SRX – A Juniper Firewall

  • By
  • August 27, 2019
  • Firewall
SRX - A Juniper Firewall

SRX – A Juniper Firewall

Firewall is very common thing in network now a days, that even end users( like non technical people) knows about it. Its basic purpose is to keep out bad stuff. Juniper Firewall is transforming into new domain called as service gateway and is known as SRX series firewall.

Deep inspection from a services gateway is the new firewall of the future, it needs to look deeper into the packet.

Juniper taken an enormous amount of effort to create a platform that can grow over time. The scalability is inbuilt features, performance, and multi-function capability of the SRX Series.

For Free Demo classes Call: 7798058777
Registration Link: Click Here!

Small Branch

Small Branch

 

Small Branch2

Medium Branch

Medi Branch

 

Medium Branch

Large Branch

Large Branch

 

Large Branch2

Data Center

Data Center

SRX Firewall Flow Processing

Srx Firewall Flow Processing

  1. Pull packet from Interface Queue
  2. Police Packet
  3. Stateless Packet Filtering
  4. Lookup Session
    • No Match ⇒ First Path
    • Screen Check
    • DNAT
    • Route Lookup
    • Destination Interface/Zone
    • Firewall Policy Lookup
    • NAT Lookup
    • Setup ALG Vector
    • IDP,VPN, Other Services
    • Install Session
    • Match ⇒ Fast Path
    • FW Screen Check
    • TCP Check
    • Routing/NAT Translation
    • ALG Processing
    • IDP, VPN, Other Services
  • Filter Packet
  • Shape Packet
  • Transmit Packet

For Free Demo classes Call: 7798058777
Registration Link: Click Here!

SRX Policy Processing

SRX Policy Processing

Viewing all policies configured on Juniper SRX Firewall is difficult, better we need to check policies between two zones by using command options from-zone <zone> to-zone <zone>:

admin@SRX> show security policies from-zone trust to-zone Internet
From zone: trust, To zone: Internet
Policy: default-permit, State: enabled, Index: 5, Sequence number: 3
Source addresses: any
Destination addresses: any
Applications: any
Action: permit
Policy: protect_inside_users, State: enabled, Index: 7, Sequence number: 4
Source addresses: inside-users
Destination addresses: bad_hosts
Applications: any
Action: deny

Session Flows

juniper@SRX5800> show security flow session
Session ID: 4785, Policy name: default-permit/1, Timeout: 1800
In: 10.10.1.1/49229 –> 10.1.1.254/23;tcp, If: ge-0/0/0.0
Out: 10.1.1.254/23 –> 10.10.1.1/49229;tcp, If: ge-0/0/1.0

What is NAT?

Process or translating private IP address (RFC1918) into globally rout-able address & vice-versa. Internet Assigned Number Authority (IANA) reserved following address for private internet use, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. 

Why NAT?
  • To avoid IPV4 Exhaustion
  • To Secure Network by Hiding Network
  • To Merge & Migrate Network
NAT Types
  • Source NAT
  • Destination NAT
  • Static NAT

How the SRX Processes NAT?

Srx Processes Nat

NAT is configured in the SRX under the Junos security stanza.It is fully integrated with stateful flow processing, while it is logically separate from security policy configuration.A given traffic flow can match, at most, a single NAT rule, and must match just a single security policy. There is no direct correspondence between NAT rules and security policies—the flows matched by one NAT rule may then be matched by one or several security policies.Flows matched by one security policy may have matched zero, one, or several NAT rules.But once a flow is matched by a NAT rule, the effect of the NAT rule will be fully integrated with the creation of a session table flow such that translation takes place symmetrically for both directions of IP Conversation.

For Free Demo classes Call: 7798058777
Registration Link: Click Here!

Source NAT

Source NAT Translates source IP address and TCP/UDP ports in the headers of IP flows Source NAT is the most common method used to translate private IP address into globally routable address Juniper SRX translate one or more private IP address to a group of public IP address of equal or smaller size TCP/UDP Ports can be used to overload single or smaller group of IP address

Source Nat

Config

set security nat source rule-set NAT-DMZ-TO-INTERNET from zone DMZ
set security nat source rule-set NAT-DMZ-TO-INTERNET to zone INTERNET
set security nat source rule-set NAT-DMZ-TO-INTERNET rule PAT-INTERFACE match source-address 192.168.0.0/16
set security nat source rule-set NAT-DMZ-TO-INTERNET rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set NAT-DMZ-TO-INTERNET rule PAT-INTERFACE then source-nat interface

Destination NAT
Scenario

Destination Nat

Config

set security nat destination pool POOL-WEBSERVER address 192.168.1.10/32
set security nat destination rule-set NAT-INTERNET-TO-DMZ from zone INTERNET
set security nat destination rule-set NAT-INTERNET-TO-DMZ to zone DMZ
set security nat destination rule-set NAT-INTERNET-TO-DMZ rule DEST-NAT match destination-address 200.1.1.3/32
set security nat destination rule-set NAT-INTERNET-TO-DMZ rule DEST-NAT then destination-nat pool POOL-WEBSERVER

Explanation

Any traffic coming to Juniper SRX  firewall on the INTERNET zone that is destined for 200.1.1.3 will be destination translated to go to 192.168.1.10. Note, 192.168.1.10 can respond to this traffic due to Juniper SRX being a stateful firewall, however if it initiates traffic it will not be source NAT’d.

For Free Demo classes Call: 7798058777
Registration Link: Click Here!

Port Forwarding

set security nat destination pool POOL-PORT-FORWARD address 192.168.1.10/32 port 80
set security nat destination rule-set NAT-INTERNET-TO-DMZ from zone INTERNET
set security nat destination rule-set NAT-INTERNET-TO-DMZ to zone DMZ
set security nat destination rule-set NAT-INTERNET-TO-DMZ rule DEST-NAT match destination-address 200.1.1.3/32
set security nat destination rule-set NAT-INTERNET-TO-DMZ rule DEST-NAT match destination-port 8080
set security nat destination rule-set NAT-INTERNET-TO-DMZ rule DEST-NAT then destination-nat pool POOL-PORT-FORWARD

Explanation

Anyone coming into Juniper SRX from the INTERNET interface trying to get to 200.1.1.3 on port 8080, will be translated to go to 192.168.1.10 on port 8080.

Static NAT

Static Nat

Config

set security nat static rule-set STATIC-SERVER1 from zone INTERNET
set security nat static rule-set STATIC-SERVER1 rule RULE-NAME match destination-address 200.1.1.3/32
set security nat static rule-set STATIC-SERVER1 rule RULE-NAME then static-nat 192.168.1.10/32

Verification Commands

admin@srx>show security flow session
admin@srx>show security nat source summary
admin@srx>show security destination source summary

IPSEC VPN

Ipsec Vpn

For Free Demo classes Call: 7798058777
Registration Link: Click Here!

Juniper SRX

This Juniper SRX Code will built up IPSec VPN Tunnel between two sites

Config

# IKE proposal
set security ike proposal IKE-SHA-AES128-DH1 authentication-method pre-shared-keys
set security ike proposal IKE-SHA-AES128-DH1 dh-group group2
set security ike proposal IKE-SHA-AES128-DH1 encryption-algorithm aes-128-cbc
set security ike proposal IKE-SHA-AES128-DH1 authentication algorithm sha1
set security ike proposal IKE-SHA-AES128-DH1 lifetime-seconds 86400

# IKE policy
set security ike policy IKE-POLICY-HQ mode main
set security ike policy IKE-POLICY-HQ proposals IKE-SHA-AES128-DH1
set security ike policy IKE-POLICY-HQ pre-shared-key ascii-text s3kreTKey

# IKE gateway
set security ike gateway IKE-GATEWAY-HQ ike-policy IKE-POLICY-HQ
set security ike gateway IKE-GATEWAY-HQ address 200.1.1.1
set security ike gateway IKE-GATEWAY-HQ external-interface ge-0/0/0.0

# IPSec proposal/transform set
set security ipsec proposal IPSEC-SHA-AES128-ESP1 encryption-algorithm aes-128-cbc
set security ipsec proposal IPSEC-SHA-AES128-ESP1 authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-SHA-AES128-ESP1 protocol esp
set security ipsec proposal IPSEC-SHA-AES128-ESP1 lifetime-seconds 3600

# IPSec policy
set security ipsec policy VPN-POLICY-HQ proposals IPSEC-SHA-AES128-ESP1

# IPSec VPN
set security ipsec vpn VPN-HQ ike gateway IKE-GATEWAY-HQ
set security ipsec vpn VPN-HQ ike ipsec-policy VPN-POLICY-HQ

# Address book
set security zones security-zone UNTRUST address-book address NET-REMOTE-VPN 172.16.1.0/24
set security zones security-zone TRUST address-book address NET-LOCAL 192.168.1.0/24

# Policies to define the interesting traffic
set security policies from-zone TRUST to-zone UNTRUST policy VPN-POLICY-HQ-OUT1 match source-address NET-LOCAL
set security policies from-zone TRUST to-zone UNTRUST policy VPN-POLICY-HQ-OUT1 match destination-address NET-REMOTE-VPN
set security policies from-zone TRUST to-zone UNTRUST policy VPN-POLICY-HQ-OUT1 match application any
set security policies from-zone TRUST to-zone UNTRUST policy VPN-POLICY-HQ-OUT1 then permit tunnel ipsec-vpn VPN-HQ
set security policies from-zone TRUST to-zone UNTRUST policy VPN-POLICY-HQ-OUT1 then permit tunnel pair-policy VPN-POLICY-HQ-IN
set security policies from-zone UNTRUST to-zone TRUST policy VPN-POLICY-HQ-IN match source-address NET-REMOTE-VPN
set security policies from-zone UNTRUST to-zone TRUST policy VPN-POLICY-HQ-IN match destination-address NET-LOCAL
set security policies from-zone UNTRUST to-zone TRUST policy VPN-POLICY-HQ-IN match application any
set security policies from-zone UNTRUST to-zone TRUST policy VPN-POLICY-HQ-IN then permit tunnel ipsec-vpn VPN-HQ
set security policies from-zone UNTRUST to-zone TRUST policy VPN-POLICY-HQ-IN then permit tunnel pair-policy VPN-POLICY-HQ-OUT1

# Exclude the VPN traffic from being NAT’d
set security nat source rule-set NAT-INTERFACE rule NO-NAT match source-address 192.168.1.0/24
set security nat source rule-set NAT-INTERFACE rule NO-NAT match destination-address 172.16.1.0/24
#set security nat source rule-set NAT-INTERFACE rule NO-NAT then source-nat off

Cisco ASA Firewall

This Cisco ASA Code will built up IPSec VPN Tunnel between two sites

! Interesting traffic
access-list ACL-VPN-SRX1 extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

! IKE parameters
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

For Free Demo classes Call: 7798058777
Registration Link: Click Here!

! IPSec settings
crypto ipsec ikev1 transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto map MAP-VPN1 10 match address ACL-VPN-SRX
crypto map MAP-VPN1 10 set peer 100.1.1.1
crypto map MAP-VPN1 10 set ikev1 transform-set ESP-AES128-SHA
crypto map MAP-VPN1 interface OUTSIDE

! Tunnel group
tunnel-group 100.1.1.1 type ipsec-l2l
tunnel-group 100.1.1.1 ipsec-attributes
ikev1 pre-shared-key s3kreTKey

!Should Not be NAT’d this Traffic as it goes through the firewall
object network OBJ-172.16.1.0
subnet 172.16.1.0 255.255.255.0
object network OBJ-192.168.1.0
subnet 192.168.1.0 255.255.255.0
nat (INSIDE,OUTSIDE) source static OBJ-172.16.1.0 OBJ-172.16.1.0 destination static OBJ-192.168.1.0 OBJ-192.168.1.0 no-proxy-arp description No NAT for VPN to SRX

Juniper SRX Firewall is big technology, but I tried to explain a few concepts to simplify it.

I hope this article to be helpful in understanding Juniper SRX Firewall.

Call the Trainer and Book your free demo Class for now!!!

call icon

Submit Comment

Your email address will not be published. Required fields are marked *

*
*