In 2020 Chen Jie was stuck at home and could not return to the office after the New Year either, so she was asked to work from home and needed remote access to the company's internal file server. The company firewall is a Juniper SRX 240, and the plan was to give her a dynamic VPN connection to it; the box only comes with 2 dynamic VPN user licenses by default, which caps the number of concurrent remote users.
Configure remote authentication and address assignment
IP addresses handed out to remote clients. Note that 123.1.1.0/24 is public address space; a spare RFC 1918 range that does not overlap any internal network is the safer choice for a client pool.
set access address-assignment pool dyn-vpn-address-pool family inet network 123.1.1.0/24
set access address-assignment pool dyn-vpn-address-pool family inet network 123.1.1.0/24 range dvpn-range low 123.1.1.100
set access address-assignment pool dyn-vpn-address-pool family inet network 123.1.1.0/24 range dvpn-range high 123.1.1.200
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 114.114.114.114/32
Access profile for remote users: user names, passwords and the address pool. The passwords below are placeholders; use long, unique ones in production, since XAuth is the only per-user credential in this setup.
set access profile dyn-vpn-access-profile client user01 firewall-user password Abc@123
set access profile dyn-vpn-access-profile client user02 firewall-user password Abc#123
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
Web authentication (the portal from which users log in and download the client) uses the same profile
set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile
Enable HTTPS access for the web portal. This uses a self-signed, system-generated certificate, and because the untrust zone allows inbound https the management web interface becomes reachable from the Internet; keep Junos patched and consider restricting web-management to the interfaces that actually need it.
set system services web-management https system-generated-certificate
VPN tunnel configuration
Phase 1: IKE policy. Dynamic VPN uses aggressive mode here because the clients' addresses are not known in advance; in aggressive mode the PSK-based authentication hash is visible to a passive observer and can be brute-forced offline, so use a long, random pre-shared key instead of a short one like the example below.
set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike policy ike-dyn-vpn-policy proposal-set standard
set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "#123Abc"
Phase 1: IKE gateway. connections-limit is the per-gateway cap on simultaneous dynamic VPN clients; it cannot raise the number of concurrent users above what the installed dynamic VPN license allows (2 by default on this box).
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set security ike gateway dyn-vpn-local-gw dynamic hostname mydyvpn
set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/0.0
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
Phase 2: IPsec policy
set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
Phase 2: IPsec VPN
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
Untrust -> Trust policy that invokes the tunnel. Only traffic arriving through the dyn-vpn tunnel matches a tunnel policy, so any/any/any is not an open hole, but tightening destination-address to the file server and application to the file-sharing protocol limits what a compromised remote PC can reach.
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match source-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match destination-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match application any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
Allow traffic addressed to the firewall itself on the untrust zone: https for the portal, ike (UDP 500, and UDP 4500 for NAT traversal) for the tunnel, and ping
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
Dynamic VPN client-side configuration
remote-protected-resources: the internal networks that remote clients reach through the tunnel. remote-exceptions: traffic that is excluded from the tunnel; with 0.0.0.0/0 everything other than 10.0.0.0/8 leaves the client's own Internet connection directly (split tunneling), which keeps home traffic off the firewall but means the client PC stays exposed to its local network while connected.
set security dynamic-vpn access-profile dyn-vpn-access-profile
set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/8
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all user user01
set security dynamic-vpn clients all user user02
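A configuration like the one above is a chain of objects that reference each other by name (gateway -> IKE policy, IPsec VPN -> gateway and IPsec policy, security policy -> IPsec VPN, dynamic-vpn -> access profile, VPN and users), and a single mistyped name leaves the tunnel silently broken at commit or at the first connection attempt. The following is an added example, not part of the original post and not a Juniper tool: a small linter that parses set-style lines, reports dangling references, checks that the pool range lies inside its network, and flags the settings a reviewer would question (public pool space, aggressive mode with a short pre-shared key, a connections-limit above the licensed client count). The embedded sample is a trimmed copy of this post's configuration with the zone and policy-match lines omitted; the 20-character PSK threshold and the default of 2 licensed clients are assumptions.

```python
"""Lint a Junos 'set'-style dynamic VPN configuration for dangling references,
out-of-range pool addresses and weak IKE settings.
Constructed example, not from the original post or from Juniper: the sample
below is a trimmed copy of the SRX config shown above."""
import ipaddress
import re
import shlex

# (regex over a set-path, kind of object that path defines)
DEFINITIONS = [
    (r"^security ike policy (\S+)", "ike-policy"),
    (r"^security ike gateway (\S+)", "ike-gateway"),
    (r"^security ipsec policy (\S+)", "ipsec-policy"),
    (r"^security ipsec vpn (\S+)", "ipsec-vpn"),
    (r"^access profile (\S+)", "access-profile"),
    (r"^access profile \S+ client (\S+) firewall-user", "user"),
    (r"^access address-assignment pool (\S+)", "pool"),
]
# (regex over a set-path, kind of object the captured name must resolve to)
REFERENCES = [
    (r"^security ike gateway \S+ ike-policy (\S+)$", "ike-policy"),
    (r"^security ike gateway \S+ xauth access-profile (\S+)$", "access-profile"),
    (r"^security ipsec vpn \S+ ike gateway (\S+)$", "ike-gateway"),
    (r"^security ipsec vpn \S+ ike ipsec-policy (\S+)$", "ipsec-policy"),
    (r"^security policies .* then permit tunnel ipsec-vpn (\S+)$", "ipsec-vpn"),
    (r"^security dynamic-vpn access-profile (\S+)$", "access-profile"),
    (r"^security dynamic-vpn clients \S+ ipsec-vpn (\S+)$", "ipsec-vpn"),
    (r"^security dynamic-vpn clients \S+ user (\S+)$", "user"),
    (r"^access profile \S+ address-assignment pool (\S+)$", "pool"),
    (r"^access firewall-authentication web-authentication default-profile (\S+)$", "access-profile"),
]


def parse(config_text):
    """Return each 'set ...' line as a normalised path (shlex unquotes the PSK)."""
    return [" ".join(shlex.split(line.strip()[4:]))
            for line in config_text.splitlines() if line.strip().startswith("set ")]


def lint(config_text, licensed_clients=2):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    paths = parse(config_text)
    defined = {(kind, m.group(1)) for p in paths for pat, kind in DEFINITIONS
               if (m := re.match(pat, p))}
    findings = [f"undefined {kind} '{m.group(1)}' referenced in: {p}"
                for p in paths for pat, kind in REFERENCES
                if (m := re.match(pat, p)) and (kind, m.group(1)) not in defined]
    nets = {}  # pool name -> network; the network line precedes its range lines
    for p in paths:
        if m := re.match(r"^access address-assignment pool (\S+) family inet network (\S+)$", p):
            nets[m.group(1)] = ipaddress.ip_network(m.group(2))
            if not nets[m.group(1)].is_private:
                findings.append(f"pool '{m.group(1)}' uses public address space {m.group(2)}")
        if m := re.match(r"^access address-assignment pool (\S+) .* range \S+ (low|high) (\S+)$", p):
            net = nets.get(m.group(1), ipaddress.ip_network("0.0.0.0/0"))
            if ipaddress.ip_address(m.group(3)) not in net:
                findings.append(f"pool '{m.group(1)}' {m.group(2)} {m.group(3)} lies outside {net}")
        if m := re.match(r"^security ike policy (\S+) mode aggressive$", p):
            findings.append(f"ike policy '{m.group(1)}' uses aggressive mode: the PSK auth hash "
                            "is observable on the wire, so the key must be long and random")
        if m := re.match(r"^security ike policy (\S+) pre-shared-key ascii-text (\S+)$", p):
            if len(m.group(2)) < 20:  # assumed minimum length for a PSK used in aggressive mode
                findings.append(f"ike policy '{m.group(1)}' pre-shared key is only {len(m.group(2))} characters")
        if m := re.match(r"^security ike gateway (\S+) dynamic connections-limit (\d+)$", p):
            if int(m.group(2)) > licensed_clients:
                findings.append(f"gateway '{m.group(1)}' connections-limit {m.group(2)} exceeds "
                                f"the {licensed_clients} licensed dynamic VPN clients")
    return findings


# Trimmed copy of the configuration from this post (zone and policy match lines omitted).
SAMPLE_CONFIG = """
set access address-assignment pool dyn-vpn-address-pool family inet network 123.1.1.0/24
set access address-assignment pool dyn-vpn-address-pool family inet network 123.1.1.0/24 range dvpn-range low 123.1.1.100
set access address-assignment pool dyn-vpn-address-pool family inet network 123.1.1.0/24 range dvpn-range high 123.1.1.200
set access profile dyn-vpn-access-profile client user01 firewall-user password Abc@123
set access profile dyn-vpn-access-profile client user02 firewall-user password Abc#123
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile
set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike policy ike-dyn-vpn-policy proposal-set standard
set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "#123Abc"
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/0.0
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
set security dynamic-vpn access-profile dyn-vpn-access-profile
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all user user01
set security dynamic-vpn clients all user user02
"""
```

Run it with `python3 lint.py` after adding `print("\n".join(lint(SAMPLE_CONFIG)))`, or paste the output of `show configuration | display set` into SAMPLE_CONFIG; on the post's config it reports the public pool range, aggressive mode, the 7-character PSK and the connections-limit above the 2 default licenses, and no dangling names. Rename one side of a reference (for example the gateway's ike-policy) and the linter reports exactly which line points at a name that was never defined.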