Published 2024-02-19 (author: )
Juniper SRX Firewall Virtual Router Configuration Examples
Example topology diagram:
Part 1: Virtual router (replies leave through the interface the traffic arrived on)
Requirements:
External users connect to TCP port 3389 on the firewall's external interfaces; the traffic is destination-NATed to the internal server 192.168.3.5:3389 and the replies return along the same path;
Permit all external users to port 3389 of host 192.168.3.5; (dual-ISP uplink)
Configuration:
set routing-instances Tel instance-type virtual-router
set routing-instances Tel interface ge-0/0/4.0
set routing-instances Tel routing-options interface-routes rib-group inet Big-rib
set routing-instances Tel routing-options static route 0.0.0.0/0 next-hop 192.168.4.2
set routing-instances CNC instance-type virtual-router
set routing-instances CNC interface ge-0/0/5.0
set routing-instances CNC routing-options interface-routes rib-group inet Big-rib
set routing-instances CNC routing-options static route 0.0.0.0/0 next-hop 192.168.5.2
set interfaces ge-0/0/3 unit 0 family inet address 192.168.3.1/24
set interfaces ge-0/0/4 unit 0 family inet address 192.168.4.1/24
set interfaces ge-0/0/5 unit 0 family inet address 192.168.5.1/24
set interfaces ge-0/0/6 unit 0 family inet address 10.10.30.189/24
set routing-options interface-routes rib-group inet Big-rib
set routing-options static route 10.0.0.0/8 next-hop 10.10.30.1
set routing-options static route 0.0.0.0/0 next-hop 192.168.4.2
set routing-options static route 0.0.0.0/0 install
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options rib-groups Big-rib import-rib inet.0
set routing-options rib-groups Big-rib import-rib Tel.inet.0
set routing-options rib-groups Big-rib import-rib CNC.inet.0
set security nat destination pool 111 address 192.168.3.5/32
set security nat destination rule-set 1 from zone Tel-trust
set security nat destination rule-set 1 rule 111 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 111 match destination-address 192.168.4.1/32
set security nat destination rule-set 1 rule 111 match destination-port 3389
set security nat destination rule-set 1 rule 111 then destination-nat pool 111
set security nat destination rule-set 2 from zone CNC-trust
set security nat destination rule-set 2 rule 222 match source-address 0.0.0.0/0
set security nat destination rule-set 2 rule 222 match destination-address 192.168.5.1/32
set security nat destination rule-set 2 rule 222 match destination-port 3389
set security nat destination rule-set 2 rule 222 then destination-nat pool 111
set applications application tcp_3389 protocol tcp
set applications application tcp_3389 destination-port 3389
set security zones security-zone trust address-book address H_192.168.3.5 192.168.3.5/32
set security policies from-zone Tel-trust to-zone trust policy default-permit match source-address any
set security policies from-zone Tel-trust to-zone trust policy default-permit match destination-address H_192.168.3.5
set security policies from-zone Tel-trust to-zone trust policy default-permit match application tcp_3389
set security policies from-zone Tel-trust to-zone trust policy default-permit then permit
set security policies from-zone CNC-trust to-zone trust policy default-permit match source-address any
set security policies from-zone CNC-trust to-zone trust policy default-permit match destination-address H_192.168.3.5
set security policies from-zone CNC-trust to-zone trust policy default-permit match application tcp_3389
set security policies from-zone CNC-trust to-zone trust policy default-permit then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/3.0
set security zones security-zone Tel-trust host-inbound-traffic system-services all
set security zones security-zone Tel-trust host-inbound-traffic protocols all
set security zones security-zone Tel-trust interfaces ge-0/0/4.0
set security zones security-zone CNC-trust host-inbound-traffic system-services all
set security zones security-zone CNC-trust host-inbound-traffic protocols all
set security zones security-zone CNC-trust interfaces ge-0/0/5.0
set security zones security-zone MGT host-inbound-traffic system-services all
set security zones security-zone MGT host-inbound-traffic protocols all
set security zones security-zone MGT interfaces ge-0/0/6.0
Verification:
root@SRX-Ipsec-A> show security flow session
Session ID: 9696, Policy name: default-permit/5, Timeout: 1794, Valid
In: 192.168.100.211/57408 --> 192.168.5.1/3389;tcp, If: ge-0/0/5.0, Pkts: 2, Bytes: 112
Out: 192.168.3.5/3389 --> 192.168.100.211/57408;tcp, If: ge-0/0/3.0, Pkts: 1, Bytes: 60
root@SRX-Ipsec-A> show security flow session
Session ID: 9697, Policy name: default-permit/4, Timeout: 1796, Valid
In: 192.168.100.211/57409 --> 192.168.4.1/3389;tcp, If: ge-0/0/4.0, Pkts: 2, Bytes: 112
Out: 192.168.3.5/3389 --> 192.168.100.211/57409;tcp, If: ge-0/0/3.0, Pkts: 1, Bytes: 60
Configuration walkthrough:
set routing-instances Tel instance-type virtual-router //create the virtual router (VR) Tel
set routing-instances Tel interface ge-0/0/4.0 //add the logical interface to the VR
set routing-instances Tel routing-options interface-routes rib-group inet Big-rib //make the VR's routing table a member of the rib-group "Big-rib"
set routing-instances Tel routing-options static route 0.0.0.0/0 next-hop 192.168.4.2 //configure a route in the Tel routing table
set routing-instances CNC instance-type virtual-router
set routing-instances CNC interface ge-0/0/5.0
set routing-instances CNC routing-options interface-routes rib-group inet Big-rib
set routing-instances CNC routing-options static route 0.0.0.0/0 next-hop 192.168.5.2 //configure the CNC routing table the same way
set interfaces ge-0/0/3 unit 0 family inet address 192.168.3.1/24
set interfaces ge-0/0/4 unit 0 family inet address 192.168.4.1/24
set interfaces ge-0/0/5 unit 0 family inet address 192.168.5.1/24
set interfaces ge-0/0/6 unit 0 family inet address 10.10.30.189/24 //configure the IP addresses of the logical interfaces
set routing-options interface-routes rib-group inet Big-rib //define the rib-group and add the global table's interface (direct) routes to Big-rib
set routing-options static route 10.0.0.0/8 next-hop 10.10.30.1
set routing-options static route 0.0.0.0/0 next-hop 192.168.4.2 //configure routes in the global routing table
set routing-options static route 0.0.0.0/0 install //install the route into the forwarding table
set routing-options static route 0.0.0.0/0 no-readvertise //do not readvertise this static route into dynamic routing protocols
set routing-options rib-groups Big-rib import-rib inet.0
set routing-options rib-groups Big-rib import-rib Tel.inet.0
set routing-options rib-groups Big-rib import-rib CNC.inet.0 //import the direct routes of all three routing tables into the rib-group so each table can reach the others' directly connected networks
set security nat destination pool 111 address 192.168.3.5/32 //define the internal server address that is the target of the destination NAT
set security nat destination rule-set 1 from zone Tel-trust
set security nat destination rule-set 1 rule 111 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 111 match destination-address 192.168.4.1/32
set security nat destination rule-set 1 rule 111 match destination-port 3389
set security nat destination rule-set 1 rule 111 then destination-nat pool 111 //destination NAT for zone Tel-trust
set security nat destination rule-set 2 from zone CNC-trust
set security nat destination rule-set 2 rule 222 match source-address 0.0.0.0/0
set security nat destination rule-set 2 rule 222 match destination-address 192.168.5.1/32
set security nat destination rule-set 2 rule 222 match destination-port 3389
set security nat destination rule-set 2 rule 222 then destination-nat pool 111 //destination NAT for zone CNC-trust
set applications application tcp_3389 protocol tcp
set applications application tcp_3389 destination-port 3389
set security zones security-zone trust address-book address H_192.168.3.5 192.168.3.5/32 //define a custom application (port) and an address-book entry
set security policies from-zone Tel-trust to-zone trust policy default-permit match source-address any
set security policies from-zone Tel-trust to-zone trust policy default-permit match destination-address H_192.168.3.5
set security policies from-zone Tel-trust to-zone trust policy default-permit match application tcp_3389
set security policies from-zone Tel-trust to-zone trust policy default-permit then permit //policy from Tel-trust to trust
set security policies from-zone CNC-trust to-zone trust policy default-permit match source-address any
set security policies from-zone CNC-trust to-zone trust policy default-permit match destination-address H_192.168.3.5
set security policies from-zone CNC-trust to-zone trust policy default-permit match application tcp_3389
set security policies from-zone CNC-trust to-zone trust policy default-permit then permit //policy from CNC-trust to trust
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/3.0
set security zones security-zone Tel-trust host-inbound-traffic system-services all
set security zones security-zone Tel-trust host-inbound-traffic protocols all
set security zones security-zone Tel-trust interfaces ge-0/0/4.0
set security zones security-zone CNC-trust host-inbound-traffic system-services all
set security zones security-zone CNC-trust host-inbound-traffic protocols all
set security zones security-zone CNC-trust interfaces ge-0/0/5.0
set security zones security-zone MGT host-inbound-traffic system-services all
set security zones security-zone MGT host-inbound-traffic protocols all
set security zones security-zone MGT interfaces ge-0/0/6.0 //assign the logical interfaces to zones and allow all protocols and system services to reach the firewall's directly connected interfaces
Part 2: Virtual router (multi-link load sharing and redundancy)
Requirements:
Internal users' traffic to ports 22, 3389 and 8080 goes via China Telecom (Tel); all other traffic goes via CNC;
All internal-to-external traffic is source-NATed to the IP address of the corresponding external interface;
Provide link redundancy;
Permit all services; (dual-ISP uplink)
Configuration:
set routing-instances Tel instance-type virtual-router
set routing-instances Tel interface ge-0/0/4.0
set routing-instances Tel routing-options interface-routes rib-group inet Big-rib
set routing-instances Tel routing-options static route 0.0.0.0/0 next-hop 192.168.4.2
set routing-instances Tel routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.5.2 preference 100
set routing-instances CNC instance-type virtual-router
set routing-instances CNC interface ge-0/0/5.0
set routing-instances CNC routing-options interface-routes rib-group inet Big-rib
set routing-instances CNC routing-options static route 0.0.0.0/0 next-hop 192.168.5.2
set routing-instances CNC routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.4.2 preference 100
set interfaces ge-0/0/3 unit 0 family inet address 192.168.3.1/24
set interfaces ge-0/0/4 unit 0 family inet address 192.168.4.1/24
set interfaces ge-0/0/5 unit 0 family inet address 192.168.5.1/24
set interfaces ge-0/0/6 unit 0 family inet address 10.10.30.189/24
set routing-options interface-routes rib-group inet Big-rib
set routing-options static route 10.0.0.0/8 next-hop 10.10.30.1
set routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.5.2 preference 100
set routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.4.2 preference 10
set routing-options static route 0.0.0.0/0 install
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options rib-groups Big-rib import-rib inet.0
set routing-options rib-groups Big-rib import-rib Tel.inet.0
set routing-options rib-groups Big-rib import-rib CNC.inet.0
set security nat source rule-set Soure-NAT-Policy from zone trust
set security nat source rule-set Soure-NAT-Policy to zone Tel-trust
set security nat source rule-set Soure-NAT-Policy rule Source-nat-1 match source-address 192.168.3.0/24
set security nat source rule-set Soure-NAT-Policy rule Source-nat-1 match destination-address 0.0.0.0/0
set security nat source rule-set Soure-NAT-Policy rule Source-nat-1 then source-nat interface
set security zones security-zone trust address-book address Net_192.168.3.0 192.168.3.0/24
set security policies from-zone trust to-zone Tel-trust policy 1 match source-address Net_192.168.3.0
set security policies from-zone trust to-zone Tel-trust policy 1 match destination-address any
set security policies from-zone trust to-zone Tel-trust policy 1 match application any
set security policies from-zone trust to-zone Tel-trust policy 1 then permit
set security policies from-zone trust to-zone Tel-trust policy 1 then log session-init
set security policies from-zone trust to-zone Tel-trust policy 1 then log session-close
set security nat source rule-set Soure-NAT-Policy-2 from zone trust
set security nat source rule-set Soure-NAT-Policy-2 to zone CNC-trust
set security nat source rule-set Soure-NAT-Policy-2 rule Source-nat-2 match source-address 192.168.3.0/24
set security nat source rule-set Soure-NAT-Policy-2 rule Source-nat-2 match destination-address 0.0.0.0/0
set security nat source rule-set Soure-NAT-Policy-2 rule Source-nat-2 then source-nat interface
set security policies from-zone trust to-zone CNC-trust policy 2 match source-address Net_192.168.3.0
set security policies from-zone trust to-zone CNC-trust policy 2 match destination-address any
set security policies from-zone trust to-zone CNC-trust policy 2 match application any
set security policies from-zone trust to-zone CNC-trust policy 2 then permit
set security policies from-zone trust to-zone CNC-trust policy 2 then log session-init
set security policies from-zone trust to-zone CNC-trust policy 2 then log session-close
set interfaces ge-0/0/3 unit 0 family inet filter input filter-1
set firewall filter filter-1 term term-1 from destination-port 22
set firewall filter filter-1 term term-1 from destination-port 3389
set firewall filter filter-1 term term-1 from destination-port 8080
set firewall filter filter-1 term term-1 then routing-instance Tel
set firewall filter filter-1 term default then routing-instance CNC
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/3.0
set security zones security-zone Tel-trust host-inbound-traffic system-services all
set security zones security-zone Tel-trust host-inbound-traffic protocols all
set security zones security-zone Tel-trust interfaces ge-0/0/4.0
set security zones security-zone CNC-trust host-inbound-traffic system-services all
set security zones security-zone CNC-trust host-inbound-traffic protocols all
set security zones security-zone CNC-trust interfaces ge-0/0/5.0
set security zones security-zone MGT host-inbound-traffic system-services all
set security zones security-zone MGT host-inbound-traffic protocols all
set security zones security-zone MGT interfaces ge-0/0/6.0
Verification:
Destination-port based routing verification:
Session ID: 9693, Policy name: 1121/6, Timeout: 1790, Valid
In: 192.168.3.5/52562 --> 192.168.100.211/3389;tcp, If: ge-0/0/3.0, Pkts: 2, Bytes: 112
Out: 192.168.100.211/3389 --> 192.168.4.1/28262;tcp, If: ge-0/0/4.0, Pkts: 1, Bytes: 60
Session ID: 9703, Policy name: 1121/7, Timeout: 2, Valid
In: 192.168.3.5/6252 --> 192.168.100.211/1;icmp, If: ge-0/0/3.0, Pkts: 1, Bytes: 60
Out: 192.168.100.211/1 --> 192.168.5.1/4217;icmp, If: ge-0/0/5.0, Pkts: 1, Bytes: 60
View the current routing table: root@SRX-Ipsec-A> show route
Dual-link redundancy verification:
root@SRX-Ipsec-A> show security flow session
Session ID: 10321, Policy name: 1121/7, Timeout: 48, Valid
In: 192.168.3.2/188 --> 192.168.100.211/59209;icmp, If: ge-0/0/3.0, Pkts: 1, Bytes: 84
Out: 192.168.100.211/59209 --> 192.168.5.1/13586;icmp, If: ge-0/0/5.0, Pkts: 0, Bytes: 0
Manually unplug the CNC WAN link (simulating a CNC line failure)
Session ID: 10322, Policy name: 1121/6, Timeout: 50, Valid
In: 192.168.3.2/189 --> 192.168.100.211/59209;icmp, If: ge-0/0/3.0, Pkts: 1, Bytes: 84
Out: 192.168.100.211/59209 --> 192.168.4.1/19350;icmp, If: ge-0/0/4.0, Pkts: 0, Bytes: 0
Session ID: 10330, Policy name: 1121/6, Timeout: 2, Valid
In: 192.168.3.2/197 --> 192.168.100.211/59209;icmp, If: ge-0/0/3.0, Pkts: 1, Bytes: 84
Out: 192.168.100.211/59209 --> 192.168.4.1/3661;icmp, If: ge-0/0/4.0, Pkts: 1, Bytes: 84
Configuration walkthrough:
set routing-instances Tel instance-type virtual-router
set routing-instances Tel interface ge-0/0/4.0
set routing-instances Tel routing-options interface-routes rib-group inet Big-rib
set routing-instances Tel routing-options static route 0.0.0.0/0 next-hop 192.168.4.2
set routing-instances Tel routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.5.2 preference 100 //configure the Tel routing table; the two WAN links back each other up via route preference (a lower preference value means a more preferred route)
set routing-instances CNC instance-type virtual-router
set routing-instances CNC interface ge-0/0/5.0
set routing-instances CNC routing-options interface-routes rib-group inet Big-rib
set routing-instances CNC routing-options static route 0.0.0.0/0 next-hop 192.168.5.2
set routing-instances CNC routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.4.2 preference 100 //configure the CNC routing table likewise
set interfaces ge-0/0/3 unit 0 family inet address 192.168.3.1/24
set interfaces ge-0/0/4 unit 0 family inet address 192.168.4.1/24
set interfaces ge-0/0/5 unit 0 family inet address 192.168.5.1/24
set interfaces ge-0/0/6 unit 0 family inet address 10.10.30.189/24 //configure the IP addresses of the logical interfaces
set routing-options interface-routes rib-group inet Big-rib //define the rib-group and add the global table's interface (direct) routes to Big-rib
set routing-options static route 10.0.0.0/8 next-hop 10.10.30.1
set routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.5.2 preference 100
set routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.4.2 preference 10 //configure the global routing table; the two WAN links back each other up via the assigned preferences
set routing-options static route 0.0.0.0/0 install //install the route into the forwarding table
set routing-options static route 0.0.0.0/0 no-readvertise //do not readvertise this static route into dynamic routing protocols
set routing-options rib-groups Big-rib import-rib inet.0
set routing-options rib-groups Big-rib import-rib Tel.inet.0
set routing-options rib-groups Big-rib import-rib CNC.inet.0 //import the direct routes of all three routing tables into the rib-group
set security nat source rule-set Soure-NAT-Policy from zone trust
set security nat source rule-set Soure-NAT-Policy to zone Tel-trust
set security nat source rule-set Soure-NAT-Policy rule Source-nat-1 match source-address 192.168.3.0/24
set security nat source rule-set Soure-NAT-Policy rule Source-nat-1 match destination-address 0.0.0.0/0
set security nat source rule-set Soure-NAT-Policy rule Source-nat-1 then source-nat interface //interface-based source NAT towards zone Tel-trust
set security zones security-zone trust address-book address Net_192.168.3.0 192.168.3.0/24 //define an address-book entry
set security policies from-zone trust to-zone Tel-trust policy 1 match source-address Net_192.168.3.0
set security policies from-zone trust to-zone Tel-trust policy 1 match destination-address any
set security policies from-zone trust to-zone Tel-trust policy 1 match application any
set security policies from-zone trust to-zone Tel-trust policy 1 then permit
set security policies from-zone trust to-zone Tel-trust policy 1 then log session-init
set security policies from-zone trust to-zone Tel-trust policy 1 then log session-close //policy per the requirements, logging session start and end
set security nat source rule-set Soure-NAT-Policy-2 from zone trust
set security nat source rule-set Soure-NAT-Policy-2 to zone CNC-trust
set security nat source rule-set Soure-NAT-Policy-2 rule Source-nat-2 match source-address 192.168.3.0/24
set security nat source rule-set Soure-NAT-Policy-2 rule Source-nat-2 match destination-address 0.0.0.0/0
set security nat source rule-set Soure-NAT-Policy-2 rule Source-nat-2 then source-nat interface //interface-based source NAT towards zone CNC-trust
set security policies from-zone trust to-zone CNC-trust policy 2 match source-address Net_192.168.3.0
set security policies from-zone trust to-zone CNC-trust policy 2 match destination-address any
set security policies from-zone trust to-zone CNC-trust policy 2 match application any
set security policies from-zone trust to-zone CNC-trust policy 2 then permit
set security policies from-zone trust to-zone CNC-trust policy 2 then log session-init
set security policies from-zone trust to-zone CNC-trust policy 2 then log session-close //policy per the requirements, logging session start and end
set interfaces ge-0/0/3 unit 0 family inet filter input filter-1 //apply the packet filter named "filter-1" to traffic entering interface ge-0/0/3
set firewall filter filter-1 term term-1 from destination-port 22
set firewall filter filter-1 term term-1 from destination-port 3389
set firewall filter filter-1 term term-1 from destination-port 8080 //mark packets passing through filter-1 with destination port 22, 3389 or 8080 as term-1
set firewall filter filter-1 term term-1 then routing-instance Tel //forward packets marked term-1 using the Tel routing table
set firewall filter filter-1 term default then routing-instance CNC //forward packets marked default using the CNC routing table ("default" is just a user-chosen term name; a term with no match conditions matches all traffic)
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/3.0
set security zones security-zone Tel-trust host-inbound-traffic system-services all
set security zones security-zone Tel-trust host-inbound-traffic protocols all
set security zones security-zone Tel-trust interfaces ge-0/0/4.0
set security zones security-zone CNC-trust host-inbound-traffic system-services all
set security zones security-zone CNC-trust host-inbound-traffic protocols all
set security zones security-zone CNC-trust interfaces ge-0/0/5.0
set security zones security-zone MGT host-inbound-traffic system-services all
set security zones security-zone MGT host-inbound-traffic protocols all
set security zones security-zone MGT interfaces ge-0/0/6.0 //assign the logical interfaces to zones and allow all protocols and system services to reach the firewall's directly connected interfaces
Part 3: Virtual router (dual-ISP uplink)
Requirements:
Zone trust traffic to destination ports 22, 3389 and 8080 goes via Tel;
All traffic from zone trust host 192.168.3.2 goes via Tel;
All traffic not explicitly specified goes via CNC;
Zone trust host 192.168.3.5 publishes its remote desktop service externally on Tel-trust (192.168.4.5) and CNC-trust (192.168.5.5);
Traffic arriving from one ISP returns via that same ISP (for externally initiated traffic);
Permit all zone trust hosts to access the Internet;
Permit all external access to the remote desktop service of internal host 192.168.3.5;
Provide link redundancy;
Configuration:
set interfaces ge-0/0/3 unit 0 family inet address 192.168.3.1/24
set interfaces ge-0/0/4 unit 0 family inet address 192.168.4.1/24
set interfaces ge-0/0/5 unit 0 family inet address 192.168.5.1/24
set interfaces ge-0/0/6 unit 0 family inet address 10.10.30.189/24
set routing-options interface-routes rib-group inet Big-rib
set routing-options static route 10.0.0.0/8 next-hop 10.10.30.1
set routing-options static route 0.0.0.0/0 next-hop 192.168.4.2
set routing-options static route 0.0.0.0/0 install
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options rib-groups Big-rib import-rib inet.0
set routing-options rib-groups Big-rib import-rib Tel.inet.0
set routing-options rib-groups Big-rib import-rib CNC.inet.0
set security nat destination pool 111 address 192.168.3.5/32
set security nat destination rule-set 1 from zone Tel-trust
set security nat destination rule-set 1 rule 111 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 111 match destination-address 192.168.4.5/32
set security nat destination rule-set 1 rule 111 match destination-port 3389
set security nat destination rule-set 1 rule 111 then destination-nat pool 111
set security nat destination rule-set 2 from zone CNC-trust
set security nat destination rule-set 2 rule 222 match source-address 0.0.0.0/0
set security nat destination rule-set 2 rule 222 match destination-address 192.168.5.5/32
set security nat destination rule-set 2 rule 222 match destination-port 3389
set security nat destination rule-set 2 rule 222 then destination-nat pool 111
set security zones security-zone trust address-book address Net_192.168.3.0 192.168.3.0/24
set security zones security-zone trust address-book address H_192.168.3.5 192.168.3.5/32
set applications application tcp_3389 protocol tcp
set applications application tcp_3389 destination-port 3389
set security nat proxy-arp interface ge-0/0/4.0 address 192.168.4.5/32
set security nat proxy-arp interface ge-0/0/5.0 address 192.168.5.5/32
set security policies from-zone Tel-trust to-zone trust policy default-permit match source-address any
set security policies from-zone Tel-trust to-zone trust policy default-permit match destination-address H_192.168.3.5
set security policies from-zone Tel-trust to-zone trust policy default-permit match application tcp_3389
set security policies from-zone Tel-trust to-zone trust policy default-permit then permit
set security policies from-zone CNC-trust to-zone trust policy default-permit-2 match source-address any
set security policies from-zone CNC-trust to-zone trust policy default-permit-2 match destination-address H_192.168.3.5
set security policies from-zone CNC-trust to-zone trust policy default-permit-2 match application tcp_3389
set security policies from-zone CNC-trust to-zone trust policy default-permit-2 then permit
set security policies from-zone trust to-zone Tel-trust policy 1121 match source-address Net_192.168.3.0
set security policies from-zone trust to-zone Tel-trust policy 1121 match destination-address any
set security policies from-zone trust to-zone Tel-trust policy 1121 match application any
set security policies from-zone trust to-zone Tel-trust policy 1121 then permit
set security policies from-zone trust to-zone CNC-trust policy 1122 match source-address Net_192.168.3.0
set security policies from-zone trust to-zone CNC-trust policy 1122 match destination-address any
set security policies from-zone trust to-zone CNC-trust policy 1122 match application any
set security policies from-zone trust to-zone CNC-trust policy 1122 then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/3.0
set security zones security-zone Tel-trust host-inbound-traffic system-services all
set security zones security-zone Tel-trust host-inbound-traffic protocols all
set security zones security-zone Tel-trust interfaces ge-0/0/4.0
set security zones security-zone CNC-trust host-inbound-traffic system-services all
set security zones security-zone CNC-trust host-inbound-traffic protocols all
set security zones security-zone CNC-trust interfaces ge-0/0/5.0
set security zones security-zone MGT host-inbound-traffic system-services all
set security zones security-zone MGT host-inbound-traffic protocols all
set security zones security-zone MGT interfaces ge-0/0/6.0
set routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.5.2 preference 100
set routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.4.2 preference 10
set security nat source rule-set Soure-NAT-Policy from zone trust
set security nat source rule-set Soure-NAT-Policy to zone Tel-trust
set security nat source rule-set Soure-NAT-Policy rule Source-nat-1 match source-address 192.168.3.0/24
set security nat source rule-set Soure-NAT-Policy rule Source-nat-1 match destination-address 0.0.0.0/0
set security nat source rule-set Soure-NAT-Policy rule Source-nat-1 then source-nat interface
set security policies from-zone trust to-zone Tel-trust policy 1 match source-address Net_192.168.3.0
set security policies from-zone trust to-zone Tel-trust policy 1 match destination-address any
set security policies from-zone trust to-zone Tel-trust policy 1 match application any
set security policies from-zone trust to-zone Tel-trust policy 1 then permit
set security policies from-zone trust to-zone Tel-trust policy 1 then log session-init
set security policies from-zone trust to-zone Tel-trust policy 1 then log session-close
set security nat source rule-set Soure-NAT-Policy-2 from zone trust
set security nat source rule-set Soure-NAT-Policy-2 to zone CNC-trust
set security nat source rule-set Soure-NAT-Policy-2 rule Source-nat-2 match source-address 192.168.3.0/24
set security nat source rule-set Soure-NAT-Policy-2 rule Source-nat-2 match destination-address 0.0.0.0/0
set security nat source rule-set Soure-NAT-Policy-2 rule Source-nat-2 then source-nat interface
set security policies from-zone trust to-zone CNC-trust policy 2 match source-address Net_192.168.3.0
set security policies from-zone trust to-zone CNC-trust policy 2 match destination-address any
set security policies from-zone trust to-zone CNC-trust policy 2 match application any
set security policies from-zone trust to-zone CNC-trust policy 2 then permit
set security policies from-zone trust to-zone CNC-trust policy 2 then log session-init
set security policies from-zone trust to-zone CNC-trust policy 2 then log session-close
set interfaces ge-0/0/3 unit 0 family inet filter input filter-1
set firewall filter filter-1 term term-1 from destination-port 22
set firewall filter filter-1 term term-1 from destination-port 3389
set firewall filter filter-1 term term-1 from destination-port 8080
set firewall filter filter-1 term term-1 then routing-instance Tel
set firewall filter filter-1 term sour-add from source-address 192.168.3.2/32
set firewall filter filter-1 term sour-add then routing-instance Tel
set firewall filter filter-1 term default from source-address 0.0.0.0/0
set firewall filter filter-1 term default then routing-instance CNC
Verification:
Verify traffic from host 192.168.3.2
Session ID: 19710, Policy name: 1121/6, Timeout: 4, Valid
In: 192.168.3.2/4101 --> 192.168.100.211/1;icmp, If: ge-0/0/3.0, Pkts: 1, Bytes: 60
Out: 192.168.100.211/1 --> 192.168.4.1/1160;icmp, If: ge-0/0/4.0, Pkts: 1, Bytes: 60
Session ID: 19715, Policy name: 1121/6, Timeout: 1798, Valid
In: 192.168.3.2/49329 --> 192.168.100.211/3389;tcp, If: ge-0/0/3.0, Pkts: 2, Bytes: 92
Out: 192.168.100.211/3389 --> 192.168.4.1/11322;tcp, If: ge-0/0/4.0, Pkts: 1, Bytes: 52
Verify port-based traffic
Session ID: 19732, Policy name: 1121/6, Timeout: 1796, Valid
In: 192.168.3.5/49331 --> 192.168.100.211/3389;tcp, If: ge-0/0/3.0, Pkts: 2, Bytes: 92
Out: 192.168.100.211/3389 --> 192.168.4.1/29111;tcp, If: ge-0/0/4.0, Pkts: 1, Bytes: 52
Session ID: 19733, Policy name: 1122/8, Timeout: 2, Valid
In: 192.168.3.5/4131 --> 192.168.100.211/1;icmp, If: ge-0/0/3.0, Pkts: 1, Bytes: 60
Out: 192.168.100.211/1 --> 192.168.5.1/8663;icmp, If: ge-0/0/5.0, Pkts: 1, Bytes: 60
Verify that external traffic returns through the interface it arrived on
Session ID: 19777, Policy name: default-permit/4, Timeout: 1796, Valid
In: 192.168.100.211/51313 --> 192.168.4.5/3389;tcp, If: ge-0/0/4.0, Pkts: 2, Bytes: 112
Out: 192.168.3.5/3389 --> 192.168.100.211/51313;tcp, If: ge-0/0/3.0, Pkts: 1, Bytes: 60
Session ID: 19778, Policy name: default-permit-2/5, Timeout: 1798, Valid
In: 192.168.100.211/51318 --> 192.168.5.5/3389;tcp, If: ge-0/0/5.0, Pkts: 2, Bytes: 112
Out: 192.168.3.5/3389 --> 192.168.100.211/51318;tcp, If: ge-0/0/3.0, Pkts: 1, Bytes: 60
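To audit whether the session table really reflects the Part 3 requirements (host/port based egress via Tel, interface source NAT, and inbound RDP returning through the ISP interface it arrived on), here is an added Python check that is not part of the original page. It parses `show security flow session` text; the sample sessions are constructed from the page's output with one deliberately wrong session appended, and the expected interfaces and addresses are taken from the Part 3 configuration.

```python
from __future__ import annotations

import re
from collections import namedtuple

# Constructed sample modelled on the page's Part 3 `show security flow session`
# output (not captured from a real device).  The last session is deliberately
# wrong: 192.168.3.9 -> port 8080 left via CNC although filter-1 sends 8080 to Tel.
SAMPLE = """\
Session ID: 19732, Policy name: 1121/6, Timeout: 1796, Valid
In: 192.168.3.5/49331 --> 192.168.100.211/3389;tcp, If: ge-0/0/3.0, Pkts: 2, Bytes: 92
Out: 192.168.100.211/3389 --> 192.168.4.1/29111;tcp, If: ge-0/0/4.0, Pkts: 1, Bytes: 52
Session ID: 19733, Policy name: 1122/8, Timeout: 2, Valid
In: 192.168.3.5/4131 --> 192.168.100.211/1;icmp, If: ge-0/0/3.0, Pkts: 1, Bytes: 60
Out: 192.168.100.211/1 --> 192.168.5.1/8663;icmp, If: ge-0/0/5.0, Pkts: 1, Bytes: 60
Session ID: 19777, Policy name: default-permit/4, Timeout: 1796, Valid
In: 192.168.100.211/51313 --> 192.168.4.5/3389;tcp, If: ge-0/0/4.0, Pkts: 2, Bytes: 112
Out: 192.168.3.5/3389 --> 192.168.100.211/51313;tcp, If: ge-0/0/3.0, Pkts: 1, Bytes: 60
Session ID: 19778, Policy name: default-permit-2/5, Timeout: 1798, Valid
In: 192.168.100.211/51318 --> 192.168.5.5/3389;tcp, If: ge-0/0/5.0, Pkts: 2, Bytes: 112
Out: 192.168.3.5/3389 --> 192.168.100.211/51318;tcp, If: ge-0/0/3.0, Pkts: 1, Bytes: 60
Session ID: 90001, Policy name: 1122/8, Timeout: 1790, Valid
In: 192.168.3.9/40000 --> 192.168.100.211/8080;tcp, If: ge-0/0/3.0, Pkts: 2, Bytes: 112
Out: 192.168.100.211/8080 --> 192.168.5.1/12345;tcp, If: ge-0/0/5.0, Pkts: 1, Bytes: 60
"""

HDR = re.compile(r"^Session ID: (\d+), Policy name: (\S+), Timeout: (\d+), (\w+)$")
WING = re.compile(r"^(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+), "
                  r"Pkts: (\d+), Bytes: (\d+)$")

# Expected behaviour, taken from the Part 3 requirements and configuration.
TRUST_IF = "ge-0/0/3.0"
ISP_IF_ADDR = {"ge-0/0/4.0": "192.168.4.1", "ge-0/0/5.0": "192.168.5.1"}  # Tel, CNC
PUBLISHED = {"192.168.4.5": "ge-0/0/4.0", "192.168.5.5": "ge-0/0/5.0"}      # DNAT fronts
TEL_PORTS = {22, 3389, 8080}
TEL_HOSTS = {"192.168.3.2"}
SERVER = ("192.168.3.5", 3389)

Wing = namedtuple("Wing", "src sport dst dport proto ifname")
Session = namedtuple("Session", "sid policy inw outw")


def parse_sessions(text: str) -> list:
    """Parse `show security flow session` text into Session tuples."""
    sessions, cur = [], {}
    for line in text.splitlines():
        m = HDR.match(line.strip())
        if m:
            cur = {"sid": int(m.group(1)), "policy": m.group(2)}
            continue
        m = WING.match(line.strip())
        if m and cur:
            cur[m.group(1)] = Wing(m.group(2), int(m.group(3)), m.group(4),
                                   int(m.group(5)), m.group(6), m.group(7))
            if "In" in cur and "Out" in cur:
                sessions.append(Session(cur["sid"], cur["policy"], cur["In"], cur["Out"]))
                cur = {}
    return sessions


def expected_egress(w: Wing) -> str:
    """filter-1 policy: host 192.168.3.2 or ports 22/3389/8080 -> Tel, everything else -> CNC."""
    return "ge-0/0/4.0" if (w.src in TEL_HOSTS or w.dport in TEL_PORTS) else "ge-0/0/5.0"


def check_session(s: Session) -> list:
    """Return the policy violations of one session (empty when it behaves as required)."""
    problems = []
    if s.inw.ifname == TRUST_IF:  # outbound, initiated from zone trust
        want = expected_egress(s.inw)
        if s.outw.ifname != want:
            problems.append(f"egress {s.outw.ifname}, FBF expects {want}")
        # interface source NAT: the reverse wing must target the egress interface address
        if s.outw.dst != ISP_IF_ADDR.get(s.outw.ifname):
            problems.append(f"reverse wing targets {s.outw.dst}, not the egress interface address")
    elif s.inw.ifname in ISP_IF_ADDR:  # inbound, initiated from an ISP side
        if PUBLISHED.get(s.inw.dst) != s.inw.ifname:
            problems.append(f"published address {s.inw.dst} arrived on {s.inw.ifname}")
        # the reply wing must be the DNAT target on the trust interface, so the answer
        # leaves through the same ISP interface the request came in on
        if (s.outw.src, s.outw.sport) != SERVER or s.outw.ifname != TRUST_IF:
            problems.append("reverse wing is not the DNAT server 192.168.3.5:3389 via trust")
    return problems


def audit(text: str) -> dict:
    """Map session ID -> violations, listing only sessions that have any."""
    result = {}
    for s in parse_sessions(text):
        found = check_session(s)
        if found:
            result[s.sid] = found
    return result
```

Running `audit` on a real `show security flow session` dump flags sessions whose egress or NAT wing contradicts the intended FBF and NAT policy, which is the quickest way to spot a shadowed or missing term.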
Notes:
1. When using FBF (filter-based forwarding), the filter must be enabled on the interface:
set interfaces ge-0/0/3 unit 0 family inet filter input filter-1
2. Mind the order of the terms in the filter (they are matched from top to bottom).
Change the order: insert firewall filter filter-1 term sour-add before term term-1
Confirm the order: show configuration | display set, and check the term order (matched from top to bottom)
3. Once a filter is enabled on an interface, all traffic must be marked; by default, traffic that matches no term is not forwarded normally.
4. The match conditions within one term must be of the same type.
For example, with set firewall filter filter-1 term term-1 from destination-port 22, term-1's conditions should only be destination-port matches; do not add a condition of another type such as set firewall filter filter-1 term term-1 from source-address, because different match types in the same term are ANDed and the term then only matches packets that satisfy both. If a source-address based match is also needed, create a separate term for it.
5. To have traffic on a filter-enabled interface use the global routing table, mark it with a term whose action is accept:
set firewall filter filter-1 term globle-term from destination-address 10.168.0.0/22
set firewall filter filter-1 term globle-term then accept
7. Packet processing order on an interface with a filter enabled (to be verified!):
Does the packet match a marking term? No: the packet is dropped.
Does the packet match a marking term? Yes: look up the firewall session table. Entry found: handle the packet as recorded in the session (e.g. if the session uses the Tel routing table, forward it via the Tel routing table).
Does the packet match a marking term? Yes: look up the firewall session table. No entry: select the routing table according to the mark and forward the packet.
8. Common FBF problems and troubleshooting steps (mind the term order):
Terms are configured, but packets are not forwarded as required:
A: check whether the filter is enabled on the ingress interface of the traffic;
B: check whether a single term mixes several kinds of match conditions, such as destination-port together with source-address.
Terms are configured and the specified traffic takes the specified link, but all other unspecified traffic is dropped (e.g. the gateway cannot be pinged):
A: confirm that all unspecified traffic is marked and assigned a routing table;
B: if no special routing table is needed, confirm that the term is configured to use the global routing table.
After the terms are configured, a directly connected host cannot ping the gateway address (the firewall interface IP):
A: confirm whether this host's traffic is explicitly marked and assigned a routing table;
B: if no special routing table is needed, confirm that this host's traffic is configured to use the global routing table.
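To make Notes 2 to 5 concrete, here is an added Python model of how filter-1's terms are evaluated (added here, not code from the page or from Junos): the first matching term wins, values of one match type are ORed, different match types inside one term are ANDed, and a packet matching no term hits the implicit discard. The Term and Packet classes, the dport value 0 standing in for ICMP, and the `insert_before` helper mirroring the `insert` command are simplifications of this model.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src: str
    dst: str
    dport: int  # 0 stands in for ICMP, which has no port


@dataclass
class Term:
    name: str
    then: str  # routing-instance name, or "accept" for the global table inet.0
    # match type -> allowed values.  Values of one type are ORed; different
    # types inside the same term are ANDed, which is what Note 4 runs into.
    froms: dict = field(default_factory=dict)

    def matches(self, p: Packet) -> bool:
        for kind, values in self.froms.items():
            if kind == "destination-port":
                ok = p.dport in values
            elif kind == "source-address":
                ok = any(ip_address(p.src) in ip_network(v) for v in values)
            elif kind == "destination-address":
                ok = any(ip_address(p.dst) in ip_network(v) for v in values)
            else:
                raise ValueError(f"unsupported match type {kind}")
            if not ok:
                return False
        return True


def lookup(terms: list, p: Packet) -> str:
    """Terms are evaluated top to bottom and the first match wins.  A packet
    matching no term hits the filter's implicit discard (Note 3)."""
    for t in terms:
        if t.matches(p):
            return "inet.0" if t.then == "accept" else t.then
    return "discard"


def insert_before(terms: list, name: str, before: str) -> list:
    """Model of `insert firewall filter <f> term <name> before term <before>` (Note 2)."""
    moving = next(t for t in terms if t.name == name)
    rest = [t for t in terms if t.name != name]
    idx = next(i for i, t in enumerate(rest) if t.name == before)
    return rest[:idx] + [moving] + rest[idx:]


# filter-1 as configured in Part 3
FILTER_1 = [
    Term("term-1", "Tel", {"destination-port": {22, 3389, 8080}}),
    Term("sour-add", "Tel", {"source-address": {"192.168.3.2/32"}}),
    Term("default", "CNC", {"source-address": {"0.0.0.0/0"}}),
]
# Note 4: destination-port and source-address in the SAME term are ANDed
MIXED_TERM = [
    Term("term-1", "Tel", {"destination-port": {22, 3389, 8080},
                           "source-address": {"192.168.3.2/32"}}),
    FILTER_1[2],
]
# Note 2: the catch-all placed above sour-add shadows it
WRONG_ORDER = [FILTER_1[0], FILTER_1[2], FILTER_1[1]]
# Note 3: no catch-all term at all
NO_DEFAULT = FILTER_1[:2]
# Note 5: a term accepting into the global routing table, placed first so it is not
# shadowed by term-1's port match
WITH_GLOBAL = [Term("globle-term", "accept",
                    {"destination-address": {"10.168.0.0/22"}})] + FILTER_1

# constructed test packets
RDP_FROM_3_5 = Packet("192.168.3.5", "192.168.100.211", 3389)
WEB_FROM_3_5 = Packet("192.168.3.5", "192.168.100.211", 443)
PING_FROM_3_2 = Packet("192.168.3.2", "192.168.100.211", 0)
SSH_TO_MGMT = Packet("192.168.3.5", "10.168.1.10", 22)
```

Comparing `lookup(FILTER_1, ...)` with the MIXED_TERM, WRONG_ORDER and NO_DEFAULT variants reproduces the three failure modes listed under Note 8 before touching a device.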