Additionally, the SRX Series device uses a NAT 1.1.1.1 to 192.168.1.1 to make a Web Application available publicly. The following shows the basic configuration for interfaces, zones, and BGP:

interfaces {
    ge-0/0/4 {
        description Untrust;
        unit 0 {
            family inet {
                address 200.200.200.2/30;
            }
        }
    }
    ge-0/0/8 {
        description Trust;
        unit 0 {
            family inet {
                address 172.16.0.1/24;
            }
        }
    }
}
protocols {
    bgp {
        group partner {
            export conditional_route;
            peer-as 1111;
            neighbor 200.200.200.1;
        }
        group wan {
            peer-as 65100;
            neighbor 172.16.0.2;
        }
    }
}
routing-options {
    autonomous-system 65100;
}
security {
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/4.0 {
                    host-inbound-traffic {
                        protocols {
                            bgp;
                        }
                    }
                }
            }
        }
        security-zone trust {
            interfaces {
                ge-0/0/8.0 {
                    host-inbound-traffic {
                        protocols {
                            bgp;
                        }
                    }
                }
            }
        }
    }
}

The export policy conditional_route is as follows:

policy-options {
    policy-statement conditional_route {
        term 1 {
            from {
                route-filter 1.1.1.0/24 exact;
                condition check_route;
            }
            then accept;
        }
        then reject;
    }
}

The SRX Series device advertises 1.1.1.0/24 based on the condition labeled check_route, shown as follows:

policy-options {
    condition check_route {
        if-route-exists {
            192.168.1.0/24;
            table inet.0;
        }
    }
}

You must add 1.1.1.0/24 into the route table
Use the Track-IP Feature on SRX Platforms
For SLAX 1.0 version 1.0 and higher, you can use the track-ip event script to implement the Track-IP feature on the SRX platforms
Both profiles hand out IP addresses and DNS servers from the address assignment pool dyn-vpn-address-pool
Convert Between Zone-Defined and Global Address Books
For SLAX version 1.0 and higher, you can run the upgrade script to convert address books from a zone-defined address book (Junos OS Release 11.1 and earlier) to a global address book, and vice versa. You can also run the downgrade script to convert address books from global address books to zone-defined address books
HTTPS relies on certificates for authenticating and encrypting the connection. The server buys a certificate from a Certificate Authority the client trusts...This way the client also trusts the server because of the chain of trust
Zone-based vs Global
When dealing with address objects on an SRX running older versions of Junos, they typically would employ a zone-based address-book for its configuration. When using a zone-based address-book, the address objects referenced in the security policies are created per zone, which means that every zone will have an address-book configuration, and could potentially have duplicate objects. Newer Junos versions use a global address-book configuration. The global address-book reduces complexity in your configuration by managing all address objects in one spot, and if you need to reference the same object in different zones, you aren't defining said object under multiple zones in your configuration
1 Comment:
show configuration | display set | save config.txt
start shell
sed "s/set security zones.*address-book/set security address-book global/g" config.txt > gconfig.txt
exit
edit
delete
load set gconfig.txt
show | compare
commit and-quit
set system login user lab uid 2000
set system login user lab class super-user
set system login user lab authentication encrypted-password "$1$s95t$az6TXbMwo4FChdBEp/06d1"
set system services ftp
set system services ssh
set system services telnet
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fe-0/0/0 unit 0 family inet address 10.0.0.1/30
set interfaces fe-0/0/0 unit 0 family iso
set interfaces fe-0/0/0 unit 0 family inet6
set interfaces fe-0/0/1 unit 0 family inet address 10.0.0.2/30
set interfaces fe-0/0/1 unit 0 family iso
set interfaces fe-0/0/1 unit 0 family inet6
set interfaces fe-0/0/2 vlan-tagging
set interfaces fe-0/0/2 unit 0 vlan-id 0
set interfaces fe-0/0/2 unit 0 family inet address 192.168.0.1/30
set interfaces fe-0/0/2 unit 1 vlan-id 1
set interfaces fe-0/0/2 unit 1 family inet address 24.0.0.1/30
set interfaces fe-0/0/3 vlan-tagging
set interfaces fe-0/0/3 unit 0 vlan-id 0
set interfaces fe-0/0/3 unit 0 family inet address 192.168.0.2/30
set interfaces fe-0/0/3 unit 1 vlan-id 1
set interfaces fe-0/0/3 unit 1 family inet address 24.0.0.2/30
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/7 unit 0 family inet filter input ICMP
deactivate interfaces fe-0/0/7 unit 0 family inet filter
set interfaces fe-0/0/7 unit 0 family inet dhcp-client
set interfaces lo0 unit 0 family inet address 1.1.1.1/32
set interfaces lo0 unit 0 family iso address 49.0000.0010.0100.1001.00
set interfaces lo0 unit 1 family inet address 2.2.2.2/32
set interfaces lo0 unit 1 family iso address 49.0000.0020.0200.2002.00
set interfaces lo0 unit 2 family inet address 10.0.0.1/32
set interfaces lo0 unit 3 family inet address 10.0.0.2/32
set interfaces lo0 unit 4 family inet address 36.0.0.1/32
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set protocols stp
set policy-options policy-statement EXPLOOP from protocol direct
set policy-options policy-statement EXPLOOP from route-filter 36.0.0.1/32 exact
set policy-options policy-statement EXPLOOP then accept
set policy-options policy-statement NHS term 1 from protocol direct
set policy-options policy-statement NHS term 1 then accept
set policy-options policy-statement NHS term 2 then next-hop self
set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based
set firewall filter ICMP term ICMP from protocol icmp
set firewall filter ICMP term ICMP from icmp-type echo-request
set firewall filter ICMP term ICMP then count ICMP_entrant
set firewall filter ICMP term ICMP then discard
set firewall filter ICMP term ELSE then count Le_RESTE
set firewall filter ICMP term ELSE then accept
set routing-instances R1 instance-type virtual-router
set routing-instances R1 interface fe-0/0/0.0
set routing-instances R1 interface lo0.0
set routing-instances R1 protocols ospf area 0.0.0.0 interface fe-0/0/0.0
set routing-instances R1 protocols ospf area 0.0.0.0 interface lo0.0 passive
set routing-instances R1 protocols isis interface fe-0/0/0.0 level 1 disable
set routing-instances R1 protocols isis interface lo0.0
set routing-instances R2 instance-type virtual-router
set routing-instances R2 interface fe-0/0/1.0
set routing-instances R2 interface lo0.1
set routing-instances R2 protocols ospf area 0.0.0.0 interface lo0.1 passive
set routing-instances R2 protocols ospf area 0.0.0.0 interface fe-0/0/1.0
set routing-instances R2 protocols isis interface fe-0/0/1.0 level 1 disable
set routing-instances R2 protocols isis interface lo0.1
set routing-instances RB1 instance-type virtual-router
set routing-instances RB1 interface fe-0/0/2.0
set routing-instances RB1 interface lo0.2
set routing-instances RB1 routing-options static route 10.0.0.2/32 next-hop 192.168.0.2
set routing-instances RB1 routing-options autonomous-system 65000
set routing-instances RB1 protocols bgp group INTERNE type internal
set routing-instances RB1 protocols bgp group INTERNE local-address 10.0.0.1
set routing-instances RB1 protocols bgp group INTERNE neighbor 10.0.0.2
set routing-instances RB2 instance-type virtual-router
set routing-instances RB2 interface fe-0/0/2.1
set routing-instances RB2 interface fe-0/0/3.0
set routing-instances RB2 interface lo0.3
set routing-instances RB2 routing-options static route 10.0.0.1/32 next-hop 192.168.0.1
set routing-instances RB2 routing-options autonomous-system 65000
set routing-instances RB2 protocols bgp group INTERNE type internal
set routing-instances RB2 protocols bgp group INTERNE local-address 10.0.0.2
set routing-instances RB2 protocols bgp group INTERNE export NHS
set routing-instances RB2 protocols bgp group INTERNE neighbor 10.0.0.1
set routing-instances RB2 protocols bgp group EXTERNE type external
set routing-instances RB2 protocols bgp group EXTERNE neighbor 24.0.0.2 peer-as 65001
set routing-instances RB3 instance-type virtual-router
set routing-instances RB3 interface fe-0/0/3.1
set routing-instances RB3 interface lo0.4
set routing-instances RB3 routing-options autonomous-system 65001
set routing-instances RB3 protocols bgp group EXTERNE type external
set routing-instances RB3 protocols bgp group EXTERNE export EXPLOOP
set routing-instances RB3 protocols bgp group EXTERNE neighbor 24.0.0.1 peer-as 65000
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0

Notes
If you have a look at routing instances RB1, RB2, and RB3 connected via ports fe-0/0/2 and fe-0/0/3, there are three more routers running IBGP and eBGP to check how next-hop self option works