防火墻配置手冊(cè)和操作系統(tǒng)介紹

...wd......wd......wd...JuniperSRX防火墻配置手冊(cè)一、JUNOS操作系統(tǒng)介紹1.1層次化配置構(gòu)造JUNOS采用基于FreeBSD內(nèi)核的軟件模塊化操作系統(tǒng)，支持CLI命令行和WEBUI兩種接口配置方式，本文主要對(duì)CLI命令行方式進(jìn)展配置說明。JUNOSCLI使用層次化配置構(gòu)造，分為操作〔operational〕和配置〔configure〕兩類模式，在操作模式下可對(duì)當(dāng)前配置、設(shè)備運(yùn)行狀態(tài)、路由及會(huì)話表等狀態(tài)進(jìn)展查看及設(shè)備運(yùn)維操作，并通過執(zhí)行config或edit命令進(jìn)入配置模式，在配置模式下可對(duì)各相關(guān)模塊進(jìn)展配置并能夠執(zhí)行操作模式下的所有命令〔run〕。在配置模式下JUNOS采用分層分級(jí)模塊下配置構(gòu)造，如以下列圖所示，edit命令進(jìn)入下一級(jí)配置〔類似unixcd命令〕,exit命令退回上一級(jí)，top命令回到根級(jí)。1.2JunOS配置管理JUNOS通過set語(yǔ)句進(jìn)展配置，配置輸入后并不會(huì)立即生效，而是作為候選配置〔CandidateConfig〕等待管理員提交確認(rèn)，管理員通過輸入commit命令來提交配置，配置內(nèi)容在通過SRX語(yǔ)法檢查后才會(huì)生效，一旦commit通過后當(dāng)前配置即成為有效配置〔Activeconfig〕。另外，JUNOS允許執(zhí)行commit命令時(shí)要求管理員對(duì)提交的配置進(jìn)展兩次確認(rèn)，如執(zhí)行commitconfirmed2命令要求管理員必須在輸入此命令后2分鐘內(nèi)再次輸入commit以確認(rèn)提交，否則2分鐘后配置將自動(dòng)回退，這樣可以防止遠(yuǎn)程配置變更時(shí)管理員失去對(duì)SRX的遠(yuǎn)程連接風(fēng)險(xiǎn)。在執(zhí)行commit命令前可通過配置模式下show命令查看當(dāng)前候選配置〔CandidateConfig〕，在執(zhí)行commit后配置模式下可通過runshowconfig命令查看當(dāng)前有效配置〔Activeconfig〕。此外可通過執(zhí)行show|compare比對(duì)候選配置和有效配置的差異。SRX上由于配備大容量硬盤存儲(chǔ)器，缺省按先后commit順序自動(dòng)保存50份有效配置，并可通過執(zhí)行rolback和commit命令返回到以前配置〔如rollback0/commit可返回到前一commit配置〕；也可以直接通過執(zhí)行saveconfigname.conf手動(dòng)保存當(dāng)前配置，并執(zhí)行l(wèi)oadoverrideconfigname.conf/commit調(diào)用前期手動(dòng)保存的配置。執(zhí)行l(wèi)oadfactory-default/commit命令可恢復(fù)到出廠缺省配置。SRX可對(duì)模塊化配置進(jìn)展功能關(guān)閉與激活，如執(zhí)行deactivatesecuritynat/comit命令可使NAT相關(guān)配置不生效，并可通過執(zhí)行activatesecuritynat/commit使NAT配置再次生效。SRX通過set語(yǔ)句來配置防火墻，通過delete語(yǔ)句來刪除配置，如deletesecuritynat和editsecuritynat/delete一樣，均可刪除security防火墻層級(jí)下所有NAT相關(guān)配置，刪除配置和ScreenOS不同，配置過程中需加以留意。1.3SRX主要配置內(nèi)容部署SRX防火墻主要有以下幾個(gè)方面需要進(jìn)展配置：System：主要是系統(tǒng)級(jí)內(nèi)容配置，如主機(jī)名、管理員賬號(hào)口令及權(quán)限、時(shí)鐘時(shí)區(qū)、Syslog、SNMP、系統(tǒng)級(jí)開放的遠(yuǎn)程管理服務(wù)〔如telnet〕等內(nèi)容。Interface:接口相關(guān)配置內(nèi)容。Security:是SRX防火墻的主要配置內(nèi)容，安全相關(guān)局部?jī)?nèi)容全部在Security層級(jí)下完成配置，如NAT、Zone、Policy、Address-book、Ipsec、Screen、Idp等，可簡(jiǎn)單理解為ScreenOS防火墻安全相關(guān)內(nèi)容都遷移至此配置層次下，除了Application自定義服務(wù)。Application：自定義服務(wù)單獨(dú)在此進(jìn)展配置，配置內(nèi)容與ScreenOS根本一致。routing-options：配置靜態(tài)路由或router-id等系統(tǒng)全局路由屬性配置。二、SRX防火墻配置對(duì)照說明策略處理流程圖2.1初始安裝2.1.1登陸Console口(通用超級(jí)終端缺省配置)連接SRX，root用戶登陸，密碼為空l(shuí)ogin:rootPassword:---JUNOS9.5R1.8built2009-07-1615:04:30UTCroot%cli//進(jìn)入操作模式root>root>configure//進(jìn)入配置模式[edit]Root#2.1.2設(shè)置root用戶口令設(shè)置root用戶口令root#setsystemroot-authenticationplain-text-passwordroot#newpassword:root123root#retypenewpassword:root123[edit]root#setsystemloginclasssuper-useridle-timeout3設(shè)置當(dāng)前用戶超時(shí)時(shí)間密碼將以密文方式顯示root#showsystemroot-authenticationencrypted-password"$1$xavDeUe6$fNM6olGU.8.M7B62u05D6.";#SECRET-DATA注意：強(qiáng)烈建議不要使用其它加密選項(xiàng)來加密root和其它user口令(如encrypted-password加密方式)，此配置參數(shù)要求輸入的口令應(yīng)是經(jīng)加密算法加密后的字符串，采用這種加密方式手工輸入時(shí)存在密碼無(wú)法通過驗(yàn)證風(fēng)險(xiǎn)。2.1.3設(shè)置遠(yuǎn)程登陸管理用戶root#setsystemloginuserlabclasssuper-userauthenticationplain-text-password//創(chuàng)立用戶labroot#newpassword:lab123//配置用戶lab密碼root#retypenewpassword:lab123注：此lab用戶擁有超級(jí)管理員權(quán)限，可用于console和遠(yuǎn)程管理訪問，另也可自行靈活定義其它不同管理權(quán)限用戶。2.1.4管理SRX相關(guān)配置root>showsystemuptime//查看時(shí)間root#runsetdateYYYYMMDDhhmm.ss//設(shè)置系統(tǒng)時(shí)鐘root#setsystemtime-zoneAsia/beijing//設(shè)置時(shí)區(qū)為北京root#setsystemhost-nameSRX3400-A//設(shè)置主機(jī)名root#setsystemname-server//設(shè)置DNS服務(wù)器root#setsystemntpserver01//設(shè)置NTP服務(wù)器root>showntpassociationsroot>showntpstatus//查看NTProot>showsecurityalgstatus//查看ALG狀態(tài)ALGStatus:DNS:EnabledFTP:EnabledH323:EnabledMGCP:EnabledMSRPC:EnabledPPTP:EnabledRSH:EnabledRTSP:EnabledSCCP:EnabledSIP:EnabledSQL:EnabledSUNRPC:EnabledTALK:EnabledTFTP:EnabledIKE-ESP:Disabledroot#setsystemservicesftproot#setsystemservicestelnetroot#setsystemservicesweb-management//在系統(tǒng)級(jí)開啟ftp/telnet/遠(yuǎn)程接入管理服務(wù)root>requestsystemreboot//重啟系統(tǒng)root>requestsystempower-off//關(guān)閉系統(tǒng)root>showversion//查看版本信息Model:srx210bJUNOSSoftwareRelease[10.4R5.5]root>showsystemuptime//查看系統(tǒng)啟動(dòng)時(shí)間Currenttime:2011-08-1105:09:15UTCSystembooted:2011-08-1101:12:48UTC(03:56:27ago)Protocolsstarted:2011-08-1101:15:28UTC(03:53:47ago)Lastconfigured:2011-08-1103:11:08UTC(01:58:07ago)byroot5:09AMup3:56,1user,loadaverages:0.01,0.02,0.00root>Showchassisharedware//查看硬件板卡及序列號(hào)Hardwareinventory:ItemVersionPartnumberSerialnumberDescriptionChassisAC5210AA0079SRX210bRoutingEngineREV40750-021778AACN5249RE-SRX210BFPC0FPCPIC02xGE,6xFE,1x3GPowerSupply0root>showchassisenvironment//查看硬件板卡當(dāng)前狀態(tài)ClassItemStatusMeasurementTempRoutingEngineOK52degreesC/125degreesFRoutingEngineCPUAbsentFansSRX210ChassisfanOKSpinningatnormalspeedPowerPowerSupply0OKroot>showchassisrouting-engine//查看主控板〔RE〕資源使用及狀態(tài)RoutingEnginestatus:Temperature52degreesC/125degreesFTotalmemory512MBMax415MBused(81percent)Controlplanememory336MBMax306MBused(91percent)Dataplanememory176MBMax107MBused(61percent)CPUutilization:User4percentBackground0percentKernel5percentInterrupt0percentIdle91percentModelRE-SRX210BSerialIDAACN5249Starttime2011-08-1101:12:47UTCUptime4hours,17minutes,57secondsLastrebootreason0x200:chassiscontrolresetLoadaverages:1minute5minute15minute0.090.050.01root>showsystemlicense//查看授權(quán)Licenseusage:LicensesLicensesLicensesExpiryFeaturenameusedinstalledneededax411-wlan-ap020permanentroot>showsystemprocessesextensive//查看系統(tǒng)利用率lastpid:1968;loadaverages:0.01,0.03,0.00up0+04:20:2805:32:46111processes:17running,83sleeping,11waitingMem:120MActive,87MInact,231MWired,30MCache,61MBuf,1356KFreeSwap:PIDUSERNAMETHRPRINICESIZERESSTATECTIMEWCPUCOMMAND1097root4760194M34836Kselect0298:0598.44%flowd_octeon22root1171520K16KRUN0203:4784.96%idle:cpu024root1-20-1390K16KRUN05:420.00%swi7:clock21root1171520K16KRUN12:210.00%idle:cpu15root1-8400K16Krtfifo01:020.00%rtfifo_kern_recv1109root17609724K3796Kselect00:460.00%rtlogd868root17607004K2588Kselect00:370.00%eventd52root1-800K16Kmdwait00:340.00%md01085root176016984K10676Kselect00:290.00%snmpd1088root176014288K4788Kselect00:230.00%l2ald1090root276020124K6476Kselect00:220.00%pfed1115root17604180K1104Kselect00:190.00%license-check1087root14039620K20172Kkqread00:150.00%rpd23root1-40-1590K16KWAIT00:150.00%swi2:net---(more39%)---root>monitorinterfacege-0/0/0//動(dòng)態(tài)統(tǒng)計(jì)接口數(shù)據(jù)包轉(zhuǎn)發(fā)信息Interface:ge-0/0/0.0,Enabled,LinkisUpFlags:SNMP-TrapsEncapsulation:ENET2Localstatistics:CurrentdeltaInputbytes:2986416[4121]Outputbytes:47303[90]Inputpackets:47631[64]Outputpackets:969[1]Remotestatistics:Inputbytes:94404820(1896bps)[6685]Outputbytes:9553700(952bps)[2078]Inputpackets:111689(4pps)[50]Outputpackets:59369(2pps)[29]Trafficstatistics:Inputbytes:97391236Outputbytes:,[10806]Next='n',Quit='q'orESC,Freeze='f',Thaw='t',Clear='c',Interface='i'root>monitortrafficinterfacege-0/0/0//動(dòng)態(tài)報(bào)文抓取verboseoutputsuppressed,use<detail>or<extensive>forfullprotocoldecodeAddressresolutionisON.Use<no-resolve>toavoidanyreverselookupdelay.Addressresolutiontimeoutis4s.Listeningonge-0/0/0.0,capturesize96bytesReverselookupfor3failed(checkDNSreachability).Otherreverselookupfailureswillnotbereported.Use<no-resolve>toavoidreverselookupsonIPaddresses.05:41:02.773631Inarpwho-has3tell405:41:02.783007Inarpwho-has1tell405:41:02.787524Inarpwho-has35tell05:41:02.884849InIPX00000000.00:13:8f:74:bc:19.0455>00000000.ff:ff:ff:ff:ff:ff.0455:ipx-netbios5005:41:03.437039Inarpwho-has1tell405:41:03.509837OutIPtruncated-ip-10bytesmissing!4.55730>.domain:51866+[|domain]05:41:03.568547InSTP802.1d,Config,Flags[none],bridge-id8000.00:06:53:48:8a:80.8010,length4305:41:03.678096InIPX00000000.00:13:8f:74:bc:19.0455>00000000.ff:ff:ff:ff:ff:ff.0455:ipx-netbios502.1.5接口的初始化接口說明：root%cli//進(jìn)入操作模式root>root>showinterfaces//查看接口狀態(tài)調(diào)整輸出詳細(xì)程度root>showintefacesterseroot>showinterfacesbriefroot>showinterfacesdetailroot>showinterfacesextensive//由上到下查看接口的信息越來越詳細(xì)root>showinterfacesdetail|matchfe-0/0/0//使用管道符匹配特定關(guān)鍵字root>helpreferencesecuritypolicy-security//查看配置參考信息root>helpapropossecurity//幫助搜索關(guān)鍵字相關(guān)的操作命令root>configure//進(jìn)入配置模式[edit]root#root#showinterfaces//查看接口配置狀態(tài)為接口配置IP地址的兩種方法：set配置：root#setinterfacesge-0/0/0.0familyinetaddress/24//為接口配置IP地址root#showinterfacesge-0/0/0.0familyinet//查看接口配置address./24edit配置直接指定到某個(gè)層級(jí)：[edit]root#editinterfacesge-0/0/0.0familyinet//在該層級(jí)下為接口配置[editinterfacesge-0/0/0.0familyinet]root#setaddress/24//配置IP地址[editinterfacesge-0/0/0.0familyinet]root#up//返回上一級(jí)，一層一層的退出〔也可以使用exit和top退出到[edit]〕[editinterfaces]Root#showroot#setsystemsyslogfilemonitor-loganyany//創(chuàng)立名字為monitor-log的日志root#setsystemsyslogfilemonitor-logmatch"4"http://監(jiān)控接口root#runmonitorstartmonitor-log//開場(chǎng)監(jiān)控root#runmonitorstop//停頓監(jiān)控刪除配置：root#deleteinterfacesge-0/0/0.0//普通刪除配置命令root#wildcarddeleteinterfacesfe-0*//通配符匹配刪除配置命令matched：fe-0/0/0matched：fe-0/0/1matched：fe-0/0/2matched：fe-0/0/3matched：fe-0/0/4matched：fe-0/0/5matched：fe-0/0/6matched：fe-0/0/7delete8objecgts?[yes,no](no)yes配置address-book〔address-book就是為地址命名，以便調(diào)用〕[edit]root#editsecurityzonessecurity-zoneoutside//配置outside區(qū)域address-book[editsecurityzonessecurity-zoneoutside]root#setaddress-bookaddressout-address/16//把接口IP放入地址薄out-address[editsecurityzonessecurity-zoneoutside]root#up[editsecurityzones]root#editsecurity-zoneinside//配置inside區(qū)域address-book[editsecurityzonessecurity-zoneinside]root#setaddress-bookaddressin-address/24//把接口IP放入地址薄in-address[editsecurityzonessecurity-zoneinside]root#exit[editsecurityzones]root#exit配置application[edit]root#editapplicationsapplicationtcp-1752//定義服務(wù)名字[editapplicationsapplicationtcp-1752]root#setprotocoltcpsource-port1752destination-port1752//定義協(xié)議及端口號(hào)[edit]root#showapplicationsapplicationtcp-1752{protocoltcp;source-port1752;destination-port1752;配置application-set[edit]root#setapplicationsapplication-setweb-mgtapplicationjunos-ssh//配置應(yīng)用服務(wù)集web-mgt[edit]root#setapplicationsapplication-setweb-mgtapplicationjunos-ping[edit]root#setapplicationsapplication-setweb-mgtapplicationjunos-pc-anywhere[edit]root#setapplicationsapplication-setweb-mgtapplicationjunos-[edit]root#setapplicationsapplication-setweb-mgtapplicationjunos-ftproot#showapplications//查看applicationsapplication-setweb-mgt{applicationjunos-ssh;applicationjunos-ping;applicationjunos-pc-anywhere;applicationjunos-;applicationjunos-ftp;}替換配置：root#setinterfacesge-0/0/0.0familyinetaddress/24root#showinterfacesge-0/0/0ge-0/0/0{unit0{familyinet{address/24root#replacepatternge-0/0/0withge-0/0/1//一個(gè)接口取代另一個(gè)接口的配置root#showinterfacesge-0/0/1ge-0/0/1{unit0{familyinet{address/24復(fù)制配置：root#setinterfacesge-0/0/0.0familyEthernet-swithingvlanroot#copyinterfacesge-0/0/0.0toge-0/0/1.0//復(fù)制接口配置配置模式下的showroot#show//查看配置root#show|displayset//查看set格式的配置setversion10.4R5.5setsystemtime-zoneasia/beijingsetsystemroot-authenticationencrypted-password"$1$XyydlG84$f46l82dR8C/JHUvzFuq9o."setsystemname-server33setsystemloginuserlabuid2002setsystemloginuserlabclasssuper-usersetsystemloginuserlabauthenticationencrypted-password"$1$Y0X8gbap$GZNvirOuGhW.4ZAq4xwHF."setsystemservicessshsetsystemservicestelnetsetsystemservicesweb-managementinterfacevlan.0setsystemservicesweb-managementinterfacege-0/0/1.0setsystemservicesweb-managementinterfacevlan.3setsystemservicesweb-managementinterfacege-0/0/0.0setsystemservicesweb-managementinterfacefe-0/0/4.0setsystemservicesweb-managementssystem-generated-certificatesetsystemservicesweb-managementsinterfacevlan.0setsystemservicesweb-managementsinterfacege-0/0/1.0setsystemsyslogfilenat-loganyanysetsystemsyslogfilenat-logmatchRT_FLOW_SESSIONsetsystemsyslogfilemonitor-loganyanysetsystemsyslogfilemonitor-logmatch4---(more)---根本提交與恢復(fù)配置命令：root#commit//最根本的提交配置命令root#show|compare//查對(duì)待提交的配置與當(dāng)前運(yùn)行的配置差異(+表示增加的，-表示減少的)-encrypted-password"$1$XyydlG84$f46l82dR8C/JHUvzFuq9o.";##SECRET-DATA+encrypted-password"$1$PRX8HyIJ$X0uFTlOJ4yn.DQYeDiHl10";##SECRET-DATA[editsystemservicesweb-management]-interface[vlan.0ge-0/0/1.0vlan.3ge-0/0/0.0fe-0/0/3.0];+interface[vlan.0ge-0/0/1.0vlan.3ge-0/0/0.0fe-0/0/4.0];[editinterfaces]+fe-0/0/4{+unit0{+familyinet;+familyethernet-switching;+}+}[editsecurityzonessecurity-zoneinsideinterfaces]vlan.3{...}+fe-0/0/4.0{+host-inbound-traffic{+system-services{+;+}+}+}-fe-0/0/3.0{-host-inbound-traffic{-system-services{-;root#rollback//查看可恢復(fù)的配置〔注意：使用loadfacroty-default命令恢復(fù)到出廠配置〕Possiblecompletions:<[Enter]>Executethiscommand02011-08-1103:11:08UTCbylabviacli12011-08-1009:39:44UTCbylabviacli22011-08-1007:48:34UTCbylabviacli32011-08-1007:40:08UTCbylabviacli42011-08-1007:36:20UTCbylabviacli52011-08-1007:31:18UTCbylabviacli62011-08-1007:25:45UTCbylabviacli72011-08-1007:21:26UTCbylabviacli82011-08-1007:20:15UTCbylabviacli92011-08-1006:51:14UTCbylabviacli102011-08-1006:50:16UTCbylabviacli112011-08-1006:31:23UTCbylabviacli122011-08-1006:29:02UTCbylabviacli[abort]---(more42%)---[edit]root#rollback4//恢復(fù)某一配置〔注意：需要commit之后恢復(fù)配置才能生效〕root#commitat“2012-01-0118:00:00〞//在某一日期或時(shí)間提交配置命令root>clearsystemcommit//去除未被提交的配置root#commitcomment“only-configuration-interfaces〞//為提交的配置進(jìn)展說明調(diào)換策略順序Insertsecuritypoliciesfrom-zonezone-nameto-zonezone-namepolicyname[before|after]policyname配置SNMP配置系統(tǒng)信息〔可配可不配〕

setsnmplocationlab〔設(shè)備位置〕

setsnmpcontact"labguy@"〔管理員聯(lián)系方式〕配置SNMP通訊的“團(tuán)體名〞〔可理解為通訊密碼，必須配置〕

setsnmpcommunitypublicauthorizationread-write

在接口上啟用SNMP訪問〔必須配置〕

setsecurityzonessecurity-zonetrustinterfacesge-0/0/0.0host-inbound-trafficsystem-servicessnmp(Pleaseaddotherservicesasneeded)

訪問控制〔可配可不配，建議配置〕

setsnmpcommunitypublicclients/16

setsnmpcommunitypublicclients/0restrict2.1.6配置安全策略圖解：定義outside屬于Internet，inside屬于內(nèi)部局域網(wǎng)，通過juniper訪問Internet。接口的配置及創(chuàng)立不同的區(qū)域：root#setinterfacesge-0/0/0.0familyinetaddress4/16root#setinterfacesge-0/0/1.0familyinetaddress0/24//為接口ge-0/0/0、ge-0/0/1配置IP地址root#setsecurityzonessecurity-zoneoutsideinterfacesge-0/0/0.0root#setsecurityzonessecurity-zoneinsideinterfacesge-0/0/1.0//把接口放在不同的區(qū)域(outside/inside)中root#commit//提交配置root#showinterfaces//查看接口配置信息ge-0/0/0{unit0{familyinet{address4/16}}}ge-0/0/1{unit0{familyinet{address/24;}root#showsecurityzones//查看zones的配置信息security-zoneinside{interfaces{ge-0/0/1.0;}}security-zoneoutside{interfaces{ge-0/0/0.0;}配置路由:[edit]root#editrouting-options[editrouting-options]root#setstaticroute/0next-hop//配置靜態(tài)路由root#commit[editrouting-options]root#show//查看路由條目static{route/0next-hop[];}root#runshowroute//查看路由inet.0:5destinations,5routes(5active,0holddown,0hidden)+=ActiveRoute,-=LastActive,*=Both/0*[Static/5]00:34:17>toviage-0/0/0.0/24*[Direct/0]00:34:16>viage-0/0/1.0/32*[Local/0]00:34:23Localviage-0/0/1.0/16*[Direct/0]00:34:17>viage-0/0/0.04/32*[Local/0]00:34:23Localviage-0/0/0.0配置策略:[edit]root#editsecuritypoliciesfrom-zoneinsideto-zoneoutsidepolicypermit-all//定義zoneinside到zoneoutside的策略[editsecuritypoliciesfrom-zoneinsideto-zoneoutsidepolicypermit-all]root#setmatchsource-addressany//設(shè)置源地址為any[editsecuritypoliciesfrom-zoneinsideto-zoneoutsidepolicypermit-all]root#setmatchdestination-addressany//設(shè)置目標(biāo)地址為any[editsecuritypoliciesfrom-zoneinsideto-zoneoutsidepolicypermit-all]root#setmatchapplicationany//設(shè)置策略允許的服務(wù)為any[editsecuritypoliciesfrom-zoneinsideto-zoneoutsidepolicypermit-all]root#setthenpermit//設(shè)置的動(dòng)作是允許通過root#commit[edit]root#showsecuritypolicies//查看安全策略from-zoneinsideto-zoneoutside{policypermit-all{match{source-addressany;destination-addressany;applicationany;}then{permit;}Example1:源地址轉(zhuǎn)換(NAT)多對(duì)一，使得所有出向的流量源IP地址轉(zhuǎn)換為外部接口地址IP[edit]root#editsecuritynatsourcerule-setnat-policy//定義名字為nat-policy的nat策略[editsecuritynatsourcerule-setnat-policy]root#setfromzoneinsidetozoneoutside//設(shè)置策略來自inside去往outside[editsecuritynatsourcerule-setnat-policy]root#editruleinside-to-outside-nat//定義規(guī)則名字為inside-to-outside-nat[editsecuritynatsourcerule-setnat-policyruleinside-to-outside-nat]root#setmatchdestination-address4/16//設(shè)置規(guī)則中目的IP地址[editsecuritynatsourcerule-setnat-policyruleinside-to-outside-nat]root#setthensource-natinterface//設(shè)置轉(zhuǎn)換源的nat[editsecuritynatsourcerule-setnat-policyruleinside-to-outside-nat]root#setthenlogsession-initsession-close//設(shè)置啟用日志,記錄會(huì)話開場(chǎng)與完畢[editsecuritynatsourcerule-setnat-policy]root#exit[edit]root#editsystemsyslogfilenat-log//設(shè)置一個(gè)日志文件名字為nat-log[editsystemsyslogfilenat-log]root#setanyany//匹配任何logroot#setmatchRT_FLOW_SESSION//匹配日志中關(guān)鍵字RT_FLOW_SESSIONroot#runshowsecurityflowsession//查看會(huì)話的狀態(tài)信息In:/55249-->01/161;udp,If:ge-0/0/1.0,Pkts:166,Bytes:17596Out:01/161-->/55249;udp,If:ge-0/0/0.0,Pkts:0,Bytes:0SessionID:50,Policyname:permit-all/4,Timeout:52,ValidIn:/55249-->00/161;udp,If:ge-0/0/1.0,Pkts:167,Bytes:17702Out:00/161-->/55249;udp,If:ge-0/0/0.0,Pkts:0,Bytes:0Totalsessions:2root#runshowsecurityflowsessionsummary//查看會(huì)話數(shù)Unicast-sessions:4Multicast-sessions:0Failed-sessions:0Sessions-in-use:10Validsessions:4Pendingsessions:0Invalidatedsessions:6Sessionsinotherstates:0Maximum-sessions:32768root#runshowlognat-log//查看日志信息Aug217:46:43RT_FLOW:RT_FLOW_SESSION_CREATE:sessioncreated/52896->33/53junos-dns-udp/52896->33/53NoneNone17permit-allinsideoutside3048Aug217:46:43RT_FLOW:RT_FLOW_SESSION_CREATE:sessioncreated/50439->78/80junos-/50439->78/80NoneNone6permit-allinsideoutside3049Aug217:46:43RT_FLOW:RT_FLOW_SESSION_CREATE:sessioncreated/50440->78/80junos-/50440->78/80NoneNone6permit-allinsideoutside3050Aug217:46:45RT_FLOW:RT_FLOW_SESSION_CLOSE:sessionclosedunset:/52896->33/53junos-dns-udp/52896->33/53NoneNone17permit-allinsideoutside30481(61)1(180)3root#showsecuritynat//查看nat的策略信息source{rule-setnat-policy{fromzoneinside;tozoneoutside;ruleinside-to-outside-nat{match{destination-address[4/16];}then{source-nat{interface;}[edit]root#editsecuritypoliciesfrom-zoneinsideto-zoneoutside[editsecuritypoliciesfrom-zoneinsideto-zoneoutside]root#editpolicypermit-all[editsecuritypoliciesfrom-zoneinsideto-zoneoutsidepolicypermit-all]root#setthencount//為policy配置count行為[editsecuritypoliciesfrom-zoneinsideto-zoneoutsidepolicypermit-all]root#commitcommitcomplete[editsecuritypoliciesfrom-zoneinsideto-zoneoutsidepolicypermit-all]root#showmatch{source-addressany;destination-addressany;applicationany;}then{permit;log{session-init;session-close;}count;root>showsecuritypoliciespolicy-namepermit-alldetail//使用show查看count結(jié)果Policy:permit-all,action-type:permit,State:enabled,Index:4,ScopePolicy:0PolicyType:ConfiguredSequencenumber:1Fromzone:inside,Tozone:outsideSourceaddresses:any-ipv4:/0any-ipv6:::/0Destinationaddresses:any-ipv4:/0any-ipv6:::/0Application:anyIPprotocol:0,ALG:0,Inactivitytimeout:0Sourceportrange:[0-0]Destinationportrange:[0-0]PerpolicyTCPOptions:SYNcheck:No,SEQcheck:NoSessionlog:at-create,at-closePolicystatistics:Inputbytes:269698414509bpsOutputbytes:268333814443bpsInputpackets:453728ppsOutputpackets:443327ppsSessionrate:2341spsActivesessions:9Sessiondeletions:225Policylookups:230Example2:源地址轉(zhuǎn)換(NAT)多對(duì)一，使得所有出向的流量源IP地址轉(zhuǎn)換為公網(wǎng)地址池/24配置:[editsecuritynatsource]root#showpoolA{address{/24to54/24;}host-address-base/24;}rule-set1A{fromzoneinside;tozoneoutside;rule1{match{source-address/24;}then{source-natpoolA;root>showsecurityflowsessionSessionID:57737,Policyname:default-permit/4,Timeout:1772In:/2023-->/24;tcp,If:ge-0/0/2.0Out:/24-->/2023;tcp,If:ge-0/0/3.10root>showsecuritynatsourcepoolallTotalpools:1Poolname:APoolid:4Routinginstance:defaultHostaddressbase:Port:notranslationTotaladdresses:254Translationhits:6Example3:目的地址轉(zhuǎn)換〔NAT〕一對(duì)一，使所有進(jìn)方向訪問公網(wǎng)IP〔/32〕地址的流量都轉(zhuǎn)換為內(nèi)網(wǎng)的一個(gè)IP(/32)地址配置：[editsecuritynatdestination]root#showpoolA{address/24;}rule-set1{fromzoneoutside;rule1A{match{destination-address/32;}Then{destination-natpoolA;Example4:目的地址轉(zhuǎn)換〔NAT〕一對(duì)多，使所有進(jìn)方向訪問公網(wǎng)IP〔/32port：80/81〕地址的流量都轉(zhuǎn)換為內(nèi)網(wǎng)的多個(gè)IP(/32port：8080/32port：8181)地址圖解：將訪問公網(wǎng)ipport80轉(zhuǎn)換為內(nèi)網(wǎng)ipport8080將訪問公網(wǎng)ipport81轉(zhuǎn)換為內(nèi)網(wǎng)ipport8181配置：[editsecuritynatdestination]root#showpoolA{address/24port8080;poolB{address/24port8181;}rule-set1{fromzoneoutside;rule1A{match{destination-address/32;destination-port80;}then{destination-natpoolA;rule1B{match{destination-address/32;destination-port81;}then{destination-natpoolB;root>showsecurityflowsessionSessionID:12554,Policyname:default-permit/4,Timeout:14In:/58204-->/80;tcp,If:ge-0/0/3.10Out:/8080-->/58204;tcp,If:ge-0/0/2.01sessionsdisplayedSessionID:12554,Policyname:default-permit/4,Timeout:14In:/58304-->/81;tcp,If:ge-0/0/3.10Out:/8181-->/58304;tcp,If:ge-0/0/2.01sessionsdisplayed2.2透明模式的配置1.配置BridgeDomains橋接域〔BridgeDomains〕:屬于同一泛洪或播送域的一組邏輯接口。在同一個(gè)Vlan里，橋接域可以跨越多個(gè)設(shè)備的一個(gè)或多個(gè)接口。默認(rèn)情況下，每個(gè)橋接域都維護(hù)著自己的MAC地址轉(zhuǎn)發(fā)表，附屬