JuniperSRX详细配置手册含注释

1、百度文库让每个人平等地提升自我Juniper SRX标准配置第一节系统配置3、设备初始化3登陆3设置root用户口令3设置远程登陆管理用户32、系统管理4选择时区4系统时间4DNS服务器5系统重启5Alarm告警处理5Root密码重置6第二节网络设置7、Interface7PPPOE7Manual8srx_admin# set interfaces fe-0/0/0 unit 0 family inet address DHCP8、Routing8Static Route8、SNMP9第三节高级设置9修改服务端口9检查硬件序列号9内外网接口启用端口服务9创建系统服务10VIP端口映射10srx

2、_admin#set security zones security-zone trust address-book address MIP 映射.11禁用 console 口11Juniper SRX带源ping外网默认不通，需要做源地址NAT11设置SRX管理IP12配置回退12UTM调用13网络访问缓慢解决13第四节VPN设置13、点对点 IPSecVPN13Route Basiced13Policy Basiced16、Remote VPN19SRX端配置19客户端配置204百度文库让每个人平等地提升自我4第一节系统配置、设备初始化登陆首次登录需要使用Console 口连接SRX, r

3、oot用户登陆，密码为空 login: rootPassword: JUNOS built 2009-07-16 15:04:30 UTC root configureroot% cliroot/*进入操作模式*/Entering configuration mode/*，*进入配置模式*，*/editRoot#设置root用户口令（必须配置root帐号密码，否则后续所有配置及修改都无法提交）root# set system root-authentication plain-text-passwordroot# new password : rootl23root# retype new p

4、assword: rootl23密码将以密文方式显示root# show system root-authenticationencrypted-password $l$xavDeUe6$; # SECRET-DATA注意：强烈建议不要使用其它加密选项来加密root和其它user 口令（如encrypted-password 加密方式），此配置参数要求输入的口令应是经加密算法加密后的字符串，采用这种加密方 式手工输入时存在密码无法通过验证风险。注：。七用户仅用于console连接本地管理SRX,不能通过远程登陆管理SRX,必须成功设 置root 口令后，才能执行commit提交后续配置命令。设

5、置远程登陆管理用户root# set system login user lab class super-user authentication plain-text-passwordroot# new password : juniperroot# retype new password: srxl23注：此juniper用户拥有超级管理员权限，可用于console和远程管理访问，另也可自行灵活 定义其它不同管理权限用户。2、系统管理选择时区srx_admin# set system time-zone Asia/Shanghai/*.亚洲/上海*/系统时间手动设定srx_admin set

6、 datesrx_admin show system uptime Current time: 2015-11-20 15:37:14 UTC System booted: 2015-11-20 15:21:48 UTC (2d 00:15 ago) Protocols started: 2015-11-20 15:24:45 UTC (2d 00:12 ago) Last configured: 2015-11-20 15:30:38 UTC (00:06:36 ago) by srx_admin3:37PM up 2 days, 15 mins, 3 users, load average

7、s: 一NTP同步一次srx_admin set date ntp 8 Feb 15:49:50 ntpdate6616: step time server offset secNTP服务器srx-admin# set system ntp server system ntp server 系统 NTP 服务器，设备需要联网可以解 析ntp地址，不然命令无法输入*/srx_admin show ntp status status=c011 sync-alarm, sync_unspec, 1 event, event_restart, version=Mntpd Fri Nov 20 15:4

8、4:16 UTC 2014 ”, processor=octeon,/ system* leap= 11, stratum=16/ precision=17, rootdelays rootdispersion=, peer=0, refid=INI1； reftime= Thuz Feb 7 2036 14:28:,poll=4, clock= Sun, Feb 8 2015 7:58:, state=O, offset二，frequency二,jitter：, stability= srx_adminholy-shit show ntp associationsremoterefid st

9、 t when poll reach delay offset jitter百度文库让每个人平等地提升自我3 -16641.INIT.16-640DNS服务器srx_admin# set system name-server /*SRX 系统 DNS*/系统重启重启系统srx_admin request system reboot关闭系统srx_admin request system power-offAlarm告警处理告警查看root# run show system alarms2 alarms currently activeAlarm timeClass Description201

10、5-11-20 14:21:49 UTC Minor Autorecovery information needs to be saved2015-11-20 14:21:49 UTC Minor Rescue configuration is not set告警处理告警一处理root request system autorecovery state saveSaving config recovery informationSaving license recovery informationSaving BSD label recovery information告警二处理root re

11、quest system configuration rescue saveRoot密码重，IX-SRX Root密码丢失，并且没有其他的超级用户权限，那么就需要执行密码恢复，该操作需要 中断设备正常运行，但不会丢失配置信息。操作步骤如下：1 .重启防火墙，CRT上出现下而提示时，按空格键中断正常启动，然后再进入单用户状态, 并输入：boot -sLoading /boot/d efaults/kernel data=0xbl5b3c+0xl3464c syms=0x4+0x8bb00+0x4+0xcacl5Hit Enter to boot immediately, or space bar

12、 for command prompt.Ioaderloader boot -s2 .执行密码恢复：在以下提示文字后输入recovery,设备将自动进行重启Enter full pathname of shell or recovery1 for root password recovery or RETURN for /bin/sh:recovery* FILE SYSTEM WAS MODIFIED *System watchdog timer disabledEnter full pathname of shell or recovery* for root password recov

13、ery or RETURN for /bin/sh: recovery3.进入配置模式，删除root密码后重新设置root密码，并保存重启root configureEntering configuration modeeditroot# delete system root-authentication editroot# set system root-authentication plain-text-passwordNew password:Retype new password:(editroot# commitcommit complete(edit)root# exitExiti

14、ng configuration moderoot request system rebootReboot the system ? yes,no (no) yes第二节网络设置、InterfacePPPOE在外网接口 (feQ/0/O)下封装PPPsrx_admin# set interfaces fe-O/O/O unit 0 encapsulation ppp-over-etherXCHAP认证配置srx_admin# set interfaces ppO unit 0 ppp-options chap default-chap-secret 90/PPPOE 的密码“*/srx_adm

15、in# set interfaces ppO unit 0 ppp-options chap local-name rxgjhygs163 叩PPOE的帐号*/srx_admin# set interfaces ppO unit 0 ppp-options chap passive/*采用被动模式X PAP认证配置srx_admin# set interfaces ppO unit 0 ppp-options pap default-password 90/-PPPOE的密码,冷/srx_admin# set interfaces ppO unit 0 ppp-options pap loca

16、l-name rxgjhygs163/PPPOE 的帐号“*/srx_admin# set interfaces ppO unit 0 ppp-options pap local-password 90/PPPOE的密码*/srx_admin# set interfaces ppO unit 0 ppp-options pap passive/” 采用被动模式一,/XPPP接口调用srx_admin# set interfaces ppO unit 0 pppoe-options underlying-interface fe-O/O/”,在外网接口(fe-O/O/O)下启用PPPOE拨号*/

17、XPPPOE拨号属性配置srx_admin# set interfaces ppO unit 0 pppoe-options idle-timeout 0空闲超时值*/srx_admin# set interfaces ppO unit 0 pppoe-options auto-reconnect 3*3秒自动重拨*/srx_admin# set interfaces ppO unit 0 pppoe-options client/”表示为PPPOE客户端*/srx_admin# set interfaces ppO unit 0 family inet mtu 1492修改此接口的MTU值，

18、改成1492c因为PPPOE的报头会有一点的开销*”/srx_admin# set interfaces ppO unit 0 family inet negotiate-address/”“自动协商地址，即由服务端分配动态地址*”/默认路由srx_admin# set routing-options static route next-hopXPPPOE 接口划入 untrust 接口srx_admin# set security zones security-zone untrust interfaces 验证PPPoE是否已经拔通，是否获得IP地址 srx_admin#run show

19、interfaces terse | match ppppOupup upppeOup叩inet-up upup注：PPPOE拨号成功后需要调整MTU值，使上网体验达到最佳（MTU值不合适的话上网会卡）/*调整TCP分片大小*/srx_admin# set interfaces ppO unit 0 family inet mtu 1304/*调整 MTU 大小*/srx_admin# set security flow tcp-mss all-tcp mss 1304Manual srx_admin# set interfaces fe-0/0/0 unit 0 family inet ad

20、dress启用DHCP地址池srx_admin# set system services dhcp pool /”，DHCP 网关srx_admin# set system services dhcp pool /-,DHCP地址池第一个地址*”/srx_admin# set system services dhcp pool srx_admin# set system services dhcp pool /”*DHCP地址租期*，/srx_admin# set system services dhcp pool srx_admin# set system services dhcp poo

21、l/DHCP 分配 DNS*/srx_admin# set system services dhcpDHCProuteraddress-range lowaddress-range high地址池最后一个地址*/default-lease-time 36000domain-name 域名*/name-serverpool name-server set system services dhcp propagate-settings /*，DHCP 分发端口*/配置内网接口地址srx_admin# set interfaces vlan unit 0 family inet address 内网

22、接口调用 DHCP 地址池srx_admin#set security zones security-zone trust interfaces host-inbound-traffic system-services dhcp、RoutingStatic Routesrx_admin# set route-option static route next-hop/默认路由/srx_admin# set route-option static route next-hop/-,Route Basiced VPN 路由*/、SNMPsrx_admin# set snmp community Aj

23、itec authorization read-only/read-write/1-SNMP监控权限”/srx_admin# set snmp client-list snmp_srx240/*SNMP监控主机第三节高级设置修改服务端口srx_admin# set system services web-management http port 8000/”“更改web的http管理端口号*/srx_admin# set system services web-management https port 1443 更改web的https管理端口号检查硬件序列号srx# run show cha

24、ssis hardwareHardware inventory:Serial numberBZ2615AF0491BZ2615AF0491FPC8x FE Base PICDescriptionSRX100H2RE-SRX100H2ItemVersion Part numberChassisRouting EngineREV 05650-048781FPCOPICOPower Supply 0内外网接口启用端口服务定义系统服务srx_admin# set system services sshsrx_admin# set system services telnetsrx_admin# set

25、 system services web-management http interfacesrx_admin# set system services web-management http interface fe-0/0/srx_admin# set system services web-management https interfacesrx_admin# set system services web-management management-url admin/*“后期用，不加就直接跳转“ 内网接口启用端口服务srx_admin#set securityzones secur

26、ity-zonetrustinterfaceshost-inbound-trafficsystem-services pingsrx_admin#set security/“开启 ping /zones security-zonetrustinterfaceshost-inbound-trafficsystem-services httpsrx_admin#set security/*开启 http*，*/ zones security-zonetrustinterfaceshost-inbound-trafficsystem-services telnet/*开启 telnet ，*/hos

27、t-inbound-traffic外网接口启用端口服务srx_admin# set security zones security-zone untrust interfaces fe-0/0/system-services ping srx_admin#set security system-services telnet srx_admin#set security system-services http srx_admin#set security system-services all/*开启 ping*/zones security-zone untrust/*开启 telnet*

28、/zones security-zone untrust*开启 http，*/zones security-zone untrust/*开启所有服务*/interfacesinterfacesinterfacesfe-0/0/fe-0/0/fe-0/0/host-inbound-traffichost-inbound-traffichost-inbound-traffic21创建系统服务/”协议选择tcp*/* 源端口 */目的端口，*/*协议选择udp*/源端口*/*目的端口 */srx_admin#set applications application RDP protocol tcp

29、srx_admin#set applications application RDP source-port 0-65535 srx_admin#set applications application RDP destination-port 3389 srx_admin#set applications application RDP protocol udp srx_admin#set applications application RDP source-port 0-65535 srx_admin#set applications application RDP destinatio

30、n-port 3389VIP端口映射派 Destination NAT 配置srx_admin#set security nat destination pool 22 address NAT pool 设置，为真实内网地址*/srx_admin#set security nat destination pool 22 address port 3389jDestination NAT pool设置，为内网地址的端口号*/srx_admin#set security nat destination rule-set 2 from zone untrust/Destination NAT Rul

31、e设置,访问流量从untrust区域过来*/srx_admin#set security nat destination rule-set 2 rule 111 match source-address Destination NAT Rule设置，访问流量可以任意地址*/srx_admin#set security nat destination rule-set 2 rule 111 match destination-address Destination NAT Rule 设置，访问的目的地址是 security nat destination rule-set 2 rule 111

32、match destination-port 3389/Destination NAT Rule设置,访问的目的地址的端口号*/srx_admin#set security nat destination rule-set 2 rule 111 then destination-nat pool 22Destination NAT Rule 设置，调用 pool 地址本*/策略配置srx_admin#set security policies from-zone untrust to-zone trust policy vip match source-address anysrx_admin

33、#set security policies from-zone untrust to-zone trust policy vip match destination-address security policies from-zone untrust to-zone trust policy vip match application anysrx_admin#set security policies from-zone untrust to-zone trust policy vip then permitsrx_admin#set security zones security-zo

34、ne trustaddress-book addressMIP映射Destination NAT 设置srx_admin#set security nat destination pool 111 addressDestination NAT pool设置，为真实内网地址*”/srx_admin#set security nat destination rule-set 1 from zone untrustDestination NAT Rule 设置，访问流里:从 untrust 区域过来*/srx_admin#set security nat destination rule-set 1

35、 rule 111 match source-address NAT Rule 设置， 访问流量可以任意地址*/srx_admin#set security nat destination rule-set 1 rule 11 match destination-address NAT Rule 设 置，访问的目的地址是 security nat destination rule-set 1 rule 11 then destination-nat pool 11 Destination NAT Rule 设置，调用 pool 地址*/配置ARP代理srx_admin#set security

36、 nat proxy-arp interface fe-O/O/ address 策略配置srx_admin#set security policies from-zone untrust to-zone trust policy mip match source-address anysrx_admin#set security policies from-zone untrust to-zone trust policy mip match destination-address security policies from-zone untrust to-zone trust polic

37、y mip match application anysrx_admin#set security policies from-zone untrust to-zone trust policy mip then permit/*进入 console 接口*/*关闭端口 */*提交3分钟，3分钟后回退*/禁用 console 口juniper-srxSRX100H2# edit system ports consolejuniper-srxSRX100H2# set disablejuniper-srxSRX100H2# commit confirmed 3Juniper SRX带源ping外

38、网默认不通，需要做源地址NATset security nat source rule-set LOCAL from zone junos-hostset security nat source rule-set LOCAL to zone untrustset security nat source rule-set LOCAL rule LOCAL match source-address security nat source rule-set LOCAL rule LOCAL match destination-address security nat source rule-set

39、LOCAL rule LOCAL then source-nat interfaceset security nat source rule-set trust-to-untrust from zone trustset security nat source rule-set trust-to-untrust to zone untrustset security nat source rule-set trust-to-untrust rule source-nat-rule match source-address security nat source rule-set trust-t

40、o-untrust rule source-nat-rule then source-nat interface设置SRX管理IP参照防火墙外网接口的端口服务set security zones security-zone untrust interfaces fe-O/O/ host-inbound-traffic system-services ike set security zones security-zone untrust interfaces fe-O/O/ host-inbound-traffic system-services ping set security zones

41、 security-zone untrust interfaces fe-O/O/ host-inbound-traffic system-services ssh定义防火墙filter,设定允许访问的地址和端口set firewall filter Outside_access_in term PermitJP from source-address firewall filter Outside_accessjn term Permit J P from destination-address firewall filter Outside_access_in term PermitJP

42、from protocol tcpset firewall filter Outside_access_in term Permit J P from destination-port sshset firewall filter Outside_access_in term Permit J P then accept/设置允许访问的地址和地址*/set firewall filter Outside_accessjn term Deny_ANY from destination-address firewall filter Outside_accessjn term Deny_ANY f

43、rom protocol tcpset firewall filter Outside_access_in term Deny_ANY from destination-port sshset firewall filter Outside_access_in term Deny_ANY then discardset firewall filter Outside accessjn term Permit_ANY then accept其他流量全部拒绝”/防火墙外网接口调用filter,在接口上启用限制set interfaces fe-O/O/O unit 0 family inet fi

44、lter input Outside_access_in注：在配置拒绝流量时注意在拒绝的端口后面放行其他流量，因为这个拒绝会把所有流 量都拒绝掉。在配置拒绝流量时不能配置all,不然会把所有流量都拒绝掉配置回退查看提交过的配置srx_admin # run show system commit02016-05-04 11:47:46 UTC by root via junoscript12016-05-04 11:40:11 UTC by root via cli22016-05-04 11:38:36 UTC by root via cli32016-04-27 11:41:07 UTC b

45、y root via cli42016-04-01 17:37:22 UTC by root via button回退配置(ROLLBACK 0”)srx_admin # rollback ?Possible completions:012341Execute this command2016-05-04 11:47:46 UTC by root via junoscript2016-05-04 11:40:11 UTC by root via cli2016-05-04 11:38:36 UTC by root via cli2016-04-27 11:41:07 UTC by root v

46、ia cli2016-04-01 17:37:22 UTC by root via button Pipe through a commandUTM调用在策略中调用UTMsrx_admin #set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address anysrx_admin #set security policies from-zone trust to-zone untrust policy trust-to-untrust match destina

47、tion-address anysrx_admin #set security policies from-zone trust to-zone untrust policy trust-to-untrust match application anysrx_admin #set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services utm-policy junos-av-policy网络访问缓慢解决srx_admin #set sec

48、urity flow syn-flood-protection-mode syn-cookie srx_admin #set security flow tcp-mss all-tcp mss 1300 srx_admin #set security flow tcp-session rst-sequence-check srx_admin #set security flow tcp-session strict-syn-check srx_admin #set security flow tcp-session no-sequence-check第四节VPN设置、点对点IPSecVPNRo

49、ute Basiced/*standard or compatible 模式*/创建tunnel接口srx_admin#set interfaces stO unit 0 family inet/” 新建接口*/srx_admin#set security zones security-zone untrust interfaces定义 tunnel 接口为 untrust 接口/创建去往VPN对端内网的路由srx_admin#srx_admin#set routing-options static route next-hopXVPN第一阶段IKE配置srx_admin#set securi

50、ty ike policy lead mode main/*，协商模式 main or aggressive */srx_admin#set security ike policy lead proposal-set standard/compatible协商加密算法*/srx_admin#set security ike policy lead pre-shared-key ascii-text juniperl23/” 预共享密钥*/XVPN第一阶段IKE配置srx_admin#set security ike gateway gwl ike-policy lead/*调用第一阶段IKE配

51、置”/srx_admin#set security ike gateway gwl address/” ,对端网关地址*/srx_admin#set security ike gateway gwl external-interface fe-O/O/*，VPN 出接口*/注x如果使用PPPOE拨号上网，出接口必须使用ppp接口srx_admin#set security ike gateway gwl external-interfaceXVPN第二阶段IPSEC配置srx_admin#set security ipsec policy abc proposal-set standard/c

52、ompatible/”协商加密算法*/srx_admin#set security ipsec vpn test bind-interface/*绑定VPN接口/srx_admin#set security ipsec vpn test ike gateway gwl/*调用网关*/srx_admin#set security ipsec vpn test ike ipsec-policy abc/” 调用加密算法的策略,*/srx_admin#set security ipsec vpn test establish-tunnels immediately/” 立即开始协商*/外网接口开启I

53、KE服务srx_admin#set security zones security-zone untrust interfaces fe-0/0/ host-inbound-traffic system-services 汰e双向流量策略trust-untrustsrx_admin#set security policies from-zone trust to-zone untrust policy vpn-policy match srx_admin#source-address anysrx_admin#set securitypolicies from-zonetrust to-zon

54、e untrustpolicyvpn-policymatchdestination-address anysrx_admin#set securitypolicies from-zonetrust to-zone untrustpolicyvpn-policymatchapplication anysrx_admin#set security policies from-zone trust to-zone untrust policy vpn-policy then permituntrust-trustsrx_admin#set security policies from-zone un

55、trust to-zone trust policy vpn-policy match source-address anysrx_admin#set security policies from-zone untrust to-zone trust policy vpn-policy match destination-address anysrx_admin#set security policies from-zone untrust to-zone trust policy vpn-policy match application anysrx_admin#set security policies from-zone untrust to-zone trust policy vpn-policy then permit/*custom 模式*/创建tunnel接口srx_admin#set interfaces stO unit 0 family inet/*新建接口*,/srx_admin#set se