防火墙配置手册和操作系统介绍

上传人：鑫*** IP属地：安徽上传时间：2023-09-30 格式：DOC 页数：20 大小：105KB 积分：25 举报 版权申诉

已阅读5页，还剩15页未读，继续免费阅读

版权说明：本文档由用户提供并上传，收益归属内容提供方，若内容存在侵权，请进行举报或认领

文档简介

...wd......wd......wd...JuniperSRX防火墙配置手册一、JUNOS操作系统介绍1.1层次化配置构造JUNOS采用基于FreeBSD内核的软件模块化操作系统，支持CLI命令行和WEBUI两种接口配置方式，本文主要对CLI命令行方式进展配置说明。JUNOSCLI使用层次化配置构造，分为操作〔operational〕和配置〔configure〕两类模式，在操作模式下可对当前配置、设备运行状态、路由及会话表等状态进展查看及设备运维操作，并通过执行config或edit命令进入配置模式，在配置模式下可对各相关模块进展配置并能够执行操作模式下的所有命令〔run〕。在配置模式下JUNOS采用分层分级模块下配置构造，如以下列图所示，edit命令进入下一级配置〔类似unixcd命令〕,exit命令退回上一级，top命令回到根级。1.2JunOS配置管理JUNOS通过set语句进展配置，配置输入后并不会立即生效，而是作为候选配置〔CandidateConfig〕等待管理员提交确认，管理员通过输入commit命令来提交配置，配置内容在通过SRX语法检查后才会生效，一旦commit通过后当前配置即成为有效配置〔Activeconfig〕。另外，JUNOS允许执行commit命令时要求管理员对提交的配置进展两次确认，如执行commitconfirmed2命令要求管理员必须在输入此命令后2分钟内再次输入commit以确认提交，否则2分钟后配置将自动回退，这样可以防止远程配置变更时管理员失去对SRX的远程连接风险。在执行commit命令前可通过配置模式下show命令查看当前候选配置〔CandidateConfig〕，在执行commit后配置模式下可通过runshowconfig命令查看当前有效配置〔Activeconfig〕。此外可通过执行show|compare比对候选配置和有效配置的差异。SRX上由于配备大容量硬盘存储器，缺省按先后commit顺序自动保存50份有效配置，并可通过执行rolback和commit命令返回到以前配置〔如rollback0/commit可返回到前一commit配置〕；也可以直接通过执行saveconfigname.conf手动保存当前配置，并执行loadoverrideconfigname.conf/commit调用前期手动保存的配置。执行loadfactory-default/commit命令可恢复到出厂缺省配置。SRX可对模块化配置进展功能关闭与激活，如执行deactivatesecuritynat/comit命令可使NAT相关配置不生效，并可通过执行activatesecuritynat/commit使NAT配置再次生效。SRX通过set语句来配置防火墙，通过delete语句来删除配置，如deletesecuritynat和editsecuritynat/delete一样，均可删除security防火墙层级下所有NAT相关配置，删除配置和ScreenOS不同，配置过程中需加以留意。1.3SRX主要配置内容部署SRX防火墙主要有以下几个方面需要进展配置：System：主要是系统级内容配置，如主机名、管理员账号口令及权限、时钟时区、Syslog、SNMP、系统级开放的远程管理服务〔如telnet〕等内容。Interface:接口相关配置内容。Security:是SRX防火墙的主要配置内容，安全相关局部内容全部在Security层级下完成配置，如NAT、Zone、Policy、Address-book、Ipsec、Screen、Idp等，可简单理解为ScreenOS防火墙安全相关内容都迁移至此配置层次下，除了Application自定义服务。Application：自定义服务单独在此进展配置，配置内容与ScreenOS根本一致。routing-options：配置静态路由或router-id等系统全局路由属性配置。二、SRX防火墙配置对照说明策略处理流程图2.1初始安装2.1.1登陆Console口(通用超级终端缺省配置)连接SRX，root用户登陆，密码为空login:rootPassword:---JUNOS9.5R1.8built2009-07-1615:04:30UTCroot%cli//进入操作模式root>root>configure//进入配置模式[edit]Root#2.1.2设置root用户口令设置root用户口令root#setsystemroot-authenticationplain-text-passwordroot#newpassword:root123root#retypenewpassword:root123[edit]root#setsystemloginclasssuper-useridle-timeout3设置当前用户超时时间密码将以密文方式显示root#showsystemroot-authenticationencrypted-password"$1$xavDeUe6$fNM6olGU.8.M7B62u05D6.";#SECRET-DATA注意：强烈建议不要使用其它加密选项来加密root和其它user口令(如encrypted-password加密方式)，此配置参数要求输入的口令应是经加密算法加密后的字符串，采用这种加密方式手工输入时存在密码无法通过验证风险。2.1.3设置远程登陆管理用户root#setsystemloginuserlabclasssuper-userauthenticationplain-text-password//创立用户labroot#newpassword:lab123//配置用户lab密码root#retypenewpassword:lab123注：此lab用户拥有超级管理员权限，可用于console和远程管理访问，另也可自行灵活定义其它不同管理权限用户。2.1.4管理SRX相关配置root>showsystemuptime//查看时间root#runsetdateYYYYMMDDhhmm.ss//设置系统时钟root#setsystemtime-zoneAsia/beijing//设置时区为北京root#setsystemhost-nameSRX3400-A//设置主机名root#setsystemname-server//设置DNS服务器root#setsystemntpserver01//设置NTP服务器root>showntpassociationsroot>showntpstatus//查看NTProot>showsecurityalgstatus//查看ALG状态ALGStatus:DNS:EnabledFTP:EnabledH323:EnabledMGCP:EnabledMSRPC:EnabledPPTP:EnabledRSH:EnabledRTSP:EnabledSCCP:EnabledSIP:EnabledSQL:EnabledSUNRPC:EnabledTALK:EnabledTFTP:EnabledIKE-ESP:Disabledroot#setsystemservicesftproot#setsystemservicestelnetroot#setsystemservicesweb-management//在系统级开启ftp/telnet/远程接入管理服务root>requestsystemreboot//重启系统root>requestsystempower-off//关闭系统root>showversion//查看版本信息Model:srx210bJUNOSSoftwareRelease[10.4R5.5]root>showsystemuptime//查看系统启动时间Currenttime:2011-08-1105:09:15UTCSystembooted:2011-08-1101:12:48UTC(03:56:27ago)Protocolsstarted:2011-08-1101:15:28UTC(03:53:47ago)Lastconfigured:2011-08-1103:11:08UTC(01:58:07ago)byroot5:09AMup3:56,1user,loadaverages:0.01,0.02,0.00root>Showchassisharedware//查看硬件板卡及序列号Hardwareinventory:ItemVersionPartnumberSerialnumberDescriptionChassisAC5210AA0079SRX210bRoutingEngineREV40750-021778AACN5249RE-SRX210BFPC0FPCPIC02xGE,6xFE,1x3GPowerSupply0root>showchassisenvironment//查看硬件板卡当前状态ClassItemStatusMeasurementTempRoutingEngineOK52degreesC/125degreesFRoutingEngineCPUAbsentFansSRX210ChassisfanOKSpinningatnormalspeedPowerPowerSupply0OKroot>showchassisrouting-engine//查看主控板〔RE〕资源使用及状态RoutingEnginestatus:Temperature52degreesC/125degreesFTotalmemory512MBMax415MBused(81percent)Controlplanememory336MBMax306MBused(91percent)Dataplanememory176MBMax107MBused(61percent)CPUutilization:User4percentBackground0percentKernel5percentInterrupt0percentIdle91percentModelRE-SRX210BSerialIDAACN5249Starttime2011-08-1101:12:47UTCUptime4hours,17minutes,57secondsLastrebootreason0x200:chassiscontrolresetLoadaverages:1minute5minute15minute0.090.050.01root>showsystemlicense//查看授权Licenseusage:LicensesLicensesLicensesExpiryFeaturenameusedinstalledneededax411-wlan-ap020permanentroot>showsystemprocessesextensive//查看系统利用率lastpid:1968;loadaverages:0.01,0.03,0.00up0+04:20:2805:32:46111processes:17running,83sleeping,11waitingMem:120MActive,87MInact,231MWired,30MCache,61MBuf,1356KFreeSwap:PIDUSERNAMETHRPRINICESIZERESSTATECTIMEWCPUCOMMAND1097root4760194M34836Kselect0298:0598.44%flowd_octeon22root1171520K16KRUN0203:4784.96%idle:cpu024root1-20-1390K16KRUN05:420.00%swi7:clock21root1171520K16KRUN12:210.00%idle:cpu15root1-8400K16Krtfifo01:020.00%rtfifo_kern_recv1109root17609724K3796Kselect00:460.00%rtlogd868root17607004K2588Kselect00:370.00%eventd52root1-800K16Kmdwait00:340.00%md01085root176016984K10676Kselect00:290.00%snmpd1088root176014288K4788Kselect00:230.00%l2ald1090root276020124K6476Kselect00:220.00%pfed1115root17604180K1104Kselect00:190.00%license-check1087root14039620K20172Kkqread00:150.00%rpd23root1-40-1590K16KWAIT00:150.00%swi2:net---(more39%)---root>monitorinterfacege-0/0/0//动态统计接口数据包转发信息Interface:ge-0/0/0.0,Enabled,LinkisUpFlags:SNMP-TrapsEncapsulation:ENET2Localstatistics:CurrentdeltaInputbytes:2986416[4121]Outputbytes:47303[90]Inputpackets:47631[64]Outputpackets:969[1]Remotestatistics:Inputbytes:94404820(1896bps)[6685]Outputbytes:9553700(952bps)[2078]Inputpackets:111689(4pps)[50]Outputpackets:59369(2pps)[29]Trafficstatistics:Inputbytes:97391236Outputbytes:,[10806]Next='n',Quit='q'orESC,Freeze='f',Thaw='t',Clear='c',Interface='i'root>monitortrafficinterfacege-0/0/0//动态报文抓取verboseoutputsuppressed,use<detail>or<extensive>forfullprotocoldecodeAddressresolutionisON.Use<no-resolve>toavoidanyreverselookupdelay.Addressresolutiontimeoutis4s.Listeningonge-0/0/0.0,capturesize96bytesReverselookupfor3failed(checkDNSreachability).Otherreverselookupfailureswillnotbereported.Use<no-resolve>toavoidreverselookupsonIPaddresses.05:41:02.773631Inarpwho-has3tell405:41:02.783007Inarpwho-has1tell405:41:02.787524Inarpwho-has35tell05:41:02.884849InIPX00000000.00:13:8f:74:bc:19.0455>00000000.ff:ff:ff:ff:ff:ff.0455:ipx-netbios5005:41:03.437039Inarpwho-has1tell405:41:03.509837OutIPtruncated-ip-10bytesmissing!4.55730>.domain:51866+[|domain]05:41:03.568547InSTP802.1d,Config,Flags[none],bridge-id8000.00:06:53:48:8a:80.8010,length4305:41:03.678096InIPX00000000.00:13:8f:74:bc:19.0455>00000000.ff:ff:ff:ff:ff:ff.0455:ipx-netbios502.1.5接口的初始化接口说明：root%cli//进入操作模式root>root>showinterfaces//查看接口状态调整输出详细程度root>showintefacesterseroot>showinterfacesbriefroot>showinterfacesdetailroot>showinterfacesextensive//由上到下查看接口的信息越来越详细root>showinterfacesdetail|matchfe-0/0/0//使用管道符匹配特定关键字root>helpreferencesecuritypolicy-security//查看配置参考信息root>helpapropossecurity//帮助搜索关键字相关的操作命令root>configure//进入配置模式[edit]root#root#showinterfaces//查看接口配置状态为接口配置IP地址的两种方法：set配置：root#setinterfacesge-0/0/0.0familyinetaddress/24//为接口配置IP地址root#showinterfacesge-0/0/0.0familyinet//查看接口配置address./24edit配置直接指定到某个层级：[edit]root#editinterfacesge-0/0/0.0familyinet//在该层级下为接口配置[editinterfacesge-0/0/0.0familyinet]root#setaddress/24//配置IP地址[editinterfacesge-0/0/0.0familyinet]root#up//返回上一级，一层一层的退出〔也可以使用exit和top退出到[edit]〕[editinterfaces]Root#showroot#setsystemsyslogfilemonitor-loganyany//创立名字为monitor-log的日志root#setsystemsyslogfilemonitor-logmatch"4"//监控接口root#runmonitorstartmonitor-log//开场监控root#runmonitorstop//停顿监控删除配置：root#deleteinterfacesge-0/0/0.0//普通删除配置命令root#wildcarddeleteinterfacesfe-0*//通配符匹配删除配置命令matched：fe-0/0/0matched：fe-0/0/1matched：fe-0/0/2matched：fe-0/0/3matched：fe-0/0/4matched：fe-0/0/5matched：fe-0/0/6matched：fe-0/0/7delete8objecgts?[yes,no](no)yes配置address-book〔address-book就是为地址命名，以便调用〕[edit]root#editsecurityzonessecurity-zoneoutside//配置outside区域address-book[editsecurityzonessecurity-zoneoutside]root#setaddress-bookaddressout-address/16//把接口IP放入地址薄out-address[editsecurityzonessecurity-zoneoutside]root#up[editsecurityzones]root#editsecurity-zoneinside//配置inside区域address-book[editsecurityzonessecurity-zoneinside]root#setaddress-bookaddressin-address/24//把接口IP放入地址薄in-address[editsecurityzonessecurity-zoneinside]root#exit[editsecurityzones]root#exit配置application[edit]root#editapplicationsapplicationtcp-1752//定义服务名字[editapplicationsapplicationtcp-1752]root#setprotocoltcpsource-port1752destination-port1752//定义协议及端口号[edit]root#showapplicationsapplicationtcp-1752{protocoltcp;source-port1752;destination-port1752;配置application-set[edit]root#setapplicationsapplication-setweb-mgtapplicationjunos-ssh//配置应用服务集web-mgt[edit]root#setapplicationsapplication-setweb-mgtapplicationjunos-ping[edit]root#setapplicationsapplication-setweb-mgtapplicationjunos-pc-anywhere[edit]root#setapplicationsapplication-setweb-mgtapplicationjunos-[edit]root#setapplicationsapplication-setweb-mgtapplicationjunos-ftproot#showapplications//查看applicationsapplication-setweb-mgt{applicationjunos-ssh;applicationjunos-ping;applicationjunos-pc-anywhere;applicationjunos-;applicationjunos-ftp;}替换配置：root#setinterfacesge-0/0/0.0familyinetaddress/24root#showinterfacesge-0/0/0ge-0/0/0{unit0{familyinet{address/24root#replacepatternge-0/0/0withge-0/0/1//一个接口取代另一个接口的配置root#showinterfacesge-0/0/1ge-0/0/1{unit0{familyinet{address/24复制配置：root#setinterfacesge-0/0/0.0familyEthernet-swithingvlanroot#copyinterfacesge-0/0/0.0toge-0/0/1.0//复制接口配置配置模式下的showroot#show//查看配置root#show|displayset//查看set格式的配置setversion10.4R5.5setsystemtime-zoneasia/beijingsetsystemroot-authenticationencrypted-password"$1$XyydlG84$f46l82dR8C/JHUvzFuq9o."setsystemname-server33setsystemloginuserlabuid2002setsystemloginuserlabclasssuper-usersetsystemloginuserlabauthenticationencrypted-password"$1$Y0X8gbap$GZNvirOuGhW.4ZAq4xwHF."setsystemservicessshsetsystemservicestelnetsetsystemservicesweb-managementinterfacevlan.0setsystemservicesweb-managementinterfacege-0/0/1.0setsystemservicesweb-managementinterfacevlan.3setsystemservicesweb-managementinterfacege-0/0/0.0setsystemservicesweb-managementinterfacefe-0/0/4.0setsystemservicesweb-managementssystem-generated-certificatesetsystemservicesweb-managementsinterfacevlan.0setsystemservicesweb-managementsinterfacege-0/0/1.0setsystemsyslogfilenat-loganyanysetsystemsyslogfilenat-logmatchRT_FLOW_SESSIONsetsystemsyslogfilemonitor-loganyanysetsystemsyslogfilemonitor-logmatch4---(more)---根本提交与恢复配置命令：root#commit//最根本的提交配置命令root#show|compare//查对待提交的配置与当前运行的配置差异(+表示增加的，-表示减少的)-encrypted-password"$1$XyydlG84$f46l82dR8C/JHUvzFuq9o.";##SECRET-DATA+encrypted-password"$1$PRX8HyIJ$X0uFTlOJ4yn.DQYeDiHl10";##SECRET-DATA[editsystemservicesweb-management]-interface[vlan.0ge-0/0/1.0vlan.3ge-0/0/0.0fe-0/0/3.0];+interface[vlan.0ge-0/0/1.0vlan.3ge-0/0/0.0fe-0/0/4.0];[editinterfaces]+fe-0/0/4{+unit0{+familyinet;+familyethernet-switching;+}+}[editsecurityzonessecurity-zoneinsideinterfaces]vlan.3{...}+fe-0/0/4.0{+host-inbound-traffic{+system-services{+;+}+}+}-fe-0/0/3.0{-host-inbound-traffic{-system-services{-;root#rollback//查看可恢复的配置〔注意：使用loadfacroty-default命令恢复到出厂配置〕Possiblecompletions:<[Enter]>Executethiscommand02011-08-1103:11:08UTCbylabviacli12011-08-1009:39:44UTCbylabviacli22011-08-1007:48:34UTCbylabviacli32011-08-1007:40:08UTCbylabviacli42011-08-1007:36:20UTCbylabviacli52011-08-1007:31:18UTCbylabviacli62011-08-1007:25:45UTCbylabviacli72011-08-1007:21:26UTCbylabviacli82011-08-1007:20:15UTCbylabviacli92011-08-1006:51:14UTCbylabviacli102011-08-1006:50:16UTCbylabviacli112011-08-1006:31:23UTCbylabviacli122011-08-1006:29:02UTCbylabviacli[abort]---(more42%)---[edit]root#rollback4//恢复某一配置〔注意：需要commit之后恢复配置才能生效〕root#commitat“2012-01-0118:00:00〞//在某一日期或时间提交配置命令root>clearsystemcommit//去除未被提交的配置root#commitcomment“only-configuration-interfaces〞//为提交的配置进展说明调换策略顺序Insertsecuritypoliciesfrom-zonezone-nameto-zonezone-namepolicyname[before|after]policyname配置SNMP配置系统信息〔可配可不配〕

setsnmplocationlab〔设备位置〕

setsnmpcontact"labguy@"〔管理员联系方式〕配置SNMP通讯的“团体名〞〔可理解为通讯密码，必须配置〕

setsnmpcommunitypublicauthorizationread-write

在接口上启用SNMP访问〔必须配置〕

setsecurityzonessecurity-zonetrustinterfacesge-0/0/0.0host-inbound-trafficsystem-servicessnmp(Pleaseaddotherservicesasneeded)

访问控制〔可配可不配，建议配置〕

setsnmpcommunitypublicclients/16

setsnmpcommunitypublicclients/0restrict2.1.6配置安全策略图解：定义outside属于Internet，inside属于内部局域网，通过juniper访问Internet。接口的配置及创立不同的区域：root#setinterfacesge-0/0/0.0familyinetaddress4/16root#setinterfacesge-0/0/1.0familyinetaddress0/24//为接口ge-0/0/0、ge-0/0/1配置IP地址root#setsecurityzonessecurity-zoneoutsideinterfacesge-0/0/0.0root#setsecurityzonessecurity-zoneinsideinterfacesge-0/0/1.0//把接口放在不同的区域(outside/inside)中root#commit//提交配置root#showinterfaces//查看接口配置信息ge-0/0/0{unit0{familyinet{address4/16}}}ge-0/0/1{unit0{familyinet{address/24;}root#showsecurityzones//查看zones的配置信息security-zoneinside{interfaces{ge-0/0/1.0;}}security-zoneoutside{interfaces{ge-0/0/0.0;}配置路由:[edit]root#editrouting-options[editrouting-options]root#setstaticroute/0next-hop//配置静态路由root#commit[editrouting-options]root#show//查看路由条目static{route/0next-hop[];}root#runshowroute//查看路由inet.0:5destinations,5routes(5active,0holddown,0hidden)+=ActiveRoute,-=LastActive,*=Both/0*[Static/5]00:34:17>toviage-0/0/0.0/24*[Direct/0]00:34:16>viage-0/0/1.0/32*[Local/0]00:34:23Localviage-0/0/1.0/16*[Direct/0]00:34:17>viage-0/0/0.04/32*[Local/0]00:34:23Localviage-0/0/0.0配置策略:[edit]root#editsecuritypoliciesfrom-zoneinsideto-zoneoutsidepolicypermit-all//定义zoneinside到zoneoutside的策略[editsecuritypoliciesfrom-zoneinsideto-zoneoutsidepolicypermit-all]root#setmatchsource-addressany//设置源地址为any[editsecuritypoliciesfrom-zoneinsideto-zoneoutsidepolicypermit-all]root#setmatchdestination-addressany//设置目标地址为any[editsecuritypoliciesfrom-zoneinsideto-zoneoutsidepolicypermit-all]root#setmatchapplicationany//设置策略允许的服务为any[editsecuritypoliciesfrom-zoneinsideto-zoneoutsidepolicypermit-all]root#setthenpermit//设置的动作是允许通过root#commit[edit]root#showsecuritypolicies//查看安全策略from-zoneinsideto-zoneoutside{policypermit-all{match{source-addressany;destination-addressany;applicationany;}then{permit;}Example1:源地址转换(NAT)多对一，使得所有出向的流量源IP地址转换为外部接口地址IP[edit]root#editsecuritynatsourcerule-setnat-policy//定义名字为nat-policy的nat策略[editsecuritynatsourcerule-setnat-policy]root#setfromzoneinsidetozoneoutside//设置策略来自inside去往outside[editsecuritynatsourcerule-setnat-policy]root#editruleinside-to-outside-nat//定义规则名字为inside-to-outside-nat[editsecuritynatsourcerule-setnat-policyruleinside-to-outside-nat]root#setmatchdestination-address4/16//设置规则中目的IP地址[editsecuritynatsourcerule-setnat-policyruleinside-to-outside-nat]root#setthensource-natinterface//设置转换源的nat[editsecuritynatsourcerule-setnat-policyruleinside-to-outside-nat]root#setthenlogsession-initsession-close//设置启用日志,记录会话开场与完毕[editsecuritynatsourcerule-setnat-policy]root#exit[edit]root#editsystemsyslogfilenat-log//设置一个日志文件名字为nat-log[editsystemsyslogfilenat-log]root#setanyany//匹配任何logroot#setmatchRT_FLOW_SESSION//匹配日志中关键字RT_FLOW_SESSIONroot#runshowsecurityflowsession//查看会话的状态信息In:/55249-->01/161;udp,If:ge-0/0/1.0,Pkts:166,Bytes:17596Out:01/161-->/55249;udp,If:ge-0/0/0.0,Pkts:0,Bytes:0SessionID:50,Policyname:permit-all/4,Timeout:52,ValidIn:/55249-->00/161;udp,If:ge-0/0/1.0,Pkts:167,Bytes:17702Out:00/161-->/55249;udp,If:ge-0/0/0.0,Pkts:0,Bytes:0Totalsessions:2root#runshowsecurityflowsessionsummary//查看会话数Unicast-sessions:4Multicast-sessions:0Failed-sessions:0Sessions-in-use:10Validsessions:4Pendingsessions:0Invalidatedsessions:6Sessionsinotherstates:0Maximum-sessions:32768root#runshowlognat-log//查看日志信息Aug217:46:43RT_FLOW:RT_FLOW_SESSION_CREATE:sessioncreated/52896->33/53junos-dns-udp/52896->33/53NoneNone17permit-allinsideoutside3048Aug217:46:43RT_FLOW:RT_FLOW_SESSION_CREATE:sessioncreated/50439->78/80junos-/50439->78/80NoneNone6permit-allinsideoutside3049Aug217:46:43RT_FLOW:RT_FLOW_SESSION_CREATE:sessioncreated/50440->78/80junos-/50440->78/80NoneNone6permit-allinsideoutside3050Aug217:46:45RT_FLOW:RT_FLOW_SESSION_CLOSE:sessionclosedunset:/52896->33/53junos-dns-udp/52896->33/53NoneNone17permit-allinsideoutside30481(61)1(180)3root#showsecuritynat//查看nat的策略信息source{rule-setnat-policy{fromzoneinside;tozoneoutside;ruleinside-to-outside-nat{match{destination-address[4/16];}then{source-nat{interface;}[edit]root#editsecuritypoliciesfrom-zoneinsideto-zoneoutside[editsecuritypoliciesfrom-zoneinsideto-zoneoutside]root#editpolicypermit-all[editsecuritypoliciesfrom-zoneinsideto-zoneoutsidepolicypermit-all]root#setthencount//为policy配置count行为[editsecuritypoliciesfrom-zoneinsideto-zoneoutsidepolicypermit-all]root#commitcommitcomplete[editsecuritypoliciesfrom-zoneinsideto-zoneoutsidepolicypermit-all]root#showmatch{source-addressany;destination-addressany;applicationany;}then{permit;log{session-init;session-close;}count;root>showsecuritypoliciespolicy-namepermit-alldetail//使用show查看count结果Policy:permit-all,action-type:permit,State:enabled,Index:4,ScopePolicy:0PolicyType:ConfiguredSequencenumber:1Fromzone:inside,Tozone:outsideSourceaddresses:any-ipv4:/0any-ipv6:::/0Destinationaddresses:any-ipv4:/0any-ipv6:::/0Application:anyIPprotocol:0,ALG:0,Inactivitytimeout:0Sourceportrange:[0-0]Destinationportrange:[0-0]PerpolicyTCPOptions:SYNcheck:No,SEQcheck:NoSessionlog:at-create,at-closePolicystatistics:Inputbytes:269698414509bpsOutputbytes:268333814443bpsInputpackets:453728ppsOutputpackets:443327ppsSessionrate:2341spsActivesessions:9Sessiondeletions:225Policylookups:230Example2:源地址转换(NAT)多对一，使得所有出向的流量源IP地址转换为公网地址池/24配置:[editsecuritynatsource]root#showpoolA{address{/24to54/24;}host-address-base/24;}rule-set1A{fromzoneinside;tozoneoutside;rule1{match{source-address/24;}then{source-natpoolA;root>showsecurityflowsessionSessionID:57737,Policyname:default-permit/4,Timeout:1772In:/2023-->/24;tcp,If:ge-0/0/2.0Out:/24-->/2023;tcp,If:ge-0/0/3.10root>showsecuritynatsourcepoolallTotalpools:1Poolname:APoolid:4Routinginstance:defaultHostaddressbase:Port:notranslationTotaladdresses:254Translationhits:6Example3:目的地址转换〔NAT〕一对一，使所有进方向访问公网IP〔/32〕地址的流量都转换为内网的一个IP(/32)地址配置：[editsecuritynatdestination]root#showpoolA{address/24;}rule-set1{fromzoneoutside;rule1A{match{destination-address/32;}Then{destination-natpoolA;Example4:目的地址转换〔NAT〕一对多，使所有进方向访问公网IP〔/32port：80/81〕地址的流量都转换为内网的多个IP(/32port：8080/32port：8181)地址图解：将访问公网ipport80转换为内网ipport8080将访问公网ipport81转换为内网ipport8181配置：[editsecuritynatdestination]root#showpoolA{address/24port8080;poolB{address/24port8181;}rule-set1{fromzoneoutside;rule1A{match{destination-address/32;destination-port80;}then{destination-natpoolA;rule1B{match{destination-address/32;destination-port81;}then{destination-natpoolB;root>showsecurityflowsessionSessionID:12554,Policyname:default-permit/4,Timeout:14In:/58204-->/80;tcp,If:ge-0/0/3.10Out:/8080-->/58204;tcp,If:ge-0/0/2.01sessionsdisplayedSessionID:12554,Policyname:default-permit/4,Timeout:14In:/58304-->/81;tcp,If:ge-0/0/3.10Out:/8181-->/58304;tcp,If:ge-0/0/2.01sessionsdisplayed2.2透明模式的配置1.配置BridgeDomains桥接域〔BridgeDomains〕:属于同一泛洪或播送域的一组逻辑接口。在同一个Vlan里，桥接域可以跨越多个设备的一个或多个接口。默认情况下，每个桥接域都维护着自己的MAC地址转发表，附属

人人文库> 全部分类> 行业资料 > 管理策划

温馨提示

1. 本站所有资源如无特殊说明，都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
2. 本站的文档不包含任何第三方提供的附件图纸等，如果需要附件，请联系上传者。文件的所有权益归上传用户所有。
3. 本站RAR压缩包中若带图纸，网页内容里面会有图纸预览，若没有图纸预览就没有图纸。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 人人文库网仅提供信息存储空间，仅对用户上传内容的表现方式做保护处理，对用户上传分享的文档内容本身不做任何修改或编辑，并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容，请与我们联系，我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

防火墙配置手册和操作系统介绍

文档简介

温馨提示

最新文档

评论

防火墙配置手册和操作系统介绍

文档简介

温馨提示

最新文档

评论

相关文档