配置juniper-SSG.docx

简述环境：1.双ISP，两个服务器6.6和6.8对外开放17991端口2.trust-vr和untrust-vr同在，zone untrust被修改到untrust-vr中3.6.6 VIP 180的地址，6.8 MIP 221的地址，应用源路由其实东西也不多，不过没配过的我开始真不知道如何配置juniper的地址转换set clock ntpset clock timezone 8set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00set vrouter trust-vr sharableset vrouter untrust-vrexitset vrouter trust-vrunset auto-route-exportexit-若防火墙里没有你所用的服务就自己加吧-set service 17991 protocol tcp src-port 0-65535 dst-port 17991-17991set service 3389 protocol tcp src-port 0-65535 dst-port 3389-3389set alg appleichat enableunset alg appleichat re-assembly enableset alg sctp enableset auth-server Local id 0set auth-server Local server-name Localset auth default auth server Localset auth radius accounting port 1646set admin name netscreenset admin password nJqNNxrLGyrLc0lEtsCBqfDtDMA/Pnset admin user hongyuan password nNnfG0rrJIWDcc8EysvMuSCt+LBiDn privilege all-如果要添加管理ip，别忘了添加内部网段地址，第一次我只加了远端的公网地址，导致内部要配置却进不去，只能console了。-set admin manager-ip 192.168.6.0 255.255.255.0set admin manager-ip 114.255.150.140 255.255.255.255set admin manager-ip 219.141.171.130 255.255.255.255set admin auth web timeout 10set admin auth server Localset admin format dosset zone Trust vrouter trust-vr-Untrust默认是在 trust-vr里的，我给改了-set zone Untrust vrouter untrust-vrset zone DMZ vrouter trust-vrset zone VLAN vrouter trust-vrset zone Untrust-Tun vrouter trust-vrset zone Trust tcp-rstset zone Untrust blockunset zone Untrust tcp-rstset zone MGT blockset zone DMZ tcp-rstset zone VLAN blockunset zone VLAN tcp-rstset zone Trust screen limit-session source-ip-basedset zone Trust screen limit-session destination-ip-basedset zone Untrust screen alarm-without-dropset zone Untrust screen on-tunnelset zone Untrust screen icmp-floodset zone Untrust screen udp-floodset zone Untrust screen winnukeset zone Untrust screen port-scanset zone Untrust screen ip-sweepset zone Untrust screen tear-dropset zone Untrust screen syn-floodset zone Untrust screen ip-spoofingset zone Untrust screen ping-deathset zone Untrust screen ip-filter-srcset zone Untrust screen landset zone Untrust screen syn-fragset zone Untrust screen tcp-no-flagset zone Untrust screen unknown-protocolset zone Untrust screen ip-bad-optionset zone Untrust screen ip-record-routeset zone Untrust screen ip-timestamp-optset zone Untrust screen ip-security-optset zone Untrust screen ip-loose-src-routeset zone Untrust screen ip-strict-src-routeset zone Untrust screen ip-stream-optset zone Untrust screen icmp-fragmentset zone Untrust screen icmp-largeset zone Untrust screen syn-finset zone Untrust screen fin-no-ackset zone Untrust screen limit-session source-ip-basedset zone Untrust screen syn-ack-ack-proxyset zone Untrust screen block-fragset zone Untrust screen limit-session destination-ip-basedset zone Untrust screen icmp-idset zone V1-Untrust screen tear-dropset zone V1-Untrust screen syn-floodset zone V1-Untrust screen ping-deathset zone V1-Untrust screen ip-filter-srcset zone V1-Untrust screen landset zone Untrust screen limit-session source-ip-based 512set zone Untrust screen limit-session destination-ip-based 512set interface ethernet0/0 zone Trustset interface ethernet0/1 zone V1-Trustset interface ethernet0/2 zone V1-Trustset interface ethernet0/8 zone Untrustset interface ethernet0/9 zone Untrust-两条互联网在一个区域set interface ethernet0/0 ip 192.168.6.2/24set interface ethernet0/0 nat-内网口启动NAT，去往untrust区或dmz区都 会触发nat，除非把防火墙配成透传模式unset interface vlan1 ipset interface ethernet0/8 ip 221.7.199.182/29set interface ethernet0/8 routeset interface ethernet0/9 ip 180.136.240.114/30set interface ethernet0/9 routeunset interface vlan1 bypass-others-ipsecunset interface vlan1 bypass-non-ipset interface ethernet0/9 manage-ip 180.136.240.113set interface ethernet0/0 ip manageableset interface ethernet0/8 ip manageableset interface ethernet0/9 ip manageableset interface ethernet0/8 manage pingset interface ethernet0/8 manage telnetset interface ethernet0/8 manage webset interface ethernet0/9 manage pingset interface ethernet0/9 manage telnetset interface ethernet0/9 manage web-server auto detection开启，防火墙会自动ping这台内部地址，如果无法通信，status就是down-set interface ethernet0/9 vip interface-ip 3389 3389 192.168.6.6set interface ethernet0/9 vip interface-ip 17991 17991 192.168.6.6set interface ethernet0/8 vip interface-ip 3389 3389 192.168.6.21-看，是这里-若你有同网段多个ip地址可以用mip，注意我把它放在untrust-vr了-set interface ethernet0/8 mip 221.7.199.179 host 192.168.6.8 netmask 255.255.255.255 vr untrust-vrunset flow no-tcp-seq-checkset flow tcp-syn-checkunset flow tcp-syn-bit-checkset flow reverse-route clear-text preferset flow reverse-route tunnel alwaysset pki authority default scep mode autoset pki x509 default cert-path partialset address Trust 221.7.199.180/32 221.7.199.180 255.255.255.255set ike respond-bad-spi 1set ike ikev2 ike-sa-soft-lifetime 60unset ike ikeid-enumerationunset ike dos-protectionunset ipsec access-session enableset ipsec access-session maximum 5000set ipsec access-session upper-threshold 0set ipsec access-session lower-threshold 0set ipsec access-session dead-p2-sa-timeout 0unset ipsec access-session log-errorunset ipsec access-session info-exch-connectedunset ipsec access-session use-error-logset vrouter untrust-vrexitset vrouter trust-vrexitset url protocol websenseexit-juniper也有隐藏deny any any 所以，从trust到untrust要配置permit any any-set policy id 1 name PERMIT_ANY from Trust to Untrust Any Any ANY permitset policy id 1exitset policy id 2 name PERMIT_PING from Untrust to Trust Any MIP(221.7.199.179) PING permitset policy id 2exitset policy id 4 name PERMIT_CT from Untrust to Trust Any VIP(ethernet0/9) 3389 permit logset policy id 4exitset policy id 5 name PERMIT_CNC from Untrust to Trust Any MIP(221.7.199.179) 3389 permit logset policy id 5exitset policy id 6 name test from Untrust to Trust Any VIP(ethernet0/8) 3389 permit logset policy id 6exitset policy id 7 name PERMIT_CT_17991 from Untrust to Trust Any VIP(ethernet0/9) 17991 permit logset policy id 7exitset policy id 8 name PERMIT_CNC_17991 from Untrust to Trust Any MIP(221.7.199.179) 17991 permit logset policy id 8exitset nsmgmt bulkcli reboot-timeout 60set ssh version v2set config lock timeout 5unset license-key auto-updateset ntp server 210.72.1