Uploader: b****7 | Document ID: 9321794 | Uploaded: 2023-02-04 | Format: DOCX | Pages: 31 | Size: 20.53 KB
Netscreen/Juniper Firewall VPN Configuration Notes

Contents

1. Overview

2. Device models and connections

2.1. Device models

3. Requirements

4. Configuration notes

4.1. Netscreen 208 configuration

4.2. Netscreen 50B configuration (Guoyan data center)

4.3. Netscreen 5GT configuration (office network)

5. Configuration appendix

5.1. Netscreen 208

5.2. Netscreen 50B

5.3. Netscreen 5GT


1. Overview

This document covers the following points for the firewalls in the Guoyan data center and the office network:

- device models
- installation and configuration
- application policies
- VPN connections

2. Device models and connections

2.1. Device models

Complete list of the company's firewall devices:

Device name \ model           | Quantity | Role
Network firewall Netscreen 208 | 1        | IDC main filtering firewall
Network firewall Netscreen 50B | 2        | IDC / office-area VPN endpoint devices
Network firewall Netscreen 5GT | 2        | Office-network VPN endpoint devices

Firewall devices used for the data-center connection:

Device name \ model           | Quantity | Role
Network firewall Netscreen 208 | 1        | IDC main filtering firewall
Network firewall Netscreen 50B |          | IDC
Network firewall Netscreen 5GT |          | Office-network VPN endpoint device

3. Requirements

Our firewalls serve two main purposes:

1. Mapping the internal web servers to the outside and controlling outbound access from the IDC servers
2. VPN interconnection

In the list above, the Netscreen 208 is mainly used to publish the web servers externally and to control outbound access from the IDC servers.

The 50B is mainly used for the VPN to the office-network 5GT.

4. Configuration notes

4.1. Netscreen 208 configuration

Port mappings (VIPs):

set interface ethernet1 vip 211.144.149.11 25 "MAIL" 172.16.12.8      # map port 25
set interface ethernet1 vip 211.144.149.11 + 80 "HTTP" 172.16.12.8    # map port 80
set interface ethernet1 vip 211.144.149.11 + 110 "POP3" 172.16.12.8   # map port 110
set interface ethernet1 vip 211.144.149.12 80 "HTTP" 172.16.1.21      # map port 80 (website)
set interface ethernet1 vip 211.144.149.13 80 "HTTP" 172.16.1.23      # map port 80 (website)
set interface ethernet1 vip 211.144.149.14 80 "HTTP" 172.16.4.14      # map port 80 (website)

Policies:

set policy id 1 name "webnat" from "Trust" to "Untrust" "172.16.1.1/25" "Any" "HTTP" permit
set policy id 1
set service "ICMP-ANY"
exit
# all outbound port-80 and ICMP access from the internal network is permitted

set policy id 3 name "smtp" from "Trust" to "Untrust" "network" "Any" "ANY" permit
set policy id 3
set src-address "network2"
set src-address "smtp"
exit
# allow the internal addresses network (172.16.12.9, the network-management server) and network2 (172.16.12.8, the mail server) unrestricted outbound access

set policy id 5 from "Untrust" to "Global" "Any" "VIP(211.144.149.11)" "HTTP" permit log
set policy id 5
set service "POP3"
set service "SMTP"
exit
# allow external access to the mail/web services on VIP(211.144.149.11)

set policy id 6 from "Untrust" to "Global" "Any" "VIP(211.144.149.12)" "HTTP" permit log
set policy id 6
exit
# allow external access to the web service on VIP(211.144.149.12)

set policy id 7 from "Untrust" to "Global" "Any" "VIP(211.144.149.13)" "HTTP" permit
set policy id 7
exit
# allow external access to the web service on VIP(211.144.149.13)

set policy id 8 from "Untrust" to "Global" "Any" "VIP(211.144.149.14)" "HTTP" permit log
set policy id 8
exit
# allow external access to the web service on VIP(211.144.149.14)

set policy id 9 from "Trust" to "Untrust" "172.16.4.14/32" "Any" "HTTP" permit
set policy id 9
exit
# not in effect for now

set policy id 10 from "Trust" to "Untrust" "172.16.1.25" "211.144.158.218/32" "ANY" permit
set policy id 10
exit
# not in effect for now

set policy id 11 from "Untrust" to "Global" "211.144.158.218/32" "MIP(211.144.149.6)" "ANY" permit
set policy id 11
exit
# not in effect for now; to be used later for the primary/secondary DNS servers

set policy id 12 name "deny" from "Untrust" to "Trust" "203.196.128.49/32" "Any" "ANY" deny log
set policy id 12
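The following is an added example, not part of the original document: a small Python audit script that parses ScreenOS `set address` and `set policy` lines in the form used above, including the `set policy id N` ... `exit` context blocks that add extra source addresses and services, resolves named sources through the address book, and flags two things a reviewer would otherwise check by hand: outbound permits whose service is ANY, and inbound permits without `log`. The embedded excerpt is copied from this section; the two audit rules are assumptions of this example, not something the document prescribes.

```python
import shlex
# Excerpt of this page's Netscreen 208 config (section 4.1), embedded so the script runs offline.
CONFIG = """\
set address "Trust" "network" 172.16.12.9 255.255.255.255
set address "Trust" "network2" 172.16.12.10 255.255.255.255
set address "Trust" "smtp" 172.16.12.8 255.255.255.255
set policy id 3 name "smtp" from "Trust" to "Untrust" "network" "Any" "ANY" permit
set policy id 3
set src-address "network2"
set src-address "smtp"
exit
set policy id 5 from "Untrust" to "Global" "Any" "VIP(211.144.149.11)" "HTTP" permit log
set policy id 5
set service "POP3"
set service "SMTP"
exit
set policy id 7 from "Untrust" to "Global" "Any" "VIP(211.144.149.13)" "HTTP" permit
"""
FIELDS = {"src-address": "src", "dst-address": "dst", "service": "svc"}

def parse(config):
    """Return (address book, policies by id); a bare 'set policy id N' opens a context."""
    addrs, policies, ctx = {}, {}, None
    for line in config.splitlines():
        tok = shlex.split(line)  # quoted object names stay single tokens
        if tok[:2] == ["set", "address"]:  # set address <zone> <name> <ip> <mask>
            addrs[tok[3]] = f"{tok[4]}/{tok[5]}"
        elif tok[:3] == ["set", "policy", "id"] and "from" in tok:
            i = tok.index("from")  # from <zone> to <zone> <src> <dst> <svc> <action> [log]
            policies[int(tok[3])] = {"from": tok[i + 1], "to": tok[i + 3], "src": [tok[i + 4]], "dst": [tok[i + 5]],
                                     "svc": [tok[i + 6]], "action": tok[i + 7], "log": "log" in tok[i + 8:]}
        elif tok[:3] == ["set", "policy", "id"]:  # context line: following set lines extend this policy
            ctx = policies[int(tok[3])]
        elif ctx is not None and tok[:1] == ["set"] and tok[1] in FIELDS:
            ctx[FIELDS[tok[1]]].append(tok[2])
        elif tok == ["exit"]:
            ctx = None
    return addrs, policies

def audit(addrs, policies):
    """Reviewer rules (assumptions of this example): outbound permit with service ANY,
    with its sources resolved via the address book; inbound permit that does not log."""
    findings = []
    for pid, p in sorted(policies.items()):
        if p["action"] == "permit" and p["from"] == "Trust" and "ANY" in p["svc"]:
            srcs = ", ".join(f"{s}={addrs.get(s, 'unknown')}" for s in p["src"])
            findings.append(f"policy {pid}: service ANY outbound from {srcs}")
        if p["action"] == "permit" and p["from"] == "Untrust" and not p["log"]:
            findings.append(f"policy {pid}: inbound permit without log")
    return findings
```

The resolved sources printed for policy 3 come from the address book in the appendix, so they can be compared directly with the comment under that policy above.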

4.2. Netscreen 50B configuration (Guoyan data center)

The 50B is mainly used for VPN communication with the office network, so its configuration consists mainly of VPN policies.

The detailed configuration is relatively complex; we only give the configuration file in the appendix.

4.3. Netscreen 5GT configuration (office network)

The 5GT is mainly used for VPN communication with the Guoyan data center, so its configuration consists mainly of VPN policies.

The detailed configuration is relatively complex; we only give the configuration file in the appendix.

5. Configuration appendix

5.1. Netscreen 208

set clock timezone 7
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "8080" protocol tcp src-port 0-65535 dst-port 8080-8080
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "testadmin"
set admin password "nGV2PirHHhcNcrOM9sTB+rJt/6OPrn"
set admin port 8000
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
unset zone "Untrust" screen tear-drop
unset zone "Untrust" screen syn-flood
unset zone "Untrust" screen ping-death
unset zone "Untrust" screen ip-filter-src
unset zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set zone "Untrust" screen limit-session source-ip-based 1000
set zone "Untrust" screen limit-session destination-ip-based 1000
set zone "Untrust" screen syn-ack-ack threshold 1000
set interface "ethernet1" zone "Untrust"
set interface "ethernet2" zone "Trust"
set interface "ethernet3" zone "Untrust"
unset interface vlan1 ip
set interface ethernet1 ip 211.144.149.2/25
set interface ethernet1 route
set interface ethernet2 ip 172.16.1.2/24
set interface ethernet2 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1 ip manageable
set interface ethernet2 ip manageable
set interface ethernet1 manage ssh
set interface ethernet1 manage ssl
set interface ethernet1 vip 211.144.149.11 25 "MAIL" 172.16.12.8
set interface ethernet1 vip 211.144.149.11 + 80 "HTTP" 172.16.12.8
set interface ethernet1 vip 211.144.149.11 + 110 "POP3" 172.16.12.8
set interface ethernet1 vip 211.144.149.12 80 "HTTP" 172.16.1.21
set interface ethernet1 vip 211.144.149.13 80 "HTTP" 172.16.1.23
set interface ethernet1 vip 211.144.149.14 80 "HTTP" 172.16.4.14
set interface "ethernet1" mip 211.144.149.6 host 172.16.1.25 netmask 255.255.255.255 vr "trust-vr"
unset flow no-tcp-seq-check
set flow tcp-syn-check
set address "Trust" "172.16.1.1/25" 172.16.1.1 255.255.255.128
set address "Trust" "172.16.1.25" 172.16.1.25 255.255.255.255
set address "Trust" "172.16.12.0/24" 172.16.12.0 255.255.255.0
set address "Trust" "172.16.4.14/32" 172.16.4.14 255.255.255.255
set address "Trust" "bbs" 172.16.4.14 255.255.255.255
set address "Trust" "network" 172.16.12.9 255.255.255.255
set address "Trust" "network2" 172.16.12.10 255.255.255.255
set address "Trust" "smtp" 172.16.12.8 255.255.255.255
set address "Untrust" "203.196.128.49/32" 203.196.128.49 255.255.255.255
set address "Untrust" "211.144.158.218/32" 211.144.158.218 255.255.255.255
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol websense
exit
set policy id 1 name "webnat" from "Trust" to "Untrust" "172.16.1.1/25" "Any" "HTTP" permit
set policy id 1
set service "ICMP-ANY"
exit
set policy id 3 name "smtp" from "Trust" to "Untrust" "network" "Any" "ANY" permit
set policy id 3
set src-address "network2"
set src-address "smtp"
exit
set policy id 5 from "Untrust" to "Global" "Any" "VIP(211.144.149.11)" "HTTP" permit log
set policy id 5
set service "POP3"
set service "SMTP"
exit
set policy id 6 from "Untrust" to "Global" "Any" "VIP(211.144.149.12)" "HTTP" permit log
set policy id 6
exit
set policy id 7 from "Untrust" to "Global" "Any" "VIP(211.144.149.13)" "HTTP" permit
set policy id 7
exit
set policy id 8 from "Untrust" to "Global" "Any" "VIP(211.144.149.14)" "HTTP" permit log
set policy id 8
exit
set policy id 9 from "Trust" to "Untrust" "172.16.4.14/32" "Any" "HTTP" permit
set policy id 9
exit
set policy id 10 from "Trust" to "Untrust" "172.16.1.25" "211.144.158.218/32" "ANY" permit
set policy id 10
exit
set policy id 11 from "Untrust" to "Global" "211.144.158.218/32" "MIP(211.144.149.6)" "ANY" permit
set policy id 11
exit
set policy id 12 name "deny" from "Untrust" to "Trust" "203.196.128.49/32" "Any" "ANY" deny log
set policy id 12
exit
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set syslog config "172.16.12.9"
set syslog config "172.16.12.9" facilities local0 local0
set syslog src-interface ethernet2
set syslog enable
unset log module system level notification destination syslog
unset log module system level information destination syslog
unset log module system level debugging destination syslog
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set config lock timeout 5
set snmp community "testsnmp" Read-Write Trap-on traffic version v2c
set snmp host "testsnmp" 172.16.12.9 255.255.255.255 src-interface ethernet2 trap v2
set snmp host "testsnmp" 192.168.21.102 255.255.255.255 src-interface ethernet2 trap v2
set snmp name "uns208"
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 172.16.12.0/24 interface ethernet2 gateway 172.16.1.1 preference 20
set route 0.0.0.0/0 interface ethernet1 gateway 211.144.149.1 preference 20
set route 192.168.0.0/16 interface ethernet2 gateway 172.16.1.3 preference 20
set route 172.16.4.14/32 interface ethernet2 gateway 172.16.1.1 preference 20
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

5.2. Netscreen 50B

set clock timezone 7
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "5222" protocol tcp src-port 0-65535 dst-port 5222-5222
set service "6664" protocol tcp src-port 0-65535 dst-port 6664-6664
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "testadmin"
set admin password "nGV2PirHHhcNcrOM9sTB+rJt/6OPrn"
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "t
