```
set system root-authentication plain-text-password
# vSRX has no root password by default and forces you to configure one.
set system host-name SRX01
# Set the device host name so it is easy to identify.
set system time-zone Asia/Shanghai
# Set the device time zone; the time zone file may need to be imported manually, see
# https://www.juniper.net/documentation/cn/zh/software/junos/time-mgmt/topics/topic-map/configure-time-zone.html
set system ntp server 1.1.1.1
# NTP server address. If the target is a domain name, a DNS server must also be configured.
# (Accurate time matters a great deal on security products.)
show | compare
commit
# Finally, review the configuration about to be committed, then commit it to make it take effect.
```
```
set security zones security-zone LAN
set security zones security-zone LAN host-inbound-traffic system-services all
set security zones security-zone LAN host-inbound-traffic protocols all
set security zones security-zone LAN interfaces ge-0/0/0.0
# LAN zone: allow all system services and all protocols inbound to the device, and add ge-0/0/0.0 to the zone.
set security zones security-zone WAN
set security zones security-zone WAN host-inbound-traffic system-services ping
set security zones security-zone WAN interfaces ge-0/0/1.0
# WAN zone: allow only ICMP (ping) inbound to the device, and add ge-0/0/1.0 to the zone.
```
Configure SNAT rules

```
set security nat source rule-set LAN_to_WAN_SNAT from zone LAN
# NAT source zone
set security nat source rule-set LAN_to_WAN_SNAT to zone WAN
# NAT destination zone
set security nat source rule-set LAN_to_WAN_SNAT rule Default_NAT match source-address 0.0.0.0/0
# Do not restrict the source address
set security nat source rule-set LAN_to_WAN_SNAT rule Default_NAT then source-nat interface
# Translate to the IP address of the egress interface.
```
Configure security policy rules, LAN to WAN

```
set security policies from-zone trust to-zone untrust policy default-permit then permit
# Factory-default policy for the trust/untrust zones; it is not used by the LAN/WAN zones defined above.
set security policies from-zone LAN to-zone WAN policy Default-Permit match source-address any
set security policies from-zone LAN to-zone WAN policy Default-Permit match destination-address any
set security policies from-zone LAN to-zone WAN policy Default-Permit match application any
set security policies from-zone LAN to-zone WAN policy Default-Permit then permit
# LAN zone to WAN zone: allow all IP addresses and all applications.
```
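As an added example (not part of the original post and not Juniper code), the following Python script parses the zone and policy commands from the steps above and flags the settings a reviewer would look at before committing: `host-inbound-traffic system-services all` or `protocols all` on a zone, a permit policy that matches any source, any destination and any application, and a policy that references a zone the configuration never defines (as the leftover trust/untrust `default-permit` line does here). The sample configuration is constructed from the commands on the page; the `parse_config` and `lint` function names and the wording of the findings are my own choices.

```python
"""Audit a Junos 'set'-style configuration for the zone and policy
settings discussed above.

Added example; not from the original post and not Juniper code. The
sample configuration is constructed from the commands on the page; the
function names and finding texts are the example author's own choices.
"""
import re

# Constructed sample: the zone and policy commands shown on the page,
# including the factory-default trust/untrust policy left in place.
SAMPLE_CONFIG = """\
set security zones security-zone LAN
set security zones security-zone LAN host-inbound-traffic system-services all
set security zones security-zone LAN host-inbound-traffic protocols all
set security zones security-zone LAN interfaces ge-0/0/0.0
set security zones security-zone WAN
set security zones security-zone WAN host-inbound-traffic system-services ping
set security zones security-zone WAN interfaces ge-0/0/1.0
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone LAN to-zone WAN policy Default-Permit match source-address any
set security policies from-zone LAN to-zone WAN policy Default-Permit match destination-address any
set security policies from-zone LAN to-zone WAN policy Default-Permit match application any
set security policies from-zone LAN to-zone WAN policy Default-Permit then permit
"""

ZONE_RE = re.compile(r"^set security zones security-zone (\S+)(?: (.*))?$")
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (.*)$"
)


def parse_config(text):
    """Return (zones, policies) built from 'set' lines; other lines are ignored.

    zones:    {name: {"services": set, "protocols": set, "interfaces": set}}
    policies: {(from_zone, to_zone, name): {"source": set, "destination": set,
                                             "application": set, "action": str|None}}
    Interface-level host-inbound-traffic is folded into the zone's own sets.
    """
    zones, policies = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        zm = ZONE_RE.match(line)
        if zm:
            name, rest = zm.group(1), zm.group(2) or ""
            zone = zones.setdefault(
                name, {"services": set(), "protocols": set(), "interfaces": set()})
            words = rest.split()
            if words[:1] == ["interfaces"] and len(words) > 1:
                zone["interfaces"].add(words[1])
            if "host-inbound-traffic" in words:
                i = words.index("host-inbound-traffic")
                kind = words[i + 1:i + 2]    # system-services | protocols
                value = words[i + 2:i + 3]   # e.g. all, ping, dhcp
                if kind == ["system-services"] and value:
                    zone["services"].add(value[0])
                elif kind == ["protocols"] and value:
                    zone["protocols"].add(value[0])
            continue
        pm = POLICY_RE.match(line)
        if pm:
            src, dst, name, rest = pm.groups()
            pol = policies.setdefault((src, dst, name), {
                "source": set(), "destination": set(),
                "application": set(), "action": None})
            words = rest.split()
            if words[:1] == ["match"] and len(words) > 2:
                key = {"source-address": "source",
                       "destination-address": "destination",
                       "application": "application"}.get(words[1])
                if key:
                    pol[key].add(words[2])
            elif words[:1] == ["then"] and len(words) > 1:
                pol["action"] = words[1]
    return zones, policies


def lint(text):
    """Return a list of human-readable findings for the configuration text."""
    zones, policies = parse_config(text)
    findings = []
    for name, zone in zones.items():
        if "all" in zone["services"]:
            findings.append(f"zone {name}: host-inbound-traffic system-services all "
                            "(every management service on the device is reachable from this zone)")
        if "all" in zone["protocols"]:
            findings.append(f"zone {name}: host-inbound-traffic protocols all")
        if not zone["interfaces"]:
            findings.append(f"zone {name}: no interface assigned")
    for (src, dst, name), pol in policies.items():
        for z in (src, dst):
            if z not in zones:
                findings.append(f"policy {name} ({src} -> {dst}): references undefined zone {z}")
        if (pol["action"] == "permit" and pol["source"] == {"any"}
                and pol["destination"] == {"any"} and pol["application"] == {"any"}):
            findings.append(f"policy {name} ({src} -> {dst}): permits any source, "
                            "any destination, any application")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("-", finding)
```

Run it as a script and it prints one line per finding; for the sample it reports the `all`/`all` settings on LAN, the two undefined zones in the trust/untrust policy, and the any/any/any permit from LAN to WAN. The LAN findings are what the page intends for an internal zone, so the point of the check is to make that choice visible at review time rather than to forbid it; feed it the output of `show configuration | display set` to audit a real device.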
```
set system services dhcp pool 192.168.0.0/24 address-range low 192.168.0.101
set system services dhcp pool 192.168.0.0/24 address-range high 192.168.0.200
# Define the address pool 192.168.0.0/24 and the range of addresses to hand out.
set system services dhcp pool 192.168.0.0/24 name-server 114.114.114.114
# DNS server handed to clients
set system services dhcp pool 192.168.0.0/24 router 192.168.0.1
# Default gateway handed to clients
set system services dhcp pool 192.168.0.0/24 default-lease-time 3600
# How long an assigned IP address is leased
set security zones security-zone LAN interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
# Allow the DHCP service inbound on this interface of the LAN zone.
```

PS: The interface IP address must be in the same subnet as the DHCP pool. Once configured, the two are associated automatically.
Verify the DHCP service

```
show system services dhcp pool
# List all pools
show system services dhcp binding
IP address       Hardware address     Type      Lease expires at
192.168.0.101    50:11:1b:00:97:00    dynamic   2024-03-22 06:50:12 UTC
```