
Configuring the WXC ISM 200 Using the CLI

This section describes how to perform the initial configuration of a WXC ISM 200 using the JUNOS software with enhanced services CLI. The WXC ISM 200 in this sample procedure is installed in slots 5 and 6 of the J-series Services Router.

To initially configure the WXC ISM 200:

  1. Assign IP addresses to the wx-6/0/0 interface:

    The internal IP prefix and netmask 2.2.2.2/32 can be any IP address, but the netmask /32 is required. The primary (destination) IP address 10.8.51.2 can be any real address on the LAN in the same subnet as the router. To use the WXC ISM 200 with NAT, the destination address must be a public WAN IP address.

  2. Assign the wx-6/0/0 interface to OSPF area 0.0.0.1; import static routes, direct routes, RIP routes, OSPF routes, and IS-IS routes from the routing table; and create a policy to accept the routes:
  3. If the J-series Services Router is operating in a security context, create the following zones and policies. If the router is operating in a router context (one zone), go to Step 4.
    1. Configure a trust security zone and an untrust security zone and assign them to LAN and WAN interfaces, respectively. The router cannot be accessed remotely until you assign at least one interface to the trust zone.
        user@host# set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
        user@host# set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
    2. Create the internal zone wx-zone that includes only the wx-6/0/0.0 interface to which all accelerated traffic is to be directed:
        user@host# set security zones security-zone wx-zone interfaces wx-6/0/0.0 host-inbound-traffic system-services all
        user@host# set security zones security-zone wx-zone interfaces wx-6/0/0.0 host-inbound-traffic protocols all
    3. Create the acceleration zone security policy trust-to-untrust to redirect traffic sent from the trust zone to the untrust zone. In the following example, all traffic from the trust zone to the untrust zone is redirected to the WXC ISM 200:
        user@host# set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
        user@host# set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
        user@host# set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
        user@host# set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services redirect-wx

      Packets sent from the LAN to the WAN are redirected to the WXC ISM 200 by the application service redirect-wx.

    4. Similarly, specify an untrust-to-trust policy that redirects traffic sent from the untrust zone to the trust zone:
        user@host# set security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address any
        user@host# set security policies from-zone untrust to-zone trust policy untrust-to-trust match destination-address any
        user@host# set security policies from-zone untrust to-zone trust policy untrust-to-trust match application any
        user@host# set security policies from-zone untrust to-zone trust policy untrust-to-trust then permit application-services reverse-redirect-wx

      Packets sent from the WAN to the LAN are redirected to the WXC ISM 200 by the application service reverse-redirect-wx.

    5. Create security policies wx-to-untrust and untrust-to-wx to allow traffic between the internal zone wx-zone and the untrust zone:
        user@host# set security policies from-zone wx-zone to-zone untrust policy wx-to-untrust match source-address any
        user@host# set security policies from-zone wx-zone to-zone untrust policy wx-to-untrust match destination-address any
        user@host# set security policies from-zone wx-zone to-zone untrust policy wx-to-untrust match application any
        user@host# set security policies from-zone wx-zone to-zone untrust policy wx-to-untrust then permit
        user@host# set security policies from-zone untrust to-zone wx-zone policy untrust-to-wx match source-address any
        user@host# set security policies from-zone untrust to-zone wx-zone policy untrust-to-wx match destination-address any
        user@host# set security policies from-zone untrust to-zone wx-zone policy untrust-to-wx match application any
        user@host# set security policies from-zone untrust to-zone wx-zone policy untrust-to-wx then permit
    6. Create a wx-to-wx policy to allow the WXC ISM 200 to send pings and registration server traffic:
        user@host# set security policies from-zone wx-zone to-zone wx-zone policy wx-to-wx match source-address any
        user@host# set security policies from-zone wx-zone to-zone wx-zone policy wx-to-wx match destination-address any
        user@host# set security policies from-zone wx-zone to-zone wx-zone policy wx-to-wx match application any
        user@host# set security policies from-zone wx-zone to-zone wx-zone policy wx-to-wx then permit
  4. If the router is operating in a router context, create one zone and the following policies:
    1. Configure a trust security zone for all interfaces that specifies the local and remote address ranges. For example:
        user@host# set security zones security-zone trust interfaces all
        user@host# set security zones security-zone trust host-inbound-traffic system-services all
        user@host# set security zones security-zone trust host-inbound-traffic protocols all
        user@host# set security zones security-zone trust address-book address local_lan_network 20.10.10.0/30
        user@host# set security zones security-zone trust address-book address remote_lan_network 30.10.10.0/30
    2. Create a security policy redirect so that traffic sent from the local to the remote network is redirected to the WXC ISM 200:
        user@host# set security policies from-zone trust to-zone trust policy redirect match source-address local_lan_network
        user@host# set security policies from-zone trust to-zone trust policy redirect match destination-address remote_lan_network
        user@host# set security policies from-zone trust to-zone trust policy redirect match application any
        user@host# set security policies from-zone trust to-zone trust policy redirect then permit application-services redirect-wx

      The application service redirect-wx redirects each packet to the WXC ISM 200.

    3. Create a security policy reverse so that traffic sent from the remote to the local network is redirected to the WXC ISM 200:
        user@host# set security policies from-zone trust to-zone trust policy reverse match source-address remote_lan_network
        user@host# set security policies from-zone trust to-zone trust policy reverse match destination-address local_lan_network
        user@host# set security policies from-zone trust to-zone trust policy reverse match application any
        user@host# set security policies from-zone trust to-zone trust policy reverse then permit application-services reverse-redirect-wx

      The application service reverse-redirect-wx redirects each packet to the WXC ISM 200.

    4. Specify the following security flows:
        user@host# set security flow allow-dns-reply
        user@host# set security flow tcp-session no-syn-check
        user@host# set security flow tcp-session no-syn-check-in-tunnel
        user@host# set security flow tcp-session no-sequence-check
  5. Commit the configuration to make it the operating configuration on the router:
  6. To check the configuration, go on to Verifying the Initial WXC ISM 200 Configuration.
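
The following review script is an added example, not part of the original procedure or of Juniper's tooling. It parses `set` commands like those in Steps 3 and 4 and lists items to review before committing: a redirect-wx policy with no matching reverse-redirect-wx policy in the opposite direction, any/any/any permit policies sourced from an external zone, and host-inbound services opened on an external zone. Treating `untrust` as the external zone, the function name `audit` and the sample input are assumptions.

```python
import re

# Constructed sample: commands from steps 3.1, 3.3 and 3.5 as typed at the prompt
# (ASCII hyphens in policy names). Step 3.4 is left out on purpose.
SAMPLE = """\
user@host# set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
user@host# set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
user@host# set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
user@host# set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
user@host# set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
user@host# set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services redirect-wx
user@host# set security policies from-zone untrust to-zone wx-zone policy untrust-to-wx match source-address any
user@host# set security policies from-zone untrust to-zone wx-zone policy untrust-to-wx match destination-address any
user@host# set security policies from-zone untrust to-zone wx-zone policy untrust-to-wx match application any
user@host# set security policies from-zone untrust to-zone wx-zone policy untrust-to-wx then permit
"""
POLICY = re.compile(r"set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.+)")
INBOUND = re.compile(r"set security zones security-zone (\S+) interfaces (\S+) host-inbound-traffic (\S+) all")

def audit(config, external=("untrust",)):
    """Return review findings for JUNOS 'set' commands; 'external' zones are an assumption."""
    policies, services, findings = {}, {}, []
    for line in config.splitlines():
        line = re.sub(r"^\S+@\S+#\s*", "", line.strip())  # drop the CLI prompt
        if m := POLICY.match(line):
            src, dst, name, kind, rest = m.groups()
            pol = policies.setdefault((src, dst, name), {"match": {}, "then": ""})
            if kind == "match":
                field, _, value = rest.partition(" ")
                pol["match"][field] = value
            else:
                pol["then"] = rest
        elif (m := INBOUND.match(line)) and m.group(1) in external:
            findings.append(f"zone {m.group(1)}: {m.group(3)} all reachable on {m.group(2)}")
    for (src, dst, name), pol in policies.items():
        action, _, service = pol["then"].partition(" application-services ")
        if service:
            services.setdefault((src, dst), set()).add(service)
        wide = all(pol["match"].get(f) == "any"
                   for f in ("source-address", "destination-address", "application"))
        if wide and action == "permit" and src in external:
            findings.append(f"policy {name}: any/any/any permit from {src} to {dst}")
    for (src, dst), found in services.items():
        if "redirect-wx" in found and "reverse-redirect-wx" not in services.get((dst, src), set()):
            findings.append(f"redirect-wx {src}->{dst} lacks reverse-redirect-wx {dst}->{src}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

In the router context of Step 4, both redirect policies use the trust zone as source and destination, so the pairing check passes when the redirect and reverse policies are both present.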
