Juniper SRX Basic Configuration (Internet Access, SNAT, Policy)

Uploaded by: 工**** Document ID: 429885921 Upload date: 2023-10-27 Format: DOCX Pages: 10 Size: 73.32KB

SRX Basic Configuration (Internet Access, SNAT, Policy)

Environment

Port ge-0/0/0 is the external port: address 192.168.201.239/24, next-hop address 192.168.201.250.
Port fe-0/0/2 is the internal port: address 192.168.1.1/24. The internal port serves as the gateway for the PCs and runs DHCP with the following parameters:
Address range: 192.168.1.29-192.168.1.39
Gateway: 192.168.1.1
DNS: 202.106.0.20; 8.8.8.8
Configure source NAT, using the two addresses 192.168.201.59 and 192.168.201.60 as the translated addresses.
Configure a policy that allows the internal network to access the Internet.
Create the superuser wangjian with the password wangjian1.

Procedure

Connect a serial cable to the device's console port, with the parameters set as follows:

This device already has a configuration, so that configuration has to be cleared first. After clearing it, you must immediately set the device's initial superuser password and then commit; only then is the factory reset complete.

After logging in to the device, the following appears:

rootroot>

Enter configuration mode:
rootroot> configure
Entering configuration mode
[edit]

Restore the factory defaults:
rootroot# load factory-default
warning: activating factory configuration
[edit]

Set the superuser password:
rootroot# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]

rootroot# commit
commit complete
[edit]

The factory reset is now complete; the next step begins the configuration.

login: root        (enter the default user name root)
Password:        (enter the password that was set before resetting the device)
- JUNOS 10.4R9.2 built 2012-02-02 08:09:42 UTC

Type cli to enter operational mode:
rootroot% cli

Type configure to enter configuration mode (operational mode is indicated by the ">" symbol):
rootroot> configure
Entering configuration mode
[edit]
rootroot#        (configuration mode is indicated by "#")

Create a superuser named "wangjian":
rootroot# set system login user wangjian class super-user authentication plain-text-password
New password:        (set the password for user "wangjian")
Retype new password:        (repeat the password)
[edit]

Delete the existing interface configuration. By default the interfaces are in switching (Ethernet-switching) mode; to configure them as Layer 3 interfaces, this attribute has to be deleted first. ".0" and "unit 0" mean the same thing:
rootroot# delete interfaces ge-0/0/0.0
[edit]
rootroot# delete interfaces fe-0/0/2 unit 0
[edit]

Set ge-0/0/0.0 as a Layer 3 interface with address 192.168.201.239:
wangjian# set interfaces ge-0/0/0.0 family inet address 192.168.201.239/24
[edit]

Set fe-0/0/2.0 as a Layer 3 interface with address 192.168.1.1:
wangjian# set interfaces fe-0/0/2.0 family inet address 192.168.1.1/24
[edit]

Set the default route:
wangjian# set routing-options static route 0.0.0.0/0 next-hop 192.168.201.250
[edit]

Put ge-0/0/0.0 in the untrust security zone:
wangjian# set security zones security-zone untrust interfaces ge-0/0/0.0
[edit]

Put fe-0/0/2.0 in the trust security zone:
wangjian# set security zones security-zone trust interfaces fe-0/0/2.0
[edit]

Delete the system's built-in source NAT rule:
wangjian# delete security nat source rule-set trust-to-untrust
[edit]

Set the source NAT address pool:
wangjian# set security nat source pool wangjian address 192.168.201.59 to 192.168.201.60
[edit]

Set the NAT source security zone:
wangjian# set security nat source rule-set wangjiannat from zone trust
[edit]

Set the NAT destination security zone:
wangjian# set security nat source rule-set wangjiannat to zone untrust
[edit]

Set the NAT source address:
wangjian# set security nat source rule-set wangjiannat rule wangjiannat1 match source-address 0.0.0.0/0
[edit]

Associate the NAT rule with the address pool:
wangjian# set security nat source rule-set wangjiannat rule wangjiannat1 then source-nat pool wangjian
[edit]

Enable HTTP management on the interface:
wangjian# set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
[edit]

Turn on the global HTTP switch:
wangjian# set system services web-management http
[edit]

Delete the system's built-in policy:
wangjian# delete security policies from-zone trust to-zone untrust policy trust-to-untrust
[edit]

Configure the policy source address:
wangjian# set security policies from-zone trust to-zone untrust policy wangjian match source-address any
[edit]

Configure the policy destination address:
wangjian# set security policies from-zone trust to-zone untrust policy wangjian match destination-address any
[edit]

Configure the policy application:
wangjian# set security policies from-zone trust to-zone untrust policy wangjian match application any
[edit]

Configure the policy action:
wangjian# set security policies from-zone trust to-zone untrust policy wangjian then permit
[edit]

Enable policy logging at session start:
wangjian# set security policies from-zone trust to-zone untrust policy wangjian then log session-init
[edit]

Enable policy logging at session close:
wangjian# set security policies from-zone trust to-zone untrust policy wangjian then log session-close
[edit]

Delete the system's default DHCP configuration:
wangjian# delete system services dhcp
[edit]

DHCP parameter, default gateway:
wangjian# set system services dhcp router 192.168.1.1
[edit]

DHCP parameter, first address of the pool:
wangjian# set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.29
[edit]

DHCP parameter, last address of the pool:
wangjian# set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.39
[edit]

DHCP parameter, address lease time:
wangjian# set system services dhcp maximum-lease-time 4294967295
[edit]

DHCP parameter, DNS server:
wangjian# set system services dhcp name-server 202.106.0.20
[edit]

DHCP parameter, DNS server:
wangjian# set system services dhcp name-server 8.8.8.8
[edit]

Set the interface on which the DHCP settings are propagated:
wangjian# set system services dhcp propagate-settings fe-0/0/2.0
[edit]

Delete all attributes of interface fe-0/0/2.0:
wangjian# delete interfaces fe-0/0/2.0
[edit]

wangjian# set security zones security-zone trust interfaces fe-0/0/2.0 host-inbou
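
An added example, not part of the original document: a small Python check over the walkthrough's set-commands that flags the settings a reviewer would question before this configuration goes onto an Internet-facing device (cleartext management allowed on the untrust interface, the HTTP web-management service, and an any/any/any permit policy). The `audit` function and its rule names are hypothetical, and the sample input is constructed from commands shown in the procedure.

```python
import re

# Constructed sample: set-commands taken from the walkthrough above.
SAMPLE = """\
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces fe-0/0/2.0
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set system services web-management http
set security policies from-zone trust to-zone untrust policy wangjian match source-address any
set security policies from-zone trust to-zone untrust policy wangjian match destination-address any
set security policies from-zone trust to-zone untrust policy wangjian match application any
set security policies from-zone trust to-zone untrust policy wangjian then permit
set security policies from-zone trust to-zone untrust policy wangjian then log session-init
"""

CLEARTEXT = {"http", "telnet"}  # management services with no transport encryption

ZONE_RE = re.compile(r"set security zones security-zone (\S+) (?:interfaces (\S+) )?"
                     r"host-inbound-traffic system-services (\S+)")
POLICY_RE = re.compile(r"set security policies from-zone (\S+) to-zone (\S+) "
                       r"policy (\S+) (match|then) (.+)")

def audit(config, external_zones=("untrust",)):
    """Return sorted (rule_id, subject) findings; rule ids are made up for this example."""
    findings, policies = set(), {}
    for line in config.splitlines():
        m = ZONE_RE.match(line)
        if m and m.group(1) in external_zones and m.group(3) in CLEARTEXT:
            # Cleartext management reachable from the outside zone.
            findings.add(("CLEARTEXT_MGMT_ON_EXTERNAL", f"{m.group(2) or m.group(1)}:{m.group(3)}"))
        if re.match(r"set system services web-management http(\s|$)", line):
            findings.add(("WEB_MGMT_HTTP", "system"))  # J-Web served over HTTP, not HTTPS
        m = POLICY_RE.match(line)
        if m:
            # Collect every match/then term per (from-zone, to-zone, policy name).
            policies.setdefault(m.group(1, 2, 3), set()).add(f"{m.group(4)} {m.group(5)}")
    wide_open = {"match source-address any", "match destination-address any",
                 "match application any", "then permit"}
    for (src, dst, name), terms in policies.items():
        if wide_open <= terms:
            findings.add(("ANY_ANY_PERMIT", f"{src}->{dst}:{name}"))
    return sorted(findings)
```

Running `audit(SAMPLE)` reports all three conditions for this configuration; moving management to HTTPS on the trust interface only and narrowing the policy's application match clears them.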
