Configuring a Juniper SSG140 for the first time

(2010-04-27 10:10:43)

Tags: juniper, it

Environment in brief:

1. Dual ISP; two servers, .6.6 and .6.8, expose port 17991 to the outside
2. trust-vr and untrust-vr coexist; the zone untrust was moved into untrust-vr
3. .6.6 uses a VIP on the 180 address, .6.8 uses a MIP on the 221 address; source routing is applied

There really isn't much to it, but never having configured one before, I honestly had no idea at first how to set up address translation on a Juniper.

set clock ntp
set clock timezone 8
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
------------------------------------------------------------
If the firewall does not already have the service you need, add it yourself.
------------------------------------------------------------
set service "17991" protocol tcp src-port 0-65535 dst-port 17991-17991
set service "3389" protocol tcp src-port 0-65535 dst-port 3389-3389
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nJqNNxrLGyrLc0lEtsCBqfDtDMA/Pn"
set admin user "hongyuan" password "nNnfG0rrJIWDcc8EysvMuSCt+LBiDn" privilege "all"
------------------------------------------------------------
If you add management IPs, do not forget the internal subnet. The first time I only added the remote public address, so when I needed to configure from inside I could not get in and had to fall back to the console.
------------------------------------------------------------
set admin manager-ip 192.168.6.0 255.255.255.0
set admin manager-ip 114.255.150.140 255.255.255.255
set admin manager-ip 219.141.171.130 255.255.255.255
set admin auth web timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
------------------------------------------------------------
"Untrust" sits in "trust-vr" by default; I changed that.
------------------------------------------------------------
set zone "Untrust" vrouter "untrust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Trust" screen limit-session source-ip-based
set zone "Trust" screen limit-session destination-ip-based
set zone "Untrust" screen alarm-without-drop
set zone "Untrust" screen on-tunnel
set zone "Untrust" screen icmp-flood
set zone "Untrust" screen udp-flood
set zone "Untrust" screen winnuke
set zone "Untrust" screen port-scan
set zone "Untrust" screen ip-sweep
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ip-spoofing
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "Untrust" screen syn-frag
set zone "Untrust" screen tcp-no-flag
set zone "Untrust" screen unknown-protocol
set zone "Untrust" screen ip-bad-option
set zone "Untrust" screen ip-record-route
set zone "Untrust" screen ip-timestamp-opt
set zone "Untrust" screen ip-security-opt
set zone "Untrust" screen ip-loose-src-route
set zone "Untrust" screen ip-strict-src-route
set zone "Untrust" screen ip-stream-opt
set zone "Untrust" screen icmp-fragment
set zone "Untrust" screen icmp-large
set zone "Untrust" screen syn-fin
set zone "Untrust" screen fin-no-ack
set zone "Untrust" screen limit-session source-ip-based
set zone "Untrust" screen syn-ack-ack-proxy
set zone "Untrust" screen block-frag
set zone "Untrust" screen limit-session destination-ip-based
set zone "Untrust" screen icmp-id
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set zone "Untrust" screen limit-session source-ip-based 512
set zone "Untrust" screen limit-session destination-ip-based 512
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "V1-Trust"
set interface "ethernet0/2" zone "V1-Trust"
set interface "ethernet0/8" zone "Untrust"
set interface "ethernet0/9" zone "Untrust"
---------------- both Internet links are in the same zone
set interface ethernet0/0 ip 192.168.6.2/24
set interface ethernet0/0 nat
---------------- NAT is enabled on the inside interface: anything heading for the untrust or dmz zone is NATed, unless the firewall is configured in transparent mode
unset interface vlan1 ip
set interface ethernet0/8 ip 221.7.199.182/29
set interface ethernet0/8 route
set interface ethernet0/9 ip 180.136.240.114/30
set interface ethernet0/9 route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/9 manage-ip 180.136.240.113
set interface ethernet0/0 ip manageable
set interface ethernet0/8 ip manageable
set interface ethernet0/9 ip manageable
set interface ethernet0/8 manage ping
set interface ethernet0/8 manage telnet
set interface ethernet0/8 manage web
set interface ethernet0/9 manage ping
set interface ethernet0/9 manage telnet
set interface ethernet0/9 manage web
------------------------------------------------------------
With server auto detection enabled, the firewall pings the internal address itself; if it cannot reach it, the status shows as down.
------------------------------------------------------------
set interface ethernet0/9 vip interface-ip 3389 "3389" 192.168.6.6
set interface ethernet0/9 vip interface-ip 17991 "17991" 192.168.6.6
set interface ethernet0/8 vip interface-ip 3389 "3389" 192.168.6.21
---------------- look, it is this one
------------------------------------------------------------
If you have several IP addresses in the same subnet you can use a MIP; note that I put it in untrust-vr.
------------------------------------------------------------
set interface "ethernet0/8" mip 221.7.199.179 host 192.168.6.8 netmask 255.255.255.255 vr "untrust-vr"
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "221.7.199.180/32" 221.7.199.180 255.255.255.255
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
------------------------------------------------------------
Juniper also has an implicit deny any any, so from trust to untrust you have to configure a permit any any.
------------------------------------------------------------
set policy id 1 name "PERMIT_ANY" from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 1
exit
set policy id 2 name "PERMIT_PING" from "Untrust" to "Trust" "Any" "MIP(221.7.199.179)" "PING" permit
set policy id 2
exit
set policy id 4 name "PERMIT_CT" from "Untrust" to "Trust" "Any" "VIP(ethernet0/9)" "3389" permit log
set policy id 4
exit
set policy id 5 name "PERMIT_CNC" from "Untrust" to "Trust" "Any" "MIP(221.7.199.179)" "3389" permit log
set policy id 5
exit
set policy id 6 name "test" from "Untrust" to "Trust" "Any" "VIP(ethernet0/8)" "3389" permit log
set policy id 6
exit
set policy id 7 name "PERMIT_CT_17991" from "Untrust" to "Trust" "Any" "VIP(ethernet0/9)" "17991" permit log
set policy id 7
exit
set policy id 8 name "PERMIT_CNC_17991" from "Untrust" to "Trust" "Any" "MIP(221.7.199.179)" "17991" permit log
set policy id 8
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set ntp server "210.72.145.44"
set snmp port listen 161
set snmp port trap 162
------------------------------------------------------------
set vrouter "untrust-vr"
---------------- the routes below belong to untrust-vr
set source-routing enable
set route 0.0.0.0/0 interface ethernet0/8 gateway 221.7.199.177
set route 0.0.0.0/0 interface ethernet0/9 gateway 180.136.240.113
set route source 192.168.6.6/32 interface ethernet0/9 gateway 180.136.240.113
set route source 192.168.6.8/32 interface ethernet0/8 gateway 221.7.199.177
set route 192.168.6.0/24 vrouter "trust-vr" preference 20 metric 1
exit
set vrouter "trust-vr"
---------------- the routes below belong to trust-vr
unset add-default-route
set route 0.0.0.0/0 vrouter "untrust-vr" preference 20 metric 1
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
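Added example, not part of the original post: a small Python audit over ScreenOS config lines in the form used above. It resolves every Untrust-to-Trust permit policy through the VIP/MIP lines to the internal host it really exposes (the policy only names "VIP(ethernet0/9)" or "MIP(221.7.199.179)"), and lists Untrust interfaces that still accept telnet or plain web management, which the post enables on ethernet0/8 and ethernet0/9. The sample config is constructed from the post's own commands.

```python
import re

# Constructed sample: a subset of the post's own commands, spacing restored.
SAMPLE_CONFIG = """
set interface "ethernet0/8" zone "Untrust"
set interface "ethernet0/9" zone "Untrust"
set interface ethernet0/9 vip interface-ip 3389 "3389" 192.168.6.6
set interface ethernet0/9 vip interface-ip 17991 "17991" 192.168.6.6
set interface ethernet0/8 vip interface-ip 3389 "3389" 192.168.6.21
set interface "ethernet0/8" mip 221.7.199.179 host 192.168.6.8 netmask 255.255.255.255 vr "untrust-vr"
set interface ethernet0/8 manage telnet
set interface ethernet0/9 manage web
set interface ethernet0/0 manage telnet
set policy id 2 name "PERMIT_PING" from "Untrust" to "Trust" "Any" "MIP(221.7.199.179)" "PING" permit
set policy id 4 name "PERMIT_CT" from "Untrust" to "Trust" "Any" "VIP(ethernet0/9)" "3389" permit log
set policy id 6 name "test" from "Untrust" to "Trust" "Any" "VIP(ethernet0/8)" "3389" permit log
set policy id 8 name "PERMIT_CNC_17991" from "Untrust" to "Trust" "Any" "MIP(221.7.199.179)" "17991" permit log
"""

IFACE = r'set interface "?([^"\s]+)"? '          # interface name, quoted or not
ZONE_RE = re.compile(IFACE + r'zone "([^"]+)"')
VIP_RE = re.compile(IFACE + r'vip interface-ip (\d+) "[^"]*" (\S+)')   # iface, port, host
MIP_RE = re.compile(IFACE + r'mip (\S+) host (\S+)')                    # iface, public ip, host
MANAGE_RE = re.compile(IFACE + r'manage (\w+)')                         # iface, protocol
POLICY_RE = re.compile(r'set policy id (\d+) name "([^"]*)" from "([^"]*)" to "([^"]*)" '
                       r'"[^"]*" "([^"]*)" "([^"]*)" (permit|deny)( log)?')


def inbound_exposure(config):
    """(policy id, name, internal host, service, logged) for each permit policy
    from Untrust, with the VIP/MIP destination resolved to the real host."""
    vip = {(m[1], m[2]): m[3] for m in VIP_RE.finditer(config)}   # (iface, port) -> host
    mip = {m[2]: m[3] for m in MIP_RE.finditer(config)}           # public ip -> host
    rows = []
    for pid, name, src_zone, _dst_zone, dst, svc, action, log in POLICY_RE.findall(config):
        if src_zone != "Untrust" or action != "permit":
            continue
        kind, _, inner = dst.partition("(")       # "VIP(ethernet0/9)" -> "VIP", "ethernet0/9)"
        inner = inner.rstrip(")")
        host = vip.get((inner, svc)) if kind == "VIP" else mip.get(inner)
        rows.append((int(pid), name, host, svc, bool(log)))
    return rows


def cleartext_mgmt_on_untrust(config):
    """Untrust-zone interfaces that still accept telnet or plain web management."""
    zones = dict(ZONE_RE.findall(config))                          # iface -> zone
    return sorted((iface, proto) for iface, proto in MANAGE_RE.findall(config)
                  if proto in ("telnet", "web") and zones.get(iface) == "Untrust")
```

Feed it the output of get config on a ScreenOS box to see which internal hosts each inbound rule really reaches and whether the rule logs.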
