Netscreen (Juniper) Firewall VPN Configuration Notes

Contents
1. Overview
2. Device models and connections
2.1. Device models
3. Requirements
4. Configuration notes
4.1. Netscreen 208 configuration notes
4.2. Netscreen 50B configuration notes (Guoyan data center)
4.3. Netscreen 5GT configuration notes (office network)
5. Configuration appendix
5.1. Netscreen 208
5.2. Netscreen 50B
5.3. Netscreen 5GT

1. Overview

This document describes the following points for the firewalls at the Guoyan data center and on the office network:
- model description
- installation and configuration notes
- application policy notes
- VPN connection notes

2. Device models and connections

2.1. Device models

Complete list of the company's firewall devices:

Device name      | Model         | Qty | Description
Network firewall | Netscreen 208 | 1   | IDC main filtering firewall
Network firewall | Netscreen 50B | 2   | VPN endpoint for the IDC / office area
Network firewall | Netscreen 5GT | 2   | VPN endpoint on the office network

Firewall devices used for the data center connection:

Device name      | Model         | Qty | Description
Network firewall | Netscreen 208 | 1   | IDC main filtering firewall
Network firewall | Netscreen 50B |     | IDC
Network firewall | Netscreen 5GT |     | VPN endpoint on the office network

3. Requirements

Our firewalls serve two main purposes:
1. Publishing the internal web servers to the outside through port mappings, and controlling outbound access from the IDC servers.
2. VPN interconnection.

Of the devices listed above, the Netscreen 208 is mainly used to publish the web servers externally and to control outbound access from the IDC servers; the 50B is mainly used for the VPN link to the 5GT on the office network.

4. Configuration notes

4.1. Netscreen 208 configuration notes

Port mappings:

set interface ethernet1 vip 211.144.149.11 25 MAIL 172.16.12.8
    maps port 25
set interface ethernet1 vip 211.144.149.11 + 80 HTTP 172.16.12.8
    maps port 80
set interface ethernet1 vip 211.144.149.11 + 110 POP3 172.16.12.8
    maps port 110
set interface ethernet1 vip 211.144.149.12 80 HTTP 172.16.1.21
    maps port 80 (website)
set interface ethernet1 vip 211.144.149.13 80 HTTP 172.16.1.23
    maps port 80 (website)
set interface ethernet1 vip 211.144.149.14 80 HTTP 172.16.4.14
    maps port 80 (website)

Policies:

set policy id 1 name webnat from Trust to Untrust 172.16.1.1/25 Any HTTP permit
set policy id 1
set service ICMP-ANY
exit
    All internal hosts are allowed outbound access on port 80 and ICMP.

set policy id 3 name smtp from Trust to Untrust network Any ANY permit
set policy id 3
set src-address network2
set src-address smtp
exit
    Allows the internal addresses network (172.16.12.9, the network-management server) and network2 (172.16.12.8, the mail server) full outbound access.

set policy id 5 from Untrust to Global Any VIP(211.144.149.11) HTTP permit log
set policy id 5
set service POP3
set service SMTP
exit
    Allows external access to the mail/web services on VIP 211.144.149.11.

set policy id 6 from Untrust to Global Any VIP(211.144.149.12) HTTP permit log
set policy id 6
exit
    Allows external access to the web service on VIP 211.144.149.12.

set policy id 7 from Untrust to Global Any VIP(211.144.149.13) HTTP permit
set policy id 7
exit
    Allows external access to the web service on VIP 211.144.149.13.

set policy id 8 from Untrust to Global Any VIP(211.144.149.14) HTTP permit log
set policy id 8
exit
    Allows external access to the web service on VIP 211.144.149.14.

set policy id 9 from Trust to Untrust 172.16.4.14/32 Any HTTP permit
set policy id 9
exit
    Not currently in effect.

set policy id 10 from Trust to Untrust 172.16.1.25 211.144.158.218/32 ANY permit
set policy id 10
exit
    Not currently in effect.

set policy id 11 from Untrust to Global 211.144.158.218/32 MIP(211.144.149.6) ANY permit
set policy id 11
exit
    Not currently in effect; reserved for the master/slave DNS servers later.

set policy id 12 name deny from Untrust to Trust 203.196.128.49/32 Any ANY deny log
set policy id 12

4.2. Netscreen 50B configuration notes (Guoyan data center)

The 50B is used mainly for VPN communication with the office network, i.e. for the VPN policies. Because the detailed configuration is relatively complex, we only give the configuration file in the appendix.

4.3. Netscreen 5GT configuration notes (office network)

The 5GT is used mainly for VPN communication with the Guoyan data center, i.e. for the VPN policies. Because the detailed configuration is relatively complex, we only give the configuration file in the appendix.

5. Configuration appendix

5.1. Netscreen 208

set clock timezone 7
set vrouter trust-vr sharable
set vrouter untrust-vr
exit
set vrouter trust-vr
unset auto-route-export
exit
set service 8080 protocol tcp src-port 0-65535 dst-port 8080-8080
set auth-server Local id 0
set auth-server Local server-name Local
set auth default auth server Local
set auth radius accounting port 1646
set admin name testadmin
set admin password nGV2PirHHhcNcrOM9sTB+rJt/6OPrn
set admin port 8000
set admin auth timeout 10
set admin auth server Local
set admin format dos
set zone Trust vrouter trust-vr
set zone Untrust vrouter trust-vr
set zone DMZ vrouter trust-vr
set zone VLAN vrouter trust-vr
set zone Untrust-Tun vrouter trust-vr
set zone Trust tcp-rst
set zone Untrust block
unset zone Untrust tcp-rst
set zone MGT block
set zone DMZ tcp-rst
set zone VLAN block
unset zone VLAN tcp-rst
unset zone Untrust screen tear-drop
unset zone Untrust screen syn-flood
unset zone Untrust screen ping-death
unset zone Untrust screen ip-filter-src
unset zone Untrust screen land
set zone V1-Untrust screen tear-drop
set zone V1-Untrust screen syn-flood
set zone V1-Untrust screen ping-death
set zone V1-Untrust screen ip-filter-src
set zone V1-Untrust screen land
set zone Untrust screen limit-session source-ip-based 1000
set zone Untrust screen limit-session destination-ip-based 1000
set zone Untrust screen syn-ack-ack threshold 1000
set interface ethernet1 zone Untrust
set interface ethernet2 zone Trust
set interface ethernet3 zone Untrust
unset interface vlan1 ip
set interface ethernet1 ip 211.144.149.2/25
set interface ethernet1 route
set interface ethernet2 ip 172.16.1.2/24
set interface ethernet2 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1 ip manageable
set interface ethernet2 ip manageable
set interface ethernet1 manage ssh
set interface ethernet1 manage ssl
set interface ethernet1 vip 211.144.149.11 25 MAIL 172.16.12.8
set interface ethernet1 vip 211.144.149.11 + 80 HTTP 172.16.12.8
set interface ethernet1 vip 211.144.149.11 + 110 POP3 172.16.12.8
set interface ethernet1 vip 211.144.149.12 80 HTTP 172.16.1.21
set interface ethernet1 vip 211.144.149.13 80 HTTP 172.16.1.23
set interface ethernet1 vip 211.144.149.14 80 HTTP 172.16.4.14
set interface ethernet1 mip 211.144.149.6 host 172.16.1.25 netmask 255.255.255.255 vr trust-vr
unset flow no-tcp-seq-check
set flow tcp-syn-check
set address Trust 172.16.1.1/25 172.16.1.1 255.255.255.128
set address Trust 172.16.1.25 172.16.1.25 255.255.255.255
set address Trust 172.16.12.0/24 172.16.12.0 255.255.255.0
set address Trust 172.16.4.14/32 172.16.4.14 255.255.255.255
set address Trust bbs 172.16.4.14 255.255.255.255
set address Trust network 172.16.12.9 255.255.255.255
set address Trust network2 172.16.12.10 255.255.255.255
set address Trust smtp 172.16.12.8 255.255.255.255
set address Untrust 203.196.128.49/32 203.196.128.49 255.255.255.255
set address Untrust 211.144.158.218/32 211.144.158.218 255.255.255.255
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol websense
exit
set policy id 1 name webnat from Trust to Untrust 172.16.1.1/25 Any HTTP permit
set policy id 1
set service ICMP-ANY
exit
set policy id 3 name smtp from Trust to Untrust network Any ANY permit
set policy id 3
set src-address network2
set src-address smtp
exit
set policy id 5 from Untrust to Global Any VIP(211.144.149.11) HTTP permit log
set policy id 5
set service POP3
set service SMTP
exit
set policy id 6 from Untrust to Global Any VIP(211.144.149.12) HTTP permit log
set policy id 6
exit
set policy id 7 from Untrust to Global Any VIP(211.144.149.13) HTTP permit
set policy id 7
exit
set policy id 8 from Untrust to Global Any VIP(211.144.149.14) HTTP permit log
set policy id 8
exit
set policy id 9 from Trust to Untrust 172.16.4.14/32 Any HTTP permit
set policy id 9
exit
set policy id 10 from Trust to Untrust 172.16.1.25 211.144.158.218/32 ANY permit
set policy id 10
exit
set policy id 11 from Untrust to Global 211.144.158.218/32 MIP(211.144.149.6) ANY permit
set policy id 11
exit
set policy id 12 name deny from Untrust to Trust 203.196.128.49/32 Any ANY deny log
set policy id 12
exit
set pki authority default scep mode auto
set pki x509 default cert-path partial
set syslog config 172.16.12.9
set syslog config 172.16.12.9 facilities local0 local0
set syslog src-interface ethernet2
set syslog enable
unset log module system level notification destination syslog
unset log module system level information destination syslog
unset log module system level debugging destination syslog
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set config lock timeout 5
set snmp community testsnmp Read-Write Trap-on traffic version v2c
set snmp host testsnmp 172.16.12.9 255.255.255.255 src-interface ethernet2 trap v2
set snmp host testsnmp 192.168.21.102 255.255.255.255 src-interface ethernet2 trap v2
set snmp name uns208
set snmp port listen 161
set snmp port trap 162
set vrouter untrust-vr
exit
set vrouter trust-vr
unset add-default-route
set route 172.16.12.0/24 interface ethernet2 gateway 172.16.1.1 preference 20
set route 0.0.0.0/0 interface ethernet1 gateway 211.144.149.1 preference 20
set route 192.168.0.0/16 interface ethernet2 gateway 172.16.1.3 preference 20
set route 172.16.4.14/32 interface ethernet2 gateway 172.16.1.1 preference 20
exit
set vrouter untrust-vr
exit
set vrouter trust-vr
exit

5.2. Netscreen 50B

set clock timezone 7
set vrouter trust-vr sharable
set vrouter untrust-vr
exit
set vrouter trust-vr
unset auto-route-export
exit
set service 5222 protocol tcp src-port 0-65535 dst-port 5222-5222
set service 6664 protocol tcp src-port 0-65535 dst-port 6664-6664
set auth-server Local id 0
set auth-server Local server-name Local
set auth default auth server Local
set auth radius accounting port 1646
set admin name testadmin
set admin password nGV2PirHHhcNcrOM9sTB+rJt/6OPrn
set admin auth timeout 10
set admin auth server Local
set admin format dos
set zone Trust vrouter trust-vr
set zone Untrust vrouter trust-vr
set zone DMZ vrouter t
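As an added example (not part of the original document), the following Python script audits the kind of VIP and Untrust-to-Global policy lines shown in section 4.1 for the Netscreen 208: for every published external port it reports the internal host behind it, which permit policies open it, and whether those policies carry "log", so unlogged or dead mappings stand out during review. The sample input is constructed from the page's own lines, and the service-to-port table is an assumption about the ScreenOS predefined services MAIL, SMTP, HTTP and POP3.

```python
import re

# Constructed sample: the VIP and Untrust->Global policy lines from section 4.1.
SAMPLE = """\
set interface ethernet1 vip 211.144.149.11 25 MAIL 172.16.12.8
set interface ethernet1 vip 211.144.149.11 + 80 HTTP 172.16.12.8
set interface ethernet1 vip 211.144.149.11 + 110 POP3 172.16.12.8
set interface ethernet1 vip 211.144.149.13 80 HTTP 172.16.1.23
set policy id 5 from Untrust to Global Any VIP(211.144.149.11) HTTP permit log
set policy id 5
set service POP3
set service SMTP
exit
set policy id 7 from Untrust to Global Any VIP(211.144.149.13) HTTP permit
set policy id 7
exit
"""
# Assumption: ports of the ScreenOS predefined services used on this page
# (MAIL and SMTP are both TCP/25).
SERVICE_PORT = {"MAIL": 25, "SMTP": 25, "HTTP": 80, "POP3": 110}

VIP_RE = re.compile(r"^set interface \S+ vip (\S+) (?:\+ )?(\d+) (\S+) (\S+)$")
POLICY_RE = re.compile(
    r"^set policy id (\d+) from Untrust to Global \S+ VIP\((\S+)\) (\S+) permit( log)?$")
CONTEXT_RE = re.compile(r"^set policy id (\d+)$")

def audit_vips(config):
    """Per published VIP port: internal host, permit policies opening it, and a
    finding of 'ok' (all logged), 'unlogged' or 'unreachable' (no policy)."""
    vips, policies, current = [], {}, None
    for line in config.splitlines():
        if m := VIP_RE.match(line):
            vips.append((m[1], int(m[2]), m[4]))
        elif m := POLICY_RE.match(line):
            policies[m[1]] = {"vip": m[2], "ports": {SERVICE_PORT.get(m[3])}, "log": bool(m[4])}
        elif m := CONTEXT_RE.match(line):
            current = m[1]  # entering the policy's sub-context
        elif current and line.startswith("set service "):
            policies[current]["ports"].add(SERVICE_PORT.get(line.split()[2]))
        elif line == "exit":
            current = None
    report = []
    for ext, port, host in vips:
        ids = sorted(i for i, p in policies.items() if p["vip"] == ext and port in p["ports"])
        if not ids:
            finding = "unreachable"
        else:
            finding = "ok" if all(policies[i]["log"] for i in ids) else "unlogged"
        report.append({"vip": ext, "port": port, "host": host, "policies": ids, "finding": finding})
    return report

for r in audit_vips(SAMPLE):
    print(f"{r['vip']}:{r['port']} -> {r['host']} policies={r['policies']} {r['finding']}")
```

On the sample, the three ports behind 211.144.149.11 come back "ok" through policy 5, while port 80 on 211.144.149.13 is reported "unlogged" because policy 7 permits it without "log".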