一.SRX端設置:
system {
host-name SRX1;
domain-name my.local;
root-authentication {
encrypted-password "$1$CukmmB9s$h28WLN7QFN9F6XxfUlCl/."; ## SECRET-DATA
}
name-server {
192.168.1.200;
}
login {
user my {
uid 2002;
class super-user;
authentication {
encrypted-password "$1$Zv.VaSr2$Desz5YafLPkJjdAMPNqwU1"; ## SECRET-DATA
}
}
}
services {
ssh;
telnet;
web-management {
http {
interface ge-0/0/0.0;
}
https {
system-generated-certificate;
interface ge-0/0/1.0;
}
}
}
syslog {
user * {
any emergency;
}
host 10.1.1.10 {
any any;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 10.1.1.1/24;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 202.100.2.1/24;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 202.100.2.254;
}
}
security {
ike {
proposal IKE_PHASE1 {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-256-cbc;
lifetime-seconds 86400;
}
policy IKE_POLICY_PHASE1 {
mode main;
proposals IKE_PHASE1;
pre-shared-key ascii-text "$9$O878REyXxdsgJhSds2gJZn/9p1R"; ## SECRET-DATA
}
gateway GW {
ike-policy IKE_POLICY_PHASE1;
address 202.100.1.1;
external-interface ge-0/0/1.0;
}
}
ipsec {
proposal IPSEC_PHASE2 {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-256-cbc;
lifetime-seconds 3600;
}
policy IPSEC_POLICY_PHASE2 {
perfect-forward-secrecy {
keys group2;
}
proposals IPSEC_PHASE2;
}
*** S2S*** {
ike {
gateway GW;
ipsec-policy IPSEC_POLICY_PHASE2;
}
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
queue-size 2000; ## Warning: 'queue-size' is deprecated
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set SNAT {
from zone trust;
to zone untrust;
rule NO_NAT {
match {
source-address 10.1.1.0/24;
destination-address 192.168.1.0/24;
}
then {
source-nat {
off;
}
}
}
rule Inside_to_Outside {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy ***_TRUST_UNTRUST {
match {
source-address SRX_Inside;
destination-address CP_Inside;
application any;
}
then {
permit {
tunnel {
ipsec-*** S2S***;
pair-policy ***_UNTRUST_TRUST;
}
}
}
}
policy DEFAULT {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy ***_UNTRUST_TRUST {
match {
source-address CP_Inside;
destination-address SRX_Inside;
application any;
}
then {
permit {
tunnel {
ipsec-*** S2S***;
pair-policy ***_TRUST_UNTRUST;
}
}
}
}
policy default-deny {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
}
}
}
}
zones {
security-zone trust {
address-book {
address SRX_Inside 10.1.1.0/24;
}
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone untrust {
address-book {
address CP_Inside 192.168.1.0/24;
}
host-inbound-traffic {
system-services {
ping;
telnet;
https;
ike;
}
}
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
ping;
}
}
}
}
}
}
}
二.CP端設置:
