Contents
1. Overview
2. Device models and connection notes
2.1. Device models
3. Requirements
4. Configuration notes
4.1. NETSCREEN 208 configuration notes
4.2. NETSCREEN 50B configuration notes (Guoyan server room)
4.3. NETSCREEN 5GT configuration notes (office network)
5. Configuration appendix
5.1. NETSCREEN 208
5.2. NETSCREEN 50B
5.3. NETSCREEN 5GT
Netscreen (Juniper) Firewall VPN Configuration Notes
1. Overview
This document describes the following points for the Guoyan (国研) server-room and office-network firewalls:
  model description
  installation and configuration notes
  application policy notes
  VPN connection notes
2. Device models and connection notes
2.1. Device models
Company-wide firewall device list:

Device name        Model          Qty   Description
Network firewall   Netscreen 208  1     IDC main filtering firewall
Network firewall   Netscreen 50B  2     IDC / office-area VPN endpoint device
Network firewall   Netscreen 5GT  2     Office-network VPN endpoint device

Firewall devices used for the server-room connection:

Device name        Model          Qty   Description
Network firewall   Netscreen 208  1     IDC main filtering firewall
Network firewall   Netscreen 50B  1     IDC / office-network VPN endpoint device
Network firewall   Netscreen 5GT  1
3. Requirements
Our firewalls serve two main purposes:
1. Publishing the internal Web servers externally (port mapping) and controlling outbound access from the IDC servers
2. VPN interconnection
In the list above, the Netscreen 208 is mainly used to publish the WEB servers externally and to control outbound access from the IDC servers; the 50B is mainly used for the VPN interconnection with the office-network 5GT.
4. Configuration notes
4.1. Netscreen 208 configuration notes
Mapping notes:
set interface ethernet1 vip 211.144.149.11 25
# maps port 25
set interface ethernet1 vip 211.144.149.11 + 80
# maps port 80
set interface ethernet1 vip 211.144.149.11 + 110
# maps port 110
set interface ethernet1 vip 211.144.149.12 80 172.16.1.21
# maps port 80 (web site)
set interface ethernet1 vip 211.144.149.13 80 172.16.1.23
# maps port 80 (web site)
set interface ethernet1 vip 211.144.149.14 80
# maps port 80 (web site)
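The following audit helper is an added example, not part of the original document: it parses the ScreenOS vip lines above into an exposure table (public IP, port, internal host) and flags the ports whose default protocols carry credentials in cleartext, which is the first thing a reviewer would want from this mapping. It assumes the abbreviated line form shown on the page plus an optional service name before the host (as ScreenOS normally prints it); the port-to-protocol table is an assumption of the example.

```python
import re
from collections import defaultdict

# The vip lines as they appear in section 4.1 of the page. The "+ <port>" form
# adds a further port to the VIP address named on the same line; the page does
# not show the internal host for every line, so host is optional here.
VIP_LINES = """\
set interface ethernet1 vip 211.144.149.11 25
set interface ethernet1 vip 211.144.149.11 + 80
set interface ethernet1 vip 211.144.149.11 + 110
set interface ethernet1 vip 211.144.149.12 80 172.16.1.21
set interface ethernet1 vip 211.144.149.13 80 172.16.1.23
set interface ethernet1 vip 211.144.149.14 80
"""

# Assumption: covers the page's abbreviated form and the fuller
# "vip <ip> [+] <port> <SERVICE> <host>" form ScreenOS normally prints.
VIP_RE = re.compile(
    r"^set interface (?P<intf>\S+) vip (?P<vip>\d+\.\d+\.\d+\.\d+)"
    r"(?: \+)? (?P<port>\d+)(?: (?P<svc>[A-Za-z][\w-]*))?"
    r"(?: (?P<host>\d+\.\d+\.\d+\.\d+))?\s*$"
)

# Assumed reviewer table: ports whose default protocol is unencrypted.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 25: "smtp", 80: "http", 110: "pop3"}


def parse_vips(text):
    """Return {vip_ip: {port: internal_host_or_None}} from ScreenOS vip lines."""
    exposure = defaultdict(dict)
    for line in text.splitlines():
        m = VIP_RE.match(line.strip())
        if not m:
            continue  # not a vip line (or a form this parser does not know)
        exposure[m["vip"]][int(m["port"])] = m["host"]
    return dict(exposure)


def review_exposure(exposure):
    """List (vip, port, host, note) rows for every externally reachable port."""
    rows = []
    for vip in sorted(exposure):
        for port, host in sorted(exposure[vip].items()):
            proto = CLEARTEXT_PORTS.get(port)
            note = f"cleartext {proto}; verify TLS or VPN-only path" if proto else "ok"
            rows.append((vip, port, host or "<host not shown>", note))
    return rows


if __name__ == "__main__":
    for row in review_exposure(parse_vips(VIP_LINES)):
        print("%-15s %5d -> %-18s %s" % row)
```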
Policy notes:
set policy id 1 name
set policy id 1
set service
exit
# all outbound port 80 and icmp access from the internal network is permitted
set policy id 3 name
set policy id 3
set src-address
set src-address
exit
# permits full outbound access for the internal addresses network (172.16.12.9, network management server) and network2 (172.16.12.8, mail server)
set policy id 5 from
set policy id 5
set service
set service
exit
# permits external access to the mail/web services on VIP (211.144.149.11)
set policy id 6 from
set policy id 6
exit
# permits external access to the web service on VIP (211.144.149.12)
set policy id 7 from
set policy id 7
exit
# permits external access to the web service on VIP (211.144.149.13)
set policy id 8 from
set policy id 8
exit
# permits external access to the web service on VIP (211.144.149.14)
set policy id 9 from
set policy id 9
exit
# not in effect for now
set policy id 10 from
set policy id 10
exit
# not in effect for now
set policy id 11 from permit
set policy id 11
exit
# not in effect for now; to be used later for the primary/secondary DNS servers
set policy id 12 name rust log
set policy id 12
4.2. Netscreen 50B configuration notes (Guoyan server room)
The 50B is mainly used for VPN communication with the office network, so its configuration is mainly VPN policy.
The detailed configuration is relatively complex, so only the configuration file is given in the appendix.
4.3. Netscreen 5GT configuration notes (office network)
The 5GT is mainly used for VPN communication with the Guoyan server room, so its configuration is mainly VPN policy.
The detailed configuration is relatively complex, so only the configuration file is given in the appendix.
5. Configuration appendix
5.1. Netscreen 208
set clock timezone 7
set vrouter trust-vr sharable
set vrouter
exit
set vrouter
unset auto-route-export
exit
set service
set auth-server
set auth-server
set auth default auth server
set auth radius accounting port 1646
set admin name
set admin password
set admin port 8000
set admin auth timeout 10
set admin auth server
set admin format dos
set zone
set zone
set zone
set zone
set zone
set zone
set zone
unset zone
set zone
set zone
set zone
unset zone
unset zone
unset zone
unset zone
unset zone
unset zone
set zone
set zone
set zone
set zone
set zone
set zone
set zone
set zone
set interface
set interface
set interface
unset interface vlan1 ip
set interface ethernet1 ip 211.144.149.2/25
set interface ethernet1 route
set interface ethernet2 ip 172.16.1.2/24
set interface ethernet2 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1 ip manageable
set interface ethernet2 ip manageable
set interface ethernet1 manage ssh
set interface ethernet1 manage ssl
set interface ethernet1 vip 211.144.149.11 25
set interface ethernet1 vip 211.144.149.11 + 80
set interface ethernet1 vip 211.144.149.11 + 110
set interface ethernet1 vip 211.144.149.12 80
set interface ethernet1 vip 211.144.149.13 80
set interface ethernet1 vip 211.144.149.14 80
set interface mip 211.144.149.6 host 172.16.1.25 netmask 255.255.255.255 vr
unset flow no-tcp-seq-check
set flow tcp-syn-check
set address
set address
set address
set address
set address
set address
set address
set address
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol websense
exit
set policy id 1 name from to
set policy id 1
set service
exit
set policy id 3 name permit
set policy id 3
set src-address
set src-address
exit
set policy id 5 from to permit log
set policy id 5
set service
set service
exit
set policy id 6 from to permit log
set policy id 6
exit
set policy id 7 from to permit
set policy id 7
exit
set policy id 8 from to permit log
set policy id 8
exit
set policy id 9 from to permit
set policy id 9
exit
set policy id 10 from to
set policy id 10
exit
set policy id 11 from to
set policy id 11
exit
set policy id 12 name
set policy id 12
exit
set pki authority default scep mode
set pki x509 default cert-path partial
set syslog config
set syslog config
set syslog src-interface ethernet2
set syslog enable
unset log module system level notification destination syslog
unset log module system level information destination syslog
unset log module system level debugging destination syslog
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set config lock timeout 5
set snmp community
set snmp host trap v2
set snmp host 192.168.21.102 255.255.255.255 src-interface ethernet2 trap v2
set snmp name
set snmp port listen 161
set snmp port trap 162
set vrouter
exit
set vrouter
unset add-default-route
set route 172.16.12.0/24 interface ethernet2 gateway 172.16.1.1 preference 20
set route 0.0.0.0/0 interface ethernet1 gateway 211.144.149.1 preference 20
set route 192.168.0.0/16 interface ethernet2 gateway 172.16.1.3 preference 20
set route 172.16.4.14/32 interface ethernet2 gateway 172.16.1.1 preference 20
exit
set vrouter
exit
set vrouter
exit
5.2. Netscreen 50B
set clock timezone 7
set vrouter trust-vr sharable
set vrouter
exit
set vrouter
unset auto-route-export
exit
set service
set service
set auth-server
set auth-server
set auth default auth server
set auth radius accounting port 1646
set admin name
set admin password
set admin auth timeout 10
set admin auth server
set admin format dos
set zone
set zone
set zone
set zone
set zone
set zone
set zone
unset zone
set zone
set zone
set zone
unset zone
set zone
set zone
set zone
set zone
set zone
set zone
set zone
set zone
set zone
set zone
set zone
set zone
set zone
set zone
set zone
set zone
set zone
set zone
set zone
set zone
set zone
set zone
set zone
set zone
set zone
set zone
set zone