View full version: [Repost] Juniper Ns-50 configuration file

chun 2009-2-7 23:21

[Repost] Juniper Ns-50 configuration file

http://mdetw.blogspot.com/2008/06/juniper-ns-50.html

Wednesday, June 25, 2008

Juniper Ns-50 configuration file

The configuration below assumes that trust-vr is the internal network and untrust-vr the external network; the internal network is 192.168.1.0 and the external network is 192.168.10.0. The internal side uses NAT mode and the external side uses Route mode, so every machine connected on the inside obtains its IP address from this address-translating firewall. A reserved address keeps one internal IP, 192.168.1.10, for a particular machine with MAC 000000000000. On the untrust-vr segment (ethernet3), that internal host IP (192.168.1.10) is mapped with a MIP to the external IP 192.168.10.59. A policy is then set so that machines in the untrust-vr area can pass "directly" through the firewall via the MIP and connect to 192.168.1.10 inside trust-vr.

set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "帳號"
set admin password "密碼"
set admin http redirect
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
unset interface vlan1 ip
set interface ethernet1 ip 192.168.1.1/24
set interface ethernet1 nat
set interface ethernet3 ip 192.168.10.89/24
set interface ethernet3 route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1 ip manageable
set interface ethernet3 ip manageable
unset interface ethernet1 manage snmp
set interface ethernet1 manage mtrace
set interface vlan1 manage mtrace
set interface ethernet1 dhcp server service
set interface ethernet1 dhcp server enable
set interface ethernet1 dhcp server option gateway 192.168.1.1
set interface ethernet1 dhcp server option netmask 255.255.255.0
set interface ethernet1 dhcp server option dns1 192.168.10.3
set interface ethernet1 dhcp server option dns2 192.168.11.2
set interface ethernet1 dhcp server option dns3 168.95.1.1
set interface ethernet1 dhcp server ip 192.168.1.15 to 192.168.1.250
set interface ethernet1 dhcp server ip 192.168.1.10 mac 000000000000
set interface "ethernet3" mip 192.168.10.88 host 192.168.1.9 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 192.168.10.59 host 192.168.1.10 netmask 255.255.255.255 vr "trust-vr"
unset flow no-tcp-seq-check
set flow tcp-syn-check
set domain this.is.my.domain
set hostname ns50
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 192.168.10.3
set dns host dns2 192.168.11.2
set dns host schedule 06:28
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol sc-cpa
set cache size 500
exit
set policy id 1 name "All" from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 1
exit
set policy id 2 name "10.88" from "Untrust" to "Trust"  "Any" "MIP(192.168.10.88)" "ANY" permit
set policy id 2
exit
set policy id 3 name "10.59" from "Untrust" to "Trust"  "Any" "MIP(192.168.10.59)" "ANY" permit
set policy id 3
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet3 gateway 192.168.10.254 preference 20
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
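The configuration above ties three things together: the DHCP reservation for 192.168.1.10, the MIP that publishes that host as 192.168.10.59 on ethernet3, and the policies that let Untrust reach the MIP. The script below is an added example, not code from the original post or from the blog it reposts; it parses the relevant ScreenOS "set" lines (regular expressions written for the line forms shown on this page, an assumption for other ScreenOS versions) and checks that each MIP host sits inside the Trust subnet and each MIP address inside the outer interface's subnet, that a reservation does not land inside the dynamic pool, that every policy destination of the form MIP(x) has a matching mip statement, and it flags any inbound permit from Untrust with service ANY. The sample configuration is a constructed subset of the post's lines.

```python
"""Audit a NetScreen/ScreenOS 'set ...' configuration for the MIP, DHCP and
policy relationships described in the post. Added example, not the post's code."""
import ipaddress
import re

# Constructed sample: the relevant subset of the configuration lines in the post.
SAMPLE_CONFIG = """\
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
set interface ethernet1 ip 192.168.1.1/24
set interface ethernet1 nat
set interface ethernet3 ip 192.168.10.89/24
set interface ethernet3 route
set interface ethernet1 ip manageable
set interface ethernet1 dhcp server ip 192.168.1.15 to 192.168.1.250
set interface ethernet1 dhcp server ip 192.168.1.10 mac 000000000000
set interface "ethernet3" mip 192.168.10.88 host 192.168.1.9 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" mip 192.168.10.59 host 192.168.1.10 netmask 255.255.255.255 vr "trust-vr"
set policy id 1 name "All" from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 2 name "10.88" from "Untrust" to "Trust"  "Any" "MIP(192.168.10.88)" "ANY" permit
set policy id 3 name "10.59" from "Untrust" to "Trust"  "Any" "MIP(192.168.10.59)" "ANY" permit
"""

# Patterns for the statement forms seen on this page (assumption: other forms are ignored).
RE_ZONE = re.compile(r'^set interface "?(\w+)"? zone "([^"]+)"$')
RE_IF_IP = re.compile(r'^set interface "?(\w+)"? ip (\d+(?:\.\d+){3}/\d+)$')
RE_MIP = re.compile(r'^set interface "?(\w+)"? mip (\S+) host (\S+) netmask (\S+)')
RE_DHCP_POOL = re.compile(r'^set interface "?(\w+)"? dhcp server ip (\S+) to (\S+)$')
RE_DHCP_RESV = re.compile(r'^set interface "?(\w+)"? dhcp server ip (\S+) mac (\w+)$')
RE_POLICY = re.compile(
    r'^set policy id (\d+) name "([^"]*)" from "([^"]+)" to "([^"]+)"\s+'
    r'"([^"]+)" "([^"]+)" "([^"]+)" (permit|deny)$')


def parse_config(text):
    """Collect interface, MIP, DHCP and policy statements into one dict."""
    cfg = {"zones": {}, "ifaces": {}, "mips": [], "pools": [], "resv": [], "policies": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_ZONE.match(line):
            cfg["zones"][m[1]] = m[2]
        elif m := RE_IF_IP.match(line):
            cfg["ifaces"][m[1]] = ipaddress.ip_interface(m[2])
        elif m := RE_MIP.match(line):
            cfg["mips"].append({"iface": m[1], "mip": m[2], "host": m[3]})
        elif m := RE_DHCP_POOL.match(line):
            cfg["pools"].append((m[1], ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])))
        elif m := RE_DHCP_RESV.match(line):
            cfg["resv"].append((m[1], ipaddress.ip_address(m[2]), m[3]))
        elif m := RE_POLICY.match(line):
            cfg["policies"].append({"id": int(m[1]), "from": m[3], "to": m[4],
                                    "src": m[5], "dst": m[6], "svc": m[7], "action": m[8]})
    return cfg


def audit(cfg):
    """Return a list of finding strings; an empty list means every check passed."""
    findings = []
    trust_nets = [i.network for name, i in cfg["ifaces"].items()
                  if cfg["zones"].get(name) == "Trust"]
    for m in cfg["mips"]:
        # The MIP host must be an inside address, and the MIP itself an outside one.
        host = ipaddress.ip_address(m["host"])
        if not any(host in n for n in trust_nets):
            findings.append(f"mip {m['mip']}: host {m['host']} is outside every Trust subnet")
        outer = cfg["ifaces"].get(m["iface"])
        if outer and ipaddress.ip_address(m["mip"]) not in outer.network:
            findings.append(f"mip {m['mip']}: not in the {m['iface']} subnet {outer.network}")
    # A reservation inside the dynamic pool can collide with a dynamic lease.
    for iface, ip, mac in cfg["resv"]:
        for pool_if, lo, hi in cfg["pools"]:
            if iface == pool_if and lo <= ip <= hi:
                findings.append(f"dhcp reservation {ip} ({mac}) lies inside pool {lo}-{hi}")
    defined_mips = {m["mip"] for m in cfg["mips"]}
    for p in cfg["policies"]:
        ref = re.fullmatch(r"MIP\(([\d.]+)\)", p["dst"])
        if ref and ref[1] not in defined_mips:
            findings.append(f"policy {p['id']}: destination {p['dst']} has no mip statement")
        if p["from"] == "Untrust" and p["action"] == "permit" and p["svc"].upper() == "ANY":
            findings.append(f"policy {p['id']}: inbound permit from Untrust with service ANY")
    return findings


def audit_text(text):
    """Parse and audit a configuration given as text."""
    return audit(parse_config(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the structural checks all pass and the only findings are policies 2 and 3, which permit service ANY from Untrust to the MIPs; narrowing each to the services the inside host actually offers is the change a practitioner would make before publishing a host this way. If a policy is edited to reference a MIP that was never defined, or a reservation is moved into the 192.168.1.15-192.168.1.250 pool, the audit reports those as well.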