Juniper SRX 常用命令.docx

Juniper SRX 常用命令.docx

《Juniper SRX 常用命令.docx》由会员分享，可在线阅读，更多相关《Juniper SRX 常用命令.docx（17页珍藏版）》请在冰豆网上搜索。

JuniperSRX常用命令

JuniperSRX常用命令

2011-09-1116:

11:

15

标签：

SRXjuniper常用命令

原创作品，允许转载，转载时请务必以超链接形式标明文章原始出处、作者信息和本声明。

否则将追究法律责任。

rollback

setinterface 

setrouting-optionsstatic 

setsystemloginuseradminclasssuper-user

setsystemloginuseradminauthenticationplain-text-password输入密码

setsystemservicesssh

setsecurityzonessecurity-zoneuntrusthost-inbound-trafficsystem-servicesssh/ping 

setsecurityzonessecurity-zoneuntrustinterfacesge-0/0/0.0host-inbound-trafficsystem-servicesssh/telnet/ping

setsecurityzonessecurity-zonetrusthost-inbound-trafficsystem-servicesssh/telnet/ping

setsecurityzonessecurity-zonetrustinterfacesge-0/0/1.0host-inbound-trafficsystem-servicesssh/telnet/ping 

setsecurityzonessecurity-zoneuntrustinterfacesge-0/0/0（不定义区域，无法配置NAT）

setsecurityzonessecurity-zonetrustinterfacesge-0/0/1

######setsecurityzonessecurity-zonetrustinterfacesge-0/0/1?

?

?

######setinterfacesinterface-rangeinterfaces-trustmemberge-0/0/1 ?

?

?

?

##################################################

静态NAT：

  setsecuritynatsourcerule-setinterface-natfromzonetrust

  setsecuritynatsourcerule-setinterface-nattozoneuntrust

  setsecuritynatsourcerule-setinterface-natrulerule1matchsource-address192.168.0.0/23 

  setsecuritynatsourcerule-setinterface-natrulerule1matchdestination-address0.0.0.0/0

  setsecuritynatsourcerule-setinterface-natrulerule1thensource-natinterface

setsecurityzonessecurity-zonetrustaddress-bookaddress192192.168.0.0/23

setsecurityzonessecurity-zonetrustaddress-bookaddress-set192nataddress192

setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicy192natmatchsource-addressany

setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicy192natmatchdestination-addressany

setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicy192natmatchapplicationany

setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicy192natthenpermit

#######################################################

强制172.16.0.12走150出去（默认走物理接口146出去）

setsecuritynatsourcepoolpool-1address121.9.255.112

setsecuritynatsourcerule-setsou-natrulerule-mailmatchsource-address172.16.0.12/32

setsecuritynatsourcerule-setsou-natrulerule-mailmatchdestination-address0.0.0.0/0

setsecuritynatsourcerule-setsou-natrulerule-mailthensource-natpoolpool-1

insertsecuritynatsourcerule-setsou-natrulerule-mailbeforerulerule-sou

##########################################################

端口映射静态PAT:

从外到内 

setsecuritynatproxy-arpinterfacege-0/0/0.0address10.1.1.100/24

setsecuritynatproxy-arpinterfacege-0/0/3.0address10.1.2.100/24 

setsecuritynatdestinationpooldnat-pool-1address192.168.0.9/32

setsecuritynatdestinationpooldnat-pool-2address172.16.0.12/32

setsecuritynatdestinationrule-setdst-natfromzoneuntrust

setsecuritynatdestinationrule-setdst-natrulerule3matchdestination-address10.1.1.100/24

setsecuritynatdestinationrule-setdst-natrulerule3matchdestination-port21

setsecuritynatdestinationrule-setdst-natrulerule3thendestination-natpooldnat-pool-1

setsecuritynatdestinationrule-setdst-natrulerule2matchdestination-address10.1.2.100/24 

setsecuritynatdestinationrule-setdst-natrulerule2matchdestination-port443

setsecuritynatdestinationrule-setdst-natrulerule2thendestination-natpooldnat-pool-2

setsecurityzonessecurity-zonetrustaddress-bookaddressftpserver192.168.0.9

setsecurityzonessecurity-zonetrustaddress-bookaddressmailserver172.16.0.12

setsecurityzonessecurity-zonetrustaddress-bookaddress-setservergroupaddressftpserver

setsecurityzonessecurity-zonetrustaddress-bookaddress-setservergroupaddressmailserver

setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicystatic-natmatchsource-addressanydestination-addressservergroupapplicationjunos-http

setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicystatic-natmatchapplicationjunos-pop3

setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicystatic-natthenpermit

setapplicationsapplication443protocoltcp

setapplicationsapplication443destination-port443

##############################################################

setsecuritynatsourcerule-setsou-natfromzonetrust

setsecuritynatsourcerule-setsou-nattozoneuntrust

setsecuritynatsourcerule-setsou-natrulerule-mailmatchsource-address172.16.0.30/32

setsecuritynatsourcerule-setsou-natrulerule-mailmatchdestination-address0.0.0.0/0

setsecuritynatsourcerule-setsou-natrulerule-mailthensource-natpoolpool-1

##############################################################

管理端口：

setsystemservicesweb-managementhttps 

setsystemservicesweb-managementhttp

setsystemservicesweb-managementhttpport8084

setsystemservicesweb-managementhttpinterfaceall

setsystemservicesweb-managementhttpssystem-generated-certificate

setsystemservicesweb-managementhttpinterfacege-0/0/0.0

setsystemservicesweb-managementhttpsinterfacege-0/0/0.0

###########################################################################

定义端口地址池XXX_group：

setapplicationsapplicationsmtp_25destination-port25protocoltcp 

setapplicationsapplicationpop3_110destination-port110protocoltcp 

setapplicationsapplicationexchange_135destination-port135protocoltcp

setapplicationsapplicationsmtp_465destination-port465protocoltcp

setapplicationsapplicationimap_993destination-port993protocoltcp  

setapplicationsapplicationpop3_995destination-port995protocoltcp 

setapplicationsapplication-setmail_port_groupapplicationsmtp_25

setapplicationsapplication-setXXX_groupapplicationsmtp

setapplicationsapplication-setXXX_groupapplicationpop3

引用XXX_group:

setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicymail-policymatchapplicationXXX_group

##############################################################################

反向静态NAT：

从外到内

setsecuritynatstaticrule-setmail-static-natfromzoneuntrust

setsecuritynatstaticrule-setmail-static-natrulemail1matchdestination-address121.9.255.150/32

setsecuritynatstaticrule-setmail-static-natrulemail1thenstatic-natprefix172.16.0.12/32

返回的安全Policy:

setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicymail-policymatchsource-addressany

setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicymail-policymatchdestination-addressMail_ser

setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicymail-policymatchapplicationany（XXX_group）

setsecuritypoliciesfrom-zoneuntrustto-zonetrustpolicymail-policythenpermit

插入insertPolicy:

setsecurityzonessecurity-zonetrustaddress-bookaddressdeny_172172.16.0.155

setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicydeny_172matchsource-addressdeny_172

setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicydeny_172matchdestination-addressany

setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicydeny_172matchapplicationany

setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicydeny_172thendeny

insertsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicydeny_172beforepolicyTrust2Utrust（Trust2Utrust允许上公网策略）

#####################################################

禁止192网段上网，只允许192.168.0.2，192.168.0.121上网

setsecurityzonessecurity-zonetrustaddress-bookaddressdeny_192192.168.0.0/23

setsecurityzonessecurity-zonetrustaddress-bookaddresspermit_host_2192.168.0.2/32

setsecurityzonessecurity-zonetrustaddress-bookaddresspermit_host_121192.168.0.121/32

setsecurityzonessecurity-zonetrustaddress-bookaddress-setpermit_192_onlineaddressFTP_ser

setsecurityzonessecurity-zonetrustaddress-bookaddress-setpermit_192_onlineaddresspermit_host_2

setsecurityzonessecurity-zonetrustaddress-bookaddress-setpermit_192_onlineaddresspermit_host_121

setsecurityzonessecurity-zonetrustaddress-bookaddress-setdeny_192_onlineaddressdeny_192

返回的安全Policy:

setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicypermit_192_onlinematchsource-addresspermit_192_online

setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicypermit_192_onlinematchdestination-addressany

setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicypermit_192_onlinematchapplicationany 

setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicypermit_192_onlinethenpermit

setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicydeny_192_onlinematchsource-addressdeny_192_online

setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicydeny_192_onlinematchdestination-addressany

setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicydeny_192_onlinematchapplicationany

setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicydeny_192_onlinethendeny

insertsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicypermit_192_onlinebeforepolicydeny_172

insertsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicydeny_192_onlinebeforepolicydeny_172

###########################################################################

配置WEB管理

setsystemhost-nameTest

setsystemroot-authenticationencrypted-password"$1$XKPZUqwc$/WdxM1Cc1GAB8gJ0nNCOt."

setsystemname-server202.96.128.166

setsystemname-server202.96.128.86

setsystemloginuseradminuid2001

setsystemloginuseradminclasssuper-user

setsystemloginuseradmin