JuniperSRX详细配置基础手册含注释.doc

Juniper SRX原则配备 第一节 系统配备 3 1.1、设备初始化 3 1.1.1登陆 3 1.1.2设立root顾客口令 3 1.1.3设立远程登陆管理顾客 3 2、系统管理 4 1.2.1 选取时区 4 1.2.2 系统时间 4 1.2.3 DNS服务器 5 1.2.4系统重启 5 1.2.5 Alarm告警解决 5 1.2.6 Root密码重置 6 第二节 网络设立 7 2.1、Interface 7 2.1.1 PPPOE 7 2.1.2 Manual 8 2.1.3 DHCP 8 2.2、Routing 9 Static Route 9 2.3、SNMP 9 第三节 高档设立 9 3.1.1 修改服务端口 9 3.1.2 检查硬件序列号 9 3.1.3 内外网接口启用端口服务 10 3.1.4 创立端口服务 10 3.1.5 VIP端口映射 10 3.1.6 MIP映射 11 3.1.7禁用console口 12 3.1.8 Juniper SRX带源ping外网默认不通，需要做源地址NAT 12 3.1.9 设立SRX管理IP 12 3.2.0 配备回退 13 3.2.1 UTM调用 13 3.2.2 网络访问缓慢解决 13 第四节 VPN设立 14 4.1、点对点IPSec VPN 14 4.1.1 Route Basiced 14 4.1.2 Policy Basiced 17 4.2、Remote VPN 19 4.2.1 SRX端配备 19 4.2.2 客户端配备 20 第一节 系统配备 1.1、设备初始化 1.1.1登陆 初次登录需要使用Console口连接SRX，root顾客登陆，密码为空 login：root Password: --- JUNOS 9.5R1.8 built -07-16 15:04:30 UTC root% cli                   /***进入操作模式***/ root> root> configure Entering configuration mode   /***进入配备模式***/ [edit] Root# 1.1.2设立root顾客口令 （必要配备root帐号密码，否则后续所有配备及修改都无法提交） root# set system root-authentication plain-text-password root# new password ：root123 root# retype new password：root123 密码将以密文方式显示 root# show system root-authentication encrypted-password "$1$xavDeUe6$fNM6olGU.8.M7B62u05D6."；# SECRET-DATA 注意：强烈建议不要使用其他加密选项来加密root和其他user口令(如encrypted-password加密方式)，此配备参数规定输入口令应是经加密算法加密后字符串，采用这种加密方式手工输入时存在密码无法通过验证风险。 注：root顾客仅用于console连接本地管理SRX，不能通过远程登陆管理SRX，必要成功设立root口令后，才干执行commit提交后续配备命令。 1.1.3设立远程登陆管理顾客 root# set system login user lab class super-user authentication plain-text-password root# new password ：juniper root# retype new password：srx123 注：此juniper顾客拥有超级管理员权限，可用于console和远程管理访问，另也可自行灵活定义其他不同管理权限顾客。 2、系统管理 1.2.1 选取时区 srx_admin# set system time-zone Asia/Shanghai /***亚洲/上海***/ 1.2.2 系统时间 1.2.2.1 手动设定 srx_admin> set date 1137.00 srx_admin> show system uptime Current time：-11-20 15:37:14 UTC System booted：-11-20 15:21:48 UTC (2d 00:15 ago) Protocols started：-11-20 15:24:45 UTC (2d 00:12 ago) Last configured：-11-20 15:30:38 UTC (00:06:36 ago) by srx_admin 3:37PM up 2 days，15 mins，3 users，load averages：0.07，0.17，0.14 1.2.2.2 NTP同步一次 srx_admin> set date ntp 202.120.2.101 8 Feb 15:49:50 ntpdate[6616]：step time server 202.120.2.101 offset -28796.357071 sec 1.2.2.3 NTP服务器 srx_admin# set system ntp server 202.100.102.1 srx_admin#set system ntp server ntp.api.bz /***SRX系统NTP服务器，设备需要联网可以解析ntp地址，否则命令无法输入***/ srx_admin> show ntp status status=c011 sync_alarm，sync_unspec，1 event，event_restart, version="ntpd 4.2.0-a Fri Nov 20 15:44:16 UTC (1)", processor="octeon"，system="JUNOS12.1X44-D35.5"，leap=11，stratum=16, precision=-17，rootdelay=0.000，rootdispersion=0.105，peer=0, refid=INIT，reftime=00000000.00000000 Thu，Feb 7 2036 14:28:16.000, poll=4，clock=d88195bc.562dc2db Sun，Feb 8 7:58:52.336，state=0, offset=0.000，frequency=0.000，jitter=0.008，stability=0.000 srx_admin@holy-shit> show ntp associations remote refid st t when poll reach delay offset jitter ============================================================================== 15.179.156.248 3 - 16 64 1 5.473 -0.953 0.008 202.100.102.1 .INIT. 16 - - 64 0 0.000 0.000 4000.00 1.2.3 DNS服务器 srx_admin# set system name-server 202.96.209.5 /***SRX系统DNS***/ 1.2.4 系统重启 1.2.4.1重启系统 srx_admin >request system reboot 1.2.4.2关闭系统 srx_admin >request system power-off 1.2.5 Alarm告警解决 1.2.5.1告警查看 root# run show system alarms 2 alarms currently active Alarm time Class Description -11-20 14:21:49 UTC Minor Autorecovery information needs to be saved -11-20 14:21:49 UTC Minor Rescue configuration is not set 1.2.5.2 告警解决 告警一解决 root> request system autorecovery state save Saving config recovery information Saving license recovery information Saving BSD label recovery information 告警二解决 root> request system configuration rescue save 1.2.6 Root密码重置 SRX Root密码丢失，并且没有其她超级顾客权限，那么就需要执行密码恢复，该操作需要中断设备正常运营，但不会丢失配备信息。操作环节如下： 1.重启防火墙，CRT上浮现下面提示时，按空格键中断正常启动，然后再进入单顾客状态，并输入：boot –s Loading /boot/defaults/loader.conf /kernel data=0xb15b3c+0x13464c syms=[0x4+0x8bb00+0x4+0xcac15] Hit [Enter] to boot immediately，or space bar for command prompt. loader> loader> boot -s 2. 执行密码恢复：在如下提示文字后输入recovery，设备将自动进行重启 Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh：recovery ***** FILE SYSTEM WAS MODIFIED ***** System watchdog timer disabled Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh：recovery 3. 进入配备模式，删除root密码后重新设立root密码，并保存重启 root> configure Entering configuration mode [edit] root# delete system root-authentication [edit] root# set system root-authentication plain-text-password New password: Retype new password: [edit] root# commit commit complete [edit] root# exit Exiting configuration mode root> request system reboot Reboot the system ?[yes,no] (no) yes 第二节 网络设立 2.1、Interface 2.1.1 PPPOE ※在外网接口（fe-0/0/0）下封装PPP srx_admin# set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether ※CHAP认证配备 srx_admin# set interfaces pp0 unit 0 ppp-options chap default-chap-secret /***PPPOE密码***/ srx_admin# set interfaces pp0 unit 0 ppp-options chap local-name rxgjhygs@163 /***PPPOE帐号***/ srx_admin# set interfaces pp0 unit 0 ppp-options chap passive /***采用被动模式***/ ※PAP认证配备 srx_admin# set interfaces pp0 unit 0 ppp-options pap default-password /***PPPOE密码***/ srx_admin# set interfaces pp0 unit 0 ppp-options pap local-name rxgjhygs@163 /***PPPOE帐号***/ srx_admin# set interfaces pp0 unit 0 ppp-options pap local-password /***PPPOE密码***/ srx_admin# set interfaces pp0 unit 0 ppp-options pap passive /***采用被动模式***/ ※PPP接口调用 srx_admin# set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/0.0 /***在外网接口（fe-0/0/0）下启用PPPOE拨号***/ ※PPPOE拨号属性配备 srx_admin# set interfaces pp0 unit 0 pppoe-options idle-timeout 0 /***空闲超时值***/ srx_admin# set interfaces pp0 unit 0 pppoe-options auto-reconnect 3 /***3秒自动重拨***/ srx_admin# set interfaces pp0 unit 0 pppoe-options client /***表达为PPPOE客户端***/ srx_admin# set interfaces pp0 unit 0 family inet mtu 1492 /***修改此接口MTU值，改成1492。由于PPPOE报头会有一点开销***/ srx_admin# set interfaces pp0 unit 0 family inet negotiate-address /***自动协商地址，即由服务端分派动态地址***/ ※默认路由 srx_admin# set routing-options static route 0.0.0.0/0 next-hop pp0.0 ※PPPOE接口划入untrust接口 srx_admin# set security zones security-zone untrust interfaces pp0.0 ※验证PPPoE与否已经拔通，与否获得IP地址 srx_admin#run show interfaces terse | match pp pp0 up up pp0.0 up up inet 192.168.163.1 --> 1.1.1.1 ppd0 up up ppe0 up up 注： PPPOE拨号成功后需要调节MTU值，使上网体验达到最佳（MTU值不适当话上网会卡） srx_admin# set interfaces pp0 unit 0 family inet mtu 1304 /***调节MTU大小***/ srx_admin# set security flow tcp-mss all-tcp mss 1304 /***调节TCP分片大小***/ 2.1.2 Manual srx_admin# set interfaces fe-0/0/0 unit 0 family inet address 202.105.41.138/29 2.1.3 DHCP ※启用DHCP地址池 srx_admin# set system services dhcp pool 192.168.1.0/24 router 192.168.1.1 /***DHCP网关***/ srx_admin# set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2 /***DHCP地址池第一种地址***/ srx_admin# set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254 /***DHCP地址池最后一种地址***/ srx_admin# set system services dhcp pool 192.168.1.0/24 default-lease-time 36000 /***DHCP地址租期***/ srx_admin# set system services dhcp pool 192.168.1.0/24 domain-name /***DHCP域名***/ srx_admin# set system services dhcp pool 192.168.1.0/24 name-server 202.96.209.133 /***DHCP 分派DNS***/ srx_admin# set system services dhcp pool 192.168.1.0/24 name-server 202.96.209.5 srx_admin# set system services dhcp propagate-settings vlan.0 /***DHCP分发端口***/ ※配备内网接口地址 srx_admin# set interfaces vlan unit 0 family inet address 192.168.1.1/24 ※内网接口调用DHCP地址池 srx_admin#set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services dhcp 2.2、Routing Static Route srx_admin# set route-option static route 0.0.0.0/0 next-hop 116.228.60.153 /***默认路由***/ srx_admin# set route-option static route 10.50.10.0/24 next-hop st0.0 /***Route Basiced VPN路由***/ 2.3、SNMP srx_admin# set snmp community Ajitec authorization read-only/read-write /***SNMP监控权限***/ srx_admin# set snmp client-list snmp_srx240 10.192.8.99/32 /***SNMP监控主机***/ 第三节 高档设立 3.1.1 修改服务端口 srx_admin# set system services web-management http port 8000 /***更改webhttp管理端标语***/ srx_admin# set system services web-management https port 1443 /***更改webhttps管理端标语***/ 3.1.2 检查硬件序列号 srx# run show chassis hardware Hardware inventory: Item Version Part number Serial number Description Chassis BZ2615AF0491 SRX100H2 Routing Engine REV 05 BZ2615AF0491 RE-SRX100H2 FPC 0 FPC PIC 0 8x FE Base PIC Power Supply 0 3.1.3 内外网接口启用端口服务 ※定义系统服务 srx_admin# set system services ssh srx_admin# set system services telnet srx_admin# set system services web-management http interface vlan.0 srx_admin# set system services web-management http interface fe-0/0/0.0 srx_admin# set system services web-management https interface vlan.0 srx_admin# set system services web-management management-url admin /***后期用https://ip/admin就可以登录管理页面，不加就直接跳转***/ ※内网接口启用端口服务 srx_admin#set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ping /***启动ping ***/ srx_admin#set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services http /***启动http ***/ srx_admin#set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services telnet /***启动telnet ***/ ※外网接口启用端口服务 srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping /***启动ping ***/ srx_admin#set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services telnet /***启动telnet ***/ srx_admin#set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services http /***启动http ***/ srx_admin#set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all /***启动所有服务***/ 3.1.4 创立系统服务 srx_admin#set applications application RDP protocol tcp /***合同选取tcp***/ srx_admin#set applications application RDP source-port 0-65535 /***源端口***/ srx_admin#set applications application RDP destination-port 3389 /***目端口***/ srx_admin#set applications application RDP protocol udp /***合同选取udp***/ srx_admin#set applications application RDP source-port 0-65535 /***源端口***/ srx_admin#set applications application RDP destination-port 3389 /***目端口***/ 3.1.5 VIP端口映射 ※Destination NAT配备 srx_admin#set security nat destination pool 22 address 192.168.1.20/32 /***Destination NAT pool设立，为真实内网地址***/ srx_admin#set security nat destination pool 22 address port 3389 /***Destination NAT pool设立，为内网地址端标语***/ srx_admin#set security nat destination rule-set 2 from zone untrust /*** Destination NAT Rule设立，访问流量从untrust区域过来***/ srx_admin#set security nat destination rule-set 2 rule 111 match source-address 0.0.0.0/0 /*** Destination NAT Rule设立，访问流量可以任意地址***/ srx_admin#set security nat destination rule-set 2 rule 111 match destination-address 116.228.60.154/32 /*** Destination NAT Rule设立，访问目地址是116.228.60.157***/ srx_admin#set security nat destination rule-set 2 rule 111 match destination-port 3389 /*** Destination NAT Rule设立，访问目地址端标语***/ srx_admin#set security nat destination rule-set 2 rule 111 then destination-nat pool 22 /***Destination NAT Rule设立，调用pool地址***/ ※方略配备 srx_admin#set security policies from-zone untrust to-zone trust policy vip match source-address any srx_admin#set security policies from-zone untrust to-zone trust policy vip match destination-address H192.168.1.20/32 srx_admin#set security policies from-zone untrust to-zone trust policy vip match application any srx_admin#set security policies from-zone untrust to-zone trust policy vip then permit srx_admin#set security zones security-zone trust address-book address H192.168.1.20/32 192.168.1.20/32 3.1.6 MIP映射 ※Destination NAT设立 srx_admin#set security nat destination pool 111 address 192.168.1.3/32 /***Destination NAT pool设立，为真实内网地址***/ srx_admin#set security nat destination rule-set 1 from zone untrust /***Destination NAT Rule设立，访问流量从untrust区域过来***/ srx_admin#set security nat destination rule-set 1 rule 111 match source-address 0.0.0.0/0 /***Destination NAT Rule设立，访问流量可以任意地址***/ srx_admin#set security nat destination rule-set 1 rule 11 match destination-address 116.228.60.157/32 /***Destination NAT Rule设立，访问目地址是116.228.60.157***/ srx_admin#set security nat destination rule-set 1 rule 11 then destination-nat pool 11 /***Destination NAT Rule设立，调用pool地址***/ ※配备ARP代理 srx_admin#set security nat proxy-arp interface fe-0/0/0.0 address 116.228.60.157/32 ※方略配备 srx_admin#set security policies from-zone untrust to-zone trust policy mip match source-address any srx_admin#set security policies from-zone untrust to-zone trust policy mip match destination-address H192.168.1.20/32 srx_admin#set security policies from-zone untrust to-zone trust policy mip match application any srx_admin#set security policies from-zone untrust to-zone trust policy mip then permit 3.1.7禁用console口 juniper-srx@SRX100H2# edit system ports console /***进入console接口***/ juniper-srx@SRX100H2# set disable /***关闭端口***/ juniper-srx@SRX100H2# commit confirmed 3 /***提交3分钟，3分钟后回退***/ 3.1.8 Juniper SRX带源ping外网默认不通，需要做源地址NAT set security nat source rule-set LOCAL from zone junos-host set security nat source rule-set LOCAL to zone untrust set security nat source rule-set LOCAL rule LOCAL match source-address 192.168.1.1/32 set security nat source rule-set LOCAL rule LOCAL match destination-address 0.0.0.0/0 set security nat source rule-set LOCAL rule LOCAL then source-nat interface set security nat source rule-set trust-to-untrust from zone trust set security nat source rule-set trust-to-untrust to zone untrust set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0 set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface 3.1.9 设立SRX管理IP ※参照防火墙外网接口端口服务 set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping set security zones security-z