Juniper Networks SRX configuration example






Below is an example of remotely configuring a Juniper SRX100 firewall for a branch site, with explanations. I used this sample configuration to set up several firewalls at different sites remotely. You will see 4 separate subnets / VLANs for VoIP, data, corporate wireless and guest wireless. In this particular example the VoIP setup was for ShoreTel and the wireless was Aruba Networks. You will also see a route-based VPN setup bound to the Untrust interface, which provides connectivity between HQ and the remote site.


Note: You can view the configuration below at any time with the command "show | display set". I have slightly changed how it is displayed here in order to explain what each line means.



To set the hostname:

set system host-name

 

To set the administrator (root) password:

set system root-authentication plain-text-password

 

To set the name server:

set system name-server

 

To set user names and passwords:

set system login user example uid 2000
set system login user example class super-user
set system login user example authentication plain-text-password

 

To enable global services:

set system services ftp
set system services ssh
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.5

(vlan.5 restricts web management to this logical interface only. You will see below that vlan.5 is also known as the DATA VLAN.)

 

To set other system settings:

set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval

(The settings above are the defaults, but they can be changed if necessary.)

 

To configure the interfaces:

set interfaces fe-0/0/0 description "WAN"
set interfaces fe-0/0/0 unit 0 family inet dhcp

(In this example I used interface fe-0/0/0 as the WAN interface.)

 

set interfaces fe-0/0/1 description "VOIP/DATA"
set interfaces fe-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/1 unit 0 family ethernet-switching native-vlan-id 5

(Interface fe-0/0/1 is a trunk port for both the VOIP and DATA VLANs.)

 

set interfaces fe-0/0/2 disable
set interfaces fe-0/0/3 disable
set interfaces fe-0/0/4 disable
set interfaces fe-0/0/5 disable
set interfaces fe-0/0/6 disable

(The interfaces above are disabled because they are not used in this example.)

 

set interfaces fe-0/0/7 description "CORP WIRELESS/GUEST WIRELESS"
set interfaces fe-0/0/7 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/7 unit 0 family ethernet-switching native-vlan-id 6

(Interface fe-0/0/7 is a trunk port for both the CORP WIRELESS and GUEST WIRELESS VLANs.)

 

To configure the interface for the route-based VPN on the Juniper SRX:

set interfaces st0 unit 0 family inet next-hop-tunnel 10.10.10.254 ipsec-vpn routebasedvpn
set interfaces st0 unit 0 family inet address 10.10.10.5/24

(10.10.10.254 is the address of the HQ st0 interface; 10.10.10.5 is the address of the local st0 interface.)

To configure the gateway/subnet for each VLAN on the Juniper SRX (the unit numbers match the vlan.4 to vlan.7 L3 interfaces referenced by the zones, DHCP relay and VLAN sections below):

set interfaces vlan unit 4 family inet address 192.168.4.1/24
set interfaces vlan unit 5 family inet address 192.168.5.1/24
set interfaces vlan unit 6 family inet address 192.168.6.1/24
set interfaces vlan unit 7 family inet address 192.168.7.1/24

 

To configure DHCP options on the Juniper SRX:

set forwarding-options helpers bootp relay-agent-option
set forwarding-options helpers bootp description "DHCP SERVER"
set forwarding-options helpers bootp server 10.10.100.10
set forwarding-options helpers bootp vpn
set forwarding-options helpers bootp interface vlan.4
set forwarding-options helpers bootp interface vlan.5
set forwarding-options helpers bootp interface vlan.6
set forwarding-options helpers bootp interface vlan.7

(In the example above, the SRX relays DHCP requests to the central DHCP server at HQ.)

To configure routing options on the Juniper SRX:

set routing-options static route 192.168.4.0/24 next-hop st0.0

(In the example above, the VoIP VLAN subnet is routed through the VPN tunnel interface.)

To configure protocols:

set protocols igmp interface vlan.4
set protocols lldp interface all
set protocols lldp-med interface all


To configure the IPsec VPN on the Juniper SRX:

set security ike proposal phase1-prop authentication-method pre-shared-keys
set security ike proposal phase1-prop dh-group group2
set security ike proposal phase1-prop authentication-algorithm sha1
set security ike proposal phase1-prop encryption-algorithm 3des-cbc
set security ike policy ike-policy1 mode main
set security ike policy ike-policy1 proposal-set standard
set security ike policy ike-policy1 pre-shared-key ascii-text test1234
set security ike gateway ike-gateway1 ike-policy ike-policy1
set security ike gateway ike-gateway1 address 1.1.1.1
set security ike gateway ike-gateway1 external-interface fe-0/0/0.0
set security ipsec proposal phase2-prop protocol esp
set security ipsec proposal phase2-prop authentication-algorithm hmac-sha1-96
set security ipsec proposal phase2-prop encryption-algorithm 3des-cbc
set security ipsec policy ipsec-policy1 perfect-forward-secrecy keys group2
set security ipsec policy ipsec-policy1 proposal-set standard
set security ipsec vpn routebasedvpn bind-interface st0.0
set security ipsec vpn routebasedvpn ike gateway ike-gateway1
set security ipsec vpn routebasedvpn ike ipsec-policy ipsec-policy1
set security ipsec vpn routebasedvpn establish-tunnels immediately

To configure NAT on the Juniper SRX (one source NAT rule-set per internal zone, each matching that zone's VLAN subnet and translating to the Untrust interface address):

set security nat source rule-set voip-to-untrust from zone voip
set security nat source rule-set voip-to-untrust to zone untrust
set security nat source rule-set voip-to-untrust rule source-nat-rule1 match source-address 192.168.4.0/24
set security nat source rule-set voip-to-untrust rule source-nat-rule1 then source-nat interface
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule2 match source-address 192.168.5.0/24
set security nat source rule-set trust-to-untrust rule source-nat-rule2 then source-nat interface
set security nat source rule-set corp_wireless-to-untrust from zone corp_wireless
set security nat source rule-set corp_wireless-to-untrust to zone untrust
set security nat source rule-set corp_wireless-to-untrust rule source-nat-rule3 match source-address 192.168.6.0/24
set security nat source rule-set corp_wireless-to-untrust rule source-nat-rule3 then source-nat interface
set security nat source rule-set guest_wireless-to-untrust from zone guest_wireless
set security nat source rule-set guest_wireless-to-untrust to zone untrust
set security nat source rule-set guest_wireless-to-untrust rule source-nat-rule4 match source-address 192.168.7.0/24
set security nat source rule-set guest_wireless-to-untrust rule source-nat-rule4 then source-nat interface

 

To configure firewall screen options on the Juniper SRX:

set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land

To configure zones on the Juniper SRX:

set security zones security-zone voip host-inbound-traffic system-services all
set security zones security-zone voip host-inbound-traffic protocols all
set security zones security-zone voip interfaces vlan.4
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.5
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic protocols router-discovery
set security zones security-zone corp_wireless host-inbound-traffic system-services all
set security zones security-zone corp_wireless host-inbound-traffic protocols all
set security zones security-zone corp_wireless interfaces vlan.6
set security zones security-zone vpn address-book address hq_network 10.10.0.0/16
set security zones security-zone vpn interfaces st0.0 host-inbound-traffic system-services all
set security zones security-zone vpn interfaces st0.0 host-inbound-traffic protocols all
set security zones security-zone guest_wireless host-inbound-traffic system-services all
set security zones security-zone guest_wireless host-inbound-traffic protocols all
set security zones security-zone guest_wireless interfaces vlan.7


To configure the zone-to-zone policies on the Juniper SRX:

set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit
set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any
set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit
set security policies from-zone corp_wireless to-zone untrust policy corp_wireless-to-untrust match source-address any
set security policies from-zone corp_wireless to-zone untrust policy corp_wireless-to-untrust match destination-address any
set security policies from-zone corp_wireless to-zone untrust policy corp_wireless-to-untrust match application any
set security policies from-zone corp_wireless to-zone untrust policy corp_wireless-to-untrust then permit
set security policies from-zone corp_wireless to-zone vpn policy corp_wireless-to-vpn match source-address any
set security policies from-zone corp_wireless to-zone vpn policy corp_wireless-to-vpn match destination-address any
set security policies from-zone corp_wireless to-zone vpn policy corp_wireless-to-vpn match application any
set security policies from-zone corp_wireless to-zone vpn policy corp_wireless-to-vpn then permit
set security policies from-zone corp_wireless to-zone corp_wireless policy corp_wireless-to-corp_wireless match source-address any
set security policies from-zone corp_wireless to-zone corp_wireless policy corp_wireless-to-corp_wireless match destination-address any
set security policies from-zone corp_wireless to-zone corp_wireless policy corp_wireless-to-corp_wireless match application any
set security policies from-zone corp_wireless to-zone corp_wireless policy corp_wireless-to-corp_wireless then permit
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-to-untrust match source-address any
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-to-untrust match destination-address any
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-to-untrust match application any
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-to-untrust then permit
set security policies from-zone guest_wireless to-zone guest_wireless policy guest_wireless-to-guest_wireless match source-address any
set security policies from-zone guest_wireless to-zone guest_wireless policy guest_wireless-to-guest_wireless match destination-address any
set security policies from-zone guest_wireless to-zone guest_wireless policy guest_wireless-to-guest_wireless match application any
set security policies from-zone guest_wireless to-zone guest_wireless policy guest_wireless-to-guest_wireless then permit
set security policies from-zone vpn to-zone corp_wireless policy vpn-to-corp_wireless match source-address any
set security policies from-zone vpn to-zone corp_wireless policy vpn-to-corp_wireless match destination-address any
set security policies from-zone vpn to-zone corp_wireless policy vpn-to-corp_wireless match application any
set security policies from-zone vpn to-zone corp_wireless policy vpn-to-corp_wireless then permit
set security policies from-zone trust to-zone corp_wireless policy trust-to-corp_wireless match source-address any
set security policies from-zone trust to-zone corp_wireless policy trust-to-corp_wireless match destination-address any
set security policies from-zone trust to-zone corp_wireless policy trust-to-corp_wireless match application any
set security policies from-zone trust to-zone corp_wireless policy trust-to-corp_wireless then permit
set security policies from-zone corp_wireless to-zone trust policy corp_wireless-to-trust match source-address any
set security policies from-zone corp_wireless to-zone trust policy corp_wireless-to-trust match destination-address any
set security policies from-zone corp_wireless to-zone trust policy corp_wireless-to-trust match application any
set security policies from-zone corp_wireless to-zone trust policy corp_wireless-to-trust then permit

set security flow tcp-mss ipsec-vpn mss 1350


To configure VLANs on the Juniper SRX:

set vlans VOIP description "VOIP"
set vlans VOIP vlan-id 4
set vlans VOIP interface fe-0/0/1.0
set vlans VOIP l3-interface vlan.4
set vlans DATA description "DATA"
set vlans DATA vlan-id 5
set vlans DATA l3-interface vlan.5
set vlans CORP_WIRELESS description "CORP_WIRELESS"
set vlans CORP_WIRELESS vlan-id 6
set vlans CORP_WIRELESS l3-interface vlan.6
set vlans GUEST_WIRELESS description "GUEST_WIRELESS"
set vlans GUEST_WIRELESS vlan-id 7
set vlans GUEST_WIRELESS interface fe-0/0/7.0
set vlans GUEST_WIRELESS l3-interface vlan.7

(You will notice that interface fe-0/0/1.0 is associated with the VOIP VLAN. However, if you look at the "set interfaces" section again, you will see that interface fe-0/0/1 has a native VLAN ID of 5. This means that both VLANs can exist on this interface, but by default devices will get an IP in VLAN 5 unless told otherwise (i.e. in this example a custom DHCP option was created for the VoIP VLAN using VLAN ID 4).)
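As an added example (not part of the original article), the following Python script audits a "show | display set" dump for the slips that are easy to make when a template like the one above is copied from site to site: an l3-interface vlan.N with no matching "vlan unit N" address, a source NAT prefix that matches no local VLAN subnet, a NAT rule name reused across rule-sets, the cleartext FTP management service, and zones that expose every system service to their hosts. The sample dump is constructed from the sections above with three such slips planted; the regexes only cover the statement forms used on this page.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in "show | display set" form, modelled on the listing above, with three
# slips planted: a vlan unit with no l3-interface, a mistyped guest prefix, a reused rule name.
SAMPLE = """\
set system services ftp
set interfaces vlan unit 4 family inet address 192.168.4.1/24
set interfaces vlan unit 5 family inet address 192.168.5.1/24
set interfaces vlan unit 6 family inet address 192.168.6.1/24
set interfaces vlan unit 1 family inet address 192.168.7.1/24
set vlans VOIP l3-interface vlan.4
set vlans GUEST_WIRELESS l3-interface vlan.7
set security nat source rule-set voip-to-untrust rule source-nat-rule1 match source-address 192.168.4.0/24
set security nat source rule-set trust-to-untrust rule source-nat-rule2 match source-address 192.168.5.0/24
set security nat source rule-set corp_wireless-to-untrust rule source-nat-rule3 match source-address 192.168.6.0/24
set security nat source rule-set guest_wireless-to-untrust rule source-nat-rule3 match source-address 181.168.7.0/24
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
"""

VLAN_RE = re.compile(r"^set interfaces vlan unit (\d+) family inet address (\S+)$")
L3_RE = re.compile(r"^set vlans \S+ l3-interface vlan\.(\d+)$")
NAT_RE = re.compile(r"^set security nat source rule-set (\S+) rule (\S+) match source-address (\S+)$")
ZONE_ALL_RE = re.compile(r"^set security zones security-zone (\S+) host-inbound-traffic system-services all$")

def audit(config: str) -> list:
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # Which vlan.N units carry an address, and which subnets therefore exist on the box.
    units = {m.group(1): ipaddress.ip_interface(m.group(2)).network
             for l in lines if (m := VLAN_RE.match(l))}
    findings, rule_names = [], Counter()
    for l in lines:
        if l == "set system services ftp":
            findings.append("cleartext FTP service enabled on the firewall")
        elif (m := L3_RE.match(l)) and m.group(1) not in units:
            findings.append(f"{l}: vlan.{m.group(1)} has no inet address")
        elif (m := NAT_RE.match(l)):
            rule_set, rule, prefix = m.groups()
            rule_names[rule] += 1
            if ipaddress.ip_network(prefix) not in units.values():
                findings.append(f"{rule_set}/{rule}: {prefix} matches no local VLAN subnet")
        elif (m := ZONE_ALL_RE.match(l)):
            findings.append(f"zone {m.group(1)}: every system service reachable (host-inbound-traffic all)")
    for rule, n in rule_names.items():
        if n > 1:
            findings.append(f"NAT rule name {rule} reused {n} times")
    return findings
```

Run it against the real dump with audit(open("config.set").read()) and review each finding by hand; a reused rule name or a stray prefix is a commit-time or silent-failure problem, the FTP and host-inbound-traffic findings are exposure to decide on per zone.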



Updated 12 Jul 2014. Created 02 Apr 2014


