
Juniper SRX setup

Initialise

root%           <-- Shell
root% cli       <-- Operational CLI mode
root>           <-- Logged in to operational CLI mode
root>configure <-- Configuration mode
root#           <-- Logged in to configuration mode

Setting the root password

root# set system root-authentication plain-text-password

New password:
Retype new password:

root# set system host-name srx
root# commit

commit complete

root@srx#

Interfaces

#delete interfaces ge-0/0/0
#delete interfaces ge-0/0/1
#set interfaces ge-0/0/0 unit 0 family inet address 192.168.100.38/24
#set interfaces ge-0/0/1 unit 0 family inet address 192.168.239.1/24

Default route

#set routing-options static route 0.0.0.0/0 next-hop 192.168.100.1

Security zone allowing ping and ssh (the `internet` zone referenced by the policies and NAT below is not defined anywhere in these notes)

#set security zones security-zone INTERNAL interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
#set security zones security-zone INTERNAL interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
#set security zones security-zone INTERNAL interfaces ge-0/0/0.0

Address book entries

#set security zones security-zone INTERNAL address-book address network_239 192.168.239.0/24

Security policies (zone names are case-sensitive and must match the INTERNAL zone defined above)

#delete security policies
#set security policies from-zone INTERNAL to-zone internet policy allow-internal-clients match source-address network_239
#set security policies from-zone INTERNAL to-zone internet policy allow-internal-clients match destination-address any
#set security policies from-zone INTERNAL to-zone internet policy allow-internal-clients match application any
#set security policies from-zone INTERNAL to-zone internet policy allow-internal-clients then permit

Source NAT for internal clients

#delete security nat
#set security nat source rule-set internal-to-internet from zone INTERNAL
#set security nat source rule-set internal-to-internet to zone internet
#set security nat source rule-set internal-to-internet rule internet-access match source-address 192.168.239.0/24
#set security nat source rule-set internal-to-internet rule internet-access match destination-address 0.0.0.0/0
#set security nat source rule-set internal-to-internet rule internet-access then source-nat interface
#commit

Enable all incoming system services on the INTERNAL zone except ftp and http

#set security zones security-zone INTERNAL host-inbound-traffic system-services all
#set security zones security-zone INTERNAL host-inbound-traffic system-services ftp except
#set security zones security-zone INTERNAL host-inbound-traffic system-services http except

Enable NETCONF over SSH so Ansible can connect (verified below by the listener on port 830)

user@hostname> configure 
Entering configuration mode

[edit]
user@hostname# set system services netconf ssh 

[edit]
user@hostname# commit and-quit 
commit complete
Exiting configuration mode

user@hostname> show system connections inet | match 830 
tcp4       0      0  *.830                    *.*                       LISTEN

user@hostname> show system connections inet6 | match 830   
tcp6       0      0  *.830                    *.*