

admin
Post  Post subject: [Config] Juniper SRX home LAN with dual AX411 wireless Access Points and source nat / dhcp untrust  |  Posted: Mon Apr 22, 2013 10:14 am

[Config] Juniper SRX home LAN with dual AX411 wireless Access Points and source nat / dhcp untrust

Below is a simple config of an SRX 220 managing two Juniper AX411 Access Points, performing source NAT from trust (internal LAN) to untrust (internet). It also permits all traffic from trust->untrust.

Hierarchical config:
## Last changed: 2013-04-19 16:27:21 UTC
version 11.4R7.5;
/* Management plane. ssh root-login is allowed here while ssh is also a
   host-inbound service on the untrust interface (see security zones). */
system {
    host-name Andrei-SRX;
    root-authentication {
        encrypted-password "<SECRET DATA>"; ## SECRET-DATA
    }
    /* Resolvers used by the SRX itself. */
    name-server {
        208.67.222.222;
        208.67.220.220;
        8.8.8.8;
    }
    services {
        /* ssh is listed under host-inbound-traffic on untrust ge-0/0/0.0, so
           with root-login allow the root account is directly reachable from
           the internet side. Prefer root-login deny plus a named admin user,
           or remove ssh from the untrust host-inbound list. */
        ssh {
            root-login allow;
            protocol-version v2;
        }
        /* Cleartext management channels. They are reachable from any zone
           that allows host-inbound system-services all (trust and management
           zones below); untrust only exposes ssh/dhcp/bootp. */
        telnet;
        xnm-clear-text;
        web-management {
            /* J-Web over plain http on the trust SVI; https is enabled on the
               same interface, so the http stanza can be dropped. */
            http {
                interface vlan.10;
            }
            https {
                system-generated-certificate;
                interface vlan.10;
            }
        }
        /* Built-in DHCP server: one pool per SVI (trust clients, AP mgmt). */
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
                /* domain-name carries a DNS suffix, not a server address. Given
                   the name-server statement in the 10.0.0.1/28 pool below, this
                   was presumably meant to be name-server 8.8.8.8 -- verify. */
                domain-name 8.8.8.8;
                router {
                    192.168.1.1;
                }
                propagate-settings vlan.10;
            }
            pool 10.0.0.1/28 {
                address-range low 10.0.0.2 high 10.0.0.5;
                name-server {
                    8.8.8.8;
                }
                router {
                    10.0.0.1;
                }
                propagate-settings vlan.9;
            }
        }
    }
    /* Local logging only. "authorization info" keeps login records; the
       interactive-commands file at severity error omits ordinary config
       changes -- use "interactive-commands any" if a change audit trail is
       wanted. */
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    /* Trunk ports to the two AX411 APs. Tagged vlan 10 carries wireless
       clients; untagged traffic (native vlan 9) carries AP management. */
    interface-range WLAN {
        member ge-0/0/1;
        member ge-0/0/2;
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ vlan-10-trust vlan-9-mgmt ];
                }
                native-vlan-id 9;
            }
        }
    }
    /* Internet-facing port, addressed by the provider's DHCP (zone untrust). */
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    /* Wired LAN access ports, all untagged in the trust vlan. */
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-10-trust;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-10-trust;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-10-trust;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-10-trust;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-10-trust;
                }
            }
        }
    }
    /* L3 interfaces for the two vlans. */
    vlan {
        unit 9 {
            family inet {
                address 10.0.0.1/28;
            }
        }
        unit 10 {
            family inet {
                /* Host mask on the trust SVI while the DHCP pool is
                   192.168.1.0/24 with 192.168.1.1 as router; a /24 looks
                   intended (compare vlan.9's /28) -- verify. */
                address 192.168.1.1/32;
            }
        }
    }
}
security {
    /* Screen profile is defined but never attached: no "screen untrust-screen;"
       appears under security-zone untrust below, so these checks are inactive
       until the zone references the profile. */
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    /* Hide every trust source behind the ge-0/0/0 address. */
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        /* Unrestricted outbound from the LAN. */
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Inbound http/https from any source to any trust address. No
           destination NAT exists in this config, so the rule appears to have
           nothing to match today; once one is added, destination-address any
           admits traffic to whatever gets translated. Narrow it to the
           intended server's address. */
        from-zone untrust to-zone trust {
            policy untrust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-https junos-http ];
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            deny-all;
        }
    }
    zones {
        /* Home LAN: the SRX accepts every service and protocol from vlan.10,
           including the cleartext telnet / xnm-clear-text / http enabled
           under system services. */
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.10;
            }
        }
        /* Only ssh and the DHCP client exchange are accepted from the internet
           side; ssh here combines with "ssh root-login allow" above. */
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            dhcp;
                            bootp;
                        }
                    }
                }
            }
        }
        /* AP management vlan. No policy references this zone, so with
           default-policy deny-all the APs can only talk to the SRX itself. */
        security-zone management {
            interfaces {
                vlan.9 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}
/* PoE off on every port except the two AP uplinks; the per-port stanzas are
   meant to take precedence over "interface all disable" -- confirm with
   "show poe interface". */
poe {
    interface all {
        disable;
    }
    interface ge-0/0/1 {
        priority high;
    }
    interface ge-0/0/2 {
        priority high;
    }
}
/* Two AX411s managed by the SRX. Both radios on both APs broadcast one SSID
   bridged into vlan 10, so wireless clients land in the trust zone. */
wlan {
    /* Credential for the AP management interface. */
    admin-authentication {
        encrypted-password "<SECRET DATA>"; ## SECRET-DATA
    }
    access-point AP1 {
        mac-address 28:c1:da:d1:05:50;
        access-point-options {
            country {
                NL;
            }
        }
        /* 2.4 GHz radio. */
        radio 2 {
            radio-options {
                mode bgn;
            }
            virtual-access-point 0 {
                ssid Andrei-SRX;
                vlan 10;
                security {
                    wpa-personal {
                        wpa-version {
                            v2;
                        }
                        /* "both" presumably allows TKIP alongside CCMP; if
                           every client supports AES, restrict this to ccmp
                           -- verify against the AX411 option list. */
                        cipher-suites {
                            both;
                        }
                        key "<SECRET DATA>"; ## SECRET-DATA
                        broadcast-key-refresh-rate 20;
                    }
                }
            }
        }
        /* 5 GHz radio, same SSID and security settings. */
        radio 1 {
            radio-options {
                mode 5GHz;
            }
            virtual-access-point 0 {
                ssid Andrei-SRX;
                vlan 10;
                security {
                    wpa-personal {
                        wpa-version {
                            v2;
                        }
                        cipher-suites {
                            both;
                        }
                        key "<SECRET DATA>"; ## SECRET-DATA
                        broadcast-key-refresh-rate 20;
                    }
                }
            }
        }
    }
    /* Second AP, identical to AP1 apart from its MAC address. */
    access-point AP2 {
        mac-address 2c:6a:e5:14:72:10;
        access-point-options {
            country {
                NL;
            }
        }
        radio 2 {
            radio-options {
                mode bgn;
            }
            virtual-access-point 0 {
                ssid Andrei-SRX;
                vlan 10;
                security {
                    wpa-personal {
                        wpa-version {
                            v2;
                        }
                        cipher-suites {
                            both;
                        }
                        key "<SECRET DATA>"; ## SECRET-DATA
                        broadcast-key-refresh-rate 20;
                    }
                }
            }
        }
        radio 1 {
            radio-options {
                mode 5GHz;
            }
            virtual-access-point 0 {
                ssid Andrei-SRX;
                vlan 10;
                security {
                    wpa-personal {
                        wpa-version {
                            v2;
                        }
                        cipher-suites {
                            both;
                        }
                        key "<SECRET DATA>"; ## SECRET-DATA
                        broadcast-key-refresh-rate 20;
                    }
                }
            }
        }
    }
}
/* vlan 10 = wired and wireless clients (trust zone, vlan.10);
   vlan 9 = AP management (management zone, vlan.9). */
vlans {
    vlan-10-trust {
        vlan-id 10;
        l3-interface vlan.10;
    }
    vlan-9-mgmt {
        vlan-id 9;
        l3-interface vlan.9;
    }
}


Display set config
set version 11.4R7.5
set system host-name Andrei-SRX
set system root-authentication encrypted-password "<SECRET DATA>"
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system name-server 8.8.8.8
set system services ssh root-login allow
set system services ssh protocol-version v2
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.10
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.10
set system services dhcp router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
set system services dhcp pool 192.168.1.0/24 domain-name 8.8.8.8
set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 propagate-settings vlan.10
set system services dhcp pool 10.0.0.1/28 address-range low 10.0.0.2
set system services dhcp pool 10.0.0.1/28 address-range high 10.0.0.5
set system services dhcp pool 10.0.0.1/28 name-server 8.8.8.8
set system services dhcp pool 10.0.0.1/28 router 10.0.0.1
set system services dhcp pool 10.0.0.1/28 propagate-settings vlan.9
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces interface-range WLAN member ge-0/0/1
set interfaces interface-range WLAN member ge-0/0/2
set interfaces interface-range WLAN unit 0 family ethernet-switching port-mode trunk
set interfaces interface-range WLAN unit 0 family ethernet-switching vlan members vlan-10-trust
set interfaces interface-range WLAN unit 0 family ethernet-switching vlan members vlan-9-mgmt
set interfaces interface-range WLAN unit 0 family ethernet-switching native-vlan-id 9
set interfaces ge-0/0/0 unit 0 family inet dhcp
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-10-trust
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-10-trust
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vlan-10-trust
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vlan-10-trust
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members vlan-10-trust
set interfaces vlan unit 9 family inet address 10.0.0.1/28
set interfaces vlan unit 10 family inet address 192.168.1.1/32
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match destination-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match application junos-https
set security policies from-zone untrust to-zone trust policy untrust-to-trust match application junos-http
set security policies from-zone untrust to-zone trust policy untrust-to-trust then permit
set security policies default-policy deny-all
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.10
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services bootp
set security zones security-zone management interfaces vlan.9 host-inbound-traffic system-services all
set security zones security-zone management interfaces vlan.9 host-inbound-traffic protocols all
set poe interface all disable
set poe interface ge-0/0/1 priority high
set poe interface ge-0/0/2 priority high
set wlan admin-authentication encrypted-password "<SECRET DATA>"
set wlan access-point AP1 mac-address 28:c1:da:d1:05:50
set wlan access-point AP1 access-point-options country NL
set wlan access-point AP1 radio 2 radio-options mode bgn
set wlan access-point AP1 radio 2 virtual-access-point 0 ssid Andrei-SRX
set wlan access-point AP1 radio 2 virtual-access-point 0 vlan 10
set wlan access-point AP1 radio 2 virtual-access-point 0 security wpa-personal wpa-version v2
set wlan access-point AP1 radio 2 virtual-access-point 0 security wpa-personal cipher-suites both
set wlan access-point AP1 radio 2 virtual-access-point 0 security wpa-personal key "<SECRET DATA>"
set wlan access-point AP1 radio 2 virtual-access-point 0 security wpa-personal broadcast-key-refresh-rate 20
set wlan access-point AP1 radio 1 radio-options mode 5GHz
set wlan access-point AP1 radio 1 virtual-access-point 0 ssid Andrei-SRX
set wlan access-point AP1 radio 1 virtual-access-point 0 vlan 10
set wlan access-point AP1 radio 1 virtual-access-point 0 security wpa-personal wpa-version v2
set wlan access-point AP1 radio 1 virtual-access-point 0 security wpa-personal cipher-suites both
set wlan access-point AP1 radio 1 virtual-access-point 0 security wpa-personal key "<SECRET DATA>"
set wlan access-point AP1 radio 1 virtual-access-point 0 security wpa-personal broadcast-key-refresh-rate 20
set wlan access-point AP2 mac-address 2c:6a:e5:14:72:10
set wlan access-point AP2 access-point-options country NL
set wlan access-point AP2 radio 2 radio-options mode bgn
set wlan access-point AP2 radio 2 virtual-access-point 0 ssid Andrei-SRX
set wlan access-point AP2 radio 2 virtual-access-point 0 vlan 10
set wlan access-point AP2 radio 2 virtual-access-point 0 security wpa-personal wpa-version v2
set wlan access-point AP2 radio 2 virtual-access-point 0 security wpa-personal cipher-suites both
set wlan access-point AP2 radio 2 virtual-access-point 0 security wpa-personal key "<SECRET DATA>"
set wlan access-point AP2 radio 2 virtual-access-point 0 security wpa-personal broadcast-key-refresh-rate 20
set wlan access-point AP2 radio 1 radio-options mode 5GHz
set wlan access-point AP2 radio 1 virtual-access-point 0 ssid Andrei-SRX
set wlan access-point AP2 radio 1 virtual-access-point 0 vlan 10
set wlan access-point AP2 radio 1 virtual-access-point 0 security wpa-personal wpa-version v2
set wlan access-point AP2 radio 1 virtual-access-point 0 security wpa-personal cipher-suites both
set wlan access-point AP2 radio 1 virtual-access-point 0 security wpa-personal key "<SECRET DATA>"
set wlan access-point AP2 radio 1 virtual-access-point 0 security wpa-personal broadcast-key-refresh-rate 20
set vlans vlan-10-trust vlan-id 10
set vlans vlan-10-trust l3-interface vlan.10
set vlans vlan-9-mgmt vlan-id 9
set vlans vlan-9-mgmt l3-interface vlan.9



A little about the above:

- Interface ge-0/0/0 is the interface facing the internet and it belongs to the "untrust" security zone with only a handful of host-inbound system services allowed. It also uses DHCP to acquire an IP address.
- Interfaces ge-0/0/1 and ge-0/0/2 are configured for the AX411 APs (PoE enabled). Both are configured under "interface-range WLAN" instead of each one individually. They are both configured as trunks for VLAN 10 (trust vlan) and VLAN 9 (management, untagged traffic between SRX and AX411). I did not want to use the default vlan here to avoid future problems.
- Both APs advertise the same SSID and tag wireless client traffic with VLAN 10 towards the SRX.
- All traffic from the trust zone to the internet is allowed and source NATed.




