Juniper SRX Firewall: Virtual Router Topics

Notes for reading this document:

Test environment: SRX220H

IP addresses in the topology:
G-0/0/3: 192.168.3.1/24
G-0/0/4: 192.168.4.1/24
G-0/0/5: 192.168.5.1/24
G-0/0/6: 10.10.30.189/24
F0/1: 192.168.4.2/24
F0/2: 192.168.5.2/24
F0/3: 192.168.100.1/24 (simulates the remote Internet)

Test topology:

1. Virtual routers (remembering the ingress of incoming traffic)

Requirements:
External users reach port 3389 on the firewall's external interface; it is destination-NATed to the internal server 192.168.3.5:3389, and the traffic returns along the path it came in on;
Permit all external users to port 3389 on host 192.168.3.5 (dual-ISP uplinks).

Configuration:

set routing-instances Tel instance-type virtual-router
set routing-instances Tel interface ge-0/0/4.0
set routing-instances Tel routing-options interface-routes rib-group inet Big-rib
set routing-instances Tel routing-options static route 0.0.0.0/0 next-hop 192.168.4.2
set routing-instances CNC instance-type virtual-router
set routing-instances CNC interface ge-0/0/5.0
set routing-instances CNC routing-options interface-routes rib-group inet Big-rib
set routing-instances CNC routing-options static route 0.0.0.0/0 next-hop 192.168.5.2
set interfaces ge-0/0/3 unit 0 family inet address 192.168.3.1/24
set interfaces ge-0/0/4 unit 0 family inet address 192.168.4.1/24
set interfaces ge-0/0/5 unit 0 family inet address 192.168.5.1/24
set interfaces ge-0/0/6 unit 0 family inet address 10.10.30.189/24
set routing-options interface-routes rib-group inet Big-rib
set routing-options static route 10.0.0.0/8 next-hop 10.10.30.1
set routing-options static route 0.0.0.0/0 next-hop 192.168.4.2
set routing-options static route 0.0.0.0/0 install
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options rib-groups Big-rib import-rib inet.0
set routing-options rib-groups Big-rib import-rib CNC.inet.0
set routing-options rib-groups Big-rib import-rib Tel.inet.0
set security nat destination pool 111 address 192.168.3.5/32
set security nat destination rule-set 1 from zone Tel-trust
set security nat destination rule-set 1 rule 111 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 111 match destination-address 192.168.4.1/32
set security nat destination rule-set 1 rule 111 match destination-port 3389
set security nat destination rule-set 1 rule 111 then destination-nat pool 111
set security nat destination rule-set 2 from zone CNC-trust
set security nat destination rule-set 2 rule 222 match source-address 0.0.0.0/0
set security nat destination rule-set 2 rule 222 match destination-address 192.168.5.1/32
set security nat destination rule-set 2 rule 222 match destination-port 3389
set security nat destination rule-set 2 rule 222 then destination-nat pool 111
set applications application tcp_3389 protocol tcp
set applications application tcp_3389 destination-port 3389
set security zones security-zone trust address-book address H_192.168.3.5 192.168.3.5/32
set security policies from-zone Tel-trust to-zone trust policy default-permit match source-address any
set security policies from-zone Tel-trust to-zone trust policy default-permit match destination-address H_192.168.3.5
set security policies from-zone Tel-trust to-zone trust policy default-permit match application tcp_3389
set security policies from-zone Tel-trust to-zone trust policy default-permit then permit
set security policies from-zone CNC-trust to-zone trust policy default-permit match source-address any
set security policies from-zone CNC-trust to-zone trust policy default-permit match destination-address H_192.168.3.5
set security policies from-zone CNC-trust to-zone trust policy default-permit match application tcp_3389
set security policies from-zone CNC-trust to-zone trust policy default-permit then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/3.0
set security zones security-zone Tel-trust host-inbound-traffic system-services all
set security zones security-zone Tel-trust host-inbound-traffic protocols all
set security zones security-zone Tel-trust interfaces ge-0/0/4.0
set security zones security-zone CNC-trust host-inbound-traffic system-services all
set security zones security-zone CNC-trust host-inbound-traffic protocols all
set security zones security-zone CNC-trust interfaces ge-0/0/5.0
set security zones security-zone MGT host-inbound-traffic system-services all
set security zones security-zone MGT host-inbound-traffic protocols all
set security zones security-zone MGT interfaces ge-0/0/6.0

Verification:

root@SRX-Ipsec-A> show security flow session
Session ID: 9696, Policy name: default-permit/5, Timeout: 1794, Valid
  In: 192.168.100.211/57408 --> 192.168.5.1/3389;tcp, If: ge-0/0/5.0, Pkts: 2, Bytes: 112
  Out: 192.168.3.5/3389 --> 192.168.100.211/57408;tcp, If: ge-0/0/3.0, Pkts: 1, Bytes: 60

============================================================================

root@SRX-Ipsec-A> show security flow session
Session ID: 9697, Policy name: default-permit/4, Timeout: 1796, Valid
  In: 192.168.100.211/57409 --> 192.168.4.1/3389;tcp, If: ge-0/0/4.0, Pkts: 2, Bytes: 112
  Out: 192.168.3.5/3389 --> 192.168.100.211/57409;tcp, If: ge-0/0/3.0, Pkts: 1, Bytes: 60

Configuration walkthrough:

set routing-instances Tel instance-type virtual-router
// Create the virtual router Tel
set routing-instances Tel interface ge-0/0/4.0
// Add the logical interface to the virtual router
set routing-instances Tel routing-options interface-routes rib-group inet Big-rib
// Place the interface routes of the new table into the rib group "Big-rib"
set routing-instances Tel routing-options static route 0.0.0.0/0 next-hop 192.168.4.2
// Configure a default route in the Tel table

set routing-instances CNC instance-type virtual-router
set routing-instances CNC interface ge-0/0/5.0
set routing-instances CNC routing-options interface-routes rib-group inet Big-rib
set routing-instances CNC routing-options static route 0.0.0.0/0 next-hop 192.168.5.2
// Configure the CNC table in the same way

set interfaces ge-0/0/3 unit 0 family inet address 192.168.3.1/24
set interfaces ge-0/0/4 unit 0 family inet address 192.168.4.1/24
set interfaces ge-0/0/5 unit 0 family inet address 192.168.5.1/24
set interfaces ge-0/0/6 unit 0 family inet address 10.10.30.189/24
// Configure the IP addresses of the logical interfaces

set routing-options interface-routes rib-group inet Big-rib
// Apply the rib group to the master table and add its interface routes to Big-rib
set routing-options static route 10.0.0.0/8 next-hop 10.10.30.1
set routing-options static route 0.0.0.0/0 next-hop 192.168.4.2
// Configure the routes of the global (master) routing table
set routing-options static route 0.0.0.0/0 install
// Install the route into the forwarding table
set routing-options static route 0.0.0.0/0 no-readvertise
// Do not readvertise this static route into routing protocols
set routing-options rib-groups Big-rib import-rib inet.0
set routing-options rib-groups Big-rib import-rib CNC.inet.0
set routing-options rib-groups Big-rib import-rib Tel.inet.0
// Import the direct (interface) routes of all three tables into the rib group, so each table learns the others' connected subnets

set security nat destination pool 111 address 192.168.3.5/32
// The internal server address that destination NAT translates to
set security nat destination rule-set 1 from zone Tel-trust
set security nat destination rule-set 1 rule 111 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 111 match destination-address 192.168.4.1/32
set security nat destination rule-set 1 rule 111 match destination-port 3389
set security nat destination rule-set 1 rule 111 then destination-nat pool 111
// Destination NAT for traffic entering zone Tel-trust
set security nat destination rule-set 2 from zone CNC-trust
set security nat destination rule-set 2 rule 222 match source-address 0.0.0.0/0
set security nat destination rule-set 2 rule 222 match destination-address 192.168.5.1/32
set security nat destination rule-set 2 rule 222 match destination-port 3389
set security nat destination rule-set 2 rule 222 then destination-nat pool 111
// Destination NAT for traffic entering zone CNC-trust

set applications application tcp_3389 protocol tcp
set applications application tcp_3389 destination-port 3389
set security zones security-zone trust address-book address H_192.168.3.5 192.168.3.5/32
// Custom application (port) and address-book entry

set security policies from-zone Tel-trust to-zone trust policy default-permit match source-address any
set security policies from-zone Tel-trust to-zone trust policy default-permit match destination-address H_192.168.3.5
set security policies from-zone Tel-trust to-zone trust policy default-permit match application tcp_3389
set security policies from-zone Tel-trust to-zone trust policy default-permit then permit
// Security policy from Tel-trust to trust
set security policies from-zone CNC-trust to-zone trust policy default-permit match source-address any
set security policies from-zone CNC-trust to-zone trust policy default-permit match destination-address H_192.168.3.5
set security policies from-zone CNC-trust to-zone trust policy default-permit match application tcp_3389
set security policies from-zone CNC-trust to-zone trust policy default-permit then permit
// Security policy from CNC-trust to trust

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/3.0
set security zones security-zone Tel-trust host-inbound-traffic system-services all
set security zones security-zone Tel-trust host-inbound-traffic protocols all
set security zones security-zone Tel-trust interfaces ge-0/0/4.0
set security zones security-zone CNC-trust host-inbound-traffic system-services all
set security zones security-zone CNC-trust host-inbound-traffic protocols all
set security zones security-zone CNC-trust interfaces ge-0/0/5.0
set security zones security-zone MGT host-inbound-traffic system-services all
set security zones security-zone MGT host-inbound-traffic protocols all
set security zones security-zone MGT interfaces ge-0/0/6.0
// Assign the logical interfaces to zones and allow all protocols and system services to reach the firewall's directly connected interfaces
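As an added example (not part of the original document), the following Python script parses set-format configuration of the kind shown above and checks three properties this design depends on: every destination NAT rule matches an address that really belongs to an interface in the rule-set's from-zone (otherwise the rule can never hit), every translating rule is restricted to a destination port (otherwise every port of the outside address is forwarded to the internal host), and every routing instance's interface-routes rib-group imports all three tables (inet.0, Tel.inet.0, CNC.inet.0), which is the direct-route sharing the walkthrough describes. The sample configuration is constructed from the first scenario's lines, with rule 222 deliberately left without a destination-port match so the second check has something to report; the function names and the "master" label for inet.0 are the example's own.

```python
"""Sanity checks over Junos set-format configuration for a multi-VR destination
NAT design. Added example, not code from the original document; the sample
configuration is constructed from the first scenario, with rule 222
deliberately left without a destination-port match."""
import ipaddress
from collections import defaultdict

# Constructed sample: a subset of the scenario-one configuration in set format.
SAMPLE_CONFIG = """
set interfaces ge-0/0/4 unit 0 family inet address 192.168.4.1/24
set interfaces ge-0/0/5 unit 0 family inet address 192.168.5.1/24
set routing-instances Tel interface ge-0/0/4.0
set routing-instances Tel routing-options interface-routes rib-group inet Big-rib
set routing-instances CNC interface ge-0/0/5.0
set routing-instances CNC routing-options interface-routes rib-group inet Big-rib
set routing-options interface-routes rib-group inet Big-rib
set routing-options rib-groups Big-rib import-rib inet.0
set routing-options rib-groups Big-rib import-rib CNC.inet.0
set routing-options rib-groups Big-rib import-rib Tel.inet.0
set security nat destination rule-set 1 from zone Tel-trust
set security nat destination rule-set 1 rule 111 match destination-address 192.168.4.1/32
set security nat destination rule-set 1 rule 111 match destination-port 3389
set security nat destination rule-set 1 rule 111 then destination-nat pool 111
set security nat destination rule-set 2 from zone CNC-trust
set security nat destination rule-set 2 rule 222 match destination-address 192.168.5.1/32
set security nat destination rule-set 2 rule 222 then destination-nat pool 111
set security zones security-zone Tel-trust interfaces ge-0/0/4.0
set security zones security-zone CNC-trust interfaces ge-0/0/5.0
"""


def parse_set_config(text):
    """Reduce 'set ...' lines to the relationships the checks need."""
    m = {"iface_addr": {}, "zone_ifaces": defaultdict(set), "iface_rib_group": {},
         "rib_group_imports": defaultdict(list), "nat_rule_sets": {}}
    # keys: "ge-0/0/4.0" -> IPv4Interface; zone -> interfaces; instance ("master" = inet.0)
    # -> rib-group name; rib-group -> imported tables; rule-set -> {"zone", "rules"}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "set":
            continue
        t = t[1:]
        if t[0] == "interfaces" and "address" in t:
            m["iface_addr"][f"{t[1]}.{t[3]}"] = ipaddress.ip_interface(t[-1])
        elif t[:3] == ["security", "zones", "security-zone"] and len(t) > 5 and t[4] == "interfaces":
            m["zone_ifaces"][t[3]].add(t[5])
        elif t[0] == "routing-instances" and t[2:5] == ["routing-options", "interface-routes", "rib-group"]:
            m["iface_rib_group"][t[1]] = t[6]
        elif t[:3] == ["routing-options", "interface-routes", "rib-group"]:
            m["iface_rib_group"]["master"] = t[4]
        elif t[:2] == ["routing-options", "rib-groups"] and t[3] == "import-rib":
            m["rib_group_imports"][t[2]].append(t[4])
        elif t[:4] == ["security", "nat", "destination", "rule-set"]:
            rs = m["nat_rule_sets"].setdefault(t[4], {"zone": None, "rules": {}})
            if t[5:7] == ["from", "zone"]:
                rs["zone"] = t[7]
            elif t[5] == "rule":
                rule = rs["rules"].setdefault(t[6], {})
                if t[7:9] == ["match", "destination-address"]:
                    rule["dst_addr"] = ipaddress.ip_interface(t[9]).ip
                elif t[7:9] == ["match", "destination-port"]:
                    rule["dst_port"] = int(t[9])
                elif t[7:10] == ["then", "destination-nat", "pool"]:
                    rule["pool"] = t[10]
    return m


def check_dnat_zone_address(m):
    """Flag rules whose destination-address is not an address of an interface
    in the rule-set's from-zone: traffic to it never arrives in that zone."""
    findings = []
    for rs_name, rs in m["nat_rule_sets"].items():
        zone_addrs = {m["iface_addr"][i].ip for i in m["zone_ifaces"][rs["zone"]] if i in m["iface_addr"]}
        for rule_name, rule in rs["rules"].items():
            if "dst_addr" in rule and rule["dst_addr"] not in zone_addrs:
                findings.append(f"rule-set {rs_name} rule {rule_name}: {rule['dst_addr']} "
                                f"is not an interface address in zone {rs['zone']}")
    return findings


def check_dnat_port_scope(m):
    """Flag translating rules with no destination-port match (all ports would be forwarded)."""
    return [f"rule-set {rs_name} rule {rule_name}: no destination-port match, "
            f"all ports forwarded to pool {rule['pool']}"
            for rs_name, rs in m["nat_rule_sets"].items()
            for rule_name, rule in rs["rules"].items()
            if "pool" in rule and "dst_port" not in rule]


def check_shared_interface_routes(m):
    """Flag instances whose interface-routes rib-group does not import every table."""
    tables = {"inet.0"} | {f"{i}.inet.0" for i in m["iface_rib_group"] if i != "master"}
    findings = []
    for inst, group in m["iface_rib_group"].items():
        missing = tables - set(m["rib_group_imports"][group])
        if missing:
            findings.append(f"instance {inst}: rib-group {group} does not import {sorted(missing)}")
    return findings


def audit(text):
    m = parse_set_config(text)  # one parse, all findings combined
    return check_dnat_zone_address(m) + check_dnat_port_scope(m) + check_shared_interface_routes(m)
```

Running `audit(SAMPLE_CONFIG)` reports only the missing port match on rule 222; adding `set security nat destination rule-set 2 rule 222 match destination-port 3389` clears it. Removing one of the `import-rib` lines makes the third check report every instance that uses Big-rib, since all three tables need the others' direct routes for the design to work.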

2. Virtual routers (multi-link load sharing and redundancy)

Requirements:
Internal users' traffic to ports 22, 3389 and 8080 goes out via China Telecom (Tel); all other traffic goes out via CNC;
All internal-to-external traffic is source-NATed to the IP address of the corresponding external interface;
Provide load sharing and redundancy across the links;
Permit all services (dual-ISP uplinks).

Configuration:

set routing-instances Tel instance-type virtual-router
set routing-instances Tel interface ge-0/0/4.0
set routing-instances Tel routing-options interface-routes rib-group inet Big-rib
set routing-instances Tel routing-options static route 0.0.0.0/0 next-hop 19
