Overview:
Diagram:
Requirements:
I. Basic configuration:
1.1 Set the root password:
1.2 Set the hostname:
1.3 Set the login banner:
1.4 Set the time zone:
1.5 Set the name servers:
1.6 Create an administrative user:
II. Enable services:
2.1 SSH, TELNET
2.2 WEB MANAGEMENT
2.3 DHCP for the Inside clients:
III. Assign IP addresses:
IV. Configure PPPoE:
V. Configure the default route:
VI. Configure Dynamic NAT:
VII. Configure Static NAT:
VIII. Configure zones:
8.1 Zone Inside:
8.2 Zone DMZ:
8.3 Zone Outside:
IX. Configure policies:
9.1 Inside to Outside
9.2 Inside to WEB
9.3 Outside to WEB
Diagram:
Requirements:
+ Configure the Juniper SRX as the WAN router (running PPPoE)
+ Dynamic NAT so that Inside and DMZ can reach the Internet
+ Static NAT so that outside hosts can reach the web server over HTTP
I. Basic configuration:
1.1 Set the root password:
[TABLE="class: grid, width: 800"]
[TR]
[TD]set system root-authentication plain-text-password
New password:xxxxxx
Retype new password:xxxxxx[/TD]
[/TR]
[/TABLE]
Junos keeps only the hash of this password in the configuration (shown as encrypted-password), and a fresh SRX refuses to commit until root-authentication is set.
1.2 Set the hostname:
[TABLE="class: grid, width: 800"]
[TR]
[TD]set system host-name hcm-svuit-vsrx[/TD]
[/TR]
[/TABLE]
1.3 Set the login banner:
[TABLE="class: grid, width: 800"]
[TR]
[TD]set system login message "Welcome to SVUIT.\n Lab Juniper SRX\n"[/TD]
[/TR]
[/TABLE]
1.4 Set the time zone:
[TABLE="class: grid, width: 800"]
[TR]
[TD]set system time-zone GMT+7[/TD]
[/TR]
[/TABLE]
Note: offset-style zone names follow the POSIX convention, in which GMT+7 denotes seven hours west of (behind) UTC, so check the clock with show system uptime after the commit; the tz database name Asia/Ho_Chi_Minh (UTC+7) is unambiguous and is the safer choice. Correct time matters here because log timestamps and certificate validity checks depend on it.
1.5 Set the name servers:
[TABLE="class: grid, width: 800"]
[TR]
[TD]set system name-server 8.8.8.8
set system name-server 4.2.2.2[/TD]
[/TR]
[/TABLE]
1.6 Create an administrative user:
[TABLE="class: grid, width: 800"]
[TR]
[TD]set system login user svuit uid 2000
set system login user svuit class super-user
set system login user svuit authentication plain-text-password
New password:xxxxxx
Retype new password:xxxxxx[/TD]
[/TR]
[/TABLE]
Note: the svuit user is created with full administrative rights (the super-user class, equivalent to root). For day-to-day operation a less privileged login class (operator, read-only, or a custom class limited to the commands the job needs) is the least-privilege choice; keep the super-user account for changes that need it.
II. Enable services:
2.1 SSH, TELNET
[TABLE="class: grid, width: 800"]
[TR]
[TD]set system services ssh
set system services telnet[/TD]
[/TR]
[/TABLE]
Telnet sends the login and every keystroke in cleartext, so enable it only if a lab client really needs it and manage the device over SSH otherwise. Whether a service is actually reachable on an interface is decided by the zone's host-inbound-traffic settings in section VIII, not only by this stanza.
2.2 WEB MANAGEMENT
Allow access to web management only on interface ge-0/0/1.0 (that is, only from Inside):
[TABLE="class: grid, width: 800"]
[TR]
[TD]set system services web-management http interface ge-0/0/1.0
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/1.0
set system services web-management session idle-timeout 60[/TD]
[/TR]
[/TABLE]
The idle-timeout is in minutes. Since HTTPS is already bound to the same interface, the plaintext HTTP listener adds nothing but exposure and can be dropped. The system-generated certificate is self-signed, so browsers will warn about it; for anything beyond a lab, load a certificate issued by your own CA.
2.3 DHCP for the Inside clients:
Configure the clients on the Inside network to obtain addresses over DHCP from the Juniper SRX:
[TABLE="class: grid, width: 800"]
[TR]
[TD]set system services dhcp pool 10.1.1.0/24 address-range low 10.1.1.192 high 10.1.1.250
set system services dhcp pool 10.1.1.0/24 name-server 8.8.8.8
set system services dhcp pool 10.1.1.0/24 name-server 4.2.2.2
set system services dhcp pool 10.1.1.0/24 router 10.1.1.1[/TD]
[/TR]
[/TABLE]
The DHCP server only answers on an interface whose zone allows dhcp in host-inbound-traffic, which zone Inside does in section 8.1.
III. Assign IP addresses:
[TABLE="class: grid, width: 800"]
[TR]
[TD]set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.1/24
set interfaces ge-0/0/2 unit 0 family inet address 10.2.2.1/24[/TD]
[/TR]
[/TABLE]
Note: interface ge-0/0/0 is used for PPPoE and must not carry an IP address.
If one has already been assigned, it has to be deleted first…
IV. Configure PPPoE:
[TABLE="class: grid, width: 800"]
[TR]
[TD]set interfaces ge-0/0/0 mac aa:bb:cc:dd:ee:ff (clone the MAC address if you use FPT Internet)
set interfaces ge-0/0/0 unit 0 encapsulation ppp-over-ether
set interfaces pp0 traceoptions flag all
set interfaces pp0 unit 0 point-to-point
set interfaces pp0 unit 0 ppp-options pap default-password svuit_com
set interfaces pp0 unit 0 ppp-options pap local-password svuit_com
set interfaces pp0 unit 0 ppp-options pap local-name sgdsl-123456-123
set interfaces pp0 unit 0 ppp-options pap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/0.0
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 no-keepalives
set interfaces pp0 unit 0 family inet mtu 1492
set interfaces pp0 unit 0 family inet negotiate-address[/TD]
[/TR]
[/TABLE]
The local-name and passwords are placeholders for the account the ISP issued; PAP sends that password to the ISP unencrypted inside the PPP link, which is a property of the ISP's offering rather than of this configuration. The MTU of 1492 leaves room for the 8-byte PPPoE header. traceoptions flag all logs the full PPPoE/PPP negotiation and is meant for troubleshooting; remove it once the session comes up, and check the negotiated address with show interfaces pp0.0 terse.
V. Configure the default route:
[TABLE="class: grid, width: 800"]
[TR]
[TD]set routing-options static route 0.0.0.0/0 next-hop pp0.0 metric 0[/TD]
[/TR]
[/TABLE]
VI. Configure Dynamic NAT:
Configure dynamic NAT so that Inside and DMZ can reach the Internet. In Junos terms this is source NAT with the egress interface address (source-nat interface, i.e. PAT): every session from zone Inside or DMZ towards zone Outside leaves with the address negotiated on pp0.0.
[TABLE="class: grid, width: 800"]
[TR]
[TD]set security nat source rule-set NAT_Outside from zone Inside
set security nat source rule-set NAT_Outside from zone DMZ
set security nat source rule-set NAT_Outside to zone Outside
set security nat source rule-set NAT_Outside rule src-interface match source-address 0.0.0.0/0
set security nat source rule-set NAT_Outside rule src-interface match destination-address 0.0.0.0/0
set security nat source rule-set NAT_Outside rule src-interface then source-nat interface[/TD]
[/TR]
[/TABLE]
Source NAT is applied after the policy lookup, so the Inside-to-Outside policy in section IX matches the untranslated private addresses.
VII. Configure Static NAT:
Configure NAT so that outside hosts can reach the web server in zone DMZ over HTTP. Although the page calls this static NAT, in Junos terms it is destination NAT (port forwarding), configured under security nat destination rather than security nat static:
[TABLE="class: grid, width: 800"]
[TR]
[TD]set security nat destination pool WEBSERVER address 10.2.2.200/32 port 80
set security nat destination rule-set Web_NAT from zone Outside
set security nat destination rule-set Web_NAT rule Rule_Web_NAT match source-address 0.0.0.0/0
set security nat destination rule-set Web_NAT rule Rule_Web_NAT match destination-address 100.100.100.100/32
set security nat destination rule-set Web_NAT rule Rule_Web_NAT match destination-port 80
set security nat destination rule-set Web_NAT rule Rule_Web_NAT then destination-nat pool WEBSERVER[/TD]
[/TR]
[/TABLE]
100.100.100.100/32 stands for the public address negotiated on pp0.0; replace it with the real one (show interfaces pp0.0 terse), and remember that a PPPoE address can change on reconnect, which means the rule has to follow it. The NAT rule only rewrites the packet; the Outside-to-DMZ policy in section IX still has to permit the session.
VIII. Configure zones:
8.1 Zone Inside:
Create zone Inside, bind interface ge-0/0/1.0 to it, and allow only ping, dhcp, http, https, ssh and telnet towards the firewall itself:
[TABLE="class: grid, width: 800"]
[TR]
[TD]set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp
set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services http
set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services https
set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services telnet[/TD]
[/TR]
[/TABLE]
host-inbound-traffic governs traffic to the SRX itself (management and control plane), not traffic passing through it; transit traffic is controlled by the policies in section IX. The telnet and http entries carry the cleartext caveat from section II.
8.2 Zone DMZ:
Create zone DMZ, bind interface ge-0/0/2.0 to it, and allow only ping, http, https, ssh and telnet towards the firewall itself:
[TABLE="class: grid, width: 800"]
[TR]
[TD]set security zones security-zone DMZ interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
set security zones security-zone DMZ interfaces ge-0/0/2.0 host-inbound-traffic system-services http
set security zones security-zone DMZ interfaces ge-0/0/2.0 host-inbound-traffic system-services https
set security zones security-zone DMZ interfaces ge-0/0/2.0 host-inbound-traffic system-services ssh
set security zones security-zone DMZ interfaces ge-0/0/2.0 host-inbound-traffic system-services telnet[/TD]
[/TR]
[/TABLE]
A DMZ host rarely needs to manage the firewall; ping alone is usually enough for troubleshooting from that side, and a compromised DMZ server should not get a management listener to attack.
8.3 Zone Outside:
Create zone Outside and bind interfaces ge-0/0/0.0 and pp0.0 (the PPPoE interface) to it:
[TABLE="class: grid, width: 800"]
[TR]
[TD]set security zones security-zone Outside interfaces pp0.0
set security zones security-zone Outside interfaces ge-0/0/0.0[/TD]
[/TR]
[/TABLE]
Note: an interface can belong to only one zone, and ge-0/0/0.0 is bound to the factory-default untrust zone,
so it has to be removed from untrust before it can be bound to Outside:
delete security zones security-zone untrust interfaces ge-0/0/0.0
No host-inbound-traffic is configured on Outside, so the firewall itself accepts no management connections from the Internet. The factory untrust zone had the untrust-screen IDS profile attached (see the output below); the new Outside zone has no screen until one is configured for it.
The following zones and policies exist by default:
[TABLE="class: grid, width: 800"]
[TR]
[TD]root> show security zones
Security zone: trust
Send reset for non-SYN session TCP packets: On
Policy configurable: Yes
Interfaces bound: 0
Interfaces:
Security zone: untrust
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Screen: untrust-screen
Interfaces bound: 1
Interfaces: ge-0/0/0.0
Security zone: junos-host
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 0
Interfaces:[/TD]
[TD]root> show security policies
Default policy: deny-all
From zone: trust, To zone: trust
Policy: default-permit, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
Source addresses: any
Destination addresses: any
Applications: any
Action: permit
From zone: trust, To zone: untrust
Policy: default-permit, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
Source addresses: any
Destination addresses: any
Applications: any
Action: permit
From zone: untrust, To zone: trust
Policy: default-deny, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1
Source addresses: any
Destination addresses: any
Applications: any
Action: deny[/TD]
[/TR]
[/TABLE]
The default policy is deny-all, so any zone pair without an explicit policy (for example Outside to Inside) drops traffic.
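The management decisions in sections II and VIII (telnet and plaintext HTTP listeners, host-inbound-traffic per zone, traceoptions left on, zones without a screen profile) are easy to audit mechanically. The script below is an added example written for this page, not a Juniper tool or part of the original post: it reads a Junos configuration in set format (the output of show configuration | display set) and reports those findings with the corresponding fix. The embedded SAMPLE_CONFIG is a constructed transcript of the relevant lines from this lab; the remediation strings use only Junos statements that exist (delete of the listed stanzas, set system services ssh root-login deny, and attaching the factory untrust-screen profile).

```python
"""Static audit of a Junos 'set'-format configuration for the exposure
decisions made in sections II and VIII above (management services and
zone host-inbound-traffic).  Added example, not a Juniper tool: feed it
the output of 'show configuration | display set'."""
import re
from collections import defaultdict

# Constructed sample: the relevant lines transcribed from this lab.
SAMPLE_CONFIG = """
set system services ssh
set system services telnet
set system services web-management http interface ge-0/0/1.0
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/1.0
set interfaces pp0 traceoptions flag all
set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services http
set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services telnet
set security zones security-zone DMZ interfaces ge-0/0/2.0 host-inbound-traffic system-services telnet
set security zones security-zone Outside interfaces pp0.0
set security zones security-zone Outside interfaces ge-0/0/0.0
set security policies from-zone Inside to-zone Outside policy Inside_Outside match application any
"""

CLEARTEXT = {"telnet", "http"}  # host services that carry credentials unencrypted
HIB_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+) "
                    r"host-inbound-traffic system-services (\S+)$")
ZONE_IF_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")
ZONE_SCREEN_RE = re.compile(r"^set security zones security-zone (\S+) screen ")
TRACE_RE = re.compile(r"^set interfaces \S+ traceoptions")
POLICY_ANY_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) "
                           r"policy (\S+) match application any$")
SEVERITY = {"high": 0, "medium": 1, "low": 2, "info": 3}


def finding(severity, message, fix):
    return {"severity": severity, "message": message, "fix": fix}


def audit(config_text):
    """Return findings (dicts with severity/message/fix) sorted by severity."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip().startswith("set ")]
    out = []
    zone_ifaces, zones_with_screen = defaultdict(set), set()
    ssh_on = any(l.startswith("set system services ssh") for l in lines)
    root_denied = any("services ssh root-login deny" in l for l in lines)
    for l in lines:
        if l == "set system services telnet":
            out.append(finding("high", "telnet service enabled (credentials cross the wire in cleartext)",
                               "delete system services telnet"))
        elif l.startswith("set system services web-management http "):
            out.append(finding("medium", "J-Web over plaintext HTTP enabled",
                               "delete system services web-management http"))
        elif TRACE_RE.match(l):
            out.append(finding("low", "traceoptions left on: " + l, l.replace("set ", "delete ", 1)))
        m = HIB_RE.match(l)
        if m and m.group(3) in CLEARTEXT:
            zone, iface, svc = m.groups()
            out.append(finding("medium", f"zone {zone} accepts cleartext {svc} on {iface}",
                               f"delete security zones security-zone {zone} interfaces {iface} "
                               f"host-inbound-traffic system-services {svc}"))
        m = ZONE_IF_RE.match(l)
        if m:
            zone_ifaces[m.group(1)].add(m.group(2))
        m = ZONE_SCREEN_RE.match(l)
        if m:
            zones_with_screen.add(m.group(1))
        m = POLICY_ANY_RE.match(l)
        if m:
            out.append(finding("info", f"policy {m.group(3)} ({m.group(1)} -> {m.group(2)}) matches any application",
                               "narrow 'match application' to the junos-* applications actually needed"))
    # A zone with bound interfaces but no screen profile gets no IDS checks (SYN floods, scans, ...).
    for zone, ifaces in sorted(zone_ifaces.items()):
        if zone not in zones_with_screen:
            out.append(finding("low", f"zone {zone} ({', '.join(sorted(ifaces))}) has no screen profile",
                               f"set security zones security-zone {zone} screen untrust-screen"))
    if ssh_on and not root_denied:
        out.append(finding("medium", "SSH allows root login", "set system services ssh root-login deny"))
    return sorted(out, key=lambda f: SEVERITY[f["severity"]])


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f['severity']:6}] {f['message']}\n         fix: {f['fix']}")
```

Run it against a real export with `audit(open("config.set").read())`; the checks are line-oriented on purpose, so the script stays usable on configurations far larger than this lab.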
IX. Configure policies:
9.1 Inside to Outside
Create a policy that permits traffic from Inside to Outside (application any is acceptable for a lab; narrow it for production):
[TABLE="class: grid, width: 800"]
[TR]
[TD]set security policies from-zone Inside to-zone Outside policy Inside_Outside match source-address any
set security policies from-zone Inside to-zone Outside policy Inside_Outside match destination-address any
set security policies from-zone Inside to-zone Outside policy Inside_Outside match application any
set security policies from-zone Inside to-zone Outside policy Inside_Outside then permit[/TD]
[/TR]
[/TABLE]
9.2 Inside to WEB
Create a policy that permits HTTP and HTTPS from Inside to the DMZ:
[TABLE="class: grid, width: 800"]
[TR]
[TD]set security policies from-zone Inside to-zone DMZ policy Web_Inside_DMZ match source-address any
set security policies from-zone Inside to-zone DMZ policy Web_Inside_DMZ match destination-address any
set security policies from-zone Inside to-zone DMZ policy Web_Inside_DMZ match application junos-http
set security policies from-zone Inside to-zone DMZ policy Web_Inside_DMZ match application junos-https
set security policies from-zone Inside to-zone DMZ policy Web_Inside_DMZ then permit[/TD]
[/TR]
[/TABLE]
9.3 Outside to WEB
Create a policy that permits HTTP and HTTPS from Outside to the web server in the DMZ:
[TABLE="class: grid, width: 800"]
[TR]
[TD]set security policies from-zone Outside to-zone DMZ policy Web_Outside_DMZ match source-address any
set security policies from-zone Outside to-zone DMZ policy Web_Outside_DMZ match destination-address any
set security policies from-zone Outside to-zone DMZ policy Web_Outside_DMZ match application junos-http
set security policies from-zone Outside to-zone DMZ policy Web_Outside_DMZ match application junos-https
set security policies from-zone Outside to-zone DMZ policy Web_Outside_DMZ then permit[/TD]
[/TR]
[/TABLE]
The policy lookup happens after destination NAT, so this policy sees the translated address 10.2.2.200, not 100.100.100.100; destination-address any therefore works, but an address-book entry for 10.2.2.200 would limit the permit to the web server alone instead of every DMZ host. Only HTTP and HTTPS are permitted, so the section VII NAT rule for port 80 and this policy together expose exactly one service. Commit the configuration and verify with show security flow session (active sessions), show security nat destination rule all and show security policies hit-count.
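Sections VI, VII and IX only make sense together once the order of operations is clear: destination NAT first, then the route lookup on the translated address that determines the to-zone, then the zone-pair policy, and source NAT only for sessions that were permitted. The model below is an added example written for this page, not Juniper code or output from a device: it encodes the lab's interfaces, routes, NAT rules and policies as data (the topology is transcribed from the page, the public address 100.100.100.100 is the page's placeholder) and walks a first packet through that pipeline. Source addresses are accepted but not evaluated, because every rule on the page matches source-address any or 0.0.0.0/0.

```python
"""Toy model of how the SRX handles the first packet of a session with the
NAT rules and policies from this lab: destination NAT first, then a route
lookup on the translated address to find the to-zone, then the zone-pair
policy, and source NAT only for permitted sessions.  Added example; the
topology and rules are transcribed from the page, not exported from a device."""
import ipaddress

IFACE_ZONE = {"ge-0/0/1.0": "Inside", "ge-0/0/2.0": "DMZ",
              "ge-0/0/0.0": "Outside", "pp0.0": "Outside"}
ROUTES = [("10.1.1.0/24", "ge-0/0/1.0"),   # (prefix, egress interface)
          ("10.2.2.0/24", "ge-0/0/2.0"),
          ("0.0.0.0/0", "pp0.0")]           # default route via PPPoE
APPS = {"junos-http": ("tcp", 80), "junos-https": ("tcp", 443)}
WAN_IP = "100.100.100.100"                  # placeholder public address, as on the page
# security nat destination: rule-set Web_NAT from zone Outside -> pool WEBSERVER
DNAT_RULES = [{"from": "Outside", "dst": WAN_IP + "/32", "dport": 80,
               "pool": ("10.2.2.200", 80)}]
# security nat source: rule-set NAT_Outside, Inside/DMZ -> Outside, source-nat interface
SNAT = {"from": {"Inside", "DMZ"}, "to": "Outside"}
# security policies: (from-zone, to-zone) -> ordered (name, applications, action)
POLICIES = {
    ("Inside", "Outside"): [("Inside_Outside", "any", "permit")],
    ("Inside", "DMZ"): [("Web_Inside_DMZ", {"junos-http", "junos-https"}, "permit")],
    ("Outside", "DMZ"): [("Web_Outside_DMZ", {"junos-http", "junos-https"}, "permit")],
}


def egress_interface(dst):
    """Longest-prefix match over ROUTES."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1]


def app_matches(apps, proto, dport):
    return apps == "any" or any(APPS[a] == (proto, dport) for a in apps)


def process(from_zone, src, dst, proto, dport):
    """Verdict for the first packet: which NAT applied, to-zone, policy, action.
    src is carried for readability only; no rule on the page filters on it."""
    verdict = {"src": src, "dnat": None, "to_zone": None, "policy": None,
               "action": "deny", "snat": None}
    # 1. Destination NAT runs before the route and policy lookups.
    for rule in DNAT_RULES:
        if (rule["from"] == from_zone and dport == rule["dport"]
                and ipaddress.ip_address(dst) in ipaddress.ip_network(rule["dst"])):
            dst, dport = rule["pool"]
            verdict["dnat"] = f"{dst}:{dport}"
            break
    # 2. The to-zone comes from the route lookup on the (translated) destination.
    to_zone = IFACE_ZONE[egress_interface(dst)]
    verdict["to_zone"] = to_zone
    # 3. First matching policy for the zone pair wins; otherwise the default deny-all.
    for name, apps, action in POLICIES.get((from_zone, to_zone), []):
        if app_matches(apps, proto, dport):
            verdict["policy"], verdict["action"] = name, action
            break
    # 4. Source NAT is applied to permitted sessions only.
    if verdict["action"] == "permit" and from_zone in SNAT["from"] and to_zone == SNAT["to"]:
        verdict["snat"] = "interface (address negotiated on pp0.0)"
    return verdict


if __name__ == "__main__":
    for pkt in [("Outside", "203.0.113.9", WAN_IP, "tcp", 80),        # port-forward to the web server
                ("Outside", "203.0.113.9", "10.2.2.200", "tcp", 22),  # ssh towards DMZ: no policy for it
                ("Inside", "10.1.1.200", "8.8.8.8", "udp", 53),       # Internet access, interface NAT
                ("Inside", "10.1.1.200", "10.2.2.200", "tcp", 22)]:   # Inside -> DMZ ssh not allowed
        print(pkt, "->", process(*pkt))
```

The second case is the one worth studying: a packet that already carries the DMZ address arrives from Outside untouched by NAT, lands in the Outside-to-DMZ zone pair and is stopped only because the policy lists junos-http and junos-https rather than any, which is why the application match in 9.3 should stay narrow even though destination-address is any.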