[轉貼] 設定Juniper 防火牆 啟用NAT模式
http://noahchou.wordpress.com/2008/12/23/%E8%A8%AD%E5%AE%9Ajuniper-%E9%98%B2%E7%81%AB%E7%89%86-%E5%95%9F%E7%94%A8nat%E6%A8%A1%E5%BC%8F/<br><h1 id="header"><a href="http://noahchou.wordpress.com/">獨自生活</a></h1>
<!-- end header -->
<h2>2008 十二月 23</h2>
<h3 class="storytitle"><a href="http://noahchou.wordpress.com/2008/12/23/%e8%a8%ad%e5%ae%9ajuniper-%e9%98%b2%e7%81%ab%e7%89%86-%e5%95%9f%e7%94%a8nat%e6%a8%a1%e5%bc%8f/" rel="bookmark">設定Juniper 防火牆 啟用NAT模式</a></h3>
<div class="meta">分類於 <a href="http://noahchou.wordpress.com/category/uncategorized/" title="觀看 Uncategorized 的所有文章" rel="category tag">Uncategorized</a> — noahchou @ 2:10 上午 <br></div>
<div class="storycontent">
<div class="snap_preview"><p>Juniper 防火牆的部署模式有NAT模式、路由模式、或者透明模式這三種,在設定前需先確定所使用的Juniper 防火牆型號。</p>
<div><span id="more-456"></span><strong>設定前所需要了解的資訊:</strong></div>
<ul><li><strong>Juniper</strong>防火牆預設管理埠和<strong></strong>:192.168.1.1/255.255.255.0</li><li>預設的IP位址通常設置在防火牆的<strong>Trust</strong>埠上(<strong>NS-5GT</strong>)、最小埠編號的物理埠上(<strong>NS-25/50/204/208/SSG</strong>系列)、或者專用的管理埠上(<strong>ISG-1000/2000,NS-5200/5400</strong>)</li><li><strong>Juniper</strong>防火牆預設登錄管理帳號:<strong><br>
</strong>帳號:netscreen<br>
密碼:netscreen</li><li><strong>Juniper SSG-20 </strong>防火牆的預埠口設定說明:(我所練習的機種)<br>
第1埠為Untrust;第 2埠為DMZ;第3~5埠為Trust。<br>
Interface:第1埠為ethemet0/0,第2埠為ethemet0/1,其他埠口照順序排列</li></ul>
<p><strong>使用Web來進行設定:</strong></p>
<ul><li>在流覽器上輸入<strong>Juniper</strong>防火牆預設的IP位置</li><li>使用設定精靈來進入設定。(因為我是恢復為出廠預設值,尚未作任何設定)<br>
請直接選擇:Next<br>
<a href="http://noahchou.files.wordpress.com/2008/12/20081223-00010.png"><img style="border-width: 0pt; display: inline;" title="2008-12-23_00010" src="http://noahchou.files.wordpress.com/2008/12/20081223-00010-thumb.png?w=635&h=453" alt="2008-12-23_00010" width="635" border="0" height="453"></a> <br>
<span style="color: rgb(128, 0, 0);"><strong>PS:對於你是熟悉Juniper防火牆設定的工程師,可
以跳過該設定精靈,直接點選:No,skip the wizard and go straight to the WebUI
management session instead,之後選擇Next,直接登入防火牆設備的管理介面。</strong></span></li></ul>
<p> </p>
<ul><li>出現“Welcome to the Initial Configuration Wizard.”畫面,請選擇Next。<br>
<a href="http://noahchou.files.wordpress.com/2008/12/20081223-00011.png"><img style="border-width: 0pt; display: inline;" title="2008-12-23_00011" src="http://noahchou.files.wordpress.com/2008/12/20081223-00011-thumb.png?w=640&h=462" alt="2008-12-23_00011" width="640" border="0" height="462"></a></li></ul>
<p> </p>
<ul><li>進入登錄用戶名和密碼的修改畫面<br>
<a href="http://noahchou.files.wordpress.com/2008/12/20081223-00012.png"><img style="border-width: 0pt; display: inline;" title="2008-12-23_00012" src="http://noahchou.files.wordpress.com/2008/12/20081223-00012-thumb.png?w=643&h=462" alt="2008-12-23_00012" width="643" border="0" height="462"></a><br>
這裏所設定的帳號和密碼是防火牆設備上的ADMIN帳戶,這個帳戶對於防火牆設備來說具有最高的許可權,請在設定好後好好保存修改後的帳號和密碼。</li></ul>
<p> </p>
<ul><li> 選擇Untrust,DMZ,Trust所使用的介面<br>
<a href="http://noahchou.files.wordpress.com/2008/12/20081223-00013.png"><img style="border-width: 0pt; display: inline;" title="2008-12-23_00013" src="http://noahchou.files.wordpress.com/2008/12/20081223-00013-thumb.png?w=638&h=456" alt="2008-12-23_00013" width="638" border="0" height="456"></a></li></ul>
<p> </p>
<ul><li> 設定外部線路<br>
<a href="http://noahchou.files.wordpress.com/2008/12/20081223-00014.png"><img style="border-width: 0pt; display: inline;" title="2008-12-23_00014" src="http://noahchou.files.wordpress.com/2008/12/20081223-00014-thumb.png?w=574&h=660" alt="2008-12-23_00014" width="574" border="0" height="660"></a></li></ul>
<p> </p>
<ul><li>設定DMZ區域<br>
<a href="http://noahchou.files.wordpress.com/2008/12/20081223-00015.png"><img style="border-width: 0pt; display: inline;" title="2008-12-23_00015" src="http://noahchou.files.wordpress.com/2008/12/20081223-00015-thumb.png?w=574&h=656" alt="2008-12-23_00015" width="574" border="0" height="656"></a></li></ul>
<p> </p>
<ul><li>設定內部線路<br>
<a href="http://noahchou.files.wordpress.com/2008/12/20081223-00016.png"><img style="border-width: 0pt; display: inline;" title="2008-12-23_00016" src="http://noahchou.files.wordpress.com/2008/12/20081223-00016-thumb.png?w=577&h=654" alt="2008-12-23_00016" width="577" border="0" height="654"></a></li></ul>
<p> </p>
<ul><li><span style="font-size: 10.5pt; font-family: 新細明體,serif;">防火牆的基本配置完成</span><br>
<a href="http://noahchou.files.wordpress.com/2008/12/20081223-00017.png"><img style="border-width: 0pt; display: inline;" title="2008-12-23_00017" src="http://noahchou.files.wordpress.com/2008/12/20081223-00017-thumb.png?w=693&h=684" alt="2008-12-23_00017" width="693" border="0" height="684"></a></li></ul>
<p> </p>
<ul><li><span style="font-size: 10.5pt; font-family: 新細明體,serif;">進行</span><span style="font-size: 10.5pt; font-family: 'Times New Roman',serif;" lang="EN-US">DHCP</span><span style="font-size: 10.5pt; font-family: 新細明體,serif;">伺服器配置</span><br>
<a href="http://noahchou.files.wordpress.com/2008/12/20081223-00018.png"><img style="border-width: 0pt; display: inline;" title="2008-12-23_00018" src="http://noahchou.files.wordpress.com/2008/12/20081223-00018-thumb.png?w=700&h=496" alt="2008-12-23_00018" width="700" border="0" height="496"></a><br>
<span style="font-size: 10.5pt; color: blue; font-family: 'Times New Roman',serif;" lang="EN-US">DHCP</span><span style="font-size: 10.5pt; color: blue; font-family: 新細明體,serif;">伺服器配置在需要防火牆在網路中充當</span><span style="font-size: 10.5pt; color: blue; font-family: 'Times New Roman',serif;" lang="EN-US">DHCP</span><span style="font-size: 10.5pt; color: blue; font-family: 新細明體,serif;">伺服器的時候才需要配置。否則請選擇</span><span style="font-size: 10.5pt; color: blue; font-family: 'Times New Roman',serif;" lang="EN-US">“</span><span style="font-size: 10.5pt; color: blue; font-family: 'Times New Roman',serif;" lang="EN-US">NO</span><span style="font-size: 10.5pt; color: blue; font-family: 'Times New Roman',serif;" lang="EN-US">”</span><span style="font-size: 10.5pt; color: blue; font-family: 新細明體,serif;">跳過</span></li></ul>
<p> </p>
<ul><li><span style="font-size: 10.5pt; font-family: 新細明體,serif;">完成</span><span style="font-size: 10.5pt; font-family: 'Times New Roman',serif;" lang="EN-US">DHCP</span><span style="font-size: 10.5pt; font-family: 新細明體,serif;">伺服器選項設置,點選</span><span style="font-size: 10.5pt; font-family: 'Times New Roman',serif;" lang="EN-US">“</span><span style="font-size: 10.5pt; font-family: 'Times New Roman',serif;" lang="EN-US">Next</span><span style="font-size: 10.5pt; font-family: 'Times New Roman',serif;" lang="EN-US">”</span><span style="font-size: 10.5pt; font-family: 新細明體,serif;">會彈出之前所有設定的匯總資訊,<span style="font-size: 10.5pt; font-family: 新細明體,serif;">確認配置沒有問題,點擊</span><span style="font-size: 10.5pt; font-family: 'Times New Roman',serif;" lang="EN-US">“</span><span style="font-size: 10.5pt; font-family: 'Times New Roman',serif;" lang="EN-US">Next</span><span style="font-size: 10.5pt; font-family: 'Times New Roman',serif;" lang="EN-US">”。</span></span><br>
<a href="http://noahchou.files.wordpress.com/2008/12/20081223-00019.png"><img style="border-width: 0pt; display: inline;" title="2008-12-23_00019" src="http://noahchou.files.wordpress.com/2008/12/20081223-00019-thumb.png?w=695&h=687" alt="2008-12-23_00019" width="695" border="0" height="687"></a></li></ul>
<p> </p>
<ul><li> <span style="font-size: 10.5pt; font-family: 新細明體,serif;">點選</span><span style="font-size: 10.5pt; font-family: 'Times New Roman',serif;" lang="EN-US">“</span><span style="font-size: 10.5pt; font-family: 'Times New Roman',serif;" lang="EN-US">Finish</span><span style="font-size: 10.5pt; font-family: 'Times New Roman',serif;" lang="EN-US">”完成設定</span><br>
<a href="http://noahchou.files.wordpress.com/2008/12/20081223-00020.png"><img style="border-width: 0pt; display: inline;" title="2008-12-23_00020" src="http://noahchou.files.wordpress.com/2008/12/20081223-00020-thumb.png?w=509&h=711" alt="2008-12-23_00020" width="509" border="0" height="711"></a> </li></ul>
<p>完成後防火牆會建立對來自內部網路到外部網路的連線啟用使用埠位址的NAT,同時防火牆設備會自動在策略清單部分建立一條由內部網路到外部網路的訪問策略:</p>
<p>策略:策略方向由Trust到Untrust,來源位址:ANY,目標位址:ANY,網路服務內容:ANY;<br>
策略作用:允許來自內部網路的任意IP位址穿過防火牆訪問外部網路網的任意位址。</p>
<p class="Default" style="margin: 0pt 0pt 0pt 21pt; text-indent: -21pt; text-align: justify;"> <img class="alignnone size-full wp-image-459" title="2008-12-23_00021" src="http://noahchou.files.wordpress.com/2008/12/2008-12-23_00021.png?w=804&h=124" alt="2008-12-23_00021" width="804" height="124"></p>
<p> </p>
<p><strong>使用指令模式來進行設定:<br>
</strong>set admin password “netscreen”<br>
set interface eth0/0 zone untrust<br>
set interface eth0/0 ip 59.120.3.16 255.255.255.0<br>
set interface eth0/0 gateway 59.120.3.254<br>
set interface eth0/1 zone dmz<br>
set interface eth0/1 ip 192.168.100.1 255.255.255.0<br>
set interface bgroup0 zone trust<br>
set interface bgroup0 ip 192.168.1.1 255.255.255.0<br>
set interface bgroup0 manage<br>
set interface bgroup0 port ethernet0/2<br>
set interface bgroup0 port ethernet0/3<br>
set interface bgroup0 port ethernet0/4<br>
set interface bgroup0 dhcp server ip 192.168.1.101 to 192.168.1.200</p>
</div> </div><br>