win10无法登陆SSG进行WEB UI管理
- 故障描述:尝试登录 SSG 设备的 WebUI 时,页面无法刷出;但设备是可以 ping 通的(内部接口),也可以 Telnet 上设备,只是无法通过网页登录。
- 深入测试:win7的系统可以登录,win10的不行,浏览器报协议版本或加密算法不支持。
- 故障分析:这种情况下,通常是防火墙 WebUI 的 SSL 加密套件问题——设备默认使用 RC4_MD5,而 Win10 上的浏览器已经禁用 RC4(弱算法),TLS 握手协商不到共同的加密套件,于是直接报"协议版本或加密算法不支持";Win7 上的旧版浏览器仍接受 RC4,所以能登录。
1、通过 Console 口登录设备,先确认远程管理通道的状态:
- SSG320M-> get ssh
- SSH V2 is active
- SSH is NOT enabled
- SSH is NOT ready for connections
- Maximum sessions: 6
- Active sessions: 0
2、查看加密算法:
- SSG320M-> get ssl
- web SSL enable.
- web SSL port number(443).
- web SSL cert: Default - System Self-Signed Cert.
- web SSL cipher(RC4_MD5)..
3、修改加密算法并保存配置:
- SSG320M-> set ssl encrypt 3des sha-1
- SSG320M-> save
- Save System Configuration ...
- Done
修改后,测试 Win10 登录 SSG 管理,正常,问题解决。注意:3DES/SHA-1 只是该平台上可选的较强组合,本身也已属于弱算法(3DES 存在 Sweet32 等问题),因此仍应把 WebUI 管理访问限制在管理网段/管理接口上;另外 Telnet 是明文传输,CLI 管理建议启用 SSH v2(`set ssh enable`)并关闭 Telnet。
NAT
1.NAT-Src with PAT Enabled
- set interface "ethernet0/0" zone "Trust"
- set interface "ethernet0/2" zone "Untrust"
- set interface ethernet0/0 ip 172.16.1.1/24
- set interface ethernet0/0 nat
- set interface ethernet0/2 ip 192.168.0.199/24
- set interface ethernet0/2 route
- set interface ethernet0/2 gateway 192.168.0.1
- set interface ethernet0/2 dip 5 192.168.0.198
- set policy from Trust to Untrust Any Any ANY nat src dip-id 5 permit log
2.NAT-Src with PAT Disabled
- set interface "ethernet0/0" zone "Trust"
- set interface "ethernet0/2" zone "Untrust"
- set interface ethernet0/0 ip 172.16.1.1/24
- set interface ethernet0/0 nat
- set interface ethernet0/2 ip 192.168.0.199/24
- set interface ethernet0/2 route
- set interface ethernet0/2 gateway 192.168.0.1
- set interface ethernet0/2 dip 6 192.168.0.198 fix-port
- set policy from trust to untrust any any any nat src dip-id 6 permit log
3.NAT-Src Without DIP
- set interface "ethernet0/0" zone "Trust"
- set interface "ethernet0/2" zone "Untrust"
- set interface ethernet0/0 ip 172.16.1.1/24
- set interface ethernet0/0 nat
- set interface ethernet0/2 ip 192.168.0.199/24
- set interface ethernet0/2 route
- set interface ethernet0/2 gateway 192.168.0.1
- set interface ethernet0/2 dip 5 192.168.0.198 192.168.0.198
- set policy from trust to untrust any any any nat src permit log
- (注:本场景的策略中 `nat src` 没有引用 dip-id,因此上面那条 DIP 定义实际不会被使用,源地址会被转换为出接口 ethernet0/2 自身的 IP 192.168.0.199;这条 DIP 可以省略。)
透明墙
- set interface "ethernet0/0" zone "V1-Trust"
- set interface "ethernet0/2" zone "V1-Untrust"
- set policy id 3 name "towan" from "V1-Trust" to "V1-Untrust" "Any" "Any" "ANY" permit
- set policy id 3
- 主要区别:
- 思科ASA5500系列防火墙在透明模式下,不会透传CDP和BPDUs;
- Juniper的SSG系列防火墙会透传CDP和BPDUs,有时可能会造成二层环路。
策略(policy)的匹配顺序与策略 ID 无关,只与策略在列表中的先后顺序有关:自上而下逐条匹配,命中第一条即生效。需要调整顺序时可用 `set policy move <id> before|after <id>`,而不是靠改 ID。
常用命令
配置
- injoin-ssg320m-> get config
- Total Config size 3586:
- unset key protection enable
- set clock timezone 0
- set vrouter trust-vr sharable
- set vrouter "untrust-vr"
- exit
- set vrouter "trust-vr"
- unset auto-route-export
- exit
- set vrouter name "MGMT" id 1025 sharable
- set vrouter "MGMT"
- unset auto-route-export
- exit
- set alg appleichat enable
- unset alg appleichat re-assembly enable
- set alg sctp enable
- set auth-server "Local" id 0
- set auth-server "Local" server-name "Local"
- set auth default auth server "Local"
- set auth radius accounting port 1646
- set admin name "netscreen"   (注:netscreen 是出厂默认管理员名,建议改名并设置强口令)
- set admin password "<已脱敏>"   (注:配置导出里的口令哈希属于敏感信息,不要原样发布到文档或笔记中)
- set admin port 8000
- set admin http redirect
- set admin auth web timeout 10
- set admin auth server "Local"
- set admin format dos
- set zone "Trust" vrouter "trust-vr"
- set zone "Untrust" vrouter "trust-vr"
- set zone "DMZ" vrouter "trust-vr"
- set zone "VLAN" vrouter "trust-vr"
- set zone "Untrust-Tun" vrouter "trust-vr"
- set zone "Trust" tcp-rst
- set zone "Untrust" block
- unset zone "Untrust" tcp-rst
- set zone "MGT" block
- unset zone "V1-Trust" tcp-rst
- unset zone "V1-Untrust" tcp-rst
- set zone "DMZ" tcp-rst
- unset zone "V1-DMZ" tcp-rst
- unset zone "VLAN" tcp-rst
- set zone "Untrust" screen tear-drop
- set zone "Untrust" screen syn-flood
- set zone "Untrust" screen ping-death
- set zone "Untrust" screen ip-filter-src
- set zone "Untrust" screen land
- set zone "V1-Untrust" screen tear-drop
- set zone "V1-Untrust" screen syn-flood
- set zone "V1-Untrust" screen ping-death
- set zone "V1-Untrust" screen ip-filter-src
- set zone "V1-Untrust" screen land
- set interface "ethernet0/0" zone "V1-Trust"
- set interface "ethernet0/1" zone "DMZ"
- set interface "ethernet0/2" zone "V1-Untrust"
- set interface vlan1 ip 192.168.0.250/24
- unset interface vlan1 bypass-others-ipsec
- unset interface vlan1 bypass-non-ip
- set interface vlan1 ip manageable
- set interface ethernet0/0 manage mtrace
- set interface vlan1 manage mtrace
- unset flow no-tcp-seq-check
- set flow tcp-syn-check
- unset flow tcp-syn-bit-check
- set flow reverse-route clear-text prefer
- set flow reverse-route tunnel always
- set hostname injoin-ssg320m
- set pki authority default scep mode "auto"
- set pki x509 default cert-path partial
- set dns host dns1 0.0.0.0
- set dns host dns2 0.0.0.0
- set dns host dns3 0.0.0.0
- set address "Untrust" "8.8.8.8/32" 8.8.8.8 255.255.255.255
- set crypto-policy
- exit
- set ike respond-bad-spi 1
- set ike ikev2 ike-sa-soft-lifetime 60
- unset ike ikeid-enumeration
- unset ike dos-protection
- unset ipsec access-session enable
- set ipsec access-session maximum 5000
- set ipsec access-session upper-threshold 0
- set ipsec access-session lower-threshold 0
- set ipsec access-session dead-p2-sa-timeout 0
- unset ipsec access-session log-error
- unset ipsec access-session info-exch-connected
- unset ipsec access-session use-error-log
- set url protocol websense
- exit
- set policy id 2 from "Trust" to "Untrust" "Any" "Any" "ANY" nat src permit log
- set policy id 2
- exit
- set policy id 3 name "towan" from "V1-Trust" to "V1-Untrust" "Any" "Any" "ANY" permit
- set policy id 3
- exit
- set nsmgmt bulkcli reboot-timeout 60
- set ssh version v2
- set config lock timeout 5
- unset license-key auto-update
- set telnet client enable
- set ssl encrypt 3des sha-1
- set snmp port listen 161
- set snmp port trap 162
- set snmpv3 local-engine id "JN1230D03ADD"
- set vrouter "untrust-vr"
- exit
- set vrouter "trust-vr"
- unset add-default-route
- set route 8.8.8.8/32 interface ethernet0/0 gateway 172.16.1.2
- exit
- set vrouter "MGMT"
- exit
- set vrouter "untrust-vr"
- exit
- set vrouter "trust-vr"
- exit
- set vrouter "MGMT"
- exit
初始化
设备开机状态下,用细针按住设备前面板的 reset 孔(有按压手感),直到 status 灯由橙色变为绿色,然后松开 2 秒;再次按住 reset 孔不放,直到灯变红(此时所有端口灯都会熄灭),再取出针。设备会自动重启并恢复出厂默认配置。注意:恢复出厂后管理员账号会回到默认的 netscreen/netscreen,且原有配置(含策略、管理访问限制)全部清空,务必立刻修改管理员口令并重新下发配置;任何能物理接触设备的人都可以执行此操作,设备应放在受控机房内,必要时可考虑在 CLI 中禁用硬件复位功能(`unset admin device-reset`,请按所用 ScreenOS 版本核对)。