The devices are an SSG5 and an SRX100; the SSG5 commands are used as the reference for the corresponding SRX commands.
The SSG5 acts as the hub and the SRX100 as the branch. Because the branch may not be able to connect from a fixed IP address, a route-based IPsec VPN in aggressive mode is built, and the branch device is authenticated by its local-id.
On the SSG5, ports 0/0 and 0/1 are both assigned as WAN ports, redundant to each other.
On the SRX100, ports 0/0 and 0/1 are both assigned as WAN ports, redundant to each other.
SSG5 configuration:
Configure the admin username, password and HTTP management port:
set admin name
set admin password admin
set admin port 8080
Set bgroup0 (the LAN interface) to the trust zone:
set interface bgroup0 zone trust
Set bgroup3 (the WAN interface) to the untrust zone:
set interface bgroup3 zone untrust
Set the virtual tunnel interface tunnel.9 to the trust zone:
set interface tunnel.9 zone trust
Assign physical ports 0/0 and 0/1 to group bgroup3:
set interface bgroup3 port ethernet0/0
set interface bgroup3 port ethernet0/1
Assign physical ports 0/2 to 0/6 to group bgroup0:
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
Configure the LAN and WAN interface IP addresses and the default gateway, and configure NAT (bgroup0 in NAT mode, bgroup3 in route mode):
set interface bgroup0 ip 10.0.0.1/24
set interface bgroup0 nat
set interface bgroup3 ip 1.1.1.2/24
set interface bgroup3 route
set interface bgroup3 gateway 1.1.1.1
Give the virtual interface tunnel.9 the same IP address as the LAN interface (unnumbered):
set interface tunnel.9 ip unnumbered interface bgroup0
Enable DNS proxying on the LAN interface:
set interface bgroup0 proxy dns
set dns proxy
set dns proxy enable
Make the LAN and WAN interfaces manageable:
set interface bgroup0 ip manageable
set interface bgroup3 ip manageable
set interface bgroup3 manage ping
set interface bgroup3 manage telnet
set interface bgroup3 manage web
Enable DHCP on the LAN interface:
set interface bgroup0 dhcp server service
set interface bgroup0 dhcp server auto
set interface bgroup0 dhcp server option gateway 10.0.0.1
set interface bgroup0 dhcp server option netmask 255.255.255.0
set interface bgroup0 dhcp server option center
set interface bgroup0 dhcp server option dns1 10.0.0.1
set interface bgroup0 dhcp server ip 10.0.0.21 to 10.0.0.181
unset interface bgroup0 dhcp server config next-server-ip
Set the hostname:
set hostname 10
Configure DNS:
set dns host dns1 219.141.136.10
First configure phase 1: set the local ID name to "2SRX", restrict the branch name allowed to connect to 2center, and
…… 2208 characters omitted here ……
set security policies from-zone trust to-zone trust policy t-t match source-address any destination-address any application any
set security policies from-zone trust to-zone trust policy t-t then permit
Configure a security policy allowing the trust zone to reach the untrust zone:
set security policies from-zone trust to-zone untrust policy t-u match source-address any destination-address any application any
set security policies from-zone trust to-zone untrust policy t-u then permit
Create the virtual interface st0.9 and place it in the trust zone:
set interfaces st0 unit 9 family inet
set security zones security-zone trust interfaces st0.9
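Two points in the configuration above deserve a review before deployment: the SSG5 enables telnet and web (HTTP) management on the untrust interface bgroup3, both of which carry credentials in cleartext, and the SRX policies match any source, any destination and any application. The following audit script is an added example, not part of the original page or of either vendor's tooling; it parses the page's set-commands (embedded here as a constructed sample) and reports those two findings so they can be checked mechanically on any similar configuration.

```python
import re

# Constructed sample: the ScreenOS (SSG5) set-commands from this page.
SSG5_CONFIG = """
set interface bgroup0 zone trust
set interface bgroup3 zone untrust
set interface tunnel.9 zone trust
set interface bgroup0 ip manageable
set interface bgroup3 ip manageable
set interface bgroup3 manage ping
set interface bgroup3 manage telnet
set interface bgroup3 manage web
"""

# Constructed sample: the Junos (SRX100) policy set-commands from this page.
SRX_CONFIG = """
set security policies from-zone trust to-zone trust policy t-t match source-address any destination-address any application any
set security policies from-zone trust to-zone trust policy t-t then permit
set security policies from-zone trust to-zone untrust policy t-u match source-address any destination-address any application any
set security policies from-zone trust to-zone untrust policy t-u then permit
"""

# Management services that send credentials in cleartext.
CLEARTEXT_MGMT = {"telnet", "web"}


def screenos_findings(config):
    """Return (interface, service) pairs where a cleartext management
    service is enabled on an interface bound to the untrust zone."""
    zones = {}
    for line in config.splitlines():
        m = re.match(r"set interface (\S+) zone (\S+)", line)
        if m:
            zones[m.group(1)] = m.group(2)
    findings = []
    for line in config.splitlines():
        m = re.match(r"set interface (\S+) manage (\S+)", line)
        if m and zones.get(m.group(1)) == "untrust" and m.group(2) in CLEARTEXT_MGMT:
            findings.append((m.group(1), m.group(2)))
    return findings


def junos_findings(config):
    """Return (policy, from-zone, to-zone) for policies whose match term is
    any source, any destination and any application."""
    pat = re.compile(r"set security policies from-zone (\S+) to-zone (\S+) policy (\S+) match (.*)")
    findings = []
    for line in config.splitlines():
        m = pat.match(line)
        if m and "source-address any destination-address any application any" in m.group(4):
            findings.append((m.group(3), m.group(1), m.group(2)))
    return findings
```

Running it on the samples lists telnet and web on bgroup3 and the two any/any/any policies t-t and t-u; the trust-to-trust one is usual for an intra-zone policy, the trust-to-untrust one is the one to scope down.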