Juniper SRX3000 Project Commissioning Guide


Juniper Firewall Commissioning Guide

set interfaces ge-0/0/4 gigether-options redundant-parent reth4
set interfaces ge-13/0/1 gigether-options redundant-parent reth1
set interfaces ge-13/0/2 gigether-options redundant-parent reth2
set interfaces ge-13/0/3 gigether-options redundant-parent reth3
set interfaces ge-13/0/4 gigether-options redundant-parent reth4

set interfaces fab0 fabric-options member-interfaces ge-0/0/0
set interfaces fab1 fabric-options member-interfaces ge-13/0/0

set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 192.168.100.1/24
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 unit 0 family inet address 192.168.200.1/24
set interfaces reth3 redundant-ether-options redundancy-group 1
set interfaces reth3 unit 0 family inet address 220.1.1.18/24
set interfaces reth4 redundant-ether-options redundancy-group 1
set interfaces reth4 unit 0 family inet address 221.1.1.18/24

Create the trust and untrust zones, assign the interfaces to them and open the host-inbound services each zone needs. (In this build every system service is opened on the trust-zone interfaces: telnet, ping, snmp, http and the rest. Note that "system-services all" also enables services nobody asked for; listing only the services actually used, and preferring ssh and https over telnet and http, is the safer choice. The untrust interfaces accept only ping.)

set security zones security-zone trust interfaces reth1.0 host-inbound-traffic system-services all

set security zones security-zone trust interfaces reth2.0 host-inbound-traffic system-services all

set security zones security-zone untrust interfaces reth3.0 host-inbound-traffic system-services ping

set security zones security-zone untrust interfaces reth4.0 host-inbound-traffic system-services ping

3. Configure the external NAT address pools

set security nat source pool Pool-1 address 220.1.1.1 to 220.1.1.7
set security nat source pool Pool-2 address 221.1.1.1 to 221.1.1.7
set security nat source rule-set Rule-Pool-1 from zone trust
set security nat source rule-set Rule-Pool-1 to interface reth3.0
set security nat source rule-set Rule-Pool-2 from zone trust
set security nat source rule-set Rule-Pool-2 to interface reth4.0

set security nat source rule-set Rule-Pool-1 rule interface-nat match source-address 0.0.0.0/0
set security nat source rule-set Rule-Pool-1 rule interface-nat match destination-address 0.0.0.0/0
set security nat source rule-set Rule-Pool-1 rule interface-nat then source-nat pool Pool-1

Page 49


set security nat source rule-set Rule-Pool-2 rule interface-nat match source-address 0.0.0.0/0
set security nat source rule-set Rule-Pool-2 rule interface-nat match destination-address 0.0.0.0/0
set security nat source rule-set Rule-Pool-2 rule interface-nat then source-nat pool Pool-2

The pool addresses are on the same subnet as the egress interface, so proxy-arp must be configured on that interface for the pool range; otherwise the upstream router's ARP requests for pool addresses go unanswered and return traffic never reaches the firewall.

set security nat proxy-arp interface reth3.0 address 220.1.1.0/29
set security nat proxy-arp interface reth4.0 address 221.1.1.0/29
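The zone and NAT steps above are the ones most often mistyped when a commissioning script is keyed in by hand (a pool name that does not exist, a rule filed under the wrong rule-set, a pool with no proxy-arp, "system-services all" left on a zone). The following linter is an added example, not code from the guide or from Juniper: it reads Junos "set" commands and cross-checks those four points. It only understands the command forms used on this page (single-unit inet addresses, "address A to B" pools, "to interface" rule-sets, prefix-style proxy-arp); the two sample configs are constructed from the page's own commands, one kept as transcribed with its slips and one corrected.

```python
"""Lint Junos 'set' commands for NAT/zone slips in hand-typed SRX commissioning
scripts (added example, not from the original guide).  Findings raised:
  1. host-inbound-traffic system-services all on a zone interface,
  2. a rule's source-nat pool that is never defined (typo),
  3. a pool outside the subnet of its rule-set's egress interface (wrong rule-set),
  4. a pool with no proxy-arp covering it on that egress interface.
"""
import ipaddress
import re

# Constructed sample: the guide's commands as transcribed, keeping the
# 'poole-1' typo and the Pool-2 rule filed under Rule-Pool-1.
SAMPLE_AS_TRANSCRIBED = """\
set interfaces reth3 unit 0 family inet address 220.1.1.18/24
set interfaces reth4 unit 0 family inet address 221.1.1.18/24
set security zones security-zone trust interfaces reth1.0 host-inbound-traffic system-services all
set security nat source pool Pool-1 address 220.1.1.1 to 220.1.1.7
set security nat source pool Pool-2 address 221.1.1.1 to 221.1.1.7
set security nat source rule-set Rule-Pool-1 from zone trust
set security nat source rule-set Rule-Pool-1 to interface reth3.0
set security nat source rule-set Rule-Pool-2 from zone trust
set security nat source rule-set Rule-Pool-2 to interface reth4.0
set security nat source rule-set Rule-Pool-1 rule interface-nat then source-nat pool poole-1
set security nat source rule-set Rule-Pool-1 rule interface-nat then source-nat pool Pool-2
set security nat proxy-arp interface reth3.0 address 220.1.1.0/29
set security nat proxy-arp interface reth4.0 address 221.1.1.0/29
"""

# Constructed sample: the same build with the slips fixed and trust-zone
# management narrowed from 'all' to ssh.
SAMPLE_FIXED = SAMPLE_AS_TRANSCRIBED.replace(
    "system-services all", "system-services ssh"
).replace(
    "Rule-Pool-1 rule interface-nat then source-nat pool poole-1",
    "Rule-Pool-1 rule interface-nat then source-nat pool Pool-1",
).replace(
    "Rule-Pool-1 rule interface-nat then source-nat pool Pool-2",
    "Rule-Pool-2 rule interface-nat then source-nat pool Pool-2",
)

RE_IFADDR = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
RE_ZONE_ALL = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+) "
                         r"host-inbound-traffic system-services all$")
RE_POOL = re.compile(r"^set security nat source pool (\S+) address (\S+) to (\S+)$")
RE_RS_TO = re.compile(r"^set security nat source rule-set (\S+) to interface (\S+)$")
RE_RULE_POOL = re.compile(r"^set security nat source rule-set (\S+) rule (\S+) then source-nat pool (\S+)$")
RE_PROXY = re.compile(r"^set security nat proxy-arp interface (\S+) address (\S+)$")


def parse(text):
    """Collect the pieces the checks need; unrecognised lines are ignored."""
    cfg = {"ifaddr": {}, "zone_all": [], "pools": {}, "rs_to": {}, "rules": [], "proxy": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_IFADDR.match(line):
            cfg["ifaddr"][f"{m[1]}.{m[2]}"] = ipaddress.ip_interface(m[3])
        elif m := RE_ZONE_ALL.match(line):
            cfg["zone_all"].append((m[1], m[2]))
        elif m := RE_POOL.match(line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := RE_RS_TO.match(line):
            cfg["rs_to"][m[1]] = m[2]
        elif m := RE_RULE_POOL.match(line):
            # Each 'then ... pool' line is checked as typed (Junos would merge
            # lines of the same rule; the linter looks at the text as written).
            cfg["rules"].append((m[1], m[2], m[3]))
        elif m := RE_PROXY.match(line):
            cfg["proxy"].setdefault(m[1], []).append(ipaddress.ip_network(m[2]))
    return cfg


def lint(text):
    """Return a list of human-readable findings; an empty list means clean."""
    cfg = parse(text)
    findings = []
    for zone, ifc in cfg["zone_all"]:
        findings.append(f"{zone}/{ifc}: system-services all exposes every management "
                        f"service; list only the services actually used")
    for rs, rule, pool in cfg["rules"]:
        if pool not in cfg["pools"]:
            findings.append(f"{rs}/{rule}: pool {pool} is not defined (typo?)")
            continue
        lo, hi = cfg["pools"][pool]
        ifc = cfg["rs_to"].get(rs)
        ifaddr = cfg["ifaddr"].get(ifc)
        if ifaddr is None:
            findings.append(f"{rs}/{rule}: egress interface {ifc} has no inet address")
            continue
        net = ifaddr.network
        if lo not in net or hi not in net:
            findings.append(f"{rs}/{rule}: pool {pool} {lo}-{hi} is outside {ifc} "
                            f"subnet {net}; rule filed under the wrong rule-set?")
            continue
        if not any(lo in p and hi in p for p in cfg["proxy"].get(ifc, [])):
            findings.append(f"{rs}/{rule}: {ifc} has no proxy-arp covering pool {pool}; "
                            f"upstream ARP for the pool would go unanswered")
    return findings


if __name__ == "__main__":
    for name, text in (("as transcribed", SAMPLE_AS_TRANSCRIBED), ("fixed", SAMPLE_FIXED)):
        print(f"{name}: {lint(text) or ['clean']}")
```

Run it before "commit" on the text of the script: the transcribed sample yields three findings (the open trust zone, the undefined pool poole-1, and Pool-2 sitting under the rule-set whose egress is reth3.0), the corrected sample yields none. The subnet check is what catches a rule filed under the wrong rule-set, because the egress interface and the pool it hands out must share a subnet for proxy-arp to make sense.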

4. Add address-book entries

set security zones security-zone trust address-book address mobile-address 10.0.0.0/8

5. Configure the internal and external routes and load-balance across the two links (despite the keyword, Junos "load-balance per-packet" hashes per flow, so each session stays on one uplink and therefore on one NAT pool)

set routing-options forwarding-table export load-balance

set policy-options policy-statement load-balance then load-balance per-packet
set routing-options static route 0.0.0.0/0 qualified-next-hop 220.1.1.254
set routing-options static route 0.0.0.0/0 qualified-next-hop 221.1.1.254

set routing-options static route 10.0.0.0/8 qualified-next-hop 192.168.100.254
set routing-options static route 10.0.0.0/8 qualified-next-hop 192.168.200.254

6. Configure security policies. A: policy from inside (trust) to outside (untrust)

set security policies from-zone trust to-zone untrust policy 1 match source-address mobile-address

set security policies from-zone trust to-zone untrust policy 1 match destination-address any

set security policies from-zone trust to-zone untrust policy 1 match application any

set security policies from-zone trust to-zone untrust policy 1 then permit

Page 50