I. Topology

[Figure 1: topology diagram]

The firewall is planned with three security zones: trust, untrust and dmz.

trust interface: ge-0/0/0, IP 192.168.1.1/24, the company office network.

untrust interface: ge-0/0/1, IP 100.100.100.1/24, facing the external Internet.

dmz interface: ge-0/0/2, IP 10.10.10.1/24, the company server zone.

Address pool for remote dynamic VPN clients: 172.16.10.0/24; addresses are assigned from the range 172.16.10.10 to 172.16.10.250.


II. Configuration

1. Configure the hostname, the root password, and HTTPS with a system-generated certificate for the web interface that distributes the Pulse client

set system host-name srx2
set system root-authentication encrypted-password "$1$iu2fOc8K$3htfeb/bly.2BfRoDsqVX."
set system services web-management https system-generated-certificate

2. Configure the interface IP addresses

set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 100.100.100.1/24
set interfaces ge-0/0/2 unit 0 family inet address 10.10.10.1/24

3. Configure the VPN phase 1 (IKE) parameters

set security ike policy ike-pol1 mode aggressive
set security ike policy ike-pol1 proposal-set standard
set security ike policy ike-pol1 pre-shared-key ascii-text "$9$/kW.Au1Srv7-wRh-wYgUD9Ap0RhylK8xN"
set security ike gateway gate-dynamic ike-policy ike-pol1
set security ike gateway gate-dynamic dynamic hostname srx2
set security ike gateway gate-dynamic dynamic connections-limit 50
set security ike gateway gate-dynamic dynamic ike-user-type group-ike-id
set security ike gateway gate-dynamic external-interface ge-0/0/1
set security ike gateway gate-dynamic xauth access-profile dynamic-users

4. Configure the VPN phase 2 (IPsec) parameters

set security ipsec policy ipsec-pol1 proposal-set standard
set security ipsec vpn dynamic-vpn ike gateway gate-dynamic
set security ipsec vpn dynamic-vpn ike ipsec-policy ipsec-pol1

5. Configure the dynamic VPN parameters

set security dynamic-vpn access-profile dynamic-users
set security dynamic-vpn clients all remote-protected-resources 192.168.1.0/24
set security dynamic-vpn clients all remote-protected-resources 10.10.10.0/24
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn dynamic-vpn
set security dynamic-vpn clients all user client1
set security dynamic-vpn clients all user client2
set security dynamic-vpn clients all user louis.yang

6. Configure the security policies

set security policies from-zone trust to-zone untrust policy p2 match source-address any
set security policies from-zone trust to-zone untrust policy p2 match destination-address any
set security policies from-zone trust to-zone untrust policy p2 match application any
set security policies from-zone trust to-zone untrust policy p2 then permit
set security policies from-zone dmz to-zone untrust policy p3 match source-address any
set security policies from-zone dmz to-zone untrust policy p3 match destination-address any
set security policies from-zone dmz to-zone untrust policy p3 match application any
set security policies from-zone dmz to-zone untrust policy p3 then permit
set security policies from-zone untrust to-zone trust policy dynamic-vpn-policy match source-address any
set security policies from-zone untrust to-zone trust policy dynamic-vpn-policy match destination-address any
set security policies from-zone untrust to-zone trust policy dynamic-vpn-policy match application any
set security policies from-zone untrust to-zone trust policy dynamic-vpn-policy then permit tunnel ipsec-vpn dynamic-vpn
set security policies from-zone untrust to-zone dmz policy p4 match source-address any
set security policies from-zone untrust to-zone dmz policy p4 match destination-address any
set security policies from-zone untrust to-zone dmz policy p4 match application any
set security policies from-zone untrust to-zone dmz policy p4 then permit tunnel ipsec-vpn dynamic-vpn

7. Configure the security zones

set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone dmz interfaces ge-0/0/2.0

8. Configure the access profile

set access profile dynamic-users client client1 firewall-user password "$9$yjQeMXVwgUjq7-jqmfn6revW7-bs2aGD"
set access profile dynamic-users client client2 firewall-user password "$9$nmBV9tOhSeX7V1R7VwYZG69Ap1RcylMLx"
set access profile dynamic-users client louis.yang firewall-user password "$9$upaWBRSvWxwYoreYoJGq.0BIEreM8X-bs"
set access profile dynamic-users address-assignment pool dynamic-pool
set access address-assignment pool dynamic-pool family inet network 172.16.10.0/24
set access address-assignment pool dynamic-pool family inet range dynamic-range low 172.16.10.10
set access address-assignment pool dynamic-pool family inet range dynamic-range high 172.16.10.250
set access address-assignment pool dynamic-pool family inet xauth-attributes primary-dns 202.96.134.133/32
set access firewall-authentication web-authentication default-profile dynamic-users
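The eight steps above are tied together by names (IKE policy, gateway, IPsec policy, VPN, access profile, address pool) that must all resolve, and a typo in any of them silently breaks the tunnel. As an added example that is not part of the original post, the following Python script reads a set-style configuration and reports dangling references, plus a gateway whose external interface sits in a zone that does not allow host-inbound IKE. The CONFIG string is a constructed excerpt of this page's configuration with the Junos `dynamic-vpn` / `ipsec-vpn` keywords written out; in practice the input is the output of `show configuration | display set`.

```python
import re

# Constructed excerpt of the page's set-style configuration (dynamic-vpn keywords written out).
CONFIG = """
set security ike policy ike-pol1 mode aggressive
set security ike gateway gate-dynamic ike-policy ike-pol1
set security ike gateway gate-dynamic external-interface ge-0/0/1
set security ike gateway gate-dynamic xauth access-profile dynamic-users
set security ipsec policy ipsec-pol1 proposal-set standard
set security ipsec vpn dynamic-vpn ike gateway gate-dynamic
set security ipsec vpn dynamic-vpn ike ipsec-policy ipsec-pol1
set security dynamic-vpn clients all ipsec-vpn dynamic-vpn
set security policies from-zone untrust to-zone trust policy dynamic-vpn-policy then permit tunnel ipsec-vpn dynamic-vpn
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/1.0
set access profile dynamic-users address-assignment pool dynamic-pool
set access address-assignment pool dynamic-pool family inet network 172.16.10.0/24
"""

# (regex with two groups: referrer name, referenced name) -> hierarchy that must define the referenced name
REFERENCES = [
    (r"^set security ike gateway (\S+) ike-policy (\S+)", "security ike policy"),
    (r"^set security ike gateway (\S+) xauth access-profile (\S+)", "access profile"),
    (r"^set security ipsec vpn (\S+) ike gateway (\S+)", "security ike gateway"),
    (r"^set security ipsec vpn (\S+) ike ipsec-policy (\S+)", "security ipsec policy"),
    (r"^set security dynamic-vpn clients (\S+) ipsec-vpn (\S+)", "security ipsec vpn"),
    (r"^set security policies .* policy (\S+) then permit tunnel ipsec-vpn (\S+)", "security ipsec vpn"),
    (r"^set access profile (\S+) address-assignment pool (\S+)", "access address-assignment pool"),
]

def pairs(lines, pattern):
    """Return (group1, group2) for every line matching the two-group regex."""
    return [m.groups() for l in lines if (m := re.match(pattern, l))]

def check_dynamic_vpn(text):
    """Return a list of findings (dangling references, IKE not allowed inbound); empty means consistent."""
    lines = [l.strip() for l in text.splitlines() if l.strip().startswith("set ")]
    findings = []
    for pattern, hierarchy in REFERENCES:
        names = {n for n, _ in pairs(lines, rf"^set {hierarchy} (\S+)(.*)")}
        for referrer, name in pairs(lines, pattern):
            if name not in names:
                findings.append(f"{referrer} references undefined {hierarchy} '{name}'")
    # IKE must be a permitted host-inbound service in the zone holding each gateway's external interface
    zone_of = {ifc.split(".")[0]: z for z, ifc in pairs(lines, r"^set security zones security-zone (\S+) interfaces (\S+)")}
    ike_ok = {z for z, s in pairs(lines, r"^set security zones security-zone (\S+) host-inbound-traffic system-services (\S+)") if s == "ike"}
    for gw, ifc in pairs(lines, r"^set security ike gateway (\S+) external-interface (\S+)"):
        if zone_of.get(ifc.split(".")[0]) not in ike_ok:
            findings.append(f"ike gateway {gw}: zone of {ifc} does not allow host-inbound ike")
    return findings
```

Run `check_dynamic_vpn(CONFIG)` on the page's configuration and it returns an empty list; misspell a policy or drop the `system-services ike` line and the corresponding finding appears.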


III. Verification

[Figure 2: client connection screenshot]


From the client, ping the PC in the trust zone (192.168.1.6) and the PC in the DMZ zone (10.10.10.254); both are reachable.

[Figure 3: ping results from the client]

The remote client obtains the address 172.16.10.11 from the address pool and connects to the firewall.

[Figure 4: client address assignment]

[Figure 5: firewall status]

[Figure 6: firewall status]

Detailed verification (omitted)


IV. Summary

The key to configuring dynamic VPN on a Juniper SRX firewall is the parts I highlighted in green: the remote protected resources, and the security policies that permit the VPN tunnel. For configuration troubleshooting I recommend the official Juniper KB: https://kb.juniper.net/InfoCenter/index?page=content&id=KB17220&actp=search