Sunday, July 29, 2012

Juniper SSG Initial configuration

1. Access the SSG by browsing to http://192.168.1.1.
2. In the Rapid Deployment Wizard, make sure "No, use the Initial Configuration Wizard instead" is selected and click Next.

3. Follow the wizard to configure it.

4. Assign the administrator username and password. You may want to check HTTP Redirect to HTTPS.

5. Choose the interfaces.

6. Enter the IP information accordingly.

7. After finishing, you will see the configuration summary.

How to use mapped IP to allow inbound traffic to reach private address

1. Log on to the Juniper SSG.
2. Open Interface under Network.

3. Click Edit on untrust/ethernet1.

4. Click MIP and then New.

5. Mapped IP is the public IP address and Host IP is the private IP address. Since this is from the Untrust zone to the Trust zone, the Host Virtual Router Name should be trust-vr.

6. After saving the settings, it looks like this:

7. Follow this article to forward ports.

How to forward ports in Juniper SSG

There are 3 steps to configure the Juniper SSG to forward a port.


How to forward ports in Juniper SSG - Creating a custom object

1. Log in to the SSG.
2. Navigate to Object>Services>Custom.
3. Check the protocol and enter the other information, such as the Service Name and port number. Note: the Source Port should be between 0 and 65535.
4. Click OK to save it.

How to forward ports in Juniper SSG - Create a Policy

1. Log in to the SSG.
2. Navigate to Policies.
3. Select From: Untrust and To: Trust.
4. Click New.
5. Source Address is Any.
6. Destination Address is the VIP you created, for example VIP(ethernet0/0).
7. Select the Service from the predefined or custom services.
8. Click OK to save it.

How to forward ports in Juniper SSG - Create a Virtual IP

1. Log in to the SSG.
2. Navigate to Network>Interface>List.
3. In the List window, click Edit on ethernet0/0.

4. Click VIP.
5. In the Virtual IP field, enter the public IP address of the WAN.
6. Virtual Port is the port you want to forward.
7. Map to Service: choose the predefined or custom service.
8. Map to IP is the computer you will forward to.
9. Click OK to save it.

After these 3 steps, you should have a policy that forwards a port to a computer.

How to create a object group in Juniper SSG

If you need to manage a group of IP addresses, you can create an address object group. To do that, follow these steps.

1. Log in to the SSG.
2. Navigate to Object>Addresses>Group.
3. Select a filter, DMZ in our case.
4. Click New.
5. Add all the address objects and click OK to save.

6. After closing, you should have a new object group.

How to create an address object in Juniper SSG

If you need to manage an IP address, you can create an address object. To do that, follow these steps.

1. Log in to the SSG.
2. Navigate to Object>Addresses>List.
3. Select a filter, DMZ in our case.
4. Click New.

5. Assuming you want to create an object for an IP phone (for QoS), enter the Address Name and IP information.

6. Continue to create the other address objects. When finished, you should see all the address objects.

How to configure WAN (ethernet0/0) in Juniper SSG

1. Log in to the SSG.
2. Click DHCP.
3. Select ethernet0/0.
4. Make sure None is checked.

5. Navigate to Network>Interface>List.
6. Choose ethernet0/0.
7. Check Static IP and assign the IP information. Note: there is no option to assign the default gateway in this window.

8. Navigate to Network>Routing and click New.
9. Assign the gateway information.

How to change WAN IP address on Juniper SSG5

In our example, our client is changing his ISP from Comcast to AT&T. Our goal is to change to the new WAN IP address on the Juniper SSG5 without changing any inside private IP addresses or network configuration.

1. Open the SSG in a web browser, for example http://10.0.0.2:8080.
2. Navigate to Network>Interface>List.
3. In our example, bgroup0 and all of ethernet0/2 to 0/6 are LAN ports. ethernet0/0 is the WAN port connecting to the AT&T modem. Other ports are not used. Click Edit on ethernet0/0.

4. In the Basic properties, make sure the Zone Name is Untrust. Enter the AT&T IP address to replace the Comcast IP address. Make sure you have the correct /# prefix length. For more information about /#, please check this link: IPv4 Subnet Chart. Click Apply to save the settings.

5. If you have port forwarding, click VIP to check that the new IP address is correct and all forwarding configuration is correct.

6. To change the routing, navigate to Network>Routing>Destination. Click Remove on the Comcast IP.

7. Then click New at the top right. Enter 0.0.0.0/0 for IP Address/Network, since we want to reach the Internet. Enter the AT&T default gateway to replace the Comcast gateway IP. Click OK to save the settings.

8. You may want to change the DNS also. Click DNS>Host under Network. Make the change accordingly.

9. You may need to reboot the Juniper SSG5 for the new configuration to take effect.

How to backup and restore Juniper configuration

A. Using the GUI to back up and restore the configuration. Log in to the firewall using a web browser. Navigate to Configuration>Update>Config File. You can save, merge or replace the configuration.

B. Command line.
1. To copy the configuration, use the "get config" command.
2. To copy the configuration from a computer to the router and then load it:
   1) Copy the configuration file: "file copy servername:ssg5-config.txt". Note: make sure the file is in the same path you are running the command from, or you will need to add the path, for example "file copy servername:/temp/ssg5-config.txt".
   2) Verify the file has been copied: "file list"
   3) Load the file: "load override ssg5-config.txt"
   4) Review the configuration: "show"
   5) Activate the configuration: "commit"
3. Save the existing configuration to a TFTP server with the command:
   save config to tftp <tftp_server_ip> <config_filename>
4. Update the existing config with the command:
   save config from tftp <tftp_server_ip> <config_filename> to flash

Reset the security device: reset
Configuration modified. Save? [y] y/n n <----- answer n for No; otherwise you will overwrite the config loaded in step 1 (if you entered y, then repeat step 1).
System reset? Are you sure? y/n y
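Before the load or replace step above, and after a WAN change like the Comcast to AT&T move in the previous section, it is worth knowing exactly which lines differ between the saved dump and the running one. The script below is an added example, not part of this article or of ScreenOS: it diffs two "get config" style dumps and flags any changed line that falls outside the prefixes you expected the change to touch. The two dumps are constructed around the article's WAN change; the public addresses are documentation-range placeholders and the "set dns host" line is assumed to hold the DNS>Host entry.

```python
"""Diff two ScreenOS (Juniper SSG) configuration dumps before a restore or
after a WAN change.  Added example, not part of the article: it lists the
'set'/'unset' lines that were removed or added and flags any change that
falls outside an allowed set of prefixes (the lines you meant to touch)."""

# Constructed 'before' (Comcast) and 'after' (AT&T) dumps, modelled on the
# article's example configuration.  Public addresses are documentation-range
# placeholders; the 'set dns host' line is assumed to hold the DNS>Host entry.
OLD_CONFIG = """\
set interface ethernet0/0 ip 192.168.11.61/30
set interface ethernet0/0 route
set interface bgroup0 ip 10.10.10.1/24
set interface bgroup0 nat
set interface ethernet0/0 vip untrust 3389 "RDC" 10.10.10.10
set vrouter "trust-vr"
set route 0.0.0.0/0 interface ethernet0/0 gateway 192.168.11.62 preference 20
exit
set dns host dns1 4.2.2.1
"""
NEW_CONFIG = """\
set interface ethernet0/0 ip 203.0.113.10/29
set interface ethernet0/0 route
set interface bgroup0 ip 10.10.10.1/24
set interface bgroup0 nat
set vrouter "trust-vr"
set route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.9 preference 20
exit
set dns host dns1 203.0.113.2
"""

# Lines an ISP change on ethernet0/0 is allowed to alter; anything else that
# differs (a VIP, a policy, a LAN address) deserves a second look.
WAN_CHANGE_PREFIXES = (
    "set interface ethernet0/0 ip ",
    "set route 0.0.0.0/0 ",
    "set dns host ",
)


def normalize(text):
    """Collapse whitespace and drop blanks and the context-closing 'exit' lines."""
    lines = []
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if line and line != "exit":
            lines.append(line)
    return lines


def diff_configs(old, new, allowed_prefixes=()):
    """Return removed/added lines in original order, plus the subset of those
    changes that does not start with one of allowed_prefixes.  With no
    prefixes given, every change is reported as unexpected."""
    old_lines, new_lines = normalize(old), normalize(new)
    old_set, new_set = set(old_lines), set(new_lines)
    removed = [line for line in old_lines if line not in new_set]
    added = [line for line in new_lines if line not in old_set]
    unexpected = [line for line in removed + added
                  if not line.startswith(tuple(allowed_prefixes))]
    return {"removed": removed, "added": added, "unexpected": unexpected}


if __name__ == "__main__":
    result = diff_configs(OLD_CONFIG, NEW_CONFIG, WAN_CHANGE_PREFIXES)
    for tag in ("removed", "added"):
        for line in result[tag]:
            print(f"{'-' if tag == 'removed' else '+'} {line}")
    for line in result["unexpected"]:
        print(f"! unexpected change, review before commit: {line}")
```

In the constructed dumps the IP, default route and DNS lines change as intended, but the RDC VIP line has disappeared from the new dump, which is exactly the kind of loss step 5 of the WAN change ("click VIP to check") is meant to catch; the script reports it as unexpected so it can be reviewed before "commit".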

Example of Juniper SSG Configuration

set clock ntp
set clock timezone -6
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "RDC" protocol tcp src-port 0-65535 dst-port 3389-3389
set service "pcAnywhere1" protocol tcp src-port 0-65535 dst-port 5631-5632
set service "pcAnywhere1" + udp src-port 0-65535 dst-port 5631-5632
set service "Upluad" protocol tcp src-port 0-65535 dst-port 85-85
set service "IP5060" protocol tcp src-port 0-65535 dst-port 5060-5060
set service "IP5061" protocol tcp src-port 0-65535 dst-port 5061-5061
unset alg sip enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "admin"
set admin port 8080
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "bgroup0" zone "Trust"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
unset interface vlan1 ip
set interface ethernet0/0 ip 192.168.11.61/30
set interface ethernet0/0 route
set interface ethernet0/1 ip 172.16.10.1/16
set interface ethernet0/1 nat
set interface bgroup0 ip 10.10.10.1/24
set interface bgroup0 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage ssh
set interface ethernet0/0 manage ssl
set interface ethernet0/0 manage mtrace
set interface bgroup0 manage mtrace
set interface ethernet0/0 vip untrust 3389 "RDC" 10.10.10.10
set interface ethernet0/0 vip untrust 85 "Upluad" 10.10.10.10
set interface ethernet0/0 vip untrust 5631 "pcAnywhere1" 10.10.10.10
set interface ethernet0/0 vip untrust 80 "HTTP" 10.10.10.10
set interface ethernet0/0 vip untrust 5060 "IP5060" 10.10.10.176
set interface ethernet0/0 vip untrust 5061 "IP5061" 10.10.10.169
set interface bgroup0 dhcp server service
set interface bgroup0 dhcp server auto
set interface bgroup0 dhcp server option domainname chicagotech.net
set interface bgroup0 dhcp server option dns1 4.2.2.1
set interface bgroup0 dhcp server option dns2 4.2.2.1
set interface bgroup0 dhcp server ip 10.10.10.11 to 10.10.10.200
unset interface bgroup0 dhcp server config next-server-ip
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow tcp-syn-check
set domain chicagotech.net
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "0.0.0.0/0" 0.0.0.0 0.0.0.0
set address "Trust" "10.10.10.10/24" 10.10.10.10 255.255.255.0
set address "Trust" "10.10.10.10/255.255.255.255" 10.10.10.10 255.255.255.255
set address "Trust" "10.10.10.10/32" 10.10.10.10 255.255.255.255
set address "Trust" "phone ip1" 10.10.10.169 255.255.255.255
set address "Trust" "phone ip2" 10.10.10.176 255.255.255.255
set group address "Trust" "phone ips"
set group address "Trust" "phone ips" add "phone ip1"
set group address "Trust" "phone ips" add "phone ip2"
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol websense
exit
set policy id 13 from "Trust" to "Untrust" "phone ips" "Any" "ANY" permit log traffic priority 0
set policy id 13
exit
set policy id 7 from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "RDC" permit log
set policy id 7
exit
set policy id 5 from "Untrust" to "Trust" "Any" "0.0.0.0/0" "MGCP" permit
set policy id 5
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 1
exit
set policy id 8 name "pcAnywhere" from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "pcAnywhere1" permit
set policy id 8
exit
set policy id 9 name "Upload" from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "Upluad" permit
set policy id 9
exit
set policy id 10 name "http" from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "HTTP" permit
set policy id 10
exit
set policy id 11 name "IPPhone" from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "IP5060" permit
set policy id 11
exit
set policy id 12 name "IP5061" from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "IP5061" permit
set policy id 12
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set ntp server "0.0.0.0"
set ntp server backup1 "0.0.0.0"
set ntp server backup2 "0.0.0.0"
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/0 gateway 192.168.11.62 preference 20
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
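The example configuration above, together with the backup and restore procedure and the port forwarding steps earlier on this page, raises the question of what to look for before loading a configuration or trusting the one that is running. The script below is an added example, not from this article and not a Juniper tool: it parses a "get config" dump in the syntax shown above and reports what a reviewer would want flagged, namely management services enabled on an Untrust-zone interface (the example above enables ping, ssh and ssl on ethernet0/0), inbound permit policies whose source is Any, that do not log, or whose destination is not a VIP/MIP object (policy 5 above), VIP forwards that no policy references, and NTP left at 0.0.0.0. The embedded excerpt is constructed from the example configuration, with the pcAnywhere policy deliberately left out so the inventory check has something to report.

```python
"""Audit a ScreenOS (Juniper SSG) configuration dump before restoring or
trusting it.  Added example, not from the original article: it parses the
plain 'set ...' lines that 'get config' produces (the syntax of the example
configuration above) and reports settings a reviewer would want to see."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the article's example configuration
# (hosts, services and policy ids are the article's; the missing
# pcAnywhere policy is deliberate, to show the inventory check).
SAMPLE_CONFIG = """\
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "bgroup0" zone "Trust"
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage ssh
set interface ethernet0/0 manage ssl
set interface bgroup0 manage ssh
set interface ethernet0/0 vip untrust 3389 "RDC" 10.10.10.10
set interface ethernet0/0 vip untrust 80 "HTTP" 10.10.10.10
set interface ethernet0/0 vip untrust 5631 "pcAnywhere1" 10.10.10.10
set ntp server "0.0.0.0"
set policy id 7 from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "RDC" permit log
set policy id 5 from "Untrust" to "Trust" "Any" "0.0.0.0/0" "MGCP" permit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 10 name "http" from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "HTTP" permit
"""

ZONE_RE = re.compile(r'^set interface "?([\w/]+)"? zone "([^"]+)"$')
MANAGE_RE = re.compile(r'^set interface "?([\w/]+)"? manage (\w+)$')
VIP_RE = re.compile(r'^set interface "?([\w/]+)"? vip \S+ (\d+) "([^"]+)" (\S+)$')
NTP_RE = re.compile(r'^set ntp server (?:backup\d )?"([^"]+)"$')
POLICY_RE = re.compile(
    r'^set policy id (\d+) (?:name "[^"]*" )?from "([^"]+)" to "([^"]+)" '
    r'"([^"]+)" "([^"]+)" "([^"]+)" (permit|deny|reject)(.*)$'
)


def parse_config(text):
    """Pick the zone, management, VIP, NTP and policy lines out of a dump."""
    cfg = {"zones": {}, "manage": defaultdict(set), "vips": [], "ntp": [], "policies": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ZONE_RE.match(line):
            cfg["zones"][m.group(1)] = m.group(2)
        elif m := MANAGE_RE.match(line):
            cfg["manage"][m.group(1)].add(m.group(2))
        elif m := VIP_RE.match(line):
            cfg["vips"].append({"iface": m.group(1), "port": int(m.group(2)),
                                "service": m.group(3), "host": m.group(4)})
        elif m := NTP_RE.match(line):
            cfg["ntp"].append(m.group(1))
        elif m := POLICY_RE.match(line):
            cfg["policies"].append({
                "id": int(m.group(1)), "from": m.group(2), "to": m.group(3),
                "src": m.group(4), "dst": m.group(5), "svc": m.group(6),
                "action": m.group(7), "log": "log" in m.group(8).split()})
    return cfg


def inbound_forwards(cfg):
    """Inventory of VIP port forwards with the Untrust policies that permit them."""
    rows = []
    for vip in cfg["vips"]:
        ids = [p["id"] for p in cfg["policies"]
               if p["from"] == "Untrust" and p["action"] == "permit"
               and p["svc"] == vip["service"] and p["dst"].startswith("VIP(")]
        rows.append({**vip, "policies": ids})
    return rows


def audit(cfg):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for iface, services in cfg["manage"].items():
        if cfg["zones"].get(iface) == "Untrust":
            findings.append(f"{iface}: management services reachable from the "
                            f"Untrust zone: {', '.join(sorted(services))}")
    for p in cfg["policies"]:
        if p["from"] != "Untrust" or p["action"] != "permit":
            continue
        if p["src"] == "Any":
            findings.append(f"policy {p['id']}: permits {p['svc']} from any "
                            f"Untrust source to {p['dst']}")
        if not p["dst"].startswith(("VIP(", "MIP(")):
            findings.append(f"policy {p['id']}: inbound destination {p['dst']} "
                            "is not a VIP/MIP object")
        if not p["log"]:
            findings.append(f"policy {p['id']}: inbound permit without logging")
    for row in inbound_forwards(cfg):
        if not row["policies"]:
            findings.append(f"vip {row['port']}/{row['service']} -> {row['host']}: "
                            "no Untrust permit policy references it")
    for server in cfg["ntp"]:
        if server == "0.0.0.0":
            findings.append("ntp: server is 0.0.0.0, so log timestamps cannot be trusted")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run it against the output of "get config" saved from the device and read the findings as a review checklist: restricting the inbound policies to the address objects you actually expect (see the address object section above) and turning on "log" for every inbound permit are the two changes that most improve what the firewall can tell you afterwards.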