SRX Basic Configuration

Configuring an SRX 300 for Internet access (WLAN and VLAN both use internal IPs)

Environment

- Device port ge-0/0/0 is the external port, i.e. the first port: address /24, next-hop address
- Device port ge-0/0/2 is the internal port, i.e. the third port: address /24. The internal port serves as the gateway for the PCs. Configure DHCP with the following parameters: address range - , gateway , DNS ;
- Configure source NAT, using the two addresses , as the NAT translation addresses
- Configure a policy that allows the internal network to reach the Internet
- Create the superuser root, password TS.

Procedure

Connect a serial cable to the device's console port, using the following settings:

This device already has a configuration, so the configuration must be cleared first. After clearing it, you must set the device's initial superuser password directly and then commit; only then is the factory reset complete.

After logging in to the device, the following appears.

Enter configuration mode:

    root@root> configure
    Entering configuration mode
    [edit]

Restore the factory defaults:

    root@root# load factory-default
    warning: activating factory configuration
    [edit]

Set the superuser password:

    root@root# set system root-authentication plain-text-password
    New password:
    Retype new password:
    [edit]
    root@root# commit
    commit complete
    [edit]

The factory reset is now complete. The next step is to start the configuration.

Enter the default user name root, then the password that was entered before resetting the device:

    login: root
    Password:

Type cli to enter operational mode:

    root@root% cli

Type configure to enter configuration mode. Operational mode is indicated by the symbol ">", configuration mode by "#":

    root@root> configure
    Entering configuration mode
    [edit]
    root@root#

Create a superuser named "wangjian". At "New password:" set the password for user "root"; at "Retype new password:" enter the password again:

    root@root# set system login user lvlin class super-user authentication plain-text-password
    New password:
    Retype new password:
    [edit]

Delete the existing interface configuration. By default the interfaces are in Ethernet-switching mode; to configure an interface as Layer 3, this property must be deleted first. ".0" and "unit 0" mean the same thing:

    root@root# delete interfaces ge-0/0/
    [edit]
    root@root# delete interfaces fe-0/0/2 unit 0
    [edit]

Set the Layer 3 interface address of ge-0/0/:

    wangjian# set interfaces ge-0/0/ family inet address /24
    [edit]

Set the Layer 3 interface address of Ge-0/0/:

    wangjian# set interfaces fe-0/0/ family inet address /24
    [edit]

Set the default route:

    wangjian# set routing-options static route /0 next-hop
    [edit]

Make port ge-0/0/ an interface of the untrust security zone:

    wangjian# set security zones security-zone untrust interfaces ge-0/0/
    [edit]

Make port fe-0/0/ an interface of the trust security zone:

    wangjian# set security zones security-zone trust interfaces ge-0/0/
    [edit]

Delete the source NAT rule that ships with the system:

    wangjian# delete security nat source rule-set trust-to-untrust
    [edit]

Set the source NAT address pool:

    wangjian# set security nat source pool wangjian address to
    [edit]

Set the NAT source security zone:

    wangjian# set security nat source rule-set wangjiannat from zone trust
    [edit]

Set the NAT destination security zone:

    wangjian# set security nat source rule-set wangjiannat to zone untrust
    [edit]

Set the NAT source address:

    wangjian# set security nat source rule-set wangjiannat rule wangjiannat1 match source-address /0
    [edit]

Associate the NAT rule with the address pool:

    wangjian# set security nat source rule-set wangjiannat rule wangjiannat1 then source-nat pool wangjian
    [edit]

Enable HTTP management on the interface:

    wangjian# set security zones security-zone untrust interface ge-0/0/ host-inbound-traffic system-services http
    [edit]

Turn on the global HTTP switch:

    wangjian# set system services web-management http
    [edit]

Delete the policy that ships with the system:

    wangjian# delete security policies from-zone trust to-zone untrust policy trust-to-untrust
    [edit]

Configure the policy source address:

    wangjian# set security policies from-zone trust to-zone untrust policy wangjian match source-address any
    [edit]

Configure the policy destination address:

    wangjian# set security policies from-zone trust to-zone untrust policy wangjian match destination-address any
    [edit]

Configure the policy application:

    wangjian# set security policies from-zone trust to-zone untrust policy wangjian match application any
    [edit]

Configure the policy action:

    wangjian# set security policies from-zone trust to-zone untrust policy wangjian then permit
    [edit]

Enable policy logging at session start:

    wangjian# set security policies from-zone trust to-zone untrust policy wangjian then log session-init
    [edit]

Enable policy logging at session close:

    wangjian# set security policies from-zone trust to-zone untrust policy wangjian then log session-close
    [edit]

Delete the system default DHCP configuration:

    wangjian# delete system services dhcp
    [edit]

DHCP parameter, default gateway:

    wangjian# set system services dhcp router
    [edit]

DHCP parameter, first address of the pool:

    wangjian# set system services dhcp pool /24 address-range low
    [edit]

DHCP parameter, last address of the pool:

    wangjian# set system services dhcp pool /24 address-range high
    [edit]

DHCP parameter, lease time for assigned addresses:

    wangjian# set system services dhcp maximum-lease-time 95
    [edit]

DHCP parameter, DNS servers:

    wangjian# set system services dhcp name-server
    [edit]
    wangjian# set system services dhcp name-server
    [edit]

Set the port on which the DHCP settings are propagated:

    wangjian# set system services dhcp propagate-settings ge-0/0/
    [edit]

Delete all properties of interface fe-0/0/:

    wangjian# delete interfaces ge-0/0/
    [edit]

Place interface ge-0/0/ in the trust security zone:

    wangjian# set security zones security-zone trust interfaces ge-0/0/ host-inbound-traffic system-services all
    [edit]

Configure proxy ARP on the external interface for the NAT pool addresses:

    wangjian# set security nat proxy-arp interface ge-0/0/0 address to
    [edit]

Delete the vlan interface:

    wangjian# delete interfaces vlan
    [edit]

Delete the properties of the physical interfaces:

    wangjian# delete interfaces ge-0/0/3
    [edit]
    wangjian# delete interfaces fe-0/0/4
    [edit]
    wangjian# delete interfaces fe-0/0/5
    [edit]
    wangjian# delete interfaces fe-0/0/6
    [edit]
    wangjian# delete interfaces fe-0/0/7
    [edit]
    wangjian# delete interfaces ge-0/0/1
    [edit]

Delete the VLANs:

    wangjian# delete vlans
    [edit]

That completes the configuration. A PC obtains an address through DHCP and can ping the external network.

Additional show commands

View the properties of the physical interfaces:

    wangjian# run show interfaces terse
    Interface    Admin  Link  Proto  Local    Remote
    ge-0/0/0     up     up
    ge-0/0/      up     up    inet   /24
    gr-0/0/0     up     up
    ip-0/0/0     up     up
    lsq-0/0/0    up     up
    lt-0/0/0     up     up
    mt-0/0/0     up     up
    sp-0/0/0     up     up
    sp-0/0/      up     up    inet
    sp-0/0/      up     up    inet
                                     - - 0/0
                                     - - 0/0
    ge-0/0/1     up     down
    fe-0/0/2     up     up
    fe-0/0/      up     up    inet   /24
    fe-0/0/3     up     down
    fe-0/0/4     up     down
    fe-0/0/5     up     down
    fe-0/0/6     up     down
    fe-0/0/7     up     down
    fxp2         up     up
                 up     up    tnp    0x1
    gre          up     up
    ipip         up     up
    irb          up     up
    lo0          up     up
                 up     up    inet
                                     - 0/0
                 up     up    inet
                                     - 0/0
                                     - 0/0
                                     - 0/0
                                     - 0/0
                                     - 0/0
                 up     up
    lsi          up     up
    mtun         up     up
    pimd         up     up
    pime         up     up
    pp0          up     up
    ppd0         up     up
    ppe0         up     up
    st0          up     up
    tap          up     up
    vlan         up     up
    [edit]

Compare the commands entered since the last commit against the committed configuration:

    wangjian# show | compare
    [edit security zones security-zone untrust interfaces]
    ge-0/0/ .
    + ge-0/0/;
    [edit]

Return to the configuration as of the last commit:

    wangjian# rollback 0
    load complete
    [edit]
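Added example, not part of the original document and not Juniper tooling: a short Python audit over `set` commands of the kind used in the steps above, flagging the management-plane exposure they create (HTTP management on a zone interface, `system-services all`, the global HTTP web-management switch, and an any/any/any permit policy). The interface unit numbers in the sample are constructed placeholders, and the finding codes are hypothetical names.

```python
import re

# Constructed sample modelled on this page's commands; unit numbers are placeholders.
SAMPLE = """\
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services all
set system services web-management http
set security policies from-zone trust to-zone untrust policy wangjian match source-address any
set security policies from-zone trust to-zone untrust policy wangjian match destination-address any
set security policies from-zone trust to-zone untrust policy wangjian match application any
set security policies from-zone trust to-zone untrust policy wangjian then permit
set security policies from-zone trust to-zone untrust policy wangjian then log session-close
"""
ZONE_SVC = re.compile(r"^set security zones security-zone (\S+) interfaces? (\S+) "
                      r"host-inbound-traffic system-services (\S+)$")
POLICY = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) "
                    r"policy (\S+) ((?:match|then) .+)$")
WEB_HTTP = re.compile(r"^set system services web-management http(\s|$)")
CLEARTEXT = {"http", "telnet", "ftp"}  # management services sent unencrypted
BROAD = {"all", "any-service"}         # opens every host-inbound service
ANY_PERMIT = {"match source-address any", "match destination-address any",
              "match application any", "then permit"}


def audit(config):
    """Return (code, subject) findings for a block of Junos set-commands."""
    findings, policies = [], {}
    for line in (raw.strip() for raw in config.splitlines()):
        if m := ZONE_SVC.match(line):
            zone, ifname, svc = m.groups()
            if svc in CLEARTEXT:
                findings.append(("CLEARTEXT_MGMT", f"{zone}:{ifname}:{svc}"))
            elif svc in BROAD:
                findings.append(("BROAD_HOST_INBOUND", f"{zone}:{ifname}:{svc}"))
        elif WEB_HTTP.match(line):
            findings.append(("WEB_MGMT_HTTP", "system services web-management"))
        elif m := POLICY.match(line):
            src, dst, name, term = m.groups()
            policies.setdefault(f"{src}->{dst}:{name}", set()).add(term)
    for subject, terms in sorted(policies.items()):
        if ANY_PERMIT <= terms:
            findings.append(("ANY_ANY_PERMIT", subject))
        if "then permit" in terms and not any(t.startswith("then log") for t in terms):
            findings.append(("PERMIT_NO_LOG", subject))
    return findings


if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A configuration that uses `web-management https` and lists only the services each zone needs produces no findings from these checks.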