Junos

Currently in Redbrick we are using a SRX220H firewall. There is a router-on-a-stick setup between Sebastian and our SRX. This allows multiple VLANs to go over the link between Sebastian and the SRX. The SRX is also our gateway whether that be 192.168.x.254/X or 136.206.15.254/24

Junos Commands

Unlike Cisco you do not need to be in privilege mode to view configuration. However as Junos runs FreeBSD you do need to have the correct privilege level to access different hierarchies of the Junos device.

Login

If you log in as root you will be greeted with a UNIX cli this is denoted by the %. You will need to type cli in order to view any configuration.

root% cli
root@SRX>

View interfaces

To view any interfaces on a Junos device you can do the following command: show interface terse This will output information as below:

user@SRX> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     X.X.X.X/X
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet     10.0.0.1            --> 10.0.0.16
                                            10.0.0.6            --> 0/0
                                            128.0.0.1           --> 128.0.1.16
                                            128.0.0.6           --> 0/0
ge-0/0/1                up    up
ge-0/0/1.0              up    up
ge-0/0/1.1              up    up   inet     192.168.0.254/24
ge-0/0/1.2              up    up   inet     192.168.1.254/24
ge-0/0/1.16             up    up   inet     136.206.16.254/24
ge-0/0/1.20             up    up

The interface name in this case will be: ge which stands for gigabit ethernet-0/0/number of port

What do the points after the interface name mean?

They are the logical interfaces of that interface.

Enter Configuration Mode

Unlike Cisco IOS you do not need to type conf t you would instead type edit

user@SRX> edit
Entering configuration mode

[edit]
user@SRX#

In order to navigate around this mode you start your command with edit

Saving Configuration

Before saving your changes it is recommended to do the following command show | compare. This will show you any configuration changes that have been made.

Unlike Cisco when you edit the configuration. It is not running until you commit it. In order to commit, you need to type commit confirmed this command will automatically rollback to the previous configuration in the event that you lost access and cannot finalize the change by typing commit.

[edit]
user@SRX# show | compare

[edit]
user@SRX#

Edit an interface

To edit an interface you will need to do the following command edit interfaces ge-x/x/x.

To edit a logical interface you would do the same command but you would include the logical number edit interfaces ge-x/x/x.x.

[edit]
user@SRX# edit interfaces ge-0/0/1.1

[edit interfaces ge-0/0/1 unit 1]
user@SRX# show
family inet {
    address 192.168.0.254/24;
}

[edit interfaces ge-0/0/1 unit 1]
user@SRX#

Destination NAT

If you want to reach a service within Redbrick you will need destination NAT unless it is running on a 136.206.15.X/24 address already.

To do this you will need to do the following:

  1. Configure a NAT pool to the destination IP within Redbrick
  2. Create a NAT rule within the destination NAT ruleset
Create a destination NAT pool

To create a NAT pool you will need use the following commands:

edit security nat destination
set pool NAME_OF_POOL address X.X.X.X
Create a NAT rule within the destination NAT ruleset

To create a rule within the destination NAT ruleset you need to use the following commands:

edit security nat destination ruleset NAME_OF_RULESET

set rule NAME match source-address 136.206.X.X

set rule NAME match destination-port X

set rule NAME then destination-nat pool WHATEVERYOUCALLEDTHEPOOL

Source NAT

If you want to allow a specific machine to access the internet from within Redbrick you will need to configure source NAT that will use a 136.206.15.X/24 address. To do this you'll need to do the following:

  • Configure a NAT pool to the external IP within Redbrick's 136.206.15.X subnet
  • Create a NAT rule within the source NAT ruleset
Create a source NAT pool

To create a NAT pool you will need to do the following commands:

edit security nat source

set pool NAME_OF_POOL address X.X.X.X
Create a NAT rule within the source NAT ruleset

To create a rule within the source NAT ruleset you need to use the following commands:

edit security nat source ruleset OUTBOUND

set rule NAME match source-address X.X.X.X

set rule NAME match destination-port X

set rule NAME then source-nat pool WHATEVERYOUCALLEDTHEPOOL