GRT532 Advanced Network: Simulation


GRT532

Advanced Network
Simulation
BUILDING TRUSTED ZONES (FIREWALL)

Outline
❑Introducing Juniper Networks
❑Installation of vSRX on VirtualBox
❑Adding the firewall (VB image) to GNS3
❑Building a small network
o Network configuration
o Firewall configuration
o Testing and tracing

References
❑The book of GNS3 – Chapter 6

Juniper Networks
Develops, sells and supports networking products
❑Routers, switches, network management software, network security products, and software-defined networking technology.
❑Founded in 1996
❑Based in California (https://www.juniper.net/us/en/)

Juniper Devices
Juniper devices are built on the core of the FreeBSD operating system
❑An OS designed to power servers, desktops and embedded systems
o https://www.freebsd.org/
❑Junos OS: the Juniper operating system
o based on FreeBSD
o operates Juniper devices
❑Juniper Olive: a PC version of Junos OS
o Designed for internal use only by the Juniper team
o GNS3 fully supports the integration of Juniper Olive
❖ This makes it possible to add Juniper routers to GNS3 projects

Juniper SRX firewall
The virtual SRX used in this lab is called Juniper vSRX Firefly
Download the image from the link in your Moodle

Preparing Virtual Box
❑Launch VirtualBox
❑Click New (name, type and version as in the figure)
❑Click Next, set the memory to 2048 MB
❑Click Next, select “Use an existing virtual hard disk file” (the downloaded image)
❑Click Create

Giving power to your virtual machine
❑Settings
❑System
❑Processor
o Increase the number of processors to 2
o Needed to be able to configure the Ethernet interfaces
❑Right-click on the virtual image (firefly) and clone it to keep a copy.

GNS3: adding the firewall
Go to Edit / Preferences / VirtualBox VMs
❑Select firefly from the list and click Finish
o firefly is now created in GNS3
❑Click on Edit
o Make sure to select “Start VM in headless mode”
o Set the console type to “telnet”
❑Click on Network
o Set the number of adapters to 6
o Set the type to “virtio-net”
o Allow GNS3 to use any configured VirtualBox adapter

Creating a project with firefly
Build the following network (the addresses used in the configuration that follows assume R1 f0/0 is connected to the firewall's ge-0/0/1 and R2 f0/0 to the firewall's ge-0/0/0)

It is important to connect the interfaces exactly as in the figure

Network configuration
Configuration of R1
Interface configuration
❑R1#configure terminal
❑R1(config)#interface f0/0
❑R1(config-if)#ip address 192.168.1.100 255.255.255.0
❑R1(config-if)#no shutdown
All traffic should be sent to the firewall (default route towards 192.168.1.1, the firewall's trust-side address)
❑R1(config-if)#ip route 0.0.0.0 0.0.0.0 192.168.1.1
❑R1(config)#exit
❑R1#copy running-config startup-config
❑R1#

Network configuration
Configuration of R2
❑R2#configure terminal
❑R2(config)#interface f0/0
❑R2(config-if)#ip address 100.1.1.1 255.255.255.0
❑R2(config-if)#no shutdown
❑R2(config-if)#exit
❑R2(config)#exit
❑R2#copy running-config startup-config

Firewall configuration
Start firefly
Open console
❑Log in as root (there is no password)
❑root@% cli → switches from the FreeBSD shell to the Junos command prompt
❑root> edit → or configure; both enter configuration mode
❑root# set system root-authentication plain-text-password
❑New password: firefly1
❑Retype new password: firefly1
❑root# commit

Firewall configuration
Configure interfaces
❑root# set interfaces ge-0/0/0.0 family inet address 100.1.1.2/24
❑root# set interfaces ge-0/0/1.0 family inet address 192.168.1.1/24

All traffic is forwarded to the gateway 100.1.1.1 (R2) through a static default route

❑root# set routing-options static route 0.0.0.0/0 next-hop 100.1.1.1
❑root# commit

NOTE: before committing, you can use the show interfaces command (in configuration mode) to validate the candidate interface configuration

Firewall configuration
Set trusted and untrusted zones
❑root# set security zones security-zone trust interfaces ge-0/0/1.0
❑root# set security zones security-zone untrust interfaces ge-0/0/0.0
Set source NAT (traffic from trust to untrust is translated to the address of the outgoing interface)
❑root# delete security nat → optional, removes any previous NAT configuration
❑root# set security nat source rule-set interface-nat from zone trust
❑root# set security nat source rule-set interface-nat to zone untrust
❑root# set security nat source rule-set interface-nat rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
❑root# set security nat source rule-set interface-nat rule rule1 then source-nat interface

Firewall configuration
Define the type of traffic that is allowed to go between the zones (security policy)
❑Allowing all protocols and applications from the trust zone to the untrust zone
o root# set security policies from-zone trust to-zone untrust policy permit-all match source-address any destination-address any application any
o root# set security policies from-zone trust to-zone untrust policy permit-all then permit
o root# commit
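Added example (not part of the course slides and not Junos code): a small Python model of how the firewall configured on the last three slides treats a packet. It reproduces only what the slides configure (two interfaces, two zones, the default route, the interface source-NAT rule and the permit-all policy) together with the Junos behaviour the lab relies on: the destination zone is found through the route lookup, policies are evaluated in order and the first match wins, anything not matched by a policy is denied by the default deny-all policy, and source NAT is applied to permitted traffic. Addresses, interface names and rule names are the ones on the slides; 203.0.113.10 is a constructed outside address. Only new sessions go through the policy lookup on a real SRX; replies to R1's ping belong to an established session, which this model does not track.

```python
# Added example, not part of the course slides: a model of the vSRX zone,
# policy and source-NAT decisions configured in this lab.
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface, ip_network
from typing import Optional

# Interface addresses: "set interfaces ge-0/0/x.0 family inet address ..."
INTERFACES = {
    "ge-0/0/0.0": ip_interface("100.1.1.2/24"),
    "ge-0/0/1.0": ip_interface("192.168.1.1/24"),
}

# Zone membership: "set security zones security-zone <zone> interfaces <ifname>"
ZONES = {"untrust": ["ge-0/0/0.0"], "trust": ["ge-0/0/1.0"]}

# Routing table as (network, egress interface, next hop): connected routes from
# the interface addresses plus "static route 0.0.0.0/0 next-hop 100.1.1.1".
ROUTES = [(iface.network, name, None) for name, iface in INTERFACES.items()]
ROUTES.append((ip_network("0.0.0.0/0"), None, ip_address("100.1.1.1")))


@dataclass
class Policy:
    from_zone: str
    to_zone: str
    name: str
    source: str       # "any" or a prefix
    destination: str  # "any" or a prefix
    action: str       # "permit" or "deny"


@dataclass
class SourceNatRule:
    from_zone: str
    to_zone: str
    name: str
    source: str       # prefix (0.0.0.0/0 on the slides)
    destination: str  # prefix


# "set security policies from-zone trust to-zone untrust policy permit-all ..."
POLICIES = [Policy("trust", "untrust", "permit-all", "any", "any", "permit")]
# "set security nat source rule-set interface-nat ... rule rule1 ... then source-nat interface"
NAT_RULES = [SourceNatRule("trust", "untrust", "rule1", "0.0.0.0/0", "0.0.0.0/0")]


def zone_of(ifname: Optional[str]) -> Optional[str]:
    """Return the security zone an interface belongs to (None if unassigned)."""
    for zone, members in ZONES.items():
        if ifname in members:
            return zone
    return None


def _best_route(addr, routes):
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def egress_interface(dst: str) -> Optional[str]:
    """Longest-prefix lookup; a next-hop route is resolved through a connected route."""
    best = _best_route(ip_address(dst), ROUTES)
    if best is None:
        return None
    _, ifname, next_hop = best
    if ifname:
        return ifname
    connected = _best_route(next_hop, [r for r in ROUTES if r[1] is not None])
    return connected[1] if connected else None


def _matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)


def evaluate(src: str, dst: str, ingress: str) -> dict:
    """Zone lookup, first-match policy, default deny, then interface source NAT."""
    from_zone, egress = zone_of(ingress), egress_interface(dst)
    to_zone = zone_of(egress)
    result = {"from_zone": from_zone, "to_zone": to_zone,
              "policy": None, "action": "deny", "translated_source": None}
    if from_zone is None or to_zone is None:
        return result  # no route or unzoned interface: the packet is dropped
    for pol in POLICIES:  # evaluated in order, first match wins
        if ((pol.from_zone, pol.to_zone) == (from_zone, to_zone)
                and _matches(pol.source, src) and _matches(pol.destination, dst)):
            result["policy"], result["action"] = pol.name, pol.action
            break
    # Anything not matched keeps "deny": the SRX default policy is deny-all.
    if result["action"] == "permit":
        result["translated_source"] = src
        for rule in NAT_RULES:  # source NAT applies after the policy decision
            if ((rule.from_zone, rule.to_zone) == (from_zone, to_zone)
                    and _matches(rule.source, src) and _matches(rule.destination, dst)):
                # "source-nat interface": rewrite to the egress interface address
                result["translated_source"] = str(INTERFACES[egress].ip)
                break
    return result


if __name__ == "__main__":
    # R1's ping from the slides, a new session started from the untrust side,
    # and a packet to a constructed outside address reached via the default route.
    for pkt in [("192.168.1.100", "100.1.1.1", "ge-0/0/1.0"),
                ("100.1.1.1", "192.168.1.100", "ge-0/0/0.0"),
                ("192.168.1.100", "203.0.113.10", "ge-0/0/1.0")]:
        print(pkt, "->", evaluate(*pkt))
```

Running the block prints the three verdicts: R1's ping is permitted by permit-all and leaves ge-0/0/0.0 with source 100.1.1.2, and the session started from the untrust side is denied because no from-zone untrust to-zone trust policy exists, which is exactly what keeps the trusted network unreachable from outside once the slides' configuration is committed.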

Useful commands
Once in the Junos command prompt
❑root> show interfaces terse → to see the interfaces
❑root> show route → to see the routing table
❑root> show security nat source rule all → to see the NAT rules
❑root> show security nat source summary → to see a summary of the source NAT configuration
❑root> show security zones → to see the zones (trusted and untrusted)

Useful commands
commit is used to activate and save the candidate configuration.
❑ root# commit
show is used to see the candidate configuration, i.e. the configuration that is not yet committed. This is useful to verify the configuration before you commit.
❑ root# show
delete is used to remove a statement from the candidate configuration (the configuration that is not yet committed).
❑ root# delete
reboot -p, run from the FreeBSD shell, shuts the machine down and powers it off. It is recommended to stop firefly manually this way before closing GNS3.
❑ root@% reboot -p

Testing and tracing
A successful configuration should allow you to ping 100.1.1.1 (R2, in the untrust zone) from the trusted zone (R1).
❑R1#ping 100.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/8/12 ms
R1#

Testing and tracing
