Previously I reviewed some high level information of Juniper SRX Firewall. Now I will configure it as my main firewall at home/office/lab.
Interface ge-0/0/0 and ge-0/0/7 are by default part of “Untrust” zone already as shown below:
I simply moved the ISP cable from my old firewall to the SRX300 port “ge-0/0/0”. It took about 10 seconds and I had an IP on the port. Now the internet was online, but I needed to get this firewall configured for the rest of my network so I could talk to all the VLANs. NOTE: I could have set up VLANs and DHCP on the firewall as well (another blog post), but I did not want to do that for now.
Based on the network shown above, I next needed to bring up the interface between the firewall and the core switch. The command below took care of that.
set interfaces irb unit 0 family inet address 172.16.0.1/30
Next, the firewall required return routes to the VLANs behind the core switch. The following commands handled the routes back to the VLANs:
set routing-options static route 192.168.20.0/24 next-hop 172.16.0.2
set routing-options static route 192.168.30.0/24 next-hop 172.16.0.2
set routing-options static route 192.168.10.0/24 next-hop 172.16.0.2
These are the “nat” commands (together with the related screen and policy entries) that are already set up in the firewall for basic connectivity, so I did not have to do anything. Keep in mind that traffic from the “trust” zone to “untrust” is allowed by default.
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
Now this firewall has all the following:
- Outbound connectivity to the internet
- Connectivity to the LAN
- All the required return routes to the VLANs.
Once all the routes were in place, my laptop was able to ping outbound.
Lastly I needed to set up “root authentication”. I made a mistake here that locked me out of the firewall. I used the following command, thinking I was being smart and secure:
set system root-authentication encrypted-password
Don’t do that: unless you already have an encrypted (hashed) password to paste in, there is no need to use this command. If you enter a plain-text password here, or leave it blank, you cannot log back in, which is exactly what I did. Normally the only way out of this is a password recovery on the device, which means downtime. Luckily the Mist UI also allows shell access to the gateways. This access let me fix my mistake without going through the recovery process.
The following commands fixed my SSH and login issues:
set system services ssh root-login allow
delete system root-authentication encrypted-password
set system root-authentication plain-text-password <enter>
New Password: (you will need to enter it twice)
commit check
commit
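As an added example (my own code, not from the post or from Juniper), here is a small pre-commit sanity check you can run over the set commands above before typing commit: it confirms every static-route next-hop sits on a directly connected subnet (the irb /30 here) and flags a root-authentication encrypted-password that is blank or not a crypt hash, which is exactly the lockout described above. The accepted hash prefixes ($1$, $5$, $6$) are an assumption on my part, and the sample config is constructed to mirror the post.

```python
import ipaddress
import re
import shlex

# Assumed set of hash formats Junos accepts for "encrypted-password":
# $1$ (MD5-crypt), $5$ (SHA-256-crypt), $6$ (SHA-512-crypt), each with salt and hash fields.
CRYPT_HASH_RE = re.compile(r"^\$(?:1|5|6)\$[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]+$")


def lint_config(set_lines):
    """Check a list of Junos 'set ...' lines before 'commit'.

    Returns a list of findings; an empty list means no problems were found.
    Checks: each static-route next-hop must be on a directly connected subnet,
    and 'root-authentication encrypted-password' must carry a real crypt hash
    rather than a blank or a plain-text string.
    """
    findings = []
    connected = []   # networks configured on interfaces (e.g. irb 172.16.0.1/30)
    routes = []      # (destination, next-hop) pairs from routing-options
    for line in set_lines:
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[0] != "set":
            continue
        if tokens[1] == "interfaces" and "address" in tokens:
            addr = tokens[tokens.index("address") + 1]
            connected.append(ipaddress.ip_interface(addr).network)
        elif tokens[1:4] == ["routing-options", "static", "route"] and "next-hop" in tokens:
            routes.append((tokens[4], tokens[tokens.index("next-hop") + 1]))
        elif tokens[1:4] == ["system", "root-authentication", "encrypted-password"]:
            value = tokens[4] if len(tokens) > 4 else ""
            if not value:
                findings.append("encrypted-password: no value given; root login will fail")
            elif not CRYPT_HASH_RE.match(value):
                findings.append("encrypted-password: value is not a crypt hash; "
                                "use plain-text-password or supply a $1$/$5$/$6$ hash")
    for dest, nh in routes:
        nh_ip = ipaddress.ip_address(nh)
        if not any(nh_ip in net for net in connected):
            findings.append(f"route {dest}: next-hop {nh} is not on a connected subnet")
    return findings


# Constructed sample mirroring the post's config, with the lockout mistake included.
SAMPLE = [
    "set interfaces irb unit 0 family inet address 172.16.0.1/30",
    "set routing-options static route 192.168.10.0/24 next-hop 172.16.0.2",
    "set routing-options static route 192.168.20.0/24 next-hop 172.16.0.2",
    "set system root-authentication encrypted-password",
]

if __name__ == "__main__":
    for finding in lint_config(SAMPLE):
        print(finding)
```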
Please feel free to add any feedback, and if you see something incorrect, do let me know and I’d be happy to fix it. Let’s see what this can do and what it shows in the Mist Dashboard now. Thank you for reading.