Configuring Juniper Networks Firewall/IPSec VPN Products 5.b
High-Level Lab Guide
Juniper Networks
Course Number: EDUJUN-CHFV

Contents

Lab 1: Initial Configuration
  Part 1: Basic Connectivity
Lab 2: Device Administration
  Part 1: Device Administration
  Part 2: Configuration Management
  Part 3: Asset Recovery (optional)
Lab 3: Layer 3 Operations
  Part 1: Access the Management Network
Lab 4: Basic Policy Configuration
  Part 1: Basic Policy Configuration
Lab 5: Policy Options
  Part 1: Policy Options
  Part 2: WebAuth
Lab 6: Address Translation
  Part 1: NAT-src
  Part 2: Destination NAT
  Part 3: VIP Address
  Part 4: MIP Address
Lab 7: Transparent Mode
  Part 1: Transparent Mode
Lab 8: Policy-Based VPNs
  Part 1: Basic Connectivity
  Part 2: VPN Configuration
  Part 3: Demo: VPN Manager
Lab 9: Route-Based VPNs
  Part 1: Basic Connectivity
  Part 2: VPN Configuration
  Part 3: Demo: Using VPN Manager

Lab 1: Initial Configuration

Overview

This lab explores the initial Juniper Networks device configuration. First, you will access the device and reset the configuration, then you will configure your device for network connectivity. You have the option to switch over and use Security Manager for the rest of the configuration.

This lab is available in two formats: a high-level format that is designed to make you think through each step, and a detailed format that offers step-by-step instructions complete with sample output from most commands.

By completing this lab, you will perform the following tasks:
• Access your Juniper Networks device from its console port and reset the configuration on your Juniper Networks device to its default mode.
• Access your Juniper Networks device through the WebUI and verify configuration settings.
• Use the CLI or the WebUI to configure the Untrust interface and route.
• Use the CLI, the WebUI, or Security Manager to complete the initial configuration.

This lab requires you to use the student PC to configure the Juniper Networks device through the serial port.
You will use the instructor router as the default gateway of your device.

Network Diagram

The classroom network is divided into four workgroups, with each workgroup connected to a port on an NS-208 device via a hub. A workgroup, as shown here, contains four SSG5 devices, NS5-XT devices, or NS-5GT devices and four PCs. Each PC in the workgroup is connected to a Juniper Networks device via the Trust interface and the console port. The instructor will assign each student to a workgroup, and each workgroup will correspond to a port on the NS-208 device. For example, if you are in Workgroup 1, your hub is connected to port E1 on the NS-208 device.

Fill in your assigned X and Y values below:
X = Row/Group/Port
Y =

Part 1: Basic Connectivity

Step 1.1 Confirm that the IP configuration of your PC is correct as per the lab diagram. If not assigned already, obtain your X and Y values from the instructor and write them in the following space provided. These values will be assigned to you for the remainder of the course.
• PC IP address: 10.X.Y.5 (X is your row and group, Y is your workstation).
• PC mask: 255.255.255.0
• PC gateway: 10.X.Y.1 (the Trust interface on your 5GT device)

X value (your row): ____ Y value (your workstation): ____
PC IP address: ____ PC gateway: ____

Step 1.2 Using the console connection, reset your device to the factory default configuration. Do not save the configuration if prompted to do so.

Step 1.3 After the device is reset, log in using the default username and password of netscreen. Set the hostname of your device to GroupX-Y.

Step 1.4 Configure your device with the IP addresses shown in the diagram. Enable Telnet and ping on your Untrust interface.
• Trust: 10.X.Y.1/24
• Untrust: 1.1.X.Y0/24

Note: At this point you can choose to begin using the WebUI, or you can continue using the CLI.

Step 1.5 Set a default route using the network diagram.
This address is already configured on the NS-208 device.

Step 1.6 Ensure that a policy exists to allow your PC to access the instructor PC.

Step 1.7 Verify IP connectivity by issuing a ping from your PC to the NS-208 interface.

Step 1.8 Verify IP connectivity by issuing a ping from your PC to the classroom server (104.75.412).

Step 1.9 If you are using the CLI, save your configuration to flash memory. If you are using the WebUI, your changes are saved automatically.

Note: If you are not using Security Manager, proceed to the end of this lab.

Step 1.10 Open the Security Manager client using the login super, password netscreen. The Security Manager server is located at 10.1.75.222.

Step 1.11 Add your device to the list of managed devices. Use the syntax GroupX-Y for the device name.

Step 1.12 Import your configuration.

Tell your instructor that you have completed Lab 1.

Lab 2: Device Administration

Overview

This lab explores the configuration of Juniper Networks device administration. During this lab, you will be working on your own device.

This lab is available in two formats: a high-level format that is designed to make you think through each step, and a detailed format that offers step-by-step instructions complete with sample output from most commands.

By completing this lab, you will perform the following tasks:
• Configure device administration, including external management services.
• Manage configuration files using TFTP and config rollback using the CLI.
• Perform asset recovery (optional).

This lab requires you to use the student PC to access the device. You will use your student PC

Part 1: Device Administration

Step 1.1 Verify that your TFTP server is running on your PC by clicking the following icon.

Step 1.2 Create two administrator user accounts, one read-only and the other having all privileges. If you are using Security Manager, update your device after this step.
Step 1.3 Test each account by logging in to your Juniper Networks device through the CLI or the WebUI using the account just created.
Question: What is the difference between logging in as the root and logging in as an administrator user with all privileges?

Step 1.4 If you are using the CLI or the WebUI, log out, then log back in as the root user (that is, login: netscreen, password: netscreen).

Step 1.5 If you are using the CLI, set the console timeout to 60 minutes. If you are using the WebUI, set the WebUI timeout to 60 minutes. If you are using Security Manager, skip this step; the timeout between your client and Security Manager defaults to 48 minutes.

Step 1.6 Enable DNS on your device. The DNS server is the classroom server (104.76214). The refresh interval is 28 hours.

Step 1.7 Enable syslog on your device. Your PC is the syslog server (3CDaemon has syslog services).
• The syslog source interface is Trust.
• Log all events.
• The security facility is 108826.
• The facility is
• UDP is the transport mechanism.

Step 1.8 Create a host-based permitted address for your PC to manage your device.

Step 1.9 Create a host-based permitted address for the instructor's PC, located at 10.1.75.250.
Question: What would happen if you reversed the order of Steps 1.8 and 1.9?

Step 1.10 Set the clock on your device to the correct time zone. If you have access to an NTP server, configure the NTP server; if not, set the clock to match your local PC. If you are using Security Manager, update your device after this step.

Part 2: Configuration Management

Note: Use the CLI for this portion of the lab unless otherwise instructed.

Step 2.1 Save the configuration to flash memory and then save it to your local PC using TFTP. Use your group name as the filename, that is, groupname.cfg.

Step 2.2 Reset your device to factory defaults by clearing the configuration and performing a restart as you did in the previous lab. Log in as the root administrator.
Step 2.3 Verify that previously configured values, such as the hostname and syslog configuration, are restored to factory defaults.

Step 2.4 Set the IP address on your Trust interface to 10.X.Y.1/24.

Step 2.5 Restore the configuration from TFTP using the merge parameter to update the running configuration and the backup copy in flash memory.

Step 2.6 Verify that the configuration is restored by checking the syslog configuration.

Step 2.7 Issue the save config to last-known-good command to create a separate rollback configuration file in flash memory.

Step 2.8 Change the system hostname to TestingRollback. Note that the prompt changes immediately. Save your changes.

Step 2.9 From the CLI, issue the exec config rollback command. When the unit restarts, log back in.
Question: After rebooting, what should the system hostname be?

Step 2.10 View the system event log using your preferred user interface. Observe some of the recent events that were logged by your device.
Question: List three different events shown in the log.

Step 2.11 On the PC, open the 3CDaemon display window. Click on the Syslog Server tab to display recently logged events. Compare these results with the event log on the device that you displayed in the previous step. Note the similarities.

Step 2.12 If you are using the CLI or WebUI, save your current copy of the configuration to flash memory and to your PC for future use.

Note: This completes the required portion of the lab exercise. The optional exercise begins in the following step.

Part 3: Asset Recovery (optional)

Note: Use the CLI for this portion of the lab unless otherwise instructed.

Step 3.1 Save the software image from your device to your PC using TFTP.

Step 3.2 Issue the reset command to restart the Juniper Networks device. Assume that the ScreenOS software image in flash memory is corrupted and that the device will not boot completely.
Step 3.3 Interrupt the boot process when the "Press any key for Boot Loader" message is displayed.

Step 3.4 Assign the IP address of the Trust interface as the Self IP, specify the address of the TFTP server, and enter the name of the ScreenOS software image that you saved earlier. The TFTP server must be accessible from the Trust interface.

Step 3.5 Write the newly loaded image to flash memory and activate the downloaded file. Once the boot operation is complete, log in and verify that the configuration is intact and that the unit is fully functional.

Step 3.6 Question: What is the serial number of your Juniper Networks device?
Verify that asset recovery is enabled using the get admin command.

Step 3.7 Assume that you have forgotten the root password and now need to perform asset recovery.
Question: How do you do this? List the steps below. If you want to do an actual asset recovery, have the instructor verify your steps before performing the procedure.

Tell your instructor that you have completed Lab 2.

Lab 3: Layer 3 Operations

Overview

This lab explores the verification of your existing configuration.

This lab is available in two formats: a high-level format that is designed to make you think through each step, and a detailed format that offers step-by-step instructions complete with sample output from most commands.

By completing this lab, you will perform the following tasks:
• Verify your existing IP configuration with get commands, ping, and debug.

This lab requires you to verify your configuration.

Network Diagram

You will use the CLI in addition to your preferred interface for this lab.

Part 1: Access the Management Network

Step 1.1 View the current interface configuration to answer the following question.
Question: In what mode is the Trust interface? In what mode is the Untrust interface?

Step 1.2 Question: Should you be able to ping your workgroup's port on the NS-208 device from your PC?
Why or why not? (Hint: Think about routing and policies.)
Verify your answer by issuing a continuous ping from your PC to your group's port on the NS-208 device, then viewing the session on your device with the get session command from either the CLI or the troubleshooting interface of Security Manager.
Question: What is the destination address of the return packet, and why?

Step 1.3 From your PC, ping the Untrust interfaces of all the Juniper Networks devices in your workgroup. Work with other members of your workgroup to resolve any connectivity issues. (Hint: Think about interface management settings.)

Step 1.4 From your PC, ping a neighboring PC within your workgroup.
Question: Was the ping successful? Why or why not?

Step 1.5 Use the get route ip address command to verify routing to other PCs in your workgroup from either the CLI or the troubleshooting interface of Security Manager.
Question: Is the routing correct?

Step 1.6 Configure your Trust interface for route mode.

Step 1.7 Configure routes to reach all other PCs in your workgroup. The existing default route allows you to reach PCs in other workgroups. If you are using Security Manager, update your device after this step.

Step 1.8 Verify that your device has correct routing using the commands get route ip, ping, and traceroute from your device. Note that the ping will not be successful.
Question: Is the traffic reaching the correct device? (If not, correct your routing until it is.)
Question: If traffic is being dropped, what else could be the problem?

Step 1.9 Work with another individual in your workgroup for this step. Use the debug command to verify your answer to the previous question. Both of you must set the appropriate flow filters, then enable debugging. Once you do, initiate a ping from your PC to your neighbor's PC. Stop the debug and compare your output to your neighbor's.

Tell your instructor that you have completed Lab 3.

Lab 4: Basic Policy Configuration

Overview

This lab explores policy configuration.
First, you will create address book entries, then you will add groups to your device. Finally, you will establish the policies required to access the management network.

This lab is available in two formats: a high-level format that is designed to make you think through each step, and a detailed format that offers step-by-step instructions complete with sample output from most commands.

By completing this lab, you will perform the following tasks:
• Create address book entries, service groups, and policies that control access to the classroom management network and to the Internet.

This lab requires you to access the classroom management network.

Network Diagram (Group / Port)

Part 1: Basic Policy Configuration

Step 1.1 Create address book entries for the following:
• Your PC – host entry;
• The classroom server – host entry;
• The Security Manager server – host entry;
• The instructor PC – host entry; and
• The management subnet (10.1.75.0/24).

Step 1.2 Create a custom service called NSMclient. Use the following parameters:
• Protocol: TCP
• Source ports: all
• Destination port: 7802

Step 1.3 Create a service group of the following predefined services: DNS, FTP, HTTP. Call it ClassServices.

Step 1.4 Create policies to match the following criteria:
• Your PC can access the Security Manager server using the following services:
  – NSMclient; and
  – Ping.
• Your PC can access the classroom server using the ClassServices service group.
• All other traffic to the management network is denied.
• The instructor PC can access your PC using any service.
• Your PC can access the Internet using the following services (use multicell to create only one policy):
  – DNS;
  – FTP;
  – HTTP;
  – Telnet.
• All other traffic should be denied (that is, your default policy).

Use the following space to plan your policies.
Carefully consider the policy order. If you are using Security Manager, update your device after this step. (You will lose the connection to the Security Manager server.)

Step 1.5 Verify the classroom server policy by using ping, FTP, Telnet, and HTTP to the classroom server. The ping should fail; the other services should be available.

Step 1.6 Verify the policy denying access to other devices on the management network by trying to connect to the instructor PC.

Step 1.7 Verify the Internet policy by accessing the Internet.

Step 1.8 Ask the instructor to verify your policy allowing the instructor PC to connect to your PC.

Tell your instructor that you have completed Lab 4.

Lab 5: Policy Options

Overview

This lab explores the policy options available using a Juniper Networks device. You will configure and verify logging and counters. You will also explore WebAuth.

This lab is available in two formats: a high-level format that is designed to make you think through each step, and a detailed format that offers step-by-step instructions complete with sample output from most commands.

By completing this lab, you will perform the following tasks:
• Configure and verify logging and counters.
• Configure and test WebAuth.

This lab requires you to use your ScreenOS device to verify logging and counters.

Network Diagram

Part 1: Policy Options

Step 1.1 Enable logging and counting on all your policies. Enable logging on both session start and session close. If you are using Security Manager, update your device after this step. (You will lose the connection to the Security Manager server.)

Step 1.2 Access the classroom server and the Internet again using ping and HTTP.

Step 1.3 Check the counters from the WebUI.
Question: What is the peak value for bytes/second?
Question: What is the peak value for Kbytes?

Step 1.4 Check the session log.
Question: How many sessions were established to the
Question: What is the duration of the longest session?

Part 2: WebAuth

Step 2.1 Create a user entry for yourself. The username and password can be whatever you want, and the user type is Authentication user.
Step 2.2 Configure a WebAuth address on your Trust interface. The address is 10.X.Y.10, where X is your workgroup number and Y is your workstation number.

Step 2.3 Add WebAuth to the policy that controls access to the classroom server. Limit WebAuth to the user you defined previously. If you are using Security Manager, update your device after this step. (You will lose the connection to the Security Manager server.)

Step 2.4 Using the CLI, clear all existing sessions using the clear session all command.

Step 2.5 Try to access the classroom server again. If WebAuth is properly configured, you will be unable to reach the classroom server.

Step 2.6 Browse to the WebAuth address and authenticate using the username and password you created in Step 2.1.

Step 2.7 Verify that the policy is now allowing you to access the instructor PC.

Step 2.8 Use the get user name and get auth table commands to view information about your

Tell your instructor that you have completed Lab 5.

Lab 6: Address Translation

Overview

This lab explores multiple NAT configurations.

This lab is available in two formats: a high-level format that is designed to make you think through each step, and a detailed format that offers step-by-step instructions complete with sample output from most commands.

By completing this lab, you will perform the following tasks:
• Configure source NAT (NAT-src).
• Configure destination NAT (NAT-dst).
• Configure a virtual IP (VIP) address.
• Configure a mapped IP (MIP) address.

This lab requires you to configure NAT.

Network Diagram

Part 1: NAT-src

Step 1.1 Remove all policies created in previous labs.

Step 1.2 Remove all static routes created in previous labs except the default route.

Step 1.3 Verify that the Trust interface is in route mode.
Step 1.4 Using basic NAT-src (that is, translation to the outbound interface address), create a policy set that allows access to the management network. If you are using Security Manager, update your device after this step. (You will lose the connection to the Security Manager server.)

Step 1.5 Verify your configuration by connecting to the classroom server using ping and HTTP.

Step 1.6 From your PC, begin a continuous ping (ping -t at the command prompt) to the classroom server. Issue the get session command on your firewall.
Question: What is the post-translation source address?

Step 1.7 Create a one-entry DIP address pool on the Untrust interface using an address that is one higher than the interface IP address. For example, if the Untrust interface IP address is 1.1.1.10, the DIP address pool will be 1.1.1.11-1.1.1.11. Enable port translation. If you are using Security Manager, add this DIP address to a global DIP address, using your name as the global DIP address.

Step 1.8 Modify your policy to use the DIP address you just created. If you are using Security Manager, update your device after completing this step. (You will lose your connection to Security Manager.)

Step 1.9 From your PC, begin a continuous ping (ping -t at the command prompt) to one of the Untrust interfaces. Issue a get session command on your device and verify that your PC address was translated to the address coming from the DIP address pool rather than the egress interface.

Step 1.10 Create a four-entry DIP address pool on the Untrust interface, using an address that starts two higher than the interface IP address. For example, if the Untrust interface IP address is 1.1.1.10, the DIP address pool will be 1.1.1.12-1.1.1.15. If you are using Security Manager, modify the global DIP address to include this new DIP address pool and remove the DIP address pool from the previous step.

Step 1.11 Modify your NAT policy to use the multiple-entry DIP address pool. If you are using Security Manager, you do not need to modify your policy; simply update your device.
(You will lose the connection to Security Manager.)

Step 1.12 From your PC, begin a continuous ping (ping -t at the command prompt) to one of the Untrust interfaces. Issue a get session command.
Question: Which address in the DIP address pool is being used for translation?

Step 1.13 Issue the get session command again.
Question: Did the address used for translation change? Why or why not?

Part 2: Destination NAT

Diagram: Trust | Untrust; your PC (real address 10.X.Y.5, public address) to the rest of the workgroup/classroom.

Step 2.1 Reconfigure NAT to use the interface address for translation.

Step 2.2 The public address for your PC is 1.1.X.Y6. For example, if you are PC2 in Group 1, your PC's public address will be 1.1.1.26. Create an address book entry for your public PC address in the Trust zone.

Step 2.3 Create a static route to this host address using the Trust interface as the outbound interface. (You do not need to specify a next-hop address; this route will be used for translation only.)

Step 2.4 Using NAT-dst address translation, create a policy that allows any device to ping your PC by accessing the public address. Enable logging in the policy.

Step 2.5 Work with a neighbor to test each other's configurations using ping. When you have a successful ping, issue the get session command and verify that translation is taking place. After you close your session, view the traffic log.

Note: If you are taking the class via e-learning, ask the instructor to test your configuration.

Question: Should you be able to ping the instructor PC from your PC? Why or why not?

Part 3: VIP Address

Diagram: your PC to the rest of the workgroup/classroom.

Step 3.1 The VIP address is 44.0. Create the VIP address on the Untrust interface using the following port mappings:
• HTTP maps to your PC (10.X.Y.5) port 80.
• FTP maps to 10.X.Y.5 port 21.
If you are using Security Manager, add this VIP address to a global VIP address, using your name as the name of the global VIP address.

Step 3.2 Create address book entries for the other PCs in the classroom.
(Hint: NAT-src is still in place on all student firewalls.)

Step 3.3 Create a policy that allows other PCs in the classroom, including the instructor PC, to access the VIP address and services. If you are using Security Manager, update your device after this step.

Step 3.4 Start the Xtal and 3CDaemon applications on your PC. These applications open ports 80 and 21, respectively.

Step 3.5 Work with a neighbor to test each other's configuration. When someone has successfully opened a browser session to your VIP address, issue the get session command to verify that translation is taking place.
Question: When browsing your neighbor's PC, what is the source address your neighbor sees, and why?

Part 4: MIP Address

Diagram: Trust | Untrust.

Step 4.1 Remove all policies. The only policy that should exist on your Juniper Networks device should be from Trust to Untrust, any, any, any, permit.

Step 4.2 Create a MIP address on the Untrust interface. Use 1.1.X.Y7 as the MIP address.

Step 4.3 Create policies to allow the following:
• All PCs in the classroom should be able to access your PC using your MIP address.
• You should be able to reach all PCs in the classroom using their MIP addresses.

Step 4.4 Work with a neighbor to test each other's configurations using ping. When you have a successful ping, begin a continuous ping, and then issue the get session command to verify that outbound address translation is occurring. Be sure to verify translation in both directions (inbound and outbound).

Note: If you are taking this class via e-learning, ask the instructor to test your configuration.

Step 4.5 Question: If both NAT-src and a MIP address are configured, which takes precedence? Answer the same question for the case where the NAT-src policy uses the egress interface and a MIP address is configured for the translated source address.

Step 4.6 Verify your answer: re-enable basic NAT-src in your Trust to Untrust policy, and run a continuous ping to the instructor PC.

Tell your instructor that you have completed Lab 6.
Lab 7: Transparent Mode

Overview

This optional lab explores the configuration of transparent mode.

This lab is available in two formats: a high-level format that is designed to make you think through each step, and a detailed format that offers step-by-step instructions complete with sample output from most commands.

By completing this lab, you will perform the following tasks:
• Configure the Trust and Untrust interfaces for use in transparent mode.
• Use the zone and address scheme from the following diagram.
• Allow management on VLAN1 for Web only.
• Verify transparent mode functionality.

This optional lab requires you to configure transparent mode.

Network Diagram

The classroom network is divided into four workgroups, with each workgroup connected to a port on an NS-208 device via a hub. A workgroup, as shown here, contains four NS-5XP, NS-5XT, or NS-5GT devices and four PCs. Each PC in the workgroup is connected to a Juniper Networks device via the Trust interface and the console port. The instructor will assign each student to a workgroup, and each workgroup will correspond to a port on the NS-208 device. For example, if you are in Workgroup 1, your hub is connected to port E1 on the NS-208 device.

Fill in your assigned X and Y values below:
X =
Y =

Part 1: Transparent Mode

Step 1.1 Reset your Juniper Networks device to factory defaults.

Step 1.2 Configure your PC with the following addresses:
• IP address:
• Mask: 255.255.255.0
• Gateway:

Step 1.3 Using the console connection, put the interfaces in their respective Layer 2 zones:
• Unset the IP address on the Trust interface (unset interface trust ip).
• Assign the Trust interface to the V1-Trust zone, and the Untrust interface to the V1-Untrust zone.
Question: Will the Juniper Networks device allow you to configure any address on the Untrust interface?
Step 1.4 Using the console connection, give the ScreenOS device an IP address. You will use this IP address so your PC can Telnet to the ScreenOS device.
Question: On which interface did you configure the address in the previous step?

Step 1.5 Enable Web management on the VLAN1 interface. Test Telnet.
Question: Can you open a Telnet session?
Question: Can you open a Web session?

Step 1.6 Display the MAC table on the Juniper Networks device.
Question: To which device does the Trust zone MAC address belong?

Step 1.7 Display the management settings for the V1-Trust zone.
Question: What services are enabled?

Step 1.8 Disable Telnet on the V1-Trust zone. Answer the following question.
Question: Can you now use Telnet to access the device? Why?

Step 1.9 Ping the NS-208 device from your CLI. Answer the following question.
Question: Whose MAC address should you expect to see recorded in the MAC table?

Step 1.10 Question: Can you now ping the NS-208 device from your PC? Why or why not?

Step 1.11 From your PC, ping the instructor's PC. It should not work.

Step 1.12 Configure a policy to allow only ping to reach the instructor PC. Use /32 masks for your addresses.

Step 1.13 Generate a continuous ping from your PC (command: ping 10.1.75.250 -t) to the instructor PC. From the console, issue a get session command.
Question: What is the destination address of the return packet, and why?

Tell your instructor that you have completed Lab 7.
Lab 8: Policy-Based VPNs

Overview

This lab explores the configuration of policy-based VPNs.

This lab is available in two formats: a high-level format that is designed to make you think through each step, and a detailed format that offers step-by-step instructions complete with sample output from most commands.

By completing this lab, you will perform the following tasks:
• Configure your firewall for basic connectivity:
  – IP reachability; and
  – A policy allowing your PC to communicate with the Security Manager server.
• Configure a VPN between your device and the central firewall device using policy-based VPNs on your firewall.
• Demo: Using VPN Manager to create policy-based VPNs.

This lab requires you to enable a VPN on your device.

Network Diagram

Diagram: Trust zone 10.X.Y.0/24, Untrust zone; X is your group number, Y is your workstation number.

Part 1: Basic Connectivity

Step 1.1 Confirm that the IP address configuration of your PC is correct as per the lab diagram. If not assigned already, obtain your X and Y values from the instructor and write them in the space provided. These values will be assigned to you for the remainder of the course.
• IP address: 10.X.Y.5 (X is your row and group, Y is your workstation).
• Gateway: 10.X.Y.1 (the Trust interface on your NS-5GT device).

X value: ____ Y value: ____
PC IP address: ____ PC gateway: ____

Step 1.2 Using the console connection, reset your device to the factory default configuration. Do not save the configuration if prompted to do so.

Step 1.3 After the device is reset, log in using the default username/password of netscreen. Set the hostname of your device to GroupX-Y.

Step 1.4 Configure your device with the IP addresses shown in the diagram:
• Trust: 10.X.Y.1/24
• Untrust: 1.1.X.Y0/24

Note: At this point you can choose to begin using the WebUI, or you can continue using the CLI.

Step 1.5 Set a default route using the gateway address specified previously. This address is already configured on the NS-208 device.
Step 1.6 Enable Telnet, Web, and ping management on the Untrust interface.

Step 1.7 Ensure that a policy exists to allow your PC to access the instructor network.

Step 1.8 Verify IP connectivity by issuing a ping from your PC to the NS-208 interface.

Step 1.9 Verify IP connectivity by issuing a ping from your PC to the classroom server (10.75.13).

Step 1.10 If you are using the CLI, save your configuration to flash memory. If you are using the WebUI, your changes are saved automatically.

Note: If you are not using Security Manager, proceed to Part 2 of this lab.

Step 1.11 Open the Security Manager client and use the login super and the password netscreen.

Step 1.12 Add your device to the list of managed devices. Use the syntax GroupX-Y for the device name.

Step 1.13

Part 2: VPN Configuration

Note: If you are using Security Manager, do not use VPN Manager for this portion of the lab.

Diagram: X is your group number; Y is your workstation number.

Step 2.1 Configure an IKE gateway on your firewall device using the following parameters:
• Gateway name: GroupX-Y-GW (for example, group1-1-GW)
• Remote gateway type: Static IP address
• Remote IP address: See diagram.
• Outbound interface: See diagram.
• Preshared key: Ask the instructor what is set on the instructor NS-208 device.
• Security level: Standard.

Note: The instructor will configure the VPN configuration on the instructor NS-208 device. Ask your instructor what preshared key to use.

Step 2.2 Configure an AutoKey IKE VPN on your device using the following parameters:
• VPN name: GroupX-Y-VPN (for example, group1-1-VPN)
• Security level: Standard; and
• Phase 1 gateway: GroupX-Y-GW (the gateway you created in Step 2.1).

Step 2.3 Define address objects for your PC and for the classroom server at 20:2.75.113.

Step 2.4 Configure policies on your firewall that tunnel traffic from your PC to the classroom server at 10..75.111 and vice versa. Make sure your policies are placed at the top of the policy list.
Step 2.5 If you are using the CLI, save your configuration on both devices. If you are using Security Manager, update the configuration of both devices.

Step 2.6 Verify connectivity by issuing a ping from your PC to the classroom server. If the tunnel is not established, use the troubleshooting commands we discussed in the class lecture to resolve the problem.

Step 2.7 Use the commands discussed in class to answer the following questions:
Question: What encryption algorithm is used in Phase 1? Which command did you use to verify this?
Question: What authentication algorithm is used in Phase 2? Which command did you use to verify this?
Question: What policy numbers are being used for each SA?

Step 2.8 Generate a continuous ping from your PC to the classroom server (ping 10.1.75.111 -t). On your device, issue the get session command. When you have the output, cancel the ping.
Question: What IP protocol is being used for the tunnel?

Part 3: Demo: VPN Manager

Step 3.1 Watch the demo using VPN Manager to create policy-based VPNs.

Tell your instructor that you have completed Lab 8.

Lab 9: Route-Based VPNs

Overview

This lab explores the configuration of route-based VPNs. This lab is available in two formats: a high-level format that is designed to make you think through each step, and a detailed format that offers step-by-step instructions complete with sample output from most commands.

By completing this lab, you will perform the following tasks:
+ Configure a route-based, tunnel-interface-based AutoKey IKE VPN.
+ Verify VPN functionality from your local PC.
+ Demo: Using VPN Manager to create route-based VPNs.

This lab requires you to enable a VPN on your device.

Network Diagram

The classroom network is divided into four workgroups, with each workgroup connected to a port on an NS-208 device via a hub. A workgroup, as shown here, contains four NS-5XP, NS-5XT, or NS-5GT devices and four PCs.
Each PC in the workgroup is connected to a Juniper Networks device via the Trust interface and the console port. The instructor will assign each student to a workgroup, and each workgroup will correspond to a port on the NS-208 device. For example, if you are in Workgroup 1, your hub is connected to port E1 on the NS-208 device.

Fill in your assigned X and Y values below:
X = Row/Group/Port: ____ Y = ____

Part 1: Basic Connectivity

Step 1.1 Confirm that the IP configuration of your PC is correct as per the lab diagram. If not assigned already, obtain your X and Y values from the instructor and write them in the space provided. These values will be assigned to you for the remainder of the course:
+ Address: 10.X.Y.5 (X is your row and group; Y is your workstation)
+ Mask: 255.255.255.0
+ Gateway: 10.X.Y.4 (the Trust interface on your NS-5GT device)
X value: ____ Y value: ____ PC IP address: ____ PC Gateway: ____

Step 1.2 Erase the configuration of your Juniper Networks device.

Step 1.3 After the device is reset, log in using the default username and password of netscreen. Set the hostname of your device to GroupX-Y.

Step 1.4 Configure your ScreenOS device with the IP addressing as per the lab diagram:
+ Trust: 10.X.Y.4/24
+ Untrust: the /28 address shown in the diagram

Note: At this point you can choose to begin using the WebUI, or you can continue using the CLI.

Step 1.5 Set a default route using the gateway address specified previously. This address is already configured on the NS-208 device.

Step 1.6 Enable Telnet, Web, and ping management on the Untrust interface.

Step 1.7 Ensure that a policy exists to allow your PC to access the Instructor network.

Step 1.8 Verify IP connectivity by issuing a ping from your PC to the NS-208 interface (address shown in the diagram).

Step 1.9 Verify IP connectivity by issuing a ping from your PC to the classroom server (10.1.75.111).

Step 1.10 If you are using the CLI, save your configuration to flash memory. If you are using the WebUI, your changes are saved automatically.
Note: If you are not using Security Manager, proceed to Part 2 of this lab.

Step 1.11 Open the Security Manager client using the login super and the password netscreen.

Step 1.12 Add your device to the list of managed devices. Use the syntax GroupX-Y for the device name.

Part 2: VPN Configuration

Note: If you are using Security Manager, do not use VPN Manager for this portion of the lab.

(Network diagram: your Trust zone, 10.X.Y.0/24, and the instructor NS-208 device. X is your group number; Y is your workstation number.)

Step 2.1 Configure a tunnel interface on your ScreenOS device. The interface should be in the Trust zone, with its IP address unnumbered using the Trust interface.

Step 2.2 On the instructor NS-208 device, remove the VPN policies from the previous lab if present.

Step 2.3 Configure a tunnel interface on the instructor NS-208 device. The interface should be in the Instructor zone, with its IP address unnumbered using the interface bound to the Instructor zone. Note the number of your tunnel interface. You will not configure the instructor NS-208 device using Security Manager.

Note: Multiple users will simultaneously be configuring the instructor NS-208 device. Make sure you note the number of your own tunnel interface.

Step 2.4 Configure a route entry on your ScreenOS device that directs traffic to 10.1.75.0/24 via the tunnel interface.

Step 2.5 Configure a route entry on the instructor NS-208 device that directs traffic to your 10.X.Y.0/24 subnet via the tunnel interface. You will not configure the instructor NS-208 device using Security Manager.

Note: Multiple users will simultaneously be configuring the interface.

Step 2.6 Configure an IKE gateway on both your ScreenOS device and the instructor NS-208 device. Use the Standard security level. You will not configure the instructor NS-208 device using Security Manager.

Step 2.7 Configure an AutoKey IKE entry on both your ScreenOS device and the instructor NS-208 device. In the Advanced screen, bind the VPN entry to the tunnel interface you created in the previous steps. You will not configure the instructor NS-208 device using Security Manager.
Note: Multiple users will simultaneously be configuring the instructor NS-208 device. Make sure you use your own tunnel interface.

Step 2.8 Verify connectivity by issuing a ping from your PC to the instructor server, 10.1.75.111.

Step 2.9 Question: Verify that the correct route is chosen for ping 10.1.75.111. What command did you use? What is the egress interface?

Step 2.10 Verify that IKE Phase 1 and Phase 2 have completed.
Question: What commands did you use?
Question: What policies are required for this network design?

Step 2.11 Enter the get sa active command.
Question: What is listed for the PID?

Step 2.12 Save your configuration to flash memory.

Part 3: Demo: Using VPN Manager

Step 3.1 Watch the demo of VPN Manager.

Tell your instructor that you have completed Lab 9.
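As with Lab 8, the guide gives no commands for Lab 9 Part 2. The ScreenOS CLI sequence below is an added example (not the lab guide's own text) for Steps 2.1 through 2.11 with X=1, Y=1; the peer addresses, the preshared key, the tunnel interface numbers and the NS-208 interface names are placeholders or assumptions.

```text
# Added example for Lab 9 Part 2 (route-based VPN), X=1, Y=1.
# Assumed: tunnel.1 on your device, tunnel.11 on the instructor NS-208 (use the number you
# noted in Step 2.3), ethernet2 as the NS-208 interface bound to the Instructor zone,
# <NS208-UNTRUST-IP>/<STUDENT-UNTRUST-IP> from the diagram, <ASK-INSTRUCTOR> as the key.

# --- Your ScreenOS device ---
# Step 2.1: tunnel interface in the Trust zone, unnumbered on the Trust interface
set interface tunnel.1 zone trust
set interface tunnel.1 ip unnumbered interface trust
# Step 2.4: send the classroom network into the tunnel
set route 10.1.75.0/24 interface tunnel.1
# Step 2.6: IKE gateway (Phase 1), Standard security level
set ike gateway group1-1-GW address <NS208-UNTRUST-IP> main outgoing-interface untrust preshare <ASK-INSTRUCTOR> sec-level standard
# Step 2.7: AutoKey IKE VPN bound to the tunnel interface (the "Advanced" screen binding in the WebUI)
set vpn group1-1-VPN gateway group1-1-GW sec-level standard
set vpn group1-1-VPN bind interface tunnel.1
save

# --- Instructor NS-208 (from its CLI, not Security Manager) ---
# Step 2.3: tunnel interface in the Instructor zone, unnumbered on that zone's interface
set interface tunnel.11 zone instructor
set interface tunnel.11 ip unnumbered interface ethernet2
# Step 2.5: route the student subnet back through the same tunnel
set route 10.1.1.0/24 interface tunnel.11
# Steps 2.6 and 2.7: matching gateway and VPN, bound to tunnel.11
set ike gateway group1-1-GW address <STUDENT-UNTRUST-IP> main outgoing-interface <NS208-UNTRUST-IF> preshare <ASK-INSTRUCTOR> sec-level standard
set vpn group1-1-VPN gateway group1-1-GW sec-level standard
set vpn group1-1-VPN bind interface tunnel.11
save

# --- Verification on your device (Steps 2.9 to 2.11) ---
get route ip 10.1.75.111   # Step 2.9: route lookup; the egress interface should be tunnel.1
get ike cookies            # Step 2.10: a Phase 1 SA for group1-1-GW should be listed
get sa active              # Step 2.11: the Phase 2 SA; for a route-based VPN the PID column shows -1,
                           # because no policy references the SA (the route selects the tunnel)
# Step 2.10, policies: with tunnel.1 in the Trust zone the PC-to-server flow is intra-zone, so no
# policy is needed while intra-zone blocking is off (the ScreenOS default); if blocking is
# enabled on the Trust zone, a trust-to-trust permit policy is required.
```

If a ping in Step 2.8 leaves the device on the Untrust interface instead of tunnel.1, the route in Step 2.4 is missing or less specific than another route, which is what Step 2.9 is meant to surface.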
