Evil_TTL> show | s

Juniper SRX Remote Login

Category:Juniper -> Security

To enable basic SSH login, without any routing, on the dedicated management interface fxp0:

//enable ssh
set system services ssh

//configure IP address on fxp0
set interfaces fxp0 unit 0 family inet address <IP_address>/<prefix_length>

fxp0 is pingable by default: it is handled directly by the Routing Engine and is not placed in a security zone, so the host-inbound-traffic settings below do not apply to it.

To enable basic SSH login without routing on a non-management (revenue) interface such as xe-11/0/0:

//configure IP address on xe-11/0/0
set interfaces xe-11/0/0 unit 0 family inet address <IP_address>

//assign the interface to a security zone and allow inbound SSH on it (nothing reaches the RE from a revenue interface until its zone permits the service)
set security zones security-zone MGMT interfaces xe-11/0/0.0 host-inbound-traffic system-services ssh

Non-management interfaces are not pingable by default. To enable ping:

set security zones security-zone MGMT interfaces xe-11/0/0.0 host-inbound-traffic system-services ping

Example of how to configure remote access on a tagged (VLAN) sub-interface with an input filter (access list) that allows only SSH and ICMP:

set interfaces reth2 unit 102 vlan-id 102
set interfaces reth2 unit 102 family inet filter input MGMT_IN
set interfaces reth2 unit 102 family inet address 192.168.1.9/30

//both host-inbound-traffic lines are required: the zone must permit the service, the interface filter alone does not open anything
set security zones security-zone MGMT interfaces reth2.102 host-inbound-traffic system-services ping
set security zones security-zone MGMT interfaces reth2.102 host-inbound-traffic system-services ssh

set firewall family inet filter MGMT_IN term terminal_access from protocol tcp
set firewall family inet filter MGMT_IN term terminal_access from port ssh
set firewall family inet filter MGMT_IN term terminal_access then accept

//ICMP must go in a separate term: the "from" conditions inside one term are ANDed, so "protocol icmp" combined with "port ssh" can never match (ICMP has no ports), and the implicit discard at the end of every filter would then drop the pings
set firewall family inet filter MGMT_IN term ping from protocol icmp
set firewall family inet filter MGMT_IN term ping then accept

Anything not matched by these two terms is dropped by the filter's implicit discard. Note that "from port ssh" matches either the source or the destination port; "from destination-port ssh" is the tighter match if you only want to admit SSH connections to the box.

Enable MGMT Access on Loopback

inbound traffic --> [reth] - [PFE (data plane)] -- lo0.# -- [RE (control plane)]

A filter applied to the loopback (any lo0 unit) controls traffic passing from the data plane (PFE) to the control plane (RE) on the SRX, regardless of which physical interface it arrived on.

The filter below allows SSH/HTTPS access to the control plane from 192.168.0.0/16, then logs and rejects SSH from every other source, then accepts all remaining traffic between the PFE and the Routing Engine (this last term is important: without it the implicit discard would also drop routing-protocol, DHCP and other traffic the RE needs). Note that the deny term only matches SSH, so HTTPS from outside 192.168.0.0/16 still reaches the RE via the final accept; add "port https" to the deny term if that is not intended.

set interfaces lo0 unit 0 family inet filter input Lo0_IN
set firewall family inet filter Lo0_IN term terminal_access from source-address 192.168.0.0/16
set firewall family inet filter Lo0_IN term terminal_access from protocol tcp
set firewall family inet filter Lo0_IN term terminal_access from port ssh
set firewall family inet filter Lo0_IN term terminal_access from port https
set firewall family inet filter Lo0_IN term terminal_access then accept
set firewall family inet filter Lo0_IN term terminal_access_denied from protocol tcp
set firewall family inet filter Lo0_IN term terminal_access_denied from port ssh
set firewall family inet filter Lo0_IN term terminal_access_denied then log
set firewall family inet filter Lo0_IN term terminal_access_denied then reject
set firewall family inet filter Lo0_IN term default-term then accept

Once the filter is on the loopback, the per-interface input filter is no longer required; the security-zone host-inbound-traffic settings still are, since the zone has to admit the service before the packet ever reaches lo0.
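To make the evaluation rules behind both filters on this page tangible (first matching term wins, conditions inside a term are ANDed, the values under one condition are ORed, and an unmatched packet hits the implicit discard), here is a small Python model of Junos stateless filter evaluation with MGMT_IN and Lo0_IN transcribed into it. This is an added example, not code from the original post or from Juniper; the PORT_NAMES/PROTO_NAMES tables and the sample packets are constructed for the illustration, and the model covers only the match conditions the post uses.

```python
"""Toy model of Junos stateless firewall-filter evaluation (added example).

Covers only the conditions used on this page: protocol, port,
destination-port and source-address, plus first-match / implicit-discard.
"""
from ipaddress import ip_address, ip_network

# Hypothetical service-name tables (Junos resolves these names itself).
PORT_NAMES = {"ssh": 22, "https": 443}
PROTO_NAMES = {"tcp": 6, "udp": 17, "icmp": 1}


def _port(v):
    return PORT_NAMES.get(v, v) if isinstance(v, str) else v


def term_matches(conds, pkt):
    """Every 'from' condition must match (AND); the values listed under a
    single condition are alternatives (OR).  A term with no 'from' matches
    everything, which is what the lo0 default-term relies on."""
    for cond, values in conds.items():
        values = values if isinstance(values, list) else [values]
        if cond == "protocol":
            ok = pkt["proto"] in {PROTO_NAMES[v] for v in values}
        elif cond == "port":
            # 'port' matches source OR destination port.  ICMP carries no
            # ports, so this condition is never true for ICMP packets.
            ports = {_port(v) for v in values}
            ok = pkt.get("sport") in ports or pkt.get("dport") in ports
        elif cond == "destination-port":
            ok = pkt.get("dport") in {_port(v) for v in values}
        elif cond == "source-address":
            ok = any(ip_address(pkt["src"]) in ip_network(v) for v in values)
        else:
            raise ValueError(f"unmodelled condition {cond}")
        if not ok:
            return False
    return True


def evaluate(filter_terms, pkt):
    """Return (action, term_name): terms run in order, the first match
    decides, and an unmatched packet gets the implicit 'discard'."""
    for name, term in filter_terms:
        if term_matches(term.get("from", {}), pkt):
            return term["then"], name
    return "discard", "<implicit>"


# The two filters from the post, transcribed into the model.
MGMT_IN = [
    ("terminal_access", {"from": {"protocol": "tcp", "port": "ssh"}, "then": "accept"}),
    ("ping", {"from": {"protocol": "icmp"}, "then": "accept"}),
]
# The mistake the post warns about: ICMP folded into the SSH term.
MGMT_IN_WRONG = [
    ("terminal_access", {"from": {"protocol": ["tcp", "icmp"], "port": "ssh"},
                         "then": "accept"}),
]
LO0_IN = [
    ("terminal_access", {"from": {"source-address": "192.168.0.0/16",
                                  "protocol": "tcp", "port": ["ssh", "https"]},
                         "then": "accept"}),
    ("terminal_access_denied", {"from": {"protocol": "tcp", "port": "ssh"},
                                "then": "reject"}),
    ("default-term", {"then": "accept"}),
]

# Constructed sample packets (not captured traffic).
SSH_WAN = {"proto": 6, "src": "10.0.0.5", "sport": 51000, "dport": 22}
PING_WAN = {"proto": 1, "src": "10.0.0.5"}
SNMP_WAN = {"proto": 17, "src": "10.0.0.5", "sport": 51001, "dport": 161}
SSH_LAN = {"proto": 6, "src": "192.168.5.5", "sport": 51002, "dport": 22}
HTTPS_WAN = {"proto": 6, "src": "10.1.1.1", "sport": 51003, "dport": 443}


def demo():
    """Verdicts for each sample packet against the page's filters."""
    return {
        "mgmt_ssh": evaluate(MGMT_IN, SSH_WAN)[0],          # accept
        "mgmt_ping": evaluate(MGMT_IN, PING_WAN)[0],        # accept
        "mgmt_snmp": evaluate(MGMT_IN, SNMP_WAN)[0],        # discard (implicit)
        "wrong_ping": evaluate(MGMT_IN_WRONG, PING_WAN)[0], # discard: icmp AND port never true
        "lo0_ssh_lan": evaluate(LO0_IN, SSH_LAN)[0],        # accept
        "lo0_ssh_wan": evaluate(LO0_IN, SSH_WAN)[0],        # reject
        "lo0_https_wan": evaluate(LO0_IN, HTTPS_WAN)[0],    # accept via default-term
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} -> {verdict}")
```

The last line of the demo is the one worth staring at: HTTPS from 10.1.1.1 falls through both explicit terms and is accepted by default-term, which is exactly why the deny term on the real box should list https as well as ssh if HTTPS management is meant to be restricted to 192.168.0.0/16.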


By privilege15