Professional Documents
Culture Documents
n
JUNOS Software
io
9.a
ct
du
ro
ep
Detailed Lab Guide
rR
Fo
ot
N
n
io
ct
Juniper Networks reserves the right to change, modify, transfer or otherwise revise this publication without notice.
du
YEAR 2000 NOTICE
Juniper Networks hardware and software products do not suffer from Year 2000 problems and hence are Year 2000 compliant. The JUNOS software has no
known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
SOFTWARE LICENSE
The terms and conditions for using Juniper Networks software are described in the software license provided with the software, or to the extent applicable, in an
ro
agreement executed between you and Juniper Networks, or Juniper Networks agent. By using Juniper Networks software, you indicate that you understand and
agree to be bound by its license terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the Juniper
Networks software, may contain prohibitions against certain uses, and may state conditions under which the license is automatically terminated. You should
consult the software license for further details.
ep
rR
Fo
ot
N
Contents
Lab 1: Initial System Configuration (Detailed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
Part 1: Load a Reset Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Part 2: Establish Layer 2 Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
Part 3: Assign IP Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Part 4: Establish Layer 3 Connectivity Using OSPF Routing Protocol . . . . . . . . . . . . . . . . . . . . . . 1-11
Part 5: Establish Hosts Within Each Site and Summarize the Advertisement of Their Prefixes
Across the Internet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-17
n
Lab 2: Security Policies (Detailed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Part 1: Interface Assignment to Security Zones. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
io
Part 2: Building Address Books for Each Security Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10
Part 3: Establishing and Configuring Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-14
ct
Part 4: Testing and Monitoring the Functionality of Security Zones . . . . . . . . . . . . . . . . . . . . . . . 2-23
du
Part 1: Adding Public Addresses to Address Books of Necessary Security Zones . . . . . . . . . . . . 3-2
Part 2: Define Source and Destination NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6
Part 3: Incorporating Source and Destination NAT into Security Policies . . . . . . . . . . . . . . . . . . . 3-9
Part 4: NAT Testing and Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-16
ro
Lab 4: Campus Interconnectivity—IPSec VPNs (Detailed) . . . . . . . . . . . . . . . . . . . . . . . . 4-1
Part 1: Configuring IKE Phase 1 Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
ep
Part 2: Configuring IKE Phase 2 Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4
Part 3: Configuring Route-Based IPSec VPN Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6
Part 4: Troubleshooting the Retail/Finance IPSec VPN Operation . . . . . . . . . . . . . . . . . . . . . . . . 4-10
rR
Contents • iii
iv • Contents
N
ot
Fo
rR
ep
ro
du
ct
io
n
.
Course Overview
The Operating Enhanced Services for JUNOS Software course is an instructor-led, four-day
course designed to provide enterprise network engineers with the knowledge and skills
necessary to use JUNOS software with enhanced services. It covers advanced security
features and configurations of Juniper Networks platforms, focusing specifically on the
enhanced services of JUNOS software. The course combines both lecture and labs, with
significant time allocated for hands-on experience with JUNOS software enhanced services.
Objectives
After successfully completing this course, you should be able to:
n
• Describe the requirements of routers and firewalls.
io
• Describe the architecture of JUNOS software with enhanced services.
• Describe and define zone types and their purpose.
ct
• Configure and monitor zones.
• Explain the meaning of SCREEN options.
du
• Identify advantages of using JUNOS SCREEN options.
• Configure and monitor zone-based SCREEN options.
•
•
ro
Explain security policy functionality.
Configure and monitor security policies.
ep
• Describe Network Address Translation (NAT) features.
• Configure and monitor NAT.
• Describe IPSec VPNs.
rR
Intended Audience
The primary audiences for this course are the following:
ot
Course Level
This is an advanced-level course.
. Course Overview • v
Prerequisites
The following are the prerequisites for this course:
• The Operating Juniper Networks Routers in the Enterprise course or equivalent
experience;
• Knowledge, familiarity, and comfort with the JUNOS software CLI;
• Experience managing routers (not necessarily Juniper Networks) in an enterprise
environment;
• An understanding of destination-based, hop-by-hop IP routing; and
• Experience with interior gateway protocols (IGPs).
n
io
ct
du
ro
ep
rR
Fo
ot
N
vi • Course Overview
Course Agenda
Day 1
Lab 1: Initial System Configuration (Detailed)
Day 2
Lab 2: Security Policies (Detailed)
Day 3
Lab 3: Network Address Translation (NAT) (Detailed)
n
Day 4
io
Lab 4: Campus Interconnectivity—IPSec VPNs (Detailed)
ct
du
ro
ep
rR
Fo
ot
N
n
Gothic Guide and Student Guide.
Console text:
io
Courier
New commit complete
• Screen captures
ct
• Noncommand-related Exiting configuration
syntax mode
du
Century GUI text elements: Select File>Open, and then click
Gothic Configuration.conf in the
• Menu names
Filename text box.
• Text field entry
ro
Input Text Versus Output Text
ep
You will also frequently see cases where you must enter input text yourself. Often this will be
shown in the context of where you must enter it. We use bold style to distinguish text that is
input versus text that is simply displayed.
rR
CLI Input Text that you must enter. lab@San_Jose> show route
GUI Input Select File>Save, and enter
ot
n
GUI Click on my-peers in the dialog.
Variable
io
CLI Text where the variable’s value is Type set policy
Undefined the user’s discretion and text where policy-name.
ct
the variable’s value as shown in the
GUI ping 10.0.1.1
lab guide might differ from the
Undefined
value the user must input. Select File>Save, and enter
du
filename in the Filename field.
ro
ep
rR
Fo
ot
N
Document Conventions • ix
Additional Information
n
differently so you should always consult the documentation and release notes for the version
of code you are running before reporting errors.
io
This document is written and maintained by the Juniper Networks Education Services
development team. Please send questions and suggestions for improvement to
ct
training@juniper.net.
Technical Publications
du
You can print technical manuals and release notes directly from the Internet in a variety of
formats:
• Go to http://www.juniper.net/techpubs/.
ro
• Locate the specific software or hardware release and title you need, and choose
the format in which you want to view or print the document.
ep
Documentation sets and CDs are available through your local Juniper Networks sales office or
account representative.
x • Additional Information
Lab 1
Initial System Configuration (Detailed)
Overview
n
io
In this first lab you will establish the baseline for all other labs. Specifically, you will establish
Layer 2 and Layer 3 connectivity between the devices within your group. There are four
ct
groups—A,B,C, and D. You will work in pairs, as defined by your instructor. Layer 2 connectivity
consists in establishing a WAN Frame Relay connection across the Internet, and virtual LAN
(VLAN) connectivity within each city of your group. Layer 3 connectivity consists of assigning IP
du
addressing, as defined in the lab guide, and configuring the OSPF routing protocol. Once all the
connections are established, you will configure three hosts within each site, and ensure that
summary routes for these hosts are propagated across the WAN links.
This lab is available in two formats: a high-level format, that is designed to make you think
ro
through each step, and a detailed format that offers step-by-step instructions complete with
sample output from most of the commands.
ep
By completing this lab, you will perform the following tasks:
• Load the reset configuration files.
• Establish Layer 2 Frame Relay and VLAN addressing.
rR
Key Commands
n
Part 1: Load a Reset Configuration File
io
In this part of the lab each team will load the reset configuration file.
ct
Step 1.1
du
Log in to the router with the username lab and the password lab123. Note that the
username and the password are case sensitive.
Tokyo (ttyd0)
login: lab
Password:
ro
--- JUNOS 9.0R1.10 built 2008-02-14 03:14:18 UTC
ep
lab@Tokyo> configure
Entering configuration mode
rR
Step 1.2
Enter configuration mode and load a reset configuration using the load override
command. The file to be loaded is located in the /var/home/lab/oesj/
lab1-reset.conf directory.
Fo
lab@Tokyo> configure
Entering configuration mode
[edit]
lab@Tokyo# load override /var/home/lab/oesj/lab1-reset.conf
ot
load complete
[edit]
N
lab@Tokyo#
Step 1.3
Display the resulting configuration.
Here is the sample configuration for the Tokyo router:
[edit]
lab@Tokyo# show
## Last changed: 2008-02-22 04:02:56 UTC
version 9.0R1.10;
system {
host-name Tokyo;
root-authentication {
encrypted-password "$1$88Mjdcd5$QDURoHCb0BJHBzSOyhqly."; ## SECRET-DATA
}
login {
user lab {
uid 2000;
class super-user;
authentication {
encrypted-password "$1$MEG.LEMV$N5FAp2A5tUP6U52UiSHoB/"; ##
SECRET-DATA
n
}
}
io
}
services {
ct
ssh;
telnet;
web-management {
du
http {
interface ge-0/0/0.0;
}
} ro
}
syslog {
user * {
ep
any emergency;
}
file messages {
any any;
rR
authorization info;
}
file interactive-commands {
interactive-commands any;
}
Fo
}
}
interfaces {
ge-0/0/0 {
description "Do-not-delete-Management-Interface!";
ot
unit 0 {
family inet {
address 10.210.11.178/28;
N
}
}
}
}
security {
zones {
security-zone trust {
interfaces {
all {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
}
policies {
from-zone trust to-zone trust {
n
policy trust {
match {
io
source-address any;
destination-address any;
ct
application any;
}
then {
du
permit;
}
}
} ro
}
}
ep
[edit]
lab@Tokyo#
In this part of the lab you will configure all Layer 2 addresses for your router. Refer to the Lab 1
diagram for your group letter (A, B, C, or D).
Fo
Step 2.1
Display the status of the Internet-facing serial interface and LAN interface ge-0/0/3.
[edit]
lab@Tokyo# run show interfaces ge-0/0/3
ot
[edit]
lab@Tokyo# run show interfaces se-1/0/1
Physical interface: se-1/0/1, Enabled, Physical link is Up
Interface index: 142, SNMP ifIndex: 38
Type: Serial, Link-level type: PPP, MTU: 1504, Maximum speed: 8mbps
Device flags : Present Running
Interface flags: Point-To-Point Internal: 0x4000
n
Link flags : Keepalives
CoS queues : 8 supported, 8 maximum usable queues
io
Last flapped : 2007-12-03 02:42:31 UTC (4d 23:06 ago)
Input rate : 0 bps (0 pps)
ct
Output rate : 0 bps (0 pps)
du
Question: What is the link-level type for the serial
interface facing the Internet?
ro
Answer: The link-level type is PPP.
Step 2.2
ot
Configure Layer 2 parameters, as identified in the network diagram for your group letter (A, B,
C, or D). Commit the changes.
[edit]
N
[edit interfaces]
lab@Tokyo# set ge-0/0/3 vlan-tagging
[edit interfaces]
lab@Tokyo# set ge-0/0/3 unit 100 vlan-id 100
[edit interfaces]
lab@Tokyo# set ge-0/0/3 unit 200 vlan-id 200
[edit interfaces]
lab@Tokyo# set se-1/0/1 encapsulation frame-relay
[edit interfaces]
lab@Tokyo# set se-1/0/1 unit 602 dlci 602
[edit interfaces]
lab@Tokyo# show ge-0/0/3
vlan-tagging;
unit 100 {
vlan-id 100;
n
}
unit 200 {
io
vlan-id 200;
}
ct
[edit interfaces]
lab@Tokyo# show se-1/0/1
du
encapsulation frame-relay;
unit 602 {
dlci 602;
} ro
[edit interfaces]
lab@Tokyo# commit
ep
commit complete
[edit interfaces]
lab@Tokyo#
rR
Step 2.3
Display the status of the interfaces again using show interfaces interface-name
command.
Fo
[edit]
lab@Tokyo# run show interfaces ge-0/0/3
Physical interface: ge-0/0/3, Enabled, Physical link is Up
Interface index: 140, SNMP ifIndex: 36
Link-level type: Ethernet, MTU: 1518, Speed: 100mbps, Loopback: Disabled,
ot
n
Input packets : 0
Output packets: 0
io
Security: Zone: trust
Allowed host-inbound traffic : bootp bfd bgp dlsw dns dvmrp igmp ldp msdp
ct
nhrp ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp
ident-reset http https ike netconf ping rlogin rpm rsh snmp snmp-trap ssh
telnet traceroute xnm-clear-text xnm-ssl lsping
du
Logical interface ge-0/0/3.32767 (Index 69) (SNMP ifIndex 44)
Flags: SNMP-Traps VLAN-Tag [ 0x0000.0 ] Encapsulation: ENET2
Input packets : 0 ro
Output packets: 0
Security: Zone: trust
Allowed host-inbound traffic : bootp bfd bgp dlsw dns dvmrp igmp ldp msdp
ep
nhrp ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp
ident-reset http https ike netconf ping rlogin rpm rsh snmp snmp-trap ssh
telnet traceroute xnm-clear-text xnm-ssl lsping
rR
[edit]
lab@Tokyo# run show interfaces se-1/0/1
Physical interface: se-1/0/1, Enabled, Physical link is Up
Interface index: 142, SNMP ifIndex: 38
Type: Serial, Link-level type: Frame-Relay, MTU: 1504, Maximum speed: 8mbps
Fo
DTE statistics:
Enquiries sent : 3
Full enquiries sent : 0
N
n
nhrp ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp
ident-reset http https ike netconf ping rlogin rpm rsh snmp snmp-trap ssh
io
telnet traceroute xnm-clear-text xnm-ssl lsping
DLCI 602
ct
Flags: Down, DCE-Unconfigured
Total down time: 00:00:19 sec, Last down: 00:00:19 ago
Input packets : 0
du
Output packets: 0
DLCI statistics:
Active DLCI :0 Inactive DLCI :1
ro
Question: What is the difference between the display of
the interfaces status in this step and Step 2.1?
ep
rR
Step 3.1
N
Assign IP addresses to the WAN, LAN, and lo0 interfaces of your router, as illustrated in the
Lab 1 diagram for your group letter (A, B, C, or D).
[edit interfaces]
lab@Tokyo# set ge-0/0/3 unit 100 family inet address 10.222.100.1/24
[edit interfaces]
lab@Tokyo# set ge-0/0/3 unit 200 family inet address 10.222.200.1/24
[edit interfaces]
[edit interfaces]
lab@Tokyo# set lo0 unit 0 family inet address 192.168.24.1
[edit interfaces]
lab@Tokyo# show
ge-0/0/0 {
description "Do-not-delete-Management-Interface!";
unit 0 {
family inet {
address 10.210.11.178/28;
n
}
}
io
}
ge-0/0/3 {
ct
vlan-tagging;
unit 100 {
vlan-id 100;
du
family inet {
address 10.222.100.1/24;
}
} ro
unit 200 {
vlan-id 200;
family inet {
ep
address 10.222.200.1/24;
}
}
}
rR
se-1/0/1 {
encapsulation frame-relay;
unit 602 {
dlci 602;
family inet {
Fo
address 172.18.36.1/30;
}
}
}
lo0 {
ot
unit 0 {
family inet {
address 192.168.24.1/32;
N
}
}
}
[edit interfaces]
lab@Tokyo#
Step 3.2
Commit the configuration changes.
[edit interfaces]
lab@Tokyo# commit and-quit
commit complete
Exiting configuration mode
lab@Tokyo>
Step 3.3
Test IP connectivity by pinging the IP address of the directly attached interface of your peer
router across the Internet.
lab@Tokyo> ping 172.18.36.2
n
PING 172.18.36.2 (172.18.36.2): 56 data bytes
64 bytes from 172.18.36.2: icmp_seq=0 ttl=65 time=3.758 ms
io
64 bytes from 172.18.36.2: icmp_seq=1 ttl=65 time=2.346 ms
64 bytes from 172.18.36.2: icmp_seq=2 ttl=65 tim^C
ct
--- 172.18.36.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.344/2.816/3.758/0.666 ms
du
lab@Tokyo>
lab@Tokyo>
Now continue testing IP connectivity by pinging the IP address of the lo0 interface of your peer
router across the Internet.
lab@Tokyo> ping 192.168.36.1
PING 192.168.36.1 (192.168.36.1): 56 data bytes
ping: sendto: No route to host
n
ping: sendto: No route to host
ping: sendto: No route to host
io
^C
--- 192.168.36.1 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
ct
lab@Tokyo>
du
Question: Is the ping successful? Why?
ro
ep
Answer: The ping is not successful because there is no
route to the destination IP address. To learn the route, a
dynamic routing protocol or static route is required.
rR
In this part of the lab, you will establish Layer 3 connectivity between all the routers within your
Fo
city region (which includes your router, XX-VR, and XX-VR2) and between those routers and
the routers of your peer. You are to use OSPF as the routing protocol. Refer to the network
diagram of Lab 1 for your group letter (A, B, C, or D) to determine the OSPF areas assignments.
Step 4.1
ot
From your router, use Telnet to access the XX-VR router of your city region. Recall that XX are
the first two letters of your city name. For example, TO-VR is the router name attached to
Tokyo. The login name is your router name, router-VR, where router is in lower case
N
Sydney (ttyp0)
login: tokyo-VR
Password:
NOTE: This router is divided into many virtual routers used by different
teams. Please only configure your own virtual router.
tokyo-VR@Sydney>
Step 4.2
n
Configure the OSPF routing protocol for routing-instance XX-VR. Use the Lab 1 diagram to
identify which OSPF area to configure. OSPF interfaces include lo0. xyz and
io
ge-0/0/3.xyz, where xyz is the corresponding VLAN ID, as defined on the lab diagram.
tokyo-VR@Sydney> configure private
ct
warning: uncommitted changes will be discarded on exit
Entering configuration mode
du
[edit]
tokyo-VR@Sydney# edit routing-instances TO-VR
protocols {
ospf {
area 0.0.0.1 {
N
interface ge-0/0/3.100;
interface lo0.100;
}
}
}
Step 4.3
Commit configuration file.
[edit]
tokyo-VR@Sydney# commit
commit complete
[edit]
tokyo-VR@Sydney#
Step 4.4
n
Close the Telnet session with the XX-VR router. Now use Telnet to access the XX-VR2 router
of your city region. (Recall that XX are the first two letters of your city name. For example,
io
TO-VR2 is the router name attached to Tokyo. The login name is your router name,
router-VR2, where router is in lower case letters, and the password is lab123.)
ct
[edit]
tokyo-VR@Sydney# exit
Exiting configuration mode
du
tokyo-VR@Sydney> exit
Sydney (ttyp0)
rR
login: tokyo-VR2
Password:
NOTE: This router is divided into many virtual routers used by different
teams. Please only configure your own virtual router.
tokyo-VR2@Sydney>
Step 4.5
N
Configure the OSPF routing protocol for the routing-instance XX-VR2. Use the Lab 1 diagram
to identify which OSPF area to configure. OSPF interfaces include lo0. xyz and
ge-0/0/3.xyz, where xyz is the corresponding VLAN ID, as defined on the lab diagram.
tokyo-VR2@Sydney> configure private
warning: uncommitted changes will be discarded on exit
Entering configuration mode
[edit]
tokyo-VR2@Sydney# edit routing-instances TO-VR2
n
protocols {
ospf {
io
area 0.0.0.11 {
interface ge-0/0/3.200;
ct
interface lo0.200;
}
}
du
}
Step 4.6
Commit the configuration file. Next, exit the Telnet session.
ro
[edit routing-instances TO-VR2]
tokyo-VR2@Sydney# top
ep
[edit]
tokyo-VR2@Sydney# commit and-quit
commit complete
rR
tokyo-VR2@Sydney> exit
lab@Tokyo>
[edit routing-instances TO-VR2]
tokyo-VR2@Sydney# top
ot
[edit]
tokyo-VR2@Sydney# commit
commit complete
N
[edit]
tokyo-VR2@Sydney# exit
Exiting configuration mode
tokyo-VR2@Sydney> exit
lab@Tokyo>
Step 4.7
Configure the OSPF protocol on your router. Use the Lab 1 network diagram to identify which
interfaces belong to which OSPF areas. Your router is the OSPF area border router (ABR).
lab@Tokyo> edit
Entering configuration mode
[edit]
lab@Tokyo# edit protocols
[edit protocols]
n
lab@Tokyo# set ospf area 0 interface se-1/0/1.602
io
[edit protocols]
lab@Tokyo# set ospf area 0 interface lo0
ct
[edit protocols]
lab@Tokyo# set ospf area 1 interface ge-0/0/3.100
du
[edit protocols]
lab@Tokyo# set ospf area 11 interface ge-0/0/3.200
[edit protocols] ro
lab@Tokyo# show
ospf {
area 0.0.0.0 {
ep
interface se-1/0/1.602;
interface lo0.0;
}
area 0.0.0.1 {
rR
interface ge-0/0/3.100;
}
area 0.0.0.11 {
interface ge-0/0/3.200;
}
Fo
[edit protocols]
lab@Tokyo#
ot
Step 4.8
Commit the configuration changes in your router.
N
[edit protocols]
lab@Tokyo# commit and-quit
commit complete
Exiting configuration mode
lab@Tokyo>
Step 4.9
Check OSPF neighbor status from your router. If the status of OSPF neighbors is not showing as
FULL, fix the problem.
n
Step 4.10
io
Check the routing table on your router.
lab@Tokyo> show route table inet.0
ct
inet.0: 17 destinations, 18 routes (17 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
du
10.210.11.176/28 *[Direct/0] 6d 00:53:33
> via ge-0/0/0.0
10.210.11.178/32 *[Local/0] 6d 00:53:35 ro
Local via ge-0/0/0.0
10.222.100.0/24 *[Direct/0] 1d 00:58:12
> via ge-0/0/3.100
ep
10.222.100.1/32 *[Local/0] 1d 00:58:12
Local via ge-0/0/3.100
10.222.101.0/24 *[OSPF/10] 00:03:05, metric 13
> via se-1/0/1.602
rR
Step 4.11
Test IP connectivity. Issue a ping from the lo0 interface of your router to the lo0 interface of
your peer router across the Internet.
n
Step 4.12
io
Issue a ping from your LAN interface’s IP address to one of the LAN sites of your peer router.
ct
lab@Tokyo> ping 192.168.36.1 source 192.168.24.1
PING 192.168.36.1 (192.168.36.1): 56 data bytes
64 bytes from 192.168.36.1: icmp_seq=0 ttl=65 time=3.614 ms
du
64 bytes from 192.168.36.1: icmp_seq=1 ttl=65 time=4.186 ms
64 bytes from 192.168.36.1: icmp_seq=2 ttl=65 time=3.440 ms
64 bytes from 192.168.36.1: icmp_seq=3 ttl=65 time=4.139 ms
^C ro
--- 192.168.36.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.440/3.845/4.186/0.324 ms
ep
lab@Tokyo> ping source 10.222.200.1 192.168.125.1
PING 192.168.125.1 (192.168.125.1): 56 data bytes
64 bytes from 192.168.125.1: icmp_seq=0 ttl=64 time=4.036 ms
rR
lab@Tokyo>
Part 5: Establish Hosts Within Each Site and Summarize the Advertisement of
ot
In this part of the lab you will configure local hosts within the XX-VR and XX-VR2 sites. You
will emulate the existence of these hosts by assigning additional addresses to the lo0.tyx
interface, where tyx is the lo0 logical interface belonging to either the XX-VR or XX-VR2
router. Next, you will ensure that only a /24 prefix for the hosts is advertised across the
Internet. Refer to the static routes and hosts table on the Lab 1 diagram for your group letter
(A, B, C, or D).
Step 5.1
From your router, use Telnet to access the XX-VR router of your city region. (Recall that XX are
the first two letters of your city name. For example, TO-VR is the router name attached to
Tokyo. The login name is your router name, router-VR, where router is in lower case
letters, and the password is lab123.)
lab@Tokyo> telnet 10.222.100.2
Trying 10.222.100.2...
Connected to 10.222.100.2.
Escape character is '^]'.
n
Sydney (ttyp0)
io
login: tokyo-VR
Password:
ct
--- JUNOS 9.0R1.10 built 2008-02-14 03:13:25 UTC
NOTE: This router is divided into many virtual routers used by different
du
teams. Please only configure your own virtual router.
tokyo-VR@Sydney>
ro
Step 5.2
ep
Define local hosts belonging to the predefined LAN the assigning host IP addresses to the lo0
interface of your router, as identified in the table on the Lab 1 diagram for your group letter (A,
B, C, or D).
rR
[edit]
Fo
Step 5.3
Commit the changes.
[edit interfaces lo0 unit 100]
tokyo-VR@Sydney# top
[edit]
n
tokyo-VR@Sydney# commit
commit complete
io
ct
[edit]
tokyo-VR@Sydney#
Step 5.4
du
Close the Telnet session with XX-VR router. Now use Telnet to access the XX-VR2 router of
your city region. (Recall that XX are the first two letters of your city name. For example,
TO-VR2 is the router name attached to Tokyo. The login name is your router name,
ro
router-VR2, where router is in lower case letters, and the password is lab123.)
[edit]
ep
tokyo-VR@Sydney# exit
Exiting configuration mode
tokyo-VR@Sydney> exit
rR
Connected to 10.222.200.2.
Escape character is '^]'.
Sydney (ttyp0)
ot
login: tokyo-VR2
Password:
N
NOTE: This router is divided into many virtual routers used by different
teams. Please only configure your own virtual router.
tokyo-VR2@Sydney>
Step 5.5
Define local hosts belonging to the predefined LAN by assigning host IP addresses to the lo0
interface of your router, as identified in the table on the Lab 1 diagram for your group letter (A,
B, C, or D).
tokyo-VR@Sydney> configure private
warning: uncommitted changes will be discarded on exit
Entering configuration mode
[edit]
tokyo-VR@Sydney# edit interfaces lo0 unit 200
n
[edit interfaces lo0 unit 200]
io
tokyo-VR2@Sydney# set family inet address 10.10.200.1
ct
tokyo-VR2@Sydney# set family inet address 10.10.200.2
du
tokyo-VR2@Sydney# set family inet address 10.10.200.3
Step 5.6
Fo
Commit the changes and log out from the XX-VR2 router.
[edit interfaces lo0 unit 200]
tokyo-VR2@Sydney# top
ot
[edit]
tokyo-VR2@Sydney# commit
commit complete
N
[edit]
tokyo-VR2@Sydney# exit
Exiting configuration mode
tokyo-VR2@Sydney> exit
lab@Tokyo>
Step 5.7
Check the routing tables in your router. Specifically, ensure that your router is receiving all the
host routes that you just defined.
lab@Tokyo> show route 10.10/16
n
10.10.100.2/32 *[OSPF/10] 17:22:31, metric 1
> to 10.222.100.2 via ge-0/0/3.100
io
10.10.100.3/32 *[OSPF/10] 17:22:31, metric 1
> to 10.222.100.2 via ge-0/0/3.100
10.10.101.1/32 *[OSPF/10] 17:22:37, metric 13
ct
> via se-1/0/1.602
10.10.101.2/32 *[OSPF/10] 17:22:37, metric 13
> via se-1/0/1.602
du
10.10.101.3/32 *[OSPF/10] 17:22:37, metric 13
> via se-1/0/1.602
10.10.200.1/32 *[OSPF/10] 17:22:26, metric 1
> to 10.222.200.2 via ge-0/0/3.200
ro
10.10.200.2/32 *[OSPF/10] 17:22:26, metric 1
> to 10.222.200.2 via ge-0/0/3.200
10.10.200.3/32 *[OSPF/10] 17:22:26, metric 1
ep
> to 10.222.200.2 via ge-0/0/3.200
10.10.201.1/32 *[OSPF/10] 17:22:37, metric 13
> via se-1/0/1.602
10.10.201.2/32 *[OSPF/10] 17:22:37, metric 13
rR
lab@Tokyo>
Fo
Step 5.8
Summarize host routes, ensuring that only /24 prefixes are advertised across the Internet for
each of the sites.
lab@Tokyo> edit
Entering configuration mode
n
[edit]
io
lab@Tokyo# edit protocols ospf
ct
lab@Tokyo# set area 1 area-range 10.10.100/24
du
lab@Tokyo# set area 11 area-range 10.10.200/24
}
area 0.0.0.11 {
area-range 10.10.200.0/24;
interface ge-0/0/3.200;
Fo
Step 5.9
ot
lab@Tokyo# commit
commit complete
[edit]
lab@Tokyo# exit
Exiting configuration mode
lab@Tokyo>
Step 5.10
Check the routing table of your router.
lab@Tokyo> show route 10.10/16
n
> to 10.222.100.2 via ge-0/0/3.100
10.10.100.2/32 *[OSPF/10] 17:26:25, metric 1
io
> to 10.222.100.2 via ge-0/0/3.100
10.10.100.3/32 *[OSPF/10] 17:26:25, metric 1
> to 10.222.100.2 via ge-0/0/3.100
ct
10.10.101.0/24 *[OSPF/10] 00:01:07, metric 13
> via se-1/0/1.602
10.10.200.0/24 *[OSPF/10] 00:00:25, metric 16777215
du
Discard
10.10.200.1/32 *[OSPF/10] 17:26:20, metric 1
> to 10.222.200.2 via ge-0/0/3.200
10.10.200.2/32 *[OSPF/10] 17:26:20, metric 1
ro
> to 10.222.200.2 via ge-0/0/3.200
10.10.200.3/32 *[OSPF/10] 17:26:20, metric 1
> to 10.222.200.2 via ge-0/0/3.200
ep
10.10.201.0/24 *[OSPF/10] 00:01:07, metric 13
> via se-1/0/1.602
lab@Tokyo>
rR
Step 5.11
Check connectivity by logging in to the XX-VR or XX-VR2 router and initiating a ping from one
of the local host IP addresses, which was configured during this lab, to another local host IP
address of the peer site across the Internet. If there is a problem, troubleshoot the problem
with the help of traceroute and various show commands.
lab@Tokyo> telnet 10.222.100.2
Trying 10.222.100.2...
Connected to 10.222.100.2.
Escape character is '^]'.
Sydney (ttyp0)
login: tokyo-VR
Password:
NOTE: This router is divided into many virtual routers used by different
teams. Please only configure your own virtual router.
n
tokyo-VR@Sydney> ping routing-instance TO-VR source 10.10.100.1 10.10.201.3
io
PING 10.10.201.3 (10.10.201.3): 56 data bytes
64 bytes from 10.10.201.3: icmp_seq=0 ttl=62 time=6.717 ms
ct
64 bytes from 10.10.201.3: icmp_seq=1 ttl=62 time=5.440 ms
64 bytes from 10.10.201.3: icmp_seq=2 ttl=62 time=7.935 ms
64 bytes from 10.10.201.3: icmp_seq=3 ttl=62 time=5.141 ms
du
^C
--- 10.10.201.3 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 5.141/6.308/7.935/1.110 ms
ro
tokyo-VR@Sydney> traceroute routing-instance TO-VR source 10.10.100.1
10.10.201.3
ep
traceroute to 10.10.201.3 (10.10.201.3) from 10.10.100.1, 30 hops max, 40 byte
packets
1 10.222.100.1 (10.222.100.1) 1.643 ms 1.306 ms 1.863 ms
2 172.18.36.2 (172.18.36.2) 4.709 ms 3.592 ms 3.971 ms
rR
tokyo-VR@Sydney>
Fo
Overview
n
io
In this lab you will establish security zones and security policies as identified in the network
diagram for Lab 2. Within the security policies you will enable specific services and necessary
ct
protocols to maintain IP connectivity established in Lab 1. You will test and monitor the
functionality of your configuration using the JUNOS command-line interface (CLI).
The lab is available in two formats: a high-level format that is designed to make you think
du
through each step and a detailed format that offers step-by-step instructions complete with
sample output from most commands.
By completing this lab, you will perform the following tasks:
ro
• Configure security zones for your network.
• Implement security policies to enable communications between the security
ep
zones.
• Monitor security zone operation.
Similar to the previous lab, this lab requires the use of the Sydney router, which is logically
rR
segmented into several virtual routers. Each student router connects to two virtual routers in
the form of XX-VR and XX-VR2, where XX is a two-letter abbreviation for the directly
connected student router. Sydney also acts as the service provider, which provides Frame
Relay services between sites.
Fo
ot
N
Key Commands
n
traceroute
io
Part 1: Interface Assignment to Security Zones
ct
In this part each team will assign the router’s interfaces to the appropriate security zones, as
identified in the Lab 2 network diagram for your group letter (A, B, C, or D).
du
Step 1.1
Log in to the router with the username lab and the password lab123. Note that the
username and the password are case sensitive.
ro
Tokyo (ttyd0)
login: lab
Password:
ep
Step 1.2
Delete the security zone called trust and the security policies. Note that the trust zone
was preconfigured in the initial setup. Now that you have established Layer 3 connectivity, you
Fo
must eliminate the trust zone and establish other security zones, as defined in this lab.
lab@Tokyo> edit
Entering configuration mode
[edit]
ot
interfaces {
all {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
}
policies {
from-zone trust to-zone trust {
policy trust {
match {
source-address any;
destination-address any;
application any;
}
n
then {
permit;
io
}
}
ct
}
}
du
[edit]
lab@Tokyo# delete security
[edit] ro
lab@Tokyo# show security
[edit]
ep
lab@Tokyo#
Step 1.3
Configure the functional management zone and assign the interface ge-0/0/0.0 to it.
rR
Ensure that all system services and protocols are allowed for the ge-0/0/0.0 interface.
[edit]
lab@Tokyo# edit security zones functional-zone management
Fo
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
Step 1.4
Assign interfaces to the security zones, as identified in the Lab 2 network diagram for your
group letter (A, B, C, or D). In total, there are the following five security zones:
• Public zone: Across the Internet between the two peer routers;
• Retail and Admin zones: Local to the left peer router; and
n
• HR and Finance zones: Local to the right peer router.
io
Note
ct
Zones names are case sensitive.
Use the following table to ensure correct assignment of interfaces and zones on your router.
du
Zone Assignment
ro
Group Router name Interface Security Zone
ge-0/0/3.200 Admin
ge-0/0/3.101 HR
ge-0/0/3.201 Finance
ge-0/0/3.105 Retail
ge-0/0/3.205 Admin
N
Zone Assignment
Group Router name Interface Security Zone
n
se-1/0/0.608 Public
ge-0/0/3.103 HR
io
ge-0/0/3.203 Finance
ct
Montreal lo0 Public
se-1/0/1.605 Public
du
ge-0/0/3.107 Retail
ge-0/0/3.207 Admin
Admsterdam ro lo0 Public
se-1/0/0.604 Public
ge-0/0/3.104 HR
ep
ge-0/0/3.204 Finance
[edit]
rR
all;
}
}
}
}
}
security-zone Public {
interfaces {
lo0.0;
se-1/0/1.602;
}
}
n
security-zone Retail {
interfaces {
io
ge-0/0/3.100;
}
ct
}
security-zone Admin {
interfaces {
du
ge-0/0/3.200;
}
}
lab@Tokyo# commit
commit complete
[edit]
lab@Tokyo# exit
Exiting configuration mode
lab@Tokyo>
ot
Step 1.6
Check IP connectivity on your router. You can test the connectivity by pinging the lo0 interface
N
lab@Tokyo>
Step 1.7
Check the OSPF neighbors from your router’s perspective.
n
lab@Tokyo> show ospf neighbor
io
lab@Tokyo> show ospf interface
Interface State Area DR ID BDR ID Nbrs
lo0.0 DR 0.0.0.0 192.168.24.1 0.0.0.0 0
ct
se-1/0/1.602 PtToPt 0.0.0.0 0.0.0.0 0.0.0.0 0
ge-0/0/3.100 DR 0.0.0.1 192.168.24.1 0.0.0.0 0
du
ge-0/0/3.200 DR 0.0.0.11 192.168.24.1 0.0.0.0 0
lab@Tokyo>
ro
Question: Does your router see the OSPF neighbors?
Why?
ep
Step 1.8
Fo
Permit the OSPF routing protocol into all security zones of your router.
lab@Tokyo> edit
Entering configuration mode
ot
[edit]
lab@Tokyo# edit security zones
N
lab@Tokyo# show
functional-zone management {
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
n
}
}
io
}
security-zone Public {
ct
host-inbound-traffic {
protocols {
ospf;
du
}
}
interfaces {
lo0.0; ro
se-1/0/1.602;
}
}
ep
security-zone Retail {
host-inbound-traffic {
protocols {
ospf;
rR
}
}
interfaces {
ge-0/0/3.100;
}
Fo
}
security-zone Admin {
host-inbound-traffic {
protocols {
ospf;
ot
}
}
interfaces {
N
ge-0/0/3.200;
}
}
Step 1.9
Commit the configuration. Then check the status of OSPF on your router.
n
[edit security zones]
lab@Tokyo# run show ospf neighbor
io
Address Interface State ID Pri Dead
172.18.36.2 se-1/0/1.602 Full 192.168.36.1 128 34
ct
10.222.100.2 ge-0/0/3.100 Full 10.10.100.1 128 37
10.222.200.2 ge-0/0/3.200 Full 10.10.200.1 128 36
du
[edit security zones]
lab@Tokyo#
Step 1.10
Check the status of the 10.10/16 networks in the routing table of your router.
Fo
n
are in the routing table? Is this correct?
io
ct
du
Answer: There are ten prefixes belonging to the
10.10/10 address space, which is the correct number
of routes.
Step 2.1
Using the table of hosts defined on the network diagram for Lab 2, configure the address book
for Retail, Admin, HR, and Finance security zones. Use the following naming convention
for the address sets: XX-VRhosts and XX-VR2hosts, where XX is the two-letter
Fo
abbreviation for your city name. For example, the address set names for Tokyo are
TO-VRhosts and TO-VR2hosts.
Note
ot
The following example illustrates the configuration for the Tokyo router, which includes the
address book configurations for the Retail and Admin security zones.
[edit security zones]
lab@Tokyo# edit security-zone Retail
n
[edit security zones security-zone Retail]
lab@Tokyo# show address-book
io
address TO-VRhost1 10.10.100.1/32;
address TO-VRhost2 10.10.100.2/32;
ct
address TO-VRhost3 10.10.100.3/32;
address-set TO-VRhosts {
address TO-VRhost1;
du
address TO-VRhost2;
address TO-VRhost3;
}
ro
[edit security zones security-zone Retail]
lab@Tokyo# lab@Tokyo# up
ep
[edit security zones]
lab@Tokyo# edit security-zone Admin
address TO-VR2host2;
address TO-VR2host3;
}
Step 2.2
Configure the address book for the Public zone. Ensure that it contains four address sets,
including the Retail, Admin, HR, and Finance zones.
[edit security zones security-zone Admin]
n
lab@Tokyo# up
io
[edit security zones]
lab@Tokyo# edit security-zone Public
ct
[edit security zones security-zone Public]
lab@Tokyo#set address-book address TO-VRhost1 10.10.100.1
du
[edit security zones security-zone Public]
lab@Tokyo# set address-book address TO-VRhost2 10.10.100.2
n
lab@Tokyo# set address-book address-set LO-VRhosts address LO-VRhost2
io
[edit security zones security-zone Public]
lab@Tokyo# set address-book address-set LO-VRhosts address LO-VRhost3
ct
[edit security zones security-zone Public]
lab@Tokyo# set address-book address LO-VR2host1 10.10.201.1
du
[edit security zones security-zone Public]
lab@Tokyo# set address-book address LO-VR2host2 10.10.201.2
ro
[edit security zones security-zone Public]
lab@Tokyo# set address-book address LO-VR2host3 10.10.201.3
ep
[edit security zones security-zone Public]
lab@Tokyo# set address-book address-set LO-VR2hosts address LO-VR2host1
address-set TO-VR2hosts {
address TO-VR2host1;
address TO-VR2host2;
address TO-VR2host3;
}
address-set LO-VRhosts {
address LO-VRhost1;
address LO-VRhost2;
address LO-VRhost3;
}
address-set LO-VR2hosts {
address LO-VR2host1;
n
address LO-VR2host2;
address LO-VR2host3;
io
}
ct
[edit security zones security-zone Public]
lab@Tokyo#
Step 2.3
du
Commit the changes.
[edit security zones security-zone Public]
lab@Tokyo# commit and-quit
commit complete
ro
Exiting configuration mode
ep
lab@Tokyo>
In this part of the lab you will establish and configure security policies that enable the
necessary traffic flow between the security zones.
Fo
Step 3.1
Issue a ping from your router to one of the hosts connected to your router via the LAN.
lab@Tokyo> ping 10.10.100.1
PING 10.10.100.1 (10.10.100.1): 56 data bytes
ot
^C
--- 10.10.100.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.289/2.929/4.118/0.842 ms
lab@Tokyo>
n
Step 3.2
io
Now, issue another ping across the Internet. For example, if you are in Group A, issue a ping
from the Tokyo router to one of the host addresses behind the London router—for instance,
10.10.101.1.
ct
lab@Tokyo> ping 10.10.101.1
PING 10.10.101.1 (10.10.101.1): 56 data bytes
du
^C
--- 10.10.101.1 ping statistics ---
8 packets transmitted, 0 packets received, 100% packet loss
ro
lab@Tokyo>
ep
Question: Is the ping successful? Why or why not?
rR
Step 3.3
Configure an application set called my-apps. You will specify the applications that will be
ot
permitted by the security policies, which you will define later in this lab. The applications
include junos-http, junos-telnet, junos-ftp, and junos-ping.
lab@Tokyo> edit
N
[edit]
lab@Tokyo# edit applications
[edit applications]
lab@Tokyo# set application-set my-apps application junos-http
[edit applications]
lab@Tokyo# set application-set my-apps application junos-telnet
[edit applications]
lab@Tokyo# set application-set my-apps application junos-ftp
[edit applications]
lab@Tokyo# set application-set my-apps application junos-ping
[edit applications]
lab@Tokyo# show
application-set my-apps {
application junos-http;
application junos-telnet;
application junos-ftp;
n
application junos-ping;
}
io
[edit applications]
ct
lab@Tokyo#
Step 3.4
du
Configure security policies that permit the my-apps applications between the Retail and
Admin security zones of your router. Ensure the ability of traffic to originate in both security
zones. Name the policies RetailToAdmin and AdminToRetail.
[edit applications]
lab@Tokyo# top
ro
ep
[edit]
lab@Tokyo# edit security policies
}
}
n
[edit security policies from-zone Admin to-zone Retail]
lab@Tokyo# set policy AdminToRetail match destination-address TO-VRhosts
io
[edit security policies from-zone Admin to-zone Retail]
ct
lab@Tokyo# set policy AdminToRetail match application my-apps
du
lab@Tokyo# set policy AdminToRetail then permit
permit;
}
}
lab@Tokyo#
Step 3.5
Configure security policies that permit the my-apps applications between the Retail and
Finance security zones of your router. Because the Retail and Finance zones are
separated by the Internet, you must reference the Public zone as either the source or the
destination zone when configuring the security policies. Name the policies
RetailToFinance and FinanceToRetail.
n
lab@Tokyo# set policy RetailtoFinance match destination-address LO-VR2hosts
io
[edit security policies from-zone Retail to-zone Public]
lab@Tokyo# set policy RetailToFinance match application my-apps
ct
[edit security policies from-zone Retail to-zone Public]
lab@Tokyo# set policy RetailToFinance then permit
du
[edit security policies from-zone Retail to-zone Public]
lab@Tokyo# show
policy RetailToFinance {
match {
source-address TO-VRhosts;
destination-address LO-VR2hosts;
ro
application my-apps;
ep
}
then {
permit;
}
rR
match {
source-address LO-VR2hosts;
destination-address TO-VRhosts;
application my-apps;
}
then {
permit;
}
}
n
Here it the sample configuration for the London router:
io
[edit]
lab@London# edit security policies
ct
[edit security policies]
lab@London# edit from-zone Finance to-zone Public
du
[edit security policies from-zone Finance to-zone Public]
lab@London# set policy FinanceToRetail match source-address LO-VR2hosts
ro
[edit security policies from-zone Finance to-zone Public]
lab@London# set policy FinanceToRetail match destination-address TO-VRhosts
ep
[edit security policies from-zone Finance to-zone Public]
lab@London# set policy FinanceToRetail match application my-apps
match {
source-address LO-VR2hosts;
destination-address TO-VRhosts;
application my-apps;
}
ot
then {
permit;
}
N
n
match {
source-address TO-VRhosts;
io
destination-address LO-VR2hosts;
application my-apps;
ct
}
then {
permit;
du
}
}
Step 3.6
ep
Configure security policies that permit the my-apps applications between the Admin and HR
security zones of your router. Because the Admin and HR zones are separated by the Internet,
you must reference the Public zone as either the source or destination zone when
configuring the security policies. Name the policies AdminToHR and HRtoAdmin.
rR
match {
source-address TO-VR2hosts;
destination-address LO-VRhosts;
application my-apps;
}
then {
permit;
}
}
n
[edit security policies]
io
lab@Tokyo# edit from-zone Public to-zone Admin
ct
[edit security policies from-zone Public to-zone Admin]
lab@Tokyo# set policy HRtoAdmin match source-address LO-VRhosts
du
[edit security policies from-zone Public to-zone Admin]
lab@Tokyo# set policy HRtoAdmin match destination-address TO-VR2hosts
policy HRtoAdmin {
match {
source-address LO-VRhosts;
destination-address TO-VR2hosts;
application my-apps;
Fo
}
then {
permit;
}
}
ot
n
match {
source-address TO-VR2hosts;
io
destination-address LO-VRhosts;
application my-apps;
ct
}
then {
permit;
du
}
}
match {
source-address LO-VRhosts;
destination-address TO-VR2hosts;
application my-apps;
}
then {
permit;
}
}
Step 3.7
Commit the changes.
[edit security policies from-zone Public to-zone Admin]
lab@Tokyo# commit and-quit
commit complete
Exiting configuration mode
lab@Tokyo>
n
io
Part 4: Testing and Monitoring the Functionality of Security Zones
ct
In this part of the lab you will test and monitor the functionality of the security zones.
Step 4.1
du
Configure traceoptions within the security flow stanza, flagging basic-datapath
and session. Use the file name lab2debug.
lab@Tokyo> edit ro
Entering configuration mode
[edit]
ep
lab@Tokyo# edit security flow
flag basic-datapath;
flag session;
}
N
Step 4.2
Commit the changes.
lab@Tokyo>
Step 4.3
Note
This step should be performed by only one of the
members of the group because the other member
n
of the group will be observing the results of flow
debugging.
io
From your router use Telnet to access the XX-VR router of your city region. (Recall that XX are
the first two letters of your city name. For example, TO-VR is the router name attached to
ct
Tokyo. The login name is your router name, router-VR, where router is in lower case
letters, and the password is lab123.)
du
lab@Tokyo> telnet 10.222.100.2
Trying 10.222.100.2...
Connected to 10.222.100.2.
Escape character is '^]'. ro
Sydney (ttyp0)
ep
login: tokyo-VR
Password:
NOTE: This router is divided into many virtual routers used by different
teams. Please only configure your own virtual router.
Fo
tokyo-VR@Sydney>
Step 4.4
ot
From the XX-VR router issue a ping from one of the hosts located in the Retail zone to
another host located in the Finance zone.
tokyo-VR@Sydney> ping source 10.10.100.1 10.10.201.3 routing-instance TO-VR
N
tokyo-VR@Sydney>
n
to the Finance zones through the Public zone.
io
Step 4.5
Now issue a ping from one of the hosts located in the Admin zone to another host located in
ct
the Finance zone.
tokyo-VR@Sydney> ping source 10.10.200.3 10.10.201.1 routing-instance TO-VR2
du
PING 10.10.201.1 (10.10.201.1): 56 data bytes
^C
--- 10.10.201.1 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
ro
tokyo-VR@Sydney>
ep
Question: Is ping successful? Why or why not?
rR
Step 4.6
Using the management interface ge-0/0/0.0, use Telnet to access the router that is
performing the tests identified in Steps 4.4 and 4.5.
lab@London> telnet 10.210.11.178
ot
Trying 10.210.11.178...
Connected to 10.210.11.178.
Escape character is '^]'.
N
Tokyo (ttyp0)
login: lab
Password:
Step 4.7
Examine the sessions in progress.
lab@Tokyo> show security flow session
Session ID: 7, Policy name: self-traffic-policy/1, Timeout: 58
In: 10.222.100.2/1 --> 224.0.0.5/1;ospf, If: ge-0/0/3.100
Out: 224.0.0.5/1 --> 10.222.100.2/1;ospf, If: .local..0
n
Session ID: 11, Policy name: self-traffic-policy/1, Timeout: 52
io
In: 172.18.36.2/1 --> 224.0.0.5/1;ospf, If: se-1/0/1.602
Out: 224.0.0.5/1 --> 172.18.36.2/1;ospf, If: .local..0
ct
Session ID: 29, Policy name: self-traffic-policy/1, Timeout: 1570
In: 10.222.100.1/58230 --> 10.222.100.2/23;tcp, If: .local..0
Out: 10.222.100.2/23 --> 10.222.100.1/58230;tcp, If: ge-0/0/3.100
du
Session ID: 32, Policy name: self-traffic-policy/1, Timeout: 1800
In: 10.210.11.179/62114 --> 10.210.11.178/23;tcp, If: ge-0/0/0.0
Out: 10.210.11.178/23 --> 10.210.11.179/62114;tcp, If: .local..0
ro
5 sessions displayed
ep
lab@Tokyo>
n
io
lab@Tokyo> show security flow session summary
Session summary:
Unicast-sessions: 5
ct
Multicast-sessions: 0
Failed-sessions: 0
Sessions-in-use: 5
du
Maximum-sessions: 262144
lab@Tokyo>
Step 4.8
ro
From the XX-VR router, open a Telnet session from one of the hosts in the Retail zone to a
host within a Finance zone through the Public zone.
ep
tokyo-VR@Sydney> telnet 10.10.201.2 source 10.10.100.3 routing-instance TO-VR
Trying 10.10.201.2...
Connected to 10.10.201.2.
rR
Sydney (ttyp1)
login: london-VR
Fo
Password:
NOTE: This router is divided into many virtual routers used by different
ot
london-VR@Sydney>
On your router, turn on monitoring of the lab2debug file to observe the results of session
forming debugging.
lab@Tokyo> monitor start lab2debug
lab@Tokyo>
*** lab2debug ***
Feb 25 02:42:49 02:42:49.803547:CID-0:RT:<10.210.11.179/62114->10.210.11.178/
23;6> : <management/ge-0/0/0.0>
n
Feb 25 02:42:49 02:42:49.803611:CID-0:RT:mbuf 0x4a0b1f40, exit nh 0xfffb0006
io
Feb 25 02:42:49 02:42:49.804583:CID-0:RT:Using in_ifp from pfe_tag with index
0
ct
Feb 25 02:42:49 02:42:49.804591:CID-0:RT:Using vr id from pfe_tag with value= 0
du
Feb 25 02:42:49 02:42:49.804596:CID-0:RT:Changing lpak->in_ifp from:.local..0
-> to:.local..0
n
205865(0x3ffff), sa 10.210.11.179, da 10.210.11.178, sp 62114, dp 23, proto 6,
tok 16
io
Feb 25 02:42:49 02:42:49.945269:CID-0:RT: flow fast tcp/udp session id 32
ct
Feb 25 02:42:49 02:42:49.945278:CID-0:RT: post addr xlation:
10.210.11.179->10.210.11.178.
du
Feb 25 02:42:49 02:42:49.945286:CID-0:RT:mbuf 0x49f5ea00, exit nh 0xfffb0006
tok 4
n
Feb 25 02:42:50 02:42:49.1053182:CID-0:RT:Using in_ifp from pfe_tag with index
0
io
Feb 25 02:42:50 02:42:49.1053191:CID-0:RT:Using vr id from pfe_tag with value=
ct
0
du
-> to:.local..0
n
Feb 25 02:42:50 02:42:49.1303578:CID-0:RT: find flow: table 0x4b5f7104, hash
17001(0x3ffff), sa 10.222.200.2, da 224.0.0.5, sp 1, dp 1, proto 89, tok 20
io
Feb 25 02:42:50 02:42:49.1303595:CID-0:RT: flow session id 9
ct
Feb 25 02:42:50 02:42:49.1303600:CID-0:RT: refreshing session
du
Feb 25 02:42:50 02:42:49.1303607:CID-0:RT: post addr xlation:
10.222.200.2->224.0.0.5.
-> to:.local..0
62114;6> : <junos-self/.local..0>
n
Feb 25 02:42:51 02:42:50.1054204:CID-0:RT: post addr xlation:
10.210.11.179->10.210.11.178.
io
Feb 25 02:42:51 02:42:50.1054213:CID-0:RT:mbuf 0x4a0466c0, exit nh 0xfffb0006
ct
Feb 25 02:42:51 02:42:50.1055176:CID-0:RT:Using in_ifp from pfe_tag with index
0
du
Feb 25 02:42:51 02:42:50.1055184:CID-0:RT:Using vr id from pfe_tag with value=
0
ro
Feb 25 02:42:51 02:42:50.1055190:CID-0:RT:Changing lpak->in_ifp from:.local..0
-> to:.local..0
ep
Feb 25 02:42:51 02:42:50.1055196:CID-0:RT:Over-riding lpak->vsys with 0
n
Feb 25 02:42:51 02:42:51.951866:CID-0:RT:Changing lpak->in_ifp from:.local..0
io
-> to:.local..0
ct
Feb 25 02:42:51 02:42:51.951872:CID-0:RT:Over-riding lpak->vsys with 0
du
62114;6> : <junos-self/.local..0>
tok 16
n
Feb 25 02:42:53 02:42:51.1055964:CID-0:RT:packet [73] ipid = 55884, @48aaa292
******
io
Feb 25 02:42:53 02:42:51.1055974:CID-0:RT: find flow: table 0x4b5f7104, hash
ct
126567(0x3ffff), sa 10.210.11.178, da 10.210.11.179, sp 23, dp 62114, proto 6,
tok 4
du
Feb 25 02:42:53 02:42:51.1055991:CID-0:RT: flow fast tcp/udp session id 32
******
n
Feb 25 02:42:53 02:42:52.1347005:CID-0:RT: refreshing session
io
Feb 25 02:42:53 02:42:52.1347013:CID-0:RT: post addr xlation:
10.210.11.178->10.210.11.179.
ct
Feb 25 02:42:53 02:42:52.1347022:CID-0:RT:mbuf 0x48eca640, exit nh 0x90010
du
Feb 25 02:42:53 02:42:52.1448947:CID-0:RT:<10.210.11.179/62114->10.210.11.178/
23;6> : <management/ge-0/0/0.0>
-> to:.local..0
n
: <Retail/ge-0/0/3.100>
io
Feb 25 02:42:53 02:42:52.1515971:CID-0:RT:packet [68] ipid = 54028, @4a060cf2
******
ct
Feb 25 02:42:53 02:42:52.1515982:CID-0:RT: ge-0/0/
3.100:10.222.100.2->224.0.0.5, 89
du
Feb 25 02:42:53 02:42:52.1515990:CID-0:RT: find flow: table 0x4b5f7104, hash
143045(0x3ffff), sa 10.222.100.2, da 224.0.0.5, sp 1, dp 1, proto 89, tok 18
tok 16
n
Feb 25 02:42:54 02:42:53.1347474:CID-0:RT: find flow: table 0x4b5f7104, hash
126567(0x3ffff), sa 10.210.11.178, da 10.210.11.179, sp 23, dp 62114, proto 6,
io
tomonitor stop
ct
lab@Tokyo>
Step 4.9
du
Close all the Telnet sessions and return to your router.
london-VR@Sydney> exit
lab@Tokyo>
rR
lab@London>
STOP
N
n
io
ct
du
ro
ep
rR
Fo
ot
N
Overview
n
io
Now that you have established full connectivity and defined all the security zones, ensure that
private addresses do not enter the Internet by using destination and source Network Address
ct
Translation (NAT) and Port Address Translation (PAT).
You will deploy policy-based destination NAT using IP address translation to a range of IP
addresses. You will also accomplish the source address NAT using a source pool with PAT. The
du
Lab 3 network diagram provides the public address space for each group. Upon establishing
NAT, you will monitor the functionality of your configuration.
This lab is available in two formats: a high-level format that is designed to make you think
ro
through each step and a detailed format that offers step-by-step instructions complete with
sample output from most commands.
By completing this lab, you will perform the following tasks:
ep
• Configure policy-based destination NAT.
• Configure source NAT using a source pool with PAT.
rR
the form of XX-VR and XX-VR2, where XX is a two-letter abbreviation for the directly
connected student router. Sydney also acts as the service provider, which provides Frame
Relay services between the sites.
ot
N
Key Commands
n
traceroute
io
Part 1: Adding Public Addresses to Address Books of Necessary Security Zones
ct
In this part of the lab you will add public addresses corresponding to hosts in the Retail,
Admin, HR, and Finance security zones. Refer to the network diagram for Lab 3 for your
group letter (A, B, C, or D).
du
The public address space is identified in the following table.
ro
Public Address Assignment
Security Zone Name Name of the Address Public Address Space
ep
Retail PublicAddressRetail 200.10.10/24
HR PublicAddressHR 136.10.10/24
Step 1.1
Fo
Log in to the router with the username lab and the password lab123.
Note
ot
Tokyo (ttyd0)
login: lab
Password:
Step 1.2
Add public addresses, identified in the Public Address Assignment table, to the Public zone
address book. Use the names for public addresses as identified in the table.
lab@Tokyo> edit
Entering configuration mode
[edit]
lab@Tokyo# edit security zones security-zone Public
n
[edit security zones security-zone Public]
lab@Tokyo# set address-book address PublicAddressHR 136.10.10/24
io
[edit security zones security-zone Public]
ct
lab@Tokyo# set address-book address PublicAddressFinance 136.10.11/24
[edit security zones security-zone Public]
lab@Tokyo# show address-book
du
address TO-VRhost1 10.10.100.1/32;
address TO-VRhost2 10.10.100.2/32;
address TO-VRhost3 10.10.100.3/32;
address TO-VR2host1 10.10.200.1/32;
ro
address TO-VR2host3 10.10.200.3/32;
address TO-VR2host2 10.10.200.2/32;
address LO-VRhost1 10.10.101.1/32;
ep
address LO-VRhost2 10.10.101.2/32;
address LO-VRhost3 10.10.101.3/32;
address LO-VR2host1 10.10.201.1/32;
address LO-VR2host2 10.10.201.2/32;
rR
address-set TO-VRhosts {
address TO-VRhost1;
address TO-VRhost2;
address TO-VRhost3;
}
ot
address-set TO-VR2hosts {
address TO-VR2host1;
address TO-VR2host2;
N
address TO-VR2host3;
}
address-set LO-VRhosts {
address LO-VRhost1;
address LO-VRhost2;
address LO-VRhost3;
}
address-set LO-VR2hosts {
address LO-VR2host1;
address LO-VR2host2;
address LO-VR2host3;
Step 1.3
Add the defined public addresses to the address books of other security zones of your router.
Again, use the variable name for the addresses as identified in the table Public Address
Assignment table.
Note
n
Add only the addresses that are necessary for a
io
corresponding security zone.
ct
should add to address books of your local security
zones?
du
Retail security zone:
200.10.11/24
address TO-VRhost3;
}
n
address TO-VR2host3;
}
io
[edit security zones]
ct
lab@Tokyo#
The following configuration is for the London router:
du
[edit security zones security-zone Public]
lab@London# up
Step 1.4
Commit the changes.
[edit security zones]
lab@Tokyo# commit
commit complete
n
io
Part 2: Define Source and Destination NAT
ct
In this part of the lab you will configure source and destination NAT. Recall that you are to
deploy policy-based destination NAT using IP address translation to a range of IP addresses
and source NAT using a source pool with PAT.
du
You must work with your partner to ensure that proper addresses are applied to source and
destination NAT. Let’s take Tokyo and London as an example. For traffic originating from the
Retail to Finance security zones (through the Public zone), you will require source NAT
ro
to take place on the Tokyo router and destination NAT to take place on the London router.
Likewise, for traffic originating from the Finance to Retail security zones (through Public
zone), you will require source NAT to take place on the London router and destination NAT to
take place on the Tokyo router.
ep
The following table provides a summary of the NAT types to be deployed in every router of the
network.
rR
Montreal Amsterdam D
Retail through A
N
n
Public
Hong Kong San Jose B
io
Sao Paulo Denver C
Amsterdam Montreal D
ct
Step 2.1
du
Using the Deployment of NAT Types table, configure the appropriate source NAT on your router.
Use the first host of the corresponding public address space to assign to the source pool. For
example, you will use the source pool address 200.10.10.1 (which is the first host of the
200.10.10/24 address space) when configuring the Tokyo source pool to be used for source
ro
NAT from the Retail zone.
Use the following convention for source pool naming: ZoneNameSourcePool. For example,
Tokyo’s source pool for traffic originating from the Retail zone should be named
ep
RetailSourcePool.
[edit security zones]
lab@Tokyo# up
rR
[edit security]
lab@Tokyo# edit nat
200.10.11.1;
}
}
}
n
[edit security nat interface se-1/0/0.603]
lab@London# show
io
source-nat {
pool FinanceSourcePool {
ct
address {
136.10.11.1;
}
du
}
pool HRsourcePool {
address {
136.10.10.1; ro
}
}
}
ep
[edit security nat interface se-1/0/0.603]
lab@London#
Step 2.2
rR
Using the Deployment of NAT Types table, configure the appropriate destination NAT on your
router. The destination address range should be from the lowest to the highest private host
address in the corresponding zone. For example, destination NAT for the Retail zone applied
on Tokyo should range from 10.10.100.1 to 10.10.100.3. Name the destination NAT
Fo
ZoneNameDestNat. For example, the destination NAT’s name on Tokyo for the Retail
zone is RetailDestNAT.
[edit security nat interface se-1/0/1.602]
lab@Tokyo# up
ot
high 10.10.100.3
n
lab@London# show destination-nat FinanceDestNAT
address-range low 10.10.201.1 high 10.10.201.3;
io
[edit security nat]
ct
lab@London#
du
In this part of the lab you will adjust source and destination addresses in the security policies
of your router. Furthermore, you will refer to source NAT, destination NAT, or both from within
ro
the action statements of the corresponding security policies.
Step 3.1
ep
Using the Deployment of NAT Types table, fill in the following table for your group and router.
The answers for all groups are found in the NAT Deployment table. You defined in Lab 2 the
source and destination address sets, and the named XX-VRhosts or XX-VR2hosts. Those
address sets contain private addresses (remember that XX is the corresponding city
N
abbreviation).
NAT Deployment
City from-zone to-zone Source Destination Source NAT Destination NAT
Address Address
Tokyo, Retail Public XX-VRhosts PublicAddress RetailSourceP n/a
Finance ool
San Jose,
Denver,
Montreal
n
Public Retail PublicAddr PublicAddress n/a RetailDestNAT
io
essFinance Retail
ct
HR ol
du
Public Admin PublicAddr PublicAddress n/a AdminDestNAT
essHR Admin
Amsterdam
ep
HR Public XX-VRhosts PublicAddress HRSourcePool n/a
Admin
essRetail Finance
Retail Pool
Step 3.2
ot
lab@Tokyo# up
[edit security]
lab@Tokyo# edit policies
application my-apps;
}
then {
permit;
}
}
n
destination-address TO-VRhosts;
application my-apps;
io
}
then {
ct
permit;
}
}
du
[edit security policies]
lab@Tokyo# show from-zone Admin to-zone Public
policy AdminToHR { ro
match {
source-address TO-VR2hosts;
destination-address LO-VRhosts;
ep
application my-apps;
}
then {
permit;
rR
}
}
policy HRtoAdmin {
match {
source-address LO-VRhosts;
destination-address TO-VR2hosts;
application my-apps;
ot
}
then {
permit;
N
}
}
Step 3.3
Using the table that you filled out in Step 3.1, adjust the security policies configurations,
reflecting all the necessary changes in the source and destination addresses. Also, make
appropriate changes to the permit statements of security policies, ensuring that the
corresponding source NAT, destination NAT, or both take place as a result of policy execution.
[edit security policies]
lab@Tokyo# edit from-zone Retail to-zone Public
n
[edit security policies from-zone Retail to-zone Public]
io
lab@Tokyo# set policy RetailToFinance match destination-address
PublicAddressFinance
ct
[edit security policies from-zone Retail to-zone Public]
lab@Tokyo# set policy RetailToFinance then permit source-nat pool
RetailSourcePool
du
[edit security policies from-zone Retail to-zone Public]
lab@Tokyo# show
policy RetailToFinance { ro
match {
source-address TO-VRhosts;
destination-address PublicAddressFinance;
ep
application my-apps;
}
then {
permit {
rR
source-nat {
pool RetailSourcePool;
}
}
}
Fo
n
source-address PublicAddressFinance;
destination-address PublicAddressRetail;
io
application my-apps;
}
ct
then {
permit {
destination-nat {
du
RetailDestNAT;
}
}
} ro
}
match {
source-address TO-VR2hosts;
destination-address PublicAddressHR;
application my-apps;
}
then {
permit {
source-nat {
pool AdminSourcePool;
}
}
}
}
n
[edit security policies from-zone Public to-zone Admin]
lab@Tokyo# delete policy HRtoAdmin match destination-address
io
[edit security policies from-zone Public to-zone Admin]
ct
lab@Tokyo# set policy HRtoAdmin match source-address PublicAddressHR
du
lab@Tokyo# set policy HRtoAdmin match destination-address PublicAddressAdmin
application my-apps;
}
then {
permit {
destination-nat {
Fo
AdminDestNAT;
}
}
}
}
ot
The following is the resulting configuration from the Tokyo’s peer, London:
[edit security policies]
lab@London# show
from-zone Public to-zone HR {
policy AdminToHR {
match {
source-address PublicAddressAdmin;
destination-address PublicAddressHR;
application my-apps;
}
then {
permit {
destination-nat {
HRdestNAT;
}
}
}
}
}
from-zone Public to-zone Finance {
policy RetailtoFinance {
match {
n
source-address PublicAddressRetail;
destination-address PublicAddressFinance;
io
application any;
}
ct
then {
permit {
destination-nat {
du
FinanceDestNAT;
}
}
} ro
}
}
from-zone Finance to-zone Public {
ep
policy FinanceToRetail {
match {
source-address LO-VR2hosts;
destination-address PublicAddressRetail;
rR
application my-apps;
}
then {
permit {
source-nat {
Fo
pool FinanceSourcePool;
}
}
}
}
ot
}
from-zone HR to-zone Public {
policy HRtoPublic {
N
match {
source-address LO-VRhosts;
destination-address PublicAddressAdmin;
application my-apps;
}
then {
permit {
source-nat {
pool HRsourcePool;
}
}
}
}
}
Step 3.4
Commit the configuration file.
[edit security policies from-zone Public to-zone Admin]
lab@Tokyo# commit and-quit
n
commit complete
Exiting configuration mode
io
lab@Tokyo>
ct
Part 4: NAT Testing and Troubleshooting
du
In this part of the lab you will test source and destination NAT.
Step 4.1 ro
From your router use Telnet to access the XX-VR router of your city region. (Recall that XX are
the first two letters of your city name. For example, TO-VR is the router name attached to
Tokyo. The login name is your router name, router-VR, where router is in lower case
ep
letters, and the password is lab123.)
lab@Tokyo> telnet 10.222.100.2
Trying 10.222.100.2...
rR
Connected to 10.222.100.2.
Escape character is '^]'.
Sydney (ttyp0)
Fo
login: tokyo-VR
Password:
NOTE: This router is divided into many virtual routers used by different
teams. Please only configure your own virtual router.
N
tokyo-VR@Sydney>
Step 4.2
From the XX-VR router initiate a Telnet session from one of the hosts located in the Retail
or Admin zone to another host, located in the Finance or HR zone.
n
public address space belonging to the Finance zone.
The reason is that other traffic will not be (should not
io
be) permitted by security policies.
ct
Trying 136.10.10.1...
telnet: connect to address 136.10.10.1: No route to host
telnet: Unable to connect to remote host
du
tokyo-VR@Sydney>
Step 4.3
Fo
lab@Tokyo>
Configure static routes to the prefixes of public addresses for the hosts belonging to the local
security zones of your router. For example, the Tokyo router will have static routes for
200.10.10/24 and 200.10.11/24 prefixes, as they represent prefixes of public addresses for
the Retail and Admin security zones, which are local to Tokyo. The London router, on the
other hand, will have static routes for 136.10.10/24 and 136.10.11/24 prefixes, as they
represent prefixes of public addresses for the HR and Finance security zones, which are local
to London.
The next-hop addresses, to be used in the static routes definitions, are the 10.222.x.y
addresses, leading to the respective hosts in the corresponding security zones. For example,
the 200.10.10/24 static route, because it represents public address prefix for hosts in
Retail zone, will use 10.222.100.2 as its next-hop address. The Lab 3 network diagrams
provide all the necessary information.
The following Public Address Assignment table provides the reference between the public
address prefixes and the corresponding security zones.
n
Security Zone Name Public Address Space
io
Retail 200.10.10/24
Admin 200.10.11/24
ct
HR 136.10.10/24
Finance 136.10.11/24
du
lab@Tokyo> edit
Entering configuration mode
[edit]
lab@Tokyo# edit routing-options static
ro
ep
[edit routing-options static]
lab@Tokyo# set route 200.10.10/24 next-hop 10.222.100.2
rR
[edit]
lab@London
Step 4.4
Ensure that the configured static routes are propagated to routers across the Internet and your
local LANs.
n
Answer: To propagate static routes to other routers, use
OSPF and routing policies. First, configure routing
io
policies. Next, export the configured policy under OSPF
protocol.
ct
[edit routing-options static]
lab@Tokyo# top
du
[edit]
lab@Tokyo# edit policy-options
[edit policy-options] ro
lab@Tokyo# set policy-statement staticToOSPF term 10 from protocol static
[edit policy-options]
ep
lab@Tokyo# set policy-statement staticToOSPF term 10 then accept
[edit policy-options]
lab@Tokyo# show
rR
policy-statement staticToOSPF {
term 10 {
from protocol static;
then accept;
Fo
}
}
[edit policy-options]
lab@Tokyo# top
ot
[edit]
lab@Tokyo# edit protocols ospf
N
area 0.0.0.1 {
area-range 10.10.100.0/24;
interface ge-0/0/3.100;
}
area 0.0.0.11 {
area-range 10.10.200.0/24;
interface ge-0/0/3.200;
}
n
Step 4.5
io
Commit the changes.
[edit protocols ospf]
ct
lab@Tokyo# commit and-quit
commit complete
Exiting configuration mode
du
lab@Tokyo>
Step 4.6
ro
Note
This step should be performed only by one of the
members of the group because the other member
ep
of the group will be observing the results of NAT.
From your router use Telnet to access the XX-VR router of your city region. (Recall that XX are
rR
the first two letters of your city name. For example, TO-VR is the router name attached to
Tokyo. The login name is your router name, router-VR, where router is in lower case
letters, and the password is lab123.)
lab@Tokyo> telnet 10.222.100.2
Fo
Trying 10.222.100.2...
Connected to 10.222.100.2.
Escape character is '^]'.
Sydney (ttyp0)
ot
login: tokyo-VR
Password:
N
NOTE: This router is divided into many virtual routers used by different
teams. Please only configure your own virtual router.
tokyo-VR@Sydney>
Step 4.7
From the XX-VR router, initiate a Telnet session from one of the hosts located in the Retail
or Admin zone to another host, located in the Finance or HR zone.
tokyo-VR@Sydney> telnet source 10.10.100.1 136.10.11.1 routing-instance TO-VR
Trying 136.10.11.1...
Connected to 136.10.11.1.
Escape character is '^]'.
Sydney (ttyp0)
n
login:
io
ct
Answer: Yes, the Telnet session should be successful.
du
Step 4.8
Using the management interface ge-0/0/0.0, use Telnet to access the router that is
performing the tests identified in the Step 4.7.
lab@London> telnet 10.210.11.178
Trying 10.210.11.178...
ro
Connected to 10.210.11.178.
ep
Escape character is '^]'.
Tokyo (ttyp0)
rR
login: lab
Password:
lab@Tokyo>
Step 4.9
Use show commands to observe NAT functionality.
lab@Tokyo> show security flow session
ot
6 sessions displayed
n
lab@Tokyo>
io
Question: How many sessions exist? Explain.
ct
du
ro
Answer: The Tokyo router has six sessions. Three
sessions in each router are OSPF sessions. The other
ep
sessions are Telnet sessions.
Step 4.10
rR
Use the show security nat command to view source and destination NAT details.
lab@Tokyo> show security nat destination-nat summary
Pool name Address range Port
RetailDestNAT 10.10.100.1 - 10.10.100.3
Fo
n
io
ct
du
ro
ep
rR
Fo
ot
N
n
io
ct
du
ro
ep
rR
Fo
ot
N
Overview
n
io
In this lab, you will implement secure tunnels using route-based IPSec VPNs.
This lab is available in two formats: a high-level format that is designed to make you think
ct
through each step and a detailed format that offers step-by-step instructions complete with
sample output from most commands.
du
Specifically, by completing this lab, you will perform the following tasks:
• Configure a route-based IPSec VPN between the two sites across the Internet.
• Troubleshoot and monitor IPSec VPNs.
ro
Similar to the previous lab, this lab requires you to use the Sydney router, which is logically
segmented into several virtual routers. Each student router connects to two virtual routers in
the form of XX-VR and XX-VR2, where XX is a two-letter abbreviation for the directly
ep
connected student router. Sydney also acts as the service provider, which provides Frame
Relay services between sites.
rR
Fo
ot
N
Key Commands
Key operational mode commands used in this lab include the following:
?
clear security ike security-associations
clear security ipsec security-associations
clear security ipsec statistics
configure
monitor start
monitor stop
n
ping
show log
io
show ospf neighbor
show route
show security ike security-associations
ct
show security ipsec security-associations
show security ipsec statistics
show security policies
du
show security zones
Step 1.1
rR
Log in to the router with the username lab and the password lab123.
Note
Fo
Tokyo (ttyd0)
login: lab
Password:
ot
lab@Tokyo>
Step 1.2
Define the IKE Phase 1 proposal, named IkeProposal, using the following parameters:
• Authentication method: Preshared keys;
• DH group: Group 5;
• Authentication algorithm: MD5;
• Encryption algorithm: 3DES-CBC; and
• Proposal lifetime value: 1200 seconds.
Here is the sample configuration for the Tokyo router:
n
lab@Tokyo> edit
io
Entering configuration mode
[edit]
ct
lab@Tokyo# edit security ike
[edit security ike]
lab@Tokyo# show proposal IkeProposal
du
authentication-method pre-shared-keys;
dh-group group5;
authentication-algorithm md5;
encryption-algorithm 3des-cbc; ro
lifetime-seconds 1200;
Step 1.3
Define the IKE Phase 1 policy, called IkePolicy. Use main mode and a preshared key called
rR
vpn123.
Here is the sample configuration for the Tokyo router:
[edit security ike]
Fo
Step 1.4
Define the IKE Phase 1 gateway, named IkeGateway.
n
[edit security ike]
io
lab@Tokyo# show gateway IkeGateway
ike-policy IkePolicy;
address 172.18.36.2;
ct
external-interface se-1/0/1.602;
du
[edit security ike]
lab@Tokyo# up
[edit security]
lab@Tokyo#
Step 2.1
rR
Configure the IPSec proposal, named ProposalIke2, using the following parameters:
• The protocol is ESP;
• The authentication algorithm is HMAC-MD5-96;
Fo
[edit security]
lab@Tokyo# edit ipsec
N
Step 2.2
Define the IPSec policy, called IPSecPolicy, to use the Group 5 perfect-forward-secrecy key.
Here is the sample configuration for the Tokyo router:
[edit security ipsec]
lab@Tokyo# show policy IPSecPolicy
perfect-forward-secrecy {
keys group5;
}
n
lab@Tokyo#
Step 2.3
io
Assign the proposal, named ProposalIke2, to the policy defined in Step 2.2.
ct
[edit security ipsec]
lab@Tokyo# set policy IPSecPolicy proposals ProposalIke2
du
Step 2.4
Define the IPSec VPN, called IPSecVPN. Ensure that the IPSec tunnel is established only
when there is traffic that needs to go through the tunnel.
ro
Question: How do you ensure that an IPSec tunnel is
established without waiting for any traffic?
ep
ike {
gateway IkeGateway;
ipsec-policy IPSecPolicy;
}
establish-tunnels on-traffic;
ot
Step 2.5
Bind the configured IPSec VPN to the st0.0 interface.
[edit security ipsec]
lab@Tokyo# set vpn IPSecVPN bind-interface st0.0
In this part of the lab you will configure distinguishing parameters for route-based IPSec VPNs.
Step 3.1
Configure the st0.0 interface on your router. Use the Lab 4 network diagram for IP address
assignment for your group.
[edit security ipsec]
lab@Tokyo# top
n
[edit]
lab@Tokyo# edit interfaces
io
[edit interfaces]
lab@Tokyo# set st0 unit 0 family inet address 172.18.38.1/30
ct
[edit interfaces]
du
lab@Tokyo# up
[edit]
lab@Tokyo#
Step 3.2
ro
Ensure that routing between the two sites across the Internet is performed across the st0.0
ep
interface.
Question: To what OSPF area should interface st0.0
belong on your router?
rR
[edit]
Fo
interface lo0.0;
}
area 0.0.0.1 {
N
area-range 10.10.100.0/24;
interface ge-0/0/3.100;
}
area 0.0.0.11 {
area-range 10.10.200.0/24;
interface ge-0/0/3.200;
}
}
[edit]
[edit]
lab@Tokyo# set protocols ospf area 0 interface st0.0
[edit]
lab@Tokyo# show protocols
ospf {
export staticToOSPF;
area 0.0.0.0 {
interface lo0.0;
interface st0.0;
}
n
area 0.0.0.1 {
area-range 10.10.100.0/24;
io
interface ge-0/0/3.100;
}
ct
area 0.0.0.11 {
area-range 10.10.200.0/24;
interface ge-0/0/3.200;
du
}
}
Step 3.3
Commit the configuration.
ro
[edit]
ep
lab@Tokyo# commit
commit complete
Step 3.4
rR
[edit]
lab@Tokyo# run show ospf neighbor
Address Interface State ID Pri Dead
10.222.100.2 ge-0/0/3.100 Full 10.10.100.1 128 35
10.222.200.2 ge-0/0/3.200 Full 10.10.200.1 128 34
[edit]
lab@Tokyo# run show ospf interface
Interface State Area DR ID BDR ID Nbrs
lo0.0 DR 0.0.0.0 192.168.24.1 0.0.0.0 0
[edit]
lab@Tokyo#
Step 3.5
Ensure that the problem identified in Step 3.4 is fixed.
[edit]
lab@Tokyo# edit security zones
n
[edit security zones]
io
lab@Tokyo# edit security-zone Public
ct
[edit security zones security-zone Public]
lab@Tokyo# show
address-book {
du
address TO-VRhost1 10.10.100.1/32;
address TO-VRhost2 10.10.100.2/32;
address TO-VRhost3 10.10.100.3/32;
address TO-VR2host1 10.10.200.1/32;
address TO-VR2host2 10.10.200.2/32;
address TO-VR2host3 10.10.200.3/32;
ro
address LO-VRhost1 10.10.101.1/32;
ep
address LO-VRhost2 10.10.101.2/32;
address LO-VRhost3 10.10.101.3/32;
address LO-VR2host1 10.10.201.1/32;
address LO-VR2host2 10.10.201.2/32;
rR
address-set TO-VRhosts {
address TO-VRhost1;
address TO-VRhost2;
address TO-VRhost3;
}
ot
address-set LO-VRhosts {
address LO-VRhost1;
address LO-VRhost2;
N
address LO-VRhost3;
}
address-set TO-VR2hosts {
address TO-VR2host1;
address TO-VR2host2;
address TO-VR2host3;
}
address-set LO-VR2hosts {
address LO-VR2host1;
address LO-VR2host2;
address LO-VR2host3;
}
}
host-inbound-traffic {
protocols {
ospf;
}
}
interfaces {
lo0.0;
se-1/0/1.602;
}
n
[edit security zones security-zone Public]
lab@Tokyo# set interfaces st0.0
io
[edit security zones security-zone Public]
ct
lab@Tokyo# show interfaces
lo0.0;
se-1/0/1.602;
du
st0.0;
Step 3.7
Fo
[edit]
lab@Tokyo# exit
Exiting configuration mode
lab@Tokyo>
n
Part 4: Troubleshooting the Retail/Finance IPSec VPN Operation
io
Step 4.1
ct
Confirm that IKE Phase 1 security associations (SAs) are formed.
du
Question: In what state is the IKE Phase 1 SA? Why?
ro
ep
Answer: IKE Phase 1 SAs are formed because IPSec
VPN tunnels are established on the condition of
receiving the traffic that must be sent. In our case, it is
OSPF traffic that causes IKE Phase 1 SAs to be formed.
rR
Step 4.2
Confirm that IKE Phase 2 SAs are formed.
lab@Tokyo> show security ipsec security-associations
ot
lab@Tokyo>
Step 4.3
From your router, use Telnet to access the XX-VR router of your city region. (Recall that XX are
the first two letters of your city name. For example, TO-VR is the router name attached to
Tokyo. The login name is your router name, router-VR, where router is in lower case
letters, and the password is lab123.)
Sydney (ttyp0)
login: tokyo-VR
Password:
n
NOTE: This router is divided into many virtual routers used by different
teams. Please only configure your own virtual router.
io
You must use 'configure private' to configure this router.
ct
tokyo-VR@Sydney>
Step 4.4
du
From the XX-VR router, initiate a Telnet session from one of the hosts located in the Retail
zone to another host located in the Finance zone.
ro
tokyo-VR@Sydney> telnet source 10.10.100.1 136.10.11.1 routing-instance TO-VR
Trying 136.10.11.1...
^C
ep
tokyo-VR@Sydney>
Step 4.5
Fo
lab@Tokyo>
Step 4.6
N
Recall that your router and your partner’s router is performing NAT. Check the source NAT
assignments.
Question: With which interfaces are the source NAT
addresses associated?
n
lab@Tokyo>
io
lab@London> show security nat source-nat summary
ct
Pool name Address low Address high Interface PAT
FinanceSourcePool 136.10.11.1 136.10.11.1 se-1/0/0.603 yes
HRsourcePool 136.10.10.1 136.10.10.1 se-1/0/0.603 yes
du
lab@London>
Step 4.7
lab@Tokyo> edit
Fix the problem identified in Step 4.6.
ro
ep
Entering configuration mode
[edit]
lab@Tokyo# edit security nat
rR
interface se-1/0/1.602 {
source-nat {
pool RetailSourcePool {
address {
200.10.10.1;
ot
}
}
pool AdminSourcePool {
N
address {
200.10.11.1;
}
}
}
}
lab@Tokyo# show
destination-nat RetailDestNAT address-range low 10.10.100.1 high 10.10.100.3;
destination-nat AdminDestNAT address-range low 10.10.200.1 high 10.10.200.3;
interface st0.0 {
source-nat {
pool RetailSourcePool {
address {
200.10.10.1;
}
}
pool AdminSourcePool {
n
address {
200.10.11.1;
io
}
}
}
ct
}
du
lab@Tokyo#
Step 4.8
Commit the configuration changes.
ro
[edit security nat]
lab@Tokyo# commit
ep
commit complete
[edit]
lab@Tokyo# exit
Exiting configuration mode
Fo
lab@Tokyo>
Step 4.9
Repeat Steps 4.3 and 4.4.
ot
Sydney (ttyp0)
login: tokyo-VR
Password:
NOTE: This router is divided into many virtual routers used by different
teams. Please only configure your own virtual router.
tokyo-VR@Sydney>
tokyo-VR@Sydney> telnet source 10.10.100.1 136.10.11.1 routing-instance TO-VR
n
Trying 136.10.11.1...
Connected to 136.10.11.1.
io
Escape character is '^]'.
ct
Sydney (ttyp1)
du
Connection closed by foreign host.
tokyo-VR@Sydney>
Step 4.10 ro
Exit the Telnet session.
ep
tokyo-VR@Sydney> exit
lab@Tokyo>
Step 4.11
From your router, use Telnet to access the XX-VR2 router of your city region. (Recall that XX
are the first two letters of your city name. For example, TO-VR2 is the router name attached to
Fo
Tokyo. The login name is your router name, router-VR2, where router is in lower case
letters, and the password is lab123.)
lab@Tokyo> telnet 10.222.200.2
Trying 10.222.200.2...
ot
Connected to 10.222.200.2.
Escape character is '^]'.
N
Sydney (ttyp0)
login: tokyo-VR2
Password:
NOTE: This router is divided into many virtual routers used by different
teams. Please only configure your own virtual router.
tokyo-VR2@Sydney>
Step 4.12
Ensure that the established IPSec tunnel works for Admin/HR zones connection as well,
which you can do by establishing a Telnet session originating from a host located in Admin
zone to a host located in HR zone.
tokyo-VR2@Sydney> telnet 136.10.10.1 source 10.10.200.1 routing-instance
TO-VR2
Trying 136.10.10.1...
n
Connected to 136.10.10.1.
Escape character is '^]'.
io
Sydney (ttyp1)
ct
login:
du
Question: Is the Telnet session successful?
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
ot
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
lab@London>
n
io
ct
du
ro
ep
rR
Fo
ot
N
n
io
Appendix A: Lab Diagrams
ct
du
ro
ep
rR
Fo
ot
N
Operating Enhanced Services for JUNOS Software
n
io
ct
du
ro
ep
rR
Fo
ot
N
n
io
ct
du
ro
ep
rR
Fo
ot
N
n
io
ct
du
ro
ep
rR
Fo
ot
N
n
io
ct
du
ro
ep
rR
Fo
ot
N
n
io
ct
du
ro
ep
rR
Fo
ot
N
n
io
ct
du
ro
ep
rR
Fo
ot
N
n
io
ct
du
ro
ep
rR
Fo
ot
N
n
io
ct
du
ro
ep
rR
Fo
ot
N
n
io
ct
du
ro
ep
rR
Fo
ot
N