Juniper Basic Configuration Commands
About users:
1. Change and configure the root user password
set system root-authentication plain-text-password
New password:
Retype new password:
2. Create a new user
set system login user vtg uid 101 class super-user // super-user grants full privileges
set system login user vtg authentication plain-text-password
New password:
Retype new password:
show cli authorization // show the current user's permissions
Configuration details
1. Configure an interface IP address
set interfaces ge-0/0/0.0 family inet address 124.207.100.1/24 // note that the subnet mask is written as a CIDR prefix length
or
set interfaces ge-0/0/0 unit 0 family inet address 124.207.100.1/24
2. Assign interfaces to security zones
set security zones security-zone untrust interfaces ge-0/0/0.0 // assign interface ge-0/0/0.0 to the untrust zone
set security zones security-zone trust interfaces ge-0/0/1.0
3. Enable the services the interface accepts (host-inbound-traffic)
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
Note: zone membership is by logical interface, so use ge-0/0/0.0 here as in step 2. Enabling telnet or http on an untrust interface exposes a cleartext management login (credentials and sessions readable on the wire) to the outside; for a real deployment allow only ssh (and ping if needed) on untrust and limit the sources that may reach it.
4. Create the global address book
set security address-book global address vlan10 192.168.10.0/24
set security address-book global address vlan20 192.168.20.0/24
set security address-book global address vlan30 192.168.30.0/24
Put the addresses above into an address set, as follows
set security address-book global address-set Inside_network address vlan10
set security address-book global address-set Inside_network address vlan20
set security address-book global address-set Inside_network address vlan30
Note: NAT rules can only reference addresses from the global address book (referencing a zone-attached address book fails at commit); global is the built-in address book, so define the addresses there.
5. Source NAT configuration
set security nat source rule-set src-nat from zone trust
set security nat source rule-set src-nat to zone untrust
set security nat source rule-set src-nat rule id1 match source-address 192.168.10.0/24 // a single IP or a single subnet
or
set security nat source rule-set src-nat rule id1 match source-address-name Inside_network // reference the address set created above
set security nat source rule-set src-nat rule id1 match destination-address 0.0.0.0/0
set security nat source rule-set src-nat rule id1 then source-nat interface // translate to the egress interface address
6. Destination NAT configuration
Configure the NAT pool first.
Example: publish an OA server to the public network
set security nat destination pool oa_web address 192.168.10.11/32 port 23 // server address 192.168.10.11, mapped to port 23
Destination NAT rule set
set security nat destination rule-set dst_nat from zone untrust
set security nat destination rule-set dst_nat rule id1 match destination-address 124.207.100.2/32
set security nat destination rule-set dst_nat rule id1 match destination-port 8080
set security nat destination rule-set dst_nat rule id1 match protocol tcp
set security nat destination rule-set dst_nat rule id1 then destination-nat pool oa_web // translation target: reference the configured pool name
Note: 124.207.100.2 is not the address of ge-0/0/0.0 itself (that is 124.207.100.1), so the SRX must also be configured to answer ARP for it (under security nat proxy-arp), otherwise the upstream router never delivers traffic for that address to the firewall. Destination NAT is applied before the security policy lookup, so the untrust-to-trust policy that allows this traffic must match the private address 192.168.10.11, not the public one.
7. Policy configuration
Default policies:
trust to trust --- permit any any (default-permit)
trust to untrust --- permit any any (default-permit)
untrust to trust --- deny any any (default-deny)
set security policies from-zone trust to-zone untrust policy default-permit match source-address any destination-address any application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
For new policies it is recommended to name them policy_id1* (e.g. policy_id10):
set security policies from-zone untrust to-zone trust policy policy_id10 match source-address any destination-address any application any
set security policies from-zone untrust to-zone trust policy policy_id10 then permit
Caution: as written, this policy permits all traffic from untrust to trust and opens the entire internal network. A real rule for the OA server above should match destination-address 192.168.10.11 (its private, post-NAT address) and only the published application.
Adjusting policy order (priority)
The insert command offers two positions:
after -- insert after the given data element
before -- insert before the given data element
insert security policies from-zone trust to-zone untrust policy new_policy before policy default-permit
// new_policy and default-permit are both policy names; policies are evaluated top-down and the first match wins, so order matters
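The following is an added example, not part of these notes and not a Juniper tool: an offline lint for the set-form configuration built in steps 2 through 7, plus a constructed hardened version of the same design. It flags the three things a reviewer would look for above: cleartext management services (telnet, http) on untrust, NAT rules naming objects that are not in the global address book, and an untrust-to-trust policy that permits any/any/any. The input format (one `set` statement per line with optional `//` comments), both sample configurations, the policy name oa_inbound, the address name oa_server, the proxy ARP line and the assumption that the OA server serves HTTP on port 80 are all mine, not the page's.

```python
"""Offline lint for a Junos SRX configuration in 'set' form. Added example; not
part of the original notes and not a Juniper tool. Assumes the input is what
'show configuration | display set' prints, one statement per line, optionally
followed by a '//' comment. Both sample configurations below are constructed."""
from collections import defaultdict

CLEARTEXT_SERVICES = {"telnet", "http"}  # management services with no transport encryption


def parse_set_config(text):
    """Tokenize every 'set ...' line, dropping '//' comments and any other line."""
    stmts = []
    for line in text.splitlines():
        line = line.split("//", 1)[0].strip()
        if line.startswith("set "):
            stmts.append(line.split()[1:])
    return stmts


def lint(text):
    """Return a sorted list of finding strings for the configuration text."""
    stmts = parse_set_config(text)
    findings = []
    # NAT rules may only reference names defined in the global address book.
    global_names = {t[4] for t in stmts if len(t) > 4 and t[:3] == ["security", "address-book", "global"]
                    and t[3] in ("address", "address-set")}
    policies = defaultdict(lambda: {"match": {}, "action": None})  # (from, to, name) -> terms
    for t in stmts:
        if t[:2] == ["security", "policies"] and len(t) > 9 and t[6] == "policy":
            pol = policies[(t[3], t[5], t[7])]
            if t[8] == "match":  # match terms are key/value pairs after 'match'
                pol["match"].update(zip(t[9::2], t[10::2]))
            elif t[8] == "then":
                pol["action"] = t[9]
        # Cleartext management service reachable from the untrust zone.
        if t[:4] == ["security", "zones", "security-zone", "untrust"] and "system-services" in t:
            svc = t[t.index("system-services") + 1]
            where = t[5] if t[4] == "interfaces" else "the whole zone"
            if svc in CLEARTEXT_SERVICES:
                findings.append(f"cleartext service {svc} enabled on untrust ({where})")
        # NAT *-address-name terms must resolve in the global address book.
        if t[:2] == ["security", "nat"] and "match" in t and "rule" in t:
            i = t.index("match")
            if t[i + 1].endswith("-address-name") and t[i + 2] not in global_names:
                findings.append(f"NAT rule {t[t.index('rule') + 1]} references '{t[i + 2]}', "
                                "which is not in the global address book")
    # Untrust -> trust policy that permits any source, destination and application.
    for (src, dst, name), pol in policies.items():
        m = pol["match"]
        if (src, dst, pol["action"]) == ("untrust", "trust", "permit") and all(
                m.get(k) == "any" for k in ("source-address", "destination-address", "application")):
            findings.append(f"policy {name} permits any/any/any from untrust to trust")
    return sorted(findings)


# Constructed sample: the notes' untrust-facing setup transcribed with its weak points.
WEAK_CONFIG = """
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set security nat source rule-set src-nat rule id1 match source-address-name Inside_network // never defined
set security policies from-zone untrust to-zone trust policy policy_id10 match source-address any destination-address any application any
set security policies from-zone untrust to-zone trust policy policy_id10 then permit
"""

# Constructed sample of the same design done properly: only ssh/ping face untrust, NAT names
# resolve in the global book, proxy ARP answers for 124.207.100.2 (not the interface's own
# address), the OA server is assumed to serve HTTP on port 80, and the inbound policy matches
# the private address because destination NAT runs before the policy lookup.
HARDENED_CONFIG = """
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security address-book global address vlan10 192.168.10.0/24
set security address-book global address oa_server 192.168.10.11/32
set security address-book global address-set Inside_network address vlan10
set security nat source rule-set src-nat rule id1 match source-address-name Inside_network
set security nat source rule-set src-nat rule id1 match destination-address 0.0.0.0/0
set security nat source rule-set src-nat rule id1 then source-nat interface
set security nat proxy-arp interface ge-0/0/0.0 address 124.207.100.2/32
set security nat destination pool oa_web address 192.168.10.11/32 port 80
set security nat destination rule-set dst_nat from zone untrust
set security nat destination rule-set dst_nat rule id1 match destination-address 124.207.100.2/32
set security nat destination rule-set dst_nat rule id1 match destination-port 8080
set security nat destination rule-set dst_nat rule id1 match protocol tcp
set security nat destination rule-set dst_nat rule id1 then destination-nat pool oa_web
set security policies from-zone untrust to-zone trust policy oa_inbound match source-address any destination-address oa_server application junos-http
set security policies from-zone untrust to-zone trust policy oa_inbound then permit
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, lint(cfg) or ["no findings"])
```

Run it against `show configuration | display set` output saved from a real device; the weak sample yields four findings and the hardened one none. The lint is deliberately narrow: it does not replace `commit check`, which still catches syntax errors such as misspelled keywords, but it catches the design mistakes that commit happily accepts.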