[Experience sharing] Juniper SRX basic configuration (command line)

[复制链接]

尚未签到

Posted 2018-7-27 12:27:56
  Outline:
  set interfaces ...              (interface addressing; a full sample is in the last section)
  set routing-options static ...  (static routes, including the default route)
  Change the initial root password:
  set system root-authentication plain-text-password   (press Enter, then type the password twice at the prompts)
  New password:
  retype new password:

  set system login user admin class super-user
  set system login user admin authentication plain-text-password   (press Enter, then type the password)
  Junos requires a login class on every user before the commit is accepted; super-user is the built-in full-rights class, so use a narrower class for day-to-day admin accounts where you can.
  set system services ssh
  Allowed inbound management services per zone (one service per set statement; Junos does not accept "ssh/ping" on one line):
  set security zones security-zone untrust host-inbound-traffic system-services ssh
  set security zones security-zone untrust host-inbound-traffic system-services ping
  set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
  set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
  set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
  set security zones security-zone trust host-inbound-traffic system-services ssh
  set security zones security-zone trust host-inbound-traffic system-services telnet
  set security zones security-zone trust host-inbound-traffic system-services ping
  set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
  set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services telnet
  set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
  The zone-level statement already applies to every interface in the zone, so the interface-level lines are only needed when one interface should differ. Telnet is cleartext: leave it out of the untrust zone (ideally everywhere) and use SSH only. A service listed here is only reachable if it is also enabled under system services.
  Bind the logical interfaces to zones (NAT cannot be configured until the interface is in a zone; the zone takes the logical unit, ge-0/0/0.0, not the physical ge-0/0/0):
  set security zones security-zone untrust interfaces ge-0/0/0.0
  set security zones security-zone trust interfaces ge-0/0/1.0
  ###### set security zones security-zone trust interfaces ge-0/0/1 ???   (duplicate of the line above with the unit missing)
  ###### set interfaces interface-range interfaces-trust member ge-0/0/1 ????   (this is the factory-default interface-range that the default trust zone refers to; it is not needed when interfaces are placed in zones individually)
  Source NAT using the egress interface address (inside to outside; the post's heading says static NAT, but this is interface-based source NAT, and static NAT is covered further down):
  set security nat source rule-set interface-nat from zone trust
  set security nat source rule-set interface-nat to zone untrust
  set security nat source rule-set interface-nat rule rule1 match source-address 192.168.0.0/23
  set security nat source rule-set interface-nat rule rule1 match destination-address 0.0.0.0/0
  set security nat source rule-set interface-nat rule rule1 then source-nat interface
  set security zones security-zone trust address-book address 192 192.168.0.0/23
  set security zones security-zone trust address-book address-set 192nat address 192
  set security policies from-zone trust to-zone untrust policy 192nat match source-address any
  set security policies from-zone trust to-zone untrust policy 192nat match destination-address any
  set security policies from-zone trust to-zone untrust policy 192nat match application any
  set security policies from-zone trust to-zone untrust policy 192nat then permit
  The address-set 192nat is defined but never used: the policy matches source-address any, so every trust host is permitted out, not only 192.168.0.0/23. Use match source-address 192nat if the permit is meant to be limited to that subnet. NAT rules and security policies are evaluated independently: the NAT rule decides the translation, the policy decides whether the flow is allowed at all.
  Force 172.16.0.12 out through a fixed public address from a pool (by default it leaves with the physical interface address, .146 in the post's setup; the post names .150 as the intended address but the pool below is configured with .112, so check which public address you mean before committing):
  set security nat source pool pool-1 address 121.9.255.112
  set security nat source rule-set sou-nat rule rule-mail match source-address 172.16.0.12/32
  set security nat source rule-set sou-nat rule rule-mail match destination-address 0.0.0.0/0
  set security nat source rule-set sou-nat rule rule-mail then source-nat pool pool-1
  insert security nat source rule-set sou-nat rule rule-mail before rule rule-sou
  Source NAT rules within a rule-set are evaluated top to bottom, first match wins, and a new rule is appended at the bottom. Without the insert, the catch-all rule-sou (0.0.0.0/0, source-nat interface, defined in the last section of this post) would match first and the pool would never be used. The rule-set's from zone trust / to zone untrust statements are shown in a later block.
  ##########################################################
  Port forwarding (destination NAT / static PAT), outside to inside:
  set security nat proxy-arp interface ge-0/0/0.0 address 10.1.1.100/32
  set security nat proxy-arp interface ge-0/0/3.0 address 10.1.2.100/32
  Proxy ARP must cover only the public addresses the SRX does not own itself (a /32, or an explicit address range). A /24 here would make the firewall answer ARP for every address on the outside subnet and can hijack traffic meant for other hosts on that segment.
  set security nat destination pool dnat-pool-1 address 192.168.0.9/32
  set security nat destination pool dnat-pool-2 address 172.16.0.12/32
  set security nat destination rule-set dst-nat from zone untrust
  set security nat destination rule-set dst-nat rule rule3 match destination-address 10.1.1.100/32
  set security nat destination rule-set dst-nat rule rule3 match destination-port 21
  set security nat destination rule-set dst-nat rule rule3 then destination-nat pool dnat-pool-1
  set security nat destination rule-set dst-nat rule rule2 match destination-address 10.1.2.100/32
  set security nat destination rule-set dst-nat rule rule2 match destination-port 443
  set security nat destination rule-set dst-nat rule rule2 then destination-nat pool dnat-pool-2
  The match destination-address is also a host prefix (/32); a /24 would redirect port 21 or 443 for the whole subnet. Because the pools carry no port, the destination port is kept as is (21 to the FTP server, 443 to the mail server).
  set security zones security-zone trust address-book address ftpserver 192.168.0.9
  set security zones security-zone trust address-book address mailserver 172.16.0.12
  set security zones security-zone trust address-book address-set servergroup address ftpserver
  set security zones security-zone trust address-book address-set servergroup address mailserver
  set applications application 443 protocol tcp
  set applications application 443 destination-port 443
  set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address servergroup
  set security policies from-zone untrust to-zone trust policy static-nat match application junos-ftp
  set security policies from-zone untrust to-zone trust policy static-nat match application 443
  set security policies from-zone untrust to-zone trust policy static-nat then permit
  The policy is evaluated after destination NAT, so it matches the translated private addresses (hence servergroup from the trust address book) and the forwarded ports: TCP/21 is the predefined junos-ftp, TCP/443 is the custom application 443, which has to be defined before the policy references it. Permitting junos-http or junos-pop3 here would not match either forwarded flow.
  ##############################################################
  set security nat source rule-set sou-nat from zone trust
  set security nat source rule-set sou-nat to zone untrust
  set security nat source rule-set sou-nat rule rule-mail match source-address 172.16.0.30/32
  set security nat source rule-set sou-nat rule rule-mail match destination-address 0.0.0.0/0
  set security nat source rule-set sou-nat rule rule-mail then source-nat pool pool-1
  ##############################################################
  Management ports (J-Web):
  set system services web-management https
  set system services web-management http
  set system services web-management http port 8084
  set system services web-management http interface all
  set system services web-management https system-generated-certificate
  set system services web-management http interface ge-0/0/0.0
  set system services web-management https interface ge-0/0/0.0
  Caveat: http is cleartext and interface all includes the untrust interface, so the combination above offers the management UI, and the admin password, to the internet. For production keep https only, bind it to the trust-side interface (ge-0/0/1.0 here) and allow https in that zone's host-inbound-traffic only. Moving http to port 8084 does not protect it.
  ###########################################################################
  Define the application set XXX_group (mail ports grouped under one name):
  set applications application smtp_25 destination-port 25 protocol tcp
  set applications application pop3_110 destination-port 110 protocol tcp
  set applications application exchange_135 destination-port 135 protocol tcp
  set applications application smtp_465 destination-port 465 protocol tcp
  set applications application imap_993 destination-port 993 protocol tcp
  set applications application pop3_995 destination-port 995 protocol tcp
  set applications application-set XXX_group application smtp_25
  set applications application-set XXX_group application pop3_110
  set applications application-set XXX_group application exchange_135
  set applications application-set XXX_group application smtp_465
  set applications application-set XXX_group application imap_993
  set applications application-set XXX_group application pop3_995
  An application-set may only reference applications that exist. The bare names smtp and pop3 do not (the predefined ones are junos-smtp and junos-pop3), so the set references the custom applications defined above; keep one set name throughout (XXX_group) rather than mixing it with mail_port_group.
  Reference XXX_group in a policy:
  set security policies from-zone untrust to-zone trust policy mail-policy match application XXX_group
  ##############################################################################
  Reverse static NAT (outside to inside, one public address mapped 1:1 to one inside host):
  set security nat static rule-set mail-static-nat from zone untrust
  set security nat static rule-set mail-static-nat rule mail1 match destination-address 121.9.255.150/32
  set security nat static rule-set mail-static-nat rule mail1 then static-nat prefix 172.16.0.12/32
  Static NAT is bidirectional: inbound traffic to 121.9.255.150 is translated to 172.16.0.12 and that host's outbound traffic is translated back to .150, so the source pool rule above is not needed for it. Add proxy-arp for 121.9.255.150/32 on the outside interface if it is not the interface's own address.
  Corresponding security policy (evaluated after NAT, so it matches the private address):
  set security zones security-zone trust address-book address Mail_ser 172.16.0.12/32
  set security policies from-zone untrust to-zone trust policy mail-policy match source-address any
  set security policies from-zone untrust to-zone trust policy mail-policy match destination-address Mail_ser
  set security policies from-zone untrust to-zone trust policy mail-policy match application XXX_group
  set security policies from-zone untrust to-zone trust policy mail-policy then permit
  The post writes the application as any (XXX_group): any permits every port to the mail server, XXX_group limits it to the mail ports defined above. Mail_ser must exist in the trust address book or the commit fails; the post does not show its definition, so the address line above defines it as the translated address 172.16.0.12.
  Inserting a policy (insert):
  set security zones security-zone trust address-book address deny_172 172.16.0.155
  set security policies from-zone trust to-zone untrust policy deny_172 match source-address deny_172
  set security policies from-zone trust to-zone untrust policy deny_172 match destination-address any
  set security policies from-zone trust to-zone untrust policy deny_172 match application any
  set security policies from-zone trust to-zone untrust policy deny_172 then deny
  insert security policies from-zone trust to-zone untrust policy deny_172 before policy Trust2Utrust   (Trust2Utrust is the existing policy that allows internet access)
  Security policies are matched top to bottom and a new policy is appended at the bottom, so a deny added after an any/any permit never fires unless it is moved up. Check the resulting order with show security policies from-zone trust to-zone untrust before committing.
  #####################################################
  Block the 192 subnet from the internet, allowing only 192.168.0.2 and 192.168.0.121:
  set security zones security-zone trust address-book address deny_192 192.168.0.0/23
  set security zones security-zone trust address-book address permit_host_2 192.168.0.2/32
  set security zones security-zone trust address-book address permit_host_121 192.168.0.121/32
  set security zones security-zone trust address-book address-set permit_192_online address FTP_ser
  set security zones security-zone trust address-book address-set permit_192_online address permit_host_2
  set security zones security-zone trust address-book address-set permit_192_online address permit_host_121
  set security zones security-zone trust address-book address-set deny_192_online address deny_192
  FTP_ser is referenced but not defined anywhere in the post; an address-set can only contain existing address-book entries, so define it (or drop that line) before committing.
  Corresponding security policies (the permit for the two hosts must sit above the subnet deny; both are inserted ahead of deny_172 below, permit first):
  set security policies from-zone trust to-zone untrust policy permit_192_online match source-address permit_192_online
  set security policies from-zone trust to-zone untrust policy permit_192_online match destination-address any
  set security policies from-zone trust to-zone untrust policy permit_192_online match application any
  set security policies from-zone trust to-zone untrust policy permit_192_online then permit
  set security policies from-zone trust to-zone untrust policy deny_192_online match source-address deny_192_online
  set security policies from-zone trust to-zone untrust policy deny_192_online match destination-address any
  set security policies from-zone trust to-zone untrust policy deny_192_online match application any
  set security policies from-zone trust to-zone untrust policy deny_192_online then deny
  insert security policies from-zone trust to-zone untrust policy permit_192_online before policy deny_172
  insert security policies from-zone trust to-zone untrust policy deny_192_online before policy deny_172
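  The insert statements in this section and in the deny_172 section above work because the SRX evaluates the policies of a zone pair top to bottom and stops at the first match, exactly as source NAT rules within a rule-set do (the insert before rule-sou earlier). The Python below is an added example, not part of the original post: it parses the post's own set and insert lines into the ordered list the SRX keeps, applies the inserts, and looks up constructed flows. Assumptions: Trust2Utrust is an any/any/any permit (the post only names it), the undefined FTP_ser member is left out, and 8.8.8.8 is a stand-in internet destination.

```python
"""Junos SRX security-policy ordering: first match wins (added example)."""
import ipaddress
import shlex
from collections import defaultdict

# Constructed input: the post's lines in the order they are typed. The undefined
# FTP_ser member is omitted (commit would reject it); Trust2Utrust's body is an
# assumption, the post only names the policy.
CONFIG = """
set security zones security-zone trust address-book address deny_172 172.16.0.155
set security zones security-zone trust address-book address deny_192 192.168.0.0/23
set security zones security-zone trust address-book address permit_host_2 192.168.0.2/32
set security zones security-zone trust address-book address permit_host_121 192.168.0.121/32
set security zones security-zone trust address-book address-set permit_192_online address permit_host_2
set security zones security-zone trust address-book address-set permit_192_online address permit_host_121
set security zones security-zone trust address-book address-set deny_192_online address deny_192
set security policies from-zone trust to-zone untrust policy Trust2Utrust match source-address any destination-address any application any
set security policies from-zone trust to-zone untrust policy Trust2Utrust then permit
set security policies from-zone trust to-zone untrust policy deny_172 match source-address deny_172 destination-address any application any
set security policies from-zone trust to-zone untrust policy deny_172 then deny
insert security policies from-zone trust to-zone untrust policy deny_172 before policy Trust2Utrust
set security policies from-zone trust to-zone untrust policy permit_192_online match source-address permit_192_online destination-address any application any
set security policies from-zone trust to-zone untrust policy permit_192_online then permit
set security policies from-zone trust to-zone untrust policy deny_192_online match source-address deny_192_online destination-address any application any
set security policies from-zone trust to-zone untrust policy deny_192_online then deny
insert security policies from-zone trust to-zone untrust policy permit_192_online before policy deny_172
insert security policies from-zone trust to-zone untrust policy deny_192_online before policy deny_172
"""
# Same config without the inserts: each new policy then simply lands at the bottom.
CONFIG_WITHOUT_INSERTS = "\n".join(
    l for l in CONFIG.splitlines() if not l.startswith("insert"))


def parse(config_text):
    """Return (addresses, sets, policies); policies[(from, to)] is in lookup order."""
    addresses, sets, policies = {}, defaultdict(list), defaultdict(list)
    for raw in config_text.splitlines():
        t = shlex.split(raw)
        if not t:
            continue
        if t[:4] == ["set", "security", "zones", "security-zone"] and len(t) > 6 and t[5] == "address-book":
            if t[6] == "address":                 # ... address NAME PREFIX
                addresses[t[7]] = ipaddress.ip_network(t[8], strict=False)
            else:                                  # ... address-set SET address NAME
                sets[t[7]].append(t[9])
        elif t[:3] in (["set", "security", "policies"], ["insert", "security", "policies"]):
            plist, name = policies[(t[4], t[6])], t[8]
            if t[0] == "insert":                   # ... policy P before policy Q
                moving = next(p for p in plist if p["name"] == name)
                plist.remove(moving)
                plist.insert(next(i for i, p in enumerate(plist) if p["name"] == t[11]), moving)
                continue
            entry = next((p for p in plist if p["name"] == name), None)
            if entry is None:                      # first mention appends at the bottom
                entry = {"name": name, "src": [], "dst": [], "app": [], "action": None}
                plist.append(entry)
            if t[9] == "match":                    # key/value pairs: source-address X ...
                keys = {"source-address": "src", "destination-address": "dst", "application": "app"}
                for k, v in zip(t[10::2], t[11::2]):
                    entry[keys[k]].append(v)
            elif t[9] == "then":
                entry["action"] = t[10]
    return addresses, sets, policies


def _networks(name, addresses, sets):
    """Resolve an address or (possibly nested) address-set name to networks."""
    if name in addresses:
        return [addresses[name]]
    return [n for m in sets.get(name, []) for n in _networks(m, addresses, sets)]


def _addr_match(names, ip, addresses, sets):
    return "any" in names or any(
        ipaddress.ip_address(ip) in n for name in names for n in _networks(name, addresses, sets))


def order(parsed, from_zone, to_zone):
    """Policy names in the order the SRX evaluates them for this zone pair."""
    return [p["name"] for p in parsed[2].get((from_zone, to_zone), [])]


def lookup(parsed, from_zone, to_zone, src, dst, app):
    """First-match lookup; a flow matching nothing hits the implicit default deny."""
    addresses, sets, policies = parsed
    for p in policies.get((from_zone, to_zone), []):
        if (_addr_match(p["src"], src, addresses, sets)
                and _addr_match(p["dst"], dst, addresses, sets)
                and ("any" in p["app"] or app in p["app"])):
            return p["name"], p["action"]
    return "default-policy", "deny"


if __name__ == "__main__":
    for cfg in (CONFIG, CONFIG_WITHOUT_INSERTS):
        parsed = parse(cfg)
        print("order:", order(parsed, "trust", "untrust"))
        for host in ("192.168.0.2", "192.168.0.50", "172.16.0.155", "172.16.0.30"):
            print(f"  {host:14} -> {lookup(parsed, 'trust', 'untrust', host, '8.8.8.8', 'junos-http')}")
```

  With the inserts the order is permit_192_online, deny_192_online, deny_172, Trust2Utrust and the two hosts are permitted while the rest of 192.168.0.0/23 and 172.16.0.155 are denied; without them every new policy sits below the any/any permit and never matches.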
  ###########################################################################
  Configure web management (a complete minimal sample):
  set system host-name Test
  set system root-authentication encrypted-password "$1$XKPZUqwc$/WdxM1Cc1GAB8gJ0nNCOt."
  set system name-server 202.96.128.166
  set system name-server 202.96.128.86
  set system login user admin uid 2001
  set system login user admin class super-user
  set system login user admin authentication encrypted-password HJuZerSULPfkA
  Pasting encrypted-password lines from a post reuses someone else's hash; set your own with plain-text-password instead. The $1$ hash is MD5-crypt; on releases that support it, set system login password format sha512 before creating users.
  set system services ssh
  set system services web-management http port 8084
  set system services web-management http interface all
  set system services web-management http interface ge-0/0/0.0
  set system services web-management https system-generated-certificate
  set system services web-management https interface ge-0/0/0.0
  set interfaces ge-0/0/0 unit 0 family inet address 192.168.8.125/24
  set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
  set security zones security-zone untrust host-inbound-traffic system-services http
  set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
  ###########################################################################
  Open all host-inbound services on untrust (lab shortcut only: system-services all accepts every management and control-plane service, SSH, telnet, J-Web, SNMP, DHCP and so on, on the internet-facing interface; in a real deployment list only the services you need, as in the first section):
  set security zones security-zone untrust interfaces ge-0/0/0.0
  set security zones security-zone untrust host-inbound-traffic system-services all
  set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
  set security zones security-zone trust interfaces ge-0/0/1.0
  set security zones security-zone trust host-inbound-traffic system-services all
  set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
  Default route + catch-all source NAT (rule-set sou-nat, interface address):
  set routing-options static route 0.0.0.0/0 next-hop 192.168.8.1
  set security nat source rule-set sou-nat from zone trust
  set security nat source rule-set sou-nat to zone untrust
  set security nat source rule-set sou-nat rule rule-sou match source-address 0.0.0.0/0
  set security nat source rule-set sou-nat rule rule-sou match destination-address 0.0.0.0/0
  set security nat source rule-set sou-nat rule rule-sou then source-nat interface
  Policy allowing inside to outside:
  set security policies from-zone trust to-zone untrust policy in_out match source-address any
  set security policies from-zone trust to-zone untrust policy in_out match destination-address any
  set security policies from-zone trust to-zone untrust policy in_out match application any
  set security policies from-zone trust to-zone untrust policy in_out then permit
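  The samples in this post are fine for a lab, but several lines (system-services all on untrust, telnet, http J-Web on interface all, /24 proxy-arp and DNAT matches) should not reach production. The Python below is an added example, not from the post: a small linter over Junos set-format text that flags those patterns, run against a constructed sample that reproduces the post's risky lines and against an assumed hardened variant. The check identifiers are invented for this example; interface names and addresses come from the post.

```python
"""Audit a Junos SRX set-format config for the exposure pitfalls in this post (added example)."""
import ipaddress
import shlex

# Constructed sample reproducing the risky lines from the sections above.
WEAK_CONFIG = """
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone trust host-inbound-traffic system-services telnet
set system services web-management http port 8084
set system services web-management http interface all
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/0.0
set security nat proxy-arp interface ge-0/0/0.0 address 10.1.1.100/24
set security nat destination rule-set dst-nat from zone untrust
set security nat destination rule-set dst-nat rule rule3 match destination-address 10.1.1.100/24
set security nat destination rule-set dst-nat rule rule3 match destination-port 21
"""

# Assumed hardened variant: SSH/HTTPS on the trust side only, ping on untrust,
# host prefixes for proxy-arp and the DNAT match.
HARDENED_CONFIG = """
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services https
set system services ssh
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/1.0
set security nat proxy-arp interface ge-0/0/0.0 address 10.1.1.100/32
set security nat destination rule-set dst-nat from zone untrust
set security nat destination rule-set dst-nat rule rule3 match destination-address 10.1.1.100/32
set security nat destination rule-set dst-nat rule rule3 match destination-port 21
"""


def _wide(prefix):
    """True when a prefix covers more than a single host address."""
    net = ipaddress.ip_network(prefix, strict=False)
    return net.prefixlen < net.max_prefixlen


def audit(config_text):
    """Return [(check_id, offending line), ...]; an empty list means no finding."""
    lines = [shlex.split(l) for l in config_text.splitlines() if l.strip()]
    # Pass 1: zone membership of each logical interface (needed for J-Web binding).
    zone_of = {}
    for t in lines:
        if t[:4] == ["set", "security", "zones", "security-zone"] and len(t) > 6 and t[5] == "interfaces":
            zone_of[t[6]] = t[4]
    findings = []
    for t in lines:
        line = " ".join(t)
        if t[:4] == ["set", "security", "zones", "security-zone"] and "system-services" in t:
            zone, svc = t[4], t[t.index("system-services") + 1]
            if svc == "all" and zone == "untrust":          # every service open to the internet side
                findings.append(("untrust-all-services", line))
            if svc == "telnet":                              # cleartext management, any zone
                findings.append(("telnet-enabled", line))
            if svc == "http" and zone == "untrust":          # cleartext J-Web reachable from outside
                findings.append(("cleartext-jweb-untrust", line))
        elif t[:4] == ["set", "system", "services", "web-management"]:
            if t[4] == "http":                               # J-Web over cleartext at all
                findings.append(("cleartext-jweb", line))
            if "interface" in t:                             # J-Web bound to all / an untrust interface
                iface = t[t.index("interface") + 1]
                if iface == "all" or zone_of.get(iface) == "untrust":
                    findings.append(("jweb-on-untrust", line))
        elif t[:4] == ["set", "security", "nat", "proxy-arp"] and "address" in t and "to" not in t:
            if _wide(t[t.index("address") + 1]):             # answers ARP for a whole subnet
                findings.append(("proxy-arp-wide", line))
        elif t[:4] == ["set", "security", "nat", "destination"] and "match" in t:
            key, value = t[t.index("match") + 1], t[t.index("match") + 2]
            if key == "destination-address" and _wide(value):   # forwards a port for a whole subnet
                findings.append(("dnat-match-wide", line))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for check, line in audit(cfg):
            print(f"  [{check}] {line}")
```

  The linter deliberately does not flag SSH or ping on untrust; whether remote SSH management from the internet is acceptable depends on the site, while the patterns it does flag are wrong in any production deployment.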

Source: https://www.yunweiku.com/thread-542074-1-1.html