Configuring a Juniper SSG140 for the first time (2010-04-27 10:10:43)
Tags: juniper, it

Environment in brief:
1. Dual ISP; two servers, .6.6 and .6.8, expose port 17991 to the outside.
2. trust-vr and untrust-vr coexist; the zone Untrust has been moved into untrust-vr.
3. .6.6 uses a VIP on the 180.x address, .6.8 uses a MIP on the 221.x address; source-based routing is applied.

There is not really much to it, but having never configured one before, I genuinely had no idea at first how to set up address translation on a Juniper.

set clock ntp
set clock timezone 8
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set vrouter trust-vr sharable
set vrouter untrust-vr
exit
set vrouter trust-vr
unset auto-route-export
exit

- If the firewall does not have the service you need, add it yourself -

set service 17991 protocol tcp src-port 0-65535 dst-port 17991-17991
set service 3389 protocol tcp src-port 0-65535 dst-port 3389-3389
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server Local id 0
set auth-server Local server-name Local
set auth default auth server Local
set auth radius accounting port 1646
set admin name netscreen
set admin password nJqNNxrLGyrLc0lEtsCBqfDtDMA/Pn
set admin user hongyuan password nNnfG0rrJIWDcc8EysvMuSCt+LBiDn privilege all

- If you add manager IPs, do not forget to add the internal subnet as well. The first time I only added the remote public address, so when I needed to configure it from inside I could not get in and had to use the console. -

set admin manager-ip 192.168.6.0 255.255.255.0
set admin manager-ip 114.255.150.140 255.255.255.255
set admin manager-ip 219.141.171.130 255.255.255.255
set admin auth web timeout 10
set admin auth server Local
set admin format dos
set zone Trust vrouter trust-vr

- Untrust is in trust-vr by default; I changed it -

set zone Untrust vrouter untrust-vr
set zone DMZ vrouter trust-vr
set zone VLAN vrouter trust-vr
set zone Untrust-Tun vrouter trust-vr
set zone Trust tcp-rst
set zone Untrust block
unset zone Untrust tcp-rst
set zone MGT block
set zone DMZ tcp-rst
set zone VLAN block
unset zone VLAN tcp-rst
set zone Trust screen limit-session source-ip-based
set zone Trust screen limit-session destination-ip-based
set zone Untrust screen alarm-without-drop
set zone Untrust screen on-tunnel
set zone Untrust screen icmp-flood
set zone Untrust screen udp-flood
set zone Untrust screen winnuke
set zone Untrust screen port-scan
set zone Untrust screen ip-sweep
set zone Untrust screen tear-drop
set zone Untrust screen syn-flood
set zone Untrust screen ip-spoofing
set zone Untrust screen ping-death
set zone Untrust screen ip-filter-src
set zone Untrust screen land
set zone Untrust screen syn-frag
set zone Untrust screen tcp-no-flag
set zone Untrust screen unknown-protocol
set zone Untrust screen ip-bad-option
set zone Untrust screen ip-record-route
set zone Untrust screen ip-timestamp-opt
set zone Untrust screen ip-security-opt
set zone Untrust screen ip-loose-src-route
set zone Untrust screen ip-strict-src-route
set zone Untrust screen ip-stream-opt
set zone Untrust screen icmp-fragment
set zone Untrust screen icmp-large
set zone Untrust screen syn-fin
set zone Untrust screen fin-no-ack
set zone Untrust screen limit-session source-ip-based
set zone Untrust screen syn-ack-ack-proxy
set zone Untrust screen block-frag
set zone Untrust screen limit-session destination-ip-based
set zone Untrust screen icmp-id
set zone V1-Untrust screen tear-drop
set zone V1-Untrust screen syn-flood
set zone V1-Untrust screen ping-death
set zone V1-Untrust screen ip-filter-src
set zone V1-Untrust screen land
set zone Untrust screen limit-session source-ip-based 512
set zone Untrust screen limit-session destination-ip-based 512
set interface ethernet0/0 zone Trust
set interface ethernet0/1 zone V1-Trust
set interface ethernet0/2 zone V1-Trust
set interface ethernet0/8 zone Untrust
set interface ethernet0/9 zone Untrust

- Both Internet links are in the same zone -

set interface ethernet0/0 ip 192.168.6.2/24
set interface ethernet0/0 nat

- NAT is enabled on the inside interface; traffic going to the Untrust or DMZ zone will trigger NAT, unless the firewall is configured in transparent mode -

unset interface vlan1 ip
set interface ethernet0/8 ip 221.7.199.182/29
set interface ethernet0/8 route
set interface ethernet0/9 ip 180.136.240.114/30
set interface ethernet0/9 route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/9 manage-ip 180.136.240.113
set interface ethernet0/0 ip manageable
set interface ethernet0/8 ip manageable
set interface ethernet0/9 ip manageable
set interface ethernet0/8 manage ping
set interface ethernet0/8 manage telnet
set interface ethernet0/8 manage web
set interface ethernet0/9 manage ping
set interface ethernet0/9 manage telnet
set interface ethernet0/9 manage web

- With server auto detection enabled, the firewall pings this internal address automatically; if it cannot reach it, the status shows as down -

set interface ethernet0/9 vip interface-ip 3389 3389 192.168.6.6
set interface ethernet0/9 vip interface-ip 17991 17991 192.168.6.6
set interface ethernet0/8 vip interface-ip 3389 3389 192.168.6.21

- Look, this is the part - If you have several IP addresses in the same subnet you can use a MIP; note that I put it in untrust-vr -

set interface ethernet0/8 mip 221.7.199.179 host 192.168.6.8 netmask 255.255.255.255 vr untrust-vr
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode auto
set pki x509 default cert-path partial
set address Trust 221.7.199.180/32 221.7.199.180 255.255.255.255
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter untrust-vr
exit
set vrouter trust-vr
exit
set url protocol websense
exit

- Juniper also has an implicit deny any any, so from Trust to Untrust you have to configure permit any any -

set policy id 1 name PERMIT_ANY from Trust to Untrust Any Any ANY permit
set policy id 1
exit
set policy id 2 name PERMIT_PING from Untrust to Trust Any MIP(221.7.199.179) PING permit
set policy id 2
exit
set policy id 4 name PERMIT_CT from Untrust to Trust Any VIP(ethernet0/9) 3389 permit log
set policy id 4
exit
set policy id 5 name PERMIT_CNC from Untrust to Trust Any MIP(221.7.199.179) 3389 permit log
set policy id 5
exit
set policy id 6 name test from Untrust to Trust Any VIP(ethernet0/8) 3389 permit log
set policy id 6
exit
set policy id 7 name PERMIT_CT_17991 from Untrust to Trust Any VIP(ethernet0/9) 17991 permit log
set policy id 7
exit
set policy id 8 name PERMIT_CNC_17991 from Untrust to Trust Any MIP(221.7.199.179) 17991 permit log
set policy id 8
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set ntp server 210.72.145.44
set snmp port listen 161
set snmp port trap 162

- The following are the routes in untrust-vr -

set vrouter untrust-vr
set source-routing enable
set route 0.0.0.0/0 interface ethernet0/8 gateway 221.7.199.177
set route 0.0.0.0/0 interface ethernet0/9 gateway 180.136.240.113
set route source 192.168.6.6/32 interface ethernet0/9 gateway 180.136.240.113
set route source 192.168.6.8/32 interface ethernet0/8 gateway 221.7.199.177
set route 192.168.6.0/24 vrouter trust-vr preference 20 metric 1
exit

- The following are the routes in trust-vr -

set vrouter trust-vr
unset add-default-route
set route 0.0.0.0/0 vrouter untrust-vr preference 20 metric 1
exit
set vrouter untrust-vr
exit
set vrouter trust-vr
exit
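A configuration like the one above is easiest to review when the VIP and MIP mappings are resolved against the inbound policies, so you can see at a glance which internal host and port each Untrust-to-Trust rule actually exposes, and whether cleartext management (telnet, HTTP web) is enabled on the Internet-facing interfaces. The following Python script is an added example written for this page; it is not part of the original post and not a Juniper tool. It understands only the subset of ScreenOS `set ...` syntax that appears in the config above, and the embedded sample is a constructed excerpt of those lines.

```python
"""Audit a ScreenOS (Juniper SSG) config dump: inbound exposure and management plane.

Added example, not from the original post. Parses the 'set ...' lines used on the
page (interface zone, manage, vip, mip, admin manager-ip, policy) and reports what
each permit policy from Untrust reaches once VIP/MIP references are resolved.
"""
import re
from collections import defaultdict

# Constructed excerpt of the page's configuration, used as sample input.
SAMPLE_CONFIG = """
set admin manager-ip 192.168.6.0 255.255.255.0
set admin manager-ip 114.255.150.140 255.255.255.255
set interface ethernet0/8 zone Untrust
set interface ethernet0/9 zone Untrust
set interface ethernet0/8 manage telnet
set interface ethernet0/8 manage web
set interface ethernet0/9 manage ping
set interface ethernet0/9 vip interface-ip 3389 3389 192.168.6.6
set interface ethernet0/9 vip interface-ip 17991 17991 192.168.6.6
set interface ethernet0/8 vip interface-ip 3389 3389 192.168.6.21
set interface ethernet0/8 mip 221.7.199.179 host 192.168.6.8 netmask 255.255.255.255 vr untrust-vr
set policy id 1 name PERMIT_ANY from Trust to Untrust Any Any ANY permit
set policy id 2 name PERMIT_PING from Untrust to Trust Any MIP(221.7.199.179) PING permit
set policy id 4 name PERMIT_CT from Untrust to Trust Any VIP(ethernet0/9) 3389 permit log
set policy id 5 name PERMIT_CNC from Untrust to Trust Any MIP(221.7.199.179) 3389 permit log
set policy id 6 name test from Untrust to Trust Any VIP(ethernet0/8) 3389 permit log
set policy id 7 name PERMIT_CT_17991 from Untrust to Trust Any VIP(ethernet0/9) 17991 permit log
set policy id 8 name PERMIT_CNC_17991 from Untrust to Trust Any MIP(221.7.199.179) 17991 permit log
"""

# Grammar is limited to the command forms visible on the page.
VIP_RE = re.compile(r"^set interface (\S+) vip interface-ip (\d+) (\S+) (\S+)$")
MIP_RE = re.compile(r"^set interface (\S+) mip (\S+) host (\S+) netmask (\S+)")
ZONE_RE = re.compile(r"^set interface (\S+) zone (\S+)$")
MANAGE_RE = re.compile(r"^set interface (\S+) manage (\S+)$")
MGRIP_RE = re.compile(r"^set admin manager-ip (\S+) (\S+)$")
POLICY_RE = re.compile(
    r"^set policy id (\d+) name (\S+) from (\S+) to (\S+) (\S+) (\S+) (\S+) (permit|deny)(?: (log))?$"
)
CLEARTEXT_MGMT = {"telnet", "web"}  # 'manage web' is plain HTTP; HTTPS is 'manage ssl'


def parse_config(text):
    """Collect VIP/MIP tables, interface zones, management services and policies."""
    cfg = {"vip": {}, "mip": {}, "zone": {}, "manage": defaultdict(set),
           "manager_ip": [], "policy": []}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := VIP_RE.match(line)):
            iface, port, service, host = m.groups()
            cfg["vip"][(iface, service)] = (int(port), host)  # keyed by interface + service
        elif (m := MIP_RE.match(line)):
            cfg["mip"][m.group(2)] = m.group(3)  # public address -> internal host
        elif (m := ZONE_RE.match(line)):
            cfg["zone"][m.group(1)] = m.group(2)
        elif (m := MANAGE_RE.match(line)):
            cfg["manage"][m.group(1)].add(m.group(2))
        elif (m := MGRIP_RE.match(line)):
            cfg["manager_ip"].append((m.group(1), m.group(2)))
        elif (m := POLICY_RE.match(line)):
            pid, name, src_zone, dst_zone, src, dst, service, action, log = m.groups()
            cfg["policy"].append({"id": int(pid), "name": name, "from": src_zone,
                                  "to": dst_zone, "src": src, "dst": dst,
                                  "service": service, "action": action,
                                  "log": log is not None})
    return cfg


def inbound_exposure(cfg, zone="Untrust"):
    """Resolve each permit policy from `zone` to the internal host it reaches."""
    rows = []
    for p in cfg["policy"]:
        if p["from"] != zone or p["action"] != "permit":
            continue
        if (m := re.fullmatch(r"VIP\((\S+)\)", p["dst"])):
            _, host = cfg["vip"].get((m.group(1), p["service"]), (None, "unresolved VIP"))
        elif (m := re.fullmatch(r"MIP\((\S+)\)", p["dst"])):
            host = cfg["mip"].get(m.group(1), "unresolved MIP")
        else:
            host = p["dst"]
        rows.append({"id": p["id"], "name": p["name"], "src": p["src"],
                     "host": host, "service": p["service"], "log": p["log"]})
    return rows


def management_findings(cfg):
    """Flag cleartext management on Untrust interfaces and an empty manager-ip list."""
    findings = []
    for iface, services in sorted(cfg["manage"].items()):
        zone = cfg["zone"].get(iface, "?")
        if zone.startswith("Untrust"):
            for svc in sorted(services & CLEARTEXT_MGMT):
                findings.append(f"{iface} ({zone}): cleartext management '{svc}' enabled")
    if not cfg["manager_ip"]:
        findings.append("no 'set admin manager-ip' entries: management not source-restricted")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for r in inbound_exposure(cfg):
        print(f"policy {r['id']:>2} {r['name']:<18} {r['src']} -> {r['host']} "
              f"svc={r['service']} log={'yes' if r['log'] else 'no'}")
    for f in management_findings(cfg):
        print("finding:", f)
    print("manager-ip entries:", len(cfg["manager_ip"]))
```

Run it against the full `get config` output of the device and the exposure table is the list you hand to whoever owns 192.168.6.6, .6.8 and .6.21: which service, via which public address, and whether the policy logs. The management check is deliberately narrow: it only reports what the page itself shows (telnet and HTTP web enabled on Untrust interfaces, and whether `manager-ip` restrictions exist at all).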