JuniperSRX詳細(xì)配置手冊(cè)含注釋

1、Juniper SRX 標(biāo)準(zhǔn)配置第一節(jié)系統(tǒng)配置 31.1 、設(shè)備初始化 31.1.1 登陸 31.1.2 設(shè)置 root 用戶口令 31.1.3 設(shè)置遠(yuǎn)程登陸管理用戶 32、系統(tǒng)管理 41.2.1 選擇時(shí)區(qū) 41.2.2 系統(tǒng)時(shí)間 41.2.3 DNS 服務(wù)器 51.2.4 系統(tǒng)重啟 51.2.5 Alarm 告警處理 51.2.6 Root 密碼重置 6第二節(jié)網(wǎng)絡(luò)設(shè)置 72.1 、 Interface 72.1.1 PPPOE 72.1.2 Manual 82.1.3 DHCP 82.2 、 Routing 9Static Route 92.3、 SNMP 9第三節(jié)高級(jí)設(shè)置 93.1.1 修

2、改服務(wù)端口 93.1.2 檢查硬件序列號(hào) 93.1.3 內(nèi)外網(wǎng)接口啟用端口服務(wù) 103.1.4 創(chuàng)建端口服務(wù) 103.1.5 VIP 端口映射 103.1.6 MIP 映射 113.1.7 禁用 console 口 123.1.8 Juniper SRX 帶源 ping 外網(wǎng)默認(rèn)不通，需要做源地址 NAT 123.1.9 設(shè)置 SRX 管理 IP 123.2.0 配置回退 133.2.1 UTM 調(diào)用 133.2.2 網(wǎng)絡(luò)訪問(wèn)緩慢解決 13第四節(jié) VPN 設(shè)置 144.1 、點(diǎn)對(duì)點(diǎn) IPSec VPN 144.1.1 Route Basiced 144.1.2 Policy Basiced 1

3、74.2 、 Remote VPN 194.2.1 SRX 端配置 194.2.2 客戶端配置 20第一節(jié)系統(tǒng)配置1.1 、設(shè)備初始化1.1.1 登陸首次登錄需要使用 Console 口連接 SRX ， root 用戶登陸，密碼為空 login: rootPassword:- JUNOS 9.5R1.8 built 2009-07-16 15:04:30 UTC root% cli /* 進(jìn)入操作模式 */ root>root> configureEntering configuration mode/* 進(jìn)入配置模式 */editRoot#1.1.2 設(shè)置 root 用戶口令（必

4、須配置 root 帳號(hào)密碼，否則后續(xù)所有配置及修改都無(wú)法提交）root# set system root-authentication plain-text-passwordroot# new password : root123root# retype new password: root123 密碼將以密文方式顯示root# show system root-authentication encrypted-password "$1$xavDeUe6$fNM6olGU.8.M7B62u05D6." # SECRET-DATA 注意： 強(qiáng)烈建議不要使用其它加密選項(xiàng)來(lái)加密

5、root 和其它 user 口令 （ 如 encrypted-password 加密方式 ），此配置參數(shù)要求輸入的口令應(yīng)是經(jīng)加密算法加密后的字符串，采用這種加密方 式手工輸入時(shí)存在密碼無(wú)法通過(guò)驗(yàn)證風(fēng)險(xiǎn)。注： root 用戶僅用于 console 連接本地管理 SRX ，不能通過(guò)遠(yuǎn)程登陸管理SRX ，必須成功設(shè)置 root 口令后，才能執(zhí)行 commit 提交后續(xù)配置命令。1.1.3 設(shè)置遠(yuǎn)程登陸管理用戶root# set system login user lab class super-user authentication plain-text-password root# new pas

6、sword : juniper root# retype new password: srx123注：此 juniper 用戶擁有超級(jí)管理員權(quán)限， 可用于 console 和遠(yuǎn)程管理訪問(wèn)， 另也可自行靈活定義 其它不同管理權(quán)限用戶。2、系統(tǒng)管理/* 亞洲 / 上海 */1.2.1 選擇時(shí)區(qū)srx_admin# set system time-zone Asia/Shanghai1.2.2 系統(tǒng)時(shí)間 手動(dòng)設(shè)定srx_admin> set date 201511201537.00srx_admin> show system uptimeCurrent time: 2015

7、-11-20 15:37:14 UTCSystem booted: 2015-11-20 15:21:48 UTC (2d 00:15 ago)Protocols started: 2015-11-20 15:24:45 UTC (2d 00:12 ago)Last configured: 2015-11-20 15:30:38 UTC (00:06:36 ago) by srx_admin3:37PM up 2 days, 15 mins, 3 users, load averages: 0.07, 0.17, .2 NTP 同步一次srx_admin> set da

8、te ntp 018 Feb 15:49:50 ntpdate6616: step time server 01 offset -28796.357071 sec NTP 服務(wù)器srx_admin# set system ntp server srx_admin#set system ntp server ntp.api.bz/*SRX 系統(tǒng) NTP 服務(wù)器，設(shè)備需要聯(lián)網(wǎng)可以解 ntp 地址，不然命令無(wú)法輸入 */ 析srx_admin> show ntp statusstatus=c011 sync_

9、alarm, sync_unspec, 1 event, event_restart,version="ntpd 4.2.0-a FriNov2015:44:16 UTC 2014 (1)",processor="octeon", system="JUNOS12.1X44-D35.5", leap=11, stratum=16,precision=-17, rootdelay=0.000, rootdispersion=0.105, peer=0,refid=INIT, reftime=00000000.00000000 Thu, F

10、eb 7 2036 14:28:16.000,poll=4, clock=d88195bc.562dc2db Sun, Feb 8 2015 7:58:52.336, state=0, offset=0.000, frequency=0.000, jitter=0.008, stability=0.000 srx_adminholy-shit> show ntp associations 483 - 16 645.473 -0.953 0.008 .INIT.16 -64 00.000 0.000 4000.00/*SRX 系統(tǒng) DNS*

11、/1.2.3 DNS 服務(wù)器srx_admin# set system name-server 1.2.4 系統(tǒng)重啟 重啟系統(tǒng)srx_admin>request system reboot 關(guān)閉系統(tǒng)srx_admin>request system power-off1.2.5 Alarm 告警處理 告警查看root# run show system alarms2 alarms currently activeDescriptionAutorecovery information needs to be savedR

12、escue configuration is not setAlarm time Class 2015-11-20 14:21:49 UTCMinor2015-11-20 14:21:49 UTCMinor 告警處理告警一處理root> request system autorecovery state saveSaving config recovery informationSaving license recovery informationSaving BSD label recovery information 告警二處理root> request syst

13、em configuration rescue save1.2.6Root密碼重置該操作需要SRX Root密碼丟失，并且沒(méi)有其他的超級(jí)用戶權(quán)限，那么就需要執(zhí)行密碼恢復(fù)， 中斷設(shè)備正常運(yùn)行，但不會(huì)丟失配置信息。操作步驟如下：1. 重啟防火墻，CRT上出現(xiàn)下面提示時(shí)，按空格鍵中斷正常啟動(dòng)，然后再進(jìn)入單用戶狀態(tài)， 并輸入：boot - sLoad ing /boot/defaults/loader.c onf/kernel data=0xb15b3c+0x13464c syms=0x4+0x8bb00+0x4+0xcac15Hit E nter to boot immediately, or sp

14、ace bar for comma nd prompt.loaderloader> boot -s2. 執(zhí)行密碼恢復(fù)：在以下提示文字后輸入recovery，設(shè)備將自動(dòng)進(jìn)行重啟En ter full path name of shell or 'recovery' for root password recovery or RETURN for /bin/sh:recovery* FILE SY STEM WAS MODIFIED *System watchdog timer disabledEn ter full path name of shell or 're

15、covery' for root password recovery or RETURN for /bin/sh: recovery3. 進(jìn)入配置模式，刪除root密碼后重新設(shè)置root密碼，并保存重啟root> con figureEntering configuration modeeditroot# delete system root-authe nticatio neditroot# set system root-authe nticati on pla in-text-passwordNew password:Retype new password:editroot

16、# commitcommit completeeditroot# exitExiting configuration moderoot> request system rebootReboot the system ? yes, no (no) yes第二節(jié)網(wǎng)絡(luò)設(shè)置2.1 、 Interface2.1.1 PPPOE在外網(wǎng)接口( fe-O/O/O )下封裝 PPPsrx_admin# set interfaces fe-0/0/0 unit 0 encapsulation ppp-over- ether CHAP 認(rèn)證配置srx_admin# set interfaces ppO uni

17、t O ppp-options chap default-chap-secret123456789O/*PPPOE 的密碼 */srx_admin# set interfaces ppO unit O ppp-options chap local-name rxgjhygs163/*PPPOE 的帳號(hào) */srx_admin# set interfaces ppO unit O ppp-options chap passive /* 采用被動(dòng)模式 */ PAP 認(rèn)證配置srx_admin# set interfaces ppO unit O ppp-options pap default-pa

18、ssword123456789O/*PPPOE 的密碼 */srx_admin# set interfaces ppO unit O ppp-options pap local-name rxgjhygs163/*PPPOE 的帳號(hào) */srx_admin# set interfaces ppO unit O ppp-options pap local-password123456789O/*PPPOE 的密碼 */srx_admin# set interfaces ppO unit O ppp-options pap passive/* 采用被動(dòng)模式 */ PPP 接口調(diào)用srx_admin

19、# set interfaces ppO unit O pppoe-options underlying-interface fe-O/O/O.O/* 在外網(wǎng)接口( fe-O/O/O )下啟用 PPPOE 撥號(hào) */ PPPOE 撥號(hào)屬性配置srx_admin# set interfaces ppO unit O pppoe-options idle-timeout O/* 空閑超時(shí)值 */srx_admin# set interfaces ppO unit O pppoe-options auto-reconnect 3/*3 秒自動(dòng)重?fù)?*/srx_admin# set interface

20、s ppO unit O pppoe-options client/* 表示為 PPPOE 客戶端 */srx_admin# set interfaces ppO unit O family inet mtu 1492/* 修改此接口的 MTU 值，改成 1492 。因?yàn)?PPPOE 的報(bào)頭會(huì)有一點(diǎn)的開(kāi)銷 */srx_admin# set interfaces ppO unit O family inet negotiate-address/* 自動(dòng)協(xié)商地址，即由服務(wù)端分配動(dòng)態(tài)地址 */默認(rèn)路由srx_admin# set routing-options static route O.O.O.

21、O/O next-hop ppO.O PPPOE 接口劃入 untrust 接口srx_admin# set security zones security-zone untrust interfaces pp0.0PPPOE 撥號(hào)成功后需要調(diào)整MTU 值，使上網(wǎng)體驗(yàn)達(dá)到最佳（MTU 值不合適的話上網(wǎng)會(huì)卡）驗(yàn)證 PPPoE 是否已經(jīng)拔通，是否獲得 IP 地址srx_admin#run show interfaces terse | match pppp0upuppp0.0upup inet-> ppd0upupppe0upup注：/* 調(diào)整 MTU

22、 大小 */* 調(diào)整 TCP 分片大小 */srx_admin# set interfaces pp0 unit 0 family inet mtu 1304 srx_admin# set security flow tcp-mss all-tcp mss 13042.1.2 Manualsrx_admin# set interfaces fe-0/0/0 unit 0 family inet address 38/292.1.3 DHCP啟用 DHCP 地址池srx_admin# set system services dhcp pool /24

23、 router /*DHCP 網(wǎng)關(guān) */srx_admin# set system services dhcp pool /24 address-range low /*DHCP 地址池第一個(gè)地址 */srx_admin# set system services dhcp pool /24 address-range high 54 /*DHCP 地址池最后一個(gè)地址 */srx_admin# set system services dhcp pool /24 d

24、efault-lease-time 36000/*DHCP 地址租期 */srx_admin# set system services dhcp pool /24 domain-name /*DHCP 域名 */srx_admin# set system services dhcp pool /24 name-server 33 /*DHCP 分配 DNS*/srx_admin# set system services dhcp pool /24 name-server srx_

25、admin# set system services dhcp propagate-settings vlan.0/*DHCP 分發(fā)端口 */配置內(nèi)網(wǎng)接口地址srx_admin# set interfaces vlan unit 0 family inet address /24內(nèi)網(wǎng)接口調(diào)用 DHCP 地址池srx_admin#set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system- servicesdhcp2.2 、 RoutingStatic Routes

26、rx_admin# set route-option static route /0 next-hop 53 /* 默認(rèn)路由 */srx_admin# set route-option static route /24 next-hop st0.0/*Route Basiced VPN路由 */2.3 、 SNMPsrx_admin# set snmp community Ajitec authorization read-only/read-write/*SNMP 監(jiān)控權(quán)限 */srx_admin# set snmp client-l

27、ist snmp_srx240 9/32 /*SNMP 監(jiān)控主機(jī) */第三節(jié)高級(jí)設(shè)置3.1.1 修改服務(wù)端口srx_admin# set system services web-management http port 8000 /* 更改 web 的 http 管理端口號(hào) */srx_admin# set system services web-management https port 1443 /* 更改 web 的 https 管理端口號(hào) */3.1.2 檢查硬件序列號(hào)srx# run show chassis hardwareHardware inventory:

28、ItemChassisRouting EngineFPC 0PIC 0Power Supply 0Version Part numberBZ2615AF0491REV 05 650-048781FPCSerial numberSRX100H2BZ2615AF0491DescriptionRE-SRX100H28x FE Base PIC3.1.3內(nèi)外網(wǎng)接口啟用端口服務(wù)定義系統(tǒng)服務(wù)srx_adm in# set system services sshsrx_admin# set system services tel netsrx_adm in# set system services web-

29、ma nageme nt http in terface via n.Osrx_adm in# set system services web-ma nageme nt http in terface fe-0/0/0.0srx_adm in# set system services web-ma nageme nt https in terface via n.Osrx_adm in# set system services web-ma nageme nt man ageme nt-url admin/*后期用https:/ip/admi n就可以登錄管理頁(yè)面，不加就直接跳轉(zhuǎn)*/內(nèi)網(wǎng)接口啟

30、用端口服務(wù)srx_admi n#setsecurityzonessecurity-z onetrustin terfacesvia n.Ohost-i nboun d-trafficsystem-services ping /* 幵啟 pi ng */srx_admi n#setsecurityzonessecurity-z onetrustin terfacesvia n.Ohost-i nboun d-trafficsystem-services http /* 幵啟 http */srx_admi n#setsecurity zones security-z one trust in t

31、erfaces via n.Ohost-i nboun d-trafficsystem-services teinet /* 幵啟 teinet */外網(wǎng)接口啟用端口服務(wù)srx_adm in# set securityzones security-z oneun trustin terfacesfe-0/0/0.0host-i nboun d-trafficsystem-services ping /*幵啟 ping */srx_adm in #setsecurityzones security-z oneun trustin terfacesfe-0/0/0.0host-i nboun d-

32、trafficsystem-services teinet /* 幵啟 teinet */srx_adm in #setsecurityzones security-z oneun trustin terfacesfe-0/0/0.0host-i nboun d-trafficsystem-services http /*幵啟 http */srx_adm in #setsecurityzones security-z oneun trustin terfacesfe-0/0/0.0host-i nboun d-trafficsystem-services aii /*幵啟所有服務(wù)*/3.1.

33、4創(chuàng)建系統(tǒng)服務(wù)/*協(xié)議選擇tcp*/* 源端口 */*目的端口 */*協(xié)議選擇udp*/* 源端口 */*目的端口 */srx_adm in #set appiicati ons appiicati on RDP protocoi tcp srx_admi n#set appiicati ons appiicatio n RDP source-port 0-65535 srx_adm in #set appiicati ons appiicati on RDP dest in ati on-port 3389 srx_adm in #set appiicati ons appiicati on

34、 RDP protocoi udp srx_admi n#set appiicati ons appiicatio n RDP source-port 0-65535 srx_adm in #set appiicati ons appiicati on RDP dest in ati on-port 33893.1.5 VIP端口映射探 DestinationNAT配置srx_admi n#set security nat dest in ation pooi 22 address 0/32/*Desti nation NAT pooi設(shè)置，為真實(shí)內(nèi)網(wǎng)地址*/srx_ad

35、m in #set security nat dest in ati on pooi 22 address port 3389/*Destination NAT pool 設(shè)置，為內(nèi)網(wǎng)地址的端口號(hào) */srx_admin#set security nat destination rule-set 2 from zone untrust/* Destination NAT Rule 設(shè)置，訪問(wèn)流量從 untrust 區(qū)域過(guò)來(lái) */srx_admin#set security nat destination rule-set 2 rule 111 match source-address 0.0.

36、0.0/0/* Destination NAT Rule 設(shè)置，訪問(wèn)流量可以任意地址 */srx_admin#set security nat destination rule-set 2 rule 111 match destination-address 54/32/* Destination NAT Rule 設(shè)置，訪問(wèn)的目的地址是 57*/srx_admin#set security nat destination rule-set 2 rule 111 match destination-port 3389/* Destination

37、NAT Rule 設(shè)置，訪問(wèn)的目的地址的端口號(hào) */srx_admin#set security nat destination rule-set 2 rule 111 then destination-nat pool 22/*Destination NAT Rule 設(shè)置，調(diào)用 pool 地址 */策略配置srx_admin#set security policies from-zone untrust to-zone trust policy vip match sourceaddress anysrx_admin#set security policies from-zone untr

38、ust to-zone trust policy vip match destination-address H0/32srx_admin#set security policies from-zone untrust to-zone trust policy vip match application any srx_admin#set security policies from-zone untrust to-zone trust policy vip then permitsrx_admin#set security zones security-zone tru

39、st address-book address H0/32 0/323.1.6 MIP 映射 Destination NAT 設(shè)置srx_admin#set security nat destination pool 111 address /32/*Destination NAT pool 設(shè)置，為真實(shí)內(nèi)網(wǎng)地址 */ srx_admin#set security nat destination rule-set 1 from zone untrust/*Destination NAT Rule 設(shè)置，訪問(wèn)流量從 untrust

40、 區(qū)域過(guò)來(lái) */srx_admin#set security nat destination rule-set 1 rule 111 match source-address /0/*Destination NAT Rule 設(shè)置，訪問(wèn)流量可以任意地址 */srx_admin#set security nat destination rule-set 1 rule match destination-address 1157/32/*Destination NAT Rule 設(shè)置，訪問(wèn)的目的地址是 57*/srx_admin#set

41、 security nat destination rule-set 1 rule 11 then destination-nat pool 11/*Destination NAT Rule 設(shè)置，調(diào)用 pool 地址 */配置 ARP 代理srx_admin#set security nat proxy-arp interface fe-0/0/0.0 address 57/32策略配置srx_admin#set security policies from-zone untrust to-zone trust policy mip match sourceaddre

42、ss anysrx_admin#set security policies from-zone untrust to-zone trust policy mip match destinationaddress H0/32srx_admin#set security policies from-zone untrust to-zone trust policy mip match application anysrx_admi n#set security policies from-z one un trust to-z one trust policy mip the

43、n permit3.1.7 禁用 console 口jun iper-srxSRX100H2# edit system ports con sole/*進(jìn)入 con sole 接口 */juniper-srxSRX100H2# set disable/*關(guān)閉端口 */jun iper-srxSRX100H2# commit c on firmed 3/* 提交 3 分鐘，3 分鐘后回退 */3.1.8 Juniper SRX 帶源ping 外網(wǎng)默認(rèn)不通，需要做源地址NATset security nat source rule-set LOCAL from zone juno s-hostse

44、t security nat source rule-set LOCAL to zone un trustset security nat source rule-set LOCAL rule LOCAL match source-address /32set security nat source rule-set LOCAL rule LOCAL match dest in ati on-address /0set security nat source rule-set LOCAL rule LOCAL the n source-nat in terf

45、aceset security nat source rule-set trust-to-un trust from zone trustset security nat source rule-set trust-to-un trust to zone un trustset security nat source rule-set trust-to-un trust rule source-nat-rule match source-address /0set security nat source rule-set trust-to-un trust rule source

46、-nat-rule the n source-nat in terface3.1.9設(shè)置SRX管理IP參照防火墻外網(wǎng)接口的端口服務(wù)set security zones security-z oneun trustin terfaces fe-0/0/0.0host-inboun d-trafficsystem-services ikeset security zones security-z oneun trustin terfaces fe-0/0/0.0host-inboun d-trafficsystem-services pingset security zones security-

47、z oneun trustin terfaces fe-0/0/0.0host- inboun d-trafficsystem-services ssh定義防火墻 filter，設(shè)定允許訪問(wèn)的地址和端口set firewall filter Outside_access_in term Permit_IP from source-address 58/32set firewall filter Outside_access_in term Permit_IP from dest in atio n-address 14/32set firewall

48、 filter Outside_access_in term Permit_IP from protocol tcpset firewall filter Outside_access_i n term Permit_IP from desti nati on-port sshset firewall filter Outside_access_in term Permit_IP then accept/*設(shè)置允許訪問(wèn)的地址和地址*/set firewall filter Outside_access_in term Deny_ANY from desti natio n-address 59

49、.46.184.114/32 set firewall filter Outside_access_i n term Deny_ANY from protocol tcp set firewall filter Outside_access_i n term Deny_ANY from desti nati on-port ssh set firewall filter Outside_access_i n term Deny_ANY the n discard set firewall filter Outside_access_i n term Permit_A NY the n acce

50、pt/*其他流量全部拒絕*/防火墻外網(wǎng)接口調(diào)用 filter ，在接口上啟用限制set interfaces fe-0/0/0 unit 0 family inet filter inputOutside_access_in注：在配置拒絕流量時(shí)注意在拒絕的端口后面放行其他流量，因?yàn)檫@個(gè)拒絕會(huì)把所有流 量都拒絕掉。在配置拒絕流量時(shí)不能配置 all ，不然會(huì)把所有流量都拒絕掉。3.2.0 配置回退查看提交過(guò)的配置srx_admin# run show system commit0 2016-05-04 11:47:46 UTC by root via junoscript1 2016-05-04

51、11:40:11 UTC by root via cli2 2016-05-04 11:38:36 UTC by root via cli3 2016-04-27 11:41:07 UTC by root via cli4 2016-04-01 17:37:22 UTC by root via buttonsrx_admin # rollback Possible completions: <Enter>01234|回退配置(“ ROLLBACK 0 ”)Execute this command2016-05-04 11:47:46 UTC by root via junoscri

52、pt2016-05-04 11:40:11 UTC by root via cli2016-05-04 11:38:36 UTC by root via cli2016-04-27 11:41:07 UTC by root via cli2016-04-01 17:37:22 UTC by root via buttonPipe through a command3.2.1 UTM 調(diào)用在策略中調(diào)用 UTMsrx_admin #set security policies from-zone trust to-zone untrust policy trust-to-untrust match

53、sourceaddress anysrx_admin #set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address anysrx_admin #set security policies from-zone trust to-zone untrust policy trust-to-untrust match application anysrx_admin #set security policies from-zone trust to-zon

54、e untrust policy trust-to-untrust then permit application-services utm-policy junos-av-policy3.2.2 網(wǎng)絡(luò)訪問(wèn)緩慢解決srx_admin #set security flow syn-flood-protection-mode syn-cookie srx_admin #set security flow tcp-mss all-tcpmss 1300srx_admin #set security flow tcp-sessi on rst-seque nce-check srx_admin #se

55、t security flow tcp-sessi on strict-s yn-check srx_adm in #set security flow tcp-sessi on no-seque nce-check第四節(jié)VPN設(shè)置4.1、點(diǎn)對(duì)點(diǎn) IPSec VPN4.1.1 Route Basiced/* standard or compatible 模式 */創(chuàng)建tunnel接口srx_admi n#set in terfaces st0 unit 0 family inet/* 新建 st0.0 接口 */srx_adm in #set security zones security-z one un trust in terfaces st0.0/* 定義 tunnel 接口 st0.0 為 untrust 接口 */創(chuàng)建去往VPN對(duì)端內(nèi)網(wǎng)的路由srx_admi n#srx_admi n#set rout in g-opti ons static route /24 n ext-hop st0.0探VPN第一階段IK