news.m176.com 火龙一字一句打出来的.
细的东西就不说了.配的说明书上都有.下面说说可能出现的问题及分析
1.用WEB 或CON 配置,为内网及外网端口配上IP. 在外网口上配网关.
本例内网口 是 192.0.0.102 内网服务器是192.0.0.1
外网口是 192.168.0.152 外网网关是 192.168.0.150 .对外宣称服务器的IP是 192.168.0.160
2.配置外网 VIP或MIP
VIP是用 外网口IP地址,或者指定单一IP对内网的IP进行NAT的方式
MIP 是用数个外网口IP,对内部服务器进行NAT.
本例使用了VIP 也使用了MIP,两个可以同时用
3.配置策略POLICY
内网Trust 到外网Untrust 系统默认是全开放的,所以可以不再配
外网到内网. 选相应的IP,端口和服务.
本例为了方便测试,MIP项选择了全部服务.这样做很不安全.
上述操作完成后.基本功能应该都具备了.下面说说可能出现的问题
1.内网不能PING通外网
A.内网不能PING通外网端口IP
一般情况下,先在防火墙本机PING一下内网端口IP,再PING一下外网端口IP.如果不通,一定是网络接口没有UP,或者网线没有插在配置指定的接口上
用内网PC机不能ping 通防火墙内网口. 上面的原因要找一下.另外看一下 INTERFACE -> Service Options ->Other Services ->ping 是不是允许
用内网PC机不能ping通防火墙外网口.最上面的原因要找一下.再看内网PC机的网关是否没有设置.内网PC的网关当然要指向防火墙内网口的IP
B.内网不能PING通外网相邻的IP
A中列出的原因要一条条排查.
最好把 From Trust To Untrust 只留 any any any 那一行.
上面都不行,把From Untrust To Trust 全部删除再试
C.内网不能PING通互联网上的IP
上面A B 两项都没问题的话.只要在NETWORK -> ROUTE 加一条路由 指到你的互联网网关上就可以了.
本例中是 set interface ethernet0/9 gateway 192.168.0.150
D.外网不能NAT进入内网
有时为了方便,大家初期配置时不想做过多限制,所以有了"Untrust" to "Trust" ANY ANY ANY 这样的配置
set policy id 6 from "Untrust" to "Trust" "Any" "Any" "ANY" permit log
殊不知,这个策略加上去没有一点效果,所以NAT也不能工作.
只要不用上述全开放的写法,按实际需要指定VIP/MIP的目的地址和服务,一配就通.
set policy id 6 from "Untrust" to "Trust" "Any" "VIP(ethernet0/9)" "terminal_33 89" permit log
set policy id 6
exit
set policy id 9 from "Untrust" to "Trust" "Any" "MIP(192.168.0.160)" "ANY" permit log count
set policy id 9
以下是可以正常运行(VIP是安全配置,MIP是全开放,需要按VIP方式改一下)完整的配置清单 .
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "terminal_3389" protocol tcp src-port 0-65535 dst-port 3389-3389
set service "ftp_exp" protocol tcp src-port 0-65535 dst-port 63000-63000
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
unset zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen icmp-flood
set zone "Untrust" screen udp-flood
set zone "Untrust" screen winnuke
set zone "Untrust" screen port-scan
set zone "Untrust" screen ip-sweep
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ip-spoofing
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "Untrust" screen syn-frag
set zone "Untrust" screen tcp-no-flag
set zone "Untrust" screen unknown-protocol
set zone "Untrust" screen ip-bad-option
set zone "Untrust" screen ip-record-route
set zone "Untrust" screen ip-timestamp-opt
set zone "Untrust" screen ip-security-opt
set zone "Untrust" screen ip-loose-src-route
set zone "Untrust" screen ip-strict-src-route
set zone "Untrust" screen ip-stream-opt
set zone "Untrust" screen icmp-fragment
set zone "Untrust" screen icmp-large
set zone "Untrust" screen syn-fin
set zone "Untrust" screen fin-no-ack
set zone "Untrust" screen limit-session source-ip-based
set zone "Untrust" screen syn-ack-ack-proxy
set zone "Untrust" screen block-frag
set zone "Untrust" screen limit-session destination-ip-based
set zone "Untrust" screen component-block zip
set zone "Untrust" screen component-block jar
set zone "Untrust" screen component-block exe
set zone "Untrust" screen component-block activex
set zone "Untrust" screen icmp-id
set zone "Untrust" screen ip-spoofing drop-no-rpf-route
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/9" zone "Untrust"
set interface ethernet0/0 ip 192.0.0.102/24
set interface ethernet0/0 route
unset interface vlan1 ip
set interface ethernet0/1 ip 10.0.0.102/24
set interface ethernet0/1 nat
set interface ethernet0/9 ip 192.168.0.152/24
set interface ethernet0/9 nat
set interface ethernet0/9 gateway 192.168.0.150
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface ethernet0/9 ip manageable
set interface ethernet0/1 manage telnet
set interface ethernet0/1 manage web
set interface ethernet0/9 manage ping
set interface ethernet0/9 manage ssh
set interface ethernet0/9 manage telnet
set interface ethernet0/9 manage web
set interface ethernet0/9 monitor track-ip ip
set interface ethernet0/9 monitor track-ip weight 1
unset interface ethernet0/9 monitor track-ip dynamic
set interface ethernet0/9 vip untrust 3389 "terminal_3389" 192.0.0.1
set interface ethernet0/9 vip untrust 21 "FTP" 192.0.0.1
set interface ethernet0/9 dip interface-ip incoming
set interface "ethernet0/9" mip 192.168.0.160 host 192.0.0.1 netmask 255.255.255
.255 vr "trust-vr"
set interface ethernet0/1 route-deny
unset flow no-tcp-seq-check
set flow tcp-syn-check
set domain InterDNS
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 202.96.128.86 src-interface ethernet0/9
set dns host dns2 202.96.134.133 src-interface ethernet0/9
set dns host dns3 0.0.0.0
set address "Trust" "aadata_lan" 192.0.0.0 255.255.255.0
set address "Untrust" "aadata_internet" 192.168.0.0 255.255.255.0
set ippool "aadata_local" 192.0.0.1 192.0.0.10
set ippool "aadata_internet" 192.168.0.160 192.168.0.165
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol websense
exit
set policy id 8 from "Untrust" to "Trust" "Any" "VIP(ethernet0/9)" "FTP" permit
log
set policy id 8
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 1
exit
set policy id 6 from "Untrust" to "Trust" "Any" "VIP(ethernet0/9)" "terminal_33
89" permit log
set policy id 6
exit
set policy id 9 from "Untrust" to "Trust" "Any" "MIP(192.168.0.160)" "ANY" perm
it log count
set policy id 9
exit
set monitor cpu 100
set log module system level error destination console
set log module system level warning destination console
set log module system level notification destination console
set log module system level information destination console
set log module system level debugging destination console
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit