Overview:
Diagram:
Requirements:
I. Basic configuration:
1.1 Configure the root password:
1.2 Configure the hostname:
1.3 Configure the login banner:
1.4 Configure the timezone:
1.5 Configure the name servers:
1.6 Create an admin user:
II. Enable services:
2.1 SSH, TELNET
2.2 WEB MANAGEMENT
2.3 Configure DHCP for Inside clients:
III. Configure IP addresses:
IV. Configure PPPoE:
V. Configure the default route:
VI. Configure Dynamic NAT:
VII. Configure Static NAT:
VIII. Configure zones:
8.1 Inside zone:
8.2 DMZ zone:
8.3 Outside zone:
IX. Configure policies:
9.1 Inside to Outside
9.2 Inside to WEB
9.3 Outside to WEB
Diagram:
Requirements:
+Configure the Juniper SRX as the WAN router (running PPPoE)
+Dynamic NAT so that Inside and DMZ can reach the Internet
+Static NAT so that outside hosts can reach the Web Server over HTTP
I. Basic configuration:
1.1 Configure the root password:
set system root-authentication plain-text-password
New password: xxxxxx
Retype new password: xxxxxx
1.2 Configure the hostname:
set system host-name hcm-svuit-vsrx
1.3 Configure the login banner:
set system login message "Welcome to SVUIT.\n Lab Juniper SRX\n"
1.4 Configure the timezone:
set system time-zone GMT+7
1.5 Configure the name servers:
set system name-server 8.8.8.8
set system name-server 4.2.2.2
1.6 Create an admin user:
set system login user svuit uid 2000
set system login user svuit class super-user
set system login user svuit authentication plain-text-password
New password: xxxxxx
Retype new password: xxxxxx
Note: here I create the user svuit with full administrative rights (the super-user class, equivalent to the root user).
II. Enable services:
2.1 SSH, TELNET
set system services ssh
set system services telnet
2.2 WEB MANAGEMENT
Allow access to web-management only through interface ge-0/0/1.0 (i.e. only from Inside):
set system services web-management http interface ge-0/0/1.0
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/1.0
set system services web-management session idle-timeout 60
2.3 Configure DHCP for Inside clients:
Configure the clients in Inside to obtain their addresses by DHCP from the Juniper SRX:
set system services dhcp pool 10.1.1.0/24 address-range low 10.1.1.192 high 10.1.1.250
set system services dhcp pool 10.1.1.0/24 name-server 8.8.8.8
set system services dhcp pool 10.1.1.0/24 name-server 4.2.2.2
set system services dhcp pool 10.1.1.0/24 router 10.1.1.1
III. Configure IP addresses:
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.1/24
set interfaces ge-0/0/2 unit 0 family inet address 10.2.2.1/24
Note: interface ge-0/0/0 is used for PPPoE and must not be assigned an IP address.
If an IP address has already been assigned to it, it must be deleted first…
IV. Configure PPPoE:
(The first line clones a MAC address onto ge-0/0/0; configure it only if you use FPT Internet.)
set interfaces ge-0/0/0 mac aa:bb:cc:dd:ee:ff
set interfaces ge-0/0/0 unit 0 encapsulation ppp-over-ether
set interfaces pp0 traceoptions flag all
set interfaces pp0 unit 0 point-to-point
set interfaces pp0 unit 0 ppp-options pap default-password svuit_com
set interfaces pp0 unit 0 ppp-options pap local-password svuit_com
set interfaces pp0 unit 0 ppp-options pap local-name sgdsl-123456-123
set interfaces pp0 unit 0 ppp-options pap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/0.0
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 no-keepalives
set interfaces pp0 unit 0 family inet mtu 1492
set interfaces pp0 unit 0 family inet negotiate-address
V. Configure the default route:
The default route points at the PPPoE logical interface pp0.0 (the peer address is negotiated, so no next-hop IP is given):
set routing-options static route 0.0.0.0/0 next-hop pp0.0 metric 0
VI. Configure Dynamic NAT:
Configure Dynamic NAT (interface-based source NAT) so that Inside and DMZ can reach the Internet:
set security nat source rule-set NAT_Outside from zone Inside
set security nat source rule-set NAT_Outside from zone DMZ
set security nat source rule-set NAT_Outside to zone Outside
set security nat source rule-set NAT_Outside rule src-interface match source-address 0.0.0.0/0
set security nat source rule-set NAT_Outside rule src-interface match destination-address 0.0.0.0/0
set security nat source rule-set NAT_Outside rule src-interface then source-nat interface
VII. Configure Static NAT:
Configure Static NAT (implemented here as a Junos destination-NAT rule-set) so that outside hosts can reach the Web server in the DMZ zone over HTTP; 100.100.100.100 stands for the public address on the PPPoE side:
set security nat destination pool WEBSERVER address 10.2.2.200/32 port 80
set security nat destination rule-set Web_NAT from zone Outside
set security nat destination rule-set Web_NAT rule Rule_Web_NAT match source-address 0.0.0.0/0
set security nat destination rule-set Web_NAT rule Rule_Web_NAT match destination-address 100.100.100.100/32
set security nat destination rule-set Web_NAT rule Rule_Web_NAT match destination-port 80
set security nat destination rule-set Web_NAT rule Rule_Web_NAT then destination-nat pool WEBSERVER
VIII. Configure zones:
8.1 Inside zone:
Create the Inside zone, bind interface ge-0/0/1.0 to it, and allow only ping, dhcp, http, https, ssh and telnet as host-inbound traffic:
set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp
set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services http
set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services https
set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services telnet
8.2 DMZ zone:
Create the DMZ zone, bind interface ge-0/0/2.0 to it, and allow only ping, http, https, ssh and telnet as host-inbound traffic:
set security zones security-zone DMZ interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
set security zones security-zone DMZ interfaces ge-0/0/2.0 host-inbound-traffic system-services http
set security zones security-zone DMZ interfaces ge-0/0/2.0 host-inbound-traffic system-services https
set security zones security-zone DMZ interfaces ge-0/0/2.0 host-inbound-traffic system-services ssh
set security zones security-zone DMZ interfaces ge-0/0/2.0 host-inbound-traffic system-services telnet
8.3 Outside zone:
Create the Outside zone and bind interfaces ge-0/0/0.0 and pp0.0 (the PPPoE interface) to it. No host-inbound services are allowed on this zone, so the SRX itself does not answer management requests from the Internet.
Note: each interface can belong to only one zone, and ge-0/0/0.0 is bound to the untrust zone by default,
so you must remove ge-0/0/0.0 from the untrust zone before binding it to the Outside zone.
delete security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone Outside interfaces pp0.0
set security zones security-zone Outside interfaces ge-0/0/0.0
By default the following zones and policies already exist:
root> show security zones
Security zone: trust
  Send reset for non-SYN session TCP packets: On
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:

Security zone: untrust
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Screen: untrust-screen
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0

Security zone: junos-host
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:

root> show security policies
Default policy: deny-all
From zone: trust, To zone: trust
  Policy: default-permit, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: trust, To zone: untrust
  Policy: default-permit, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: untrust, To zone: trust
  Policy: default-deny, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: deny
IX. Configure policies:
9.1 Inside to Outside
Create a policy allowing access from Inside to Outside:
set security policies from-zone Inside to-zone Outside policy Inside_Outside match source-address any
set security policies from-zone Inside to-zone Outside policy Inside_Outside match destination-address any
set security policies from-zone Inside to-zone Outside policy Inside_Outside match application any
set security policies from-zone Inside to-zone Outside policy Inside_Outside then permit
9.2 Inside to WEB
Create a policy allowing HTTP and HTTPS access from Inside into the DMZ:
set security policies from-zone Inside to-zone DMZ policy Web_Inside_DMZ match source-address any
set security policies from-zone Inside to-zone DMZ policy Web_Inside_DMZ match destination-address any
set security policies from-zone Inside to-zone DMZ policy Web_Inside_DMZ match application junos-http
set security policies from-zone Inside to-zone DMZ policy Web_Inside_DMZ match application junos-https
set security policies from-zone Inside to-zone DMZ policy Web_Inside_DMZ then permit
9.3 Outside to WEB
Create a policy allowing HTTP and HTTPS access from Outside to the Web Server in the DMZ. Destination NAT runs before the policy lookup, so the policy is matched against the translated address (10.2.2.200), which is why destination-address any is sufficient here while the application match keeps the exposure limited to web traffic:
set security policies from-zone Outside to-zone DMZ policy Web_Outside_DMZ match source-address any
set security policies from-zone Outside to-zone DMZ policy Web_Outside_DMZ match destination-address any
set security policies from-zone Outside to-zone DMZ policy Web_Outside_DMZ match application junos-http
set security policies from-zone Outside to-zone DMZ policy Web_Outside_DMZ match application junos-https
set security policies from-zone Outside to-zone DMZ policy Web_Outside_DMZ then permit
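The zone, NAT and policy sections above each carry a security decision: which host-inbound services a zone accepts, and whether a policy from the NAT-exposed Outside zone is narrowed to an application. The script below is an added example, not part of the original post and not Juniper's tooling: it parses a Junos set-style configuration (a constructed copy of this lab's commands, with two deliberately weak lines added so the audit has something to report) and flags management services reachable from Outside, permit-any policies from a destination-NAT source zone, and cleartext management services. Zone and object names (Outside, DMZ, WEBSERVER, Web_NAT) come from the page; the policy Any_Outside_DMZ and all function names are this example's own.

```python
"""Audit a Junos 'set'-style configuration for the exposure points in this lab.
Added example; the checks and helper names are this script's own, not Junos features.
"""
from collections import defaultdict

# Constructed input: a subset of the page's commands, plus two deliberately
# weak lines (ssh accepted on the Outside zone, and a permit-any policy
# Any_Outside_DMZ) that a correct audit must flag.
SAMPLE_CONFIG = """
set system services ssh
set system services telnet
set system services web-management http interface ge-0/0/1.0
set security nat destination pool WEBSERVER address 10.2.2.200/32 port 80
set security nat destination rule-set Web_NAT from zone Outside
set security nat destination rule-set Web_NAT rule Rule_Web_NAT then destination-nat pool WEBSERVER
set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
set security zones security-zone Outside interfaces pp0.0
set security zones security-zone Outside interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security policies from-zone Outside to-zone DMZ policy Web_Outside_DMZ match application junos-http
set security policies from-zone Outside to-zone DMZ policy Web_Outside_DMZ match application junos-https
set security policies from-zone Outside to-zone DMZ policy Web_Outside_DMZ then permit
set security policies from-zone Outside to-zone DMZ policy Any_Outside_DMZ match application any
set security policies from-zone Outside to-zone DMZ policy Any_Outside_DMZ then permit
set security policies from-zone Inside to-zone Outside policy Inside_Outside match application any
set security policies from-zone Inside to-zone Outside policy Inside_Outside then permit
"""

MGMT_SERVICES = {"ssh", "telnet", "http", "https"}   # device management planes
CLEARTEXT = {"telnet", "http"}                        # unencrypted management protocols


def parse_set_lines(text):
    """Return the token lists of every 'set ...' line, with the leading 'set' dropped."""
    return [line.split()[1:] for line in (l.strip() for l in text.splitlines())
            if line.startswith("set ")]


def zone_inbound_services(cmds):
    """Map zone name -> set of host-inbound system-services enabled on any of its interfaces."""
    out = defaultdict(set)
    for t in cmds:
        if t[:3] == ["security", "zones", "security-zone"] and "system-services" in t:
            out[t[3]].add(t[t.index("system-services") + 1])
    return dict(out)


def policies(cmds):
    """Map (from_zone, to_zone, policy) -> {'applications': set, 'action': str or None}."""
    out = defaultdict(lambda: {"applications": set(), "action": None})
    for t in cmds:
        if t[:3] == ["security", "policies", "from-zone"] and len(t) > 8:
            key = (t[3], t[5], t[7])          # from-zone X to-zone Y policy NAME
            rest = t[8:]
            if rest[:2] == ["match", "application"]:
                out[key]["applications"].add(rest[2])
            elif rest[:1] == ["then"]:
                out[key]["action"] = rest[1]
    return dict(out)


def destination_nat_from_zones(cmds):
    """Zones that are the 'from zone' of a destination-NAT rule-set (i.e. where NAT'd traffic enters)."""
    return {t[7] for t in cmds
            if t[:4] == ["security", "nat", "destination", "rule-set"]
            and len(t) > 7 and t[5:7] == ["from", "zone"]}


def audit(text):
    """Return a list of human-readable findings for the given set-style config."""
    cmds = parse_set_lines(text)
    findings = []

    # 1. Management services the SRX itself answers on the Internet-facing zone.
    for zone, svcs in zone_inbound_services(cmds).items():
        exposed = sorted(svcs & MGMT_SERVICES)
        if zone == "Outside" and exposed:
            findings.append(f"zone {zone} accepts management services: {exposed}")

    # 2. A permit-any policy from a zone that feeds destination NAT exposes more
    #    than the translated port (the page's Web_Outside_DMZ correctly restricts it).
    nat_zones = destination_nat_from_zones(cmds)
    for (src, dst, name), p in policies(cmds).items():
        if src in nat_zones and p["action"] == "permit" and "any" in p["applications"]:
            findings.append(f"policy {name} ({src}->{dst}) permits application any from a NAT-exposed zone")

    # 3. Cleartext management services enabled anywhere on the device.
    for t in cmds:
        if t[:2] == ["system", "services"] and len(t) >= 3:
            svc = t[3] if t[2] == "web-management" and len(t) >= 4 else t[2]
            if svc in CLEARTEXT:
                findings.append(f"cleartext management service enabled: {svc}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the page's real configuration (for example the output of `show configuration | display set`, saved to a file and read into `audit`), the first two checks should report nothing, because the Outside zone has no host-inbound services and Web_Outside_DMZ only permits junos-http and junos-https; the third check will still list telnet and the http web-management listener, which are the cleartext services this lab enables on the Inside side.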