Juniper SRX Standard Configuration

Contents

Section 1 System configuration
  1.1 Device initialisation
    1.1.1 Login
    1.1.2 Set the root password
    1.1.3 Set a remote management user
  1.2 System management
    1.2.1 Select the time zone
    1.2.2 System time
    1.2.3 DNS server
    1.2.4 System reboot
    1.2.5 Alarm handling
    1.2.6 Root password reset
Section 2 Network settings
  2.1 Interface
    2.1.1 PPPoE
    2.1.2 Manual
    2.1.3 DHCP
  2.2 Routing
    Static route
  2.3 SNMP
Section 3 Advanced settings
  3.1.1 Change the management service ports
  3.1.2 Check the hardware serial number
  3.1.3 Enable services on the inside and outside interfaces
  3.1.4 Create a port service (custom application)
  3.1.5 VIP port mapping
  3.1.6 MIP mapping
  3.1.7 Disable the console port
  3.1.8 Pinging the Internet from the SRX with a source address fails by default; source NAT is needed
  3.1.9 Set the SRX management IP
  3.2.0 Configuration rollback
  3.2.1 Applying UTM
  3.2.2 Resolving slow network access
Section 4 VPN settings
  4.1 Site-to-site IPsec VPN
    4.1.1 Route based
    4.1.2 Policy based
  4.2 Remote VPN
    4.2.1 SRX-side configuration
    4.2.2 Client configuration

Section 1 System configuration

1.1 Device initialisation

1.1.1 Login

For the first login, connect to the SRX over the console port and log in as root; the password is empty.

login: root
Password:
--- JUNOS 9.5R1.8 built 2009-07-16 15:04:30 UTC
root% cli                         /* enter operational mode */
root>
root> configure
Entering configuration mode       /* enter configuration mode */
[edit]
root#

1.1.2 Set the root password

(The root password must be configured; until it is, no subsequent configuration or change can be committed.)

root# set system root-authentication plain-text-password
New password: root123
Retype new password: root123

The password is stored and displayed in encrypted form:

root# show system root-authentication
encrypted-password "$1$xavDeUe6$fNM6olGU.8.M7B62u05D6."; ## SECRET-DATA

Note: it is strongly recommended not to use the other encryption options (such as encrypted-password) for the root or any other user password. That parameter expects a string that has already been hashed with the encryption algorithm, and entering it by hand carries the risk that the password will never verify.

Note: the root account is only for local management of the SRX over the console; it cannot log in remotely. The root password must be set successfully before commit will accept any later configuration commands.

1.1.3 Set a remote management user

root# set system login user lab class super-user authentication plain-text-password
New password: juniper
Retype new password: srx123

Note: this juniper user has super-user rights and can be used both on the console and for remote management access; other users with different management rights can be defined as needed.

1.2 System management

1.2.1 Select the time zone

srx_admin# set system time-zone Asia/Shanghai   /* Asia/Shanghai */

1.2.2 System time

Set manually:

srx_admin> set date 201511201537.00
srx_admin> show system uptime
Current time: 2015-11-20 15:37:14 UTC
System booted: 2015-11-20 15:21:48 UTC (2d 00:15 ago)
Protocols started: 2015-11-20 15:24:45 UTC (2d 00:12 ago)
Last configured: 2015-11-20 15:30:38 UTC (00:06:36 ago) by srx_admin
3:37PM up 2 days, 15 mins, 3 users, load averages: 0.07, 0.17, .2

One-off NTP synchronisation:

srx_admin> set date ntp 01
8 Feb 15:49:50 ntpdate[6616]: step time server 01 offset -28796.357071 sec

NTP server:

srx_admin# set system ntp server
srx_admin# set system ntp server ntp.api.bz   /* NTP server for the SRX; the device must be online and able to resolve the NTP host name, otherwise the command cannot be entered */

srx_admin> show ntp status
status=c011 sync_alarm, sync_unspec, 1 event, event_restart,
version=ntpd 4.2.0-a Fri Nov 20 15:44:16 UTC 2014 (1),
processor=octeon, system=JUNOS12.1X44-D35.5, leap=11, stratum=16,
precision=-17, rootdelay=0.000, rootdispersion=0.105, peer=0,
refid=INIT, reftime=00000000.00000000 Thu, Feb 7 2036 14:28:16.000,
poll=4, clock=d88195bc.562dc2db Sun, Feb 8 2015 7:58:52.336, state=0,
offset=0.000, frequency=0.000, jitter=0.008, stability=0.000

srx_admin> show ntp associations
     remote           refid      st t  when poll reach   delay   offset  jitter
==============================================================================
                      48          3 -    16   64     1   5.473   -0.953   0.008
                      .INIT.     16 -     -   64     0   0.000    0.000 4000.00

1.2.3 DNS server

srx_admin# set system name-server   /* DNS server for the SRX */

1.2.4 System reboot

Reboot the system:
srx_admin> request system reboot

Power off the system:
srx_admin> request system power-off

1.2.5 Alarm handling

View alarms:

root# run show system alarms
2 alarms currently active
Alarm time               Class  Description
2015-11-20 14:21:49 UTC  Minor  Autorecovery information needs to be saved
2015-11-20 14:21:49 UTC  Minor  Rescue configuration is not set

Clear alarm 1:

root> request system autorecovery state save
Saving config recovery information
Saving license recovery information
Saving BSD label recovery information

Clear alarm 2:

root> request system configuration rescue save

1.2.6 Root password reset

If the SRX root password has been lost and no other account with super-user rights exists, password recovery must be performed. The procedure interrupts normal operation of the device but does not lose the configuration. Steps:

1. Reboot the firewall. When the prompt below appears in the terminal (CRT), press the space bar to interrupt the normal boot, then enter single-user mode by typing boot -s:

Loading /boot/defaults/loader.conf
/kernel data=0xb15b3c+0x13464c syms=[0x4+0x8bb00+0x4+0xcac15]
Hit [Enter] to boot immediately, or space bar for command prompt.
loader>
loader> boot -s

2. Perform the password recovery: at the prompt below type recovery; the device then restarts automatically.

Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery
* FILE SYSTEM WAS MODIFIED *
System watchdog timer disabled
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery

3. Enter configuration mode, delete the root password, set a new one, then save and reboot:

root> configure
Entering configuration mode
[edit]
root# delete system root-authentication
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit
commit complete
[edit]
root# exit
Exiting configuration mode
root> request system reboot
Reboot the system ? [yes,no] (no) yes

Section 2 Network settings

2.1 Interface

2.1.1 PPPoE

Encapsulate PPP on the outside interface (fe-0/0/0):
srx_admin# set interfaces fe-0/0/0 unit 0 encapsulation ppp-over-ether

CHAP authentication:
srx_admin# set interfaces pp0 unit 0 ppp-options chap default-chap-secret 1234567890   /* PPPoE password */
srx_admin# set interfaces pp0 unit 0 ppp-options chap local-name rxgjhygs163   /* PPPoE account */
srx_admin# set interfaces pp0 unit 0 ppp-options chap passive   /* passive mode */

PAP authentication:
srx_admin# set interfaces pp0 unit 0 ppp-options pap default-password 1234567890   /* PPPoE password */
srx_admin# set interfaces pp0 unit 0 ppp-options pap local-name rxgjhygs163   /* PPPoE account */
srx_admin# set interfaces pp0 unit 0 ppp-options pap local-password 1234567890   /* PPPoE password */
srx_admin# set interfaces pp0 unit 0 ppp-options pap passive   /* passive mode */

Bind the PPP interface:
srx_admin# set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/0.0   /* dial PPPoE on the outside interface (fe-0/0/0) */

PPPoE dial-up attributes:
srx_admin# set interfaces pp0 unit 0 pppoe-options idle-timeout 0   /* idle timeout */
srx_admin# set interfaces pp0 unit 0 pppoe-options auto-reconnect 3   /* redial automatically after 3 seconds */
srx_admin# set interfaces pp0 unit 0 pppoe-options client   /* act as a PPPoE client */
srx_admin# set interfaces pp0 unit 0 family inet mtu 1492   /* set the MTU of this interface to 1492, since the PPPoE header adds a little overhead */
srx_admin# set interfaces pp0 unit 0 family inet negotiate-address   /* negotiate the address automatically, i.e. the server assigns a dynamic address */

Default route:
srx_admin# set routing-options static route 0.0.0.0/0 next-hop pp0.0

Put the PPPoE interface into the untrust zone:
srx_admin# set security zones security-zone untrust interfaces pp0.0

Verify that PPPoE has dialled up and obtained an IP address:
srx_admin# run show interfaces terse | match pp
pp0     up  up
pp0.0   up  up  inet  -
ppd0    up  up
ppe0    up  up

Note: once the PPPoE session is up, the MTU needs tuning for the best browsing experience (an unsuitable MTU makes browsing sluggish):
srx_admin# set interfaces pp0 unit 0 family inet mtu 1304   /* adjust the MTU */
srx_admin# set security flow tcp-mss all-tcp mss 1304   /* adjust the TCP segment size */

2.1.2 Manual

srx_admin# set interfaces fe-0/0/0 unit 0 family inet address 38/29

2.1.3 DHCP

Enable the DHCP address pool:
srx_admin# set system services dhcp pool /24 router   /* DHCP gateway */
srx_admin# set system services dhcp pool /24 address-range low   /* first address of the pool */
srx_admin# set system services dhcp pool /24 address-range high 54   /* last address of the pool */
srx_admin# set system services dhcp pool /24 default-lease-time 36000   /* lease time */
srx_admin# set system services dhcp pool /24 domain-name   /* DHCP domain name */
srx_admin# set system services dhcp pool /24 name-server 33   /* DNS handed out by DHCP */
srx_admin# set system services dhcp pool /24 name-server
srx_admin# set system services dhcp propagate-settings vlan.0   /* DHCP distribution interface */

Configure the inside interface address:
srx_admin# set interfaces vlan unit 0 family inet address /24

Let the inside interface serve the DHCP pool:
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services dhcp

2.2 Routing

Static route:
srx_admin# set routing-options static route 0.0.0.0/0 next-hop 53   /* default route */
srx_admin# set routing-options static route /24 next-hop st0.0   /* route for the route-based VPN */

2.3 SNMP

srx_admin# set snmp community Ajitec authorization read-only   /* SNMP monitoring permission: read-only or read-write */
srx_admin# set snmp client-list snmp_srx240 9/32   /* SNMP monitoring host */

Section 3 Advanced settings

3.1.1 Change the management service ports

srx_admin# set system services web-management http port 8000   /* change the HTTP port of web management */
srx_admin# set system services web-management https port 1443   /* change the HTTPS port of web management */

3.1.2 Check the hardware serial number

srx# run show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number  Description
Chassis                                BZ2615AF0491   SRX100H2
Routing Engine   REV 05   650-048781   BZ2615AF0491   RE-SRX100H2
FPC 0                                                 FPC
PIC 0                                                 8x FE Base PIC
Power Supply 0

3.1.3 Enable services on the inside and outside interfaces

Define the system services:
srx_admin# set system services ssh
srx_admin# set system services telnet
srx_admin# set system services web-management http interface vlan.0
srx_admin# set system services web-management http interface fe-0/0/0.0
srx_admin# set system services web-management https interface vlan.0
srx_admin# set system services web-management management-url admin   /* afterwards the management page is reached at https://ip/admin; without this the URL redirects straight to it */

Enable services on the inside interface:
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ping   /* enable ping */
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services http   /* enable http */
srx_admin# set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services telnet   /* enable telnet */

Enable services on the outside interface:
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping   /* enable ping */
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services telnet   /* enable telnet */
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services http   /* enable http */
srx_admin# set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all   /* enable all services */

3.1.4 Create a port service (custom application)

srx_admin# set applications application RDP term tcp protocol tcp   /* protocol: tcp */
srx_admin# set applications application RDP term tcp source-port 0-65535   /* source port */
srx_admin# set applications application RDP term tcp destination-port 3389   /* destination port */
srx_admin# set applications application RDP term udp protocol udp   /* protocol: udp; a second protocol must go in its own term, otherwise it replaces the tcp one */
srx_admin# set applications application RDP term udp source-port 0-65535   /* source port */
srx_admin# set applications application RDP term udp destination-port 3389   /* destination port */

3.1.5 VIP port mapping

Destination NAT configuration:
srx_admin# set security nat destination pool 22 address 0/32   /* destination NAT pool: the real inside address */
srx_admin# set security nat destination pool 22 address port 3389   /* destination NAT pool: the port on the inside host */
srx_admin# set security nat destination rule-set 2 from zone untrust   /* destination NAT rule: traffic arrives from the untrust zone */
srx_admin# set security nat destination rule-set 2 rule 111 match source-address 0.0.0.0/0   /* destination NAT rule: any source address */
srx_admin# set security nat destination rule-set 2 rule 111 match destination-address 54/32   /* destination NAT rule: the public address being accessed */
srx_admin# set security nat destination rule-set 2 rule 111 match destination-port 3389   /* destination NAT rule: the port being accessed */
srx_admin# set security nat destination rule-set 2 rule 111 then destination-nat pool 22   /* destination NAT rule: apply the pool */

Policy configuration:
srx_admin# set security policies from-zone untrust to-zone trust policy vip match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy vip match destination-address H0/32
srx_admin# set security policies from-zone untrust to-zone trust policy vip match application any
srx_admin# set security policies from-zone untrust to-zone trust policy vip then permit
srx_admin# set security zones security-zone trust address-book address H0/32 0/32

3.1.6 MIP mapping

Destination NAT configuration:
srx_admin# set security nat destination pool 111 address /32   /* destination NAT pool: the real inside address */
srx_admin# set security nat destination rule-set 1 from zone untrust   /* destination NAT rule: traffic arrives from the untrust zone */
srx_admin# set security nat destination rule-set 1 rule 111 match source-address 0.0.0.0/0   /* destination NAT rule: any source address */
srx_admin# set security nat destination rule-set 1 rule 111 match destination-address 57/32   /* destination NAT rule: the public address being accessed */
srx_admin# set security nat destination rule-set 1 rule 111 then destination-nat pool 111   /* destination NAT rule: apply the pool */

Configure proxy ARP:
srx_admin# set security nat proxy-arp interface fe-0/0/0.0 address 57/32

Policy configuration:
srx_admin# set security policies from-zone untrust to-zone trust policy mip match source-address any
srx_admin# set security policies from-zone untrust to-zone trust policy mip match destination-address H0/32
srx_admin# set security policies from-zone untrust to-zone trust policy mip match application any
srx_admin# set security policies from-zone untrust to-zone trust policy mip then permit

3.1.7 Disable the console port

juniper-srxSRX100H2# edit system ports console   /* enter the console port stanza */
juniper-srxSRX100H2# set disable   /* disable the port */
juniper-srxSRX100H2# commit confirmed 3   /* commit for 3 minutes; unless confirmed, the change is rolled back after 3 minutes */

3.1.8 Pinging the Internet from the SRX with a source address fails by default; source NAT is needed

set security nat source rule-set LOCAL from zone junos-host
set security nat source rule-set LOCAL to zone untrust
set security nat source rule-set LOCAL rule LOCAL match source-address /32
set security nat source rule-set LOCAL rule LOCAL match destination-address 0.0.0.0/0
set security nat source rule-set LOCAL rule LOCAL then source-nat interface
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface

3.1.9 Set the SRX management IP

Services enabled on the firewall's outside interface, for reference:
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh

Define a firewall filter that restricts the addresses and ports allowed to connect:
set firewall filter Outside_access_in term Permit_IP from source-address 58/32
set firewall filter Outside_access_in term Permit_IP from destination-address 14/32
set firewall filter Outside_access_in term Permit_IP from protocol tcp
set firewall filter Outside_access_in term Permit_IP from destination-port ssh
set firewall filter Outside_access_in term Permit_IP then accept   /* the permitted source address and port */
set firewall filter Outside_access_in term Deny_ANY from destination-address 14/32
set firewall filter Outside_access_in term Deny_ANY from protocol tcp
set firewall filter Outside_access_in term Deny_ANY from destination-port ssh
set firewall filter Outside_access_in term Deny_ANY then discard   /* SSH from every other source is dropped */
set firewall filter Outside_access_in term Permit_ANY then accept   /* all other traffic is accepted */

Apply the filter on the firewall's outside interface to enforce the restriction:
set interfaces fe-0/0/0 unit 0 family inet filter input Outside_access_in

Note: when configuring the deny term, make sure other traffic is permitted after the denied port; a Junos filter ends with an implicit discard, so without that final accept the deny effectively rejects all traffic. Do not write the deny term to match all either, or all traffic will be rejected.

3.2.0 Configuration rollback

View the committed configurations:
srx_admin# run show system commit
0   2016-05-04 11:47:46 UTC by root via junoscript
1   2016-05-04 11:40:11 UTC by root via cli
2   2016-05-04 11:38:36 UTC by root via cli
3   2016-04-27 11:41:07 UTC by root via cli
4   2016-04-01 17:37:22 UTC by root via button

Roll back the configuration ("rollback 0"):
srx_admin# rollback ?
Possible completions:
  <[Enter]>            Execute this command
  0                    2016-05-04 11:47:46 UTC by root via junoscript
  1                    2016-05-04 11:40:11 UTC by root via cli
  2                    2016-05-04 11:38:36 UTC by root via cli
  3                    2016-04-27 11:41:07 UTC by root via cli
  4                    2016-04-01 17:37:22 UTC by root via button
  |                    Pipe through a command

3.2.1 Applying UTM

Apply UTM in a policy:
srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
srx_admin# set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services utm-policy junos-av-policy

3.2.2 Resolving slow network access

srx_admin# set security flow syn-flood-protection-mode syn-cookie
srx_admin# set security flow tcp-mss all-tcp mss 1300
srx_admin# set security flow tcp-session rst-sequence-check
srx_admin# set security flow tcp-session strict-syn-check
srx_admin# set security flow tcp-session no-sequence-check

Section 4 VPN settings

4.1 Site-to-site IPsec VPN

4.1.1 Route based   /* standard or compatible mode */

Create the tunnel interface:
srx_admin# set interfaces st0 unit 0 family inet   /* create interface st0.0 */
srx_admin# set security zo
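The note in 3.1.9 about the deny term is easiest to see by simulating Junos first-match filter evaluation. The following is an added example, not code from the guide: it models the Outside_access_in terms with constructed stand-in addresses (MGMT_IP, ADMIN_IP) in place of the ones stripped from the page, and compares the filter with and without its trailing Permit_ANY term.

```python
# Added example (not part of the original guide): models how Junos evaluates a
# stateless firewall filter such as Outside_access_in in section 3.1.9. Terms are
# tried in order, the first term whose "from" conditions all hold decides the
# action, and a packet matching no term hits the implicit discard that ends every
# Junos filter. The IPs are constructed stand-ins for those stripped from the guide.
from ipaddress import ip_address, ip_network

MGMT_IP = "203.0.113.14"    # assumed: the SRX outside (management) address
ADMIN_IP = "198.51.100.58"  # assumed: the one workstation allowed to use SSH
SSH = 22                    # Junos "destination-port ssh" means TCP port 22

# Each term: (name, from-conditions, then-action). Conditions are ANDed.
OUTSIDE_ACCESS_IN = [
    ("Permit_IP", {"source-address": ADMIN_IP + "/32",
                   "destination-address": MGMT_IP + "/32",
                   "protocol": "tcp", "destination-port": SSH}, "accept"),
    ("Deny_ANY", {"destination-address": MGMT_IP + "/32",
                  "protocol": "tcp", "destination-port": SSH}, "discard"),
    ("Permit_ANY", {}, "accept"),   # the term the guide's note says must not be omitted
]
# The same filter with Permit_ANY forgotten, the mistake the note warns about.
WITHOUT_PERMIT_ANY = OUTSIDE_ACCESS_IN[:2]

def term_matches(conds, packet):
    """All from-conditions of a term must hold; an empty term matches everything."""
    for key, wanted in conds.items():
        if key.endswith("-address"):
            if ip_address(packet[key]) not in ip_network(wanted):
                return False
        elif packet[key] != wanted:
            return False
    return True

def evaluate(terms, packet):
    """Return (term name, action); ("implicit", "discard") if no term matched."""
    for name, conds, action in terms:
        if term_matches(conds, packet):
            return name, action
    return "implicit", "discard"

def packet(src, proto="tcp", dport=SSH):
    """Build a packet aimed at the SRX outside address."""
    return {"source-address": src, "destination-address": MGMT_IP,
            "protocol": proto, "destination-port": dport}

if __name__ == "__main__":
    for p in (packet(ADMIN_IP), packet("192.0.2.7"), packet("192.0.2.7", "udp", 500)):
        print(p["source-address"], p["protocol"], p["destination-port"],
              "with Permit_ANY:", evaluate(OUTSIDE_ACCESS_IN, p),
              "without:", evaluate(WITHOUT_PERMIT_ANY, p))
```

The third packet is an IKE datagram from a VPN peer: with Permit_ANY it is accepted, without it the implicit discard drops it even though ike is enabled as a host-inbound service.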
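Section 3.1.3 opens telnet, http and finally all system services on the untrust interface fe-0/0/0.0, which is the interface facing the Internet. The following added example (not from the guide) is a small audit that parses host-inbound-traffic set statements and reports such exposures; the sample configuration is constructed from the guide's own lines in 3.1.3 and 3.1.9.

```python
# Added example (not part of the original guide): audits the host-inbound-traffic
# statements from sections 3.1.3 and 3.1.9. A service opened on an untrust-zone
# interface is reachable from the Internet, so "all" and the cleartext management
# services telnet and http are reported there. The sample lines are constructed
# from the guide's own statements and keep the interface names it uses.
import re

SET_RE = re.compile(r"set security zones security-zone (\S+) interfaces (\S+) "
                    r"host-inbound-traffic system-services (\S+)$")
CLEARTEXT = {"telnet", "http"}   # credentials cross the wire unencrypted

SAMPLE_CONFIG = """
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services http
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh
"""

def parse_services(config_text):
    """Map (zone, interface) to the set of system-services enabled on it."""
    enabled = {}
    for line in config_text.splitlines():
        m = SET_RE.match(line.strip())
        if m:
            zone, ifl, service = m.groups()
            enabled.setdefault((zone, ifl), set()).add(service)
    return enabled

def audit(config_text, exposed_zones=("untrust",)):
    """Return (zone, interface, service, reason) for each risky statement."""
    findings = []
    for (zone, ifl), services in sorted(parse_services(config_text).items()):
        if zone not in exposed_zones:
            continue
        if "all" in services:
            findings.append((zone, ifl, "all",
                             "every system service answers on this interface, not only the listed ones"))
        for service in sorted(services & CLEARTEXT):
            findings.append((zone, ifl, service,
                             "cleartext management service on an Internet-facing interface"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding)
```

The guide's own remedy is the 3.1.9 pattern: enable only ike, ping and ssh on the outside interface and restrict ssh sources with the Outside_access_in filter; rerunning the audit on that configuration returns no findings.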