JuniperSRX详细配置基础手册含注释.doc (Juniper SRX detailed basic configuration manual, with annotations)

Uploaded by: 快乐****生活   Document ID: 3032586   Upload date: 2024-06-13   Format: DOC   Pages: 32   Size: 320.54 KB
Juniper SRX Basic Configuration

Contents

Section 1: System configuration
1.1 Device initialization
1.1.1 Login
1.1.2 Set the root user password
1.1.3 Set a remote-login management user
2. System management
1.2.1 Select the time zone
1.2.2 System time
1.2.3 DNS server
1.2.4 System reboot
1.2.5 Alarm handling
1.2.6 Root password reset
Section 2: Network settings
2.1 Interface
2.1.1 PPPoE
2.1.2 Manual
2.1.3 DHCP
2.2 Routing
Static Route
2.3 SNMP
Section 3: Advanced settings
3.1.1 Change service ports
3.1.2 Check the hardware serial number
3.1.3 Enable services on the internal and external interfaces
3.1.4 Create a service
3.1.5 VIP port mapping
3.1.6 MIP mapping
3.1.7 Disable the console port
3.1.8 Pinging the Internet from the SRX with a source address fails by default; source NAT is required
3.1.9 Set the SRX management IP
3.2.0 Configuration rollback
3.2.1 Invoking UTM
3.2.2 Resolving slow network access
Section 4: VPN settings
4.1 Site-to-site IPsec VPN
4.1.1 Route based
4.1.2 Policy based
4.2 Remote VPN
4.2.1 SRX-side configuration
4.2.2 Client configuration

Section 1: System configuration

1.1 Device initialization

1.1.1 Login

The first login must be made over a console connection to the SRX. Log in as the root user; the password is empty.

    login: root
    Password:
    --- JUNOS 9.5R1.8 built -07-16 15:04:30 UTC
    root% cli                          /* enter operational mode */
    root> configure
    Entering configuration mode        /* enter configuration mode */
    [edit]
    root#

1.1.2 Set the root user password

The root account password must be configured; otherwise none of the subsequent configuration or changes can be committed.

    root# set system root-authentication plain-text-password
    New password: root123
    Retype new password: root123

The password is stored and displayed in encrypted form:

    root# show system root-authentication
    encrypted-password "$1$xavDeUe6$fNM6olGU.8.M7B62u05D6."; ## SECRET-DATA

Note: it is strongly recommended not to use the other encryption options (such as the encrypted-password option) to set the root or other user passwords. That parameter expects a string that has already been processed by the hashing algorithm; typing one in by hand risks producing a password that cannot be verified.

Note: the root user is only for local management of the SRX over the console connection; it cannot log in remotely to manage the SRX. The root password must be set successfully before commit can be executed for any subsequent configuration commands.

1.1.3 Set a remote-login management user

    root# set system login user lab class super-user authentication plain-text-password
    New password: juniper
    Retype new password: srx123

Note: this user has super-user privileges and can be used for both console and remote management access. Other users with different management privileges can also be defined as needed.

2. System management

1.2.1 Select the time zone

    srx_admin# set system time-zone Asia/Shanghai    /* Asia/Shanghai */

1.2.2 System time

1.2.2.1 Set manually

    srx_admin> set date 1137.00
    srx_admin> show system uptime
    Current time:      -11-20 15:37:14 UTC
    System booted:     -11-20 15:21:48 UTC (2d 00:15 ago)
    Protocols started: -11-20 15:24:45 UTC (2d 00:12 ago)
    Last configured:   -11-20 15:30:38 UTC (00:06:36 ago) by srx_admin
    3:37PM  up 2 days, 15 mins, 3 users, load averages: 0.07, 0.17, 0.14

1.2.2.2 One-off NTP synchronization

    srx_admin> set date ntp 202.120.2.101
    8 Feb 15:49:50 ntpdate[6616]: step time server 202.120.2.101 offset -28796.357071 sec

1.2.2.3 NTP servers

    srx_admin# set system ntp server 202.100.102.1
    srx_admin# set system ntp server ntp.api.bz    /* NTP server for the SRX itself; the device must have network access to resolve the NTP host name, otherwise the command cannot be entered */

    srx_admin> show ntp status
    status=c011 sync_alarm, sync_unspec, 1 event, event_restart,
    version=ntpd 4.2.0-a Fri Nov 20 15:44:16 UTC (1), processor=octeon,
    system=JUNOS12.1X44-D35.5, leap=11, stratum=16, precision=-17,
    rootdelay=0.000, rootdispersion=0.105, peer=0, refid=INIT,
    reftime=00000000.00000000 Thu, Feb 7 2036 14:28:16.000, poll=4,
    clock=d88195bc.562dc2db Sun, Feb 8 7:58:52.336, state=0,
    offset=0.000, frequency=0.000, jitter=0.008, stability=0.000

    srx_admin> show ntp associations
         remote           refid      st t  when poll reach   delay   offset  jitter
    ==============================================================================
     15.179.156.248                   3 -    16   64    1   5.473   -0.953   0.008
     202.100.102.1    .INIT.         16 -     -   64    0   0.000    0.000  4000.00

1.2.3 DNS server

    srx_admin# set system name-server 202.96.209.5    /* DNS server used by the SRX itself */

1.2.4 System reboot

1.2.4.1 Reboot the system

    srx_admin> request system reboot

1.2.4.2 Power off the system

    srx_admin> request system power-off

1.2.5 Alarm handling

1.2.5.1 View alarms

    root# run show system alarms
    2 alarms currently active
    Alarm time               Class  Description
    -11-20 14:21:49 UTC      Minor  Autorecovery information needs to be saved
    -11-20 14:21:49 UTC      Minor  Rescue configuration is not set

1.2.5.2 Clearing the alarms

Resolving alarm 1:

    root> request system autorecovery state save
    Saving config recovery information
    Saving license recovery information
    Saving BSD label recovery information

Resolving alarm 2:

    root> request system configuration rescue save

1.2.6 Root password reset

If the SRX root password is lost and no other user with super-user privileges exists, a password recovery must be performed. The procedure interrupts normal operation of the device but does not lose the configuration. The steps are as follows:

1. Reboot the firewall. When the prompt below appears in the terminal (CRT), press the space bar to interrupt the normal boot, then enter single-user mode by typing: boot -s

    Loading /boot/defaults/loader.conf
    /kernel data=0xb15b3c+0x13464c syms=[0x4+0x8bb00+0x4+0xcac15]
    Hit [Enter] to boot immediately, or space bar for command prompt.
    loader>
    loader> boot -s

2. Run the password recovery: type recovery at the prompt shown below. The device then reboots automatically.

    Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery
    ***** FILE SYSTEM WAS MODIFIED *****
    System watchdog timer disabled
    Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery

3. Enter configuration mode, delete the root password, set a new root password, then save and reboot.

    root> configure
    Entering configuration mode
    [edit]
    root# delete system root-authentication
    [edit]
    root# set system root-authentication plain-text-password
    New password:
    Retype new password:
    [edit]
    root# commit
    commit complete
    [edit]
    root# exit
    Exiting configuration mode
    root> request system reboot
    Reboot the system ? [yes,no] (no) yes

Section 2: Network settings

2.1 Interface

2.1.1 PPPoE

Configure PPP encapsulation on the external interface (fe-0/0/0):

    srx_admin# set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether

CHAP authentication:

    srx_admin# set interfaces pp0 unit 0 ppp-options chap default-chap-secret    /* PPPoE password */
    srx_admin# set interfaces pp0 unit 0 ppp-options chap local-name rxgjhygs163    /* PPPoE account */
    srx_admin# set interfaces pp0 unit 0 ppp-options chap passive    /* passive mode */

PAP authentication:

    srx_admin# set interfaces pp0 unit 0 ppp-options pap default-password    /* PPPoE password */
    srx_admin# set interfaces pp0 unit 0 ppp-options pap local-name rxgjhygs163    /* PPPoE account */
    srx_admin# set interfaces pp0 unit 0 ppp-options pap local-password    /* PPPoE password */
    srx_admin# set interfaces pp0 unit 0 ppp-options pap passive    /* passive mode */

Bind the PPP interface to the physical interface:

    srx_admin# set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/0.0    /* run the PPPoE dial-up on the external interface (fe-0/0/0) */

PPPoE dial-up attributes:

    srx_admin# set interfaces pp0 unit 0 pppoe-options idle-timeout 0    /* idle timeout */
    srx_admin# set interfaces pp0 unit 0 pppoe-options auto-reconnect 3    /* redial automatically after 3 seconds */
    srx_admin# set interfaces pp0 unit 0 pppoe-options client    /* act as a PPPoE client */
    srx_admin# set interfaces pp0 unit 0 family inet mtu 1492    /* change the MTU of this interface to 1492, because the PPPoE header adds some overhead */
    srx_admin# set interfaces pp0 unit 0 family inet negotiate-address    /* negotiate the address automatically, i.e. the server assigns a dynamic address */

Default route:

    srx_admin# set routing-options static route 0.0.0.0/0 next-hop pp0.0

Place the PPPoE interface in the untrust zone:

    srx_admin# set security zones security-zone untrust interfaces pp0.0

Verify whether the PPPoE session is up and whether an IP address has been obtained:

    srx_admin# run show interfaces terse | match pp
    pp0      up    up
    pp0.0    up    up   inet   192.168.163.1    --> 1.1.1.1
    ppd0     up    up
    ppe0     up    up

Note: once the PPPoE session is up, the MTU should be tuned for the best browsing experience (an unsuitable MTU makes browsing sluggish):

    srx_admin# set interfaces pp0 unit 0 family inet mtu 1304    /* adjust the MTU */
    srx_admin# set security flow tcp-mss all-tcp mss 1304    /* adjust the TCP MSS */

2.1.2 Manual

    srx_admin# set interfaces fe-0/0/0 unit 0 family inet address 202.105.41.138/29

2.1.3 DHCP

Enable a DHCP address pool:

    srx_admin# set system services dhcp pool 192.168.1.0/24 router 192.168.1.1    /* DHCP gateway */
    srx_admin# set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2    /* first address of the DHCP pool */
    srx_admin# set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254    /* last address of the DHCP pool */
    srx_admin# set system services dhcp pool 192.168.1.0/24 default-lease-time 36000    /* DHCP lease time */
    srx_admin# set system services dhcp pool 192.168.1.0/24 domain-name    /* DHCP domain name */
    srx_admin# set system services dhcp pool 192.168.1.0/24 name-server 202.96.209.133    /* DNS handed out by DHCP */
    srx_admin# set system services dhcp pool 192.168.1.0/24 name-server 202.96.209.5
    srx_admin# set system services dhcp propagate-settings vlan.0    /* DHCP distribution interface */

Configure the internal interface address:

    srx_admin# set interfaces vlan unit 0 family inet address 192.168.1.1/24

Let the internal interface serve the DHCP pool:

    srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services dhcp

2.2 Routing

Static Route

    srx_admin# set routing-options static route 0.0.0.0/0 next-hop 116.228.60.153    /* default route */
    srx_admin# set routing-options static route 10.50.10.0/24 next-hop st0.0    /* route for the route-based VPN */

2.3 SNMP

    srx_admin# set snmp community Ajitec authorization read-only    /* SNMP monitoring permission: read-only, or read-write if writes are required */
    srx_admin# set snmp client-list snmp_srx240 10.192.8.99/32    /* SNMP monitoring host */

Section 3: Advanced settings

3.1.1 Change service ports

    srx_admin# set system services web-management http port 8000    /* change the HTTP web-management port */
    srx_admin# set system services web-management https port 1443    /* change the HTTPS web-management port */

3.1.2 Check the hardware serial number

    srx# run show chassis hardware
    Hardware inventory:
    Item             Version  Part number  Serial number     Description
    Chassis                                BZ2615AF0491      SRX100H2
    Routing Engine   REV 05                BZ2615AF0491      RE-SRX100H2
    FPC 0                                                    FPC
      PIC 0                                                  8x FE Base PIC
    Power Supply 0

3.1.3 Enable services on the internal and external interfaces

Define the system services:

    srx_admin# set system services ssh
    srx_admin# set system services telnet
    srx_admin# set system services web-management http interface vlan.0
    srx_admin# set system services web-management http interface fe-0/0/0.0
    srx_admin# set system services web-management https interface vlan.0
    srx_admin# set system services web-management management-url admin    /* afterwards https://ip/admin opens the management page; without this setting the address redirects directly */

Enable services on the internal interface:

    srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ping    /* allow ping */
    srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services http    /* allow http */
    srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services telnet    /* allow telnet */

Enable services on the external interface:

    srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping    /* allow ping */
    srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services telnet    /* allow telnet */
    srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services http    /* allow http */
    srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all    /* allow all services */

3.1.4 Create a service

    srx_admin# set applications application RDP protocol tcp    /* protocol: tcp */
    srx_admin# set applications application RDP source-port 0-65535    /* source port */
    srx_admin# set applications application RDP destination-port 3389    /* destination port */
    srx_admin# set applications application RDP protocol udp    /* protocol: udp */
    srx_admin# set applications application RDP source-port 0-65535    /* source port */
    srx_admin# set applications application RDP destination-port 3389    /* destination port */

3.1.5 VIP port mapping

Destination NAT configuration:

    srx_admin# set security nat destination pool 22 address 192.168.1.20/32    /* destination NAT pool: the real internal address */
    srx_admin# set security nat destination pool 22 address port 3389    /* destination NAT pool: the port on the internal host */
    srx_admin# set security nat destination rule-set 2 from zone untrust    /* destination NAT rule: traffic arrives from the untrust zone */
    srx_admin# set security nat destination rule-set 2 rule 111 match source-address 0.0.0.0/0    /* destination NAT rule: any source address */
    srx_admin# set security nat destination rule-set 2 rule 111 match destination-address 116.228.60.154/32    /* destination NAT rule: the public destination address */
    srx_admin# set security nat destination rule-set 2 rule 111 match destination-port 3389    /* destination NAT rule: the destination port */
    srx_admin# set security nat destination rule-set 2 rule 111 then destination-nat pool 22    /* destination NAT rule: translate to the pool address */

Policy configuration:

    srx_admin# set security policies from-zone untrust to-zone trust policy vip match source-address any
    srx_admin# set security policies from-zone untrust to-zone trust policy vip match destination-address H192.168.1.20/32
    srx_admin# set security policies from-zone untrust to-zone trust policy vip match application any
    srx_admin# set security policies from-zone untrust to-zone trust policy vip then permit
    srx_admin# set security zones security-zone trust address-book address H192.168.1.20/32 192.168.1.20/32

3.1.6 MIP mapping

Destination NAT configuration:

    srx_admin# set security nat destination pool 111 address 192.168.1.3/32    /* destination NAT pool: the real internal address */
    srx_admin# set security nat destination rule-set 1 from zone untrust    /* destination NAT rule: traffic arrives from the untrust zone */
    srx_admin# set security nat destination rule-set 1 rule 111 match source-address 0.0.0.0/0    /* destination NAT rule: any source address */
    srx_admin# set security nat destination rule-set 1 rule 111 match destination-address 116.228.60.157/32    /* destination NAT rule: the destination address is 116.228.60.157 */
    srx_admin# set security nat destination rule-set 1 rule 111 then destination-nat pool 111    /* destination NAT rule: translate to the pool address */

Configure proxy ARP:

    srx_admin# set security nat proxy-arp interface fe-0/0/0.0 address 116.228.60.157/32

Policy configuration:

    srx_admin# set security policies from-zone untrust to-zone trust policy mip match source-address any
    srx_admin# set security policies from-zone untrust to-zone trust policy mip match destination-address H192.168.1.20/32
    srx_admin# set security policies from-zone untrust to-zone trust policy mip match application any
    srx_admin# set security policies from-zone untrust to-zone trust policy mip then permit

3.1.7 Disable the console port

    juniper-srx@SRX100H2# edit system ports console    /* enter the console port stanza */
    juniper-srx@SRX100H2# set disable    /* disable the port */
    juniper-srx@SRX100H2# commit confirmed 3    /* commit provisionally; the change is rolled back automatically after 3 minutes unless the commit is confirmed */

3.1.8 Pinging the Internet from the SRX with a source address fails by default; source NAT is required

    set security nat source rule-set LOCAL from zone junos-host
    set security nat source rule-set LOCAL to zone untrust
    set security nat source rule-set LOCAL rule LOCAL match source-address 192.168.1.1/32
    set security nat source rule-set LOCAL rule LOCAL match destination-address 0.0.0.0/0
    set security nat source rule-set LOCAL rule LOCAL then source-nat interface
    set security nat source rule-set trust-to-untrust from zone trust
    set security nat source rule-set trust-to-untrust to zone untrust
    set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
    set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface

3.1.9 Set the SRX management IP

Refer to the external-interface services of the firewall:

    set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
    set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
    set security zones security-z
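Sections 2.3 and 3.1.3 above enable telnet, HTTP web management, a read-write-capable SNMP community and `host-inbound-traffic system-services all` on the untrust interface, all of which widen the management plane of the firewall. The script below is an added example, not part of the original manual or of Juniper's tooling: it scans a transcript of `set` commands in the form the manual uses and reports the exposures a reviewer would look for. The sample configuration, the zone name `untrust` being the Internet-facing zone, and the severity labels are assumptions made for the example.

```python
"""Audit Junos 'set' commands for cleartext or over-broad management exposure.

Added example (not code from the manual). It recognises only the command
forms shown in the manual: system services, zone host-inbound-traffic and
SNMP communities.
"""
import re
from dataclasses import dataclass

PROMPT_RE = re.compile(r"^\s*[\w@.-]*[#>]\s*")   # strips prompts such as "srx_admin# "
COMMENT_RE = re.compile(r"/\*.*?\*/")             # strips /* ... */ annotations

UNTRUSTED_ZONES = {"untrust"}                     # assumption: Internet-facing zones
RISKY_SERVICES = {"telnet", "http", "ftp", "all"}  # cleartext credentials or "everything"


@dataclass(frozen=True)
class Finding:
    severity: str
    line: str
    reason: str


def parse_set_lines(text: str) -> list[list[str]]:
    """Return the token lists of every 'set ...' command in a CLI transcript."""
    commands = []
    for raw in text.splitlines():
        line = COMMENT_RE.sub("", PROMPT_RE.sub("", raw)).strip()
        if line.startswith("set "):
            commands.append(line.split())
    return commands


def audit(text: str) -> list[Finding]:
    findings = []
    for tok in parse_set_lines(text):
        line = " ".join(tok)
        # set system services telnet | web-management http ...
        if tok[:3] == ["set", "system", "services"] and len(tok) > 3:
            if tok[3] == "telnet":
                findings.append(Finding("high", line, "telnet carries credentials in cleartext; use ssh"))
            elif tok[3] == "web-management" and len(tok) > 4 and tok[4] == "http":
                findings.append(Finding("high", line, "HTTP web management is cleartext; use https"))
        # set security zones security-zone Z [interfaces I] host-inbound-traffic system-services S
        if (tok[:4] == ["set", "security", "zones", "security-zone"]
                and "host-inbound-traffic" in tok and tok[-2] == "system-services"):
            zone, svc = tok[4], tok[-1]
            if zone in UNTRUSTED_ZONES and svc in RISKY_SERVICES:
                sev = "critical" if svc == "all" else "high"
                findings.append(Finding(sev, line, f"{svc} reachable from untrusted zone {zone}"))
        # set snmp community NAME authorization read-write
        if tok[:3] == ["set", "snmp", "community"] and tok[-2:] == ["authorization", "read-write"]:
            findings.append(Finding("high", line, "read-write SNMP community allows configuration changes"))
    return findings


# Constructed sample transcript, modelled on sections 2.3 and 3.1.3 of the manual.
SAMPLE_CONFIG = """\
srx_admin# set system services ssh
srx_admin# set system services telnet
srx_admin# set system services web-management http interface vlan.0
srx_admin# set system services web-management https interface vlan.0
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services http /* allow http */
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services telnet
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all /* allow all */
srx_admin# set snmp community Ajitec authorization read-write
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.line}\n    {f.reason}")
```

Run against the sample, the audit reports five findings: the telnet service, HTTP web management, telnet and `all` permitted inbound on the untrust interface (the `all` entry rated critical), and the read-write SNMP community. The same `http` service on the trust interface is not reported, because the check keys on the zone, not the service alone.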
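The VIP and MIP sections (3.1.5 and 3.1.6) each need three pieces to agree: a destination NAT pool, a NAT rule that references that pool, and a security policy whose destination address-book entry covers the pool's internal address, since a destination-NAT translation is useless if the post-NAT address is not permitted by any policy. The script below is an added example, not code from the manual or from Juniper; it cross-checks those three pieces. The sample lines are constructed after the manual's two sections and carry two deliberate defects (a rule that names an undefined pool, and a policy whose destination does not cover the pool address) so the check has something to report. The regular expressions match only the command forms the manual shows, and the check does not evaluate policy actions or ordering.

```python
"""Cross-check Junos destination NAT pools, NAT rules and security policies.

Added example, not part of the original manual. Assumes the 'set' command
forms used in the manual's VIP/MIP sections; sample lines are constructed.
"""
import ipaddress
import re

PROMPT_RE = re.compile(r"^\s*[\w@.-]*[#>]\s*")   # strips prompts such as "srx_admin# "
COMMENT_RE = re.compile(r"/\*.*?\*/")             # strips /* ... */ annotations

POOL_RE = re.compile(r"set security nat destination pool (\S+) address (\S+)")
RULE_RE = re.compile(r"set security nat destination rule-set (\S+) rule (\S+) then destination-nat pool (\S+)")
BOOK_RE = re.compile(r"set security zones security-zone (\S+) address-book address (\S+) (\S+)")
POLICY_RE = re.compile(r"set security policies from-zone (\S+) to-zone (\S+) policy (\S+) match destination-address (\S+)")


def set_lines(text: str):
    """Yield cleaned 'set ...' commands from a CLI transcript."""
    for raw in text.splitlines():
        line = COMMENT_RE.sub("", PROMPT_RE.sub("", raw)).strip()
        if line.startswith("set "):
            yield line


def check_destination_nat(text: str) -> list[str]:
    pools = {}          # pool name -> internal prefix
    rule_pools = {}     # (rule-set, rule) -> pool name referenced
    address_book = {}   # (zone, entry name) -> prefix
    policy_dests = {}   # (from-zone, to-zone, policy) -> [destination names]
    for line in set_lines(text):
        if m := POOL_RE.fullmatch(line):
            pools[m[1]] = m[2]
        elif m := RULE_RE.fullmatch(line):
            rule_pools[(m[1], m[2])] = m[3]
        elif m := BOOK_RE.fullmatch(line):
            address_book[(m[1], m[2])] = m[3]
        elif m := POLICY_RE.fullmatch(line):
            policy_dests.setdefault((m[1], m[2], m[3]), []).append(m[4])

    problems = []
    # 1. Every NAT rule must name a pool that actually exists.
    for (rule_set, rule), pool in rule_pools.items():
        if pool not in pools:
            problems.append(f"rule-set {rule_set} rule {rule} references undefined pool {pool}")
    # 2. Every pool address must fall inside some policy destination in the to-zone's
    #    address book (or the policy must use 'any'); otherwise translated traffic is dropped.
    for pool, prefix in pools.items():
        target = ipaddress.ip_network(prefix, strict=False)
        covered = False
        for (_frm, to_zone, _pol), names in policy_dests.items():
            for name in names:
                if name == "any":
                    covered = True
                    continue
                book_prefix = address_book.get((to_zone, name))
                if book_prefix and target.subnet_of(ipaddress.ip_network(book_prefix, strict=False)):
                    covered = True
        if not covered:
            problems.append(f"pool {pool} ({prefix}) is not covered by any policy destination-address")
    return problems


# Constructed sample, modelled on sections 3.1.5 and 3.1.6 of the manual, with two defects.
SAMPLE = """\
srx_admin# set security nat destination pool 22 address 192.168.1.20/32
srx_admin# set security nat destination pool 22 address port 3389
srx_admin# set security nat destination rule-set 2 from zone untrust
srx_admin# set security nat destination rule-set 2 rule 111 match destination-address 116.228.60.154/32
srx_admin# set security nat destination rule-set 2 rule 111 match destination-port 3389
srx_admin# set security nat destination rule-set 2 rule 111 then destination-nat pool 22
srx_admin# set security policies from-zone untrust to-zone trust policy vip match destination-address H192.168.1.20/32
srx_admin# set security policies from-zone untrust to-zone trust policy vip then permit
srx_admin# set security zones security-zone trust address-book address H192.168.1.20/32 192.168.1.20/32
srx_admin# set security nat destination pool 111 address 192.168.1.3/32
srx_admin# set security nat destination rule-set 1 from zone untrust
srx_admin# set security nat destination rule-set 1 rule 11 match destination-address 116.228.60.157/32
srx_admin# set security nat destination rule-set 1 rule 11 then destination-nat pool 11    /* defect: pool 11 is not defined */
srx_admin# set security policies from-zone untrust to-zone trust policy mip match destination-address H192.168.1.20/32    /* defect: does not cover 192.168.1.3 */
srx_admin# set security policies from-zone untrust to-zone trust policy mip then permit
"""

if __name__ == "__main__":
    for p in check_destination_nat(SAMPLE):
        print("PROBLEM:", p)
```

On the sample the check reports exactly the two planted defects; the VIP mapping passes because pool 22's address 192.168.1.20/32 is covered by the `H192.168.1.20/32` address-book entry that policy `vip` references.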
