Juniper SRX300 HA (路由模式)
需求描述(TMD,猪扒的配置案例少-做好了发一个出来。最新版本贴近实战)
3:本地是做远程网管的,Trusted接入的网管交换机。由Untrusted的设备远程IPsec 拨入到Trusted的设备做设备远程管理
4:DMZ没有设置,后期有需求再加
3:Untrusted 60422映射到本地管理接口上做 ssh 远程管理
4:配合cisco ACS/ISE 做账号 AAA 登入认证
5:配置时钟服务器对远程时钟服务器进行同步
6:配置远程日志服务器进行日志记录
拓扑图
配置
dotcomlab@srx-a# run show configuration | display set
# Junos release the listing was taken from.
set version 21.2R3-S3.5
# Node-specific settings for the chassis cluster. Each node gets its own host-name and
# its own fxp0 (out-of-band management) address; 192.168.1.100 is shared and is only
# active on the node that currently holds the primary role (master-only).
set groups node0 system host-name srx-a
set groups node0 system backup-router 192.168.1.254
set groups node0 system backup-router destination 192.168.1.0/24
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.1.101/24
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.1.100/24 master-only
set groups node1 system host-name srx-b
set groups node1 system backup-router 192.168.1.254
set groups node1 system backup-router destination 192.168.1.0/24
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.1.102/24
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.1.100/24 master-only
# Applies the group matching the local node id (node0 / node1) on each member.
# NOTE(review): the quotes on this line (and on the quoted password/secret values further
# down) render as curly quotes in this listing; Junos expects straight double quotes, so
# this is most likely a copy/paste artifact to fix before reloading the config.
set apply-groups “${node}”
# --- system: authentication, management services, logging, time ---
# Root password (redacted by the author).
set system root-authentication encrypted-password “密码XXXXX”
# Login brute-force throttling: minimum delay between attempts and a lockout period.
set system login retry-options minimum-time 20
set system login retry-options lockout-period 10
# Login classes: RO-CLASS is view-only, RW-CLASS and juniper both carry "all".
# Only the juniper class sets an idle-timeout; RW-CLASS has none in this listing.
set system login class RO-CLASS permissions view
set system login class RO-CLASS permissions view-configuration
set system login class RW-CLASS permissions all
set system login class juniper idle-timeout 20
set system login class juniper permissions all
# JUNOS-RO / JUNOS-RW have no local authentication configured; presumably they are the
# template accounts that the TACACS+ server maps remote users onto — confirm on the ACS/ISE side.
set system login user JUNOS-RO uid 2004
set system login user JUNOS-RO class RO-CLASS
set system login user JUNOS-RW uid 2005
set system login user JUNOS-RW class RW-CLASS
# Local administrator with full permissions (password redacted).
set system login user dotcomlab uid 2001
set system login user dotcomlab class juniper
set system login user dotcomlab authentication encrypted-password “密码XXXXX”
# NOTE(review): ftpup is super-user, and its encrypted-password value is a short plain
# string rather than a hash and is the only credential in this listing that was not
# redacted. An upload account only needs a restricted class (sftp-server is enabled under
# system services ssh below), and the credential should be regenerated before publishing.
set system login user ftpup uid 2006
set system login user ftpup class super-user
set system login user ftpup authentication encrypted-password “abc@123”
# Web/J-Web administrator mapped to the read-write class.
set system login user weblogin uid 2003
set system login user weblogin class RW-CLASS
set system login user weblogin authentication encrypted-password “密码XXXXX”
# SSH hardening: no direct root login, protocol v2 only, SFTP subsystem on, default port,
# and limits on concurrent connections and connection rate.
set system services ssh root-login deny
set system services ssh protocol-version v2
set system services ssh sftp-server
set system services ssh port 22
set system services ssh connection-limit 3
set system services ssh rate-limit 5
# NETCONF over SSH for automation/management.
set system services netconf ssh
set system services dhcp-local-server group jdhcp-group interface irb.0 // redundant, not used
# J-Web over HTTPS with a self-signed (system-generated) certificate, bound to reth0.0.
# NOTE(review): reth0.0 is the untrust-zone interface; the untrust zone below only permits
# ping and ike as host-inbound services on reth0.0, so HTTPS would be blocked at the zone
# level unless that list is extended — confirm whether J-Web on the untrust side is intended.
set system services web-management https port 443
set system services web-management https system-generated-certificate
set system services web-management https interface reth0.0
set system services web-management session idle-timeout 10
set system services web-management session session-limit 1
set system time-zone Asia/Shanghai
# AAA: TACACS+ first, local password second.
# NOTE(review): listing "password" after "tacplus" keeps local accounts usable alongside
# TACACS+ — confirm that is intended rather than a fallback for an unreachable server only.
set system authentication-order tacplus
set system authentication-order password
set system name-server 10.42.128.120
set system name-server 10.59.0.120
# TACACS+ server (the ACS/ISE box; it is also the "ACS" address-book entry used in an
# untrust-zone policy below). Requests are sourced from 10.42.254.62, the reth0 (untrust) address.
set system tacplus-server 10.59.0.138 port 49
set system tacplus-server 10.59.0.138 secret “密码XXXXX”
set system tacplus-server 10.59.0.138 single-connection
set system tacplus-server 10.59.0.138 source-address 10.42.254.62
# Login accounting sent to TACACS+.
set system accounting events login
set system accounting destination tacplus
# Local log archive limits.
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
# Remote syslog collector: notice-and-above plus all authorization and command events.
# NOTE(review): only a port is given; no transport/TLS appears in this listing, so this
# looks like plain syslog to 514 — confirm the path to the collector is trusted.
set system syslog host 172.16.123.161 any notice
set system syslog host 172.16.123.161 authorization any
set system syslog host 172.16.123.161 interactive-commands any
set system syslog host 172.16.123.161 port 514
# Local log files: every interactive command, and messages at notice / auth at info.
set system syslog file interactive-commands interactive-commands any
set system syslog file messages any notice
set system syslog file messages authorization info
# Keep five committed configurations on flash and five rollbacks.
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
# NTP with symmetric-key authentication (key 250), sourced from the reth0 address.
# NOTE(review): the key type is MD5; newer Junos releases also offer SHA-based NTP key
# types — verify what 21.2 supports before changing.
set system ntp authentication-key 250 type md5
set system ntp authentication-key 250 value “密码XXXXX”
set system ntp server 10.59.119.250
set system ntp trusted-key 250
set system ntp source-address 10.42.254.62
# Juniper phone-home (zero-touch) settings.
set system phone-home server https://redirect.juniper.net
set system phone-home rfc-compliant
# --- chassis cluster (SRX HA) ---
# Automatic recovery of the control link; three reth interfaces (reth0..reth2).
set chassis cluster control-link-recovery
set chassis cluster reth-count 3
# Node 0 is preferred for both RG0 (routing engine) and RG1 (data plane / reths).
# NOTE(review): no interface-monitor or ip-monitoring entries appear in this listing, so
# a failed reth member link would not by itself lower the RG1 priority — confirm intent.
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
# --- security: IKE/IPsec dynamic VPN, address books, screens, NAT, policies, zones ---
# IKE (phase 1) proposal for the dynamic VPN: pre-shared key, DH group 2, MD5 integrity,
# AES-128-CBC, 180 s SA lifetime.
# NOTE(review): MD5 and DH group 2 are below current recommendations (SHA-2 and group 14
# or higher are available in Junos), and a 180 s lifetime forces a phase-1 rekey every
# three minutes.
set security ike proposal my_ncp_pro authentication-method pre-shared-keys
set security ike proposal my_ncp_pro dh-group group2
set security ike proposal my_ncp_pro authentication-algorithm md5
set security ike proposal my_ncp_pro encryption-algorithm aes-128-cbc
set security ike proposal my_ncp_pro lifetime-seconds 180
# IKE policy: aggressive mode with a shared PSK for all remote clients.
# NOTE(review): aggressive mode with a PSK is the weaker IKEv1 exchange; it is commonly
# required for dynamic-address peers, but prefer main mode where the client supports it.
set security ike policy ike-dyn-vpn mode aggressive
set security ike policy ike-dyn-vpn proposals my_ncp_pro
set security ike policy ike-dyn-vpn pre-shared-key ascii-text “密码XXXXX”
# Gateway for dynamic (dial-in) peers identified by hostname "dynvpn", terminated on the
# untrust interface, capped at 10 connections, with XAuth user authentication from the
# remote_access_profile access profile.
set security ike gateway dyn-vpn-gw ike-policy ike-dyn-vpn
set security ike gateway dyn-vpn-gw dynamic hostname dynvpn
set security ike gateway dyn-vpn-gw dynamic connections-limit 10
set security ike gateway dyn-vpn-gw external-interface reth0.0
set security ike gateway dyn-vpn-gw xauth access-profile remote_access_profile
# IPsec (phase 2) proposal: ESP with HMAC-MD5-96 and AES-128-CBC; no lifetime set here.
# NOTE(review): same concern as phase 1 — HMAC-MD5 integrity is below current recommendations.
set security ipsec proposal dyn-vpn protocol esp
set security ipsec proposal dyn-vpn authentication-algorithm hmac-md5-96
set security ipsec proposal dyn-vpn encryption-algorithm aes-128-cbc
set security ipsec policy dyn-vpn-ncp proposals dyn-vpn
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-gw
set security ipsec vpn dyn-vpn ike ipsec-policy dyn-vpn-ncp
# Address book WG_address (entry names reuse the prefix text). Neither it nor the
# "136/250" set is referenced by any policy in this listing, and no "attach zone" line
# appears — presumably left over from an earlier design; confirm before keeping it.
set security address-book WG_address address 10.42.136.0/24 range-address 10.42.136.1 to 10.42.136.254
set security address-book WG_address address 10.42.128.250/32 10.42.128.250/32
set security address-book WG_address address-set 136/250 address 10.42.128.250/32
set security address-book WG_address address-set 136/250 address 10.42.136.0/24
# ssh-manage-address (the lo0 address) is defined twice: once in its own book, once in the
# global book. Only the global one is needed by the untrust->loopbak_zone policy below.
set security address-book ssh-manage-address address ssh-manage-address 192.168.253.1/32
set security address-book global address ssh-manage-address 192.168.253.1/32
# Remote management sources (.212-.215), the TACACS+ server and the managed switch.
# NOTE(review): the RE-protection filter on lo0 only accepts SSH from 10.42.136.212 and
# 10.42.128.250, so .213-.215 of this range are discarded there even though the NAT and
# policy below would pass them — align the two lists.
set security address-book global address remote-manage-address range-address 10.42.136.212 to 10.42.136.215
set security address-book global address ACS 10.59.0.138/32
set security address-book global address 5700HI 10.59.119.130/32
# Dynamic VPN client group: protected resource 10.254.1.0/24 over tunnel dyn-vpn, user remote123.
# NOTE(review): remote123 is the only user in this group, but the access profile below
# defines clients dotcomlab and huanglj instead; and 10.254.1.0/24 does not match the trust
# subnet on reth2.0 — confirm which accounts and which resources are meant to be reachable.
set security dynamic-vpn access-profile remote_access_profile
set security dynamic-vpn clients wizard-dyn-group remote-protected-resources 10.254.1.0/24
set security dynamic-vpn clients wizard-dyn-group ipsec-vpn dyn-vpn
set security dynamic-vpn clients wizard-dyn-group user remote123
set security forwarding-options family inet6 mode flow-based
# Screen profile applied to the untrust zone: ping-of-death, source-route, tear-drop,
# SYN-flood thresholds and land-attack checks.
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
# Source NAT trust->untrust: everything is translated to the egress interface address,
# except 10.59.119.130 (the managed switch) which must keep its real address.
# NOTE(review): rules in a rule-set are evaluated in the order shown; with the 0.0.0.0/0
# rule listed first, the off-130 rule would never be reached — confirm the intended order.
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security nat source rule-set trust-to-untrust rule off-130-soure-nat-rule match source-address 10.59.119.130/32
set security nat source rule-set trust-to-untrust rule off-130-soure-nat-rule then source-nat off
# Destination NAT for remote SSH management: untrust traffic to 10.42.254.62:60422 is
# redirected to the lo0 address 192.168.253.1:22. Rule 2 exempts traffic to the switch.
# Rule 1 matches any source; source restriction is left to the RE-protection filter on lo0.
set security nat destination pool ssh_manage address 192.168.253.1/32
set security nat destination pool ssh_manage address port 22
set security nat destination rule-set ssh_manage from zone untrust
set security nat destination rule-set ssh_manage rule 2 match source-address 0.0.0.0/0
set security nat destination rule-set ssh_manage rule 2 match destination-address 10.59.119.130/32
set security nat destination rule-set ssh_manage rule 2 then destination-nat off
set security nat destination rule-set ssh_manage rule 1 match source-address 0.0.0.0/0
set security nat destination rule-set ssh_manage rule 1 match destination-address 10.42.254.62/32
set security nat destination rule-set ssh_manage rule 1 match destination-port 60422
set security nat destination rule-set ssh_manage rule 1 then destination-nat pool ssh_manage
# Intra-trust and trust->untrust: permit everything.
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
# Remote SSH management: policy lookup happens after destination NAT, so the match is on
# the lo0 address and junos-ssh (port 22), not on 60422.
set security policies from-zone untrust to-zone loopbak_zone policy untrust-to-loopbak_zone match source-address any
set security policies from-zone untrust to-zone loopbak_zone policy untrust-to-loopbak_zone match destination-address ssh-manage-address
set security policies from-zone untrust to-zone loopbak_zone policy untrust-to-loopbak_zone match application junos-ssh
set security policies from-zone untrust to-zone loopbak_zone policy untrust-to-loopbak_zone then permit
# TACACS+ server (untrust side) to the managed switch, any application.
set security policies from-zone untrust to-zone trust policy ACS-to-SWitch match source-address ACS
set security policies from-zone untrust to-zone trust policy ACS-to-SWitch match destination-address 5700HI
set security policies from-zone untrust to-zone trust policy ACS-to-SWitch match application any
set security policies from-zone untrust to-zone trust policy ACS-to-SWitch then permit
# Dynamic VPN clients into trust: any/any, but only through tunnel dyn-vpn.
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn match source-address any
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn match destination-address any
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn match application any
set security policies from-zone untrust to-zone trust policy policy_in_wizard_dyn_vpn then permit tunnel ipsec-vpn dyn-vpn
# NOTE(review): this is an untunneled permit of every application from the four
# remote-manage addresses to any trust host; if only device management is needed,
# narrowing destination-address and application would reduce exposure.
set security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address remote-manage-address
set security policies from-zone untrust to-zone trust policy untrust-to-trust match destination-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match application any
set security policies from-zone untrust to-zone trust policy untrust-to-trust then permit
# Intra-untrust: permit everything (presumably for hairpinned/VPN-client traffic — confirm).
set security policies from-zone untrust to-zone untrust policy untrust-to-untrust match source-address any
set security policies from-zone untrust to-zone untrust policy untrust-to-untrust match destination-address any
set security policies from-zone untrust to-zone untrust policy untrust-to-untrust match application any
set security policies from-zone untrust to-zone untrust policy untrust-to-untrust then permit
set security policies pre-id-default-policy then log session-close
# Zones. trust accepts every host-inbound service and protocol on reth2.0.
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces reth2.0
# untrust: screen profile on; only ping and IKE reach the device on reth0.0, but all
# routing protocols are accepted (OSPF is enabled on reth0.0 under protocols).
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces reth0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces reth0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces reth0.0 host-inbound-traffic protocols all
set security zones security-zone dmz interfaces reth1.0
# lo0 sits in its own zone and only accepts SSH (the destination-NAT target above).
set security zones security-zone loopbak_zone interfaces lo0.0 host-inbound-traffic system-services ssh
# --- interfaces ---
# Physical members of the reths: ge-0/0/x on node 0, ge-1/0/x on node 1 (ports 3/4/5 =
# untrust/dmz/trust).
set interfaces ge-0/0/3 description untrust_zone
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 description dmz_zone
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-0/0/5 description trust_zone
set interfaces ge-0/0/5 gigether-options redundant-parent reth2
set interfaces ge-1/0/3 description untrust_zone
set interfaces ge-1/0/3 gigether-options redundant-parent reth0
set interfaces ge-1/0/4 description dmz_zone
set interfaces ge-1/0/4 gigether-options redundant-parent reth1
set interfaces ge-1/0/5 description trust_zone
set interfaces ge-1/0/5 gigether-options redundant-parent reth2
# Cluster fabric (data) links, one per node.
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-1/0/2
# Loopback used as the SSH management target; RE-protection filters inbound traffic to it.
# NOTE(review): the loopback carries a /24; a /32 is the usual choice for a management
# loopback — confirm the /24 is deliberate.
set interfaces lo0 unit 0 family inet filter input RE-protection
set interfaces lo0 unit 0 family inet address 192.168.253.1/24
# reth0 = untrust (dual-stack), reth1 = dmz (no address yet), reth2 = trust; all in RG1.
set interfaces reth0 description untrust_zone
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 10.42.254.62/27
set interfaces reth0 unit 0 family inet6 address 240b:8044:3031:6c::ccdd:62/120
set interfaces reth1 description dmz_zone
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet
set interfaces reth2 description trust_zone
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 unit 0 family inet address 10.59.119.190/26
# --- firewall: RE-protection filter (input on lo0.0) ---
# Term 1: accept TCP on the SSH port from the two permitted management sources
# ("port" matches either source or destination port).
set firewall family inet filter RE-protection term allow-ssh from source-address 10.42.136.212/32
set firewall family inet filter RE-protection term allow-ssh from source-address 10.42.128.250/32
set firewall family inet filter RE-protection term allow-ssh from protocol tcp
set firewall family inet filter RE-protection term allow-ssh from port ssh
set firewall family inet filter RE-protection term allow-ssh then accept
# Term 2: any other SSH attempt is counted, logged and silently discarded.
set firewall family inet filter RE-protection term deny-ssh from protocol tcp
set firewall family inet filter RE-protection term deny-ssh from port ssh
set firewall family inet filter RE-protection term deny-ssh then count ssh-deny
set firewall family inet filter RE-protection term deny-ssh then log
set firewall family inet filter RE-protection term deny-ssh then discard
# Term 3: everything else passes the filter; the loopbak_zone host-inbound list
# (ssh only) is what limits other services on lo0.
set firewall family inet filter RE-protection term else-all then accept
# --- access: XAuth users and the client address pool for the dynamic VPN ---
# Local firewall-user credentials used by the IKE gateway's xauth (passwords redacted).
set access profile remote_access_profile client dotcomlab firewall-user password “密码XXXXX”
set access profile remote_access_profile client huanglj firewall-user password “密码XXXXX”
set access profile remote_access_profile address-assignment pool dyn-vpn-address-pool
# Client pool 10.42.254.192/26 with gateway .254; clients receive a public resolver
# (114.114.114.114) as primary DNS rather than the internal name-servers configured
# under system — confirm that is intended.
set access address-assignment pool dyn-vpn-address-pool family inet network 10.42.254.192/26
set access address-assignment pool dyn-vpn-address-pool family inet dhcp-attributes router 10.42.254.254
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 114.114.114.114/32
# Fixed assignment of 10.42.254.253 to one client by hardware address.
set access address-assignment pool dyn-vpn-address-pool family inet host 10.42.254.253 hardware-address aa:aa:aa:ac:bc:00
set access address-assignment pool dyn-vpn-address-pool family inet host 10.42.254.253 ip-address 10.42.254.253
# Same profile backs web-authentication (dynamic VPN client download/login).
set access firewall-authentication web-authentication default-profile remote_access_profile
# Custom application for the SSH management port. The name says 60442 but the port is
# 60422 (which matches the destination-NAT rule); it is not referenced by any policy in
# this listing — the untrust->loopbak_zone policy correctly matches junos-ssh post-NAT.
set applications application tcp-60442 protocol tcp
set applications application tcp-60442 destination-port 60422
# --- protocols ---
# OSPF area 0 on the untrust interface reth0.0, with no authentication in this listing.
# NOTE(review): the untrust zone accepts all routing protocols on reth0.0, so an
# unauthenticated adjacency could be formed from that side — add OSPF authentication or
# confirm the upstream peer is trusted.
set protocols ospf area 0.0.0.0 interface reth0.0
# LLDP on reth0 (advertising the interface name) and RSTP on all interfaces.
set protocols lldp port-id-subtype interface-name
set protocols lldp interface reth0
set protocols rstp interface all
# --- routing-options ---
# IPv6 default route via the upstream on reth0.0.
set routing-options rib inet6.0 static route ::/0 next-hop 240b:8044:3031:6c::ccdd:32
# Router-id reuses the reth0 address; IPv4 default route via the reth0 next hop.
set routing-options router-id 10.42.254.62
set routing-options static route 0.0.0.0/0 next-hop 10.42.254.33