juniper srx防火墙配置案例

• SRX source NAT

setinterfaces ge-0/0/0 unit 0 family inet address 192.168.2.254/24

setinterfaces ge-0/0/1 unit 0 family inet address 192.168.114.190/24

setinterfaces ge-0/0/2 unit 0 family inet address 172.16.2.254/24

setrouting-options static route 0.0.0.0/0 next-hop 192.168.114.254

setsecurity zones security-zone trust interfaces ge-0/0/0.0

setsecurity zones security-zone trust host-inbound-traffic system-services ssh

set security zones security-zone trust host-inbound-trafficsystem-services ping

setsecurity zones security-zone trust host-inbound-traffic system-services https

setsecurity zones security-zone untrust interfaces ge-0/0/1.0

setsecurity zones security-zone untrust host-inbound-traffic system-services ssh

setsecurity zones security-zone untrust host-inbound-traffic system-services https

set security zones security-zone dmz interfaces ge-0/0/2.0

setsecurity zones security-zone dmz interfaces ge-0/0/2.0 host-inbound-trafficsystem-services ping

setsecurity zones security-zone dmz interfaces ge-0/0/2.0 host-inbound-trafficsystem-services ssh

setsecurity zones security-zone trust address-book address trust-add192.168.2.0/24

setsecurity policies from-zone trust to-zone untrust policy trust-untrust matchsource-address trust-add

setsecurity policies from-zone trust to-zone untrust policy trust-untrust matchdestination-address any

setsecurity policies from-zone trust to-zone untrust policy trust-untrust matchapplication any

setsecurity policies from-zone trust to-zone untrust policy trust-untrust thenpermit

1、Source NAT（端口转换）

setsecurity nat source rule-set source-NAT from zone trust

setsecurity nat source rule-set source-NAT to zone untrust

set security nat source rule-set source-NAT rule PAT match source-address 192.168.2.0/24

set security nat source rule-set source-NAT rule PAT then source-nat interface

2、Source NAT（地址池）

set security nat source poolsource-NAT-POOL address 192.168.114.100/32 to 192.168.114.110/32    //地址池转换将会轮询做地址转换 //

setsecurity nat source rule-set source-NAT from zone trust

setsecurity nat source rule-set source-NAT to zone untrust

setsecurity nat source rule-set source-NAT rule NAT1 match source-address192.168.2.0/24

setsecurity nat source rule-set source-NAT rule NAT1 then source-nat poolsource-NAT-POOL

set security nat proxy-arpinterface ge-0/0/1.0 address 192.168.114.100/32 to 192.168.114.110/32 // 需要为地址池转换方式设置ARP代理//

# run show security nat source rule all   

root@vSRX# run show security policies   

root@vSRX# run show security flow session   

SessionID: 2579, Policy name: trust-untrust/7, Timeout: 2, Valid

  In: 192.168.2.110/5632 --> 192.168.114.20/512;icmp,If: ge-0/0/0.0, Pkts: 1, Bytes: 60

  Out: 192.168.114.20/512 --> 192.168.114.106/1138;icmp,If: ge-0/0/1.0, Pkts: 1, Bytes: 60

insert rule-set source-NATrule  NAT1  before rulePAT  //把NAT1  Rule插入到PAT Rule前面，先启用NAT pool转换，再使用PAT转换//

root@vSRX# run show security nat source summary

Totalport number usage for port translation pool: 709632

Maximumport number for port translation pool: 16777216

Totalpools: 1

Pool                 Address                  Routing              PAT  Total

Name                 Range                    Instance                  Address

source-NAT-POOL      192.168.114.100-192.168.114.110default       yes  11  

Totalrules: 2

Rulename          Rule set       From              To                   Action

NAT1               source-NAT     trust             untrust              source-NAT-POOL

PAT                source-NAT     trust             untrust              interface

root@vSRX# run show securityflow session     //地址轮询复用转换//

SessionID: 3017, Policy name: trust-untrust/7, Timeout: 2, Valid

  In: 192.168.2.110/9728 -->192.168.114.20/512;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60

  Out: 192.168.114.20/512 --> 192.168.114.103/12564;icmp, If:ge-0/0/1.0, Pkts: 1, Bytes: 60

SessionID: 3018, Policy name: trust-untrust/7, Timeout: 2, Valid

  In: 192.168.2.110/9984 -->192.168.114.20/512;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60

  Out: 192.168.114.20/512 -->192.168.114.104/16881;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60

Totalsessions: 2

SessionID: 3019, Policy name: trust-untrust/7, Timeout: 2, Valid

  In: 192.168.2.110/10240 -->192.168.114.20/512;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60

  Out: 192.168.114.20/512 -->192.168.114.105/13679;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60

SessionID: 3020, Policy name: trust-untrust/7, Timeout: 2, Valid

  In: 192.168.2.110/10496 -->192.168.114.20/512;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60

  Out: 192.168.114.20/512 -->192.168.114.106/17443;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60

Totalsessions: 2

root@vSRX#set securitynat source poolsource-NAT-POOL port no-translation     //禁止PAT转换，动态一对一，最后一个接口地址复用//

essionID: 4546, Policy name: trust-untrust/7, Timeout: 1796, Valid

  In: 192.168.2.110/1761 -->220.181.90.240/80;tcp, If: ge-0/0/0.0, Pkts: 4, Bytes: 912

  Out: 220.181.90.240/80 --> 192.168.114.102/1761;tcp,If: ge-0/0/1.0, Pkts: 2, Bytes: 319

SessionID: 4556, Policy name: trust-untrust/7, Timeout: 1800, Valid

  In: 192.168.2.110/1762 -->119.97.155.2/80;tcp, If: ge-0/0/0.0, Pkts: 34, Bytes: 2138

  Out: 119.97.155.2/80 --> 192.168.114.102/1762;tcp,If: ge-0/0/1.0, Pkts: 61, Bytes: 75406

SessionID: 4557, Policy name: trust-untrust/7, Timeout: 1798, Valid

  In: 192.168.2.110/1763 -->119.97.155.2/80;tcp, If: ge-0/0/0.0, Pkts: 7, Bytes: 837

  Out: 119.97.155.2/80 --> 192.168.114.102/1763;tcp,If: ge-0/0/1.0, Pkts: 8, Bytes: 8278

• SRX destination     NAT(cisco  static PAT静态端口映射)

将DMZ 172.16.2.22:23端口转换到untrust地址192.168.114.250: 2323端口

setsecurity nat destination pool DMZ-Server-telnet address 172.16.2.22/32

setsecurity nat destination pool DMZ-Server-telnet address port 23

setsecurity nat destination pool DMZ-Server-http address 172.16.2.22/32

setsecurity nat destination pool DMZ-Server-http address port 80

setsecurity nat destination rule-set Dest-NAT from zone untrust

set security nat destination rule-setDest-NAT rule Untrust-DMZ-NAT-telnet match source-address 0.0.0.0/0

set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-telnet match destination-address192.168.114.114/32

set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-telnet match destination-port 2323

set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-telnet then destination-nat poolDMZ-Server-telnet

setsecurity nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-http matchsource-address 0.0.0.0/0

setsecurity nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-http matchdestination-address 192.168.114.114/32

setsecurity nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-http matchdestination-port 80

setsecurity nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-http thendestination-nat pool DMZ-Server-http

setsecurity nat proxy-arp interface ge-0/0/1.0 address 192.168.114.114/32

setsecurity zones security-zone dmz address-book address DMZ-Server 172.16.2.22/32

setsecurity policies from-zone untrust to-zone dmz policy Untrust-DMZ matchsource-address any

setsecurity policies from-zone untrust to-zone dmz policy Untrust-DMZ matchdestination-address DMZ-Server

setsecurity policies from-zone untrust to-zone dmz policy Untrust-DMZ matchapplication junos-http

setsecurity policies from-zone untrust to-zone dmz policy Untrust-DMZ matchapplication junos-telnet

setsecurity policies from-zone untrust to-zone dmz policy Untrust-DMZ then permit

•  Static NAT，静态一对一，既转换源也转换目的(outbound方向转换原，inbound转换目的)

setsecurity nat static rule-set Static-NAT from zone untrust

setsecurity nat static rule-set Static-NAT rule 1to1 match destination-address192.168.114.250/32

setsecurity nat static rule-set Static-NAT rule 1to1 then static-nat prefix172.16.2.22/32

setsecurity nat proxy-arp interface ge-0/0/1.0 address 192.168.114.250/32

setsecurity policies from-zone untrust to-zone dmz policy Untrust-DMZ-ftp matchsource-address any

setsecurity policies from-zone untrust to-zone dmz policy Untrust-DMZ-ftp matchdestination-address DMZ-Server

setsecurity policies from-zone untrust to-zone dmz policy Untrust-DMZ-ftp matchapplication junos-ftp

setsecurity policies from-zone untrust to-zone dmz policy Untrust-DMZ-ftp thenpermit

#########################################################################################################

Set  authentication-order[ radius password ]                                

setsystem radius-server 172.16.2.22 port 1812

set system radius-server 172.16.2.22 secret freeit123

setsystem radius-server 172.16.2.22 source-address 172.16.2.254

set system login user user1authentication encrypted-password  freeit123    //重要:在radius上创建的用户账户必须在本地创建该用户，

                                                                                                                                                               否则radius认证失败，如果radius服务器没有响应，则通过本地密码认证//

穿越防火墙的web认证：

setaccess profile WEBAUTH authentication-order password

set access profile WEBAUTH client user1 firewall-user password user1

setaccess firewall-authentication web-authentication default-profile WEBAUTH

setaccess firewall-authentication web-authentication banner success "web authlogin success"

setsystem services web-management http interface ge-0/0/0.0

setsecurity zones security-zone trust interfaces ge-0/0/0.0

setsecurity zones security-zone trust host-inbound-traffic system-services http

setinterfaces ge-0/0/0 unit 0 family inet address 172.16.1.253/24web-authentication http

setsecurity policies from-zone trust to-zone dmz policy trust-dmz-p matchsource-address trust-add

setsecurity policies from-zone trust to-zone dmz policy trust-dmz-p matchdestination-address dmz-add

setsecurity policies from-zone trust to-zone dmz policy trust-dmz-p matchapplication any

setsecurity policies from-zone trust to-zone dmz policy trust-dmz-p then permitfirewall-authentication web-authentication client-match user1

setsecurity policies from-zone trust to-zone dmz policy trust-dmz-p then count

直通代理：

set access profile PT-AUTH authentication-order password   

setaccess profile PT-AUTH client test firewall-user password"$9$I.4Rrvx7VY4Zdb"

setaccess firewall-authentication pass-through default-profile PT-AUTH

setaccess firewall-authentication pass-through http banner success "LoginSuccess"

setsecurity policies from-zone trust to-zone dmz policy trust-dmz-p matchsource-address trust-add

setsecurity policies from-zone trust to-zone dmz policy trust-dmz-p matchdestination-address dmz-add

setsecurity policies from-zone trust to-zone dmz policy trust-dmz-p matchapplication any

setsecurity policies from-zone trust to-zone dmz policy trust-dmz-p then permitfirewall-authentication pass-through

setsecurity policies from-zone trust to-zone dmz policy trust-dmz-p then count

set access profile PT-AUTH authentication-order radius  

set access profile PT-AUTH radius-server192.168.2.22 secret freeit123     /radius配置/