Comparable Sample Configuration:
»Cisco Forum FAQ »Configure PIX/ASA as both Internet Firewall and VPN Concentrator

Description

* In this sample configuration, the Juniper SRX functions as a single-box Internet gateway: it peers with the ISP over eBGP (so no separate router is needed), acts as the Internet firewall in front of an internal mail server, performs NAT/PAT for the internal machines in the Trust zone, and acts as the Internet IPsec VPN concentrator for remote users connecting over the Untrust zone (in this case, the Internet).
* The LAN subnet is 172.16.2.0/24 (Trust zone), while 1.1.1.0/24 is the public IP subnet assigned by the ISP; it provides the firewall's SSH management address and the NAT/PAT addresses. Note that 1.1.1.1 is the NAT-ed address of the mail server, 1.1.1.253 is the PAT-ed address that internal machines use to reach the Internet, and 1.1.1.254 is the firewall's SSH management address.
* Remote users can use any PC or server running any operating system. Using Juniper-approved remote IPsec VPN client software such as Junos Pulse to connect to the firewall is suggested.
* Once a remote user establishes an IPsec VPN tunnel to the firewall, the remote PC is assigned an IP address from the 192.168.0.0/24 range.
* Split tunneling is in place: traffic to and from 192.168.0.0/24 goes through the tunnel while other traffic (i.e. the remote PC's Internet traffic) goes outside it. In this sample configuration, both the LAN subnet (172.16.2.0/24) and the remote VPN subnet (192.168.0.0/24) are reachable only through the tunnel; all other traffic bypasses it. You can add more LAN subnets to be reachable through the tunnel by listing them under remote-protected-resources, while the traffic that goes outside the tunnel is listed under remote-exceptions, which activates the split tunnel. When the remote PC is a Windows machine, you can verify the split tunnel by issuing route print or netstat -r to display the PC's routing table.
* You may notice the permit any-any rule for inbound traffic from Untrust (the Internet) to Trust (the LAN), which is applied as an encrypted-tunnel policy (permit { tunnel { ipsec-vpn dyn-vpn } }). Although this rule may look like a security risk, no unencrypted traffic passes through it, since the permit is bound to the IPsec VPN tunnel and therefore only applies to IPsec VPN traffic. Inbound plain-text (unencrypted) traffic that does not match the IPsec VPN policy is dropped by the firewall.
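As an added illustration of the split-tunnel rule above (example code, not part of the original FAQ and not Junos or Junos Pulse code), the following Python script models the client-side decision using the page's remote-protected-resources and remote-exceptions values, and adds a check for exceptions that carve a hole in a protected subnet. The longest-prefix-wins rule, the function names and the 172.16.2.4/32 "misconfigured exception" used in the demo are assumptions of this model.

```python
import ipaddress

# Values taken from the page's dynamic-vpn client stanza (clients IT_Support):
# remote-protected-resources go through the tunnel, remote-exceptions do not.
REMOTE_PROTECTED_RESOURCES = ["192.168.0.0/24", "172.16.2.0/24"]
REMOTE_EXCEPTIONS = ["0.0.0.0/0"]


def _longest_match(dst, prefixes):
    """Return the most specific prefix in `prefixes` that contains `dst`, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=False)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def tunnel_decision(dst, protected=None, exceptions=None):
    """Decide whether client traffic to `dst` is sent into the tunnel or direct.

    Modelling assumption (not Juniper's documented algorithm): the most specific
    matching prefix wins, exactly like a host routing table; an exception that is
    at least as specific as the best protected match sends the traffic direct.
    """
    protected = REMOTE_PROTECTED_RESOURCES if protected is None else protected
    exceptions = REMOTE_EXCEPTIONS if exceptions is None else exceptions
    prot = _longest_match(dst, protected)
    exc = _longest_match(dst, exceptions)
    if prot is None:
        return "direct"
    if exc is not None and exc.prefixlen >= prot.prefixlen:
        return "direct"
    return "tunnel"


def exception_holes(protected, exceptions):
    """Defender check: list (exception, resource) pairs where an exception lies
    inside a protected resource. Such an exception carves a hole in the resource
    and sends traffic to those hosts in the clear, outside the tunnel."""
    holes = []
    for e in exceptions:
        en = ipaddress.ip_network(e, strict=False)
        for p in protected:
            pn = ipaddress.ip_network(p, strict=False)
            if en.subnet_of(pn):
                holes.append((e, p))
    return holes


if __name__ == "__main__":
    # Destinations constructed for the demo: mail server, a VPN peer, a public
    # resolver and a LAN-looking address that is not in any protected resource.
    for dst in ("172.16.2.4", "192.168.0.10", "8.8.8.8", "172.16.3.4"):
        print(f"{dst:>14} -> {tunnel_decision(dst)}")
    # The page's values produce no holes; a constructed /32 exception inside
    # the LAN shows what the check catches.
    print(exception_holes(REMOTE_PROTECTED_RESOURCES, REMOTE_EXCEPTIONS))
    print(exception_holes(REMOTE_PROTECTED_RESOURCES, ["0.0.0.0/0", "172.16.2.4/32"]))
```

Run it and compare the output against route print on the Windows client: a remote-exception more specific than a protected subnet is exactly the kind of entry that would send LAN-bound traffic outside the tunnel, so the exception_holes check is worth running whenever the client stanza is edited.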

Sample Configuration

## Last commit: 2012-07-27 11:06:31 EDT by admin
version 11.2R4.3;
system {
    host-name InternetFirewall;
    time-zone America/New_York;
    root-authentication {
        encrypted-password "********"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    login {
        user admin {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "*******"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
        xnm-clear-text;
        web-management {
            http {
                interface ge-0/0/2.0;
            }
            https {
                system-generated-certificate;
                interface ge-0/0/2.0;
            }
        }
        dhcp {
            pool 172.16.2.0/24 {
                address-range low 172.16.2.250 high 172.16.2.254;
                domain-name diablo.com;
                name-server {
                    4.2.2.2;
                    8.8.8.8;
                }
                router {
                    172.16.2.1;
                }
                propagate-settings vlan.2;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    processes {
        general-authentication-service {
            traceoptions {
                file jtac size 1m files 10 world-readable;
                flag all;
            }
        }
    }
    ntp {
        server 64.90.182.55;
        server 96.47.67.105 prefer;
    }
}
interfaces {
    ge-0/0/0 {
        unit 0;
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.0.1.6/30;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 1.1.0.2/30;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-DMZ01;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-DMZ01;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-DMZ01;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-DMZ01;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-DMZ01;
                }
            }
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-DMZ01;
                }
            }
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-DMZ01;
                }
            }
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-DMZ01;
                }
            }
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-DMZ01;
                }
            }
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-DMZ01;
                }
            }
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-DMZ01;
                }
            }
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-DMZ01;
                }
            }
        }
    }
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-DMZ01;
                }
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 1.1.1.254/32;
            }
        }
    }
    vlan {
        unit 2 {
            family inet {
                address 172.16.2.1/24;
            }
        }
    }
}
routing-options {
    aggregate {
        route 1.1.1.0/24 discard;
    }
    router-id 10.0.1.125;
}
protocols {
    bgp {
        group eBGP-ISP {
            description "Internet";
            preference 20;
            local-address 1.1.0.2;
            export 1.1.1.0/24;
            peer-as 4078;
            local-as 14079;
            neighbor 1.1.0.1 {
                graceful-restart;
            }
        }
    }
    ospf {
        preference 110;
        external-preference 110;
        area 0.0.0.255 {
            interface ge-0/0/2.0 {
                passive;
                metric 10;
            }
            interface lo0.0 {
                metric 10;
            }
            interface vlan.2 {
                passive;
                metric 10;
            }
        }
    }
    stp;
}
policy-options {
    policy-statement 1.1.1.0/24 {
        term eBGP {
            from {
                protocol aggregate;
                route-filter 1.1.1.0/24 exact;
            }
            then accept;
        }
    }
}
security {
    ike {
        traceoptions {
            file iketrace size 1m files 10 world-readable;
            flag all;
        }
        policy ike-dyn-vpn-policy {
            mode aggressive;
            proposal-set standard;
            pre-shared-key ascii-text "*******"; ## SECRET-DATA
        }
        gateway dyn-vpn-local-gw {
            ike-policy ike-dyn-vpn-policy;
            dynamic {
                hostname NY4vpn;
                connections-limit 2;
                ike-user-type group-ike-id;
            }
            external-interface ge-0/0/2.0;
            xauth access-profile dyn-vpn-access-profile;
        }
    }
    ipsec {
        policy ipsec-dyn-vpn-policy {
            proposal-set standard;
        }
        vpn dyn-vpn {
            ike {
                gateway dyn-vpn-local-gw;
                ipsec-policy ipsec-dyn-vpn-policy;
            }
        }
    }
    dynamic-vpn {
        access-profile dyn-vpn-access-profile;
        clients {
            IT_Support {
                remote-protected-resources {
                    192.168.0.0/24;
                    172.16.2.0/24;
                }
                remote-exceptions {
                    0.0.0.0/0;
                }
                ipsec-vpn dyn-vpn;
                user {
                    user01;
                }
            }
        }
    }
    flow {
        traceoptions {
            file jtac size 1m files 10 world-readable;
            flag basic-datapath;
            flag packet-drops;
            packet-filter pf1 {
                destination-prefix 1.1.0.2/32;
            }
            packet-filter pf2 {
                source-prefix 192.168.0.0/24;
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            pool source-nat_pool {
                address {
                    1.1.1.253/32;
                }
            }
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule nonat-rule-01 {
                    match {
                        source-address 172.16.2.0/24;
                        destination-address 1.1.1.252/32;
                    }
                    then {
                        source-nat {
                            off;
                        }
                    }
                }
                rule nonat-rule-02 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 192.168.0.0/24;
                    }
                    then {
                        source-nat {
                            off;
                        }
                    }
                }
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            pool {
                                source-nat_pool;
                            }
                        }
                    }
                }
            }
        }
        destination {
            pool Mail_Server01 {
                address 172.16.2.4/32;
            }
            rule-set untrust-to-trust {
                from zone untrust;
                rule Mail {
                    match {
                        destination-address 1.1.1.1/32;
                    }
                    then {
                        destination-nat pool Mail_Server01;
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/2.0 {
                address {
                    1.1.1.253/32;
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy Mail {
                match {
                    source-address any;
                    destination-address Mail;
                    application junos-mail;
                }
                then {
                    permit;
                }
            }
            policy dyn-vpn-policy {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn dyn-vpn;
                        }
                    }
                }
            }
        }
        from-zone trust to-zone Management {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone Management {
            policy Remote_Management {
                match {
                    source-address any;
                    destination-address 1.1.1.254/32;
                    application junos-ssh;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address 172.16.2.0/24 172.16.2.0/24;
                address 172.16.2.4/32 172.16.2.4/32;
                address-set Mail {
                    address 172.16.2.4/32;
                }
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.2;
            }
        }
        security-zone untrust {
            address-book {
                address 192.168.0.0/24 192.168.0.0/24;
            }
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0;
                ge-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            ike;
                            https;
                        }
                        protocols {
                            bgp;
                            ospf;
                        }
                    }
                }
            }
        }
        security-zone Management {
            address-book {
                address 1.1.1.254/32 1.1.1.254/32;
            }
            interfaces {
                lo0.0 {
                    host-inbound-traffic {
                        system-services {
                            ssh;
                        }
                        protocols {
                            ospf;
                        }
                    }
                }
            }
        }
    }
}
access {
    profile dyn-vpn-access-profile {
        client user01 {
            firewall-user {
                password "********"; ## SECRET-DATA
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool;
        }
    }
    address-assignment {
        pool dyn-vpn-address-pool {
            family inet {
                network 192.168.0.0/24;
                xauth-attributes {
                    primary-dns 4.2.2.2/32;
                }
            }
        }
    }
    firewall-authentication {
        web-authentication {
            default-profile dyn-vpn-access-profile;
        }
    }
}
vlans {
    vlan-DMZ01 {
        vlan-id 2;
        l3-interface vlan.2;
    }
}
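To make the NAT and policy behaviour of the sample configuration concrete, here is an added Python model (example code, not the page's or Juniper's) of two things a reviewer usually wants to check in this configuration: that the permit-any-any dyn-vpn-policy only admits traffic decrypted from the dyn-vpn tunnel, and that the source-NAT rule-set trust-to-untrust is evaluated in order, so LAN-to-VPN-client traffic keeps its private source address while Internet-bound traffic is PAT-ed to 1.1.1.253. The addresses, pool and rule names come from the configuration; the Packet class, the via_vpn field, the 203.0.113.5 sample source and the first-match/drop semantics are assumptions of the model, following the description's statement that plain-text traffic not matching the VPN policy is dropped.

```python
import ipaddress
from dataclasses import dataclass

# Values from the sample configuration above.
MAIL_PUBLIC_IP = "1.1.1.1"      # destination-nat rule Mail
MAIL_SERVER = "172.16.2.4"      # pool Mail_Server01 / address-set Mail
PAT_ADDRESS = "1.1.1.253"       # pool source-nat_pool
VPN_POOL = "192.168.0.0/24"     # dyn-vpn-address-pool, nonat-rule-02
LAN = "172.16.2.0/24"           # vlan.2, nonat-rule-01


@dataclass
class Packet:
    """Constructed packet model (assumption): `via_vpn` names the ipsec-vpn the
    packet was decrypted from, or is "" for plain-text traffic."""
    src: str
    dst: str
    app: str            # Junos application name, e.g. "junos-mail", "junos-ssh"
    via_vpn: str = ""


def _in(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


# --- destination NAT: rule-set untrust-to-trust, rule Mail --------------------
def destination_nat(pkt):
    """Translate 1.1.1.1 to the mail server; other packets are unchanged."""
    if pkt.dst == MAIL_PUBLIC_IP:
        return Packet(pkt.src, MAIL_SERVER, pkt.app, pkt.via_vpn)
    return pkt


# --- security policies from-zone untrust to-zone trust, in configured order ----
# Each entry: (policy name, match predicate, tunnel the permit is bound to or None).
# A tunnel-bound permit only admits packets decrypted from that tunnel; any other
# packet that matches it is dropped, which is the page's point about the
# "permit any any" rule.
UNTRUST_TO_TRUST = [
    ("Mail", lambda p: p.dst == MAIL_SERVER and p.app == "junos-mail", None),
    ("dyn-vpn-policy", lambda p: True, "dyn-vpn"),
]


def evaluate_inbound(pkt):
    """Destination NAT, then first-match policy lookup. Returns (policy, verdict)."""
    pkt = destination_nat(pkt)
    for name, match, tunnel in UNTRUST_TO_TRUST:
        if match(pkt):
            if tunnel is None or pkt.via_vpn == tunnel:
                return name, "permit"
            return name, "drop"
    return "default-deny", "drop"


# --- source NAT: rule-set trust-to-untrust, rules in configured order ----------
SOURCE_NAT_RULES = [
    ("nonat-rule-01", lambda p: _in(p.src, LAN) and p.dst == "1.1.1.252", "off"),
    ("nonat-rule-02", lambda p: _in(p.dst, VPN_POOL), "off"),
    ("source-nat-rule", lambda p: True, PAT_ADDRESS),
]


def source_nat(pkt):
    """Return (rule name, source address after NAT) for trust-to-untrust traffic."""
    for name, match, action in SOURCE_NAT_RULES:
        if match(pkt):
            return name, (pkt.src if action == "off" else action)
    return None, pkt.src


if __name__ == "__main__":
    # 203.0.113.5 is a constructed Internet host (documentation range).
    inbound = [
        Packet("203.0.113.5", "1.1.1.1", "junos-mail"),                 # SMTP from the Internet
        Packet("203.0.113.5", "1.1.1.1", "junos-ssh"),                  # plain-text SSH to the mail server
        Packet("192.168.0.10", "172.16.2.50", "junos-ssh", "dyn-vpn"),  # VPN client into the LAN
        Packet("203.0.113.5", "172.16.2.50", "junos-http"),             # plain-text from the Internet into the LAN
    ]
    for p in inbound:
        print(f"{p.src} -> {p.dst} {p.app:<12} {evaluate_inbound(p)}")
    outbound = [
        Packet("172.16.2.5", "192.168.0.10", "junos-ssh"),   # LAN host to a VPN client
        Packet("172.16.2.5", "8.8.8.8", "junos-dns-udp"),    # LAN host to the Internet
    ]
    for p in outbound:
        print(f"{p.src} -> {p.dst} {p.app:<14} {source_nat(p)}")
```

The ordering of SOURCE_NAT_RULES matters: if source-nat-rule were listed first, LAN-to-VPN-client traffic would be PAT-ed to 1.1.1.253 and the remote PC would see the public address instead of the LAN host, which is why the no-NAT rules sit ahead of the catch-all in the configuration.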
 



by aryoba See Profile
last modified: 2012-08-03 15:47:46