# Basic management access
set routing-options static
set system login user admin class super-user
set system login user admin authentication plain-text-password   # enter the password when prompted
set system services ssh
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services telnet
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services telnet
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0   # an interface must belong to a zone, otherwise NAT cannot be configured for it
set security zones security-zone trust interfaces ge-0/0/1
# set security zones security-zone trust interfaces ge-0/0/1 ?
# set interfaces interface-range interfaces-trust member ge-0/0/1

# "Static NAT" (the author's label; this is interface-based source NAT):
set security nat source rule-set interface-nat from zone trust
set security nat source rule-set interface-nat to zone untrust
set security nat source rule-set interface-nat rule rule1 match source-address 192.168.0.0/23
set security nat source rule-set interface-nat rule rule1 match destination-address 0.0.0.0/0
set security nat source rule-set interface-nat rule rule1 then source-nat interface
set security zones security-zone trust address-book address 192 192.168.0.0/23
set security zones security-zone trust address-book address-set 192nat address 192
set security policies from-zone trust to-zone untrust policy 192nat match source-address any
set security policies from-zone trust to-zone untrust policy 192nat match destination-address any
set security policies from-zone trust to-zone untrust policy 192nat match application any
set security policies from-zone trust to-zone untrust policy 192nat then permit

# Force 172.16.0.12 to leave via .150 (by default it leaves via the physical interface address .146)
set security nat source pool pool-1 address 121.9.255.112
set security nat source rule-set sou-nat rule rule-mail match source-address 172.16.0.12/32
set security nat source rule-set sou-nat rule rule-mail match destination-address 0.0.0.0/0
set security nat source rule-set sou-nat rule rule-mail then source-nat pool pool-1
insert security nat source rule-set sou-nat rule rule-mail before rule rule-sou

# Port mapping (static PAT): outside to inside
set security nat proxy-arp interface ge-0/0/0.0 address 10.1.1.100/24
set security nat proxy-arp interface ge-0/0/3.0 address 10.1.2.100/24
set security nat destination pool dnat-pool-1 address 192.168.0.9/32
set security nat destination pool dnat-pool-2 address 172.16.0.12/32
set security nat destination rule-set dst-nat from zone untrust
set security nat destination rule-set dst-nat rule rule3 match destination-address 10.1.1.100/24
set security nat destination rule-set dst-nat rule rule3 match destination-port 21
set security nat destination rule-set dst-nat rule rule3 then destination-nat pool dnat-pool-1
set security nat destination rule-set dst-nat rule rule2 match destination-address 10.1.2.100/24
set security nat destination rule-set dst-nat rule rule2 match destination-port 443
set security nat destination rule-set dst-nat rule rule2 then destination-nat pool dnat-pool-2
set security zones security-zone trust address-book address ftpserver 192.168.0.9
set security zones security-zone trust address-book address mailserver 172.16.0.12
set security zones security-zone trust address-book address-set servergroup address ftpserver
set security zones security-zone trust address-book address-set servergroup address mailserver
set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address servergroup application junos-http
set security policies from-zone untrust to-zone trust policy static-nat match application junos-pop3
set security policies from-zone untrust to-zone trust policy static-nat then permit
set applications application 443 protocol tcp
set applications application 443 destination-port 443

# sou-nat rule-set zones:
set security nat source rule-set sou-nat from zone trust
set security nat source rule-set sou-nat to zone untrust
set security nat source rule-set sou-nat rule rule-mail match source-address 172.16.0.30/32

# Management ports:
set system services web-management https
set system services web-management http
set system services web-management http port 8084
set system services web-management http interface all
set system services web-management https system-generated-certificate
set system services web-management http interface ge-0/0/0.0
set system services web-management https interface ge-0/0/0.0

# Define the port (application) group XXX_group:
set applications application smtp_25 destination-port 25 protocol tcp
set applications application pop3_110 destination-port 110 protocol tcp
set applications application exchange_135 destination-port 135 protocol tcp
set applications application smtp_465 destination-port 465 protocol tcp
set applications application imap_993 destination-port 993 protocol tcp
set applications application pop3_995 destination-port 995 protocol tcp
set applications application-set mail_port_group application smtp_25
set applications application-set XXX_group application smtp
set applications application-set XXX_group application pop3
# Reference XXX_group:
set security policies from-zone untrust to-zone trust policy mail-policy match application XXX_group

# Reverse static NAT: outside to inside
set security nat static rule-set mail-static-nat from zone untrust
set security nat static rule-set mail-static-nat rule mail1 match destination-address 121.9.255.150/32
set security nat static rule-set mail-static-nat rule mail1 then static-nat prefix 172.16.0.12/32
# Matching security policy for the return direction:
set security policies from-zone untrust to-zone trust policy mail-policy match source-address any
set security policies from-zone untrust to-zone trust policy mail-policy match destination-address Mail_ser
set security policies from-zone untrust to-zone trust policy mail-policy match application any   # or XXX_group
set security policies from-zone untrust to-zone trust policy mail-policy then permit

# Inserting a policy (insert):
set security zones security-zone trust address-book address deny_172 172.16.0.155
set security policies from-zone trust to-zone untrust policy deny_172 match source-address deny_172
set security policies from-zone trust to-zone untrust policy deny_172 match destination-address any
set security policies from-zone trust to-zone untrust policy deny_172 match application any
set security policies from-zone trust to-zone untrust policy deny_172 then deny
insert security policies from-zone trust to-zone untrust policy deny_172 before policy Trust2Utrust   # Trust2Utrust is the policy that permits Internet access

# Block the 192 subnet from the Internet; allow only 192.168.0.2 and 192.168.0.121
set security zones security-zone trust address-book address deny_192 192.168.0.0/23
set security zones security-zone trust address-book address permit_host_2 192.168.0.2/32
set security zones security-zone trust address-book address permit_host_121 192.168.0.121/32
set security zones security-zone trust address-book address-set permit_192_online address FTP_ser
set security zones security-zone trust address-book address-set permit_192_online address permit_host_2
set security zones security-zone trust address-book address-set permit_192_online address permit_host_121
set security zones security-zone trust address-book address-set deny_192_online address deny_192
set security policies from-zone trust to-zone untrust policy permit_192_online match source-address permit_192_online
set security policies from-zone trust to-zone untrust policy permit_192_online match destination-address any
set security policies from-zone trust to-zone untrust policy permit_192_online match application any
set security policies from-zone trust to-zone untrust policy permit_192_online then permit
set security policies from-zone trust to-zone untrust policy deny_192_online match source-address deny_192_online
set security policies from-zone trust to-zone untrust policy deny_192_online match destination-address any
set security policies from-zone trust to-zone untrust policy deny_192_online match application any
set security policies from-zone trust to-zone untrust policy deny_192_online then deny
insert security policies from-zone trust to-zone untrust policy permit_192_online before policy deny_172
insert security policies from-zone trust to-zone untrust policy deny_192_online before policy deny_172

# Web management configuration
set system host-name Test
set system root-authentication encrypted-password $1$XKPZUqwc$/WdxM1Cc1GAB8gJ0nNCOt.
set system name-server 202.96.128.166
set system name-server 202.96.128.86
set system login user admin uid 2001
set system login user admin
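The insert statements above decide which trust-to-untrust policy wins, since Junos evaluates policies top-down and stops at the first match. As an added example (not part of the original notes), this Python script rebuilds the final policy order from the set/insert statements and evaluates first-match for sample source addresses. The config excerpt is constructed from the notes; Trust2Utrust is assumed to be a pre-existing permit-any policy (the notes reference it but do not show it), and the undefined FTP_ser entry is left out.

```python
import ipaddress
import re
# Constructed from the notes' trust->untrust section; Trust2Utrust assumed permit-any.
CONFIG = """
set security zones security-zone trust address-book address deny_172 172.16.0.155
set security zones security-zone trust address-book address deny_192 192.168.0.0/23
set security zones security-zone trust address-book address permit_host_2 192.168.0.2/32
set security zones security-zone trust address-book address permit_host_121 192.168.0.121/32
set security zones security-zone trust address-book address-set permit_192_online address permit_host_2
set security zones security-zone trust address-book address-set permit_192_online address permit_host_121
set security zones security-zone trust address-book address-set deny_192_online address deny_192
set security policies from-zone trust to-zone untrust policy Trust2Utrust then permit
set security policies from-zone trust to-zone untrust policy deny_172 match source-address deny_172
set security policies from-zone trust to-zone untrust policy deny_172 then deny
insert security policies from-zone trust to-zone untrust policy deny_172 before policy Trust2Utrust
set security policies from-zone trust to-zone untrust policy permit_192_online match source-address permit_192_online
set security policies from-zone trust to-zone untrust policy permit_192_online then permit
set security policies from-zone trust to-zone untrust policy deny_192_online match source-address deny_192_online
set security policies from-zone trust to-zone untrust policy deny_192_online then deny
insert security policies from-zone trust to-zone untrust policy permit_192_online before policy deny_172
insert security policies from-zone trust to-zone untrust policy deny_192_online before policy deny_172
"""
SET_RE = re.compile(r"address-set (\S+) address (\S+)$")
ADDR_RE = re.compile(r"address-book address (\S+) (\S+)$")
INS_RE = re.compile(r"^insert .* policy (\S+) before policy (\S+)$")
POL_RE = re.compile(r"policy (\S+) (match source-address|then) (\S+)$")

def build(config):  # -> address book, address-sets, final policy order, per-policy source and action
    addrs, sets, order, src, action = {}, {}, [], {}, {}
    for line in config.strip().splitlines():
        if m := SET_RE.search(line): sets.setdefault(m[1], []).append(m[2])
        elif m := ADDR_RE.search(line): addrs[m[1]] = ipaddress.ip_network(m[2], strict=False)
        elif m := INS_RE.match(line):  # "insert ... before" moves an existing policy up
            order.remove(m[1]); order.insert(order.index(m[2]), m[1])
        elif m := POL_RE.search(line):
            if m[1] not in order: order.append(m[1])  # a newly set policy is appended last
            (action if m[2] == "then" else src)[m[1]] = m[3]
    return addrs, sets, order, src, action

def covers(name, ip, addrs, sets):  # does 'any', an address or an address-set contain ip?
    if name == "any": return True
    if name in sets: return any(covers(n, ip, addrs, sets) for n in sets[name])
    return ip in addrs[name]

def lookup(config, source_ip):  # first-match evaluation of a trust->untrust flow
    addrs, sets, order, src, action = build(config)
    ip = ipaddress.ip_address(source_ip)
    for pol in order:
        if covers(src.get(pol, "any"), ip, addrs, sets): return pol, action[pol]
    return None, "default-deny"
```

With the two inserts applied, the resulting order is permit_192_online, deny_192_online, deny_172, Trust2Utrust, so 192.168.0.2 is permitted while the rest of 192.168.0.0/23 and 172.16.0.155 are denied before Trust2Utrust is reached.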