juniper srx防火墙-nat实际现网配置实例

Junipersrx550建⽴NAT端⼝映射⼀、Juniper srx 550建⽴NAT端⼝映射公司Juniper srx 550路由器，因为很少去设置，所以怕到时设置时步骤⼜给忘记了，这⾥做个备注，以便⽇后查NAT配置界⾯介绍：Rule Name：对该NAT的命名（不影响配置）；Source Address：对源地址的限制（可以不填，若要限制可以在Policy处设置）。

Deatination Address & Port：外⽹地址，对应的外⽹地址端⼝。

Actions：设置NAT的⾏为；⼆、配置⽅式1、配置NAT①、配置NAT内部终端映射端⼝。

选择NAT-----Deastination NAT-----Deastination NAT Pool-----add设置Pool的名字，以及内部终端IP，需要放出去的端⼝。

返回Destination Rule Set，配置NAT映射。

在r1规则中建⽴NAT映射，选择右下⾓的Add①输⼊Rule Name（不影响配置）；②对应的外⽹地址，已经映射的外⽹端⼝。

③在右⽅选择Do Destination NAT With Pool，并选择之前建⽴的Deastination NAT Pool这⾥注意下，有可能在保存的时候要求填source address，可先将0.0.0.0 :32 添加进去，保存成功后在删除⼆、以上为⽌NAT已经配好，但是还需要配置Policy,才能让外⾯的终端访问成功。

①、添加地址本，路径选择Security----Policy Elements----Address Book------点击右上⾓的Add分别填写，内⽹终端的相关信息，所在的防⽕墙Zone，地址名称（不影响配置），内⽹终端的IP地址。

②、添加服务端⼝路径选择：Security----Policy Elements----Applications------点击右上⾓的Add填写服务名称（不影响设置），使⽤协议，已经对应的端⼝。

前言、版本说明 (3)一、界面菜单管理 (5)2、WEB管理界面 (6)（1）Web管理界面需要浏览器支持Flash控件。

(6)（2）输入用户名密码登陆： (7)（3）仪表盘首页 (7)3、菜单目录 (10)二、接口配置 (16)1、接口静态IP (16)2、PPPoE (17)3、DHCP (18)三、路由配置 (20)1、静态路由 (20)2、动态路由 (21)四、区域设置Zone (23)五、策略配置 (25)1、策略元素定义 (25)2、防火墙策略配置 (29)3、安全防护策略 (31)六、地址转换 (32)1、源地址转换-建立地址池 (33)2、源地址转换规则设置 (35)七、VPN配置 (37)1、建立第一阶段加密建议IKE Proposal (Phase 1) (或者用默认提议) (38)2、建立第一阶段IKE策略 (39)3、建立第一阶段IKE Gateway (40)4、建立第二阶段加密提议IKE Proposal (Phase 2) (或者用默认提议) (41)5、建立第一阶段IKE策略 (42)6、建立VPN策略 (43)八、Screen防攻击 (46)九、双机 (48)十、故障诊断 (49)前言、版本说明产品：Juniper SRX240 SH版本：JUNOS Software Release [9.6R1.13]注：测试推荐使用此版本。

此版本对浏览速度、保存速度提高了一些，并且CPU占用率明显下降很多。

9.5R2.7版本（CPU持续保持在60%以上，甚至90%）9.6R1.13版本（对菜单操作或者保存配置时，仍会提升一部分CPU）一、界面菜单管理1、管理方式JuniperSRX系列防火墙出厂默认状态下，登陆用户名为root密码为空，所有接口都已开启Web管理，但无接口地址。

终端连接防火墙后，输入用户名(root)、密码(空)，显示如下：rootsrx240-1%输入cli命令进入JUNOS访问模式：rootsrx240-1% clirootsrx240-1>输入configure进入JUNOS配置模式：rootsrx240-1% clirootsrx240-1> configureEntering configuration mode[edit]rootsrx240-1#防火墙至少要进行以下配置才可以正常使用：(1)设置root密码（否则无法保存配置）(2)开启ssh/telnet/http服务(3)添加用户（root权限不能作为远程telnet，可以使用SHH方式）(4)分配新的用户权限2、WEB管理界面（1）Web管理界面需要浏览器支持Flash控件。

Juniper SRX防火墙简明配置手册目录一、 JUNOS 操作系统介绍 (3)1.1层次化配置结构 (3)1.2 JunOS 配置管理 (4)1.3 SRX 主要配置内容 (4)二、 SRX 防火墙配置说明 (5)2.1初始安装 (5)2.1.1登陆 (5)2.1.2设置 root 用户口令 (9)2.1.3JSRP 初始化配置 (9)2.1.4设置远程登陆管理用户 (14)2.1.5远程管理 SRX相关配置 (15)2.1.6ZONE 及相关接口的配置 (15)2.2 Policy (16)2.3 NAT (17)2.3.1Interface based NAT (18)2.3.2Pool based Source NAT (18)2.3.3Pool base destination NAT (19)2.3.4Pool base Static NAT (20)2.4 IPSEC VPN (21)2.5 Application and ALG (22)三、 SRX 防火墙常规操作与维护 (22)3.1单机设备关机 (22)3.2单机设备重启 (23)3.3单机操作系统升级 (23)3.4双机模式下主备 SRX 关机 (23)3.5双机模式下主备设备重启 (24)3.6双机模式下操作系统升级 (24)3.7双机转发平面主备切换及切换后恢复 (25)3.8双机控制平面主备切换及切换后恢复 (25)3.9双机模式下更换备SRX (25)3.10双机模式下更换主SRX (26)3.11双机模式更换电源 (27)3.12双机模式更换故障板卡 (27)3.13配置备份及还原方法 (27)3.14密码修改方法 (28)3.15磁盘文件清理方法 (28)3.16密码恢复 (28)3.17常用监控维护命令 (29)四、 SRX 防火墙介绍 (31)Juniper SRX防火墙简明配置手册SRX系列防火墙是 Juniper 公司基于 JUNOS操作系统的安全系列产品，JUNOS集成了路由、交换、安全性和一系列丰富的网络服务。

SRX NATSRX的NAT配置与ScreenOS显著不同，为保证系统的灵活性，SRX把NAT配置从安全策略里剥离出来，单独成为一个层次：即在SRX JUNOS中安全策略只负责控制业务数据的转发与否，NAT策略只控制业务数据的源地址和端口的翻译规则，两者各自独立。

SRX的NAT配置分为源地址翻译(source NAT), 目标地址翻译(destination NAT)和静态地址翻译(static NAT)三种，其配置语法都类似，只是nat rule必须被放到rule-set里使用，任意两个zone或任意两个网络逻辑接口之间只允许有一个rule-set。

值得注意的是SRX不会自动为NAT规则生成proxy-arp配置，因此如果NAT地址翻译之后的地址跟出向接口地址不同但在同一网络内时，必须手工配置相应接口proxy-arp以代理相关IP地址的ARP查询回应，否则下一条设备会由于不能通过ARP得到NAT地址的MAC 地址而不能构造完整的二层以太网帧头导致通信失败。

配置：set security nat source rule-set src-nat from zone trustset security nat source rule-set src-nat to zone untrustset security nat source rule-set src-nat rule src-1 match source-address 192.168.1.0/24set security nat source rule-set src-nat rule src-1 then source-nat interfaceset security nat destination pool 10-26-105-172-p1812 address 10.26.105.172/32set security nat destination pool 10-26-105-172-p1812 address port 1812set security nat destination rule-set dst-nat from zone ggsnset security nat destination rule-set dst-nat rule 30 match destination-address 10.0.0.173/32set security nat destination rule-set dst-nat rule 30 match destination-port 1645set security nat destination rule-set dst-nat rule 30 then destination-nat pool 10-26-105-172-p1812 set security nat destination rule-set dst-nat rule 40 match destination-address 10.0.0.173/32set security nat static rule-set static from zone cmnetset security nat static rule-set static rule static-10 match destination-address 211.137.59.27/32set security nat static rule-set static rule static-10 then static-nat prefix 10.26.105.170/32set security nat proxy-arp interface reth2.0 address 211.137.59.27/32set security nat proxy-arp interface reth0.0 address 10.0.0.173/32 或lab@srx210# show securitynat {source {rule-set src {from zone trust;to zone cmnet;rule src-10 {match {source-address 0.0.0.0/0;}then {source-nat {interface;}}}}}destination {pool 10-26-105-172-p1812 {address 10.26.105.172/32 port 1812;}rule-set dst-nat {from zone ggsn;rule 30 {match {destination-address 10.0.0.173/32;destination-port 1645;}then {destination-nat pool 10-26-105-172-p1812;}}static {rule-set static {from zone cmnet;rule static-10 {match {destination-address 211.137.59.27/32;}then {static-nat prefix 10.26.105.170/32;}}proxy-arp {interface reth2.0 {address {211.137.59.27/32;}}interface reth0.0 {address {10.0.0.173/32;}}}}。

Junipersrx100防火墙配置指导#一、初始化安装1。

1设备登录Juniper SRX系列防火墙。

开机之后，第一次必须通过console 口(通用超级终端缺省配置）连接SRX ，输入root 用户名登陆,密码为空，进入到SRX设备之后可以开始加载基线配置。

特别注意:SRX低端系列防火墙，在第一次登陆时，执行命令“show configuration”你会发现系统本身已经具备一些配置内容（包括DNS名称、DHCP服务器等），建议删除这些配置,重新配置. Delete 删除设备开机请直接通过console 连接到防火墙设备Login ： rootPassword : /＊＊＊初始化第一次登陆的时候，密码为空**/Root% cli /**进入操作模式*＊/Root>Root〉 configure /** 进入配置模式＊*/Root# delete /*＊*配置模式执行命令“delete”全局删除所有的系统缺省配置*＊＊/ 1.2 系统基线配置Set system host—name name/***配置设备名称“name”*＊＊/Set system time-zone Asia/Chongqing/＊＊＊配置系统时区＊*＊/Set system root—authentication plain-text-password 输入命令，回车New password: 第一次输入新密码，Retype new password 重新确认新密码/＊**配置系统缺省根账号密码，不允许修改根账号名称“root” *＊＊/注意:root帐号不能用于telnet,但是可以用于web和ssh管理登录到设备S et system login user topsci class super—user authentication plain-text-password New password 输入密码Retype new password 确认密码/**＊创建一个系统本地账号“name“,set system services sshset system services telnetset system services web—management http interface allset systhm services web—management http port 81 interface allset system services web—management https system—generated-certificateset system services web—management https interface all/＊**全局开启系统管理服务，ssh\telnet\http\https＊*＊/set interfacesge-0/0/2unit 0 family inet address 10.10.10。

Juniper SRX防火墙NAT配置简介基于源IP地址的NAT基本的实验拓扑：◆实验前的基本配置◆NAT配置前我们首先保证从Trust路由器可以直接访问Untrust路由器，防火墙的基本配置如下：#初始化化防火墙接口，并将接口划入到相应的Zoneset interfaces ge-0/0/0 unit 0 family inet address 10.1.1.10/24set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.10/24set interfaces ge-0/0/2 unit 0 family inet address 202.100.1.10/24set security zones security-zone trust interfaces ge-0/0/0.0set security zones security-zone DMZ interfaces ge-0/0/1.0set security zones security-zone untrust interfaces ge-0/0/2.0#配置策略明确方向Trust到Untrust的流量set security zones security-zone trust address-book address Inside-local 10.1.1.0/24set security zones security-zone untrust address-book address Untrust-client 202.100.1.0/24set security policies from-zone untrust to-zone trust policy Telnet match source-address Untrust -client set security policies from-zone untrust to-zone trust policy Telnet match destination-address Inside-local set security policies from-zone untrust to-zone trust policy Telnet match application junos-telnetset security policies from-zone untrust to-zone trust policy Telnet then permitset security policies from-zone trust to-zone untrust policy Out match source-address Inside-localset security policies from-zone trust to-zone untrust policy Out match destination-address untrust-client set security policies from-zone trust to-zone untrust policy Out match application anyset security policies from-zone trust to-zone untrust policy Out then permit从Trust路由器telnet到Untrust路由器，检验初始配置上图说明现在我们是直接使用Trust路由地的地址进行访问的◆配置NAT with no-pat#首先配置一个NAT地址池set security nat source pool To-Internet address 202.100.1.150/32 to 202.100.1.151/32 #配置NAT转换策略set security nat source pool To-Internet port no-translation关键字no-pat说明不使用端口转换set security nat source rule-set To-Internet from zone trustset security nat source rule-set To-Internet to zone untrustset security nat source rule-set To-Internet rule Internet match source-address 10.1.1.0/24set security nat source rule-set To-Internet rule Internet then source-nat pool To-Internetset security nat proxy-arp interface ge-0/0/2.0 address 202.100.1.150/32 to 202.100.1.151/32#上图说明我们的地址转换成功了上图说明我们发起的连接的端口没有被转换，只是转换了源地址◆配置NAPT⏹基于地址池的NAPT#首先配置一个NAT地址池set security nat source pool To-Internet address 202.100.1.150/32 to 202.100.1.151/32#配置NAT转换策略set security nat source rule-set To-Internet from zone trustset security nat source rule-set To-Internet to zone untrustset security nat source rule-set To-Internet rule Internet match source-address 10.1.1.0/24set security nat source rule-set To-Internet rule Internet then source-nat pool To-Internetset security nat proxy-arp interface ge-0/0/2.0 address 202.100.1.150/32 to 202.100.1.151/32上图说明我们的NAT策略成功上图说明我们的NAT不仅转换源地址，而且转换了源端口注意:在未启用persistent-nat特性的时候SRX不能够像ASA一样通过show xlate查看转换槽位⏹基于端口的NAPT#在NAT的rule-set下调用Interface关键字启用基于端口的NATset security nat source rule-set To-Internet from zone trustset security nat source rule-set To-Internet to zone untrustset security nat source rule-set To-Internet rule Telnet match source-address 10.1.1.0/24set security nat source rule-set To-Internet rule Telnet then source-nat interface#上图显示我们的NAT的源地址被转换为防火墙的外网口地址上图说明我们的NAT不仅转换源地址，而且转换了源端口⏹产生转换槽位的NAT#调用persistent-nat关键字启用NAT的转换槽位set security nat source pool Internet address 202.100.1.150/32 to 202.100.1.151/32set security nat source rule-set To-Internet from zone trustset security nat source rule-set To-Internet to zone untrustset security nat source rule-set To-Internet rule Telnet match source-address 10.1.1.0/24set security nat source rule-set To-Internet rule Telnet then source-nat pool Internetset security nat source rule-set To-Internet rule Telnet then source-nat pool persistent-nat permit any-remote-hostset security nat proxy-arp interface ge-0/0/3.0 address 202.100.1.150/32 to 202.100.1.151/32persistent-nat的三种模式：any-remote-host 在完成转换后，任意地址的任意都能与转换后的地址互通target-host 在完成转换后，至允许目标地址与转化后的地址互通target-host-port 在完成转换后，只允许目标地址的目标端口与转换后的地址互通上图显示了SRX产生的类似ASA的转换槽位基于目的IP地址的NAT实验网络拓扑如下：实验目标：实现Trust-Client(10.1.1.100)访问202.100.1.200:2323的时候完成对服务器Untrust-server的TELNET的访问实验实际配置步骤：#定义Zone和地址簿set security zones security-zone trust address-book address Trust-local 10.1.1.0/24set security zones security-zone trust interfaces ge-0/0/0.0set security zones security-zone untrust address-book address Untrust-client 202.100.1.0/24set security zones security-zone untrust interfaces ge-0/0/2.0#配置安全策略放行访问流量set security policies from-zone trust to-zone untrust policy Permit-telnet match source-address Trust-localset security policies from-zone trust to-zone untrust policy Permit-telnet match destination-address Untrust-client set security policies from-zone trust to-zone untrust policy Permit-telnet match application junos-telnetset security policies from-zone trust to-zone untrust policy Permit-telnet then permit#进行基于目的IP的NAT配置set security nat destination pool telnet address 202.100.1.100/32set security nat destination pool telnet address port 23set security nat destination rule-set telnet from zone trustset security nat destination rule-set telnet rule telnet match source-address 10.1.1.0/24set security nat destination rule-set telnet rule telnet match destination-address 202.100.1.200/32set security nat destination rule-set telnet rule telnet match destination-port 2323set security nat destination rule-set telnet rule telnet then destination-nat pool telnetset security nat proxy-arp interface ge-0/0/3.0 address 202.100.1.200/32双向NAT⏹配置Trust区域无网关配置的NAT server在实际的工作环境中，有些内网的服务器可能不止一块网卡，而且服务的网关已经设置在了其他的网络，这个时候就需要使用NAT Inbound将外网访问的源地址NAT到服务器同一网段进行解决◆实验网络拓扑：◆实验目标：将Trust-server（10.1.1.100）的TELNET服务映射到202.100.1.200在Trust-server不配置路由的情况下Untrust-client可以访问202.100.1.200的TELNET服务◆实验配置步骤：首先我们先做NAT server将Trust-server的地址映射到外网提供FTP服务#定义Zone和地址簿set security zones security-zone trust address-book address Trust-local 10.1.1.0/24set security zones security-zone trust interfaces ge-0/0/0.0set security zones security-zone untrust address-book address Untrust-client 202.100.1.0/24set security zones security-zone untrust interfaces ge-0/0/2.0#配置安全策略放行访问流量set security policies from-zone untrust to-zone trust policy Permit-Telnet match source-addressUntrust-clientset security policies from-zone untrust to-zone trust policy Permit-Telnet match destination-addressTrust-localset security policies from-zone untrust to-zone trust policy Permit-Telnet match application junos-telnetset security policies from-zone untrust to-zone trust policy Permit-Telnet then permit#配置Untrust静态NAT，完成内网到外网的转换set security nat static rule-set TELNET-SERVER from zone untrustset security nat static rule-set TELNET-SERVER rule SERVER match destination-address202.100.1.200/32set security nat static rule-set TELNET-SERVER rule SERVER match destination-port 23set security nat static rule-set TELNET-SERVER rule SERVER then static-nat prefix 10.1.1.100/32set security nat static rule-set TELNET-SERVER rule SERVER then static-nat prefix mapped-port 23set security nat proxy-arp interface ge-0/0/2.0 address 202.100.1.200/32在服务器配置网关的时候，进行测试如下删除服务器配置网关的时候进行测试如下：客户之所以无法访问内网的服务器，是因为内网服务器没有去往外网的路由条目。

SRX NA T和Policy执行先后顺序为：目的地址转换－目的地址路由查找－执行策略检查－源地址转换。

需注意：Policy中源地址应是转换前的源地址，而目的地址应是转换后的目的地址，即Policy中的源和目的地址应是两端的真实IP地址。

Static为双向NAT，其他类型均为单向NAT。

1.1 Interface based NATNAT：set security nat source rule-set 1 from zone trustset security nat source rule-set 1 to zone untrustset security nat source rule-set 1set security nat source rule-set 1 rule rule1 then source-nat interfacePolicy: set security policies from-zone trust to-zone untrust policy 1 match source-address 10.1.2.2 set security policies from-zone trust to-zone untrust policy 1 match destination-address anyset security policies from-zone trust to-zone untrust policy 1 match application anyset security policies from-zone trust to-zone untrust policy 1 then permit上述配置定义Policy策略，允许Trust zone 10.1.2.2地址访问Untrust方向任何地址，根据前面的NA T配置，SRX在建立session时自动执行接口源地址转换。

拓扑图：需求：PC1和PC2主机访问http服务走ge-0/0/0（wan1），访问telnet服务走ge-0/0/1（wan2）。

其余走ge-0/0/0（wan1）。

配置过程：第一步，创建路由实例(routing-instance)set routing-instances wan1 instance-type forwardingset routing-instances wan1 routing-options static route 0.0.0.0/0 next-hop 202.100.1.1set routing-instances wan2 instance-type forwardingset routing-instances wan2 routing-options static route 0.0.0.0/0 next-hop 202.100.2.1wan1：路由实例的名称forwarding：路由实例的类型PS：每一个路由实例可以理解为一个单独的路由转发表。

第二步：设置路由信息组（rib-groups）set routing-options rib-groups routing_table_group import-rib inet.0set routing-options rib-groups routing_table_group import-rib wan1.inet.0set routing-options rib-groups routing_table_group import-rib wan2.inet.0说明：routing_table_group：路由信息组名称wan1.inet.0：如果wan1的话，它的路由转发表的命名就是wan1.inet.0，是自动生成的。

PS:As the two ISPs are part of inet.0, the rib-group configuration is required to import the directly connected routes of the ISP into the routing-instance. (来自官方解释)意思就是需要将直连的路由输入到路由实例中。

juniperSRX利用虚拟路由器实现多链路冗余以及双向接入案例juniper SRX 利用虚拟路由器实现多链路冗余以及双向接入案例目录文档查看须知： (2)测试拓扑： (4)一虚拟路由器（记住来流量入口）； (5)需求： (5)配置： (5)验证： (7)配置解析： (7)二虚拟路由器（多链路负载冗余）； (10)需求： (10)配置： (11)验证： (13)配置解析： (18)三虚拟路由器（双线接入）； (21)需求： (21)配置： (21)验证： (25)注意点： (26)文档查看须知：测试环境：SRX 220H拓扑对应 IP:G-0/0/3：192.168.3.1/24G-0/0/4：192.168.4.1/24G-0/0/5：192.168.5.1/24G-0/0/6：10.10.30.189/24F0/1：192.168.4.2/24F0/2：192.168.5.2/24F0/3:192.168.100.1/24（模拟遥远互联网）测试拓扑：一虚拟路由器（记住来流量入口）；需求：外网用户访问防火墙的外网接口3389 端口NAT 到内网服务器192.168.3.5:3389，流量按原路返回；放行所有外网用户到主机 192.168.3.5 的 3389 端口；（双线接入）配置：set routing-instances Tel instance-type virtual-routerset routing-instances Tel interface ge-0/0/4.0set routing-instances Tel routing-options interface-routes rib-group inet Big-ribset routing-instances Tel routing-options static route 0.0.0.0/0 next-hop 192.168.4.2set routing-instances CNC instance-type virtual-routerset routing-instances CNC interface ge-0/0/5.0set routing-instances CNC routing-options interface-routes rib-group inet Big-ribset routing-instances CNC routing-options static route 0.0.0.0/0 next-hop 192.168.5.2set interfaces ge-0/0/3 unit 0 family inet address 192.168.3.1/24set interfaces ge-0/0/4 unit 0 family inet address 192.168.4.1/24set interfaces ge-0/0/5 unit 0 family inet address 192.168.5.1/24set interfaces ge-0/0/6 unit 0 family inet address 10.10.30.189/24set routing-options interface-routes rib-group inet Big-rib set routing-options static route 10.0.0.0/8 next-hop 10.10.30.1set routing-options static route 0.0.0.0/0 next-hop 192.168.4.2set routing-options static route 0.0.0.0/0 installset routing-options static route 0.0.0.0/0 no-readvertiseset routing-options rib-groups Big-rib import-rib inet.0set routing-options rib-groups Big-rib import-rib CNC.inet.0 set routing-options rib-groups Big-rib import-rib Tel.inet.0 set security nat destination pool 111 address 192.168.3.5/32 set security nat destination rule-set 1 from zone Tel-trustset security nat destination rule-set 1 rule 111 match source-address 0.0.0.0/0set security nat destination rule-set 1 rule 111 match destination-address 192.168.4.1/32set security nat destination rule-set 1 rule 111 match destination-port 3389set security nat destination rule-set 1 rule 111 then destination-nat pool 111set security nat destination rule-set 2 from zone CNC-trust set security nat destination rule-set 2 rule 222 match source-address 0.0.0.0/0set security nat destination rule-set 2 rule 222 match destination-address 192.168.5.1/32set security nat destination rule-set 1 rule 111 match destination-port 3389set security nat destination rule-set 2 rule 222 then destination-nat pool 111set applications application tcp_3389 protocol tcpset applications application tcp_3389 destination-port 3389 set security zones security-zone trust address-book address H_192.168.3.5 192.168.3.5/32set security policies from-zone Tel-trust to-zone trust policy default-permit match source-address anyset security policies from-zone Tel-trust to-zone trust policy default-permit match destination-address H_192.168.3.5 set security policies from-zone Tel-trust to-zone trust policy default-permit match application tcp_3389set security policies from-zone Tel-trust to-zone trust policy default-permit then permitset security policies from-zone CNC-trust to-zone trust policy default-permit match source-address anyset security policies from-zone CNC-trust to-zone trust policy default-permit match destination-addressH_192.168.3.5set security policies from-zone CNC-trust to-zone trust policy default-permit match application tcp_3389set security policies from-zone CNC-trust to-zone trust policy default-permit then permitset security zones security-zone trust host-inbound-traffic system-services allset security zones security-zone trust host-inbound-traffic protocols allset security zones security-zone trust interfaces ge-0/0/3.0 set security zones security-zone T el-trust host-inbound-traffic system-services allset security zones security-zone T el-trust host-inbound-traffic protocols allset security zones security-zone T el-trust interfaces ge-0/0/4.0set security zones security-zone CNC-trust host-inbound-traffic system-services allset security zones security-zone CNC-trust host-inbound-traffic protocols allset security zones security-zone CNC-trust interfaces ge-0/0/5.0set security zones security-zone MGT host-inbound-traffic system-services allset security zones security-zone MGT host-inbound-traffic protocols allset security zones security-zone MGT interfaces ge-0/0/6.0 验证：root@SRX-Ipsec-A> show security flow sessionSession ID: 9696, Policy name: default-permit/5, Timeout: 1794, ValidIn: 192.168.100.211/57408 --> 192.168.5.1/3389;tcp, If: ge-0/0/5.0, Pkts: 2, Bytes: 112Out: 192.168.3.5/3389 --> 192.168.100.211/57408;tcp, If: ge-0/0/3.0, Pkts: 1, Bytes: 60====================================== ===================================== = root@SRX-Ipsec-A> show security flow sessionSession ID: 9697, Policy name: default-permit/4, Timeout: 1796, ValidIn: 192.168.100.211/57409 --> 192.168.4.1/3389;tcp, If: ge-0/0/4.0, Pkts: 2, Bytes: 112Out: 192.168.3.5/3389 --> 192.168.100.211/57409;tcp, If: ge-0/0/3.0, Pkts: 1, Bytes: 60配置解析：set routing-instances Tel instance-type virtual-router//创建虚拟 VR Telset routing-instances Tel interface ge-0/0/4.0//把逻辑接口加入虚拟 VRset routing-instances Tel routing-options interface-routes rib-group inet Big-rib//定义新增的路由表属于路由组“Big-rib”set routing-instances Tel routing-options static route 0.0.0.0/0 next-hop 192.168.4.2 //为 Tel 路由表配置路由set routing-instances CNC instance-type virtual-routerset routing-instances CNC interface ge-0/0/5.0set routing-instances CNC routing-options interface-routes rib-group inet Big-rib set routing-instances CNC routing-options static route 0.0.0.0/0 next-hop 192.168.5.2 //配置路由表 CNC 相关信息set interfaces ge-0/0/3 unit 0 family inet address 192.168.3.1/24set interfaces ge-0/0/4 unit 0 family inet address 192.168.4.1/24set interfaces ge-0/0/5 unit 0 family inet address192.168.5.1/24set interfaces ge-0/0/6 unit 0 family inet address 10.10.30.189/24//配置逻辑接口的 IP 地址set routing-options interface-routes rib-group inet Big-rib //定义路由表组，并把接口路由加入到 Big-rib 路由组中set routing-options static route 10.0.0.0/8 next-hop 10.10.30.1set routing-options static route 0.0.0.0/0 next-hop 192.168.4.2//配置全局路由表路由信息set routing-options static route 0.0.0.0/0 install//把路由表安装到转发表set routing-options static route 0.0.0.0/0 no-readvertise//set routing-options rib-groups Big-rib import-rib inet.0set routing-options rib-groups Big-rib import-rib CNC.inet.0 set routing-options rib-groups Big-rib import-rib Tel.inet.0 //导入三张路由表之间的直连路由到路由表组set security nat destination pool 111 address 192.168.3.5/32 //定义目的 NAT 后的内部服务器的 IP 地址set security nat destination rule-set 1 from zone Tel-trustset security nat destination rule-set 1 rule 111 match source-address 0.0.0.0/0set security nat destination rule-set 1 rule 111 match destination-address 192.168.4.1/32set security nat destination rule-set 1 rule 111 match destination-port 3389set security nat destination rule-set 1 rule 111 then destination-nat pool 111//配置 ZONE Tel-trust 的目的NATset security nat destination rule-set 2 from zone CNC-trust set security nat destination rule-set 2 rule 222 match source-address 0.0.0.0/0set security nat destination rule-set 2 rule 222 match destination-address 192.168.5.1/32set security nat destination rule-set 1 rule 111 match destination-port 3389set security nat destination rule-set 2 rule 222 then destination-nat pool 111//配置 ZONE CNC-trust 的目的NATset applications application tcp_3389 protocol tcpset applications application tcp_3389 destination-port 3389 set security zones security-zone trust address-book address H_192.168.3.5 192.168.3.5/32//自定义端口和配置地址表set security policies from-zone Tel-trust to-zone trust policy default-permit match source-address anyset security policies from-zone Tel-trust to-zone trust policy default-permit match destination-address H_192.168.3.5 set security policies from-zone Tel-trust to-zone trust policy default-permit match application tcp_3389set security policies from-zone Tel-trust to-zone trust policy default-permit then permit//配置 Tel-trust 到 trust 策略set security policies from-zone CNC-trust to-zone trust policy default-permit match source-address anyset security policies from-zone CNC-trust to-zone trust policy default-permit match destination-addressH_192.168.3.5set security policies from-zone CNC-trust to-zone trust policy default-permit match application tcp_3389set security policies from-zone CNC-trust to-zone trust policy default-permit then permit//配置 CNC-trust 到 trust 策略set security zones security-zone trust host-inbound-traffic system-services allset security zones security-zone trust host-inbound-traffic protocols allset security zones security-zone trust interfaces ge-0/0/3.0set security zones security-zone T el-trust host-inbound-traffic system-services all set security zones security-zone Tel-trust host-inbound-traffic protocols allset security zones security-zone T el-trust interfaces ge-0/0/4.0set security zones security-zone CNC-trust host-inbound-traffic system-services all set security zones security-zone CNC-trust host-inbound-traffic protocols allset security zones security-zone CNC-trust interfaces ge-0/0/5.0set security zones security-zone MGT host-inbound-traffic system-services allset security zones security-zone MGT host-inbound-traffic protocols allset security zones security-zone MGT interfaces ge-0/0/6.0//定义逻辑接口到ZONE，并开放所有的协议及服务来访问防火墙的直连接口二虚拟路由器（多链路负载冗余）；需求：内网用户访问端口22.3389.8080,走电信，其他所有流量走CNC；所有内网访问外网的流量NAT 为对应外网接口IP 地址；实现负载冗余的功能；放行所有服务；（双线接入）配置：set routing-instances Tel instance-type virtual-routerset routing-instances Tel interface ge-0/0/4.0set routing-instances Tel routing-options interface-routes rib-group inet Big-ribset routing-instances Tel routing-options static route 0.0.0.0/0 next-hop 192.168.4.2set routing-instances Tel routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.5.2 preference 100 set routing-instances CNC instance-type virtual-routerset routing-instances CNC interface ge-0/0/5.0set routing-instances CNC routing-options interface-routes rib-group inet Big-ribset routing-instances CNC routing-options static route 0.0.0.0/0 next-hop 192.168.5.2set routing-instances CNC routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.4.2 preference 100 set interfaces ge-0/0/3 unit 0 family inet address 192.168.3.1/24 set interfaces ge-0/0/4 unit 0 family inet address 192.168.4.1/24set interfaces ge-0/0/5 unit 0 family inet address 192.168.5.1/24set interfaces ge-0/0/6 unit 0 family inet address 10.10.30.189/24set routing-options interface-routes rib-group inet Big-rib set routing-options static route 10.0.0.0/8 next-hop10.10.30.1set routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.5.2 preference 100set routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.4.2 preference 10set routing-options static route 0.0.0.0/0 installset routing-options static route 0.0.0.0/0 no-readvertiseset routing-options rib-groups Big-rib import-rib inet.0set routing-options rib-groups Big-rib import-rib CNC.inet.0 set routing-options rib-groups Big-rib import-rib Tel.inet.0 set security nat source rule-set Soure-NAT-Policy from zone trustset security nat source rule-set Soure-NAT-Policy to zone Tel-trustset security nat source rule-set Soure-NAT-Policy rule Source-nat-1 match source-address 192.168.3.0/24set security nat source rule-set Soure-NAT-Policy rule Source-nat-1 match destination-address 0.0.0.0/0 set security nat source rule-set Soure-NAT-Policy rule Source-nat-1 then source-nat interfaceset security zones security-zone trust address-book address Net_192.168.3.0 192.168.3.0/24set security policies from-zone trust to-zone Tel-trust policy 1 match source-address N et_192.168.3.0set security policies from-zone trust to-zone Tel-trust policy 1 match destination-address anyset security policies from-zone trust to-zone Tel-trust policy 1 match application anyset security policies from-zone trust to-zone Tel-trust policy 1 then permitset security policies from-zone trust to-zone Tel-trust policy 1 then log session-initset security policies from-zone trust to-zone Tel-trust policy 1 then log session-closeset security nat source rule-set Soure-NAT-Policy-2 from zone trustset security nat source rule-set Soure-NAT-Policy-2 to zone CNC-trustset security nat source rule-set Soure-NAT-Policy-2 rule Source-nat-2 match source-address 192.168.3.0/24 set security nat source rule-set Soure-NAT-Policy-2 rule Source-nat-2 match destination-address 0.0.0.0/0 set security nat source rule-set Soure-NAT-Policy-2 rule Source-nat-2 then source-nat interface set security policies from-zone trust to-zone CNC-trust policy 2 match source-address Net_192.168.3.0set security policies from-zone trust to-zone CNC-trust policy 2 match destination-address anyset security policies from-zone trust to-zone CNC-trust policy 2 match application anyset security policies from-zone trust to-zone CNC-trust policy 2 then permitset security policies from-zone trust to-zone CNC-trust policy 2 then log session-initset security policies from-zone trust to-zone CNC-trust policy 2 then log session-closeset interfaces ge-0/0/3 unit 0 family inet filter input filter-1 set firewall filter filter-1 term term-1 from destination-port 22set firewall filter filter-1 term term-1 from destination-port 3389set firewall filter filter-1 term term-1 from destination-port 8080set firewall filter filter-1 term term-1 then routing-instance Telset firewall filter filter-1 term default then routing-instance CNCset security zones security-zone trust host-inbound-traffic system-services allset security zones security-zone trust host-inbound-traffic protocols allset security zones security-zone trust interfaces ge-0/0/3.0 set security zones security-zone T el-trust host-inbound-traffic system-services allset security zones security-zone T el-trust host-inbound-traffic protocols allset security zones security-zone T el-trust interfaces ge-0/0/4.0set security zones security-zone CNC-trust host-inbound-traffic system-services allset security zones security-zone CNC-trust host-inbound-traffic protocols allset security zones security-zone CNC-trust interfaces ge-0/0/5.0set security zones security-zone MGT host-inbound-traffic system-services allset security zones security-zone MGT host-inbound-traffic protocols allset security zones security-zone MGT interfaces ge-0/0/6.0 验证：基于目标端口路由验证：Session ID: 9693, Policy name: 1121/6, Timeout: 1790, Valid In: 192.168.3.5/52562 --> 192.168.100.211/3389;tcp, If: ge-0/0/3.0, Pkts: 2, Bytes: 112 Out: 192.168.100.211/3389 --> 192.168.4.1/28262;tcp, If: ge-0/0/4.0, Pkts: 1, Bytes: 60 Session ID: 9703, Policy name: 1121/7, Timeout: 2, ValidIn: 192.168.3.5/6252 --> 192.168.100.211/1;icmp, If: ge-0/0/3.0, Pkts: 1, Bytes: 60 Out: 192.168.100.211/1 --> 192.168.5.1/4217;icmp, If: ge-0/0/5.0, Pkts: 1, Bytes: 60 当前路由表：root@SRX-Ipsec-A> show routeinet.0: 7 destinations, 8 routes (7 active, 0 holddown, 0 hidden)+ = Active Route, - = Last Active, * = Both0.0.0.0/0 *[Static/10] 00:01:26> to 192.168.4.2 via ge-0/0/4.0[Static/100] 00:01:04> to 192.168.5.2 via ge-0/0/5.0192.168.3.0/24 *[Direct/0] 00:04:31> via ge-0/0/3.0192.168.3.1/32 *[Local/0] 16:44:09Local via ge-0/0/3.0192.168.4.0/24 *[Direct/0] 00:01:26> via ge-0/0/4.0192.168.4.1/32 *[Local/0] 00:01:26Local via ge-0/0/4.0192.168.5.0/24 *[Direct/0] 00:01:04> via ge-0/0/5.0192.168.5.1/32 *[Local/0] 00:01:04Local via ge-0/0/5.0CNC.inet.0: 7 destinations, 8 routes (7 active, 0 holddown, 0hidden) + = Active Route, - = Last Active, * = Both0.0.0.0/0 *[Static/5] 00:01:04> to 192.168.5.2 via ge-0/0/5.0[Static/100] 00:01:26> to 192.168.4.2 via ge-0/0/4.0192.168.3.0/24 *[Direct/0] 00:04:31> via ge-0/0/3.0192.168.3.1/32 *[Local/0] 00:04:31Local via ge-0/0/3.0192.168.4.0/24 *[Direct/0] 00:01:26> via ge-0/0/4.0192.168.4.1/32 *[Local/0] 00:01:26Local via ge-0/0/4.0192.168.5.0/24 *[Direct/0] 00:01:04> via ge-0/0/5.0192.168.5.1/32 *[Local/0] 16:44:09Local via ge-0/0/5.0Tel.inet.0: 7 destinations, 8 routes (7 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both0.0.0.0/0 *[Static/5] 00:01:26> to 192.168.4.2 via ge-0/0/4.0[Static/100] 00:01:04> to 192.168.5.2 via ge-0/0/5.0192.168.3.0/24 *[Direct/0] 00:04:31> via ge-0/0/3.0192.168.3.1/32 *[Local/0] 00:04:31Local via ge-0/0/3.0192.168.4.0/24 *[Direct/0] 00:01:26> via ge-0/0/4.0192.168.4.1/32 *[Local/0] 16:44:09192.168.5.0/24 *[Direct/0] 00:01:04> via ge-0/0/5.0192.168.5.1/32 *[Local/0] 00:01:04Local via ge-0/0/5.0双线冗余验证：root@SRX-Ipsec-A> show security flow sessionSession ID: 10321, Policy name: 1121/7, Timeout: 48, ValidIn: 192.168.3.2/188 --> 192.168.100.211/59209;icmp, If: ge-0/0/3.0, Pkts: 1, Bytes: 84 Out: 192.168.100.211/59209 --> 192.168.5.1/13586;icmp, If: ge-0/0/5.0, Pkts: 0, Bytes: 0 Session ID: 10322, Policy name: 1121/6, Timeout: 50, Valid手动拔掉 CNC 广域网线路（模拟 CNC 线路故障）In: 192.168.3.2/189 --> 192.168.100.211/59209;icmp, If: ge-0/0/3.0, Pkts: 1, Bytes: 84 Out: 192.168.100.211/59209 --> 192.168.4.1/19350;icmp, If: ge-0/0/4.0, Pkts: 0, Bytes: 0 Session ID: 10330, Policy name: 1121/6, Timeout: 2, ValidIn: 192.168.3.2/197 --> 192.168.100.211/59209;icmp, If: ge-0/0/3.0, Pkts: 1, Bytes: 84 Out: 192.168.100.211/59209 --> 192.168.4.1/3661;icmp, If: ge-0/0/4.0, Pkts: 1, Bytes: 84 当前路由表：root@SRX-Ipsec-A> show routeinet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)+ = Active Route, - = Last Active, * = Both0.0.0.0/0 *[Static/10] 00:00:45> to 192.168.4.2 via ge-0/0/4.0192.168.3.0/24 *[Direct/0] 00:06:27> via ge-0/0/3.0192.168.3.1/32 *[Local/0] 16:46:05192.168.4.0/24 *[Direct/0] 00:00:45> via ge-0/0/4.0192.168.4.1/32 *[Local/0] 00:00:45Local via ge-0/0/4.0192.168.5.1/32 *[Local/0] 00:00:37RejectCNC.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)+ = Active Route, - = Last Active, * = Both0.0.0.0/0 *[Static/100] 00:00:45> to 192.168.4.2 via ge-0/0/4.0192.168.3.0/24 *[Direct/0] 00:06:27> via ge-0/0/3.0192.168.3.1/32 *[Local/0] 00:06:27Local via ge-0/0/3.0192.168.4.0/24 *[Direct/0] 00:00:45> via ge-0/0/4.0192.168.4.1/32 *[Local/0] 00:00:45Local via ge-0/0/4.0192.168.5.1/32 *[Local/0] 16:46:05RejectTel.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both0.0.0.0/0 *[Static/5] 00:00:45> to 192.168.4.2 via ge-0/0/4.0192.168.3.0/24 *[Direct/0] 00:06:27> via ge-0/0/3.0192.168.3.1/32 *[Local/0] 00:06:27Local via ge-0/0/3.0192.168.4.0/24 *[Direct/0] 00:00:45> via ge-0/0/4.0192.168.4.1/32 *[Local/0] 16:46:05Local via ge-0/0/4.0192.168.5.1/32 *[Local/0] 00:00:37Reject配置解析：set routing-instances Tel instance-type virtual-routerset routing-instances Tel interface ge-0/0/4.0set routing-instances Tel routing-options interface-routes rib-group inet Big-ribset routing-instances Tel routing-options static route 0.0.0.0/0 next-hop 192.168.4.2set routing-instances CNC routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.5.2 preference 100 //配置Tel 路由表并配置相关信息，通过优先级来实现双广域网冗余，优先级值越小，优先级越高set routing-instances CNC instance-type virtual-routerset routing-instances CNC interface ge-0/0/5.0set routing-instances CNC routing-options interface-routes rib-group inet Big-ribset routing-instances CNC routing-options static route 0.0.0.0/0 next-hop 192.168.5.2set routing-instances CNC routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.4.2 preference 100 //配置CNC 路由表并配置相关信息set interfaces ge-0/0/3 unit 0 family inet address 192.168.3.1/24set interfaces ge-0/0/4 unit 0 family inet address 192.168.4.1/24set interfaces ge-0/0/5 unit 0 family inet address 192.168.5.1/24set interfaces ge-0/0/6 unit 0 family inet address 10.10.30.189/24//配置逻辑接口对应 IP 地址set routing-options interface-routes rib-group inet Big-rib //定义路由表组，并把接口路由加入到 Big-rib 路由组中set routing-options static route 10.0.0.0/8 next-hop 10.10.30.1set routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.5.2 preference 100set routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.4.2 preference 10//配置全局路由表路由信息，通过指定优先级来实现双广域网的冗余set routing-options static route 0.0.0.0/0 install//把路由表安装到转发表set routing-options static route 0.0.0.0/0 no-readvertise//set routing-options rib-groups Big-rib import-rib inet.0set routing-options rib-groups Big-rib import-rib CNC.inet.0 set routing-options rib-groups Big-rib import-rib Tel.inet.0 //导入三张路由表之间的直连路由到路由表组set security nat source rule-set Soure-NAT-Policy from zone trustset security nat source rule-set Soure-NAT-Policy to zone Tel-trustset security nat source rule-set Soure-NAT-Policy rule Source-nat-1 match source-address 192.168.3.0/24 set security nat source rule-set Soure-NAT-Policy rule Source-nat-1 matchdestination-address 0.0.0.0/0 set security nat source rule-set Soure-NAT-Policy rule Source-nat-1 then source-nat interface //配置 ZONE Tel-trust 基于接口的源NATset security zones security-zone trust address-book address Net_192.168.3.0 192.168.3.0/24//定义地址表set security policies from-zone trust to-zone Tel-trust policy 1 match source-address N et_192.168.3.0set security policies from-zone trust to-zone Tel-trust policy 1 match destination-address anyset security policies from-zone trust to-zone Tel-trust policy 1 match application anyset security policies from-zone trust to-zone Tel-trust policy 1 then permitset security policies from-zone trust to-zone Tel-trust policy 1 then log session-initset security policies from-zone trust to-zone Tel-trust policy 1 then log session-close//根据需求配置策略并记录 LOG 信息set security nat source rule-set Soure-NAT-Policy-2 from zone trustset security nat source rule-set Soure-NAT-Policy-2 to zone CNC-trustset security nat source rule-set Soure-NAT-Policy-2 rule Source-nat-2 match source-address 192.168.3.0/24 set security nat source rule-set Soure-NAT-Policy-2 rule Source-nat-2 match destination-address 0.0.0.0/0 set security nat source rule-set Soure-NAT-Policy-2 rule Source-nat-2 then source-nat interface //配置 ZONE CNC-trust 基于接口的源NATset security policies from-zone trust to-zone CNC-trustpolicy 2 match source-address Net_192.168.3.0set security policies from-zone trust to-zone CNC-trust policy 2 match destination-address any。

Juniper_SRX中⽂配置⼿册簿及现⽤图解实⽤标准⽂档
前⾔、版本说明 (2)
⼀、界⾯菜单管理 (3)
2、WEB管理界⾯ (4)
（1）Web管理界⾯需要浏览器⽀持Flash控件。

(4)
（2）输⼊⽤户名密码登陆： (4)
（3）仪表盘⾸页 (5)
3、菜单⽬录 (8)
⼆、接⼝配置 (13)
1、接⼝静态IP (13)
2、PPPoE (14)
3、DHCP (15)
三、路由配置 (17)
1、静态路由 (17)
2、动态路由 (17)
四、区域设置Zone (19)
五、策略配置 (21)
1、策略元素定义 (21)
2、防⽕墙策略配置 (23)
3、安全防护策略 (26)
六、地址转换 (27)
1、源地址转换-建⽴地址池 (27)
2、源地址转换规则设置 (28)
七、VPN配置 (31)
1、建⽴第⼀阶段加密建议IKE Proposal (Phase 1) (或者⽤默认提议) (31)
2、建⽴第⼀阶段IKE策略 (32)
3、建⽴第⼀阶段IKE Gateway (33)
4、建⽴第⼆阶段加密提议IKE Proposal (Phase 2) (或者⽤默认提议) (34)
5、建⽴第⼀阶段IKE策略 (35)
6、建⽴VPN策略 (36)
⼋、Screen防攻击 (38)
九、双机 (39)
⼗、故障诊断 (39)
⽂案⼤全
上⼀页下⼀页。

J u n i p e r S R X防火墙简明配置手册卞同超Juniper服务工程师JuniperNetworks,Inc.北京市东城区东长安街1号东方经贸城西三办公室15层1508室邮编:100738目录JuniperSRX防火墙简明配置手册SRX系列防火墙是Juniper公司基于JUNOS操作系统的安全系列产品，JUNOS集成了路由、交换、安全性和一系列丰富的网络服务。

目前Juniper公司的全系列路由器产品、交换机产品和SRX安全产品均采用统一源代码的JUNOS操作系统，JUNOS 是全球首款将转发与控制功能相隔离，并采用模块化软件架构的网络操作系统。

JUNOS作为电信级产品的精髓是Juniper真正成功的基石，它让企业级产品同样具有电信级的不间断运营特性，更好的安全性和管理特性，JUNOS软件创新的分布式架构为高性能、高可用、高可扩展的网络奠定了基础。

基于NP架构的SRX系列产品产品同时提供性能优异的防火墙、NAT、IPSEC、IPS、SSLVPN和UTM等全系列安全功能，其安全功能主要来源于已被广泛证明的ScreenOS操作系统。

本文旨在为熟悉Netscreen防火墙ScreenOS操作系统的工程师提供SRX防火墙参考配置，以便于大家能够快速部署和维护SRX防火墙，文档介绍JUNOS操作系统，并参考ScreenOS配置介绍SRX防火墙配置方法，最后对SRX防火墙常规操作与维护做简要说明。

一、JUNOS操作系统介绍1.1层次化配置结构JUNOS采用基于FreeBSD内核的软件模块化操作系统，支持CLI命令行和WEBUI 两种接口配置方式，本文主要对CLI命令行方式进行配置说明。

JUNOSCLI使用层次化配置结构，分为操作（operational）和配置（configure）两类模式，在操作模式下可对当前配置、设备运行状态、路由及会话表等状态进行查看及设备运维操作，并通过执行config或edit命令进入配置模式，在配置模式下可对各相关模块进行配置并能够执行操作模式下的所有命令（run）。

JuniperSRX3400 Routing-instance AAA、NTP、SYSLOG实验配置手册目录1.实验需求 (3)2.实验环境 (3)3.实验拓扑 (4)3.1.创建虚拟机 (4)3.2.虚拟机之间网络连接 (4)4.防火墙配置 (7)5.AAA配置验证 (14)5.1.1.若将防火墙source-address定义为172.16.1.1 (14)5.1.2.删除环回口lo0地址 (16)6.NTP配置验证 (17)6.1.1.若将ntp源地址设为172.16.1.1， (18)6.1.2.删除环回口lo0地址 (18)7.SYSLOG配置验证 (19)7.1.1.若将SYSLOG源地址设为172.16.1.1 (19)7.1.2.删除防火墙上lo0接口地址 (20)8.最终结论 (21)为了能够充分理解Juniper SRX 防火墙在运行routing-instance 情况下配置AAA、syslog、ntp的运行机制，通过虚拟机搭建试验环境来验证。

2.实验环境Juniper 防火墙使用虚拟机来搭建，Radius服务器使用windows 2003 + ACS v4.2，将windows 2003作为ntp server, 在windows 2003上安装Kiwi_Syslog_Server 作为syslog软件。

实验工具如下：3.1.创建虚拟机创建2个虚拟机：SRX：juniper 防火墙Radius_NTP_Syslog_server：作为radius、NTP、syslog服务器；3.2.虚拟机之间网络连接各虚拟机网卡连接方式如下：1）将虚拟机SRX网卡1与物理机网卡桥接2）将虚拟机SRX网卡3采用自定义方式，用于与两台服务器连接3）服务器网卡也采用自定义的方式，用于与SRX连接：4）配置IP地址，测试联通性按照以上拓扑图对防火墙接口、服务器网口的IP地址进行配置，并测试连通性。

Juniper SRX系列防火墙配置管理手册目录一、JUNOS操作系统介绍 (3)层次化配置结构 (3)JunOS配置管理 (4)SRX主要配置内容 (4)二、SRX防火墙配置操作举例说明 (5)初始安装 (5)设备登陆 (5)设备恢复出厂介绍 (5)设置root用户口令 (5)设置远程登陆管理用户 (6)远程管理SRX相关配置 (6)配置操作实验拓扑 (7)策略相关配置说明 (7)策略地址对象定义 (8)策略服务对象定义 (8)策略时间调度对象定义 (8)添加策略配置举例 (9)策略删除 (10)调整策略顺序 (10)策略失效与激活 (10)地址转换 (10)Interface based NAT 基于接口的源地址转换 (11)Pool based Source NAT基于地址池的源地址转换 (12)Pool base destination NAT基于地址池的目标地址转换 (12)Pool base Static NAT基于地址池的静态地址转换 (13)路由协议配置 (14)静态路由配置 (14)OSPF配置 (15)交换机Firewall限制功能 (22)限制IP地 (22)限制MAC地址 (22)三、SRX防火墙常规操作与维护 (23)设备关机 (23)设备重启 (23)操作系统升级 (24)密码恢复 (24)常用监控维护命令 (25)Juniper SRX Branch系列防火墙配置管理手册说明SRX系列防火墙是Juniper公司基于JUNOS操作系统的安全系列产品，JUNOS集成了路由、交换、安全性和一系列丰富的网络服务。

目前Juniper公司的全系列路由器产品、交换机产品和SRX安全产品均采用统一源代码的JUNOS操作系统，JUNOS是全球首款将转发与控制功能相隔离，并采用模块化软件架构的网络操作系统。

JUNOS作为电信级产品的精髓是Juniper真正成功的基石，它让企业级产品同样具有电信级的不间断运营特性，更好的安全性和管理特性，JUNOS软件创新的分布式架构为高性能、高可用、高可扩展的网络奠定了基础。

Juniper-SRX防火墙Web配置说明Juniper SRX防火墙配置说明1系统配置 (1)1.1配置ROOT帐号密码 (1)1.2配置用户名和密码 (2)2接口配置 (9)2.1IPV4地址配置 (9)2.2接口T RUNK模式配置 (13)2.3接口A CCESS模式配置 (14)3VLAN配置 (15)3.1创建VLAN配置 (15)4路由配置 (19)4.1静态路由配置 (21)5自定义应用配置 (22)5.1自定义服务配置 (22)5.2应用组配置 (23)6地址组配置 (24)6.1地址簿配置 (24)6.2地址组配置 (25)7日程表配置 (27)8NAT配置 (30)8.1S TATIC NAT配置 (30)1 系统配置1.1 配置root帐号密码首次登陆设备时，需要采用console方式，登陆用户名为：root，密码为空，登陆到cli下以后，执行如下命令，设置root帐号的密码。

root# set system root-authentication plain-text-passwordroot# new password : root123root# retype new password: root123密码将以密文方式显示。

注意：必须要首先配置root帐号密码，否则后续所有配置的修改都无法提交。

SRX系列低端设备在开机后，系统会加载一个默认配置，设备的第一个接口被划分在trust区域，配置一个ip地址192.168.1.1，允许ping、telnet、web等管理方式，可以通过该地址登陆设备。

登陆后显示页面如下：在该页面上，可以看到设备的基本情况，在左边的chassis view 中可以看到端口up/down情况，在system identification中可以看到设备序列号、设备名称、软件版本等信息，在resource utilization 中可以看到cpu、menory、session、存储空间等信息，在security resources中可以看到当前的会话统计、策略数量统计等信息。

Juniper SRX防火墙简明配置手册1.登录web管理界面工程师站网卡ip设置为10.5.241.0网段的地址，子网255.255.255.0，网线直连防火墙第一个接口，打开web浏览器输入地址10.5.241.29，输入用户名：root 密码：zaq1@WSX 点击log in如下图：2.配置接口地址点击configure-interfaces-ports-ge0/0/0-add添加ge0/0/0接口地址为10.5.241.29/24,zone选择untrust：点击configure-interfaces-ports-ge0/0/1-add添加ge0/0/1接口地址为10.56.21.29/24,zone选择trust：3.配置静态nat点击nat-staticnat-add 配置rule名称，from选择untrust，rules点击add添加静态路由，如下图：4.配置proxy点击nat-proxy-add，interface选择ge0/0/0,将映射的外网ip地址添加进来，如下图：5.配置静态路由点击Routing-StaticRouting-Add，route配置为0.0.0.0，next-hop配置为10.5.241.1（外网网关地址）6.配置zone策略点击security-zones/screens-add配置zone name为untrust,binding screen选择untrust-screen，interface in the zone选择接口ge0/0/0.0，host inbound traffic-zone里配置好允许访问的服务端口。

点击security-zones/screens-add配置zone name为trust,interface in the zone选择接口ge0/0/1.0，host inbound traffic-zone里配置好允许访问的服务端口。

J u n i p e r S R X详细配置手册(含注释)------------------------------------------作者xxxx------------------------------------------日期xxxxJuniper SRX标准配置第一节系统配置 (3)、设备初始化 (3)登陆 (3)设置root用户口令 (3)设置远程登陆管理用户 (4)2、系统管理 (4)1.2.1 选择时区 (4)1.2.2 系统时间 (4)1.2.3 DNS服务器 (5)系统重启 (5)1.2.5 Alarm告警处理 (5)1.2.6 Root密码重置 (6)第二节网络设置 (7)、Interface (7)2.1.1 PPPOE (7)2.1.2 Manual (9)2.1.3 DHCP (9)、Routing (10)Static Route (10)、SNMP (10)第三节高级设置 (10)3.1.1 修改服务端口 (10)3.1.2 检查硬件序列号 (10)3.1.3 内外网接口启用端口服务 (11)3.1.4 创建端口服务 (11)3.1.5 VIP端口映射 (12)3.1.6 MIP映射 (12)禁用console口 (13)3.1.8 Juniper SRX带源ping外网默认不通，需要做源地址NAT (13)3.1.9 设置SRX管理IP (13)3.2.0 配置回退 (14)3.2.1 UTM调用 (15)3.2.2 网络访问缓慢解决 (15)第四节 VPN设置 (15)、点对点IPSec VPN (15)4.1.1 Route Basiced (15)4.1.2 Policy Basiced (19)、Remote VPN (21)4.2.1 SRX端配置 (21)4.2.2 客户端配置 (23)第一节系统配置、设备初始化登陆首次登录需要使用Console口连接SRX，root用户登陆，密码为空login: rootPassword:--- JUNOS 9.5R1.8 built 2009-07-16 15:04:30 UTCroot% cli /***进入操作模式***/root>root> configureEntering configuration mode /***进入配置模式***/[edit]Root#1.1.2设置root用户口令（必须配置root帐号密码，否则后续所有配置及修改都无法提交）root# set system root-authentication plain-text-passwordroot# new password : root123root# retype new password: root123密码将以密文方式显示root# show system root-authenticationencrypted-password "$1$xavDeUe6$fNM6olGU.8.M7B62u05D6."; # SECRET-DATA注意：强烈建议不要使用其它加密选项来加密root和其它user口令(如encrypted-password加密方式)，此配置参数要求输入的口令应是经加密算法加密后的字符串，采用这种加密方式手工输入时存在密码无法通过验证风险。

Juniper SRX防火墙配置说明1系统配置 (1)1.1配置ROOT帐号密码 (1)1.2配置用户名和密码 (2)1.3系统时间配置 (4)1.4设备名称配置 (5)1.5系统服务配置 (6)2接口配置 (8)2.1IPV4地址配置 (9)2.2接口T RUNK模式配置 (13)2.3接口A CCESS模式配置 (14)3VLAN配置 (15)3.1创建VLAN配置 (15)4区域配置 (19)4.1安全区域配置 (19)5路由配置 (21)5.1静态路由配置 (21)6自定义应用配置 (22)6.1自定义服务配置 (22)6.2应用组配置 (23)7地址组配置 (24)7.1地址簿配置 (24)7.2地址组配置 (25)8日程表配置 (27)9NAT配置 (30)9.1S TATIC NAT配置 (30)9.2D ESTINATION NA T配置 (30)9.3S OURCE NA T配置 (33)9.4P ROXY ARP配置 (38)10策略配置 (39)1 系统配置1.1 配置root帐号密码首次登陆设备时，需要采用console方式，登陆用户名为：root，密码为空，登陆到cli下以后，执行如下命令，设置root帐号的密码。

root# set system root-authentication plain-text-passwordroot# new password : root123root# retype new password: root123密码将以密文方式显示。

注意：必须要首先配置root帐号密码，否则后续所有配置的修改都无法提交。

SRX系列低端设备在开机后，系统会加载一个默认配置，设备的第一个接口被划分在trust区域，配置一个ip地址192.168.1.1，允许ping、telnet、web等管理方式，可以通过该地址登陆设备。

登陆后显示页面如下：在该页面上，可以看到设备的基本情况，在左边的chassis view中可以看到端口up/down情况，在system identification中可以看到设备序列号、设备名称、软件版本等信息，在resource utilization 中可以看到cpu、menory、session、存储空间等信息，在security resources中可以看到当前的会话统计、策略数量统计等信息。

Netscreen防火墙简单配置实例对照两个文档，可以实现简单配置netscreen防火墙。

Netscreen-100防火墙的基本配置流程NetScreen系列产品，是应用非常广泛的NAT设备。

NetScreen－100就是其中的一种。

NetScreen-100是个长方形的黑匣子，其正面面板上有四个接口。

左边一个是DB25串口，右边三个是以太网网口，从左向右依次为Trust Interface、DMZ Interface、Untrust Interface。

其中Trust Interface相当于HUB口，下行连接内部网络设备。

Untrust Interface相当于主机口，上行连接上公网的路由器等外部网关设备；两端口速率自适应（10M/100M）。

DMZ Interface介绍从略。

配置前的准备1. PC机通过直通网线与Trust Interface相连，用IE登录设备主页。

设备缺省IP为192.168.1.1/255.255.255.0，用户名和密码都为netscreen ；2. 登录成功后修改System 的IP和掩码，建议修改成与内部网段同网段，也可直接使用分配给Trust Interface的地址。

修改完毕点击ok，设备会重启；3. 把PC的地址改为与设备新的地址同网段，重新登录，即可进行配置4. 也可通过串口登录，在超级终端上通过命令行修改System IP数据配置数据配置包括三部分内容：Policy、Interface、Route Table。

1. 配置Policy用IE登陆NetScreen，在配置界面上，依次点击左边竖列中的Network–〉Policy，然后选中Outgoing。

如系统原有的与此不同，可点击表中最后一列的Remove来删除掉，然后点击左下角的New Policy，重新设置。

2. 配置Interface在配置界面上，依次点击左边竖列中的Configure–〉Interface选项，则显示如下所示的配置界面，其中主要是配置Trust Interface、Untrust Interface，必要时修改System IP。