Juniper基本配置 – ONE

Juniper基本配置

2022-5-28 14:51

|

2022-5-28 15:00

|

Firewall,Network

210 字

|

10 分钟

本文最后更新于 699 天前，其中的信息可能已经有所发展或是发生改变。

1. 名称介绍

Cluster-id #：0-15可选，如果等于0不能做HA。
Group #：横向，用于数据控制。
Node id #：竖向，SRX1，SRX2. 
gr: GRE隧道接口
ip: ip-over-ip接口
ge: 千兆以太网接口
ae: 聚合以太网接口
as: 聚合SONET/SDH接口
Fxp0：带外管理口。独立于HA，且管理口配置不会进行同步
Fxp1（console Link）：控制层面心跳口。不同型号接口不一样，不做配置。
（可参考：https://www.juniper.net/documentation/us/en/software/junos/chassis-cluster-security-devices/topics/topic-map/security-chassis-cluster-verification.html）
Fab(Fabric Link)#：数据面心跳。模块类型1GE或10GE
Reth#：转发数据口，每个SRX分一个接口捆绑成一个reth#。可理解为冗余端口组

查看转发会话
show security flow session
查看nat详情
show security nat source rule all

2. 用户配置

root用户密码修改及配置
    set system root-authentication plain-text-password
    New password:
    Retype new password:

新建用户
    set system login user vtg uid 101 class super-user    // super-user 为完全权限                  
    set system login user vtg authentication plain-text-password
    New password:
    Retype new password: 
    show cli authorization        //查看当前用户权限

3. 上网配置

    1. 配置接口ip地址
     set interfaces ge-0/0/0.0 family inet address 124.207.100.1/24 //注意子网掩码表示方式
      或    
     set interfaces ge-0/0/0 unit 0 family inet address 124.207.100.1/24
    2. 接口划分安全域
     set security zones security-zone untrust interfaces ge-0/0/0.0 //将接口ge-0/0/0.0 划分至非安全域
     set security zones security-zone trust interfaces ge-0/0/1.0
    3. 开启接口可支持的功能或服务
     set security zones security-zone untrust interfaces ge-0/0/0 host-inbound-traffic system-services   ping
     set security zones security-zone untrust interfaces ge-0/0/0 host-inbound-traffic system-services   ssh
     set security zones security-zone untrust interfaces ge-0/0/0 host-inbound-traffic system-services   telnet
     set security zones security-zone untrust interfaces ge-0/0/0 host-inbound-traffic system-services   http
     set security zones security-zone untrust interfaces ge-0/0/0 host-inbound-traffic system-services   https
    4. 建立全局地址簿
     set security address-book global address vlan10 192.168.10.0/24
     set security address-book global address vlan20 192.168.20.0/24
     set security address-book global address vlan30 192.168.30.0/24
     将以上地址放进地址组，如下
     set security address-book global address-set Inside_network address vlan10
     set security address-book global address-set Inside_network address vlan20
     set security address-book global address-set Inside_network address vlan30

     注意： 做nat时，需调用全局地址簿中的地址，不然会报错，且global为系统内置的对象，需要将地址放置在此处
    5. 源nat配置
     set security nat source rule-set src-nat from zone trust
     set security nat source rule-set src-nat to zone untrust
     set security nat source rule-set src-nat rule id1 match source-address 192.168.10.0/24        //单个ip或单网段
      或
     set security nat source rule-set src-nat rule id1 match source-address-name Inside_network        //调用刚才建立的地址组
     set security nat source rule-set src-nat rule id1 destination-address 0.0.0.0/0
     set security nat source rule-set src-nat rule id1 then source-nat interface        //转换成出接口地址
            
    6. 目的nat配置
     需要先配置nat pool	
     例：添加一台需要映射到公网的oa服务器
     set security nat destination pool oa_web address 192.168.10.11/32 port 23        //地址为192.168.10.11 需要映射的端口为23
     目的nat配置
     set security nat destination rule-set dst_nat from zone untrust
     set security nat destination rule-set dst_nat rule id1 match destination-address 124.207.100.2/32
     set security nat destination rule-set dst_nat rule id1 match destination-port 8080
     set security nat destination rule-set dst_nat rule id1 match protocol tcp
     set security nat destination rule-set dst_nat rule id1 then destinatione-nat pool oa_web        //转换对象，调用已配置的pool名称
    7. 策略配置
     默认策略
     trust to trust --- permit any any 
       default-permit
     trust to untrust --- permit any any 
       default-permit 
     untrust to trust --- deny any any 
       default-deny
     set security policies from-zone trust to-zone untrust policy default-permit match source-address any destionation-address any application any 
     set security policies from-zone trust to-zone untrust policy default-permit then permit

     新增策略建议，policy 名称设置为policy_id1*
     set security policies from-zone untrust to-zone trust policy policy_id10 match source-address any destionation-address any application any 
     set security poilicies from-zone untrust to-zone trust policy policy_id10 then permit

     策略顺序优先级调整
     after     Insert after given data element     -- 在给定数据元素之后插入之后
     before    Insert before given data element    -- 在给定数据元素之前插入之前
     insert security policies from-zone trust to-zone untrust policy new_policy before policy default-permit  //new_policy default-permit 均为策略名称

4. NAT详解

源地址         目的地址           源地址转换为       目的地址转换为
10.1.1.1       10.5.5.5             172.16.1.1            192.168.1.1
1、源地址转换
set security nat source pool AAA address 172.16.1.1/32 to 172.16.1.1/32    
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule A-B match source-address 10.1.1.1/32
set security nat source rule-set trust-to-untrust rule A-B match destination-address 192.168.1.1/32
set security nat source rule-set trust-to-untrust rule A-B then source-nat pool AAA

set security nat source pool BBB address 10.5.5.5/32 to 10.5.5.5/32
set security nat source rule-set untrust-to-trust from zone untrust
set security nat source rule-set untrust-to-trust to zone trust
set security nat source rule-set untrust-to-trust rule B-A match source-address 192.168.1.1/32
set security nat source rule-set untrust-to-trust rule B-A  match destination-address 10.1.1.1/32
set security nat source rule-set untrust-to-trust rule B-A  then source-nat pool BBB

注：源地址转换时匹配的目的地址是真实的目的地址，因为先进行目的转换再进行源地址转换


2.目的转换
set security nat destination pool CCC address 192.168.1.1/32
set security nat destination rule-set trust-to-untrust from zone trust
set security nat destination rule-set trust-to-untrust rule A-Bmatch source-address 10.1.1.1/32
set security nat destination rule-set trust-to-untrust rule A-B match destination-address 10.5.5.5/32
set security nat destination rule-set trust-to-untrust rule A-B then destination-nat pool CCC

set security nat destination pool DDD address 10.1.1.1/32
set security nat destination rule-set untrust-to-trust from zone untrust
set security nat destination rule-set untrust-to-trust rule B-A match source-address 192.168.1.1/32
set security nat destination rule-set untrust-to-trust rule B-A match destination-address 172.16.1.1/32
set security nat destination rule-set untrust-to-trust rule B-A then destination-nat pool DDD
3.策略
从trust到untrust
set security zones security-zone trust address-book address EEE 10.1.1.1/32
set security zones security-zone untrust address-book address FFF 192.168.1.1/32
set security policies from-zone trust to-zone untrust policy A-B match source-address EEE
set security policies from-zone trust to-zone untrust policy A-B match destination-address FFF
set security policies from-zone trust to-zone untrust policy A-B match application any
set security policies from-zone trust to-zone untrust policy A-B then permit
set security policies from-zone trust to-zone untrust policy A-B then log session-init
set security policies from-zone trust to-zone untrust policy A-B then log session-close
从untrust到trust
set security policies from-zone untrust to-zone trust policy B-A match source-address FFF
set security policies from-zone untrust to-zone trust policy B-A match destination-address EEE
set security policies from-zone untrust to-zone trust policy B-A match application any
set security policies from-zone untrust to-zone trust policy B-A then permit
set security policies from-zone untrust to-zone trust policy B-A then log session-init
set security policies from-zone untrust to-zone trust policy B-A then log session-close
4.开ARP代理，因为10.5.5.5 和172.16.1.1是实际上不存在的，所以需要在物理接口上开ARP代理
set security nat proxy-arp interface reth0.0 address 10.5.5.5/32 to 10.5.5.5/32  
set security nat proxy-arp interface reth1.0 address 172.16.1.1/32 to 172.16.1.1/32
注：reth0.0位内部接口，reth1.0为防火墙外部接口

5. 策略路由

静态路由/默认路由
set routing-options static route 0.0.0.0/0 next-hop 10.1.1.2
如果是双链路或者多链路，可以使用以下方式配置，然后在配置rpm监测，如果不配置rpm将不会自动切换
静态路由默认优先级值为5，可使用preference来手动指定
set routing-options static route 0.0.0.0/0 next-hop 10.1.1.2
set routing-options static route 0.0.0.0/0 qualified-next-hop 20.1.1.2 preference 20

策略路由(多出口示例)
配置思路：
	1. 创建独立于主路由表inet.0的路由表即routing-instance路由实例
  2. 为这些实例添加路由表
  3. 为路由条目添加底层路由
  4. 根据源地址配置过滤策略(即ACL)，并将这些数据送进不同的路由表
  5. 将过滤策略应用在内网接口的input方向
  
1. 创建路由实例，名称为PBRCU,PBRCT,分别对应联通和移动线路
set routing-instances pbrct instance-type forwarding \\类型为forwarding 
set routing-instances pbrct routing-options static route 0.0.0.0/0 next-hop 20.1.1.1 \\路由条目
set routing-instances pbrcu instance-type forwarding
set routing-instances pbrcu routing-options static route 0.0.0.0/0 next-hop 10.1.1.1

2. 创建rib-group并关联新创建的实例及默认inet.0路由，同时将直连路由安装进实例路由表
set routing-options rib-groups pbr-group import-rib inet.0 \\关联inet.0路由
set routing-options rib-groups pbr-group import-rib pbrcu.inet.0 \\关联新建的路由实例pbrcu.inet.0
set routing-options rib-groups pbr-group import-rib pbrct.inet.0 \\关联新建的路由实例pbrct.inet.0
set routing-options interface-routes rib-group inet pbr-group	\\安装直连路由至rib-group组

3. 配置过滤条件(可以理解为我们常用的ACL)
set firewall filter pbracl term aclid1 from address 192.168.1.0/24 \\匹配源地址
set firewall filter pbracl term aclid1 then log \\开启log日志
set firewall filter pbracl term aclid1 then routing-instance pbrct \\如果满足条件，则执行路由实例pbrct
set firewall filter pbracl term default then accept \\其他则默认走主路由表

4. 将filter关联在接口input方向
set interfaces ge-0/0/2 unit 0 family inet filter input pbracl

暂无评论

发送评论编辑评论

Markdown

|´・ω・)ノ

ヾ(≧∇≦*)ゝ

(☆ω☆)

（╯‵□′）╯︵┴─┴

￣﹃￣

(/ω＼)

∠( ᐛ 」∠)＿

(๑•̀ㅁ•́ฅ)

→_→

୧(๑•̀⌄•́๑)૭

٩(ˊᗜˋ*)و

(ノ°ο°)ノ

(´இ皿இ｀)

⌇●﹏●⌇

(ฅ´ω`ฅ)

(╯°A°)╯︵○○○

φ(￣∇￣o)

ヾ(´･･｀｡)ノ"

( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃

(ó﹏ò｡)

Σ(っ °Д °;)っ

( ,,´･ω･)ﾉ"(´っω･｀｡)

╮(╯▽╰)╭

o(*////▽////*)q

＞﹏＜

( ๑´•ω•) "(ㆆᴗㆆ)

颜文字

Emoji

小恐龙

花!