



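SRX basic configuration (Internet access, SNAT, policy)

Environment

The device's ge-0/0/0 port is the external (WAN) port, address 39/24, next-hop address 50.
The device's fe-0/0/2 port is the internal (LAN) port, address /24. The internal port serves as the gateway for the PCs and runs DHCP with the following parameters:
    Address range: 9-9
    Gateway:
    DNS: 0;
Configure source NAT, using the two addresses 9 and 0 as the translated (NAT) addresses.
Configure a policy that allows the internal network to reach the Internet.
Create the superuser wangjian with password wangjian1986.

Procedure

Connect a serial cable to the device's console port, with the parameters set as follows:

This device already has a configuration, so the configuration must be cleared first. After clearing it, you have to set the device's initial superuser (root) password directly and then commit; only then is the factory reset complete.

After logging in to the device, the following appears:

rootroot>
rootroot> configure
    Enter configuration mode.
Entering configuration mode
[edit]
rootroot# load factory-default
    Restore the factory-default configuration.
warning: activating factory configuration
[edit]
rootroot# set system root-authentication plain-text-password
    Set the superuser (root) password.
New password:
Retype new password:
[edit]
rootroot# commit
commit complete
[edit]

The factory reset is now complete. The next step is the actual configuration.

login: root
    Enter the default username root.
Password:
    Enter the password that was set before the device was reset.
--- JUNOS 10.4R9.2 built 2012-02-02 08:09:42 UTC
rootroot% cli
    Type cli to enter operational mode.
rootroot> configure
    Type configure to enter configuration mode. Operational mode is indicated by the ">" prompt symbol.
Entering configuration mode
[edit]
rootroot#
    Configuration mode is indicated by "#".
rootroot# set system login user wangjian class super-user authentication plain-text-password
    Create a superuser named "wangjian".
New password:
    Set the password for user "wangjian".
Retype new password:
    Enter the password again.
[edit]
rootroot# delete interfaces ge-0/0/0.0
[edit]
rootroot# delete interfaces fe-0/0/2 unit 0
    Delete the existing interface configuration. By default the interfaces are in Ethernet-switching mode; to use an interface as a layer-3 interface this attribute has to be deleted first. ".0" and "unit 0" mean the same thing.
[edit]
wangjian# set interfaces ge-0/0/0.0 family inet address 39/24
    Configure ge-0/0/0.0 as a layer-3 interface with address 39.
[edit]
wangjian# set interfaces fe-0/0/2.0 family inet address /24
    Configure fe-0/0/2.0 as a layer-3 interface with its address.
[edit]
wangjian# set routing-options static route /0 next-hop 50
    Set the default route.
[edit]
wangjian# set security zones security-zone untrust interfaces ge-0/0/0.0
    Assign ge-0/0/0.0 to the untrust security zone.
[edit]
wangjian# set security zones security-zone trust interfaces fe-0/0/2.0
    Assign fe-0/0/2.0 to the trust security zone.
[edit]
wangjian# delete security nat source rule-set trust-to-untrust
    Delete the source NAT rule that ships with the system.
[edit]
wangjian# set security nat source pool wangjian address 9 to 0
    Define the source NAT address pool.
[edit]
wangjian# set security nat source rule-set wangjiannat from zone trust
    Set the source zone for NAT.
[edit]
wangjian# set security nat source rule-set wangjiannat to zone untrust
    Set the destination zone for NAT.
[edit]
wangjian# set security nat source rule-set wangjiannat rule wangjiannat1 match source-address /0
    Set the source address that NAT applies to.
[edit]
wangjian# set security nat source rule-set wangjiannat rule wangjiannat1 then source-nat pool wangjian
    Bind the NAT rule to the address pool.
[edit]
wangjian# set security zones security-zone untrust interface ge-0/0/0.0 host-inbound-traffic system-services http
    Enable HTTP management on the interface.
[edit]
wangjian# set system services web-management http
    Turn on HTTP management globally.
[edit]
wangjian# delete security policies from-zone trust to-zone untrust policy trust-to-untrust
    Delete the policy that ships with the system.
[edit]
wangjian# set security policies from-zone trust to-zone untrust policy wangjian match source-address any
    Configure the policy's source address.
[edit]
wangjian# set security policies from-zone trust to-zone untrust policy wangjian match destination-address any
    Configure the policy's destination address.
[edit]
wangjian# set security policies from-zone trust to-zone untrust policy wangjian match application any
    Configure the policy's application.
[edit]
wangjian# set security policies from-zone trust to-zone untrust policy wangjian then permit
    Configure the policy's action.
[edit]
wangjian# set security policies from-zone trust to-zone untrust policy wangjian then log session-init
    Enable policy logging at session start.
[edit]
wangjian# set security policies from-zone trust to-zone untrust policy wangjian then log session-close
    Enable policy logging at session end.
[edit]
wangjian# delete system services dhcp
    Delete the system's default DHCP configuration.
[edit]
wangjian# set system services dhcp router
    DHCP parameter: default gateway.
[edit]
wangjian# set system services dhcp pool /24 address-range low 9
    DHCP parameter: first address of the pool.
[edit]
wangjian# set system services dhcp pool /24 address-range high 9
    DHCP parameter: last address of the pool.
[edit]
wangjian# set system services dhcp maximum-lease-time 4294967295
    DHCP parameter: lease time for assigned addresses.
[edit]
wangjian# set system services dhcp name-server 0
    DHCP parameter: DNS server.
[edit]
wangjian# set system services dhcp name-server
    DHCP parameter: DNS server.
[edit]
wangjian# set system services dhcp propagate-settings fe-0/0/2.0
    Set the port on which the DHCP settings are propagated.
[edit]
wangjian# delete interfaces fe-0/0/2.0
    Delete all attributes of interface fe-0/0/2.0.
[edit]
wangjian# set security zones security-zone trust interfaces fe-0/0/2.0 host-inbound-traffic system-services all
    Place interface fe-0/0/2.0 in the trust security zone.
[edit]
wangjian# set security nat proxy-arp interface ge-0/0/0 address 9 to 0
    Proxy ARP for the NAT pool addresses on the external interface.
[edit]
wangjian# delete interfaces vlan
    Delete the vlan interface.
[edit]
wangjian# delete interfaces fe-0/0/3
    Delete the physical interface attributes.
[edit]
wangjian# delete interfaces fe-0/0/4
[edit]
wangjian# delete interfaces fe-0/0/5
[edit]
wangjian# delete interfaces fe-0/0/6
[edit]
wangjian# delete interfaces fe-0/0/7
[edit]
wangjian# delete interfaces ge-0/0/1
[edit]
wangjian# delete vlans
    Delete the VLANs.
[edit]

That completes the configuration: DHCP hands out an address, and the external network can be pinged.

Additional show commands

wangjian# run show interfaces terse
    View the physical interface attributes.
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     39/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
sp-0/0/0.16383          up    up   inet     - 6 - 0/0 - 6 - 0/0
ge-0/0/1                up    down
fe-0/0/2                up    up
fe-0/0/2.0              up    up   inet     /24
fe-0/0/3                up    down
fe-0/0/4                up    down
fe-0/0/5                up    down
fe-0/0/6                up    down
fe-0/0/7                up    down
fxp2                    up    up
fxp2.0                  up    up   tnp      0x1
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     - 0/0
lo0.16385               up    up   inet     - 0/0 6 - 0/0 - 0/0 - 0/0 6 - 0/0
lo0.32768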
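
An added example, not part of the original document: a Python check that scans set-format Junos lines like those in this walkthrough and flags the statements that widen the device's exposure (HTTP management reachable from the untrust zone, cleartext web management, host-inbound "all", and a permit any/any/any policy). The function name audit and the finding codes are names invented for this example; the sample lines are copied from the steps above.

```python
import re

# Constructed sample: set-format lines copied from the walkthrough above.
SAMPLE = """\
set security zones security-zone untrust interface ge-0/0/0.0 host-inbound-traffic system-services http
set system services web-management http
set security zones security-zone trust interfaces fe-0/0/2.0 host-inbound-traffic system-services all
set security policies from-zone trust to-zone untrust policy wangjian match source-address any
set security policies from-zone trust to-zone untrust policy wangjian match destination-address any
set security policies from-zone trust to-zone untrust policy wangjian match application any
set security policies from-zone trust to-zone untrust policy wangjian then permit
"""

ZONE_SVC = re.compile(r"set security zones security-zone (\S+) interfaces? (\S+) "
                      r"host-inbound-traffic system-services (\S+)")
WEB_HTTP = re.compile(r"set system services web-management http(\s|$)")
POLICY = re.compile(r"set security policies from-zone (\S+) to-zone (\S+) "
                    r"policy (\S+) (?:match|then) (\S+)(?: (\S+))?")

def audit(config, external_zones=("untrust",)):
    """Return (code, detail) findings; the codes are labels made up for this example."""
    findings, policies = [], {}
    for line in map(str.strip, config.splitlines()):
        zone_m, pol_m = ZONE_SVC.match(line), POLICY.match(line)
        if zone_m:
            zone, ifname, svc = zone_m.groups()
            if zone in external_zones and svc in ("http", "telnet", "all", "any-service"):
                findings.append(("MGMT_ON_EXTERNAL", f"{svc} on {ifname} ({zone})"))
            elif svc in ("all", "any-service"):
                findings.append(("BROAD_HOST_INBOUND", f"{svc} on {ifname} ({zone})"))
        elif WEB_HTTP.match(line):  # plain http only; an https statement does not match
            findings.append(("CLEARTEXT_WEB_MGMT", line))
        elif pol_m:
            fz, tz, name, key, val = pol_m.groups()
            policies.setdefault((fz, tz, name), {})[key] = val
    # A policy is flagged only when all three match fields are "any" and it permits.
    for (fz, tz, name), p in policies.items():
        wide = all(p.get(k) == "any" for k in
                   ("source-address", "destination-address", "application"))
        if wide and "permit" in p:
            findings.append(("ANY_ANY_PERMIT", f"policy {name} {fz}->{tz}"))
    return findings

if __name__ == "__main__":
    for code, detail in audit(SAMPLE):
        print(code, detail)
```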




