Wellsite Server Networking Configuration: Juniper Firewall Configuration Manual
Document No.: 005
Version: 1.0

Contents
1.1 Juniper SRX240 firewall configuration notes
1.1.1 Initial installation
1.1.2 Policy
1.1.3 NAT
1.1.4 IPSEC VPN

1.1 Juniper SRX240 firewall configuration notes

1.1.1 Initial installation

1.1.1.1 Log in through the console port (default settings of a generic terminal emulator)
Connect to the SRX and log in as root; the password is root123.

login: root
Password:
--- JUNOS 9.5R1.8 built 2009-07-16 15:04:30 UTC
root@% cli                        /* enter operational mode */
root> configure
Entering configuration mode       /* enter configuration mode */
[edit]
root#

1.1.1.2 Set the root password
set system root-authentication plain-text-password
New password:
Retype new password:
In the configuration the password is stored and displayed only in hashed form, for example:
encrypted-password "$1$rA9jkLwN$jMkZts1WXVc.Sx6NtZTLQ0"
Note: it is strongly recommended not to set the root password or any other user password through the other option, encrypted-password. That parameter expects a string that has already been processed by the hash algorithm; typing such a string by hand risks ending up with a password that can never be verified.
Note: the root user is intended only for local management of the SRX over the console and cannot log in remotely. The root password must be set successfully before any subsequent configuration can be committed.

1.1.1.3 Create a user for remote management
root# set system login user lab uid 2000
set system login user lab class super-user
set system login user lab authentication plain-text-password
root# New password: lab123
root# Retype new password: lab123
Note: the lab user has super-user (full administrative) privileges and can be used for both console and remote management access. Additional users with other, more restricted privilege classes can be defined in the same way.

1.1.1.4 Settings related to remote management of the SRX
run set date YYYYMMDDhhmm.ss              /* set the system clock */
set system time-zone Asia/Shanghai        /* set the time zone to Shanghai */
set system host-name SRX3400-A            /* set the host name */
set system name-server 1.1.1.1            /* set the DNS server */
set system services ftp
set system services telnet
set system services web-management http   /* enable the ftp/telnet/http remote management services at system level */
Note: ftp, telnet and http carry credentials in cleartext. Where the management path crosses an untrusted network, prefer set system services ssh and set system services web-management https. A service enabled here is reachable only on interfaces whose zone also admits it under host-inbound-traffic system-services (see the zone configuration in 1.1.2); the untrust zone in this manual admits only ssh, ping and ike.
1.1.2 Policy
Policy configuration follows the same approach as on ScreenOS; only the command syntax differs. The permit/deny action requires a separate then statement, so one ScreenOS policy becomes two or more configuration statements. A policy name must be assigned manually; it can be a string or a number (similar to the ScreenOS policy ID, except that it is chosen by hand).

/ Policy from zone trust to zone untrust
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any (match any source address)
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any (match any destination address)
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any (match any application)
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit (permit)

/ Policies from zone untrust to zone trust
set security policies from-zone untrust to-zone trust policy oracle-3389 match source-address any
set security policies from-zone untrust to-zone trust policy oracle-3389 match destination-address oracle-server (match the destination address group oracle-server)
set security policies from-zone untrust to-zone trust policy oracle-3389 match application tcp-3389 (match the application tcp-3389)
set security policies from-zone untrust to-zone trust policy oracle-3389 then permit
/ The following policies are built the same way
set security policies from-zone untrust to-zone trust policy oracle-6000 match source-address any
set security policies from-zone untrust to-zone trust policy oracle-6000 match destination-address oracle-server
set security policies from-zone untrust to-zone trust policy oracle-6000 match application tcp-6000
set security policies from-zone untrust to-zone trust policy oracle-6000 then permit
set security policies from-zone untrust to-zone trust policy oracle-50001 match source-address any
set security policies from-zone untrust to-zone trust policy oracle-50001 match destination-address oracle-server
set security policies from-zone untrust to-zone trust policy oracle-50001 match application tcp-50001
set security policies from-zone untrust to-zone trust policy oracle-50001 then permit
set security policies from-zone untrust to-zone trust policy oracle-50002 match source-address any
set security policies from-zone untrust to-zone trust policy oracle-50002 match destination-address oracle-server
set security policies from-zone untrust to-zone trust policy oracle-50002 match application tcp-50002
set security policies from-zone untrust to-zone trust policy oracle-50002 then permit
set security policies from-zone untrust to-zone trust policy oracle-50003 match source-address any
set security policies from-zone untrust to-zone trust policy oracle-50003 match destination-address oracle-server
set security policies from-zone untrust to-zone trust policy oracle-50003 match application tcp-50003
set security policies from-zone untrust to-zone trust policy oracle-50003 then permit
set security policies from-zone untrust to-zone trust policy oracle-50004 match source-address any
set security policies from-zone untrust to-zone trust policy oracle-50004 match destination-address oracle-server
set security policies from-zone untrust to-zone trust policy oracle-50004 match application tcp-50004
set security policies from-zone untrust to-zone trust policy oracle-50004 then permit
set security policies from-zone untrust to-zone trust policy oracle-50005 match source-address any
set security policies from-zone untrust to-zone trust policy oracle-50005 match destination-address oracle-server
set security policies from-zone untrust to-zone trust policy oracle-50005 match application tcp-50005
set security policies from-zone untrust to-zone trust policy oracle-50005 then permit
set security policies from-zone untrust to-zone trust policy oracle-50006 match source-address any
set security policies from-zone untrust to-zone trust policy oracle-50006 match destination-address oracle-server
set security policies from-zone untrust to-zone trust policy oracle-50006 match application tcp-50006
set security policies from-zone untrust to-zone trust policy oracle-50006 then permit
set security policies from-zone untrust to-zone trust policy oracle-7009 match source-address any
set security policies from-zone untrust to-zone trust policy oracle-7009 match destination-address oracle-server
set security policies from-zone untrust to-zone trust policy oracle-7009 match application udp-7009
set security policies from-zone untrust to-zone trust policy oracle-7009 then permit
set security policies from-zone untrust to-zone trust policy oracle-7010 match source-address any
set security policies from-zone untrust to-zone trust policy oracle-7010 match destination-address oracle-server
set security policies from-zone untrust to-zone trust policy oracle-7010 match application udp-7010
set security policies from-zone untrust to-zone trust policy oracle-7010 then permit
set security policies from-zone untrust to-zone trust policy oracle-7011 match source-address any
set security policies from-zone untrust to-zone trust policy oracle-7011 match destination-address oracle-server
set security policies from-zone untrust to-zone trust policy oracle-7011 match application udp-7011
set security policies from-zone untrust to-zone trust policy oracle-7011 then permit
set security policies from-zone untrust to-zone trust policy oracle-7012 match source-address any
set security policies from-zone untrust to-zone trust policy oracle-7012 match destination-address oracle-server
set security policies from-zone untrust to-zone trust policy oracle-7012 match application udp-7012
set security policies from-zone untrust to-zone trust policy oracle-7012 then permit
set security policies from-zone untrust to-zone trust policy oracle-1521 match source-address any
set security policies from-zone untrust to-zone trust policy oracle-1521 match destination-address oracle-server
set security policies from-zone untrust to-zone trust policy oracle-1521 match application tcp-1521
set security policies from-zone untrust to-zone trust policy oracle-1521 then permit

/ Policy within zone trust
set security policies from-zone trust to-zone trust policy trust-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-trust match application any
set security policies from-zone trust to-zone trust policy trust-trust then permit

/ Policies between zone trust and zone vpn
set security policies from-zone trust to-zone vpn policy vpn1 match source-address any
set security policies from-zone trust to-zone vpn policy vpn1 match destination-address any
set security policies from-zone trust to-zone vpn policy vpn1 match application any
set security policies from-zone trust to-zone vpn policy vpn1 then permit
set security policies from-zone vpn to-zone trust policy vpn1 match source-address any
set security policies from-zone vpn to-zone trust policy vpn1 match destination-address any
set security policies from-zone vpn to-zone trust policy vpn1 match application any
set security policies from-zone vpn to-zone trust policy vpn1 then permit

/ Configure security zone trust
set security zones security-zone trust address-book address oracle-server 192.168.250.10/32 (trust zone address-book entry)
set security zones security-zone trust host-inbound-traffic system-services all (services the trust zone accepts)
set security zones security-zone trust host-inbound-traffic protocols all (protocols the trust zone accepts)
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services all (trust zone interface)
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic protocols all

/ Configure security zone untrust
set security zones security-zone untrust address-book address dyn-vpn 172.16.1.0/24
set security zones security-zone untrust address-book address 172.31.10.0 172.31.10.0/24
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic protocols all

/ Configure security zone vpn
set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn interfaces st0.1001

Note: every untrust-to-trust policy above matches source-address any, so each listed port on oracle-server (including RDP on tcp-3389) is reachable from any address arriving in the untrust zone. The untrust address book already defines dyn-vpn (172.16.1.0/24) and 172.31.10.0 (172.31.10.0/24); matching source-address against those entries instead of any limits access to the intended peers. Likewise, host-inbound-traffic system-services all on the trust and vpn zones exposes every management service on those interfaces; list only the services that are needed, as is done for ge-0/0/0.0 in the untrust zone.

/ Configure applications
set applications application tcp-1521 protocol tcp (protocol tcp)
set applications application tcp-1521 destination-port 1521 (port 1521)
set applications application tcp-3389 protocol tcp
set applications application tcp-3389 destination-port 3389
set applications application tcp-600
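The following Python script is an added example and is not part of this manual or of Juniper's tooling. It shows the two points the policy and application sections make in working code: a single service rule is rendered as three match statements plus one then statement, with the application object defined separately, and the resulting set-style lines are parsed back and checked for the issues a reviewer would look for (untrust-to-trust permits from source-address any, applications that are referenced but never defined, destinations missing from the to-zone address book). The zone names, the dyn-vpn and oracle-server entries and the port numbers come from the manual; the function names, the regular expressions and the sample line list are this example's own, and the sample is constructed, not copied from a live device.

```python
import re
from collections import defaultdict

# Junos "set" statements this example understands (added example, not Juniper code).
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"(?:match (source-address|destination-address|application) (\S+)"
    r"|then (permit|deny|reject))$"
)
APP_RE = re.compile(r"^set applications application (\S+) (protocol|destination-port) (\S+)$")
ADDR_RE = re.compile(r"^set security zones security-zone (\S+) address-book address (\S+) (\S+)$")


def render_policy(zone_from, zone_to, name, src, dst, app, action="permit"):
    """One ScreenOS-style rule becomes three match statements and one then statement."""
    prefix = f"set security policies from-zone {zone_from} to-zone {zone_to} policy {name}"
    return [
        f"{prefix} match source-address {src}",
        f"{prefix} match destination-address {dst}",
        f"{prefix} match application {app}",
        f"{prefix} then {action}",
    ]


def render_application(proto, port):
    """A custom application object is defined apart from the policies that reference it."""
    name = f"{proto}-{port}"
    return [
        f"set applications application {name} protocol {proto}",
        f"set applications application {name} destination-port {port}",
    ]


def parse(lines):
    """Group set statements into policies, application objects and per-zone address books."""
    policies, apps, addrs = {}, defaultdict(dict), defaultdict(dict)
    for line in (l.strip() for l in lines):
        if m := POLICY_RE.match(line):
            key = (m[1], m[2], m[3])
            p = policies.setdefault(key, {"source-address": [], "destination-address": [],
                                          "application": [], "then": None})
            if m[4]:
                p[m[4]].append(m[5])
            else:
                p["then"] = m[6]
        elif m := APP_RE.match(line):
            apps[m[1]][m[2]] = m[3]
        elif m := ADDR_RE.match(line):
            addrs[m[1]][m[2]] = m[3]
    return policies, apps, addrs


def audit(lines, untrusted_zones=("untrust",)):
    """Return human-readable findings; an empty list means every check passed."""
    policies, apps, addrs = parse(lines)
    findings = []
    for (zf, zt, name), p in policies.items():
        tag = f"{zf}->{zt} {name}"
        if p["then"] is None:
            findings.append(f"{tag}: no 'then' action, policy is incomplete")
        if zf in untrusted_zones and p["then"] == "permit" and "any" in p["source-address"]:
            findings.append(f"{tag}: permits from source-address any")
        for app in p["application"]:
            # "any" and the predefined junos-* applications need no definition in the config.
            if app != "any" and not app.startswith("junos-") and app not in apps:
                findings.append(f"{tag}: application {app} is referenced but not defined")
        for dst in p["destination-address"]:
            # destination-address names are resolved in the address book of the to-zone.
            if dst != "any" and dst not in addrs[zt]:
                findings.append(f"{tag}: destination {dst} is not in the {zt} address book")
    return findings


# Constructed sample modelled on the manual's zone, policy and application sections.
SAMPLE = [
    "set security zones security-zone trust address-book address oracle-server 192.168.250.10/32",
    "set security zones security-zone untrust address-book address dyn-vpn 172.16.1.0/24",
    *render_application("tcp", 1521),
    *render_application("tcp", 3389),
    *render_policy("trust", "untrust", "trust-to-untrust", "any", "any", "any"),
    *render_policy("untrust", "trust", "oracle-3389", "any", "oracle-server", "tcp-3389"),
    *render_policy("untrust", "trust", "oracle-1521", "any", "oracle-server", "tcp-1521"),
    # tcp-6000 is referenced by a policy but no application object defines it.
    *render_policy("untrust", "trust", "oracle-6000", "any", "oracle-server", "tcp-6000"),
    # Tightened form: the source is the address-book entry the untrust zone already defines.
    *render_policy("untrust", "trust", "oracle-1521-vpn", "dyn-vpn", "oracle-server", "tcp-1521"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Running the script prints one line per finding for the three any-source policies and one for the undefined tcp-6000 application, and nothing for trust-to-untrust or for the oracle-1521-vpn policy whose source is restricted to dyn-vpn. To audit a real device, feed it the output of show configuration | display set instead of SAMPLE.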