I treated myself to a Juniper SRX220 and an EX4200 for my homelab. I was googling but couldn't really find anyone who had written up how to configure the SRX220 via the CLI as an Internet gateway after a factory reset. Here is my config for JUNOS 12.1X44-D45.2 after the factory reset.
1. Log in to your SRX over the serial console (the username is root, with no password)
login:
2. Go into CLI mode
root@core% cli
3. Go into configuration (edit) mode
root@core> edit
Entering configuration mode
[edit]
root@core#
4. Now we can begin with the general config. First, let's set the root password (you are prompted for it interactively; it is not echoed on the command line)
root@core# set system root-authentication plain-text-password
5. Next, set the host name, name servers and NTP server for the router
root@core# set system host-name core
root@core# set system name-server 192.168.1.3 (this is my nameserver)
root@core# set system name-server 8.8.8.8 (in case my nameserver fails)
root@core# set system ntp server 66.219.116.140
6. Create an admin user
root@core# set system login user ldomb uid 1500
root@core# set system login user ldomb class super-user
root@core# set system login user ldomb authentication plain-text-password
7. Configure the uplink to the Internet provider. I don't have a static IP, so we configure the interface as a DHCP client. The update-server option propagates the settings learned from the ISP (such as the DNS servers) to the SRX's own DHCP server for the LAN.
root@core# set interfaces ge-0/0/0 description Internet_Uplink
root@core# set interfaces ge-0/0/0 unit 0 family inet dhcp update-server
8. We do not need to create a VLAN, as the factory default already created the management VLAN vlan.0 for us with tag ID 3. Ping on the ge-0/0/0.0 interface was not enabled, so I will enable that. Note that this lets anyone on the Internet ping your uplink; leave it out if you don't need it for troubleshooting.
root@core# set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
9. Let's check that we got a DHCP address from the cable modem
root@core> show system services dhcp client
Logical Interface name            ge-0/0/0.0
Hardware address                  10:0f:7f:db:23:00
Client status                     bound
Address obtained                  69.194.42.6
Update server                     enabled
Lease obtained at                 2015-06-19 22:24:17 UTC
Lease expires at                  2015-06-20 04:24:17 UTC
DHCP options:
    Name: router, Value: [ 69.194.40.1 ]
    Code: 1, Type: ip-address, Value: 255.255.252.0
    Name: name-server, Value: [ 167.206.245.135, 167.206.245.136 ]
    Name: server-identifier, Value: 167.206.195.54
10. Let's narrow the default DHCP scope, which is set to .2-.254. The range needs a low and a high address (the original post had low twice).
root@core# set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.100
root@core# set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.150
11. The router option of the pool (the default gateway handed out to DHCP clients) was not set in my case, so I set it
root@core# set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
12. We do not need to configure anything else for the LAN: the factory default already runs the DHCP server on vlan.0 (192.168.1.1/24), and the name servers learned from the ISP are propagated to the pool by the update-server option from step 7.
13. Once the router has handed out leases, you should be able to see the DHCP clients
root@core> show system services dhcp binding
IP address       Hardware address    Type      Lease expires at
192.168.1.100    c8:0a:a9:b0:90:20   dynamic   2015-06-20 20:53:43 UTC
14. For dynamic DNS with dyndns.org, add the following config. The DDNS password is saved in the configuration, so anyone who can read the config can recover it; use credentials dedicated to this host rather than your account password.
root@core# set system services dynamic-dns client rotehuet.my-host.com server dyndns
root@core# set system services dynamic-dns client rotehuet.my-host.com username ilove
root@core# set system services dynamic-dns client rotehuet.my-host.com password "opensource"
root@core# set system services dynamic-dns client rotehuet.my-host.com interface ge-0/0/0.0
15. Check that it worked (nochg means the address on record already matched)
root@core> show system services dynamic-dns client detail
Hostname     : rotehuet.my-host.com
Server       : members.dyndns.org
Last response: nochg
Last update  : 2015-06-19 22:24:34 UTC
Username     : ilove
Interface    : ge-0/0/0.0
Agent        : ddns-0.1 JUNOS [Model #] (Firmware version)
16. To be able to refer to the destination host in a policy, we need to create an address book entry in the trust zone
root@core# set security zones security-zone trust address-book address dobby 192.168.1.40/32
17. I also want to forward all incoming traffic arriving on ge-0/0/0.0 on port 2222 to my internal host 192.168.1.40 on port 22. First, create the destination NAT pool that translates both the address and the port
root@core# set security nat destination pool trust-192_168_1_40 address 192.168.1.40/32 port 22
18. Create the destination NAT rule set. It matches traffic entering on ge-0/0/0.0 for destination port 2222 and translates it into the pool. The destination address is matched as 0.0.0.0/0 because the public address comes from DHCP and can change; the from interface keeps the rule limited to the uplink.
root@core# set security nat destination rule-set on_ge0_0_0 from interface ge-0/0/0.0
root@core# set security nat destination rule-set on_ge0_0_0 rule 1 match destination-address 0.0.0.0/0
root@core# set security nat destination rule-set on_ge0_0_0 rule 1 match destination-port 2222
root@core# set security nat destination rule-set on_ge0_0_0 rule 1 then destination-nat pool trust-192_168_1_40
19. Then create the security policy from the untrust zone to the trust zone that permits the translated traffic. Make sure you add drop-untranslated: it drops any packet that reaches this policy without having had its destination address translated by a NAT rule, so only traffic that matched the port 2222 rule is forwarded to dobby and nothing else slips through on other ports or addresses. Since the SRX performs destination NAT before the policy lookup, the policy sees the translated port 22, so you can tighten match application any to match application junos-ssh.
root@core# set security policies from-zone untrust to-zone trust policy on_ge0_0_0 match source-address any
root@core# set security policies from-zone untrust to-zone trust policy on_ge0_0_0 match destination-address dobby
root@core# set security policies from-zone untrust to-zone trust policy on_ge0_0_0 match application any
root@core# set security policies from-zone untrust to-zone trust policy on_ge0_0_0 then permit destination-address drop-untranslated
20. Make sure you haven't made a mistake by running a commit check (a dry run that validates the candidate configuration without activating it). If you are configuring over the network rather than the console, commit confirmed 5 is also worth using: it rolls the change back automatically unless you confirm within five minutes.
root@core# commit check
configuration check succeeds
[edit]
21. Commit your change
root@core# commit
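As an added example, not part of the original post, here are the port-forwarding steps 16 to 19 again in one piece with the policy tightened, followed by the operational-mode commands to verify that the translation is actually being hit. The names (dobby, trust-192_168_1_40, on_ge0_0_0) and the address 192.168.1.40 are the ones used above; junos-ssh is Junos' predefined SSH application. Because destination NAT runs before the policy lookup, the policy matches on the translated port 22, so junos-ssh accepts the forwarded connections while application any would also permit anything else that reached dobby. Lines starting with ## are commentary; skip them when pasting into the CLI.

```junos
## Weak (as in the post): permits every application to dobby once a packet has been translated
## set security policies from-zone untrust to-zone trust policy on_ge0_0_0 match application any

## Hardened version of the 2222 -> 22 forward (added example; names from the post)
set security zones security-zone trust address-book address dobby 192.168.1.40/32
set security nat destination pool trust-192_168_1_40 address 192.168.1.40/32 port 22
set security nat destination rule-set on_ge0_0_0 from interface ge-0/0/0.0
set security nat destination rule-set on_ge0_0_0 rule 1 match destination-address 0.0.0.0/0
set security nat destination rule-set on_ge0_0_0 rule 1 match destination-port 2222
set security nat destination rule-set on_ge0_0_0 rule 1 then destination-nat pool trust-192_168_1_40
set security policies from-zone untrust to-zone trust policy on_ge0_0_0 match source-address any
set security policies from-zone untrust to-zone trust policy on_ge0_0_0 match destination-address dobby
## policy lookup happens after destination NAT, so the translated port 22 is what junos-ssh matches
set security policies from-zone untrust to-zone trust policy on_ge0_0_0 match application junos-ssh
## drop anything that reached this policy without being translated by the NAT rule
set security policies from-zone untrust to-zone trust policy on_ge0_0_0 then permit destination-address drop-untranslated
## log session start and end so forwarded SSH connections show up in the syslog
set security policies from-zone untrust to-zone trust policy on_ge0_0_0 then log session-init session-close
## dry run, then a commit that rolls back in 5 minutes unless confirmed with a plain commit
commit check
commit confirmed 5
commit

## Verify from operational mode after an SSH attempt to <public-ip>:2222
show security nat destination rule all
show security flow session destination-port 22 protocol tcp
show security policies from-zone untrust to-zone trust policy-name on_ge0_0_0 detail
```

The rule hit counter in show security nat destination rule all should increase with each connection attempt, and the flow session output should show the original destination <public-ip>:2222 translated to 192.168.1.40:22; if the session is missing but the NAT counter grew, the policy is what is dropping the traffic.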