Enterprise Network Project Debugging Series 01: Ruijie Core Switch and Juniper Firewall Configuration

Topology
[Topology diagram not reproduced]

Ruijie core switch configuration
The two uplinks to the firewall, one port on each stack member, are bundled into AggregatePort 3 with LACP in active mode (matching lacp active on the SRX ae0). The bundle is an access port in VLAN 2000, so frames are sent untagged and land on the untagged unit 0 of ae0. The VLAN 2000 SVI is the firewall-facing address and the default route points at the firewall's ae0 address. The internal VLANs 192.168.10.0/24 to 192.168.100.0/24 referenced by the firewall's static routes are also routed by this switch.
vlan 2000
exit
interface AggregatePort 3
switchport mode access
switchport access vlan 2000
exit
interface GigabitEthernet 1/0/21
port-group 3 mode active
exit
interface GigabitEthernet 2/0/21
port-group 3 mode active
exit
interface VLAN 2000
ip address 10.1.1.254 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 10.1.1.1

Firewall configuration
Restore factory defaults. load factory-default refuses to commit until a root password is set. After the reboot, each top-level hierarchy of the factory configuration is deleted so the rest of the build starts from an empty configuration; delete system also removes the root password, so it is set again before the next commit.
configure
load factory-default
set system root-authentication plain-text-password
commit and-quit
request system reboot
After the reboot, log in as root (which lands in the shell) and return to the CLI:
cli
configure
delete security
delete interfaces
delete vlans
delete system
set system root-authentication plain-text-password
Aggregated Ethernet interface. device-count is the number of aeN interfaces the chassis creates (1 creates ae0 only); it is not the number of connected devices. ge-0/0/1 and ge-0/0/2 are the two links to the Ruijie stack, and lacp active matches the active mode on the switch side.
set chassis aggregated-devices ethernet device-count 1
set interfaces ge-0/0/1 gigether-options 802.3ad ae0
set interfaces ge-0/0/2 gigether-options 802.3ad ae0
set interfaces ae0 aggregated-ether-options lacp active

Interface addresses (ae0.0 faces the core switch, ge-0/0/10 the DMZ, ge-0/0/14 the China Telecom (DX) link and ge-0/0/15 the China Unicom (LT) link)
set interfaces ae0 unit 0 family inet address 10.1.1.1/24
set interfaces ge-0/0/10 unit 0 family inet address 172.16.3.1/24
set interfaces ge-0/0/14 unit 0 family inet address 123.100.1.1/24
set interfaces ge-0/0/15 unit 0 family inet address 202.100.1.1/24
Assign the interfaces to security zones (both ISP links share the OUTSIDE zone)
set security zones security-zone INSIDE interfaces ae0.0
set security zones security-zone DMZ interfaces ge-0/0/10.0
set security zones security-zone OUTSIDE interfaces ge-0/0/14.0
set security zones security-zone OUTSIDE interfaces ge-0/0/15.0
Static routes. The internal VLANs sit behind the core switch SVI 10.1.1.254. The default route prefers 202.100.1.254 (LT, default static preference 5); 123.100.1.254 (DX) is a backup at preference 100 that is only used once the primary next hop becomes unusable.
edit routing-options static
set route 192.168.10.0/24 next-hop 10.1.1.254
set route 192.168.20.0/24 next-hop 10.1.1.254
set route 192.168.30.0/24 next-hop 10.1.1.254
set route 192.168.40.0/24 next-hop 10.1.1.254
set route 192.168.50.0/24 next-hop 10.1.1.254
set route 192.168.60.0/24 next-hop 10.1.1.254
set route 192.168.70.0/24 next-hop 10.1.1.254
set route 192.168.80.0/24 next-hop 10.1.1.254
set route 192.168.90.0/24 next-hop 10.1.1.254
set route 192.168.100.0/24 next-hop 10.1.1.254
set route 0.0.0.0/0 next-hop 202.100.1.254
set route 0.0.0.0/0 qualified-next-hop 123.100.1.254 preference 100
exit
Security policies (1. INSIDE to OUTSIDE: permit; 2. INSIDE to DMZ: permit 80 and 443 to one host; 3. DMZ to OUTSIDE: permit; 4. OUTSIDE to INSIDE and DMZ: denied by the default policy)
INSIDE to OUTSIDE: permit all
edit security policies from-zone INSIDE to-zone OUTSIDE
edit policy Permit-All
set match source-address any
set match destination-address any
set match application any
set then permit
exit
exit
commit

INSIDE to DMZ: permit only ports 80 and 443 to 172.16.3.2
1. Define an address-book entry in the DMZ zone
edit security zones security-zone DMZ
set address-book address WEB 172.16.3.2/32
exit
2. Define applications for ports 80 and 443 (the predefined junos-http and junos-https applications would also serve)
edit applications application TCP-80
set protocol tcp destination-port 80
exit
edit applications application TCP-443
set protocol tcp destination-port 443
exit
3. Policy (match application is a list, so both applications are matched)
edit security policies from-zone INSIDE to-zone DMZ
edit policy Permit-web
set match source-address any
set match destination-address WEB
set match application TCP-80
set match application TCP-443
set then permit
exit
commit

Permit all (for comparison testing only). Policies are evaluated in order, so this policy sits after Permit-web and catches everything Permit-web does not match; while it exists the 80/443 restriction has no effect on other DMZ destinations, so deactivate or delete it once the comparison is done.
edit security policies from-zone INSIDE to-zone DMZ
edit policy Permit-ALL
set match source-address any
set match destination-address any
set match application any
set then permit
exit
exit
commit

DMZ to OUTSIDE: permit all
edit security policies from-zone DMZ to-zone OUTSIDE
edit policy Permit-ALL
set match source-address any
set match destination-address any
set match application any
set then permit
exit
exit

OUTSIDE to DMZ and OUTSIDE to INSIDE: denied. The default policy denies everything not explicitly permitted, so nothing needs to be configured until the destination NAT section below.
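Policy order decides what the comparison test actually measures. The following added example, not part of the original page, shows how to check the order of the INSIDE to DMZ policies, move Permit-web ahead of Permit-ALL if it was created later, and deactivate the permit-all once the comparison is done so that the 80/443 restriction is enforced; the hit-count query then confirms that traffic is landing on Permit-web. Only names defined above are used.

```junos
top
run show security policies from-zone INSIDE to-zone DMZ
insert security policies from-zone INSIDE to-zone DMZ policy Permit-web before policy Permit-ALL
deactivate security policies from-zone INSIDE to-zone DMZ policy Permit-ALL
commit
run show security policies from-zone INSIDE to-zone DMZ
run show security policies hit-count from-zone INSIDE to-zone DMZ
```

activate with the same path brings the permit-all back for another comparison run; delete it once the comparison is finished so it cannot be re-enabled by accident.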

Filter-based forwarding (1. 192.168.10.0/24, 192.168.40.0/24 and 172.16.3.0/24 leave via ISP1, China Telecom, next hop 123.100.1.254; 2. 192.168.50.0/24 and 192.168.60.0/24 leave via ISP2, China Unicom, next hop 202.100.1.254)
1. Create one forwarding routing instance per ISP link. Each instance prefers its own ISP and falls back to the other at preference 100.
edit routing-instances DX
set instance-type forwarding
edit routing-options static
set route 0.0.0.0/0 next-hop 123.100.1.254
set route 0.0.0.0/0 qualified-next-hop 202.100.1.254 preference 100
exit
exit
edit routing-instances LT
set instance-type forwarding
edit routing-options static
set route 0.0.0.0/0 next-hop 202.100.1.254
set route 0.0.0.0/0 qualified-next-hop 123.100.1.254 preference 100
exit
exit

2. Build a firewall filter that selects traffic by source prefix: one term per ISP, and a final term that accepts everything else so it keeps using inet.0. A term whose action is routing-instance accepts the packet implicitly.
edit firewall filter internet-vlan
edit term from-NetworktoDX
set from source-address 192.168.10.0/24
set from source-address 192.168.40.0/24
set from source-address 172.16.3.0/24
set then routing-instance DX
up
edit term from-NetwroktoLT
set from source-address 192.168.50.0/24
set from source-address 192.168.60.0/24
set then routing-instance LT
up
set term Permit-All then accept
up
exit
3. Apply the filter to the input direction of the inside and DMZ interfaces
set interfaces ae0.0 family inet filter input-list internet-vlan
set interfaces ge-0/0/10.0 family inet filter input-list internet-vlan

4. Share the directly connected routes into the forwarding instances. A forwarding instance starts with an empty table, so without this DX and LT would know only their default route and could not reach the DMZ or the 10.1.1.0/24 link. The first table listed in import-rib must be the primary table, inet.0. interface-routes shares only direct routes; the static routes to 192.168.x.0/24 remain in inet.0 alone.
edit routing-options
set interface-routes rib-group inet Policy-Routing
edit rib-groups Policy-Routing
set import-rib [inet.0 DX.inet.0 LT.inet.0]
up
up
exit
commit
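The rib group above copies only interface routes, so DX.inet.0 and LT.inet.0 never learn the 192.168.x.0/24 prefixes behind the core switch. A DMZ host that initiates a connection toward an internal subnet is steered into DX by the filter, misses, and follows the DX default route toward China Telecom, where the DMZ to OUTSIDE permit-all lets the private-destination packet out. The following added example, not from the original page, installs the same internal routes in both instances through a configuration group (the group name and the counter names are my own; the term names are the ones defined above, including the spelling of from-NetwroktoLT) and adds per-term counters so you can see which term each flow hit; the show commands then verify the tables. With those routes present the lookup resolves to INSIDE and the missing DMZ to INSIDE policy drops the packet, as intended.

```junos
top
edit groups internal-nets routing-instances <*> routing-options static
set route 192.168.10.0/24 next-hop 10.1.1.254
set route 192.168.20.0/24 next-hop 10.1.1.254
set route 192.168.30.0/24 next-hop 10.1.1.254
set route 192.168.40.0/24 next-hop 10.1.1.254
set route 192.168.50.0/24 next-hop 10.1.1.254
set route 192.168.60.0/24 next-hop 10.1.1.254
set route 192.168.70.0/24 next-hop 10.1.1.254
set route 192.168.80.0/24 next-hop 10.1.1.254
set route 192.168.90.0/24 next-hop 10.1.1.254
set route 192.168.100.0/24 next-hop 10.1.1.254
top
set routing-instances DX apply-groups internal-nets
set routing-instances LT apply-groups internal-nets
edit firewall filter internet-vlan
set term from-NetworktoDX then count to-DX
set term from-NetwroktoLT then count to-LT
set term Permit-All then count stay-in-inet0
top
commit
run show route 192.168.10.0/24 table DX.inet.0
run show route 192.168.10.0/24 table LT.inet.0
run show route 172.16.3.0/24 table DX.inet.0
run show firewall filter internet-vlan
```

The group is applied at the routing-instance level, so the `<*>` wildcard expands to DX and LT and both instances get identical copies of the routes without repeating them. run clear firewall filter internet-vlan resets the counters between test runs.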

Test link failover and check that the translated addresses behave as expected. With plain static routes the backup next hop takes over only when the primary link itself goes down; an upstream ISP failure that leaves the link up will not trigger failover unless the static route is tied to a reachability probe (RPM with ip-monitoring), which is not covered here.

To make the next experiment easier to observe, once the steps above work, delete the routes from the outside toward the inside network (the internal routes on the ACG).

NAT configuration (1. source NAT: INSIDE and DMZ to OUTSIDE; 2. destination NAT: OUTSIDE to the DMZ web server on 80 and 443)
1. Source NAT. Interface NAT translates to the address of whichever OUTSIDE interface the packet leaves on, so it works for both ISP links without a pool.
edit security nat source rule-set NAT-Policy
set from zone INSIDE
set from zone DMZ
set to zone OUTSIDE
edit rule LAN-WAN-Interface-NAT
set match source-address 192.168.10.0/24
set match source-address 192.168.40.0/24
set match source-address 192.168.50.0/24
set match source-address 192.168.60.0/24
set match source-address 172.16.3.0/24
set then source-nat interface
exit
exit

For testing, log session creation and close on the policies and collect the RT_FLOW messages in a local log file. (The DMZ to OUTSIDE policy was named Permit-ALL above; edit creates a policy if the name does not exist, and a policy with no match terms will not commit.)
edit security policies
edit from-zone DMZ to-zone OUTSIDE policy Permit-ALL
set then log session-init session-close
exit
edit from-zone INSIDE to-zone OUTSIDE policy Permit-All
set then log session-init session-close
top
edit system syslog file new-nat-log
set any any
set match RT_FLOW_SESSION
top
commit

View sessions
run show security flow session
run show log new-nat-log
run show security nat source rule all

Record a checkpoint. Committing with a comment labels this point in the commit history; rollback N loads the configuration as it was N commits ago into the candidate, and the following commit makes it active (rollback 0 discards uncommitted changes instead).
commit comment sourceNATdone
run show system commit
rollback 3
commit

2. Destination NAT (OUTSIDE to the DMZ web server, 80 and 443). Each ISP's mapped public address accepts 8080 and 8443, translated to 80 and 443 on 172.16.3.2. The TCP-80 and TCP-443 applications were already defined in the policy section and are repeated here so that this section stands on its own.
edit applications application TCP-80
set protocol tcp destination-port 80
exit
edit applications application TCP-443
set protocol tcp destination-port 443
exit
edit security nat destination
set pool web32-443 address 172.16.3.2/32 port 443
set pool web32-80 address 172.16.3.2/32 port 80
edit rule-set Outside-to-DMZ-des-NAT
set from zone OUTSIDE
set rule LT-router-8443 match source-address 0.0.0.0/0
set rule LT-router-8443 match destination-address 202.100.1.2/32
set rule LT-router-8443 match destination-port 8443
set rule LT-router-8443 then destination-nat pool web32-443

set rule LT-router-8080 match source-address 0.0.0.0/0
set rule LT-router-8080 match destination-address 202.100.1.2/32
set rule LT-router-8080 match destination-port 8080
set rule LT-router-8080 then destination-nat pool web32-80
exit
exit
edit security nat destination
edit rule-set Outside-to-DMZ-des-NAT
set from zone OUTSIDE
set rule DX-router-8443 match source-address 0.0.0.0/0
set rule DX-router-8443 match destination-address 123.100.1.2/32
set rule DX-router-8443 match destination-port 8443
set rule DX-router-8443 then destination-nat pool web32-443

set rule DX-router-8080 match source-address 0.0.0.0/0
set rule DX-router-8080 match destination-address 123.100.1.2/32
set rule DX-router-8080 match destination-port 8080
set rule DX-router-8080 then destination-nat pool web32-80
exit
exit
Proxy ARP. 202.100.1.2 and 123.100.1.2 are not configured on any interface, so the firewall must answer ARP for them on the ISP-facing interfaces or the ISP routers will never forward traffic to them.
set security nat proxy-arp interface ge-0/0/15.0 address 202.100.1.2/32
set security nat proxy-arp interface ge-0/0/14.0 address 123.100.1.2/32
The WEB address-book entry was defined in the policy section and is repeated here.
edit security zones security-zone DMZ
set address-book address WEB 172.16.3.2/32
up
up
up
Destination NAT runs before the policy lookup, so the OUTSIDE to DMZ policy matches the real server address (WEB) and the real ports (TCP-80, TCP-443), not the public address and 8080/8443.
edit security policies from-zone OUTSIDE to-zone DMZ policy Permit-DMZ-443
set match source-address any
set match destination-address WEB
set match application TCP-443
set match application TCP-80
set then permit
commit
exit
Host-inbound traffic. This controls which services may terminate on the firewall's own interfaces in each zone (it is what lets you ping the firewall during the tests); it has no effect on transit traffic. all on OUTSIDE exposes every management service enabled under system services to both ISP links, so outside a lab it should be limited to what the tests need; protocols all is unnecessary here since no routing protocol runs.
edit security zones
set security-zone DMZ host-inbound-traffic system-services all
set security-zone DMZ host-inbound-traffic protocols all

set security-zone OUTSIDE host-inbound-traffic system-services all
set security-zone OUTSIDE host-inbound-traffic protocols all

set security-zone INSIDE host-inbound-traffic system-services all
set security-zone INSIDE host-inbound-traffic protocols all
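system-services all and protocols all on every zone is a lab shortcut. Host-inbound traffic governs what may terminate on the firewall itself (SSH, HTTP(S), NETCONF, ping and so on), so on OUTSIDE it exposes every management service enabled under system services to both ISP links. The following added example, not from the original page, replaces it with a minimal set: ping everywhere for the reachability tests, management (ssh and https) only from INSIDE. Which management services to keep is a local decision; the choice here is an assumption.

```junos
top
delete security zones security-zone OUTSIDE host-inbound-traffic
delete security zones security-zone DMZ host-inbound-traffic
delete security zones security-zone INSIDE host-inbound-traffic
set security zones security-zone OUTSIDE host-inbound-traffic system-services ping
set security zones security-zone DMZ host-inbound-traffic system-services ping
set security zones security-zone INSIDE host-inbound-traffic system-services ping
set security zones security-zone INSIDE host-inbound-traffic system-services ssh
set security zones security-zone INSIDE host-inbound-traffic system-services https
commit
run show configuration security zones security-zone OUTSIDE
```

Transit traffic through the NAT rules and policies is unaffected by this change; only connections addressed to the firewall's own interface addresses are.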

Testing is split into an internal and an external test. The external test works, while the internal test fails: an internal host reaching the public mapped address needs extra configuration. This is the NAT hairpin (NAT loopback) problem and is solved with the bidirectional NAT below.
Test contents
Test 1: telnet to the mapped port to confirm it is reachable.
Test 2: check that the application itself works; consider how the application is designed, especially where port redirection is involved, since a redirect to the server's native port bypasses the 8080/8443 mapping.
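Before and during the two tests the firewall itself can tell you which policy and NAT rule a flow would hit. The following added example, not from the original page, uses show security match-policies to simulate the policy lookup for an outside client and for an inside client, then inspects the destination NAT rule counters, the live sessions toward the server and the session log. The outside client address 198.51.100.10 and the inside client 192.168.10.10 are assumed for illustration. Because destination NAT runs before the policy lookup, the simulated destination must be the real server address and port, not the public address and 8443.

```junos
top
run show security match-policies from-zone OUTSIDE to-zone DMZ source-ip 198.51.100.10 source-port 40000 destination-ip 172.16.3.2 destination-port 443 protocol tcp
run show security match-policies from-zone INSIDE to-zone DMZ source-ip 192.168.10.10 source-port 40000 destination-ip 172.16.3.2 destination-port 443 protocol tcp
run show security nat destination rule all
run show security flow session destination-prefix 172.16.3.2
run show security flow session source-prefix 192.168.10.0/24
run show log new-nat-log | match RT_FLOW_SESSION_CREATE | match 172.16.3.2 | last 10
```

When the inside test fails, the second match-policies query still reports Permit-web, which shows the policy is not the problem: the only destination NAT rule-set has from zone OUTSIDE, so an inside packet addressed to 202.100.1.2 is never translated, its route lookup lands in the OUTSIDE zone instead of the DMZ, and no session toward 172.16.3.2 ever appears. The bidirectional NAT below adds exactly the missing INSIDE rule-set.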

Separately, how should load sharing across the two links be configured?

With the configuration so far, internal hosts can reach the web server by its real address and the Internet can reach it by the public addresses, but internal hosts cannot reach it through the public mapped addresses. The fix is the bidirectional (hairpin) NAT below.

Add the inter-zone policy (a permit-all from INSIDE to DMZ; if the Permit-ALL comparison policy above is still active this duplicates it)
edit security policies from-zone INSIDE to-zone DMZ policy Source-NAT-Plicy
set match source-address any
set match destination-address any
set match application any
set then permit
exit
Add destination NAT rules whose from zone is INSIDE: the same four public address and port combinations, translated to the same pools
edit security nat destination
edit rule-set INSIDE-DMZ
set from zone INSIDE
set rule rule1 match source-address 0.0.0.0/0
set rule rule1 match destination-address 202.100.1.2/32
set rule rule1 match destination-port 8443
set rule rule1 then destination-nat pool web32-443

set rule rule2 match source-address 0.0.0.0/0
set rule rule2 match destination-address 202.100.1.2/32
set rule rule2 match destination-port 8080
set rule rule2 then destination-nat pool web32-80

set rule rule3 match source-address 0.0.0.0/0
set rule rule3 match destination-address 123.100.1.2/32
set rule rule3 match destination-port 8443
set rule rule3 then destination-nat pool web32-443

set rule rule4 match source-address 0.0.0.0/0
set rule rule4 match destination-address 123.100.1.2/32
set rule rule4 match destination-port 8080
set rule rule4 then destination-nat pool web32-80

Add source NAT for INSIDE to DMZ traffic that reaches the server through the hairpin, so the server sees the connection coming from the firewall's public address and its replies are guaranteed to return through the firewall
top
edit security nat source
set pool LT-WEB address 202.100.1.2/32

edit security nat source rule-set INSIDE-DMZ
set from zone INSIDE
set to zone DMZ
edit rule server1-44380
set match source-address 0.0.0.0/0
set match destination-address 172.16.3.2/32
set match destination-port 443
set match destination-port 80
set then source-nat pool LT-WEB
top
commit

View sessions and rule hit counts
run show security flow session
run show log new-nat-log | last 10
run show security nat source rule all
run show security nat destination rule all
run show security policies hit-count

After these tests, internal hosts can reach the server through the public address.

The Juniper firewall lets a packet enter on the China Telecom link and leave on the China Unicom link, so everything remains reachable, but this is inefficient, and most firewalls do not allow it and end up dropping the packet. Picture a China Telecom user reaching 123.100.1.2: the packet enters the firewall on the 123 link and the reply leaves on the 202 link, travelling across China Unicom to get back to China Telecom.
To keep Telecom traffic on Telecom and Unicom traffic on Unicom, one idea is policy routing: give the web server two addresses, for example 172.16.3.3 and 172.16.3.2, map each public address to its own server address, and configure source-based policy routing on those two addresses. Destination-based policy routing would also work, but it needs the carriers' address lists and is much more cumbersome to configure.
