Interface Configuration:

1. First define the tunnel interface st0. In our case (Karachi) st0.0 is defined with family inet and no address of its own (unnumbered).
2. Second, define a sub-interface and bind to it an IP address from the customer's pool of live (public) IP addresses. In our case (Karachi) the sub-interface is defined on the trust interface reth1 (reth1.101). This sub-interface is used as the external interface of the phase 1 (IKE) gateway.

Sample interface configuration on live equipment:

    set interfaces st0 unit 0 family inet
    set interfaces reth1 unit 101 vlan-id 101
    set interfaces reth1 unit 101 family inet address 202.125.133.46/32
IKE (phase 1) configuration:

    set security ike proposal test dh-group group2
    set security ike proposal test authentication-algorithm md5
    set security ike proposal test encryption-algorithm 3des-cbc
    set security ike policy psl mode main
    set security ike policy psl proposals test
    set security ike policy psl pre-shared-key ascii-text "$9$Oo2F1IceK8-VYhS-wY2aJ36/tBI"
    set security ike gateway psl ike-policy psl
    set security ike gateway psl address 58.65.194.242
    set security ike gateway psl external-interface reth1.101

Note that DH group 2 (1024-bit), MD5 and 3DES are all weak by current standards; unless the peer cannot do better, use at least dh-group group14, authentication-algorithm sha-256 and encryption-algorithm aes-256-cbc. The "$9$" form of the pre-shared key in the sample is Junos obfuscation, not encryption: it is reversible, so a configuration file containing it must be handled as if it contained the cleartext key.
IPsec (phase 2) configuration:

    set security ipsec policy psl proposal-set basic
    set security ipsec vpn psl bind-interface st0.0
    set security ipsec vpn psl ike gateway psl
    set security ipsec vpn psl ike ipsec-policy psl
    set security ipsec vpn psl establish-tunnels on-traffic

proposal-set basic is the weakest of the predefined sets (single DES, no PFS); prefer proposal-set standard or an explicit IPsec proposal with perfect-forward-secrecy.
Security policy from the untrust zone to the self-defined customer zone (test-customer). The page's original commands used "edit ... to test-customer" and had no source-address term; the Junos form is "set ... to-zone ..." and a policy must match on source-address, destination-address and application, otherwise the commit fails:

    set security policies from-zone untrust to-zone test-customer policy "name" match source-address any
    set security policies from-zone untrust to-zone test-customer policy "name" match destination-address any
    set security policies from-zone untrust to-zone test-customer policy "name" match application any
    set security policies from-zone untrust to-zone test-customer policy "name" then permit

Replace "name" with a policy name. any/any permit is the broadest possible policy; once the tunnel is up, narrow source-address and destination-address to the customer's prefixes.
More policies are needed if the customer's servers are in the trust zone: we must allow traffic from trust to the self-defined zone and vice versa. Use the same zone name (test-customer) in every policy, in the zone definition and in the NAT rule-set; a policy that names a different zone (for example test-cust) refers to a zone that does not exist and the commit fails.

Policy from trust to the self-defined zone:

    set security policies from-zone trust to-zone test-customer policy testvpn match source-address any
    set security policies from-zone trust to-zone test-customer policy testvpn match destination-address any
    set security policies from-zone trust to-zone test-customer policy testvpn match application any
    set security policies from-zone trust to-zone test-customer policy testvpn then permit

Policy from the self-defined zone to trust:

    set security policies from-zone test-customer to-zone trust policy testvpn match source-address any
    set security policies from-zone test-customer to-zone trust policy testvpn match destination-address any
    set security policies from-zone test-customer to-zone trust policy testvpn match application any
    set security policies from-zone test-customer to-zone trust policy testvpn then permit
Define a static route for the remote LAN so that traffic for it is sent into the VPN tunnel (this is a route for the remote LAN prefix, not a default route):

    SRX-01# set routing-options static route 192.168.0.0/16 next-hop st0.0
If we have a pool of live IP addresses, are using one of them on the sub-interface, and the servers in the trust zone also have live IP addresses, then the server's address would be translated by source NAT on its way into the tunnel. A source NAT rule with "source-nat off" is needed to exempt the particular server IP address from translation:

    set security nat source rule-set test from zone test-customer
    set security nat source rule-set test to zone untrust
    set security nat source rule-set test rule no-nat match source-address <server live IP>/32
    set security nat source rule-set test rule no-nat match destination-address 0.0.0.0/0
    set security nat source rule-set test rule no-nat then source-nat off

The from/to zones of the rule-set must match the direction of the traffic being exempted (the zone the server sits in, towards the zone that contains st0.0), and because rules within a rule-set are evaluated in order, the "off" rule must come before any rule that would translate the same traffic.
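The steps above as one consolidated, commit-ready configuration. This is an added example, not the page's own configuration: it uses the page's names (st0.0, reth1.101, psl, test, test-customer, the peer 58.65.194.242 and the remote LAN 192.168.0.0/16) but adds the pieces the page leaves implicit (the zone assignment of st0.0, IKE allowed inbound on the external interface) and replaces the weak values with current ones. Assumptions, labelled in the comments: reth1.101 is placed in zone untrust, the server exempted from NAT is 202.125.133.50/32 (an assumed address from the same live pool), policies are scoped to the remote LAN rather than any/any, the NAT exemption is written in the trust-to-test-customer direction a server in trust actually sends in, and the pre-shared key is a placeholder to be replaced. Lines beginning with "#" are annotations, not commands.

```junos
# Added consolidated example (not the page's configuration). Assumptions:
# reth1.101 is in zone untrust; the NAT-exempt server is 202.125.133.50/32;
# the pre-shared key is a placeholder; the remote LAN is 192.168.0.0/16.

# 1. Interfaces: unnumbered tunnel interface and the live-IP sub-interface
set interfaces st0 unit 0 family inet
set interfaces reth1 unit 101 vlan-id 101
set interfaces reth1 unit 101 family inet address 202.125.133.46/32

# 2. Zones: st0.0 must belong to a zone or no policy can match tunnel traffic,
#    and the IKE external interface must accept IKE (UDP 500/4500) inbound.
set security zones security-zone test-customer interfaces st0.0
set security zones security-zone untrust interfaces reth1.101 host-inbound-traffic system-services ike

# 3. IKE phase 1: group14 / SHA-256 / AES-256 instead of group2 / MD5 / 3DES
set security ike proposal test dh-group group14
set security ike proposal test authentication-algorithm sha-256
set security ike proposal test encryption-algorithm aes-256-cbc
set security ike proposal test lifetime-seconds 28800
set security ike policy psl mode main
set security ike policy psl proposals test
set security ike policy psl pre-shared-key ascii-text "REPLACE-WITH-A-LONG-RANDOM-SECRET"
set security ike gateway psl ike-policy psl
set security ike gateway psl address 58.65.194.242
set security ike gateway psl external-interface reth1.101

# 4. IPsec phase 2: explicit ESP proposal with PFS instead of proposal-set basic
set security ipsec proposal test-esp protocol esp
set security ipsec proposal test-esp authentication-algorithm hmac-sha-256-128
set security ipsec proposal test-esp encryption-algorithm aes-256-cbc
set security ipsec policy psl perfect-forward-secrecy keys group14
set security ipsec policy psl proposals test-esp
set security ipsec vpn psl bind-interface st0.0
set security ipsec vpn psl ike gateway psl
set security ipsec vpn psl ike ipsec-policy psl
set security ipsec vpn psl establish-tunnels on-traffic

# 5. Route the remote LAN into the tunnel
set routing-options static route 192.168.0.0/16 next-hop st0.0

# 6. Policies scoped to the remote LAN (assumed address-book entry remote-lan)
set security address-book global address remote-lan 192.168.0.0/16
set security policies from-zone trust to-zone test-customer policy testvpn match source-address any
set security policies from-zone trust to-zone test-customer policy testvpn match destination-address remote-lan
set security policies from-zone trust to-zone test-customer policy testvpn match application any
set security policies from-zone trust to-zone test-customer policy testvpn then permit
set security policies from-zone test-customer to-zone trust policy testvpn match source-address remote-lan
set security policies from-zone test-customer to-zone trust policy testvpn match destination-address any
set security policies from-zone test-customer to-zone trust policy testvpn match application any
set security policies from-zone test-customer to-zone trust policy testvpn then permit

# 7. Exempt the live-IP server from source NAT on its way into the tunnel
#    (assumed rule-set name vpn-no-nat; direction trust -> test-customer)
set security nat source rule-set vpn-no-nat from zone trust
set security nat source rule-set vpn-no-nat to zone test-customer
set security nat source rule-set vpn-no-nat rule no-nat match source-address 202.125.133.50/32
set security nat source rule-set vpn-no-nat rule no-nat match destination-address 192.168.0.0/16
set security nat source rule-set vpn-no-nat rule no-nat then source-nat off

# Verification after "commit", from operational mode:
#   show security ike security-associations
#   show security ipsec security-associations
#   show security flow session destination-prefix 192.168.0.0/16
```

With establish-tunnels on-traffic the SAs only appear after the first packet matches the route and policy, so send traffic towards 192.168.0.0/16 before checking the IKE and IPsec security-association output; an IKE SA with no IPsec SA usually means the phase 2 proposals do not match the peer, and no IKE SA at all usually means IKE is not allowed inbound on the external interface's zone or the pre-shared key differs.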