This is more of a placeholder for now. Basically I needed a real gateway, with updates, new code, etc.
So, for reference, a few links:
- security-branch-device-configuration-factory-default.html
- juniper-srx-nat
- nat-security-static-single-address-translation-configuring.html
- security-device-dhcp-server-configuring.html
So using that as a starting point let’s cook up a config:
set version 12.1X46-D66.1
set system host-name srx210be
set system time-zone UTC+8
set system root-authentication encrypted-password 50m3th1nG
set system name-server PUBLIC_DNS1
set system name-server PUBLIC_DNS2
set system services ssh
set system services dhcp-local-server group g1 interface ge-0/0/1.0
set system syslog archive size 100k
set system syslog archive files 5
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system ntp server 17.253.84.253
set interfaces ge-0/0/0 unit 0 family inet address PUBLIC_IP/30
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set routing-options static route 0.0.0.0/0 next-hop PUBLIC_GW
set protocols lldp interface ge-0/0/1.0
set security alarms audible
set security alarms potential-violation policy destination-ip
set security alarms potential-violation replay-attacks
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security nat static rule-set rs1 from zone untrust
set security nat static rule-set rs1 rule SSH match destination-address PUBLIC_IP/32
set security nat static rule-set rs1 rule SSH match destination-port 2022
set security nat static rule-set rs1 rule SSH then static-nat prefix 192.168.1.5/32
set security nat static rule-set rs1 rule SSH then static-nat prefix mapped-port 22
set security nat static rule-set rs1 rule QuakeWorld match destination-address PUBLIC_IP/32
set security nat static rule-set rs1 rule QuakeWorld match destination-port 27500
set security nat static rule-set rs1 rule QuakeWorld then static-nat prefix 192.168.1.7/32
set security nat static rule-set rs1 rule QuakeWorld then static-nat prefix mapped-port 27500
set security nat static rule-set rs1 rule WEB match destination-address PUBLIC_IP/32
set security nat static rule-set rs1 rule WEB match destination-port 8080
set security nat static rule-set rs1 rule WEB then static-nat prefix 192.168.1.6/32
set security nat static rule-set rs1 rule WEB then static-nat prefix mapped-port 443
set security nat static rule-set rs1 rule HECNet match destination-address PUBLIC_IP/32
set security nat static rule-set rs1 rule HECNet match destination-port 5500
set security nat static rule-set rs1 rule HECNet then static-nat prefix 192.168.1.5/32
set security nat static rule-set rs1 rule HECNet then static-nat prefix mapped-port 5500
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies from-zone untrust to-zone trust policy SSH_Server match source-address any
set security policies from-zone untrust to-zone trust policy SSH_Server match destination-address 192.168.1.5/32
set security policies from-zone untrust to-zone trust policy SSH_Server match application tcp_2022
set security policies from-zone untrust to-zone trust policy SSH_Server match application tcp_22
set security policies from-zone untrust to-zone trust policy SSH_Server then permit
set security policies from-zone untrust to-zone trust policy QuakeWorld match source-address any
set security policies from-zone untrust to-zone trust policy QuakeWorld match destination-address 192.168.1.7/32
set security policies from-zone untrust to-zone trust policy QuakeWorld match application udp_27500
set security policies from-zone untrust to-zone trust policy QuakeWorld then permit
set security policies from-zone untrust to-zone trust policy WebServer match source-address any
set security policies from-zone untrust to-zone trust policy WebServer match destination-address 192.168.1.6/32
set security policies from-zone untrust to-zone trust policy WebServer match application tcp_8080
set security policies from-zone untrust to-zone trust policy WebServer match application tcp_443
set security policies from-zone untrust to-zone trust policy WebServer then permit
set security policies from-zone untrust to-zone trust policy HECNet match source-address any
set security policies from-zone untrust to-zone trust policy HECNet match destination-address 192.168.1.5/32
set security policies from-zone untrust to-zone trust policy HECNet match application udp_5500
set security policies from-zone untrust to-zone trust policy HECNet then permit
set security zones security-zone trust address-book address 192.168.1.7/32 192.168.1.7/32
set security zones security-zone trust address-book address 192.168.1.6/32 192.168.1.6/32
set security zones security-zone trust address-book address 192.168.1.5/32 192.168.1.5/32
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set access address-assignment pool dhcp-pool family inet network 192.168.1.0/24
set access address-assignment pool dhcp-pool family inet range range1 low 192.168.1.130
set access address-assignment pool dhcp-pool family inet range range1 high 192.168.1.190
set access address-assignment pool dhcp-pool family inet dhcp-attributes maximum-lease-time 86400
set access address-assignment pool dhcp-pool family inet dhcp-attributes name-server PUBLIC_DNS1
set access address-assignment pool dhcp-pool family inet dhcp-attributes name-server PUBLIC_DNS2
set access address-assignment pool dhcp-pool family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool dhcp-pool family inet dhcp-attributes router 192.168.1.1
set applications application tcp_8080 protocol tcp
set applications application tcp_8080 destination-port 8080
set applications application tcp_2022 protocol tcp
set applications application tcp_2022 destination-port 2022
set applications application tcp_22 protocol tcp
set applications application tcp_22 destination-port 22
set applications application udp_27500 protocol udp
set applications application udp_27500 destination-port 27500
set applications application tcp_443 protocol tcp
set applications application tcp_443 destination-port 443
set applications application udp_5500 protocol udp
set applications application udp_5500 destination-port 5500
So let’s go through the mess.
To start, the SRX has a static internet connection, which we are going to NAT our internet traffic out of. Our home LAN is a simple 192.168.1.0/24 network, and I decided to use both of the gigabit Ethernet ports on the SRX to connect to the WAN and LAN. If it matters, on the LAN side, I have a gigabit Ethernet switch with all my servers being on a VMWare server which is in turn using LACP. But that’s neither here nor there, we want to configure the WAN.
I’ll need to walk backwards, but basically you want to configure the physical ports first, although if you have modern enough kit, auto detection will basically ‘work out of the box’. I don’t need any VLANs for this as I’m not giving anyone external interactive access to anything, so I don’t need or care for a traditional DMZ. I’m trying to keep this one simple.
You will have to set a password for the root user first. Junos stores it as a hash: `set system root-authentication plain-text-password` prompts for the password (typed in the clear at the prompt) and hashes it for you, whereas the `encrypted-password` form used below expects an already-hashed string, so the value shown is only a placeholder. Naturally this isn’t my password, and I hope it isn’t yours either. Also we can go ahead and put in the IP addresses, the default route, and LLDP on the LAN port.
set system root-authentication encrypted-password 50m3th1nG
set interfaces ge-0/0/0 unit 0 family inet address PUBLIC_IP/30
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set routing-options static route 0.0.0.0/0 next-hop PUBLIC_GW
set protocols lldp interface ge-0/0/1.0
With this fragment configured, and if your WAN is all working, you can now ping out over the internet. Very simple, right?
root@srx210be> ping 4.2.2.4 count 3
PING 4.2.2.4 (4.2.2.4): 56 data bytes
64 bytes from 4.2.2.4: icmp_seq=0 ttl=57 time=39.556 ms
64 bytes from 4.2.2.4: icmp_seq=1 ttl=57 time=39.501 ms
64 bytes from 4.2.2.4: icmp_seq=2 ttl=57 time=39.314 ms
With basic internet connectivity established it’s time to create some basic rules, and NAT. The first thing to do is establish some security zones. As I have imagination, they are simply called trust and untrust.
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0
Next I allow all the inbound system services on the trust interface (internal). This exposes every management service on the SRX itself (SSH, HTTP, DHCP, ping and the rest) to every host on the LAN, and the untrust zone gets no host-inbound-traffic statement at all, so nothing on the WAN side can talk to the box. In more sophisticated setups you would have a management network that this would sit on that was access restricted, or you would list only the services you need (for this config that is ssh, dhcp and ping), but I’m still trying for that old branch office restricted feel.
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
Now for the NAT statements. Simple stuff; the magic is in the direction: the rule-set applies to traffic going from zone trust to zone untrust, matches every source address, and rewrites the source to the address of the egress interface (ge-0/0/0.0), so no NAT pool is needed.
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
And our security policies. The trust-to-trust policy simply lets anything on the trust network flow between hosts in that zone; say if I add static routes on the SRX to bounce somewhere else, it will be needed. And I’m allowing trust to talk to anything on the untrust network. Of course you can actually put in a policy that ONLY allows for registered IP space. Probably the reasonable thing to do later.
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
And now you should be able to access the internet from the inside. Note that there is no untrust-to-trust policy yet: the SRX’s default policy is deny-all, so anything arriving from the WAN that does not match an explicit permit is dropped, and return traffic for LAN-initiated sessions comes back through the existing session rather than through a policy.
Now this is good fun, but what about hosting applications? So say I have this QuakeWorld server, how do I NAT it?
First we have to build a static NAT rule. This would also let us put it on a different port if we needed to; however, 27500 is available on both the outside and inside, so the values just match. The rule-set also needs its `from zone untrust` statement (it is in the full config above), since static NAT rules are looked up on the ingress zone.
set security nat static rule-set rs1 rule QuakeWorld match destination-address PUBLIC_IP/32
set security nat static rule-set rs1 rule QuakeWorld match destination-port 27500
set security nat static rule-set rs1 rule QuakeWorld then static-nat prefix 192.168.1.7/32
set security nat static rule-set rs1 rule QuakeWorld then static-nat prefix mapped-port 27500
Now we need to build a firewall rule. Notice that the destination is the internal private address: the SRX performs static NAT before the policy lookup, so the policy sees the translated address and port, not the public ones. If the outside and inside ports differ, it is the inside (mapped) port that the policy’s application must allow; the full config above lists both ports for the SSH and web policies, which is harmless but only the inside port ever matches.
set security policies from-zone untrust to-zone trust policy QuakeWorld match source-address any
set security policies from-zone untrust to-zone trust policy QuakeWorld match destination-address 192.168.1.7/32
set security policies from-zone untrust to-zone trust policy QuakeWorld match application udp_27500
set security policies from-zone untrust to-zone trust policy QuakeWorld then permit
We need to build the address book. The destination-address in a policy refers to an address-book entry by name, not to a literal prefix, so the entry has to exist; here it is simply named after the prefix it contains.
set security zones security-zone trust address-book address 192.168.1.7/32 192.168.1.7/32
And finally, define the application:
set applications application udp_27500 protocol udp
set applications application udp_27500 destination-port 27500
And now we are hosting an application on the internet!
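To make the ordering concrete, here is a small model of how the SRX evaluates an inbound packet: static NAT first, then the from-zone untrust to-zone trust policy lookup on the translated packet. This is an added example, not code from the original post or from Juniper; the NAT rules, applications and policies are transcribed from the config on this page, and `PUBLIC_IP` is kept as the same placeholder the page uses.

```python
"""Model of the SRX flow order: static NAT before security policy lookup.

Added example (not the post's own code, not a Juniper tool). The NAT rules,
applications and untrust-to-trust policies are transcribed from the config on
this page. PUBLIC_IP stays a placeholder string, as it is on the page.
"""
from dataclasses import dataclass

PUBLIC_IP = "PUBLIC_IP"   # placeholder, as on the page


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_ip: str
    dst_port: int


# static NAT rule-set rs1 (from zone untrust):
# (match destination-address, destination-port) -> (prefix, mapped-port)
STATIC_NAT = {
    (PUBLIC_IP, 2022): ("192.168.1.5", 22),
    (PUBLIC_IP, 27500): ("192.168.1.7", 27500),
    (PUBLIC_IP, 8080): ("192.168.1.6", 443),
    (PUBLIC_IP, 5500): ("192.168.1.5", 5500),
}

# applications: name -> (protocol, destination-port)
APPLICATIONS = {
    "tcp_2022": ("tcp", 2022), "tcp_22": ("tcp", 22),
    "udp_27500": ("udp", 27500), "tcp_8080": ("tcp", 8080),
    "tcp_443": ("tcp", 443), "udp_5500": ("udp", 5500),
}

# from-zone untrust to-zone trust policies, in configured order:
# (policy name, destination-address, [application names])
POLICIES = [
    ("SSH_Server", "192.168.1.5", ["tcp_2022", "tcp_22"]),
    ("QuakeWorld", "192.168.1.7", ["udp_27500"]),
    ("WebServer", "192.168.1.6", ["tcp_8080", "tcp_443"]),
    ("HECNet", "192.168.1.5", ["udp_5500"]),
]


def apply_static_nat(pkt, rules=STATIC_NAT):
    """Rewrite destination address/port if a static NAT rule matches; else unchanged."""
    hit = rules.get((pkt.dst_ip, pkt.dst_port))
    if hit is None:
        return pkt
    new_ip, new_port = hit
    return Packet(pkt.proto, new_ip, new_port)


def policy_lookup(pkt, policies=POLICIES, apps=APPLICATIONS):
    """First policy whose destination-address and application match the
    (already translated) packet, as (policy, application); None = default deny."""
    for name, dst, app_names in policies:
        if dst != pkt.dst_ip:
            continue
        for app in app_names:
            if apps[app] == (pkt.proto, pkt.dst_port):
                return (name, app)
    return None


def evaluate(pkt, policies=POLICIES):
    """Run the packet through static NAT and then policy lookup."""
    translated = apply_static_nat(pkt)
    return translated, policy_lookup(translated, policies)


if __name__ == "__main__":
    for pkt in (Packet("tcp", PUBLIC_IP, 2022), Packet("udp", PUBLIC_IP, 27500),
                Packet("tcp", PUBLIC_IP, 8080), Packet("tcp", PUBLIC_IP, 22)):
        translated, hit = evaluate(pkt)
        print(f"{pkt} -> {translated} -> {hit or 'default deny'}")
```

Run it and the SSH case shows the point: the packet to PUBLIC_IP:2022 reaches the policy lookup as 192.168.1.5:22, so it is the `tcp_22` term of SSH_Server that matches, and a policy that listed only `tcp_2022` would fall through to the default deny.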
From there I added fun things like DHCP, some basic security features of the SRX. One thing to watch in the full config above: the `untrust-screen` profile (ping of death, teardrop, land, SYN flood thresholds) is defined but never attached to the untrust zone, so it does nothing until it is bound there with a `screen untrust-screen` statement under the untrust zone, the way the factory-default config does. It’s not a great config, but it’ll get you going.
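Since a flattened `set` dump like the one above is easy to misread, here is a small checker that parses `set` lines into token paths and flags the three things worth reviewing in this config: screen profiles that are defined but not bound to any zone, zones that accept every host-inbound system service, and untrust-to-trust permit policies that match any source. It is an added example, not code from the original post or any Juniper tool; the embedded config is a constructed excerpt of the one on this page.

```python
"""Audit a Junos 'set'-style configuration for a few common gateway mistakes.

Added example, not the post's own code and not a Juniper tool. It parses
'set ...' lines into token paths and checks for:
  * screen profiles under 'security screen ids-option' never bound to a zone,
  * zones with 'host-inbound-traffic system-services all',
  * permit policies from an untrusted zone that match source-address any.
SAMPLE_CONFIG is a constructed excerpt of the config on this page.
"""
from collections import defaultdict

SAMPLE_CONFIG = """
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen tcp land
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security policies from-zone untrust to-zone trust policy QuakeWorld match source-address any
set security policies from-zone untrust to-zone trust policy QuakeWorld match destination-address 192.168.1.7/32
set security policies from-zone untrust to-zone trust policy QuakeWorld match application udp_27500
set security policies from-zone untrust to-zone trust policy QuakeWorld then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
"""


def parse_set_config(text):
    """One token list per 'set' statement; blank and non-'set' lines are skipped."""
    paths = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0] == "set":
            paths.append(tokens[1:])
    return paths


def unbound_screens(paths):
    """Screen profiles that are defined but not referenced by any security zone."""
    defined, bound = set(), set()
    for p in paths:
        if p[:3] == ["security", "screen", "ids-option"] and len(p) > 3:
            defined.add(p[3])
        if p[:3] == ["security", "zones", "security-zone"] and len(p) > 5 and p[4] == "screen":
            bound.add(p[5])
    return sorted(defined - bound)


def zones_with_all_system_services(paths):
    """Zones whose host-inbound-traffic allows every system service."""
    zones = set()
    for p in paths:
        if p[:3] == ["security", "zones", "security-zone"] and \
                p[4:] == ["host-inbound-traffic", "system-services", "all"]:
            zones.add(p[3])
    return sorted(zones)


def open_inbound_policies(paths, untrusted_zones=("untrust",)):
    """Permit policies from an untrusted zone whose source-address is any,
    returned as (from-zone, to-zone, policy name) tuples."""
    flags = defaultdict(dict)
    for p in paths:
        # p: security policies from-zone X to-zone Y policy NAME <match|then> ...
        if p[:2] != ["security", "policies"] or len(p) < 8:
            continue
        key = (p[3], p[5], p[7])
        rest = p[8:]
        if rest == ["match", "source-address", "any"]:
            flags[key]["any_src"] = True
        if rest == ["then", "permit"]:
            flags[key]["permit"] = True
    return sorted(k for k, f in flags.items()
                  if k[0] in untrusted_zones and f.get("any_src") and f.get("permit"))


def audit(text):
    """Run all checks over a 'set'-style config and return the findings."""
    paths = parse_set_config(text)
    return {
        "unbound_screens": unbound_screens(paths),
        "zones_all_system_services": zones_with_all_system_services(paths),
        "open_inbound_policies": open_inbound_policies(paths),
    }


if __name__ == "__main__":
    for check, hits in audit(SAMPLE_CONFIG).items():
        print(f"{check}: {hits or 'none'}")
```

On the excerpt it reports `untrust-screen` as unbound, `trust` as accepting all system services, and QuakeWorld as an any-source inbound permit. The first finding disappears once `set security zones security-zone untrust screen untrust-screen` is added; the other two are the deliberate trade-offs discussed above, and the checker is there so you make them knowingly rather than by accident.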