Juniper NetScreen Firewall Training: Route Mode
Juniper Firewall Product Training

Market leadership: Gartner 2004 report
Juniper #1 out of 18 vendors
The Gartner Magic Quadrant is a widely respected assessment of vendor strength within a specific IT market segment. It evaluates vendors on all fronts: completeness and functionality of the product line, technical strength, innovation, successful deployments, the ability to meet customers' current and future needs, and execution capability including service and support, market share, financial health and other key indicators.
• SARFT (State Administration of Radio, Film and Television) national backbone
• National backbone: more than 50% of the equipment
Market opportunity: roughly USD 7 billion or more
• The security market is estimated to hold an opportunity of more than USD 7 billion
• This includes IPS, SSL VPN, routing functions and firewall/VPN
• Firewall/VPN remains the largest segment of the security market
• Our strength is firewall/VPN products
• Continue to drive the development of security products
Advanced hardware design

General-purpose architecture (PC appliances and pseudo-appliances: OS, VPN coprocessor, CPU, RAM, bus, I/O, applications):
• Data is passed across several non-optimized interfaces
• Every API introduces security risk
• Processing latency leads to unpredictable behaviour
• The data path cannot be optimized

Purpose-built security processing (NetScreen advanced architecture: GigaScreen ASIC, CPU, high-speed backplane, RAM, I/O, security-specific real-time OS, integrated security applications):
• Flow-based, linear packet processing
• Every processing module is optimized
• Applications and hardware are optimized for security processing and performance

ScreenOS features
• Security-specific real-time operating system
• Designed entirely to perform compute-intensive security functions without affecting throughput
• Tightly integrated with the hardware platform, the security OS and the security applications
• Stateful, protocol-level intelligence
• Integrated Deep Inspection, antivirus, web filtering and more
• A purpose-built OS reduces patching and testing
• The same security-specific OS is deployed across the entire firewall/IPsec VPN product line

ScreenOS IPv6
• Production-grade commercial IPv6 support for the stateful firewall and IPsec VPN
• Dual-stack architecture, so a single device supports and protects IPv4 and IPv6 networks at the same time
• All major IPv6 transition mechanisms: IPv4-to-IPv6 and IPv6-to-IPv4 migration (IPv4 in IPv6 tunnels and IPv6 in IPv4 tunnels), plus NAT-PT for IPv6
• RIPng dynamic routing, so customers can scale IPv6 deployments in production networks
• Protection of IPv6 networks against SYN flood and other attacks, so customers can withstand denial-of-service attacks launched from IPv4 or IPv6 networks

Juniper firewall product line
NS series: NS-5GT, NS-25, NS-50, NS-204, NS-208, NS-500, NS-HSC, NS-5200, NS-5400
ISG series: ISG 1000, ISG 2000
SSG series: SSG 5, SSG 20, SSG 140, SSG 320, SSG 350, SSG 520M, SSG 550M

Agenda
• Juniper introduction
• Juniper firewall/VPN product line
• Juniper ISG integrated security gateway series
• Juniper SSG secure services gateway series
• Product comparison
• Case studies
Juniper firewall policy-based routing configuration

1. Network topology and requirements
   1) The default route goes via China Telecom.
   2) The PC with source address 192.168.1.10 reaches China Telecom addresses in 1.0.0.0/8 via Telecom and reaches the rest of the Internet via China Netcom.

2. Create the extended ACLs
   1) Go to Network > Routing > PBR > Extended ACL List and click New:
      Extended ACL ID: the ACL number
      Sequence No.: the entry number
      Source address: 192.168.1.10/32
      Destination address: 1.0.0.0/8
      Protocol: any
      Port range: 1-65535
      Click OK.
   2) Click Add Seq No. and create a second, otherwise identical entry with protocol ICMP. Without it, traceroute (ICMP) does not match the port-range entry and still follows the default route.
   3) Create the ACL for destination 0.0.0.0/0 in the same way, again adding an ICMP entry.
   CLI equivalent:
      set access-list extended 10 src-ip 192.168.1.10/32 dst-ip 1.0.0.0/8 src-port 1-65535 dst-port 1-65535 protocol any entry 10
      set access-list extended 10 src-ip 192.168.1.10/32 dst-ip 1.0.0.0/8 protocol icmp entry 20
      set access-list extended 20 src-ip 192.168.1.10/32 dst-ip 0.0.0.0/0 src-port 1-65535 dst-port 1-65535 protocol any entry 10
      set access-list extended 20 src-ip 192.168.1.10/32 dst-ip 0.0.0.0/0 protocol icmp entry 20

3. Configure the match groups
   Go to Network > Routing > PBR > Match Group and click Add. A match group simply associates an ACL; create one for each of the two ACLs.
   CLI equivalent:
      set match-group name group_10
      set match-group group_10 ext-acl 10 match-entry 10
      set match-group name group_20
      set match-group group_20 ext-acl 20 match-entry 10

4. Configure the action groups
   Go to Network > Routing > PBR > Action Group and click Add. This is where the next-hop interface and address are specified.
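To make the ICMP caveat concrete: the following Python model, an added example rather than ScreenOS code or anything from the original page, walks a flow through the PBR lookup as the page describes it (extended ACL entries in sequence order, one match group per ACL, then the action group's next hop) and shows that without the 'protocol icmp' entries a traceroute from 192.168.1.10 falls back to the default route. The next-hop names telecom-gw and unicom-gw are placeholders, because the page's action-group section is cut off, and the rule that port ranges only apply to TCP/UDP is the behaviour the page describes, implemented here as an assumption of the model.

```python
"""Model of the ScreenOS policy-based routing lookup (extended ACL -> match group -> action group).

Added example, not part of the original page or of ScreenOS. It models the
behaviour the page depends on: an ACL entry carrying port ranges is only
compared with TCP/UDP flows, so ICMP (traceroute) falls back to the default
route unless the ACL also has a 'protocol icmp' entry. Next-hop names and all
class/function names below are assumptions made for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

PORTED = {"tcp", "udp"}                 # protocols that carry L4 ports
Range = Optional[Tuple[int, int]]       # inclusive (lo, hi) or None


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class AclEntry:
    """One 'set access-list extended <id> ... entry <n>' line."""
    entry: int
    src: str
    dst: str
    protocol: str = "any"
    src_port: Range = None
    dst_port: Range = None

    def matches(self, f: Flow) -> bool:
        if ip_address(f.src) not in ip_network(self.src, strict=False):
            return False
        if ip_address(f.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.protocol not in ("any", f.proto):
            return False
        if self.src_port or self.dst_port:
            # Assumption (matches the page's caveat): port ranges only apply to
            # protocols that carry ports, so a ported entry never matches ICMP.
            if f.proto not in PORTED:
                return False
            if self.src_port and not self.src_port[0] <= f.sport <= self.src_port[1]:
                return False
            if self.dst_port and not self.dst_port[0] <= f.dport <= self.dst_port[1]:
                return False
        return True


def build_page_config(with_icmp_entries: bool):
    """Return the page's two ACLs plus the ordered (acl id, next hop) bindings.

    Each match group wraps exactly one ACL, so the match-group layer is folded
    into the ACL id. Bindings are evaluated top-down, ACL 10 (1.0.0.0/8) first.
    """
    ports = (1, 65535)
    acl10 = [AclEntry(10, "192.168.1.10/32", "1.0.0.0/8", "any", ports, ports)]
    acl20 = [AclEntry(10, "192.168.1.10/32", "0.0.0.0/0", "any", ports, ports)]
    if with_icmp_entries:
        acl10.append(AclEntry(20, "192.168.1.10/32", "1.0.0.0/8", "icmp"))
        acl20.append(AclEntry(20, "192.168.1.10/32", "0.0.0.0/0", "icmp"))
    # Placeholder next hops: the page's action-group section is truncated.
    return {10: acl10, 20: acl20}, [(10, "telecom-gw"), (20, "unicom-gw")]


def next_hop(flow: Flow, with_icmp_entries: bool,
             default: str = "telecom-gw (default route)") -> str:
    """First binding whose ACL matches wins; otherwise the routing table decides."""
    acls, bindings = build_page_config(with_icmp_entries)
    for acl_id, hop in bindings:
        for e in sorted(acls[acl_id], key=lambda e: e.entry):
            if e.matches(flow):
                return hop
    return default


if __name__ == "__main__":
    web_to_telecom = Flow("192.168.1.10", "1.2.3.4", "tcp", 40000, 80)
    web_to_internet = Flow("192.168.1.10", "8.8.8.8", "tcp", 40000, 443)
    traceroute = Flow("192.168.1.10", "8.8.8.8", "icmp")
    print("tcp -> 1.0.0.0/8      :", next_hop(web_to_telecom, True))
    print("tcp -> Internet       :", next_hop(web_to_internet, True))
    print("icmp, with icmp entry :", next_hop(traceroute, True))
    print("icmp, without         :", next_hop(traceroute, False))
```

The model also shows why the ACL order matters: if the 0.0.0.0/0 binding were evaluated before the 1.0.0.0/8 one, every flow from the PC would take the Netcom next hop.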
Juniper firewall basic configuration

Basic firewall configuration steps

Basic configuration takes three steps:
1. Configure the interface IP addresses and the interface mode.
2. Configure the default route.
3. Configure a permit policy from Trust to Untrust.

[Screenshot: the interface list. Click Edit to edit an interface; the trust and untrust interfaces both need editing.]

[Screenshot: the trust interface after clicking Edit.] Enter only the IP address and the mask length. Note: the Manage IP field must be left blank; the value in the screenshot was generated automatically. Leave everything else at its default and click OK.

[Screenshot: the untrust interface after clicking Edit.] Select Static IP and enter the IP address and mask length; this is the public IP address. Leave Manage IP blank and set the mode to Route. Under Service Options, tick WebUI, Telnet and Ping as shown, then click OK.
Caveat: ticking these on the untrust interface exposes the management plane to the public side, and both Telnet and the plain-HTTP WebUI carry administrator credentials in cleartext. If management from outside is really needed, prefer SSH and SSL and restrict the addresses that may manage the device.

Click Destination in the left pane to open the routing page, then click New.

[Screenshot: the New route form.] Enter 0.0.0.0/0 as IP address/netmask, set Next Hop to Gateway, pick the outbound (untrust) interface from the Interface drop-down, and enter the next-hop gateway of the untrust interface's address as Gateway IP Address. Leave the rest at the defaults and click OK.

On the Policies page set From to trust and To to untrust, then click New.

[Screenshot: the New policy form.] Set Source Address, Destination Address and Service to Any, set Action to Permit, tick Logging, leave the rest at the defaults and click OK.

[Screenshot: the policy list.] The highlighted row is the policy created by the step above.
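The steps above produce a working box, but the untrust-interface settings deserve a check before it goes live. The following Python script, an added example that is not part of the original document or of ScreenOS, reads the CLI equivalent of the configuration built above (a constructed config dump using the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and reports cleartext management on Untrust interfaces, management reachable from Untrust without a 'set admin manager-ip' restriction, and permit-all policies. A hardened variant of the same configuration (SSH and SSL instead of Telnet and WebUI, one permitted manager address) is included so the two can be compared. The function names are ours; the commands are ScreenOS's.

```python
"""Audit a ScreenOS configuration for the exposure the basic setup leaves behind.

Added example, not part of the original page or of ScreenOS. The Web UI steps
above enable WebUI, Telnet and Ping on the Untrust interface and add a
Trust->Untrust Any/Any/ANY permit. This script parses the equivalent CLI lines
(constructed sample below) and reports the findings a reviewer would raise.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)

# Constructed: the page's setup as CLI. 203.0.113.0/24 is a documentation prefix.
AS_CONFIGURED = """\
set interface ethernet1 zone trust
set interface ethernet1 ip 192.168.1.1/24
set interface ethernet1 route
set interface ethernet3 zone untrust
set interface ethernet3 ip 203.0.113.2/30
set interface ethernet3 route
set interface ethernet3 manage web
set interface ethernet3 manage telnet
set interface ethernet3 manage ping
set route 0.0.0.0/0 interface ethernet3 gateway 203.0.113.1
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
"""

# Same reachability, hardened: encrypted management only, one permitted admin host.
HARDENED = (AS_CONFIGURED
            .replace("manage web", "manage ssl")
            .replace("manage telnet", "manage ssh")
            + "set admin manager-ip 198.51.100.10 255.255.255.255\n")

CLEARTEXT = {"telnet", "web"}   # 'web' is the plain-HTTP WebUI; 'ssl' is its encrypted form

IFACE_ZONE = re.compile(r'^set interface (\S+) zone "?(\w+)"?$')
IFACE_MANAGE = re.compile(r"^set interface (\S+) manage (\w+)$")
POLICY = re.compile(r'^set policy(?: id \d+)? from "?(\w+)"? to "?(\w+)"?'
                    r'\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?\s+(permit|deny)(.*)$')
MANAGER_IP = re.compile(r"^set admin manager-ip (\S+)")


def parse(config: str):
    """Collect interface zones, per-interface management services, policies, manager IPs."""
    zones: Dict[str, str] = {}
    manage: Dict[str, set] = defaultdict(set)
    policies: List[dict] = []
    manager_ips: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := IFACE_ZONE.match(line):
            zones[m[1]] = m[2].lower()
        elif m := IFACE_MANAGE.match(line):
            manage[m[1]].add(m[2].lower())
        elif m := POLICY.match(line):
            policies.append({"from": m[1].lower(), "to": m[2].lower(),
                             "src": m[3].lower(), "dst": m[4].lower(), "svc": m[5].lower(),
                             "action": m[6], "log": "log" in m[7].split()})
        elif m := MANAGER_IP.match(line):
            manager_ips.append(m[1])
    return zones, manage, policies, manager_ips


def audit(config: str) -> List[Finding]:
    zones, manage, policies, manager_ips = parse(config)
    findings: List[Finding] = []
    exposed = [i for i in manage if zones.get(i) == "untrust"]
    for iface in exposed:
        for svc in sorted(manage[iface]):
            sev = "high" if svc in CLEARTEXT else "medium"
            findings.append((sev, f"{svc} management enabled on Untrust interface {iface}"))
    if exposed and not manager_ips:
        findings.append(("high", "management reachable from Untrust with no "
                                 "'set admin manager-ip' restriction"))
    for p in policies:
        if p["action"] == "permit" and (p["src"], p["dst"], p["svc"]) == ("any", "any", "any"):
            sev = "low" if p["from"] == "trust" else "high"   # inbound permit-all is the bad case
            suffix = "" if p["log"] else " without logging"
            findings.append((sev, f"permit-all policy {p['from']}->{p['to']}{suffix}"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("as configured", AS_CONFIGURED), ("hardened", HARDENED)):
        print(f"--- {label}")
        for sev, msg in audit(cfg):
            print(f"{sev:6} {msg}")
```

Running it on the page's configuration yields two high findings for Telnet and WebUI on ethernet3 plus one for the missing manager-ip restriction; the hardened variant drops to medium findings only, because SSH, SSL and Ping are still reachable from the public side.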
Juniper firewall HA configuration: active/passive (L3 route mode)

Author: xxxx  Date: xxxx

Juniper HA active/passive (L3) route mode configuration

In practice, a full-mesh topology for an active/passive firewall pair is rarely feasible. Juniper firewalls ship with four physical Ethernet ports as standard; a full mesh needs additional Ethernet interfaces on the firewalls (raising the customer's cost) or subinterfaces on the physical ports (making the configuration considerably more complex), and most customer networks do not have as many devices as a full-mesh design assumes. Active/passive is therefore mostly deployed in a partially redundant network.

[Topology diagram: the two firewalls joined by an HA link; uplinks on switch ports G2/1, G2/23 and G2/24.]

Commands on firewall A (priority 10; in NSRP the lower priority value wins the master election):
set hostname ISG1000-A
set interface "ethernet1/4" zone "HA"
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group id 0 priority 10
set nsrp vsd-group id 0 preempt
set nsrp vsd-group id 0 monitor interface ethernet1/1
set nsrp vsd-group id 0 monitor interface ethernet1/2
set interface ethernet1 zone trust
set interface ethernet1 ip <address>/24          (the address is missing from the source)
set interface ethernet1 manage-ip <address>      (the address is missing from the source)
set interface ethernet2 zone Untrust
set ... .254/24                                  (command truncated in the source)
set inter... .1                                  (command truncated in the source)
set interface eth1 manage
set interface eth2 manage

Commands on firewall B (priority 100, the backup):
set hostname ISG1000-B
set interface "ethernet1/4" zone "HA"
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group id 0 priority 100
set nsrp vsd-group id 0 preempt
set nsrp vsd-group id 0 monitor interface ethernet1/1
set nsrp vsd-group id 0 monitor interface ethernet1/2
set interface ethernet1 zone trust
set interface ethernet1 ip <address>/24          (the address is missing from the source)
set interface ethernet1 manage-ip <address>      (the address is missing from the source)
set interface ethernet2 zone Untrust
set interface ethernet2 manage-ip 172.16.1.2
set interface eth1 manage
set interface eth2 manage

Commands to run on either firewall (policies are synchronized across the cluster):
set policy id 2 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 3 from "UnTrust" to "trust" "Any" "Any" "ANY" permit
Note that policy 3 permits all inbound traffic from Untrust to Trust; it is suitable for verifying the failover in a lab, not for production.

Finally, on both A and B, synchronize and save the global configuration:
exec nsrp sync global-config save

The HA link carries the mirrored session state and configuration, so it belongs on a dedicated, physically protected segment.
Juniper NetScreen Firewall Training: Advanced

Proprietary and Confidential
Copyright © 2008 Juniper Networks, Inc.

Branch C: gateway settings
Advanced options: the mode setting must be the same on both VPN peers (in the gateway's Advanced options this is the IKE Main/Aggressive mode).

L2TP tunnel policy settings
Source address: Dial-Up VPN (system-defined)
Action: Tunnel
Select the L2TP tunnel

Headquarters A: gateway settings
Advanced options: the mode setting must be the same on both VPN peers.

MAC binding takes three steps:
1. Force ARP resolution of the destination IP: set arp always-on-dest
2. Create the static ARP binding: set arp 10.0.0.250 0002b34896fc trust
3. Create an address group that contains only the IP addresses with MAC bindings, then write a policy that permits only that group.
Caveat: a static ARP entry stops a host from using a bound IP with a different MAC, because the firewall only ever sends the return traffic to the bound MAC; an attacker on the same segment who spoofs both the IP and the MAC is not stopped by it.

Static-to-static VPN configuration
[Topology diagram: Branch Trust 10.1.0.1, Untrust 3.3.3.1; Headquarters Trust 10.50.0.1]
Juniper firewall Internet connectivity and port mapping

Create the Trust-to-Untrust zone policy
[Screenshot: the policy list; the marked link opens the policy log.]
Policy configuration complete

Route mode configuration complete
After configuration:
1. Ping test: from an internal PC, ping 192.168.1.1 to test connectivity to the firewall.
2. Ping test: from an internal PC, ping an external address to test Internet connectivity.

[Topology diagram: internal interface E0/2, 192.168.1.1/24; external interface E0/0]

Interface address table (initial)
Edit the default external interface

Firewall deployment mode 2: transparent mode
Transparent mode on trunk links, explained with a concrete environment
[Topology diagram: router, trunk links, firewall in transparent mode (ROUTE / TRUNK / FW)]

Configure the VLAN 1 IP address used for management
Use a private address different from the default for management
NetScreen Configuration Manual

Juniper NetScreen configuration manual

Transparent mode

Configuring the firewall for transparent mode:
1. Create a Layer 2 zone
   set zone name <name> L2 <vlan_tag>
   Example: set zone name L2-Demo L2 1
2. Assign the interfaces to the security zone
   set interface <int-name> zone <zone-name>
   Example: set interface e3 zone L2-Demo
3. Management configuration
   a. Configure the management IP address (on the vlan1 interface)
   b. Select the broadcast behaviour
      set vlan1 broadcast <flood | arp>
   c. Configure the management options of vlan1
      set interface vlan1 manage
      Example: set int vlan1 manage
      set interface vlan1 manage [<service>]
      Examples: set int vlan1 manage web
                set int vlan1 manage ssl
                set int vlan1 manage nsmgmt
   d. Configure the management options of each zone
      set zone <name> manage [<service>]
      Example: set zone v1-dmz manage web

Verification tools in transparent mode:
   get interface
   get arp
   get mac-learn
   get session

Layer 3 (route) mode

Configuring the firewall for Layer 3 operation:
1. Create a zone
   set zone name <name>
   Example: set zone name Private
2. Assign interfaces to the zone
   set interface <int-name> zone <zone-name>
   Example: set interface e8 zone untrust
3. Assign an IP address to the interface
   set interface <name> ip <X.X.X.X>/<mask>
   Example: set interface e8 ip 1.1.8.1/24
4. Configure static routes
   set route <network>/<mask> interface <out_int> gateway <nhr>
   Example: set route 10.1.10.0/24 interface e1 gateway 10.1.1.254

Verifying a route:
   get route ip <address>
   Example:
   ns208-> get route ip 10.1.10.5
   Destination Routes for 10.1.10.5
   ---------------------
   trust-vr : => 10.1.10.0/24 (id=6) via 10.1.1.254 (vr: trust-vr)
   Interface ethernet1 , metric 1

Displaying the virtual routers:
   ns208-> get vrouter
     ID  Name        Vsys  Owner   Export  Routes  OSPF  BGP  RIP
      1  untrust-vr  Root  shared  n/a     0/max
   *  2  trust-vr    Root  shared  no      8/max
   total 2 vrouters shown and 0 of them defined by user
   * indicates default vrouter for the current vsys

Configuring two virtual routers:
1. Assign the zone to a VR
   set zone <name> vrouter <name>
   Example: set zone Untrust vrouter untrust-vr
2. Assign interfaces to the zone
3. Assign IP addresses to the interfaces
4. Configure the inter-VR route
   set vrouter <name> route <network>/<mask> vrouter <name>
   Example: set vrouter untrust-vr route 10.1.10.0/24 vrouter trust-vr

Interface mode:
   set interface <name> [route | nat]
   Example: set interface e1 nat

Policy configuration and advanced options

Creating a policy:
1. Create the address book entries
2. Create the services
   View the predefined services: get service pre-defined
   Create a custom service: set service name <protocol> <(parameters vary)>
3. Create the policy
   set policy from <zone> to <zone> <source_addr> <dest_addr> <service> [permit | deny]
   Example: set policy from private to public 10.1.10.5/32 any http permit
4. Reorder policies
   set policy move <id> [before | after] <id>
   Example: set policy move 5 before 4

Options:
1. Create and view address groups
   set group address <zone> <name> add <addr-name>
   Examples: set group address Private Admins add Admin1
             set group address Private Admins add Admin2
   get group address <zone>
   Example:
   get group address Private
   Group Name   Count   Comment
   Admins       2
   get group address <zone> <group-name>
   Example:
   get group address Private Admins
   Group Name: Admins   Comment:
   Group Items: 2
   Members: "Admin1" "Admin2"
2. Create and view service groups
   set group service <name> add <service>
   get group service
   Example:
   get group service
   Group Name        Count   Comment
   AllowedServices   5
   get group service <group-name>
   Example:
   get group service AllowedServices
   Group Name: AllowedServices   Comment:
   Group Items: 5
   Members: "FTP" "HTTP" "PING" "TELNET" "TFTP"
3. Create multi-cell policies

Advanced options:
1. Enable traffic logging and verify the log
   set policy (from zone to zone sa da service action) log
   or, in policy context:
   set policy log
   Example:
   ns5gt-> set policy id 1
   ns5gt(policy:1)-> set policy log
   Verify: get log traffic
2. Enable traffic counting and verify the statistics
   set policy (from zone to zone sa da service action) count
   or, in policy context:
   set policy count
   set policy count alarm <bytes/sec> <kbytes/min>
   Example:
   ns5gt-> set policy id 1
   ns5gt(policy:1)-> set policy count
   Verify: get counters policy <id> <time parameters>
3. Create a schedule and apply it to a policy
   set scheduler <name> recurrent <day> start <time> stop <time> [start <time> stop <time>]
   Examples: set scheduler NoICQ recurrent mon start 7:00 stop 12:00 start 13:00 stop 18:00
             set scheduler NoICQ recurrent tues start 7:00 stop 12:00 start 13:00 stop 18:00
             (and so on for the remaining days)
   set scheduler <name> once start <mm/dd/yyyy> stop <mm/dd/yyyy>
   Example: set scheduler Y2K once start 01/01/2000 stop 01/02/2000
   set policy (from zone to zone sa da service action) schedule <name>

Authentication

1. Create the local user database
   set user <name> password <password>
2. Configure authentication in the policy
   set policy (from zone to zone sa da service action) auth
   set policy (from zone to zone sa da service action) webauth
3. Configure the WebAuth address (WebAuth only)
   set interface <name> webauth
   set interface <name> webauth-ip <ip>
4. Verify the authentication configuration
   ns5gt-> get user all
   Total users: 1
   Id  User name  Enable  Type  ID-type  Identity  Belongs to groups
   --- ---------- ------- ----- -------- --------- ------------------
   1   JoeUser    Yes     auth
   ns5gt-> get auth table
   Total users in table: 1
   Successful: 1, Failed: 0
   Pending : 0, Others: 0
   Col T: Used: D = Default settings, W = WebAuth, A = Auth server in policy
   id  src           user     group  age  status   server  T  srczone  dstzone
   1   192.168.1.33  JoeUser         5    Success  Local   W  N/A      N/A

Policy-based NAT

NAT-src configuration:
1. Create the DIP pool
   With port translation (default):
   set interface <name> dip <4-255> <start_address> [<end_address>]
   Example: set interface e8 dip 5 1.1.10.2 1.1.10.254
   Without port translation:
   set interface <name> dip <4-255> <start_address> [<end_address>] fix-port
   Example: set interface e8 dip 5 1.1.10.2 1.1.10.254 fix-port
   Address shifting:
   set interface <name> dip <4-255> shift-from <priv-addr> <start_address> [<end_address>]
   Example: set interface e8 dip 5 shift-from 10.1.1.5 1.1.10.2 1.1.10.40
2. Create the policy
   set policy from <zone> to <zone> <SA> <DA> <service> nat src [dip-id <num>] permit
   Without a DIP (the egress interface address is used):
   ns208> set policy from Private to External any any any nat src permit
   With a DIP:
   ns208> set policy from Private to External any any any nat src dip-id 5 permit

NAT-dst configuration:
1. Create the address book entry
   set address <zone> <name> <address>/<mask>
   Example: set address Private MyPCPublic 1.1.10.20/32
2. Make the public address reachable
   A. Secondary address on the interface
      set interface <name> ip <address>/<mask> secondary
      Example: set interface e1 ip 1.1.10.1/24 secondary
   B. Static route
      set route <network>/<mask> int <outbound int>
      Example: set route 1.1.10.20/32 int e1
3. Configure the policy
   One-to-one:
   set policy from <zone> to <zone> <SA> <DA> <service> nat dst ip <addr> permit
   Example: set policy from External to Private any MyPCPublic http nat dst ip 10.1.20.5 permit
   Address shifting:
   set policy from <zone> to <zone> <SA> <DA> <service> nat dst ip <range start> <range end> permit
   Example: set policy from External to Private any PublicRange http nat dst ip 10.1.40.1 10.1.40.254 permit
   Port translation:
   set policy from <zone> to <zone> <SA> <DA> <service> nat dst ip <addr> port <port num> permit
   Example: set policy from External to Private any MyPCPublic http nat dst ip 10.1.20.5 port 8080 permit

MIP configuration:
1. Define the MIP
   set int <name> mip <publicIP> host <privateIP>
   Example: set int e8 mip 1.1.8.15 host 10.1.10.5
2. Configure the MIP policy
   set policy from <zone> to <zone> <SA> MIP(<addr>) <service> permit

VIP configuration:
1. Define the VIP
   set int <name> vip <publicIP> <port> <service> <privateIP>
   Examples: set int e8 vip 1.1.8.100 23 telnet 10.0.0.5
             set int e8 vip 1.1.8.100 21 ftp 10.1.20.5
             set int e8 vip 1.1.8.100 80 http 10.1.30.5
2. Define the policy
   set policy from <zone> to <zone> <SA> VIP(<addr>) <service> permit
   Example: set policy from untrust to private any VIP(1.1.8.100) any permit

VPN configuration

Policy-based VPN:
1. Set the maximum TCP segment size
   set flow tcp-mss
2. Configure the IKE gateway (Phase 1)
   set ike gateway <name> address <gate_IP> preshare <key> sec-level [standard | basic | compatible]
3. Create the IKE VPN (Phase 2)
   set vpn <name> gateway <Phase1_gate_name> sec-level [standard | basic | compatible]
4. Create the address objects
5. Configure the VPN policy pair
Example:
   set ike gateway toCorporate address 4.4.4.250 preshare XXX sec-level standard
   set vpn CorporateVPN gateway toCorporate sec-level standard
   set address Trust HomeNet 10.1.0.0/32
   set address Untrust CorpNet 10.50.0.0/16
   set policy from Trust to Untrust HomeNet CorpNet any tunnel vpn CorporateVPN
   set policy from Untrust to Trust CorpNet HomeNet any tunnel vpn CorporateVPN
(XXX stands for the pre-shared key. The predefined security levels negotiate the 3DES/SHA-1 suites seen in the outputs below; both are considered legacy today, so where the software allows, define explicit proposals using AES and SHA-2.)

Verifying the VPN tunnel:
1. Generate traffic (ping, telnet, http, ftp, etc.)
   ns208-> ping 10.50.0.5 from trust
   Type escape sequence to abort
   Sending 5, 100-byte ICMP Echos to 10.50.0.5, timeout is 2 seconds from ethernet8
   !!!!!
   Success Rate is 100 percent (5/5), round-trip time min/avg/max=40/40/41 ms
2. Check the Phase 1 gateway state
   ns208-> get ike cookie
   Active: 1, Dead: 0, Total 1
   522f/3, 1.1.1.250->4.4.4.250: PRESHR/grp2/3DES/SHA, xchg(2) usr(d-1/u-1)
   resent-tmr 0 lifetime 28800 lt-recv 28800 nxt_rekey 25813 cert-expire 0
   initiator 1, in-out 1, err cnt 0, send dir 0, cond 0
   nat-traversal map not available
   ike heartbeat : disabled
   ike heartbeat last rcv time: 0
   ike heartbeat last snd time: 0
   XAUTH status: 0
3. Check the active Phase 2 SAs
   ns208-> get sa active
   Total active sa: 1
   HEX ID     Gateway    Port  Algorithm      SPI       Life:sec  kb     Sta  PID  vsys
   00000001<  4.4.4.250  500   esp:3des/sha1  8150f85b  3563      unlim  A/-  3    0
   00000001>  4.4.4.250  500   esp:3des/sha1  cb0bed95  3563      unlim  A/-  2    0

Troubleshooting:
1. Phase 1
   Unrecognized gateway
   Initiator:
   ns208-> get event
   Date        Time      Module  Level  Type   Description
   2003-04-30  01:53:17  system  info   00536  IKE<1.1.1.250> >> <4.4.4.250> Phase 1: Initiated negotiations in main mode.
   Responder:
   ns208-> get event
   2003-04-30  01:53:24  system  info   00536  IKE<1.1.1.250> Phase 1: Rejected an initial Phase 1 packet from an unrecognized peer gateway.
   Proposal mismatch
   Initiator:
   2003-04-30  01:58:00  system  info   00536  IKE<1.1.1.250> Phase 1: Retransmission limit has been reached.
   2003-04-30  01:56:57  system  info   00536  IKE<1.1.1.250> >> <4.4.4.250> Phase 1: Initiated negotiations in main mode.
   Responder:
   2003-04-30  01:57:10  system  info   00536  IKE<1.1.1.250> Phase 1: Rejected proposals from peer. Negotiations failed.
   2003-04-30  01:57:10  system  info   00536  IKE<1.1.1.250> Phase 1: Responder starts MAIN mode negotiations.
2. Phase 2
   Proposal mismatch
   Initiator:
   ns208-> get event
   Total event entries = 72
   2003-04-30  01:53:09  system  info   00536  IKE<4.4.4.250> Received notify message for DOI <1> <14> <NO_PROPOSAL_CHOSEN>.
   Responder:
   2003-04-30  01:51:01  system  info   00536  IKE<1.1.1.250> Phase 2 msg-id <9e9d9b91>: Negotiations have failed.
   2003-04-30  01:51:01  system  info   00536  IKE<1.1.1.250> Phase 2: Rejected proposals from peer. Negotiations failed.
   Proxy ID mismatch
   Initiator:
   2003-04-30  02:05:59  system  info   00536  IKE<4.4.4.250> Phase 2: Initiated negotiation.
   2003-04-30  02:05:59  system  info   00536  IKE<4.4.4.250> Phase 1: Completed Main mode negotiations with a <28800>-second lifetime.
   The remote side's proxy ID, as reported by the responder:
   2003-04-30  02:05:10  system  info   00536  IKE<1.1.1.250> Phase 2: No policy exists for the proxy ID received: local ID (<10.0.0.0>/<255.255.255.0>,<0>,<0>) remote ID (<20.0.0.0>/<255.255.255.0>,<0>,<0>)
   The local proxy ID:
   ns5gt-> get policy id 3
   name:"none" (id 3), zone Untrust -> Trust, action Tunnel, status "enabled", pairpolicy 2
   src "CorpNet", dst "HomeNet", serv "ANY"
   <output omitted>
   proxy id: local 10.1.0.0/255.255.255.255, remote 10.50.0.0/255.255.0.0, proto 0, port 0
   No Authentication
   No User, User Group or Group expression set
   The two proxy IDs must mirror each other: the peer's local ID has to equal our remote ID and vice versa, prefix length included. Fixing the mismatch:
   ns5gt-> unset policy id 2
   ns5gt-> unset policy id 3
   ns5gt-> unset address untrust CorpNet
   ns5gt-> unset address trust HomeNet
   ns5gt-> set address untrust CorpNet 10.0.0.0/24
   ns5gt-> set address trust HomeNet 20.0.0.0/24
   ns5gt-> set policy from trust to untrust HomeNet CorpNet any tunnel vpn MyVPN
   policy id = 2
   ns5gt-> set policy from untrust to trust CorpNet HomeNet any tunnel vpn MyVPN
   policy id = 3
   ns5gt-> get policy id 3
   name:"none" (id 3), zone Untrust -> Trust, action T unnel, status "enabled", pairpolicy 2
   src "CorpNet", dst "HomeNet", serv "ANY"
   <output omitted>
   proxy id: local 20.0.0.0/255.255.255.0, remote 10.0.0.0/255.255.255.0, proto 0, port 0

Route-based VPN:
   set vpn <name> bind interface <int_name>
   ns5xt> set interface tunnel.1 zone trust
   ns5xt> set interface tunnel.1 ip unnumbered
   ns5xt> set ike gateway toCorporate address 4.4.4.250 preshare XXX sec-level standard
   ns5xt> set vpn CorporateVPN gateway toCorporate sec-level standard
   ns5xt> set vpn CorporateVPN bind interface tunnel.1
   ns5xt> set route 20.0.0.0/8 int tunnel.1

Verifying the configuration:
1. Generate traffic (ping, telnet, http, ftp, etc.)
   ns208-> ping 10.0.0.5 from e8
   Type escape sequence to abort
   Sending 5, 100-byte ICMP Echos to 10.0.0.5, timeout is 2 seconds from ethernet8
   !!!!!
   Success Rate is 100 percent (5/5), round-trip time min/avg/max=40/40/41 ms
2. Check that the route points at the tunnel interface
   ns208-> get route ip 10.0.0.5
   Destination Routes for 10.0.0.5
   ---------------------
   trust-vr : => 10.0.0.0/24 (id=6) via 0.0.0.0 (vr: trust-vr)
   Interface tunnel.1 , metric 1
3. Check the Phase 1 gateway state: ns208-> get ike cookie (same output as in the policy-based section)
4. Check the active Phase 2 SAs: ns208-> get sa active (same output as in the policy-based section)
Troubleshooting is the same as for policy-based VPNs.

High availability (active/passive)

CLI (NetScreen-A):
1. Interfaces
   set interface ethernet7 zone ha
   set interface ethernet8 zone ha
   set interface ethernet1 zone untrust
   set interface ethernet1 ip 210.1.1.1/24
   set interface ethernet3 zone trust
   set interface ethernet3 ip 10.1.1.1/24
   set interface ethernet3 manage-ip 10.1.1.20
   set interface ethernet3 nat
2. NSRP
   set nsrp rto-mirror sync
   set nsrp monitor interface ethernet1
   set nsrp monitor interface ethernet3
   set nsrp cluster id 1
   save

CLI (NetScreen-B):
3. Interfaces (identical to A except for the manage-ip; the interface addresses are shared by the cluster)
   set interface ethernet7 zone ha
   set interface ethernet8 zone ha
   set interface ethernet1 zone untrust
   set interface ethernet1 ip 210.1.1.1/24
   set interface ethernet3 zone trust
   set interface ethernet3 ip 10.1.1.1/24
   set interface ethernet3 manage-ip 10.1.1.21
   set interface ethernet3 nat
4. NSRP
   set nsrp rto-mirror sync
   set nsrp monitor interface ethernet1
   set nsrp monitor interface ethernet3
   set nsrp cluster id 1
   save
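The proxy-ID mismatch above is the most common Phase 2 failure, and the manual's fix only works because the new address entries mirror the peer's IDs exactly. The following Python script, an added example and not part of the manual or of ScreenOS, parses the two outputs quoted above (the responder's 'No policy exists for the proxy ID received' event and the proxy-id line of 'get policy id'), reports which half of the pair differs, and prints the 'set address' lines that would make the local policy pair mirror the peer. The function names and the choice to carry protocol and port as a single pair are ours; the addresses are the page's.

```python
"""Check that two IPsec peers' Phase 2 proxy IDs mirror each other.

Added example, not part of the original page or of ScreenOS. A policy-based
ScreenOS VPN derives its proxy ID from the policy pair: local = our address
book entry, remote = the peer's, plus protocol and port. Phase 2 only completes
when our local/remote equals the peer's remote/local exactly, prefix length
included. The parsers read the two formats quoted on the page; the sample
strings below repeat the page's values.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List

EVENT_RE = re.compile(
    r"local ID \(<([\d.]+)>/<([\d.]+)>,<(\d+)>,<(\d+)>\)\s*"
    r"remote ID \(<([\d.]+)>/<([\d.]+)>,<(\d+)>,<(\d+)>\)")
POLICY_RE = re.compile(
    r"proxy id:\s*local ([\d.]+)/([\d.]+),\s*remote ([\d.]+)/([\d.]+),"
    r"\s*proto (\d+),\s*port (\d+)")


@dataclass(frozen=True)
class ProxyId:
    local: IPv4Network
    remote: IPv4Network
    proto: int = 0
    port: int = 0


def _net(ip: str, mask: str) -> IPv4Network:
    # ScreenOS prints dotted masks; ipaddress accepts "addr/dotted-mask".
    return IPv4Network(f"{ip}/{mask}", strict=False)


def parse_peer_event(event_text: str) -> ProxyId:
    """Proxy ID as the *peer* sees it, taken from its 'No policy exists ...' event."""
    m = EVENT_RE.search(event_text)
    if not m:
        raise ValueError("event text carries no proxy ID")
    l_ip, l_mask, proto, port, r_ip, r_mask, _, _ = m.groups()
    return ProxyId(_net(l_ip, l_mask), _net(r_ip, r_mask), int(proto), int(port))


def parse_local_policy(policy_text: str) -> ProxyId:
    """Proxy ID of our own policy pair, taken from 'get policy id <n>' output."""
    m = POLICY_RE.search(policy_text)
    if not m:
        raise ValueError("policy text carries no proxy ID")
    l_ip, l_mask, r_ip, r_mask, proto, port = m.groups()
    return ProxyId(_net(l_ip, l_mask), _net(r_ip, r_mask), int(proto), int(port))


def mismatches(ours: ProxyId, peer: ProxyId) -> List[str]:
    """Empty when the IDs mirror each other and Phase 2 can complete."""
    problems = []
    if ours.local != peer.remote:
        problems.append(f"our local {ours.local} != peer's remote {peer.remote}")
    if ours.remote != peer.local:
        problems.append(f"our remote {ours.remote} != peer's local {peer.local}")
    if (ours.proto, ours.port) != (peer.proto, peer.port):
        problems.append(f"proto/port {ours.proto}/{ours.port} != {peer.proto}/{peer.port}")
    return problems


def address_fix(peer: ProxyId, local_zone: str, local_name: str,
                remote_zone: str, remote_name: str) -> List[str]:
    """The 'set address' lines that make our policy pair mirror the peer's ID."""
    return [
        f"set address {local_zone} {local_name} {peer.remote.with_prefixlen}",
        f"set address {remote_zone} {remote_name} {peer.local.with_prefixlen}",
    ]


# Values copied from the page's proxy-ID troubleshooting section.
PEER_EVENT = ("2003-04-30 02:05:10 system info 00536 IKE<1.1.1.250> Phase 2: No policy "
              "exists for the proxy ID received: local ID (<10.0.0.0>/<255.255.255.0>,<0>,<0>) "
              "remote ID (<20.0.0.0>/<255.255.255.0>,<0>,<0>)")
OUR_POLICY_BEFORE = "proxy id: local 10.1.0.0/255.255.255.255, remote 10.50.0.0/255.255.0.0, proto 0, port 0"
OUR_POLICY_AFTER = "proxy id: local 20.0.0.0/255.255.255.0, remote 10.0.0.0/255.255.255.0, proto 0, port 0"

if __name__ == "__main__":
    peer = parse_peer_event(PEER_EVENT)
    for label, text in (("before fix", OUR_POLICY_BEFORE), ("after fix", OUR_POLICY_AFTER)):
        print(label, mismatches(parse_local_policy(text), peer) or "OK")
    print("\n".join(address_fix(peer, "trust", "HomeNet", "untrust", "CorpNet")))
```

Note that a /32 versus /24 difference is reported as a mismatch even when the networks overlap; that is exactly what IKE does, since proxy IDs are compared for equality, not containment.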
Juniper NetScreen firewall policy-based routing configuration

NetScreen-25 overview
The Juniper Networks NetScreen-25 and NetScreen-50 are integrated security appliances for large-enterprise branch and remote offices and for small and medium-sized businesses.
They provide a network-perimeter security solution with multiple DMZs and VPN, and can secure a wireless LAN or protect an internal network.
The NetScreen-25 delivers 100 Mbps of firewall and 20 Mbps of 3DES or AES VPN throughput and supports 32,000 concurrent sessions and 125 VPN tunnels.
The NetScreen-50 is a higher-performance integrated security appliance delivering 170 Mbps of firewall and 45 Mbps of 3DES or AES VPN throughput, with support for 64,000 concurrent sessions and 500 VPN tunnels.

1. Features and benefits
The main features and benefits of the NetScreen-25 and NetScreen-50:
• An integrated Deep Inspection firewall providing per-policy application-layer attack protection
• Integrated web filtering to enforce corporate web-usage policy, raise overall productivity and minimize liability arising from misuse of corporate resources
• Denial-of-service protection against more than 30 different internal and external attack types
• High-availability features that eliminate single points of failure
• Dynamic routing support, reducing reliance on manually created routes
• Redundant VPN tunnels and VPN monitoring, shortening VPN failover time
• Virtual router support, which maps internal, private or overlapping IP addresses to new addresses and provides alternate routes to the final destination that are hidden from the public
• Customizable security zones, which increase interface density without additional hardware cost, lower policy-creation cost, restrict unauthorized access and attacks, and simplify VPN management
• Management through the graphical Web UI, the CLI or the NetScreen-Security Manager central management system
• Policy-based management for centralized end-to-end lifecycle management

2. Technical specifications
Both the NetScreen-25 and NetScreen-50 come with two licence options (Advanced/Baseline) that provide different levels of functionality and capacity.