  • Adding an interface IP on a Juniper SRX so a PC can connect directly to the SRX (repost)

    Reposted from: https://www.jianshu.com/p/bc27134bde3d

    Originally published 2018.11.19 14:24:15

    Overview

    Requirement: a PC is cabled directly to the SRX firewall. Configure a point-to-point link address on the firewall, and allow the PC to reach the untrust zone so that it can access the Internet.
    In this example the firewall gets the new address 10.1.1.1/30.
    PC configuration: IP 10.1.1.2/30, gateway 10.1.1.1

    Notes

    Operational-mode prompt: root@srx>
    Configuration-mode prompt: root@srx#
    root@srx# run show config    # "run" executes an operational-mode command from configuration mode ("show config" is short for "show configuration")
    root@srx# show               # shows the candidate configuration: what has been entered, but not yet committed, so not necessarily in effect
    root@srx# run show config    # shows the committed (active) configuration
    root@srx> show config        # the same, from operational mode

    Configuration steps

    1. Check the existing interface IPs
      root@srx> show interfaces terse
      Pick an address that does not conflict with anything already configured.
    2. Check the routing table
      Once you have a candidate address, check whether the routing table already has a route to that subnet. No route is the normal case; if a route already exists, do not use that address.
      root@srx> show route
    3. Configure the interface IP and zone
      set interfaces ge-0/0/2 unit 0 family inet address 10.1.1.1/30
      set security zones security-zone trust interfaces ge-0/0/2 # for simplicity, add the interface to an existing zone; here the trust zone
      Junos records the zone membership against the logical interface, ge-0/0/2.0. Note that zone membership only governs transit traffic: the PC will only get a reply when it pings 10.1.1.1 if ping is allowed under host-inbound-traffic system-services for the trust zone (or for this interface), since that traffic is destined to the SRX itself.
    4. Check whether source NAT is configured
    root@srx# run show security nat source summary  # list the existing source NAT rules
    Total port number usage for port translation pool: 0
    Maximum port number for port translation pool: 67108864
    Total pools: 0
    
    Total rules: 7
    Rule name          Rule set       From              To                   Action
    1                  trust-to-untrust trust           untrust              interface
    
    root@srx# run show security nat source rule 1 
     
    source NAT rule: 1                    Rule-set: trust-to-untrust 
      Rule-Id                    : 1  
      Rule position              : 1
      From zone                  : trust
      To zone                    : untrust
      Match
        Source addresses         : 0.0.0.0         - 255.255.255.255  # the source address already matches any
        Destination addresses    : 0.0.0.0         - 255.255.255.255
        Destination port         : 0               - 0
      Action                        : interface 
        Persistent NAT type         : N/A              
        Persistent NAT mapping type : address-port-mapping 
        Inactivity timeout          : 0
        Max session number          : 0 
      Translation hits           : 111
    
    The existing rule already translates every source in trust towards untrust to the egress interface address, so the new host 10.1.1.2 is covered and no NAT change is needed.

    5. Check whether a security policy permits trust -> untrust
    root@srx# run show security policies from-zone trust to-zone untrust    
    From zone: trust, To zone: untrust
      Policy: ABC, State: enabled, Index: 18, Scope Policy: 0, Sequence number: 1
        Source addresses: OFFICE_Set  # only the address-book entry OFFICE_Set is permitted
        Destination addresses: any
        Applications: any
        Action: permit
      Policy: 1, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2
        Source addresses: any
        Destination addresses: any
        Applications: any
        Action: deny
    

    Policy ABC permits only the addresses in OFFICE_Set, and policy 1 then denies everything else, so traffic from 10.1.1.2 is currently denied. One option is to add the PC's address to whatever OFFICE_Set contains; here a separate address-book entry and policy are created instead.

    6. Add an address-book entry and a policy
    The address-book entry is required first (a bare host address is stored as a /32):
    root@srx# set security zones security-zone trust address-book address test_add 10.1.1.2
    Then add the policy:

    set security policies from-zone trust to-zone untrust policy 2 match source-address test_add
    set security policies from-zone trust to-zone untrust policy 2 match destination-address any
    set security policies from-zone trust to-zone untrust policy 2 match application any
    set security policies from-zone trust to-zone untrust policy 2 then permit
    

    7. Check the order of the policies

    root@srx# show security policies from-zone trust to-zone untrust | display set
    set security policies from-zone trust to-zone untrust policy 1 match source-address any
    set security policies from-zone trust to-zone untrust policy 1 match destination-address any
    set security policies from-zone trust to-zone untrust policy 1 match application any
    set security policies from-zone trust to-zone untrust policy 1 then deny
    set security policies from-zone trust to-zone untrust policy 2 match source-address test_add
    set security policies from-zone trust to-zone untrust policy 2 match destination-address any
    set security policies from-zone trust to-zone untrust policy 2 match application any
    set security policies from-zone trust to-zone untrust policy 2 then permit
    

    As shown above, the newly added policy 2 sits below policy 1. Security policies are evaluated top to bottom and the first match wins, so traffic from 10.1.1.2 would hit policy 1 first and be denied.
    The policy order therefore has to be changed, with the following command in configuration mode:
    insert security policies from-zone trust to-zone untrust policy 2 before policy 1

    8. Commit the configuration
      root@srx# commit
      (commit check validates the candidate configuration without activating it.) After the commit, run show security policies from-zone trust to-zone untrust again: policy 2 should now appear before policy 1.
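    The ordering problem in steps 7 and 8 is easy to miss on a long policy list, so the following Python is added here as an editor's example (it is not code from the original post or from Juniper). It parses the page's own "| display set" output together with the zone address book, evaluates a flow the way the SRX does (first matching policy wins, with an implicit default deny when nothing matches), and then applies the same reordering as "insert ... policy 2 before policy 1". It is a deliberately simplified model: it assumes only address-book "address" entries (no address-sets or global address book), compares application names literally, and treats any name it cannot resolve as non-matching. The sample input is constructed from the post's output.

```python
import ipaddress
import re

# Regexes for the two `display set` line shapes the evaluator models.
POLICY_RE = re.compile(
    r"^set security policies from-zone (?P<fz>\S+) to-zone (?P<tz>\S+) "
    r"policy (?P<name>\S+) (?:match (?P<field>source-address|destination-address"
    r"|application) (?P<value>\S+)|then (?P<action>permit|deny|reject))$"
)
ADDR_RE = re.compile(
    r"^set security zones security-zone (?P<zone>\S+) address-book address "
    r"(?P<name>\S+) (?P<prefix>\S+)$"
)


def parse_display_set(lines):
    """Return (address_book, policies); the policy list is in evaluation order."""
    book, policies, by_key = {}, [], {}
    for raw in lines:
        line = raw.strip()
        m = ADDR_RE.match(line)
        if m:
            prefix = m["prefix"] if "/" in m["prefix"] else m["prefix"] + "/32"  # bare host = /32
            book.setdefault(m["zone"], {})[m["name"]] = ipaddress.ip_network(prefix, strict=False)
            continue
        m = POLICY_RE.match(line)
        if not m:
            continue  # lines this simplified model does not handle are ignored
        key = (m["fz"], m["tz"], m["name"])
        if key not in by_key:
            by_key[key] = {"from": m["fz"], "to": m["tz"], "name": m["name"],
                           "source-address": [], "destination-address": [],
                           "application": [], "action": None}
            policies.append(by_key[key])
        if m["action"]:
            by_key[key]["action"] = m["action"]
        else:
            by_key[key][m["field"]].append(m["value"])
    return book, policies


def insert_before(policies, name, before):
    """Reorder like `insert security policies ... policy NAME before policy BEFORE`."""
    moving = next(p for p in policies if p["name"] == name)
    rest = [p for p in policies if p is not moving]
    idx = next(i for i, p in enumerate(rest) if p["name"] == before)
    return rest[:idx] + [moving] + rest[idx:]


def _addr_match(book, zone, names, ip):
    for n in names:
        if n == "any":
            return True
        net = book.get(zone, {}).get(n)
        # An unresolvable name (e.g. an address-set absent from the input) is
        # treated as not matching, so nothing is permitted by accident.
        if net is not None and ip in net:
            return True
    return False


def evaluate(book, policies, from_zone, to_zone, src, dst, app="any"):
    """First-match lookup: (policy_name, action), or (None, "deny") for the
    SRX implicit default deny when no policy matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if (p["from"], p["to"]) != (from_zone, to_zone):
            continue
        if not _addr_match(book, from_zone, p["source-address"], src):
            continue
        if not _addr_match(book, to_zone, p["destination-address"], dst):
            continue
        if "any" not in p["application"] and app not in p["application"]:
            continue
        return p["name"], p["action"]
    return None, "deny"


# Constructed input: the address-book line plus the `display set` output from
# the post, i.e. the state right after policy 2 was added and before `insert`.
SAMPLE = """
set security zones security-zone trust address-book address test_add 10.1.1.2
set security policies from-zone trust to-zone untrust policy 1 match source-address any
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then deny
set security policies from-zone trust to-zone untrust policy 2 match source-address test_add
set security policies from-zone trust to-zone untrust policy 2 match destination-address any
set security policies from-zone trust to-zone untrust policy 2 match application any
set security policies from-zone trust to-zone untrust policy 2 then permit
""".strip().splitlines()


def demo():
    """The PC's flow before and after the `insert`, plus a host that is not in
    the address book and must still be denied afterwards."""
    book, policies = parse_display_set(SAMPLE)
    before = evaluate(book, policies, "trust", "untrust", "10.1.1.2", "8.8.8.8")
    fixed = insert_before(policies, "2", "1")
    after = evaluate(book, fixed, "trust", "untrust", "10.1.1.2", "8.8.8.8")
    other = evaluate(book, fixed, "trust", "untrust", "10.1.1.5", "8.8.8.8")
    return before, after, other


if __name__ == "__main__":
    print(demo())  # (('1', 'deny'), ('2', 'permit'), ('1', 'deny'))
```

    Run against a real box, the input would be the output of "show security policies ... | display set" plus the matching "show security zones ... address-book | display set" lines; the point the example makes is that appending a permit policy changes nothing until it is moved above the catch-all deny, and that moving it still leaves hosts outside test_add denied.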
  • Original address: https://www.cnblogs.com/paddingtoneyes/p/11708496.html