雅那安

拥有正确的价值观,实现自己的人生价值:所作所为有益于人类社会发展。
  博客园  :: 首页  :: 新随笔  :: 联系 :: 订阅 订阅  :: 管理
Juniper srx新增接口IP,使PC直连srx(转)

转自:https://www.jianshu.com/p/bc27134bde3d

Juniper srx新增接口IP,使PC直连srx

2018.11.19 14:24:15字数 424

概述

需求为PC直连srx防火墙,配置互联IP,并允许PC访问untrust区域,能够访问互联网
本例中防火墙新增地址 10.1.1.1/30
PC配置IP:10.1.1.2/30 gateway:10.1.1.1

说明

用户视图:root@srx>
配置视图:root@srx#
配置视图:root@srx# run show config run 表示在用户视图下执行命令
root@srx# show #查看当前的配置,注意这里是已配置上的,但不一定生效
root@srx# run show config #查看当前已生效的配置
root@srx> show config #查看当前已生效的配置

配置步骤

  1. 检查现有的端口IP
    root@srx> show interfaces terse
    找一个不冲突的IP
  2. 查看路由表
    找到IP后,再查看路由表是否有去到这个网段的路由,没有则为正常,如果有就不应使用这个地址
    root@srx> show route
  3. 配置接口IP和区域
    set interfaces ge-0/0/2 unit 0 family inet address 10.1.1.1/30
    set security zones security-zone trust interfaces ge-0/0/2 #为方便配置,将该接口添加进已有的区域,本例为trust区域
  4. 验证是否配置源NAT
root@srx# run show security nat source summary  #查看现有的源NAT策略
Total port number usage for port translation pool: 0
Maximum port number for port translation pool: 67108864
Total pools: 0

Total rules: 7
Rule name          Rule set       From              To                   Action
1                  trust-to-untrust trust           untrust              interface

root@srx# run show security nat source rule 1 
 
source NAT rule: 1                    Rule-set: trust-to-untrust 
  Rule-Id                    : 1  
  Rule position              : 1
  From zone                  : trust
  To zone                    : untrust
  Match
    Source addresses         : 0.0.0.0         - 255.255.255.255  #源地址已匹配any
    Destination addresses    : 0.0.0.0         - 255.255.255.255
    Destination port         : 0               - 0
  Action                        : interface 
    Persistent NAT type         : N/A              
    Persistent NAT mapping type : address-port-mapping 
    Inactivity timeout          : 0
    Max session number          : 0 
  Translation hits           : 111
  1. 验证安全策略是否放行trust->untrust
root@srx# run show security policies from-zone trust to-zone untrust    
From zone: trust, To zone: untrust
  Policy: ABC, State: enabled, Index: 18, Scope Policy: 0, Sequence number: 1
    Source addresses: OFFICE_Set  #仅放行了OFFICE_Set 这个address book的地址段
    Destination addresses: any
    Applications: any
    Action: permit
  Policy: 1, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: deny

需要新增address-book
root@srx# set security zones security-zone trust address-book address test_add 10.1.1.2
新增策略

set security policies from-zone trust to-zone untrust policy 2 match source-address test_add
set security policies from-zone trust to-zone untrust policy 2 match destination-address any
set security policies from-zone trust to-zone untrust policy 2 match application any
set security policies from-zone trust to-zone untrust policy 2 then permit

查看策略的配置顺序

root@srx# show security policies from-zone trust to-zone untrust | display set
set security policies from-zone trust to-zone untrust policy 1 match source-address any
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then deny
set security policies from-zone trust to-zone untrust policy 2 match source-address test_add
set security policies from-zone trust to-zone untrust policy 2 match destination-address any
set security policies from-zone trust to-zone untrust policy 2 match application any
set security policies from-zone trust to-zone untrust policy 2 then permit

如上所示,可以看到新增的policy2在下边,这样会先匹配到policy 1,被deny掉
所以需要改变策略的顺序,用如下命令
insert security policies from-zone trust to-zone untrust policy 2 before policy 1

    1. 提交配置
      root@srx# commit
posted on 2019-10-20 18:35  雅那安  阅读(702)  评论(0编辑  收藏  举报