Juniper SRX3000工程开工指导书

Juniper防火墙工程开通指导书

set interfaces ge-0/0/4 gigether-options redundant-parent reth4 set interfaces ge-13/0/1 gigether-options redundant-parent reth1 set interfaces ge-13/0/2 gigether-options redundant-parent reth2 set interfaces ge-13/0/3 gigether-options redundant-parent reth3 set interfaces ge-13/0/4 gigether-options redundant-parent reth4

set interfaces fab0 fabric-options member-interfaces ge-0/0/0 set interfaces fab1 fabric-options member-interfaces ge-13/0/0

set interfaces reth1 redundant-ether-options redundancy-group 1 set interfaces reth1 unit 0 family inet address 192.168.100.1/24 set interfaces reth2 redundant-ether-options redundancy-group 1 set interfaces reth2 unit 0 family inet address 192.168.200.1/24 set interfaces reth3 redundant-ether-options redundancy-group 1 set interfaces reth3 unit 0 family inet address 220.1.1.18/24 set interfaces reth4 redundant-ether-options redundancy-group 1 set interfaces reth4 unit 0 family inet address 221.1.1.18/24

新建trust/untrust区域，并把接口放入相关区域并开放相关服务。（trust区域接口服务都打开，如telnet、ping、snmp、http）

set security zones security-zone trust interfaces reth1.0 host-inbound-traffic system-services all

set security zones security-zone trus tinterfaces reth2.0 host-inbound-traffic system-services all

set security zones security-zone untrust interfaces reth3.0 host-inbound-traffic protocols ping

set security zones security-zone untrust interfaces reth4.0 host-inbound-traffic protocols ping

3 .配置外网NAT地址池

set security nat source pool Pool-1 address 220.1.1.1 to 220.1.1.7 set security nat source pool Pool-2 address 221.1.1.1 to 221.1.1.7 set security nat source rule-set Rule-Pool-1 from zone trust

set security nat source rule-set Rule-Pool-1 to interface reth3.0 set security nat source rule-set Rule-Pool-2 from zone trust

set security nat source rule-set Rule-Pool-2 to interface reth4.0

set security nat source rule-set Rule-Pool-1 rule interface-nat match source-address 0.0.0.0/0

set security nat source rule-set Rule-Pool-1 rule interface-nat match destination-address 0.0.0.0/0

set security nat source rule-set Rule-Pool-1 rule interface-nat then source-nat pool poole-1

第49页

Juniper防火墙工程开通指导书

set security nat source rule-set Rule-Pool-2 rule interface-nat match source-address 0.0.0.0/0

set security nat source rule-set Rule-Pool-2 rule interface-nat match destination-address 0.0.0.0/0 set security nat source rule-set Rule-Pool-1 rule interface-nat then source-nat pool poole-2

由于dip地址池ip与接口在同一网段，需要配置proxy-arp

set security nat proxy-arp interface reth3.0 address 220.1.1.0/29 set security nat proxy-arp interface reth4.0 address 221.1.1.0/29

4.添加地址

set security zones security-zone trust address-book address mobile-address 10.0.0.0/8

5、配置内外网路由，并实现选录负载均衡

set routing-options forwarding-table export load-balance

set policy-options policy-statement load-balance then load-balance per-packet set routing-options static route 0.0.0.0/0 qualified-next-hop 220.1.1.254 set routing-options static route 0.0.0.0/0 qualified-next-hop 221.1.1.254

set routing-options static route 10.0.0.0/8 qualified-next-hop 192.168.100.254 set routing-options static route 10.0.0.0/8 qualified-next-hop 192.168.200.254

6、配置policy策略 A:设置从内到外的安全策略

set security policies from-zone trust to-zone untrust policy 1 match source-address mobile-address

set security policies from-zone trust to-zone untrust policy 1 match destination-address any

set security policies from-zone trust to-zone untrust policy 1 match application any

set security policies from-zone trust to-zone untrust policy 1 then permit

第50页