Friday, January 18, 2013

Practice Lab 1 - pass through authentication

Practice Lab

Ok.
I am assuming you have a Juniper Firewall.
I bought the SRX100B as it was the cheapest.

Simply plug the LAN laptop into a port,
then plug the WAN laptop into a port,
then plug the WAN Cisco router into a port.


The logical idea is simple.
The LAN PC at the bottom will open an HTTP/FTP session to the WAN PC.
At that point the session will be intercepted by the SRX, which will present you
with its local-database user and password login.
After the LAN PC is authenticated it will remain authenticated on the firewall until 10 minutes elapse.


set interfaces fe-0/0/8 unit 0 family inet address 192.168.0.1/24
set interfaces fe-0/0/0 unit 0 family inet address 10.0.0.1/24
set interfaces fe-0/0/1 unit 0 family inet address 11.0.0.1/24

So now it should look like this.

The next step is creating the zones.
We will create two: LAN and INTERNET.
set security zones security-zone LAN interfaces fe-0/0/8 host-inbound-traffic system-services ping

So that created a LAN security zone, made interface fe-0/0/8 belong to it,
and enabled the interface to respond to ping so I can test it if I have issues.


set security zones security-zone INTERNET interfaces fe-0/0/0
set security zones security-zone INTERNET interfaces fe-0/0/1
Same thing:
create a security zone called INTERNET and add two interfaces to it.


Alright,
now we need to set up NAT.
The NAT will be a source NAT.
Traffic from LAN will be NATted.


set security nat source rule-set translate_lan from zone LAN
set security nat source rule-set translate_lan to zone INTERNET
set security nat source rule-set translate_lan rule ALL_to_10.0.0.1

So we created a NAT source rule-set.
It goes from zone LAN to zone INTERNET.
The first rule is:
set security nat source rule-set translate_lan rule ALL_to_10.0.0.1 match source-address 192.168.0.0/24


set security nat source rule-set translate_lan rule ALL_to_10.0.0.1 then source-nat pool ip_1

So we told it to look for the source address of our LAN,
and if it matches, give the outgoing packet the NAT IP from pool ip_1.

Now we can create that pool:
set security nat source pool ip_1 address 10.0.0.1/24

So let's review again:
if a packet comes from LAN to INTERNET and it has an IP inside 192.168.0.0/24,
then NAT it using the pool ip_1.



Ok.
Now the policy, under [edit security policies from-zone LAN to-zone INTERNET]:

policy allow_http {
    match {
        source-address any;
        destination-address any;
        application junos-http;
    }
    then {
        permit {
            firewall-authentication {
                pass-through {
                    client-match saar;
                }
            }
        }
    }
}
OK, a simple policy that allows HTTP traffic to flow. The traffic flow will trigger firewall authentication
of type pass-through; when the firewall checks permissions, client "saar" will be allowed out.


This is how we set up the firewall-authentication part,
under [edit access firewall-authentication]:

pass-through {
    default-profile Access_pass_through;
    ftp {
        banner {
            login "ftp secure access";
        }
    }
    telnet {
        banner {
            login "you are now trying to enter a secure facility";
            success "Telnet login banner";
            fail "Telnet fail login banner!!!!!";
        }
    }
    http {
        banner {
            login "HTTP login banner";
            success " HTTP success banner";
        }
    }
}


The last part is setting up ONE user for now.
set access profile Access_pass_through client saar firewall-user password #password#
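To make the behaviour of the policy and the firewall-authentication profile concrete, here is a small Python model of what the SRX does with a new session in this lab: zone lookup from the interface addressing, the allow_http policy, the pass-through challenge with its 10 minute timer, the client-match check, and the source NAT from rule-set translate_lan. This is an added example written for this page, not Junos code and not the author's configuration. It assumes that pool ip_1 hands out 10.0.0.1, that the 10 minutes behave as an idle timer refreshed by each permitted session, and it uses constructed passwords plus a second constructed user "guest" (not in the post) purely to show what client-match rejects.

```python
import hmac
from ipaddress import ip_address, ip_network

# Interface addressing and zone membership taken from the post.
INTERFACES = {
    "fe-0/0/8": (ip_network("192.168.0.0/24"), "LAN"),
    "fe-0/0/0": (ip_network("10.0.0.0/24"), "INTERNET"),
    "fe-0/0/1": (ip_network("11.0.0.0/24"), "INTERNET"),
}

# Source NAT rule-set translate_lan. Assumption: pool ip_1 hands out 10.0.0.1.
NAT_RULE = {
    "from": "LAN", "to": "INTERNET",
    "match": ip_network("192.168.0.0/24"),
    "pool_ip_1": "10.0.0.1",
}

# Policy allow_http: LAN -> INTERNET, junos-http (TCP/80), pass-through auth
# restricted by client-match to the user saar.
POLICY = {"from": "LAN", "to": "INTERNET", "app_port": 80, "client_match": {"saar"}}

# Stand-in for the access profile. "saar" is the post's user; "guest" and both
# passwords are constructed here only to exercise the client-match check.
PROFILE_ACCESS_PASS_THROUGH = {"saar": "lab-password", "guest": "guest-password"}

AUTH_TIMEOUT = 10 * 60  # seconds; the post's "10 minutes", treated as an idle timer


def zone_of(ip):
    """Return the zone of the interface whose subnet contains ip, or None."""
    addr = ip_address(ip)
    for net, zone in INTERFACES.values():
        if addr in net:
            return zone
    return None


class PassThroughFirewall:
    def __init__(self):
        # Firewall-authentication table: source IP -> (user, expiry timestamp)
        self.auth_table = {}

    def authenticated_user(self, src, now):
        """Return the cached user for src, dropping the entry if it has timed out."""
        entry = self.auth_table.get(src)
        if entry is None:
            return None
        user, expiry = entry
        if now > expiry:
            del self.auth_table[src]
            return None
        return user

    def evaluate(self, src, dst, dport, now, credentials=None):
        """Decide a new session: 'deny', 'challenge' (login banner) or 'permit'.

        credentials is the (user, password) pair typed into the banner, if any.
        The result carries the reason, the user and the NATted source address.
        """
        from_zone, to_zone = zone_of(src), zone_of(dst)

        # 1. Policy lookup: only LAN -> INTERNET on junos-http is permitted.
        if (from_zone, to_zone) != (POLICY["from"], POLICY["to"]) or dport != POLICY["app_port"]:
            return {"action": "deny", "reason": "no matching policy"}

        # 2. Pass-through firewall authentication.
        user = self.authenticated_user(src, now)
        if user is None:
            if credentials is None:
                return {"action": "challenge", "reason": "login banner presented"}
            name, password = credentials
            stored = PROFILE_ACCESS_PASS_THROUGH.get(name)
            if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
                return {"action": "deny", "reason": "bad credentials"}
            if name not in POLICY["client_match"]:
                return {"action": "deny", "reason": "user not in client-match"}
            user = name
        # Every permitted session refreshes the 10 minute idle timer.
        self.auth_table[src] = (user, now + AUTH_TIMEOUT)

        # 3. Source NAT: LAN addresses leave with the pool ip_1 address.
        nat_src = src
        if ip_address(src) in NAT_RULE["match"] and (from_zone, to_zone) == (NAT_RULE["from"], NAT_RULE["to"]):
            nat_src = NAT_RULE["pool_ip_1"]
        return {"action": "permit", "user": user, "nat_src": nat_src}


if __name__ == "__main__":
    fw = PassThroughFirewall()
    print(fw.evaluate("192.168.0.10", "10.0.0.5", 80, now=0))
    print(fw.evaluate("192.168.0.10", "10.0.0.5", 80, now=5, credentials=("saar", "lab-password")))
    print(fw.evaluate("192.168.0.10", "11.0.0.7", 80, now=300))
```

The first call from the LAN PC comes back as a challenge (the login banner), the second permits it with the source rewritten to 10.0.0.1, and the third is permitted without credentials because the entry is still cached; a session arriving more than ten minutes after the last permitted one is challenged again, and a valid user outside client-match is refused even though the password is right.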


Results:
Based on the above you can set up TELNET.
TELNET works easily and seamlessly.

HTTP: when I used a browser I got a nice user and password prompt.

FTP: I couldn't get this to work.



4 comments:

  1. question: why did you have the Cisco device? Was there a purpose? Also, not sure what you mean by: "The last part is setting up ONE user for now." I don't know where you're going with this. Otherwise, your walkthrough has been useful, in contrast to the dryness of the textbooks!

  2. Hello Ryan,

    The Cisco device was used as a workstation. You can keep a console cable and then use it as a host. I have a PC with 4 Serial ports as the "terminal server".
    It does ping, trace route and even telnet 80 which is the HTTP part.
    If you use a laptop you have to be there in person and the gear was a bit far.

    The
    set access profile Access_pass_through client saar firewall-user password
    Creates One User.

    If you were deploying this in a real environment you would have to create many users on the firewall which is a bit unrealistic.
    So if you actually wanted to use the Firewall to control user access, you would probably invest in a different appliance.
    Like the MAG from Juniper or a barracuda web filter appliance
    Or anything that does not involve manual labor.


    I was going to try the FTP again but forgot about it once I passed.

    Good luck, my colleague just barely passed with a 69 I think.

  3. I am afraid that I am having some issues here. I attempted to follow your configurations, and I am not even getting the nat translations. The WAN pc is on a different domain (work pc), so that might have something to do with it.

    I can ping the fw from each of the three devices, WAN PC, CISCO router, LAN PC.

    I began to get desperate so I tried to add a policy that allowed me to go from INTERNET zone to INTERNET zone to see if I could have those devices talk.

    That didn't quite work, either. I feel like I'm certainly missing some things. Will try again!

  4. So, I tried again at this lab, I had two PCs, and a Cisco device. I was able to get the HTTP to work from a browser, where I got the nice pop-up. Neither telnet/ftp from the LAN PC to either WAN device worked, yet, when I used the "show security flow session" command, I always saw that there was activity, and that the policy was being matched.

    Any idea?
