书签分享收藏举报版权申诉 / 31

立即下载加入VIP,免费下载

当前位置：首页 > 农林牧渔 > 水产渔业 > JuniperSRXVirtualRouter专题.docx

JuniperSRXVirtualRouter专题.docx

文档编号：11462832
上传时间：2023-03-01
格式：DOCX
页数：31
大小：37.86KB

《JuniperSRXVirtualRouter专题.docx》由会员分享，可在线阅读，更多相关《JuniperSRXVirtualRouter专题.docx（31页珍藏版）》请在冰豆网上搜索。

JuniperSRXVirtualRouter专题.docx

JuniperSRXVirtualRouter专题

JuniperSRX防火墙VirtualRouter专题

文档查看须知：

测试环境：

SRX220H

拓扑对应IP:

G-0/0/3：

192.168.3.1/24

G-0/0/4：

192.168.4.1/24

G-0/0/5：

192.168.5.1/24

G-0/0/6：

10.10.30.189/24

F0/1：

192.168.4.2/24

F0/2：

192.168.5.2/24

F0/3:

192.168.100.1/24（模拟遥远互联网）

测试拓扑：

一虚拟路由器（记住来流量入口）；

需求：

外网用户访问防火墙的外网接口3389端口NAT到内网服务器192.168.3.5:

3389，流量按原路返回；

放行所有外网用户到主机192.168.3.5的3389端口；（双线接入）

配置：

setrouting-instancesTelinstance-typevirtual-router

setrouting-instancesTelinterfacege-0/0/4.0

setrouting-instancesTelrouting-optionsinterface-routesrib-groupinetBig-rib

setrouting-instancesTelrouting-optionsstaticroute0.0.0.0/0next-hop192.168.4.2

setrouting-instancesCNCinstance-typevirtual-router

setrouting-instancesCNCinterfacege-0/0/5.0

setrouting-instancesCNCrouting-optionsinterface-routesrib-groupinetBig-rib

setrouting-instancesCNCrouting-optionsstaticroute0.0.0.0/0next-hop192.168.5.2

setinterfacesge-0/0/3unit0familyinetaddress192.168.3.1/24

setinterfacesge-0/0/4unit0familyinetaddress192.168.4.1/24

setinterfacesge-0/0/5unit0familyinetaddress192.168.5.1/24

setinterfacesge-0/0/6unit0familyinetaddress10.10.30.189/24

setrouting-optionsinterface-routesrib-groupinetBig-rib

setrouting-optionsstaticroute10.0.0.0/8next-hop10.10.30.1

setrouting-optionsstaticroute0.0.0.0/0next-hop192.168.4.2

setrouting-optionsstaticroute0.0.0.0/0install

setrouting-optionsstaticroute0.0.0.0/0no-readvertise

setrouting-optionsrib-groupsBig-ribimport-ribinet.0

setrouting-optionsrib-groupsBig-ribimport-ribCNC.inet.0

setrouting-optionsrib-groupsBig-ribimport-ribTel.inet.0

setsecuritynatdestinationpool111address192.168.3.5/32

setsecuritynatdestinationrule-set1fromzoneTel-trust

setsecuritynatdestinationrule-set1rule111matchsource-address0.0.0.0/0

setsecuritynatdestinationrule-set1rule111matchdestination-address192.168.4.1/32

setsecuritynatdestinationrule-set1rule111matchdestination-port3389

setsecuritynatdestinationrule-set1rule111thendestination-natpool111

setsecuritynatdestinationrule-set2fromzoneCNC-trust

setsecuritynatdestinationrule-set2rule222matchsource-address0.0.0.0/0

setsecuritynatdestinationrule-set2rule222matchdestination-address192.168.5.1/32

setsecuritynatdestinationrule-set1rule111matchdestination-port3389

setsecuritynatdestinationrule-set2rule222thendestination-natpool111

setapplicationsapplicationtcp_3389protocoltcp

setapplicationsapplicationtcp_3389destination-port3389

setsecurityzonessecurity-zonetrustaddress-bookaddressH_192.168.3.5192.168.3.5/32

setsecuritypoliciesfrom-zoneTel-trustto-zonetrustpolicydefault-permitmatchsource-addressany

setsecuritypoliciesfrom-zoneTel-trustto-zonetrustpolicydefault-permitmatchdestination-addressH_192.168.3.5

setsecuritypoliciesfrom-zoneTel-trustto-zonetrustpolicydefault-permitmatchapplicationtcp_3389

setsecuritypoliciesfrom-zoneTel-trustto-zonetrustpolicydefault-permitthenpermit

setsecuritypoliciesfrom-zoneCNC-trustto-zonetrustpolicydefault-permitmatchsource-addressany

setsecuritypoliciesfrom-zoneCNC-trustto-zonetrustpolicydefault-permitmatchdestination-addressH_192.168.3.5

setsecuritypoliciesfrom-zoneCNC-trustto-zonetrustpolicydefault-permitmatchapplicationtcp_3389

setsecuritypoliciesfrom-zoneCNC-trustto-zonetrustpolicydefault-permitthenpermit

setsecurityzonessecurity-zonetrusthost-inbound-trafficsystem-servicesall

setsecurityzonessecurity-zonetrusthost-inbound-trafficprotocolsall

setsecurityzonessecurity-zonetrustinterfacesge-0/0/3.0

setsecurityzonessecurity-zoneTel-trusthost-inbound-trafficsystem-servicesall

setsecurityzonessecurity-zoneTel-trusthost-inbound-trafficprotocolsall

setsecurityzonessecurity-zoneTel-trustinterfacesge-0/0/4.0

setsecurityzonessecurity-zoneCNC-trusthost-inbound-trafficsystem-servicesall

setsecurityzonessecurity-zoneCNC-trusthost-inbound-trafficprotocolsall

setsecurityzonessecurity-zoneCNC-trustinterfacesge-0/0/5.0

setsecurityzonessecurity-zoneMGThost-inbound-trafficsystem-servicesall

setsecurityzonessecurity-zoneMGThost-inbound-trafficprotocolsall

setsecurityzonessecurity-zoneMGTinterfacesge-0/0/6.0

验证：

root@SRX-Ipsec-A>showsecurityflowsession

SessionID:

9696,Policyname:

default-permit/5,Timeout:

1794,Valid

In:

192.168.100.211/57408-->192.168.5.1/3389;tcp,If:

ge-0/0/5.0,Pkts:

2,Bytes:

112

Out:

192.168.3.5/3389-->192.168.100.211/57408;tcp,If:

ge-0/0/3.0,Pkts:

1,Bytes:

60

============================================================================

root@SRX-Ipsec-A>showsecurityflowsession

SessionID:

9697,Policyname:

default-permit/4,Timeout:

1796,Valid

In:

192.168.100.211/57409-->192.168.4.1/3389;tcp,If:

ge-0/0/4.0,Pkts:

2,Bytes:

112

Out:

192.168.3.5/3389-->192.168.100.211/57409;tcp,If:

ge-0/0/3.0,Pkts:

1,Bytes:

60

配置解析：

setrouting-instancesTelinstance-typevirtual-router

//创建虚拟VRTel

setrouting-instancesTelinterfacege-0/0/4.0

//把逻辑接口加入虚拟VR

setrouting-instancesTelrouting-optionsinterface-routesrib-groupinetBig-rib

//定义新增的路由表属于路由组“Big-rib”

setrouting-instancesTelrouting-optionsstaticroute0.0.0.0/0next-hop192.168.4.2

//为Tel路由表配置路由

setrouting-instancesCNCinstance-typevirtual-router

setrouting-instancesCNCinterfacege-0/0/5.0

setrouting-instancesCNCrouting-optionsinterface-routesrib-groupinetBig-rib

setrouting-instancesCNCrouting-optionsstaticroute0.0.0.0/0next-hop192.168.5.2

//配置路由表CNC相关信息

setinterfacesge-0/0/3unit0familyinetaddress192.168.3.1/24

setinterfacesge-0/0/4unit0familyinetaddress192.168.4.1/24

setinterfacesge-0/0/5unit0familyinetaddress192.168.5.1/24

setinterfacesge-0/0/6unit0familyinetaddress10.10.30.189/24

//配置逻辑接口的IP地址

setrouting-optionsinterface-routesrib-groupinetBig-rib

//定义路由表组，并把接口路由加入到Big-rib路由组中

setrouting-optionsstaticroute10.0.0.0/8next-hop10.10.30.1

setrouting-optionsstaticroute0.0.0.0/0next-hop192.168.4.2

//配置全局路由表路由信息

setrouting-optionsstaticroute0.0.0.0/0install

//把路由表安装到转发表

setrouting-optionsstaticroute0.0.0.0/0no-readvertise

//

setrouting-optionsrib-groupsBig-ribimport-ribinet.0

setrouting-optionsrib-groupsBig-ribimport-ribCNC.inet.0

setrouting-optionsrib-groupsBig-ribimport-ribTel.inet.0

//导入三张路由表之间的直连路由到路由表组

setsecuritynatdestinationpool111address192.168.3.5/32

//定义目的NAT后的内部服务器的IP地址

setsecuritynatdestinationrule-set1fromzoneTel-trust

setsecuritynatdestinationrule-set1rule111matchsource-address0.0.0.0/0

setsecuritynatdestinationrule-set1rule111matchdestination-address192.168.4.1/32

setsecuritynatdestinationrule-set1rule111matchdestination-port3389

setsecuritynatdestinationrule-set1rule111thendestination-natpool111

//配置ZONETel-trust的目的NAT

setsecuritynatdestinationrule-set2fromzoneCNC-trust

setsecuritynatdestinationrule-set2rule222matchsource-address0.0.0.0/0

setsecuritynatdestinationrule-set2rule222matchdestination-address192.168.5.1/32

setsecuritynatdestinationrule-set1rule111matchdestination-port3389

setsecuritynatdestinationrule-set2rule222thendestination-natpool111

//配置ZONECNC-trust的目的NAT

setapplicationsapplicationtcp_3389protocoltcp

setapplicationsapplicationtcp_3389destination-port3389

setsecurityzonessecurity-zonetrustaddress-bookaddressH_192.168.3.5192.168.3.5/32

//自定义端口和配置地址表

setsecuritypoliciesfrom-zoneTel-trustto-zonetrustpolicydefault-permitmatchsource-addressany

setsecuritypoliciesfrom-zoneTel-trustto-zonetrustpolicydefault-permitmatchdestination-addressH_192.168.3.5

setsecuritypoliciesfrom-zoneTel-trustto-zonetrustpolicydefault-permitmatchapplicationtcp_3389

setsecuritypoliciesfrom-zoneTel-trustto-zonetrustpolicydefault-permitthenpermit

//配置Tel-trust到trust策略

setsecuritypoliciesfrom-zoneCNC-trustto-zonetrustpolicydefault-permitmatchsource-addressany

setsecuritypoliciesfrom-zoneCNC-trustto-zonetrustpolicydefault-permitmatchdestination-addressH_192.168.3.5

setsecuritypoliciesfrom-zoneCNC-trustto-zonetrustpolicydefault-permitmatchapplicationtcp_3389

setsecuritypoliciesfrom-zoneCNC-trustto-zonetrustpolicydefault-permitthenpermit

//配置CNC-trust到trust策略

setsecurityzonessecurity-zonetrusthost-inbound-trafficsystem-servicesall

setsecurityzonessecurity-zonetrusthost-inbound-trafficprotocolsall

setsecurityzonessecurity-zonetrustinterfacesge-0/0/3.0

setsecurityzonessecurity-zoneTel-trusthost-inbound-trafficsystem-servicesall

setsecurityzonessecurity-zoneTel-trusthost-inbound-trafficprotocolsall

setsecurityzonessecurity-zoneTel-trustinterfacesge-0/0/4.0

setsecurityzonessecurity-zoneCNC-trusthost-inbound-trafficsystem-servicesall

setsecurityzonessecurity-zoneCNC-trusthost-inbound-trafficprotocolsall

setsecurityzonessecurity-zoneCNC-trustinterfacesge-0/0/5.0

setsecurityzonessecurity-zoneMGThost-inbound-trafficsystem-servicesall

setsecurityzonessecurity-zoneMGThost-inbound-trafficprotocolsall

setsecurityzonessecurity-zoneMGTinterfacesge-0/0/6.0

//定义逻辑接口到ZONE，并开放所有的协议及服务来访问防火墙的直连接口

二虚拟路由器（多链路负载冗余）；

需求：

内网用户访问端口22.3389.8080,走电信，其他所有流量走CNC；

所有内网访问外网的流量NAT为对应外网接口IP地址；

实现负载冗余的功能；

放行所有服务；（双线接入）

配置：

setrouting-instancesTelinstance-typevirtual-router

setrouting-instancesTelinterfacege-0/0/4.0

setrouting-instancesTelrouting-optionsinterface-routesrib-groupinetBig-rib

setrouting-instancesTelrouting-optionsstaticroute0.0.0.0/0next-hop19

文档加载中……请稍候！
如果长时间未打开，您也可以点击刷新试试。

下载文档到电脑，查找使用更方便

下载	加入VIP,免费下载

版权申诉 word格式文档无特别注明外均可编辑修改；预览文档经过压缩，下载后原文更清晰！ 立即下载

配套讲稿：: 如PPT文件的首页显示word图标，表示该PPT已包含配套word讲稿。双击word图标可打开word文档。
特殊限制：: 部分文档作品中含有的国旗、国徽等图片，仅作为作品整体效果示例展示，禁止商用。设计者仅对作品中独创性部分享有著作权。
关键词：: JuniperSRXVirtualRouter 专题

冰豆网所有资源均是用户自行上传分享，仅供网友学习交流，未经上传用户书面授权，请勿作他用。

关于本文

本文标题：JuniperSRXVirtualRouter专题.docx
链接地址：https://www.bdocx.com/doc/11462832.html

JuniperSRXVirtualRouter专题.docx

热门标签