NetScreen (Juniper) Firewall VPN Configuration Notes

Contents
1. Overview
2. Device models and connections
2.1. Device models
3. Requirements
4. Configuration
4.1. Netscreen 208 configuration
4.2. Netscreen 50B configuration (Guoyan data center)
4.3. Netscreen 5GT configuration (office network)
5. Configuration appendix
5.1. Netscreen 208
5.2. Netscreen 50B
5.3. Netscreen 5GT

1. Overview
This document describes the following for the firewalls in the Guoyan (国研) data center and the office network:
- device models
- installation and configuration
- application policies
- VPN connections

2. Device models and connections
2.1. Device models
All firewall devices owned by the company:

Device name        Model          Qty  Description
Network firewall   Netscreen 208  1    IDC main filtering firewall
Network firewall   Netscreen 50B  2    IDC-side VPN endpoint (to the office network)
Network firewall   Netscreen 5GT  2    Office-network VPN endpoint

Firewall devices used for the data center link:

Device name        Model          Qty  Description
Network firewall   Netscreen 208  1    IDC main filtering firewall
Network firewall   Netscreen 50B       IDC
Network firewall   Netscreen 5GT       Office-network VPN endpoint

3. Requirements
The firewalls serve two main purposes:
1. Publish the internal web servers to the Internet and control outbound access from the IDC servers.
2. VPN interconnection between the data center and the office network.
Of the devices listed above, the Netscreen 208 publishes the web servers and controls outbound access from the IDC servers; the 50B carries the VPN to the 5GT in the office network.

4. Configuration
4.1. Netscreen 208 configuration
Port mappings (VIP). The first command for an external address creates the VIP; the "+" form adds a further service to a VIP that already exists:

set interface ethernet1 vip 211.144.149.11 25 MAIL 172.16.12.8
  maps port 25 (SMTP) to 172.16.12.8
set interface ethernet1 vip 211.144.149.11 + 80 HTTP 172.16.12.8
  maps port 80 on the same external address
set interface ethernet1 vip 211.144.149.11 + 110 POP3 172.16.12.8
  maps port 110
set interface ethernet1 vip 211.144.149.12 80 HTTP 172.16.1.21
  maps port 80 (web site)
set interface ethernet1 vip 211.144.149.13 80 HTTP 172.16.1.23
  maps port 80 (web site)
set interface ethernet1 vip 211.144.149.14 80 HTTP 172.16.4.14
  maps port 80 (web site)

Policies:

set policy id 1 name webnat from Trust to Untrust 172.16.1.1/25 Any HTTP permit
set policy id 1
set service ICMP-ANY
exit
  Outbound HTTP (80) and ICMP for the internal hosts covered by the address-book entry 172.16.1.1/25 (network 172.16.1.0/25, defined in section 5.1).

set policy id 3 name smtp from Trust to Untrust network Any ANY permit
set policy id 3
set src-address network2
set src-address smtp
exit
  Unrestricted outbound access for the address-book entries network (172.16.12.9, the network management server), network2 and smtp (172.16.12.8, the mail server). Note that the address book in section 5.1 defines network2 as 172.16.12.10, so three hosts are covered by this policy.

set policy id 5 from Untrust to Global Any VIP(211.144.149.11) HTTP permit log
set policy id 5
set service POP3
set service SMTP
exit
  Inbound HTTP, POP3 and SMTP from anywhere to VIP 211.144.149.11 (mail/web), logged.

set policy id 6 from Untrust to Global Any VIP(211.144.149.12) HTTP permit log
set policy id 6
exit
  Inbound HTTP from anywhere to VIP 211.144.149.12 (web), logged.

set policy id 7 from Untrust to Global Any VIP(211.144.149.13) HTTP permit
set policy id 7
exit
  Inbound HTTP from anywhere to VIP 211.144.149.13 (web). Unlike policies 5, 6 and 8 this policy has no log option, so hits on this site are not sent to syslog.

set policy id 8 from Untrust to Global Any VIP(211.144.149.14) HTTP permit log
set policy id 8
exit
  Inbound HTTP from anywhere to VIP 211.144.149.14 (web), logged.

set policy id 9 from Trust to Untrust 172.16.4.14/32 Any HTTP permit
set policy id 9
exit
  Described as not yet in effect.

set policy id 10 from Trust to Untrust 172.16.1.25 211.144.158.218/32 ANY permit
set policy id 10
exit
  Described as not yet in effect.

set policy id 11 from Untrust to Global 211.144.158.218/32 MIP(211.144.149.6) ANY permit
set policy id 11
exit
  Described as not yet in effect; reserved for the master/slave DNS servers (MIP 211.144.149.6 maps one-to-one to 172.16.1.25). It permits ANY service from 211.144.158.218, not just DNS.

Policies 9, 10 and 11 are "not yet in effect" only in the author's description: section 5.1 contains no "set policy id N disable" for them, so as configured they are active and will match traffic.

set policy id 12 name deny from Untrust to Trust 203.196.128.49/32 Any ANY deny log
set policy id 12
exit
  Drops and logs all traffic from 203.196.128.49.

4.2. Netscreen 50B configuration (Guoyan data center)
The 50B carries the VPN to the office network. Because the VPN policy configuration is comparatively complex, only the configuration file is given, in the appendix.

4.3. Netscreen 5GT configuration (office network)
The 5GT carries the VPN to the Guoyan data center; likewise only the configuration file is given, in the appendix.

5. Configuration appendix
5.1. Netscreen 208

set clock timezone 7
set vrouter trust-vr sharable
set vrouter untrust-vr
exit
set vrouter trust-vr
unset auto-route-export
exit
set service 8080 protocol tcp src-port 0-65535 dst-port 8080-8080
set auth-server Local id 0
set auth-server Local server-name Local
set auth default auth server Local
set auth radius accounting port 1646
set admin name testadmin
set admin password nGV2PirHHhcNcrOM9sTB+rJt/6OPrn
set admin port 8000
set admin auth timeout 10
set admin auth server Local
set admin format dos
set zone Trust vrouter trust-vr
set zone Untrust vrouter trust-vr
set zone DMZ vrouter trust-vr
set zone VLAN vrouter trust-vr
set zone Untrust-Tun vrouter trust-vr
set zone Trust tcp-rst
set zone Untrust block
unset zone Untrust tcp-rst
set zone MGT block
set zone DMZ tcp-rst
set zone VLAN block
unset zone VLAN tcp-rst
unset zone Untrust screen tear-drop
unset zone Untrust screen syn-flood
unset zone Untrust screen ping-death
unset zone Untrust screen ip-filter-src
unset zone Untrust screen land
set zone V1-Untrust screen tear-drop
set zone V1-Untrust screen syn-flood
set zone V1-Untrust screen ping-death
set zone V1-Untrust screen ip-filter-src
set zone V1-Untrust screen land
set zone Untrust screen limit-session source-ip-based 1000
set zone Untrust screen limit-session destination-ip-based 1000
set zone Untrust screen syn-ack-ack threshold 1000
set interface ethernet1 zone Untrust
set interface ethernet2 zone Trust
set interface ethernet3 zone Untrust
unset interface vlan1 ip
set interface ethernet1 ip 211.144.149.2/25
set interface ethernet1 route
set interface ethernet2 ip 172.16.1.2/24
set interface ethernet2 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1 ip manageable
set interface ethernet2 ip manageable
set interface ethernet1 manage ssh
set interface ethernet1 manage ssl
set interface ethernet1 vip 211.144.149.11 25 MAIL 172.16.12.8
set interface ethernet1 vip 211.144.149.11 + 80 HTTP 172.16.12.8
set interface ethernet1 vip 211.144.149.11 + 110 POP3 172.16.12.8
set interface ethernet1 vip 211.144.149.12 80 HTTP 172.16.1.21
set interface ethernet1 vip 211.144.149.13 80 HTTP 172.16.1.23
set interface ethernet1 vip 211.144.149.14 80 HTTP 172.16.4.14
set interface ethernet1 mip 211.144.149.6 host 172.16.1.25 netmask 255.255.255.255 vr trust-vr
unset flow no-tcp-seq-check
set flow tcp-syn-check
set address Trust 172.16.1.1/25 172.16.1.1 255.255.255.128
set address Trust 172.16.1.25 172.16.1.25 255.255.255.255
set address Trust 172.16.12.0/24 172.16.12.0 255.255.255.0
set address Trust 172.16.4.14/32 172.16.4.14 255.255.255.255
set address Trust bbs 172.16.4.14 255.255.255.255
set address Trust network 172.16.12.9 255.255.255.255
set address Trust network2 172.16.12.10 255.255.255.255
set address Trust smtp 172.16.12.8 255.255.255.255
set address Untrust 203.196.128.49/32 203.196.128.49 255.255.255.255
set address Untrust 211.144.158.218/32 211.144.158.218 255.255.255.255
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol websense
exit
set policy id 1 name webnat from Trust to Untrust 172.16.1.1/25 Any HTTP permit
set policy id 1
set service ICMP-ANY
exit
set policy id 3 name smtp from Trust to Untrust network Any ANY permit
set policy id 3
set src-address network2
set src-address smtp
exit
set policy id 5 from Untrust to Global Any VIP(211.144.149.11) HTTP permit log
set policy id 5
set service POP3
set service SMTP
exit
set policy id 6 from Untrust to Global Any VIP(211.144.149.12) HTTP permit log
set policy id 6
exit
set policy id 7 from Untrust to Global Any VIP(211.144.149.13) HTTP permit
set policy id 7
exit
set policy id 8 from Untrust to Global Any VIP(211.144.149.14) HTTP permit log
set policy id 8
exit
set policy id 9 from Trust to Untrust 172.16.4.14/32 Any HTTP permit
set policy id 9
exit
set policy id 10 from Trust to Untrust 172.16.1.25 211.144.158.218/32 ANY permit
set policy id 10
exit
set policy id 11 from Untrust to Global 211.144.158.218/32 MIP(211.144.149.6) ANY permit
set policy id 11
exit
set policy id 12 name deny from Untrust to Trust 203.196.128.49/32 Any ANY deny log
set policy id 12
exit
set pki authority default scep mode auto
set pki x509 default cert-path partial
set syslog config 172.16.12.9
set syslog config 172.16.12.9 facilities local0 local0
set syslog src-interface ethernet2
set syslog enable
unset log module system level notification destination syslog
unset log module system level information destination syslog
unset log module system level debugging destination syslog
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set config lock timeout 5
set snmp community testsnmp Read-Write Trap-on traffic version v2c
set snmp host testsnmp 172.16.12.9 255.255.255.255 src-interface ethernet2 trap v2
set snmp host testsnmp 192.168.21.102 255.255.255.255 src-interface ethernet2 trap v2
set snmp name uns208
set snmp port listen 161
set snmp port trap 162
set vrouter untrust-vr
exit
set vrouter trust-vr
unset add-default-route
set route 172.16.12.0/24 interface ethernet2 gateway 172.16.1.1 preference 20
set route 0.0.0.0/0 interface ethernet1 gateway 211.144.149.1 preference 20
set route 192.168.0.0/16 interface ethernet2 gateway 172.16.1.3 preference 20
set route 172.16.4.14/32 interface ethernet2 gateway 172.16.1.1 preference 20
exit
set vrouter untrust-vr
exit
set vrouter trust-vr
exit

Points worth noting in this configuration:
- The admin account testadmin and its password hash appear in the dump (the same account and hash appear on the 50B in section 5.2), so the dump itself has to be handled as a credential.
- The SNMP community testsnmp is Read-Write over v2c, which carries no authentication: anyone who can reach UDP 161 on the device with that community string can write to it.
- SSH and SSL management are enabled on ethernet1, the Internet-facing interface (set interface ethernet1 manage ssh / manage ssl, with set interface ethernet1 ip manageable).
- The tear-drop, syn-flood, ping-death, ip-filter-src and land screens are unset on the Untrust zone, where ethernet1 and ethernet3 sit, and set only on V1-Untrust, the Layer-2 zone that no interface here uses; only the session-limit and syn-ack-ack screens remain on Untrust. unset ike dos-protection disables IKE DoS protection as well.
- Policies 1, 3, 7, 9, 10 and 11 permit without log, so only policies 5, 6, 8 and 12 produce syslog records at 172.16.12.9.

5.2. Netscreen 50B

set clock timezone 7
set vrouter trust-vr sharable
set vrouter untrust-vr
exit
set vrouter trust-vr
unset auto-route-export
exit
set service 5222 protocol tcp src-port 0-65535 dst-port 5222-5222
set service 6664 protocol tcp src-port 0-65535 dst-port 6664-6664
set auth-server Local id 0
set auth-server Local server-name Local
set auth default auth server Local
set auth radius accounting port 1646
set admin name testadmin
set admin password nGV2PirHHhcNcrOM9sTB+rJt/6OPrn
set admin auth timeout 10
set admin auth server Local
set admin format dos
set zone Trust vrouter trust-vr
set zone Untrust vrouter trust-vr
set zone DMZ vrouter t
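The script below is an added example; it is not part of the original document and not a Juniper tool. It parses the flat set/unset command format used in sections 4.1 and 5.1, joins each VIP/MIP mapping with the Untrust-sourced permit policies that open it (the "what is exposed" view of section 4.1), and flags the weak settings noted after the section 5.1 configuration. The embedded configuration is a constructed excerpt of section 5.1 with the password hash redacted; the port table that treats MAIL and SMTP as TCP/25 is an assumption, and the audit rules are this script's own.

```python
"""Parse a ScreenOS (NetScreen) config dump, list what its VIP/MIP mappings expose,
and flag weak settings. Added example; the checks are this script's own, not Juniper's."""
import re
from types import SimpleNamespace

# Constructed excerpt of the Netscreen 208 config in section 5.1 (admin hash redacted).
SAMPLE_CONFIG = """\
set admin password REDACTED
unset zone Untrust screen tear-drop
unset zone Untrust screen syn-flood
set interface ethernet1 zone Untrust
set interface ethernet1 manage ssh
set interface ethernet1 vip 211.144.149.11 25 MAIL 172.16.12.8
set interface ethernet1 vip 211.144.149.11 + 80 HTTP 172.16.12.8
set interface ethernet1 vip 211.144.149.11 + 110 POP3 172.16.12.8
set interface ethernet1 vip 211.144.149.13 80 HTTP 172.16.1.23
set interface ethernet1 mip 211.144.149.6 host 172.16.1.25 netmask 255.255.255.255 vr trust-vr
unset ike dos-protection
set policy id 5 from Untrust to Global Any VIP(211.144.149.11) HTTP permit log
set policy id 5
set service POP3
set service SMTP
exit
set policy id 7 from Untrust to Global Any VIP(211.144.149.13) HTTP permit
set policy id 11 from Untrust to Global 211.144.158.218/32 MIP(211.144.149.6) ANY permit
set policy id 12 name deny from Untrust to Trust 203.196.128.49/32 Any ANY deny log
set snmp community testsnmp Read-Write Trap-on traffic version v2c
"""

# Ports of the predefined services used on the page; MAIL == SMTP == TCP/25 is an assumption.
PORTS = {"HTTP": 80, "POP3": 110, "MAIL": 25, "SMTP": 25}
POLICY_RE = re.compile(r"^set policy id (\d+)(?: name \S+)? from (\S+) to (\S+) "
                       r"(\S+) (\S+) (\S+) (permit|deny)( log)?$")
VIP_RE = re.compile(r"^set interface \S+ vip (\S+) (?:\+ )?(\d+) (\S+) (\S+)$")
MIP_RE = re.compile(r"^set interface \S+ mip (\S+) host (\S+) ")


def parse_config(text):
    """Walk the flat set/unset commands; a `set policy id N` context block runs until `exit`."""
    cfg = {"vips": [], "mips": [], "policies": {}, "zones": {}, "manage": [],
           "unset_screens": [], "snmp": [], "ike_dos_off": False, "admin_hash": False}
    ctx = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        w = line.split()
        if ctx is not None:                       # inside a policy context block
            if line == "exit":
                ctx = None
            elif w[:2] == ["set", "service"]:     # extra services added to the policy
                ctx.services.append(w[2])
            continue
        if m := POLICY_RE.match(line):
            cfg["policies"][int(m[1])] = SimpleNamespace(
                pid=int(m[1]), src_zone=m[2], dst_zone=m[3], src=m[4], dst=m[5],
                services=[m[6]], action=m[7], log=m[8] is not None)
        elif w[:3] == ["set", "policy", "id"] and len(w) == 4:
            ctx = cfg["policies"][int(w[3])]
        elif m := VIP_RE.match(line):             # (external ip, port, service, internal ip)
            cfg["vips"].append((m[1], int(m[2]), m[3], m[4]))
        elif m := MIP_RE.match(line):             # (external ip, internal ip)
            cfg["mips"].append((m[1], m[2]))
        elif len(w) == 5 and w[:2] == ["set", "interface"] and w[3] == "zone":
            cfg["zones"][w[2]] = w[4]
        elif len(w) == 5 and w[:2] == ["set", "interface"] and w[3] == "manage":
            cfg["manage"].append((w[2], w[4]))
        elif w[:2] == ["unset", "zone"] and w[3:4] == ["screen"]:
            cfg["unset_screens"].append((w[2], w[4]))
        elif line == "unset ike dos-protection":
            cfg["ike_dos_off"] = True
        elif w[:3] == ["set", "admin", "password"]:
            cfg["admin_hash"] = True
        elif w[:3] == ["set", "snmp", "community"]:
            cfg["snmp"].append((w[3], w[4], w[-1]))  # (community, access, version)
    return cfg


def exposed_services(cfg):
    """For each VIP/MIP, list the inbound (Untrust-sourced) permit policies that open it."""
    def openers(dst, port):
        return [p.pid for p in cfg["policies"].values()
                if p.action == "permit" and p.src_zone == "Untrust" and p.dst == dst
                and (port is None or "ANY" in p.services
                     or port in {PORTS.get(s) for s in p.services})]
    rows = [(ext, port, svc, inner, openers(f"VIP({ext})", port))
            for ext, port, svc, inner in cfg["vips"]]
    rows += [(ext, None, "ANY", inner, openers(f"MIP({ext})", None))
             for ext, inner in cfg["mips"]]
    return rows


def audit(cfg):
    """Weak settings this example looks for; each corresponds to a line in section 5.1."""
    f = [f"snmp: community {n} is {a} over {v}" for n, a, v in cfg["snmp"]
         if a == "Read-Write" or v != "v3"]
    f += [f"screen: {s} disabled on zone {z}" for z, s in cfg["unset_screens"]]
    f += [f"mgmt: {p} enabled on Untrust interface {i}" for i, p in cfg["manage"]
          if cfg["zones"].get(i) == "Untrust"]
    if cfg["ike_dos_off"]:
        f.append("ike: DoS protection unset")
    if cfg["admin_hash"]:
        f.append("admin: password hash present in dump")
    for p in cfg["policies"].values():
        if p.action == "permit" and p.src_zone == "Untrust" and "ANY" in p.services:
            f.append(f"policy {p.pid}: permits ANY service from {p.src} to {p.dst}")
        if p.action == "permit" and not p.log:
            f.append(f"policy {p.pid}: permit without log")
    return f


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    for row in exposed_services(parsed):
        print("exposed:", row)
    for finding in audit(parsed):
        print("finding:", finding)
```

Run it against a full "get config" dump instead of the embedded excerpt to get the complete exposure table; every mapping whose opener list is empty is dead configuration, and every Untrust permit that reaches an address without a VIP/MIP is a policy with nothing behind it.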
