1、Juniper SRX原则配备第一节 系统配备31.1、设备初始化31.1.1登陆31.1.2设立root顾客口令31.1.3设立远程登陆管理顾客32、系统管理41.2.1 选取时区41.2.2 系统时间41.2.3 DNS服务器51.2.4系统重启51.2.5 Alarm告警解决51.2.6 Root密码重置6第二节 网络设立72.1、Interface72.1.1 PPPOE72.1.2 Manual82.1.3 DHCP82.2、Routing9Static Route92.3、SNMP9第三节 高档设立93.1.1 修改服务端口93.1.2 检查硬件序列号93.1.3 内外网接口启用端
2、口服务103.1.4 创立端口服务103.1.5 VIP端口映射103.1.6 MIP映射113.1.7禁用console口123.1.8 Juniper SRX带源ping外网默认不通,需要做源地址NAT123.1.9 设立SRX管理IP123.2.0 配备回退133.2.1 UTM调用133.2.2 网络访问缓慢解决13第四节 VPN设立144.1、点对点IPSec VPN144.1.1 Route Basiced144.1.2 Policy Basiced174.2、Remote VPN194.2.1 SRX端配备194.2.2 客户端配备20第一节 系统配备1.1、设备初始化1.1.1
3、登陆初次登录需要使用Console口连接SRX,root顾客登陆,密码为空login:rootPassword:- JUNOS 9.5R1.8 built -07-16 15:04:30 UTCroot% cli /*进入操作模式*/rootroot configureEntering configuration mode /*进入配备模式*/editRoot#1.1.2设立root顾客口令(必要配备root帐号密码,否则后续所有配备及修改都无法提交)root# set system root-authentication plain-text-passwordroot# new passwo
4、rd :root123root# retype new password:root123密码将以密文方式显示root# show system root-authenticationencrypted-password $1$xavDeUe6$fNM6olGU.8.M7B62u05D6.;# SECRET-DATA注意:强烈建议不要使用其他加密选项来加密root和其他user口令(如encrypted-password加密方式),此配备参数规定输入口令应是经加密算法加密后字符串,采用这种加密方式手工输入时存在密码无法通过验证风险。注:root顾客仅用于console连接本地管理SRX,不能通过
5、远程登陆管理SRX,必要成功设立root口令后,才干执行commit提交后续配备命令。1.1.3设立远程登陆管理顾客root# set system login user lab class super-user authentication plain-text-passwordroot# new password :juniperroot# retype new password:srx123注:此juniper顾客拥有超级管理员权限,可用于console和远程管理访问,另也可自行灵活定义其他不同管理权限顾客。2、系统管理1.2.1 选取时区srx_admin# set system ti
6、me-zone Asia/Shanghai /*亚洲/上海*/1.2.2 系统时间1.2.2.1 手动设定srx_admin set date 1137.00srx_admin show system uptime Current time:-11-20 15:37:14 UTCSystem booted:-11-20 15:21:48 UTC (2d 00:15 ago)Protocols started:-11-20 15:24:45 UTC (2d 00:12 ago)Last configured:-11-20 15:30:38 UTC (00:06:36 ago) by srx_ad
7、min 3:37PM up 2 days,15 mins,3 users,load averages:0.07,0.17,0.141.2.2.2 NTP同步一次srx_admin set date ntp 202.120.2.101 8 Feb 15:49:50 ntpdate6616:step time server 202.120.2.101 offset -28796.357071 sec1.2.2.3 NTP服务器srx_admin# set system ntp server 202.100.102.1srx_admin#set system ntp server ntp.api.b
8、z/*SRX系统NTP服务器,设备需要联网可以解析ntp地址,否则命令无法输入*/srx_admin show ntp status status=c011 sync_alarm,sync_unspec,1 event,event_restart,version=ntpd 4.2.0-a Fri Nov 20 15:44:16 UTC (1),processor=octeon,system=JUNOS12.1X44-D35.5,leap=11,stratum=16,precision=-17,rootdelay=0.000,rootdispersion=0.105,peer=0,refid=I
9、NIT,reftime=00000000.00000000 Thu,Feb 7 2036 14:28:16.000,poll=4,clock=d88195bc.562dc2db Sun,Feb 8 7:58:52.336,state=0,offset=0.000,frequency=0.000,jitter=0.008,stability=0.000srx_adminholy-shit show ntp associations remote refid st t when poll reach delay offset jitter= 15.179.156.248 3 - 16 64 1 5
10、.473 -0.953 0.008 202.100.102.1 .INIT. 16 - - 64 0 0.000 0.000 4000.001.2.3 DNS服务器srx_admin# set system name-server 202.96.209.5 /*SRX系统DNS*/1.2.4 系统重启1.2.4.1重启系统srx_admin request system reboot1.2.4.2关闭系统srx_admin request system power-off1.2.5 Alarm告警解决1.2.5.1告警查看root# run show system alarms 2 alarm
11、s currently activeAlarm time Class Description-11-20 14:21:49 UTC Minor Autorecovery information needs to be saved-11-20 14:21:49 UTC Minor Rescue configuration is not set1.2.5.2 告警解决告警一解决root request system autorecovery state save Saving config recovery informationSaving license recovery informatio
12、nSaving BSD label recovery information告警二解决root request system configuration rescue save1.2.6 Root密码重置SRX Root密码丢失,并且没有其她超级顾客权限,那么就需要执行密码恢复,该操作需要中断设备正常运营,但不会丢失配备信息。操作环节如下:1.重启防火墙,CRT上浮现下面提示时,按空格键中断正常启动,然后再进入单顾客状态,并输入:boot sLoading /boot/defaults/loader.conf /kernel data=0xb15b3c+0x13464c syms=0x4+0x
13、8bb00+0x4+0xcac15Hit Enter to boot immediately,or space bar for command prompt.loader loader boot -s2. 执行密码恢复:在如下提示文字后输入recovery,设备将自动进行重启 Enter full pathname of shell or recovery for root password recovery or RETURN for /bin/sh:recovery* FILE SYSTEM WAS MODIFIED *System watchdog timer disabledEnter
14、 full pathname of shell or recovery for root password recovery or RETURN for /bin/sh:recovery3. 进入配备模式,删除root密码后重新设立root密码,并保存重启root configure Entering configuration modeeditroot# delete system root-authentication editroot# set system root-authentication plain-text-passwordNew password:Retype new pa
15、ssword:editroot# commitcommit completeeditroot# exitExiting configuration moderoot request system rebootReboot the system ?yes,no (no) yes 第二节 网络设立2.1、Interface2.1.1 PPPOE在外网接口(fe-0/0/0)下封装PPPsrx_admin# set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-etherCHAP认证配备srx_admin# set interfaces pp0
16、unit 0 ppp-options chap default-chap-secret /*PPPOE密码*/srx_admin# set interfaces pp0 unit 0 ppp-options chap local-name rxgjhygs163 /*PPPOE帐号*/srx_admin# set interfaces pp0 unit 0 ppp-options chap passive/*采用被动模式*/PAP认证配备srx_admin# set interfaces pp0 unit 0 ppp-options pap default-password /*PPPOE密码
17、*/srx_admin# set interfaces pp0 unit 0 ppp-options pap local-name rxgjhygs163 /*PPPOE帐号*/srx_admin# set interfaces pp0 unit 0 ppp-options pap local-password /*PPPOE密码*/srx_admin# set interfaces pp0 unit 0 ppp-options pap passive /*采用被动模式*/PPP接口调用srx_admin# set interfaces pp0 unit 0 pppoe-options und
18、erlying-interface fe-0/0/0.0/*在外网接口(fe-0/0/0)下启用PPPOE拨号*/PPPOE拨号属性配备srx_admin# set interfaces pp0 unit 0 pppoe-options idle-timeout 0/*空闲超时值*/srx_admin# set interfaces pp0 unit 0 pppoe-options auto-reconnect 3 /*3秒自动重拨*/srx_admin# set interfaces pp0 unit 0 pppoe-options client /*表达为PPPOE客户端*/srx_adm
19、in# set interfaces pp0 unit 0 family inet mtu 1492 /*修改此接口MTU值,改成1492。由于PPPOE报头会有一点开销*/srx_admin# set interfaces pp0 unit 0 family inet negotiate-address /*自动协商地址,即由服务端分派动态地址*/默认路由srx_admin# set routing-options static route 0.0.0.0/0 next-hop pp0.0PPPOE接口划入untrust接口srx_admin# set security zones secu
20、rity-zone untrust interfaces pp0.0验证PPPoE与否已经拔通,与否获得IP地址srx_admin#run show interfaces terse | match pppp0 up up pp0.0 up up inet 192.168.163.1 - 1.1.1.1ppd0 up up ppe0 up up 注:PPPOE拨号成功后需要调节MTU值,使上网体验达到最佳(MTU值不适当话上网会卡)srx_admin# set interfaces pp0 unit 0 family inet mtu 1304 /*调节MTU大小*/srx_admin# se
21、t security flow tcp-mss all-tcp mss 1304 /*调节TCP分片大小*/2.1.2 Manualsrx_admin# set interfaces fe-0/0/0 unit 0 family inet address 202.105.41.138/292.1.3 DHCP启用DHCP地址池srx_admin# set system services dhcp pool 192.168.1.0/24 router 192.168.1.1 /*DHCP网关*/srx_admin# set system services dhcp pool 192.168.1.
22、0/24 address-range low 192.168.1.2 /*DHCP地址池第一种地址*/srx_admin# set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254/*DHCP地址池最后一种地址*/srx_admin# set system services dhcp pool 192.168.1.0/24 default-lease-time 36000/*DHCP地址租期*/srx_admin# set system services dhcp pool 192.168.1.0
23、/24 domain-name /*DHCP域名*/srx_admin# set system services dhcp pool 192.168.1.0/24 name-server 202.96.209.133 /*DHCP 分派DNS*/srx_admin# set system services dhcp pool 192.168.1.0/24 name-server 202.96.209.5srx_admin# set system services dhcp propagate-settings vlan.0 /*DHCP分发端口*/配备内网接口地址srx_admin# set
24、interfaces vlan unit 0 family inet address 192.168.1.1/24内网接口调用DHCP地址池srx_admin#set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services dhcp2.2、RoutingStatic Routesrx_admin# set route-option static route 0.0.0.0/0 next-hop 116.228.60.153 /*默认路由*/srx_admin# set r
25、oute-option static route 10.50.10.0/24 next-hop st0.0 /*Route Basiced VPN路由*/2.3、SNMPsrx_admin# set snmp community Ajitec authorization read-only/read-write /*SNMP监控权限*/srx_admin# set snmp client-list snmp_srx240 10.192.8.99/32 /*SNMP监控主机*/第三节 高档设立3.1.1 修改服务端口srx_admin# set system services web-manag
26、ement http port 8000 /*更改webhttp管理端标语*/srx_admin# set system services web-management https port 1443 /*更改webhttps管理端标语*/3.1.2 检查硬件序列号srx# run show chassis hardware Hardware inventory:Item Version Part number Serial number DescriptionChassis BZ2615AF0491 SRX100H2Routing Engine REV 05 BZ2615AF0491 RE-
27、SRX100H2FPC 0 FPCPIC 0 8x FE Base PICPower Supply 0 3.1.3 内外网接口启用端口服务定义系统服务srx_admin# set system services sshsrx_admin# set system services telnetsrx_admin# set system services web-management http interface vlan.0srx_admin# set system services web-management http interface fe-0/0/0.0srx_admin# set s
28、ystem services web-management https interface vlan.0srx_admin# set system services web-management management-url admin/*后期用https:/ip/admin就可以登录管理页面,不加就直接跳转*/内网接口启用端口服务srx_admin#set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ping /*启动ping */srx_admin#set
29、 security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services http /*启动http */srx_admin#set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services telnet /*启动telnet */外网接口启用端口服务srx_admin# set security zones security-zone untrust interfa
30、ces fe-0/0/0.0 host-inbound-traffic system-services ping /*启动ping */srx_admin#set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services telnet /*启动telnet */srx_admin#set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-s
31、ervices http /*启动http */srx_admin#set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all /*启动所有服务*/3.1.4 创立系统服务srx_admin#set applications application RDP protocol tcp /*合同选取tcp*/srx_admin#set applications application RDP source-port 0-65535 /*源端口*/srx
32、_admin#set applications application RDP destination-port 3389 /*目端口*/srx_admin#set applications application RDP protocol udp /*合同选取udp*/srx_admin#set applications application RDP source-port 0-65535 /*源端口*/srx_admin#set applications application RDP destination-port 3389 /*目端口*/3.1.5 VIP端口映射Destinati
33、on NAT配备srx_admin#set security nat destination pool 22 address 192.168.1.20/32/*Destination NAT pool设立,为真实内网地址*/srx_admin#set security nat destination pool 22 address port 3389/*Destination NAT pool设立,为内网地址端标语*/srx_admin#set security nat destination rule-set 2 from zone untrust/* Destination NAT Rul
34、e设立,访问流量从untrust区域过来*/srx_admin#set security nat destination rule-set 2 rule 111 match source-address 0.0.0.0/0/* Destination NAT Rule设立,访问流量可以任意地址*/srx_admin#set security nat destination rule-set 2 rule 111 match destination-address 116.228.60.154/32/* Destination NAT Rule设立,访问目地址是116.228.60.157*/s
35、rx_admin#set security nat destination rule-set 2 rule 111 match destination-port 3389/* Destination NAT Rule设立,访问目地址端标语*/srx_admin#set security nat destination rule-set 2 rule 111 then destination-nat pool 22/*Destination NAT Rule设立,调用pool地址*/方略配备srx_admin#set security policies from-zone untrust to-
36、zone trust policy vip match source-address anysrx_admin#set security policies from-zone untrust to-zone trust policy vip match destination-address H192.168.1.20/32srx_admin#set security policies from-zone untrust to-zone trust policy vip match application anysrx_admin#set security policies from-zone
37、 untrust to-zone trust policy vip then permitsrx_admin#set security zones security-zone trust address-book address H192.168.1.20/32 192.168.1.20/323.1.6 MIP映射Destination NAT设立srx_admin#set security nat destination pool 111 address 192.168.1.3/32 /*Destination NAT pool设立,为真实内网地址*/srx_admin#set securi
38、ty nat destination rule-set 1 from zone untrust /*Destination NAT Rule设立,访问流量从untrust区域过来*/srx_admin#set security nat destination rule-set 1 rule 111 match source-address 0.0.0.0/0/*Destination NAT Rule设立,访问流量可以任意地址*/srx_admin#set security nat destination rule-set 1 rule 11 match destination-address
39、 116.228.60.157/32/*Destination NAT Rule设立,访问目地址是116.228.60.157*/srx_admin#set security nat destination rule-set 1 rule 11 then destination-nat pool 11/*Destination NAT Rule设立,调用pool地址*/配备ARP代理srx_admin#set security nat proxy-arp interface fe-0/0/0.0 address 116.228.60.157/32方略配备srx_admin#set securi
40、ty policies from-zone untrust to-zone trust policy mip match source-address anysrx_admin#set security policies from-zone untrust to-zone trust policy mip match destination-address H192.168.1.20/32srx_admin#set security policies from-zone untrust to-zone trust policy mip match application anysrx_admi
41、n#set security policies from-zone untrust to-zone trust policy mip then permit3.1.7禁用console口juniper-srxSRX100H2# edit system ports console /*进入console接口*/juniper-srxSRX100H2# set disable /*关闭端口*/juniper-srxSRX100H2# commit confirmed 3 /*提交3分钟,3分钟后回退*/3.1.8 Juniper SRX带源ping外网默认不通,需要做源地址NATset secur
42、ity nat source rule-set LOCAL from zone junos-hostset security nat source rule-set LOCAL to zone untrustset security nat source rule-set LOCAL rule LOCAL match source-address 192.168.1.1/32set security nat source rule-set LOCAL rule LOCAL match destination-address 0.0.0.0/0set security nat source ru
43、le-set LOCAL rule LOCAL then source-nat interfaceset security nat source rule-set trust-to-untrust from zone trustset security nat source rule-set trust-to-untrust to zone untrustset security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0set security nat sou
44、rce rule-set trust-to-untrust rule source-nat-rule then source-nat interface3.1.9 设立SRX管理IP 参照防火墙外网接口端口服务set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ikeset security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services pingset security zones security-z