
Getting started with Juniper SRX platform [en]

Friday, January 6th, 2017

I started to play with the Juniper SRX platform a few months ago. I got an SRX220 on loan from Rafael and I bought an SRX100 for my experiments. The JunOS operating system installed on the boxes is heavily based on FreeBSD, so we're in familiar Unix-land. This is going to be fun. 🙂

I have access to lab documentation, but I will not reproduce the setup from the books exactly: there will be some adaptations (mainly about port numbering) to fit my lab setup, since I will work on those devices from a remote location and will not enjoy 100% physical access during my exercises. To make matters even more interesting, I still have my old ADSL connection, which will be used as a separate internet access.

The default configuration is a simple NATing firewall/router, similar to the one you might expect from a stock OpenWRT installation. There is a web interface, but I will just ignore it, so let's dig out the Cisco serial cable and connect to the console port.

Configuring the SRXes over the serial port is nice, but serial ports are available only in limited quantity on my Terminator server, so we will start by setting up the devices for more convenient ssh access from my home network. The config statements allow for comments: they start with the character '#', and the commands below are peppered with them, so you can copy-paste huge blocks of text at once.

We will start with the SRX100; the management port is connected to port 7 on the firewall.

# Set system root password (REQUIRED)
set system root-authentication plain-text-password

# Check if config passes
commit check

# Remove the interface from the default switching bridge (vlan.0)
delete interfaces fe-0/0/7 unit 0

# Add ssh pubkey
set system root-authentication ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC98TAUD9PPuzRj5uyHWlxZiXGLm1JI7T2hPNwmW9pU5V/guoJ90VTNQ7lugEoX8HYxB7JC0/RA5ogJBkhcQHIAMIGT6yM7F2zzVv9LadbiMU0KrB2dZVmPKKxi49uqqj+d8zIWTbm4tLf7xdF42kr7c2AUl1kYzaD1ymlAXSavvHTg7y/h2/mZ36F7WZmVwa7Q6iI5Vuca66lauwGgl1ETS2lwneQn+CWDZFMSFDT9TmphR8mpISi8063oTwvvHa/t0bpeQnKltg1iqM2YGTlIGTgXuEWsiAARfF96zhOUAXseA9WHeCTDUITmycFau4+ILxVH47Z6oC11W52BtwIf frederic@pekko"

# Set IP address
set interfaces fe-0/0/7 unit 0 family inet address 192.168.4.60/26

# Put the interface into the mgmt zone and allow only the needed management services on it
set security zones security-zone mgmt interfaces fe-0/0/7.0 host-inbound-traffic system-services http
set security zones security-zone mgmt interfaces fe-0/0/7.0 host-inbound-traffic system-services https
set security zones security-zone mgmt interfaces fe-0/0/7.0 host-inbound-traffic system-services ssh
set security zones security-zone mgmt interfaces fe-0/0/7.0 host-inbound-traffic system-services ping

# save changes
commit
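As an added check that is not part of the original post: a small Python audit of Junos set-format lines like the ones above. It flags cleartext management services in host-inbound-traffic, blanket `system-services all`, and any management service opened on an internet-facing zone; the zone-wide `untrust` line in the sample is constructed for the demonstration, not taken from the post.

```python
"""Audit Junos 'set'-style config lines for management-plane exposure."""
import re
from collections import defaultdict

# Constructed sample: the mgmt-zone lines from this post, plus one hypothetical
# zone-wide line (not in the post) that opens every service on the untrust zone.
SAMPLE_CONFIG = """
set security zones security-zone mgmt interfaces fe-0/0/7.0 host-inbound-traffic system-services http
set security zones security-zone mgmt interfaces fe-0/0/7.0 host-inbound-traffic system-services https
set security zones security-zone mgmt interfaces fe-0/0/7.0 host-inbound-traffic system-services ssh
set security zones security-zone mgmt interfaces fe-0/0/7.0 host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services all
"""

# Matches both per-interface and zone-wide host-inbound-traffic statements.
SVC_RE = re.compile(
    r"^set security zones security-zone (?P<zone>\S+) "
    r"(?:interfaces (?P<iface>\S+) )?host-inbound-traffic system-services (?P<svc>\S+)$"
)
CLEARTEXT = {"http", "telnet", "ftp"}  # services that carry credentials unencrypted


def parse_services(config):
    """Return {(zone, iface): set(services)}; iface is '*' for zone-wide statements."""
    services = defaultdict(set)
    for line in config.splitlines():
        m = SVC_RE.match(line.strip())
        if m:
            services[(m["zone"], m["iface"] or "*")].add(m["svc"])
    return dict(services)


def audit(config, internet_facing=("untrust",)):
    """Return human-readable findings about management-plane exposure."""
    findings = []
    for (zone, iface), svcs in sorted(parse_services(config).items()):
        where = f"{zone}/{iface}"
        if "all" in svcs:
            findings.append(f"{where}: system-services all enabled; list only the services needed")
        for svc in sorted(svcs & CLEARTEXT):
            findings.append(f"{where}: cleartext service {svc} enabled; prefer https/ssh")
        exposed = sorted(svcs - {"ping"}) if zone in internet_facing else []
        if exposed:
            findings.append(f"{where}: {exposed} reachable from internet-facing zone {zone}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```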

From now on, ssh is available and we can disconnect the serial interface. It won't be used for the rest of the experiments unless we need to move the management interface to another port. Now, let's set up PPPoE…

set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether
set interfaces pp0 unit 0 ppp-options chap local-name <YOUR_USERNAME>
set interfaces pp0 unit 0 ppp-options chap default-chap-secret <YOUR_PASSWORD>
set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/0.0
set interfaces pp0 unit 0 pppoe-options client
# When using PPPoE, always set the MTU to 1492 (1500 minus the 8-byte PPPoE/PPP overhead)
set interfaces pp0 unit 0 family inet mtu 1492
set interfaces pp0 unit 0 family inet negotiate-address
# Explicitly use the PPPoE interface as the default route
set routing-options static route 0.0.0.0/0 next-hop pp0.0 metric 0
commit

At that point, the PPPoE session is established. Let’s check it:

run show interfaces terse

[...]
pimd up up
pime up up
pp0 up up
pp0.0 up up inet 62.235.222.80 --> 62.235.222.1
ppd0 up up
ppe0 up up
st0 up up
tap up up
vlan up up
vlan.0 up up inet 192.168.1.1/24

This looks good! We have an IP address from our ISP! Let's tackle the SRX220…