常用SRX配置命令
目录
1.1 配置管理用户 (2)
1.2 配置系统管理服务 (2)
1.3 配置接口地址 (2)
1.4 配置冗余接口 (2)
1.5 配置zone或接口是否可以管理防火墙设备 (2)
1.6 增加路由 (3)
1.7 删除路由 (3)
1.8 修改路由 (3)
1.9 增加策略 (4)
1.10 删除策略 (5)
1.11 修改策略 (5)
1.12 静态NAT (5)
1.13 源NAT (6)
1.14 目的NAT (6)
1.15 查看HA状态 (7)
1.16 主备切换 (7)
1.17 常用维护命令 (9)
1.18 3、debug (18)
1.19 故障需收集的基本信息 (18)
注意:配置命令都在“#”模式下进行,通过用户名和密码登陆设备时在“>”模式下,需要配置“config 回车”,进入“#”模式
注意:红部分是可以修改的,其他部分都是使用?可以看到,使用tab键可以补全的
基础配置
1.1 配置管理用户
配置比如配置lab用户
set system login user lab class super-user
set system login user lab authentication plain-text-password
###回车后需要两次输入密码
1.2 配置系统管理服务
配置ssh、telnet、http、https登陆设备
set system services ssh
set system services telnet
set system services web-management http interface ge-0/0/0.0(可以进行的管理接口)set system services web-management http interface all
set system services web-management https system-generated-certificate
set system services web-management https interface all
1.3 配置接口地址
reth接口是防火墙HA后的冗余接口,这个接口包含配置在主设备和备设备的两条链路set interfaces ge-0/0/0 unit 0 family inet address 10.1.10.1/24
set interfaces reth5 unit 0 family inet address 1.1.70.5/24
1.4 配置冗余接口
把主设备的g-0/0/6接口,备设备的ge-9/0/6接口(物理接口位置与主设备相同)捆绑到冗余接口reth5中
set interface ge-0/0/6 gigether-options redundant-parent reth5
set interface ge-9/0/6 gigether-options redundant-parent reth5
set interface reth5 redundant-ether-options redundancy-group 1
1.5 配置zone或接口是否可以管理防火墙设备
A、配置zone trust,并且可以管理防火墙,分配接口ge-0/0/0.0接口到trust区域
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/0.0
B、配置zone untrust可以管理防火墙,但其中的ge-0/0/8.0只能用telnet和http管理,
其他的不允许:
set security zones security-zone untrust interfaces ge-0/0/8.0 host-inbound-traffic
system-services https
set security zones security-zone untrust interfaces ge-0/0/8.0 host-inbound-traffic
system-services ssh
路由配置
1.6 增加路由
A、配置静态路由,目标地址段是61.189.2.0/24 下一跳地址2.1.1.1
set routing-options static route 61.189.2.0/24 next-hop 2.1.1.1
B、缺省路由下一跳地址是2.1.1.1
set routing-options static route 0.0.0.0/0 next-hop 2.1.1.1
C、OSPF路由,ge-0/0/3.0接口在area 0中
set protocols ospf area 0 interface ge-0/0/3.0
1.7 删除路由
A、删除静态路由
delete routing-options static route 61.189.2.0/24 next-hop 2.1.1.1
B、删除缺省路由
delete routing-options static route 0.0.0.0/0 next-hop 2.1.1.1
C、删除OSPF路由
delete protocols ospf area 0 interface ge-0/0/3.0
1.8 修改路由
修改61.189.2.0/24的下一跳为3.1.1.1
delete routing-options static route 61.189.2.0/24 next-hop 2.1.1.1
set routing-options static route 61.189.2.0/24 next-hop 3.1.1.1
策略配置
A、从trust区域到untrust区域全部允许
set security policies from-zone trust to-zone untrust policy trust2un match source-address any
set security policies from-zone trust to-zone untrust policy trust2un match
destination-address any
set security policies from-zone trust to-zone untrust policy trust2un match application any set security policies from-zone trust to-zone untrust policy trust2un then permit
B、从trust访问untrust的部分网段192.168.1.0/24的http,ftp服务
定义untrust区域地址池,地址池名字192.168.1.0/24,地址192.168.1.0/24
set security zones security-zone untrust address-book address 192.168.1.0/24
192.168.1.0/24
set security policies from-zone trust to-zone untrust policy trust2un match source-address any
set security policies from-zone trust to-zone untrust policy trust2un match
destination-address 192.168.1.0/24
set security policies from-zone trust to-zone untrust policy trust2un match application junos-http
set security policies from-zone trust to-zone untrust policy trust2un match application junos-ftp
set security policies from-zone trust to-zone untrust policy trust2un then permit
C、从trust访问untrust的部分网段192.168.1.0/24的自定义服务TCP 3389端口
定义untrust区域地址池,地址池名字192.168.1.0/24,地址192.168.1.0/24
set security zones security-zone untrust address-book address 192.168.1.0/24
192.168.1.0/24
定义tcp 3389服务,定义服务名称TCP3389
set applications application TCP3389 protocol tcp destination-port 3389
set security policies from-zone trust to-zone untrust policy trust2un match source-address any
set security policies from-zone trust to-zone untrust policy trust2un match
destination-address 192.168.1.0/24
set security policies from-zone trust to-zone untrust policy trust2un match application TCP3389
set security policies from-zone trust to-zone untrust policy trust2un then permit
delete security policies from-zone trust to-zone untrust policy trust2un
1.11 修改策略
A、增加目的地址
set security zones security-zone untrust address-book address 192.168.2.0/24
192.168.2.0/24
delete inset security policies from-zone trust to-zone untrust policy trust2un match destination-address 192.168.2.0/24
B、增加443端口应用
set applications application TCP443 protocol tcp destination-port 443
set security policies from-zone trust to-zone untrust policy trust2un match application TCP443
C、去掉443端口应用
delete security policies from-zone trust to-zone untrust policy trust2un match application TCP443
NAT部分
1.12 静态NAT
外网untrust区域2.1.1.11与内网的trust区域192.168.20.1做静态NAT。
设置内部trust地址192.168.20.1/32
set security zones security-zone trust address-book address 192.168.20.1/32
192.168.20.1/32
配置静态nat从untrust到trust区域
set security nat static rule-set untrust-to-trust-static-nat from zone untrust
set security nat static rule-set untrust-to-trust-static-nat rule untrust2trust match
destination-address 2.1.1.11/32
set security nat static rule-set untrust-to-trust-static-nat rule untrust2trust then static-nat prefix 192.168.20.1/32
策略配置untrust区域到trust区域策略,允许目的地址192.168.20.1/32
set security policies from-zone untrust to-zone trust policy untrst2truststaticnat match source-address any
set security policies from-zone untrust to-zone trust policy untrst2truststaticnat match
版权声明:本站内容均来自互联网,仅供演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系QQ:729038198,我们将在24小时内删除。
发表评论