Well-Site Server Networking Configuration: Juniper Firewall Configuration Manual
Document number: 005
Version: 1.0

Contents
1.1 Juniper SRX240 firewall configuration notes
1.1.1 Initial installation
1.1.2 Policy
1.1.3 NAT
1.1.4 IPSEC VPN

1.1 Juniper SRX240 firewall configuration notes

1.1.1 Initial installation

1.1.1.1 Logging in

Connect to the SRX through the console port (default general-purpose HyperTerminal settings) and log in as the root user; the password is root123.

    login: root
    Password:
    --- JUNOS 9.5R1.8 built 2009-07-16 15:04:30 UTC
    root% cli                      /* enter operational mode */
    root>
    root> configure
    Entering configuration mode    /* enter configuration mode */
    [edit]
    Root#

1.1.1.2 Setting the root user password

Set the root user password:

    set system root-authentication plain-text-password

The password is displayed in encrypted form:

    $1$rA9jkLwN$jMkZts1WXVc.Sx6NtZTLQ0

Note: it is strongly recommended not to use other encryption options (such as encrypted-password) to set the root and other user passwords. That parameter requires the value entered to be a string that has already been encrypted by the encryption algorithm, and typing it in by hand carries the risk that the password cannot be verified.

Note: the root user is used only for local management of the SRX over the console connection and cannot be used to manage the SRX by remote login. The root password must be set successfully before commit can be run to commit subsequent configuration commands.

1.1.1.3 Setting up a remote-login management user

    root# set system login user lab uid 2000
    set system login user lab class super-user
    set system login user lab authentication plain-text-password
    root# new password: lab123
    root# retype new password: lab123

Note: this lab user has super-administrator privileges and can be used for console and remote management access. Other users with different management privileges can also be defined as needed.

1.1.1.4 Configuration for remote management of the SRX

    run set date YYYYMMDDhhmm.ss            /* set the system clock */
    set system time-zone Asia/Shanghai      /* set the time zone to Shanghai */
    set system host-name SRX3400-A          /* set the host name */
    set system name-server 1.1.1.1          /* set the DNS server */
    set system services ftp
    set system services telnet
    set system services web-management http
    /* enable the ftp/telnet/http remote-access management services at system level */

1.1.2 Policy

Policy configuration is essentially the same as on ScreenOS; only the configuration commands differ. The permit/deny action of a policy needs an additional then statement (one ScreenOS policy is split into two or more configuration statements). The policy name must be configured manually; it can be a string or a number (similar to the ScreenOS policy ID, except that it has to be specified by hand).

    /* Policy from the trust zone to the untrust zone */
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any        /* match any source address */
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any   /* match any destination address */
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any           /* match any application */
    set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit                     /* the policy permits */

    /* Policies from the untrust zone to the trust zone */
    set security policies from-zone untrust to-zone trust policy oracle-3389 match source-address any
    set security policies from-zone untrust to-zone trust policy oracle-3389 match destination-address oracle-server   /* match the destination address group oracle-server */
    set security policies from-zone untrust to-zone trust policy oracle-3389 match application tcp-3389                /* match the application tcp-3389 */
    set security policies from-zone untrust to-zone trust policy oracle-3389 then permit

    /* The following policies follow the same pattern */
    set security policies from-zone untrust to-zone trust policy oracle-6000 match source-address any
    set security policies from-zone untrust to-zone trust policy oracle-6000 match destination-address oracle-server
    set security policies from-zone untrust to-zone trust policy oracle-6000 match application tcp-6000
    set security policies from-zone untrust to-zone trust policy oracle-6000 then permit
    set security policies from-zone untrust to-zone trust policy oracle-50001 match source-address any
    set security policies from-zone untrust to-zone trust policy oracle-50001 match destination-address oracle-server
    set security policies from-zone untrust to-zone trust policy oracle-50001 match application tcp-50001
    set security policies from-zone untrust to-zone trust policy oracle-50001 then permit
    set security policies from-zone untrust to-zone trust policy oracle-50002 match source-address any
    set security policies from-zone untrust to-zone trust policy oracle-50002 match destination-address oracle-server
    set security policies from-zone untrust to-zone trust policy oracle-50002 match application tcp-50002
    set security policies from-zone untrust to-zone trust policy oracle-50002 then permit
    set security policies from-zone untrust to-zone trust policy oracle-50003 match source-address any
    set security policies from-zone untrust to-zone trust policy oracle-50003 match destination-address oracle-server
    set security policies from-zone untrust to-zone trust policy oracle-50003 match application tcp-50003
    set security policies from-zone untrust to-zone trust policy oracle-50003 then permit
    set security policies from-zone untrust to-zone trust policy oracle-50004 match source-address any
    set security policies from-zone untrust to-zone trust policy oracle-50004 match destination-address oracle-server
    set security policies from-zone untrust to-zone trust policy oracle-50004 match application tcp-50004
    set security policies from-zone untrust to-zone trust policy oracle-50004 then permit
    set security policies from-zone untrust to-zone trust policy oracle-50005 match source-address any
    set security policies from-zone untrust to-zone trust policy oracle-50005 match destination-address oracle-server
    set security policies from-zone untrust to-zone trust policy oracle-50005 match application tcp-50005
    set security policies from-zone untrust to-zone trust policy oracle-50005 then permit
    set security policies from-zone untrust to-zone trust policy oracle-50006 match source-address any
    set security policies from-zone untrust to-zone trust policy oracle-50006 match destination-address oracle-server
    set security policies from-zone untrust to-zone trust policy oracle-50006 match application tcp-50006
    set security policies from-zone untrust to-zone trust policy oracle-50006 then permit
    set security policies from-zone untrust to-zone trust policy oracle-7009 match source-address any
    set security policies from-zone untrust to-zone trust policy oracle-7009 match destination-address oracle-server
    set security policies from-zone untrust to-zone trust policy oracle-7009 match application udp-7009
    set security policies from-zone untrust to-zone trust policy oracle-7009 then permit
    set security policies from-zone untrust to-zone trust policy oracle-7010 match source-address any
    set security policies from-zone untrust to-zone trust policy oracle-7010 match destination-address oracle-server
    set security policies from-zone untrust to-zone trust policy oracle-7010 match application udp-7010
    set security policies from-zone untrust to-zone trust policy oracle-7010 then permit
    set security policies from-zone untrust to-zone trust policy oracle-7011 match source-address any
    set security policies from-zone untrust to-zone trust policy oracle-7011 match destination-address oracle-server
    set security policies from-zone untrust to-zone trust policy oracle-7011 match application udp-7011
    set security policies from-zone untrust to-zone trust policy oracle-7011 then permit
    set security policies from-zone untrust to-zone trust policy oracle-7012 match source-address any
    set security policies from-zone untrust to-zone trust policy oracle-7012 match destination-address oracle-server
    set security policies from-zone untrust to-zone trust policy oracle-7012 match application udp-7012
    set security policies from-zone untrust to-zone trust policy oracle-7012 then permit
    set security policies from-zone untrust to-zone trust policy oracle-1521 match source-address any
    set security policies from-zone untrust to-zone trust policy oracle-1521 match destination-address oracle-server
    set security policies from-zone untrust to-zone trust policy oracle-1521 match application tcp-1521
    set security policies from-zone untrust to-zone trust policy oracle-1521 then permit
    set security policies from-zone trust to-zone trust policy trust-trust match source-address any
    set security policies from-zone trust to-zone trust policy trust-trust match destination-address any
    set security policies from-zone trust to-zone trust policy trust-trust match application any
    set security policies from-zone trust to-zone trust policy trust-trust then permit
    set security policies from-zone trust to-zone vpn policy vpn1 match source-address any
    set security policies from-zone trust to-zone vpn policy vpn1 match destination-address any
    set security policies from-zone trust to-zone vpn policy vpn1 match application any
    set security policies from-zone trust to-zone vpn policy vpn1 then permit
    set security policies from-zone vpn to-zone trust policy vpn1 match source-address any
    set security policies from-zone vpn to-zone trust policy vpn1 match destination-address any
    set security policies from-zone vpn to-zone trust policy vpn1 match application any
    set security policies from-zone vpn to-zone trust policy vpn1 then permit

    /* Configure the security zone trust */
    set security zones security-zone trust address-book address oracle-server 192.168.250.10/32          /* configure the trust zone address book */
    set security zones security-zone trust host-inbound-traffic system-services all                      /* services allowed in the trust zone */
    set security zones security-zone trust host-inbound-traffic protocols all                            /* protocols allowed in the trust zone */
    set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services all    /* configure the trust zone interface */
    set security zones security-zone trust interfaces vlan.0 host-inbound-traffic protocols all          /* configure the trust zone */

    /* Untrust */
    set security zones security-zone untrust address-book address dyn-vpn 172.16.1.0/24
    set security zones security-zone untrust address-book address 172.31.10.0 172.31.10.0/24
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic protocols all

    /* Configure the security zone vpn */
    set security zones security-zone vpn host-inbound-traffic system-services all
    set security zones security-zone vpn interfaces st0.1001

    /* Configure applications */
    set applications application tcp-1521 protocol tcp             /* protocol tcp */
    set applications application tcp-1521 destination-port 1521    /* port 1521 */
    set applications application tcp-3389 protocol tcp
    set applications application tcp-3389 destination-port 3389
    set applications application tcp-600
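As an added example (not part of the original manual), the Python sketch below regroups the per-line policy statements shown above into one record per policy and flags three things a reviewer would check in this configuration: management services without transport encryption, permits that match any/any/any, and permits from the untrust zone with source-address any. The function names and finding labels are this example's own, and the input is a constructed subset of the page's commands.

```python
import re
from collections import defaultdict
# Constructed input: a subset of the set commands shown on this page.
SAMPLE = """\
set system services ftp
set system services telnet
set system services web-management http
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone untrust to-zone trust policy oracle-3389 match source-address any
set security policies from-zone untrust to-zone trust policy oracle-3389 match destination-address oracle-server
set security policies from-zone untrust to-zone trust policy oracle-3389 match application tcp-3389
set security policies from-zone untrust to-zone trust policy oracle-3389 then permit
"""

POLICY_RE = re.compile(
    r"set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"(?:match (source-address|destination-address|application) (\S+)|then (\S+))")
SERVICE_RE = re.compile(r"set system services (ftp|telnet|web-management http)\s*$")
MATCH_FIELDS = ("source-address", "destination-address", "application")

def parse_policies(text):
    """Group the per-line match/then statements back into one record per policy."""
    policies = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            src, dst, name, field, value, action = m.groups()
            policies[(src, dst, name)][field or "then"].add(value or action)
    return policies

def audit(text, untrusted_zones=("untrust",)):
    """Return (finding, subject) pairs for settings worth a reviewer's attention."""
    findings = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:  # management protocol without transport encryption
            findings.append(("cleartext-management", m.group(1)))
    for (src, dst, name), p in parse_policies(text).items():
        if "permit" not in p["then"]:
            continue
        subject = f"{src}->{dst}:{name}"
        if all("any" in p[f] for f in MATCH_FIELDS):
            findings.append(("permit-any-any-any", subject))
        elif src in untrusted_zones and "any" in p["source-address"]:
            findings.append(("inbound-from-any-source", subject))
    return findings
```

Running `audit()` over a full export of `set` commands lists every inbound policy whose source is still `any`; replacing `any` with an address-book entry for the expected peers clears the finding for that policy.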

