Juniper SRX 220 default config with dynamic dns

  • laurent 

I treated myself to a Juniper SRX220 and an EX4200 for my homelab. I searched around but couldn't really find anyone who wrote up how to configure the SRX 220 after a factory reset via the CLI as an internet gateway. Here is my config for JUNOS 12.1X44-D45.2 after the factory reset.

1. Log in to your SRX via the serial cable (the username is root, with no password)

login:

2. Go into CLI mode

root@core% cli

3. Go into edit (configuration) mode

root@core> edit
Entering configuration mode

[edit]
root@core#

4. Now we can begin with the general config. First let's set the root password

root@core# set system root-authentication plain-text-password

5. Next set the host name, name servers and NTP server for the router

root@core# set system host-name core
root@core# set system name-server 192.168.1.3 (this is my nameserver)
root@core# set system name-server 8.8.8.8 (in case my nameserver fails)
root@core# set system ntp server 66.219.116.140

6. Create an admin user

root@core# set system login user ldomb uid 1500
root@core# set system login user ldomb class super-user
root@core# set system login user ldomb authentication plain-text-password

7. Configure the uplink to the internet provider. I don't have a static IP, so we will configure DHCP

root@core# set interfaces ge-0/0/0 description Internet_Uplink
root@core# set interfaces ge-0/0/0 unit 0 family inet dhcp update-server

8. We do not need to create a VLAN, as the factory default already created the management VLAN vlan.0 for us with tag ID 3. But ping on the ge-0/0/0.0 interface was not enabled in the untrust zone, so I enable that here.

root@core# set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

9. Let's check if we got a DHCP address from the cable modem

root@core> show system services dhcp client 
Logical Interface name         ge-0/0/0.0
        Hardware address        10:0f:7f:db:23:00
        Client status           bound
        Address obtained        69.194.42.6
        Update server           enabled
        Lease obtained at       2015-06-19 22:24:17 UTC
        Lease expires at        2015-06-20 04:24:17 UTC

DHCP options:
    Name: router, Value: [ 69.194.40.1 ]
    Code: 1, Type: ip-address, Value: 255.255.252.0
    Name: name-server, Value: [ 167.206.245.135, 167.206.245.136 ]
    Name: server-identifier, Value: 167.206.195.54

10. Let's modify the default DHCP scope, as it is set to .2 to .254

root@core# set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.100
root@core# set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.150

11. The default gateway for the DHCP clients (the pool's router option) was not set in my case, so I set it

root@core# set system services dhcp pool 192.168.1.0/24 router 192.168.1.1

12. We do not need to configure anything else, as the DHCP settings are already propagated.

13. You should now be able to see DHCP clients once they have been given a lease.

root@core> show system services dhcp binding 
IP address       Hardware address   Type     Lease expires at
192.168.1.100    c8:0a:a9:b0:90:20  dynamic  2015-06-20 20:53:43 UTC

14. For dynamic DNS with dyndns.org, add the following config

root@core# set system services dynamic-dns client rotehuet.my-host.com server dyndns
root@core# set system services dynamic-dns client rotehuet.my-host.com username ilove
root@core# set system services dynamic-dns client rotehuet.my-host.com password "opensource"
root@core# set system services dynamic-dns client rotehuet.my-host.com interface ge-0/0/0.0 

15. Check if it worked

root@core> show system services dynamic-dns client detail 

Hostname     : rotehuet.my-host.com
Server       : members.dyndns.org
Last response: nochg            
Last update  : 2015-06-19 22:24:34 UTC
Username     : ilove         
Interface    : ge-0/0/0.0       
Agent        : ddns-0.1 JUNOS [Model #] (Firmware version)
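The port forward configured below only works while the dyndns name points at the address the cable modem handed out, so the two outputs above should agree. This is an added Python check, not part of the original post: it parses the `show system services dhcp client` and `dynamic-dns client detail` text as printed above (copied here as fixtures) and cross-checks them; the `resolve` hook is an assumption so the check can run offline with a stub.

```python
import re
import socket
from datetime import datetime
# Sample outputs copied from the post's steps 9 and 15 (constructed fixtures).
DHCP_OUTPUT = """\
Logical Interface name         ge-0/0/0.0
        Client status           bound
        Address obtained        69.194.42.6
        Lease obtained at       2015-06-19 22:24:17 UTC
        Lease expires at        2015-06-20 04:24:17 UTC
"""
DDNS_OUTPUT = """\
Hostname     : rotehuet.my-host.com
Last response: nochg
Last update  : 2015-06-19 22:24:34 UTC
Interface    : ge-0/0/0.0
"""
TS = "%Y-%m-%d %H:%M:%S UTC"  # Junos timestamp format used in both outputs

def parse_dhcp_client(text):
    """Pull the fields of 'show system services dhcp client' into a dict."""
    def field(key):  # label, two or more spaces, then the value
        return re.search(rf"^\s*{re.escape(key)}\s{{2,}}(.+?)\s*$", text, re.M).group(1)
    return {
        "interface": field("Logical Interface name"),
        "status": field("Client status"),
        "address": field("Address obtained"),
        "obtained": datetime.strptime(field("Lease obtained at"), TS),
    }

def parse_ddns_client(text):
    """Turn the 'label : value' lines of 'dynamic-dns client detail' into a dict."""
    out = dict(re.findall(r"^(\S[^:]*?)\s*:\s*(.*?)\s*$", text, re.M))
    out["Last update"] = datetime.strptime(out["Last update"], TS)
    return out

def ddns_in_sync(dhcp, ddns, resolve=socket.gethostbyname):
    """List problems (empty = DDNS tracks the lease); `resolve` is an assumed hook."""
    problems = []
    if dhcp["status"] != "bound":
        problems.append("DHCP client is not bound")
    if ddns["Interface"] != dhcp["interface"]:
        problems.append("DDNS client is bound to a different interface")
    if ddns["Last update"] < dhcp["obtained"]:
        problems.append("last DDNS update predates the current lease")
    if ddns["Last response"] not in ("good", "nochg"):  # dyndns success codes
        problems.append("DDNS server answered " + ddns["Last response"])
    if resolve(ddns["Hostname"]) != dhcp["address"]:
        problems.append("hostname does not resolve to the WAN address")
    return problems
```

Run it with the live outputs pasted in and the default `socket.gethostbyname` resolver to confirm the record tracks a new lease after the modem renews.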

16. To be able to refer to the destination host we need to create an address book entry

root@core# set security zones security-zone trust address-book address dobby 192.168.1.40/32

17. I also want to forward all incoming traffic arriving on ge-0/0/0.0 port 2222 to my internal IP 192.168.1.40 port 22. Create the destination NAT pool

root@core# set security nat destination pool trust-192_168_1_40 address 192.168.1.40
root@core# set security nat destination pool trust-192_168_1_40 address port 22

18. Create the destination NAT rule set, matching on the incoming address and port.

root@core# set security nat destination rule-set on_ge0_0_0 from interface ge-0/0/0.0
root@core# set security nat destination rule-set on_ge0_0_0 rule 1 match destination-address 0.0.0.0/0
root@core# set security nat destination rule-set on_ge0_0_0 rule 1 match destination-port 2222
root@core# set security nat destination rule-set on_ge0_0_0 rule 1 then destination-nat pool trust-192_168_1_40

19. Then create the security policy that permits the translated traffic from the untrust zone to the trust zone, and make sure you add drop-untranslated, which prevents you from forwarding unwanted ports and addresses.

root@core# set security policies from-zone untrust to-zone trust policy on_ge0_0_0 match source-address any
root@core# set security policies from-zone untrust to-zone trust policy on_ge0_0_0 match destination-address dobby
root@core# set security policies from-zone untrust to-zone trust policy on_ge0_0_0 match application any
root@core# set security policies from-zone untrust to-zone trust policy on_ge0_0_0 then permit destination-address drop-untranslated

20. Make sure you didn't make a mistake by doing a commit check (a dry run of the commit)

root@core# commit check
configuration check succeeds

[edit]

21. Commit your change

root@core# commit
