當前位置：首頁 > 编程资源 > 编程问答 >内容正文

编程问答

Juniper SSG 防火墙

發布時間：2023/12/29 编程问答 35 豆豆

生活随笔收集整理的這篇文章主要介紹了 Juniper SSG 防火墙小編覺得挺不錯的,現在分享給大家,幫大家做個參考.

win10無法登陸SSG進行WEB UI管理

故障描述：嘗試登錄SSG設備時，無法無法刷出頁面，但是設備時可以ping通的（內部接口），可以Telnet上設備，就是無法通過網頁登錄。
深入測試：win7的系統可以登錄，win10的不行，瀏覽器報協議版本或加密算法不支持。
故障分析：這種情況下，可能是由于防火墻的加密算法的問題。

1、con到設備：

SSG320M-> get ssh
SSH V2 is active
SSH is NOT enabled
SSH is NOT ready for connections
Maximum sessions: 6
Active sessions: 0

2、查看加密算法：

SSG320M-> get ssl
web SSL enable.
web SSL port number(443).
web SSL cert: Default - System Self-Signed Cert.
web SSL cipher(RC4_MD5)..

3、修改加密算法并保存配置：

SSG320M-> set ssl encrypt 3des sha-1
SSG320M-> save
Save System Configuration ...
Done

修改后，測試win10登錄SSG管理，正常，問題解決。

NAT

1.NAT-Src with PAT Enabled

set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/2" zone "Untrust"
set interface ethernet0/0 ip 172.16.1.1/24
set interface ethernet0/0 nat
set interface ethernet0/2 ip 192.168.0.199/24
set interface ethernet0/2 route
set interface ethernet0/2 gateway 192.168.0.1
set interface ethernet0/2 dip 5 192.168.0.198
set policy from Trust to Untrust Any Any ANY nat src dip-id 5 permit log

2.NAT-Src with PAT Disabled

set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/2" zone "Untrust"
set interface ethernet0/0 ip 172.16.1.1/24
set interface ethernet0/0 nat
set interface ethernet0/2 ip 192.168.0.199/24
set interface ethernet0/2 route
set interface ethernet0/2 gateway 192.168.0.1
set interface ethernet0/2 dip 6 192.168.0.198 fix-port
set policy from trust to untrust any any any nat src dip-ip 6 permit log

3.NAT-Src Without DIP

set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/2" zone "Untrust"
set interface ethernet0/0 ip 172.16.1.1/24
set interface ethernet0/0 nat
set interface ethernet0/2 ip 192.168.0.199/24
set interface ethernet0/2 route
set interface ethernet0/2 gateway 192.168.0.1
set interface ethernet0/2 dip 5 192.168.0.198 192.168.0.198e
set policy from trust to untrust any any any nat src permit log

透明墻

set interface "ethernet0/0" zone "V1-Trust"
set interface "ethernet0/2" zone "V1-Untrust"
set policy id 3 name "towan" from "V1-Trust" to "V1-Untrust" "Any" "Any" "ANY" permit
set policy id 3

主要區別：
思科ASA5500系列防火墻在透明模式下，不會透傳CDP和BPDUs；
Juniper的SSG系列防火墻會透傳CDP和BPDUs，有時可能會造成二層環路。

ACL生效順序和ID無關和acl 順序有關

常用命令

配置

injoin-ssg320m-> get config
Total Config size 3586:
unset key protection enable
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set vrouter name "MGMT" id 1025 sharable
set vrouter "MGMT"
unset auto-route-export
exit
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin port 8000
set admin http redirect
set admin auth web timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "V1-Trust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/2" zone "V1-Untrust"
set interface vlan1 ip 192.168.0.250/24
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface vlan1 ip manageable
set interface ethernet0/0 manage mtrace
set interface vlan1 manage mtrace
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set hostname injoin-ssg320m
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 0.0.0.0
set dns host dns2 0.0.0.0
set dns host dns3 0.0.0.0
set address "Untrust" "8.8.8.8/32" 8.8.8.8 255.255.255.255
set crypto-policy
exit
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol websense
exit
set policy id 2 from "Trust" to "Untrust" "Any" "Any" "ANY" nat src permit log
set policy id 2
exit
set policy id 3 name "towan" from "V1-Trust" to "V1-Untrust" "Any" "Any" "ANY" permit
set policy id 3
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set ssl encrypt 3des sha-1
set snmp port listen 161
set snmp port trap 162
set snmpv3 local-engine id "JN1230D03ADD"
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 8.8.8.8/32 interface ethernet0/0 gateway 172.16.1.2
exit
set vrouter "MGMT"
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set vrouter "MGMT"
exit

初始化

設備開機狀態下，使用插到設備正前方的reset口，有手感，直到等到status燈變成橙色，再變綠色后，針松開2秒鐘，再將針插入reset孔不放直到燈變紅，此時所有端口燈都會滅掉。針取出即可。最后設備會自動重啟。設備即恢復出廠默認值。

總結

以上是生活随笔為你收集整理的Juniper SSG 防火墙的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。