juniper - configuring juniper networks firewall.ipsec vpn products - high-level lab guide

Upload: gulzeb-jadoon

Post on 16-Jul-2015


TRANSCRIPT

  • 5/13/2018 Juniper - Configuring Juniper Networks Firewall.ipsec VPN Products - High-Level Lab Guide

    Configuring Juniper Networks Firewall/IPSec VPN Products, Revision 5.b

    High-Level Lab Guide

    Juniper Networks, 1194 North Mathilda Avenue, Sunnyvale, CA 94089 USA, 408-745-2000, www.juniper.net

    Course Number: EDU-JUN-CJFV
    Juniper Networks, the Juniper Networks logo, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOS and JUNOSe are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

    Configuring Juniper Networks Firewall/IPSec VPN Products High-Level Lab Guide, Revision 5.b. Copyright 2007, Juniper Networks, Inc. All rights reserved. Printed in USA.

    Revision History: Revision 5.b, April 2007.

    The information in this document is current as of the date listed above. The information in this document has been carefully verified and is believed to be accurate for software Release 5.4. Juniper Networks assumes no responsibilities for any inaccuracies that may appear in this document. In no event will Juniper Networks be liable for direct, indirect, special, exemplary, incidental or consequential damages resulting from any defect or omission in this document, even if advised of the possibility of such damages.

    Juniper Networks reserves the right to change, modify, transfer or otherwise revise this publication without notice.

    YEAR 2000 NOTICE: Juniper Networks hardware and software products do not suffer from Year 2000 problems and hence are Year 2000 compliant. The JUNOS software has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

    SOFTWARE LICENSE: The terms and conditions for using Juniper Networks software are described in the software license provided with the software, or to the extent applicable, in an agreement executed between you and Juniper Networks, or Juniper Networks' agent. By using Juniper Networks software, you indicate that you understand and agree to be bound by its license terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the Juniper Networks software, may contain prohibitions against certain uses, and may state conditions under which the license is automatically terminated. You should consult the software license for further details.

    Contents

    Lab 1: Initial Configuration
        Part 1: Basic Connectivity
    Lab 2: Device Administration
        Part 1: Device Administration
        Part 2: Configuration Management
        Part 3: Asset Recovery (optional)
    Lab 3: Layer 3 Operations
        Part 1: Access the Management Network
    Lab 4: Basic Policy Configuration
        Part 1: Basic Policy Configuration
    Lab 5: Policy Options
        Part 1: Policy Options
        Part 2: WebAuth
    Lab 6: Address Translation
        Part 1: NAT-src
        Part 2: Destination NAT
        Part 3: VIP Address
        Part 4: MIP Address
    Lab 7: Transparent Mode
        Part 1: Transparent Mode
    Lab 8: Policy-Based VPNs
        Part 1: Basic Connectivity
        Part 2: VPN Configuration
        Part 3: Demo: VPN Manager
    Lab 9: Route-Based VPNs
        Part 1: Basic Connectivity
        Part 2: VPN Configuration
        Part 3: Demo: Using VPN Manager

    Lab 1: Initial Configuration

    Overview

    This lab explores the initial Juniper Networks device configuration. First, you will access your device and reset the configuration, then you will configure your device for network connectivity. You have the option to switch over and use Security Manager for the rest of the configuration.

    This lab is available in two formats: a high-level format that is designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands.

    By completing this lab, you will perform the following tasks:

    Access your Juniper Networks device from its console port and reset the configuration on your Juniper Networks device to its default mode.
    Access your Juniper Networks device through the WebUI and verify configuration settings.
    Use the CLI or the WebUI to configure the Untrust (or ethernet0/1) interface and routing.
    Use the CLI, the WebUI, or Security Manager to complete the initial configuration procedure.

    Additional Information

    This lab requires you to use the student PC to configure the Juniper Networks device through the serial port. You will use the instructor router as the default gateway of your device.

    Network Diagram

    The classroom network is divided into four workgroups with each workgroup connected to a port on an NS-208 device via a hub. A workgroup, as shown here, contains four SSG5 devices, NS5-XT devices, or NS-5GT devices and four PCs. Each PC in the workgroup is connected to a Juniper Networks device via the Trust interface and the console port. The instructor will assign each student to a workgroup, and each workgroup will correspond to a port on the NS-208 device. For example, if you are in Workgroup 1, your hub is connected to port E1 on the NS-208 device. Fill in your assigned X and Y values below:

    X = ______    Y = ______

    NS-208 port assignments:

    Port    Address         Connects to    Zone
    E1      1.1.1.1/24      Group1         Group1
    E2      1.1.2.1/24      Group2         Group2
    E3      1.1.3.1/24      Group3         Group3
    E4      1.1.4.1/24      Group4         Group4
    E5      N/A             HA             HA
    E6
    E7      10.1.75.1/24    Management     Mgmt
    E8      1.1.8.1/24      Internet       Internet

    (Diagram: the management network holds the classroom server 10.1.75.111, the Security Manager server 10.1.75.222 and the instructor PC 10.1.75.250. X = Row/Group/Port number, Y = Station; all subnet masks are /24. Each student PC is 10.X.Y.5 on the Trust side of its device; the Untrust side of each device faces the workgroup hub.)

    Part 1: Basic Connectivity

    Step 1.1
    Confirm that the IP configuration of your PC is correct as per the lab diagram. If not already done, obtain your X and Y values from the instructor and write them in the following space provided. These values will be assigned to you for the remainder of the course.

    PC IP address: 10.X.Y.5 (X is your row and group; Y is your workstation.)
    PC mask: 255.255.255.0
    PC gateway: 10.X.Y.1 (the Trust interface on your 5GT device).

    X value (your row): ______    Y value (your workstation): ______    PC IP address: ______    PC gateway: ______

    Step 1.2
    Using the console connection, reset your device to the factory-default configuration. Save the configuration if prompted to do so.

    Step 1.3
    After the device is reset, log in using the default username and password of netscreen. Set the hostname of your device to GroupX-gtY.

    Step 1.4
    Configure your device with the IP addresses shown in the diagram. Enable Telnet and ... on the Untrust interface.
    Trust: 10.X.Y.1/24
    Untrust: 1.1.X.Y0/24

    Note: At this point you can choose to begin using the WebUI, or you can continue using the CLI.

    Step 1.5
    Set a default route using the network diagram. This address is already configured on the NS-208 device.

    Step 1.6
    Ensure that a policy exists to allow your PC to access the instructor PC.

    Step 1.7
    Verify IP connectivity by issuing a ping from your PC to the NS-208 interface (1.1.X.1).

    Step 1.8
    Verify IP connectivity by issuing a ping from your PC to the classroom server (10.1.75.111).

    Step 1.9
    If you are using the CLI, save your configuration to flash memory. If you are using the WebUI, your changes are saved automatically.

    Note: If you are not using Security Manager, proceed to the end of this lab.

    Step 1.10
    Open the Security Manager client, using the login super, password netscreen. The Security Manager server is located at 10.1.75.222.

    Step 1.11
    Add your device to the list of managed devices. Use the syntax GroupX-gtY for the device name.

    Step 1.12
    Import your configuration.

    Tell your instructor that you have completed Lab 1.

    Lab 2: Device Administration

    Overview

    This lab explores the configuration of Juniper Networks device administration. During this lab, you will be working on your own device.

    This lab is available in two formats: a high-level format that is designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands.

    By completing this lab, you will perform the following tasks:

    Configure device administration, including external management services.
    Manage configuration files using TFTP and config rollback.
    Perform asset recovery (optional).

    Additional Information

    This lab requires you to use the student PC to access the device. You will use your student PC for device administration.

    Part 1: Device Administration

    Step 1.1
    Create two administrator user accounts: one read-only and the other having all privileges. If you are using Security Manager, update your device after this step.

    Step 1.2
    Test each account by logging in to your Juniper Networks device through the CLI or the WebUI using the accounts just created.
    Question: What is the difference between logging in as the root and logging in as an administrator user with all privileges?

    Step 1.3
    If you are using the CLI or the WebUI, log out, then log back in as the root user (that is, login: netscreen, password: netscreen).

    Step 1.4
    Set the clock on your device to the correct time zone. If you have access to an NTP server, configure the NTP server. If not, set the clock to match your local PC. If you are using Security Manager, update your device after this step.

    Step 1.5
    If you are using the CLI, set the console timeout to 60 minutes. If you are using the WebUI, set the WebUI timeout to 60 minutes. If you are using Security Manager, skip this step; your timeout between your client and Security Manager defaults to 45 minutes.

    Step 1.6
    Enable DNS on your device. The DNS server is the classroom server (10.1.75.111). The refresh interval is 24 hours.

    Step 1.7
    Enable syslog on your device. Your PC is the syslog server (3CDaemon has syslog services). The syslog source interface is Trust. Log all events. The security facility is local0. The facility is local1. UDP is the transport mechanism.

    Step 1.8
    Create a host-based permitted IP address for your PC to manage your device directly.

    Step 1.9
    Create a host-based permitted IP address for the instructor's PC, located at 10.1.75.250.
    Question: What would happen if you reversed the order of Steps 1.8 and 1.9?

    Part 2: Configuration Management

    Note: Use the CLI for this portion of the lab unless otherwise instructed.

    Step 2.1
    Verify that your TFTP server is running on your PC by clicking its icon. Save the configuration to flash memory and then save it to your local PC using TFTP, with your group name as the file name, that is, groupname.cfg.

    Step 2.2
    Reset your device to factory defaults by clearing the configuration and performing a reset, as you did in the previous lab.

    Step 2.3
    Log in as the root administrator. Verify that previously configured values, such as hostname and syslog configuration, are restored to factory defaults.

    Step 2.4
    Set the IP address on your Trust interface to 10.X.Y.1/24.

    Step 2.5
    Restore the configuration from TFTP using the merge parameter to update the running configuration and the backup copy in flash memory.

    Step 2.6
    Verify that the configuration is restored by checking the syslog configuration.

    Step 2.7
    Issue the save config to last-known-good command to create a separate configuration file in flash memory.

    Step 2.8
    Change the system hostname to TestingRollback. Note that the prompt changes immediately. Save your changes.

    Step 2.9
    From the CLI, issue the exec config rollback command. When the unit restarts, log back in.
    Question: After rebooting, what should the system hostname be?

    Step 2.10
    View the system event log using your preferred user interface. Observe some of the recent events that were logged by your device.
    Question: List three different events shown in the log.

    Step 2.11
    On the PC, open the 3CDaemon display window. Click on the Syslog Server tab to display recently logged events. Compare those results with the event log on the device that you displayed in the previous step. Notice the similarities.

    Step 2.12
    If you are using the CLI or WebUI, save your current copy of the configuration file to flash memory and to your PC for future use.

    Note: This completes the required portion of this lab exercise. An optional exercise begins in the following step.

    Part 3: Asset Recovery (optional)

    Note: Use the CLI for this portion of the lab unless otherwise instructed.

    Step 3.1
    Save the software image from your device to your PC using TFTP.

    Step 3.2
    Issue the reset command to restart the Juniper Networks device. Assume that the software image in flash memory is corrupted and that the device will not boot completely. Interrupt the boot process when the Press key for Boot Loader message is displayed.

    Step 3.3
    Assign the IP address of the Trust interface as the Self IP, specify the address of the TFTP server, and enter the name of the ScreenOS software image that you saved earlier. The TFTP server must be accessible from the Trust interface!

    Step 3.4
    Write the newly loaded image to flash memory and activate the downloaded file. Once the operation is complete, log in and verify that the configuration file is intact and that the device is fully functional.

    Step 3.5
    Enter the get system command.
    Question: What is the serial number of your Juniper Networks device?

    Step 3.6
    Verify that asset recovery is enabled using the get admin command.

    Step 3.7
    Assume that you have forgotten the root password and now need to perform asset recovery.
    Question: How do you do this? List the steps below. If you want to do an actual asset recovery, have the instructor verify your steps before performing the procedure.

    Tell your instructor that you have completed Lab 2.
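    The Lab 1 and Lab 2 procedures above, written out as the ScreenOS 5.4 CLI commands a student would type. This is an added illustration, not part of the original guide; it assumes X = 1 and Y = 2 (Trust 10.1.2.1/24, Untrust 1.1.1.20/24, the PC at 10.1.2.5 and the NS-208 gateway 1.1.1.1 from the port table), and the account names, passwords, time zone and file name are constructed placeholders; lines beginning with ## are comments, not CLI input.

```screenos
## Lab 1, Part 1: initial configuration (constructed values: X = 1, Y = 2)
## Step 1.2: from the console, wipe the configuration and restart; answer the prompts as the lab directs
unset all
reset
## Step 1.3: log in as netscreen/netscreen, then name the device GroupX-gtY
set hostname Group1-gt2
## Step 1.4: addresses from the diagram, with Telnet management allowed on Untrust
set interface trust ip 10.1.2.1/24
set interface untrust ip 1.1.1.20/24
set interface untrust manage telnet
## Step 1.5: default route toward the NS-208 port for Group 1 (E1, 1.1.1.1)
set route 0.0.0.0/0 interface untrust gateway 1.1.1.1
## Step 1.6: the factory default Trust-to-Untrust any/any/any permit covers the instructor PC;
## list the policies and add such a permit only if it is missing
get policy
## Step 1.9: commit to flash
save

## Lab 2, Part 1: device administration
## Step 1.1: one read-only and one full-privilege administrator (names and passwords are placeholders)
set admin user auditor AuditPass1 privilege read-only
set admin user operator OperPass1 privilege all
## Step 1.4: time zone (UTC-8 shown as a placeholder) and NTP from the classroom server
set clock timezone -8
set ntp server 10.1.75.111
set clock ntp
## Step 1.5: 60-minute idle timeouts for the console and for WebUI/Telnet administrators
set console timeout 60
set admin auth timeout 60
## Step 1.6: DNS via the classroom server
set dns host dns1 10.1.75.111
## Step 1.7: syslog over UDP to the student PC, all events, facilities local0/local1, sourced from Trust
set syslog config 10.1.2.5 facilities local0 local1
set syslog config 10.1.2.5 log all
set syslog src-interface trust
set syslog enable
## Steps 1.8 and 1.9: host-based permitted management addresses, in the order the lab gives them
set admin manager-ip 10.1.2.5 255.255.255.255
set admin manager-ip 10.1.75.250 255.255.255.255
save

## Lab 2, Part 2: configuration management (3CDaemon on the PC provides TFTP and syslog)
## Step 2.1: back up to flash and to the PC, file named after the group
save
save config to tftp 10.1.2.5 group1.cfg
## Steps 2.2 to 2.4: factory reset, log back in as netscreen/netscreen, re-address Trust
unset all
reset
set interface trust ip 10.1.2.1/24
## Steps 2.5 and 2.6: merge the backup into the running and flash configurations, then check syslog
save config from tftp 10.1.2.5 group1.cfg merge
get config | include syslog
## Steps 2.7 to 2.9: snapshot, make a visible change, roll back to the snapshot
save config to last-known-good
set hostname TestingRollback
save
exec config rollback
```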

    Lab 3: Layer 3 Operations

    Overview

    This lab explores the verification of your existing configuration.

    This lab is available in two formats: a high-level format that is designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands.

    By completing this lab, you will perform the following tasks:

    Verify your existing IP configuration with get commands, ping and debug.

    Additional Information

    This lab requires you to verify your configuration.

    Network Diagram

    (Diagram: the same classroom topology as in Lab 1. NS-208 ports E1 to E4 are 1.1.1.1/24 to 1.1.4.1/24 for Groups 1 to 4; E7 10.1.75.1/24 connects the management network with the classroom server 10.1.75.111, the Security Manager server 10.1.75.222 and the instructor PC 10.1.75.250; E8 1.1.8.1/24 connects to the Internet. X = Row/Group/Port number, Y = Station; all subnet masks are /24; each student PC is 10.X.Y.5 on the Trust side of its device.)

    Part 1: Access the Management Network

    Note: You will use the CLI in addition to your preferred interface for this lab.

    Step 1.1
    View the current interface configuration to answer the following question.
    Question: In what mode is the Trust interface? In what mode is the Untrust interface?

    Step 1.2
    Question: Should you be able to ping your workgroup's port on the NS-208 device from your PC? Why or why not? (Hint: Think routing and policies.)

    Step 1.3
    Verify your answer by issuing a continuous ping from your PC to your group's port on the NS-208 device, then viewing the session on your device with the get session command from either the CLI or the troubleshooting interface of Security Manager.
    Question: What is the destination address of the return packet, and why?

    Step 1.4
    From your PC, ping the Untrust interfaces of all the Juniper Networks devices in your workgroup. Work with other members of your workgroup to resolve any connectivity issues. (Hint: Think about interface management settings.)

    Step 1.5
    From your PC, ping a neighboring PC within your workgroup.
    Question: Was the ping successful? Why or why not?

    Step 1.6
    Use the get route ip address command to verify routing to other PCs in your workgroup from either the CLI or the troubleshooting interface of Security Manager.
    Question: Is the routing correct?

    Step 1.7
    Configure your Trust interface for route mode. Configure routes to reach all other PCs in your workgroup. The existing default route allows you to reach PCs in other workgroups. If you are using Security Manager, update your device after this step.

    Step 1.8
    Verify that your device has correct routing by using the commands get route ip, ping, and traceroute from your device. Note that the ping will not be successful.
    Question: Is the traffic reaching the correct firewall? (If not, correct your routing until it is.)
    Question: If traffic is being dropped, what else could be the problem?

    Step 1.9
    Work with another individual in your workgroup for this step. Use the debug command to verify your answer to the previous question. Both of you must set the appropriate flow filters, then enable debugging. One of you then initiates a ping from your PC to your neighbor's PC. Stop the debug and compare your output to your neighbor's.

    Tell your instructor that you have completed Lab 3.

    Lab 4: Basic Policy Configuration

    Overview

    This lab explores policy configuration. First, you will create address book entries, then add groups to your device. Finally, you will establish the policies required to access the management network.

    This lab is available in two formats: a high-level format that is designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands.

    By completing this lab, you will perform the following tasks:

    Create address book entries, service groups, and policies that control access to the classroom management network and to the Internet.

    Additional Information

    This lab requires you to access the classroom management network.

    Network Diagram

    (Diagram: the same classroom topology as in Lab 1. NS-208 ports E1 to E4 are 1.1.1.1/24 to 1.1.4.1/24 for Groups 1 to 4; E7 10.1.75.1/24 connects the management network with the classroom server 10.1.75.111, the Security Manager server 10.1.75.222 and the instructor PC 10.1.75.250; E8 1.1.8.1/24 connects to the Internet. X = Row/Group/Port number, Y = Station; all subnet masks are /24; each student PC is 10.X.Y.5 on the Trust side of its device.)

    Part 1: Basic Policy Configuration

    Step 1.1
    Create address book entries for the following:
    Your PC (host entry);
    The classroom server (host entry);
    The Security Manager server (host entry);
    The instructor PC (host entry); and
    The management subnet (10.1.75.0/24).

    Step 1.2
    Create a custom service called NSM-client. Use the following parameters:
    Protocol: TCP
    Source ports: all
    Destination port: 7801

    Step 1.3
    Create a service group of the following predefined services: DNS, FTP, HTTP. Call it ClassServices.

    Step 1.4
    Create policies to match the following criteria:
    Your PC can access the Security Manager server using the following services: NSM; NSM-client; and ping.
    Your PC can access the classroom server using the ClassServices service group.
    All other traffic to the management network is denied.
    The instructor PC can access your PC using any service.
    Your PC can access the Internet using the following services (use a multi-cell policy to create this rule): DNS; FTP; HTTP; Mail; ping; SSH; and Telnet.
    All other traffic should be denied (delete your default policy).
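    Lab 3 (Steps 1.7 and 1.9) and Lab 4 Part 1 (Steps 1.1 to 1.4) above as ScreenOS 5.4 CLI. This is an added example, not the guide's own text; it assumes X = 1, Y = 2 for the student PC (10.1.2.5 behind Untrust 1.1.1.20) and a neighbour at Y = 3 (PC 10.1.3.5 behind Untrust 1.1.1.30), the address book and policy names are constructed, and ## lines are comments.

```screenos
## Lab 3, Step 1.7: Trust in route mode plus a route to the neighbour's PC network via the
## neighbour's Untrust address (the neighbour adds the mirror-image route on their device)
set interface trust route
set route 10.1.3.0/24 interface untrust gateway 1.1.1.30
## Lab 3, Step 1.9: flow debugging narrowed to one PC-to-PC conversation (run on both devices)
set ffilter src-ip 10.1.2.5 dst-ip 10.1.3.5
clear dbuf
debug flow basic
## ... ping 10.1.3.5 from the PC now, then stop and read the debug buffer
undebug all
get dbuf stream

## Lab 4, Step 1.1: address book entries (the management hosts lie beyond the Untrust interface)
set address trust "MyPC" 10.1.2.5 255.255.255.255
set address untrust "ClassServer" 10.1.75.111 255.255.255.255
set address untrust "SMServer" 10.1.75.222 255.255.255.255
set address untrust "InstructorPC" 10.1.75.250 255.255.255.255
set address untrust "MgmtNet" 10.1.75.0 255.255.255.0
## Step 1.2: custom service NSM-client, TCP, any source port, destination port 7801
set service "NSM-client" protocol tcp src-port 0-65535 dst-port 7801-7801
## Step 1.3: service group of the predefined DNS, FTP and HTTP services
set group service "ClassServices"
set group service "ClassServices" add DNS
set group service "ClassServices" add FTP
set group service "ClassServices" add HTTP
## Step 1.4: policies. ScreenOS evaluates top-down and the first match wins, so the specific
## permits to management hosts come before the management-network deny, and that deny comes
## before the broad Internet permit.
## MyPC -> Security Manager server: NSM, NSM-client and ping in one multi-cell policy
set policy id 1 from trust to untrust "MyPC" "SMServer" "NSM" permit
set policy id 1
set service "NSM-client"
set service "PING"
exit
## MyPC -> classroom server through the service group
set policy id 2 from trust to untrust "MyPC" "ClassServer" "ClassServices" permit
## everything else toward the management network is denied
set policy id 3 from trust to untrust any "MgmtNet" any deny
## instructor PC -> MyPC, any service
set policy id 4 from untrust to trust "InstructorPC" "MyPC" any permit
## MyPC -> Internet: DNS, FTP, HTTP, MAIL, PING, SSH and TELNET as a multi-cell policy
set policy id 5 from trust to untrust "MyPC" any "DNS" permit
set policy id 5
set service "FTP"
set service "HTTP"
set service "MAIL"
set service "PING"
set service "SSH"
set service "TELNET"
exit
## remove the factory default Trust -> Untrust any/any/any permit so that anything not listed
## above is dropped; it is id 0 on a factory-default unit, but confirm the id with get policy first
unset policy id 0
get policy
save
```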

    Use the following space to plan your policies. Carefully consider the policy order! If you are using Security Manager, update your device after this step. (You will lose the connection to the Security Manager server.)

    Step 1.5
    Verify the class server policy by using ping, FTP, TFTP, and HTTP to the classroom server. The ping should fail; the other services should be available.

    Step 1.6
    Verify the policy denying access to other devices on the management network by trying to connect to the instructor PC.

    Step 1.7
    Verify the Internet policy by accessing the Internet.

    Step 1.8
    Ask the instructor to verify your policy allowing the instructor PC to connect to your PC.

    Tell your instructor that you have completed Lab 4.

    Lab 5: Policy Options

    Overview

    This lab explores the policy options available using a Juniper Networks device. You will configure and verify logging and counters. You will also explore WebAuth.

    This lab is available in two formats: a high-level format that is designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands.

    By completing this lab, you will perform the following tasks:

    Configure and verify logging and counters.
    Configure and test WebAuth.

    Additional Information

    This lab requires you to use your ScreenOS device to verify logging and counters.

    Network Diagram

    (Diagram: the same classroom topology as in Lab 1. NS-208 ports E1 to E4 are 1.1.1.1/24 to 1.1.4.1/24 for Groups 1 to 4; E7 10.1.75.1/24 connects the management network with the classroom server 10.1.75.111, the Security Manager server 10.1.75.222 and the instructor PC 10.1.75.250; E8 1.1.8.1/24 connects to the Internet. X = Row/Group/Port number, Y = Station; all subnet masks are /24; each student PC is 10.X.Y.5 on the Trust side of its device.)

    Part 1: Policy Options

    Step 1.1
    Add logging and counting to all your policies. Enable logging on both session start and close. If you are using Security Manager, update your device after this step. (You will lose the connection to the Security Manager server.)

    Step 1.2
    Access the classroom server and the Internet again using ping and HTTP.

    Step 1.3
    Check the counters from the WebUI.
    Question: What is the peak value for bytes/second?
    Question: What is the peak value for Kbytes/minute?

    Step 1.4
    Check the logs.
    Question: How many sessions were established to the classroom server?
    Question: What is the duration of the longest session?

    Part 2: WebAuth

    Step 2.1

    Step 2.2

    Step 2.3

    Step 2.4
    Using the CLI, clear all existing sessions using the clear session all command. Try to access the classroom server again. If WebAuth is properly configured, you will be unable to reach the classroom server.

    Step 2.5
    Browse to the WebAuth address and authenticate using the username and password you created in Step 2.1.

    Step 2.6

    Step 2.7
    Verify that the policy is now allowing you to access the instructor PC.

    Step 2.8
    Use the get user name and get auth table commands to view information about your authentication.

    Tell your instructor that you have completed Lab 5.

    Lab 6: Address Translation

    Overview

    This lab explores multiple NAT configurations.

    This lab is available in two formats: a high-level format that is designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands.

    By completing this lab, you will perform the following tasks:

    Configure source NAT (NAT-src).
    Configure destination NAT (NAT-dst).
    Configure a virtual IP (VIP) address.
    Configure a mapped IP (MIP) address.

    Additional Information

    This lab requires you to configure NAT.

    Network Diagram

    (Diagram: the same classroom topology as in Lab 1. NS-208 ports E1 to E4 are 1.1.1.1/24 to 1.1.4.1/24 for Groups 1 to 4; E5 is HA; E7 10.1.75.1/24 connects the management network; E8 1.1.8.1/24 connects to the Internet. X = Row/Group/Port number, Y = Station; all subnet masks are /24.)

    Part 1: NAT-src

  • 5/13/2018 Juniper - Configuring Juniper Networks Firewall.ipsec VPN Products - High-Level Lab Guide

    Configuring Jun iper Networks Firewal lj lPSec VPN Products

    Step 1.10

    Step 1.11

    Step 1.12

    Step 1.13

    Step 2.3Create a fou r-en tr y D IP add ress poo l on the Unt ru st i nter fa ce , u si ng anaddress tha t s ta rts twoh ighe r than the i nter fa ce IPadd ress . For examp le , i f the Unt ru st i nter fa ce IPadd ress i s1 .1 .6 .10, the D IP add ress poo l w il l b e 1 .1 .6 .12-1.1.6.15 . I f you a re usi ng Secur it y Manager ,mod ify the g loba l D IP add ress to i nc lude thi s new D IP add ress poo l and remove the D IPadd ress poo l f rom the p revi ous s tep.

    Step 2.4

    Mod ify you r NAT-s rc pol ic y to use the mul ti -e nt ry D IP add ress poo l. I f you a re usi ng Secur it yManager , you do not need to mod ify you r pol ic y; s impl y update you r dev ice. (Youw il l l ose theconnection to Security Manager.) .'. Step 2.5Ii/.Fromyour PC, beg in a con ti nuous p ing (ping -t at t he c ommand p romp t) t o o ne of t heUntrust inter faces. Issue a get session command.

    Quest ion: Whi ch add ress i n the D IP add ress poo l i sbeing used for translation?

    II

    Ii-Issue the get session command again .

    Question: D id the address used for transla tion change?Why o rwhy not? Step 2.6 Part 3: VIP Address

    Configuring Jun iper Networks Firewal lj lPSec VPN

    Create a s ta ti c rou te to thi s hos t add ress usi ng the Trust i nter fa ce as the outbound i(Youdo not need to speci fy a nex t-hop add ress ; thi s rou te w il l b e used for t rans la ti on

    Usi ng NAT-dst add ress t rans la ti on , c reate a pol ic y tha t a ll ows any dev ice to p ing you raccessing the public address. Enable logging in the pol icy.

    Work w ith a nei ghbo r to tes t each o thers' con fi gu ra ti ons usi ng p ing. When you havesuccessfu l p ing, issue the get session command and ver ify that transla tion istakA fter you c lo se you r sessi on , v iew the t ra ff ic l og .

    NoteI f you a re tak ing thi s c la ss v ia e -l ea rn tng, a sk theinstructor to test your configuration.

    Quest io n: Shoul d you beab le to p ing the i ns tr uc to r PCf rom you r PC?Why o rwhy not?

    Ver if y you r answe r byp i ng ing the i ns tr uc to r PC.

    Part 2: Destination NAT

    Step 2.1

    Step 2.2

    Trust UntrustTorest o fworkgroup/classroom ealaddress 102iY5Publicaddress 1 LXY1:6 Step 3.1

    Reconfigure NAT-src to use the inter face address for transla tion.

    The pub li c add ress for you r PC i s 1.1.xY.Y6. For examp le , i f you a re PC2 i nGroup 1 ,your PC' spub li c add ress w il l b e 1 .1 .12.26 . C reate an add ress book ent ry for you r pub li c PCadd ress i nthe Trust zone.

    Trust UntrustTorest o fworkgroup/classroom

    1.lX1:9

    The VIP address is 1.1.X.Y9. Create the VIP address on the Untrust inter face using theport mappings:

HTTP maps to your PC (10.X.Y.5) port 80. FTP maps to 10.X.Y.5 port 21.

If you are using Security Manager, add this VIP address to a global VIP address, using … name as the name of the global VIP address.


    Step 3.2

    Step 3.3

    Step 3.4

    Step 3.5

Create address book entries for the other PCs in the classroom. (Hint: NAT-src is still in place on all student firewalls.)

Step 4.4

Create a policy that allows other PCs in the classroom, including the instructor PC, to access the VIP address and services. If you are using Security Manager, update your device after this step.

Start the Xitami and 3CDaemon applications on your PC. These applications open ports 80 and 21 respectively.

    Step 4.5

Work with a neighbor to test each other's configuration. When someone has successfully opened a browser session to your VIP address, issue the get session command to verify that translation is taking place.

Question: When browsing to your neighbor's PC, what is the source address your neighbor sees, and why?

Step 4.6

Part 4: MIP Address

    Step 4.1

    Step 4.2

    Step 4.3

Diagram: Trust and Untrust interfaces, to the rest of the workgroup/classroom. Real address 10.X.Y.5; MIP 1.1.X.Y7.

Remove all policies. The only policy that should exist on your Juniper Networks device should be from Trust to Untrust, any any any permit.

Create a MIP address on the Untrust interface. Use 1.1.X.Y7 as the MIP address. Create policies to allow the following:

All PCs in the classroom should be able to access your PC using your MIP address. You should be able to reach all PCs in the classroom using their MIP address.


Work with a neighbor to test each other's configurations using ping. When you have a successful ping, begin a continuous ping to the same IP address, then issue the get session command to verify that outbound address translation is occurring. Be sure to verify translation in both directions (inbound and outbound).

Note: If you are taking this class via e-learning, ask the instructor to test your configuration.

Question: If both NAT-src and a MIP address are configured, which takes precedence? Assume that the traffic in question matches the NAT-src policy and that the egress interface has a MIP address configured for the traffic source address.

Verify your answer: re-enable basic NAT-src in your Trust-to-Untrust policy, and issue a continuous ping to the instructor PC.
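The four translation types this lab exercises (NAT-src from a DIP pool, NAT-dst, VIP, MIP), as ScreenOS 5.x CLI for a student device in Group 1, station 1. This is an added example, not part of the lab guide; lines beginning with "#" are notes rather than commands, and the DIP id, the pool range, and the address-book names are constructed.

```screenos
# Added example, not from the lab guide. Assumes X=1, Y=1: PC 10.1.1.5 behind
# trust 10.1.1.1/24 and untrust 1.1.1.10/24. DIP id 5, the pool
# 1.1.1.20-1.1.1.30 and the address-book names are constructed; the public
# (1.1.X.Y6), VIP (1.1.X.Y9) and MIP (1.1.X.Y7) addresses follow the lab.

# NAT-src from a multi-entry DIP pool (Steps 2.4-2.6)
set interface untrust dip 5 1.1.1.20 1.1.1.30
set policy id 10 from trust to untrust any any any nat src dip-id 5 permit log
get session        # run twice while "ping -t" is active and compare the translated source

# Destination NAT: the public address 1.1.1.16 reaches the PC at 10.1.1.5
unset policy id 10
set policy from trust to untrust any any any nat src permit      # interface-based NAT-src
set address trust "pc-public" 1.1.1.16 255.255.255.255
set route 1.1.1.16/32 interface trust      # no next hop: only consulted for the translation
set policy from untrust to trust any "pc-public" PING nat dst ip 10.1.1.5 permit log
get session
get log traffic

# VIP: 1.1.1.19 forwards HTTP and FTP to the PC (where Xitami and 3CDaemon listen)
set interface untrust vip 1.1.1.19 80 HTTP 10.1.1.5
set interface untrust vip 1.1.1.19 21 FTP 10.1.1.5
set address untrust "workgroup-public" 1.1.1.0 255.255.255.0       # neighbours as seen after their NAT-src
set address untrust "instructor-pc" 10.1.75.250 255.255.255.255
set policy from untrust to trust "workgroup-public" "VIP(1.1.1.19)" HTTP permit
set policy from untrust to trust "workgroup-public" "VIP(1.1.1.19)" FTP permit
set policy from untrust to trust "instructor-pc" "VIP(1.1.1.19)" HTTP permit

# MIP: 1.1.1.17 is a one-to-one, bidirectional mapping for 10.1.1.5
get policy                                  # then unset policy id <n> for all but trust->untrust any any any permit
set interface untrust mip 1.1.1.17 host 10.1.1.5 netmask 255.255.255.255 vrouter trust-vr
set policy from untrust to trust any "MIP(1.1.1.17)" any permit
get session                                 # compare the translated addresses for inbound and outbound flows
save
```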

Tell your instructor that you have completed Lab 6.


Lab 7: Transparent Mode

Overview

This optional lab explores the configuration of transparent mode. This lab is available in two formats: a high-level format that is designed to make you think through each step, and a detailed format that offers step-by-step instructions complete with sample output from most commands. By completing this lab, you will perform the following tasks:

Configure the Trust and Untrust interfaces for use in transparent mode. Use the zone and IP address scheme from the following diagram. Allow management on VLAN1 for Web only.

Verify transparent mode functionality.

This optional lab requires you to configure transparent mode.


Network Diagram

    Step 1.4

Part 1: Transparent Mode

The classroom network is divided into four workgroups, with each workgroup connected to a port on an NS-208 device via a hub. A workgroup, as shown here, contains four NS-5XP, NS-5XT, or NS-5GT devices and four PCs. Each PC in the workgroup is connected to a Juniper Networks device via the Trust interface and the console port. The instructor will assign each student to a workgroup, and each workgroup will correspond to a port on the NS-208 device. For example, if you are in Workgroup 1, your hub is connected to port E1 on the NS-208 device. Fill in your assigned X and Y values below: X = ___ Y = ___

    Step1.1

    Step 1.2

    Step 1.3

Port   Address        Connects to   Zone
E1     1.1.1.1/24     Group1        Group1
E2     1.1.2.1/24     Group2        Group2
E3     1.1.3.1/24     Group3        Group3
E4     1.1.4.1/24     Group4        Group4
E5     N/A            N/A           N/A
E6
E7     10.1.75.1/24   Management    Mgmt
E8     1.1.8.1/24     Internet      Internet

Diagram: X = Row/Group/Port, Y = Station; all subnet masks are /24. Untrust 1.1.X.Y0, Trust 10.X.Y.1, PC 10.X.Y.5. Server 10.1.75.111; Security Manager 10.1.75.222; Instructor PC 10.1.75.250.


Step 1.5

    Step 1.6

Unset your Juniper Networks device to factory defaults and reset the device.

Configure your PC with the following IP addresses: IP: 1.1.X.Y1, Mask: 255.255.255.0, Gateway: 1.1.X.1

Using the console connection, put the interfaces in their respective Layer 2 zones. Unset the IP address on the Trust interface: unset int trust ip. Assign the Trust interface to the V1-Trust zone, and the Untrust interface to the V1-Untrust zone.

Question: Will the Juniper Networks device allow you to configure any IP address on the Untrust interface?

Using the console connection, give the ScreenOS device an IP address. You will use this address so your PC can Telnet to the ScreenOS device.

Use 1.1.X.Y0/24.

Question: On which interface did you configure the IP address in the previous step?

Disable all services on the VLAN1 interface except for Telnet.

Question: Can you open a Telnet session?

Question: Can you open a WebUI session?

Display the MAC table on the Juniper Networks device.

Question: To which device does the Trust zone MAC address belong?


Display the management settings for the V1-Trust zone.

Question: What services are enabled?
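The transparent-mode configuration that this lab builds up, from the factory reset through the ping-only policy of the final steps, as ScreenOS 5.x CLI for X=1, Y=1. This is an added example, not part of the lab guide; lines beginning with "#" are notes rather than commands, and the address-book names are constructed.

```screenos
# Added example, not from the lab guide. Assumes X=1, Y=1: VLAN1 management
# address 1.1.1.10/24, the PC at 1.1.1.11/24 with gateway 1.1.1.1 (NS-208 port
# E1), instructor PC 10.1.75.250. Address names "my-pc" and "instructor-pc" are
# constructed.

unset all                                  # Step 1.1: factory defaults; the reset prompts before discarding
reset
# Step 1.2 is done on the PC: 1.1.1.11/255.255.255.0, gateway 1.1.1.1

unset interface trust ip                   # Step 1.3: a Layer 2 zone member carries no IP address
set interface trust zone v1-trust
set interface untrust zone v1-untrust

set interface vlan1 ip 1.1.1.10/24         # Step 1.4: management lives on VLAN1 in transparent mode

set interface vlan1 manage telnet          # Step 1.5: Telnet only on the interface
unset interface vlan1 manage web
unset interface vlan1 manage ssl
unset interface vlan1 manage ping
unset interface vlan1 manage snmp
unset interface vlan1 manage ssh

get mac-learn                              # Step 1.6: the MAC table, per Layer 2 zone
get zone v1-trust                          # Step 1.7: zone settings, including management
unset zone v1-trust manage telnet          # Step 1.8: interface and zone settings are both checked

ping 1.1.1.1                               # Step 1.9: from the CLI, then re-read get mac-learn

# Steps 1.12-1.13: ping-only policy with /32 addresses, then watch the session
set address v1-trust "my-pc" 1.1.1.11 255.255.255.255
set address v1-untrust "instructor-pc" 10.1.75.250 255.255.255.255
set policy from v1-trust to v1-untrust "my-pc" "instructor-pc" PING permit
get session                                # while "ping 10.1.75.250 -t" runs on the PC
```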


    Step 1.7

    Step 1.8

    Step 1.9

    Step 1.10

    Step 1.11

    Step 1.12

    Step 1.13

Disable Telnet on the V1-Trust zone.

Answer the following question:

Question: Can you now use Telnet to access the device? Why?

Ping the NS-208 device from your CLI.

Answer the following question:

Question: Whose MAC address should you expect to see added in this table?

Question: Can you now ping the NS-208 device from your PC? Why or why not?

From your PC, ping the instructor's PC. It should not work.

Configure a policy to allow only ping to reach the instructor PC. Use /32 masks for your addresses.

Generate a continuous ping from your PC (command: ping 10.1.75.250 -t) to the instructor PC. From the console, issue a get session command.

Question: What is the destination address of the return packet, and why?

Tell your instructor that you have completed Lab 7.

Lab 8: Policy-Based VPNs

Overview

This lab explores the configuration of policy-based VPN. This lab is available in two formats: a high-level format that is designed to make you think through each step, and a detailed format that offers step-by-step instructions complete with sample output from most commands. By completing this lab, you will perform the following tasks:

Configure your firewall for basic connectivity: IP reachability; and policy allowing your PC to communicate with the Security Manager.

Configure a VPN between your device and the central firewall device using policy-based VPNs on your firewall.

Demo: Using VPN Manager to create policy-based VPNs.


Network Diagram

Diagram: Mgmt zone and Untrust zone.

Part 1: Basic Connectivity

This lab requires you to enable a VPN on your device.

Step 1.1

Confirm that the IP address configuration of your PC is correct as per the lab diagram. If not assigned already, obtain your X and Y value from the instructor and write it in the space provided. These values will be assigned to you for the remainder of the course.

IP address: 10.K.Y.5 (K is your row and group; Y is your workstation). Mask: 255.255.255.0. Gateway: 10.K.Y.1 (the Trust interface on your NS-5GT device).

Diagram: Untrust zone; X is your group number, Y is your workstation number.

Fill in: X value, Y value, PC IP address, PC gateway.

Step 1.2

Using the console connection, reset the device to the factory-default configuration … save the configuration if prompted to do so.

Step 1.3

After the device is reset, log in using the default username/password of netscreen. Set the hostname of your device to GroupK-gtY.

    Step 1.4

Configure your device with the IP addresses shown in the diagram:

Trust: 10.K.Y.1/24; Untrust: 1.1.K.Y0/24

Note: At this point you can choose to begin using the WebUI, or you can continue using the CLI.

Step 1.5

Set a default route using the gateway address specified previously. This address is already configured on the NS-208 device.

Step 1.6

Enable Telnet, Web, and ping management on the Untrust interface.


    Step 1.7

    Step 1.8

    Step 1.9

    Step 1.10

    Step 1.11

    Step 1.12

    Step 1.13

Step 2.1

Ensure that a policy exists to allow your PC to access the Instructor network.

Verify IP connectivity by issuing a ping from your PC to the NS-208 interface (1.1.K.1).

Verify IP connectivity by issuing a ping from your PC to the classroom server (10.1.75.111).

    Step 2.2

If you are using the CLI, save your configuration to flash memory. If you are using the WebUI, your changes are saved automatically.

Note: If you are not using Security Manager, proceed to Part 2 of this lab.

Open the Security Manager client and use the login super and the password netscreen.

Add your device to the list of managed devices. Use the syntax GroupK-gtY for the device name.

    Step 2.5

Step 2.3

Import your configuration.

Part 2: VPN Configuration

Step 2.4

Note: If you are using Security Manager, do not use VPN Manager for this portion of the lab.

Step 2.6

Diagram: Mgmt zone and Untrust zone; X is your group number, Y is your workstation number.

Step 2.7

Configure an IKE gateway on your firewall device using the following parameters:

Gateway name: GroupK-gtY-GW (for example, group1-gt1-GW).

Remote gateway type: Static IP address.
Remote IP address: See diagram.
Outbound interface: See diagram.
Preshared key: Ask the instructor what is set on the instructor NS-208 device.
Security level: Standard.

Note: The instructor will configure the VPN configuration on the instructor NS-208 device. Ask your instructor what preshared key to use.

Configure an AutoKey IKE VPN on your device using the following parameters: VPN name: GroupK-gtY-VPN (for example, group1-gt1-VPN); Security level: Standard; and Phase 1 gateway: GroupK-gtY-GW (the gateway you created in Step 1).

Define address objects for your PC and for the classroom server at 10.1.75.111.

Configure policies on your firewall that tunnel traffic from your PC to the classroom server at 10.1.75.111 and vice versa. Make sure your policies are placed at the top of the policy list.

If you are using the CLI, save your configuration on both devices. If you are using Security Manager, update the configuration of both devices.

Verify connectivity by issuing a ping from your PC to the classroom server. If the tunnel is not established, use the troubleshooting commands we discussed in the class lecture to … the issues.
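Part 2 of this lab (IKE gateway, AutoKey IKE VPN, address objects and tunnel policies) as ScreenOS 5.x CLI for group1-gt1, followed by the show commands that answer the verification questions in the next step. This is an added example, not part of the lab guide; lines beginning with "#" are notes rather than commands, the remote gateway address 1.1.1.1 is assumed from the NS-208 port table, the preshared key is a placeholder, and the address-book names are constructed.

```screenos
# Added example, not from the lab guide. Assumes group1-gt1 with trust
# 10.1.1.1/24 and untrust 1.1.1.10/24, the NS-208 peer at 1.1.1.1 (port E1 in
# the port table; the diagram is authoritative) and a placeholder preshared key.

# Part 1: basic connectivity, saved to flash
set hostname group1-gt1
set interface trust ip 10.1.1.1/24
set interface untrust ip 1.1.1.10/24
set route 0.0.0.0/0 interface untrust gateway 1.1.1.1
set interface untrust manage telnet
set interface untrust manage web
set interface untrust manage ping
set policy from trust to untrust any any any permit
save

# Steps 2.1-2.2: Phase 1 gateway (main mode, static peer) and Phase 2 VPN
set ike gateway group1-gt1-GW address 1.1.1.1 main outgoing-interface untrust preshare "ASK-INSTRUCTOR" sec-level standard
set vpn group1-gt1-VPN gateway group1-gt1-GW sec-level standard

# Steps 2.3-2.4: address objects and tunnel policies placed at the top of the list
set address trust "my-pc" 10.1.1.5 255.255.255.255
set address untrust "classroom-server" 10.1.75.111 255.255.255.255
set policy top from trust to untrust "my-pc" "classroom-server" any tunnel vpn group1-gt1-VPN
set policy top from untrust to trust "classroom-server" "my-pc" any tunnel vpn group1-gt1-VPN
save

# Steps 2.6-2.8: trigger the tunnel, then read the Phase 1 and Phase 2 state
ping 10.1.75.111
get ike cookie        # Phase 1 SAs and the negotiated proposal
get sa active         # Phase 2 SAs: algorithms, protocol and the policy id (PID) each SA belongs to
get session tunnel    # sessions currently traversing the tunnel
```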

Use the commands discussed in class to answer the following questions:

Question: What encryption algorithm is used in Phase 1? Which command did you use to verify this?


Question: What authentication algorithm is used in Phase 2? Which command did you use to verify this?

Question: What policy number is being used for each SA on your device?

Question: What IP protocol is being used for the tunnel?

Step 2.8

Generate a continuous ping from your PC to the classroom server (ping 10.1.75.111 -t on your PC). Issue the command get session tunnel. When you have the output, cancel the ping.

Part 3: Demo: VPN Manager

Step 3.1

Watch the demo using VPN Manager to create policy-based VPNs.

Tell your instructor that you have completed Lab 8.

Lab 9: Route-Based VPNs

Overview

This lab explores the configuration of route-based VPNs. This lab is available in two formats: a high-level format that is designed to make you think through each step, and a detailed format that offers step-by-step instructions complete with sample output from most commands. By completing this lab, you will perform the following tasks:

Configure a route-based and tunnel-based AutoKey IKE VPN from your local network to the instructor PC network.

Verify VPN functionality.

Demo: Using VPN Manager to create route-based VPNs.

This lab requires you to enable VPN on your device.


Network Diagram

The classroom network is divided into four workgroups, with each workgroup connected to a port on an NS-208 device via a hub. A workgroup, as shown here, contains four NS-5XP, NS-5XT, or NS-5GT devices and four PCs. Each PC in the workgroup is connected to a Juniper Networks device via the Trust interface and the console port. The instructor will assign each student to a workgroup, and each workgroup will correspond to a port on the NS-208 device. For example, if you are in Workgroup 1, your hub is connected to port E1 on the NS-208 device. Fill in your assigned X and Y values below: X = ___ Y = ___

Port   Address        Connects to   Zone
E1     1.1.1.1/24     Group1        Group1
E2     1.1.2.1/24     Group2        Group2
E3     1.1.3.1/24     Group3        Group3
E4     1.1.4.1/24     Group4        Group4
E5     N/A            N/A           N/A
E6
E7     10.1.75.1/24   Management    Mgmt
E8     1.1.8.1/24     Internet      Internet

Diagram: Server 10.1.75.111; Security Manager 10.1.75.222; Instructor PC 10.1.75.250. X = Row/Group/Port, Y = Station; all subnet masks are /24. Untrust and Trust interfaces; PC 10.X.Y.5.


Configure your ScreenOS device with the IP addressing as per the lab diagram. Trust: 10.K.Y.1/24; Untrust: 1.1.K.Y0/24


Part 1: Basic Connectivity

Step 1.1

Confirm that the IP configuration of your PC is correct as per the lab diagram. If not assigned already, obtain your X and Y value from the instructor and write it in the space provided. These values will be assigned to you for the remainder of the course:

IP address: 10.K.Y.5 (K is your row and group; Y is your workstation). Mask: 255.255.255.0. Gateway: 10.K.Y.1 (the Trust interface on your 5GT device).

Fill in: X value, Y value, PC IP address, PC gateway.

Step 1.2

Erase the configuration of your Juniper Networks device.

Step 1.3

After the device is reset, log in using the default username and password of netscreen. Set the hostname of your device to GroupK-gtY.

    Step 1.4

Note: At this point you can choose to begin using the WebUI, or you can continue using the CLI.

Step 1.5

Set a default route using the gateway address specified previously. This address is already configured on the NS-208 device.

Step 1.6

Enable Telnet, Web, and ping management on the Untrust interface.


Ensure that a policy exists to allow your PC to access the instructor network.

Step 2.2

Step 1.7

    Step 1.8

    Step 1.9

    Step 1.10

    Step 1.11

    Step 1.12

    Step 1.13

Step 2.3

Verify IP connectivity by issuing a ping from your PC to the NS-208 interface (1.1.K.1).

Verify IP connectivity by issuing a ping from your PC to the classroom server (10.1.75.111).

If you are using the CLI, save your configuration to flash memory. If you are using the WebUI, your changes are saved automatically.

Step 2.4

Note: If you are not using Security Manager, proceed to Part 2 of this lab.

Step 2.5

Open the Security Manager client using the login super and the password netscreen.

Add your device to the list of managed devices. Use the syntax GroupK-gtY for the device name.

Import your configuration.

Part 2: VPN Configuration

Step 2.6

    Step 2.1

Note: If you are using Security Manager, do not use VPN Manager for this portion of the lab.

Step 2.7

Diagram: Mgmt zone; X is your group number, Y is your workstation number.

Step 2.8

Configure a tunnel interface on your ScreenOS device. The interface should be in the Trust zone, with its IP address unnumbered using the Trust interface.


On the instructor NS-208 device, remove the VPN policies from the previous lab (if present).

Configure a tunnel interface on the instructor NS-208 device. The interface should be in the Instructor zone, with its IP address unnumbered using the interface bound to the instructor zone; use the number of your tunnel interface. You will not configure the instructor NS-208 device using Security Manager.

Note: Multiple users will simultaneously be configuring the instructor NS-208 device. Make sure you note the number of your own tunnel interface.

Configure a route entry on your ScreenOS device that directs traffic to 10.1.75.0/24 via the tunnel interface.

Configure a route entry on the instructor NS-208 device that directs traffic to your 10.… subnet via the tunnel interface. You will not configure the instructor NS-208 device using Security Manager.

Note: Multiple users will simultaneously be configuring the NS-208 device. Make sure you use your tunnel interface.

Configure an IKE gateway on both your ScreenOS device and the instructor NS-208 device with the Standard security level. You will not configure the instructor NS-208 device using Security Manager.

Configure an AutoKey IKE entry on both your ScreenOS device and the instructor NS-208 device. In the Advanced screen, bind the VPN entry to the tunnel interface you created in the previous steps. You will not configure the instructor NS-208 device using Security Manager.

Note: Multiple users will simultaneously be configuring the instructor NS-208 device. Make sure you use your tunnel interface.

Verify connectivity by issuing a ping from your PC to the instructor server, 10.1.75.111.


Step 2.9

Question: Verify that the correct route is chosen for ping 10.1.75.111. What command do you use? What is the egress interface?

Step 2.10

Verify that IKE Phase 1 and Phase 2 have completed.

Question: What commands did you use?

Question: What policies are required for this network design?

Step 2.11

Enter the get sa active command.

Question: What is listed for the PID?

Step 2.12

Save your configuration to flash memory.
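The route-based VPN of Part 2 as ScreenOS 5.x CLI, for both the student device and the instructor NS-208, followed by the show commands used in Steps 2.9 through 2.11. This is an added example, not part of the lab guide; lines beginning with "#" are notes rather than commands. It assumes group1-gt1, tunnel interface number 1, NS-208 peer address 1.1.1.1 and a placeholder preshared key; <INSTRUCTOR-ZONE> and <INSTRUCTOR-IF> are placeholders for the NS-208 zone and interface named in the lab diagram.

```screenos
# Added example, not from the lab guide. Assumes group1-gt1 (trust 10.1.1.1/24,
# untrust 1.1.1.10/24), tunnel.1 on both ends, the NS-208 reached at 1.1.1.1
# through its port E1 (ethernet1), and a placeholder preshared key.
# <INSTRUCTOR-ZONE> and <INSTRUCTOR-IF> are placeholders taken from the diagram.

# Student device: Steps 2.1, 2.4, 2.6 and 2.7
set interface tunnel.1 zone trust
set interface tunnel.1 ip unnumbered interface trust
set route 10.1.75.0/24 interface tunnel.1
set ike gateway group1-gt1-GW address 1.1.1.1 main outgoing-interface untrust preshare "ASK-INSTRUCTOR" sec-level standard
set vpn group1-gt1-VPN gateway group1-gt1-GW sec-level standard
set vpn group1-gt1-VPN bind interface tunnel.1      # CLI form of the WebUI "Advanced" binding
save

# Instructor NS-208, entered on its own console: Steps 2.2, 2.3, 2.5, 2.6 and 2.7
get policy                                          # then unset policy id <n> for each Lab 8 tunnel policy
set interface tunnel.1 zone <INSTRUCTOR-ZONE>
set interface tunnel.1 ip unnumbered interface <INSTRUCTOR-IF>
set route 10.1.1.0/24 interface tunnel.1
set ike gateway group1-gt1-GW address 1.1.1.10 main outgoing-interface ethernet1 preshare "ASK-INSTRUCTOR" sec-level standard
set vpn group1-gt1-VPN gateway group1-gt1-GW sec-level standard
set vpn group1-gt1-VPN bind interface tunnel.1

# Student device: Steps 2.8-2.11
ping 10.1.75.111
get route ip 10.1.75.111     # the route selected for the server and its egress interface
get ike cookie               # Phase 1 state
get sa active                # Phase 2 SAs, including the PID column
```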

Part 3: Demo: Using VPN Manager

Step 3.1

Watch the demo of VPN Manager.

Tell your instructor that you have completed Lab 9.