Juniper SRX 防火墙基础上网配置

简介

基于PNET-LAB模拟器，使用 vSRX-NG 23.4R1.9 镜像进行实验。

实验需求

配置WAN口 LAN口，实现基础的上网功能。配置NAT、DHCP。

ISP 路由器使用Cisco IOS模拟，与SRX对接口配置 1.1.1.2，Lookback0配置114.114.114.114/32

实验步骤

实验拓扑

基础配置 - root密码、主机名、时区NTP。

set system root-authentication plain-text-password
# vSRX 默认无root密码，会强制要求配置一个。
set system host-name SRX01
# 配置设备的主机名，方便标识。
set system time-zone Asia/Shanghai
# 配置设备时区，可能需要手动导入时区文件。https://www.juniper.net/documentation/cn/zh/software/junos/time-mgmt/topics/topic-map/configure-time-zone.html
set system ntp server 1.1.1.1 
# 配置NTP服务器地址。如果目标是域名，需要配置DNS服务器。（安全类产品时间很重要）
show | compare 
commit
# 最后查看要提交的配置，然后提交生效。

配置公/内网接口地址，默认路由。

set interfaces ge-0/0/0 description LAN1
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.1/24
set interfaces ge-0/0/1 description WAN1
set interfaces ge-0/0/1 unit 0 family inet address 1.1.1.1/24
# 配置接口描述、配置IP地址。
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.2  
# 配置默认路由指向公网出口网关。
show route 
inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0          *[Static/5] 00:00:33
                    >  to 1.1.1.2 via ge-0/0/1.0
1.1.1.0/24         *[Direct/0] 00:02:15
                    >  via ge-0/0/1.0
1.1.1.1/32         *[Local/0] 00:02:15
                       Local via ge-0/0/1.0
192.168.0.0/24     *[Direct/0] 00:02:46
                    >  via ge-0/0/0.0
192.168.0.1/32     *[Local/0] 00:02:46
                       Local via ge-0/0/0.0
192.168.1.1/32     *[Local/0] 00:18:13
                       Reject
# 查看路由表验证。
ping 114.114.114.114 
# Ping ISP路由器的LookBack0验证。

配置安全区域并关联接口

安全区域（Security Zone）：它是一个或多个接口的集合，是防火墙区别于路由器的主要特性。 防火墙通过安全区域来划分网络、标识报文流动的“路线”，当报文在不同的安全区域之间流动时，才会触发安全检查。 相同区域不受限制，不同区域必须按照安全策略进行控制。

set security zones security-zone LAN
set security zones security-zone LAN host-inbound-traffic system-services all
set security zones security-zone LAN host-inbound-traffic protocols all
set security zones security-zone LAN interfaces ge-0/0/0.0
# 内网区域配置允许所有服务、允许所有协议进入，并把 ge-0/0/0.0 加入内网区域。
set security zones security-zone WAN       
set security zones security-zone WAN host-inbound-traffic system-services ping
set security zones security-zone WAN interfaces ge-0/0/1.0  
# 外网区域配置只允许ICMP进入区域，并把 ge-0/0/1.0 加入外网区域

配置 SNAT 规则

set security nat source rule-set LAN_to_WAN_SNAT from zone LAN
# 配置NAT源区域
set security nat source rule-set LAN_to_WAN_SNAT to zone WAN
# 配置NAT目标区域
set security nat source rule-set LAN_to_WAN_SNAT rule Default_NAT match source-address 0.0.0.0/0
# 不限制源地址
set security nat source rule-set LAN_to_WAN_SNAT rule Default_NAT then source-nat interface
# 配置NAT地址为接口IP。

配置安全策略规则LAN 到 WAN

set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone LAN to-zone WAN policy Default-Permit match source-address any
set security policies from-zone LAN to-zone WAN policy Default-Permit match destination-address any
set security policies from-zone LAN to-zone WAN policy Default-Permit match application any
set security policies from-zone LAN to-zone WAN policy Default-Permit then permit
# 配置LAN区域到WAN区域允许所有IP和APP。

配置DHCP，为LAN口下联终端分配IP

set system services dhcp pool 192.168.0.0/24 address-range low 192.168.0.101
set system services dhcp pool 192.168.0.0/24 address-range high 192.168.0.200

# 配置地址池192.168.0.0/24 配置分配地址范围。

set system services dhcp pool 192.168.0.0/24 name-server 114.114.114.114

# 配置DNS服务器

set system services dhcp pool 192.168.0.0/24 router 192.168.0.1

# 配置默认网关

set system services dhcp pool 192.168.0.0/24 default-lease-time 3600

# 配置IP地址保留时间

set security zones security-zone LAN interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp

# 配置LAN区域指定接口允许DHCP服务通过。

PS：接口的 IP 地址必须与 DHCP 池位于同网段中。配置完成之后，会自动关联。

DHCP服务验证

show system services dhcp pool 

# 查看所有Pool

show system services dhcp binding

IP address       Hardware address   Type     Lease expires at
192.168.0.101    50:11:1b:00:97:00  dynamic  2024-03-22 06:50:12 UTC

# 查看已分配IP


show system services dhcp statistics

# 查看状态

最终验证

最终win-PC 可以DHCP自动获取到IP，并可以ping通 114.114.114.114;