Not For Reproduction. Operating Enhanced Services for JUNOS Software. 9.a. Detailed Lab Guide


Operating Enhanced Services for JUNOS Software 9.a
Detailed Lab Guide
Course Number: EDU-JUN-OESJ
1194 North Mathilda Avenue, Sunnyvale, CA USA

Juniper Networks, the Juniper Networks logo, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOS and JUNOSe are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Operating Enhanced Services for JUNOS Software Detailed Lab Guide, Revision 9.a
Copyright 2008, Juniper Networks, Inc. All rights reserved. Printed in USA.

Revision History: Revision 9.a, March 2008

The information in this document is current as of the date listed above. The information in this document has been carefully verified and is believed to be accurate for software Release 9.0R1. Juniper Networks assumes no responsibilities for any inaccuracies that may appear in this document. In no event will Juniper Networks be liable for direct, indirect, special, exemplary, incidental or consequential damages resulting from any defect or omission in this document, even if advised of the possibility of such damages. Juniper Networks reserves the right to change, modify, transfer or otherwise revise this publication without notice.

YEAR 2000 NOTICE
Juniper Networks hardware and software products do not suffer from Year 2000 problems and hence are Year 2000 compliant. The JUNOS software has no known time-related limitations through the year However, the NTP application is known to have some difficulty in the year

SOFTWARE LICENSE
The terms and conditions for using Juniper Networks software are described in the software license provided with the software, or to the extent applicable, in an agreement executed between you and Juniper Networks, or Juniper Networks agent. By using Juniper Networks software, you indicate that you understand and agree to be bound by its license terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the Juniper Networks software, may contain prohibitions against certain uses, and may state conditions under which the license is automatically terminated. You should consult the software license for further details.

Contents

Lab 1: Initial System Configuration (Detailed)
  Part 1: Load a Reset Configuration File
  Part 2: Establish Layer 2 Addressing
  Part 3: Assign IP Addressing
  Part 4: Establish Layer 3 Connectivity Using OSPF Routing Protocol
  Part 5: Establish Hosts Within Each Site and Summarize the Advertisement of Their Prefixes Across the Internet

Lab 2: Security Policies (Detailed)
  Part 1: Interface Assignment to Security Zones
  Part 2: Building Address Books for Each Security Zone
  Part 3: Establishing and Configuring Security Policies
  Part 4: Testing and Monitoring the Functionality of Security Zones

Lab 3: Network Address Translation (NAT) (Detailed)
  Part 1: Adding Public Addresses to Address Books of Necessary Security Zones
  Part 2: Define Source and Destination NAT
  Part 3: Incorporating Source and Destination NAT into Security Policies
  Part 4: NAT Testing and Troubleshooting

Lab 4: Campus Interconnectivity IPSec VPNs (Detailed)
  Part 1: Configuring IKE Phase 1 Parameters
  Part 2: Configuring IKE Phase 2 Parameters
  Part 3: Configuring Route-Based IPSec VPN Elements
  Part 4: Troubleshooting the Retail/Finance IPSec VPN Operation

Appendix A: Lab Diagrams


Course Overview

The Operating Enhanced Services for JUNOS Software course is an instructor-led, four-day course designed to provide enterprise network engineers with the knowledge and skills necessary to use JUNOS software with enhanced services. It covers advanced security features and configurations of Juniper Networks platforms, focusing specifically on the enhanced services of JUNOS software. The course combines both lecture and labs, with significant time allocated for hands-on experience with JUNOS software enhanced services.

Objectives

After successfully completing this course, you should be able to:
  Describe the requirements of routers and firewalls.
  Describe the architecture of JUNOS software with enhanced services.
  Describe and define zone types and their purpose.
  Configure and monitor zones.
  Explain the meaning of SCREEN options.
  Identify advantages of using JUNOS SCREEN options.
  Configure and monitor zone-based SCREEN options.
  Explain security policy functionality.
  Configure and monitor security policies.
  Describe Network Address Translation (NAT) features.
  Configure and monitor NAT.
  Describe IPSec VPNs.
  Configure and monitor policy-based and route-based IPSec VPNs.
  Describe high availability support and the JUNOS Services Redundancy Protocol (JSRP).
  Describe JSRP operation.
  Configure and monitor JSRP.

Intended Audience

The primary audiences for this course are the following:
  Enterprise network engineers; and
  Reseller support engineers.

Course Level

This is an advanced-level course.

Prerequisites

The following are the prerequisites for this course:
  The Operating Juniper Networks Routers in the Enterprise course or equivalent experience;
  Knowledge, familiarity, and comfort with the JUNOS software CLI;
  Experience managing routers (not necessarily Juniper Networks) in an enterprise environment;
  An understanding of destination-based, hop-by-hop IP routing; and
  Experience with interior gateway protocols (IGPs).

Course Agenda

Day 1: Lab 1: Initial System Configuration (Detailed)
Day 2: Lab 2: Security Policies (Detailed)
Day 3: Lab 3: Network Address Translation (NAT) (Detailed)
Day 4: Lab 4: Campus Interconnectivity IPSec VPNs (Detailed)

Document Conventions

CLI and GUI Text

Frequently throughout this course, we refer to text that appears in a command-line interface (CLI) or a graphical user interface (GUI). To make the language of these documents easier to read, we distinguish GUI and CLI text from chapter text according to the following table.

Style: Franklin Gothic
  Description: Normal text.
  Usage Example: Most of what you read in the Lab Guide and Student Guide.

Style: Courier New
  Description: Console text: screen captures; noncommand-related syntax.
  Usage Example:
    commit complete
    Exiting configuration mode

Style: Century Gothic
  Description: GUI text elements: menu names; text field entry.
  Usage Example: Select File>Open, and then click Configuration.conf in the Filename text box.

Input Text Versus Output Text

You will also frequently see cases where you must enter input text yourself. Often this will be shown in the context of where you must enter it. We use bold style to distinguish text that is input versus text that is simply displayed.

Style: Normal CLI / Normal GUI
  Description: No distinguishing variant.
  Usage Example:
    Physical interface:fxp0, Enabled
    View configuration history by clicking Configuration>History.

Style: CLI Input / GUI Input
  Description: Text that you must enter.
  Usage Example:
    lab@san_jose> show route
    Select File>Save, and enter config.ini in the Filename field.

Defined and Undefined Syntax Variables

Finally, this course distinguishes between regular text and syntax variables, and it also distinguishes between syntax variables where the value is already assigned (defined variables) and syntax variables where you must assign the value (undefined variables). Note that these styles can be combined with the input style as well.

Style: CLI Variable / GUI Variable
  Description: Text where the variable's value is already assigned.
  Usage Example:
    policy my-peers
    Click on my-peers in the dialog.

Style: CLI Undefined / GUI Undefined
  Description: Text where the variable's value is at the user's discretion, and text where the variable's value as shown in the lab guide might differ from the value the user must input.
  Usage Example:
    Type set policy policy-name.
    ping
    Select File>Save, and enter filename in the Filename field.

Additional Information

Education Services Offerings

You can obtain information on the latest Education Services offerings, course dates, and class locations from the World Wide Web by pointing your Web browser to:

About This Publication

The Operating Enhanced Services for JUNOS Software Detailed Lab Guide was developed and tested using software version 9.0R1. Previous and later versions of software may behave differently, so you should always consult the documentation and release notes for the version of code you are running before reporting errors.

This document is written and maintained by the Juniper Networks Education Services development team. Please send questions and suggestions for improvement to

Technical Publications

You can print technical manuals and release notes directly from the Internet in a variety of formats: Go to Locate the specific software or hardware release and title you need, and choose the format in which you want to view or print the document. Documentation sets and CDs are available through your local Juniper Networks sales office or account representative.

Juniper Networks Support

For technical support, contact Juniper Networks at support/, or at JTAC (within the United States) or (from outside the United States).

Lab 1
Initial System Configuration (Detailed)

Overview

In this first lab you will establish the baseline for all other labs. Specifically, you will establish Layer 2 and Layer 3 connectivity between the devices within your group. There are four groups: A, B, C, and D. You will work in pairs, as defined by your instructor.

Layer 2 connectivity consists of establishing a WAN Frame Relay connection across the Internet, and virtual LAN (VLAN) connectivity within each city of your group. Layer 3 connectivity consists of assigning IP addressing, as defined in the lab guide, and configuring the OSPF routing protocol. Once all the connections are established, you will configure three hosts within each site, and ensure that summary routes for these hosts are propagated across the WAN links.

This lab is available in two formats: a high-level format that is designed to make you think through each step, and a detailed format that offers step-by-step instructions complete with sample output from most of the commands.

By completing this lab, you will perform the following tasks:
  Load the reset configuration files.
  Establish Layer 2 Frame Relay and VLAN addressing.
  Assign IP addresses to all the specified interfaces.
  Establish Layer 3 connectivity using the OSPF routing protocol.
  Ensure the distribution of aggregate routes across the Internet.
  Test and monitor network connectivity.

This lab requires you to use the Sydney router, which is logically segmented into several virtual routers. XX-VR and XX-VR2 are defined as virtual routers for each site, where XX is a two-letter abbreviation of your router. Sydney also acts as the service provider, which provides Frame Relay services between sites.

Initial System Configuration (Detailed) Lab a.9.0R1

Key Commands

Key operational-mode commands used in this lab include the following:
  configure
  load override
  ping
  show interfaces terse
  show ospf
  show route table
  traceroute

Part 1: Load a Reset Configuration File

In this part of the lab each team will load the reset configuration file.

Step 1.1

Log in to the router with the username lab and the password lab123. Note that the username and the password are case sensitive.

Tokyo (ttyd0)

login: lab
Password:

--- JUNOS 9.0R1.10 built :14:18 UTC
lab@tokyo>

Step 1.2

Enter configuration mode and load a reset configuration using the load override command. The file to load is /var/home/lab/oesj/lab1-reset.conf.

lab@tokyo> configure
Entering configuration mode

[edit]
lab@tokyo# load override /var/home/lab/oesj/lab1-reset.conf
load complete

[edit]
lab@tokyo#

Step 1.3

Display the resulting configuration. Here is the sample configuration for the Tokyo router:

[edit]
lab@tokyo# show
## Last changed: :02:56 UTC
version 9.0R1.10;

system {
    host-name Tokyo;
    root-authentication {
        encrypted-password "$1$88Mjdcd5$QDURoHCb0BJHBzSOyhqly."; ## SECRET-DATA
    }
    login {
        user lab {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$MEG.LEMV$N5FAp2A5tUP6U52UiSHoB/"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
        telnet;
        web-management {
            http {
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
interfaces {
    ge-0/0/0 {
        description "Do-not-delete-Management-Interface!";
        unit 0 {
            family inet {
                address /28;
            }
        }
    }
}
security {
    zones {
        security-zone trust {
            interfaces {
                all {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}

[edit]
lab@tokyo#

Part 2: Establish Layer 2 Addressing

In this part of the lab you will configure all Layer 2 addresses for your router. Refer to the Lab 1 diagram for your group letter (A, B, C, or D).

Step 2.1

Display the status of the Internet-facing serial interface and the LAN interface ge-0/0/3.

[edit]
lab@tokyo# run show interfaces ge-0/0/3
Physical interface: ge-0/0/3, Enabled, Physical link is Up
  Interface index: 140, SNMP ifindex: 36
  Link-level type: Ethernet, MTU: 1514, Speed: 100mbps, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online
  Device flags : Present Running
  Interface flags: SNMP-Traps Internal: 0x4000
  Link flags : None
  CoS queues : 8 supported, 8 maximum usable queues
  Current address: 00:17:cb:4e:ab:03, Hardware address: 00:17:cb:4e:ab:03
  Last flapped : :42:03 UTC (4d 23:06 ago)
  Input rate : 0 bps (0 pps)

  Output rate : 0 bps (0 pps)
  Active alarms : None
  Active defects : None

[edit]
lab@tokyo# run show interfaces se-1/0/1
Physical interface: se-1/0/1, Enabled, Physical link is Up
  Interface index: 142, SNMP ifindex: 38
  Type: Serial, Link-level type: PPP, MTU: 1504, Maximum speed: 8mbps
  Device flags : Present Running
  Interface flags: Point-To-Point Internal: 0x4000
  Link flags : Keepalives
  CoS queues : 8 supported, 8 maximum usable queues
  Last flapped : :42:31 UTC (4d 23:06 ago)
  Input rate : 0 bps (0 pps)
  Output rate : 0 bps (0 pps)

Question: What is the link-level type for the serial interface facing the Internet?

Answer: The link-level type is PPP.

Question: Based on the network diagram for your group, what are the link-level encapsulations for the serial interface that faces the Internet and the ge-0/0/3 interface?

Answer: The ge-0/0/3 interface requires VLAN-tagging encapsulation. The serial link that faces the Internet requires Frame Relay encapsulation.

Step 2.2

Configure Layer 2 parameters, as identified in the network diagram for your group letter (A, B, C, or D). Commit the changes.

[edit]
lab@tokyo# edit interfaces

[edit interfaces]
lab@tokyo# set ge-0/0/3 vlan-tagging

[edit interfaces]
lab@tokyo# set ge-0/0/3 unit 100 vlan-id 100

[edit interfaces]
lab@tokyo# set ge-0/0/3 unit 200 vlan-id 200

[edit interfaces]
lab@tokyo# set se-1/0/1 encapsulation frame-relay

[edit interfaces]
lab@tokyo# set se-1/0/1 unit 602 dlci 602

[edit interfaces]
lab@tokyo# show ge-0/0/3
vlan-tagging;
unit 100 {
    vlan-id 100;
}
unit 200 {
    vlan-id 200;
}

[edit interfaces]
lab@tokyo# show se-1/0/1
encapsulation frame-relay;
unit 602 {
    dlci 602;
}

[edit interfaces]
lab@tokyo# commit
commit complete

[edit interfaces]
lab@tokyo#

Step 2.3

Display the status of the interfaces again using the show interfaces interface-name command.

[edit]
lab@tokyo# run show interfaces ge-0/0/3
Physical interface: ge-0/0/3, Enabled, Physical link is Up
  Interface index: 140, SNMP ifindex: 36
  Link-level type: Ethernet, MTU: 1518, Speed: 100mbps, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online
  Device flags : Present Running
  Interface flags: SNMP-Traps Internal: 0x4000
  Link flags : None
  CoS queues : 8 supported, 8 maximum usable queues
  Current address: 00:17:cb:4e:ab:03, Hardware address: 00:17:cb:4e:ab:03
  Last flapped : :42:03 UTC (4d 23:09 ago)
  Input rate : 0 bps (0 pps)
  Output rate : 0 bps (0 pps)
  Active alarms : None
  Active defects : None

  Logical interface ge-0/0/3.100 (Index 64) (SNMP ifindex 43)
    Flags: SNMP-Traps VLAN-Tag [ 0x ] Encapsulation: ENET2
    Input packets : 0
    Output packets: 0
    Security: Zone: trust
    Allowed host-inbound traffic : bootp bfd bgp dlsw dns dvmrp igmp ldp msdp nhrp ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike netconf ping rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping

  Logical interface ge-0/0/3.200 (Index 67) (SNMP ifindex 47)
    Flags: SNMP-Traps VLAN-Tag [ 0x ] Encapsulation: ENET2
    Input packets : 0
    Output packets: 0
    Security: Zone: trust
    Allowed host-inbound traffic : bootp bfd bgp dlsw dns dvmrp igmp ldp msdp nhrp ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike netconf ping rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping

  Logical interface ge-0/0/ (Index 69) (SNMP ifindex 44)
    Flags: SNMP-Traps VLAN-Tag [ 0x ] Encapsulation: ENET2
    Input packets : 0
    Output packets: 0
    Security: Zone: trust
    Allowed host-inbound traffic : bootp bfd bgp dlsw dns dvmrp igmp ldp msdp nhrp ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike netconf ping rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping

[edit]
lab@tokyo# run show interfaces se-1/0/1
Physical interface: se-1/0/1, Enabled, Physical link is Up
  Interface index: 142, SNMP ifindex: 38
  Type: Serial, Link-level type: Frame-Relay, MTU: 1504, Maximum speed: 8mbps
  Device flags : Present Running
  Interface flags: Point-To-Point Internal: 0x4000
  Link flags : Keepalives DTE
  ANSI LMI settings: n391dte 6, n392dte 3, n393dte 4, t391dte 10 seconds
  LMI: Input: 4 (00:00:02 ago), Output: 3 (00:00:02 ago)
  DTE statistics:
    Enquiries sent : 3
    Full enquiries sent : 0
    Enquiry responses received : 3
    Full enquiry responses received : 0
  DCE statistics:
    Enquiries received : 0
    Full enquiries received : 0
    Enquiry responses sent : 0
    Full enquiry responses sent : 0
  Common statistics:
    Unknown messages received : 0
    Asynchronous updates received : 1
    Out-of-sequence packets received : 0

    Keepalive responses timedout : 0
  CoS queues : 8 supported, 8 maximum usable queues
  Last flapped : :42:31 UTC (4d 23:09 ago)
  Input rate : 0 bps (0 pps)
  Output rate : 112 bps (0 pps)

  Logical interface se-1/0/1.602 (Index 70) (SNMP ifindex 46)
    Flags: Hardware-Down Point-To-Point SNMP-Traps Encapsulation: FR-NLPID
    Input packets : 0
    Output packets: 0
    Security: Zone: trust
    Allowed host-inbound traffic : bootp bfd bgp dlsw dns dvmrp igmp ldp msdp nhrp ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike netconf ping rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping
    DLCI 602
      Flags: Down, DCE-Unconfigured
      Total down time: 00:00:19 sec, Last down: 00:00:19 ago
      Input packets : 0
      Output packets: 0
    DLCI statistics:
      Active DLCI :0
      Inactive DLCI :1

Question: What is the difference between the display of the interfaces status in this step and Step 2.1?

Answer: The interface status in Step 2.1 illustrated Layer 1 parameters for LAN and WAN interfaces. Also, the serial interface used PPP as its Layer 2 protocol. Now the LAN interface status illustrates logical units (VLANs), and the serial interface uses Frame Relay as its Layer 2 protocol.

Part 3: Assign IP Addressing

Step 3.1

Assign IP addresses to the WAN, LAN, and lo0 interfaces of your router, as illustrated in the Lab 1 diagram for your group letter (A, B, C, or D).

[edit interfaces]
lab@tokyo# set ge-0/0/3 unit 100 family inet address /24

[edit interfaces]
lab@tokyo# set ge-0/0/3 unit 200 family inet address /24

[edit interfaces]

lab@tokyo# set se-1/0/1 unit 602 family inet address /30

[edit interfaces]
lab@tokyo# set lo0 unit 0 family inet address

[edit interfaces]
lab@tokyo# show
ge-0/0/0 {
    description "Do-not-delete-Management-Interface!";
    unit 0 {
        family inet {
            address /28;
        }
    }
}
ge-0/0/3 {
    vlan-tagging;
    unit 100 {
        vlan-id 100;
        family inet {
            address /24;
        }
    }
    unit 200 {
        vlan-id 200;
        family inet {
            address /24;
        }
    }
}
se-1/0/1 {
    encapsulation frame-relay;
    unit 602 {
        dlci 602;
        family inet {
            address /30;
        }
    }
}
lo0 {
    unit 0 {
        family inet {
            address /32;
        }
    }
}

[edit interfaces]
lab@tokyo#

Step 3.2

Commit the configuration changes.

[edit interfaces]
lab@tokyo# commit and-quit
commit complete
Exiting configuration mode

Step 3.3

Test IP connectivity by pinging the IP address of the directly attached interface of your peer router across the Internet.

lab@tokyo> ping
PING ( ): 56 data bytes
64 bytes from : icmp_seq=0 ttl=65 time=3.758 ms
64 bytes from : icmp_seq=1 ttl=65 time=2.346 ms
64 bytes from : icmp_seq=2 ttl=65 tim^c
--- ping statistics ---
packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.344/2.816/3.758/0.666 ms
lab@tokyo>

Question: Is the ping successful?

Answer: The ping should be successful.

Continue testing IP connectivity by pinging the IP address of the XX-VR and XX-VR2 LAN interfaces directly attached to your router.

lab@tokyo> ping
PING ( ): 56 data bytes
64 bytes from : icmp_seq=1 ttl=64 time=3.096 ms
64 bytes from : icmp_seq=2 ttl=64 time=2.130 ms
64 bytes from : icmp_seq=3 ttl=64 time=2.410 ms
64 bytes from : icmp_seq=4 ttl=64 time=4.187 ms
^C
--- ping statistics ---
packets transmitted, 4 packets received, 20% packet loss
round-trip min/avg/max/stddev = 2.130/2.956/4.187/0.793 ms

lab@tokyo> ping
PING ( ): 56 data bytes
64 bytes from : icmp_seq=1 ttl=64 time=2.390 ms
64 bytes from : icmp_seq=2 ttl=64 time=3.104 ms
64 bytes from : icmp_seq=3 ttl=64 time= ms
64 bytes from : icmp_seq=4 ttl=64 ti^c
--- ping statistics ---
packets transmitted, 4 packets received, 20% packet loss
round-trip min/avg/max/stddev = 2.373/5.745/15.112/5.416 ms
lab@tokyo>

Question: Is the ping successful?

Answer: The ping should be successful.

Now continue testing IP connectivity by pinging the IP address of the lo0 interface of your peer router across the Internet.

lab@tokyo> ping
PING ( ): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
ping: sendto: No route to host
^C
--- ping statistics ---
packets transmitted, 0 packets received, 100% packet loss
lab@tokyo>

Question: Is the ping successful? Why?

Answer: The ping is not successful because there is no route to the destination IP address. To learn the route, a dynamic routing protocol or static route is required.

Part 4: Establish Layer 3 Connectivity Using OSPF Routing Protocol

In this part of the lab, you will establish Layer 3 connectivity between all the routers within your city region (which includes your router, XX-VR, and XX-VR2) and between those routers and the routers of your peer. You are to use OSPF as the routing protocol. Refer to the network diagram of Lab 1 for your group letter (A, B, C, or D) to determine the OSPF area assignments.

Step 4.1

From your router, use Telnet to access the XX-VR router of your city region. Recall that XX are the first two letters of your city name. For example, TO-VR is the router name attached to Tokyo. The login name is your router name, router-vr, where router is in lower case letters, and the password is lab123.

lab@tokyo> telnet
Trying
Connected to
Escape character is '^]'.

Sydney (ttyp0)

login: tokyo-vr
Password:

--- JUNOS 9.0R1.10 built :13:25 UTC

NOTE: This router is divided into many virtual routers used by different teams. Please only configure your own virtual router. You must use 'configure private' to configure this router.

Step 4.2

Configure the OSPF routing protocol for routing-instance XX-VR. Use the Lab 1 diagram to identify which OSPF area to configure. OSPF interfaces include lo0.xyz and ge-0/0/3.xyz, where xyz is the corresponding VLAN ID, as defined on the lab diagram.

tokyo-vr@sydney> configure private
warning: uncommitted changes will be discarded on exit
Entering configuration mode

[edit]
tokyo-vr@sydney# edit routing-instances TO-VR

[edit routing-instances TO-VR]
tokyo-vr@sydney# edit protocols

[edit routing-instances TO-VR protocols]
tokyo-vr@sydney# set ospf area 1 interface ge-0/0/3.100

[edit routing-instances TO-VR protocols]
tokyo-vr@sydney# set ospf area 1 interface lo0.100

[edit routing-instances TO-VR protocols]
tokyo-vr@sydney# up

[edit routing-instances TO-VR]
tokyo-vr@sydney# show
instance-type virtual-router;
interface ge-0/0/3.100;
interface lo0.100;
protocols {
    ospf {
        area {
            interface ge-0/0/3.100;
            interface lo0.100;
        }
    }
}

Step 4.3

Commit the configuration file.

[edit routing-instances TO-VR]
tokyo-vr@sydney# top

[edit]
tokyo-vr@sydney# commit
commit complete

[edit]
tokyo-vr@sydney#

Step 4.4

Close the Telnet session with the XX-VR router. Now use Telnet to access the XX-VR2 router of your city region. (Recall that XX are the first two letters of your city name. For example, TO-VR2 is the router name attached to Tokyo. The login name is your router name, router-vr2, where router is in lower case letters, and the password is lab123.)

[edit]
tokyo-vr@sydney# exit
Exiting configuration mode

tokyo-vr@sydney> exit
Connection closed by foreign host.

lab@tokyo> telnet
Trying
Connected to
Escape character is '^]'.

Sydney (ttyp0)

login: tokyo-vr2
Password:

--- JUNOS 9.0R1.10 built :13:25 UTC

NOTE: This router is divided into many virtual routers used by different teams. Please only configure your own virtual router. You must use 'configure private' to configure this router.

Step 4.5

Configure the OSPF routing protocol for the routing-instance XX-VR2. Use the Lab 1 diagram to identify which OSPF area to configure. OSPF interfaces include lo0.xyz and ge-0/0/3.xyz, where xyz is the corresponding VLAN ID, as defined on the lab diagram.

tokyo-vr2@sydney> configure private
warning: uncommitted changes will be discarded on exit
Entering configuration mode

[edit]
tokyo-vr2@sydney# edit routing-instances TO-VR2

[edit routing-instances TO-VR2]
tokyo-vr2@sydney# set protocols ospf area 11 interface ge-0/0/3.200

[edit routing-instances TO-VR2]
tokyo-vr2@sydney# set protocols ospf area 11 interface lo0.200

[edit routing-instances TO-VR2]
tokyo-vr2@sydney# show
instance-type virtual-router;
interface ge-0/0/3.200;
interface lo0.200;
protocols {
    ospf {
        area {
            interface ge-0/0/3.200;
            interface lo0.200;
        }
    }
}

Step 4.6

Commit the configuration file. Next, exit the Telnet session.

[edit routing-instances TO-VR2]
tokyo-vr2@sydney# top

[edit]
tokyo-vr2@sydney# commit and-quit
commit complete
Exiting configuration mode

tokyo-vr2@sydney> exit
Connection closed by foreign host.

lab@tokyo>
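Steps 4.2 and 4.5 place the two virtual routers in areas 1 and 11, and Step 4.7 makes the Tokyo router itself the area border router. The two classic reasons an adjacency in such a plan never reaches Full are an area mismatch on a shared link and a non-backbone area that no router connects to area 0. The script below is an added example, not part of the lab guide or Juniper's tooling: it takes a small area plan (constructed from the Tokyo group's values used in this part), checks it for both faults, and renders each device's share as the set commands the lab types. The link names and the deliberately broken plan are assumptions made for the demonstration.

```python
"""Sanity-check an OSPF area plan before committing it, and render it as JUNOS set commands."""
from collections import defaultdict

# Constructed area plan for the Tokyo group, following Steps 4.2, 4.5 and 4.7:
# (device, interface, area). Device names mirror the lab; nothing here is read from a router.
AREA_PLAN = [
    ("tokyo",  "se-1/0/1.602", 0), ("tokyo",  "lo0.0",        0),
    ("tokyo",  "ge-0/0/3.100", 1), ("tokyo",  "ge-0/0/3.200", 11),
    ("TO-VR",  "ge-0/0/3.100", 1), ("TO-VR",  "lo0.100",      1),
    ("TO-VR2", "ge-0/0/3.200", 11), ("TO-VR2", "lo0.200",     11),
]

# Which interfaces share a link (assumed from the VLAN numbering: unit 100 <-> VLAN 100, etc.).
LINKS = {
    "vlan100": [("tokyo", "ge-0/0/3.100"), ("TO-VR", "ge-0/0/3.100")],
    "vlan200": [("tokyo", "ge-0/0/3.200"), ("TO-VR2", "ge-0/0/3.200")],
}

# Virtual routers are configured under routing-instances; the physical router is not.
ROUTING_INSTANCE = {"tokyo": None, "TO-VR": "TO-VR", "TO-VR2": "TO-VR2"}

# A deliberately wrong plan: TO-VR2 moved to area 12 while Tokyo's VLAN 200 unit stays in area 11.
BROKEN_PLAN = [(d, i, 12 if d == "TO-VR2" else a) for d, i, a in AREA_PLAN]


def area_of(plan):
    """Index the plan by (device, interface) -> area."""
    return {(dev, ifc): area for dev, ifc, area in plan}


def link_area_mismatches(plan, links):
    """Links whose two ends sit in different areas; OSPF Hellos across them are ignored."""
    lookup = area_of(plan)
    return [name for name, ends in links.items()
            if len({lookup.get(end) for end in ends}) != 1]


def areas_without_abr(plan):
    """Non-backbone areas with no router that is also in area 0 (their routes never leave)."""
    by_device = defaultdict(set)
    for dev, _, area in plan:
        by_device[dev].add(area)
    return [area for area in sorted({a for _, _, a in plan if a != 0})
            if not any({0, area} <= areas for areas in by_device.values())]


def to_set_commands(device, plan):
    """Render one device's share of the plan in the set syntax used in Steps 4.2, 4.5 and 4.7."""
    prefix = "set"
    instance = ROUTING_INSTANCE.get(device)
    if instance:
        prefix += f" routing-instances {instance}"
    return [f"{prefix} protocols ospf area {area} interface {ifc}"
            for dev, ifc, area in plan if dev == device]


if __name__ == "__main__":
    for name, plan in (("lab plan", AREA_PLAN), ("broken plan", BROKEN_PLAN)):
        print(name, "mismatched links:", link_area_mismatches(plan, LINKS),
              "areas without ABR:", areas_without_abr(plan))
    for device in ROUTING_INSTANCE:
        print("\n".join(to_set_commands(device, AREA_PLAN)))
```

Run it before Step 4.9: a plan that passes both checks should produce three Full neighbors on the Tokyo router; the broken plan shows how a single wrong area number both breaks the VLAN 200 adjacency and strands area 12 without a border router.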

Step 4.7

Configure the OSPF protocol on your router. Use the Lab 1 network diagram to identify which interfaces belong to which OSPF areas. Your router is the OSPF area border router (ABR).

lab@tokyo> edit
Entering configuration mode

[edit]
lab@tokyo# edit protocols

[edit protocols]
lab@tokyo# set ospf area 0 interface se-1/0/1.602

[edit protocols]
lab@tokyo# set ospf area 0 interface lo0

[edit protocols]
lab@tokyo# set ospf area 1 interface ge-0/0/3.100

[edit protocols]
lab@tokyo# set ospf area 11 interface ge-0/0/3.200

[edit protocols]
lab@tokyo# show
ospf {
    area {
        interface se-1/0/1.602;
        interface lo0.0;
    }
    area {
        interface ge-0/0/3.100;
    }
    area {
        interface ge-0/0/3.200;
    }
}

[edit protocols]
lab@tokyo#

Step 4.8

Commit the configuration changes in your router.

[edit protocols]
lab@tokyo# commit and-quit
commit complete
Exiting configuration mode

lab@tokyo>

Step 4.9

Check the OSPF neighbor status from your router. If the status of the OSPF neighbors is not showing as Full, fix the problem.

lab@tokyo> show ospf neighbor
Address          Interface              State     ID               Pri  Dead
                 se-1/0/1.602           Full
                 ge-0/0/3.100           Full
                 ge-0/0/3.200           Full

Question: How many OSPF neighbors do you see?

Answer: You should see three OSPF neighbors.

Step 4.10

Check the routing table on your router.

lab@tokyo> show route table inet.0

inet.0: 17 destinations, 18 routes (17 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

/28    *[Direct/0] 6d 00:53:33
        > via ge-0/0/
/32    *[Local/0] 6d 00:53:35
        Local via ge-0/0/
/24    *[Direct/0] 1d 00:58:12
        > via ge-0/0/
/32    *[Local/0] 1d 00:58:12
        Local via ge-0/0/
/24    *[OSPF/10] 00:03:05, metric 13
        > via se-1/0/
/24    *[Direct/0] 1d 00:58:12
        > via ge-0/0/
/32    *[Local/0] 1d 00:58:12
        Local via ge-0/0/
/24    *[OSPF/10] 00:02:50, metric 13
        > via se-1/0/
/30    *[Direct/0] 1d 00:55:24
        > via se-1/0/1.602
        [OSPF/10] 00:07:50, metric 12
        > via se-1/0/
/32    *[Local/0] 1d 00:58:12
        Local via se-1/0/
/32    *[Direct/0] 1d 00:58:12
        > via lo
/32    *[OSPF/10] 00:07:40, metric 1
        > to via ge-0/0/
/32    *[OSPF/10] 00:03:05, metric 12
        > via se-1/0/
/32    *[OSPF/10] 00:02:50, metric 13
        > via se-1/0/
/32    *[OSPF/10] 00:07:40, metric 1
        > to via ge-0/0/
/32    *[OSPF/10] 00:02:50, metric 13
        > via se-1/0/1.602

/32    *[OSPF/10] 00:07:55, metric 1
        MultiRecv

Step 4.11

Test IP connectivity. Issue a ping from the lo0 interface of your router to the lo0 interface of your peer router across the Internet.

Question: Is the ping successful?

Answer: Yes, the ping should be successful.

Step 4.12

Issue a ping from your LAN interface's IP address to one of the LAN sites of your peer router.

lab@tokyo> ping source
PING ( ): 56 data bytes
64 bytes from : icmp_seq=0 ttl=65 time=3.614 ms
64 bytes from : icmp_seq=1 ttl=65 time=4.186 ms
64 bytes from : icmp_seq=2 ttl=65 time=3.440 ms
64 bytes from : icmp_seq=3 ttl=65 time=4.139 ms
^C
--- ping statistics ---
packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.440/3.845/4.186/0.324 ms

lab@tokyo> ping source
PING ( ): 56 data bytes
64 bytes from : icmp_seq=0 ttl=64 time=4.036 ms
64 bytes from : icmp_seq=1 ttl=64 time=2.118 ms
64 bytes from : icm^c
--- ping statistics ---
packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.118/2.833/4.036/0.855 ms
lab@tokyo>

Part 5: Establish Hosts Within Each Site and Summarize the Advertisement of Their Prefixes Across the Internet

In this part of the lab you will configure local hosts within the XX-VR and XX-VR2 sites. You will emulate the existence of these hosts by assigning additional addresses to the lo0.tyx interface, where tyx is the lo0 logical interface belonging to either the XX-VR or XX-VR2 router. Next, you will ensure that only a /24 prefix for the hosts is advertised across the Internet. Refer to the static routes and hosts table on the Lab 1 diagram for your group letter (A, B, C, or D).
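Steps 4.9 to 4.11 above are verified by eye: three neighbors in Full, and the peer's lo0 /32 present in inet.0 as an OSPF route before the ping is attempted. The script below is an added example, not part of the lab guide or Juniper's software: it parses captured show ospf neighbor and show route table inet.0 text and answers both questions programmatically, so the same check can be run after every commit. The sample outputs are constructed in the format the lab shows, with documentation-range addresses in place of the lab's, and one neighbor is left in ExStart on purpose so the failing case is exercised.

```python
"""Check OSPF adjacency state and route learning from captured JUNOS CLI output."""
import re

# Constructed sample modelled on the lab's "show ospf neighbor" output (Step 4.9).
# The ge-0/0/3.200 neighbour is deliberately stuck in ExStart for the demonstration.
SHOW_OSPF_NEIGHBOR = """\
Address          Interface              State     ID               Pri  Dead
192.0.2.2        se-1/0/1.602           Full      192.0.2.2        128    35
198.51.100.2     ge-0/0/3.100           Full      10.255.0.100     128    39
198.51.100.66    ge-0/0/3.200           ExStart   10.255.0.200     128    31
"""

# Constructed sample modelled on "show route table inet.0" (Step 4.10); addresses are placeholders.
SHOW_ROUTE = """\
inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.0.2.0/30       *[Direct/0] 1d 00:55:24
                    > via se-1/0/1.602
192.0.2.2/32       *[OSPF/10] 00:07:40, metric 12
                    > via se-1/0/1.602
10.255.0.100/32    *[OSPF/10] 00:07:40, metric 1
                    > to 198.51.100.2 via ge-0/0/3.100
203.0.113.0/24     *[OSPF/10] 00:02:50, metric 13
                    > via se-1/0/1.602
10.255.0.1/32      *[Direct/0] 1d 00:58:12
                    > via lo0.0
"""


def parse_ospf_neighbors(text):
    """One dict per neighbour row; the first line is the column header and is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 6:
            continue
        rows.append({"address": parts[0], "interface": parts[1],
                     "state": parts[2], "router_id": parts[3]})
    return rows


def neighbors_not_full(text):
    """Interfaces whose adjacency has not reached Full; Step 4.9 says to fix these first."""
    return [n["interface"] for n in parse_ospf_neighbors(text) if n["state"] != "Full"]


# A route line starts with the prefix, then an optional '*' and the [protocol/preference] tag.
ROUTE_RE = re.compile(r"^(\S+/\d+)\s+\*?\[(\w+)/(\d+)\]")


def parse_routes(text):
    """Map each prefix in the table to (protocol, preference)."""
    routes = {}
    for line in text.splitlines():
        match = ROUTE_RE.match(line)
        if match:
            routes[match.group(1)] = (match.group(2), int(match.group(3)))
    return routes


def learned_via_ospf(text, prefix):
    """True when the prefix is present and was installed by OSPF (what Step 4.11's ping relies on)."""
    return parse_routes(text).get(prefix, (None, None))[0] == "OSPF"


if __name__ == "__main__":
    print("neighbours seen:", len(parse_ospf_neighbors(SHOW_OSPF_NEIGHBOR)))
    print("not Full:", neighbors_not_full(SHOW_OSPF_NEIGHBOR))
    print("peer lo0 learned via OSPF:", learned_via_ospf(SHOW_ROUTE, "192.0.2.2/32"))
```

On real output, feed the functions the text of the two commands captured from the router; an empty list from neighbors_not_full and a True from learned_via_ospf for the peer's loopback together reproduce the "three neighbors" and "ping should be successful" answers in the guide.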

Step 5.1

From your router, use Telnet to access the XX-VR router of your city region. (Recall that XX are the first two letters of your city name. For example, TO-VR is the router name attached to Tokyo. The login name is your router name, router-vr, where router is in lower case letters, and the password is lab123.)

lab@tokyo> telnet
Trying
Connected to
Escape character is '^]'.

Sydney (ttyp0)

login: tokyo-vr
Password:

--- JUNOS 9.0R1.10 built :13:25 UTC

NOTE: This router is divided into many virtual routers used by different teams. Please only configure your own virtual router. You must use 'configure private' to configure this router.

Step 5.2

Define local hosts belonging to the predefined LAN by assigning host IP addresses to the lo0 interface of your router, as identified in the table on the Lab 1 diagram for your group letter (A, B, C, or D).

tokyo-vr@sydney> configure private
warning: uncommitted changes will be discarded on exit
Entering configuration mode

[edit]
tokyo-vr@sydney# edit interfaces lo0 unit 100

[edit interfaces lo0 unit 100]
tokyo-vr@sydney# set family inet address

[edit interfaces lo0 unit 100]
tokyo-vr@sydney# set family inet address

[edit interfaces lo0 unit 100]
tokyo-vr@sydney# set family inet address

[edit interfaces lo0 unit 100]
tokyo-vr@sydney# show
description "TO-VR loopback";
family inet {
    address /32;
    address /32;
    address /32;
    address /32;
}

[edit interfaces lo0 unit 100]
tokyo-vr@sydney#

Step 5.3
Commit the changes.

[edit interfaces lo0 unit 100]
tokyo-vr@sydney# top

[edit]
tokyo-vr@sydney# commit
commit complete

[edit]
tokyo-vr@sydney#

Step 5.4
Close the Telnet session with the XX-VR router. Now use Telnet to access the XX-VR2 router of your city region. (Recall that XX are the first two letters of your city name. For example, TO-VR2 is the router name attached to Tokyo. The login name is your router name, router-vr2, where router is in lower case letters, and the password is lab123.)

[edit]
tokyo-vr@sydney# exit
Exiting configuration mode

tokyo-vr@sydney> exit
Connection closed by foreign host.

lab@tokyo> telnet
Trying ...
Connected to .
Escape character is '^]'.

Sydney (ttyp0)

login: tokyo-vr2
Password:

--- JUNOS 9.0R1.10 built :13:25 UTC

NOTE: This router is divided into many virtual routers used by different teams. Please only configure your own virtual router. You must use 'configure private' to configure this router.

Step 5.5
Define local hosts belonging to the predefined LAN by assigning host IP addresses to the lo0 interface of your router, as identified in the table on the Lab 1 diagram for your group letter (A, B, C, or D).

tokyo-vr2@sydney> configure private
warning: uncommitted changes will be discarded on exit
Entering configuration mode

[edit]
tokyo-vr2@sydney# edit interfaces lo0 unit 200

[edit interfaces lo0 unit 200]
tokyo-vr2@sydney# set family inet address

[edit interfaces lo0 unit 200]
tokyo-vr2@sydney# set family inet address

[edit interfaces lo0 unit 200]
tokyo-vr2@sydney# set family inet address

[edit interfaces lo0 unit 200]
tokyo-vr2@sydney# show
description "TO-VR2 loopback";
family inet {
    address /32;
    address /32;
    address /32;
    address /32;
}

[edit interfaces lo0 unit 200]
tokyo-vr2@sydney#

Step 5.6
Commit the changes and log out from the XX-VR2 router.

[edit interfaces lo0 unit 200]
tokyo-vr2@sydney# top

[edit]
tokyo-vr2@sydney# commit
commit complete

[edit]
tokyo-vr2@sydney# exit
Exiting configuration mode

tokyo-vr2@sydney> exit
Connection closed by foreign host.

lab@tokyo>

Step 5.7
Check the routing tables in your router. Specifically, ensure that your router is receiving all the host routes that you just defined.

lab@tokyo> show route 10.10/16

inet.0: 29 destinations, 30 routes (29 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

/32   *[OSPF/10] 17:22:31, metric 1
      > to via ge-0/0/
/32   *[OSPF/10] 17:22:31, metric 1
      > to via ge-0/0/
/32   *[OSPF/10] 17:22:31, metric 1
      > to via ge-0/0/
/32   *[OSPF/10] 17:22:37, metric 13
      > via se-1/0/
/32   *[OSPF/10] 17:22:37, metric 13
      > via se-1/0/
/32   *[OSPF/10] 17:22:37, metric 13
      > via se-1/0/
/32   *[OSPF/10] 17:22:26, metric 1
      > to via ge-0/0/
/32   *[OSPF/10] 17:22:26, metric 1
      > to via ge-0/0/
/32   *[OSPF/10] 17:22:26, metric 1
      > to via ge-0/0/
/32   *[OSPF/10] 17:22:37, metric 13
      > via se-1/0/
/32   *[OSPF/10] 17:22:37, metric 13
      > via se-1/0/
/32   *[OSPF/10] 17:22:37, metric 13
      > via se-1/0/1.602

lab@tokyo>

Question: How many routes belonging to the prefix 10.10/16 exist?

Answer: There are 12 routes that belong to the prefix 10.10/16: three host routes for each of the four routers in the group.

Step 5.8
Summarize the host routes, ensuring that only /24 prefixes are advertised across the Internet for each of the sites.

Question: What router(s) must perform the summary function required in this step?

Answer: The route summarization must be defined at the ABR routers.

lab@tokyo> edit
Entering configuration mode

[edit]
lab@tokyo# edit protocols ospf

[edit protocols ospf]
lab@tokyo# set area 1 area-range /24

[edit protocols ospf]
lab@tokyo# set area 11 area-range /24

[edit protocols ospf]
lab@tokyo# show
area {
    interface se-1/0/1.602;
    interface lo0.0;
}
area {
    area-range /24;
    interface ge-0/0/3.100;
}
area {
    area-range /24;
    interface ge-0/0/3.200;
}

[edit protocols ospf]
lab@tokyo#

Step 5.9
Commit the changes.

[edit protocols ospf]
lab@tokyo# commit
commit complete

[edit protocols ospf]
lab@tokyo# exit

[edit]
lab@tokyo# exit
Exiting configuration mode

lab@tokyo>
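The following is an added example and not part of the lab guide: a small Python model of what the area-range configured above does to the ABR's own routing table and to what it advertises to its peer. It also covers the case the lab does not show, a host route that falls outside every area-range and is therefore still advertised on its own. The addresses, area labels and the two peer summaries are constructed placeholders (the lab diagram's real host table is not reproduced on this page); the behaviour modelled is the standard OSPF area-range behaviour of summarizing at the ABR and installing a Discard route for each active range.

```python
"""Added example (not from the lab guide): a small model of how OSPF area-range
summarization changes what an ABR advertises and what it keeps in its own
routing table. Addresses below are constructed placeholders, not the lab's."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample data standing in for the Lab 1 host table.
LOCAL_HOSTS: Dict[str, List[str]] = {
    "area-vr": ["10.10.1.1/32", "10.10.1.2/32", "10.10.1.3/32"],   # XX-VR site
    "area-vr2": ["10.10.2.1/32", "10.10.2.2/32", "10.10.2.3/32"],  # XX-VR2 site
}
AREA_RANGES: Dict[str, List[str]] = {
    "area-vr": ["10.10.1.0/24"],
    "area-vr2": ["10.10.2.0/24"],
}
# /24 summaries learned from the peer ABR across the backbone.
PEER_SUMMARIES: List[str] = ["10.10.3.0/24", "10.10.4.0/24"]


def abr_advertisements(hosts: List[str], ranges: List[str]):
    """What one non-backbone area contributes to the ABR's area 0 advertisements.

    A host route covered by an area-range is replaced by that range (advertised
    once, and only while at least one contributing route is active); a host
    route covered by no range is still advertised on its own, i.e. it leaks.
    Returns (summaries, leaked) as lists of ip_network objects.
    """
    nets = [ipaddress.ip_network(r) for r in ranges]
    summaries, leaked = [], []
    for h in hosts:
        hn = ipaddress.ip_network(h)
        covering = [n for n in nets if hn.subnet_of(n)]
        if not covering:
            leaked.append(hn)
        elif covering[0] not in summaries:
            summaries.append(covering[0])
    return summaries, leaked


def advertised_to_peer(local_hosts, area_ranges) -> List[str]:
    """Prefixes the peer ABR learns from this router: summaries plus any leaks."""
    out: List[str] = []
    for area, hosts in local_hosts.items():
        summaries, leaked = abr_advertisements(hosts, area_ranges.get(area, []))
        out += [str(n) for n in summaries + leaked]
    return out


def local_routing_table(local_hosts, area_ranges, peer_summaries) -> List[Tuple[str, str]]:
    """Entries for the summarized space that the ABR itself holds:
      - every local /32 (intra-area routes are not summarized away locally),
      - one Discard route per active area-range (so packets for unused
        addresses inside the range are dropped instead of looping),
      - the summaries learned from the peer ABR.
    """
    table: List[Tuple[str, str]] = []
    for area, hosts in local_hosts.items():
        summaries, _ = abr_advertisements(hosts, area_ranges.get(area, []))
        table += [(h, "intra-area") for h in hosts]
        table += [(str(s), "Discard") for s in summaries]
    table += [(p, "inter-area via peer") for p in peer_summaries]
    return table


if __name__ == "__main__":
    print("advertised before summarization:", advertised_to_peer(LOCAL_HOSTS, {}))
    print("advertised after summarization: ", advertised_to_peer(LOCAL_HOSTS, AREA_RANGES))
    for prefix, how in local_routing_table(LOCAL_HOSTS, AREA_RANGES, PEER_SUMMARIES):
        print(f"{prefix:18} {how}")
```

With both peers summarizing, the model reproduces the counts the lab asks for: six /32 routes advertised to the peer before Step 5.8, two /24 routes after it, and a local table of ten entries (six local /32s, two Discard routes, two peer summaries). The leak check in abr_advertisements is the part worth keeping: a host assigned outside its site's range silently bypasses the summary and shows up across the Internet as a /32.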

Step 5.10
Check the routing table of your router.

lab@tokyo> show route 10.10/16

inet.0: 27 destinations, 28 routes (27 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

/24   *[OSPF/10] 00:00:25, metric
        Discard
/32   *[OSPF/10] 17:26:25, metric 1
      > to via ge-0/0/
/32   *[OSPF/10] 17:26:25, metric 1
      > to via ge-0/0/
/32   *[OSPF/10] 17:26:25, metric 1
      > to via ge-0/0/
/24   *[OSPF/10] 00:01:07, metric 13
      > via se-1/0/
/24   *[OSPF/10] 00:00:25, metric
        Discard
/32   *[OSPF/10] 17:26:20, metric 1
      > to via ge-0/0/
/32   *[OSPF/10] 17:26:20, metric 1
      > to via ge-0/0/
/32   *[OSPF/10] 17:26:20, metric 1
      > to via ge-0/0/
/24   *[OSPF/10] 00:01:07, metric 13
      > via se-1/0/1.602

lab@tokyo>

Question: How many routes of the 10.10/16 prefix are you seeing from your peer router?

Answer: In total there are ten 10.10/16 prefixes: six for the local sites, two /24 summaries from the peer router, and two summary routes generated internally.

Step 5.11
Check connectivity by logging in to the XX-VR or XX-VR2 router and initiating a ping from one of the local host IP addresses, which was configured during this lab, to a local host IP address of the peer site across the Internet. If there is a problem, troubleshoot it with the help of traceroute and various show commands.

lab@tokyo> telnet
Trying ...
Connected to .
Escape character is '^]'.

Sydney (ttyp0)

login: tokyo-vr
Password:

--- JUNOS 9.0R1.10 built :13:25 UTC

NOTE: This router is divided into many virtual routers used by different teams. Please only configure your own virtual router. You must use 'configure private' to configure this router.

tokyo-vr@sydney> ping routing-instance TO-VR source
PING ( ): 56 data bytes
64 bytes from : icmp_seq=0 ttl=62 time=6.717 ms
64 bytes from : icmp_seq=1 ttl=62 time=5.440 ms
64 bytes from : icmp_seq=2 ttl=62 time=7.935 ms
64 bytes from : icmp_seq=3 ttl=62 time=5.141 ms
^C
--- ping statistics ---
packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 5.141/6.308/7.935/1.110 ms

tokyo-vr@sydney> traceroute routing-instance TO-VR source
traceroute to ( ) from , 30 hops max, 40 byte packets
  ( )  ms  ms  ms
  ( )  ms  ms  ms
  ( )  ms  ms  ms

tokyo-vr@sydney>

STOP
Tell your instructor that you have completed Lab 1.

Lab 2
Security Policies (Detailed)

Overview

In this lab you will establish security zones and security policies as identified in the network diagram for Lab 2. Within the security policies you will enable specific services and the protocols necessary to maintain the IP connectivity established in Lab 1. You will test and monitor the functionality of your configuration using the JUNOS command-line interface (CLI).

The lab is available in two formats: a high-level format that is designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands.

By completing this lab, you will perform the following tasks:

    Configure security zones for your network.
    Implement security policies to enable communications between the security zones.
    Monitor security zone operation.

Similar to the previous lab, this lab requires the use of the Sydney router, which is logically segmented into several virtual routers. Each student router connects to two virtual routers in the form of XX-VR and XX-VR2, where XX is a two-letter abbreviation for the directly connected student router. Sydney also acts as the service provider, which provides Frame Relay services between sites.

Security Policies (Detailed) Lab a.9.0R1

Key Commands

Key operational-mode commands used in this lab include the following:

    configure
    ping
    show interfaces terse
    show route table
    show security flow
    show security policies
    show security zones
    traceroute

Part 1: Interface Assignment to Security Zones

In this part each team will assign the router's interfaces to the appropriate security zones, as identified in the Lab 2 network diagram for your group letter (A, B, C, or D).

Step 1.1
Log in to the router with the username lab and the password lab123. Note that the username and the password are case sensitive.

Tokyo (ttyd0)

login: lab
Password:

--- JUNOS 9.0R1.10 built :14:18 UTC

lab@tokyo>

Step 1.2
Delete the security zone called trust and the security policies. Note that the trust zone was preconfigured in the initial setup. Now that you have established Layer 3 connectivity, you must eliminate the trust zone and establish other security zones, as defined in this lab.

lab@tokyo> edit
Entering configuration mode

[edit]
lab@tokyo# show security
zones {
    security-zone trust {
        interfaces {
            all {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
            }
        }
    }
}

policies {
    from-zone trust to-zone trust {
        policy trust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
}

[edit]
lab@tokyo# delete security

[edit]
lab@tokyo# show security

[edit]
lab@tokyo#

Step 1.3
Configure the functional management zone and assign the interface ge-0/0/0.0 to it. Ensure that all system services and protocols are allowed for the ge-0/0/0.0 interface.

[edit]
lab@tokyo# edit security zones functional-zone management

[edit security zones functional-zone management]
lab@tokyo# set interfaces ge-0/0/0.0 host-inbound-traffic system-services all

[edit security zones functional-zone management]
lab@tokyo# set interfaces ge-0/0/0.0 host-inbound-traffic protocols all

[edit security zones functional-zone management]
lab@tokyo# show
interfaces {
    ge-0/0/0.0 {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
    }
}

[edit security zones functional-zone management]
lab@tokyo# top

Step 1.4
Assign interfaces to the security zones, as identified in the Lab 2 network diagram for your group letter (A, B, C, or D). In total, there are the following five security zones:

    Public zone: Across the Internet between the two peer routers;
    Retail and Admin zones: Local to the left peer router; and
    HR and Finance zones: Local to the right peer router.

Note: Zone names are case sensitive.

Use the following table to ensure correct assignment of interfaces and zones on your router.

Zone Assignment

Group   Router name   Interface       Security Zone
A       Tokyo         lo0             Public
                      se-1/0/1.602    Public
                      ge-0/0/3.100    Retail
                      ge-0/0/3.200    Admin
        London        lo0             Public
                      se-1/0/0.603    Public
                      ge-0/0/3.101    HR
                      ge-0/0/3.201    Finance
B       San Jose      lo0             Public
                      se-1/0/1.606    Public
                      ge-0/0/3.105    Retail
                      ge-0/0/3.205    Admin
        Hong Kong     lo0             Public
                      se-1/0/0.601    Public
                      ge-0/0/3.102    HR
                      ge-0/0/3.202    Finance

Zone Assignment (continued)

Group   Router name   Interface       Security Zone
C       Denver        lo0             Public
                      se-1/0/1.607    Public
                      ge-0/0/3.106    Retail
                      ge-0/0/3.206    Admin
        Sao Paulo     lo0             Public
                      se-1/0/0.608    Public
                      ge-0/0/3.103    HR
                      ge-0/0/3.203    Finance
D       Montreal      lo0             Public
                      se-1/0/1.605    Public
                      ge-0/0/3.107    Retail
                      ge-0/0/3.207    Admin
        Amsterdam     lo0             Public
                      se-1/0/0.604    Public
                      ge-0/0/3.104    HR
                      ge-0/0/3.204    Finance

[edit]
lab@tokyo# edit security zones

[edit security zones]
lab@tokyo# set security-zone Public interfaces lo0

[edit security zones]
lab@tokyo# set security-zone Public interfaces se-1/0/1.602

[edit security zones]
lab@tokyo# set security-zone Retail interfaces ge-0/0/3.100

[edit security zones]
lab@tokyo# set security-zone Admin interfaces ge-0/0/3.200

[edit security zones]
lab@tokyo# show
functional-zone management {
    interfaces {
        ge-0/0/0.0 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {

                    all;
                }
            }
        }
    }
}
security-zone Public {
    interfaces {
        lo0.0;
        se-1/0/1.602;
    }
}
security-zone Retail {
    interfaces {
        ge-0/0/3.100;
    }
}
security-zone Admin {
    interfaces {
        ge-0/0/3.200;
    }
}

[edit security zones]
lab@tokyo#

Step 1.5
Commit the changes.

[edit security zones]
lab@tokyo# commit
commit complete

[edit security zones]
lab@tokyo# exit

[edit]
lab@tokyo# exit
Exiting configuration mode

lab@tokyo>

Step 1.6
Check IP connectivity on your router. You can test the connectivity by pinging the lo0 interface of your peer router.

lab@tokyo> ping
PING ( ): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
^C
--- ping statistics ---
packets transmitted, 0 packets received, 100% packet loss

lab@tokyo>

Question: Is the ping successful? Why or why not?

Answer: The ping is not successful because there is no route to the destination address.

Step 1.7
Check the OSPF neighbors from your router's perspective.

lab@tokyo> show ospf neighbor

lab@tokyo> show ospf interface
Interface           State   Area            DR ID           BDR ID          Nbrs
lo0.0               DR
se-1/0/1.602        PtToPt
ge-0/0/3.100        DR
ge-0/0/3.200        DR

lab@tokyo>

Question: Does your router see the OSPF neighbors? Why?

Answer: The router does not see any OSPF neighbors because the newly configured security zones are not permitting any traffic into the router, including OSPF traffic.

Step 1.8
Permit the OSPF routing protocol into all security zones of your router.

lab@tokyo> edit
Entering configuration mode

[edit]
lab@tokyo# edit security zones

[edit security zones]
lab@tokyo# set security-zone Public host-inbound-traffic protocols ospf

[edit security zones]
lab@tokyo# set security-zone Retail host-inbound-traffic protocols ospf

[edit security zones]
lab@tokyo# set security-zone Admin host-inbound-traffic protocols ospf

[edit security zones]

lab@tokyo# show
functional-zone management {
    interfaces {
        ge-0/0/0.0 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
    }
}
security-zone Public {
    host-inbound-traffic {
        protocols {
            ospf;
        }
    }
    interfaces {
        lo0.0;
        se-1/0/1.602;
    }
}
security-zone Retail {
    host-inbound-traffic {
        protocols {
            ospf;
        }
    }
    interfaces {
        ge-0/0/3.100;
    }
}
security-zone Admin {
    host-inbound-traffic {
        protocols {
            ospf;
        }
    }
    interfaces {
        ge-0/0/3.200;
    }
}

[edit security zones]
lab@tokyo#

Step 1.9
Commit the configuration. Then check the status of OSPF on your router.

[edit security zones]
lab@tokyo# commit
commit complete

[edit security zones]
lab@tokyo# run show ospf interface
Interface           State   Area            DR ID           BDR ID          Nbrs
lo0.0               DR
se-1/0/1.602        PtToPt
ge-0/0/3.100        DR
ge-0/0/3.200        DR

[edit security zones]
lab@tokyo# run show ospf neighbor
Address         Interface       State   ID              Pri   Dead
                se-1/0/1.602    Full
                ge-0/0/3.100    Full
                ge-0/0/3.200    Full

[edit security zones]
lab@tokyo#

Question: Does OSPF on your router see the neighbors? Why or why not?

Answer: Now the router sees the OSPF neighbors because their packets are allowed into the router.

Step 1.10
Check the status of the 10.10/16 networks in the routing table of your router.

[edit security zones]
lab@tokyo# run show route 10.10/16

inet.0: 27 destinations, 28 routes (27 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

/24   *[OSPF/10] 00:17:37, metric
        Discard
/32   *[OSPF/10] 00:17:37, metric 1
      > to via ge-0/0/
/32   *[OSPF/10] 00:17:37, metric 1
      > to via ge-0/0/
/32   *[OSPF/10] 00:17:37, metric 1
      > to via ge-0/0/
/24   *[OSPF/10] 00:17:38, metric 13
      > via se-1/0/
/24   *[OSPF/10] 00:17:32, metric
        Discard
/32   *[OSPF/10] 00:17:32, metric 1

      > to via ge-0/0/
/32   *[OSPF/10] 00:17:32, metric 1
      > to via ge-0/0/
/32   *[OSPF/10] 00:17:32, metric 1
      > to via ge-0/0/
/24   *[OSPF/10] 00:17:31, metric 13
      > via se-1/0/1.602

[edit security zones]
lab@tokyo#

Question: How many routes with the 10.10/16 prefix are in the routing table? Is this correct?

Answer: There are ten prefixes belonging to the 10.10/16 address space, which is the correct number of routes.

Part 2: Building Address Books for Each Security Zone

In this part of the lab you will build the address books for the security zones on the LAN side of your router. The address books must include the IP addresses of the hosts in each security zone, as defined in the Lab 2 network diagram for your group letter (A, B, C, or D).

Step 2.1
Using the table of hosts defined on the network diagram for Lab 2, configure the address book for the Retail, Admin, HR, and Finance security zones. Use the following naming convention for the address sets: XX-VRhosts and XX-VR2hosts, where XX is the two-letter abbreviation for your city name. For example, the address set names for Tokyo are TO-VRhosts and TO-VR2hosts. The following example illustrates the configuration for the Tokyo router, which includes the address book configurations for the Retail and Admin security zones.

Note: Address and address set names are case sensitive.

[edit security zones]
lab@tokyo# edit security-zone Retail

[edit security zones security-zone Retail]
lab@tokyo# set address-book address TO-VRhost

[edit security zones security-zone Retail]
lab@tokyo# set address-book address TO-VRhost

[edit security zones security-zone Retail]
lab@tokyo# set address-book address TO-VRhost

[edit security zones security-zone Retail]
lab@tokyo# set address-book address-set TO-VRhosts address TO-VRhost1

[edit security zones security-zone Retail]
lab@tokyo# set address-book address-set TO-VRhosts address TO-VRhost2

[edit security zones security-zone Retail]
lab@tokyo# set address-book address-set TO-VRhosts address TO-VRhost3

[edit security zones security-zone Retail]
lab@tokyo# show
address-book {
    address TO-VRhost /32;
    address TO-VRhost /32;
    address TO-VRhost /32;
    address-set TO-VRhosts {
        address TO-VRhost1;
        address TO-VRhost2;
        address TO-VRhost3;
    }
}

[edit security zones security-zone Retail]
lab@tokyo# up

[edit security zones]
lab@tokyo# edit security-zone Admin

[edit security zones security-zone Admin]
lab@tokyo# set address-book address TO-VR2host

[edit security zones security-zone Admin]
lab@tokyo# set address-book address TO-VR2host

[edit security zones security-zone Admin]
lab@tokyo# set address-book address TO-VR2host

[edit security zones security-zone Admin]
lab@tokyo# set address-book address-set TO-VR2hosts address TO-VR2host1

[edit security zones security-zone Admin]
lab@tokyo# set address-book address-set TO-VR2hosts address TO-VR2host2

[edit security zones security-zone Admin]
lab@tokyo# set address-book address-set TO-VR2hosts address TO-VR2host3

[edit security zones security-zone Admin]
lab@tokyo# show
address-book {
    address TO-VR2host /32;
    address TO-VR2host /32;
    address TO-VR2host /32;
    address-set TO-VR2hosts {
        address TO-VR2host1;

        address TO-VR2host2;
        address TO-VR2host3;
    }
}

[edit security zones security-zone Admin]
lab@tokyo#

Step 2.2
Configure the address book for the Public zone. Ensure that it contains four address sets, one for the hosts of each of the Retail, Admin, HR, and Finance zones.

[edit security zones security-zone Admin]
lab@tokyo# up

[edit security zones]
lab@tokyo# edit security-zone Public

[edit security zones security-zone Public]
lab@tokyo# set address-book address TO-VRhost

[edit security zones security-zone Public]
lab@tokyo# set address-book address TO-VRhost

[edit security zones security-zone Public]
lab@tokyo# set address-book address TO-VRhost

[edit security zones security-zone Public]
lab@tokyo# set address-book address-set TO-VRhosts address TO-VRhost1

[edit security zones security-zone Public]
lab@tokyo# set address-book address-set TO-VRhosts address TO-VRhost2

[edit security zones security-zone Public]
lab@tokyo# set address-book address-set TO-VRhosts address TO-VRhost3

[edit security zones security-zone Public]
lab@tokyo# set address-book address TO-VR2host

[edit security zones security-zone Public]
lab@tokyo# set address-book address TO-VR2host

[edit security zones security-zone Public]
lab@tokyo# set address-book address TO-VR2host

[edit security zones security-zone Public]
lab@tokyo# set address-book address-set TO-VR2hosts address TO-VR2host1

[edit security zones security-zone Public]
lab@tokyo# set address-book address-set TO-VR2hosts address TO-VR2host2

[edit security zones security-zone Public]
lab@tokyo# set address-book address-set TO-VR2hosts address TO-VR2host3

[edit security zones security-zone Public]

lab@tokyo# set address-book address LO-VRhost

[edit security zones security-zone Public]
lab@tokyo# set address-book address LO-VRhost

[edit security zones security-zone Public]
lab@tokyo# set address-book address LO-VRhost

[edit security zones security-zone Public]
lab@tokyo# set address-book address-set LO-VRhosts address LO-VRhost1

[edit security zones security-zone Public]
lab@tokyo# set address-book address-set LO-VRhosts address LO-VRhost2

[edit security zones security-zone Public]
lab@tokyo# set address-book address-set LO-VRhosts address LO-VRhost3

[edit security zones security-zone Public]
lab@tokyo# set address-book address LO-VR2host

[edit security zones security-zone Public]
lab@tokyo# set address-book address LO-VR2host

[edit security zones security-zone Public]
lab@tokyo# set address-book address LO-VR2host

[edit security zones security-zone Public]
lab@tokyo# set address-book address-set LO-VR2hosts address LO-VR2host1

[edit security zones security-zone Public]
lab@tokyo# set address-book address-set LO-VR2hosts address LO-VR2host2

[edit security zones security-zone Public]
lab@tokyo# set address-book address-set LO-VR2hosts address LO-VR2host3

[edit security zones security-zone Public]
lab@tokyo# show
address-book {
    address TO-VRhost /32;
    address TO-VRhost /32;
    address TO-VRhost /32;
    address TO-VR2host /32;
    address TO-VR2host /32;
    address TO-VR2host /32;
    address LO-VRhost /32;
    address LO-VRhost /32;
    address LO-VRhost /32;
    address LO-VR2host /32;
    address LO-VR2host /32;
    address LO-VR2host /32;
    address-set TO-VRhosts {
        address TO-VRhost1;
        address TO-VRhost2;
        address TO-VRhost3;
    }

    address-set TO-VR2hosts {
        address TO-VR2host1;
        address TO-VR2host2;
        address TO-VR2host3;
    }
    address-set LO-VRhosts {
        address LO-VRhost1;
        address LO-VRhost2;
        address LO-VRhost3;
    }
    address-set LO-VR2hosts {
        address LO-VR2host1;
        address LO-VR2host2;
        address LO-VR2host3;
    }
}

[edit security zones security-zone Public]
lab@tokyo#

Step 2.3
Commit the changes.

[edit security zones security-zone Public]
lab@tokyo# commit and-quit
commit complete
Exiting configuration mode

lab@tokyo>

Part 3: Establishing and Configuring Security Policies

In this part of the lab you will establish and configure security policies that enable the necessary traffic flow between the security zones.

Step 3.1
Issue a ping from your router to one of the hosts connected to your router via the LAN.

lab@tokyo> ping
PING ( ): 56 data bytes
64 bytes from : icmp_seq=0 ttl=64 time=2.289 ms
64 bytes from : icmp_seq=1 ttl=64 time=2.379 ms
64 bytes from : icmp_seq=2 ttl=64 time=4.118 ms
^C
--- ping statistics ---
packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.289/2.929/4.118/0.842 ms

lab@tokyo>

Question: Is the ping successful? Why or why not?

Answer: Yes, the ping is successful. The source and the destination addresses of the ping belong to the interfaces of the same security zone. Although JUNOS software with enhanced services requires intrazone security policies for any intrazone traffic, the ping's echo-request packets resulted in session creation, allowing the echo-reply packets to come back to the router.

Step 3.2
Now, issue another ping across the Internet. For example, if you are in Group A, issue a ping from the Tokyo router to one of the host addresses behind the London router, for instance:

lab@tokyo> ping
PING ( ): 56 data bytes
^C
--- ping statistics ---
packets transmitted, 0 packets received, 100% packet loss

lab@tokyo>

Question: Is the ping successful? Why or why not?

Answer: The ping is not successful. The source address of the ping belongs to the interface of the Public zone. The destination address of the ping belongs to another security zone. Because the echo-request packet of the ping must traverse the peer router, a security policy is required to enable this type of traffic.

Step 3.3
Configure an application set called my-apps. You will specify the applications that will be permitted by the security policies, which you will define later in this lab. The applications include junos-http, junos-telnet, junos-ftp, and junos-ping.

lab@tokyo> edit
Entering configuration mode

[edit]
lab@tokyo# edit applications

[edit applications]
lab@tokyo# set application-set my-apps application junos-http

[edit applications]
lab@tokyo# set application-set my-apps application junos-telnet

[edit applications]
lab@tokyo# set application-set my-apps application junos-ftp

[edit applications]
lab@tokyo# set application-set my-apps application junos-ping

[edit applications]
lab@tokyo# show
application-set my-apps {
    application junos-http;
    application junos-telnet;
    application junos-ftp;
    application junos-ping;
}

[edit applications]
lab@tokyo#

Step 3.4
Configure security policies that permit the my-apps applications between the Retail and Admin security zones of your router. Ensure the ability of traffic to originate in both security zones. Name the policies RetailToAdmin and AdminToRetail.

[edit applications]
lab@tokyo# top

[edit]
lab@tokyo# edit security policies

[edit security policies]
lab@tokyo# edit from-zone Retail to-zone Admin

[edit security policies from-zone Retail to-zone Admin]
lab@tokyo# set policy RetailToAdmin match source-address TO-VRhosts

[edit security policies from-zone Retail to-zone Admin]
lab@tokyo# set policy RetailToAdmin match destination-address TO-VR2hosts

[edit security policies from-zone Retail to-zone Admin]
lab@tokyo# set policy RetailToAdmin match application my-apps

[edit security policies from-zone Retail to-zone Admin]
lab@tokyo# set policy RetailToAdmin then permit

[edit security policies from-zone Retail to-zone Admin]
lab@tokyo# show
policy RetailToAdmin {
    match {
        source-address TO-VRhosts;
        destination-address TO-VR2hosts;
        application my-apps;
    }
    then {
        permit;
    }
}

[edit security policies from-zone Retail to-zone Admin]
lab@tokyo# up

[edit security policies]
lab@tokyo# edit from-zone Admin to-zone Retail

[edit security policies from-zone Admin to-zone Retail]
lab@tokyo# set policy AdminToRetail match source-address TO-VR2hosts

[edit security policies from-zone Admin to-zone Retail]
lab@tokyo# set policy AdminToRetail match destination-address TO-VRhosts

[edit security policies from-zone Admin to-zone Retail]
lab@tokyo# set policy AdminToRetail match application my-apps

[edit security policies from-zone Admin to-zone Retail]
lab@tokyo# set policy AdminToRetail then permit

[edit security policies from-zone Admin to-zone Retail]
lab@tokyo# show
policy AdminToRetail {
    match {
        source-address TO-VR2hosts;
        destination-address TO-VRhosts;
        application my-apps;
    }
    then {
        permit;
    }
}

[edit security policies from-zone Admin to-zone Retail]
lab@tokyo#

Question: On which router must you perform the configuration?

Answer: You must perform the configuration on the router that is directly attached to the Retail and Admin security zones (Tokyo, San Jose, Denver, or Montreal).

Step 3.5
Configure security policies that permit the my-apps applications between the Retail and Finance security zones of your router. Because the Retail and Finance zones are separated by the Internet, you must reference the Public zone as either the source or the destination zone when configuring the security policies. Name the policies RetailToFinance and FinanceToRetail.

Here is the sample configuration for the Tokyo router:

[edit security policies from-zone Admin to-zone Retail]
lab@tokyo# up

[edit security policies]
lab@tokyo# edit from-zone Retail to-zone Public

[edit security policies from-zone Retail to-zone Public]
lab@tokyo# set policy RetailToFinance match source-address TO-VRhosts

[edit security policies from-zone Retail to-zone Public]
lab@tokyo# set policy RetailToFinance match destination-address LO-VR2hosts

[edit security policies from-zone Retail to-zone Public]
lab@tokyo# set policy RetailToFinance match application my-apps

[edit security policies from-zone Retail to-zone Public]
lab@tokyo# set policy RetailToFinance then permit

[edit security policies from-zone Retail to-zone Public]
lab@tokyo# show
policy RetailToFinance {
    match {
        source-address TO-VRhosts;
        destination-address LO-VR2hosts;
        application my-apps;
    }
    then {
        permit;
    }
}

[edit security policies from-zone Retail to-zone Public]
lab@tokyo# up

[edit security policies]
lab@tokyo# edit from-zone Public to-zone Retail

[edit security policies from-zone Public to-zone Retail]
lab@tokyo# set policy FinanceToRetail match source-address LO-VR2hosts

[edit security policies from-zone Public to-zone Retail]
lab@tokyo# set policy FinanceToRetail match destination-address TO-VRhosts

[edit security policies from-zone Public to-zone Retail]
lab@tokyo# set policy FinanceToRetail match application my-apps

[edit security policies from-zone Public to-zone Retail]
lab@tokyo# set policy FinanceToRetail then permit

[edit security policies from-zone Public to-zone Retail]
lab@tokyo# show
policy FinanceToRetail {

    match {
        source-address LO-VR2hosts;
        destination-address TO-VRhosts;
        application my-apps;
    }
    then {
        permit;
    }
}

[edit security policies from-zone Public to-zone Retail]
lab@tokyo#

Here is the sample configuration for the London router:

[edit]
lab@london# edit security policies

[edit security policies]
lab@london# edit from-zone Finance to-zone Public

[edit security policies from-zone Finance to-zone Public]
lab@london# set policy FinanceToRetail match source-address LO-VR2hosts

[edit security policies from-zone Finance to-zone Public]
lab@london# set policy FinanceToRetail match destination-address TO-VRhosts

[edit security policies from-zone Finance to-zone Public]
lab@london# set policy FinanceToRetail match application my-apps

[edit security policies from-zone Finance to-zone Public]
lab@london# set policy FinanceToRetail then permit

[edit security policies from-zone Finance to-zone Public]
lab@london# show
policy FinanceToRetail {
    match {
        source-address LO-VR2hosts;
        destination-address TO-VRhosts;
        application my-apps;
    }
    then {
        permit;
    }
}

[edit security policies from-zone Finance to-zone Public]
lab@london# up

[edit security policies]
lab@london# edit from-zone Public to-zone Finance

[edit security policies from-zone Public to-zone Finance]
lab@london# set policy RetailToFinance match source-address TO-VRhosts

[edit security policies from-zone Public to-zone Finance]
lab@london# set policy RetailToFinance match destination-address LO-VR2hosts

[edit security policies from-zone Public to-zone Finance]
lab@london# set policy RetailToFinance match application my-apps

[edit security policies from-zone Public to-zone Finance]
lab@london# set policy RetailToFinance then permit

[edit security policies from-zone Public to-zone Finance]
lab@london# show
policy RetailToFinance {
    match {
        source-address TO-VRhosts;
        destination-address LO-VR2hosts;
        application my-apps;
    }
    then {
        permit;
    }
}

[edit security policies from-zone Public to-zone Finance]
lab@london#

Step 3.6
Configure security policies that permit the my-apps applications between the Admin and HR security zones of your router. Because the Admin and HR zones are separated by the Internet, you must reference the Public zone as either the source or destination zone when configuring the security policies. Name the policies AdminToHR and HRtoAdmin.

Here is the sample configuration for the Tokyo router:

[edit security policies from-zone Public to-zone Retail]
lab@tokyo# up

[edit security policies]
lab@tokyo# edit from-zone Admin to-zone Public

[edit security policies from-zone Admin to-zone Public]
lab@tokyo# set policy AdminToHR match source-address TO-VR2hosts

[edit security policies from-zone Admin to-zone Public]
lab@tokyo# set policy AdminToHR match destination-address LO-VRhosts

[edit security policies from-zone Admin to-zone Public]
lab@tokyo# set policy AdminToHR match application my-apps

[edit security policies from-zone Admin to-zone Public]
lab@tokyo# set policy AdminToHR then permit

[edit security policies from-zone Admin to-zone Public]
lab@tokyo# show
policy AdminToHR {

    match {
        source-address TO-VR2hosts;
        destination-address LO-VRhosts;
        application my-apps;
    }
    then {
        permit;
    }
}

[edit security policies from-zone Admin to-zone Public]
lab@tokyo# up

[edit security policies]
lab@tokyo# edit from-zone Public to-zone Admin

[edit security policies from-zone Public to-zone Admin]
lab@tokyo# set policy HRtoAdmin match source-address LO-VRhosts

[edit security policies from-zone Public to-zone Admin]
lab@tokyo# set policy HRtoAdmin match destination-address TO-VR2hosts

[edit security policies from-zone Public to-zone Admin]
lab@tokyo# set policy HRtoAdmin match application my-apps

[edit security policies from-zone Public to-zone Admin]
lab@tokyo# set policy HRtoAdmin then permit

[edit security policies from-zone Public to-zone Admin]
lab@tokyo# show
policy HRtoAdmin {
    match {
        source-address LO-VRhosts;
        destination-address TO-VR2hosts;
        application my-apps;
    }
    then {
        permit;
    }
}

[edit security policies from-zone Public to-zone Admin]
lab@tokyo#

Here is the sample configuration for the London router:

[edit security policies from-zone Public to-zone Finance]
lab@london# up

[edit security policies]
lab@london# edit from-zone Public to-zone HR

[edit security policies from-zone Public to-zone HR]
lab@london# set policy AdminToHR match source-address TO-VR2hosts

[edit security policies from-zone Public to-zone HR]
lab@london# set policy AdminToHR match destination-address LO-VRhosts

[edit security policies from-zone Public to-zone HR]
lab@london# set policy AdminToHR match application my-apps

[edit security policies from-zone Public to-zone HR]
lab@london# set policy AdminToHR then permit

[edit security policies from-zone Public to-zone HR]
lab@london# show
policy AdminToHR {
    match {
        source-address TO-VR2hosts;
        destination-address LO-VRhosts;
        application my-apps;
    }
    then {
        permit;
    }
}

[edit security policies from-zone Public to-zone HR]
lab@london# up

[edit security policies]
lab@london# edit from-zone HR to-zone Public

[edit security policies from-zone HR to-zone Public]
lab@london# set policy HRtoAdmin match source-address LO-VRhosts

[edit security policies from-zone HR to-zone Public]
lab@london# set policy HRtoAdmin match destination-address TO-VR2hosts

[edit security policies from-zone HR to-zone Public]
lab@london# set policy HRtoAdmin match application my-apps

[edit security policies from-zone HR to-zone Public]
lab@london# set policy HRtoAdmin then permit

[edit security policies from-zone HR to-zone Public]
lab@london# show
policy HRtoAdmin {
    match {
        source-address LO-VRhosts;
        destination-address TO-VR2hosts;
        application my-apps;
    }
    then {
        permit;
    }
}

[edit security policies from-zone HR to-zone Public]
lab@london#

Step 3.7

Commit the changes.

[edit security policies from-zone Public to-zone Admin]
lab@tokyo# commit and-quit
commit complete
Exiting configuration mode

Part 4: Testing and Monitoring the Functionality of Security Zones

Step 4.1

In this part of the lab you will test and monitor the functionality of the security zones. Configure traceoptions within the security flow stanza, flagging basic-datapath and session. Use the file name lab2debug.

lab@tokyo> edit
Entering configuration mode

[edit]
lab@tokyo# edit security flow

[edit security flow]
lab@tokyo# set traceoptions flag session

[edit security flow]
lab@tokyo# set traceoptions flag basic-datapath

[edit security flow]
lab@tokyo# set traceoptions file lab2debug

[edit security flow]
lab@tokyo# show
traceoptions {
    file lab2debug;
    flag basic-datapath;
    flag session;
}

[edit security flow]
lab@tokyo#

Step 4.2

Commit the changes.

[edit security flow]
lab@tokyo# commit and-quit
commit complete
Exiting configuration mode

Step 4.3

From your router, use Telnet to access the XX-VR router of your city region. (Recall that XX is the first two letters of your city name; for example, TO-VR is the virtual router attached to Tokyo. The login name is router-vr, where router is your router name in lower-case letters, and the password is lab123.)

lab@tokyo> telnet
Trying
Connected to
Escape character is '^]'.

Sydney (ttyp0)

login: tokyo-vr
Password:

--- JUNOS 9.0R1.10 built :13:25 UTC

NOTE: This router is divided into many virtual routers used by different teams. Please only configure your own virtual router. You must use 'configure private' to configure this router.

Step 4.4

Note
This step should be performed by only one of the members of the group, because the other member of the group will be observing the results of flow debugging.

From the XX-VR router, issue a ping from one of the hosts located in the Retail zone to another host located in the Finance zone.

tokyo-vr@sydney> ping source routing-instance TO-VR
PING ( ): 56 data bytes
64 bytes from : icmp_seq=0 ttl=62 time=6.220 ms
64 bytes from : icmp_seq=1 ttl=62 time=4.395 ms
64 bytes from : icmp_seq=2 ttl=62 time=7.471 ms
64 bytes from : icmp_seq=3 ttl=62 time=7.191 ms
64 bytes from : icmp_seq=4 ttl=62 time=4.415 ms
^C

ping statistics
packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 4.395/5.938/7.471/1.319 ms
tokyo-vr@sydney>

Question: Is the ping successful? Why or why not?

Answer: The ping should be successful because the security policies permit pings from the Retail zone to the Finance zone through the Public zone.

Step 4.5

Now issue a ping from one of the hosts located in the Admin zone to another host located in the Finance zone.

tokyo-vr@sydney> ping source routing-instance TO-VR2
PING ( ): 56 data bytes
^C
ping statistics
packets transmitted, 0 packets received, 100% packet loss
tokyo-vr@sydney>

Question: Is the ping successful? Why or why not?

Answer: The ping should not be successful because no security policy permits pings from the Admin zone to the Finance zone. Recall that the default policy is to discard all traffic.

Step 4.6

Using the management interface ge-0/0/0.0, use Telnet to access the router that is performing the tests identified in Steps 4.4 and 4.5.

lab@london> telnet
Trying
Connected to
Escape character is '^]'.

Tokyo (ttyp0)

login: lab
Password:

--- JUNOS 9.0R1.10 built :14:18 UTC

lab@tokyo>

Step 4.7

Examine the sessions in progress.

lab@tokyo> show security flow session
Session ID: 7, Policy name: self-traffic-policy/1, Timeout: 58
  In: /1 --> /1;ospf, If: ge-0/0/3.100
  Out: /1 --> /1;ospf, If: .local..0
Session ID: 9, Policy name: self-traffic-policy/1, Timeout: 56
  In: /1 --> /1;ospf, If: ge-0/0/3.200
  Out: /1 --> /1;ospf, If: .local..0
Session ID: 11, Policy name: self-traffic-policy/1, Timeout: 52
  In: /1 --> /1;ospf, If: se-1/0/1.602
  Out: /1 --> /1;ospf, If: .local..0
Session ID: 29, Policy name: self-traffic-policy/1, Timeout: 1570
  In: / > /23;tcp, If: .local..0
  Out: /23 --> /58230;tcp, If: ge-0/0/3.100
Session ID: 32, Policy name: self-traffic-policy/1, Timeout: 1800
  In: / > /23;tcp, If: ge-0/0/0.0
  Out: /23 --> /62114;tcp, If: .local..0
5 sessions displayed
lab@tokyo>

Question: What command must you issue to view the sessions in progress?

Answer: Use the show security flow session command to view the sessions in progress.

Question: How many sessions exist?

Answer: There are five active sessions.
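The session listing above, and the show security flow session summary output used in the next question to judge capacity, are easy to read at five sessions but not at five thousand. The following Python is an added example, not part of the lab guide and not JUNOS or Juniper code: it parses both outputs in the format shown here, cross-checks the "N sessions displayed" trailer against what it actually parsed, separates sessions created by configured zone-to-zone policies from the router's own self-traffic-policy sessions, and computes session-table utilisation. The sample output embedded in it is constructed with made-up addresses (RFC 5737 and RFC 1918 ranges) and a made-up Maximum-sessions value; the lab's own addresses are not reproduced.

```python
"""Parse 'show security flow session' and '... session summary' output (JUNOS).

Added example for this lab guide, not JUNOS or Juniper code. The sample output
below is constructed in the Step 4.7 layout with made-up addresses (RFC 5737
and RFC 1918 ranges) and a made-up Maximum-sessions value.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed: the five self-traffic sessions of Step 4.7 plus one transit
# session created by the RetailToFinance policy.
SAMPLE_SESSIONS = """\
Session ID: 7, Policy name: self-traffic-policy/1, Timeout: 58
  In: 10.0.1.1/1 --> 224.0.0.5/1;ospf, If: ge-0/0/3.100
  Out: 224.0.0.5/1 --> 10.0.1.1/1;ospf, If: .local..0
Session ID: 9, Policy name: self-traffic-policy/1, Timeout: 56
  In: 10.0.2.1/1 --> 224.0.0.5/1;ospf, If: ge-0/0/3.200
  Out: 224.0.0.5/1 --> 10.0.2.1/1;ospf, If: .local..0
Session ID: 11, Policy name: self-traffic-policy/1, Timeout: 52
  In: 192.0.2.1/1 --> 224.0.0.5/1;ospf, If: se-1/0/1.602
  Out: 224.0.0.5/1 --> 192.0.2.1/1;ospf, If: .local..0
Session ID: 29, Policy name: self-traffic-policy/1, Timeout: 1570
  In: 10.0.1.1/58230 --> 10.0.1.10/23;tcp, If: .local..0
  Out: 10.0.1.10/23 --> 10.0.1.1/58230;tcp, If: ge-0/0/3.100
Session ID: 32, Policy name: self-traffic-policy/1, Timeout: 1800
  In: 198.51.100.20/62114 --> 198.51.100.10/23;tcp, If: ge-0/0/0.0
  Out: 198.51.100.10/23 --> 198.51.100.20/62114;tcp, If: .local..0
Session ID: 41, Policy name: RetailToFinance/4, Timeout: 1794
  In: 10.0.1.10/51000 --> 203.0.113.1/23;tcp, If: ge-0/0/3.100
  Out: 203.0.113.1/23 --> 10.0.1.10/51000;tcp, If: se-1/0/1.602
6 sessions displayed
"""

# Constructed: Maximum-sessions is a placeholder, not a platform figure.
SAMPLE_SUMMARY = """\
Session summary:
  Unicast-sessions: 6
  Multicast-sessions: 0
  Failed-sessions: 0
  Sessions-in-use: 6
  Maximum-sessions: 16384
"""

HEADER_RE = re.compile(r"^Session ID: (\d+), Policy name: (\S+), Timeout: (\d+)")
WING_RE = re.compile(r"^\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If:\s*(\S+)")
TRAILER_RE = re.compile(r"^(\d+) sessions displayed")
COUNTER_RE = re.compile(r"^\s*([A-Za-z-]+): (\d+)$")


@dataclass
class Wing:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    ifname: str


@dataclass
class Session:
    sid: int
    policy: str
    timeout: int
    wings: dict = field(default_factory=dict)  # "In" / "Out" -> Wing


def parse_sessions(text):
    """One Session per 'Session ID:' block; the trailer count must agree."""
    sessions, declared = [], None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            sessions.append(Session(int(m[1]), m[2], int(m[3])))
        elif m := WING_RE.match(line):
            if not sessions:
                raise ValueError("wing line before any session header")
            sessions[-1].wings[m[1]] = Wing(m[2], int(m[3]), m[4], int(m[5]), m[6], m[7])
        elif m := TRAILER_RE.match(line):
            declared = int(m[1])
    if declared is not None and declared != len(sessions):
        raise ValueError(f"router reports {declared} sessions, parsed {len(sessions)}")
    return sessions


def count_by_policy(sessions):
    """Sessions per policy, including the implicit self-traffic-policy."""
    return Counter(s.policy for s in sessions)


def transit_sessions(sessions):
    """Sessions created by configured zone-to-zone policies, not by the router's own traffic."""
    return [s for s in sessions if not s.policy.startswith("self-traffic-policy")]


def parse_summary(text):
    """Counters of 'show security flow session summary' as a dict."""
    return {m[1]: int(m[2]) for line in text.splitlines() if (m := COUNTER_RE.match(line))}


def session_utilization(summary):
    """Percentage of the session table in use."""
    return 100.0 * summary["Sessions-in-use"] / summary["Maximum-sessions"]
```

The trailer cross-check matters when output is captured over a terminal: a truncated capture silently loses sessions, and a parser that trusts what it saw would under-count. Feed the functions the raw text of the two commands captured from your router instead of the constructed samples.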

Question: What command must you issue to obtain the maximum number of sessions that the router can handle?

Answer: Use the show security flow session summary command. Here is the sample output taken from the Tokyo router:

lab@tokyo> show security flow session summary
Session summary:
  Unicast-sessions: 5
  Multicast-sessions: 0
  Failed-sessions: 0
  Sessions-in-use: 5
  Maximum-sessions:
lab@tokyo>

Step 4.8

From the XX-VR router, open a Telnet session from one of the hosts in the Retail zone to a host within the Finance zone through the Public zone.

tokyo-vr@sydney> telnet source routing-instance TO-VR
Trying
Connected to
Escape character is '^]'.

Sydney (ttyp1)

login: london-vr
Password:

--- JUNOS 9.0R1.10 built :13:25 UTC

NOTE: This router is divided into many virtual routers used by different teams. Please only configure your own virtual router. You must use 'configure private' to configure this router.

london-vr@sydney>

On your router, turn on monitoring of the lab2debug file to observe the session-formation debugging output.

lab@tokyo> monitor start lab2debug

lab@tokyo>
*** lab2debug ***
Feb 25 02:42:49 02:42: :CID-0:RT:< /62114-> / 23;6> : <management/ge-0/0/0.0>

Feb 25 02:42:49 02:42: :CID-0:RT:packet [53] ipid = ******
Feb 25 02:42:49 02:42: :CID-0:RT: find flow: table 0x4b5f7104, hash (0x3ffff), sa , da , sp 62114, dp 23, proto 6, tok 16
Feb 25 02:42:49 02:42: :CID-0:RT: flow fast tcp/udp session id 32
Feb 25 02:42:49 02:42: :CID-0:RT: post addr xlation: >
Feb 25 02:42:49 02:42: :CID-0:RT:mbuf 0x4a0b1f40, exit nh 0xfffb0006
Feb 25 02:42:49 02:42: :CID-0:RT:Using in_ifp from pfe_tag with index 0
Feb 25 02:42:49 02:42: :CID-0:RT:Using vr id from pfe_tag with value= 0
Feb 25 02:42:49 02:42: :CID-0:RT:Changing lpak->in_ifp from:.local..0 -> to:.local..0
Feb 25 02:42:49 02:42: :CID-0:RT:Over-riding lpak->vsys with 0
Feb 25 02:42:49 02:42: :CID-0:RT:< /23-> / 62114;6> : <junos-self/.local..0>
Feb 25 02:42:49 02:42: :CID-0:RT:packet [53] ipid = ******
Feb 25 02:42:49 02:42: :CID-0:RT: find flow: table 0x4b5f7104, hash (0x3ffff), sa , da , sp 23, dp 62114, proto 6, tok 4
Feb 25 02:42:49 02:42: :CID-0:RT: flow fast tcp/udp session id 32
Feb 25 02:42:49 02:42: :CID-0:RT: post addr xlation: >
Feb 25 02:42:49 02:42: :CID-0:RT:mbuf 0x48aaa0e0, exit nh 0x90010
Feb 25 02:42:49 02:42: :CID-0:RT:< /62114-> / 23;6> : <management/ge-0/0/0.0>
Feb 25 02:42:49 02:42: :CID-0:RT:packet [52] ipid = ******
Feb 25 02:42:49 02:42: :CID-0:RT: find flow: table 0x4b5f7104, hash (0x3ffff), sa , da , sp 62114, dp 23, proto 6, tok 16
Feb 25 02:42:49 02:42: :CID-0:RT: flow fast tcp/udp session id 32

Feb 25 02:42:49 02:42: :CID-0:RT: post addr xlation: >
Feb 25 02:42:49 02:42: :CID-0:RT:mbuf 0x4a1ed640, exit nh 0xfffb0006
Feb 25 02:42:49 02:42: :CID-0:RT:< /62114-> / 23;6> : <management/ge-0/0/0.0>
Feb 25 02:42:49 02:42: :CID-0:RT:packet [54] ipid = ******
Feb 25 02:42:49 02:42: :CID-0:RT: find flow: table 0x4b5f7104, hash (0x3ffff), sa , da , sp 62114, dp 23, proto 6, tok 16
Feb 25 02:42:49 02:42: :CID-0:RT: flow fast tcp/udp session id 32
Feb 25 02:42:49 02:42: :CID-0:RT: post addr xlation: >
Feb 25 02:42:49 02:42: :CID-0:RT:mbuf 0x49f5ea00, exit nh 0xfffb0006
Feb 25 02:42:49 02:42: :CID-0:RT:Using in_ifp from pfe_tag with index 0
Feb 25 02:42:49 02:42: :CID-0:RT:Using vr id from pfe_tag with value= 0
Feb 25 02:42:49 02:42: :CID-0:RT:Changing lpak->in_ifp from:.local..0 -> to:.local..0
Feb 25 02:42:49 02:42: :CID-0:RT:Over-riding lpak->vsys with 0
Feb 25 02:42:49 02:42: :CID-0:RT:< /23-> / 62114;6> : <junos-self/.local..0>
Feb 25 02:42:49 02:42: :CID-0:RT:packet [53] ipid = ******
Feb 25 02:42:49 02:42: :CID-0:RT: find flow: table 0x4b5f7104, hash (0x3ffff), sa , da , sp 23, dp 62114, proto 6, tok 4
Feb 25 02:42:49 02:42: :CID-0:RT: flow fast tcp/udp session id 32
Feb 25 02:42:49 02:42: :CID-0:RT: post addr xlation: >
Feb 25 02:42:49 02:42: :CID-0:RT:mbuf 0x48aaa0e0, exit nh 0x90010
Feb 25 02:42:50 02:42: :CID-0:RT:< /62114-> / 23;6> : <management/ge-0/0/0.0>
Feb 25 02:42:50 02:42: :CID-0:RT:packet [52] ipid = ******

Feb 25 02:42:50 02:42: :CID-0:RT: find flow: table 0x4b5f7104, hash (0x3ffff), sa , da , sp 62114, dp 23, proto 6, tok 16
Feb 25 02:42:50 02:42: :CID-0:RT: flow fast tcp/udp session id 32
Feb 25 02:42:50 02:42: :CID-0:RT: post addr xlation: >
Feb 25 02:42:50 02:42: :CID-0:RT:mbuf 0x4a067e00, exit nh 0xfffb0006
Feb 25 02:42:50 02:42: :CID-0:RT:Using in_ifp from pfe_tag with index 0
Feb 25 02:42:50 02:42: :CID-0:RT:Using vr id from pfe_tag with value= 0
Feb 25 02:42:50 02:42: :CID-0:RT:Changing lpak->in_ifp from:.local..0 -> to:.local..0
Feb 25 02:42:50 02:42: :CID-0:RT:Over-riding lpak->vsys with 0
Feb 25 02:42:50 02:42: :CID-0:RT:< /23-> / 62114;6> : <junos-self/.local..0>
Feb 25 02:42:50 02:42: :CID-0:RT:packet [67] ipid = ******
Feb 25 02:42:50 02:42: :CID-0:RT: find flow: table 0x4b5f7104, hash (0x3ffff), sa , da , sp 23, dp 62114, proto 6, tok 4
Feb 25 02:42:50 02:42: :CID-0:RT: flow fast tcp/udp session id 32
Feb 25 02:42:50 02:42: :CID-0:RT: post addr xlation: >
Feb 25 02:42:50 02:42: :CID-0:RT:mbuf 0x48aaa0e0, exit nh 0x90010
Feb 25 02:42:50 02:42: :CID-0:RT:< /62114-> / 23;6> : <management/ge-0/0/0.0>
Feb 25 02:42:50 02:42: :CID-0:RT:packet [52] ipid = ******
Feb 25 02:42:50 02:42: :CID-0:RT: find flow: table 0x4b5f7104, hash (0x3ffff), sa , da , sp 62114, dp 23, proto 6, tok 16
Feb 25 02:42:50 02:42: :CID-0:RT: flow fast tcp/udp session id 32
Feb 25 02:42:50 02:42: :CID-0:RT: post addr xlation: >

Feb 25 02:42:50 02:42: :CID-0:RT:mbuf 0x49fe6d60, exit nh 0xfffb0006
Feb 25 02:42:50 02:42: :CID-0:RT:< /513-> /48;89> : <Admin/ge-0/0/3.200>
Feb 25 02:42:50 02:42: :CID-0:RT:packet [68] ipid = ******
Feb 25 02:42:50 02:42: :CID-0:RT: ge-0/0/3.200: > , 89
Feb 25 02:42:50 02:42: :CID-0:RT: find flow: table 0x4b5f7104, hash 17001(0x3ffff), sa , da , sp 1, dp 1, proto 89, tok 20
Feb 25 02:42:50 02:42: :CID-0:RT: flow session id 9
Feb 25 02:42:50 02:42: :CID-0:RT: refreshing session
Feb 25 02:42:50 02:42: :CID-0:RT: post addr xlation: >
Feb 25 02:42:50 02:42: :CID-0:RT:mbuf 0x4a0a13a0, exit nh 0xfff80006
Feb 25 02:42:50 02:42: :CID-0:RT:Using in_ifp from pfe_tag with index 0
Feb 25 02:42:50 02:42: :CID-0:RT:Using vr id from pfe_tag with value= 0
Feb 25 02:42:50 02:42: :CID-0:RT:Changing lpak->in_ifp from:.local..0 -> to:.local..0
Feb 25 02:42:50 02:42: :CID-0:RT:Over-riding lpak->vsys with 0
Feb 25 02:42:50 02:42: :CID-0:RT:< /23-> / 62114;6> : <junos-self/.local..0>
Feb 25 02:42:50 02:42: :CID-0:RT:packet [1075] ipid = ******
Feb 25 02:42:50 02:42: :CID-0:RT: find flow: table 0x4b5f7104, hash (0x3ffff), sa , da , sp 23, dp 62114, proto 6, tok 4
Feb 25 02:42:50 02:42: :CID-0:RT: flow fast tcp/udp session id 32
Feb 25 02:42:50 02:42: :CID-0:RT: refreshing session
Feb 25 02:42:50 02:42: :CID-0:RT: post addr xlation: >
Feb 25 02:42:50 02:42: :CID-0:RT:mbuf 0x48eca640, exit nh 0x90010

Feb 25 02:42:51 02:42: :CID-0:RT:< /62114-> / 23;6> : <management/ge-0/0/0.0>
Feb 25 02:42:51 02:42: :CID-0:RT:packet [52] ipid = ******
Feb 25 02:42:51 02:42: :CID-0:RT: find flow: table 0x4b5f7104, hash (0x3ffff), sa , da , sp 62114, dp 23, proto 6, tok 16
Feb 25 02:42:51 02:42: :CID-0:RT: flow fast tcp/udp session id 32
Feb 25 02:42:51 02:42: :CID-0:RT: post addr xlation: >
Feb 25 02:42:51 02:42: :CID-0:RT:mbuf 0x4a0466c0, exit nh 0xfffb0006
Feb 25 02:42:51 02:42: :CID-0:RT:Using in_ifp from pfe_tag with index 0
Feb 25 02:42:51 02:42: :CID-0:RT:Using vr id from pfe_tag with value= 0
Feb 25 02:42:51 02:42: :CID-0:RT:Changing lpak->in_ifp from:.local..0 -> to:.local..0
Feb 25 02:42:51 02:42: :CID-0:RT:Over-riding lpak->vsys with 0
Feb 25 02:42:51 02:42: :CID-0:RT:< /23-> / 62114;6> : <junos-self/.local..0>
Feb 25 02:42:51 02:42: :CID-0:RT:packet [94] ipid = ******
Feb 25 02:42:51 02:42: :CID-0:RT: find flow: table 0x4b5f7104, hash (0x3ffff), sa , da , sp 23, dp 62114, proto 6, tok 4
Feb 25 02:42:51 02:42: :CID-0:RT: flow fast tcp/udp session id 32
Feb 25 02:42:51 02:42: :CID-0:RT: post addr xlation: >
Feb 25 02:42:51 02:42: :CID-0:RT:mbuf 0x48aaa0e0, exit nh 0x90010
Feb 25 02:42:51 02:42: :CID-0:RT:< /62114-> / 23;6> : <management/ge-0/0/0.0>
Feb 25 02:42:51 02:42: :CID-0:RT:packet [52] ipid = ******
Feb 25 02:42:51 02:42: :CID-0:RT: find flow: table 0x4b5f7104, hash (0x3ffff), sa , da , sp 62114, dp 23, proto 6, tok 16

Feb 25 02:42:51 02:42: :CID-0:RT: flow fast tcp/udp session id 32
Feb 25 02:42:51 02:42: :CID-0:RT: post addr xlation: >
Feb 25 02:42:51 02:42: :CID-0:RT:mbuf 0x4a1efc60, exit nh 0xfffb0006
Feb 25 02:42:51 02:42: :CID-0:RT:Using in_ifp from pfe_tag with index 0
Feb 25 02:42:51 02:42: :CID-0:RT:Using vr id from pfe_tag with value= 0
Feb 25 02:42:51 02:42: :CID-0:RT:Changing lpak->in_ifp from:.local..0 -> to:.local..0
Feb 25 02:42:51 02:42: :CID-0:RT:Over-riding lpak->vsys with 0
Feb 25 02:42:51 02:42: :CID-0:RT:< /23-> / 62114;6> : <junos-self/.local..0>
Feb 25 02:42:51 02:42: :CID-0:RT:packet [1075] ipid = ******
Feb 25 02:42:51 02:42: :CID-0:RT: find flow: table 0x4b5f7104, hash (0x3ffff), sa , da , sp 23, dp 62114, proto 6, tok 4
Feb 25 02:42:51 02:42: :CID-0:RT: flow fast tcp/udp session id 32
Feb 25 02:42:51 02:42: :CID-0:RT: post addr xlation: >
Feb 25 02:42:51 02:42: :CID-0:RT:mbuf 0x48eca640, exit nh 0x90010
Feb 25 02:42:52 02:42: :CID-0:RT:< /62114-> / 23;6> : <management/ge-0/0/0.0>
Feb 25 02:42:53 02:42: :CID-0:RT:packet [52] ipid = ******
Feb 25 02:42:53 02:42: :CID-0:RT: find flow: table 0x4b5f7104, hash (0x3ffff), sa , da , sp 62114, dp 23, proto 6, tok 16
Feb 25 02:42:53 02:42: :CID-0:RT: flow fast tcp/udp session id 32
Feb 25 02:42:53 02:42: :CID-0:RT: post addr xlation: >
Feb 25 02:42:53 02:42: :CID-0:RT:mbuf 0x4a06a440, exit nh 0xfffb0006
Feb 25 02:42:53 02:42: :CID-0:RT:Using in_ifp from pfe_tag with index 0

Feb 25 02:42:53 02:42: :CID-0:RT:Using vr id from pfe_tag with value= 0
Feb 25 02:42:53 02:42: :CID-0:RT:Changing lpak->in_ifp from:.local..0 -> to:.local..0
Feb 25 02:42:53 02:42: :CID-0:RT:Over-riding lpak->vsys with 0
Feb 25 02:42:53 02:42: :CID-0:RT:< /23-> / 62114;6> : <junos-self/.local..0>
Feb 25 02:42:53 02:42: :CID-0:RT:packet [73] ipid = ******
Feb 25 02:42:53 02:42: :CID-0:RT: find flow: table 0x4b5f7104, hash (0x3ffff), sa , da , sp 23, dp 62114, proto 6, tok 4
Feb 25 02:42:53 02:42: :CID-0:RT: flow fast tcp/udp session id 32
Feb 25 02:42:53 02:42: :CID-0:RT: post addr xlation: >
Feb 25 02:42:53 02:42: :CID-0:RT:mbuf 0x48aaa0e0, exit nh 0x90010
Feb 25 02:42:53 02:42: :CID-0:RT:< /62114-> / 23;6> : <management/ge-0/0/0.0>
Feb 25 02:42:53 02:42: :CID-0:RT:packet [52] ipid = ******
Feb 25 02:42:53 02:42: :CID-0:RT: find flow: table 0x4b5f7104, hash (0x3ffff), sa , da , sp 62114, dp 23, proto 6, tok 16
Feb 25 02:42:53 02:42: :CID-0:RT: flow fast tcp/udp session id 32
Feb 25 02:42:53 02:42: :CID-0:RT: post addr xlation: >
Feb 25 02:42:53 02:42: :CID-0:RT:mbuf 0x49f95960, exit nh 0xfffb0006
Feb 25 02:42:53 02:42: :CID-0:RT:Using in_ifp from pfe_tag with index 0
Feb 25 02:42:53 02:42: :CID-0:RT:Using vr id from pfe_tag with value= 0
Feb 25 02:42:53 02:42: :CID-0:RT:Changing lpak->in_ifp from:.local..0 -> to:.local..0
Feb 25 02:42:53 02:42: :CID-0:RT:Over-riding lpak->vsys with 0

Feb 25 02:42:53 02:42: :CID-0:RT:< /23-> / 62114;6> : <junos-self/.local..0>
Feb 25 02:42:53 02:42: :CID-0:RT:packet [1075] ipid = ******
Feb 25 02:42:53 02:42: :CID-0:RT: find flow: table 0x4b5f7104, hash (0x3ffff), sa , da , sp 23, dp 62114, proto 6, tok 4
Feb 25 02:42:53 02:42: :CID-0:RT: flow fast tcp/udp session id 32
Feb 25 02:42:53 02:42: :CID-0:RT: refreshing session
Feb 25 02:42:53 02:42: :CID-0:RT: post addr xlation: >
Feb 25 02:42:53 02:42: :CID-0:RT:mbuf 0x48eca640, exit nh 0x90010
Feb 25 02:42:53 02:42: :CID-0:RT:< /62114-> / 23;6> : <management/ge-0/0/0.0>
Feb 25 02:42:53 02:42: :CID-0:RT:packet [52] ipid = ******
Feb 25 02:42:53 02:42: :CID-0:RT: find flow: table 0x4b5f7104, hash (0x3ffff), sa , da , sp 62114, dp 23, proto 6, tok 16
Feb 25 02:42:53 02:42: :CID-0:RT: flow fast tcp/udp session id 32
Feb 25 02:42:53 02:42: :CID-0:RT: post addr xlation: >
Feb 25 02:42:53 02:42: :CID-0:RT:mbuf 0x4a103340, exit nh 0xfffb0006
Feb 25 02:42:53 02:42: :CID-0:RT:Using in_ifp from pfe_tag with index 0
Feb 25 02:42:53 02:42: :CID-0:RT:Using vr id from pfe_tag with value= 0
Feb 25 02:42:53 02:42: :CID-0:RT:Changing lpak->in_ifp from:.local..0 -> to:.local..0
Feb 25 02:42:53 02:42: :CID-0:RT:Over-riding lpak->vsys with 0
Feb 25 02:42:53 02:42: :CID-0:RT:< /23-> / 62114;6> : <junos-self/.local..0>
Feb 25 02:42:53 02:42: :CID-0:RT:packet [75] ipid = ******

Feb 25 02:42:53 02:42: :CID-0:RT: find flow: table 0x4b5f7104, hash (0x3ffff), sa , da , sp 23, dp 62114, proto 6, tok 4
Feb 25 02:42:53 02:42: :CID-0:RT: flow fast tcp/udp session id 32
Feb 25 02:42:53 02:42: :CID-0:RT: post addr xlation: >
Feb 25 02:42:53 02:42: :CID-0:RT:mbuf 0x48aaa0e0, exit nh 0x90010
Feb 25 02:42:53 02:42: :CID-0:RT:< /513-> /48;89> : <Retail/ge-0/0/3.100>
Feb 25 02:42:53 02:42: :CID-0:RT:packet [68] ipid = ******
Feb 25 02:42:53 02:42: :CID-0:RT: ge-0/0/3.100: > , 89
Feb 25 02:42:53 02:42: :CID-0:RT: find flow: table 0x4b5f7104, hash (0x3ffff), sa , da , sp 1, dp 1, proto 89, tok 18
Feb 25 02:42:53 02:42: :CID-0:RT: flow session id 7
Feb 25 02:42:53 02:42: :CID-0:RT: refreshing session
Feb 25 02:42:53 02:42: :CID-0:RT: post addr xlation: >
Feb 25 02:42:53 02:42: :CID-0:RT:mbuf 0x4a060b40, exit nh 0xfff80006
Feb 25 02:42:53 02:42: :CID-0:RT:< /62114-> / 23;6> : <management/ge-0/0/0.0>
Feb 25 02:42:53 02:42: :CID-0:RT:packet [52] ipid = ******
Feb 25 02:42:53 02:42: :CID-0:RT: find flow: table 0x4b5f7104, hash (0x3ffff), sa , da , sp 62114, dp 23, proto 6, tok 16
Feb 25 02:42:53 02:42: :CID-0:RT: flow fast tcp/udp session id 32
Feb 25 02:42:53 02:42: :CID-0:RT: post addr xlation: >
Feb 25 02:42:53 02:42: :CID-0:RT:mbuf 0x4a07fc60, exit nh 0xfffb0006
Feb 25 02:42:54 02:42: :CID-0:RT:Using in_ifp from pfe_tag with index 0
Feb 25 02:42:54 02:42: :CID-0:RT:Using vr id from pfe_tag with value= 0

Feb 25 02:42:54 02:42: :CID-0:RT:Changing lpak->in_ifp from:.local..0 -> to:.local..0
Feb 25 02:42:54 02:42: :CID-0:RT:Over-riding lpak->vsys with 0
Feb 25 02:42:54 02:42: :CID-0:RT:< /23-> / 62114;6> : <junos-self/.local..0>
Feb 25 02:42:54 02:42: :CID-0:RT:packet [1075] ipid = ******
Feb 25 02:42:54 02:42: :CID-0:RT: find flow: table 0x4b5f7104, hash (0x3ffff), sa , da , sp 23, dp 62114, proto 6, tomonitor stop

lab@tokyo>

Step 4.9

Close all the Telnet sessions and return to your router.

london-vr@sydney> exit
Connection closed by foreign host.

tokyo-vr@sydney> exit
Connection closed by foreign host.

lab@tokyo>

Shown here is the step for the other router:

lab@tokyo> exit
Connection closed by foreign host.

lab@london>

STOP
Tell your instructor that you have completed Lab 2.
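The lab2debug trace in Step 4.8 runs to several pages for a single Telnet session. The following Python is an added example, not part of the lab guide and not JUNOS or Juniper code: it groups the trace into one record per packet, starting at each `<src/sport->dst/dport;proto> : <zone/interface>` header line, records which session the packet matched (session 32 for the management Telnet and session 9 for OSPF on the Admin zone, in the trace above) and whether the session was refreshed, and keeps the pfe_tag lines that precede a self-generated packet together with that packet rather than with the one before it. The trace embedded below is constructed in the same format with made-up addresses, hash values and timestamps; it is not the lab's output.

```python
"""Group a JUNOS security flow trace (basic-datapath + session flags) per packet.

Added example for this lab guide, not JUNOS or Juniper code. The trace below
is constructed in the Step 4.8 format; addresses (RFC 5737/1918), hashes and
timestamps are made up.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_TRACE = """\
Feb 25 02:42:49 02:42:49.418623:CID-0:RT:<198.51.100.20/62114->198.51.100.10/23;6> : <management/ge-0/0/0.0>
Feb 25 02:42:49 02:42:49.418701:CID-0:RT:packet [53] ipid = 28841
Feb 25 02:42:49 02:42:49.418755:CID-0:RT:  find flow: table 0x4b5f7104, hash 53212(0x3ffff), sa 198.51.100.20, da 198.51.100.10, sp 62114, dp 23, proto 6, tok 16
Feb 25 02:42:49 02:42:49.418802:CID-0:RT:  flow fast tcp/udp session id 32
Feb 25 02:42:49 02:42:49.418840:CID-0:RT:  post addr xlation: 198.51.100.20->198.51.100.10
Feb 25 02:42:49 02:42:49.418877:CID-0:RT:mbuf 0x4a0b1f40, exit nh 0xfffb0006
Feb 25 02:42:49 02:42:49.419001:CID-0:RT:Using in_ifp from pfe_tag with index 0
Feb 25 02:42:49 02:42:49.419033:CID-0:RT:Using vr id from pfe_tag with value= 0
Feb 25 02:42:49 02:42:49.419066:CID-0:RT:Changing lpak->in_ifp from:.local..0 -> to:.local..0
Feb 25 02:42:49 02:42:49.419098:CID-0:RT:Over-riding lpak->vsys with 0
Feb 25 02:42:49 02:42:49.419140:CID-0:RT:<198.51.100.10/23->198.51.100.20/62114;6> : <junos-self/.local..0>
Feb 25 02:42:49 02:42:49.419180:CID-0:RT:packet [53] ipid = 4432
Feb 25 02:42:49 02:42:49.419220:CID-0:RT:  find flow: table 0x4b5f7104, hash 7710(0x3ffff), sa 198.51.100.10, da 198.51.100.20, sp 23, dp 62114, proto 6, tok 4
Feb 25 02:42:49 02:42:49.419260:CID-0:RT:  flow fast tcp/udp session id 32
Feb 25 02:42:49 02:42:49.419300:CID-0:RT:  refreshing session
Feb 25 02:42:49 02:42:49.419340:CID-0:RT:  post addr xlation: 198.51.100.10->198.51.100.20
Feb 25 02:42:49 02:42:49.419380:CID-0:RT:mbuf 0x48aaa0e0, exit nh 0x90010
Feb 25 02:42:50 02:42:50.001200:CID-0:RT:<10.0.2.1/513->224.0.0.5/48;89> : <Admin/ge-0/0/3.200>
Feb 25 02:42:50 02:42:50.001260:CID-0:RT:packet [68] ipid = 61
Feb 25 02:42:50 02:42:50.001340:CID-0:RT:  find flow: table 0x4b5f7104, hash 17001(0x3ffff), sa 10.0.2.1, da 224.0.0.5, sp 1, dp 1, proto 89, tok 20
Feb 25 02:42:50 02:42:50.001380:CID-0:RT:  flow session id 9
Feb 25 02:42:50 02:42:50.001420:CID-0:RT:  refreshing session
Feb 25 02:42:50 02:42:50.001500:CID-0:RT:mbuf 0x4a0a13a0, exit nh 0xfff80006
"""

# Everything before ':RT:' is the timestamp and routing-thread tag.
HEADER_RE = re.compile(
    r":RT:<\s*(\S+?)/\s*(\d+)->\s*(\S+?)/\s*(\d+);(\d+)>\s*:\s*<([^/>]+)/([^>]+)>")
SESSION_RE = re.compile(r"flow (?:fast tcp/udp )?session id (\d+)")
XLATION_RE = re.compile(r"post addr xlation: (\S+?)->(\S+)")
# Emitted while the PFE tag of a router-generated packet is examined; these
# come *before* that packet's header, so they are held for the next record.
PRELUDE_RE = re.compile(r":RT:(Using |Changing lpak|Over-riding lpak)")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 89: "ospf"}


@dataclass
class Packet:
    zone: str
    ifname: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    session_id: Optional[int] = None
    refreshed: bool = False
    xlated: Optional[tuple] = None
    prelude: list = field(default_factory=list)  # pfe_tag lines that preceded the header
    detail: list = field(default_factory=list)   # remaining lines, tag stripped

    @property
    def proto_name(self):
        return PROTO_NAMES.get(self.proto, str(self.proto))


def parse_flow_trace(text):
    """One Packet per header line; lines before the first header are dropped."""
    packets, pending = [], []
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            packets.append(Packet(m[6], m[7], m[1], int(m[2]), m[3], int(m[4]),
                                  int(m[5]), prelude=pending))
            pending = []
        elif PRELUDE_RE.search(line):
            pending.append(line.split(":RT:", 1)[1])
        elif not packets:
            continue  # fragment that starts mid-record: nothing to attach to
        elif m := SESSION_RE.search(line):
            packets[-1].session_id = int(m[1])
        elif "refreshing session" in line:
            packets[-1].refreshed = True
        elif m := XLATION_RE.search(line):
            packets[-1].xlated = (m[1], m[2])
        else:
            packets[-1].detail.append(line.split(":RT:", 1)[1].strip())
    return packets


def packets_per_session(packets):
    """How many traced packets matched each session (None = no session found)."""
    return Counter(p.session_id for p in packets)


def zones_per_session(packets):
    """Ingress zones seen for each session; both wings of a session appear here."""
    zones = defaultdict(set)
    for p in packets:
        zones[p.session_id].add(p.zone)
    return dict(zones)
```

Run it over the file itself (for example the text of `show log lab2debug`) rather than a monitor capture, which is interleaved with your own keystrokes as the end of Step 4.8 shows. A packet whose session_id stays None is one for which the trace never reported a session match, which is the first place to look when a flow that should be permitted is not.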


Lab 3
Network Address Translation (NAT) (Detailed)

Overview

Now that you have established full connectivity and defined all the security zones, ensure that private addresses do not enter the Internet by using destination and source Network Address Translation (NAT) and Port Address Translation (PAT). You will deploy policy-based destination NAT that translates to a range of IP addresses, and source NAT using a source pool with PAT. The Lab 3 network diagram provides the public address space for each group. Once NAT is established, you will monitor the functionality of your configuration.

This lab is available in two formats: a high-level format that is designed to make you think through each step, and a detailed format that offers step-by-step instructions complete with sample output from most commands.

By completing this lab, you will perform the following tasks:

    Configure policy-based destination NAT.
    Configure source NAT using a source pool with PAT.
    Ensure that full connectivity is maintained.
    Test and monitor NAT operation.

As in the previous lab, this lab requires you to use the Sydney router, which is logically segmented into several virtual routers. Each student router connects to two virtual routers, XX-VR and XX-VR2, where XX is the two-letter abbreviation for the directly connected student router. Sydney also acts as the service provider, which provides Frame Relay services between the sites.

Network Address Translation (NAT) (Detailed) Lab a.9.0R1

Key Commands

Key operational-mode commands used in this lab include the following:

    configure
    ping
    show route table
    show security flow
    show security nat
    show security policies
    show security zones
    traceroute

Part 1: Adding Public Addresses to Address Books of Necessary Security Zones

Step 1.1

In this part of the lab you will add public addresses corresponding to hosts in the Retail, Admin, HR, and Finance security zones. Refer to the network diagram for Lab 3 for your group letter (A, B, C, or D). The public address space is identified in the following table.

Public Address Assignment

Security Zone Name | Name of the Address  | Public Address Space
Retail             | PublicAddressRetail  | /24
Admin              | PublicAddressAdmin   | /24
HR                 | PublicAddressHR      | /24
Finance            | PublicAddressFinance | /24

Log in to the router with the username lab and the password lab123.

Note
The username and the password are case sensitive.

Tokyo (ttyd0)

login: lab
Password:

--- JUNOS 9.0R1.10 built :14:18 UTC

lab@tokyo>

Step 1.2

Add the public addresses identified in the Public Address Assignment table to the Public zone address book. Use the address names given in the table.

lab@tokyo> edit
Entering configuration mode

[edit]
lab@tokyo# edit security zones security-zone Public

[edit security zones security-zone Public]
lab@tokyo# set address-book address PublicAddressRetail /24

[edit security zones security-zone Public]
lab@tokyo# set address-book address PublicAddressAdmin /24

[edit security zones security-zone Public]
lab@tokyo# set address-book address PublicAddressHR /24

[edit security zones security-zone Public]
lab@tokyo# set address-book address PublicAddressFinance /24

[edit security zones security-zone Public]
lab@tokyo# show address-book
address TO-VRhost /32;
address TO-VRhost /32;
address TO-VRhost /32;
address TO-VR2host /32;
address TO-VR2host /32;
address TO-VR2host /32;
address LO-VRhost /32;
address LO-VRhost /32;
address LO-VRhost /32;
address LO-VR2host /32;
address LO-VR2host /32;
address LO-VR2host /32;
address PublicAddressRetail /24;
address PublicAddressAdmin /24;
address PublicAddressHR /24;
address PublicAddressFinance /24;
address-set TO-VRhosts {
    address TO-VRhost1;
    address TO-VRhost2;
    address TO-VRhost3;
}
address-set TO-VR2hosts {
    address TO-VR2host1;
    address TO-VR2host2;
    address TO-VR2host3;
}
address-set LO-VRhosts {
    address LO-VRhost1;
    address LO-VRhost2;
    address LO-VRhost3;
}
address-set LO-VR2hosts {
    address LO-VR2host1;
    address LO-VR2host2;
    address LO-VR2host3;
}

[edit security zones security-zone Public]
lab@tokyo#

Step 1.3

Add the defined public addresses to the address books of the other security zones of your router. Again, use the address names identified in the Public Address Assignment table.

Note
Add only the addresses that are necessary for the corresponding security zone.

Question: Which public addresses should you add to the address books of your local security zones?

Retail security zone:
Admin security zone:
HR security zone:
Finance security zone:

Answer: You should add the PublicAddressRetail address to the Retail zone, the PublicAddressAdmin address to the Admin zone, the PublicAddressHR address to the HR zone, and the PublicAddressFinance address to the Finance zone.

The following configuration is for the Tokyo router:

[edit security zones security-zone Public]
lab@tokyo# up

[edit security zones]
lab@tokyo# set security-zone Retail address-book address PublicAddressRetail /24

[edit security zones]
lab@tokyo# set security-zone Admin address-book address PublicAddressAdmin /24

[edit security zones]
lab@tokyo# show security-zone Retail address-book
address TO-VRhost /32;
address TO-VRhost /32;
address TO-VRhost /32;
address PublicAddressRetail /24;
address-set TO-VRhosts {
    address TO-VRhost1;
    address TO-VRhost2;

    address TO-VRhost3;
}

[edit security zones]
lab@tokyo# show security-zone Admin address-book
address TO-VR2host /32;
address TO-VR2host /32;
address TO-VR2host /32;
address PublicAddressAdmin /24;
address-set TO-VR2hosts {
    address TO-VR2host1;
    address TO-VR2host2;
    address TO-VR2host3;
}

[edit security zones]
lab@tokyo#

The following configuration is for the London router:

[edit security zones security-zone Public]
lab@london# up

[edit security zones]
lab@london# set security-zone HR address-book address PublicAddressHR /24

[edit security zones]
lab@london# set security-zone Finance address-book address PublicAddressFinance /24

[edit security zones]
lab@london# show security-zone HR address-book
address LO-VRhost /32;
address LO-VRhost /32;
address LO-VRhost /32;
address PublicAddressHR /24;
address-set LO-VRhosts {
    address LO-VRhost1;
    address LO-VRhost2;
    address LO-VRhost3;
}

[edit security zones]
lab@london# show security-zone Finance address-book
address LO-VR2host /32;
address LO-VR2host /32;
address LO-VR2host /32;
address PublicAddressFinance /24;
address-set LO-VR2hosts {
    address LO-VR2host1;
    address LO-VR2host2;
    address LO-VR2host3;
}

[edit security zones]
lab@london#

Step 1.4

Commit the changes.

[edit security zones]
lab@tokyo# commit
commit complete

[edit security zones]
lab@tokyo#

Part 2: Define Source and Destination NAT

In this part of the lab you will configure source and destination NAT. Recall that you are to deploy policy-based destination NAT using IP address translation to a range of IP addresses, and source NAT using a source pool with PAT. You must work with your partner to ensure that the proper addresses are applied to source and destination NAT.

Let's take Tokyo and London as an example. For traffic originating from the Retail zone to the Finance zone (through the Public zone), source NAT must take place on the Tokyo router and destination NAT on the London router. Likewise, for traffic originating from the Finance zone to the Retail zone (through the Public zone), source NAT must take place on the London router and destination NAT on the Tokyo router. The following table summarizes the NAT types to be deployed in every router of the network.

Deployment of NAT Types

Source Zone | Destination Zone       | Source NAT applied in: | Destination NAT applied in: | Group
Retail      | Finance through Public | Tokyo                  | London                      | A
            |                        | San Jose               | Hong Kong                   | B
            |                        | Denver                 | Sao Paulo                   | C
            |                        | Montreal               | Amsterdam                   | D
Finance     | Retail through Public  | London                 | Tokyo                       | A
            |                        | Hong Kong              | San Jose                    | B
            |                        | Sao Paulo              | Denver                      | C
            |                        | Amsterdam              | Montreal                    | D
Admin       | HR through Public      | Tokyo                  | London                      | A
            |                        | San Jose               | Hong Kong                   | B
            |                        | Denver                 | Sao Paulo                   | C
            |                        | Montreal               | Amsterdam                   | D
HR          | Admin through Public   | London                 | Tokyo                       | A
            |                        | Hong Kong              | San Jose                    | B
            |                        | Sao Paulo              | Denver                      | C
            |                        | Amsterdam              | Montreal                    | D

Step 2.1

Using the Deployment of NAT Types table, configure the appropriate source NAT on your router. Use the first host of the corresponding public address space as the source pool address. For example, you will use the source pool address (which is the first host of the /24 address space) when configuring the Tokyo source pool to be used for source NAT from the Retail zone. Use the following convention for source pool naming: ZoneNameSourcePool. For example, Tokyo's source pool for traffic originating from the Retail zone should be named RetailSourcePool.

[edit security zones]
lab@tokyo# up

[edit security]
lab@tokyo# edit nat

[edit security nat]
lab@tokyo# edit interface se-1/0/1.602

[edit security nat interface se-1/0/1.602]
lab@tokyo# set source-nat pool RetailSourcePool address

[edit security nat interface se-1/0/1.602]
lab@tokyo# set source-nat pool AdminSourcePool address

[edit security nat interface se-1/0/1.602]
lab@tokyo# show
source-nat {
    pool RetailSourcePool {
        address {
            ;
        }
    }
    pool AdminSourcePool {
        address {
            ;
        }
    }
}

[edit security nat interface se-1/0/1.602]
lab@tokyo#

The following configuration is for Tokyo's peer, London:

[edit security nat]
lab@london# edit interface se-1/0/0.603

[edit security nat interface se-1/0/0.603]
lab@london# show
source-nat {
    pool FinanceSourcePool {
        address {
            ;
        }
    }
    pool HRsourcePool {
        address {
            ;
        }
    }
}

[edit security nat interface se-1/0/0.603]
lab@london#

Step 2.2

Using the Deployment of NAT Types table, configure the appropriate destination NAT on your router. The destination address range should run from the lowest to the highest private host address in the corresponding zone. For example, destination NAT for the Retail zone applied on Tokyo should range from to. Name the destination NAT ZoneNameDestNat. For example, the destination NAT's name on Tokyo for the Retail zone is RetailDestNAT.

[edit security nat interface se-1/0/1.602]
lab@tokyo# up

[edit security nat]
lab@tokyo# set destination-nat RetailDestNAT address-range low high

[edit security nat]
lab@tokyo# set destination-nat AdminDestNAT address-range low high

[edit security nat]
lab@tokyo# show destination-nat RetailDestNAT
address-range low high ;

[edit security nat]

lab@tokyo# show destination-nat AdminDestNAT
address-range low high ;

[edit security nat]
lab@tokyo#

The following configuration is for Tokyo's peer, London:

[edit security nat]
lab@london# show destination-nat HRdestNAT
address-range low high ;

[edit security nat]
lab@london# show destination-nat FinanceDestNAT
address-range low high ;

[edit security nat]
lab@london#

Part 3: Incorporating Source and Destination NAT into Security Policies

Step 3.1

In this part of the lab you will adjust the source and destination addresses in the security policies of your router. Furthermore, you will reference source NAT, destination NAT, or both from within the action statements of the corresponding security policies.

Using the Deployment of NAT Types table, fill in the following table for your group and router.

NAT Deployment in Security Policies

City | from-zone | to-zone | Source Address | Destination Address | Source NAT | Destination NAT
     |           |         |                |                     |            |
     |           |         |                |                     |            |
     |           |         |                |                     |            |
     |           |         |                |                     |            |

The answers for all groups are found in the NAT Deployment table. In Lab 2 you defined the source and destination address sets named XX-VRhosts and XX-VR2hosts; those address sets contain private addresses (remember that XX is the corresponding city abbreviation).

NAT Deployment

City                                     from-zone  to-zone  Source Address        Destination Address   Source NAT         Destination NAT
Tokyo, San Jose, Denver, Montreal        Retail     Public   XX-VRhosts            PublicAddressFinance  RetailSourcePool   n/a
                                         Public     Retail   PublicAddressFinance  PublicAddressRetail   n/a                RetailDestNAT
                                         Admin      Public   XX-VR2hosts           PublicAddressHR       AdminSourcePool    n/a
                                         Public     Admin    PublicAddressHR       PublicAddressAdmin    n/a                AdminDestNAT
London, Hong Kong, Sao Paulo, Amsterdam  Public     HR       PublicAddressAdmin    PublicAddressHR       n/a                HRDestNAT
                                         HR         Public   XX-VRhosts            PublicAddressAdmin    HRSourcePool       n/a
                                         Public     Finance  PublicAddressRetail   PublicAddressFinance  n/a                FinanceDestNAT
                                         Finance    Public   XX-VR2hosts           PublicAddressRetail   FinanceSourcePool  n/a

Step 3.2
Display the configuration of the security policies to be altered.

[edit security nat]
up

[edit security]
edit policies

[edit security policies]
show from-zone Retail to-zone Public
policy RetailToFinance {
    match {
        source-address TO-VRhosts;
        destination-address LO-VR2hosts;

        application my-apps;
    }
    then {
        permit;
    }
}

[edit security policies]
lab@tokyo# show from-zone Public to-zone Retail
policy FinanceToRetail {
    match {
        source-address LO-VR2hosts;
        destination-address TO-VRhosts;
        application my-apps;
    }
    then {
        permit;
    }
}

[edit security policies]
lab@tokyo# show from-zone Admin to-zone Public
policy AdminToHR {
    match {
        source-address TO-VR2hosts;
        destination-address LO-VRhosts;
        application my-apps;
    }
    then {
        permit;
    }
}

[edit security policies]
lab@tokyo# show from-zone Public to-zone Admin
policy HRtoAdmin {
    match {
        source-address LO-VRhosts;
        destination-address TO-VR2hosts;
        application my-apps;
    }
    then {
        permit;
    }
}

[edit security policies]
lab@tokyo#

Step 3.3
Using the table that you filled out in Step 3.1, adjust the security policy configurations, reflecting all the necessary changes in the source and destination addresses. Also make the appropriate changes to the permit statements of the security policies, ensuring that the corresponding source NAT, destination NAT, or both take place as a result of policy execution.

[edit security policies]
lab@tokyo# edit from-zone Retail to-zone Public

[edit security policies from-zone Retail to-zone Public]
lab@tokyo# delete policy RetailToFinance match destination-address

[edit security policies from-zone Retail to-zone Public]
lab@tokyo# set policy RetailToFinance match destination-address PublicAddressFinance

[edit security policies from-zone Retail to-zone Public]
lab@tokyo# set policy RetailToFinance then permit source-nat pool RetailSourcePool

[edit security policies from-zone Retail to-zone Public]
lab@tokyo# show
policy RetailToFinance {
    match {
        source-address TO-VRhosts;
        destination-address PublicAddressFinance;
        application my-apps;
    }
    then {
        permit {
            source-nat {
                pool RetailSourcePool;
            }
        }
    }
}

[edit security policies from-zone Retail to-zone Public]
lab@tokyo# up

[edit security policies]
lab@tokyo# edit from-zone Public to-zone Retail

[edit security policies from-zone Public to-zone Retail]
lab@tokyo# delete policy FinanceToRetail match source-address

[edit security policies from-zone Public to-zone Retail]
lab@tokyo# delete policy FinanceToRetail match destination-address

[edit security policies from-zone Public to-zone Retail]
lab@tokyo# set policy FinanceToRetail match source-address PublicAddressFinance

[edit security policies from-zone Public to-zone Retail]
set policy FinanceToRetail match destination-address PublicAddressRetail

[edit security policies from-zone Public to-zone Retail]
set policy FinanceToRetail then permit destination-nat RetailDestNAT

[edit security policies from-zone Public to-zone Retail]
show
policy FinanceToRetail {
    match {
        source-address PublicAddressFinance;
        destination-address PublicAddressRetail;
        application my-apps;
    }
    then {
        permit {
            destination-nat {
                RetailDestNAT;
            }
        }
    }
}

[edit security policies from-zone Public to-zone Retail]
lab@tokyo# up

[edit security policies]
lab@tokyo# edit from-zone Admin to-zone Public

[edit security policies from-zone Admin to-zone Public]
lab@tokyo# delete policy AdminToHR match destination-address

[edit security policies from-zone Admin to-zone Public]
lab@tokyo# set policy AdminToHR match destination-address PublicAddressHR

[edit security policies from-zone Admin to-zone Public]
lab@tokyo# set policy AdminToHR then permit source-nat pool AdminSourcePool

[edit security policies from-zone Admin to-zone Public]
lab@tokyo# show
policy AdminToHR {
    match {
        source-address TO-VR2hosts;
        destination-address PublicAddressHR;
        application my-apps;
    }
    then {
        permit {
            source-nat {
                pool AdminSourcePool;
            }
        }
    }
}

[edit security policies from-zone Admin to-zone Public]
up

[edit security policies]
edit from-zone Public to-zone Admin

[edit security policies from-zone Public to-zone Admin]
delete policy HRtoAdmin match source-address

[edit security policies from-zone Public to-zone Admin]
delete policy HRtoAdmin match destination-address

[edit security policies from-zone Public to-zone Admin]
set policy HRtoAdmin match source-address PublicAddressHR

[edit security policies from-zone Public to-zone Admin]
set policy HRtoAdmin match destination-address PublicAddressAdmin

[edit security policies from-zone Public to-zone Admin]
set policy HRtoAdmin then permit destination-nat AdminDestNAT

[edit security policies from-zone Public to-zone Admin]
show
policy HRtoAdmin {
    match {
        source-address PublicAddressHR;
        destination-address PublicAddressAdmin;
        application my-apps;
    }
    then {
        permit {
            destination-nat {
                AdminDestNAT;
            }
        }
    }
}

[edit security policies from-zone Public to-zone Admin]
lab@tokyo#

The following is the resulting configuration from Tokyo's peer, London:

[edit security policies]
lab@london# show
from-zone Public to-zone HR {
    policy AdminToHR {
        match {
            source-address PublicAddressAdmin;
            destination-address PublicAddressHR;
            application my-apps;
        }

        then {
            permit {
                destination-nat {
                    HRdestNAT;
                }
            }
        }
    }
}
from-zone Public to-zone Finance {
    policy RetailtoFinance {
        match {
            source-address PublicAddressRetail;
            destination-address PublicAddressFinance;
            application any;
        }
        then {
            permit {
                destination-nat {
                    FinanceDestNAT;
                }
            }
        }
    }
}
from-zone Finance to-zone Public {
    policy FinanceToRetail {
        match {
            source-address LO-VR2hosts;
            destination-address PublicAddressRetail;
            application my-apps;
        }
        then {
            permit {
                source-nat {
                    pool FinanceSourcePool;
                }
            }
        }
    }
}
from-zone HR to-zone Public {
    policy HRtoPublic {
        match {
            source-address LO-VRhosts;
            destination-address PublicAddressAdmin;
            application my-apps;
        }
        then {
            permit {
                source-nat {
                    pool HRsourcePool;
                }
            }
        }
    }
}

[edit security policies]

Step 3.4
Commit the configuration file.

[edit security policies from-zone Public to-zone Admin]
commit and-quit
commit complete
Exiting configuration mode

Part 4: NAT Testing and Troubleshooting

Step 4.1
In this part of the lab you will test source and destination NAT.

From your router, use Telnet to access the XX-VR router of your city region. (Recall that XX are the first two letters of your city name. For example, TO-VR is the router name attached to Tokyo. The login name is your router name, router-vr, where router is in lower case letters, and the password is lab123.)

telnet
Trying
Connected to
Escape character is '^]'.

Sydney (ttyp0)

login: tokyo-vr
Password:

--- JUNOS 9.0R1.10 built :13:25 UTC

NOTE: This router is divided into many virtual routers used by different teams.
Please only configure your own virtual router.
You must use 'configure private' to configure this router.

Step 4.2
From the XX-VR router, initiate a Telnet session from one of the hosts located in the Retail or Admin zone to another host located in the Finance or HR zone.

Question: If you are initiating a Telnet session from the Retail zone, what destination address must you use? To which security zone does it belong? Why?

Answer: You will initiate a Telnet session from a host in the Retail zone to a destination address in the public address space belonging to the Finance zone. The reason is that other traffic will not be (should not be) permitted by the security policies.

tokyo-vr@sydney> telnet source routing-instance TO-VR2
Trying
telnet: connect to address : No route to host
telnet: Unable to connect to remote host
tokyo-vr@sydney>

Step 4.3
Question: Is the Telnet session successful? Why or why not?

Answer: The Telnet session is not successful because no route to the public addresses exists.

Fix the routing issue identified in Step 4.2. Exit the Telnet session into the XX-VR router of your city region.

tokyo-vr@sydney> exit
Connection closed by foreign host.
lab@tokyo>

Configure static routes to the prefixes of the public addresses for the hosts belonging to the local security zones of your router. For example, the Tokyo router will have static routes for the /24 and /24 prefixes, as they represent the prefixes of public addresses for the Retail and Admin security zones, which are local to Tokyo. The London router, on the other hand, will have static routes for the /24 and /24 prefixes, as they represent the prefixes of public addresses for the HR and Finance security zones, which are local to London.

The next-hop addresses to be used in the static route definitions are the x.y addresses leading to the respective hosts in the corresponding security zones. For example, the /24 static route, because it represents the public address prefix for hosts in the Retail zone, will use as its next-hop address. The Lab 3 network diagrams provide all the necessary information. The following Public Address Assignment table provides the reference between the public address prefixes and the corresponding security zones.

lab@tokyo> edit
Entering configuration mode

[edit]
lab@tokyo# edit routing-options static

[edit routing-options static]
lab@tokyo# set route /24 next-hop

[edit routing-options static]
lab@tokyo# set route /24 next-hop

[edit routing-options static]
lab@tokyo# show
route /24 next-hop ;
route /24 next-hop ;

[edit routing-options static]
lab@tokyo#

Here is the sample configuration for Tokyo's peer router, London:

[edit]
lab@london# show routing-options
static {
    route /24 next-hop ;
    route /24 next-hop ;
}

[edit]
lab@london#

Public Address Assignment
Security Zone Name    Public Address Space
Retail                /24
Admin                 /24
HR                    /24
Finance               /24

Step 4.4
Ensure that the configured static routes are propagated to routers across the Internet and your local LANs.

Question: What technique in JUNOS software do you use to propagate static routes to other routers?

Answer: To propagate static routes to other routers, use OSPF and routing policies. First, configure a routing policy. Next, export the configured policy under the OSPF protocol.

[edit routing-options static]
top

[edit]
edit policy-options

[edit policy-options]
set policy-statement statictoospf term 10 from protocol static

[edit policy-options]
set policy-statement statictoospf term 10 then accept

[edit policy-options]
show
policy-statement statictoospf {
    term 10 {
        from protocol static;
        then accept;
    }
}

[edit policy-options]
lab@tokyo# top

[edit]
lab@tokyo# edit protocols ospf

[edit protocols ospf]
lab@tokyo# set export statictoospf

[edit protocols ospf]
lab@tokyo# show
export statictoospf;
area {
    interface se-1/0/1.602;
    interface lo0.0;
}

area {
    area-range /24;
    interface ge-0/0/3.100;
}
area {
    area-range /24;
    interface ge-0/0/3.200;
}

[edit protocols ospf]
lab@tokyo#

Step 4.5
Commit the changes.

[edit protocols ospf]
lab@tokyo# commit and-quit
commit complete
Exiting configuration mode
lab@tokyo>

Step 4.6
From your router, use Telnet to access the XX-VR router of your city region. (Recall that XX are the first two letters of your city name. For example, TO-VR is the router name attached to Tokyo. The login name is your router name, router-vr, where router is in lower case letters, and the password is lab123.)

lab@tokyo> telnet
Trying
Connected to
Escape character is '^]'.

Sydney (ttyp0)

login: tokyo-vr
Password:

--- JUNOS 9.0R1.10 built :13:25 UTC

NOTE: This router is divided into many virtual routers used by different teams.
Please only configure your own virtual router.
You must use 'configure private' to configure this router.

tokyo-vr@sydney>

Note
This step should be performed by only one of the members of the group, because the other member of the group will be observing the results of NAT.

Step 4.7
From the XX-VR router, initiate a Telnet session from one of the hosts located in the Retail or Admin zone to another host located in the Finance or HR zone.

tokyo-vr@sydney> telnet source routing-instance TO-VR
Trying
Connected to
Escape character is '^]'.

Sydney (ttyp0)

login:

Step 4.8
Question: Is the Telnet session successful?

Answer: Yes, the Telnet session should be successful.

Using the management interface ge-0/0/0.0, use Telnet to access the router that is performing the tests identified in Step 4.7.

lab@london> telnet
Trying
Connected to
Escape character is '^]'.

Tokyo (ttyp0)

login: lab
Password:

--- JUNOS 9.0R1.10 built :14:18 UTC

lab@tokyo>

Step 4.9
Use show commands to observe NAT functionality.

lab@tokyo> show security flow session
Session ID: 1, Policy name: self-traffic-policy/1, Timeout: 54
  In: /1 --> /1;ospf, If: ge-0/0/3.200
  Out: /1 --> /1;ospf, If: .local..0

Session ID: 2, Policy name: self-traffic-policy/1, Timeout: 60
  In: /1 --> /1;ospf, If: ge-0/0/3.100
  Out: /1 --> /1;ospf, If: .local..0

Session ID: 5, Policy name: self-traffic-policy/1, Timeout: 1782
  In: / --> /23;tcp, If: .local..0
  Out: /23 --> /49463;tcp, If: ge-0/0/3.100

Session ID: 6, Policy name: self-traffic-policy/1, Timeout: 58
  In: /1 --> /1;ospf, If: se-1/0/1.602

  Out: /1 --> /1;ospf, If: .local..0

Session ID: 8, Policy name: RetailToFinance/6, Timeout: 1782
  In: / --> /23;tcp, If: ge-0/0/3.100
  Out: /23 --> /1025;tcp, If: se-1/0/1.602

Session ID: 9, Policy name: self-traffic-policy/1, Timeout: 1800
  In: / --> /23;tcp, If: ge-0/0/0.0
  Out: /23 --> /56534;tcp, If: .local..0
6 sessions displayed
lab@tokyo>

Step 4.10
Question: How many sessions exist? Explain.

Answer: The Tokyo router has six sessions. Three of the sessions on each router are OSPF sessions. The other sessions are Telnet sessions.

Use the show security nat command to view source and destination NAT details.

lab@tokyo> show security nat destination-nat summary
Pool name          Address range    Port
RetailDestNAT
AdminDestNAT

lab@tokyo> show security nat source-nat summary
Pool name          Address low    Address high    Interface       PAT
RetailSourcePool                                  se-1/0/1.602    yes
AdminSourcePool                                   se-1/0/1.602    yes

lab@london> show security nat destination-nat summary
Pool name          Address range    Port
FinanceDestNAT
HRdestNAT

lab@london> show security nat source-nat summary
Pool name          Address low    Address high    Interface       PAT
FinanceSourcePool                                 se-1/0/0.603    yes
HRsourcePool                                      se-1/0/0.603    yes
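Each session above shows a forward (In) wing and a reverse (Out) wing; comparing the two tells you which kind of NAT the session underwent. The following Python script is an added example, not part of the lab guide: it parses output in the Step 4.9 format and labels each session as source NAT, destination NAT, both, or none. The session lines and addresses it contains are constructed placeholders, not the lab's addresses.

```python
"""Classify JUNOS 'show security flow session' output by NAT type.

Added example, not part of the lab guide. It parses the In/Out wing
format shown in Step 4.9 and decides, per session, whether source NAT,
destination NAT, both, or neither was applied, by comparing the forward
(In) wing with the reverse (Out) wing. The sample sessions below are
constructed with placeholder addresses.
"""
import re
from collections import Counter

# Constructed sample in the format of the guide's Step 4.9 output.
SAMPLE = """\
Session ID: 6, Policy name: self-traffic-policy/1, Timeout: 58
  In: 172.16.2.1/1 --> 224.0.0.5/1;ospf, If: se-1/0/1.602
  Out: 224.0.0.5/1 --> 172.16.2.1/1;ospf, If: .local..0

Session ID: 8, Policy name: RetailToFinance/6, Timeout: 1782
  In: 10.1.1.1/49463 --> 198.51.100.10/23;tcp, If: ge-0/0/3.100
  Out: 198.51.100.10/23 --> 203.0.113.1/1025;tcp, If: se-1/0/1.602

Session ID: 12, Policy name: FinanceToRetail/7, Timeout: 1790
  In: 198.51.100.10/40000 --> 203.0.113.5/23;tcp, If: se-1/0/1.602
  Out: 10.1.1.5/23 --> 198.51.100.10/40000;tcp, If: ge-0/0/3.100
3 sessions displayed
"""

SESSION_RE = re.compile(r"Session ID: (\d+), Policy name: ([^/]+)/\d+")
WING_RE = re.compile(
    r"(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+)")


def parse_sessions(text):
    """Return a list of dicts with id, policy and the two wings."""
    sessions = []
    current = None
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            current = {"id": int(m.group(1)), "policy": m.group(2)}
            sessions.append(current)
            continue
        w = WING_RE.search(line)
        if w and current is not None:
            direction, src, sport, dst, dport, proto, ifname = w.groups()
            current[direction.lower()] = {
                "src": src, "sport": int(sport),
                "dst": dst, "dport": int(dport),
                "proto": proto, "if": ifname,
            }
    return sessions


def classify_nat(session):
    """Label a session 'none', 'source', 'destination' or 'both'.

    Without NAT the Out wing is the exact mirror of the In wing. Source
    NAT (or PAT) shows up as the Out wing's destination differing from
    the In wing's source; destination NAT shows up as the Out wing's
    source differing from the In wing's destination.
    """
    i, o = session["in"], session["out"]
    src_nat = (o["dst"], o["dport"]) != (i["src"], i["sport"])
    dst_nat = (o["src"], o["sport"]) != (i["dst"], i["dport"])
    if src_nat and dst_nat:
        return "both"
    if src_nat:
        return "source"
    if dst_nat:
        return "destination"
    return "none"


def summarize(text):
    """Map each session ID to (policy, NAT label) and count per policy."""
    result = {}
    per_policy = Counter()
    for s in parse_sessions(text):
        label = classify_nat(s)
        result[s["id"]] = (s["policy"], label)
        per_policy[s["policy"]] += 1
    return result, per_policy


if __name__ == "__main__":
    by_id, counts = summarize(SAMPLE)
    for sid, (policy, label) in sorted(by_id.items()):
        print(f"session {sid}: policy={policy} nat={label}")
    print(dict(counts))
```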

STOP
Tell your instructor that you have completed Lab 3.


Lab 4
Campus Interconnectivity IPSec VPNs (Detailed)

Overview
In this lab, you will implement secure tunnels using route-based IPSec VPNs. This lab is available in two formats: a high-level format that is designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands.

Specifically, by completing this lab, you will perform the following tasks:
Configure a route-based IPSec VPN between the two sites across the Internet.
Troubleshoot and monitor IPSec VPNs.

Similar to the previous lab, this lab requires you to use the Sydney router, which is logically segmented into several virtual routers. Each student router connects to two virtual routers in the form of XX-VR and XX-VR2, where XX is a two-letter abbreviation for the directly connected student router. Sydney also acts as the service provider, which provides Frame Relay services between sites.

Key Commands
Key operational mode commands used in this lab include the following:
?
clear security ike security-associations
clear security ipsec security-associations
clear security ipsec statistics
configure
monitor start
monitor stop
ping
show log
show ospf neighbor
show route
show security ike security-associations
show security ipsec security-associations
show security ipsec statistics
show security policies
show security zones

Part 1: Configuring IKE Phase 1 Parameters

Step 1.1
In this part of the lab, you will configure the IKE Phase 1 parameters for the Retail/Finance IPSec VPN tunnel. Specifically, you will configure the IKE proposal, the IKE policy, and the IKE gateway.

Log in to the router with the username lab and the password lab123.

Note
The username and the password are case sensitive.

Tokyo (ttyd0)

login: lab
Password:

--- JUNOS 9.0R1.10 built :14:18 UTC

lab@tokyo>

Step 1.2
Define the IKE Phase 1 proposal, named IkeProposal, using the following parameters:
Authentication method: Preshared keys;
DH group: Group 5;
Authentication algorithm: MD5;
Encryption algorithm: 3DES-CBC; and
Proposal lifetime value: 1200 seconds.

Here is the sample configuration for the Tokyo router:

lab@tokyo> edit
Entering configuration mode

[edit]
lab@tokyo# edit security ike

[edit security ike]
lab@tokyo# show proposal IkeProposal
authentication-method pre-shared-keys;
dh-group group5;
authentication-algorithm md5;
encryption-algorithm 3des-cbc;
lifetime-seconds 1200;

[edit security ike]
lab@tokyo#

Step 1.3
Define the IKE Phase 1 policy, called IkePolicy. Use main mode and a preshared key of vpn123.

Here is the sample configuration for the Tokyo router:

[edit security ike]
lab@tokyo# set policy IkePolicy mode main

[edit security ike]
lab@tokyo# set policy IkePolicy pre-shared-key ascii-text vpn123

[edit security ike]
lab@tokyo# set policy IkePolicy proposals IkeProposal

[edit security ike]
lab@tokyo# show policy IkePolicy
mode main;
proposals IkeProposal;
pre-shared-key ascii-text "$9$0z2e1SeKMXbs48LGDkqf5"; ## SECRET-DATA

[edit security ike]
lab@tokyo#

Step 1.4
Define the IKE Phase 1 gateway, named IkeGateway.

Question: What address must you specify for the gateway?

Answer: The address of the gateway is the IP address of the serial link across the Internet. For example, for Tokyo's specification of the gateway, the address is , which is the IP address of London's serial interface that faces Tokyo via the Internet.

[edit security ike]
show gateway IkeGateway
ike-policy IkePolicy;
address ;
external-interface se-1/0/1.602;

[edit security ike]
up

[edit security]

Part 2: Configuring IKE Phase 2 Parameters

Step 2.1
In this part of the lab you will configure the IKE Phase 2 parameters for the IPSec VPN tunnel. Specifically, you will configure the IPSec proposal, the IPSec policy, and the IPSec VPN.

Configure the IPSec proposal, named ProposalIke2, using the following parameters:
The protocol is ESP;
The authentication algorithm is HMAC-MD5-96;
The encryption algorithm is 3DES-CBC; and
The lifetime of the proposal is 4800 seconds.

Here is the sample configuration for the Tokyo router:

[edit security]
lab@tokyo# edit ipsec

[edit security ipsec]
lab@tokyo# show proposal ProposalIke2
protocol esp;
authentication-algorithm hmac-md5-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 4800;

[edit security ipsec]
lab@tokyo#

Step 2.2
Define the IPSec policy, called IPSecPolicy, to use Group 5 for the perfect-forward-secrecy keys.

Here is the sample configuration for the Tokyo router:

[edit security ipsec]
lab@tokyo# show policy IPSecPolicy
perfect-forward-secrecy {
    keys group5;
}

[edit security ipsec]
lab@tokyo#

Step 2.3
Assign the proposal, named ProposalIke2, to the policy defined in Step 2.2.

[edit security ipsec]
lab@tokyo# set policy IPSecPolicy proposals ProposalIke2

Step 2.4
Define the IPSec VPN, called IPSecVPN. Ensure that the IPSec tunnel is established only when there is traffic that needs to go through the tunnel.

[edit security ipsec]
lab@tokyo# show vpn IPSecVPN
ike {
    gateway IkeGateway;
    ipsec-policy IPSecPolicy;
}
establish-tunnels on-traffic;

[edit security ipsec]
lab@tokyo#

Step 2.5
Question: How do you ensure that an IPSec tunnel is established without waiting for any traffic?

Answer: To ensure that an IPSec tunnel is established without waiting for any traffic, use the establish-tunnels immediately knob.

Bind the configured IPSec VPN to the st0.0 interface.

[edit security ipsec]
lab@tokyo# set vpn IPSecVPN bind-interface st0.0

[edit security ipsec]
lab@tokyo#
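Both gateways must offer matching Phase 1 and Phase 2 proposals before the tunnel can come up, and a mismatch is the first thing to check when it does not. The following Python script is an added example, not part of the lab guide: it parses the "show" output format of Steps 1.2 and 2.1 for two peers and reports the parameters that differ. The two configurations are constructed, with the London side deliberately given a different DH group so that the check fires.

```python
"""Compare the IKE Phase 1 and IPSec Phase 2 parameters of two peers.

Added example, not part of the lab guide. It parses the 'keyword value;'
lines of the proposal stanzas as shown by 'show proposal ...' in Steps
1.2 and 2.1, plus the PFS group from Step 2.2, for two peers, and lists
every parameter on which they disagree. Both configurations below are
constructed; London's dh-group is deliberately changed.
"""
import re

# Constructed 'show' output in the guide's format (Tokyo side).
TOKYO = {
    "ike": """\
authentication-method pre-shared-keys;
dh-group group5;
authentication-algorithm md5;
encryption-algorithm 3des-cbc;
lifetime-seconds 1200;
""",
    "ipsec": """\
protocol esp;
authentication-algorithm hmac-md5-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 4800;
""",
    "pfs": "group5",
}

# Constructed peer with a single deliberate mismatch (dh-group).
LONDON = {
    "ike": """\
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm md5;
encryption-algorithm 3des-cbc;
lifetime-seconds 1200;
""",
    "ipsec": """\
protocol esp;
authentication-algorithm hmac-md5-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 4800;
""",
    "pfs": "group5",
}

STMT_RE = re.compile(r"^\s*([\w-]+)\s+([^;]+);\s*$")

# Parameters that must agree for a proposal to be accepted. Lifetimes are
# reported separately by lifetime_warnings() rather than as hard mismatches.
MUST_MATCH = {
    "ike": ("authentication-method", "dh-group",
            "authentication-algorithm", "encryption-algorithm"),
    "ipsec": ("protocol", "authentication-algorithm",
              "encryption-algorithm"),
}


def parse_stanza(text):
    """Turn 'keyword value;' lines into a dict."""
    params = {}
    for line in text.splitlines():
        m = STMT_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params


def compare_peers(a, b):
    """Return a list of (phase, parameter, value_a, value_b) mismatches."""
    mismatches = []
    for phase in ("ike", "ipsec"):
        pa, pb = parse_stanza(a[phase]), parse_stanza(b[phase])
        for key in MUST_MATCH[phase]:
            if pa.get(key) != pb.get(key):
                mismatches.append((phase, key, pa.get(key), pb.get(key)))
    if a["pfs"] != b["pfs"]:
        mismatches.append(("ipsec", "perfect-forward-secrecy",
                           a["pfs"], b["pfs"]))
    return mismatches


def lifetime_warnings(a, b):
    """Return (phase, lifetime_a, lifetime_b) for any differing lifetimes."""
    warnings = []
    for phase in ("ike", "ipsec"):
        la = parse_stanza(a[phase]).get("lifetime-seconds")
        lb = parse_stanza(b[phase]).get("lifetime-seconds")
        if la != lb:
            warnings.append((phase, la, lb))
    return warnings


if __name__ == "__main__":
    for phase, key, va, vb in compare_peers(TOKYO, LONDON):
        print(f"MISMATCH {phase} {key}: tokyo={va} london={vb}")
    for phase, la, lb in lifetime_warnings(TOKYO, LONDON):
        print(f"NOTE {phase} lifetime differs: tokyo={la} london={lb}")
```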

Part 3: Configuring Route-Based IPSec VPN Elements

Step 3.1
In this part of the lab you will configure the distinguishing parameters for route-based IPSec VPNs.

Configure the st0.0 interface on your router. Use the Lab 4 network diagram for the IP address assignment for your group.

[edit security ipsec]
top

[edit]
lab@tokyo# edit interfaces

[edit interfaces]
lab@tokyo# set st0 unit 0 family inet address /30

[edit interfaces]
lab@tokyo# up

[edit]
lab@tokyo#

Step 3.2
Ensure that routing between the two sites across the Internet is performed across the st0.0 interface.

[edit]
lab@tokyo# show protocols
ospf {
    export statictoospf;
    area {
        interface se-1/0/1.602;
        interface lo0.0;
    }
    area {
        area-range /24;
        interface ge-0/0/3.100;
    }
    area {
        area-range /24;
        interface ge-0/0/3.200;
    }
}

[edit]

Question: To what OSPF area should interface st0.0 belong on your router?

Answer: The st0.0 interface should belong to Area 0.

delete protocols ospf area 0 interface se-1/0/1.602

[edit]
lab@tokyo# set protocols ospf area 0 interface st0.0

[edit]
lab@tokyo# show protocols
ospf {
    export statictoospf;
    area {
        interface lo0.0;
        interface st0.0;
    }
    area {
        area-range /24;
        interface ge-0/0/3.100;
    }
    area {
        area-range /24;
        interface ge-0/0/3.200;
    }
}

Step 3.3
Commit the configuration.

[edit]
lab@tokyo# commit
commit complete

Step 3.4
Check the status of the OSPF routing protocol.

Question: Do you see any neighbors across the st0.0 interface? Why or why not?

Answer: There are no neighbors across the st0.0 interface because the st0.0 interface has not been assigned to a security zone and, as such, it belongs to the Null zone by default.

[edit]
lab@tokyo# run show ospf neighbor
Address    Interface       State    ID    Pri    Dead
           ge-0/0/3.100    Full
           ge-0/0/3.200    Full

[edit]
lab@tokyo# run show ospf interface
Interface       State     Area    DR ID    BDR ID    Nbrs
lo0.0           DR

st0.0           PtToPt
ge-0/0/3.100    BDR
ge-0/0/3.200    BDR

[edit]
lab@tokyo#

Step 3.5
Ensure that the problem identified in Step 3.4 is fixed.

[edit]
lab@tokyo# edit security zones

[edit security zones]
lab@tokyo# edit security-zone Public

[edit security zones security-zone Public]
lab@tokyo# show
address-book {
    address TO-VRhost /32;
    address TO-VRhost /32;
    address TO-VRhost /32;
    address TO-VR2host /32;
    address TO-VR2host /32;
    address TO-VR2host /32;
    address LO-VRhost /32;
    address LO-VRhost /32;
    address LO-VRhost /32;
    address LO-VR2host /32;
    address LO-VR2host /32;
    address LO-VR2host /32;
    address PublicAddressRetail /24;
    address PublicAddressAdmin /24;
    address PublicAddressHR /24;
    address PublicAddressFinance /24;
    address-set TO-VRhosts {
        address TO-VRhost1;
        address TO-VRhost2;
        address TO-VRhost3;
    }
    address-set LO-VRhosts {
        address LO-VRhost1;
        address LO-VRhost2;
        address LO-VRhost3;
    }
    address-set TO-VR2hosts {
        address TO-VR2host1;
        address TO-VR2host2;
        address TO-VR2host3;
    }
    address-set LO-VR2hosts {
        address LO-VR2host1;
        address LO-VR2host2;
        address LO-VR2host3;
    }
}

host-inbound-traffic {
    protocols {
        ospf;
    }
}
interfaces {
    lo0.0;
    se-1/0/1.602;
}

[edit security zones security-zone Public]
lab@tokyo# set interfaces st0.0

[edit security zones security-zone Public]
lab@tokyo# show interfaces
lo0.0;
se-1/0/1.602;
st0.0;

[edit security zones security-zone Public]
lab@tokyo#

Step 3.6
Commit the configuration changes.

[edit security zones security-zone Public]
lab@tokyo# commit
commit complete

[edit security zones security-zone Public]
lab@tokyo#

Step 3.7
Check the OSPF neighbors.

Question: Do you see any neighbors across the st0.0 interface?

Answer: You should see one OSPF neighbor across the st0.0 interface.

[edit security zones security-zone Public]
lab@tokyo# run show ospf neighbor
Address    Interface       State    ID    Pri    Dead
           st0.0           Full
           ge-0/0/3.100    Full
           ge-0/0/3.200    Full

[edit security zones security-zone Public]
exit

[edit security zones]
exit

[edit]
exit
Exiting configuration mode

Part 4: Troubleshooting the Retail/Finance IPSec VPN Operation

Step 4.1
Confirm that IKE Phase 1 security associations (SAs) are formed.

Question: In what state is the IKE Phase 1 SA? Why?

Answer: IKE Phase 1 SAs are formed because IPSec VPN tunnels are established on the condition of receiving traffic that must be sent through them. In our case, it is the OSPF traffic that causes the IKE Phase 1 SAs to be formed.

lab@tokyo> show security ike security-associations
Index    Remote Address    State    Initiator cookie    Responder cookie    Mode
                           UP       1e830b1e240dc921    acc980e867ae1723    Main

Step 4.2
Confirm that IKE Phase 2 SAs are formed.

lab@tokyo> show security ipsec security-associations
  total configured sa: 2
  ID    Gateway    Port    Algorithm       SPI         Life:sec/kb    Mon    vsys
  <                        ESP:3des/md5    7583bb6e    4029/ unlim    -      0
  >                        ESP:3des/md5    17f         / unlim        -      0
lab@tokyo>

Step 4.3
From your router, use Telnet to access the XX-VR router of your city region. (Recall that XX are the first two letters of your city name. For example, TO-VR is the router name attached to Tokyo. The login name is your router name, router-vr, where router is in lower case letters, and the password is lab123.)

telnet
Trying
Connected to
Escape character is '^]'.

Sydney (ttyp0)

login: tokyo-vr
Password:

--- JUNOS 9.0R1.10 built :13:25 UTC

NOTE: This router is divided into many virtual routers used by different teams.
Please only configure your own virtual router.
You must use 'configure private' to configure this router.

Step 4.4
From the XX-VR router, initiate a Telnet session from one of the hosts located in the Retail zone to another host located in the Finance zone.

tokyo-vr@sydney> telnet source routing-instance TO-VR
Trying
^C
tokyo-vr@sydney>

Step 4.5
Log out from the XX-VR router.

tokyo-vr@sydney> exit
Connection closed by foreign host.
lab@tokyo>

Step 4.6
Question: Is the Telnet session successful?

Answer: The Telnet session is not successful.

Recall that your router and your partner's router are performing NAT. Check the source NAT assignments.

Question: With which interfaces are the source NAT addresses associated?

Answer: The source NAT addresses are associated with the serial interfaces.

Question: With which interfaces should the source NAT addresses be associated now?

Answer: The source NAT addresses should be associated with the tunnel interface, st0.0.

show security nat source-nat summary
Pool name          Address low    Address high    Interface       PAT
RetailSourcePool                                  se-1/0/1.602    yes
AdminSourcePool                                   se-1/0/1.602    yes

show security nat source-nat summary
Pool name          Address low    Address high    Interface       PAT
FinanceSourcePool                                 se-1/0/0.603    yes
HRsourcePool                                      se-1/0/0.603    yes

Step 4.7
Fix the problem identified in Step 4.6.

edit
Entering configuration mode

[edit]
edit security nat

[edit security nat]
show
destination-nat RetailDestNAT {
    address-range low high ;
}
destination-nat AdminDestNAT {
    address-range low high ;
}
interface se-1/0/1.602 {
    source-nat {
        pool RetailSourcePool {
            address {
                ;
            }
        }
        pool AdminSourcePool {
            address {
                ;
            }
        }
    }
}

[edit security nat]
lab@tokyo# rename interface se-1/0/1.602 to interface st0.0

[edit security nat]

show
destination-nat RetailDestNAT {
    address-range low high ;
}
destination-nat AdminDestNAT {
    address-range low high ;
}
interface st0.0 {
    source-nat {
        pool RetailSourcePool {
            address {
                ;
            }
        }
        pool AdminSourcePool {
            address {
                ;
            }
        }
    }
}

[edit security nat]
lab@tokyo#

Step 4.8
Commit the configuration changes.

[edit security nat]
lab@tokyo# commit
commit complete

[edit security nat]
lab@tokyo# exit

[edit]
lab@tokyo# exit
Exiting configuration mode
lab@tokyo>

Step 4.9
Repeat Steps 4.3 and 4.4.

Question: Is the Telnet session successful?

Answer: The Telnet session should now be successful.

lab@tokyo> telnet
Trying
Connected to
Escape character is '^]'.

Sydney (ttyp0)

login: tokyo-vr
Password:

--- JUNOS 9.0R1.10 built :13:25 UTC

NOTE: This router is divided into many virtual routers used by different teams.
Please only configure your own virtual router.
You must use 'configure private' to configure this router.

telnet source routing-instance TO-VR
Trying
Connected to
Escape character is '^]'.

Sydney (ttyp1)

login: ^CClient aborted login
Connection closed by foreign host.

Step 4.10
Exit the Telnet session.

exit
Connection closed by foreign host.

Step 4.11
From your router, use Telnet to access the XX-VR2 router of your city region. (Recall that XX are the first two letters of your city name. For example, TO-VR2 is the router name attached to Tokyo. The login name is your router name, router-vr2, where router is in lower case letters, and the password is lab123.)

telnet
Trying
Connected to
Escape character is '^]'.

Sydney (ttyp0)

login: tokyo-vr2
Password:

--- JUNOS 9.0R1.10 built :13:25 UTC

NOTE: This router is divided into many virtual routers used by different teams.
Please only configure your own virtual router.

You must use 'configure private' to configure this router.

Step 4.12
Ensure that the established IPSec tunnel works for the Admin/HR zone connection as well, which you can do by establishing a Telnet session originating from a host located in the Admin zone to a host located in the HR zone.

tokyo-vr2@sydney> telnet source routing-instance TO-VR2
Trying
Connected to
Escape character is '^]'.

Sydney (ttyp1)

login:

Step 4.13
Question: Is the Telnet session successful?

Answer: The Telnet session should be successful.

Observe the statistics of the IPSec tunnel on the other router of your pod.

lab@london> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:
  Decrypted bytes:
  Encrypted packets:    414
  Decrypted packets:    421
AH Statistics:
  Input bytes:          0
  Output bytes:         0
  Input packets:        0
  Output packets:       0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

lab@london> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:
  Decrypted bytes:
  Encrypted packets:    414
  Decrypted packets:    422
AH Statistics:
  Input bytes:          0
  Output bytes:         0
  Input packets:        0

  Output packets:       0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
lab@london>

STOP
Tell your instructor that you have completed Lab 4.

Operating Enhanced Services for JUNOS Software
Appendix A: Lab Diagrams
(Pages A-2 through A-10: lab topology diagrams, images not reproduced in this text.)


More information