SRX基本配置.docx
《SRX基本配置.docx》由会员分享,可在线阅读,更多相关《SRX基本配置.docx(10页珍藏版)》请在冰点文库上搜索。
SRX基本配置
SRX300配置上网(WLAN与VLAN都为内部IP)
环境介绍
设备ge-0/0/0口为外网口,即第一个口,地址172.16.65.203/24,下一跳地址172.16.65.1
设备ge-0/0/2口为内网口即第三个口,地址192.168.2.1/24,内网口作为PC网关来用,设置DHCP,DHCP设置参数如下:
地址段 192.168.2.29-192.168.2.39
网关 192.168.1.1
DNS202.103.24.68;8.8.8.8
设置源NAT,用172.16.65.250、172.16.65.251两个地址做转换NAT地址
设置策略允许内网上网
创建超级用户root密码TS…….
具体步骤
用串口线连接设备console口,设置参数如下:
这台设备是有配置的,所以要先清空设备配置,清空完设备配置,需要直接设备初始超级用户的密码,然后保存,才可以完成恢复出厂设置
登入设备出现以下
root@root>
root@root>configure 进入配置模式
Enteringconfigurationmode
[edit]
root@root#loadfactory-default 恢复出厂设备
warning:
activatingfactoryconfiguration
[edit]
root@root#setsystemroot-authenticationplain-text-password 设置超级用户密码
Newpassword:
Retypenewpassword:
[edit]
root@root#commit
commitcomplete
[edit] 此时回复出厂设置完成,下一步开始配置
login:
root 输入默认用户名root
Password:
输入重置设备前输入的密码
root@root%cli 敲入cli进入执行模式
root@root>configure 敲入configure进入配置模式,执行模式代表符号“>”
Enteringconfigurationmode
[edit]
root@root# 配置模式“#”
root@root#setsystemloginuserlvlinclasssuper-userauthenticationplain-text-password 建立用户名为“wangjian”的超级用户
Newpassword:
为用户“root”设置密码
Retypenewpassword:
重复输入密码
[edit]
root@root#deleteinterfacesge-0/0/0.0 删除接口相关配置,接口默认处于交换
[edit] 模式Ethernet-switching模式下,要想设置成三层必须先把这个属
root@root#deleteinterfacesfe-0/0/2unit0 性删除,“.0”和unit0在意义上一样
[edit]
wangjian#setinterfacesge-0/0/0.0familyinetaddress192.168.201.239/24
[edit] 设置ge-0/0/0.0为三层接口地址192.168.201.239
setinterfacesge-0/0/0.0familyinetaddress172.16.65.203/24
wangjian#setinterfacesfe-0/0/2.0familyinetaddress192.168.1.1/24
[edit] 设置Ge-0/0/2.0为三层接口地址192.168.2.1
wangjian#setrouting-optionsstaticroute0.0.0.0/0next-hop192.168.201.250
setrouting-optionsstaticroute0.0.0.0/0next-hop172.16.65.1
[edit] 设置默认路由
wangjian#setsecurityzonessecurity-zoneuntrustinterfacesge-0/0/0.0
[edit] 设置ge-0/0/0.0口为untrust安全域接口
wangjian#setsecurityzonessecurity-zonetrustinterfacesge-0/0/2.0
[edit] 设置fe-0/0/2.0口为trust安全域接口
wangjian#deletesecuritynatsourcerule-settrust-to-untrust
[edit] 删除系统自带的源nat规则
wangjian#setsecuritynatsourcepoolwangjianaddress192.168.201.59to192.168.201.60 设置源nat地址池
setsecuritynatsourcepoolwangjianaddress172.16.65.250to172.16.65.251
[edit]
wangjian#setsecuritynatsourcerule-setwangjiannatfromzonetrust
[edit] 设置nat源安全域
wangjian#setsecuritynatsourcerule-setwangjiannattozoneuntrust
[edit] 设置nat目的安全域
wangjian#setsecuritynatsourcerule-setwangjiannatrulewangjiannat1 matchsource-address0.0.0.0/0 设置nat源地址
[edit]
wangjian#setsecuritynatsourcerule-setwangjiannatrulewangjiannat1thensource-natpoolwangjian 设置nat关联地址池
[edit]
wangjian#setsecurityzonessecurity-zoneuntrustinterfacege-0/0/0.0host-inbound-trafficsystem-serviceshttp
[edit] 打开接口http管理
wangjian#setsystemservicesweb-managementhttp
[edit] 打开http全局开关
wangjian#deletesecuritypoliciesfrom-zonetrustto-zoneuntrustpolicytrust-tountrust 删除系统自带策略
deletesecuritypoliciesfrom-zonetrustto-zoneuntrustpolicytrust-tountrust
[edit]
wangjian#setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicywangjianmatchsource-addressany
[edit] 配置策略源地址
wangjian#setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicywangjianmatchdestination-addressany 配置策略目的地址
[edit]
wangjian#setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicywangjianmatchapplicationany 配置策略应用
[edit]
wangjian#setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicywangjianthenpermit 配置策略动作
[edit]
wangjian#setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicywangjianthenlogsession-init 开启策略日志—会话开始
[edit]
wangjian#setsecuritypoliciesfrom-zonetrustto-zoneuntrustpolicywangjianthenlogsession-close 开启策略日志—会话结束
[edit]
wangjian#deletesystemservicesdhcp
[edit] 删除系统默认dhcp
wangjian#setsystemservicesdhcprouter192.168.1.1
[edit] DHCP参数默认网关
wangjian#setsystemservicesdhcppool192.168.2.0/24address-rangelow192.168.2.29 DHCP参数地址池开始地址
[edit]
wangjian#setsystemservicesdhcppool192.168.2.0/24address-rangehigh192.168.2.39 DHCP参数地址池结束地址
[edit]
wangjian#setsystemservicesdhcpmaximum-lease-time4294967295
[edit] DHCP参数分配地址租约时间
wangjian#setsystemservicesdhcpname-server202.106.0.20
[edit] DHCP参数DNS服务器
wangjian#setsystemservicesdhcpname-server8.8.8.8
[edit] DHCP参数DNS服务器
wangjian#setsystemservicesdhcppropagate-settingsge-0/0/2.0
[edit] 设置DHCP信号发散端口
wangjian#deleteinterfacesge-0/0/2.0
[edit] 删除接口fe-0/0/2.0所有属性
wangjian#setsecurityzonessecurity-zonetrustinterfacesge-0/0/2.0host-inbound-trafficsystem-servicesall
[edit] 设置接口ge-0/0/2.0接口为trust安全域
wangjian#setsecuritynatproxy-arpinterfacege-0/0/0address192.168.201.59to192.168.201.60 nat地址池地址在外网接口上做arp代理
setsecuritynatproxy-arpinterfacege-0/0/0address172.16.65.250to172.16.65.251
[edit]
wangjian#deleteinterfacesvlan
[edit] 删除vlan接口
wangjian#deleteinterfacesge-0/0/3
[edit] 删除物理接口属性
wangjian#deleteinterfacesfe-0/0/4
[edit]
wangjian#deleteinterfacesfe-0/0/5
[edit]
wangjian#deleteinterfacesfe-0/0/6
[edit]
wangjian#deleteinterfacesfe-0/0/7
[edit]
wangjian#deleteinterfacesge-0/0/1
[edit]
wangjian#deletevlans
[edit] 删除vlan
这样就可以了,DHCP获取到地址
Ping外网
附加show命令
wangjian#runshowinterfacesterse 查看物理接口属性
Interface AdminLinkProto Local Remote
ge-0/0/0 up up
ge-0/0/0.0 up up inet 192.168.201.239/24
gr-0/0/0 up up
ip-0/0/0 up up
lsq-0/0/0 up up
lt-0/0/0 up up
mt-0/0/0 up up
sp-0/0/0 up up
sp-0/0/0.0 up up inet
sp-0/0/0.16383 up up inet 10.0.0.1 -->10.0.0.16
10.0.0.6 -->0/0
128.0.0.1 -->128.0.1.16
128.0.0.6 -->0/0
ge-0/0/1 up down
fe-0/0/2 up up
fe-0/0/2.0 up up inet 192.168.1.1/24
fe-0/0/3 up down
fe-0/0/4 up down
fe-0/0/5 up down
fe-0/0/6 up down
fe-0/0/7 up down
fxp2 up up
fxp2.0 up up tnp 0x1
gre up up
ipip up up
irb up up
lo0 up up
lo0.16384 up up inet 127.0.0.1 -->0/0
lo0.16385 up up inet 10.0.0.1 -->0/0
10.0.0.16 -->0/0
128.0.0.1 -->0/0
128.0.0.4 -->0/0
128.0.1.16 -->0/0
lo0.32768 up up
lsi up up
mtun up up
pimd up up
pime up up
pp0 up up
ppd0 up up
ppe0 up up
st0 up up
tap up up
vlan up up
[edit]
wangjian#show|compare 跟上次commit前对比敲过的命令
[editsecurityzonessecurity-zoneuntrustinterfaces]
ge-0/0/0.0{...}
+ ge-0/0/1.0;
[edit]
wangjian#rollback0 返回上次commit时的配置
loadcomplete
[edit]
(注:
可编辑下载,若有不当之处,请指正,谢谢!
)
升级会员 