Cau Hinh Juniper Firewall WebManagerment


8/17/2019 Cau Hinh Juniper Firewall WebManagerment

Lab 01: Configuring a Juniper SRX as a WAN router

Requirements:

+ Configure the Juniper SRX as the WAN router (running PPPoE)
+ Dynamic NAT so that Inside and DMZ can reach the Internet
+ Static NAT so that outside users can reach the Web Server over HTTP

I. Basic configuration:

1.1 Configure the root password:

set system root-authentication plain-text-password
New password: xxxxxx
Retype new password: xxxxxx

1.2 Configure the hostname:

set system host-name hcm-svuit-vsrx

1.3 Configure the login banner:

set system login message "Welcome to SVUIT.\n Lab Juniper SRX\n"

1.4 Configure the time zone:


set system time-zone GMT+7

1.5 Configure the name servers:

set system name-server 8.8.8.8
set system name-server 4.2.2.2

1.6 Create an administrative user:

set system login user svuit uid 2000
set system login user svuit class super-user
set system login user svuit authentication plain-text-password
New password: xxxxxx
Retype new password: xxxxxx

Note: here I create the user svuit with full administrative rights (equivalent to the root user).

II. Enable services:

2.1 SSH and Telnet:

set system services ssh
set system services telnet

2.2 Web management:

Allow web management only on interface ge-0/0/1.0 (that is, only from the Inside side):

set system services web-management http interface ge-0/0/1.0
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/1.0
set system services web-management session idle-timeout 30

2.3 Configure DHCP for the Inside clients:

Configure the clients in Inside to receive their IP addresses from the Juniper SRX:

set system services dhcp pool 10.1.1.0/24 address-range low 10.1.1.12 high 10.1.1.20


set system services dhcp pool 10.1.1.0/24 name-server 8.8.8.8
set system services dhcp pool 10.1.1.0/24 name-server 4.2.2.2
set system services dhcp pool 10.1.1.0/24 router 10.1.1.1

III. Configure PPPoE:

Clone the MAC address onto ge-0/0/0 if your Internet provider requires it, then set PPPoE encapsulation on the unit:

set interfaces ge-0/0/0 mac aa:bb:cc:dd:ee:ff
set interfaces ge-0/0/0 unit 0 encapsulation ppp-over-ether

Configure the pp0 interface; replace <isp-username> and <isp-password> with the PPPoE credentials issued by your ISP:

set interfaces pp0 traceoptions flag all
set interfaces pp0 unit 0 point-to-point
set interfaces pp0 unit 0 ppp-options pap default-password <isp-password>
set interfaces pp0 unit 0 ppp-options pap local-password <isp-password>
set interfaces pp0 unit 0 ppp-options pap local-name <isp-username>
set interfaces pp0 unit 0 ppp-options pap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/0.0
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 no-keepalives
set interfaces pp0 unit 0 family inet mtu 1492
set interfaces pp0 unit 0 family inet negotiate-address

IV. Configure the default route:

set routing-options static route 0.0.0.0/0 next-hop pp0.0 metric 0

V. Configure Dynamic NAT:


    Cấu hình yn!mic NA" cho php #n$i%e &à ' truy c,p #nternet

    set security nat source rule-set *T#,utside (rom $one Inside set security nat source rule-set *T#,utside (rom $one utside

    set security nat source rule-set *T#,utside rule src-i"terface match source-address '.'.'.')'set security nat source rule-set *T#,utside rule src-i"terface match destination-address '.'.'.')' set security nat source rule-set *T#,utside rule src-i"terface then source-nat inter(ace

    >II. Cấu hình 0tat!c 58(:

    Cấu hình St!tic NA" cho php *n noài truy c,p http &ào We $er&er 1t tron Qone '

    set security nat destination pool   address *'.&.&.&'')?& port 80

    set security nat destination rule-set eb#*T (rom $one >utside set security nat destination rule-set eb#*T rule u$e#eb#*T match source-address '.'.'.')' set security nat destination rule-set eb#*T rule u$e#eb#*T match destination-address *''.*' set security nat destination rule-set eb#*T rule u$e#eb#*T match destination-port 80 set security nat destination rule-set eb#*T rule u$e#eb#*T then destination-nat pool 

VII. Configure zones:

VII.1 Zone Inside:

Create zone Inside, bind interface ge-0/0/1.0 to it, and allow only the host-inbound traffic ping, dhcp, http, https, ssh and telnet:

set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp
set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services http
set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services https
set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services telnet

VII.2 Zone DMZ:

Create zone DMZ, bind interface ge-0/0/2.0 to it, and allow only the host-inbound traffic ping, http, https, ssh and telnet:

set security zones security-zone DMZ interfaces ge-0/0/2.0 host-inbound-traffic system-services ping


set security zones security-zone DMZ interfaces ge-0/0/2.0 host-inbound-traffic system-services http
set security zones security-zone DMZ interfaces ge-0/0/2.0 host-inbound-traffic system-services https
set security zones security-zone DMZ interfaces ge-0/0/2.0 host-inbound-traffic system-services ssh
set security zones security-zone DMZ interfaces ge-0/0/2.0 host-inbound-traffic system-services telnet

VII.3 Zone Outside:

Create zone Outside and bind interfaces ge-0/0/0.0 and pp0.0 (the interface that carries the PPPoE session) to it:

set security zones security-zone Outside interfaces pp0.0
set security zones security-zone Outside interfaces ge-0/0/0.0

Note: an interface can only be bound to one zone. By default ge-0/0/0.0 is already bound to zone untrust, so you must remove it from zone untrust before binding it to zone Outside:

delete security zones security-zone untrust interfaces ge-0/0/0.0
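To check a set-style zone configuration for the one-zone-per-interface rule above, and for management services (ssh, telnet, http, https) opened on a WAN-facing zone against the spirit of section 2.2, here is an added Python example that is not part of the original lab. The sample configuration, the WAN zone names Outside and untrust, and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, not the lab's config: ge-0/0/0.0 is deliberately left
# in untrust as well as Outside, and ssh is opened on the PPPoE interface.
SAMPLE_CONFIG = """
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
set security zones security-zone Inside interfaces ge-0/0/1.0 host-inbound-traffic system-services telnet
set security zones security-zone DMZ interfaces ge-0/0/2.0 host-inbound-traffic system-services http
set security zones security-zone Outside interfaces pp0.0
set security zones security-zone Outside interfaces ge-0/0/0.0
set security zones security-zone Outside interfaces pp0.0 host-inbound-traffic system-services ssh
"""
ZONE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)"
                     r"(?: host-inbound-traffic system-services (\S+))?$")
MGMT_SERVICES = {"ssh", "telnet", "http", "https"}

def parse_zone_bindings(config):
    """Map interface -> zones bound to it, and (zone, interface) -> services opened."""
    bindings, services = defaultdict(set), defaultdict(set)
    for line in config.splitlines():
        m = ZONE_RE.match(line.strip())
        if m:
            zone, ifname, svc = m.groups()
            bindings[ifname].add(zone)
            if svc:
                services[(zone, ifname)].add(svc)
    return bindings, services

def audit_zones(config, wan_zones=("Outside", "untrust")):
    """Return findings as strings; an empty list means all checks passed."""
    bindings, services = parse_zone_bindings(config)
    findings = []
    for ifname, zones in sorted(bindings.items()):
        if len(zones) > 1:  # Junos rejects this at commit time
            findings.append(f"{ifname} bound to several zones: {sorted(zones)}")
    for (zone, ifname), svcs in sorted(services.items()):
        exposed = sorted(svcs & MGMT_SERVICES)
        if zone in wan_zones and exposed:  # management plane reachable from the Internet
            findings.append(f"{ifname} ({zone}) exposes {exposed} to the WAN")
        if "telnet" in svcs:
            findings.append(f"{ifname} ({zone}) accepts cleartext telnet")
    return findings

for finding in audit_zones(SAMPLE_CONFIG):
    print(finding)
```

Feed it the output of "show configuration | display set" to run the same checks against a live device.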

By default the following zones and policies already exist:

root> show security zones

Security zone: trust
  Send reset for non-SYN session TCP packets: On
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:

Security zone: untrust
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Screen: untrust-screen
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0

Security zone: junos-host
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:

root> show security policies


VIII. Configure security policies:

VIII.1 Inside to Outside:

set security policies from-zone Inside to-zone Outside policy Inside_Outside match source-address any
set security policies from-zone Inside to-zone Outside policy Inside_Outside match destination-address any
set security policies from-zone Inside to-zone Outside policy Inside_Outside match application any
set security policies from-zone Inside to-zone Outside policy Inside_Outside then permit

VIII.2 Inside to DMZ:

Create a policy that allows access from Inside to the DMZ:

set security policies from-zone Inside to-zone DMZ policy Web_Inside_DMZ match source-address any
set security policies from-zone Inside to-zone DMZ policy Web_Inside_DMZ match destination-address any
set security policies from-zone Inside to-zone DMZ policy Web_Inside_DMZ match application junos-http
set security policies from-zone Inside to-zone DMZ policy Web_Inside_DMZ match application junos-https
set security policies from-zone Inside to-zone DMZ policy Web_Inside_DMZ then permit

VIII.3 Outside to DMZ:

Create a policy that allows access from Outside to the Web Server in the DMZ:

set security policies from-zone Outside to-zone DMZ policy Web_Outside_DMZ match source-address any
set security policies from-zone Outside to-zone DMZ policy Web_Outside_DMZ match destination-address any
set security policies from-zone Outside to-zone DMZ policy Web_Outside_DMZ match application junos-http
set security policies from-zone Outside to-zone DMZ policy Web_Outside_DMZ match application junos-https
set security policies from-zone Outside to-zone DMZ policy Web_Outside_DMZ then permit

Some commands to verify the configuration. Show the interface information:


Show the routing table:


Show the DHCP lease information:

A client in Inside receives an IP address from DHCP and can reach the Internet.