Dynamic ×××  // The latest remote ××× solution; 2 licenses by default!
xp-------srx-----inside1
set system services web-management https system-generated-certificate
set security zones security-zone Outside interface fe-0/0/0.0 host-inbound-traffic ssh
set security zones security-zone Outside interface fe-0/0/0.0 host-inbound-traffic ike
set security zones security-zone Outside interface fe-0/0/0.0 host-inbound-traffic ping
set security zones security-zone Outside interface fe-0/0/0.0 host-inbound-traffic https

edit access address-assignment pool dyn-***-address-pool
edit family inet
set network 123.1.1.0/24
edit range d***-range
set low 123.1.1.100
set high 123.1.1.200
set xauth-attributes primary-dns 8.8.8.8/32

 

Configure the Access Profile
edit profile dyn-***-access-profile
set client remoteuser firewall-user password cisco
set address-assignment pool dyn-***-address-pool
set firewall-authentication web-authentication default-profile dyn-***-access-profile

 

Configure the Phase 1 policy:
edit security ike policy ike-dyn-***-policy
set mode aggressive
set proposal-set standard  // use the system's standard proposal set
set pre-shared-key ascii-text cisco

edit gateway dyn-***-local-gw
set ike-policy ike-dyn-***-policy
edit dynamic
set hostname dy***
set connection-limit 10
set ike-user-type group-ike-id    // all users share the same user ID!
up
up

set external-interface fe-0/0/0.0
set xauth access-profile dyn-***-access-profile

 

Configure the Phase 2 policy:
edit ipsec policy ipsec-dyn-***-policy
set proposal-set standard 
up
edit *** dyn-*** ike
set gateway dyn-***-local-gw
set ipsec-policy ipsec-dyn-***-policy

 

Configure the Dynamic ××× policy!
edit dynamic-***
set access-profile dyn-***-access-profile
edit clients all
set remote-protected-resources 10/8  // similar to split tunneling for 10.0.0.0/8
set remote-exceptions 0/0
set ipsec-*** dyn-***  // bind the ×××
set user remoteuser   // bind the corresponding user!

 

Configure the Security Policy  // permit ××× traffic
edit security policies from-zone Outside to-zone Inside1 policy dyv-***-policy
set match source-address any
set match destination-address any
set match application any
set then permit tunnel ipsec-*** dyn-***

commit  // commit the configuration!!!
----------------------------------------------
show security ike security-associations
show security ike active-peer
show security ipsec security-associations
show security dynamic-*** users
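
A pre-commit review check for the configuration above, as an added example that is not part of the original post: it scans set-style lines for aggressive mode with a pre-shared key, short secrets, management services accepted on the Outside zone, and an any/any/any policy. The function name `audit`, the finding labels and the 20-character threshold are assumptions made for illustration.

```python
import re

# Constructed sample: lines copied from the configuration on this page.
SAMPLE = """\
set security zones security-zone Outside interface fe-0/0/0.0 host-inbound-traffic ssh
set security zones security-zone Outside interface fe-0/0/0.0 host-inbound-traffic ike
set client remoteuser firewall-user password cisco
set mode aggressive  // constructed annotation in the page's style
set pre-shared-key ascii-text cisco
edit security policies from-zone Outside to-zone Inside1 policy dyv-***-policy
set match source-address any
set match destination-address any
set match application any
"""

MIN_SECRET_LEN = 20                       # assumption: local policy, not a Junos limit
MGMT_SERVICES = {"ssh", "https", "http", "telnet"}
SECRET_RE = re.compile(r"(?:pre-shared-key ascii-text|firewall-user password) (\S+)$")
INBOUND_RE = re.compile(r"security-zone (\S+) .*host-inbound-traffic (\S+)$")
MATCH_RE = re.compile(r"set match (source-address|destination-address|application) any$")


def audit(config, untrusted_zone="Outside"):
    """Return [(line_no, finding)] for risky settings in set-style Junos config."""
    findings, any_fields = [], set()
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.split("//")[0].strip()   # drop the page's // annotations
        if line.startswith("edit "):
            any_fields.clear()              # new hierarchy level, new policy
        if line.split()[:3] == ["set", "mode", "aggressive"]:
            findings.append((no, "aggressive-mode"))   # PSK open to offline guessing
        m = SECRET_RE.search(line)
        if m and len(m.group(1)) < MIN_SECRET_LEN:
            findings.append((no, "short-secret"))
        m = INBOUND_RE.search(line)
        if m and m.group(1) == untrusted_zone and m.group(2) in MGMT_SERVICES:
            findings.append((no, "mgmt-on-untrusted:" + m.group(2)))
        m = MATCH_RE.match(line)
        if m:
            any_fields.add(m.group(1))
            if len(any_fields) == 3:        # source, destination and application all "any"
                findings.append((no, "any-any-any-policy"))
    return findings


if __name__ == "__main__":
    for no, finding in audit(SAMPLE):
        print(no, finding)
```
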