Hello.
This is [2024][Juniper SRX #10] Administrator access restriction settings for MGMT.
You can manage a Juniper SRX by enabling SSH, Telnet, or J-Web, but if no security settings are applied, any IP range can reach the Juniper SRX over SSH, Telnet, or J-Web and log in.
If, for security reasons, your company needs only a specific IP range to manage the Juniper firewall through the Juniper SRX MGMT IP, it can be configured as shown below.
Topology
The Juniper SRX base configuration is as follows.
root> show configuration | display set | no-more
set version 21.3R1.9
set system root-authentication encrypted-password "$6$Ea7ce5UJ$33Cef6CXrDrf7O1iHX0Skwii8sjgCAeFvM5CXzEbX3/5QyNQxTMpRtregTUO/84DdvZhnEXel5WPvXKOu0hyx1"
set system login user juniper uid 2000
set system login user juniper class super-user
set system login user juniper authentication encrypted-password "$6$.zIMNUej$r05Ie68YwDsLLShNbIIYdL.TjI9p/ndcvxF0YOuOAbD.OlQWmgaABWskuOtmcU9ZRhp.VqM/tVcA2.tZMwc.W/"
set system services ssh root-login allow
set system services telnet
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set interfaces fxp0 unit 0 family inet address 192.168.10.220/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253
Cisco switch base configuration.
Switch#conf t
Switch(config)#hostname SW1
SW1(config)#int g0/0
SW1(config-if)#no sw
SW1(config-if)#ip add dhcp
SW1(config-if)#no sh
Check the Juniper interface status.
root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
fxp0.0                  up    up   inet     192.168.10.220/24
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
root>
Check the Cisco interfaces.
SW1#show ip int brie
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  up                    up
GigabitEthernet0/3     unassigned      YES unset  up                    up
GigabitEthernet0/0     192.168.10.104  YES DHCP   up                    up
GigabitEthernet1/0     unassigned      YES unset  up                    up
GigabitEthernet1/1     unassigned      YES unset  up                    up
GigabitEthernet1/2     unassigned      YES unset  up                    up
GigabitEthernet1/3     unassigned      YES unset  up                    up
SW1#
Juniper SRX fxp0 IP: 192.168.10.220
Cisco Gi0/0 IP: 192.168.10.104
Ping the Juniper fxp0 from the Cisco switch.
SW1#ping 192.168.10.220
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.220, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
SW1#
Telnet test - works normally.
SW1#telnet 192.168.10.220
Trying 192.168.10.220 ... Open
login: juniper
Password:
Last login: Thu Jun 20 09:49:37 from 172.16.10.15
--- JUNOS 21.3R1.9 Kernel 64-bit  XEN JNPR-12.1-20210828.6e5b1bf_buil
juniper>
SSH test - works normally.
SW1#ssh -l root 192.168.10.220
Password:
Last login: Sat Jun 22 06:12:39 2024
--- JUNOS 21.3R1.9 Kernel 64-bit  XEN JNPR-12.1-20210828.6e5b1bf_buil
root@:~ #
The Cisco switch currently has IP address 192.168.10.104. Let's configure the security settings so that only 192.168.10.105 can connect to the Juniper SRX.
1. Enter the target IP. If several IPs are to be allowed, enter several entries.
set policy-options prefix-list manager-ip 192.168.10.105/32
2. Create a filter policy using that IP. Only traffic matching all of the following is allowed:
IP: 192.168.10.105
Protocol: tcp
Destination port: telnet https ssh
Everything else is blocked.
set firewall filter manager-ip term accept_manager from prefix-list manager-ip
set firewall filter manager-ip term accept_manager from protocol tcp
set firewall filter manager-ip term accept_manager from destination-port telnet
set firewall filter manager-ip term accept_manager from destination-port https
set firewall filter manager-ip term accept_manager from destination-port ssh
set firewall filter manager-ip term accept_manager then accept
set firewall filter manager-ip term block_non_manager then discard
3. Apply the filter to the MGMT interface fxp0.
set interfaces fxp0 unit 0 family inet filter input manager-ip
commit
Then commit to apply the configuration.
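As an added example (not code from the original post), the small evaluator below models how the stateless Junos filter built in steps 1 to 3 is evaluated on fxp0: terms top to bottom, first match wins, all `from` conditions ANDed, and a term with no `from` matching everything. It also shows a point worth checking before committing: the catch-all discard term drops ICMP and UDP arriving on fxp0 as well, so ping and any replies the SRX expects on that interface (DNS, NTP) are affected. The port numbers behind the Junos keywords and the sample packets are assumed/constructed here.

```python
# Added example, not from the post: evaluator for the page's "manager-ip" filter.
# Port numbers behind the Junos keywords and the sample packets are assumed/constructed.
from ipaddress import ip_address, ip_network

PORTS = {"telnet": 23, "ssh": 22, "https": 443}  # Junos port keywords used by the filter

# Filter "manager-ip" as configured on the page. A term with no "from" clause
# matches everything; terms are evaluated top to bottom and the first match wins.
PREFIX_LISTS = {"manager-ip": [ip_network("192.168.10.105/32")]}
MANAGER_IP_FILTER = [
    {"name": "accept_manager",
     "from": {"prefix-list": "manager-ip", "protocol": {"tcp"},
              "destination-port": {PORTS[p] for p in ("telnet", "https", "ssh")}},
     "then": "accept"},
    {"name": "block_non_manager", "from": {}, "then": "discard"},
]

def term_matches(frm, pkt):
    """Every 'from' condition must hold (AND); each condition is a set of
    alternatives (OR), which is how Junos evaluates match conditions."""
    if "prefix-list" in frm:
        src = ip_address(pkt["src"])
        if not any(src in net for net in PREFIX_LISTS[frm["prefix-list"]]):
            return False
    if "protocol" in frm and pkt["proto"] not in frm["protocol"]:
        return False
    if "destination-port" in frm and pkt.get("dport") not in frm["destination-port"]:
        return False
    return True

def evaluate(filter_terms, pkt):
    """Return (term name, action) for the first matching term."""
    for term in filter_terms:
        if term_matches(term["from"], pkt):
            return term["name"], term["then"]
    return None, "discard"  # implicit discard at the end of a Junos filter

if __name__ == "__main__":
    # Constructed sample packets arriving on fxp0 (192.168.10.220)
    samples = {
        "telnet from allowed host":    {"src": "192.168.10.105", "proto": "tcp", "dport": 23},
        "ssh from old switch IP":      {"src": "192.168.10.104", "proto": "tcp", "dport": 22},
        "https from allowed host":     {"src": "192.168.10.105", "proto": "tcp", "dport": 443},
        "icmp echo from allowed host": {"src": "192.168.10.105", "proto": "icmp"},
        "ntp reply from gateway":      {"src": "192.168.10.253", "proto": "udp", "dport": 123},
    }
    for label, pkt in samples.items():
        print(f"{label:30} -> {evaluate(MANAGER_IP_FILTER, pkt)}")
```

Running it shows that only the three TCP management ports from 192.168.10.105 reach accept_manager; everything else, including the ICMP echo from the allowed host, lands in block_non_manager.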
Cisco Side
Try Telnet. The Telnet connection fails because of the Juniper filter policy.
SW1#telnet 192.168.10.220
Trying 192.168.10.220 ...
% Connection timed out; remote host not responding
SW1#
Try SSH. The SSH connection fails because of the Juniper filter policy.
SW1#ssh -l root 192.168.10.220
SW1#
Change the IP address on the Cisco switch to 192.168.10.105 and try Telnet and SSH again.
SW1(config)#int g0/0
SW1(config-if)#ip add 192.168.10.105 255.255.255.0
SW1(config-if)#no sh
SW1#show ip int brie
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  up                    up
GigabitEthernet0/3     unassigned      YES unset  up                    up
GigabitEthernet0/0     192.168.10.105  YES manual up                    up
GigabitEthernet1/0     unassigned      YES unset  up                    up
GigabitEthernet1/1     unassigned      YES unset  up                    up
GigabitEthernet1/2     unassigned      YES unset  up                    up
GigabitEthernet1/3     unassigned      YES unset  up                    up
SW1#
Telnet attempt - telnet succeeds because the IP is allowed.
SW1#telnet 192.168.10.220
Trying 192.168.10.220 ... Open
login: juniper
Password:
Last login: Sat Jun 22 06:19:21 from 192.168.10.104
--- JUNOS 21.3R1.9 Kernel 64-bit  XEN JNPR-12.1-20210828.6e5b1bf_buil
juniper>
SSH attempt - ssh succeeds because the IP is allowed.
SW1#ssh -l root 192.168.10.220
Password:
Last login: Sat Jun 22 06:20:40 2024 from 192.168.10.104
--- JUNOS 21.3R1.9 Kernel 64-bit  XEN JNPR-12.1-20210828.6e5b1bf_buil
root@:~ #
Thank you for reading [2024][Juniper SRX #10] Administrator access restriction settings for MGMT.