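-----------------------------------------------------------------------------------------------
First-time configuration of a Juniper SSG140 (2010-04-27 10:10:43). Environment summary:
1. Dual ISP; two servers, 192.168.6.6 and 192.168.6.8, expose port 17991 to the Internet.
2. trust-vr and untrust-vr coexist; zone Untrust was moved into untrust-vr.
3. 192.168.6.6 is published via a VIP on the 180.x uplink (ethernet0/9), 192.168.6.8 via a MIP
   on the 221.x uplink (ethernet0/8), with source-based routing picking the uplink per server.
   Not much to it, but having never configured one I did not know at first how to do address
   translation on a Juniper.
Dashed blocks like this one are commentary, not CLI -- ScreenOS has no comment syntax, so strip
them before pasting into the box.
Reviewer changes relative to the original listing (each is explained where it occurs):
  - management on the two Internet-facing interfaces switched from telnet/web to ssh/ssl;
  - "screen alarm-without-drop" removed so the Untrust screen options actually drop;
  - the manage-ip on ethernet0/9 removed (it duplicated the ISP gateway address);
  - missing spaces restored in the "gateway ..." and policy lines so every command pastes cleanly.
Everything else is the author's original configuration.
-----------------------------------------------------------------------------------------------
set clock ntp
set clock timezone 8
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
-----------------------------------------------------------------------------------------------
If the firewall does not already have the service you need, define it yourself.
-----------------------------------------------------------------------------------------------
set service "17991" protocol tcp src-port 0-65535 dst-port 17991-17991
set service "3389" protocol tcp src-port 0-65535 dst-port 3389-3389
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
-----------------------------------------------------------------------------------------------
NOTE(review): the two password hashes below were published with this post, and "netscreen" is
the factory-default root admin name. Treat both accounts as compromised: change both passwords
on the device and rename the root admin before reusing any of this.
-----------------------------------------------------------------------------------------------
set admin name "netscreen"
set admin password "nJqNNxrLGyrLc0lEtsCBqfDtDMA/Pn"
set admin user "hongyuan" password "nNnfG0rrJIWDcc8EysvMuSCt+LBiDn" privilege "all"
-----------------------------------------------------------------------------------------------
If you add manager IPs, do not forget the internal subnet. The first time I only added the
remote public address, so I could not get in from the inside to configure it and had to use the
console. (Once any manager-ip is set, management is accepted ONLY from those addresses -- that
is also what keeps the ssh/ssl management enabled on the Untrust interfaces below from being
reachable from the whole Internet.)
-----------------------------------------------------------------------------------------------
set admin manager-ip 192.168.6.0 255.255.255.0
set admin manager-ip 114.255.150.140 255.255.255.255
set admin manager-ip 219.141.171.130 255.255.255.255
set admin auth web timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
-----------------------------------------------------------------------------------------------
"Untrust" lives in "trust-vr" by default; I moved it.
-----------------------------------------------------------------------------------------------
set zone "Untrust" vrouter "untrust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Trust" screen limit-session source-ip-based
set zone "Trust" screen limit-session destination-ip-based
-----------------------------------------------------------------------------------------------
NOTE(review): the original listing had `set zone "Untrust" screen alarm-without-drop` here.
With that option set, every screen option that follows only raises an alarm and the packet is
still forwarded, so none of the flood / scan / malformed-packet checks below protected anything.
It is left out so the screens enforce. If you want a monitoring-only burn-in period, add it back
deliberately and remember to remove it afterwards.
-----------------------------------------------------------------------------------------------
set zone "Untrust" screen on-tunnel
set zone "Untrust" screen icmp-flood
set zone "Untrust" screen udp-flood
set zone "Untrust" screen winnuke
set zone "Untrust" screen port-scan
set zone "Untrust" screen ip-sweep
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ip-spoofing
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "Untrust" screen syn-frag
set zone "Untrust" screen tcp-no-flag
set zone "Untrust" screen unknown-protocol
set zone "Untrust" screen ip-bad-option
set zone "Untrust" screen ip-record-route
set zone "Untrust" screen ip-timestamp-opt
set zone "Untrust" screen ip-security-opt
set zone "Untrust" screen ip-loose-src-route
set zone "Untrust" screen ip-strict-src-route
set zone "Untrust" screen ip-stream-opt
set zone "Untrust" screen icmp-fragment
set zone "Untrust" screen icmp-large
set zone "Untrust" screen syn-fin
set zone "Untrust" screen fin-no-ack
set zone "Untrust" screen limit-session source-ip-based
set zone "Untrust" screen syn-ack-ack-proxy
set zone "Untrust" screen block-frag
set zone "Untrust" screen limit-session destination-ip-based
set zone "Untrust" screen icmp-id
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set zone "Untrust" screen limit-session source-ip-based 512
set zone "Untrust" screen limit-session destination-ip-based 512
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "V1-Trust"
set interface "ethernet0/2" zone "V1-Trust"
-----------------------------------------------------------------------------------------------
Both Internet uplinks are in one zone.
-----------------------------------------------------------------------------------------------
set interface "ethernet0/8" zone "Untrust"
set interface "ethernet0/9" zone "Untrust"
set interface ethernet0/0 ip 192.168.6.2/24
-----------------------------------------------------------------------------------------------
NAT mode on the inside interface: anything going to the untrust or dmz zone gets source-NATed,
unless the firewall is put into transparent mode.
-----------------------------------------------------------------------------------------------
set interface ethernet0/0 nat
unset interface vlan1 ip
set interface ethernet0/8 ip 221.7.199.182/29
set interface ethernet0/8 route
set interface ethernet0/9 ip 180.136.240.114/30
set interface ethernet0/9 route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
-----------------------------------------------------------------------------------------------
NOTE(review): the original listing had `set interface ethernet0/9 manage-ip 180.136.240.113`
here. 180.136.240.113 is the ISP gateway for ethernet0/9 (see the untrust-vr routes at the end),
and a /30 has no spare host address, so that manage-ip duplicated the upstream router's IP.
It is dropped; the interface IP (.114) is manageable on its own via "ip manageable" below.
-----------------------------------------------------------------------------------------------
set interface ethernet0/0 ip manageable
set interface ethernet0/8 ip manageable
set interface ethernet0/9 ip manageable
-----------------------------------------------------------------------------------------------
NOTE(review): the original enabled "manage telnet" and "manage web" on both Internet-facing
interfaces, i.e. cleartext Telnet and HTTP admin sessions from the two public manager-ip hosts
across the Internet. Replaced with ssh (v2 is already selected further down; "set ssh enable" is
added there because "set ssh version v2" alone does not turn the server on) and ssl. SSL
management uses the device's default self-signed certificate unless you load one; confirm it
is enabled on your release ("get ssl") after applying.
-----------------------------------------------------------------------------------------------
set interface ethernet0/8 manage ping
set interface ethernet0/8 manage ssh
set interface ethernet0/8 manage ssl
set interface ethernet0/9 manage ping
set interface ethernet0/9 manage ssh
set interface ethernet0/9 manage ssl
-----------------------------------------------------------------------------------------------
Server auto-detection is on: the firewall pings the internal address, and if it cannot reach
it the VIP entry's status shows "down".
-----------------------------------------------------------------------------------------------
set interface ethernet0/9 vip interface-ip 3389 "3389" 192.168.6.6
set interface ethernet0/9 vip interface-ip 17991 "17991" 192.168.6.6
-----------------------------------------------------------------------------------------------
Look, this is the one. (Review: this VIP publishes RDP on a third host, 192.168.6.21, that the
environment summary never mentions, and the only policy using it is named "test" -- verify it
is intended before leaving it in production.)
-----------------------------------------------------------------------------------------------
set interface ethernet0/8 vip interface-ip 3389 "3389" 192.168.6.21
-----------------------------------------------------------------------------------------------
If you have several spare addresses in the same subnet you can use a MIP; note that I placed it
in untrust-vr.
-----------------------------------------------------------------------------------------------
set interface "ethernet0/8" mip 221.7.199.179 host 192.168.6.8 netmask 255.255.255.255 vr "untrust-vr"
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
-----------------------------------------------------------------------------------------------
Review: this address object is referenced by no policy in the listing (and 221.7.199.180 is a
public address of the ethernet0/8 /29, placed in the Trust zone). Harmless but probably a leftover.
-----------------------------------------------------------------------------------------------
set address "Trust" "221.7.199.180/32" 221.7.199.180 255.255.255.255
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol websense
exit
-----------------------------------------------------------------------------------------------
Juniper also has an implicit "deny any any", so Trust -> Untrust needs an explicit permit any any.
NOTE(review): policies 4, 5 and 6 publish RDP (3389) on all three servers to source "Any" on the
Untrust zone, i.e. the whole Internet; only the 17991 service was described as the one meant to
be public. RDP policies should carry a source address object limited to the administrators'
hosts (the two public manager-ip addresses are the obvious candidates -- confirm with the
author) rather than "Any". The policies are reproduced unchanged here because the intended
sources are not stated in the post.
-----------------------------------------------------------------------------------------------
set policy id 1 name "PERMIT_ANY" from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 1
exit
set policy id 2 name "PERMIT_PING" from "Untrust" to "Trust" "Any" "MIP(221.7.199.179)" "PING" permit
set policy id 2
exit
set policy id 4 name "PERMIT_CT" from "Untrust" to "Trust" "Any" "VIP(ethernet0/9)" "3389" permit log
set policy id 4
exit
set policy id 5 name "PERMIT_CNC" from "Untrust" to "Trust" "Any" "MIP(221.7.199.179)" "3389" permit log
set policy id 5
exit
set policy id 6 name "test" from "Untrust" to "Trust" "Any" "VIP(ethernet0/8)" "3389" permit log
set policy id 6
exit
set policy id 7 name "PERMIT_CT_17991" from "Untrust" to "Trust" "Any" "VIP(ethernet0/9)" "17991" permit log
set policy id 7
exit
set policy id 8 name "PERMIT_CNC_17991" from "Untrust" to "Trust" "Any" "MIP(221.7.199.179)" "17991" permit log
set policy id 8
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set config lock timeout 5
unset license-key auto-update
set ntp server "210.72.145.44"
set snmp port listen 161
set snmp port trap 162
-----------------------------------------------------------------------------------------------
Below are the routes in untrust-vr. Source-based routing sends 192.168.6.6 out of the
ethernet0/9 uplink and 192.168.6.8 out of the ethernet0/8 uplink, matching the VIP/MIP each is
published on; the two default routes cover everything else.
-----------------------------------------------------------------------------------------------
set vrouter "untrust-vr"
set source-routing enable
set route 0.0.0.0/0 interface ethernet0/8 gateway 221.7.199.177
set route 0.0.0.0/0 interface ethernet0/9 gateway 180.136.240.113
set route source 192.168.6.6/32 interface ethernet0/9 gateway 180.136.240.113
set route source 192.168.6.8/32 interface ethernet0/8 gateway 221.7.199.177
set route 192.168.6.0/24 vrouter "trust-vr" preference 20 metric 1
exit
-----------------------------------------------------------------------------------------------
Below are the routes in trust-vr: no default route of its own, everything is handed to untrust-vr.
-----------------------------------------------------------------------------------------------
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 vrouter "untrust-vr" preference 20 metric 1
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit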