10 Minute Config Of Juniper Firewalls
I created this document for somebody else; thought it would be good if I share with all as well;
One of the basic questions that every administrator has is how to configure static NAT for the services they provide to their customers (mail/web/application/VoIP etc.). I have myself answered this question a lot of times on Experts-Exchange. So here is the standard configuration:
Juniper/Netscreen Firewalls:
set interface "<Interface>" mip <PublicIP> host <PrivateIP> netmask 255.255.255.255 vr "<VirtualRouter>"
set policy id <Number> from "<Zone>" to "<Zone>" "<Source IP>" "<Destination IP>" "<Service>" permit
So using the above, if I want to allow web server access, the configuration would be as below, assuming Public IP = 11.12.13.14, Private IP = 10.10.10.10, Internal Interface = Trust, External Interface = Untrust and Virtual Router = trust-vr:
set interface "Untrust" mip 11.12.13.14 host 10.10.10.10 netmask 255.255.255.255 vr "trust-vr"
set policy id 1 from "Untrust" to "Trust" "Any" "MIP(11.12.13.14)" "HTTP" permit log
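Once a few of these MIP/policy pairs accumulate, it is worth checking them against the pattern above (one /32 MIP per host, an explicit service rather than ANY, and log on every inbound permit). The following audit script is an added example, not part of the original post or of ScreenOS itself; it parses the two command forms shown above from a constructed sample config and reports deviations.

```python
import shlex
import ipaddress

# Constructed sample in ScreenOS syntax; addresses are illustrative, not from any real device.
SAMPLE_CONFIG = """
set interface "Untrust" mip 11.12.13.14 host 10.10.10.10 netmask 255.255.255.255 vr "trust-vr"
set interface "Untrust" mip 11.12.13.15 host 10.10.10.11 netmask 255.255.255.255 vr "trust-vr"
set interface "Untrust" mip 11.12.13.17 host 10.10.10.12 netmask 255.255.255.255 vr "trust-vr"
set policy id 1 from "Untrust" to "Trust" "Any" "MIP(11.12.13.14)" "HTTP" permit log
set policy id 2 from "Untrust" to "Trust" "Any" "MIP(11.12.13.15)" "ANY" permit
set policy id 3 from "Untrust" to "Trust" "Any" "MIP(11.12.13.16)" "SMTP" permit log
"""


def parse_mip(tokens):
    """'set interface <if> mip <pub> host <priv> netmask <mask> vr <vr>' -> dict (validates the IPs)."""
    pub = ipaddress.ip_address(tokens[4])
    priv = ipaddress.ip_address(tokens[6])
    if tokens[8] != "255.255.255.255":
        raise ValueError("only single-host (/32) MIPs are handled here")
    return {"iface": tokens[2], "public": str(pub), "private": str(priv), "vr": tokens[10]}


def parse_policy(tokens):
    """'set policy id <n> from <z> to <z> <src> <dst> <svc> <action> [opts...]' -> dict."""
    return {"id": int(tokens[3]), "from": tokens[5], "to": tokens[7], "src": tokens[8],
            "dst": tokens[9], "svc": tokens[10], "action": tokens[11], "opts": tokens[12:]}


def audit(config_text):
    """Return a list of human-readable findings for the MIP-related lines of a config."""
    mips, policies = {}, []
    for line in config_text.splitlines():
        t = shlex.split(line)  # shlex strips the double quotes ScreenOS puts around names
        if t[:2] == ["set", "interface"] and "mip" in t:
            m = parse_mip(t)
            mips[m["public"]] = m
        elif t[:2] == ["set", "policy"]:
            policies.append(parse_policy(t))
    findings, used = [], set()
    for p in policies:
        if not p["dst"].startswith("MIP(") or p["action"] != "permit":
            continue  # only inbound permits to a MIP are of interest here
        public = p["dst"][4:-1]
        used.add(public)
        if public not in mips:
            findings.append(f"policy {p['id']}: refers to undefined MIP {public}")
        if p["svc"].upper() == "ANY":
            findings.append(f"policy {p['id']}: permits ANY service to MIP {public}")
        if "log" not in p["opts"]:
            findings.append(f"policy {p['id']}: inbound permit without 'log'")
    for public in sorted(set(mips) - used):
        findings.append(f"MIP {public}: defined but no inbound policy uses it")
    return findings
```

Run `audit(open("config.txt").read())` against a `get config` dump; the sample flags policy 2 (ANY service, no log), policy 3 (dangling MIP) and the unused MIP 11.12.13.17.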
One of the good features of Juniper Firewalls is the fact that you can have Last-Known-Good configuration in the firewall.
To save a working configuration, do this:
save config to last-known-good
Now the advantage of this is that when you've made some modifications that mess up the config, all you need is:
exec config recovery
The above will bring it back and you're up and running in no time!
One of the best things I like about Juniper Netscreen Firewalls is that you can have multiple ISPs directly connected to one box. The Cisco PIX 500 series lacks this, and you would often be in trouble when multiple ISPs are involved and you want both 'redundancy' and 'load balancing'.
Another one is the DI (Deep Inspection) feature. Netscreen boxes have built-in DI capabilities, which the PIX lacks big time.