Well-Site Server Networking Configuration: Juniper Firewall Configuration Manual.docx

Uploaded by: b****1  Document No.: 13731888  Upload date: 2023-06-16  Format: DOCX  Pages: 17  Size: 65.91 KB

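Document No.: 005

Version: 1.0

Well-Site Server Networking Configuration

Juniper Firewall Configuration Manual

Contents

1.1 Juniper SRX240 Firewall Configuration Notes

1.1.1 Initial Installation

1.1.2 Policy

1.1.3 NAT

1.1.4 IPsec VPN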

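1.1 Juniper SRX240 Firewall Configuration Notes

1.1.1 Initial Installation

1.1.1.1 Login

Connect to the SRX through the console port (default HyperTerminal settings) and log in as the root user; the password is root123.

login: root
Password:
--- JUNOS 9.5R1.8 built 2009-07-16 15:04:30 UTC
root% cli                        /*** enter operational mode ***/
root>
root> configure
Entering configuration mode      /*** enter configuration mode ***/
[edit]
root#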

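1.1.1.2 Setting the root User Password

Set the root user password:

set system root-authentication encrypted-password

The password is displayed in encrypted form:

"$1$rA9jkLwN$jMkZts1WXVc.Sx6NtZTLQ0"

Caution: It is strongly recommended not to use other encryption options (such as the encrypted-password method) for the root password or other user passwords. That parameter expects a string that has already been processed by the encryption algorithm, so a password entered by hand this way may fail to authenticate.

Note: The root user is only for managing the SRX locally over the console connection and cannot be used to manage the SRX by remote login. The root password must be set successfully before commit can be run to apply the subsequent configuration commands.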

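1.1.1.3 Setting Up a Remote-Login Management User

root# set system login user lab uid 2000
root# set system login user lab class super-user
root# set system login user lab authentication plain-text-password   /*** prompts for the password and stores it hashed ***/
New password: lab123
Retype new password: lab123

Note: This lab user has super-user privileges and can be used for both console and remote management access. Other users with different management privileges can also be defined as needed.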

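1.1.1.4 Configuration for Remote Management of the SRX

run set date YYYYMMDDhhmm.ss           /*** set the system clock ***/
set system time-zone Asia/Shanghai     /*** set the time zone to Shanghai ***/
set system host-name SRX3400-A         /*** set the host name ***/
set system name-server 1.1.1.1         /*** set the DNS server ***/
set system services ftp
set system services telnet
set system services web-management http
/*** enable the ftp/telnet/http remote-access management services at the system level ***/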

1.1.2 Policy

Policy configuration works much as it does in ScreenOS; only the configuration commands differ. The permit/deny action of a policy must be configured with an additional then statement, so a single ScreenOS policy is split into two or more configuration statements.

Each policy needs a manually configured policy name, which can be a string or a number (similar to the ScreenOS policy ID, except that it has to be assigned by hand).

// Policy from the trust zone to the untrust zone
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any   (match any source address)
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any   (match any destination address)
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any   (match any application)
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit   (permit the traffic)

// Policies from the untrust zone to the trust zone
set security policies from-zone untrust to-zone trust policy oracle-3389 match source-address any
set security policies from-zone untrust to-zone trust policy oracle-3389 match destination-address oracle-server   (match the destination address group oracle-server)
set security policies from-zone untrust to-zone trust policy oracle-3389 match application tcp-3389   (match the application tcp-3389)
set security policies from-zone untrust to-zone trust policy oracle-3389 then permit

// The following policies follow the same pattern
set security policies from-zone untrust to-zone trust policy oracle-6000 match source-address any
set security policies from-zone untrust to-zone trust policy oracle-6000 match destination-address oracle-server
set security policies from-zone untrust to-zone trust policy oracle-6000 match application tcp-6000
set security policies from-zone untrust to-zone trust policy oracle-6000 then permit

set security policies from-zone untrust to-zone trust policy oracle-50001 match source-address any
set security policies from-zone untrust to-zone trust policy oracle-50001 match destination-address oracle-server
set security policies from-zone untrust to-zone trust policy oracle-50001 match application tcp-50001
set security policies from-zone untrust to-zone trust policy oracle-50001 then permit

set security policies from-zone untrust to-zone trust policy oracle-50002 match source-address any
set security policies from-zone untrust to-zone trust policy oracle-50002 match destination-address oracle-server
set security policies from-zone untrust to-zone trust policy oracle-50002 match application tcp-50002
set security policies from-zone untrust to-zone trust policy oracle-50002 then permit

set security policies from-zone untrust to-zone trust policy oracle-50003 match source-address any
set security policies from-zone untrust to-zone trust policy oracle-50003 match destination-address oracle-server
set security policies from-zone untrust to-zone trust policy oracle-50003 match application tcp-50003
set security policies from-zone untrust to-zone trust policy oracle-50003 then permit

set security policies from-zone untrust to-zone trust policy oracle-50004 match source-address any
set security policies from-zone untrust to-zone trust policy oracle-50004 match destination-address oracle-server
set security policies from-zone untrust to-zone trust policy oracle-50004 match application tcp-50004
set security policies from-zone untrust to-zone trust policy oracle-50004 then permit

set security policies from-zone untrust to-zone trust policy oracle-50005 match source-address any
set security policies from-zone untrust to-zone trust policy oracle-50005 match destination-address oracle-server
set security policies from-zone untrust to-zone trust policy oracle-50005 match application tcp-50005
set security policies from-zone untrust to-zone trust policy oracle-50005 then permit

set security policies from-zone untrust to-zone trust policy oracle-50006 match source-address any
set security policies from-zone untrust to-zone trust policy oracle-50006 match destination-address oracle-server
set security policies from-zone untrust to-zone trust policy oracle-50006 match application tcp-50006
set security policies from-zone untrust to-zone trust policy oracle-50006 then permit

set security policies from-zone untrust to-zone trust policy oracle-7009 match source-address any
set security policies from-zone untrust to-zone trust policy oracle-7009 match destination-address oracle-server
set security policies from-zone untrust to-zone trust policy oracle-7009 match application udp-7009
set security policies from-zone untrust to-zone trust policy oracle-7009 then permit

set security policies from-zone untrust to-zone trust policy oracle-7010 match source-address any
set security policies from-zone untrust to-zone trust policy oracle-7010 match destination-address oracle-server
set security policies from-zone untrust to-zone trust policy oracle-7010 match application udp-7010
set security policies from-zone untrust to-zone trust policy oracle-7010 then permit

set security policies from-zone untrust to-zone trust policy oracle-7011 match source-address any
set security policies from-zone untrust to-zone trust policy oracle-7011 match destination-address oracle-server
set security policies from-zone untrust to-zone trust policy oracle-7011 match application udp-7011
set security policies from-zone untrust to-zone trust policy oracle-7011 then permit

set security policies from-zone untrust to-zone trust policy oracle-7012 match source-address any
set security policies from-zone untrust to-zone trust policy oracle-7012 match destination-address oracle-server
set security policies from-zone untrust to-zone trust policy oracle-7012 match application udp-7012
set security policies from-zone untrust to-zone trust policy oracle-7012 then permit

set security policies from-zone untrust to-zone trust policy oracle-1521 match source-address any
set security policies from-zone untrust to-zone trust policy oracle-1521 match destination-address oracle-server
set security policies from-zone untrust to-zone trust policy oracle-1521 match application tcp-1521
set security policies from-zone untrust to-zone trust policy oracle-1521 then permit

set security policies from-zone trust to-zone trust policy trust-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-trust match application any
set security policies from-zone trust to-zone trust policy trust-trust then permit

set security policies from-zone trust to-zone vpn policy vpn1 match source-address any
set security policies from-zone trust to-zone vpn policy vpn1 match destination-address any
set security policies from-zone trust to-zone vpn policy vpn1 match application any
set security policies from-zone trust to-zone vpn policy vpn1 then permit

set security policies from-zone vpn to-zone trust policy vpn1 match source-address any
set security policies from-zone vpn to-zone trust policy vpn1 match destination-address any
set security policies from-zone vpn to-zone trust policy vpn1 match application any
set security policies from-zone vpn to-zone trust policy vpn1 then permit

// Configure the trust security zone
set security zones security-zone trust address-book address oracle-server 192.168.250.10/32   (configure the trust zone address pool)
set security zones security-zone trust host-inbound-traffic system-services all   (configure the services allowed in the trust zone)
set security zones security-zone trust host-inbound-traffic protocols all   (configure the protocols allowed in the trust zone)
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services all   (configure the trust zone interface)
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic protocols all

// Configure the untrust security zone
set security zones security-zone untrust address-book address dyn-vpn 172.16.1.0/24
set security zones security-zone untrust address-book address 172.31.10.0 172.31.10.0/24
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic protocols all

// Configure the vpn security zone
set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn interfaces st0.1001
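
As an added example (not part of the original manual), this Python script reads Junos set commands like those in sections 1.1.1.4 and 1.1.2 and the zone configuration above, reassembles each policy from its separate match/then statements, and lists the settings a reviewer would check first: cleartext management services, host-inbound-traffic set to all, and permit policies that match any. The function names and finding texts are assumptions of this example, and the sample input is a constructed subset of the manual's own commands.

```python
import re
from collections import defaultdict
# Constructed sample: a subset of this manual's commands, re-spaced. Names below are this example's own.
SAMPLE = """\
set system services telnet
set system services web-management http
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone untrust to-zone trust policy oracle-1521 match source-address any
set security policies from-zone untrust to-zone trust policy oracle-1521 match destination-address oracle-server
set security policies from-zone untrust to-zone trust policy oracle-1521 match application tcp-1521
set security policies from-zone untrust to-zone trust policy oracle-1521 then permit
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic protocols all
"""
POLICY = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
                    r"(?:match (\S+) (\S+)|then (\S+))", re.M)
INBOUND = re.compile(r"^set security zones security-zone (\S+) (?:interfaces (\S+) )?"
                     r"host-inbound-traffic (system-services|protocols) all\b", re.M)
SERVICE = re.compile(r"^set system services (ftp|telnet|web-management http)\s*$", re.M)

def parse_policies(text):
    """Reassemble the per-field 'set' statements into one record per policy."""
    policies = defaultdict(dict)
    for src, dst, name, field, value, action in POLICY.findall(text):
        rec = policies[(src, dst, name)]
        if action:                       # the separate 'then permit/deny' statement
            rec["action"] = action
        else:                            # a 'match <field> <value>' statement
            rec.setdefault(field, set()).add(value)
    return dict(policies)

def audit(text):
    """Return findings: cleartext services, 'all' host-inbound, broad permits."""
    out = [f"cleartext management service: {s}" for s in SERVICE.findall(text)]
    for zone, ifname, kind in INBOUND.findall(text):
        out.append(f"zone {zone} {ifname or '(zone-wide)'}: host-inbound {kind} all")
    for (src, dst, name), rec in parse_policies(text).items():
        if rec.get("action") != "permit":
            continue
        wide = [f for f in ("source-address", "destination-address", "application")
                if rec.get(f) == {"any"}]
        if len(wide) == 3:
            out.append(f"policy {name} ({src}->{dst}): permits any/any/any")
        elif src == "untrust" and "source-address" in wide:
            out.append(f"policy {name} ({src}->{dst}): open to any source")
    return out
```

Calling audit() on the output of show configuration | display set gives the same findings list for a full device configuration.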

// Configure applications
set applications application tcp-1521 protocol tcp   (protocol tcp)
set applications application tcp-1521 destination-port 1521   (port 1521)
set applications application tcp-3389 protocol tcp
set applications application tcp-3389 destination-port 3389
set applications application tcp-600
