由于在实际工作中有时会遇到SRX系列的路由器防火墙模块设备,在网上能到的资料大多也是一些界面文档或者以Netscreen为主的资料,官方资料大部分都是英文的,有时候排错或者配置,真的很头痛;
开两台 VmSRX :SRX1:
第一步:配置IP:
set interfaces ge-0/0/0 unit 0 family inetaddress 10.247.171.1/24
set interfaces lo0 unit 10 family inetaddress 192.168.10.1/24
set interfaces st0 unit 1 family inetaddress 1.1.1.1/24
第二步:配置地址条目
set security address-book trust address A10192.168.10.0/24
set security address-book trust attach zonetrust
set security address-book untrust addressA20 192.168.20.0/24
set security address-book untrust attachzone untrust
第三步:配置IKE:
set security ike policy abc mode aggressive
set security ike policy abc proposal-setstandard
set security ike policy abc pre-shared-keyascii-text "$9$JZUi.QF/0BEP5BEcyW8ZUj"
set security ike gateway gw1 ike-policy abc
set security ike gateway gw1 address10.247.171.2
set security ike gateway gw1external-interface ge-0/0/0.0
第四步:配置IPSEC
set security ipsec policy aaa proposal-setstandard
set security ipsec *** ***1 bind-interfacest0.1
set security ipsec *** ***1 ike gateway gw1
set security ipsec *** ***1 ikeipsec-policy aaa
set security ipsec *** ***1establish-tunnels immediately
第五步:配置NAT:
set security nat source rule-set rsl fromzone trust
set security nat source rule-set rsl tozone untrust
set security nat source rule-set rsl ruler1 match source-address 0.0.0.0/0
set security nat source rule-set rsl ruler1 match destination-address 0.0.0.0/0
set security nat source rule-set rsl ruler1 then source-nat interface
第六步:配置策略
set security policies from-zone trustto-zone untrust policy 3 match source-address A10
set security policies from-zone trustto-zone untrust policy 3 match destination-address A20
set security policies from-zone trustto-zone untrust policy 3 match application any
set security policies from-zone trustto-zone untrust policy 3 then permit
set security policies from-zone trustto-zone untrust policy 1 match source-address any
set security policies from-zone trustto-zone untrust policy 1 match destination-address any
set security policies from-zone trustto-zone untrust policy 1 match application any
set security policies from-zone trustto-zone untrust policy 1 then permit
set security policies from-zone untrustto-zone trust policy 4 match source-address A20
set security policies from-zone untrustto-zone trust policy 4 match destination-address A10
set security policies from-zone untrustto-zone trust policy 4 match application any
set security policies from-zone untrustto-zone trust policy 4 then permit
set security policies from-zone untrustto-zone trust policy 2 match source-address any
set security policies from-zone untrustto-zone trust policy 2 match destination-address any
set security policies from-zone untrustto-zone trust policy 2 match application any
set security policies from-zone untrustto-zone trust policy 2 then permit
第七步:开启相应的系统服务
set security zones security-zone untrustinterfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone untrustinterfaces st0.1 host-inbound-traffic system-services all
set security zones security-zone trustinterfaces lo0.10 host-inbound-traffic system-services all
第八步:路由
set routing-options static route192.168.20.0/24 next-hop st0.1
第九步:测试
juniper@SRX1# run show security ikeactive-peer
Remote Address Port Peer IKE-ID XAUTH username Assigned IP
10.247.171.2 500 10.247.171.2
juniper@SRX1# run show security ikesecurity-associations
Index State Initiator cookie Responder cookie Mode Remote Address
2186252 UP 68aa002abd20d235 10437397ed758938 Aggressive 10.247.171.2
juniper@SRX1# run show security ipsecsecurity-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:3des/sha1 efe41cb5 3431/ unlim - root 500 10.247.171.2
>131073 ESP:3des/sha1 ada231d7 3431/ unlim - root 500 10.247.171.2
juniper@SRX1# run show security ipsecstatistics
ESP Statistics:
Encrypted bytes: 31864
Decrypted bytes: 19300
Encrypted packets: 236
Decrypted packets: 231
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AHauthentication failures: 0, Replay errors: 0
ESPauthentication failures: 0, ESP decryption failures: 0
Badheaders: 0, Bad trailers: 0
juniper@SRX1# run ping 192.168.20.1 source192.168.10.1
PING 192.168.20.1 (192.168.20.1): 56 databytes
64 bytes from 192.168.20.1: icmp_seq=0ttl=64 time=3.892 ms
64 bytes from 192.168.20.1: icmp_seq=1ttl=64 time=4.428 ms
64 bytes from 192.168.20.1: icmp_seq=2ttl=64 time=2.309 ms
64 bytes from 192.168.20.1: icmp_seq=3ttl=64 time=2.347 ms
64 bytes from 192.168.20.1: icmp_seq=4ttl=64 time=2.332 ms
^C
--- 192.168.20.1 ping statistics ---
5 packets transmitted, 5 packets received,0% packet loss
round-trip min/avg/max/stddev =2.309/3.062/4.428/0.913 ms
交流:1124287125
下面是SRX1的完整体配置:
juniper@SRX1# run show configuration |display set
set version 12.1X44.4
set system host-name SRX1
set system domain-name juniper.net
set system authentication-order password
set system root-authenticationencrypted-password "$1$hY6E.7uG$pn0ThmAXMrL2vf7BSLhmG0"
set system login user juniper uid 2001
set system login user juniper classsuper-user
set system login user juniperauthentication encrypted-password"$1$3VlKTGll$5MGwhUdY4BYtY2hILDRc/1"
set system services ssh protocol-version v2
set system services telnet
set system services web-management httpinterface ge-0/0/0.0
set system services web-management sessionidle-timeout 10
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messagesauthorization info
set system syslog file interactive-commandsinteractive-commands any
set system syslog file monitor-log match192.168.159.128
set system license autoupdate urlhttps://ae1.juniper.net/junos/key_retrieval
set chassis aggregated-devices ethernetdevice-count 2
set interfaces ge-0/0/0 unit 0 family inetaddress 10.247.171.1/24
set interfaces lo0 unit 10 family inetaddress 192.168.10.1/24
set interfaces st0 unit 1 family inetaddress 1.1.1.1/24
set routing-options static route192.168.20.0/24 next-hop st0.1
set security pki
set security ike policy abc mode aggressive
set security ike policy abc proposal-setstandard
set security ike policy abc pre-shared-keyascii-text "$9$JZUi.QF/0BEP5BEcyW8ZUj"
set security ike gateway gw1 ike-policy abc
set security ike gateway gw1 address10.247.171.2
set security ike gateway gw1external-interface ge-0/0/0.0
set security ipsec policy aaa proposal-setstandard
set security ipsec *** ***1 bind-interfacest0.1
set security ipsec *** ***1 ike gateway gw1
set security ipsec *** ***1 ikeipsec-policy aaa
set security ipsec *** ***1establish-tunnels immediately
set security address-book trust address A10192.168.10.0/24
set security address-book trust attach zonetrust
set security address-book untrust addressA20 192.168.20.0/24
set security address-book untrust attachzone untrust
set security nat source rule-set rsl fromzone trust
set security nat source rule-set rsl tozone untrust
set security nat source rule-set rsl ruler1 match source-address 0.0.0.0/0
set security nat source rule-set rsl ruler1 match destination-address 0.0.0.0/0
set security nat source rule-set rsl ruler1 then source-nat interface
set security policies from-zone trustto-zone untrust policy 3 match source-address A10
set security policies from-zone trustto-zone untrust policy 3 match destination-address A20
set security policies from-zone trustto-zone untrust policy 3 match application any
set security policies from-zone trustto-zone untrust policy 3 then permit
set security policies from-zone trustto-zone untrust policy 1 match source-address any
set security policies from-zone trustto-zone untrust policy 1 match destination-address any
set security policies from-zone trustto-zone untrust policy 1 match application any
set security policies from-zone trustto-zone untrust policy 1 then permit
set security policies from-zone untrustto-zone trust policy 4 match source-address A20
set security policies from-zone untrustto-zone trust policy 4 match destination-address A10
set security policies from-zone untrustto-zone trust policy 4 match application any
set security policies from-zone untrustto-zone trust policy 4 then permit
set security policies from-zone untrustto-zone trust policy 2 match source-address any
set security policies from-zone untrustto-zone trust policy 2 match destination-address any
set security policies from-zone untrustto-zone trust policy 2 match application any
set security policies from-zone untrustto-zone trust policy 2 then permit
set security zones security-zone untrustinterfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone untrustinterfaces st0.1 host-inbound-traffic system-services all
set security zones security-zone trustinterfaces lo0.10 host-inbound-traffic system-services all
ese