Setting up an SRX branch office

SRX 210

This is more of a placeholder for now. Basically I needed a real gateway, with updates, new code, etc.

So, as a reference, a few links:

So, using that as a starting point, let's cook up a config:

set version 12.1X46-D66.1
set system host-name srx210be
set system time-zone UTC+8
set system root-authentication encrypted-password 50m3th1nG
set system name-server PUBLIC_DNS1
set system name-server PUBLIC_DNS2
set system services ssh
set system services dhcp-local-server group g1 interface ge-0/0/1.0
set system syslog archive size 100k
set system syslog archive files 5
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system ntp server 17.253.84.253
set interfaces ge-0/0/0 unit 0 family inet address PUBLIC_IP/30
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set routing-options static route 0.0.0.0/0 next-hop PUBLIC_GW
set protocols lldp interface ge-0/0/1.0
set security alarms audible
set security alarms potential-violation policy destination-ip
set security alarms potential-violation replay-attacks
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security nat static rule-set rs1 from zone untrust
set security nat static rule-set rs1 rule SSH match destination-address PUBLIC_IP/32
set security nat static rule-set rs1 rule SSH match destination-port 2022
set security nat static rule-set rs1 rule SSH then static-nat prefix 192.168.1.5/32
set security nat static rule-set rs1 rule SSH then static-nat prefix mapped-port 22
set security nat static rule-set rs1 rule QuakeWorld match destination-address PUBLIC_IP/32
set security nat static rule-set rs1 rule QuakeWorld match destination-port 27500
set security nat static rule-set rs1 rule QuakeWorld then static-nat prefix 192.168.1.7/32
set security nat static rule-set rs1 rule QuakeWorld then static-nat prefix mapped-port 27500
set security nat static rule-set rs1 rule WEB match destination-address PUBLIC_IP/32
set security nat static rule-set rs1 rule WEB match destination-port 8080
set security nat static rule-set rs1 rule WEB then static-nat prefix 192.168.1.6/32
set security nat static rule-set rs1 rule WEB then static-nat prefix mapped-port 443
set security nat static rule-set rs1 rule HECNet match destination-address PUBLIC_IP/32
set security nat static rule-set rs1 rule HECNet match destination-port 5500
set security nat static rule-set rs1 rule HECNet then static-nat prefix 192.168.1.5/32
set security nat static rule-set rs1 rule HECNet then static-nat prefix mapped-port 5500
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies from-zone untrust to-zone trust policy SSH_Server match source-address any
set security policies from-zone untrust to-zone trust policy SSH_Server match destination-address 192.168.1.5/32
set security policies from-zone untrust to-zone trust policy SSH_Server match application tcp_2022
set security policies from-zone untrust to-zone trust policy SSH_Server match application tcp_22
set security policies from-zone untrust to-zone trust policy SSH_Server then permit
set security policies from-zone untrust to-zone trust policy QuakeWorld match source-address any
set security policies from-zone untrust to-zone trust policy QuakeWorld match destination-address 192.168.1.7/32
set security policies from-zone untrust to-zone trust policy QuakeWorld match application udp_27500
set security policies from-zone untrust to-zone trust policy QuakeWorld then permit
set security policies from-zone untrust to-zone trust policy WebServer match source-address any
set security policies from-zone untrust to-zone trust policy WebServer match destination-address 192.168.1.6/32
set security policies from-zone untrust to-zone trust policy WebServer match application tcp_8080
set security policies from-zone untrust to-zone trust policy WebServer match application tcp_443
set security policies from-zone untrust to-zone trust policy WebServer then permit
set security policies from-zone untrust to-zone trust policy HECNet match source-address any
set security policies from-zone untrust to-zone trust policy HECNet match destination-address 192.168.1.5/32
set security policies from-zone untrust to-zone trust policy HECNet match application udp_5500
set security policies from-zone untrust to-zone trust policy HECNet then permit
set security zones security-zone trust address-book address 192.168.1.7/32 192.168.1.7/32
set security zones security-zone trust address-book address 192.168.1.6/32 192.168.1.6/32
set security zones security-zone trust address-book address 192.168.1.5/32 192.168.1.5/32
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set access address-assignment pool dhcp-pool family inet network 192.168.1.0/24
set access address-assignment pool dhcp-pool family inet range range1 low 192.168.1.130
set access address-assignment pool dhcp-pool family inet range range1 high 192.168.1.190
set access address-assignment pool dhcp-pool family inet dhcp-attributes maximum-lease-time 86400
set access address-assignment pool dhcp-pool family inet dhcp-attributes name-server PUBLIC_DNS1
set access address-assignment pool dhcp-pool family inet dhcp-attributes name-server PUBLIC_DNS2
set access address-assignment pool dhcp-pool family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool dhcp-pool family inet dhcp-attributes router 192.168.1.1
set applications application tcp_8080 protocol tcp
set applications application tcp_8080 destination-port 8080
set applications application tcp_2022 protocol tcp
set applications application tcp_2022 destination-port 2022
set applications application tcp_22 protocol tcp
set applications application tcp_22 destination-port 22
set applications application udp_27500 protocol udp
set applications application udp_27500 destination-port 27500
set applications application tcp_443 protocol tcp
set applications application tcp_443 destination-port 443
set applications application udp_5500 protocol udp
set applications application udp_5500 destination-port 5500

So let’s go through the mess.

To start, the SRX has a static internet connection, which we are going to NAT our internet traffic out of. Our home LAN is a simple 192.168.1.0/24 network, and I decided to use both of the gigabit Ethernet ports on the SRX to connect to the WAN and LAN. If it matters, on the LAN side I have a gigabit Ethernet switch, with all my servers being on a VMware server which is in turn using LACP. But that's neither here nor there; we want to configure the WAN.

I'll need to walk backwards, but basically you want to configure the physical ports first, although if you have modern enough kit, auto-detection will basically 'work out of the box'. I don't need any VLANs for this, as I'm not giving anyone external interactive access to anything, so I don't need or care for a traditional DMZ. I'm trying to keep this one simple.

You will have to initially set a password for the root user, and it is entered in clear text. Naturally this isn't my password, and I hope it isn't yours either. Also we can go ahead and put in the IP addresses and the default route.

set system root-authentication encrypted-password 50m3th1nG
set interfaces ge-0/0/0 unit 0 family inet address PUBLIC_IP/30
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set routing-options static route 0.0.0.0/0 next-hop PUBLIC_GW
set protocols lldp interface ge-0/0/1.0

With this fragment configured, and if your WAN is all working, you can now ping out over the internet. Very simple, right?

root@srx210be> ping 4.2.2.4 count 3
PING 4.2.2.4 (4.2.2.4): 56 data bytes
64 bytes from 4.2.2.4: icmp_seq=0 ttl=57 time=39.556 ms
64 bytes from 4.2.2.4: icmp_seq=1 ttl=57 time=39.501 ms
64 bytes from 4.2.2.4: icmp_seq=2 ttl=57 time=39.314 ms

With basic internet connectivity established, it's time to create some basic rules and NAT. The first thing to do is establish some security zones. As I have imagination, they are simply called trust and untrust.

set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0

Next I allow all the inbound system services on the trust interface (internal). In more sophisticated setups you would have an access-restricted management network that this would sit on, but I'm still trying for that old branch office restricted feel.

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all

Now for the NAT statements. Simple stuff; the magic is in the direction (from zone trust to zone untrust, translating to the outside interface address).

set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface

And our security policies. The trust-to-trust policy simply lets anything on the trust network flow within it; it will be needed if, say, I add static routes on the SRX to bounce somewhere else. And I'm allowing trust to talk to anything on the untrust network. Of course you can actually put in a policy that ONLY allows for registered IP space. Probably the reasonable thing to do later.

set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit

And now you should be able to access the internet from the inside.

Now this is good fun, but what about hosting applications? So say I have this QuakeWorld server, how do I NAT it?

First we have to build a static NAT rule. This would also let us put it on a different external port if we needed to; however, 27500 is available on both the outside and the inside, so the values just match.

set security nat static rule-set rs1 rule QuakeWorld match destination-address PUBLIC_IP/32
set security nat static rule-set rs1 rule QuakeWorld match destination-port 27500
set security nat static rule-set rs1 rule QuakeWorld then static-nat prefix 192.168.1.7/32
set security nat static rule-set rs1 rule QuakeWorld then static-nat prefix mapped-port 27500

Now we need to build a firewall rule. Notice that the destination is the internal private address, not the public one. If the external and mapped ports were different, you would need to list BOTH ports in the rule.

set security policies from-zone untrust to-zone trust policy QuakeWorld match source-address any
set security policies from-zone untrust to-zone trust policy QuakeWorld match destination-address 192.168.1.7/32
set security policies from-zone untrust to-zone trust policy QuakeWorld match application udp_27500
set security policies from-zone untrust to-zone trust policy QuakeWorld then permit

We also need an address-book entry for the server, named after its address so the policy above can reference it.

set security zones security-zone trust address-book address 192.168.1.7/32 192.168.1.7/32

And finally, define the application:

set applications application udp_27500 protocol udp
set applications application udp_27500 destination-port 27500

And now we are hosting an application on the internet!
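As an added example, not code from the original post or from Juniper, here is a small Python audit that parses set-style commands like the ones above and applies the checks this walkthrough implies. For the hosting procedure just shown, it verifies that every static NAT rule has an untrust-to-trust permit for the internal prefix whose applications cover both the external port and the mapped port (the "list BOTH ports" point). For the earlier zone and policy section, it flags the two permissive settings the post itself calls out as shortcuts: host-inbound-traffic system-services all on the trust zone, and the trust-to-untrust policy permitting application any. SAMPLE_CONFIG is constructed for this example, with PUBLIC_IP kept as the post's placeholder and the WebServer policy deliberately missing tcp_443 so the check has something to report; the regexes and function names are mine, and predefined junos-* applications are not modelled.

```python
import re
from collections import defaultdict

# Constructed sample in the post's format (PUBLIC_IP is the post's placeholder).
# The WebServer policy deliberately omits tcp_443, the mapped port for the WEB
# static NAT rule. Application 'protocol' lines are omitted; the check keys on
# destination-port only.
SAMPLE_CONFIG = """
set security nat static rule-set rs1 rule SSH match destination-address PUBLIC_IP/32
set security nat static rule-set rs1 rule SSH match destination-port 2022
set security nat static rule-set rs1 rule SSH then static-nat prefix 192.168.1.5/32
set security nat static rule-set rs1 rule SSH then static-nat prefix mapped-port 22
set security nat static rule-set rs1 rule WEB match destination-address PUBLIC_IP/32
set security nat static rule-set rs1 rule WEB match destination-port 8080
set security nat static rule-set rs1 rule WEB then static-nat prefix 192.168.1.6/32
set security nat static rule-set rs1 rule WEB then static-nat prefix mapped-port 443
set security policies from-zone untrust to-zone trust policy SSH_Server match destination-address 192.168.1.5/32
set security policies from-zone untrust to-zone trust policy SSH_Server match application tcp_2022
set security policies from-zone untrust to-zone trust policy SSH_Server match application tcp_22
set security policies from-zone untrust to-zone trust policy SSH_Server then permit
set security policies from-zone untrust to-zone trust policy WebServer match destination-address 192.168.1.6/32
set security policies from-zone untrust to-zone trust policy WebServer match application tcp_8080
set security policies from-zone untrust to-zone trust policy WebServer then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set applications application tcp_2022 destination-port 2022
set applications application tcp_22 destination-port 22
set applications application tcp_8080 destination-port 8080
"""

NAT_RE = re.compile(r"set security nat static rule-set \S+ rule (\S+) (.*)")
APP_RE = re.compile(r"set applications application (\S+) (protocol|destination-port) (\S+)")
POL_RE = re.compile(r"set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.*)")


def parse_config(config_text):
    """Single pass over the set commands; returns (static_nat, applications, policies)."""
    nat = defaultdict(dict)
    apps = defaultdict(dict)
    pols = defaultdict(lambda: {"dest": set(), "apps": set(), "action": None})
    for ln in (raw.strip() for raw in config_text.splitlines()):
        if m := NAT_RE.match(ln):
            name, rest = m.groups()
            if rest.startswith("match destination-port "):
                nat[name]["ext_port"] = int(rest.split()[-1])
            elif rest.startswith("then static-nat prefix mapped-port "):  # test before the bare prefix form
                nat[name]["mapped_port"] = int(rest.split()[-1])
            elif rest.startswith("then static-nat prefix "):
                nat[name]["prefix"] = rest.split()[-1]
        elif m := APP_RE.match(ln):
            name, key, val = m.groups()
            apps[name][key] = int(val) if key == "destination-port" else val
        elif m := POL_RE.match(ln):
            fz, tz, name, kind, rest = m.groups()
            pol = pols[(fz, tz, name)]
            if kind == "then":
                pol["action"] = rest
            elif rest.startswith("destination-address "):
                pol["dest"].add(rest.split()[-1])
            elif rest.startswith("application "):
                pol["apps"].add(rest.split()[-1])
    return dict(nat), dict(apps), dict(pols)


def audit(config_text):
    """Return human-readable findings; an empty list means the checks passed."""
    nat, apps, pols = parse_config(config_text)
    findings = []
    for name, rule in nat.items():
        # Both the external port and the mapped port must be permitted, as the post notes.
        needed = {rule["ext_port"], rule.get("mapped_port", rule["ext_port"])}
        covered = set()
        for (fz, tz, pname), pol in pols.items():
            if (fz, tz) != ("untrust", "trust") or pol["action"] != "permit" or rule["prefix"] not in pol["dest"]:
                continue
            for app in pol["apps"]:
                if app == "any":
                    covered |= needed
                elif app in apps and "destination-port" in apps[app]:
                    covered.add(apps[app]["destination-port"])
                else:  # predefined junos-* applications are not modelled in this example
                    findings.append(f"{name}: policy {pname} uses unknown application {app}")
        if missing := needed - covered:
            findings.append(f"{name}: no untrust->trust permit for {rule['prefix']} covering port(s) {sorted(missing)}")
    for (fz, tz, pname), pol in pols.items():
        if (fz, tz) == ("trust", "untrust") and "any" in pol["apps"] and pol["action"] == "permit":
            findings.append(f"{pname}: trust->untrust permits application any")
    if "host-inbound-traffic system-services all" in config_text:
        findings.append("trust zone accepts all host-inbound system services")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the audit reports the WEB rule as uncovered for port 443, plus the two permissive settings; the SSH rule, whose policy lists both tcp_2022 and tcp_22, passes. Feeding it the full configuration at the top of the post (paste it into SAMPLE_CONFIG or read it from a file) is a quick way to confirm that every forwarded service has a matching policy before committing.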

From there I added fun things like DHCP and some of the basic security features of the SRX (the screen and alarm options in the full config above). It's not a great config, but it'll get you going.