Juniper NetScreen Configuration Manual

Transparent Mode

Configure the firewall in transparent mode:

1. Create a Layer-2 zone
   Syntax:  set zone name <name> L2 <vlan-id>
   Example: set zone name L2-Demo L2 1
2. Assign an interface to the security zone
   Syntax:  set interface <interface> zone <zone>
   Example: set interface e3 zone L2-Demo
3. a. Configure the IP address
   b. Choose the broadcast option
      set vlan1 broadcast <option>
   c. Configure the management options of the VLAN interface
      Syntax:  set interface vlan1 manage <service>
      Examples:
      set int vlan1 manage
      set int vlan1 manage web
      set int vlan1 manage ssl
      set int vlan1 manage nsmgmt
   d. Configure the management options for each zone
      Syntax:  set zone <zone> manage <service>
      Example: set zone v1-dmz manage web

Checking tools in transparent mode:
   Get interface
   Get ARP
   Get mac-learn
   Get session

Layer-3 (Route) Mode

Configure the firewall for Layer-3 operation:

1. Create a zone
   Syntax:  set zone name <name>
   Example: set zone name Private
2. Assign an interface to the zone
   Syntax:  set interface <interface> zone <zone>
   Example: set interface e8 zone untrust
3. Assign an IP address to the interface
   Syntax:  set interface <interface> ip <ip>/<mask>
   Example: set interface e8 ip /24
4. Configure a static route
   Syntax:  set route <ip>/<mask> interface <interface> gateway <ip>
   Example: set route /24 interface e1 gateway 54

Verify the route:
   Syntax:  get route ip <ip>
   Example:
   ns208-> get route ip
   Destination Routes for -trust-vr :
   = /24 (id=6) via 54 (vr: trust-vr) Interface ethernet1 , metric 1

Display the virtual routers:
   ns208-> get vrouter
   ID Name       Vsys Owner  Export Routes OSPF BGP RIP
   1  untrust-vr Root shared n/a    0/max*
   2  trust-vr   Root shared no     8/max
   total 2 vrouters shown and 0 of them defined by user
   * indicates default vrouter for the current vsys

Configure two virtual routers:

1. Assign the zone to a VR
   Syntax:  set zone <zone> vrouter <vrouter>
   Example: set zone Untrust vrouter untrust-vr
2. Assign interfaces to the zone
3. Assign IP addresses to the interfaces
4. Configure routing between the VRs
   Syntax:  set vrouter <vrouter> route <ip>/<mask> vrouter <vrouter>
   Example: set vrouter untrust-vr route /24 vrouter trust-vr

Configure the interface mode:
   Syntax:  set interface <interface> route | nat
   Example: set interface e1 nat

Policy Configuration and Advanced Options

Creating a policy:

1. Create the address book entries
2. Create the services
   View the predefined services: get service pre-defined
   Create a custom service:      set service <name>
3. Create the policy
   Syntax:  set policy from <zone> to <zone> <src> <dst> <service> permit | deny
   Example: set policy from private to public /32 any http permit
4. Reorder the policies
   Syntax:  set policy move <id> before | after <id>
   Example: set policy move id 5 before 4

Configuration options:

1. Create and view address groups
   Syntax:  set group address <zone> <group> add <address>
   Example:
   set group address Private Admins add Admin1
   set group address Private Admins add Admin2
   Syntax:  get group address <zone>
   Example:
   get group address Private
   Group Name Count Comment
   Admins     2
   Syntax:  get group address <zone> <group>
   Example:
   get group address Private Admins
   Group Name: AllowedServices Comment:
   Group Items: 5
   Members: FTP HTTP PING TELNET TFTP
2. Create and view service groups
   Syntax:  set group service <group> add <service>
   Syntax:  get group service
   Example:
   get group service
   Group Name      Count Comment
   AllowedServices 5
   Syntax:  get group service <group>
   Example:
   get group service AllowedServices
   Group Name: AllowedServices Comment:
   Group Items: 5
   Members: FTP HTTP PING TELNET TFTP
3. Create a multi-cell policy

Advanced options:

1. Configure traffic logging and verify the access log
   set policy (from zone to zone sa da service action) log
   or, inside the policy context: set policy log
   Example:
   ns5gt-> set policy id 1
   ns5gt(policy:1)-> set policy log
   Verify: get log traffic
2. Configure traffic counting and verify the counters
   set policy (from zone to zone sa da service action) count
   or, inside the policy context: set policy count
   set policy count alarm <threshold>
   Example:
   ns5gt-> set policy id 1
   ns5gt(policy:1)-> set policy count
   Verify: get counters policy <id>
3. Create a schedule and apply it to a policy
   Syntax:  set scheduler <name> recurrent <day> start <time> stop <time> start <time> stop <time>
   Example:
   set scheduler NoICQ recurrent mon start 7:00 stop 12:00 start 13:00 stop 18:00
   set scheduler NoICQ recurrent tues start 7:00 stop 12:00 start 13:00 stop 18:00
   (etc.)
   Syntax:  set scheduler <name> once start <date> stop <date>
   Example: set scheduler Y2K once start 01/01/2000 stop 01/02/2000
   Apply:   set policy (from zone to zone sa da service action) schedule <name>

Authentication Configuration

1. Create the user database
   set user <name> password <password>
2. Configure the authentication policy
   set policy (from zone to zone sa da service action) auth
   set policy (from zone to zone sa da service action) webauth
3. Configure the WebAuth address (WebAuth only)
   set interface <interface> webauth
   set interface <interface> webauth-ip <ip>
4. Confirm the authentication configuration
   ns5gt-> get user all
   Total users: 1
   Id User name Enable Type ID-type Identity Belongs to groups
   -  -         -      -    -       -        -
   1  JoeUser   Yes    auth
   ns5gt-> get auth table
   Total users in table: 1
   Successful: 1, Failed: 0
   Pending : 0, Others: 0
   Col T: Used: D = Default settings, W = WebAuth, A = Auth server in policy
   id src user group age status server T srczone dstzone
   1 3 JoeUser 5 Success Local W N/A N/A

Policy-Based NAT Configuration

NAT-src configuration procedure:

1. Create the DIP pool
   Port translation
   Syntax:  set interface <interface> dip <id> <start-ip> <end-ip>
   Example: set interface e8 dip 5 54
   Disable port translation
   Syntax:  set interface <interface> dip <id> <start-ip> <end-ip> fix-port
   Example: set interface e8 dip 5 54 fix-port
   Address shifting
   Syntax:  set interface <interface> dip <id> shift-from <ip>
   Example: set interface e8 dip 5 shift-from 0
2. Create the policy
   Syntax:  set policy from <zone> to <zone> <src> <dst> <service> nat src dip <id> permit
   Without DIP:
   ns208-> set policy from Private to External any any any nat src permit
   With DIP:
   ns208-> set policy from Private to External any any any nat src dip 5 permit

NAT-dst configuration procedure:

1. Configure the address book entry
   Syntax:  set address <zone> <name> <ip>/<mask>
   Example: set address Private MyPCPublic 0/32
2. Configure reachability
   A. Secondary address
      Syntax:  set interface <interface> ip <ip>/<mask> secondary
      Example: set interface e1 ip /24 secondary
   B. Static route
      Syntax:  set route <ip>/<mask> int <interface>
      Example: set route 0/32 int e1
3. Configure the policy
   One-to-one
   Syntax:  set policy from <zone> to <zone> <src> <dst> <service> nat dst ip <ip> permit
   Example: set policy from External to Private any MyPCPublic http nat dst ip permit
   Address shifting
   Syntax:  set policy from <zone> to <zone> <src> <dst> <service> nat dst ip <start-ip> <end-ip> permit
   Example: set policy from External to Private any PublicRange http nat dst ip 54 permit
   Port translation
   Syntax:  set policy from <zone> to <zone> <src> <dst> <service> nat dst ip <ip> port <port> permit
   Example: set policy from External to Private any MyPCPublic http nat dst ip port 8080 permit

MIP configuration procedure:

1. Define the MIP
   Syntax:  set int <interface> mip <ip> host <ip>
   Example: set int e8 mip 5 host
2. Configure the MIP policy
   set policy from <zone> to <zone> <src> MIP(<ip>) <service> permit

VIP configuration procedure:

1. Define the VIP
   Syntax:  set int <interface> vip <ip> <port> <service> <host-ip>
   Examples:
   set int e8 vip 00 23 telnet
   set int e8 vip 00 21 ftp
   set int e8 vip 00 80 http
2. Define the policy
   Syntax:  set policy from <zone> to <zone> <src> VIP(<ip>) <service> permit
   Example: set policy from untrust to private any VIP:4 any permit

VPN Configuration

Policy-based VPN:

1. Set the maximum TCP segment size
   set flow tcp-mss
2. Configure the IKE gateway
   set ike gateway <name> address <ip> preshare <key> sec-level standard | basic | compatible
3. Create the IKE VPN
   set vpn <name> gateway <gateway> sec-level standard | basic | compatible
4. Create the address objects
5. Configure the VPN policies
   Example:
   set ike gateway toCorporate address 50 preshare XXX sec-level standard
   set vpn CorporateVPN gateway toCorporate sec-level standard
   set address Trust HomeNet /32
   set address Untrust CorpNet /16
   set policy from Trust to Untrust HomeNet CorpNet any tunnel vpn CorporateVPN
   set policy from Untrust to Trust CorpNet HomeNet any tunnel vpn CorporateVPN

Verifying the VPN tunnel:

1. Generate traffic (ping, telnet, http, ftp, etc.)
   Example:
   ns208-> ping from trust
   Type escape sequence to abort
   Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds from ethernet8
   !
   Success Rate is 100 percent (5/5), round-trip time min/avg/max=40/40/41 ms
2. Check the Phase 1 gateway status
   Example:
   ns208-> get ike cookie
   Active: 1, Dead: 0, Total 1
   522f/3, 50-50: PRESHR/grp2/3DES/SHA, xchg(2) usr(d-1/u-1)
   resent-tmr 0 lifetime 28800 lt-recv 28800 nxt_rekey 25813 cert-expire 0
   initiator 1, in-out 1, err cnt 0, send dir 0, cond 0
   nat-traversal map not available
   ike heartbeat : disabled
   ike heartbeat last rcv time: 0
   ike heartbeat last snd time: 0
   XAUTH status: 0
3. Check that the Phase 2 SA is active
   Example:
   ns208-> get sa active
   Total active sa: 1
   HEX ID   Gateway Port Algorithm     SPI      Life:sec kb    Sta PID vsys
   00000001 50      500  esp:3des/sha1 cb0bed95 3563     unlim A/- 2   0

Troubleshooting:

1. Phase 1: unrecognized gateway
   Initiator:
   ns208-> get event
   Date Time Module Level Type Description
   2003-04-30 01:53:17 system info 00536 IKE Phase 1: Initiated negotiations in main mode.
   Responder:
   ns208-> get event
   Date Time Module Level Type Description
   2003-04-30 01:53:24 system info 00536 IKE Phase 1: Rejected an initial Phase 1 packet from an unrecognized peer gateway.

   Phase 1: proposal mismatch
   Initiator:
   ns208-> get event
   Date Time Module Level Type Description
   2003-04-30 01:58:00 system info 00536 IKE Phase 1: Retransmission limit has been reached.
   2003-04-30 01:56:57 system info 00536 IKE Phase 1: Initiated negotiations in main mode.
   Responder:
   ns208-> get event
   Date Time Module Level Type Description
   2003-04-30 01:57:10 system info 00536 IKE Phase 1: Rejected proposals from peer. Negotiations failed.
   2003-04-30 01:57:10 system info 00536 IKE Phase 1: Responder starts MAIN mode negotiations.
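The IKE failure messages that the manual's troubleshooting cases walk through (unrecognized peer, Phase 1 and Phase 2 proposal mismatch, proxy-ID mismatch) can be triaged from a `get event` dump automatically. The following Python script is an added example, not part of the manual: it parses constructed event lines modelled on the ones shown here and maps each failure message to the cause the manual associates with it; the proxy-ID addresses in the sample are invented.

```python
import re
from collections import Counter

# Constructed ScreenOS "get event" lines modelled on the manual; proxy-ID addresses are invented.
SAMPLE_EVENTS = """\
2003-04-30 01:53:17 system info 00536 IKE Phase 1: Initiated negotiations in main mode.
2003-04-30 01:53:24 system info 00536 IKE Phase 1: Rejected an initial Phase 1 packet from an unrecognized peer gateway.
2003-04-30 01:57:10 system info 00536 IKE Phase 1: Rejected proposals from peer. Negotiations failed.
2003-04-30 01:58:00 system info 00536 IKE Phase 1: Retransmission limit has been reached.
2003-04-30 01:51:01 system info 00536 IKE Phase 2: Rejected proposals from peer. Negotiations failed.
2003-04-30 02:05:10 system info 00536 IKE Phase 2: No policy exists for the proxy ID received: local ID (192.168.10.0/255.255.255.0, 0, 0) remote ID (10.0.0.0/255.255.255.0, 0, 0)
"""
# Columns of a get event line: Date Time Module Level Type Description
EVENT_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<module>\S+) (?P<level>\S+) (?P<type>\d+) (?P<desc>.*)$")
PROXY_RE = re.compile(r"local ID \((?P<local>[^,]+),.*?\) remote ID \((?P<remote>[^,]+),")

# Message fragment -> (diagnosis, what to check), following the manual's troubleshooting cases
RULES = [
    ("unrecognized peer gateway", ("phase1-unknown-peer", "peer address not defined in any 'set ike gateway ... address' entry")),
    ("Phase 1: Rejected proposals", ("phase1-proposal-mismatch", "gateway sec-level / proposals differ between the two sides")),
    ("Phase 1: Retransmission limit", ("phase1-no-response", "responder never accepted; read the responder's event log")),
    ("Phase 2: Rejected proposals", ("phase2-proposal-mismatch", "VPN sec-level differs between the two 'set vpn' definitions")),
    ("No policy exists for the proxy ID", ("phase2-proxy-id-mismatch", "tunnel policy address objects are not mirror images")),
]

def parse_event(line):
    # Returns the columns of one event line, or None for headers and other non-event text
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(desc):
    # Returns (diagnosis, hint, detail) for a failure message, or None for a benign one
    for needle, (diag, hint) in RULES:
        if needle in desc:
            detail = None
            if diag == "phase2-proxy-id-mismatch":
                pm = PROXY_RE.search(desc)
                if pm:  # the peer's view of the proxy IDs, to compare with the local 'get policy id'
                    detail = {"local": pm["local"], "remote": pm["remote"]}
            return diag, hint, detail
    return None

def diagnose(log_text):
    # Classifies every IKE event in a get event dump: returns (findings, count per diagnosis)
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev["desc"].startswith("IKE"):
            c = classify(ev["desc"])
            if c:
                findings.append((ev["time"], *c))
    return findings, Counter(f[1] for f in findings)
```

Feed `diagnose` the text of a real `get event` dump and compare the `detail` of a proxy-ID finding against the `proxy id:` line of your own `get policy id` output.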
2. Phase 2: proposal mismatch
   Initiator:
   ns208-> get event
   Total event entries = 72
   Date Time Module Level Type Description
   2003-04-30 01:53:09 system info 00536 IKE Received notify message for DOI .
   Responder:
   ns208-> get event
   Date Time Module Level Type Description
   2003-04-30 01:51:01 system info 00536 IKE Phase 2 msg-id : Negotiations have failed.
   2003-04-30 01:51:01 system info 00536 IKE Phase 2: Rejected proposals from peer. Negotiations failed.

   Phase 2: proxy ID mismatch
   Initiator:
   ns208-> get event
   Date Time Module Level Type Description
   2003-04-30 02:05:59 system info 00536 IKE Phase 2: Initiated negotiation.
   2003-04-30 02:05:59 system info 00536 IKE Phase 1: Completed Main mode negotiations with a -second lifetime.
   The remote proxy ID:
   ns208-> get event
   Date Time Module Level Type Description
   2003-04-30 02:05:10 system info 00536 IKE Phase 2: No policy exists for the proxy ID received: local ID (/, ,) remote ID (/ ,)
   The local proxy ID:
   ns5gt-> get policy id 3
   name:none (id 3), zone Untrust - Trust,action Tunnel, status enabled, pairpolicy 2
   src CorpNet, dst HomeNet, serv ANY
   proxy id: local /55, remote /, proto 0, port 0
   No Authentication
   No User, User Group or Group expression set
   Resolving the mismatch:
   ns5gt-> unset policy id 2
   ns5gt-> unset policy id 3
   ns5gt-> unset address untrust CorpNet
   ns5gt-> unset address trust HomeNet
   ns5gt-> set address untrust CorpNet /24
   ns5gt-> set address trust HomeNet /24
   ns5gt-> set policy from trust to untrust HomeNet CorpNet any tunnel MyVPN
   policy id = 2
   ns5gt-> set policy from untrust to trust CorpNet HomeNet any tunnel MyVPN
   policy id = 3
   ns5gt-> get policy id 3
   name:none (id 3), zone Untrust - Trust,action Tunnel, status enabled, pairpolicy 2
   src CorpNet, dst HomeNet, serv ANY
   proxy id: local /, remote /, proto 0, port 0

Route-based VPN:

   Syntax: set vpn <name> bind interface <tunnel-interface>
   Example:
   ns5xt-> set interface tunnel.1 zone trust
   ns5xt-> set interface tunnel.1 ip unnumbered
   ns5xt-> set ike gateway toCorporate address 50 preshare XXX sec-level standard
   ns5xt-> set vpn CorporateVPN gateway toCorporate sec-level standard
   ns5xt-> set vpn CorporateVPN bind interface tunnel.1
   ns5xt-> set route /8 int tunnel.1

Verifying the configuration:

1. Generate traffic (ping, telnet, http, ftp, etc.)
   Example:
   ns208-> ping from e8
   Type escape sequence to abort
   Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds from ethernet8
   !
   Success Rate is 100 percent (5/5), round-trip time min/avg/max=40/40/41 ms
2. View the tunnel interface
   Syntax:  get route ip <ip>
   Example:
   ns208-> get route ip
   Destination Routes for -trust-vr :
   = /24 (id=6) via (vr: trust-vr) Interface tunnel.1 , metric 1
3. Check the Phase 1 gateway status
   Example:
   ns208-> get ike cookie
   Active: 1, Dead: 0, Total 1
   522f/3, 50-50: PRESHR/grp2/3DES/SHA, xchg(2) usr(d-1/u-1)
   resent-tmr 0 lifetime 28800 lt-recv 28800 nxt_rekey 25813 cert-expire 0
   initiator 1, in-out 1, err cnt 0, send dir 0, cond 0
   nat-traversal map not available
   ike heartbeat : disabled
   ike heartbeat last rcv time: 0
   ike heartbeat last snd time: 0
   XAUTH status: 0
4. Check that the Phase 2 SA is active
   Example:
   ns208-> get sa active
   Total active sa: 1
   HEX ID   Gateway Port Algorithm     SPI      Life:sec kb    Sta PID vsys
   00000001 50      500  esp:3des/sha1 cb0bed95 3563     unlim A/- 2   0

Troubleshooting: the method is the same as for a policy-based VPN.

Active/Passive

1. Interfaces
   set interface ethernet7 zone ha
   set interface ethernet8 zone ha
   set interface ethernet1 zone u
