Juniper SRX: using virtual routers for multi-link redundancy and dual-ISP access (case study)
- Format: docx
- Size: 82.22 KB
- Pages: 30
Juniper firewall multi-route sharing scheme

Problem statement

In day-to-day enterprise network maintenance, failures of the Internet-facing interface are common; they interrupt services such as e-mail and seriously disrupt users' work. The remedy is to connect to several ISPs: when one interface fails, the other interfaces keep user services running.

Solutions

1. The first way to use these interfaces on the firewall is a preferred-route / secondary-route scheme: the secondary route is used only when the preferred route fails. Sample routing table:

    ID IP-Prefix Interface Gateway   P Pref Mtr Vsys
    * 8 0.0.0.0/0 ethernet3 1.1.1.250 C 0    1   Root
      9 0.0.0.0/0 ethernet2 2.2.2.250 S 20   1   Root

The drawback of this scheme is that the bandwidth bought from several ISPs cannot be fully used: the secondary route carries traffic only after the preferred route has failed.

2. Use equal-cost multipath routing (ECMP): under normal conditions both routes share the outbound load, making full use of the available bandwidth.

Points to note when configuring ECMP on Juniper NetScreen:
- supported from ScreenOS 5.1 onward;
- the two routes must have the same preference and metric, and their egress interfaces must be in the same security zone;
- both routes to the same destination must be active in the routing table (marked with *);
- the ECMP feature must be enabled.

Sample routing table:

    ID IP-Prefix Interface Gateway   P Pref Mtr Vsys
    * 8 0.0.0.0/0 ethernet3 1.1.1.250 C 0    1   Root
    * 9 0.0.0.0/0 ethernet2 2.2.2.250 S 0    1   Root

Implementation:
- enable equal-cost multipath routing;
- set the preference of the static route to 0 (the same preference as the connected route);
- configure the static routes so that the two shared routes have the same metric:

    set route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.250 metric 1
    set route 0.0.0.0/0 interface ethernet4 gateway 2.2.2.250 metric 1
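As an added example (not code from this page or from Juniper), the Python below parses a ScreenOS routing-table listing of the form shown above and reports which of the four ECMP conditions are not met for a given prefix. The two tables are constructed from the ones above; the interface-to-zone mapping INTERFACE_ZONE is an assumption, since the page does not show the zone bindings.

```python
"""ECMP eligibility check over a ScreenOS 'get route' style table.

Added example, not code from the page or from Juniper. The two tables are
constructed from the listings above; INTERFACE_ZONE is an assumed zone binding.
"""
import re

ROUTE_TABLE_BEFORE = """\
ID  IP-Prefix  Interface  Gateway    P  Pref  Mtr  Vsys
* 8 0.0.0.0/0  ethernet3  1.1.1.250  C  0     1    Root
  9 0.0.0.0/0  ethernet2  2.2.2.250  S  20    1    Root
"""

ROUTE_TABLE_AFTER = """\
ID  IP-Prefix  Interface  Gateway    P  Pref  Mtr  Vsys
* 8 0.0.0.0/0  ethernet3  1.1.1.250  C  0     1    Root
* 9 0.0.0.0/0  ethernet2  2.2.2.250  S  0     1    Root
"""

# assumed zone binding of the egress interfaces (not shown on the page)
INTERFACE_ZONE = {"ethernet2": "Untrust", "ethernet3": "Untrust"}

# one table row: optional '*' (active), id, prefix, interface, gateway, protocol, pref, metric, vsys
ROW = re.compile(r"^(?P<active>\*?)\s*(?P<id>\d+)\s+(?P<prefix>\S+)\s+(?P<iface>\S+)\s+"
                 r"(?P<gw>\S+)\s+(?P<proto>\S)\s+(?P<pref>\d+)\s+(?P<mtr>\d+)\s+(?P<vsys>\S+)\s*$")


def parse_routes(text):
    """Parse table rows into dicts; the header line does not match ROW and is skipped."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            d = m.groupdict()
            d["active"] = d["active"] == "*"
            d["pref"], d["mtr"] = int(d["pref"]), int(d["mtr"])
            routes.append(d)
    return routes


def ecmp_problems(routes, prefix, ecmp_enabled=True):
    """Reasons why the routes for `prefix` cannot load-share; empty means ECMP applies.

    The conditions are the four from the text: ECMP enabled, all candidate
    routes active, equal preference and metric, egress interfaces in one zone."""
    cands = [r for r in routes if r["prefix"] == prefix]
    problems = []
    if not ecmp_enabled:
        problems.append("ECMP is not enabled")
    if len(cands) < 2:
        problems.append(f"fewer than two routes for {prefix}")
        return problems
    inactive = [r["id"] for r in cands if not r["active"]]
    if inactive:
        problems.append("inactive route(s): " + ", ".join(inactive))
    if len({r["pref"] for r in cands}) > 1:
        problems.append("preference values differ: " + ", ".join(str(r["pref"]) for r in cands))
    if len({r["mtr"] for r in cands}) > 1:
        problems.append("metrics differ")
    zones = {INTERFACE_ZONE.get(r["iface"], "?") for r in cands}
    if len(zones) > 1:
        problems.append("egress interfaces are in different zones: " + ", ".join(sorted(zones)))
    return problems


if __name__ == "__main__":
    print(ecmp_problems(parse_routes(ROUTE_TABLE_BEFORE), "0.0.0.0/0"))
    print(ecmp_problems(parse_routes(ROUTE_TABLE_AFTER), "0.0.0.0/0"))
```

On the first table the check reports the inactive secondary route and the preference mismatch (0 versus 20); on the second, with both routes active at preference 0 and metric 1, it reports nothing, which is the state the text requires before ECMP can share the load.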
Single Juniper SSG with dual-ISP access (redundancy)

Luckily the company has two ISP links and a small Juniper SSG 5 (the two SSG 550s are in production and cannot be used for experiments), so I used it for a dual-ISP access experiment. The SSG 5 runs ScreenOS 6.3.0r17. The Juniper box acts as DHCP server and assigns addresses to the clients; the Untrust interface addresses are masked below.

CLI:

    set interface ethernet0/0 ip 222.xxx.xxx.50/28
    set interface ethernet0/0 route
    set interface ethernet0/1 ip 122.xxx.xxx.162/29
    set interface ethernet0/1 route
    set interface ethernet0/6 ip 10.255.255.250/24
    set interface ethernet0/6 nat
    set dns host dns1 61.177.7.1 src-interface ethernet0/0
    set dns host dns2 221.6.4.66 src-interface ethernet0/1
    set route 0.0.0.0/0 interface ethernet0/0 gateway 222.xxx.xxx.49
    (preferred default route via China Telecom)
    set route 0.0.0.0/0 interface ethernet0/1 gateway 122.xxx.xxx.161 preference 30
    (backup default route via China Unicom; it takes over when the Telecom uplink fails)
    (there is no Layer 3 switch in this environment: the PCs connect directly to the firewall's Trust port, so no return route is needed)
    set address "Trust" "10.255.255.0" 10.255.255.0 255.255.255.0
    (address-book entry for the Trust zone)
    set policy id 2 name "Permit Access" from "Trust" to "Untrust" "10.255.255.0" "Any" "ANY" permit log
    (policy permitting the internal subnet 10.255.255.0/24 to reach the Internet)

WebUI: Network > Interface > List: configure the two Untrust interfaces and the Trust interface (the Trust interface must be in NAT mode). Routes are set under Network > Routing > Destination; after the default Telecom route is added the table looks as follows: [screenshot omitted]. The policy looks as follows: [screenshot omitted]. With these basic settings done, configure Monitor so that when the primary Telecom line fails, routing switches to the backup Unicom line within the configured time.
Overview

A Juniper firewall pair (HA) offers high redundancy and security and is easy to manage. There are three topologies: Layer 3 Active/Passive; Layer 3 full-mesh Active/Passive; Layer 3 full-mesh Active/Active. Layer 3 A/P has the lowest environmental requirements and is the most widely used configuration in the industry, but its utilisation is low: only one firewall processes traffic at any time, while the other provides failover when a link or device on one side fails.

Requirements: identical hardware and software versions, identical interface numbering, and the same interfaces placed in the HA zone on both units. Only the backup unit needs to be wiped for configuration; then set HA, the manager IP, the MGT port IP and any unit-specific settings. The two firewalls are connected through port e4.

Configure the primary firewall:

    unset interface e4 ip                                  // clear the IP address on e4
    set interface e4 zone ha                               // bind e4 to the HA zone
    // ----- NSRP configuration -----
    set nsrp cluster id 1                                  // cluster ID
    set nsrp vsd id 0                                      // virtual security device (VSD) group 0
    set nsrp vsd-group id 0 priority 50                    // priority of the primary (the larger the number, the lower the priority)
    set nsrp rto syn                                       // synchronise run-time objects and configuration
    set nsrp vsd-group id 0 monitor interface ethernet3
    set nsrp vsd-group id 0 monitor interface ethernet1    // interfaces monitored by the firewall
    // the primary only sees the backup's state (get nsrp) once the backup has been configured
    set nsrp vsd-group hb-interval 200                     // send a heartbeat every 200 ms (hb-interval is in milliseconds)
    set nsrp vsd-group hb-threshold 3                      // the peer is considered down after 3 consecutive missed heartbeats
    save                                                   // save the configuration

Configure the backup firewall:

    unset all                                              // restore factory defaults
    set interface e4 zone ha                               // bind e4 to the HA zone
    set nsrp cluster id 1                                  // cluster ID
    set nsrp vsd id 0                                      // VSD group ID
    set nsrp vsd-group id 0 priority 100                   // priority of the backup (the larger the number, the lower the priority)
    set nsrp rto syn                                       // synchronise run-time objects and configuration
    set nsrp vsd-group id 0 monitor interface ethernet3
    set nsrp vsd-group id 0 monitor interface ethernet1    // interfaces monitored by the firewall
    set nsrp vsd-group hb-interval 200                     // send a heartbeat every 200 ms
    set nsrp vsd-group hb-threshold 3                      // the peer is considered down after 3 consecutive missed heartbeats
    save                                                   // save the configuration

Synchronise the configuration (run on the backup):

    exec nsrp sync global-config check-sum   // compare the configurations of the two devices
    exec nsrp sync global-config save        // if they differ, the backup imports the primary's configuration and applies it after a reboot
Juniper NetScreen 204 firewall: Untrust interface failover
Author: Ma Gang (马钢) blog; version 2009021101

Requirement: the NetScreen 204 has two public interfaces; when the primary link fails (for example an ISP outage), traffic must be moved to the backup interface.

Solution

Figure 1: network topology [figure omitted]. As shown in Figure 1, the primary interface ethernet2 tracks reachability of the ISP gateway; if the gateway becomes unreachable, ethernet2 is marked down and ethernet3 automatically becomes the default egress.

Place ethernet2 and ethernet3 in the Untrust zone:

    set interface ethernet2 zone Untrust
    set interface ethernet3 zone Untrust

Make the default route via ethernet2 the preferred one:

    set route 0.0.0.0/0 interface ethernet2 gateway 2.2.2.254 preference 20
    set route 0.0.0.0/0 interface ethernet3 gateway 3.3.3.254 preference 25

Configure track-ip:

    set interface ethernet2 monitor track-ip
    set interface ethernet2 monitor track-ip ip 2.2.2.254
    set interface ethernet2 monitor track-ip ip 2.2.2.254 interval 1
    set interface ethernet2 monitor track-ip ip 2.2.2.254 threshold 2
    set interface ethernet2 monitor track-ip ip 2.2.2.254 weight 10
    set interface ethernet2 monitor track-ip threshold 8
    set interface ethernet2 monitor track-ip weight 12
    set interface ethernet2 monitor threshold 5
    unset interface ethernet3 monitor track-ip dynamic

After these settings the firewall performs IP tracking on ethernet2.
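The Python model below is an added example, not code from Ma Gang's post or from Juniper. It reproduces the track-ip decision with the values configured on ethernet2 above (per-IP threshold 2 and weight 10, track-ip threshold 8 and weight 12, interface monitor threshold 5); the probe histories are constructed, and the rule that a tracked IP counts as failed after `threshold` consecutive timeouts is my reading of the ScreenOS monitor behaviour.

```python
"""Model of the ScreenOS interface-monitor / track-ip decision.

Added example, not code from the original post or from Juniper. Threshold and
weight values are those configured on ethernet2 above; probe histories are
constructed. Assumed rule: a tracked IP counts as failed once `threshold`
consecutive probes have timed out.
"""
from dataclasses import dataclass, field


@dataclass
class TrackedIP:
    ip: str
    threshold: int          # consecutive timeouts before this IP counts as failed
    weight: int             # weight contributed to the track-ip total when failed
    history: list = field(default_factory=list)   # True = reply, False = timeout

    def failed(self) -> bool:
        run = 0
        for ok in reversed(self.history):   # count the trailing run of timeouts
            if ok:
                break
            run += 1
        return run >= self.threshold


@dataclass
class InterfaceMonitor:
    name: str
    tracked: list                   # TrackedIP objects
    trackip_threshold: int          # set interface X monitor track-ip threshold N
    trackip_weight: int             # set interface X monitor track-ip weight N
    monitor_threshold: int          # set interface X monitor threshold N
    other_failed_weight: int = 0    # weight of other failed monitored objects (zones, interfaces)

    def trackip_failed(self) -> bool:
        """The track-ip object fails when the failed IPs' weights reach its threshold."""
        return sum(t.weight for t in self.tracked if t.failed()) >= self.trackip_threshold

    def interface_down(self) -> bool:
        """The interface is marked down when failed objects' weights reach the monitor threshold."""
        total = self.other_failed_weight + (self.trackip_weight if self.trackip_failed() else 0)
        return total >= self.monitor_threshold


def ethernet2_monitor(history, trackip_weight=12):
    """ethernet2 as configured above: gateway 2.2.2.254 with threshold 2 and weight 10,
    track-ip threshold 8 and weight 12, interface monitor threshold 5."""
    gateway = TrackedIP("2.2.2.254", threshold=2, weight=10, history=list(history))
    return InterfaceMonitor("ethernet2", [gateway], trackip_threshold=8,
                            trackip_weight=trackip_weight, monitor_threshold=5)


def evaluate(history, trackip_weight=12):
    """(ip failed, track-ip failed, interface down) for a constructed probe history."""
    mon = ethernet2_monitor(history, trackip_weight)
    return mon.tracked[0].failed(), mon.trackip_failed(), mon.interface_down()


if __name__ == "__main__":
    for hist in ([True, True, False], [True, False, False], [False, False, True]):
        print(hist, "->", evaluate(hist))
```

With these numbers a single gateway failure takes the interface down: weight 10 reaches the track-ip threshold 8, and the track-ip weight 12 reaches the monitor threshold 5. The last assertion in the test shows the caveat worth checking when tuning: if the track-ip weight were below the monitor threshold, ethernet2 would never fail over even with the gateway unreachable, so each weight has to clear the next threshold up. Tracking only the ISP gateway also means the interface flips whenever that gateway rate-limits ICMP; tracking a second address beyond the gateway makes the decision more robust.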
Juniper SRX firewall concise configuration manual

The SRX series are Juniper's security products based on the JUNOS operating system; JUNOS integrates routing, switching, security and a rich set of network services. Juniper's entire range of routers, switches and SRX security products now runs JUNOS built from a single source tree; JUNOS was the first network operating system to separate forwarding from control and to adopt a modular software architecture. The carrier-grade essence of JUNOS is the foundation of Juniper's success: it gives enterprise products the same non-stop operation, stronger security and better manageability as carrier products, and its distributed architecture underpins high-performance, highly available and scalable networks. Built on a network-processor (NP) architecture, the SRX series provides a full set of high-performance security functions (firewall, NAT, IPsec, IPS, SSL VPN and UTM), largely derived from the proven ScreenOS operating system.

This document provides reference SRX configurations for engineers familiar with ScreenOS on NetScreen firewalls, so that they can deploy and maintain SRX firewalls quickly. It introduces JUNOS, explains SRX configuration by reference to ScreenOS, and finally summarises routine SRX operation and maintenance.

1. Introduction to JUNOS

1.1 Hierarchical configuration structure

JUNOS is a modular operating system based on the FreeBSD kernel. It can be configured through the CLI or the web UI; this document covers the CLI. The JUNOS CLI uses a hierarchical configuration structure with two modes, operational and configuration. In operational mode you can view the current configuration, device status, routing and session tables, and perform maintenance operations; the configure (or edit) command enters configuration mode, where every module is configured and any operational-mode command can still be run with the run prefix. In configuration mode the hierarchy is organised into levels (figure omitted): edit enters the next level (like cd on Unix), exit returns to the previous level, and top returns to the root level.

Contents
- 1. Introduction to JUNOS
  - 1.1 Hierarchical configuration structure
  - 1.2 JUNOS configuration management
  - 1.3 Main SRX configuration items
- 2. SRX firewall configuration
  - 2.1 Initial installation: 2.1.1 Logging in; 2.1.2 Setting the root password; 2.1.3 JSRP initial configuration; 2.1.4 Creating remote management users; 2.1.5 Remote management settings; 2.1.6 Zones and interfaces
  - 2.2 Policy
  - 2.3 NAT: 2.3.1 Interface-based NAT; 2.3.2 Pool-based source NAT; 2.3.3 Pool-based destination NAT; 2.3.4 Pool-based static NAT
  - 2.4 IPsec VPN
  - 2.5 Applications and ALG
- 3. Routine SRX operation and maintenance
  - 3.1 Shutting down a standalone device; 3.2 Rebooting a standalone device; 3.3 Upgrading a standalone device; 3.4 Shutting down the primary and backup SRX in a cluster; 3.5 Rebooting the primary and backup in a cluster; 3.6 Upgrading a cluster; 3.7 Forwarding-plane failover and fallback; 3.8 Control-plane failover and fallback; 3.9 Replacing the backup SRX; 3.10 Replacing the primary SRX; 3.11 Replacing a power supply in a cluster; 3.12 Replacing a faulty card in a cluster; 3.13 Configuration backup and restore; 3.14 Changing passwords; 3.15 Cleaning up disk files; 3.16 Password recovery; 3.17 Common monitoring and maintenance commands
- 4. SRX firewall overview
Topology: [diagram omitted]

Requirement: hosts PC1 and PC2 reach HTTP services through ge-0/0/0 (wan1) and telnet services through ge-0/0/1 (wan2); all other traffic goes through ge-0/0/0 (wan1).

Configuration:

Step 1: create the routing instances.

    set routing-instances wan1 instance-type forwarding
    set routing-instances wan1 routing-options static route 0.0.0.0/0 next-hop 202.100.1.1
    set routing-instances wan2 instance-type forwarding
    set routing-instances wan2 routing-options static route 0.0.0.0/0 next-hop 202.100.2.1

wan1: name of the routing instance; forwarding: type of the routing instance. Note: each routing instance can be thought of as a separate forwarding table.

Step 2: configure the rib-group.

    set routing-options rib-groups routing_table_group import-rib inet.0
    set routing-options rib-groups routing_table_group import-rib wan1.inet.0
    set routing-options rib-groups routing_table_group import-rib wan2.inet.0

routing_table_group: name of the rib-group. wan1.inet.0: the routing table of instance wan1 is automatically named wan1.inet.0.

Note: "As the two ISPs are part of inet.0, the rib-group configuration is required to import the directly connected routes of the ISP into the routing-instance." (from Juniper's documentation) In other words, the directly connected routes must be imported into the routing instances.
Juniper SRX: using virtual routers for multi-link redundancy and dual-ISP access (case study)

Contents
- Reading notes
- Test topology
- 1. Virtual routers (return traffic via the ingress link): requirement, configuration, verification, configuration explained
- 2. Virtual routers (multi-link load sharing and redundancy): requirement, configuration, verification, configuration explained
- 3. Virtual routers (dual-ISP access): requirement, configuration, verification, notes

Reading notes

Test environment: SRX 220H. Interface addresses in the topology:
- G-0/0/3: 192.168.3.1/24
- G-0/0/4: 192.168.4.1/24
- G-0/0/5: 192.168.5.1/24
- G-0/0/6: 10.10.30.189/24
- F0/1: 192.168.4.2/24
- F0/2: 192.168.5.2/24
- F0/3: 192.168.100.1/24 (simulates the remote Internet)

Test topology: [diagram omitted]

1. Virtual routers (return traffic via the ingress link)

Requirement: external users connect to port 3389 on the firewall's external interfaces; the connection is destination-NATed to the internal server 192.168.3.5:3389, and the return traffic must leave through the link it arrived on. Permit all external users to reach port 3389 on host 192.168.3.5 (dual-ISP access).

Configuration and explanation:

    // create virtual router Tel, add the logical interface to it, attach its interface routes to rib-group Big-rib and give it a default route
    set routing-instances Tel instance-type virtual-router
    set routing-instances Tel interface ge-0/0/4.0
    set routing-instances Tel routing-options interface-routes rib-group inet Big-rib
    set routing-instances Tel routing-options static route 0.0.0.0/0 next-hop 192.168.4.2
    // the same for routing table CNC
    set routing-instances CNC instance-type virtual-router
    set routing-instances CNC interface ge-0/0/5.0
    set routing-instances CNC routing-options interface-routes rib-group inet Big-rib
    set routing-instances CNC routing-options static route 0.0.0.0/0 next-hop 192.168.5.2
    // addresses of the logical interfaces
    set interfaces ge-0/0/3 unit 0 family inet address 192.168.3.1/24
    set interfaces ge-0/0/4 unit 0 family inet address 192.168.4.1/24
    set interfaces ge-0/0/5 unit 0 family inet address 192.168.5.1/24
    set interfaces ge-0/0/6 unit 0 family inet address 10.10.30.189/24
    // attach the global table's interface routes to rib-group Big-rib
    set routing-options interface-routes rib-group inet Big-rib
    // routes of the global routing table (inet.0)
    set routing-options static route 10.0.0.0/8 next-hop 10.10.30.1
    set routing-options static route 0.0.0.0/0 next-hop 192.168.4.2
    // install the default route into the forwarding table
    set routing-options static route 0.0.0.0/0 install
    set routing-options static route 0.0.0.0/0 no-readvertise
    // share the direct routes of the three tables through the rib-group
    set routing-options rib-groups Big-rib import-rib inet.0
    set routing-options rib-groups Big-rib import-rib CNC.inet.0
    set routing-options rib-groups Big-rib import-rib Tel.inet.0
    // address of the internal server after destination NAT
    set security nat destination pool 111 address 192.168.3.5/32
    // destination NAT for zone Tel-trust
    set security nat destination rule-set 1 from zone Tel-trust
    set security nat destination rule-set 1 rule 111 match source-address 0.0.0.0/0
    set security nat destination rule-set 1 rule 111 match destination-address 192.168.4.1/32
    set security nat destination rule-set 1 rule 111 match destination-port 3389
    set security nat destination rule-set 1 rule 111 then destination-nat pool 111
    // destination NAT for zone CNC-trust
    set security nat destination rule-set 2 from zone CNC-trust
    set security nat destination rule-set 2 rule 222 match source-address 0.0.0.0/0
    set security nat destination rule-set 2 rule 222 match destination-address 192.168.5.1/32
    set security nat destination rule-set 2 rule 222 match destination-port 3389
    set security nat destination rule-set 2 rule 222 then destination-nat pool 111
    // custom application and address-book entry
    set applications application tcp_3389 protocol tcp
    set applications application tcp_3389 destination-port 3389
    set security zones security-zone trust address-book address H_192.168.3.5 192.168.3.5/32
    // policy from Tel-trust to trust
    set security policies from-zone Tel-trust to-zone trust policy default-permit match source-address any
    set security policies from-zone Tel-trust to-zone trust policy default-permit match destination-address H_192.168.3.5
    set security policies from-zone Tel-trust to-zone trust policy default-permit match application tcp_3389
    set security policies from-zone Tel-trust to-zone trust policy default-permit then permit
    // policy from CNC-trust to trust
    set security policies from-zone CNC-trust to-zone trust policy default-permit match source-address any
    set security policies from-zone CNC-trust to-zone trust policy default-permit match destination-address H_192.168.3.5
    set security policies from-zone CNC-trust to-zone trust policy default-permit match application tcp_3389
    set security policies from-zone CNC-trust to-zone trust policy default-permit then permit
    // bind the logical interfaces to zones and allow all protocols and services towards the firewall's own interfaces
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces ge-0/0/3.0
    set security zones security-zone Tel-trust host-inbound-traffic system-services all
    set security zones security-zone Tel-trust host-inbound-traffic protocols all
    set security zones security-zone Tel-trust interfaces ge-0/0/4.0
    set security zones security-zone CNC-trust host-inbound-traffic system-services all
    set security zones security-zone CNC-trust host-inbound-traffic protocols all
    set security zones security-zone CNC-trust interfaces ge-0/0/5.0
    set security zones security-zone MGT host-inbound-traffic system-services all
    set security zones security-zone MGT host-inbound-traffic protocols all
    set security zones security-zone MGT interfaces ge-0/0/6.0

Verification: a session entering through ge-0/0/5.0 (CNC) and one entering through ge-0/0/4.0 (Tel) are both translated to 192.168.3.5:3389 and answered through ge-0/0/3.0.

    root@SRX-Ipsec-A> show security flow session
    Session ID: 9696, Policy name: default-permit/5, Timeout: 1794, Valid
    In: 192.168.100.211/57408 --> 192.168.5.1/3389;tcp, If: ge-0/0/5.0, Pkts: 2, Bytes: 112
    Out: 192.168.3.5/3389 --> 192.168.100.211/57408;tcp, If: ge-0/0/3.0, Pkts: 1, Bytes: 60

    root@SRX-Ipsec-A> show security flow session
    Session ID: 9697, Policy name: default-permit/4, Timeout: 1796, Valid
    In: 192.168.100.211/57409 --> 192.168.4.1/3389;tcp, If: ge-0/0/4.0, Pkts: 2, Bytes: 112
    Out: 192.168.3.5/3389 --> 192.168.100.211/57409;tcp, If: ge-0/0/3.0, Pkts: 1, Bytes: 60

2. Virtual routers (multi-link load sharing and redundancy)

Requirement: internal users' traffic to ports 22, 3389 and 8080 goes via Telecom (Tel); all other traffic goes via CNC. All traffic from the internal network to the Internet is source-NATed to the address of the corresponding external interface. Provide load sharing with redundancy. Permit all services (dual-ISP access).

Configuration and explanation:

    // Tel routing table; dual-WAN redundancy is achieved through route preference: the lower the value, the more preferred the route
    set routing-instances Tel instance-type virtual-router
    set routing-instances Tel interface ge-0/0/4.0
    set routing-instances Tel routing-options interface-routes rib-group inet Big-rib
    set routing-instances Tel routing-options static route 0.0.0.0/0 next-hop 192.168.4.2
    set routing-instances Tel routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.5.2 preference 100
    // CNC routing table
    set routing-instances CNC instance-type virtual-router
    set routing-instances CNC interface ge-0/0/5.0
    set routing-instances CNC routing-options interface-routes rib-group inet Big-rib
    set routing-instances CNC routing-options static route 0.0.0.0/0 next-hop 192.168.5.2
    set routing-instances CNC routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.4.2 preference 100
    // addresses of the logical interfaces
    set interfaces ge-0/0/3 unit 0 family inet address 192.168.3.1/24
    set interfaces ge-0/0/4 unit 0 family inet address 192.168.4.1/24
    set interfaces ge-0/0/5 unit 0 family inet address 192.168.5.1/24
    set interfaces ge-0/0/6 unit 0 family inet address 10.10.30.189/24
    // attach the global table's interface routes to rib-group Big-rib
    set routing-options interface-routes rib-group inet Big-rib
    // global routing table; dual-WAN redundancy through the two preferences
    set routing-options static route 10.0.0.0/8 next-hop 10.10.30.1
    set routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.5.2 preference 100
    set routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.4.2 preference 10
    // install the default route into the forwarding table
    set routing-options static route 0.0.0.0/0 install
    set routing-options static route 0.0.0.0/0 no-readvertise
    // share the direct routes of the three tables through the rib-group
    set routing-options rib-groups Big-rib import-rib inet.0
    set routing-options rib-groups Big-rib import-rib CNC.inet.0
    set routing-options rib-groups Big-rib import-rib Tel.inet.0
    // interface-based source NAT towards zone Tel-trust
    set security nat source rule-set Soure-NAT-Policy from zone trust
    set security nat source rule-set Soure-NAT-Policy to zone Tel-trust
    set security nat source rule-set Soure-NAT-Policy rule Source-nat-1 match source-address 192.168.3.0/24
    set security nat source rule-set Soure-NAT-Policy rule Source-nat-1 match destination-address 0.0.0.0/0
    set security nat source rule-set Soure-NAT-Policy rule Source-nat-1 then source-nat interface
    // address-book entry
    set security zones security-zone trust address-book address Net_192.168.3.0 192.168.3.0/24
    // policy per the requirement, with session logging
    set security policies from-zone trust to-zone Tel-trust policy 1 match source-address Net_192.168.3.0
    set security policies from-zone trust to-zone Tel-trust policy 1 match destination-address any
    set security policies from-zone trust to-zone Tel-trust policy 1 match application any
    set security policies from-zone trust to-zone Tel-trust policy 1 then permit
    set security policies from-zone trust to-zone Tel-trust policy 1 then log session-init
    set security policies from-zone trust to-zone Tel-trust policy 1 then log session-close
    // interface-based source NAT towards zone CNC-trust
    set security nat source rule-set Soure-NAT-Policy-2 from zone trust
    set security nat source rule-set Soure-NAT-Policy-2 to zone CNC-trust
    set security nat source rule-set Soure-NAT-Policy-2 rule Source-nat-2 match source-address 192.168.3.0/24
    set security nat source rule-set Soure-NAT-Policy-2 rule Source-nat-2 match destination-address 0.0.0.0/0
    set security nat source rule-set Soure-NAT-Policy-2 rule Source-nat-2 then source-nat interface
    // policy from trust to CNC-trust, with session logging
    set security policies from-zone trust to-zone CNC-trust policy 2 match source-address Net_192.168.3.0
    set security policies from-zone trust to-zone CNC-trust policy 2 match destination-address any
    set security policies from-zone trust to-zone CNC-trust policy 2 match application any
    set security policies from-zone trust to-zone CNC-trust policy 2 then permit
    set security policies from-zone trust to-zone CNC-trust policy 2 then log session-init
    set security policies from-zone trust to-zone CNC-trust policy 2 then log session-close
    // filter-based forwarding on the internal interface: ports 22, 3389 and 8080 go to Tel, everything else to CNC
    set interfaces ge-0/0/3 unit 0 family inet filter input filter-1
    set firewall filter filter-1 term term-1 from destination-port 22
    set firewall filter filter-1 term term-1 from destination-port 3389
    set firewall filter filter-1 term term-1 from destination-port 8080
    set firewall filter filter-1 term term-1 then routing-instance Tel
    set firewall filter filter-1 term default then routing-instance CNC
    // bind the logical interfaces to zones and allow all protocols and services towards the firewall's own interfaces
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces ge-0/0/3.0
    set security zones security-zone Tel-trust host-inbound-traffic system-services all
    set security zones security-zone Tel-trust host-inbound-traffic protocols all
    set security zones security-zone Tel-trust interfaces ge-0/0/4.0
    set security zones security-zone CNC-trust host-inbound-traffic system-services all
    set security zones security-zone CNC-trust host-inbound-traffic protocols all
    set security zones security-zone CNC-trust interfaces ge-0/0/5.0
    set security zones security-zone MGT host-inbound-traffic system-services all
    set security zones security-zone MGT host-inbound-traffic protocols all
    set security zones security-zone MGT interfaces ge-0/0/6.0

Verification

Routing by destination port: the TCP 3389 session leaves through ge-0/0/4.0 (Tel), the ICMP session through ge-0/0/5.0 (CNC).

    Session ID: 9693, Policy name: 1121/6, Timeout: 1790, Valid
    In: 192.168.3.5/52562 --> 192.168.100.211/3389;tcp, If: ge-0/0/3.0, Pkts: 2, Bytes: 112
    Out: 192.168.100.211/3389 --> 192.168.4.1/28262;tcp, If: ge-0/0/4.0, Pkts: 1, Bytes: 60

    Session ID: 9703, Policy name: 1121/7, Timeout: 2, Valid
    In: 192.168.3.5/6252 --> 192.168.100.211/1;icmp, If: ge-0/0/3.0, Pkts: 1, Bytes: 60
    Out: 192.168.100.211/1 --> 192.168.5.1/4217;icmp, If: ge-0/0/5.0, Pkts: 1, Bytes: 60

Current routing tables:

    root@SRX-Ipsec-A> show route

    inet.0: 7 destinations, 8 routes (7 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/10] 00:01:26
                        > to 192.168.4.2 via ge-0/0/4.0
                        [Static/100] 00:01:04
                        > to 192.168.5.2 via ge-0/0/5.0
    192.168.3.0/24     *[Direct/0] 00:04:31
                        > via ge-0/0/3.0
    192.168.3.1/32     *[Local/0] 16:44:09
                          Local via ge-0/0/3.0
    192.168.4.0/24     *[Direct/0] 00:01:26
                        > via ge-0/0/4.0
    192.168.4.1/32     *[Local/0] 00:01:26
                          Local via ge-0/0/4.0
    192.168.5.0/24     *[Direct/0] 00:01:04
                        > via ge-0/0/5.0
    192.168.5.1/32     *[Local/0] 00:01:04
                          Local via ge-0/0/5.0

    CNC.inet.0: 7 destinations, 8 routes (7 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 00:01:04
                        > to 192.168.5.2 via ge-0/0/5.0
                        [Static/100] 00:01:26
                        > to 192.168.4.2 via ge-0/0/4.0
    192.168.3.0/24     *[Direct/0] 00:04:31
                        > via ge-0/0/3.0
    192.168.3.1/32     *[Local/0] 00:04:31
                          Local via ge-0/0/3.0
    192.168.4.0/24     *[Direct/0] 00:01:26
                        > via ge-0/0/4.0
    192.168.4.1/32     *[Local/0] 00:01:26
                          Local via ge-0/0/4.0
    192.168.5.0/24     *[Direct/0] 00:01:04
                        > via ge-0/0/5.0
    192.168.5.1/32     *[Local/0] 16:44:09
                          Local via ge-0/0/5.0

    Tel.inet.0: 7 destinations, 8 routes (7 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 00:01:26
                        > to 192.168.4.2 via ge-0/0/4.0
                        [Static/100] 00:01:04
                        > to 192.168.5.2 via ge-0/0/5.0
    192.168.3.0/24     *[Direct/0] 00:04:31
                        > via ge-0/0/3.0
    192.168.3.1/32     *[Local/0] 00:04:31
                          Local via ge-0/0/3.0
    192.168.4.0/24     *[Direct/0] 00:01:26
                        > via ge-0/0/4.0
    192.168.4.1/32     *[Local/0] 16:44:09
    192.168.5.0/24     *[Direct/0] 00:01:04
                        > via ge-0/0/5.0
    192.168.5.1/32     *[Local/0] 00:01:04
                          Local via ge-0/0/5.0

Dual-link redundancy: the first ICMP session leaves through ge-0/0/5.0 (CNC); after the CNC WAN cable is unplugged by hand (simulating a CNC line failure), new sessions leave through ge-0/0/4.0 (Tel).

    root@SRX-Ipsec-A> show security flow session
    Session ID: 10321, Policy name: 1121/7, Timeout: 48, Valid
    In: 192.168.3.2/188 --> 192.168.100.211/59209;icmp, If: ge-0/0/3.0, Pkts: 1, Bytes: 84
    Out: 192.168.100.211/59209 --> 192.168.5.1/13586;icmp, If: ge-0/0/5.0, Pkts: 0, Bytes: 0

    (CNC WAN cable unplugged here to simulate a CNC line failure)

    Session ID: 10322, Policy name: 1121/6, Timeout: 50, Valid
    In: 192.168.3.2/189 --> 192.168.100.211/59209;icmp, If: ge-0/0/3.0, Pkts: 1, Bytes: 84
    Out: 192.168.100.211/59209 --> 192.168.4.1/19350;icmp, If: ge-0/0/4.0, Pkts: 0, Bytes: 0

    Session ID: 10330, Policy name: 1121/6, Timeout: 2, Valid
    In: 192.168.3.2/197 --> 192.168.100.211/59209;icmp, If: ge-0/0/3.0, Pkts: 1, Bytes: 84
    Out: 192.168.100.211/59209 --> 192.168.4.1/3661;icmp, If: ge-0/0/4.0, Pkts: 1, Bytes: 84

Routing tables after the failure (the CNC default routes are gone and every table now points at 192.168.4.2):

    root@SRX-Ipsec-A> show route

    inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/10] 00:00:45
                        > to 192.168.4.2 via ge-0/0/4.0
    192.168.3.0/24     *[Direct/0] 00:06:27
                        > via ge-0/0/3.0
    192.168.3.1/32     *[Local/0] 16:46:05
    192.168.4.0/24     *[Direct/0] 00:00:45
                        > via ge-0/0/4.0
    192.168.4.1/32     *[Local/0] 00:00:45
                          Local via ge-0/0/4.0
    192.168.5.1/32     *[Local/0] 00:00:37
                          Reject

    CNC.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/100] 00:00:45
                        > to 192.168.4.2 via ge-0/0/4.0
    192.168.3.0/24     *[Direct/0] 00:06:27
                        > via ge-0/0/3.0
    192.168.3.1/32     *[Local/0] 00:06:27
                          Local via ge-0/0/3.0
    192.168.4.0/24     *[Direct/0] 00:00:45
                        > via ge-0/0/4.0
    192.168.4.1/32     *[Local/0] 00:00:45
                          Local via ge-0/0/4.0
    192.168.5.1/32     *[Local/0] 16:46:05
                          Reject

    Tel.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 00:00:45
                        > to 192.168.4.2 via ge-0/0/4.0
    192.168.3.0/24     *[Direct/0] 00:06:27
                        > via ge-0/0/3.0
    192.168.3.1/32     *[Local/0] 00:06:27
                          Local via ge-0/0/3.0
    192.168.4.0/24     *[Direct/0] 00:00:45
                        > via ge-0/0/4.0
    192.168.4.1/32     *[Local/0] 16:46:05
                          Local via ge-0/0/4.0
    192.168.5.1/32     *[Local/0] 00:00:37
                          Reject
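The following linter is an added example, not code from the case study or from Juniper. It parses a Junos configuration in "set" form and checks three things that the rib-group section (wan1/wan2 above) and the destination-NAT configuration of case 1 rely on: every routing-instance that is referenced exists, every instance that applies a rib-group has its own table imported by that group, and every destination-NAT rule that points at a pool also matches on a destination port. SAMPLE_CONFIG is a constructed, shortened configuration; it deliberately contains the kind of copy-paste slip that is easy to make in rule-set 2 (a "rule-set 1 rule 111" line where a "rule-set 2 rule 222" line was intended) and a filter term pointing at an undefined instance.

```python
"""Static checks over a Junos configuration given in 'set' form.

Added example, not from the case study or from Juniper. SAMPLE_CONFIG is a
constructed, shortened configuration with deliberate mistakes.
"""
from collections import defaultdict

SAMPLE_CONFIG = """
set routing-instances Tel instance-type virtual-router
set routing-instances Tel interface ge-0/0/4.0
set routing-instances Tel routing-options interface-routes rib-group inet Big-rib
set routing-instances CNC instance-type virtual-router
set routing-instances CNC interface ge-0/0/5.0
set routing-instances CNC routing-options interface-routes rib-group inet Big-rib
set routing-options interface-routes rib-group inet Big-rib
set routing-options rib-groups Big-rib import-rib inet.0
set routing-options rib-groups Big-rib import-rib CNC.inet.0
set security nat destination rule-set 1 from zone Tel-trust
set security nat destination rule-set 1 rule 111 match destination-address 192.168.4.1/32
set security nat destination rule-set 1 rule 111 match destination-port 3389
set security nat destination rule-set 1 rule 111 then destination-nat pool 111
set security nat destination rule-set 2 from zone CNC-trust
set security nat destination rule-set 2 rule 222 match destination-address 192.168.5.1/32
set security nat destination rule-set 1 rule 111 match destination-port 3389
set security nat destination rule-set 2 rule 222 then destination-nat pool 111
set firewall filter filter-1 term term-1 then routing-instance Tel
set firewall filter filter-1 term default then routing-instance CNC
set firewall filter filter-1 term oops then routing-instance Unicom
"""


def parse_set_config(text):
    """Turn each 'set a b c ...' line into a token list; other lines are ignored."""
    paths = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0] == "set":
            paths.append(tokens[1:])
    return paths


def after(path, *prefix):
    """Tokens following `prefix` when `path` starts with it, otherwise None."""
    return path[len(prefix):] if tuple(path[:len(prefix)]) == prefix else None


def check_routing_instances(paths):
    """Dangling routing-instance references, and rib-groups missing an instance's table."""
    instances, instance_ribgroup = set(), {}
    ribgroup_imports = defaultdict(set)
    referenced = set()                      # (instance name, line that references it)
    for p in paths:
        rest = after(p, "routing-instances")
        if rest:
            instances.add(rest[0])
            if rest[1:5] == ["routing-options", "interface-routes", "rib-group", "inet"]:
                instance_ribgroup[rest[0]] = rest[5]
            continue
        rest = after(p, "routing-options", "rib-groups")
        if rest and rest[1] == "import-rib":
            ribgroup_imports[rest[0]].add(rest[2])
            if rest[2].endswith(".inet.0"):     # 'CNC.inet.0' refers to instance CNC
                referenced.add((rest[2][:-len(".inet.0")], " ".join(p)))
            continue
        if p[:2] == ["firewall", "filter"] and "routing-instance" in p:
            referenced.add((p[p.index("routing-instance") + 1], " ".join(p)))
    findings = [f"routing-instance {inst!r} is referenced but never defined: set {where}"
                for inst, where in sorted(referenced) if inst not in instances]
    for inst, group in sorted(instance_ribgroup.items()):
        if f"{inst}.inet.0" not in ribgroup_imports[group]:
            findings.append(f"rib-group {group!r} does not import {inst}.inet.0 "
                            f"although instance {inst!r} applies it to its interface routes")
    return findings


def check_destination_nat(paths):
    """Destination-NAT rules that translate to a pool without a destination-port match."""
    rules = defaultdict(lambda: {"port": False, "pool": None})
    for p in paths:
        rest = after(p, "security", "nat", "destination", "rule-set")
        if not rest or len(rest) < 5 or rest[1] != "rule":
            continue
        key, body = (rest[0], rest[2]), rest[3:]    # (rule-set, rule), then the match/then part
        if body[:2] == ["match", "destination-port"]:
            rules[key]["port"] = True
        elif body[:3] == ["then", "destination-nat", "pool"]:
            rules[key]["pool"] = body[3]
    return [f"rule-set {rs} rule {r} translates every port to pool {v['pool']}: "
            f"no 'match destination-port' is configured"
            for (rs, r), v in sorted(rules.items()) if v["pool"] and not v["port"]]


def lint(text):
    """All findings for a configuration text, in a stable order."""
    paths = parse_set_config(text)
    return check_routing_instances(paths) + check_destination_nat(paths)
```

Running lint(SAMPLE_CONFIG) yields three findings: the undefined instance "Unicom", the rib-group that never imports Tel.inet.0, and rule 222 translating every port to the pool. The third one matters for the requirement above, which is to expose only port 3389: without the destination-port match, every port on the external address is forwarded to the internal host and only the security policy (application tcp_3389) stands between the Internet and the rest of that host.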
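To check the failover shown in the two "show route" captures above without reading them by eye, the added Python below (not code from the case study or from Juniper) parses "show route" output into per-table route entries and reports the tables whose active default next hop changed between two captures. SHOW_ROUTE_BEFORE and SHOW_ROUTE_AFTER are constructed, shortened versions of the outputs above (both links up, then the CNC link unplugged).

```python
"""Parse Junos 'show route' output and compare active default next hops.

Added example, not code from the case study or from Juniper. The two captures
are constructed, shortened versions of the outputs shown above.
"""
import re

SHOW_ROUTE_BEFORE = """\
inet.0: 7 destinations, 8 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/10] 00:01:26
                    > to 192.168.4.2 via ge-0/0/4.0
                    [Static/100] 00:01:04
                    > to 192.168.5.2 via ge-0/0/5.0
192.168.3.0/24     *[Direct/0] 00:04:31
                    > via ge-0/0/3.0

CNC.inet.0: 7 destinations, 8 routes (7 active, 0 holddown, 0 hidden)

0.0.0.0/0          *[Static/5] 00:01:04
                    > to 192.168.5.2 via ge-0/0/5.0
                    [Static/100] 00:01:26
                    > to 192.168.4.2 via ge-0/0/4.0

Tel.inet.0: 7 destinations, 8 routes (7 active, 0 holddown, 0 hidden)

0.0.0.0/0          *[Static/5] 00:01:26
                    > to 192.168.4.2 via ge-0/0/4.0
                    [Static/100] 00:01:04
                    > to 192.168.5.2 via ge-0/0/5.0
"""

SHOW_ROUTE_AFTER = """\
inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)

0.0.0.0/0          *[Static/10] 00:00:45
                    > to 192.168.4.2 via ge-0/0/4.0

CNC.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)

0.0.0.0/0          *[Static/100] 00:00:45
                    > to 192.168.4.2 via ge-0/0/4.0
192.168.5.1/32     *[Local/0] 16:46:05
                      Reject

Tel.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)

0.0.0.0/0          *[Static/5] 00:00:45
                    > to 192.168.4.2 via ge-0/0/4.0
"""

TABLE = re.compile(r"^(\S+\.inet\.0|inet\.0):")                       # table header line
ENTRY = re.compile(r"^(?P<prefix>\S+)?\s+(?P<active>[*+-]?)\[(?P<proto>\w+)/(?P<pref>\d+)\]")
NEXTHOP = re.compile(r"^\s*(?:>\s*)?(?:Local\s+)?(?:to\s+(?P<gw>\S+)\s+)?via\s+(?P<iface>\S+)")


def parse_show_route(text):
    """Return {table: {prefix: [route, ...]}}, each route a dict with protocol,
    preference, active flag, gateway and interface (None for Reject/Local entries)."""
    tables, table, prefix, route = {}, None, None, None
    for line in text.splitlines():
        m = TABLE.match(line)
        if m:
            table = m.group(1)
            tables[table] = {}
            continue
        m = ENTRY.match(line)
        if m and table is not None:
            if m.group("prefix"):           # continuation entries inherit the prefix
                prefix = m.group("prefix")
            route = {"proto": m.group("proto"), "pref": int(m.group("pref")),
                     "active": m.group("active") in ("*", "+"), "gw": None, "iface": None}
            tables[table].setdefault(prefix, []).append(route)
            continue
        m = NEXTHOP.match(line)
        if m and route is not None:
            route["gw"], route["iface"] = m.group("gw"), m.group("iface")
    return tables


def active_default(tables):
    """Map each table to the (gateway, interface) of its active default route."""
    result = {}
    for table, routes in tables.items():
        for r in routes.get("0.0.0.0/0", []):
            if r["active"]:
                result[table] = (r["gw"], r["iface"])
    return result


def egress_changes(before_text, after_text):
    """Tables whose active default next hop differs between two captures."""
    before = active_default(parse_show_route(before_text))
    after = active_default(parse_show_route(after_text))
    return {t: (before.get(t), after.get(t))
            for t in sorted(set(before) | set(after)) if before.get(t) != after.get(t)}
```

On the two captures, egress_changes reports only CNC.inet.0, whose active default moved from 192.168.5.2 via ge-0/0/5.0 to the preference-100 backup 192.168.4.2 via ge-0/0/4.0; inet.0 and Tel.inet.0 already preferred the Telecom next hop. Run periodically against real output, the same comparison is a cheap alarm for an unplanned link failover.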
Juniper configuration notes

    >   operational mode
    #   configuration mode
    #show interface
    #show interface detail | match fe-0/0/0
    >help apropos arp
    >configure                                       (enter configuration mode; configure has three modes)
    #edit interface                                  (configure level by level)
    #up                                              (go up one level)
    #show | display set                              (display the configuration as set commands that can be pasted back)
    #edit security nat source
    #rename rule-set trust-to-untrust to rule-set inside-to-outside   (rename the NAT rule-set)
    #rollback                                        (roll back to an earlier configuration; 50 versions are kept)
    #commit at 201207200800                          (scheduled commit)
    >clear system commit                             (cancel a pending scheduled commit)
    #commit comment "beyond"                         (attach a comment to the commit)
    #run show system commit                          (list commits with their comments, for a quick rollback)
    #commit confirmed                                (if the commit is not confirmed within ten minutes the configuration reverts)
    #copy interface ge-0/0/1 to ge-0/0/3             (copy a configuration block)
    #show system uptime                              (system time and uptime)
    >request system reboot                           (reboot)
    >request system power-off                        (shut down)
    #edit system login user class ?                  (create users; there are four permission classes)
    #edit system services                            (system services)
    #set ssh / telnet / web-management …
    >show system license                             (view licences)
    >request system license add terminal             (load licence keys)
    >show system processes extensive                 (view system processes)
    >restart chassis-control gracefully              (restart a system process)
    #load update xxx                                 (load a previously saved configuration file)
    run show security flow session summary           (number of firewall sessions)
    run show security flow session                   (firewall session details)

1. Set the root password:

    set system root-authentication plain-text-password erpo@6698

2. Remote login user:

    set system login user erpo class super-user authentication plain-text-password erpo6698

3. Set the time:

    run set date 201207091908

4. Set the time zone to Shanghai:

    set system time-zone Asia/shanghai

5. Set the host name:

    set system host-name FW

6. Set the DNS servers:

    set system name-server 208.67.222.222
    set system name-server 208.67.220.220

7. Switch port settings (EX2200):

    root@ex2200# edit vlans test                      # create a VLAN named test
    root@ex2200# set vlan-id 10                       # VLAN ID
    root@ex2200# set description "Test VLAN"          # VLAN description
    root@ex2200# set mac-limit 200                    # MAC address limit, range 1..65535; usually left unset
    root@ex2200# set mac-table-aging-time 600         # MAC ageing time in seconds, range 60-1000000
    root@ex2200# set l3-interface vlan.10             # bind the Layer 3 logical interface
    root@ex2200# set interface ge-0/0/1.0             # add the port to the VLAN
    root@ex2200# set interface ge-0/0/2.0             # add the port to the VLAN

(2) Create the Layer 3 logical interface:

    root@ex2200# top                                  # back to the top level
    root@ex2200# set interfaces vlan unit 10 family inet address 192.168.1.1/24   # gateway address

(3) Set the switch ports to access mode and add them to the new VLAN:

    root@ex2200# top                                  # back to the top level
    root@ex2200# set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
    root@ex2200# set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members 10
    root@ex2200# set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access
    root@ex2200# set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members 10

(4) Commit:

    root@ex2200# commit

8. DHCP configuration (DHCP server):

    set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.33
    set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.64
    set system services dhcp pool 192.168.1.0/24 domain-name
    set system services dhcp pool 192.168.1.0/24 name-server 192.168.1.1
    set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
    set system services dhcp pool 192.168.1.0/24 default-lease-time 3600
    set security zones security-zone untrust interfaces fe-0/0/5.0 host-inbound-traffic system-services dhcp
    user@host# set security zones security-zone untrust interfaces fe-0/0/6.0 host-inbound-traffic system-services dhcp
    user@host# set interfaces fe-0/0/6 unit 0 family inet address 192.168.1.1/24

DHCP configuration (DHCP client):

    user@host# set interfaces fe-0/0/7 unit 0 family inet dhcp
    user@host# set security zones security-zone untrust interfaces fe-0/0/7.0 host-inbound-traffic system-services dhcp

DHCP configuration (DHCP relay):

    user@host# set forwarding-options helpers bootp description "Global DHCP relay service"
    user@host# set forwarding-options helpers bootp server 192.18.24.38
    user@host# set forwarding-options helpers bootp maximum-hop-count 4
    user@host# set forwarding-options helpers bootp interface fe-0/0/7.0
    user@host# set security zones security-zone untrust interfaces fe-0/0/7.0 host-inbound-traffic system-services dhcp
    user@host# set security zones security-zone untrust interfaces fe-0/0/8.0 host-inbound-traffic system-services dhcp

9. Interface settings:

    user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.168.20.2/24

or, equivalently:

    set interfaces ge-0/0/1.0 family inet address 192.168.20.2/24

9.2 Zones:

    user@host# set security zones security-zone trust
    user@host# set security zones security-zone trust interfaces ge-0/0/1.0 … ge-0/0/1.0 host-inbound-traffic system-services http   (permitted services)

10. Static routes:

    user@host# set routing-options static route 10.2.2.0/24 next-hop 10.1.1.254
    user@host# set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254

11. Enable FTP/SSH/telnet/HTTP remote management at the system level:

    set system services ftp
    set system services ssh
    set system services telnet
    set system services web-management http

12. Allow remote management in the untrust zone:

    set security zones security-zone untrust host-inbound-traffic system-services ssh

13. Firewall policy: the security device's default behaviour is to deny all traffic between security zones and to permit all traffic between interfaces bound to the same zone.
Juniper SRX3400 Routing-instance AAA, NTP and SYSLOG Lab Configuration Guide

Contents
1. Test requirements
2. Test environment
3. Test topology
3.1. Create the virtual machines
3.2. Network connections between the virtual machines
4. Firewall configuration
5. AAA configuration verification
5.1.1. If the firewall source-address is set to 172.16.1.1
5.1.2. Delete the loopback lo0 address
6. NTP configuration verification
6.1.1. If the NTP source address is set to 172.16.1.1
6.1.2. Delete the loopback lo0 address
7. SYSLOG configuration verification
7.1.1. If the SYSLOG source address is set to 172.16.1.1
7.1.2. Delete the lo0 interface address on the firewall
8. Conclusions

To fully understand how a Juniper SRX firewall handles AAA, syslog and NTP when running routing-instances, a test environment was built on virtual machines to verify the behaviour.
2. Test environment
The Juniper firewall runs as a virtual machine. The RADIUS server is Windows 2003 with ACS v4.2; the same Windows 2003 host acts as the NTP server, and Kiwi Syslog Server is installed on it as the syslog software.
The test tools are as follows:

3.1. Create the virtual machines
Create two virtual machines:
SRX: the Juniper firewall
Radius_NTP_Syslog_server: the RADIUS, NTP and syslog server

3.2. Network connections between the virtual machines
The virtual machine NICs are connected as follows:
1) Bridge NIC 1 of VM SRX to the physical host's NIC.
2) Set NIC 3 of VM SRX to custom mode; it is used to connect to the two servers.
3) The server NIC also uses custom mode; it is used to connect to the SRX.
4) Configure IP addresses and test connectivity: configure the IP addresses of the firewall interfaces and the server port according to the topology diagram above, then test connectivity.
Juniper SRX: using virtual routers for multi-link redundancy and dual-ISP access (case study)

Contents
Notes before reading
Test topology
1. Virtual routers (remembering the ingress of incoming traffic)
   Requirements
   Configuration
   Verification
   Configuration analysis
2. Virtual routers (multi-link load sharing and redundancy)
   Requirements
   Configuration
   Verification
   Configuration analysis
3. Virtual routers (dual-ISP access)
   Requirements
   Configuration
   Verification
   Notes

Notes before reading:
Test environment: SRX 220H
IP addresses in the topology:
G-0/0/3: 192.168.3.1/24
G-0/0/4: 192.168.4.1/24
G-0/0/5: 192.168.5.1/24
G-0/0/6: 10.10.30.189/24
F0/1: 192.168.4.2/24
F0/2: 192.168.5.2/24
F0/3: 192.168.100.1/24 (simulating the remote Internet)

Test topology:

1. Virtual routers (remembering the ingress of incoming traffic)

Requirements:
External users connect to port 3389 on the firewall's external interface; the connection is destination-NATed to internal server 192.168.3.5:3389 and the return traffic goes back along the path it arrived on. Permit all external users to reach port 3389 on host 192.168.3.5 (dual-ISP access).

Configuration:
set routing-instances Tel instance-type virtual-router
set routing-instances Tel interface ge-0/0/4.0
set routing-instances Tel routing-options interface-routes rib-group inet Big-rib
set routing-instances Tel routing-options static route 0.0.0.0/0 next-hop 192.168.4.2
set routing-instances CNC instance-type virtual-router
set routing-instances CNC interface ge-0/0/5.0
set routing-instances CNC routing-options interface-routes rib-group inet Big-rib
set routing-instances CNC routing-options static route 0.0.0.0/0 next-hop 192.168.5.2
set interfaces ge-0/0/3 unit 0 family inet address 192.168.3.1/24
set interfaces ge-0/0/4 unit 0 family inet address 192.168.4.1/24
set interfaces ge-0/0/5 unit 0 family inet address 192.168.5.1/24
set interfaces ge-0/0/6 unit 0 family inet address 10.10.30.189/24
set routing-options interface-routes rib-group inet Big-rib
set routing-options static route 10.0.0.0/8 next-hop 10.10.30.1
set routing-options static route 0.0.0.0/0 next-hop 192.168.4.2
set routing-options static route 0.0.0.0/0 install
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options rib-groups Big-rib import-rib inet.0
set routing-options rib-groups Big-rib import-rib CNC.inet.0
set routing-options rib-groups Big-rib import-rib Tel.inet.0
set security nat destination pool 111 address 192.168.3.5/32
set security nat destination rule-set 1 from zone Tel-trust
set security nat destination rule-set 1 rule 111 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 111 match destination-address 192.168.4.1/32
set security nat destination rule-set 1 rule 111 match destination-port 3389
set security nat destination rule-set 1 rule 111 then destination-nat pool 111
set security nat destination rule-set 2 from zone CNC-trust
set security nat destination rule-set 2 rule 222 match source-address 0.0.0.0/0
set security nat destination rule-set 2 rule 222 match destination-address 192.168.5.1/32
set security nat destination rule-set 2 rule 222 match destination-port 3389
set security nat destination rule-set 2 rule 222 then destination-nat pool 111
set applications application tcp_3389 protocol tcp
set applications application tcp_3389 destination-port 3389
set security zones security-zone trust address-book address H_192.168.3.5 192.168.3.5/32
set security policies from-zone Tel-trust to-zone trust policy default-permit match source-address any
set security policies from-zone Tel-trust to-zone trust policy default-permit match destination-address H_192.168.3.5
set security policies from-zone Tel-trust to-zone trust policy default-permit match application tcp_3389
set security policies from-zone Tel-trust to-zone trust policy default-permit then permit
set security policies from-zone CNC-trust to-zone trust policy default-permit match source-address any
set security policies from-zone CNC-trust to-zone trust policy default-permit match destination-address H_192.168.3.5
set security policies from-zone CNC-trust to-zone trust policy default-permit match application tcp_3389
set security policies from-zone CNC-trust to-zone trust policy default-permit then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/3.0
set security zones security-zone Tel-trust host-inbound-traffic system-services all
set security zones security-zone Tel-trust host-inbound-traffic protocols all
set security zones security-zone Tel-trust interfaces ge-0/0/4.0
set security zones security-zone CNC-trust host-inbound-traffic system-services all
set security zones security-zone CNC-trust host-inbound-traffic protocols all
set security zones security-zone CNC-trust interfaces ge-0/0/5.0
set security zones security-zone MGT host-inbound-traffic system-services all
set security zones security-zone MGT host-inbound-traffic protocols all
set security zones security-zone MGT interfaces ge-0/0/6.0

Verification:
root@SRX-Ipsec-A> show security flow session
Session ID: 9696, Policy name: default-permit/5, Timeout: 1794, Valid
  In: 192.168.100.211/57408 --> 192.168.5.1/3389;tcp, If: ge-0/0/5.0, Pkts: 2, Bytes: 112
  Out: 192.168.3.5/3389 --> 192.168.100.211/57408;tcp, If: ge-0/0/3.0, Pkts: 1, Bytes: 60
============================================================================
root@SRX-Ipsec-A> show security flow session
Session ID: 9697, Policy name: default-permit/4, Timeout: 1796, Valid
  In: 192.168.100.211/57409 --> 192.168.4.1/3389;tcp, If: ge-0/0/4.0, Pkts: 2, Bytes: 112
  Out: 192.168.3.5/3389 --> 192.168.100.211/57409;tcp, If: ge-0/0/3.0, Pkts: 1, Bytes: 60

Configuration analysis:
set routing-instances Tel instance-type virtual-router
// create virtual router Tel
set routing-instances Tel interface ge-0/0/4.0
// add the logical interface to the virtual router
set routing-instances Tel routing-options interface-routes rib-group inet Big-rib
// place the interface routes of the new routing table in the rib group "Big-rib"
set routing-instances Tel routing-options static route 0.0.0.0/0 next-hop 192.168.4.2
// configure a route in the Tel routing table
set routing-instances CNC instance-type virtual-router
set routing-instances CNC interface ge-0/0/5.0
set routing-instances CNC routing-options interface-routes rib-group inet Big-rib
set routing-instances CNC routing-options static route 0.0.0.0/0 next-hop 192.168.5.2
// configure routing table CNC in the same way
set interfaces ge-0/0/3 unit 0 family inet address 192.168.3.1/24
set interfaces ge-0/0/4 unit 0 family inet address 192.168.4.1/24
set interfaces ge-0/0/5 unit 0 family inet address 192.168.5.1/24
set interfaces ge-0/0/6 unit 0 family inet address 10.10.30.189/24
// configure the IP addresses of the logical interfaces
set routing-options interface-routes rib-group inet Big-rib
// define the rib group and add the interface routes to the Big-rib group
set routing-options static route 10.0.0.0/8 next-hop 10.10.30.1
set routing-options static route 0.0.0.0/0 next-hop 192.168.4.2
// configure the routes of the global routing table
set routing-options static route 0.0.0.0/0 install
// install the route into the forwarding table
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options rib-groups Big-rib import-rib inet.0
set routing-options rib-groups Big-rib import-rib CNC.inet.0
set routing-options rib-groups Big-rib import-rib Tel.inet.0
// import the direct routes of the three routing tables into the rib group, so each table can reach every interface
set security nat destination pool 111 address 192.168.3.5/32
// define the internal server IP address that traffic is destination-NATed to
set security nat destination rule-set 1 from zone Tel-trust
set security nat destination rule-set 1 rule 111 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 111 match destination-address 192.168.4.1/32
set security nat destination rule-set 1 rule 111 match destination-port 3389
set security nat destination rule-set 1 rule 111 then destination-nat pool 111
// configure destination NAT for zone Tel-trust
set security nat destination rule-set 2 from zone CNC-trust
set security nat destination rule-set 2 rule 222 match source-address 0.0.0.0/0
set security nat destination rule-set 2 rule 222 match destination-address 192.168.5.1/32
set security nat destination rule-set 2 rule 222 match destination-port 3389
set security nat destination rule-set 2 rule 222 then destination-nat pool 111
// configure destination NAT for zone CNC-trust
set applications application tcp_3389 protocol tcp
set applications application tcp_3389 destination-port 3389
set security zones security-zone trust address-book address H_192.168.3.5 192.168.3.5/32
// define a custom application (port) and the address-book entry
set security policies from-zone Tel-trust to-zone trust policy default-permit match source-address any
set security policies from-zone Tel-trust to-zone trust policy default-permit match destination-address H_192.168.3.5
set security policies from-zone Tel-trust to-zone trust policy default-permit match application tcp_3389
set security policies from-zone Tel-trust to-zone trust policy default-permit then permit
// configure the policy from Tel-trust to trust
set security policies from-zone CNC-trust to-zone trust policy default-permit match source-address any
set security policies from-zone CNC-trust to-zone trust policy default-permit match destination-address H_192.168.3.5
set security policies from-zone CNC-trust to-zone trust policy default-permit match application tcp_3389
set security policies from-zone CNC-trust to-zone trust policy default-permit then permit
// configure the policy from CNC-trust to trust
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/3.0
set security zones security-zone Tel-trust host-inbound-traffic system-services all
set security zones security-zone Tel-trust host-inbound-traffic protocols all
set security zones security-zone Tel-trust interfaces ge-0/0/4.0
set security zones security-zone CNC-trust host-inbound-traffic system-services all
set security zones security-zone CNC-trust host-inbound-traffic protocols all
set security zones security-zone CNC-trust interfaces ge-0/0/5.0
set security zones security-zone MGT host-inbound-traffic system-services all
set security zones security-zone MGT host-inbound-traffic protocols all
set security zones security-zone MGT interfaces ge-0/0/6.0
// bind the logical interfaces to zones and open all protocols and services for access to the firewall's directly connected interfaces

2. Virtual routers (multi-link load sharing and redundancy)

Requirements:
Traffic from internal users to ports 22, 3389 and 8080 goes out via Telecom (Tel); all other traffic goes out via CNC. All internal-to-external traffic is source-NATed to the IP address of the external interface it leaves on. Provide load sharing with redundancy. Permit all services (dual-ISP access).

Configuration:
set routing-instances Tel instance-type virtual-router
set routing-instances Tel interface ge-0/0/4.0
set routing-instances Tel routing-options interface-routes rib-group inet Big-rib
set routing-instances Tel routing-options static route 0.0.0.0/0 next-hop 192.168.4.2
set routing-instances Tel routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.5.2 preference 100
set routing-instances CNC instance-type virtual-router
set routing-instances CNC interface ge-0/0/5.0
set routing-instances CNC routing-options interface-routes rib-group inet Big-rib
set routing-instances CNC routing-options static route 0.0.0.0/0 next-hop 192.168.5.2
set routing-instances CNC routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.4.2 preference 100
set interfaces ge-0/0/3 unit 0 family inet address 192.168.3.1/24
set interfaces ge-0/0/4 unit 0 family inet address 192.168.4.1/24
set interfaces ge-0/0/5 unit 0 family inet address 192.168.5.1/24
set interfaces ge-0/0/6 unit 0 family inet address 10.10.30.189/24
set routing-options interface-routes rib-group inet Big-rib
set routing-options static route 10.0.0.0/8 next-hop 10.10.30.1
set routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.5.2 preference 100
set routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.4.2 preference 10
set routing-options static route 0.0.0.0/0 install
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options rib-groups Big-rib import-rib inet.0
set routing-options rib-groups Big-rib import-rib CNC.inet.0
set routing-options rib-groups Big-rib import-rib Tel.inet.0
set security nat source rule-set Soure-NAT-Policy from zone trust
set security nat source rule-set Soure-NAT-Policy to zone Tel-trust
set security nat source rule-set Soure-NAT-Policy rule Source-nat-1 match source-address 192.168.3.0/24
set security nat source rule-set Soure-NAT-Policy rule Source-nat-1 match destination-address 0.0.0.0/0
set security nat source rule-set Soure-NAT-Policy rule Source-nat-1 then source-nat interface
set security zones security-zone trust address-book address Net_192.168.3.0 192.168.3.0/24
set security policies from-zone trust to-zone Tel-trust policy 1 match source-address Net_192.168.3.0
set security policies from-zone trust to-zone Tel-trust policy 1 match destination-address any
set security policies from-zone trust to-zone Tel-trust policy 1 match application any
set security policies from-zone trust to-zone Tel-trust policy 1 then permit
set security policies from-zone trust to-zone Tel-trust policy 1 then log session-init
set security policies from-zone trust to-zone Tel-trust policy 1 then log session-close
set security nat source rule-set Soure-NAT-Policy-2 from zone trust
set security nat source rule-set Soure-NAT-Policy-2 to zone CNC-trust
set security nat source rule-set Soure-NAT-Policy-2 rule Source-nat-2 match source-address 192.168.3.0/24
set security nat source rule-set Soure-NAT-Policy-2 rule Source-nat-2 match destination-address 0.0.0.0/0
set security nat source rule-set Soure-NAT-Policy-2 rule Source-nat-2 then source-nat interface
set security policies from-zone trust to-zone CNC-trust policy 2 match source-address Net_192.168.3.0
set security policies from-zone trust to-zone CNC-trust policy 2 match destination-address any
set security policies from-zone trust to-zone CNC-trust policy 2 match application any
set security policies from-zone trust to-zone CNC-trust policy 2 then permit
set security policies from-zone trust to-zone CNC-trust policy 2 then log session-init
set security policies from-zone trust to-zone CNC-trust policy 2 then log session-close
set interfaces ge-0/0/3 unit 0 family inet filter input filter-1
set firewall filter filter-1 term term-1 from destination-port 22
set firewall filter filter-1 term term-1 from destination-port 3389
set firewall filter filter-1 term term-1 from destination-port 8080
set firewall filter filter-1 term term-1 then routing-instance Tel
set firewall filter filter-1 term default then routing-instance CNC
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/3.0
set security zones security-zone Tel-trust host-inbound-traffic system-services all
set security zones security-zone Tel-trust host-inbound-traffic protocols all
set security zones security-zone Tel-trust interfaces ge-0/0/4.0
set security zones security-zone CNC-trust host-inbound-traffic system-services all
set security zones security-zone CNC-trust host-inbound-traffic protocols all
set security zones security-zone CNC-trust interfaces ge-0/0/5.0
set security zones security-zone MGT host-inbound-traffic system-services all
set security zones security-zone MGT host-inbound-traffic protocols all
set security zones security-zone MGT interfaces ge-0/0/6.0

Verification:
Routing by destination port:
Session ID: 9693, Policy name: 1121/6, Timeout: 1790, Valid
  In: 192.168.3.5/52562 --> 192.168.100.211/3389;tcp, If: ge-0/0/3.0, Pkts: 2, Bytes: 112
  Out: 192.168.100.211/3389 --> 192.168.4.1/28262;tcp, If: ge-0/0/4.0, Pkts: 1, Bytes: 60
Session ID: 9703, Policy name: 1121/7, Timeout: 2, Valid
  In: 192.168.3.5/6252 --> 192.168.100.211/1;icmp, If: ge-0/0/3.0, Pkts: 1, Bytes: 60
  Out: 192.168.100.211/1 --> 192.168.5.1/4217;icmp, If: ge-0/0/5.0, Pkts: 1, Bytes: 60

Current routing tables:
root@SRX-Ipsec-A> show route
inet.0: 7 destinations, 8 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/10] 00:01:26
                    > to 192.168.4.2 via ge-0/0/4.0
                    [Static/100] 00:01:04
                    > to 192.168.5.2 via ge-0/0/5.0
192.168.3.0/24     *[Direct/0] 00:04:31
                    > via ge-0/0/3.0
192.168.3.1/32     *[Local/0] 16:44:09
                      Local via ge-0/0/3.0
192.168.4.0/24     *[Direct/0] 00:01:26
                    > via ge-0/0/4.0
192.168.4.1/32     *[Local/0] 00:01:26
                      Local via ge-0/0/4.0
192.168.5.0/24     *[Direct/0] 00:01:04
                    > via ge-0/0/5.0
192.168.5.1/32     *[Local/0] 00:01:04
                      Local via ge-0/0/5.0

CNC.inet.0: 7 destinations, 8 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:01:04
                    > to 192.168.5.2 via ge-0/0/5.0
                    [Static/100] 00:01:26
                    > to 192.168.4.2 via ge-0/0/4.0
192.168.3.0/24     *[Direct/0] 00:04:31
                    > via ge-0/0/3.0
192.168.3.1/32     *[Local/0] 00:04:31
                      Local via ge-0/0/3.0
192.168.4.0/24     *[Direct/0] 00:01:26
                    > via ge-0/0/4.0
192.168.4.1/32     *[Local/0] 00:01:26
                      Local via ge-0/0/4.0
192.168.5.0/24     *[Direct/0] 00:01:04
                    > via ge-0/0/5.0
192.168.5.1/32     *[Local/0] 16:44:09
                      Local via ge-0/0/5.0

Tel.inet.0: 7 destinations, 8 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:01:26
                    > to 192.168.4.2 via ge-0/0/4.0
                    [Static/100] 00:01:04
                    > to 192.168.5.2 via ge-0/0/5.0
192.168.3.0/24     *[Direct/0] 00:04:31
                    > via ge-0/0/3.0
192.168.3.1/32     *[Local/0] 00:04:31
                      Local via ge-0/0/3.0
192.168.4.0/24     *[Direct/0] 00:01:26
                    > via ge-0/0/4.0
192.168.4.1/32     *[Local/0] 16:44:09
                      Local via ge-0/0/4.0
192.168.5.0/24     *[Direct/0] 00:01:04
                    > via ge-0/0/5.0
192.168.5.1/32     *[Local/0] 00:01:04
                      Local via ge-0/0/5.0

Dual-link redundancy:
root@SRX-Ipsec-A> show security flow session
Session ID: 10321, Policy name: 1121/7, Timeout: 48, Valid
  In: 192.168.3.2/188 --> 192.168.100.211/59209;icmp, If: ge-0/0/3.0, Pkts: 1, Bytes: 84
  Out: 192.168.100.211/59209 --> 192.168.5.1/13586;icmp, If: ge-0/0/5.0, Pkts: 0, Bytes: 0
Manually unplug the CNC WAN link (simulating a CNC link failure):
Session ID: 10322, Policy name: 1121/6, Timeout: 50, Valid
  In: 192.168.3.2/189 --> 192.168.100.211/59209;icmp, If: ge-0/0/3.0, Pkts: 1, Bytes: 84
  Out: 192.168.100.211/59209 --> 192.168.4.1/19350;icmp, If: ge-0/0/4.0, Pkts: 0, Bytes: 0
Session ID: 10330, Policy name: 1121/6, Timeout: 2, Valid
  In: 192.168.3.2/197 --> 192.168.100.211/59209;icmp, If: ge-0/0/3.0, Pkts: 1, Bytes: 84
  Out: 192.168.100.211/59209 --> 192.168.4.1/3661;icmp, If: ge-0/0/4.0, Pkts: 1, Bytes: 84

Current routing tables:
root@SRX-Ipsec-A> show route
inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/10] 00:00:45
                    > to 192.168.4.2 via ge-0/0/4.0
192.168.3.0/24     *[Direct/0] 00:06:27
                    > via ge-0/0/3.0
192.168.3.1/32     *[Local/0] 16:46:05
                      Local via ge-0/0/3.0
192.168.4.0/24     *[Direct/0] 00:00:45
                    > via ge-0/0/4.0
192.168.4.1/32     *[Local/0] 00:00:45
                      Local via ge-0/0/4.0
192.168.5.1/32     *[Local/0] 00:00:37
                      Reject

CNC.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/100] 00:00:45
                    > to 192.168.4.2 via ge-0/0/4.0
192.168.3.0/24     *[Direct/0] 00:06:27
                    > via ge-0/0/3.0
192.168.3.1/32     *[Local/0] 00:06:27
                      Local via ge-0/0/3.0
192.168.4.0/24     *[Direct/0] 00:00:45
                    > via ge-0/0/4.0
192.168.4.1/32     *[Local/0] 00:00:45
                      Local via ge-0/0/4.0
192.168.5.1/32     *[Local/0] 16:46:05
                      Reject

Tel.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:00:45
                    > to 192.168.4.2 via ge-0/0/4.0
192.168.3.0/24     *[Direct/0] 00:06:27
                    > via ge-0/0/3.0
192.168.3.1/32     *[Local/0] 00:06:27
                      Local via ge-0/0/3.0
192.168.4.0/24     *[Direct/0] 00:00:45
                    > via ge-0/0/4.0
192.168.4.1/32     *[Local/0] 16:46:05
                      Local via ge-0/0/4.0
192.168.5.1/32     *[Local/0] 00:00:37
                      Reject

Configuration analysis:
set routing-instances Tel instance-type virtual-router
set routing-instances Tel interface ge-0/0/4.0
set routing-instances Tel routing-options interface-routes rib-group inet Big-rib
set routing-instances Tel routing-options static route 0.0.0.0/0 next-hop 192.168.4.2
set routing-instances Tel routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.5.2 preference 100
// configure the Tel routing table; dual-WAN redundancy is achieved through route preference: the lower the preference value, the more preferred the route
set routing-instances CNC instance-type virtual-router
set routing-instances CNC interface ge-0/0/5.0
set routing-instances CNC routing-options interface-routes rib-group inet Big-rib
set routing-instances CNC routing-options static route 0.0.0.0/0 next-hop 192.168.5.2
set routing-instances CNC routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.4.2 preference 100
// configure the CNC routing table in the same way
set interfaces ge-0/0/3 unit 0 family inet address 192.168.3.1/24
set interfaces ge-0/0/4 unit 0 family inet address 192.168.4.1/24
set interfaces ge-0/0/5 unit 0 family inet address 192.168.5.1/24
set interfaces ge-0/0/6 unit 0 family inet address 10.10.30.189/24
// configure the IP addresses of the logical interfaces
set routing-options interface-routes rib-group inet Big-rib
// define the rib group and add the interface routes to the Big-rib group
set routing-options static route 10.0.0.0/8 next-hop 10.10.30.1
set routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.5.2 preference 100
set routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.4.2 preference 10
// configure the routes of the global routing table; dual-WAN redundancy is achieved by giving the two next hops different preferences
set routing-options static route 0.0.0.0/0 install
// install the route into the forwarding table
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options rib-groups Big-rib import-rib inet.0
set routing-options rib-groups Big-rib import-rib CNC.inet.0
set routing-options rib-groups Big-rib import-rib Tel.inet.0
// import the direct routes of the three routing tables into the rib group
set security nat source rule-set Soure-NAT-Policy from zone trust
set security nat source rule-set Soure-NAT-Policy to zone Tel-trust
set security nat source rule-set Soure-NAT-Policy rule Source-nat-1 match source-address 192.168.3.0/24
set security nat source rule-set Soure-NAT-Policy rule Source-nat-1 match destination-address 0.0.0.0/0
set security nat source rule-set Soure-NAT-Policy rule Source-nat-1 then source-nat interface
// configure interface-based source NAT towards zone Tel-trust
set security zones security-zone trust address-book address Net_192.168.3.0 192.168.3.0/24
// define the address-book entry
set security policies from-zone trust to-zone Tel-trust policy 1 match source-address Net_192.168.3.0
set security policies from-zone trust to-zone Tel-trust policy 1 match destination-address any
set security policies from-zone trust to-zone Tel-trust policy 1 match application any
set security policies from-zone trust to-zone Tel-trust policy 1 then permit
set security policies from-zone trust to-zone Tel-trust policy 1 then log session-init
set security policies from-zone trust to-zone Tel-trust policy 1 then log session-close
// configure the policy per the requirements and log the sessions
set security nat source rule-set Soure-NAT-Policy-2 from zone trust
set security nat source rule-set Soure-NAT-Policy-2 to zone CNC-trust
set security nat source rule-set Soure-NAT-Policy-2 rule Source-nat-2 match source-address 192.168.3.0/24
set security nat source rule-set Soure-NAT-Policy-2 rule Source-nat-2 match destination-address 0.0.0.0/0
set security nat source rule-set Soure-NAT-Policy-2 rule Source-nat-2 then source-nat interface
// configure interface-based source NAT towards zone CNC-trust
set security policies from-zone trust to-zone CNC-trust policy 2 match source-address Net_192.168.3.0
set security policies from-zone trust to-zone CNC-trust policy 2 match destination-address any
set security policies from-zone trust to-zone CNC-trust policy 2 match application any
set security policies from-zone trust to-zone CNC-trust policy 2 then permit
set security policies from-zone trust to-zone CNC-trust policy 2 then log session-init
set security policies from-zone trust to-zone CNC-trust policy 2 then log session-close
// configure the policy per the requirements and log the sessions
set interfaces ge-0/0/3 unit 0 family inet filter input filter-1
// apply the packet filter named "filter-1" to traffic entering interface ge-0/0/3
set firewall filter filter-1 term term-1 from destination-port 22
set firewall filter filter-1 term term-1 from destination-port 3389
set firewall filter filter-1 term term-1 from destination-port 8080
// in filter "filter-1", term "term-1" matches traffic to destination ports 22, 3389 and 8080
set firewall filter filter-1 term term-1 then routing-instance Tel
// traffic matching term-1 is forwarded using the Tel routing table
set firewall filter filter-1 term default then routing-instance CNC
// traffic matching term "default" is forwarded using the CNC routing table ("default" is simply a user-chosen term name; a term with no match conditions matches all remaining traffic)
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/3.0
set security zones security-zone Tel-trust host-inbound-traffic system-services all
set security zones security-zone Tel-trust host-inbound-traffic protocols all
set security zones security-zone Tel-trust interfaces ge-0/0/4.0
set security zones security-zone CNC-trust host-inbound-traffic system-services all
set security zones security-zone CNC-trust host-inbound-traffic protocols all
set security zones security-zone CNC-trust interfaces ge-0/0/5.0
set security zones security-zone MGT host-inbound-traffic system-services all
set security zones security-zone MGT host-inbound-traffic protocols all
set security zones security-zone MGT interfaces ge-0/0/6.0
// bind the logical interfaces to zones and open all protocols and services for access to the firewall's directly connected interfaces

3. Virtual routers (dual-ISP access)

Requirements:
Traffic from zone trust to destination ports 22, 3389 and 8080 goes via Tel. All traffic from host 192.168.3.2 in zone trust goes via Tel. All traffic not explicitly specified goes via CNC. Host 192.168.3.5 in zone trust publishes its Remote Desktop service externally through Tel-trust (192.168.4.5) and CNC-trust (192.168.5.5), so that traffic arriving from one ISP returns via that same ISP (for connections initiated from outside). Permit all hosts in zone trust to access the Internet. Permit all external access to the Remote Desktop service on internal host 192.168.3.5. Provide load sharing with redundancy.

Configuration:
set routing-instances Tel instance-type virtual-router
set routing-instances Tel interface ge-0/0/4.0
set routing-instances Tel routing-options interface-routes rib-group inet Big-rib
set routing-instances Tel routing-options static route 0.0.0.0/0 next-hop 192.168.4.2
set routing-instances Tel routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.5.2 preference 100
set routing-instances CNC instance-type virtual-router
set routing-instances CNC interface ge-0/0/5.0
set routing-instances CNC routing-options interface-routes rib-group inet Big-rib
set routing-instances CNC routing-options static route 0.0.0.0/0 next-hop 192.168.5.2
set routing-instances CNC routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.4.2 preference 100
set interfaces ge-0/0/3 unit 0 family inet address 192.168.3.1/24
set interfaces ge-0/0/4 unit 0 family inet address 192.168.4.1/24
set interfaces ge-0/0/5 unit 0 family inet address 192.168.5.1/24
set interfaces ge-0/0/6 unit 0 family inet address 10.10.30.189/24
set routing-options interface-routes rib-group inet Big-rib
set routing-options static route 10.0.0.0/8 next-hop 10.10.30.1
set routing-options static route 0.0.0.0/0 next-hop 192.168.4.2
set routing-options static route 0.0.0.0/0 install
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options rib-groups Big-rib import-rib inet.0
set routing-options rib-groups Big-rib import-rib CNC.inet.0
set routing-options rib-groups Big-rib import-rib Tel.inet.0
set security nat destination pool 111 address 192.168.3.5/32
set security nat destination rule-set 1 from zone Tel-trust
set security nat destination rule-set 1 rule 111 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 111 match destination-address 192.168.4.5/32
set security nat destination rule-set 1 rule 111 match destination-port 3389
set security nat destination rule-set 1 rule 111 then destination-nat pool 111
set security nat destination rule-set 2 from zone CNC-trust
set security nat destination rule-set 2 rule 222 match source-address 0.0.0.0/0
set security nat destination rule-set 2 rule 222 match destination-address 192.168.5.5/32
set security nat destination rule-set 2 rule 222 match destination-port 3389
set security nat destination rule-set 2 rule 222 then destination-nat pool 111
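The session output in the section 1 verification is the evidence that the design works, and it can be checked mechanically. The following Python script is an added example, not part of the original document: it parses `show security flow session` text and checks each inbound port-3389 session against the section 1 design (client must hit the address of the ISP interface it arrived on, the reply wing must come from 192.168.3.5 on ge-0/0/3.0 and be addressed back to the original client). The sample text is constructed from the two sessions on the page plus one deliberately wrong session (ID 9999) to exercise the checks.

```python
"""Audit `show security flow session` output against the section 1 design.

Added example, not from the original document. SAMPLE is constructed: the
first two sessions copy the page's output, session 9999 is a made-up bad one.
"""
import re

SERVER = ("192.168.3.5", 3389)          # destination NAT pool 111
TRUST_IF = "ge-0/0/3.0"
# ISP-facing interface -> firewall address that the DNAT rule-set matches on
ISP_VIP = {"ge-0/0/4.0": "192.168.4.1", "ge-0/0/5.0": "192.168.5.1"}

SESSION_RE = re.compile(r"Session ID: (\d+), Policy name: (\S+), Timeout: (\d+), (\w+)")
WING_RE = re.compile(r"(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+), "
                     r"Pkts: (\d+), Bytes: (\d+)")

SAMPLE = """\
Session ID: 9696, Policy name: default-permit/5, Timeout: 1794, Valid
  In: 192.168.100.211/57408 --> 192.168.5.1/3389;tcp, If: ge-0/0/5.0, Pkts: 2, Bytes: 112
  Out: 192.168.3.5/3389 --> 192.168.100.211/57408;tcp, If: ge-0/0/3.0, Pkts: 1, Bytes: 60
Session ID: 9697, Policy name: default-permit/4, Timeout: 1796, Valid
  In: 192.168.100.211/57409 --> 192.168.4.1/3389;tcp, If: ge-0/0/4.0, Pkts: 2, Bytes: 112
  Out: 192.168.3.5/3389 --> 192.168.100.211/57409;tcp, If: ge-0/0/3.0, Pkts: 1, Bytes: 60
Session ID: 9999, Policy name: default-permit/4, Timeout: 1800, Valid
  In: 192.168.100.211/57410 --> 192.168.4.1/3389;tcp, If: ge-0/0/5.0, Pkts: 2, Bytes: 112
  Out: 192.168.4.1/3389 --> 192.168.100.211/57410;tcp, If: ge-0/0/3.0, Pkts: 1, Bytes: 60
"""


def parse_sessions(text):
    """Group each 'Session ID' header with its In/Out wings."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            cur = {"id": int(m.group(1)), "policy": m.group(2),
                   "timeout": int(m.group(3)), "state": m.group(4)}
            sessions.append(cur)
            continue
        m = WING_RE.search(line)
        if m and cur is not None:
            cur[m.group(1).lower()] = {
                "src": m.group(2), "sport": int(m.group(3)),
                "dst": m.group(4), "dport": int(m.group(5)),
                "proto": m.group(6), "intf": m.group(7),
                "pkts": int(m.group(8)), "bytes": int(m.group(9))}
    return sessions


def check_inbound_rdp(s):
    """Findings for one session; an empty list means it matches the design."""
    findings = []
    i, o = s.get("in"), s.get("out")
    if i is None or o is None:
        return ["missing In or Out wing"]
    # 1. The client must have addressed the VIP that belongs to the ingress ISP
    #    interface; otherwise the packet entered one ISP aimed at the other.
    vip = ISP_VIP.get(i["intf"])
    if vip is None:
        findings.append("ingress %s is not an ISP interface" % i["intf"])
    elif (i["dst"], i["dport"]) != (vip, SERVER[1]):
        findings.append("ingress %s but destination %s/%d" % (i["intf"], i["dst"], i["dport"]))
    # 2. The Out wing is the reverse direction: its source must be the real
    #    server, which proves destination NAT took effect.
    if (o["src"], o["sport"]) != SERVER:
        findings.append("destination NAT not applied: reply from %s/%d" % (o["src"], o["sport"]))
    if o["intf"] != TRUST_IF:
        findings.append("reply enters on %s, not %s" % (o["intf"], TRUST_IF))
    # 3. The reply must be addressed to the original client; the session, not
    #    a fresh route lookup, then sends it back out the In interface.
    if (o["dst"], o["dport"]) != (i["src"], i["sport"]):
        findings.append("reply is not addressed to the original client")
    return findings


def audit(text):
    """Map session id -> findings for every session whose In wing targets 3389."""
    return {s["id"]: check_inbound_rdp(s) for s in parse_sessions(text)
            if "in" in s and s["in"]["dport"] == SERVER[1]}


if __name__ == "__main__":
    for sid, findings in audit(SAMPLE).items():
        print(sid, "OK" if not findings else "; ".join(findings))
```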
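The section 2 design combines two decisions: filter-1 on ge-0/0/3.0 chooses the routing instance by destination port, and each instance's 0.0.0.0/0 chooses its next hop by preference, falling back when a link is down. The following Python model is an added example, not the original document's code; it encodes the page's own filter terms, next hops and preferences (5 and 100 in the virtual routers as shown by `show route`, 10 and 100 in inet.0) and reproduces the sessions the page observed with both links up and with the CNC cable unplugged.

```python
"""Model of the section 2 design: filter-based forwarding plus preference-based
default-route fallback. Added example, not from the original document."""
from dataclasses import dataclass

# filter-1 term-1: destination ports sent to routing instance Tel; the term
# named "default" (no match conditions) sends everything else to CNC.
TEL_PORTS = frozenset({22, 3389, 8080})

# "source-nat interface": traffic leaving an ISP interface takes its address.
IF_ADDRESS = {"ge-0/0/4.0": "192.168.4.1", "ge-0/0/5.0": "192.168.5.1"}
IF_ZONE = {"ge-0/0/4.0": "Tel-trust", "ge-0/0/5.0": "CNC-trust"}


@dataclass(frozen=True)
class NextHop:
    gateway: str
    interface: str
    preference: int  # Junos route preference: lower wins


# 0.0.0.0/0 candidates per table, as the page's `show route` output lists them.
DEFAULT_ROUTES = {
    "Tel": (NextHop("192.168.4.2", "ge-0/0/4.0", 5),
            NextHop("192.168.5.2", "ge-0/0/5.0", 100)),
    "CNC": (NextHop("192.168.5.2", "ge-0/0/5.0", 5),
            NextHop("192.168.4.2", "ge-0/0/4.0", 100)),
    "inet.0": (NextHop("192.168.4.2", "ge-0/0/4.0", 10),
               NextHop("192.168.5.2", "ge-0/0/5.0", 100)),
}


def select_instance(dst_port):
    """filter-1 decision for a packet entering ge-0/0/3.0.
    dst_port is None for protocols without ports (e.g. ICMP)."""
    return "Tel" if dst_port in TEL_PORTS else "CNC"


def active_next_hop(instance, down_interfaces=frozenset()):
    """Active 0.0.0.0/0 next hop: the lowest-preference candidate whose egress
    interface is up. A static next hop is withdrawn when its interface goes
    down, which is exactly what the page tests by unplugging the CNC cable; an
    upstream outage that leaves the link up would keep the preferred route in
    place (RPM-based ip-monitoring is the usual Junos answer to that)."""
    up = [nh for nh in DEFAULT_ROUTES[instance] if nh.interface not in down_interfaces]
    return min(up, key=lambda nh: nh.preference) if up else None


def forward(src, proto, dst_port, down_interfaces=frozenset()):
    """Trace one trust-zone packet: filter -> route lookup -> interface source NAT.
    Returns the fields a matching `show security flow session` entry shows,
    or None when no default route is usable."""
    instance = select_instance(dst_port)
    nh = active_next_hop(instance, down_interfaces)
    if nh is None:
        return None
    return {
        "instance": instance,
        "egress_if": nh.interface,
        "gateway": nh.gateway,
        "to_zone": IF_ZONE[nh.interface],
        "nat_src": IF_ADDRESS[nh.interface],
        "orig_src": src,
        "proto": proto,
    }


if __name__ == "__main__":
    # Both links up: RDP leaves via Telecom, ICMP via CNC (page sessions 9693, 9703).
    print(forward("192.168.3.5", "tcp", 3389))
    print(forward("192.168.3.5", "icmp", None))
    # CNC cable unplugged: ICMP now leaves via Telecom (page session 10330).
    print(forward("192.168.3.2", "icmp", None, {"ge-0/0/5.0"}))
```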