Juniper SRX standard configuration

Contents

Section 1  System configuration
  1. Device initialization
     Login
     Setting the root password
     Setting a remote management user
  2. System management
     Time zone
     System time
     DNS server
     System reboot
     Alarm handling
     Root password reset
Section 2  Network settings
  1. Interface
     PPPoE
     Manual
     DHCP
  2. Routing
     Static route
  3. SNMP
Section 3  Advanced settings
  Changing the service ports
  Checking the hardware serial number
  Enabling services on the inside and outside interfaces
  Creating a system service (custom application)
  VIP port mapping
  MIP mapping
  Disabling the console port
  Pings sourced from the SRX to the outside fail by default; source NAT is required
  Setting the SRX management IP
  Configuration rollback
  Applying UTM
  Fixing slow network access
Section 4  VPN settings
  1. Site-to-site IPsec VPN
     Route based
     Policy based
  2. Remote VPN
     SRX-side configuration
     Client configuration

Section 1  System configuration

1. Device initialization

Login

The first login must be made over the console port. Log in as the root user; the password is empty.

login: root
Password:
JUNOS built 2009-07-16 15:04:30 UTC
root% cli                /* enter operational mode */
root> configure          /* enter configuration mode */
Entering configuration mode
[edit]
root#

Setting the root password

The root password must be configured; until it is, none of the later configuration or changes can be committed.

root# set system root-authentication plain-text-password
New password: root123
Retype new password: root123

The password is displayed in encrypted form:

root# show system root-authentication
encrypted-password "$1$xavDeUe6$..."; ## SECRET-DATA

Note: it is strongly recommended not to use the other encryption options (such as encrypted-password) for the root password or any other user password. That option expects the string you type to already be the output of the hashing algorithm, so a value entered by hand risks producing a password that never verifies.
Note: the root user is only for local management of the SRX over the console; it cannot manage the SRX over a remote login. Only after the root password has been set successfully can the following configuration commands be committed.

Setting a remote management user

root# set system login user lab class super-user authentication plain-text-password
New password: juniper
Retype new password: srx123

Note: this juniper user has super-user rights and can be used for both console and remote management access. Further users with other management rights can be defined as needed.

2. System management

Time zone

srx_admin# set system time-zone Asia/Shanghai          /* Asia/Shanghai */

System time

Set the time manually:

srx_admin> set date <date>
srx_admin> show system uptime
Current time: 2015-11-20 15:37:14 UTC
System booted: 2015-11-20 15:21:48 UTC (2d 00:15 ago)
Protocols started: 2015-11-20 15:24:45 UTC (2d 00:12 ago)
Last configured: 2015-11-20 15:30:38 UTC (00:06:36 ago) by srx_admin
3:37PM  up 2 days, 15 mins, 3 users, load averages:

Synchronize with NTP once:

srx_admin> set date ntp <ntp-server>
8 Feb 15:49:50 ntpdate[6616]: step time server <ntp-server> offset <n> sec

NTP server:

srx_admin# set system ntp server <ntp-server>          /* system NTP server; the device must be online and able to resolve the NTP address, otherwise the command cannot be entered */

srx_admin> show ntp status
status=c011 sync_alarm, sync_unspec, 1 event, event_restart,
version="ntpd ... Fri Nov 20 15:44:16 UTC 2014", processor="octeon",
system="...", leap=11, stratum=16, precision=17, rootdelay=..., rootdispersion=..., peer=0, refid=INIT,
reftime=... Thu, Feb 7 2036 14:28:..., poll=4, clock=... Sun, Feb 8 2015 7:58:..., state=0,
offset=..., frequency=..., jitter=..., stability=...

srx_admin> show ntp associations
     remote           refid      st t  when poll reach   delay   offset  jitter
==============================================================================
 <ntp-server>       .INIT.      16 -     - 64     0     ...      ...     ...

DNS server

srx_admin# set system name-server <dns-server>          /* DNS server used by the SRX itself */

System reboot

Reboot the system:
srx_admin> request system reboot

Shut the system down:
srx_admin> request system power-off

Alarm handling

View the alarms:

root# run show system alarms
2 alarms currently active
Alarm time               Class  Description
2015-11-20 14:21:49 UTC  Minor  Autorecovery information needs to be saved
2015-11-20 14:21:49 UTC  Minor  Rescue configuration is not set

Handling alarm 1:

root> request system autorecovery state save
Saving config recovery information
Saving license recovery information
Saving BSD label recovery information

Handling alarm 2:

root> request system configuration rescue save

Root password reset

If the SRX root password has been lost and no other account with super-user rights exists, a password recovery has to be performed. The procedure interrupts normal operation of the device but does not lose the configuration. The steps are:

1. Reboot the firewall. When the prompt below appears in the terminal (SecureCRT), press the space bar to interrupt the normal boot, then enter single-user mode by typing boot -s:

Loading /boot/defaults/kernel data=0xb15b3c+0x13464c syms=[0x4+0x8bb00+0x4+0xcac15]
Hit [Enter] to boot immediately, or space bar for command prompt.
loader> boot -s

2. Perform the password recovery: at the prompt below, type recovery; the device then reboots automatically.

Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery
* FILE SYSTEM WAS MODIFIED *
System watchdog timer disabled
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery

3. Enter configuration mode, delete the root password, set a new root password, then save and reboot:

root> configure
Entering configuration mode
[edit]
root# delete system root-authentication
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit
commit complete
[edit]
root# exit
Exiting configuration mode
root> request system reboot
Reboot the system ? [yes,no] (no) yes

Section 2  Network settings

1. Interface

PPPoE

Encapsulate PPPoE on the outside interface (fe-0/0/0):

srx_admin# set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether

CHAP authentication:

srx_admin# set interfaces pp0 unit 0 ppp-options chap default-chap-secret 90          /* PPPoE password */
srx_admin# set interfaces pp0 unit 0 ppp-options chap local-name rxgjhygs163          /* PPPoE account */
srx_admin# set interfaces pp0 unit 0 ppp-options chap passive                         /* passive mode */

PAP authentication:

srx_admin# set interfaces pp0 unit 0 ppp-options pap default-password 90             /* PPPoE password */
srx_admin# set interfaces pp0 unit 0 ppp-options pap local-name rxgjhygs163           /* PPPoE account */
srx_admin# set interfaces pp0 unit 0 ppp-options pap local-password 90               /* PPPoE password */
srx_admin# set interfaces pp0 unit 0 ppp-options pap passive                          /* passive mode */

Bind the PPP interface:

srx_admin# set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/0.0    /* dial PPPoE over the outside interface (fe-0/0/0) */

PPPoE dial-up properties:

srx_admin# set interfaces pp0 unit 0 pppoe-options idle-timeout 0                    /* idle timeout */
srx_admin# set interfaces pp0 unit 0 pppoe-options auto-reconnect 3                  /* redial automatically after 3 seconds */
srx_admin# set interfaces pp0 unit 0 pppoe-options client                            /* act as a PPPoE client */
srx_admin# set interfaces pp0 unit 0 family inet mtu 1492                            /* change the MTU of this interface to 1492, because the PPPoE header adds some overhead */
srx_admin# set interfaces pp0 unit 0 family inet negotiate-address                   /* negotiate the address, i.e. the server assigns a dynamic address */

Default route:

srx_admin# set routing-options static route 0.0.0.0/0 next-hop <next-hop>

Put the PPPoE interface into the untrust zone:

srx_admin# set security zones security-zone untrust interfaces pp0.0

Verify that PPPoE has dialed up and obtained an IP address:

srx_admin# run show interfaces terse | match pp
pp0        up    up
pp0.0      up    up   inet   <address>

Note: after PPPoE has dialed up, adjust the MTU so that browsing works best (with an unsuitable MTU value, browsing stalls):

srx_admin# set interfaces pp0 unit 0 family inet mtu 1304                            /* adjust the MTU */
srx_admin# set security flow tcp-mss all-tcp mss 1304                                /* adjust the TCP segment size */

Manual

srx_admin# set interfaces fe-0/0/0 unit 0 family inet address <address/prefix-length>

DHCP

Enable a DHCP address pool:

srx_admin# set system services dhcp pool <pool-prefix> router <gateway>                   /* DHCP gateway */
srx_admin# set system services dhcp pool <pool-prefix> address-range low <first-address>  /* first address of the pool */
srx_admin# set system services dhcp pool <pool-prefix> address-range high <last-address>  /* last address of the pool */
srx_admin# set system services dhcp pool <pool-prefix> default-lease-time 36000           /* DHCP lease time */
srx_admin# set system services dhcp pool <pool-prefix> domain-name <domain>               /* domain name */
srx_admin# set system services dhcp pool <pool-prefix> name-server <dns-server>           /* DNS handed out by DHCP */
srx_admin# set system services dhcp propagate-settings <interface>                        /* interface DHCP propagates settings from */

Configure the inside interface address:

srx_admin# set interfaces vlan unit 0 family inet address <address/prefix-length>

Let the inside interface serve the DHCP pool:

srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services dhcp

2. Routing

Static route

srx_admin# set routing-options static route 0.0.0.0/0 next-hop <next-hop>            /* default route */
srx_admin# set routing-options static route <prefix> next-hop <next-hop>             /* route for a route-based VPN */

3. SNMP

srx_admin# set snmp community Ajitec authorization read-only                         /* or read-write: the SNMP monitoring permission */
srx_admin# set snmp client-list snmp_srx240 <address>                                /* SNMP monitoring host */

Section 3  Advanced settings

Changing the service ports

srx_admin# set system services web-management http port 8000                         /* change the HTTP management port of the web UI */
srx_admin# set system services web-management https port 1443                        /* change the HTTPS management port of the web UI */

Checking the hardware serial number

srx# run show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number   Description
Chassis                                BZ2615AF0491    SRX100H2
Routing Engine   REV 05   650-048781   BZ2615AF0491    RE-SRX100H2
FPC 0                                                  FPC
  PIC 0                                                8x FE Base PIC
Power Supply 0

Enabling services on the inside and outside interfaces

Define the system services:

srx_admin# set system services ssh
srx_admin# set system services telnet
srx_admin# set system services web-management http interface <interface>
srx_admin# set system services web-management http interface fe-0/0/0.0
srx_admin# set system services web-management https interface <interface>
srx_admin# set system services web-management management-url admin                  /* for later use; without it the web UI redirects directly */

Enable the services on the inside interface:

srx_admin# set security zones security-zone trust interfaces <interface> host-inbound-traffic system-services ping      /* enable ping */
srx_admin# set security zones security-zone trust interfaces <interface> host-inbound-traffic system-services http      /* enable http */
srx_admin# set security zones security-zone trust interfaces <interface> host-inbound-traffic system-services telnet    /* enable telnet */

Enable the services on the outside interface:

srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping    /* enable ping */
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services telnet  /* enable telnet */
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services http    /* enable http */
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all     /* enable all services */

Creating a system service (custom application)

srx_admin# set applications application RDP term tcp protocol tcp                    /* protocol tcp; each term holds one protocol, a plain second "protocol udp" would overwrite "protocol tcp" */
srx_admin# set applications application RDP term tcp source-port 0-65535             /* source port */
srx_admin# set applications application RDP term tcp destination-port 3389           /* destination port */
srx_admin# set applications application RDP term udp protocol udp                    /* protocol udp */
srx_admin# set applications application RDP term udp source-port 0-65535             /* source port */
srx_admin# set applications application RDP term udp destination-port 3389           /* destination port */

VIP port mapping

Destination NAT configuration:

srx_admin# set security nat destination pool 22 address <inside-address>                               /* destination NAT pool: the real inside address */
srx_admin# set security nat destination pool 22 address <inside-address> port 3389                     /* destination NAT pool: the port on the inside address */
srx_admin# set security nat destination rule-set 2 from zone untrust                                   /* destination NAT rule: the traffic arrives from the untrust zone */
srx_admin# set security nat destination rule-set 2 rule 111 match source-address 0.0.0.0/0             /* the traffic may come from any address */
srx_admin# set security nat destination rule-set 2 rule 111 match destination-address <outside-address> /* the destination address being accessed */
srx_admin# set security nat destination rule-set 2 rule 111 match destination-port 3389                /* the port on the destination address */
srx_admin# set security nat destination rule-set 2 rule 111 then destination-nat pool 22               /* use the pool address */

Policy configuration:

srx_admin# set security policies from-zone untrust to-zone trust policy vip match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vip match destination-address <address-book-entry>
srx_admin# set security policies from-zone untrust to-zone trust policy vip match application any
srx_admin# set security policies from-zone untrust to-zone trust policy vip then permit
srx_admin# set security zones security-zone trust address-book address <address-book-entry> <inside-address/32>

MIP mapping

Destination NAT configuration:

srx_admin# set security nat destination pool 111 address <inside-address>                              /* destination NAT pool: the real inside address */
srx_admin# set security nat destination rule-set 1 from zone untrust                                   /* destination NAT rule: the traffic arrives from the untrust zone */
srx_admin# set security nat destination rule-set 1 rule 11 match source-address 0.0.0.0/0              /* the traffic may come from any address */
srx_admin# set security nat destination rule-set 1 rule 11 match destination-address <outside-address> /* the destination address being accessed */
srx_admin# set security nat destination rule-set 1 rule 11 then destination-nat pool 111               /* use the pool address */

Configure proxy ARP:

srx_admin# set security nat proxy-arp interface fe-0/0/0.0 address <outside-address>

Policy configuration:

srx_admin# set security policies from-zone untrust to-zone trust policy mip match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy mip match destination-address <address-book-entry>
srx_admin# set security policies from-zone untrust to-zone trust policy mip match application any
srx_admin# set security policies from-zone untrust to-zone trust policy mip then permit

Disabling the console port

juniper-srx@SRX100H2# edit system ports console                                      /* enter the console port configuration */
juniper-srx@SRX100H2# set disable                                                    /* disable the port */
juniper-srx@SRX100H2# commit confirmed 3                                             /* commit for 3 minutes: unless the commit is confirmed, the configuration rolls back after 3 minutes */

Pings sourced from the SRX to the outside fail by default; source NAT is required

set security nat source rule-set LOCAL from zone junos-host
set security nat source rule-set LOCAL to zone untrust
set security nat source rule-set LOCAL rule LOCAL match source-address <prefix>
set security nat source rule-set LOCAL rule LOCAL match destination-address <prefix>
set security nat source rule-set LOCAL rule LOCAL then source-nat interface
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address <prefix>
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface

Setting the SRX management IP

Refer to the port services of the firewall's outside interface:

set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh

Define a firewall filter that sets the addresses and ports allowed to access the device:

set firewall filter Outside_access_in term Permit_IP from source-address <management-prefix>
set firewall filter Outside_access_in term Permit_IP from destination-address <outside-address>
set firewall filter Outside_access_in term Permit_IP from protocol tcp
set firewall filter Outside_access_in term Permit_IP from destination-port ssh
set firewall filter Outside_access_in term Permit_IP then accept                     /* the permitted source and destination addresses */
set firewall filter Outside_access_in term Deny_ANY from destination-address <outside-address>
set firewall filter Outside_access_in term Deny_ANY from protocol tcp
set firewall filter Outside_access_in term Deny_ANY from destination-port ssh
set firewall filter Outside_access_in term Deny_ANY then discard                     /* all other traffic is denied */
set firewall filter Outside_access_in term Permit_ANY then accept

Apply the filter on the firewall's outside interface so the restriction takes effect on the interface:

set interfaces fe-0/0/0 unit 0 family inet filter input Outside_access_in

Note: when configuring denied traffic, make sure the other traffic is permitted after the denied port; otherwise the deny rejects all traffic, because a filter ends with an implicit discard. Do not configure "all" in the deny term, or all traffic is rejected.

Configuration rollback

View the committed configurations:

srx_admin# run show system commit
0   2016-05-04 11:47:46 UTC by root via junoscript
1   2016-05-04 11:40:11 UTC by root via cli
2   2016-05-04 11:38:36 UTC by root via cli
3   2016-04-27 11:41:07 UTC by root via cli
4   2016-04-01 17:37:22 UTC by root via button

Roll the configuration back (rollback 0):

srx_admin# rollback ?
Possible completions:
  <[Enter]>            Execute this command
  0                    2016-05-04 11:47:46 UTC by root via junoscript
  1                    2016-05-04 11:40:11 UTC by root via cli
  2                    2016-05-04 11:38:36 UTC by root via cli
  3                    2016-04-27 11:41:07 UTC by root via cli
  4                    2016-04-01 17:37:22 UTC by root via button
  |                    Pipe through a command

Applying UTM

Reference UTM in a policy:

srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services utm-policy junos-av-policy

Fixing slow network access

srx_admin# set security flow syn-flood-protection-mode syn-cookie
srx_admin# set security flow tcp-mss all-tcp mss 1300
srx_admin# set security flow tcp-session rst-sequence-check
srx_admin# set security flow tcp-session strict-syn-check
srx_admin# set security flow tcp-session no-sequence-check

Section 4  VPN settings

1. Site-to-site IPsec VPN

Route based

/* standard or compatible mode */

Create the tunnel interface:

srx_admin# set interfaces st0 unit 0 family inet                                     /* new interface */
srx_admin# set security zones security-zone untrust interfaces st0.0                 /* define the tunnel interface as an untrust interface */

Create the route to the VPN peer's inside network:

srx_admin# set routing-options static route <remote-lan-prefix> next-hop st0.0

VPN phase 1, IKE configuration:

srx_admin# set security ike policy lead mode main                                    /* negotiation mode: main or aggressive */
srx_admin# set security ike policy lead proposal-set standard                        /* standard or compatible: the negotiated encryption algorithms */
srx_admin# set security ike policy lead pre-shared-key ascii-text juniper123         /* pre-shared key */
srx_admin# set security ike gateway gw1 ike-policy lead                              /* reference the phase 1 IKE policy */
srx_admin# set security ike gateway gw1 address <peer-gateway-address>               /* peer gateway address */
srx_admin# set security ike gateway gw1 external-interface fe-0/0/0.0                /* VPN egress interface */

Note: if PPPoE dial-up is used for Internet access, the egress interface must be the PPP interface:

srx_admin# set security ike gateway gw1 external-interface pp0.0

VPN phase 2, IPsec configuration:

srx_admin# set security ipsec policy abc proposal-set standard                       /* standard or compatible: the negotiated encryption algorithms */
srx_admin# set security ipsec vpn test bind-interface st0.0                          /* bind the VPN to the tunnel interface */
srx_admin# set security ipsec vpn test ike gateway gw1                               /* reference the gateway */
srx_admin# set security ipsec vpn test ike ipsec-policy abc                          /* reference the policy with the encryption algorithms */
srx_admin# set security ipsec vpn test establish-tunnels immediately                 /* start negotiating immediately */

Enable the IKE service on the outside interface:

srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike

Bidirectional traffic policies:

trust-untrust
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match source-address any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match destination-address any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy match application any
srx_admin# set security policies from-zone trust to-zone untrust policy vpn-policy then permit

untrust-trust
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match destination-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy match application any
srx_admin# set security policies from-zone untrust to-zone trust policy vpn-policy then permit

/* custom mode */

Create the tunnel interface:

srx_admin# set interfaces st0 unit 0 family inet                                     /* new interface */
srx_admin# set se
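The VIP and MIP sections above both translate the public destination address before the security policy is consulted, which is why the policies vip and mip reference the inside address-book entry rather than the public address. The Python below is an added model of that order of operations, not Junos code from the manual; the zones, addresses (RFC 5737 documentation ranges), pool and rule numbers are constructed to mirror the two sections, and the model also shows that a policy written against the public address never matches.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Added model of SRX destination NAT followed by policy lookup (not Junos code).
# All addresses, zones and pool/rule numbers below are constructed.

@dataclass(frozen=True)
class Packet:
    from_zone: str
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class DnatRule:
    """One rule of a 'security nat destination' rule-set."""
    from_zone: str               # rule-set ... from zone
    src_prefix: str              # match source-address
    dst_addr: str                # match destination-address
    dst_port: Optional[int]      # match destination-port; None = any port (MIP style)
    pool_addr: str               # then destination-nat pool -> address
    pool_port: Optional[int]     # pool port; None = keep the original port

    def matches(self, pkt: Packet) -> bool:
        return (pkt.from_zone == self.from_zone
                and ip_address(pkt.src) in ip_network(self.src_prefix)
                and pkt.dst == self.dst_addr
                and (self.dst_port is None or pkt.dport == self.dst_port))

    def translate(self, pkt: Packet) -> Packet:
        port = pkt.dport if self.pool_port is None else self.pool_port
        return replace(pkt, dst=self.pool_addr, dport=port)

@dataclass(frozen=True)
class Policy:
    """One 'security policies from-zone X to-zone Y policy' entry."""
    from_zone: str
    to_zone: str
    dst_prefix: str              # the address-book entry it references; "any" -> 0.0.0.0/0
    app_port: Optional[int]      # None = application any
    action: str                  # "permit" or "deny"

def zone_of(addr: str, zones: Dict[str, List[str]]) -> Optional[str]:
    """Zone that owns an address, by the prefixes attached to each zone."""
    for zone, prefixes in zones.items():
        if any(ip_address(addr) in ip_network(p) for p in prefixes):
            return zone
    return None

def forward(pkt: Packet, dnat: List[DnatRule], policies: List[Policy],
            zones: Dict[str, List[str]]) -> dict:
    """Destination NAT runs first (first matching rule wins); the policy is then
    evaluated on the translated packet, and no matching policy means deny."""
    for rule in dnat:
        if rule.matches(pkt):
            pkt = rule.translate(pkt)
            break
    to_zone = zone_of(pkt.dst, zones)
    decision = "deny"
    for pol in policies:
        prefix = "0.0.0.0/0" if pol.dst_prefix == "any" else pol.dst_prefix
        if (pol.from_zone == pkt.from_zone and pol.to_zone == to_zone
                and ip_address(pkt.dst) in ip_network(prefix)
                and (pol.app_port is None or pol.app_port == pkt.dport)):
            decision = pol.action
            break
    return {"dst": pkt.dst, "dport": pkt.dport, "to_zone": to_zone, "decision": decision}

# Constructed topology: a public /24 on the untrust side, the inside LAN in trust.
ZONES = {"untrust": ["203.0.113.0/24"], "trust": ["192.168.1.0/24"]}

DNAT_RULES = [
    # VIP: rule-set 2 rule 111 -> pool 22 (one inside host, port 3389 only)
    DnatRule("untrust", "0.0.0.0/0", "203.0.113.10", 3389, "192.168.1.20", 3389),
    # MIP: rule-set 1 rule 11 -> pool 111 (whole inside host, any port)
    DnatRule("untrust", "0.0.0.0/0", "203.0.113.11", None, "192.168.1.30", None),
]

# Policies written the way the manual does: against the inside addresses.
POLICIES = [
    Policy("untrust", "trust", "192.168.1.20/32", None, "permit"),   # policy vip
    Policy("untrust", "trust", "192.168.1.30/32", None, "permit"),   # policy mip
]

# The common mistake: a policy that names the public address instead.
POLICY_ON_PUBLIC_ADDRESS = [Policy("untrust", "trust", "203.0.113.10/32", None, "permit")]

if __name__ == "__main__":
    rdp = Packet("untrust", "198.51.100.7", "203.0.113.10", "tcp", 3389)
    print(forward(rdp, DNAT_RULES, POLICIES, ZONES))
    print(forward(rdp, DNAT_RULES, POLICY_ON_PUBLIC_ADDRESS, ZONES))
```

The second print shows the mistaken policy being skipped: by the time the policy is evaluated the destination is already 192.168.1.20, so the public /32 never matches and the session falls through to the default deny.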
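The firewall filter Outside_access_in in the management IP section depends on term order and on the implicit discard at the end of every Junos filter, which is what the note about permitting other traffic after the deny is about. The Python below is an added model of that first-match evaluation, not code from the manual; the management and outside addresses are constructed, and it contrasts the manual's three-term filter with the two broken variants the note warns against.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Added model of Junos firewall-filter evaluation (not Junos code): terms are
# tried in order, the first matching term decides, and a packet that matches no
# term is dropped by the implicit discard at the end of every filter.
# The management and outside addresses below are constructed.

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Term:
    name: str
    action: str                  # "accept" or "discard"
    src: Optional[str] = None    # from source-address
    dst: Optional[str] = None    # from destination-address
    proto: Optional[str] = None  # from protocol
    dport: Optional[int] = None  # from destination-port

    def matches(self, p: Pkt) -> bool:
        # A term with no 'from' conditions matches everything.
        return ((self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport))

def evaluate(terms: List[Term], p: Pkt) -> Tuple[str, str]:
    """Return (term name, action) of the first matching term, else the implicit discard."""
    for t in terms:
        if t.matches(p):
            return t.name, t.action
    return "(implicit)", "discard"

MGMT_HOSTS = "198.51.100.0/24"     # constructed management network
OUTSIDE_ADDR = "203.0.113.10/32"   # constructed address of fe-0/0/0

# The manual's filter: management SSH accepted, all other SSH discarded,
# everything else (IKE, transit traffic, ...) accepted by the final term.
OUTSIDE_ACCESS_IN = [
    Term("Permit_IP", "accept", src=MGMT_HOSTS, dst=OUTSIDE_ADDR, proto="tcp", dport=22),
    Term("Deny_ANY", "discard", dst=OUTSIDE_ADDR, proto="tcp", dport=22),
    Term("Permit_ANY", "accept"),
]

# Variant 1 the note warns about: no Permit_ANY, so the implicit discard eats everything else.
WITHOUT_PERMIT_ANY = OUTSIDE_ACCESS_IN[:2]

# Variant 2: a Deny_ANY term with no match conditions ("all"); Permit_ANY is never reached.
DENY_ALL = [OUTSIDE_ACCESS_IN[0], Term("Deny_ANY", "discard"), OUTSIDE_ACCESS_IN[2]]

def summarize(terms: List[Term]) -> dict:
    """Evaluate a few constructed packets against a filter and report the actions."""
    samples = {
        "mgmt_ssh": Pkt("198.51.100.7", "203.0.113.10", "tcp", 22),
        "other_ssh": Pkt("192.0.2.9", "203.0.113.10", "tcp", 22),
        "ike_from_peer": Pkt("192.0.2.9", "203.0.113.10", "udp", 500),
    }
    return {name: evaluate(terms, p)[1] for name, p in samples.items()}

if __name__ == "__main__":
    for label, f in (("manual", OUTSIDE_ACCESS_IN),
                     ("no Permit_ANY", WITHOUT_PERMIT_ANY),
                     ("deny all", DENY_ALL)):
        print(label, summarize(f))
```

Only the manual's ordering lets the IKE packet through while still limiting SSH to the management network; both variants silently drop it, which on a box that also terminates the site-to-site VPN is exactly the failure the note describes.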
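The commit confirmed 3 used when disabling the console port and the numbering shown by rollback ? in the configuration rollback section follow the same commit-history semantics. The Python class below is an added model of them, not Junos code from the manual; the configuration keys and the console lockout scenario are constructed.

```python
from typing import Dict, List, Optional

# Added model of the Junos commit database (not Junos code): history[0] is the
# active configuration and history[n] the configuration n commits ago, which is
# what 'rollback n' loads into the candidate. The configuration keys and the
# console-lockout scenario below are constructed.

class JunosCommitModel:
    def __init__(self, active: Dict[str, str]):
        self.history: List[Dict[str, str]] = [dict(active)]
        self.candidate: Dict[str, str] = dict(active)
        self.confirm_timer: Optional[int] = None   # minutes left on a 'commit confirmed'

    @property
    def active(self) -> Dict[str, str]:
        return self.history[0]

    def set(self, key: str, value: str) -> None:
        """'set ...' only edits the candidate; nothing changes until a commit."""
        self.candidate[key] = value

    def commit(self) -> None:
        """Plain commit: the candidate becomes active, the previous active
        becomes 'rollback 1', and any pending confirmation timer is cleared."""
        self.history.insert(0, dict(self.candidate))
        self.confirm_timer = None

    def commit_confirmed(self, minutes: int) -> None:
        """'commit confirmed N': activate now, but undo automatically unless a
        confirming commit arrives within N minutes."""
        self.commit()
        self.confirm_timer = minutes

    def tick(self, minutes: int) -> bool:
        """Advance the clock; returns True if an expired timer rolled the box back."""
        if self.confirm_timer is None:
            return False
        self.confirm_timer -= minutes
        if self.confirm_timer > 0:
            return False
        self.rollback(1)
        self.commit()
        return True

    def rollback(self, n: int) -> None:
        """'rollback n' copies history[n] into the candidate, so 'rollback 0'
        just discards uncommitted edits; nothing is active until committed."""
        self.candidate = dict(self.history[n])


def console_lockout_scenario(operator_confirms: bool) -> Dict[str, str]:
    """Disable the console with 'commit confirmed 3' and let three minutes pass."""
    box = JunosCommitModel({"system ports console": "enabled"})
    box.set("system ports console", "disable")
    box.commit_confirmed(3)
    if operator_confirms:
        box.commit()        # the operator still has access and confirms
    box.tick(3)
    return dict(box.active)


def rollback_zero_discards_edits() -> bool:
    """'rollback 0' returns the candidate to the active configuration."""
    box = JunosCommitModel({"system services ssh": "enabled"})
    box.set("system services ssh", "disabled")
    box.rollback(0)
    return box.candidate == box.active


if __name__ == "__main__":
    print("confirmed:", console_lockout_scenario(True))
    print("not confirmed:", console_lockout_scenario(False))
```

The scenario is the reason the manual uses commit confirmed for a change that can cut off the operator's own access: if the confirming commit never arrives, the previous configuration is restored without anyone touching the box.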
