SRX Basic Configuration.docx

Uploaded by: 罗晋  Document ID: 6169489  Upload date: 2020-09-16  Format: DOCX  Pages: 8  Size: 93.72KB
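Resource description

"SRX Basic Configuration.docx" was shared by a site member and can be read online; to find more documents related to "SRX Basic Configuration.docx" (8 pages), search on 三一文库.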

SRX 300 Internet access configuration (WLAN and VLAN are both internal IPs)

Environment

Device port ge-0/0/0 is the external port, i.e. the first port: address 172.16.65.203/24, next-hop address 172.16.65.1.
Device port ge-0/0/2 is the internal port, i.e. the third port: address 192.168.2.1/24. The internal port serves as the gateway for the PCs and has DHCP configured. The DHCP parameters are:
    Address range: 192.168.2.29-192.168.2.39
    Gateway: 192.168.1.1
    DNS: 202.103.24.68; 8.8.8.8
Configure source NAT, using the two addresses 172.16.65.250 and 172.16.65.251 as NAT addresses.
Configure a policy that allows the internal network to reach the Internet.
Create the superuser root, password TS.

Detailed steps

Connect a serial cable to the console port, with the parameters set as follows:

This device already has a configuration, so the existing configuration must be cleared first. After clearing it, you must set the initial superuser password straight away and then commit; only then is the factory reset complete. The login output is as follows.

Enter configuration mode:

root@root> configure
Entering configuration mode

Restore the factory defaults:

[edit]
root@root# load factory-default
warning: activating factory configuration

Set the superuser password:

[edit]
root@root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root@root# commit
commit complete

[edit]

The factory reset is now complete; the next step is to start configuring.

Enter the default user name root:

login: root

Enter the password that was set before the device was reset:

Password:

Type cli to enter operational mode:

root@root% cli

Type configure to enter configuration mode. The operational-mode prompt symbol is ">" and the configuration-mode prompt symbol is "#":

root@root> configure
Entering configuration mode

[edit]
root@root#

Create a superuser named "wangjian" (first prompt: set the password for user "root"; second prompt: repeat the password):

root@root# set system login user lvlin class super-user authentication plain-text-password
New password:
Retype new password:

Delete the interface-related configuration. By default the interfaces are in Ethernet-switching mode; to make an interface layer 3, this attribute must be deleted first. ".0" and "unit 0" mean the same thing:

[edit]
root@root# delete interfaces ge-0/0/0.0
[edit]
root@root# delete interfaces fe-0/0/2 unit 0

In the steps below, where a second command without a prompt follows a command, it is the same command with the addresses of the environment described above.

Set ge-0/0/0.0 as a layer-3 interface with address 192.168.201.239:

[edit]
wangjian# set interfaces ge-0/0/0.0 family inet address 192.168.201.239/24
set interfaces ge-0/0/0.0 family inet address 172.16.65.203/24

Set Ge-0/0/2.0 as a layer-3 interface with address 192.168.2.1:

[edit]
wangjian# set interfaces fe-0/0/2.0 family inet address 192.168.1.1/24

Set the default route:

[edit]
wangjian# set routing-options static route 0.0.0.0/0 next-hop 192.168.201.250
set routing-options static route 0.0.0.0/0 next-hop 172.16.65.1

Put port ge-0/0/0.0 in the untrust security zone:

[edit]
wangjian# set security zones security-zone untrust interfaces ge-0/0/0.0

Put port fe-0/0/2.0 in the trust security zone:

[edit]
wangjian# set security zones security-zone trust interfaces ge-0/0/2.0

Delete the source NAT rule that ships with the system:

[edit]
wangjian# delete security nat source rule-set trust-to-untrust

Set the source NAT address pool:

[edit]
wangjian# set security nat source pool wangjian address 192.168.201.59 to 192.168.201.60
set security nat source pool wangjian address 172.16.65.250 to 172.16.65.251

Set the NAT source security zone:

[edit]
wangjian# set security nat source rule-set wangjiannat from zone trust

Set the NAT destination security zone:

[edit]
wangjian# set security nat source rule-set wangjiannat to zone untrust

Set the NAT source address:

[edit]
wangjian# set security nat source rule-set wangjiannat rule wangjiannat1 match source-address 0.0.0.0/0

Associate the NAT rule with the address pool:

[edit]
wangjian# set security nat source rule-set wangjiannat rule wangjiannat1 then source-nat pool wangjian

Enable HTTP management on the interface:

[edit]
wangjian# set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http

Turn on the global HTTP switch:

[edit]
wangjian# set system services web-management http

Delete the policy that ships with the system:

[edit]
wangjian# delete security policies from-zone trust to-zone untrust policy trust-to-untrust

Configure the policy source address:

[edit]
wangjian# set security policies from-zone trust to-zone untrust policy wangjian match source-address any

Configure the policy destination address:

[edit]
wangjian# set security policies from-zone trust to-zone untrust policy wangjian match destination-address any

Configure the policy application:

[edit]
wangjian# set security policies from-zone trust to-zone untrust policy wangjian match application any

Configure the policy action:

[edit]
wangjian# set security policies from-zone trust to-zone untrust policy wangjian then permit

Enable policy logging at session start:

[edit]
wangjian# set security policies from-zone trust to-zone untrust policy wangjian then log session-init

Enable policy logging at session close:

[edit]
wangjian# set security policies from-zone trust to-zone untrust policy wangjian then log session-close

Delete the system default DHCP configuration:

[edit]
wangjian# delete system services dhcp

DHCP parameter, default gateway:

[edit]
wangjian# set system services dhcp router 192.168.1.1

DHCP parameter, first address of the pool:

[edit]
wangjian# set system services dhcp pool 192.168.2.0/24 address-range low 192.168.2.29

DHCP parameter, last address of the pool:

[edit]
wangjian# set system services dhcp pool 192.168.2.0/24 address-range high 192.168.2.39

DHCP parameter, lease time of assigned addresses:

[edit]
wangjian# set system services dhcp maximum-lease-time 4294967295

DHCP parameter, DNS servers:

[edit]
wangjian# set system services dhcp name-server 202.106.0.20
[edit]
wangjian# set system services dhcp name-server 8.8.8.8

Set the port on which DHCP settings are propagated:

[edit]
wangjian# set system services dhcp propagate-settings ge-0/0/2.0

Delete all attributes of interface fe-0/0/2.0:

[edit]
wangjian# delete interfaces ge-0/0/2.0

Put interface ge-0/0/2.0 in the trust security zone:

[edit]
wangjian# set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services all

Proxy ARP for the NAT pool addresses on the external interface:

[edit]
wangjian# set security nat proxy-arp interface ge-0/0/0 address 192.168.201.59 to 192.168.201.60
set security nat proxy-arp interface ge-0/0/0 address 172.16.65.250 to 172.16.65.251

Delete the vlan interface:

[edit]
wangjian# delete interfaces vlan

Delete the physical interface attributes:

[edit]
wangjian# delete interfaces ge-0/0/3
[edit]
wangjian# delete interfaces fe-0/0/4
[edit]
wangjian# delete interfaces fe-0/0/5
[edit]
wangjian# delete interfaces fe-0/0/6
[edit]
wangjian# delete interfaces fe-0/0/7
[edit]
wangjian# delete interfaces ge-0/0/1

Delete the VLANs:

[edit]
wangjian# delete vlans

That is all that is needed. Obtain an address over DHCP and ping the external network.

Additional show commands

View the physical interface attributes:

[edit]
wangjian# run show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.201.239/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
sp-0/0/0.16383          up    up   inet     10.0.0.1            --> 10.0.0.16
                                            10.0.0.6            --> 0/0
                                            128.0.0.1           --> 128.0.1.16
                                            128.0.0.6           --> 0/0
ge-0/0/1                up    down
fe-0/0/2                up    up
fe-0/0/2.0              up    up   inet     192.168.1.1/24
fe-0/0/3                up    down
fe-0/0/4                up    down
fe-0/0/5                up    down
fe-0/0/6                up    down
fe-0/0/7                up    down
fxp2                    up    up
fxp2.0                  up    up   tnp      0x1
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    up

Compare the commands entered since the last commit:

[edit]
wangjian# show | compare
[edit security zones security-zone untrust interfaces]
     ge-0/0/0.0 { ... }
+    ge-0/0/1.0;

Return to the configuration as of the last commit:

[edit]
wangjian# rollback 0
load complete

[edit]
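
Added example, not part of the original document: a Python check that reads the `set` commands used in this walkthrough and reports the settings a reviewer would question, namely cleartext HTTP management, host-inbound services accepted on the untrust zone, `system-services all`, and a permit policy that matches any/any/any. The `audit` function, the `EXTERNAL_ZONES` set and the finding texts are assumptions introduced for illustration.

```python
import re
from collections import defaultdict

# Constructed input: 'set' lines copied from the walkthrough above.
SAMPLE = """\
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set system services web-management http
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services all
set security policies from-zone trust to-zone untrust policy wangjian match source-address any
set security policies from-zone trust to-zone untrust policy wangjian match destination-address any
set security policies from-zone trust to-zone untrust policy wangjian match application any
set security policies from-zone trust to-zone untrust policy wangjian then permit
set security policies from-zone trust to-zone untrust policy wangjian then log session-init
"""

EXTERNAL_ZONES = {"untrust"}  # assumption: zones that face untrusted networks
HOST_IN = re.compile(r"set security zones security-zone (\S+) interfaces? (\S+) "
                     r"host-inbound-traffic system-services (\S+)")
POLICY = re.compile(r"set security policies from-zone (\S+) to-zone (\S+) "
                    r"policy (\S+) (match|then) (\S+)(?: (\S+))?")

def audit(config):
    """Return a list of hardening findings for Junos 'set' lines."""
    findings, policies = [], defaultdict(dict)
    for raw in config.splitlines():
        line = " ".join(raw.split())  # collapse whitespace from copy/paste
        if re.fullmatch(r"set system services web-management http( .*)?", line):
            findings.append("web-management: cleartext HTTP enabled")
        if m := HOST_IN.fullmatch(line):
            zone, ifname, service = m.groups()
            if zone in EXTERNAL_ZONES:
                findings.append(f"{zone} {ifname}: accepts '{service}' from outside")
            elif service == "all":
                findings.append(f"{zone} {ifname}: accepts every system service")
        if m := POLICY.fullmatch(line):
            src, dst, name, kind, key, value = m.groups()
            if kind == "match":
                policies[(src, dst, name)][key] = value
            elif key in ("permit", "deny", "reject"):
                policies[(src, dst, name)]["action"] = key
    for (src, dst, name), p in policies.items():
        wide = all(p.get(k) == "any" for k in
                   ("source-address", "destination-address", "application"))
        if wide and p.get("action") == "permit":
            findings.append(f"policy {name} ({src}->{dst}): permits any/any/any")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Feed it the output of `show configuration | display set` saved to a file to run the same checks against a device's full configuration.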
