Juniper SRX detailed configuration manual (with annotations) (Juniper-SRX详细配置手册(含注释).doc)

Uploaded by: 天**** | Document ID: 4859839 | Uploaded: 2024-10-15 | Format: DOC | Pages: 22 | Size: 242.67 KB
Juniper SRX standard configuration

Contents

Section 1 System configuration
  1.1 Device initialization
    1.1.1 Login
    1.1.2 Set the root password
    1.1.3 Create a remote management user
  1.2 System management
    1.2.1 Time zone
    1.2.2 System time
    1.2.3 DNS server
    1.2.4 System reboot
    1.2.5 Alarm handling
    1.2.6 Root password reset
Section 2 Network settings
  2.1 Interfaces
    2.1.1 PPPoE
    2.1.2 Manual addressing
    2.1.3 DHCP
  2.2 Routing (static routes)
  2.3 SNMP
Section 3 Advanced settings
  3.1.1 Changing management service ports
  3.1.2 Checking the hardware serial number
  3.1.3 Enabling services on the internal and external interfaces
  3.1.4 Creating a custom application
  3.1.5 VIP (port) mapping
  3.1.6 MIP (one-to-one) mapping
  3.1.7 Disabling the console port
  3.1.8 Source NAT for pings sourced from the SRX itself
  3.1.9 Setting the SRX management IP
  3.2.0 Configuration rollback
  3.2.1 Invoking UTM
  3.2.2 Fixing slow network access
Section 4 VPN settings
  4.1 Site-to-site IPsec VPN
    4.1.1 Route-based
    4.1.2 Policy-based
  4.2 Remote-access VPN
    4.2.1 SRX-side configuration
    4.2.2 Client configuration


Section 1 System configuration

1.1 Device initialization

1.1.1 Login

The first login must be made over the console port, as root with an empty password:

login: root
Password:
--- JUNOS 9.5R1.8 built 2009-07-16 15:04:30 UTC
root% cli                        /*** enter operational mode ***/
root>
root> configure
Entering configuration mode      /*** enter configuration mode ***/
[edit]
root#

1.1.2 Set the root password

(A root password is mandatory; until one is set, no configuration change can be committed.)

root# set system root-authentication plain-text-password
New password: root123
Retype new password: root123

The password is stored and displayed only as a hash:

root# show system root-authentication
encrypted-password "$1$xavDeUe6$fNM6olGU.8.M7B62u05D6."; # SECRET-DATA

Note: do not set the root password (or any user password) with the encrypted-password option. That option expects a string that has already been run through the password hashing algorithm; typing a value by hand there usually produces a password that can never be verified, locking the account.

Note: root is meant only for local console management and cannot log in remotely. The root password must be set successfully before any later commit will succeed.

1.1.3 Create a remote management user

root# set system login user lab class super-user authentication plain-text-password
New password: juniper
Retype new password: juniper

Note: the user lab has super-user privileges and may log in over the console and remotely. Additional users with other permission classes can be defined in the same way as needed.

1.2 System management

1.2.1 Time zone

srx_admin# set system time-zone Asia/Shanghai          /*** Asia/Shanghai ***/

1.2.2 System time

1.2.2.1 Manual setting

srx_admin> set date 201511201537.00
srx_admin> show system uptime
Current time: 2015-11-20 15:37:14 UTC
System booted: 2015-11-20 15:21:48 UTC (2d 00:15 ago)
Protocols started: 2015-11-20 15:24:45 UTC (2d 00:12 ago)
Last configured: 2015-11-20 15:30:38 UTC (00:06:36 ago) by srx_admin
 3:37PM  up 2 days, 15 mins, 3 users, load averages: 0.07, 0.17, 0.14

1.2.2.2 One-off NTP synchronization

srx_admin> set date ntp 202.120.2.101
8 Feb 15:49:50 ntpdate[6616]: step time server 202.120.2.101 offset -28796.357071 sec

1.2.2.3 NTP servers

srx_admin# set system ntp server 202.100.102.1
srx_admin# set system ntp server ntp.api.bz    /*** NTP server by hostname; the SRX must be able to resolve the name, otherwise the statement is rejected ***/

srx_admin> show ntp status
status=c011 sync_alarm, sync_unspec, 1 event, event_restart,
version="ntpd 4.2.0-a Fri Nov 20 15:44:16 UTC 2014 (1)", processor="octeon",
system="JUNOS12.1X44-D35.5", leap=11, stratum=16, precision=-17, rootdelay=0.000,
rootdispersion=0.105, peer=0, refid=INIT,
reftime=00000000.00000000  Thu, Feb  7 2036 14:28:16.000, poll=4,
clock=d88195bc.562dc2db  Sun, Feb  8 2015  7:58:52.336, state=0, offset=0.000,
frequency=0.000, jitter=0.008, stability=0.000

srx_admin@holy-shit> show ntp associations
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 15.179.156.248                   3  -   16   64    1    5.473   -0.953   0.008
 202.100.102.1    .INIT.         16  -    -   64    0    0.000    0.000 4000.00

In this output stratum=16 and refid=INIT mean the daemon has not synchronized yet; in the associations table a reach of 0 means the server has not answered any poll so far, and a stratum of 16 marks it as unusable.

1.2.3 DNS server

srx_admin# set system name-server 202.96.209.5     /*** DNS resolver used by the SRX itself ***/

1.2.4 System reboot

1.2.4.1 Reboot

srx_admin> request system reboot

1.2.4.2 Power off

srx_admin> request system power-off

1.2.5 Alarm handling

1.2.5.1 Viewing alarms

root# run show system alarms
2 alarms currently active
Alarm time               Class  Description
2015-11-20 14:21:49 UTC  Minor  Autorecovery information needs to be saved
2015-11-20 14:21:49 UTC  Minor  Rescue configuration is not set

1.2.5.2 Clearing the alarms

Alarm 1:

root> request system autorecovery state save
Saving config recovery information
Saving license recovery information
Saving BSD label recovery information

Alarm 2:

root> request system configuration rescue save

1.2.6 Root password reset

If the root password is lost and no other super-user account exists, password recovery is required. The procedure interrupts normal operation but does not lose the configuration:

1. Reboot the firewall. When the following prompt appears in the terminal (e.g. SecureCRT), press the space bar to interrupt the normal boot, then boot into single-user mode with boot -s:

Loading /boot/defaults/loader.conf
/kernel data=0xb15b3c+0x13464c syms=[0x4+0x8bb00+0x4+0xcac15]
Hit [Enter] to boot immediately, or space bar for command prompt.
loader>
loader> boot -s

2. Run the recovery: type recovery at the following prompt. The device restarts automatically into recovery mode.

Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery
***** FILE SYSTEM WAS MODIFIED *****
System watchdog timer disabled
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery

3. Enter configuration mode, delete the old root password, set a new one, commit, and reboot:

root> configure
Entering configuration mode
[edit]
root# delete system root-authentication
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit
commit complete
[edit]
root# exit
Exiting configuration mode
root> request system reboot
Reboot the system ? [yes,no] (no) yes

Note: this procedure needs nothing more than console access and the ability to power-cycle the box, so physical access to the console is equivalent to root. Control who can reach the console port (see also 3.1.7).


Section 2 Network settings

2.1 Interfaces

2.1.1 PPPoE

※ PPPoE encapsulation on the external interface (fe-0/0/0)

srx_admin# set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether

※ CHAP authentication

srx_admin# set interfaces pp0 unit 0 ppp-options chap default-chap-secret 1234567890   /*** PPPoE password ***/
srx_admin# set interfaces pp0 unit 0 ppp-options chap local-name rxgjhygs@163            /*** PPPoE account name ***/
srx_admin# set interfaces pp0 unit 0 ppp-options chap passive                            /*** passive mode: respond to the peer's challenge, do not initiate ***/

※ PAP authentication

srx_admin# set interfaces pp0 unit 0 ppp-options pap default-password 1234567890         /*** PPPoE password ***/
srx_admin# set interfaces pp0 unit 0 ppp-options pap local-name rxgjhygs@163             /*** PPPoE account name ***/
srx_admin# set interfaces pp0 unit 0 ppp-options pap local-password 1234567890           /*** PPPoE password ***/
srx_admin# set interfaces pp0 unit 0 ppp-options pap passive                             /*** passive mode ***/

※ Binding the PPP interface

srx_admin# set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/0.0       /*** dial PPPoE over the external interface (fe-0/0/0) ***/

※ PPPoE dial-up properties

srx_admin# set interfaces pp0 unit 0 pppoe-options idle-timeout 0                        /*** idle timeout; 0 = never disconnect ***/
srx_admin# set interfaces pp0 unit 0 pppoe-options auto-reconnect 3                      /*** redial automatically after 3 seconds ***/
srx_admin# set interfaces pp0 unit 0 pppoe-options client                                /*** act as PPPoE client ***/
srx_admin# set interfaces pp0 unit 0 family inet mtu 1492                                /*** MTU 1492: the PPPoE header consumes 8 bytes of the 1500-byte Ethernet payload ***/
srx_admin# set interfaces pp0 unit 0 family inet negotiate-address                       /*** negotiate the address, i.e. accept the dynamic address assigned by the server ***/

※ Default route

srx_admin# set routing-options static route 0.0.0.0/0 next-hop pp0.0

※ Place the PPPoE interface in the untrust zone

srx_admin# set security zones security-zone untrust interfaces pp0.0

※ Verify that PPPoE came up and an address was assigned

srx_admin# run show interfaces terse | match pp
pp0     up    up
pp0.0   up    up   inet   192.168.163.1  --> 1.1.1.1
ppd0    up    up
ppe0    up    up

Note: after the PPPoE session is up, tune the MTU so that browsing performs well (a wrong MTU causes stalls). The TCP MSS must be no larger than the MTU minus 40 bytes (IPv4 header plus TCP header); setting MSS equal to the MTU still produces segments that exceed the link MTU.

srx_admin# set interfaces pp0 unit 0 family inet mtu 1304          /*** adjust the MTU ***/
srx_admin# set security flow tcp-mss all-tcp mss 1264              /*** clamp TCP MSS: 1304 - 40 = 1264 ***/

2.1.2 Manual addressing

srx_admin# set interfaces fe-0/0/0 unit 0 family inet address 202.105.41.138/29

2.1.3 DHCP

※ Enable a DHCP address pool

srx_admin# set system services dhcp pool 192.168.1.0/24 router 192.168.1.1                  /*** gateway handed to clients ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2        /*** first address in the pool ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254     /*** last address in the pool ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 default-lease-time 36000             /*** lease time in seconds ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 domain-name <domain-name>            /*** DNS domain handed to clients ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 name-server 202.96.209.133           /*** DNS servers handed to clients ***/
srx_admin# set system services dhcp pool 192.168.1.0/24 name-server 202.96.209.5
srx_admin# set system services dhcp propagate-settings vlan.0                                /*** propagates DNS/domain settings learned by a DHCP client on the named interface into the pool; only meaningful if that interface obtains its own address via DHCP ***/

※ Configure the internal interface address

srx_admin# set interfaces vlan unit 0 family inet address 192.168.1.1/24

※ Allow DHCP requests to reach the SRX on the internal interface

srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services dhcp

2.2 Routing

Static routes

srx_admin# set routing-options static route 0.0.0.0/0 next-hop 116.228.60.153     /*** default route ***/
srx_admin# set routing-options static route 10.50.10.0/24 next-hop st0.0           /*** route for the route-based VPN ***/

2.3 SNMP

srx_admin# set snmp community Ajitec authorization read-only                /*** read-only or read-write; use read-only unless the monitoring system must write ***/
srx_admin# set snmp client-list snmp_srx240 10.192.8.99/32                 /*** permitted SNMP manager ***/
srx_admin# set snmp community Ajitec client-list-name snmp_srx240          /*** the client list restricts nothing until it is bound to the community ***/

Note: SNMPv2c sends the community string in cleartext, so treat it as a password and keep the client list tight.


Section 3 Advanced settings

3.1.1 Changing management service ports

srx_admin# set system services web-management http port 8000       /*** change the HTTP management port ***/
srx_admin# set system services web-management https port 1443      /*** change the HTTPS management port ***/

3.1.2 Checking the hardware serial number

srx# run show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number  Description
Chassis                                BZ2615AF0491   SRX100H2
Routing Engine   REV 05   650-048781   BZ2615AF0491   RE-SRX100H2
FPC 0                                                 FPC
  PIC 0                                               8x FE Base PIC
Power Supply 0

3.1.3 Enabling services on the internal and external interfaces

※ Define the system services

srx_admin# set system services ssh
srx_admin# set system services telnet
srx_admin# set system services web-management http interface vlan.0
srx_admin# set system services web-management http interface fe-0/0/0.0
srx_admin# set system services web-management https interface vlan.0
srx_admin# set system services web-management management-url admin     /*** the UI is then reached at https://ip/admin; without this the root URL redirects straight to it ***/

※ Enable services on the internal interface

srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ping      /*** allow ping ***/
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services http      /*** allow HTTP ***/
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services telnet    /*** allow Telnet ***/

※ Enable services on the external interface

srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping      /*** allow ping ***/
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services telnet    /*** allow Telnet ***/
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services http      /*** allow HTTP ***/
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all       /*** allow all services ***/

Note: Telnet and HTTP carry management credentials in cleartext, and system-services all on the untrust interface exposes every management daemon (and the J-Web login page) to the Internet. In practice enable only ssh and https, and on untrust allow only the services the device really needs there (for example ike for VPN peers).

3.1.4 Creating a custom application

A single application with two protocols needs one term per protocol; a second bare protocol statement on the same application simply overwrites the first.

srx_admin# set applications application RDP term tcp protocol tcp          /*** TCP term ***/
srx_admin# set applications application RDP term tcp source-port 0-65535   /*** any source port ***/
srx_admin# set applications application RDP term tcp destination-port 3389 /*** destination port ***/
srx_admin# set applications application RDP term udp protocol udp          /*** UDP term ***/
srx_admin# set applications application RDP term udp source-port 0-65535   /*** any source port ***/
srx_admin# set applications application RDP term udp destination-port 3389 /*** destination port ***/

3.1.5 VIP (port) mapping

※ Destination NAT

srx_admin# set security nat destination pool 22 address 192.168.1.20/32                            /*** destination NAT pool: the real internal address ***/
srx_admin# set security nat destination pool 22 address port 3389                                  /*** destination NAT pool: the internal port ***/
srx_admin# set security nat destination rule-set 2 from zone untrust                               /*** rule-set applies to traffic arriving from untrust ***/
srx_admin# set security nat destination rule-set 2 rule 111 match source-address 0.0.0.0/0         /*** any source address ***/
srx_admin# set security nat destination rule-set 2 rule 111 match destination-address 116.228.60.154/32   /*** public destination address 116.228.60.154 ***/
srx_admin# set security nat destination rule-set 2 rule 111 match destination-port 3389            /*** public destination port ***/
srx_admin# set security nat destination rule-set 2 rule 111 then destination-nat pool 22           /*** translate to the pool ***/

※ Security policy

Policies are evaluated after destination NAT, so the policy must match the translated (internal) address, not the public one.

srx_admin# set security zones security-zone trust address-book address H192.168.1.20/32 192.168.1.20/32
srx_admin# set security policies from-zone untrust to-zone trust policy vip match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vip match destination-address H192.168.1.20/32
srx_admin# set security policies from-zone untrust to-zone trust policy vip match application any
srx_admin# set security policies from-zone untrust to-zone trust policy vip then permit

3.1.6 MIP (one-to-one) mapping

※ Destination NAT

srx_admin# set security nat destination pool 111 address 192.168.1.3/32                           /*** destination NAT pool: the real internal address ***/
srx_admin# set security nat destination rule-set 1 from zone untrust                              /*** rule-set applies to traffic arriving from untrust ***/
srx_admin# set security nat destination rule-set 1 rule 11 match source-address 0.0.0.0/0         /*** any source address ***/
srx_admin# set security nat destination rule-set 1 rule 11 match destination-address 116.228.60.157/32   /*** public destination address 116.228.60.157 ***/
srx_admin# set security nat destination rule-set 1 rule 11 then destination-nat pool 111          /*** translate to the pool ***/

※ Proxy ARP

srx_admin# set security nat proxy-arp interface fe-0/0/0.0 address 116.228.60.157/32     /*** answer ARP for the public address on the external interface ***/

※ Security policy

srx_admin# set security zones security-zone trust address-book address H192.168.1.3/32 192.168.1.3/32
srx_admin# set security policies from-zone untrust to-zone trust policy mip match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy mip match destination-address H192.168.1.3/32
srx_admin# set security policies from-zone untrust to-zone trust policy mip match application any
srx_admin# set security policies from-zone untrust to-zone trust policy mip then permit

Note: because the MIP rule has no destination-port match, every port on 192.168.1.3 is translated; with application any in the policy the whole host is reachable from the Internet. Restrict the policy to the applications actually needed.

3.1.7 Disabling the console port

juniper-srx@SRX100H2# edit system ports console     /*** enter the console port stanza ***/
juniper-srx@SRX100H2# set disable                    /*** disable the port ***/
juniper-srx@SRX100H2# commit confirmed 3             /*** provisional commit: unless a plain commit follows within 3 minutes the change is rolled back, so a lost session cannot lock you out ***/

3.1.8 Source NAT for pings sourced from the SRX itself

Pinging the Internet from the SRX with one of its internal addresses as the source fails by default, because traffic originating from the device (zone junos-host) is not covered by the trust-to-untrust source NAT. Add a rule-set for the junos-host zone:

set security nat source rule-set LOCAL from zone junos-host
set security nat source rule-set LOCAL to zone untrust
set security nat source rule-set LOCAL rule LOCAL match source-address 192.168.1.1/32
set security nat source rule-set LOCAL rule LOCAL match destination-address 0.0.0.0/0
set security nat source rule-set LOCAL rule LOCAL then source-nat interface
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface

3.1.9 Setting the SRX management IP

※ Refer to the external-interface service settings above

set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-
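The management-plane settings in sections 2.1.1, 2.3, 3.1.3 and 3.1.4 contain several traps (Telnet and HTTP enabled, system-services all on the untrust interface, a read-write SNMP community, an unbound SNMP client list, a TCP MSS equal to the MTU, and an application whose second protocol statement overwrites the first). The following auditor is an added example, not part of the original manual or of Junos: it parses set-format statements and reports those conditions. The sample configurations and the check names are constructed for this example; the assumption that the Internet-facing zone is called untrust follows this manual.

```python
"""Audit Junos 'set'-format SRX configuration for management-plane exposures.

Added example, not part of the original manual. The sample configurations
below are constructed from the statements shown in this manual.
"""
from typing import Dict, List, Set

# Constructed sample: the management-related statements as this manual shows them.
SAMPLE_CONFIG = """
set system services ssh
set system services telnet
set system services web-management http interface vlan.0
set system services web-management http interface fe-0/0/0.0
set system services web-management https interface vlan.0
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services http
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all
set snmp community Ajitec authorization read-write
set snmp client-list snmp_srx240 10.192.8.99/32
set interfaces pp0 unit 0 family inet mtu 1304
set security flow tcp-mss all-tcp mss 1304
set applications application RDP protocol tcp
set applications application RDP destination-port 3389
set applications application RDP protocol udp
set applications application RDP destination-port 3389
"""

# Constructed sample: the same intent with the exposures removed.
HARDENED_CONFIG = """
set system services ssh
set system services web-management https interface vlan.0
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set snmp community Ajitec authorization read-only
set snmp community Ajitec client-list-name snmp_srx240
set snmp client-list snmp_srx240 10.192.8.99/32
set interfaces pp0 unit 0 family inet mtu 1492
set security flow tcp-mss all-tcp mss 1452
set applications application RDP term tcp protocol tcp destination-port 3389
set applications application RDP term udp protocol udp destination-port 3389
"""

CLEARTEXT_SERVICES = {"telnet", "http", "ftp"}   # credentials cross the wire unencrypted
UNTRUSTED_ZONES = {"untrust"}                     # assumption: Internet-facing zone name, as in this manual
IPV4_TCP_HEADERS = 40                             # 20-byte IPv4 header + 20-byte TCP header


def parse_set_lines(text: str) -> List[List[str]]:
    """Return each 'set ...' statement as its token list, without the leading 'set'."""
    return [line.split()[1:] for line in text.splitlines() if line.strip().startswith("set ")]


def audit(text: str) -> Dict[str, List[str]]:
    """Map check name -> offending statements (or synthesized messages). Empty dict = clean."""
    findings: Dict[str, List[str]] = {}

    def add(check: str, msg: str) -> None:
        findings.setdefault(check, []).append(msg)

    mtu = mss = None
    app_protocols: Dict[str, Set[str]] = {}
    client_lists: Set[str] = set()
    bound_lists: Set[str] = set()

    for t in parse_set_lines(text):
        s = " ".join(t)
        # 1. Cleartext management daemons enabled globally (telnet, or J-Web over plain HTTP).
        if t[:2] == ["system", "services"] and len(t) > 2 and t[2] in CLEARTEXT_SERVICES:
            add("cleartext-service", s)
        if t[:3] == ["system", "services", "web-management"] and "http" in t:
            add("cleartext-service", s)
        # 2. host-inbound-traffic on an interface that sits in an untrusted zone.
        if t[:3] == ["security", "zones", "security-zone"] and t[-2:-1] == ["system-services"]:
            zone, svc = t[3], t[-1]
            if zone in UNTRUSTED_ZONES and svc == "all":
                add("untrust-all-services", s)
            elif zone in UNTRUSTED_ZONES and svc in CLEARTEXT_SERVICES:
                add("untrust-cleartext-service", s)
        # 3. SNMP: read-write communities, and client lists that are defined but never bound.
        if t[:2] == ["snmp", "community"]:
            if "authorization" in t and t[t.index("authorization") + 1] == "read-write":
                add("snmp-read-write", s)
            if "client-list-name" in t:
                bound_lists.add(t[t.index("client-list-name") + 1])
        if t[:2] == ["snmp", "client-list"]:
            client_lists.add(t[2])
        # 4. PPPoE tuning: the TCP MSS clamp must leave room for the IPv4 and TCP headers.
        if t[0] == "interfaces" and "mtu" in t:
            mtu = int(t[t.index("mtu") + 1])
        if t[:3] == ["security", "flow", "tcp-mss"] and "mss" in t:
            mss = int(t[t.index("mss") + 1])
        # 5. Custom applications: two 'protocol' statements without terms overwrite each other.
        if t[:2] == ["applications", "application"] and "protocol" in t and "term" not in t:
            app_protocols.setdefault(t[2], set()).add(t[t.index("protocol") + 1])

    for name in sorted(client_lists - bound_lists):
        add("snmp-unbound-client-list", f"client-list {name} is not bound to any community")
    if mtu is not None and mss is not None and mss > mtu - IPV4_TCP_HEADERS:
        add("mss-exceeds-mtu", f"mss {mss} > mtu {mtu} - {IPV4_TCP_HEADERS}")
    for name, protos in app_protocols.items():
        if len(protos) > 1:
            add("application-protocol-overwrite", f"{name}: {sorted(protos)} without terms; last one wins")
    return findings


if __name__ == "__main__":
    for check, items in audit(SAMPLE_CONFIG).items():
        print(check)
        for item in items:
            print("   ", item)
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Run it as a script to see the findings for the manual's settings; audit(HARDENED_CONFIG) returns an empty dict. Each check is deliberately keyed on statement shape rather than on the exact interface or zone names, so the same script can be pointed at a `show configuration | display set` dump from another SRX by editing UNTRUSTED_ZONES.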
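Sections 3.1.5 and 3.1.6 rely on two SRX behaviours that are easy to get wrong: destination NAT runs before the security policy lookup, so the policy must match the translated internal address, and a MIP rule with no destination-port match translates every port. The following model is an added example, not part of the original manual and not Junos code: it evaluates the VIP and MIP rules of those sections against sample flows and then applies the policy to the post-NAT destination. Rule names, the flow tuples and the hardened policy set are constructed for this example; the addresses and ports are the manual's.

```python
"""Model destination NAT followed by policy lookup, as an SRX does it.

Added example, not part of the original manual. Rules and policies below are
built from sections 3.1.5 (VIP) and 3.1.6 (MIP); flow tuples are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class DnatRule:
    name: str
    match_src: str              # source-address prefix
    match_dst: str              # destination-address prefix
    match_port: Optional[int]   # destination-port; None = no port match (MIP style)
    pool_addr: str              # pool address
    pool_port: Optional[int]    # pool port; None = keep the original port


@dataclass(frozen=True)
class Policy:
    name: str
    dst_prefix: str             # address-book entry the policy matches (post-NAT address)
    ports: Optional[Set[int]]   # destination ports permitted; None = application any


# Section 3.1.5: VIP forwards only 116.228.60.154:3389 to 192.168.1.20:3389.
# Section 3.1.6: MIP forwards every port of 116.228.60.157 to 192.168.1.3.
RULES: List[DnatRule] = [
    DnatRule("rule-set 2 rule 111", "0.0.0.0/0", "116.228.60.154/32", 3389, "192.168.1.20", 3389),
    DnatRule("rule-set 1 rule 11", "0.0.0.0/0", "116.228.60.157/32", None, "192.168.1.3", None),
]

# The manual's policies: application any on both hosts.
POLICIES: List[Policy] = [
    Policy("vip", "192.168.1.20/32", None),
    Policy("mip", "192.168.1.3/32", None),
]

# Constructed hardened variant: the MIP host is only reachable on RDP.
HARDENED_POLICIES: List[Policy] = [
    Policy("vip", "192.168.1.20/32", {3389}),
    Policy("mip-rdp-only", "192.168.1.3/32", {3389}),
]


def translate(rules: List[DnatRule], src: str, dst: str, port: int) -> Tuple[str, int, Optional[str]]:
    """First matching destination NAT rule wins; return (new_dst, new_port, rule_name)."""
    for r in rules:
        if (ip_address(src) in ip_network(r.match_src)
                and ip_address(dst) in ip_network(r.match_dst)
                and (r.match_port is None or r.match_port == port)):
            return r.pool_addr, (r.pool_port if r.pool_port is not None else port), r.name
    return dst, port, None


def evaluate(rules: List[DnatRule], policies: List[Policy], src: str, dst: str, port: int) -> Dict[str, object]:
    """Destination NAT first, then policy lookup on the translated address and port.

    A flow that matches no NAT rule keeps its public destination; no trust-zone
    policy matches it, so it is denied here (on a real SRX such a flow would be
    judged by host-inbound-traffic instead, since the address is the device's own).
    """
    new_dst, new_port, rule = translate(rules, src, dst, port)
    for p in policies:
        if ip_address(new_dst) in ip_network(p.dst_prefix) and (p.ports is None or new_port in p.ports):
            return {"nat_rule": rule, "dst": new_dst, "port": new_port, "policy": p.name, "action": "permit"}
    return {"nat_rule": rule, "dst": new_dst, "port": new_port, "policy": None, "action": "deny"}


if __name__ == "__main__":
    for flow in [("1.2.3.4", "116.228.60.154", 3389), ("1.2.3.4", "116.228.60.154", 22),
                 ("1.2.3.4", "116.228.60.157", 22), ("1.2.3.4", "116.228.60.157", 3389)]:
        print(flow, "->", evaluate(RULES, POLICIES, *flow))
        print(flow, "-> hardened:", evaluate(RULES, HARDENED_POLICIES, *flow))
```

The run shows why the manual's policies reference H192.168.1.20 and the internal host rather than the public addresses, and that with the manual's MIP policy a connection to 116.228.60.157 on port 22 is translated and permitted; only the hardened policy set, which names the application instead of any, closes that.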