Configuring Juniper Firewall Web Management

Jul 06, 2018


Nguyen Nhim
  • 8/17/2019 Configuring Juniper Firewall Web Management

    Lab 01: Configure a Juniper SRX as a WAN router

    Requirements:

    + Configure the Juniper SRX as a WAN router (running PPPoE)
    + Dynamic NAT for Inside and DMZ to reach the Internet
    + Static NAT so that outside hosts can reach the Web Server over http

    I. Basic configuration:

    1.1 Configure the root password:

    set system root-authentication plain-text-password
    New password: xxxxxx
    Retype new password: xxxxxx

    1.2 Configure the hostname:

    set system host-name hcm-svuit-vsrx

    1.3 Configure the login banner:

    set system login message "Welcome to SVUIT.\nLab Juniper SRX\n"

    1.4 Configure the time zone:


    set system time-zone GMT+7

    1.5 Configure the name servers:

    set system name-server 8.8.8.8
    set system name-server 4.2.2.2

    1.6 Create an administrative user:

    set system login user svuit uid 2000
    set system login user svuit class super-user
    set system login user svuit authentication plain-text-password
    New password: xxxxxx
    Retype new password: xxxxxx

    Note: here I create the user svuit with full administrative rights (equivalent to the root user).

    II. Enable services:

    2.1 SSH, TELNET

    set system services ssh
    set system services telnet

    2.2 WEB MANAGEMENT

    Allow access only on interface ge-0/0/1.0 (access is permitted only from Inside).

    set system services web-management http interface ge-0/0/1.0
    set system services web-management https system-generated-certificate
    set system services web-management https interface ge-0/0/1.0
    set system services web-management session idle-timeout +'

    2.3 Configure DHCP for Inside clients:

    Configure the clients in Inside to receive DHCP addresses from the Juniper SRX.

    set system services dhcp pool 10.1.1.0/24 address-range low 10.1.1.12 high 10.1.1.20


    set system services dhcp pool 10.1.1.0/24 name-server 8.8.8.8
    set system services dhcp pool 10.1.1.0/24 name-server 4.2.2.2
    set system services dhcp pool 10.1.1.0/24 router 10.1.1.1

    III. Configure

    IV. Configure PPPoE:

    set interfaces ge-0/0/0 mac aa:bb:cc:dd:ee:ff
    (Configure MAC address cloning if you use FPT Internet)
    set interfaces ge-0/0/0 unit 0 encapsulation ppp-over-ether

    set interfaces pp0 traceoptions flag all
    set interfaces pp0 unit 0 point-to-point
    set interfaces pp0 unit 0 ppp-options pap default-password svuit_com
    set interfaces pp0 unit 0 ppp-options pap local-password svuit_com
    set interfaces pp0 unit 0 ppp-options pap local-name sgdsl-123456-123
    set interfaces pp0 unit 0 ppp-options pap passive
    set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/0.0
    set interfaces pp0 unit 0 pppoe-options client
    set interfaces pp0 unit 0 no-keepalives
    set interfaces pp0 unit 0 family inet mtu 1492
    set interfaces pp0 unit 0 family inet negotiate-address

    V. Configure the default route:

    set routing-options static route 0.0.0.0/0 next-hop pp0.0 metric 0

    VI. Configure Dynamic NAT:


    Configure Dynamic NAT to allow Inside and DMZ to access the Internet.

    set security nat source rule-set NAT_Outside from zone Inside
    set security nat source rule-set NAT_Outside to zone Outside
    set security nat source rule-set NAT_Outside rule src-interface match source-address 0.0.0.0/0
    set security nat source rule-set NAT_Outside rule src-interface match destination-address 0.0.0.0/0
    set security nat source rule-set NAT_Outside rule src-interface then source-nat interface

    VII. Configure Static NAT:

    Configure Static NAT to allow outside hosts http access to the Web server located in Zone DMZ.

    set security nat destination pool <pool-name> address 10.2.2.200/32 port 80

    set security nat destination rule-set Web_NAT from zone Outside
    set security nat destination rule-set Web_NAT rule rule_Web_NAT match source-address 0.0.0.0/0
    set security nat destination rule-set Web_NAT rule rule_Web_NAT match destination-address 100.10
    set security nat destination rule-set Web_NAT rule rule_Web_NAT match destination-port 80
    set security nat destination rule-set Web_NAT rule rule_Web_NAT then destination-nat pool <pool-name>

    VIII. Configure Zones:

    8.1 Zone Inside:

    Create Zone Inside and assign interface ge-0/0/1.0 to it, allowing only ping, dhcp, http, https, ssh and telnet traffic.

    set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
    set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp
    set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services http
    set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services https
    set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
    set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services telnet

    8.2 Zone DMZ:

    Create Zone DMZ and assign interface ge-0/0/2.0 to it, allowing only ping, http, https, ssh and telnet traffic.

    set security zones security-zone DMZ interfaces ge-0/0/2.0 host-inbound-traffic system-services ping


    set security zones security-zone DMZ interfaces ge-0/0/2.0 host-inbound-traffic system-services http
    set security zones security-zone DMZ interfaces ge-0/0/2.0 host-inbound-traffic system-services https
    set security zones security-zone DMZ interfaces ge-0/0/2.0 host-inbound-traffic system-services ssh
    set security zones security-zone DMZ interfaces ge-0/0/2.0 host-inbound-traffic system-services telnet

    8.3 Zone Outside:

    Create Zone Outside and assign interfaces ge-0/0/0.0 and pp0.0 (the PPPoE connection interface) to it.

    set security zones security-zone Outside interfaces pp0.0
    set security zones security-zone Outside interfaces ge-0/0/0.0

    Note: each interface can be assigned to only one zone. By default, interface ge-0/0/0.0 is already assigned to zone untrust, so you must remove interface ge-0/0/0.0 from zone untrust before assigning it to zone Outside.

    delete security zones security-zone untrust interfaces ge-0/0/0.0

    By default, the following zones and policies already exist:

    root> show security zones

    Security zone: trust
      Send reset for non-SYN session TCP packets: On
      Policy configurable: Yes
      Interfaces bound: 0
      Interfaces:

    Security zone: untrust
      Send reset for non-SYN session TCP packets: Off
      Policy configurable: Yes
      Screen: untrust-screen
      Interfaces bound: 1
      Interfaces:
        ge-0/0/0.0

    Security zone: junos-host
      Send reset for non-SYN session TCP packets: Off
      Policy configurable: Yes
      Interfaces bound: 0
      Interfaces:

    root> show security policies


    Inside to Outside

    set security policies from-zone Inside to-zone Outside policy Inside_Outside match source-address an
    set security policies from-zone Inside to-zone Outside policy Inside_Outside match destination-addre
    set security policies from-zone Inside to-zone Outside policy Inside_Outside match application any
    set security policies from-zone Inside to-zone Outside policy Inside_Outside then permit

    9.2 Inside to WEB

    Create a policy allowing access from Inside to DMZ.

    set security policies from-zone Inside to-zone DMZ policy Web_Inside_DMZ match source-address a
    set security policies from-zone Inside to-zone DMZ policy Web_Inside_DMZ match destination-addr
    set security policies from-zone Inside to-zone DMZ policy Web_Inside_DMZ match application juno
    set security policies from-zone Inside to-zone DMZ policy Web_Inside_DMZ match application juno
    set security policies from-zone Inside to-zone DMZ policy Web_Inside_DMZ then permit

    9.3 Outside to WEB

    Create a policy allowing access from Outside to the Web Server located in DMZ.

    set security policies from-zone Outside to-zone DMZ policy Web_Outside_DMZ match source-addre
    set security policies from-zone Outside to-zone DMZ policy Web_Outside_DMZ match destination-a
    set security policies from-zone Outside to-zone DMZ policy Web_Outside_DMZ match application ju
    set security policies from-zone Outside to-zone DMZ policy Web_Outside_DMZ match application ju
    set security policies from-zone Outside to-zone DMZ policy Web_Outside_DMZ then permit
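
An added example (not part of the original lab): a short Python audit that scans set-format configuration for management services that run in cleartext, that is the telnet and http entries this lab enables under system services and under host-inbound-traffic, and builds the matching delete commands. The sample lines are constructed from this lab's configuration; the names SAMPLE_CONFIG, CLEARTEXT and audit are assumptions of this example.

```python
import re

# Constructed sample: management-plane lines in the style of this lab's configuration.
SAMPLE_CONFIG = """\
set system services ssh
set system services telnet
set system services web-management http interface ge-0/0/1.0
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/1.0
set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services telnet
set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services http
set security zones security-zone DMZ interfaces ge-0/0/2.0 host-inbound-traffic system-services telnet
"""

# Management protocols that carry logins unencrypted.
CLEARTEXT = {"telnet", "http"}
SERVICE_RE = re.compile(r"^set system services (web-management )?(\S+)")
ZONE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+) "
                     r"host-inbound-traffic system-services (\S+)$")

def audit(config_text):
    """Return sorted (scope, service, fix) tuples for cleartext management access."""
    findings = set()
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        zone = ZONE_RE.match(line)
        svc = SERVICE_RE.match(line)
        if zone and zone.group(3) in CLEARTEXT:
            name, ifl, proto = zone.groups()
            fix = (f"delete security zones security-zone {name} interfaces {ifl} "
                   f"host-inbound-traffic system-services {proto}")
            findings.add((f"zone {name}", proto, fix))
        elif svc and svc.group(2) in CLEARTEXT:
            # Delete the whole service stanza rather than a single leaf
            # such as its 'interface' statement.
            fix = f"delete system services {svc.group(1) or ''}{svc.group(2)}"
            findings.add(("system services", svc.group(2), fix))
    return sorted(findings)

if __name__ == "__main__":
    for scope, proto, fix in audit(SAMPLE_CONFIG):
        print(f"[{scope}] cleartext {proto}: {fix}")
```
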

    Some commands for checking the configuration:

    Show interface information:


    Show table information


    Show DHCP lease information:

    A client in Inside receives an IP address from DHCP
    Internet access
    Access to the internal website in the DMZ


    Accessing Web-Management from Inside:
