Netscreen/Juniper Firewall VPN Configuration Notes (NetscreenJuniper防火墙VPN配置说明.docx)
- Document no.: 9321794
- Uploaded: 2023-02-04
- Format: DOCX
- Pages: 31
- Size: 20.53KB
Netscreen/Juniper Firewall VPN Configuration Notes
Contents
1. Overview
2. Device models and connections
2.1. Device models
3. Requirements
4. Configuration
4.1. Netscreen 208 configuration
4.2. Netscreen 50B configuration (Guoyan data center)
4.3. Netscreen 5GT configuration (office network)
5. Configuration appendix
5.1. Netscreen 208
5.2. Netscreen 50B
5.3. Netscreen 5GT
1. Overview
This document covers the following for the firewalls in the Guoyan data center (国研机房) and the office network:
- device models
- installation and configuration
- the policies applied
- the VPN connections
2. Device models and connections
2.1. Device models
Complete list of the company's firewalls:

Device / model                  Qty   Role
Netscreen 208 network firewall  1     IDC main filtering firewall
Netscreen 50B network firewall  2     IDC / office-side VPN endpoints
Netscreen 5GT network firewall  2     office-network VPN endpoints

Firewalls used for the data-center link:

Device / model                  Qty   Role
Netscreen 208 network firewall  1     IDC main filtering firewall
Netscreen 50B network firewall  1     IDC
Netscreen 5GT network firewall  1     office-network VPN endpoint
3. Requirements
The firewalls serve two main purposes:
1. Publishing the internal web servers to the outside (port mappings) and controlling outbound access from the IDC servers.
2. VPN interconnection.
In the list above, the Netscreen 208 publishes the web servers and controls outbound access from the IDC servers; the 50B handles the VPN link to the 5GT in the office network.
4. Configuration
4.1. Netscreen 208 configuration
Port mappings (VIPs; a "+" adds a further port to a VIP address that already exists):
set interface ethernet1 vip 211.144.149.11 25 "MAIL" 172.16.12.8       # map port 25
set interface ethernet1 vip 211.144.149.11 + 80 "HTTP" 172.16.12.8     # map port 80
set interface ethernet1 vip 211.144.149.11 + 110 "POP3" 172.16.12.8    # map port 110
set interface ethernet1 vip 211.144.149.12 80 "HTTP" 172.16.1.21       # map port 80, web site
set interface ethernet1 vip 211.144.149.13 80 "HTTP" 172.16.1.23       # map port 80, web site
set interface ethernet1 vip 211.144.149.14 80 "HTTP" 172.16.4.14       # map port 80, web site
Policies (a "set policy id N" ... "exit" block adds services or addresses to the policy created on the "set policy id N from ..." line):
set policy id 1 name "webnat" from "Trust" to "Untrust" "172.16.1.1/25" "Any" "HTTP" permit
set policy id 1
set service "ICMP-ANY"
exit
# Outbound HTTP (80) and ICMP for the internal range 172.16.1.1/25
set policy id 3 name "smtp" from "Trust" to "Untrust" "network" "Any" "ANY" permit
set policy id 3
set src-address "network2"
set src-address "smtp"
exit
# Unrestricted outbound access for the management server "network" (172.16.12.9), "network2" (172.16.12.10) and the mail server "smtp" (172.16.12.8); the address objects are defined in 5.1
set policy id 5 from "Untrust" to "Global" "Any" "VIP(211.144.149.11)" "HTTP" permit log
set policy id 5
set service "POP3"
set service "SMTP"
exit
# Allow external access to the mail/web services on VIP 211.144.149.11 (HTTP, plus POP3 and SMTP added in the block), logged
set policy id 6 from "Untrust" to "Global" "Any" "VIP(211.144.149.12)" "HTTP" permit log
set policy id 6
exit
# Allow external access to the web service on VIP 211.144.149.12, logged
set policy id 7 from "Untrust" to "Global" "Any" "VIP(211.144.149.13)" "HTTP" permit
set policy id 7
exit
# Allow external access to the web service on VIP 211.144.149.13 (not logged, unlike policies 6 and 8)
set policy id 8 from "Untrust" to "Global" "Any" "VIP(211.144.149.14)" "HTTP" permit log
set policy id 8
exit
# Allow external access to the web service on VIP 211.144.149.14, logged
set policy id 9 from "Trust" to "Untrust" "172.16.4.14/32" "Any" "HTTP" permit
set policy id 9
exit
# Not in effect for now
set policy id 10 from "Trust" to "Untrust" "172.16.1.25" "211.144.158.218/32" "ANY" permit
set policy id 10
exit
# Not in effect for now
set policy id 11 from "Untrust" to "Global" "211.144.158.218/32" "MIP(211.144.149.6)" "ANY" permit
set policy id 11
exit
# Not in effect for now; to be used later for the primary/secondary DNS servers. Note that none of policies 9 to 11 carries a "disable" in the appendix, so they remain in the active rule base.
set policy id 12 name "deny" from "Untrust" to "Trust" "203.196.128.49/32" "Any" "ANY" deny log
set policy id 12
exit
# Deny and log all traffic from 203.196.128.49 into the Trust zone
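The following is an added Python example, not part of the original document: it parses the VIP, MIP and policy commands of this section and joins them into a map of what the Internet can actually reach. A VIP entry by itself exposes nothing; a port is open only when a permit policy from zone Untrust names the VIP and a service whose port the VIP maps, and the "set policy id N" ... "exit" sub-block can add further services or source addresses to that policy. The sample input is constructed from the commands above with spacing restored; the service-to-port table is an assumption about the predefined ScreenOS service names, and policy 8 is deliberately omitted so the "mapped but not permitted" check has something to report.

```python
import shlex
from collections import defaultdict

# Constructed input: VIP, MIP and policy commands copied from section 4.1
# (spacing restored). Policy 8, which permits VIP 211.144.149.14, is left
# out on purpose so that the "mapped but not permitted" check has a hit.
SAMPLE_CONFIG = """\
set interface ethernet1 vip 211.144.149.11 25 "MAIL" 172.16.12.8
set interface ethernet1 vip 211.144.149.11 + 80 "HTTP" 172.16.12.8
set interface ethernet1 vip 211.144.149.11 + 110 "POP3" 172.16.12.8
set interface ethernet1 vip 211.144.149.12 80 "HTTP" 172.16.1.21
set interface ethernet1 vip 211.144.149.14 80 "HTTP" 172.16.4.14
set interface "ethernet1" mip 211.144.149.6 host 172.16.1.25 netmask 255.255.255.255 vr "trust-vr"
set policy id 5 from "Untrust" to "Global" "Any" "VIP(211.144.149.11)" "HTTP" permit log
set policy id 5
set service "POP3"
set service "SMTP"
exit
set policy id 6 from "Untrust" to "Global" "Any" "VIP(211.144.149.12)" "HTTP" permit log
set policy id 6
exit
set policy id 11 from "Untrust" to "Global" "211.144.158.218/32" "MIP(211.144.149.6)" "ANY" permit
set policy id 11
exit
set policy id 12 name "deny" from "Untrust" to "Trust" "203.196.128.49/32" "Any" "ANY" deny log
set policy id 12
exit
"""

# Assumed ports of the predefined ScreenOS services used on the page.
SERVICE_PORTS = {"MAIL": 25, "SMTP": 25, "HTTP": 80, "POP3": 110, "ANY": "*"}


def parse_config(text):
    """Return (vips, mips, policies):
    vips {external_ip: {port: (service, internal_host)}}, mips {external_ip: host},
    policies {id: {...}} with the services/addresses that the
    'set policy id N' ... 'exit' sub-block adds merged in."""
    vips, mips, policies = defaultdict(dict), {}, {}
    current = None  # policy id while inside a 'set policy id N' ... 'exit' block
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if tok == ["exit"]:
            current = None
        elif tok[:2] == ["set", "interface"] and tok[3:4] == ["vip"]:
            rest = [t for t in tok[4:] if t != "+"]  # '+' appends a port to an existing VIP
            vips[rest[0]][int(rest[1])] = (rest[2], rest[3])
        elif tok[:2] == ["set", "interface"] and tok[3:4] == ["mip"]:
            mips[tok[4]] = tok[tok.index("host") + 1]
        elif tok[:3] == ["set", "policy", "id"] and "from" in tok:
            i = tok.index("from")
            policies[int(tok[3])] = {
                "name": tok[5] if tok[4] == "name" else "",
                "from": tok[i + 1], "to": tok[i + 3],
                "src": {tok[i + 4]}, "dst": {tok[i + 5]}, "svc": {tok[i + 6]},
                "action": tok[i + 7], "log": "log" in tok[i + 8:],
            }
        elif tok[:3] == ["set", "policy", "id"]:
            current = int(tok[3])  # following set service/src-address lines extend it
        elif current is not None and tok[:1] == ["set"]:
            key = {"service": "svc", "src-address": "src", "dst-address": "dst"}[tok[1]]
            policies[current][key].add(tok[2])
    return vips, mips, policies


def exposure_map(text):
    """(external_ip, port, internal_host, policy_id, permitted_sources) for every
    VIP/MIP port that a permit policy from zone Untrust actually opens."""
    vips, mips, policies = parse_config(text)
    exposed = []
    for pid, p in sorted(policies.items()):
        if p["from"] != "Untrust" or p["action"] != "permit":
            continue
        src = ",".join(sorted(p["src"]))
        for dst in p["dst"]:
            kind, _, ext = dst.partition("(")
            ext = ext.rstrip(")")
            for svc in sorted(p["svc"]):
                port = SERVICE_PORTS.get(svc)
                if kind == "VIP" and port in vips.get(ext, {}):
                    exposed.append((ext, port, vips[ext][port][1], pid, src))
                elif kind == "MIP" and ext in mips:
                    exposed.append((ext, port, mips[ext], pid, src))
    return exposed


def unreferenced_vips(text):
    """VIP entries that no Untrust policy permits: mapped, but not reachable."""
    vips = parse_config(text)[0]
    reachable = {(e, port) for e, port, *_ in exposure_map(text)}
    return sorted((e, port) for e in vips for port in vips[e] if (e, port) not in reachable)


if __name__ == "__main__":
    for ext, port, host, pid, src in exposure_map(SAMPLE_CONFIG):
        print(f"{ext}:{port} -> {host}  (policy {pid}, from {src})")
    print("mapped but not permitted:", unreferenced_vips(SAMPLE_CONFIG))
```

Run against the real "get config" output, the exposure map is the list to compare against the change records: the MIP line for policy 11 shows as port "*" from a single source address, which is what a service of "ANY" means there, and anything in the unreferenced list is a mapping that can be removed rather than left waiting for a policy.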
4.2. Netscreen 50B configuration (Guoyan data center)
The 50B is used for the VPN link to the office network, so its configuration is mostly VPN policy.
The detailed configuration is fairly involved; only the configuration file is given, in the appendix.
4.3. Netscreen 5GT configuration (office network)
The 5GT is used for the VPN link to the Guoyan data center, so its configuration is mostly VPN policy.
The detailed configuration is fairly involved; only the configuration file is given, in the appendix.
5. Configuration appendix
5.1. Netscreen 208
set clock timezone 7
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "8080" protocol tcp src-port 0-65535 dst-port 8080-8080
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "testadmin"
set admin password "nGV2PirHHhcNcrOM9sTB+rJt/6OPrn"
set admin port 8000
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
unset zone "Untrust" screen tear-drop
unset zone "Untrust" screen syn-flood
unset zone "Untrust" screen ping-death
unset zone "Untrust" screen ip-filter-src
unset zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set zone "Untrust" screen limit-session source-ip-based 1000
set zone "Untrust" screen limit-session destination-ip-based 1000
set zone "Untrust" screen syn-ack-ack threshold 1000
set interface "ethernet1" zone "Untrust"
set interface "ethernet2" zone "Trust"
set interface "ethernet3" zone "Untrust"
unset interface vlan1 ip
set interface ethernet1 ip 211.144.149.2/25
set interface ethernet1 route
set interface ethernet2 ip 172.16.1.2/24
set interface ethernet2 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1 ip manageable
set interface ethernet2 ip manageable
set interface ethernet1 manage ssh
set interface ethernet1 manage ssl
set interface ethernet1 vip 211.144.149.11 25 "MAIL" 172.16.12.8
set interface ethernet1 vip 211.144.149.11 + 80 "HTTP" 172.16.12.8
set interface ethernet1 vip 211.144.149.11 + 110 "POP3" 172.16.12.8
set interface ethernet1 vip 211.144.149.12 80 "HTTP" 172.16.1.21
set interface ethernet1 vip 211.144.149.13 80 "HTTP" 172.16.1.23
set interface ethernet1 vip 211.144.149.14 80 "HTTP" 172.16.4.14
set interface "ethernet1" mip 211.144.149.6 host 172.16.1.25 netmask 255.255.255.255 vr "trust-vr"
unset flow no-tcp-seq-check
set flow tcp-syn-check
set address "Trust" "172.16.1.1/25" 172.16.1.1 255.255.255.128
set address "Trust" "172.16.1.25" 172.16.1.25 255.255.255.255
set address "Trust" "172.16.12.0/24" 172.16.12.0 255.255.255.0
set address "Trust" "172.16.4.14/32" 172.16.4.14 255.255.255.255
set address "Trust" "bbs" 172.16.4.14 255.255.255.255
set address "Trust" "network" 172.16.12.9 255.255.255.255
set address "Trust" "network2" 172.16.12.10 255.255.255.255
set address "Trust" "smtp" 172.16.12.8 255.255.255.255
set address "Untrust" "203.196.128.49/32" 203.196.128.49 255.255.255.255
set address "Untrust" "211.144.158.218/32" 211.144.158.218 255.255.255.255
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol websense
exit
set policy id 1 name "webnat" from "Trust" to "Untrust" "172.16.1.1/25" "Any" "HTTP" permit
set policy id 1
set service "ICMP-ANY"
exit
set policy id 3 name "smtp" from "Trust" to "Untrust" "network" "Any" "ANY" permit
set policy id 3
set src-address "network2"
set src-address "smtp"
exit
set policy id 5 from "Untrust" to "Global" "Any" "VIP(211.144.149.11)" "HTTP" permit log
set policy id 5
set service "POP3"
set service "SMTP"
exit
set policy id 6 from "Untrust" to "Global" "Any" "VIP(211.144.149.12)" "HTTP" permit log
set policy id 6
exit
set policy id 7 from "Untrust" to "Global" "Any" "VIP(211.144.149.13)" "HTTP" permit
set policy id 7
exit
set policy id 8 from "Untrust" to "Global" "Any" "VIP(211.144.149.14)" "HTTP" permit log
set policy id 8
exit
set policy id 9 from "Trust" to "Untrust" "172.16.4.14/32" "Any" "HTTP" permit
set policy id 9
exit
set policy id 10 from "Trust" to "Untrust" "172.16.1.25" "211.144.158.218/32" "ANY" permit
set policy id 10
exit
set policy id 11 from "Untrust" to "Global" "211.144.158.218/32" "MIP(211.144.149.6)" "ANY" permit
set policy id 11
exit
set policy id 12 name "deny" from "Untrust" to "Trust" "203.196.128.49/32" "Any" "ANY" deny log
set policy id 12
exit
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set syslog config "172.16.12.9"
set syslog config "172.16.12.9" facilities local0 local0
set syslog src-interface ethernet2
set syslog enable
unset log module system level notification destination syslog
unset log module system level information destination syslog
unset log module system level debugging destination syslog
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set config lock timeout 5
set snmp community "testsnmp" Read-Write Trap-on traffic version v2c
set snmp host "testsnmp" 172.16.12.9 255.255.255.255 src-interface ethernet2 trap v2
set snmp host "testsnmp" 192.168.21.102 255.255.255.255 src-interface ethernet2 trap v2
set snmp name "uns208"
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 172.16.12.0/24 interface ethernet2 gateway 172.16.1.1 preference 20
set route 0.0.0.0/0 interface ethernet1 gateway 211.144.149.1 preference 20
set route 192.168.0.0/16 interface ethernet2 gateway 172.16.1.3 preference 20
set route 172.16.4.14/32 interface ethernet2 gateway 172.16.1.1 preference 20
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
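The appendix above contains several settings a reviewer would want flagged before this configuration is reused: the SCREEN protections (syn-flood, tear-drop, ping-death, land, ip-filter-src) are switched off on zone Untrust and switched on only on V1-Untrust, which is the Layer 2 (transparent-mode) zone and has no interface bound to it here, so on this box they protect nothing; ethernet1, which carries the public address 211.144.149.2 in zone Untrust, has SSH and SSL management enabled; and the SNMP community is Read-Write over v2c. The following is an added Python check, not part of the original document, that finds these patterns in a ScreenOS configuration and prints the command that closes each one. The sample input is constructed from the 5.1 lines the checks look at; the remediation commands are standard ScreenOS syntax, and the suggested Read-Only community line is the page's own line with the permission changed (unset the existing community first if the device rejects a duplicate name).

```python
import shlex
from collections import defaultdict

# Constructed input: the zone, interface, management and SNMP lines of the
# Netscreen 208 appendix (section 5.1), trimmed to what the checks look at.
SAMPLE_CONFIG = """\
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "Untrust" block
unset zone "Untrust" screen tear-drop
unset zone "Untrust" screen syn-flood
unset zone "Untrust" screen ping-death
unset zone "Untrust" screen ip-filter-src
unset zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set zone "Untrust" screen limit-session source-ip-based 1000
set interface "ethernet1" zone "Untrust"
set interface "ethernet2" zone "Trust"
set interface "ethernet3" zone "Untrust"
set interface ethernet1 ip 211.144.149.2/25
set interface ethernet2 ip 172.16.1.2/24
set interface ethernet1 ip manageable
set interface ethernet2 ip manageable
set interface ethernet1 manage ssh
set interface ethernet1 manage ssl
set snmp community "testsnmp" Read-Write Trap-on traffic version v2c
set snmp host "testsnmp" 172.16.12.9 255.255.255.255 src-interface ethernet2 trap v2
"""


def audit(text):
    """Return (finding, fix) tuples; fix is the ScreenOS command, or the
    action, that closes the finding."""
    iface_zone = {}                  # interface -> zone
    screens_off = defaultdict(set)   # zone -> SCREEN options explicitly unset
    screens_on = defaultdict(set)    # zone -> SCREEN options set
    manage = defaultdict(set)        # interface -> management services enabled
    rw_communities = []              # (community, original line)
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if len(tok) < 5:             # every line we care about has at least 5 tokens
            continue
        verb, obj, name, what = tok[:4]
        if obj == "zone" and what == "screen":
            (screens_off if verb == "unset" else screens_on)[name].add(tok[4])
        elif verb == "set" and obj == "interface" and what == "zone":
            iface_zone[name] = tok[4]
        elif verb == "set" and obj == "interface" and what == "manage":
            manage[name].add(tok[4])
        elif verb == "set" and obj == "snmp" and name == "community" and "Read-Write" in tok:
            rw_communities.append((what, raw))
    used_zones = set(iface_zone.values())
    findings = []
    # 1. Protections removed from a zone that has interfaces in it.
    for zone, screens in sorted(screens_off.items()):
        if zone in used_zones:
            for s in sorted(screens):
                findings.append((f"SCREEN {s} disabled on zone {zone}",
                                 f'set zone "{zone}" screen {s}'))
    # 2. Protections set only on a zone with no interface bound: they apply to nothing.
    for zone, screens in sorted(screens_on.items()):
        if zone not in used_zones:
            findings.append((f"SCREEN {', '.join(sorted(screens))} set on zone {zone}, "
                             "which has no interface bound",
                             "re-apply them on the zone the interfaces are actually in"))
    # 3. Management protocols enabled on an Untrust-facing interface.
    for iface, services in sorted(manage.items()):
        if iface_zone.get(iface) == "Untrust":
            for s in sorted(services):
                findings.append((f"management {s} enabled on {iface} (zone Untrust)",
                                 f"unset interface {iface} manage {s}"))
    # 4. Read-write SNMP community.
    for community, raw in rw_communities:
        findings.append((f"SNMP community {community} is Read-Write",
                         raw.replace("Read-Write", "Read-Only")))
    return findings


if __name__ == "__main__":
    for finding, fix in audit(SAMPLE_CONFIG):
        print(f"{finding}\n    fix: {fix}")
```

The check keys off the interface-to-zone binding rather than zone names, so it also catches the reverse mistake (an interface moved into a zone whose SCREEN options were never set) and it stays quiet for management enabled on a Trust-side interface such as ethernet2.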
5.2. Netscreen 50B
set clock timezone 7
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "5222" protocol tcp src-port 0-65535 dst-port 5222-5222
set service "6664" protocol tcp src-port 0-65535 dst-port 6664-6664
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "testadmin"
set admin password "nGV2PirHHhcNcrOM9sTB+rJt/6OPrn"
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "t