Configuring a Juniper SSG140 for the first time
(2010-04-27 10:10:43)
1. Environment overview:
1. Dual ISP; two servers, 6.6 and 6.8, expose port 17991 to the outside.
2. trust-vr and untrust-vr coexist; zone Untrust has been moved into untrust-vr.
3. 6.6 uses a VIP on the .180 address, 6.8 uses a MIP on the .221 address, with source-based routing applied.
There really isn't much to it, but never having configured one before, I honestly didn't know how to set up address translation on a Juniper.
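The VIP/MIP split described above, written out as an added example in ScreenOS CLI syntax. This is not the post's own configuration (the post's NAT commands are not reproduced here): the interface names ethernet0/0, ethernet0/1 and ethernet0/2, the ISP gateway addresses, the public addresses 203.0.113.180 and 198.51.100.221 and the internal hosts 192.168.6.6 and 192.168.6.8 are all assumed placeholders, and the inter-vrouter route layout is an assumption that matches the "Untrust in untrust-vr" design only in outline. Lines beginning with `#` are explanation, not commands.

```screenos
# Added example, not from the original post. All interface names, public
# addresses (203.0.113.x, 198.51.100.x) and internal hosts (192.168.6.6,
# 192.168.6.8) are assumed placeholders.

# Two ISP-facing interfaces in zone Untrust (which lives in untrust-vr here),
# one inside interface in zone Trust (trust-vr).
set interface ethernet0/0 zone "Untrust"
set interface ethernet0/0 ip 203.0.113.2/24
set interface ethernet0/1 zone "Untrust"
set interface ethernet0/1 ip 198.51.100.2/24
set interface ethernet0/2 zone "Trust"
set interface ethernet0/2 ip 192.168.6.1/24

# 6.6 via VIP: only TCP 17991 on the .180 address is forwarded to the host;
# any other port on that public address is not exposed.
set interface ethernet0/0 vip 203.0.113.180 17991 "17991" 192.168.6.6

# 6.8 via MIP: a one-to-one mapping of the .221 address to the host, so the
# policy below, not the MIP itself, is what limits reachable ports.
set interface ethernet0/1 mip 198.51.100.221 host 192.168.6.8 netmask 255.255.255.255 vrouter "trust-vr"

# Inbound policies: permit only the custom "17991" service, logged.
set policy id 10 from "Untrust" to "Trust" "Any" "VIP(203.0.113.180)" "17991" permit log
set policy id 11 from "Untrust" to "Trust" "Any" "MIP(198.51.100.221)" "17991" permit log

# Inter-vrouter routes (assumed layout): trust-vr defaults into untrust-vr,
# untrust-vr knows the inside subnet lives in trust-vr.
set vrouter "trust-vr" route 0.0.0.0/0 vrouter "untrust-vr"
set vrouter "untrust-vr" route 192.168.6.0/24 vrouter "trust-vr"

# Source-based routing in untrust-vr so each server's outbound/return traffic
# leaves via the ISP whose public address it is published on.
set vrouter "untrust-vr"
set source-routing enable
set route source 192.168.6.6/32 interface ethernet0/0 gateway 203.0.113.1
set route source 192.168.6.8/32 interface ethernet0/1 gateway 198.51.100.1
exit
```

The two styles differ in exposure: a VIP publishes exactly the port/service pairs you list, while a MIP maps the whole address, so with a MIP the policy is the only thing between the internet and every listening port on the host. After committing, `get vip`, `get mip`, `get policy` and `get route source` on the vrouter are the usual checks that the mappings and source routes took effect.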
set clock ntp
set clock timezone 8
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
------------------------------------------------------------------------------
If the firewall doesn't already have the service you need, add it yourself
-------------------------------------------------------------------------------------------------
set service "17991" protocol tcp src-port 0-65535 dst-port 17991-17991
set service "3389" protocol tcp src-port 0-65535 dst-port 3389-3389
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nJqNNxrLGyrLc0lEtsCBqfDtDMA/Pn"
set admin user "hongyuan" password "nNnfG0rrJIWDcc8EysvMuSCt+LBiDn" privilege "all"
-----------------------------------------------------------------------------------------
If you add management IPs, don't forget to add the internal subnet as well. The first time I added only the remote public address, so I couldn't get in from inside to configure it and was left with the console.
--------------------------------------------------------------------------------------------------
set admin manager-ip 192.168.6.0 255.255.255.0
set admin manager-ip 114.255.150.140 255.255.255.255
set admin manager-ip 219.141.171.130 255.255.255.255
set admin auth web timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
-------------------------------------------------------------------------------------------------
"Untrust" is in "trust-vr" by default; I changed it
--------------------------------------------------------------------------------------------------
set zone "Untrust" vrouter "untrust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Trust" screen limit-session source-ip-based
set zone "Trust" screen limit-session destination-ip-based
set zone "Untrust" screen alarm-without-drop
set zone "Untrust" screen on-tunnel
set zone "Untrust" screen icmp-flood
set zone "Untrust" screen udp-flood