1.JUNIPER-5GT防火墙静态路由如何设置?-Juniper
2.现有一台JUNIPER SSG5 防火墙,设有一个固定外网IP10.1.1.2。如何设置访问外网?是否还需加什么设备?
3.关于Juniper SSG-5-SB防火墙的配置实例或者教程?
4.在juniper防火墙,set security zones security-zone trust address-book address-set 中,
可以远程web管理。
要先设置策略放行流量:set policy from zone名1 to zone名2 源 目标 协议 permit
在接口上开放web管理服务 :set interface ethernet X/X manage web
然后再浏览器输入防火墙地址就OK了
JUNIPER-5GT防火墙静态路由如何设置?-Juniper
很简单。
既然你做了映射,不管是VIP方式还是MIP方式,都会有一条对应的Policies。
点击这条Policies后面的Edit,编辑这条Policies,点击Advanced,进入高级设置。
在最下面有个Traffic?Shaping选项勾起来,然后在Maximum?Bandwidth里填上你想要限制的带宽大小,比如2000。
不过,就像楼上说的,毕竟不是专业的流量整形设备,所以效果只能是一般性。
以上步骤的截图:
现有一台JUNIPER SSG5 防火墙,设有一个固定外网IP10.1.1.2。如何设置访问外网?是否还需加什么设备?
我配过PIX和ASA没配过JUNIPER如果命令没什么变动的话因改是这样的confitroute(inside)你内部接口的名字#routeinside00192.168.1.2就这样我设你的三层交换机接口是192.168.1.2这个你自己看看就知道00在防火墙里代表的就是路由的0.0.0.00.0.0.0希望你能讲信誉给我分或纳答案我讲的很具体觉对不是复制
关于Juniper SSG-5-SB防火墙的配置实例或者教程?
这是最简单的基本需求,不需要加设备。
我说一下步骤,具体操作你看图就可以了: 1、外网端口ip设置,路由模式。2、内网端口ip设置,nat模式。3、静态路由0.0.0.0 到外网地址的网关。4、策略,开放内网访外网any(默认有的)。
这些足够了,也可以通过向导配置。
在juniper防火墙,set security zones security-zone trust address-book address-set 中,
ssg5-serial-> get config
Total Config size 3827:
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/2" zone "Trust"
set interface "bgroup0" zone "Trust"
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
unset interface vlan1 ip
set interface ethernet0/0 ip 10.160.144.201/24#出口接口IP
set interface ethernet0/0 nat
set interface bgroup0 ip 192.168.100.1/24#内网接口IP
set interface bgroup0 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage telnet
set interface ethernet0/0 manage web
set interface ethernet0/1 manage telnet
set interface ethernet0/1 manage web
set interface ethernet0/2 dhcp client enable
set interface ethernet0/6 dhcp client enable
unset interface ethernet0/2 dhcp client settings update-dhcpserver
unset interface ethernet0/6 dhcp client settings update-dhcpserver
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log count #设置允许上网
set policy id 1
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/0 gateway 10.160.144.254 #定义网关
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
ssg5-serial->
就几个打#号的地方配置了一下,就能上网了
我有一本“NetScreen 概念与范例
ScreenOS 参考指南”基本的命令都有,要的话M我好了,因为里面有网址,所以放不到wendang.baidu上
因为在策略当中,策略的源地址和目的地址不能填写真实IP地址,所以先要在ZONE里面去定义这个真实地址,也就是给真实地址取一个名字,然后在策略当中的源地址和目的地址就是你在ZONE里面创建的真实地址的名字,用来调用真实IP地址。
那么这个address-book就是创建真实IP地址名字的地方,
address-book后面接的是真实IP地址所取的名字然后再真实IP地址,一个名字对应一个真实IP地址。
而address-set是可以创建一个地址名字group组的,那么一个group组的名字后面就可以有许多真实IP地址的名字,也就是把address-book下定义的真实IP地址名字全部放到一个组里面来。
那么在策略的调用中,就可以在源或者目的的地方选择创建的地址组来调用所有需要用到的真实IP地址
求解答都不给分,怎么可能有人理你。心情好才给你说一下。
