Enterprise Network Project Debugging Series 03: Ruijie Core Switch and Juniper Firewall Configuration
Topology
Ruijie core switch configuration

```
inter Ag3
switchport mode access
switchport access vlan 2000
inter g1/0/21
port-group 3 mode active
inter g2/0/21
port-group 3 mode active
exit
vlan 2000
inter vlan 2000
ip address 10.1.1.254 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.1.1
```
Firewall configuration
Restore factory defaults

```
load factory-default
set system root-authentication plain-text-password
commit
exit
exit
reboot
cli
configure
delete security
delete interfaces
delete vlans
delete system
set system root-authentication plain-text-password
```
Aggregated interface setup (# I understand this as how many devices are connected, related to the ae number)

```
set chassis aggregated-devices ethernet device-count 1
set interfaces ge-0/0/1 gigether-options 802.3ad ae0
set interfaces ge-0/0/2 gigether-options 802.3ad ae0
set interfaces ae0 aggregated-ether-options lacp active
```
Configure interface IP addresses

```
set interfaces ae0 unit 0 family inet address 10.1.1.1/24
set interfaces ge-0/0/10 unit 0 family inet address 172.16.3.1/24
set interfaces ge-0/0/14 unit 0 family inet address 123.100.1.1/24
set interfaces ge-0/0/15 unit 0 family inet address 202.100.1.1/24
```
Assign interfaces to their security zones

```
set security zones security-zone INSIDE interfaces ae0.0
set security zones security-zone DMZ interfaces ge-0/0/10.0
set security zones security-zone OUTSIDE interfaces ge-0/0/14.0
set security zones security-zone OUTSIDE interfaces ge-0/0/15.0
```
Configure static routes

```
edit routing-options static
set route 192.168.10.0/24 next-hop 10.1.1.254
set route 192.168.20.0/24 next-hop 10.1.1.254
set route 192.168.30.0/24 next-hop 10.1.1.254
set route 192.168.40.0/24 next-hop 10.1.1.254
set route 192.168.50.0/24 next-hop 10.1.1.254
set route 192.168.60.0/24 next-hop 10.1.1.254
set route 192.168.70.0/24 next-hop 10.1.1.254
set route 192.168.80.0/24 next-hop 10.1.1.254
set route 192.168.90.0/24 next-hop 10.1.1.254
set route 192.168.100.0/24 next-hop 10.1.1.254
set route 0.0.0.0/0 next-hop 202.100.1.254
set route 0.0.0.0/0 qualified-next-hop 123.100.1.254 preference 100
exit
```
Security policy configuration (1. INSIDE to OUTSIDE: permit; 2. INSIDE to DMZ: permit ports 80 and 443 to a specified IP; 3. DMZ to OUTSIDE: permit; 4. OUTSIDE to INSIDE and DMZ: denied by default)
INSIDE to OUTSIDE (DX, China Telecom): permit

```
edit security policies from-zone INSIDE to-zone OUTSIDE
edit policy Permit-All
set match source-address any
set match destination-address any
set match application any
set then permit
exit
exit
commit
```
INSIDE to DMZ: permit ports 80 and 443 to IP 172.16.3.2
1. Define an address-book entry in the DMZ zone

```
edit security zones security-zone DMZ
set address-book address WEB 172.16.3.2/32
exit
```

2. Define applications for ports 80 and 443

```
edit applications application TCP-80
set protocol tcp destination-port 80
exit
edit applications application TCP-443
set protocol tcp destination-port 443
exit
```

3. Policy configuration

```
edit security policies from-zone INSIDE to-zone DMZ
edit policy Permit-web
set match source-address any
set match destination-address WEB
set match application TCP-80
set match application TCP-443
set then permit
exit
commit
```
Permit all (for comparison testing)

```
edit security policies from-zone INSIDE to-zone DMZ
edit policy Permit-ALL
set match source-address any
set match destination-address any
set match application any
set then permit
exit
exit
commit
```
DMZ to OUTSIDE (DX): permit

```
edit security policies from-zone DMZ to-zone OUTSIDE
edit policy Permit-ALL
set match source-address any
set match destination-address any
set match application any
set then permit
exit
exit
```

OUTSIDE to DMZ: deny (the default is to deny everything)
Policy-based routing (1. 192.168.10/40.0 and 172.16.3.0 go out via ISP1 123.1.1.254; 2. 192.168.50/60 go out via ISP2 202.100.1.254)
1. Create the routing instances (one per external ISP link)

```
edit routing-instances DX
set instance-type forwarding
edit routing-options static
set route 0.0.0.0/0 next-hop 123.100.1.254
set route 0.0.0.0/0 qualified-next-hop 202.100.1.254 preference 100
exit
exit
edit routing-instances LT
set instance-type forwarding
edit routing-options static
set route 0.0.0.0/0 next-hop 202.100.1.254
set route 0.0.0.0/0 qualified-next-hop 123.100.1.254 preference 100
exit
exit
```
2. Create a firewall filter to select the traffic (one term per group of source ranges sent to a given ISP, with a final term that accepts the remaining traffic)

```
edit firewall filter internet-vlan
edit term from-NetworktoDX
set from source-address 192.168.10.0/24
set from source-address 192.168.40.0/24
set from source-address 172.16.3.0/24
set then routing-instance DX
up
edit term from-NetworktoLT
set from source-address 192.168.50.0/24
set from source-address 192.168.60.0/24
set then routing-instance LT
up
set term Permit-All then accept
up
exit
```
3. Apply the filter in the inbound direction of the interfaces

```
set interfaces ae0 unit 0 family inet filter input-list internet-vlan
set interfaces ge-0/0/10 unit 0 family inet filter input-list internet-vlan
```

4. Merge the routing tables (rib-group)

```
edit routing-options
set interface-routes rib-group inet Policy-Routing
edit rib-groups Policy-Routing
set import-rib [inet.0 DX.inet.0 LT.inet.0]
up
up
exit
commit
```
Test link failover and check that the translated IP address switches correctly.
To make the next experiment easier to observe, after completing the above delete the routes from the outside network to the inside network (the ACG's internal routes).
NAT configuration (1. source NAT: INSIDE and DMZ to OUTSIDE permitted; 2. destination NAT: OUTSIDE to the DMZ web server on ports 80 and 443)
1. Source NAT

```
edit security nat source rule-set NAT-Policy
set from zone INSIDE
set from zone DMZ
set to zone OUTSIDE
edit rule LAN-WAN-Interface-NAT
set match source-address 192.168.10.0/24
set match source-address 192.168.40.0/24
set match source-address 192.168.50.0/24
set match source-address 192.168.60.0/24
set match source-address 172.16.3.0/24
set then source-nat interface
exit
exit
```
To test and view sessions, the following related configuration is needed (session logging on the permit policies, plus a syslog file that captures RT_FLOW_SESSION messages)

```
edit security policies from-zone DMZ to-zone OUTSIDE policy Permit-ALL
set then log session-init session-close
top
edit security policies from-zone INSIDE to-zone OUTSIDE policy Permit-All
set then log session-init session-close
top
edit system syslog file new-nat-log
set any any
set match RT_FLOW_SESSION
top
```
View sessions

```
run show security flow session
run show log new-nat-log
run show security nat source rule all
```

Create a configuration snapshot

```
commit comment sourceNATdone
run show system commit
rollback 3
commit
```
2. Destination NAT (OUTSIDE to the DMZ web server on ports 80 and 443)

```
edit applications application TCP-80
set protocol tcp destination-port 80
exit
edit applications application TCP-443
set protocol tcp destination-port 443
exit
edit security nat destination
set pool web32-443 address 172.16.3.2/32 port 443
set pool web32-80 address 172.16.3.2/32 port 80
edit rule-set Outside-to-DMZ-des-NAT
set from zone OUTSIDE
set rule LT-router-8443 match source-address 0.0.0.0/0
set rule LT-router-8443 match destination-address 202.100.1.2/32
set rule LT-router-8443 match destination-port 8443
set rule LT-router-8443 then destination-nat pool web32-443
set rule LT-router-8080 match source-address 0.0.0.0/0
set rule LT-router-8080 match destination-address 202.100.1.2/32
set rule LT-router-8080 match destination-port 8080
set rule LT-router-8080 then destination-nat pool web32-80
exit
exit
edit security nat destination
edit rule-set Outside-to-DMZ-des-NAT
set from zone OUTSIDE
set rule DX-router-8443 match source-address 0.0.0.0/0
set rule DX-router-8443 match destination-address 123.100.1.2/32
set rule DX-router-8443 match destination-port 8443
set rule DX-router-8443 then destination-nat pool web32-443
set rule DX-router-8080 match source-address 0.0.0.0/0
set rule DX-router-8080 match destination-address 123.100.1.2/32
set rule DX-router-8080 match destination-port 8080
set rule DX-router-8080 then destination-nat pool web32-80
exit
exit
set security nat proxy-arp interface ge-0/0/15.0 address 202.100.1.2/32
set security nat proxy-arp interface ge-0/0/14.0 address 123.100.1.2/32
edit security zones security-zone DMZ
set address-book address WEB 172.16.3.2/32
up
up
up
edit security policies from-zone OUTSIDE to-zone DMZ policy Permit-DMZ-443
set match source-address any
set match destination-address WEB
set match application TCP-443
set match application TCP-80
set then permit
commit
exit
```
```
edit security zones
set security-zone DMZ host-inbound-traffic system-services all
set security-zone DMZ host-inbound-traffic protocols all
set security-zone OUTSIDE host-inbound-traffic system-services all
set security-zone OUTSIDE host-inbound-traffic protocols all
set security-zone INSIDE host-inbound-traffic system-services all
set security-zone INSIDE host-inbound-traffic protocols all
```

Note that host-inbound-traffic system-services all and protocols all on the OUTSIDE zone exposes the firewall's own management services (SSH, web management and so on) on the Internet-facing interfaces; this is convenient for the lab, but in production the OUTSIDE zone should be limited to the specific services actually required.
Testing is split into an internal test and an external test. Here the external test succeeds while the internal test fails. The main reason is that internal hosts accessing the public address need additional configuration: this is the NAT hairpin (reflection) problem, and it is solved with a bidirectional NAT setup.
The whole series can be found at the following links:
Enterprise Network Project Debugging Series 07: Firewall Configuration: https://mp.csdn.net/mp_blog/creation/editor/142526946
Enterprise Network Project Debugging Series 06: Wireless Network Configuration: https://mp.csdn.net/mp_blog/creation/editor/142388653
Enterprise Network Project Debugging Series 05: Core Network Security, DHCP Server and DHCP Snooping Configuration: https://mp.csdn.net/mp_blog/creation/editor/142298365
Enterprise Network Project Debugging Series 04: Core Network (Wired Part) Configuration: https://mp.csdn.net/mp_blog/creation/editor/142272289
Enterprise Network Project Debugging Series 03: Ruijie Core Switch and Juniper Firewall Configuration: https://editor.csdn.net/md/?articleId=142208696
Enterprise Network Project Debugging Series 02: Ruijie Core Switch Virtual Stacking: https://mp.csdn.net/mp_blog/creation/editor/142255632
Enterprise Network Project Debugging Series 01: Overall Network Topology and Lab Goals: https://mp.csdn.net/mp_blog/creation/editor/142255787
Test content
Test 1: check with telnet whether the ports are reachable.
Test 2: check whether the application works; the main consideration here is the application's design, and in particular any port redirection needs attention.
Also, how should dual-link load sharing be configured?
With the configuration above, internal hosts can reach the web server by its server address and the public network can reach it by its public address, but hosts in the internal zone cannot reach it through the mapped public address. To solve this, the following bidirectional NAT configuration is needed.
Add the inter-zone policy

```
edit security policies from-zone INSIDE to-zone DMZ policy Source-NAT-Policy
set match source-address any
set match destination-address any
set match application any
set then permit
exit
```
Add destination NAT with from zone INSIDE

```
edit security nat destination
edit rule-set INSIDE-DMZ
set from zone INSIDE
set rule rule1 match source-address 0.0.0.0/0
set rule rule1 match destination-address 202.100.1.2/32
set rule rule1 match destination-port 8443
set rule rule1 then destination-nat pool web32-443
set rule rule2 match source-address 0.0.0.0/0
set rule rule2 match destination-address 202.100.1.2/32
set rule rule2 match destination-port 8080
set rule rule2 then destination-nat pool web32-80
set rule rule3 match source-address 0.0.0.0/0
set rule rule3 match destination-address 123.100.1.2/32
set rule rule3 match destination-port 8443
set rule rule3 then destination-nat pool web32-443
set rule rule4 match source-address 0.0.0.0/0
set rule rule4 match destination-address 123.100.1.2/32
set rule rule4 match destination-port 8080
set rule rule4 then destination-nat pool web32-80
top
```
Add the source NAT rule (the pool address makes the web server reply to the firewall instead of directly to the internal client)

```
edit security nat source
set pool LT-WEB address 202.100.1.2/32
edit rule-set INSIDE-DMZ
set from zone INSIDE
set to zone DMZ
edit rule server1-44380
set match source-address 0.0.0.0/0
set match destination-address 172.16.3.2/32
set match destination-port 443
set match destination-port 80
set then source-nat pool LT-WEB
top
commit
```
View sessions and policy hit counts

```
run show security flow session
run show log new-nat-log | last 10
run show security nat source rule all
run show security nat destination rule all
run show security policies hit-count
```
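As an added example that is not part of the original post, the following Python script audits RT_FLOW_SESSION_CREATE lines such as those written to new-nat-log, checking that flows to the public addresses were translated to the DMZ web server pools and that INSIDE hairpin flows also had their source rewritten to the LT-WEB pool address. The sample log lines are constructed and only approximate the real Junos message layout; rule and policy names follow the configuration above.

```python
# Added example, not from the original post: audit RT_FLOW_SESSION_CREATE lines
# against the destination NAT pools and the LT-WEB hairpin source pool above.
import re

# public (address, port) -> DMZ web server (address, port), as in the NAT pools
PUBLIC_TO_DMZ = {
    ("202.100.1.2", 8443): ("172.16.3.2", 443),
    ("202.100.1.2", 8080): ("172.16.3.2", 80),
    ("123.100.1.2", 8443): ("172.16.3.2", 443),
    ("123.100.1.2", 8080): ("172.16.3.2", 80),
}
HAIRPIN_SNAT = "202.100.1.2"  # LT-WEB pool: INSIDE hairpin flows must use it

# fields: src/sport->dst/dport service natsrc/natsport->natdst/natdport
#         snat-type snat-rule dnat-type dnat-rule proto policy src-zone dst-zone
SESSION_RE = re.compile(
    r"RT_FLOW_SESSION_CREATE: session created "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) \S+ "
    r"(?P<nsrc>[\d.]+)/(?P<nsport>\d+)->(?P<ndst>[\d.]+)/(?P<ndport>\d+) "
    r"\S+ \S+ \S+ \S+ \d+ (?P<policy>\S+) (?P<szone>\S+) (?P<dzone>\S+)")

SAMPLE_LOG = [  # constructed sample lines, approximating the real format
    "Sep 20 10:00:01 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created "
    "192.168.10.5/51234->202.100.1.2/8443 None 202.100.1.2/2048->172.16.3.2/443 "
    "source server1-44380 destination rule1 6 Source-NAT-Policy INSIDE DMZ 1001 N/A(N/A) ae0.0",
    "Sep 20 10:00:02 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created "
    "203.0.113.10/40000->202.100.1.2/8080 None 203.0.113.10/40000->172.16.3.2/80 "
    "N/A N/A destination LT-router-8080 6 Permit-DMZ-443 OUTSIDE DMZ 1002 N/A(N/A) ge-0/0/15.0",
    "Sep 20 10:00:03 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created "
    "192.168.50.7/52000->202.100.1.2/8443 None 192.168.50.7/52000->172.16.3.2/443 "
    "N/A N/A destination rule1 6 Permit-web INSIDE DMZ 1003 N/A(N/A) ae0.0",
]

def check_session(line):
    """Return (src, policy, status) for a session-create line, else None."""
    m = SESSION_RE.search(line)
    if not m:
        return None  # e.g. RT_FLOW_SESSION_CLOSE or unrelated syslog line
    f = m.groupdict()
    want = PUBLIC_TO_DMZ.get((f["dst"], int(f["dport"])))
    if want is None:
        status = "not-dnat"  # ordinary flow, nothing to verify here
    elif (f["ndst"], int(f["ndport"])) != want:
        status = "dnat-mismatch"  # wrong pool or wrong destination rule hit
    elif f["szone"] == "INSIDE" and f["nsrc"] != HAIRPIN_SNAT:
        status = "hairpin-missing-snat"  # server would reply straight to client
    else:
        status = "ok"
    return (f["src"], f["policy"], status)

def audit(lines):
    return [r for r in map(check_session, lines) if r is not None]
```

A "hairpin-missing-snat" verdict is exactly the failure described for the internal test: the destination NAT fired but the source NAT rule did not, so the server's reply bypasses the firewall's session.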
After the above tests, the internal network can access the server through the public address.
With the Juniper firewall, the firewall allows a packet to come in via China Telecom (DX) and go out via China Unicom (LT), so overall connectivity works; however, this is actually very inefficient, and in this situation most firewalls do not allow it at all and the packet ends up being dropped. Imagine a China Telecom user accessing the address 123.1.1.2: the firewall receives it on the 123 link and sends it out on the 202 link, so the reply reaches China Telecom by way of China Unicom.
To optimise this so that Telecom traffic uses the Telecom link and Unicom traffic uses the Unicom link, one approach is policy-based routing: give the web service two addresses, e.g. 172.16.3.3 and 172.16.3.2, and configure source-based policy routing on those two addresses. This achieves Unicom via Unicom and Telecom via Telecom. Destination-based policy routing is also possible, but it requires the ISPs' address databases and is much more cumbersome to configure.
Since some readers are interested in the topology diagram, here are two Visio topology files, free to download:
https://download.csdn.net/download/king01299/89755212 Small and medium enterprise network topology (Visio)
https://download.csdn.net/download/king01299/89755214 Campus network topology (Visio)