Embed Size (px)
Citation preview
Juniper Firewall Training
Table of Contents
Juniper Initial Configuration............................................................................................................... 3
Destination NAT (one to many) ......................................................................................................... 9
Static NAT (one to one) ................................................................................................................... 11
Source NAT using IP pool ................................................................................................................. 14
Source NAT using Interface IP .......................................................................................................... 18
Security Policy ................................................................................................................................. 21
Chassis cluster Active/Passive .......................................................................................................... 22
Juniper Initial Configuration
1. Initial konsol Login
Yang pertama kali di lakukan dalam mengkonfigurasi router Juniper adalah login sebagai user “root”
tanpa menggunakan password. Ketika masuk ke dalam device sebagai user root maka user akan
berada dalam shell prompt yang di tandai dengan karakter “%”, JUNOS software command-line (CLI)
harus di lakukan secara manual seperti contoh di bawah ini:
login: root Password: --- JUNOS 9.6R1.13 built 2009-08-01 09:02:46 UTC root@% cli root> Karakter “>” menandakan bahwa user berada dalam operational mode dan untuk kembali ke shell prompt format dapat mengikuti contoh di bawah ini: root> start shell root@%
2. Konfigurasi Out of Band (OoB) Manajemen Network
Untuk dapat mengakses router Juniper secara remote maka interface management atau fxp0 dan
telnet/ssh service perlu di aktifkan, lihat contoh di bawah ini:
root> configure [edit] root# [edit] root# set system host-name LAB [edit] root# set interfaces fxp0 unit 0 family inet address 192.168.1.1/24 [edit] root# set system services telnet [edit] root# set system services ssh
pada contoh di atas, tidak lupa untuk memberi nama yang unik untuk setiap perangkat atau
hostname. Agar dapat melakukan perubahan/penambahan konfigurasi maka user harus berada
dalam konfigurasi mode yang di tandai dengan karakter ”#” dengan mengetik perintah configure di
mode oprational.
3. Membuat User Account
User Pasword Class/Permission
Root Root123 Superuser
Lab Lab123 Superuser
Ops Operator Can view standard show
Juniper memiliki user default yaitu root,
[edit] root@LAB# set system root-authentication plain-text-password New password: Retype new password: Perintah di bawah ini, membuat user lab dengan class/permission superuser: [edit] root@LAB# set system login user lab class super-user authentication plain-text-password New password: Retype new password:
Sekarang kita akan membuat sebuah user dengan authorisasi yang terbatas misal user hanya boleh
melakukan perintah show.
root@LAB# set system login class ops permissions view [edit] root@LAB# set system login user ops class ops authentication plain-text-password New password: Retype new password: Untuk memastikan bahwa user ops hanya memiliki keterbatasan permission, maka kita harus login
sebagai user ops dan melakukan verifikasi:
ops@LAB> ? Possible completions: file Perform file operations help Provide help information op Invoke an operation script quit Exit the management session request Make system-level requests set Set CLI properties, date/time, craft interface message show Show system information start Start shell test Perform diagnostic debugging ops@LAB> configure ̂unknown command. ops@LAB>
Case study
Intial sistem konfigurasi Beri masing-masing router dengan hostname rn dimana n merupakan nomor dari router
Konfigurasi interface fxp0 sesuai dengan tabel 1.1. Buat user account dan permission berdasarkan tabel 1.2.
Setiap device dapat di remote melalui port 23 dan 24
Hostname Ipaddress
R1 192.168.x.1/24
R2 192.168.x.1/24
R3 192.168.x.1/24
R4 192.168.x.1/24
R5 192.168.x.1/24
R6 192.168.x.1/24
R7 192.168.x.1/24
R8 192.168.x.1/24
R9 192.168.x.1/24
R10 192.168.x.1/24
R11 192.168.x.1/24
Tabel 1.1
User Pasword Class/Permission
Root Root123 Superuser
student Student123 Superuser
noc Operator Ping only
Tabel 1.2
Appendix A
Step by step initial configuration
No Activities
1 - Login : root - Password : Blank (no password)
2 Start the CLI - Type following command
Root%cli root@>
3 Enter the configuration mode - Type following command
root@> configure root@# set system host-name <any-name>
4 Create management console account - Type following command
root@# set system login user root authentication plain-text-password new password: retype new password:
5 Configure the IP address and netmask for the router’s management interfaces - Type following command
root@# set interface fxp0 unit 0 family inet address <ipaddress/netmask>
6 Commit the configuration to activate it on the router - Type following command
root@# commit
7 Finished configuration the router. Exit configuration - Type following command
root@#exit root@>exit
Case study answer
Konfigurasi anda akan mirip seperti contoh di bawah ini
## Last changed: 2011-10-05 20:51:40 WIT version 8.5R1.14; system { host-name r1; time-zone Asia/Jakarta; root-authentication { encrypted-password "$1$o/4g69VL$ZPuY5HNg8B5fNUHfBqb/u."; ## SECRET-DATA } login { class noc { permissions network; } user student { uid 2037; class super-user; authentication { encrypted-password "$1$uKqtUVie$YMuJaaoHJxFJg1Jvoc5.p1"; ## SECRET-DATA } } user noc { uid 2038; class noc; authentication { encrypted-password "$1$03ax6dsu$mz/Nff6Zkt0gmjuPonLxY/"; ## SECRET-DATA } } services { ssh; telnet; } syslog { user * { any emergency; } file messages { any notice; authorization info; } file interactive-commands { interactive-commands any; } } } fxp0 { unit 0 { family inet { address 192.168.1.1/24; }
} }
Destination NAT (one to many)
Hanya satu IP destination yang akan digunakan, hasil translasi IP destination lebih dari satu.
Dari host internet melakukan telnet ke 202.72.223.136 port 1, ditranslasikan ke telnet vr1
Dari host internet melakukan telnet ke 202.72.223.136 port 2, ditranslasikan ke telnet vr2 dan seterusnya
Buat Zone di SRX (zone untrust dan vr2-trust) set security zones security-zone untrust interfaces ge-1/1/15.0 host-inbound-traffic system-services all set security zones security-zone vr1-trust interfaces ge-1/1/8.1 host-inbound-traffic system-services all Buat address book di zone vr1-trust set security zones security-zone vr1-trust address-book address addr-vr1 192.168.201.0/24 Buat pool destination nat beserta rulenya set security nat destination pool vr1-pool address 192.168.201.2/32 set security nat destination pool vr1-pool address port 23 et security nat destination rule-set rs-vr-trust from zone untrust set security nat destination rule-set rs-vr-trust rule vr1-trust match destination-address 202.72.223.136/32 set security nat destination rule-set rs-vr-trust rule vr1-trust match destination-port 1 set security nat destination rule-set rs-vr-trust rule vr1-trust then destination-nat pool vr1-pool Buat proxy arp sebagai resolution IP dalam interface untrust set security nat proxy-arp interface ge-1/1/15.0 address 202.72.223.136/32 to 202.72.223.137/32
Buat security policy untuk mendefinisikan rule dari session nya set security policies from-zone untrust to-zone vr1-trust policy 1 match source-address any set security policies from-zone untrust to-zone vr1-trust policy 1 match destination-address addr-vr1 set security policies from-zone untrust to-zone vr1-trust policy 1 match application any set security policies from-zone untrust to-zone vr1-trust policy 1 then permit Verifikasi telnet dari host 202.72.223.133 ke 202.72.223.136 port 1 telnet 202.72.223.136 1 hit translation lab@srx5800# run show security nat destination rule vr1-trust Destination NAT rule: vr1-trust Rule-set: rs-vr-trust Rule-Id : 3 Rule position : 1 From zone : untrust Destination addresses : 202.72.223.136 - 202.72.223.136 Action : vr1-pool Destination port : 1 Translation hits : 3 flow session lab@srx5800# run show security flow session destination-port 1 Flow Sessions on FPC0 PIC0: Total sessions: 0 Flow Sessions on FPC0 PIC1: Session ID: 10020597, Policy name: 1/4, Timeout: 1720, Valid In: 202.72.223.133/51201 --> 202.72.223.136/1;tcp, If: ge-1/1/15.0, Pkts: 42, Bytes: 2349 Out: 192.168.201.2/23 --> 202.72.223.133/51201;tcp, If: ge-1/1/8.1, Pkts: 32, Bytes: 1986 Total sessions: 1 total session lab> show security flow cp-session summary Valid sessions: 7 Pending sessions: 0 Invalidated sessions: 7 Sessions in other states: 0 Total sessions: 14 Maximum sessions: 2359296 Maximum inet6 sessions: 1179648
Static NAT (one to one)
Hanya satu IP destination yang akan digunakan, hasil translasi IP destination lebih dari satu.
Dari host internet melakukan telnet/ping ke 202.72.223.136, ditranslasikan telnet/ping ke vr1
Dari host internet melakukan telnet/ping ke 202.72.223.137, ditranslasikan telnet/ping vr2
Buat Zone di SRX (zone untrust dan vr2-trust) set security zones security-zone untrust interfaces ge-1/1/15.0 host-inbound-traffic system-services all set security zones security-zone vr1-trust interfaces ge-1/1/8.1 host-inbound-traffic system-services all Buat address book di zone vr1-trust set security zones security-zone vr1-trust address-book address addr-vr1 192.168.201.0/24 Buat static nat beserta rulenya set security nat static rule-set rs-vr1-trust from zone untrust set security nat static rule-set rs-vr1-trust rule vr1-trust match destination-address 202.72.223.136/32 set security nat static rule-set rs-vr1-trust rule vr1-trust then static-nat prefix 192.168.201.2/32 Buat proxy arp sebagai resolution IP dalam interface untrust set security nat proxy-arp interface ge-1/1/15.0 address 202.72.223.136/32 to 202.72.223.137/32 buat security policy untuk mendefinisikan rule dari session nya set security policies from-zone untrust to-zone vr1-trust policy 1 match source-address any set security policies from-zone untrust to-zone vr1-trust policy 1 match destination-address addr-vr1 set security policies from-zone untrust to-zone vr1-trust policy 1 match application any set security policies from-zone untrust to-zone vr1-trust policy 1 then permit
Verifikasi telnet/ping dari host 202.72.223.133/host luar ke 202.72.223.136 telnet 202.72.223.136 ping 202.72.223.136 telnet/ping dari host 202.72.223.133/host luar ke 202.72.223.137 telnet 202.72.223.137 ping 202.72.223.137 Hit translation lab@srx5800# run show security nat static rule vr1-trust Static NAT rule: vr1-trust Rule-set: rs-vr1-trust Rule-Id : 1 Rule position : 1 From zone : untrust Destination addresses : 202.72.223.136 Host addresses : 192.168.201.2 Netmask : 32 Host routing-instance : N/A Translation hits : 526 flow session lab@srx5800# run show security flow session Flow Sessions on FPC0 PIC0: Session ID: 10443, Policy name: 1/4, Timeout: 2, Valid In: 202.72.223.133/5 --> 202.72.223.136/48651;icmp, If: ge-1/1/15.0, Pkts: 1, Bytes: 84 Out: 192.168.201.2/48651 --> 202.72.223.133/5;icmp, If: ge-1/1/8.1, Pkts: 1, Bytes: 84 Total sessions: 1 Flow Sessions on FPC0 PIC1: Session ID: 10020734, Policy name: 1/4, Timeout: 2, Valid In: 202.72.223.133/6 --> 202.72.223.136/48651;icmp, If: ge-1/1/15.0, Pkts: 1, Bytes: 84 Out: 192.168.201.2/48651 --> 202.72.223.133/6;icmp, If: ge-1/1/8.1, Pkts: 1, Bytes: 84 Session ID: 10020735, Policy name: 1/4, Timeout: 2, Valid In: 202.72.223.133/7 --> 202.72.223.136/48651;icmp, If: ge-1/1/15.0, Pkts: 1, Bytes: 84 Out: 192.168.201.2/48651 --> 202.72.223.133/7;icmp, If: ge-1/1/8.1, Pkts: 1, Bytes: 84 Session ID: 10020736, Policy name: 1/4, Timeout: 4, Valid In: 202.72.223.133/8 --> 202.72.223.136/48651;icmp, If: ge-1/1/15.0, Pkts: 1, Bytes: 84 Out: 192.168.201.2/48651 --> 202.72.223.133/8;icmp, If: ge-1/1/8.1, Pkts: 1, Bytes: 84 Total sessions: 3 total session lab> show security flow cp-session summary Valid sessions: 7
Pending sessions: 0 Invalidated sessions: 7 Sessions in other states: 0 Total sessions: 14 Maximum sessions: 2359296 Maximum inet6 sessions: 1179648
Source NAT using IP pool
Setiap virtual router harus bisa ping ke internet (yahoo.com, google.com dll), dimana IP pool
yang akan digunakan adalah 202.72.223.136 dan 202.72.223.137
Hapus konfigurasi security Delete security Buat virtual router VR1 dan pasang routing static default ke IP gatewaynya. set interfaces ge-1/1/9 vlan-tagging set interfaces ge-0/2/0 unit 1 vlan-id 1 family inet address 192.168.201.2/24 set routing-options static route 0.0.0.0/0 next-hop 192.168.201.1 Buat koneksi antara SRX5800 dan vr1 set interfaces ge-1/1/8 vlan-tagging set interfaces ge-1/1/8 unit 1 vlan-id 1 family inet address 192.168.201.1/24 Buat Zone di SRX (zone untrust dan vr2-trust) set security zones security-zone untrust interfaces ge-1/1/15.0 host-inbound-traffic system-services all set security zones security-zone vr1-trust interfaces ge-1/1/8.1 host-inbound-traffic system-services all Buat nat source Pool 136-137 set security nat source pool 136-137 address 202.72.223.136/32 to 202.72.223.137/32 Buat nat source rule match 192.168.201.0/24 dengan source-nat pool 136-137 set security nat source rule-set rs-vr1-trust from zone vr1-trust set security nat source rule-set rs-vr1-trust to zone untrust set security nat source rule-set rs-vr1-trust rule r-vr1-trust match source-address 192.168.201.0/24 set security nat source rule-set rs-vr1-trust rule r-vr1-trust then source-nat pool 136-137
Karena IP pool satu subnet dengan interface untrust maka IP pool harus dipasang sebagai IP proxy-arp. set security nat proxy-arp interface ge-1/1/15.0 address 202.72.223.136/32 set security nat proxy-arp interface ge-1/1/15.0 address 202.72.223.137/32 Buat security policy antar zone vr1-trust dan untrust set security policies from-zone vr1-trust to-zone untrust policy 1 match source-address any set security policies from-zone vr1-trust to-zone untrust policy 1 match destination-address any set security policies from-zone vr1-trust to-zone untrust policy 1 match application any set security policies from-zone vr1-trust to-zone untrust policy 1 then permit Verifikasi: Ping dari SRX5800 ke vr1 lab# run ping 192.168.201.2 PING 192.168.201.2 (192.168.201.2): 56 data bytes 64 bytes from 192.168.201.2: icmp_seq=0 ttl=64 time=2.932 ms 64 bytes from 192.168.201.2: icmp_seq=1 ttl=64 time=1.660 ms ^C --- 192.168.201.2 ping statistics --- 2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max/stddev = 1.660/2.296/2.932/0.636 ms telnet dari SRX5800 ke vr1 lab# run telnet vr1 Verifikasi route di vr1 vr1@lab:vr1> show route inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 0.0.0.0/0 *[Static/5] 03:13:06 > to 192.168.201.1 via ge-0/2/0.1 192.168.201.0/24 *[Direct/0] 03:13:06 > via ge-0/2/0.1 192.168.201.2/32 *[Local/0] 03:13:06 Local via ge-0/2/0.1 Verifikasi ping vr1 ke internet vr1@lab:vr1> ping yahoo.com PING yahoo.com (67.195.160.76): 56 data bytes 64 bytes from 67.195.160.76: icmp_seq=0 ttl=44 time=335.267 ms ^C --- yahoo.com ping statistics --- 2 packets transmitted, 1 packets received, 50% packet loss round-trip min/avg/max/stddev = 335.267/335.267/335.267/0.000 ms
Verifikasi summary source nat lab@srx5800# run show security nat source summary Total pools: 1 Pool Address Routing PAT Total Name Range Instance Address 136-137 202.72.223.136-202.72.223.137 default yes 2 Total rules: 12 Rule name Rule set From To Action r-vr2-trust rs-vr2-trust vr2-trust untrust 136-137 r-vr3-trust rs-vr3-trust vr3-trust untrust 136-137 r-vr4-trust rs-vr4-trust vr4-trust untrust 136-137 r-vr5-trust rs-vr5-trust vr5-trust untrust 136-137 r-vr6-trust rs-vr6-trust vr6-trust untrust 136-137 r-vr7-trust rs-vr7-trust vr7-trust untrust 136-137 r-vr8-trust rs-vr8-trust vr8-trust untrust 136-137 r-vr9-trust rs-vr9-trust vr9-trust untrust 136-137 r-vr10-trust rs-vr10-trust vr10-trust untrust 136-137 r-vr11-trust rs-vr11-trust vr11-trust untrust 136-137 r-vr12-trust rs-vr12-trust vr12-trust untrust 136-137 r-vr1-trust rs-vr1-trust vr1-trust untrust 136-137 verifikasi translation hit per pool lab@srx5800# run show security nat source rule r-vr1-trust source NAT rule: r-vr1-trust Rule-set: rs-vr1-trust Rule-Id : 13 Rule position : 1 From zone : vr1-trust To zone : untrust Match Source addresses : 192.168.201.0 - 192.168.201.255 Destination port : 0 - 0 Action : 136-137 Persistent NAT type : N/A Persistent NAT mapping type : address-port-mapping Inactivity timeout : 0 Max session number : 0 Translation hits : 236 Verifikasi flow session lab> show security flow session source-prefix 192.168.201/24 Flow Sessions on FPC0 PIC0: Session ID: 3945, Policy name: 1/4, Timeout: 2, Valid In: 192.168.201.2/7 --> 98.137.149.56/37651;icmp, If: ge-1/1/8.1, Pkts: 1, Bytes: 84 Out: 98.137.149.56/37651 --> 202.72.223.136/21197;icmp, If: ge-1/1/15.0, Pkts: 1, Bytes: 84 Total sessions: 1 Flow Sessions on FPC0 PIC1:
Session ID: 10007793, Policy name: 1/4, Timeout: 2, Valid In: 192.168.201.2/6 --> 98.137.149.56/37651;icmp, If: ge-1/1/8.1, Pkts: 1, Bytes: 84 Out: 98.137.149.56/37651 --> 202.72.223.137/16193;icmp, If: ge-1/1/15.0, Pkts: 1, Bytes: 84 Session ID: 10007794, Policy name: self-traffic-policy/1, Timeout: 4, Valid In: 192.168.201.2/7 --> 98.137.149.56/37651;icmp, If: .local..5, Pkts: 1, Bytes: 84 Out: 98.137.149.56/37651 --> 192.168.201.2/7;icmp, If: ge-1/1/9.1, Pkts: 1, Bytes: 84 Session ID: 10007795, Policy name: self-traffic-policy/1, Timeout: 4, Valid In: 192.168.201.2/8 --> 98.137.149.56/37651;icmp, If: .local..5, Pkts: 1, Bytes: 84 Out: 98.137.149.56/37651 --> 192.168.201.2/8;icmp, If: ge-1/1/9.1, Pkts: 1, Bytes: 84 Session ID: 10007796, Policy name: 1/4, Timeout: 4, Valid In: 192.168.201.2/8 --> 98.137.149.56/37651;icmp, If: ge-1/1/8.1, Pkts: 1, Bytes: 84 Out: 98.137.149.56/37651 --> 202.72.223.137/19964;icmp, If: ge-1/1/15.0, Pkts: 1, Bytes: 84 Session ID: 10007797, Policy name: 1/4, Timeout: 60, Valid In: 192.168.201.2/9 --> 98.137.149.56/37651;icmp, If: ge-1/1/8.1, Pkts: 1, Bytes: 84 Out: 98.137.149.56/37651 --> 202.72.223.136/29099;icmp, If: ge-1/1/15.0, Pkts: 0, Bytes: 0 Total sessions: 5 Tampilan total session lab> show security flow cp-session summary Valid sessions: 7 Pending sessions: 0 Invalidated sessions: 7 Sessions in other states: 0 Total sessions: 14 Maximum sessions: 2359296 Maximum inet6 sessions: 1179648
Source NAT using Interface IP
Setiap virtual router harus bisa ping ke internet (yahoo.com, google.com dll), source IP akan
di translasikan dengan interface IP egress (untrust)
Hapus konfigurasi security Delete security Buat Zone di SRX (zone untrust dan vr2-trust) set security zones security-zone untrust interfaces ge-1/1/15.0 host-inbound-traffic system-services all set security zones security-zone vr1-trust interfaces ge-1/1/8.1 host-inbound-traffic system-services all Buat souce nat dengan translasi IP interface untrust set security nat source rule-set rs-vr1-trust from zone vr1-trust set security nat source rule-set rs-vr1-trust to zone untrust set security nat source rule-set rs-vr1-trust rule r-vr1-trust match source-address 192.168.201.0/24 set security nat source rule-set rs-vr1-trust rule r-vr1-trust then source-nat interface Buat security policy antar zone vr1-trust dan untrust set security policies from-zone vr1-trust to-zone untrust policy 1 match source-address any set security policies from-zone vr1-trust to-zone untrust policy 1 match destination-address any set security policies from-zone vr1-trust to-zone untrust policy 1 match application any set security policies from-zone vr1-trust to-zone untrust policy 1 then permit Verifikasi ping vr1 ke internet vr1@lab:vr1> ping yahoo.com PING yahoo.com (67.195.160.76): 56 data bytes 64 bytes from 67.195.160.76: icmp_seq=0 ttl=44 time=335.267 ms
^C --- yahoo.com ping statistics --- 2 packets transmitted, 1 packets received, 50% packet loss round-trip min/avg/max/stddev = 335.267/335.267/335.267/0.000 ms hit translation lab@srx5800# run show security nat source rule r-vr1-trust source NAT rule: r-vr1-trust Rule-set: rs-vr1-trust Rule-Id : 13 Rule position : 1 From zone : vr1-trust To zone : untrust Match Source addresses : 192.168.201.0 - 192.168.201.255 Destination port : 0 - 0 Action : interface Persistent NAT type : N/A Persistent NAT mapping type : address-port-mapping Inactivity timeout : 0 Max session number : 0 Translation hits : 236 flow session lab@srx5800# run show security flow session source-prefix 192.168.201/24 Flow Sessions on FPC0 PIC0: Session ID: 9394, Policy name: 1/5, Timeout: 4, Valid In: 192.168.201.2/15 --> 98.137.149.56/30750;icmp, If: ge-1/1/8.1, Pkts: 1, Bytes: 84 Out: 98.137.149.56/30750 --> 202.72.223.135/63094;icmp, If: ge-1/1/15.0, Pkts: 1, Bytes: 84 Total sessions: 1 Flow Sessions on FPC0 PIC1: Session ID: 10018639, Policy name: 1/5, Timeout: 2, Valid In: 192.168.201.2/14 --> 98.137.149.56/30750;icmp, If: ge-1/1/8.1, Pkts: 1, Bytes: 84 Out: 98.137.149.56/30750 --> 202.72.223.135/30681;icmp, If: ge-1/1/15.0, Pkts: 1, Bytes: 84 Session ID: 10018640, Policy name: 1/5, Timeout: 4, Valid In: 192.168.201.2/16 --> 98.137.149.56/30750;icmp, If: ge-1/1/8.1, Pkts: 1, Bytes: 84 Out: 98.137.149.56/30750 --> 202.72.223.135/54361;icmp, If: ge-1/1/15.0, Pkts: 1, Bytes: 84 Total sessions: 2 total session lab> show security flow cp-session summary Valid sessions: 7 Pending sessions: 0 Invalidated sessions: 7 Sessions in other states: 0
Total sessions: 14 Maximum sessions: 2359296 Maximum inet6 sessions: 1179648
Security Policy
Flow session antar zone harus didefinisikan dengan security policy, antar vr hanya
diperbolehkan aplikasi telnet saja (vr1-vr2, vr3-vr4………vr11-vr12)
Security policy dengan aplikasi telnet default set security policies from-zone vr1-trust to-zone vr2-trust policy 1 match source-address any set security policies from-zone vr1-trust to-zone vr2-trust policy 1 match destination-address any set security policies from-zone vr1-trust to-zone vr2-trust policy 1 match application junos-telnet set security policies from-zone vr1-trust to-zone vr2-trust policy 1 then permit Security policy dengan aplikasi telnet modifikasi set applications application vr1-telnet-app term 1 protocol tcp set applications application vr1-telnet-app term 1 destination-port 23 set security policies from-zone vr1-trust to-zone vr2-trust policy 1 match source-address any set security policies from-zone vr1-trust to-zone vr2-trust policy 1 match destination-address any set security policies from-zone vr1-trust to-zone vr2-trust policy 1 match application vr1-telnet-app set security policies from-zone vr1-trust to-zone vr2-trust policy 1 then permit Verifikasi Vr1 melakukan telnet ke vr2 vr1@lab:vr1> telnet 192.168.202.2
Chassis cluster Active/Passive
Koneksikan kedua SRX seperti pada topologi Port fe-0/0/1 sebagai data plane Port fe-0/0/7 sebagai control link Optional fe-0/0/6 sebagai management port (fxp0) Konfigur kedua SRX dalam mode cluster, cluster-id 1, SRX pertama sebagai node 0 dan yang kedua sebagai node 1 set chassis cluster cluster-id <0-15> node <0-1> reboot Pasang IP management kedua SRX dalam makro konfigurasi kemudian di load makro tersebut dengan apply-groups set groups node0 system host-name node0 set groups node0 interfaces fxp0 unit 0 family inet address 100.100.100.1/24 set groups node1 system host-name node1 set groups node1 interfaces fxp0 unit 0 family inet address 100.100.100.2/24 set apply-groups "${node}" set system backup-router 100.100.100.1 destination 100.100.100.1 Buat FAB links secara konfigurasi hanya dilakukan pada SRX pertama set interfaces fab0 fabric-options member-interfaces fe-0/0/1 set interfaces fab1 fabric-options member-interfaces fe-1/0/1 Buat redudancy group sebagai fungsi routing engine yang dilakukan pada SRX pertama set chassis cluster redundancy-group 0 node 0 priority 100 set chassis cluster node 0 set chassis cluster redundancy-group 0 node 1 priority 1 set chassis cluster node 1 set chassis cluster redundancy-group 1 node 0 priority 100 set chassis cluster node 0 set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster node 1 Buat interface Reth dengan jumlah batasan tertentu misal 2 interface yang dilakukan pada SRX pertama set chassis cluster reth-count 2 set interfaces fe-0/0/2 fastether-options redundant-parent reth0 set interfaces fe-1/0/2 fastether-options redundant-parent reth0 set interfaces reth0 redundant-ether-options redundancy-group 1 set interfaces reth0 unit 0 family inet address 202.72.223.136/28 set interfaces fe-0/0/3 fastether-options redundant-parent reth1 set interfaces fe-1/0/3 fastether-options redundant-parent reth1 set interfaces reth1 redundant-ether-options redundancy-group 2 set interfaces reth1 unit 0 family inet address 192.168.201.1/24 Commit Maka konfigurasi dieksekusi pada SRX pertama dan SRX kedua Selanjutnya dibuat aplikasi source nat interface Buat Zone di SRX (zone untrust dan vr2-trust) set security zones security-zone untrust interfaces reth0.0 host-inbound-traffic system-services all set security zones security-zone vr1-trust interfaces reth1.0 host-inbound-traffic system-services all Buat souce nat dengan translasi IP interface untrust set security nat source rule-set rs-vr1-trust from zone vr1-trust set security nat source rule-set rs-vr1-trust to zone untrust set security nat source rule-set rs-vr1-trust rule r-vr1-trust match source-address 192.168.201.0/24 set security nat source rule-set rs-vr1-trust rule r-vr1-trust then source-nat interface Buat security policy antar zone vr1-trust dan untrust set security policies from-zone vr1-trust to-zone untrust policy 1 match source-address any set security policies from-zone vr1-trust to-zone untrust policy 1 match destination-address any set security policies from-zone vr1-trust to-zone untrust policy 1 match application any set security policies from-zone vr1-trust to-zone untrust policy 1 then permit Verifikasi: status chassis cluster show chassis cluster status failover cluster secara manual dari node 0 ke node 1 didalam redudancy group 1: request chassis cluster failover node 1 redundancy-group 1 Setelah melakukan failover manual, maka untuk melakukan failover lagi state failover harus direset request chassis cluster failover reset redundancy-group 1 failover secara alami, tidak perlu dilakukan reset seperti cara failover manual set interfaces fe-0/0/2 disable cek kondisi trafik ping dari vr1 pastikan lewat di fab nya yaitu interface fe-0/0/1 dan fe-1/0/1 set interfaces fe-0/0/3 disable cek kondisi trafik pastikan link fab tidak dilewati trafik
Route Based VPN IPSEC
Konsep route based VPN IPSEC menggunakan interface secure tunnel (st0) untuk establishment VPN
IPSEC. Sehingga setiap router terlebih dahulu dikonfig interface st0. Dari topology menggunakan
SRX5800 yang membawahi VR1 sampai dengan VR12 sedangkan SRX100 membawahi VRA sampai
dengan VRL.
Pada Lab kali ini dibuat establishmen VPN IPSEC untuk mengkoneksikan VR1 dengan VRA, VR2
dengan VRB dan seterusnya.
Step by step Buat inteface untrust, st0 di SRX5800 set interfaces ge-1/1/9 vlan-tagging set interfaces ge-1/1/9 speed 100m set interfaces ge-1/1/9 unit 1 vlan-id 1 family inet address 110.72.10.2/30 Buat interface vr1 dan pasang static route default telnet terlebih dahulu ke 192.168.100.45 user vr1 set interfaces ge-0/2/0 unit 1 vlan-id 1 family inet address 192.168.201.2/24 set routing-options static route 0.0.0.0/0 next-hop 192.168.201.1 Buat static route destination VRA di SRX5800 melalui inteface st0.1 set routing-options static route 172.168.201.0/24 next-hop st0.1 Konfigur Zone vr1-trust, untrust dan vpn1 set security zones security-zone vr1-trust host-inbound-traffic system-services all set security zones security-zone vr1-trust interfaces ge-1/1/8.1 set security zones security-zone vpn1 interfaces st0.1 set security zones security-zone vpn1 host-inbound-traffic system-services all set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-1/1/9.1 Konfigur parameter IKE, meliputi proposal, policy dan gateway set security ike proposal ike-proposal-1 authentication-method pre-shared-keys set security ike proposal ike-proposal-1 dh-group group2 set security ike proposal ike-proposal-1 authentication-algorithm md5 set security ike proposal ike-proposal-1 encryption-algorithm 3des-cbc set security ike proposal ike-proposal-1 lifetime-seconds 86400 set security ike policy ike-policy-1 mode main set security ike policy ike-policy-1 proposals ike-proposal-1 set security ike policy ike-policy-1 pre-shared-key ascii-text rahasia set security ike gateway ike-gate-1 ike-policy ike-policy-1 set security ike gateway ike-gate-1 address 110.72.10.1 set security ike gateway ike-gate-1 external-interface ge-1/1/9.1 Konfigur parameter IPSEC meliputi, proposal, policy dan gateway set security ipsec proposal ike-proposal-1 protocol esp set security ipsec proposal ike-proposal-1 authentication-algorithm hmac-md5-96 set security ipsec proposal ike-proposal-1 encryption-algorithm 3des-cbc set security ipsec proposal ike-proposal-1 lifetime-seconds 3600 set security ipsec proposal ike-proposal-1 lifetime-kilobytes 1048576 set security ipsec policy ipsec-policy-1 perfect-forward-secrecy keys group2 set security ipsec policy ipsec-policy-1 proposals ike-proposal-1 set security ipsec vpn ike-vpn-1 bind-interface st0.1 set security ipsec vpn ike-vpn-1 ike gateway ike-gate-1 set security ipsec vpn ike-vpn-1 ike ipsec-policy ipsec-policy-1 set security ipsec vpn ike-vpn-1 establish-tunnels immediately Konfigur security policy set security policies from-zone vr1-trust to-zone untrust policy 1 match source-address any set security policies from-zone vr1-trust to-zone untrust policy 1 match destination-address any set security policies from-zone vr1-trust to-zone untrust policy 1 match application any set security policies from-zone vr1-trust to-zone untrust policy 1 then permit set security policies from-zone vpn1 to-zone vr1-trust policy 1 match source-address any set security policies from-zone vpn1 to-zone vr1-trust policy 1 match destination-address any set security policies from-zone vpn1 to-zone vr1-trust policy 1 match application any set security policies from-zone vpn1 to-zone vr1-trust policy 1 then permit set security policies from-zone vr1-trust to-zone vpn1 policy 1 match source-address any set security policies from-zone vr1-trust to-zone vpn1 policy 1 match destination-address any set security policies from-zone vr1-trust to-zone vpn1 policy 1 match application any set security policies from-zone vr1-trust to-zone vpn1 policy 1 then permit Konfigur tcp-mss (maximum segment size), dengan pemilihan yang tepat maka dapat menghindari packet loss dilevel fragmentasi packet. Direkomendasikan nilai 1350 set security flow tcp-mss ipsec-vpn mss 1350 Verifikasi Pastikan status level IKE (internet key exchange) phase 1 establish lab@srx5800> show security ike security-associations
Index Remote Address State Initiator cookie Responder cookie Mode 8070186 110.72.10.17 UP 54e17446c730cde2 43973b81c7d861a7 Main 41624618 110.72.10.21 UP 5dbcfe50fb361945 4047b2b9582d7320 Main 58401869 110.72.10.5 UP 930646d8ee4e84e2 b32f89337531f0cc Main 108733483 110.72.10.9 UP 27f1bbde075442a9 091bee95ea230a08 Main 108733484 110.72.10.13 UP ba6d1c8fb60a2b30 4343e8a7df4a8f10 Main 125510800 110.72.10.1 UP 0a8da148d9787692 bcfd682d9f161063 Main lab@srx5800> show security ike security-associations index 8070186 detail IKE peer 110.72.10.17, Index 8070186, Location: FPC 0, PIC 0, KMD-Instance 1 Role: Responder, State: UP Initiator cookie: 54e17446c730cde2, Responder cookie: 43973b81c7d861a7 Exchange type: Main, Authentication method: Pre-shared-keys Local: 110.72.10.18:500, Remote: 110.72.10.17:500 Lifetime: Expires in 68279 seconds Peer ike-id: 110.72.10.17 Xauth user-name: not available Xauth assigned IP: 0.0.0.0 Algorithms: Authentication : md5 Encryption : 3des-cbc Traffic statistics: Input bytes : 1032 Output bytes : 956 Input packets: 5 Output packets: 4 IPSec security associations: 1 created, 0 deleted Phase 2 negotiations in progress: 0
Konfirmasi IPSEC (phase 2) lab@srx5800> show security ipsec security-associations Total active tunnels: 2 ID Gateway Port Algorithm SPI Life:sec/kb Mon vsys <131074 110.72.10.1 500 ESP:3des/md5 798c310 915/ 838856 - root >131074 110.72.10.1 500 ESP:3des/md5 11daa936 915/ 838856 - root <131073 110.72.10.5 500 ESP:3des/md5 3ca603d 2206/ 943713 - root >131073 110.72.10.5 500 ESP:3des/md5 cc2da2f7 2206/ 943713 - root lab@srx5800> show security ipsec security-associations index 131074 detail Virtual-system: root Local Gateway: 110.72.10.2, Remote Gateway: 110.72.10.1 Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) DF-bit: clear Location: FPC 0, PIC 1, KMD-Instance 4 Direction: inbound, SPI: 798c310, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 868 seconds Lifesize Remaining: 838856 kilobytes Soft lifetime: Expires in 228 seconds Mode: tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc Anti-replay service: counter-based enabled, Replay window size: 64 Location: FPC 0, PIC 1, KMD-Instance 4 Direction: outbound, SPI: 11daa936, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 868 seconds Lifesize Remaining: 838856 kilobytes Soft lifetime: Expires in 228 seconds Mode: tunnel, Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc Anti-replay service: counter-based enabled, Replay window size: 64 lab@srx5800> show security ipsec statistics index 131074 ESP Statistics: Encrypted bytes: 136408 Decrypted bytes: 84252 Encrypted packets: 1003 Decrypted packets: 1003 AH Statistics: Input bytes: 0 Output bytes: 0 Input packets: 0 Output packets: 0 Errors: AH authentication failures: 0, Replay errors: 0 ESP authentication failures: 0, ESP decryption failures: 0 Bad headers: 0, Bad trailers: 0 Ping end to end,dari VR1 ping ke 172.168.201.2 Ping 172.168.201.2
