IT BLOG(KR)

안녕하세요.

오늘은 [2025][Juniper SRX #27] Static NAT - One to One NAT 설정해보겠습니다.

User01 - 10.1.1.1 Ge-0/0/0 192.168.10.83를 통해서 SNAT하고

User02 - 10.1.1.2 Ge-0/0/0 192.168.10.83를 통해서 SNAT하고
HTTP SERVER - 20.1.1.1에 static nat를 설정 하겠습니다.

외부에서 DMZ Server에 통신할때 192.168.10.84 -> 20.1.1.1 변경됩니다.

HTTP Server 20.1.1.1 외부로 통신할때 192.168.10.84로 변경 됩니다.

1.SRX01 기본설정 입니다.

1-1 SRX 디폴트로 설정되어진 설정값을 삭제 합니다.

FreeBSD/amd64 (Amnesiac) (ttyu0)

login: root

--- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil
root@:~ # cli
root>

root>

root>

root> configure
Entering configuration mode

[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit

1-2 Interface 설정

set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

1-3 Interface를 Zone에 할당하기. 그리고 system-services all로 설정

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic protocols all
set security zones security-zone dmz interfaces ge-0/0/2.0

1-4 SRX에서 방화벽 정책 설정

set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit

set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any
set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit

set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit

2. HTTP SERVER 설정 - 저는 cisco router를 http enable 해서 http server로 사용하겠습니다

conf t
int g0/0
ip add 20.1.1.1 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 20.1.1.254
ip http server

R1#show
*Feb 14 05:15:18.099: %SYS-5-CONFIG_I: Configured from console by consoleip int brie
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         20.1.1.1        YES manual up                    up
GigabitEthernet0/1         unassigned      YES unset  administratively down down
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
R1#
R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 20.1.1.254 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 20.1.1.254
      20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.1.1.0/24 is directly connected, GigabitEthernet0/0
L        20.1.1.1/32 is directly connected, GigabitEthernet0/0

R1#ping 20.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#

3. User01/ USer02 설정

USER01> ip 10.1.1.1/24 10.1.1.254
Checking for duplicate address...
VPCS : 10.1.1.1 255.255.255.0 gateway 10.1.1.254

USER01 > save
Saving startup configuration to startup.vpc
. done

USER01 >
USER01 > ping 10.1.1.254

84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms
84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms
84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms
84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms
^C
USER01 >

USER02> ip 10.1.1.2/24 10.1.1.254
Checking for duplicate address...
VPCS : 10.1.1.2 255.255.255.0 gateway 10.1.1.254

USER02 > save
Saving startup configuration to startup.vpc
. done

USER02 >
USER02 > ping 10.1.1.254

84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms
84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms
84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms
84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms
^C
USER02 >

PC에서 ping 8.8.8.8 시도

USER01> ping 8.8.8.8

8.8.8.8 icmp_seq=1 timeout
8.8.8.8 icmp_seq=2 timeout
8.8.8.8 icmp_seq=3 timeout
8.8.8.8 icmp_seq=4 timeout

USER02> ping 8.8.8.8

8.8.8.8 icmp_seq=1 timeout
8.8.8.8 icmp_seq=2 timeout
8.8.8.8 icmp_seq=3 timeout
8.8.8.8 icmp_seq=4 timeout

SRX에서 Source NAT (SNAT)가 설정 안되어져 있어서 통신이 불가능 합니다.

SRX에서 SNAT 설정

set security nat source pool source_nat address 192.168.10.84/32
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat pool source_nat

PC에서 다시 확인

USER01> ping 8.8.8.8

84 bytes from 8.8.8.8 icmp_seq=1 ttl=56 time=10.328 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=5.192 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=5.557 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=5.158 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=4.425 ms

USER02> ping 8.8.8.8

84 bytes from 8.8.8.8 icmp_seq=1 ttl=56 time=10.328 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=5.192 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=5.557 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=5.158 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=4.425 ms

방화벽에서 Session 확인하기

root> show security flow session
Session ID: 54102, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.1/54387 --> 8.8.8.8/12;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/12 --> 192.168.10.83/31714;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 54103, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.2/54643 --> 8.8.8.8/8;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/8 --> 192.168.10.83/11101;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 54104, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.1/54643 --> 8.8.8.8/13;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/13 --> 192.168.10.83/8139;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 54105, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.2/54899 --> 8.8.8.8/9;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/9 --> 192.168.10.83/3136;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 54106, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 4, Valid
  In: 10.1.1.1/54899 --> 8.8.8.8/14;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/14 --> 192.168.10.83/13674;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,
Total sessions: 5

DMZ에 20.1.1.1 서버에서 외부로 PING를 시도 합니다.

R1#ping 20.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/7 ms
R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#

제 PC에서도 PING를 시도 합니다.

C:\Users\USER>ping 192.168.10.84

Ping 192.168.10.84 32바이트 데이터 사용:
요청 시간이 만료되었습니다.
요청 시간이 만료되었습니다.
요청 시간이 만료되었습니다.
요청 시간이 만료되었습니다.

192.168.10.84에 대한 Ping 통계:
패킷: 보냄 = 4, 받음 = 0, 손실 = 4 (100% 손실),

One to One NAT ( Static NAT)를 사용 해서 192.168.10.84 <---> 20.1.1.1로 설정합니다.

서버는 외부 통신할때 Source IP 20.1.1.1 -> 192.168.10.84 변경됩니다.

외부에서 DMZ서버랑 통신 할때 Destination IP 192.168.10.84 -> 20.1.1.1 변경 됩니다.

우선 외부 untrust에서 dmz로 통신하기 위해서 방화벽 정책을 설정 합니다.

set security zones security-zone dmz address-book address dmz_server_01 20.1.1.1/32

set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match source-address any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match destination-address dmz_server_01
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match application any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server then permit

그 이유는 SRX에서 Proxy로 IP POOL에 사용하는 IP 주소를 설정 해야지 Ge-0/0/0가 ARP에 대해서 응답합니다.

set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.84

Static NAT 설정

set security nat static rule-set static_nat_01 from zone untrust
set security nat static rule-set static_nat_01 rule auth_server match destination-address 192.168.10.84/32
set security nat static rule-set static_nat_01 rule auth_server then static-nat prefix 20.1.1.1/32

WEB SERVER에서 외부로 PING

R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/6 ms
R1#

내 PC에서 통신 시도

C:\Users\USER>ping 192.168.10.84

Ping 192.168.10.84 32바이트 데이터 사용:
192.168.10.84의 응답: 바이트=32 시간=40ms TTL=253
192.168.10.84의 응답: 바이트=32 시간=163ms TTL=253
192.168.10.84의 응답: 바이트=32 시간=17ms TTL=253
192.168.10.84의 응답: 바이트=32 시간=11ms TTL=253

192.168.10.84에 대한 Ping 통계:
패킷: 보냄 = 4, 받음 = 4, 손실 = 0 (0% 손실),
왕복 시간(밀리초):
최소 = 11ms, 최대 = 163ms, 평균 = 57ms

C:\Users\USER>

내 피시에서 https://192.168.10.84 접속하면 아래처럼 페이지가 열립니다.

SRX session 확인

아래처럼 20.1.1.1은 192.168.10.84로 변환하여 통신하고 있는것을 확인 가능 합니다.

root> show security flow session
Session ID: 57417, Policy name: trust_to_untrust/6, State: Stand-alone, Timeout: 2, Valid
  In: 20.1.1.1/8 --> 8.8.8.8/0;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 100,
  Out: 8.8.8.8/0 --> 192.168.10.84/8;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 100,

Session ID: 57418, Policy name: trust_to_untrust/6, State: Stand-alone, Timeout: 2, Valid
  In: 20.1.1.1/8 --> 8.8.8.8/1;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 100,
  Out: 8.8.8.8/1 --> 192.168.10.84/8;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 100,

제 PC에서 192.168.10.84 통신 했을때, 20.1.1.1로 변경되는것을 확인 가능 합니다.

root> show security flow session
Session ID: 58466, Policy name: untrust_to_dmz_web_server/7, State: Stand-alone, Timeout: 2, Valid
  In: 172.16.10.20/3 --> 192.168.10.84/11434;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60,
  Out: 20.1.1.1/11434 --> 172.16.10.20/3;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 60,

Session ID: 58467, Policy name: untrust_to_dmz_web_server/7, State: Stand-alone, Timeout: 2, Valid
  In: 172.16.10.20/3 --> 192.168.10.84/11436;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60,
  Out: 20.1.1.1/11436 --> 172.16.10.20/3;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 60,

Session ID: 58468, Policy name: untrust_to_dmz_web_server/7, State: Stand-alone, Timeout: 4, Valid
  In: 172.16.10.20/3 --> 192.168.10.84/11438;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60,
  Out: 20.1.1.1/11438 --> 172.16.10.20/3;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 60,
Total sessions: 3

root> show security nat static rule all
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0
Static NAT rule: auth_server            Rule-set: static_nat_01
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : untrust
  Destination addresses      : 192.168.10.84
  Host addresses             : 20.1.1.1
  Netmask                    : 32
  Host routing-instance      : N/A
  Translation hits           : 2083
    Successful sessions      : 2083
  Number of sessions         : 4

root>

Interface 확인

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.10.83/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     10.1.1.254/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     20.1.1.254/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

Routing 확인

root> show route

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:13:56
                    >  to 192.168.10.253 via ge-0/0/0.0
10.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/1.0
10.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/1.0
20.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/2.0
20.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/2.0
192.168.10.0/24    *[Direct/0] 00:13:56
                    >  via ge-0/0/0.0
192.168.10.83/32   *[Local/0] 00:13:56
                       Local via ge-0/0/0.0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:30:41
                       MultiRecv

root>

Security Zone 확인

root> show security zones terse
Zone                        Type
dmz                         Security
trust                       Security
untrust                     Security
junos-host                  Security

root> show security zones

Security zone: dmz
  Zone ID: 10
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/2.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: trust
  Zone ID: 7
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/1.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: untrust
  Zone ID: 8
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: junos-host
  Zone ID: 2
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

방화벽 정책 확인

root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: trust, To zone: dmz
  Policy: trust_to_untrust, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: dmz, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: untrust, To zone: dmz
  Policy: untrust_to_dmz_web_server, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: dmz_server_01
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit

root>

방화벽 Hit Count 확인

root> show security policies hit-count
Logical system: root-logical-system
Index   From zone        To zone           Name           Policy count  Action
1       trust            untrust           trust_to_untrust 1942        Permit
2       trust            dmz               trust_to_untrust 0           Permit
3       untrust          dmz               untrust_to_dmz_web_server 196 Permit
4       dmz              untrust           trust_to_untrust 2010        Permit

Number of policy: 4

root>

방화벽 NAT 확인

root> show security nat source summary
Total port number usage for port translation pool: 64512
Maximum port number for port translation pool: 50331648
Total pools: 1
Pool                 Address                  Routing              PAT  Total
Name                 Range                    Instance                  Address
source_nat           192.168.10.84-192.168.10.84 default           yes  1

Total rules: 1
Rule name          Rule set       From              To                   Action
PAT-INTERFACE      SOURCE-NAT     trust             untrust              interface
                               ^
syntax error, expecting <command>.
root> show security nat source rule all
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0
source NAT rule: PAT-INTERFACE          Rule-set: SOURCE-NAT
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : trust
  To zone                    : untrust
  Match
    Source addresses         : 10.1.1.0        - 10.1.1.255
    Destination addresses    : 0.0.0.0         - 255.255.255.255
  Action                        : interface
    Persistent NAT type         : N/A
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout          : 0
    Max session number          : 0
  Translation hits           : 1942
    Successful sessions      : 1942
  Number of sessions         : 0

root> show security nat static rule all
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0
Static NAT rule: auth_server            Rule-set: static_nat_01
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : untrust
  Destination addresses      : 192.168.10.84
  Host addresses             : 20.1.1.1
  Netmask                    : 32
  Host routing-instance      : N/A
  Translation hits           : 2302
    Successful sessions      : 2302
  Number of sessions         : 5

root>

방화벽 설정값

root> show configuration | display set | no-more
set version 21.3R1.9
set security nat source pool source_nat address 192.168.10.84/32
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface
set security nat static rule-set static_nat_01 from zone untrust
set security nat static rule-set static_nat_01 rule auth_server match destination-address 192.168.10.84/32
set security nat static rule-set static_nat_01 rule auth_server then static-nat prefix 20.1.1.1/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.84/32
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any
set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match source-address any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match destination-address dmz_server_01
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match application any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz address-book address dmz_server_01 20.1.1.1/32
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic protocols all
set security zones security-zone dmz interfaces ge-0/0/2.0
set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

root>

지금까지 [2025][Juniper SRX #26] Source Nat - SNAT - IP Pool 글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2025][Juniper SRX #28] Destination Nat - DNAT (0)	2025.02.16
[2025][Juniper SRX #27] Destination Nat - Port Forwarding (0)	2025.02.16
[2025][Juniper SRX #26] Source Nat - SNAT - IP Pool (0)	2025.02.14
[2025][Juniper SRX #24] site to site vpn - S2S VPN - OSPF (0)	2025.02.07
[2025][Juniper SRX #23] site to site vpn - S2S VPN - static route (0)	2025.02.07

안녕하세요.

오늘은 Juniper SRX에서 Source NAT를 IP Pool에 대해서 설정해보겠습니다.

토폴로지는 아래와 같습니다.

Ge-0/0/0 192.168.10.83 IP를 사용하지 않고, 192.168.10.84 IP를 통해서 Trust / DMZ Traffic를 SNAT하겠습니다.

1.SRX01 기본설정 입니다.

1-1 SRX 디폴트로 설정되어진 설정값을 삭제 합니다.

FreeBSD/amd64 (Amnesiac) (ttyu0)

login: root

--- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil
root@:~ # cli
root>

root>

root>

root> configure
Entering configuration mode

[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit

1-2 Interface 설정

set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

1-3 Interface를 Zone에 할당하기. 그리고 system-services all로 설정

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic protocols all
set security zones security-zone dmz interfaces ge-0/0/2.0

1-4 SRX에서 방화벽 정책 설정

set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit

set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any
set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit

set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit

2. HTTP SERVER 설정 - 저는 cisco router를 http enable 해서 http server로 사용하겠습니다

conf t
int g0/0
ip add 20.1.1.1 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 20.1.1.254
ip http server

R1#show
*Feb 14 05:15:18.099: %SYS-5-CONFIG_I: Configured from console by consoleip int brie
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         20.1.1.1        YES manual up                    up
GigabitEthernet0/1         unassigned      YES unset  administratively down down
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
R1#
R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 20.1.1.254 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 20.1.1.254
      20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.1.1.0/24 is directly connected, GigabitEthernet0/0
L        20.1.1.1/32 is directly connected, GigabitEthernet0/0

R1#ping 20.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#

3. PC 설정

VPCS> ip 10.1.1.1/24 10.1.1.254
Checking for duplicate address...
VPCS : 10.1.1.1 255.255.255.0 gateway 10.1.1.254

VPCS> save
Saving startup configuration to startup.vpc
. done

VPCS>
VPCS> ping 10.1.1.254

84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms
84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms
84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms
84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms
^C
VPCS>

PC에서 ping 8.8.8.8 시도

VPCS> ping 8.8.8.8

8.8.8.8 icmp_seq=1 timeout
8.8.8.8 icmp_seq=2 timeout
8.8.8.8 icmp_seq=3 timeout
8.8.8.8 icmp_seq=4 timeout

SRX에서 Source NAT (SNAT)가 설정 안되어져 있어서 통신이 불가능 합니다.

SRX에서 SNAT 설정

set security nat source pool source_nat address 192.168.10.84/32
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat pool source_nat

PC에서 다시 확인

VPCS> ping 8.8.8.8

8.8.8.8 icmp_seq=621 timeout
8.8.8.8 icmp_seq=622 timeout
8.8.8.8 icmp_seq=623 timeout
8.8.8.8 icmp_seq=624 timeout
8.8.8.8 icmp_seq=625 timeout
8.8.8.8 icmp_seq=626 timeout
8.8.8.8 icmp_seq=627 timeout
8.8.8.8 icmp_seq=628 timeout
8.8.8.8 icmp_seq=629 timeout
8.8.8.8 icmp_seq=630 timeout
8.8.8.8 icmp_seq=631 timeout
8.8.8.8 icmp_seq=632 timeout
VPCS>

그 이유는 SRX에서 Proxy로 IP POOL에 사용하는 IP 주소를 설정 해야지 Ge-0/0/0가 ARP에 대해서 응답합니다.

set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.84

PC에서 다시 8.8.8.8 PING

VPCS> ping 8.8.8.8 -c 1000

8.8.8.8 icmp_seq=1 timeout
84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=2.049 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=1.954 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=2.603 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=2.052 ms
84 bytes from 8.8.8.8 icmp_seq=6 ttl=56 time=2.130 ms
84 bytes from 8.8.8.8 icmp_seq=7 ttl=56 time=2.229 ms
84 bytes from 8.8.8.8 icmp_seq=8 ttl=56 time=2.078 ms
84 bytes from 8.8.8.8 icmp_seq=9 ttl=56 time=2.150 ms
84 bytes from 8.8.8.8 icmp_seq=10 ttl=56 time=2.061 ms
84 bytes from 8.8.8.8 icmp_seq=11 ttl=56 time=2.151 ms
84 bytes from 8.8.8.8 icmp_seq=12 ttl=56 time=2.173 ms
84 bytes from 8.8.8.8 icmp_seq=13 ttl=56 time=2.450 ms
84 bytes from 8.8.8.8 icmp_seq=14 ttl=56 time=2.411 ms
84 bytes from 8.8.8.8 icmp_seq=15 ttl=56 time=2.296 ms
84 bytes from 8.8.8.8 icmp_seq=16 ttl=56 time=2.049 ms
84 bytes from 8.8.8.8 icmp_seq=17 ttl=56 time=2.047 ms
84 bytes from 8.8.8.8 icmp_seq=18 ttl=56 time=2.101 ms

SRX session 확인

root> show security flow session
Session ID: 3402, Policy name: self-traffic-policy/1, State: Stand-alone, Timeout: 2, Valid
  In: 172.16.10.20/1 --> 192.168.10.83/2368;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60,
  Out: 192.168.10.83/2368 --> 172.16.10.20/1;icmp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 60,

Session ID: 3403, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.1/37592 --> 8.8.8.8/64;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/64 --> 192.168.10.84/20216;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 3405, Policy name: self-traffic-policy/1, State: Stand-alone, Timeout: 2, Valid
  In: 172.16.10.20/1 --> 192.168.10.83/2369;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60,
  Out: 192.168.10.83/2369 --> 172.16.10.20/1;icmp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 60,

Session ID: 3406, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.1/37848 --> 8.8.8.8/65;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/65 --> 192.168.10.84/30540;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 3408, Policy name: self-traffic-policy/1, State: Stand-alone, Timeout: 4, Valid
  In: 172.16.10.20/1 --> 192.168.10.83/2370;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60,
  Out: 192.168.10.83/2370 --> 172.16.10.20/1;icmp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 60,

Session ID: 3409, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 4, Valid
  In: 10.1.1.1/38104 --> 8.8.8.8/66;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/66 --> 192.168.10.84/22474;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 3411, Policy name: self-traffic-policy/1, State: Stand-alone, Timeout: 4, Valid
  In: 172.16.10.20/1 --> 192.168.10.83/2371;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60,
  Out: 192.168.10.83/2371 --> 172.16.10.20/1;icmp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 60,
Total sessions: 7

root>

HTTP Server에서 Ping 8.8.8.8 시도

SRX DMZ SNAT 설정이 없어서 실패

R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#

SRX에서 DMZ를 위해서 SNAT설정

set security nat source rule-set SOURCE-NAT from zone dmz
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 20.1.1.0/24

HTTP Server에서 Ping 시도

R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/6 ms
R1#

SRX에서 기본적인 부분 확인 Command

Interface 확인

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.10.83/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     10.1.1.254/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     20.1.1.254/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

Routing 확인

root> show route

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:13:56
                    >  to 192.168.10.253 via ge-0/0/0.0
10.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/1.0
10.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/1.0
20.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/2.0
20.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/2.0
192.168.10.0/24    *[Direct/0] 00:13:56
                    >  via ge-0/0/0.0
192.168.10.83/32   *[Local/0] 00:13:56
                       Local via ge-0/0/0.0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:30:41
                       MultiRecv

root>

Security Zone 확인

root> show security zones terse
Zone                        Type
dmz                         Security
trust                       Security
untrust                     Security
junos-host                  Security

root> show security zones

Security zone: dmz
  Zone ID: 10
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/2.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: trust
  Zone ID: 7
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/1.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: untrust
  Zone ID: 8
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: junos-host
  Zone ID: 2
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

방화벽 정책 확인

root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: trust, To zone: dmz
  Policy: trust_to_untrust, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: dmz, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit

방화벽 Hit Count 확인

root> show security policies hit-count
Logical system: root-logical-system
Index   From zone        To zone           Name           Policy count  Action
1       trust            untrust           trust_to_untrust 15          Permit
2       trust            dmz               trust_to_untrust 0           Permit
3       dmz              untrust           trust_to_untrust 10          Permit

Number of policy: 3

root>

방화벽 NAT 확인

root> show security nat source summary
Total pools: 0

Total rules: 1
Rule name          Rule set       From              To                   Action
PAT-INTERFACE      SOURCE-NAT     dmz               untrust              interface
PAT-INTERFACE                     trust

root> show security nat source rule all
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 3/0
source NAT rule: PAT-INTERFACE          Rule-set: SOURCE-NAT
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : dmz
                             : trust
  To zone                    : untrust
  Match
    Source addresses         : 10.1.1.0        - 10.1.1.255
                               20.1.1.0        - 20.1.1.255
    Destination addresses    : 0.0.0.0         - 255.255.255.255
  Action                        : interface
    Persistent NAT type         : N/A
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout          : 0
    Max session number          : 0
  Translation hits           : 10
    Successful sessions      : 10
  Number of sessions         : 0

방화벽 설정값

root> show configuration | display set | no-more
set version 21.3R1.9
set system root-authentication encrypted-password "$6$foWa5m5j$QTNzAZvC.AJNs4b9yJq/18Qp038uo2x6rPM/imUQn/M3hFIJsz5FxlOXdwq6iS2UG12O3SIpFdTzZBYi4wmkY1"
set security nat source pool source_nat address 192.168.10.84/32
set security nat source rule-set SOURCE-NAT from zone dmz
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 20.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat pool source_nat
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.84/32
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any
set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic protocols all
set security zones security-zone dmz interfaces ge-0/0/2.0
set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

root>

지금까지 [2025][Juniper SRX #26] Source Nat - SNAT - IP Pool 글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2025][Juniper SRX #27] Destination Nat - Port Forwarding (0)	2025.02.16
[2025][Juniper SRX #27] Static NAT - One to One NAT (0)	2025.02.14
[2025][Juniper SRX #24] site to site vpn - S2S VPN - OSPF (0)	2025.02.07
[2025][Juniper SRX #23] site to site vpn - S2S VPN - static route (0)	2025.02.07
[2025][Juniper SRX #22] site to site vpn - S2S VPN - 기본 설정 (0)	2025.02.07

안녕하세요.

오늘은 Juniper SRX에서 Source NAT에 대해서 설정해보겠습니다.

토폴로지는 아래와 같습니다.

1.SRX01 기본설정 입니다.

1-1 SRX 디폴트로 설정되어진 설정값을 삭제 합니다.

FreeBSD/amd64 (Amnesiac) (ttyu0)

login: root

--- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil
root@:~ # cli
root>

root>

root>

root> configure
Entering configuration mode

[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit

1-2 Interface 설정

set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

1-3 Interface를 Zone에 할당하기. 그리고 system-services all로 설정

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic protocols all
set security zones security-zone dmz interfaces ge-0/0/2.0

1-4 SRX에서 방화벽 정책 설정

set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit

set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any
set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit

set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit

2. HTTP SERVER 설정 - 저는 cisco router를 http enable 해서 http server로 사용하겠습니다

conf t
int g0/0
ip add 20.1.1.1 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 20.1.1.254
ip http server

R1#show
*Feb 14 05:15:18.099: %SYS-5-CONFIG_I: Configured from console by consoleip int brie
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         20.1.1.1        YES manual up                    up
GigabitEthernet0/1         unassigned      YES unset  administratively down down
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
R1#
R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 20.1.1.254 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 20.1.1.254
      20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.1.1.0/24 is directly connected, GigabitEthernet0/0
L        20.1.1.1/32 is directly connected, GigabitEthernet0/0

R1#ping 20.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#

3. PC 설정

VPCS> ip 10.1.1.1/24 10.1.1.254
Checking for duplicate address...
VPCS : 10.1.1.1 255.255.255.0 gateway 10.1.1.254

VPCS> save
Saving startup configuration to startup.vpc
. done

VPCS>
VPCS> ping 10.1.1.254

84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms
84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms
84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms
84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms
^C
VPCS>

PC에서 ping 8.8.8.8 시도

VPCS> ping 8.8.8.8

8.8.8.8 icmp_seq=1 timeout
8.8.8.8 icmp_seq=2 timeout
8.8.8.8 icmp_seq=3 timeout
8.8.8.8 icmp_seq=4 timeout

SRX에서 Source NAT (SNAT)가 설정 안되어져 있어서 통신이 불가능 합니다.

SRX에서 SNAT 설정

set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface

PC에서 다시 확인

VPCS> ping 8.8.8.8

84 bytes from 8.8.8.8 icmp_seq=1 ttl=56 time=23.166 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=2.255 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=1.980 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=2.337 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=2.088 ms
^C
VPCS>

HTTP Server에서 Ping 8.8.8.8 시도

SRX DMZ SNAT 설정이 없어서 실패

R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#

SRX에서 DMZ를 위해서 SNAT설정

set security nat source rule-set SOURCE-NAT from zone dmz
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 20.1.1.0/24

HTTP Server에서 Ping 시도

R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/6 ms
R1#

SRX에서 기본적인 부분 확인 Command

Interface 확인

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.10.83/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     10.1.1.254/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     20.1.1.254/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

Routing 확인

root> show route

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:13:56
                    >  to 192.168.10.253 via ge-0/0/0.0
10.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/1.0
10.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/1.0
20.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/2.0
20.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/2.0
192.168.10.0/24    *[Direct/0] 00:13:56
                    >  via ge-0/0/0.0
192.168.10.83/32   *[Local/0] 00:13:56
                       Local via ge-0/0/0.0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:30:41
                       MultiRecv

root>

Security Zone 확인

root> show security zones terse
Zone                        Type
dmz                         Security
trust                       Security
untrust                     Security
junos-host                  Security

root> show security zones

Security zone: dmz
  Zone ID: 10
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/2.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: trust
  Zone ID: 7
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/1.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: untrust
  Zone ID: 8
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: junos-host
  Zone ID: 2
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

방화벽 정책 확인

root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: trust, To zone: dmz
  Policy: trust_to_untrust, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: dmz, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit

방화벽 Hit Count 확인

root> show security policies hit-count
Logical system: root-logical-system
Index   From zone        To zone           Name           Policy count  Action
1       trust            untrust           trust_to_untrust 15          Permit
2       trust            dmz               trust_to_untrust 0           Permit
3       dmz              untrust           trust_to_untrust 10          Permit

Number of policy: 3

root>

방화벽 NAT 확인

root> show security nat source summary
Total pools: 0

Total rules: 1
Rule name          Rule set       From              To                   Action
PAT-INTERFACE      SOURCE-NAT     dmz               untrust              interface
PAT-INTERFACE                     trust

root> show security nat source rule all
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 3/0
source NAT rule: PAT-INTERFACE          Rule-set: SOURCE-NAT
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : dmz
                             : trust
  To zone                    : untrust
  Match
    Source addresses         : 10.1.1.0        - 10.1.1.255
                               20.1.1.0        - 20.1.1.255
    Destination addresses    : 0.0.0.0         - 255.255.255.255
  Action                        : interface
    Persistent NAT type         : N/A
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout          : 0
    Max session number          : 0
  Translation hits           : 10
    Successful sessions      : 10
  Number of sessions         : 0

방화벽 설정값

root> show configuration | display set | no-more
set version 21.3R1.9
set security nat source rule-set SOURCE-NAT from zone dmz
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 20.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any
set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic protocols all
set security zones security-zone dmz interfaces ge-0/0/2.0
set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

root>

지금까지 [2025][Juniper SRX #25] Source Nat - SNAT 글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

안녕하세요.

오늘은 PNETLab에서 CheckPoint Firewall를 설치해보겠습니다.

PNETLab VMware를 실행 합니다.

설치 방법은 아래 글을 참고 부탁드립니다.

https://itblog-kr.tistory.com/122

[PNETLab][#1]- Installation on VMware workstation

안녕하세요. EVE-NG Community 무료 버전을 사용하고 있는데, SDWAN 테스트 할때 Jitter, Delay등등을 테스트 하기 위해서는 EVE-NG PRO로 업그레이드 해야 합니다. 그래서 이번에 PNETLab를 설치 하고 안

itblog-kr.tistory.com

1. Putty를 통해서 PNETLab에 접속 합니다.

IP주소는 위에 참고해서 접속 합니다.

2. ishare2 search cpsg검색합니다.

ishare로는 검색이 되지 않습니다.

ishare2를 설치 해야 합니다.

아래 글을 참고 부탁드립니다.

https://itblog-kr.tistory.com/123

[PNETLab][#2]- ishare command

안녕하세요. 오늘은 PNETLab에 ishare command에 대해서 알아보겠습니다.EVE-NG는 시뮬레이션 이미지를 직접 다운로드 받아서 EVE-NG에 업로드 해야합니다.하지만 PNETLab는 자체적으로 시뮬레이션 이미

itblog-kr.tistory.com

root@pnetlab:~# ishare2 search cpsg
=============================
    Available QEMU images
=============================
ID   NAME                      SIZE
--   ----                      ----
201  cpsg-R77-20 (checkpoint)  4.0 GiB
202  cpsg-R80-20M1_T14         3.9 GiB
203  cpsg-R80-40               7.4 GiB
204  cpsg-R81                  5.5 GiB
205  cpsg-R81.10               8.1 GiB
206  cpsg-R81.10               5.7 GiB
207  cpsg-R81.20-Licensed      4.9 GiB
208  cpsg2-R81.20-Licensed     4.7 GiB

8 QEMU images found for the term: "cpsg"

============================
    Available IOL images
============================
ID  NAME  SIZE
--  ----  ----

No IOL images found for the term: "cpsg"

=================================
    Available DYNAMIPS images
=================================
ID  NAME  SIZE
--  ----  ----

No DYNAMIPS images found for the term: "cpsg"

root@pnetlab:~#

3. CheckPoint Firewall 설치

root@pnetlab:~# ishare2 pull qemu 202
[!] IMAGE INFO
- Image Name       : cpsg-R80-20M1_T14
- Image Size       : 3.9 GiB
- Image Type       : QEMU
- Image ID         : 202
- Image path       : /opt/unetlab/addons/qemu/cpsg-R80-20M1_T14
- Using host       : https://drive.labhub.eu.org
[!] DOWNLOADING IMAGE
/opt/unetlab/addons 100%[===================>]   3.92G  6.78MB/s    in 14m 17s
[+] DOWNLOAD COMPLETED!
[-] Fixing permissions...

[+] Fix permissions command has been executed correctly
root@pnetlab:~#

3. https://192.168.40.250 접속 하고 아래 버튼을 클릭 합니다.

4. 아래 정보를 입력하고 Add버튼을 클릭 합니다. CheckPoint Test 그리고 Savve 버튼을 클릭 합니다.

5. 오른쪽 마우스를 클릭 후 Node를 클릭 합니다.

6. CheckPoint Security Gateay VE 선택합니다.

7. Save버튼을 클릭 합니다.

8. Network를 클릭 합니다.

9. save버튼을 클릭 합니다.

10. 아래처럼 연결하고 start버튼을 클릭 합니다.

11. 아이콘을 더블클릭 하면 아래처럼 putty 또는 CRT가 실행 됩니다.

저작자표시 (새창열림)

'PNETlab' 카테고리의 다른 글

[PNETLab][#10]- PNETLab Upgrade (0)	2025.02.18
[PNETLab][#9]- Cisco Catalyst 8000v install (0)	2025.02.15
[PNETLab][#7]-Aruba Mobility Controller Install (0)	2025.02.13
[PNETLab][#6]-Aruba CX Switch Install (0)	2025.02.13
[PNETLab][#5]-Aruba ClearPass Install (0)	2025.02.10

안녕하세요.

오늘은 PNETLab에서 Aruba Mobility Controller 설치해보겠습니다.

PNETLab VMware를 실행 합니다.

설치 방법은 아래 글을 참고 부탁드립니다.

https://itblog-kr.tistory.com/122

[PNETLab][#1]- Installation on VMware workstation

안녕하세요. EVE-NG Community 무료 버전을 사용하고 있는데, SDWAN 테스트 할때 Jitter, Delay등등을 테스트 하기 위해서는 EVE-NG PRO로 업그레이드 해야 합니다. 그래서 이번에 PNETLab를 설치 하고 안

itblog-kr.tistory.com

1. Putty를 통해서 PNETLab에 접속 합니다.

IP주소는 위에 참고해서 접속 합니다.

2. ishare2 search VMC검색합니다.

ishare로는 검색이 되지 않습니다.

ishare2를 설치 해야 합니다.

아래 글을 참고 부탁드립니다.

https://itblog-kr.tistory.com/123

[PNETLab][#2]- ishare command

안녕하세요. 오늘은 PNETLab에 ishare command에 대해서 알아보겠습니다.EVE-NG는 시뮬레이션 이미지를 직접 다운로드 받아서 EVE-NG에 업로드 해야합니다.하지만 PNETLab는 자체적으로 시뮬레이션 이미

itblog-kr.tistory.com

root@pnetlab:~# ishare2 search VMC
=============================
    Available QEMU images
=============================
ID  NAME                      SIZE
--  ----                      ----
59  aruba-VMC-8.5.0.13_80140  238.9 MiB
60  aruba-VMC-8.6.0.4-74969   246.3 MiB
61  aruba-VMC-8.8.0.1_80393   257.1 MiB
62  aruba-VMC-8.8.0.1_80393   206.5 MiB
63  aruba-VMC_8.3.0.3         726.0 MiB
64  aruba-VMC_8.4.0.3         238.7 MiB

6 QEMU images found for the term: "VMC"

============================
    Available IOL images
============================
ID  NAME  SIZE
--  ----  ----

No IOL images found for the term: "VMC"

=================================
    Available DYNAMIPS images
=================================
ID  NAME  SIZE
--  ----  ----

No DYNAMIPS images found for the term: "VMC"

root@pnetlab:~#

3. Aruba VMC 설치

root@pnetlab:~# ishare2 pull qemu 61
[!] IMAGE INFO
- Image Name       : aruba-VMC-8.8.0.1_80393
- Image Size       : 257.1 MiB
- Image Type       : QEMU
- Image ID         : 61
- Image path       : /opt/unetlab/addons/qemu/aruba-VMC-8.8.0.1_80393
- Using host       : https://drive.labhub.eu.org
[!] DOWNLOADING IMAGE
/opt/unetlab/addons/qemu/ 100%[====================================>] 237.56M  8.24MB/s    in 28s
/opt/unetlab/addons/qemu/ 100%[====================================>]  19.50M  6.03MB/s    in 3.5s
[+] DOWNLOAD COMPLETED!
[-] Fixing permissions...

[+] Fix permissions command has been executed correctly
root@pnetlab:~#

3. https://192.168.40.250 접속 하고 아래 버튼을 클릭 합니다.

4. 아래 정보를 입력하고 Add버튼을 클릭 합니다.

5. 오른쪽 마우스를 클릭 후 Node를 클릭 합니다.

6. Aruba WIFI Controller 선택합니다.

7. Save버튼을 클릭 합니다.

8. Network를 클릭 합니다.

9. save버튼을 클릭 합니다.

10. 아래처럼 연결하고 start버튼을 클릭 합니다.

부팅이 완료 될때까지 기다립니다.

그리고 기본적은 설정을 합니다.

Yes를 입력하면 재부팅이 됩니다.

부팅이 완료 될때까지 기다립니다.

https://192.168.10.88

로그인 정보를 입력 합니다.

지금까지 [PNETLab][#7]-Aruba Mobility Controller Install 글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

'PNETlab' 카테고리의 다른 글

[PNETLab][#9]- Cisco Catalyst 8000v install (0)	2025.02.15
[PNETLab][#8]-CheckPoint Firewall Install (0)	2025.02.13
[PNETLab][#6]-Aruba CX Switch Install (0)	2025.02.13
[PNETLab][#5]-Aruba ClearPass Install (0)	2025.02.10
[PNETLab][#4]- Arista vEOS Switch Install (0)	2025.02.03

안녕하세요.

오늘은 PNETLab에서 Aruba CX Switch를 설치해보겠습니다.

PNETLab VMware를 실행 합니다.

설치 방법은 아래 글을 참고 부탁드립니다.

https://itblog-kr.tistory.com/122

[PNETLab][#1]- Installation on VMware workstation

안녕하세요. EVE-NG Community 무료 버전을 사용하고 있는데, SDWAN 테스트 할때 Jitter, Delay등등을 테스트 하기 위해서는 EVE-NG PRO로 업그레이드 해야 합니다. 그래서 이번에 PNETLab를 설치 하고 안

itblog-kr.tistory.com

1. Putty를 통해서 PNETLab에 접속 합니다.

IP주소는 위에 참고해서 접속 합니다.

2. ishare2 search arubacx 검색합니다.

ishare로는 검색이 되지 않습니다.

ishare2를 설치 해야 합니다.

아래 글을 참고 부탁드립니다.

https://itblog-kr.tistory.com/123

[PNETLab][#2]- ishare command

안녕하세요. 오늘은 PNETLab에 ishare command에 대해서 알아보겠습니다.EVE-NG는 시뮬레이션 이미지를 직접 다운로드 받아서 EVE-NG에 업로드 해야합니다.하지만 PNETLab는 자체적으로 시뮬레이션 이미

itblog-kr.tistory.com

root@pnetlab:~# ishare2 search arubacx
┌────────────────────────────────────────────────────────────────┐
│ MOTD from the ishare2 team:                                    │
│ Changelog:                                                     │
│ - Fixed bug when doing integrity checks againts qemu images.   │
│                                                                │
│ Telegram: https://t.me/NetLabHub │
│ Donate: https://buymeacoffee.com/sudoalex │
│ GitHub: https://github.com/ishare2-org/ishare2-cli │
└────────────────────────────────────────────────────────────────┘
=============================
    Available QEMU images
=============================
ID  NAME           SIZE
--  ----           ----
65  arubacx-10.03  882.9 MiB
66  arubacx-10.04  1013.9 MiB
67  arubacx-10.04  329.7 MiB
68  arubacx-10.05  350.6 MiB
69  arubacx-10.07  1.4 GiB
70  arubacx-10.07  483.7 MiB

6 QEMU images found for the term: "arubacx"

============================
    Available IOL images
============================
ID  NAME  SIZE
--  ----  ----

No IOL images found for the term: "arubacx"

=================================
    Available DYNAMIPS images
=================================
ID  NAME  SIZE
--  ----  ----

No DYNAMIPS images found for the term: "arubacx"

3. Aruba CX Switch 설치

root@pnetlab:~# ishare2 pull qemu 69
[!] IMAGE INFO
- Image Name       : arubacx-10.07
- Image Size       : 1.4 GiB
- Image Type       : QEMU
- Image ID         : 69
- Image path       : /opt/unetlab/addons/qemu/arubacx-10.07
- Using host       : https://drive.labhub.eu.org
/opt/unetlab/addons/qemu/arubacx-10.07/virt 100%[========================================================================================>]   1.40G  1.15MB/s    in 20m 55s
[+] DOWNLOAD COMPLETED!
[-] Fixing permissions...

[+] Fix permissions command has been executed correctly
root@pnetlab:~#

3. https://192.168.40.250 접속 하고 아래 버튼을 클릭 합니다.

4. 아래 정보를 입력하고 Add버튼을 클릭 합니다.

5. 오른쪽 마우스를 클릭 후 Node를 클릭 합니다.

6. Aruba OS-CX Virtual Switch 선택합니다.

7. Save버튼을 클릭 합니다.

8. 장비를 부팅 합니다.

10. 디폴트 로그인 정보입니다.

user: admin

password: no password

switch login: admin
Password:

Please configure the 'admin' user account password.
Enter new password: *************
Confirm new password: *************
switch#

switch# show
  aaa                    Authentication, Authorization and Accounting
  access-list            Access control list (ACL)
  accounting             Show local accounting information
  active-gateway         Show active gateway settings
  alias                  Short names configured for a set of commands
  arp                    Show IPv4 addresses from neighbor table
  aruba-central          Configure Aruba-Central
  banner                 Show one of the configured system banners
  bfd                    Show BFD information
  bgp                    BGP specific commands
  bluetooth              Display information about Bluetooth wireless
                         management
  boot-history           Display boot history details
  capacities             Show system capacities and their values
  capacities-status      Show system capacities status and their values
  cdp                    Show various CDP settings
  checkpoint             Checkpoint information
  class                  Show Class configuration
  clock                  Show system date, time, and timezone settings
  configuration-lockout  Show REST Lockout configuration
  copp-policy            Control Plane Policing (CoPP) policy
  core-dump              Display core-dump list for current boot
  crypto                 Display crypto related features and settings
  debug                  Display currently active debug log destinations and
                         types
  dhcp                   Dynamic Host Configuration Protocol
  dhcp-relay             Show DHCP relay configuration
  dhcp-server            Show DHCP server configuration
  dhcpv4-snooping        Show DHCPv4-Snooping configuration
  dhcpv6-relay           Show DHCPv6 relay configuration
  dhcpv6-server          Show DHCP V6 server configuration
  dhcpv6-snooping        Show DHCPv6-Snooping configuration
  domain-name            Display domain name
  environment            Display system environment status information
  events                 Display all event logs
  evpn                   EVPN sub-address family
  external-storage       Show info for one external storage volume or all if
                         none specified
  history                Show previously entered commands
  hostname               Display hostname
  https-server           HTTPS Server Configuration
  interface              Interface information
  ip                     IP information
  ip-sla                 IP SLA
  ipv4                   IPv4 information
  ipv6                   IPv6 information
  keychain               Keychain information
  lacp                   Show various LACP settings
  lag                    Show LAG interface information
  lldp                   Show various LLDP settings
  logging                Display all event logs
  logrotate              Show logrotate config parameters
  loop-protect           Show loop protection status for all ports with loop
                         protection enabled
  mac-address-table      Show Layer 2 MAC address table information
  macsec                 Show MACsec information
  mirror                 Show Mirroring configuration
  mka                    Show MKA information
  mvrp                   Show MVRP settings and status
  nae-agent              NAE Agent details
  nae-script             NAE Script details
  nd-snooping            Show ND Snooping configuration
  ntp                    Show NTP information
  object-group           Object Group
  password-complexity    Show password complexity enforcement
  pbr                    Show Policy Based Routing (PBR) information
  pbr-action-list        Show Policy Based Routing (PBR) action list
                         configuration information
  policy                 Classifier policy
  port-access            Show Port Access information
  power-over-ethernet    Show Power over Ethernet (PoE) information
  qos                    Show QoS Configuration
  radius                 RADIUS Client configuration
  radius-server          Show RADIUS server configuration
  resources              Show line module resource information
  rmon                   Show RMON alarm configurations
  route-map              Display all Route-map
  router                 Routing Information
  running-config         Current running configuration
  service                Show service information
  session-timeout        Idle session timeout in minutes
  sflow                  sFlow configuration
  snmp                   SNMP configuration
  snmpv3                 SNMP version 3 configurations
  spanning-tree          Show spanning tree information
  ssh                    Show SSH configuration
  startup-config         Contents of startup configuration
  system                 System information
  tacacs-server          Show TACACS server configuration
  tech                   Display output of a predefined command sequence used
                         by technical support
  terminal-monitor       Displays Terminal-monitor status
  tls                    Display the state of TLS settings
  track                  Track information
  ubt                    User Based Tunnel configuration
  udld                   Show UDLD information
  upgrade                Show upgrade information
  uptime                 Show the elapsed time since the device was booted
  usb                    USB storage device settings
  user                   Show user information
  user-group             Local user group to be displayed
  user-list              Displays the list of local users
  version                Displays switch version
  vlan                   Show VLAN configuration
  vrf                    VRF Configuration
  vrrp                   VRRP information
  vsx                    Show various VSX settings
  ztp                    Zero Touch Provisioning
switch# show
% Command incomplete.
switch#

지금까지 [PNETLab][#6]-Aruba CX Switch Install 글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

'PNETlab' 카테고리의 다른 글

[PNETLab][#8]-CheckPoint Firewall Install (0)	2025.02.13
[PNETLab][#7]-Aruba Mobility Controller Install (0)	2025.02.13
[PNETLab][#5]-Aruba ClearPass Install (0)	2025.02.10
[PNETLab][#4]- Arista vEOS Switch Install (0)	2025.02.03
[PNETLab][#2]- ishare command (0)	2024.12.27

안녕하세요.

오늘은 C8200라우터는 smart licensing using policy 모드를 사용 합니다.

IOS XE버전별로 License 동작하는 방식이 다릅니다.

IOS XE Release	Platform Requirements	CUBE Licensing
16.6.1 to 16.9.x	Smart Licensing mode is optional	RTU licensing only
16.10.x	Smart Licensing mode only	RTU licensing only
16.11.1a to 17.1.x	Smart Licensing mode only Continued registration is required to enable CUBE features	Smart Licensing only* Trunk license requests are set by manual configuration No license policing if out of compliance SIP processing disabled in the 'Eval-Expired' state
17.2.1r to 17.3.1a	Smart Licensing mode only Continued registration is required in order to enable CUBE features	Smart Licensing only* Trunk license requests are set dynamically by usage No license policing if out of compliance SIP processing disabled in the 'Eval-Expired' state
17.3.2 onwards	Smart Licensing with the use of Policy mode only License use must be reported within the account policy to enable CUBE features	Smart Licensing only* Trunk license use is measured periodically and reported as per the Smart Account policy In accordance with policy, license policing reports are not acknowledged (SIP processing is disabled otherwise)

Step Summary

conf t

license boot level network-essentials

interface GigabitEthernet 0/0/0

ip add [IP address] [subnet] or ip add dhcp

no shutdown

exit

ip name-server 8.8.8.8

ip domain lookup source-interface GigabitEthernet 0/0/0

ip http client source-interface GigabitEthernet 0/0/0

license smart transport smart

license smart url default

ip route 0.0.0.0 0.0.0.0 [nexthop] if dhcp no need ip route command

end

show run

show ip int brie

show ip route

확인 후 저장 그리고 재부팅

write memory

reload

1. show version를 통해서 IOS XE버전을 확인 합니다.

2. 기본 설정을 합니다.

conf t
license boot level network-essentials
interface GigabitEthernet 0/0/0
ip add dhcp
no shutdown
exit
ip name-server 8.8.8.8
ip domain lookup source-interface GigabitEthernet 0/0/0
ip http client source-interface GigabitEthernet 0/0/0
license smart transport smart
license smart url default

3. 인터페이스 상태 확인 라우팅 상태 확인

그리고 외부 통신 확인

Router#show ip int brie
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   172.20.10.3     YES DHCP   up                    up
GigabitEthernet0/0/1   unassigned      YES unset  administratively down down
GigabitEthernet0/0/2   unassigned      YES unset  administratively down down
GigabitEthernet0/0/3   unassigned      YES unset  administratively down down

Router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
       & - replicated local route overrides by connected

Gateway of last resort is 172.20.10.1 to network 0.0.0.0

S*    0.0.0.0/0 [254/0] via 172.20.10.1
      172.20.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.20.10.0/28 is directly connected, GigabitEthernet0/0/0
L        172.20.10.3/32 is directly connected, GigabitEthernet0/0/0
Router#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!

4. 저장후 재부팅

wr
reload

5. Cisco CSSM에서 Idtoken를 생성 합니다.

cisco CSSM에서 Idtoken를 복사합니다.

ODVkNDkyYmUtNzc4MS00OWZiLWEzMzMtZTY2YmZhYTQxNjA5LTE3NDEzMzc2%0AMDYzNzN8L0pjaVh0K09pT3J1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

license smart trust idtoken ODVkNDkyYmUtNzc4MS00OWZiLWEzMzMtZTY2YmZhYTQxNjA5LTE3NDEzMzc2%0AMDYzNzN8L0pjaVh0K09pT3J1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX all force　

Router#
*Feb 13 01:38:52.352: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named SLA-KeyPair has been generated or imported by crypto-engine
*Feb 13 01:38:52.414: %PKI-6-CONFIGAUTOSAVE: Running configuration saved to NVRAM[OK]
*Feb 13 01:38:55.470: %SYS-6-PRIVCFG_ENCRYPT_SUCCESS: Successfully encrypted private config file
*Feb 13 01:38:55.493: %CRYPTO_SL_TP_LEVELS-6-VAR_NEW_VALUE: Setting crypto bidir throughput to: 10000 kbps
*Feb 13 01:38:58.298: %SMART_LIC-6-TRUST_INSTALL_SUCCESS: A new licensing trust code was successfully installed on P:C8200L-1N-4T,XXXXXXXXXXX
Router#

정상적으로 등록 되면 위에처럼 표시 됩니다.

6. License를 확인 합니다.

아래처럼 SA/VA에 고객사 정보가 확인 되면 정상적으로 등록 된것입니다.

Router#show license summary
Account Information:
  Smart Account: 고객사 정보 확인 가능
  Virtual Account: XXXXX

License Usage:
  License                 Entitlement Tag               Count Status
  -----------------------------------------------------------------------------
  network-essentials_10M  (ESR_P_10M_E)                     1 IN USE
  Router US Export Lic... (DNA_HSEC)                        0 NOT IN USE

또는 아래 명령어도 주로 사용 됩니다.

Router#show license status
Utility:
  Status: DISABLED

Smart Licensing Using Policy:
  Status: ENABLED

Account Information:
  Smart Account: 고객사 정보
  Virtual Account: XXXXX

Data Privacy:
  Sending Hostname: yes
    Callhome hostname privacy: DISABLED
    Smart Licensing hostname privacy: DISABLED
  Version privacy: DISABLED

Transport:
  Type: Smart
  URL: https://smartreceiver.cisco.com/licservice/license
  Proxy:
    Not Configured
  VRF: <empty>

Policy:
  Policy in use: Merged from multiple sources.
  Reporting ACK required: yes (CISCO default)
  Unenforced/Non-Export Perpetual Attributes:
    First report requirement (days): 365 (CISCO default)
    Reporting frequency (days): 0 (CISCO default)
    Report on change (days): 90 (CISCO default)
  Unenforced/Non-Export Subscription Attributes:
    First report requirement (days): 90 (CISCO default)
    Reporting frequency (days): 90 (CISCO default)
    Report on change (days): 90 (CISCO default)
  Enforced (Perpetual/Subscription) License Attributes:
    First report requirement (days): 0 (CISCO default)
    Reporting frequency (days): 0 (CISCO default)
    Report on change (days): 0 (CISCO default)
  Export (Perpetual/Subscription) License Attributes:
    First report requirement (days): 0 (CISCO default)
    Reporting frequency (days): 0 (CISCO default)
    Report on change (days): 0 (CISCO default)

Miscellaneous:
  Custom Id: <empty>

Usage Reporting:
  Last ACK received: <none>
  Next ACK deadline: Feb 13 01:31:19 2026 UTC
  Reporting push interval: 0 (no reporting)
  Next ACK push check: Feb 13 02:09:10 2025 UTC
  Next report push: <none>
  Last report push: Feb 13 01:39:08 2025 UTC
  Last report file write: <none>

Trust Code Installed: Feb 13 01:38:58 2025 UTC

Router#

지금까지 [2025][C8200][#2] Register License to CSSM - smart licensing using policy 글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

'CISCO > 라우팅' 카테고리의 다른 글

[2025][C8200][#3] Reset Smart license (0)	2025.03.04
[2025][C8200][#1] Router IOS XE upgrade (0)	2025.02.10
[ISR4221]-Performance License Install(SLR) (0)	2024.07.30
[ISR4221]-Cisco Router IOS Upgrade (2)	2024.07.29

안녕하세요.

오늘은 PNETLab에서 Aruba ClearPass를 설치해보겠습니다.

PNETLab VMware를 실행 합니다.

설치 방법은 아래 글을 참고 부탁드립니다.

https://itblog-kr.tistory.com/122

[PNETLab][#1]- Installation on VMware workstation

안녕하세요. EVE-NG Community 무료 버전을 사용하고 있는데, SDWAN 테스트 할때 Jitter, Delay등등을 테스트 하기 위해서는 EVE-NG PRO로 업그레이드 해야 합니다. 그래서 이번에 PNETLab를 설치 하고 안

itblog-kr.tistory.com

1. Putty를 통해서 PNETLab에 접속 합니다.

IP주소는 위에 참고해서 접속 합니다.

2. ishare2 search clearpass 검색합니다.

ishare로는 검색이 되지 않습니다.

ishare2를 설치 해야 합니다.

아래 글을 참고 부탁드립니다.

https://itblog-kr.tistory.com/123

[PNETLab][#2]- ishare command

안녕하세요. 오늘은 PNETLab에 ishare command에 대해서 알아보겠습니다.EVE-NG는 시뮬레이션 이미지를 직접 다운로드 받아서 EVE-NG에 업로드 해야합니다.하지만 PNETLab는 자체적으로 시뮬레이션 이미

itblog-kr.tistory.com

root@pnetlab:~# ishare2 search clearpass
=============================
    Available QEMU images
=============================
ID   NAME                   SIZE
--   ----                   ----
192  clearpass-6.4.0.66263  10.8 GiB
193  clearpass-6.4.0.66263  10.8 GiB
194  clearpass-6.8.0        2.9 GiB

3 QEMU images found for the term: "clearpass"

============================
    Available IOL images
============================
ID  NAME  SIZE
--  ----  ----

No IOL images found for the term: "clearpass"

=================================
    Available DYNAMIPS images
=================================
ID  NAME  SIZE
--  ----  ----

No DYNAMIPS images found for the term: "clearpass"

root@pnetlab:~#

3. Aruba Classpass 설치

root@pnetlab:~# ishare2 pull qemu 194
[!] IMAGE INFO
- Image Name       : clearpass-6.8.0
- Image Size       : 2.9 GiB
- Image Type       : QEMU
- Image ID         : 194
- Image path       : /opt/unetlab/addons/qemu/clearpass-6.8.0
- Using host       : https://drive.labhub.eu.org
[!] DOWNLOADING IMAGE
/opt/unetlab/addons 100%[===================>]   2.86G   497KB/s    in 87m 5s
[+] DOWNLOAD COMPLETED!
[-] Extracting: clearpass-6.8.0.tgz file...
[+] Extracted: /opt/unetlab/addons/qemu/clearpass-6.8.0. Image ready to use.
[-] Fixing permissions...

[+] Fix permissions command has been executed correctly
root@pnetlab:~#

3. https://192.168.40.250 접속 하고 아래 버튼을 클릭 합니다.

4. 아래 정보를 입력하고 Add버튼을 클릭 합니다.

5. 오른쪽 마우스를 클릭 후 Node를 클릭 합니다.

6. Aruba ClearPass 선택합니다.

7. Save버튼을 클릭 합니다.

8. Network를 클릭 합니다.

9. save버튼을 클릭 합니다.

10. 아래처럼 연결하고 start버튼을 클릭 합니다.

11. Lab용이기 때문에, 1번을 선택하고 엔터를 누릅니다.

Y를 선택 합니다.

Y를 선택 합니다.

Y선택 합니다.

부팅이 완료 될때까지 기다립니다.

엔터를 클릭 합니다.

12. 디폴트 Username 그리고 Password

user: appadmin

password: eTIPS123

13. 아래처럼 기본 설정을 합니다.

IP주소를 잘못 설정 하였습니다.

로그인해서 아래처럼 수정 하고 Y를 클릭 합니다.

그리고 PC에서 PIng를 시도 합니다.

Ping 192.168.40.91 32바이트 데이터 사용:
192.168.40.91의 응답: 바이트=32 시간=1ms TTL=64
192.168.40.91의 응답: 바이트=32 시간<1ms TTL=64
192.168.40.91의 응답: 바이트=32 시간=1ms TTL=64
192.168.40.91의 응답: 바이트=32 시간<1ms TTL=64
192.168.40.91의 응답: 바이트=32 시간<1ms TTL=64
192.168.40.91의 응답: 바이트=32 시간=1ms TTL=64
192.168.40.91의 응답: 바이트=32 시간<1ms TTL=64
192.168.40.91의 응답: 바이트=32 시간=1ms TTL=64
192.168.40.91의 응답: 바이트=32 시간=4ms TTL=64
192.168.40.91의 응답: 바이트=32 시간<1ms TTL=64
192.168.40.91의 응답: 바이트=32 시간=54ms TTL=64
192.168.40.91의 응답: 바이트=32 시간=120ms TTL=64
192.168.40.91의 응답: 바이트=32 시간=201ms TTL=64
192.168.40.91의 응답: 바이트=32 시간=283ms TTL=64
192.168.40.91의 응답: 바이트=32 시간=359ms TTL=64
192.168.40.91의 응답: 바이트=32 시간=395ms TTL=64

https://192.168.40.91로 접속 하면 잘 접속 됩니다.

ClearPass Policy Manager를 클릭 하면 라이센스 입력 페이지가 나옵니다.

Aruba Clear Pass는 NAC역활을 합니다. Cisco 제품군으로 비교하면 Cisco ISE랑 똑같습니다.

Cisco ISE는 6개월 정도 라이센스없이 Trial Version으로 사용 가능하나

Aruba Clear Pass는 라이센스 없으면 사용이 불가능 합니다. 홈페이지에서 trial license 신청 가능합니다.

지금까지 [PNETLab][#5]-Aruba ClearPass Install 글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

'PNETlab' 카테고리의 다른 글

[PNETLab][#7]-Aruba Mobility Controller Install (0)	2025.02.13
[PNETLab][#6]-Aruba CX Switch Install (0)	2025.02.13
[PNETLab][#4]- Arista vEOS Switch Install (0)	2025.02.03
[PNETLab][#2]- ishare command (0)	2024.12.27
[PNETLab][#1]- Installation on VMware workstation (0)	2024.12.27

안녕하세요.

오늘은 C8200L Router IOS XE를 업그레이드를 해보겠습니다.

1. 현재 장비에서 show version를 통해서 version를 확인 합니다.

Router#show version
Cisco IOS XE Software, Version 17.06.06a
Cisco IOS Software [Bengaluru], c8000be Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 17.6.6a, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2023 by Cisco Systems, Inc.
Compiled Fri 20-Oct-23 18:26 by mcpre

2. cisco 홈페이지에서 현재 시점에서 8200 router ios xe 추천 버전을 확인 합니다.

3. 파일을 다운로드 받고 파일을 USB에 복사합니다.

4. MD5 Checksum를 확인 합니다. 추후에 파일을 라우터에 복사하고 MD5 Checksum를 이용해서 파일이 잘 복사 되었는지 확인합니다. 만약에 파일이 깨진 상태에서 Upgrdae 업그레이드 하면 Upgrade가 Failed하고 Rommon mode로 빠질수 있습니다. 꼭 업그레이드 또는 다운그레이드 전에 파일 복사 후 MD5 체크섬을 확인 합니다.

C8200 라우터 Firmware Install 방식은 2가지가 있습니다.

1. ios xe file를 파일로 복사하고 boot config를 통해서 부팅 시키는 방법

2. install mode로 펌웨어를 설치하는 방법

현재 라우터 install mode인지 레거시 모드인지 확인하는 방법

아래처럼 표시 되면 install mode입니다.

Router#show install summary
[ R0 ] Installed Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
            C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type  St   Filename/Version
--------------------------------------------------------------------------------
IMG   C    17.06.06a.0.6

--------------------------------------------------------------------------------
Auto abort timer: inactive
--------------------------------------------------------------------------------

Router#

또는 Bin 파일이 없고, Package 파일만 보이면 install mode입니다.

Router#dir flash:
Directory of bootflash:/

429089  drwx            57344  Feb 10 2025 05:32:00 +00:00  tracelogs
267169  drwx             4096  Feb 10 2025 05:19:36 +00:00  pnp-tech
11      -rw-              248  Feb 10 2025 05:19:29 +00:00  .iox_dir_list
412897  drwx             4096  Feb 10 2025 05:19:23 +00:00  license_evlog
24295   -rw-               30  Feb 10 2025 05:18:46 +00:00  throughput_monitor_params
24292   -rw-           134899  Feb 10 2025 05:18:40 +00:00  memleak.tcl
24290   -rw-             1092  Feb 10 2025 05:18:09 +00:00  mode_event_log
89057   drwx             4096  Feb 10 2025 05:17:48 +00:00  .installer
12      drwx             4096  Feb 10 2025 04:29:43 +00:00  lost+found
226689  drwx             4096  Aug 26 2024 16:49:41 +00:00  .prst_sync
275265  drwx             4096  Aug 26 2024 16:42:04 +00:00  .dbpersist
437185  drwx             4096  Aug 26 2024 16:33:30 +00:00  sysboot
420993  drwx             4096  Aug 26 2024 16:31:49 +00:00  .rollback_timer
291458  -rw-             9338  Aug 26 2024 16:28:08 +00:00  packages.conf
291478  -rw-         43301928  Aug 26 2024 16:28:08 +00:00  c8000be-rpboot.17.06.06a.SPA.pkg
291477  -rw-        623141956  Aug 26 2024 16:27:18 +00:00  c8000be-mono-universalk9.17.06.06a.SPA.pkg
291476  -rw-           156728  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_nim_adpt.17.06.06a.SPA.pkg
291475  -rw-          2094136  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_dsp_sp2700.17.06.06a.SPA.pkg
291474  -rw-         14259252  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_async.17.06.06a.SPA.pkg
291473  -rw-         11093044  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_1t3e3.17.06.06a.SPA.pkg
291472  -rw-          2475056  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_10g.17.06.06a.SPA.pkg
291471  -rw-         10253360  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_prince.17.06.06a.SPA.pkg
291470  -rw-          5571636  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_nim_xdsl.17.06.06a.SPA.pkg
291469  -rw-          5334068  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_ssd.17.06.06a.SPA.pkg
291468  -rw-         11523124  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_shdsl.17.06.06a.SPA.pkg
291467  -rw-          2966576  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_ge.17.06.06a.SPA.pkg
291466  -rw-         17646644  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_cwan.17.06.06a.SPA.pkg
291465  -rw-          4793400  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_bri_st_fw.17.06.06a.SPA.pkg
291464  -rw-         12870708  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_async.17.06.06a.SPA.pkg
291463  -rw-         11310132  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_ngwic_t1e1.17.06.06a.SPA.pkg
291462  -rw-         18342964  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dsp_tilegx.17.06.06a.SPA.pkg
291461  -rw-          1963060  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dsp_sp2700.17.06.06a.SPA.pkg
291460  -rw-          6681656  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dsp_analogbri.17.06.06a.SPA.pkg
291459  -rw-            54324  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dreamliner.17.06.06a.SPA.pkg
186209  drwx             4096  Aug 26 2024 16:20:23 +00:00  iox_host_data_share
364321  drwx             4096  Aug 26 2024 16:20:17 +00:00  core
210497  drwx             4096  Aug 26 2024 16:20:02 +00:00  guest-share
170017  drwx             4096  Aug 26 2024 16:19:55 +00:00  onep
129537  drwx             4096  Aug 26 2024 16:19:54 +00:00  pnp-info
121441  drwx             4096  Aug 26 2024 16:19:23 +00:00  virtual-instance
24294   -rw-             1923  Aug 26 2024 16:19:18 +00:00  trustidrootx3_ca_092024.ca
24293   -rw-            20109  Aug 26 2024 16:19:18 +00:00  ios_core.p7b
340033  drwx             4096  Aug 26 2024 16:19:03 +00:00  ss_disc
24291   -rw-          5242880  Aug 26 2024 16:19:03 +00:00  ssd
307649  drwx             4096  Aug 26 2024 16:18:49 +00:00  .ssh

7361155072 bytes total (6161752064 bytes free)
Router#

그럼 Firmware Upgrade를 합니다.

1. USB를 C8200 Router에 연결 합니다.

아래처럼 로그가 발생하면 정상적으로 usb가 인식 되었습니다.

Router#
*Feb 10 05:34:02.622: %IOSD_INFRA-6-IFS_DEVICE_OIR: Device usb0 added

Router#dir usb0:/TC_8200
Directory of usb0:/TC_8200/

819 -rwx 859360566 Feb 10 2025 12:36:56 +00:00 c8000be-universalk9.17.09.05e.SPA.bin

2. 파일 복사하기

Router#copy usb0:/TC_8200/c8000be-universalk9.17.09.05e.SPA.bin flash:
Destination filename [c8000be-universalk9.17.09.05e.SPA.bin]?
Copy in progress...CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
859360566 bytes copied in 40.479 secs (21229787 bytes/sec)
Router#

파일 확인하기

아래 c8000be-universalk9.17.09.05e.SPA.bin 복사 되었습니다.

Router#dir flash:
Directory of bootflash:/

429089  drwx            57344  Feb 10 2025 06:07:00 +00:00  tracelogs
13      -rw-        859360566  Feb 10 2025 06:06:59 +00:00  c8000be-universalk9.17.09.05e.SPA.bin
267169  drwx             4096  Feb 10 2025 05:19:36 +00:00  pnp-tech
11      -rw-              248  Feb 10 2025 05:19:29 +00:00  .iox_dir_list
412897  drwx             4096  Feb 10 2025 05:19:23 +00:00  license_evlog
24295   -rw-               30  Feb 10 2025 05:18:46 +00:00  throughput_monitor_params
24292   -rw-           134899  Feb 10 2025 05:18:40 +00:00  memleak.tcl
24290   -rw-             1092  Feb 10 2025 05:18:09 +00:00  mode_event_log
89057   drwx             4096  Feb 10 2025 05:17:48 +00:00  .installer
12      drwx             4096  Feb 10 2025 04:29:43 +00:00  lost+found
226689  drwx             4096  Aug 26 2024 16:49:41 +00:00  .prst_sync
275265  drwx             4096  Aug 26 2024 16:42:04 +00:00  .dbpersist
437185  drwx             4096  Aug 26 2024 16:33:30 +00:00  sysboot
420993  drwx             4096  Aug 26 2024 16:31:49 +00:00  .rollback_timer
291458  -rw-             9338  Aug 26 2024 16:28:08 +00:00  packages.conf
291478  -rw-         43301928  Aug 26 2024 16:28:08 +00:00  c8000be-rpboot.17.06.06a.SPA.pkg
291477  -rw-        623141956  Aug 26 2024 16:27:18 +00:00  c8000be-mono-universalk9.17.06.06a.SPA.pkg
291476  -rw-           156728  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_nim_adpt.17.06.06a.SPA.pkg
291475  -rw-          2094136  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_dsp_sp2700.17.06.06a.SPA.pkg
291474  -rw-         14259252  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_async.17.06.06a.SPA.pkg
291473  -rw-         11093044  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_1t3e3.17.06.06a.SPA.pkg
291472  -rw-          2475056  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_10g.17.06.06a.SPA.pkg
291471  -rw-         10253360  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_prince.17.06.06a.SPA.pkg
291470  -rw-          5571636  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_nim_xdsl.17.06.06a.SPA.pkg
291469  -rw-          5334068  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_ssd.17.06.06a.SPA.pkg
291468  -rw-         11523124  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_shdsl.17.06.06a.SPA.pkg
291467  -rw-          2966576  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_ge.17.06.06a.SPA.pkg
291466  -rw-         17646644  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_cwan.17.06.06a.SPA.pkg
291465  -rw-          4793400  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_bri_st_fw.17.06.06a.SPA.pkg
291464  -rw-         12870708  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_async.17.06.06a.SPA.pkg
291463  -rw-         11310132  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_ngwic_t1e1.17.06.06a.SPA.pkg
291462  -rw-         18342964  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dsp_tilegx.17.06.06a.SPA.pkg
291461  -rw-          1963060  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dsp_sp2700.17.06.06a.SPA.pkg
291460  -rw-          6681656  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dsp_analogbri.17.06.06a.SPA.pkg
291459  -rw-            54324  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dreamliner.17.06.06a.SPA.pkg
186209  drwx             4096  Aug 26 2024 16:20:23 +00:00  iox_host_data_share
364321  drwx             4096  Aug 26 2024 16:20:17 +00:00  core
210497  drwx             4096  Aug 26 2024 16:20:02 +00:00  guest-share
170017  drwx             4096  Aug 26 2024 16:19:55 +00:00  onep
129537  drwx             4096  Aug 26 2024 16:19:54 +00:00  pnp-info
121441  drwx             4096  Aug 26 2024 16:19:23 +00:00  virtual-instance
24294   -rw-             1923  Aug 26 2024 16:19:18 +00:00  trustidrootx3_ca_092024.ca
24293   -rw-            20109  Aug 26 2024 16:19:18 +00:00  ios_core.p7b
340033  drwx             4096  Aug 26 2024 16:19:03 +00:00  ss_disc
24291   -rw-          5242880  Aug 26 2024 16:19:03 +00:00  ssd
307649  drwx             4096  Aug 26 2024 16:18:49 +00:00  .ssh

7361155072 bytes total (5311582208 bytes free)
Router#

3. MD5 Checksum 확인

789f0f212ccd155b8aef19ce93c8476e

Router#verify /md5 flash:/c8000be-universalk9.17.09.05e.SPA.bin
.............................................................................................................................................................................................
.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................Done!
verify /md5 (bootflash:/c8000be-universalk9.17.09.05e.SPA.bin) = 789f0f212ccd155b8aef19ce93c8476e

Router#

파일이 잘 복사 되었습니다.

4. 이제 새로운 ios xe를 설치 합니다.

SUMMARY STEPS

enable
install add file location: filename
show install summary
install activate [auto-abort-timer <time>]
install abort
install commit
install rollback to committed
install remove {file filesystem: filename | inactive}
show install summary
exit

install add file flash:c8000be-universalk9.17.09.05e.SPA.bin activate commit

System configuration has been modified.
Press Yes(y) to save the configuration and proceed.
Press No(n) for proceeding without saving the configuration.
Press Quit(q) to exit, you may save configuration and re-enter the command. [y/n/q] y
Building configuration...
[OK]Modified configuration has been saved

*Feb 10 06:15:04.641: %SYS-6-PRIVCFG_ENCRYPT_SUCCESS: Successfully encrypted private config file
*Feb 10 06:15:05.160: %INSTALL-5-INSTALL_START_INFO: R0/0: install_engine: Started install one-shot bootflash:c8000be-universalk9.17.09.05e.SPA.bininstall_add_activate_commit: Adding PACKAGE
install_add_activate_commit: Checking whether new add is allowed ....

--- Starting Add ---
Performing Add on Active/Standby
  [1] Add package(s) on R0
  [1] Finished Add on R0
Checking status of Add on [R0]
Add: Passed on [R0]
Finished Add

Image added. Version: 17.09.05e.0.80
install_add_activate_commit: Activating PACKAGE

*Feb 10 06:19:52.040: %EVENTLIB-3-CPUHOG: C0/0: iomd: uipeer downlink listener: 1520ms, Traceback=1#150f3a63e6e344df147a5440723734c6  evlib:7F79718AB000+A1D6 c:7F793381E000+3B3B0 ld-linux-x86-64:7F7983E83000+A974 ld-linux-x86-64:7F7983E83000+B4C5 ld-linux-x86-64:7F7983E83000+10085 ld-linux-x86-64:7F7983E83000+16BCA bipc:7F7972F08000+A381 bipc:7F7972F08000+412F uipeer:7F79739AB000+1EF7C evlib:7F79718AB000+8E16 evlib:7F79718AB000+9B60Following packages shall be activated:
/bootflash/c8000be-rpboot.17.09.05e.SPA.pkg
/bootflash/c8000be-mono-universalk9.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_sm_nim_adpt.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_sm_dsp_sp2700.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_sm_async.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_sm_1t3e3.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_sm_10g.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_prince.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_nim_xdsl.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_nim_ssd.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_nim_shdsl.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_nim_ge.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_nim_cwan.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_nim_bri_st_fw.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_nim_async.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_ngwic_t1e1.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_dsp_tilegx.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_dsp_sp2700.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_dsp_analogbri.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_dreamliner.17.09.05e.SPA.pkg

This operation may require a reload of the system. Do you want to proceed? [y/n] y
--- Starting Activate ---
Performing Activate on Active/Standby

재부팅이 완료 될때까지 기다립니다.

5. Version 확인

Router# show install summary
[ R0 ] Installed Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
            C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type  St   Filename/Version
--------------------------------------------------------------------------------
IMG   C    17.09.05e.0.80

--------------------------------------------------------------------------------
Auto abort timer: inactive
--------------------------------------------------------------------------------

Router#

6. 기존에 Package가 Flash:에 존재 합니다. 필요없는 파일은 삭제합니다.

Router#dir flash:
Directory of bootflash:/

89057   drwx             4096  Feb 10 2025 06:29:40 +00:00  .installer
412897  drwx             4096  Feb 10 2025 06:28:09 +00:00  license_evlog
24295   -rw-               30  Feb 10 2025 06:28:09 +00:00  throughput_monitor_params
24292   -rw-           137940  Feb 10 2025 06:28:05 +00:00  memleak.tcl
226689  drwx             4096  Feb 10 2025 06:27:59 +00:00  .prst_sync
24289   -rw-             1939  Feb 10 2025 06:27:50 +00:00  trustidrootx3_ca_062035.ca
24290   -rwx             1274  Feb 10 2025 06:27:45 +00:00  mode_event_log
429089  drwx            57344  Feb 10 2025 06:27:42 +00:00  tracelogs
64769   drwx             4096  Feb 10 2025 06:27:04 +00:00  SHARED-IOX
420993  drwx             4096  Feb 10 2025 06:25:25 +00:00  .rollback_timer
16      -rw-             9330  Feb 10 2025 06:24:28 +00:00  packages.conf
404802  -rw-             9330  Feb 10 2025 06:18:05 +00:00  c8000be-universalk9.17.09.05e.SPA.conf
226691  -rw-         38283450  Feb 10 2025 06:18:05 +00:00  c8000be-rpboot.17.09.05e.SPA.pkg
404821  -rw-        679469056  Feb 10 2025 06:17:20 +00:00  c8000be-mono-universalk9.17.09.05e.SPA.pkg
404820  -rw-           167936  Feb 10 2025 06:17:08 +00:00  c8000be-firmware_sm_nim_adpt.17.09.05e.SPA.pkg
404819  -rw-          2138112  Feb 10 2025 06:17:08 +00:00  c8000be-firmware_sm_dsp_sp2700.17.09.05e.SPA.pkg
404818  -rw-         14557184  Feb 10 2025 06:17:08 +00:00  c8000be-firmware_sm_async.17.09.05e.SPA.pkg
404817  -rw-         11366400  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_sm_1t3e3.17.09.05e.SPA.pkg
404816  -rw-          2535424  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_sm_10g.17.09.05e.SPA.pkg
404815  -rw-         10432512  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_prince.17.09.05e.SPA.pkg
404814  -rw-          5677056  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_nim_xdsl.17.09.05e.SPA.pkg
404813  -rw-          5431296  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_nim_ssd.17.09.05e.SPA.pkg
404812  -rw-         11714560  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_nim_shdsl.17.09.05e.SPA.pkg
404811  -rw-          2994176  Feb 10 2025 06:17:06 +00:00  c8000be-firmware_nim_ge.17.09.05e.SPA.pkg
404810  -rw-         17960960  Feb 10 2025 06:17:06 +00:00  c8000be-firmware_nim_cwan.17.09.05e.SPA.pkg
404809  -rw-          4894720  Feb 10 2025 06:17:06 +00:00  c8000be-firmware_nim_bri_st_fw.17.09.05e.SPA.pkg
404808  -rw-         13139968  Feb 10 2025 06:17:06 +00:00  c8000be-firmware_nim_async.17.09.05e.SPA.pkg
404807  -rw-         11497472  Feb 10 2025 06:17:05 +00:00  c8000be-firmware_ngwic_t1e1.17.09.05e.SPA.pkg
404806  -rw-         18649088  Feb 10 2025 06:17:05 +00:00  c8000be-firmware_dsp_tilegx.17.09.05e.SPA.pkg
404805  -rw-          2007040  Feb 10 2025 06:17:04 +00:00  c8000be-firmware_dsp_sp2700.17.09.05e.SPA.pkg
404804  -rw-          6799360  Feb 10 2025 06:17:04 +00:00  c8000be-firmware_dsp_analogbri.17.09.05e.SPA.pkg
404803  -rw-            65536  Feb 10 2025 06:17:04 +00:00  c8000be-firmware_dreamliner.17.09.05e.SPA.pkg
13      -rw-        859360566  Feb 10 2025 06:06:59 +00:00  c8000be-universalk9.17.09.05e.SPA.bin
267169  drwx             4096  Feb 10 2025 05:19:36 +00:00  pnp-tech
11      -rw-              248  Feb 10 2025 05:19:29 +00:00  .iox_dir_list
12      drwx             4096  Feb 10 2025 04:29:43 +00:00  lost+found
275265  drwx             4096  Aug 26 2024 16:42:04 +00:00  .dbpersist
437185  drwx             4096  Aug 26 2024 16:33:30 +00:00  sysboot
291478  -rw-         43301928  Aug 26 2024 16:28:08 +00:00  c8000be-rpboot.17.06.06a.SPA.pkg
291477  -rw-        623141956  Aug 26 2024 16:27:18 +00:00  c8000be-mono-universalk9.17.06.06a.SPA.pkg
291476  -rw-           156728  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_nim_adpt.17.06.06a.SPA.pkg
291475  -rw-          2094136  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_dsp_sp2700.17.06.06a.SPA.pkg
291474  -rw-         14259252  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_async.17.06.06a.SPA.pkg
291473  -rw-         11093044  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_1t3e3.17.06.06a.SPA.pkg
291472  -rw-          2475056  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_10g.17.06.06a.SPA.pkg
291471  -rw-         10253360  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_prince.17.06.06a.SPA.pkg
291470  -rw-          5571636  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_nim_xdsl.17.06.06a.SPA.pkg
291469  -rw-          5334068  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_ssd.17.06.06a.SPA.pkg
291468  -rw-         11523124  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_shdsl.17.06.06a.SPA.pkg
291467  -rw-          2966576  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_ge.17.06.06a.SPA.pkg
291466  -rw-         17646644  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_cwan.17.06.06a.SPA.pkg
291465  -rw-          4793400  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_bri_st_fw.17.06.06a.SPA.pkg
291464  -rw-         12870708  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_async.17.06.06a.SPA.pkg
291463  -rw-         11310132  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_ngwic_t1e1.17.06.06a.SPA.pkg
291462  -rw-         18342964  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dsp_tilegx.17.06.06a.SPA.pkg
291461  -rw-          1963060  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dsp_sp2700.17.06.06a.SPA.pkg
291460  -rw-          6681656  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dsp_analogbri.17.06.06a.SPA.pkg
291459  -rw-            54324  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dreamliner.17.06.06a.SPA.pkg
186209  drwx             4096  Aug 26 2024 16:20:23 +00:00  iox_host_data_share
364321  drwx             4096  Aug 26 2024 16:20:17 +00:00  core
210497  drwx             4096  Aug 26 2024 16:20:02 +00:00  guest-share
170017  drwx             4096  Aug 26 2024 16:19:55 +00:00  onep
129537  drwx             4096  Aug 26 2024 16:19:54 +00:00  pnp-info
121441  drwx             4096  Aug 26 2024 16:19:23 +00:00  virtual-instance
24294   -rw-             1923  Aug 26 2024 16:19:18 +00:00  trustidrootx3_ca_092024.ca
24293   -rw-            20109  Aug 26 2024 16:19:18 +00:00  ios_core.p7b
24291   -rw-          5242880  Aug 26 2024 16:19:03 +00:00  ssd
307649  drwx             4096  Aug 26 2024 16:18:49 +00:00  .ssh

Router#install remove inactive
install_remove: START Mon Feb 10 06:34:40 UTC 2025
install_remove: Removing IMG
Cleaning up unnecessary package files
No path specified, will use booted path /bootflash/packages.conf

Cleaning /bootflash
  Scanning boot directory for packages ... done.
  Preparing packages list to delete ...
    [R0]: /bootflash/packages.conf File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_dreamliner.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_dsp_analogbri.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_dsp_sp2700.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_dsp_tilegx.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_ngwic_t1e1.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_nim_async.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_nim_bri_st_fw.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_nim_cwan.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_nim_ge.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_nim_shdsl.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_nim_ssd.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_nim_xdsl.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_prince.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_sm_10g.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_sm_1t3e3.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_sm_async.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_sm_dsp_sp2700.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_sm_nim_adpt.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-mono-universalk9.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-rpboot.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-universalk9.17.09.05e.SPA.conf File is in use, will not delete.

The following files will be deleted:
    [R0]: /bootflash/c8000be-firmware_dreamliner.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_dsp_analogbri.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_dsp_sp2700.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_dsp_tilegx.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_ngwic_t1e1.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_nim_async.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_nim_bri_st_fw.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_nim_cwan.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_nim_ge.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_nim_shdsl.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_nim_ssd.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_nim_xdsl.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_prince.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_sm_10g.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_sm_1t3e3.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_sm_async.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_sm_dsp_sp2700.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_sm_nim_adpt.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-mono-universalk9.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-rpboot.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-universalk9.17.09.05e.SPA.bin

Do you want to remove the above files?
                                      *Feb 10 06:34:40.411: %INSTALL-5-INSTALL_START_INFO: R0/0: install_mgr: Started install remove [y/n]y

Deleting file /bootflash/c8000be-firmware_dreamliner.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_dsp_analogbri.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_dsp_sp2700.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_dsp_tilegx.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_ngwic_t1e1.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_nim_async.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_nim_bri_st_fw.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_nim_cwan.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_nim_ge.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_nim_shdsl.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_nim_ssd.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_nim_xdsl.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_prince.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_sm_10g.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_sm_1t3e3.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_sm_async.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_sm_dsp_sp2700.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_sm_nim_adpt.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-mono-universalk9.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-rpboot.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-universalk9.17.09.05e.SPA.bin ... done.
SUCCESS: Files deleted.

--- Starting Post_Remove_Cleanup ---
Performing REMOVE_POSTCHECK on all members
Finished Post_Remove_Cleanup
SUCCESS: install_remove Mon Feb 10 06:35:12 UTC 2025

Router#
*Feb 10 06:35:12.911: %INSTALL-5-INSTALL_COMPLETED_INFO: R0/0: install_mgr: Completed install remove
Router#
Router#
Router#
Router#
Router#
Router#
Router#
Router#dir flash:
Directory of bootflash:/

89057   drwx             4096  Feb 10 2025 06:35:13 +00:00  .installer
412897  drwx             4096  Feb 10 2025 06:28:09 +00:00  license_evlog
24295   -rw-               30  Feb 10 2025 06:28:09 +00:00  throughput_monitor_params
24292   -rw-           137940  Feb 10 2025 06:28:05 +00:00  memleak.tcl
226689  drwx             4096  Feb 10 2025 06:27:59 +00:00  .prst_sync
24289   -rw-             1939  Feb 10 2025 06:27:50 +00:00  trustidrootx3_ca_062035.ca
24290   -rwx             1274  Feb 10 2025 06:27:45 +00:00  mode_event_log
429089  drwx            57344  Feb 10 2025 06:27:42 +00:00  tracelogs
64769   drwx             4096  Feb 10 2025 06:27:04 +00:00  SHARED-IOX
420993  drwx             4096  Feb 10 2025 06:25:25 +00:00  .rollback_timer
16      -rw-             9330  Feb 10 2025 06:24:28 +00:00  packages.conf
404802  -rw-             9330  Feb 10 2025 06:18:05 +00:00  c8000be-universalk9.17.09.05e.SPA.conf
226691  -rw-         38283450  Feb 10 2025 06:18:05 +00:00  c8000be-rpboot.17.09.05e.SPA.pkg
404821  -rw-        679469056  Feb 10 2025 06:17:20 +00:00  c8000be-mono-universalk9.17.09.05e.SPA.pkg
404820  -rw-           167936  Feb 10 2025 06:17:08 +00:00  c8000be-firmware_sm_nim_adpt.17.09.05e.SPA.pkg
404819  -rw-          2138112  Feb 10 2025 06:17:08 +00:00  c8000be-firmware_sm_dsp_sp2700.17.09.05e.SPA.pkg
404818  -rw-         14557184  Feb 10 2025 06:17:08 +00:00  c8000be-firmware_sm_async.17.09.05e.SPA.pkg
404817  -rw-         11366400  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_sm_1t3e3.17.09.05e.SPA.pkg
404816  -rw-          2535424  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_sm_10g.17.09.05e.SPA.pkg
404815  -rw-         10432512  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_prince.17.09.05e.SPA.pkg
404814  -rw-          5677056  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_nim_xdsl.17.09.05e.SPA.pkg
404813  -rw-          5431296  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_nim_ssd.17.09.05e.SPA.pkg
404812  -rw-         11714560  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_nim_shdsl.17.09.05e.SPA.pkg
404811  -rw-          2994176  Feb 10 2025 06:17:06 +00:00  c8000be-firmware_nim_ge.17.09.05e.SPA.pkg
404810  -rw-         17960960  Feb 10 2025 06:17:06 +00:00  c8000be-firmware_nim_cwan.17.09.05e.SPA.pkg
404809  -rw-          4894720  Feb 10 2025 06:17:06 +00:00  c8000be-firmware_nim_bri_st_fw.17.09.05e.SPA.pkg
404808  -rw-         13139968  Feb 10 2025 06:17:06 +00:00  c8000be-firmware_nim_async.17.09.05e.SPA.pkg
404807  -rw-         11497472  Feb 10 2025 06:17:05 +00:00  c8000be-firmware_ngwic_t1e1.17.09.05e.SPA.pkg
404806  -rw-         18649088  Feb 10 2025 06:17:05 +00:00  c8000be-firmware_dsp_tilegx.17.09.05e.SPA.pkg
404805  -rw-          2007040  Feb 10 2025 06:17:04 +00:00  c8000be-firmware_dsp_sp2700.17.09.05e.SPA.pkg
404804  -rw-          6799360  Feb 10 2025 06:17:04 +00:00  c8000be-firmware_dsp_analogbri.17.09.05e.SPA.pkg
404803  -rw-            65536  Feb 10 2025 06:17:04 +00:00  c8000be-firmware_dreamliner.17.09.05e.SPA.pkg
267169  drwx             4096  Feb 10 2025 05:19:36 +00:00  pnp-tech
11      -rw-              248  Feb 10 2025 05:19:29 +00:00  .iox_dir_list
12      drwx             4096  Feb 10 2025 04:29:43 +00:00  lost+found
275265  drwx             4096  Aug 26 2024 16:42:04 +00:00  .dbpersist
437185  drwx             4096  Aug 26 2024 16:33:30 +00:00  sysboot
186209  drwx             4096  Aug 26 2024 16:20:23 +00:00  iox_host_data_share
364321  drwx             4096  Aug 26 2024 16:20:17 +00:00  core
210497  drwx             4096  Aug 26 2024 16:20:02 +00:00  guest-share
170017  drwx             4096  Aug 26 2024 16:19:55 +00:00  onep
129537  drwx             4096  Aug 26 2024 16:19:54 +00:00  pnp-info
121441  drwx             4096  Aug 26 2024 16:19:23 +00:00  virtual-instance
24294   -rw-             1923  Aug 26 2024 16:19:18 +00:00  trustidrootx3_ca_092024.ca
24293   -rw-            20109  Aug 26 2024 16:19:18 +00:00  ios_core.p7b
24291   -rw-          5242880  Aug 26 2024 16:19:03 +00:00  ssd
307649  drwx             4096  Aug 26 2024 16:18:49 +00:00  .ssh

7361155072 bytes total (6116417536 bytes free)
Router#

show version

Router#               show version
Cisco IOS XE Software, Version 17.09.05e
Cisco IOS Software [Cupertino], c8000be Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 17.9.5e, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2024 by Cisco Systems, Inc.
Compiled Thu 12-Dec-24 19:05 by mcpre

Cisco IOS-XE software, Copyright (c) 2005-2024 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.  For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.

ROM: 17.6(8.1r)

Router uptime is 9 minutes
Uptime for this control processor is 9 minutes
System returned to ROM by Reload Command
System image file is "bootflash:packages.conf"
Last reload reason: Reload Command

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Technology Package License Information:

-----------------------------------------------------------------
Technology     Type         Technology-package Technology-package
                            Current            Next Reboot
-----------------------------------------------------------------
Smart License  Perpetual    None               None
Smart License  Subscription None               None

The current crypto throughput level is 250000 kbps

Smart Licensing Status: Smart Licensing Using Policy

cisco C8200L-1N-4T (1RU) processor with 1653598K/6147K bytes of memory.
Processor board ID FGL2835L17V
Router operating mode: Autonomous
4 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
7245823K bytes of flash memory at bootflash:.

Configuration register is 0x2102

Router#

다시 한번 재부팅해서 제대로 부팅되는지 확인합니다.

Router#reload
Proceed with reload? [confirm]

*Feb 10 06:37:38.872: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.

정상적으로 부팅이 잘 됩니다.

지금까지 [2025][C8200] Router IOS XE upgrade 글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

'CISCO > 라우팅' 카테고리의 다른 글

[2025][C8200][#3] Reset Smart license (0)	2025.03.04
[2025][C8200][#2] Register License to CSSM - smart licensing using policy (0)	2025.02.13
[ISR4221]-Performance License Install(SLR) (0)	2024.07.30
[ISR4221]-Cisco Router IOS Upgrade (2)	2024.07.29

안녕하세요.

이번에는 Juniper SRX S2S VPN 설정하고 Static Route대신 OSPF을 통해서 라우팅 테이블을 교환 하겠습니다.

실습을 위해서 기본 설정은 아래 글을 참고 부탁드립니다.

https://itblog-kr.tistory.com/196

1. 토폴로지는 아래와 같습니다.

SRX01 Ge-0/0/0 10.1.1.1 trust

SRX01 Ge-0/0/1 192.168.1.1 untrust

SRX02 Ge-0/0/0 20.1.1.1 trust

SRX02 Ge-0/0/1 192.168.2.1 untrust

S2S VPN 연결후 PC 192.168.1.10 <-> PC 192.168.2.10으로 통신이 가능 합니다.

2. SRX01 설정

2-1 Tunnel Interface 설정

set interfaces st0 unit 0 family inet address 1.1.1.1/30
set interfaces st0 unit 0 family inet mtu 1500
set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn host-inbound-traffic protocols all
set security zones security-zone vpn interfaces st0.0

2-2 Tunnel Interface통해서 상대방 라우팅을 교환하기 위해서 RIP 프로토콜을 설정합니다.

set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2p
set protocols ospf area 0.0.0.0 interface st0.0 neighbor 1.1.1.2
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 passive
set routing-options router-id 1.1.1.1

2-3 IKE 설정

IKE POLICY Name: IKE-POLICY-S2SVPN-01

IKE GATEWAY Name: IKE-GW-S2SVPN-01

Pre-share-Keys: juniper

set security ike proposal standard authentication-method pre-shared-keys
set security ike policy IKE-POLICY-S2SVPN-01 mode aggressive
set security ike policy IKE-POLICY-S2SVPN-01 proposals standard
set security ike policy IKE-POLICY-S2SVPN-01 pre-shared-key ascii-text juniper
set security ike gateway IKE-GW-S2SVPN-01 ike-policy IKE-POLICY-S2SVPN-01
set security ike gateway IKE-GW-S2SVPN-01 address 20.1.1.1
set security ike gateway IKE-GW-S2SVPN-01 external-interface ge-0/0/0

2-4 IPSEC 설정

set security ipsec proposal standard
set security ipsec policy IPSEC-POLICY-S2SVPN-01 proposals standard
set security ipsec vpn SRX01-TO-SRX02 bind-interface st0.0
set security ipsec vpn SRX01-TO-SRX02 ike gateway IKE-GW-S2SVPN-01
set security ipsec vpn SRX01-TO-SRX02 ike ipsec-policy IPSEC-POLICY-S2SVPN-01
set security ipsec vpn SRX01-TO-SRX02 establish-tunnels immediately

2-5 S2S VPN을 위한 방화벽 정책 설정

set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn interfaces st0.0

set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit

set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any
set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit

3 SRX02 설정

3-1 Tunnel Interface 설정

set interfaces st0 unit 0 family inet address 1.1.1.2/30
set interfaces st0 unit 0 family inet mtu 1500
set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn host-inbound-traffic protocols all
set security zones security-zone vpn interfaces st0.0

3-2 Tunnel Interface통해서 상대방 통신하기 위해서 RIP을 설정해서 라우팅을 교환 합니다.

set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2p
set protocols ospf area 0.0.0.0 interface st0.0 neighbor 1.1.1.1
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 passive
set routing-options router-id 1.1.1.2

3-3 IKE 설정

IKE POLICY Name: IKE-POLICY-S2SVPN-01

IKE GATEWAY Name: IKE-GW-S2SVPN-01

Pre-share-Keys: juniper

set security ike proposal standard authentication-method pre-shared-keys
set security ike policy IKE-POLICY-S2SVPN-01 mode aggressive
set security ike policy IKE-POLICY-S2SVPN-01 proposals standard
set security ike policy IKE-POLICY-S2SVPN-01 pre-shared-key ascii-text juniper
set security ike gateway IKE-GW-S2SVPN-01 ike-policy IKE-POLICY-S2SVPN-01
set security ike gateway IKE-GW-S2SVPN-01 address 10.1.1.1
set security ike gateway IKE-GW-S2SVPN-01 external-interface ge-0/0/0

3-4 IPSEC 설정

set security ipsec proposal standard
set security ipsec policy IPSEC-POLICY-S2SVPN-01 proposals standard
set security ipsec vpn SRX02-TO-SRX01 bind-interface st0.0
set security ipsec vpn SRX02-TO-SRX01 ike gateway IKE-GW-S2SVPN-01
set security ipsec vpn SRX02-TO-SRX01 ike ipsec-policy IPSEC-POLICY-S2SVPN-01
set security ipsec vpn SRX02-TO-SRX01 establish-tunnels immediately

3-5 S2S VPN을 위한 방화벽 정책 설정

set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn interfaces st0.0

set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit

set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any
set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit

OSPF 상태 확인

SRX01

root@SRX01> show ospf neighbor
Address          Interface              State           ID               Pri  Dead
1.1.1.2          st0.0                  Full            1.1.1.2          128    31

root@SRX01> show route

inet.0: 9 destinations, 10 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:50:07
                    >  to 10.1.1.254 via ge-0/0/0.0
1.1.1.0/30         *[Direct/0] 00:14:28
                    >  via st0.0
                    [OSPF/10] 00:14:24, metric 1
                    >  via st0.0
1.1.1.1/32         *[Local/0] 00:14:28
                       Local via st0.0
10.1.1.0/24        *[Direct/0] 00:50:07
                    >  via ge-0/0/0.0
10.1.1.1/32        *[Local/0] 00:50:07
                       Local via ge-0/0/0.0
192.168.1.0/24     *[Direct/0] 00:50:07
                    >  via ge-0/0/1.0
192.168.1.1/32     *[Local/0] 00:50:07
                       Local via ge-0/0/1.0
192.168.2.0/24     *[OSPF/10] 00:10:32, metric 2
                    >  via st0.0
224.0.0.5/32       *[OSPF/10] 00:14:29, metric 1
                       MultiRecv

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:51:09
                       MultiRecv

root@SRX01>

SRX02

root@SRX02> show ospf neighbor
Address          Interface              State           ID               Pri  Dead
1.1.1.1          st0.0                  Full            1.1.1.1          128    37

root@SRX02> show route

inet.0: 9 destinations, 10 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:50:23
                    >  to 20.1.1.254 via ge-0/0/0.0
1.1.1.0/30         *[Direct/0] 00:13:30
                    >  via st0.0
                    [OSPF/10] 00:13:26, metric 1
                    >  via st0.0
1.1.1.2/32         *[Local/0] 00:13:30
                       Local via st0.0
20.1.1.0/24        *[Direct/0] 00:50:23
                    >  via ge-0/0/0.0
20.1.1.1/32        *[Local/0] 00:50:23
                       Local via ge-0/0/0.0
192.168.1.0/24     *[OSPF/10] 00:10:54, metric 2
                    >  via st0.0
192.168.2.0/24     *[Direct/0] 00:50:23
                    >  via ge-0/0/1.0
192.168.2.1/32     *[Local/0] 00:50:23
                       Local via ge-0/0/1.0
224.0.0.5/32       *[OSPF/10] 00:13:31, metric 1
                       MultiRecv

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:51:27
                       MultiRecv

root@SRX02>

4. Test

PC01에서 PC02로 PING 192.168.2.10

PC02에서 PC01로 PING 192.168.1.10

PC01
84 bytes from 192.168.2.10 icmp_seq=105 ttl=62 time=12.610 ms
84 bytes from 192.168.2.10 icmp_seq=106 ttl=62 time=33.502 ms
84 bytes from 192.168.2.10 icmp_seq=107 ttl=62 time=3.875 ms
84 bytes from 192.168.2.10 icmp_seq=108 ttl=62 time=5.376 ms
84 bytes from 192.168.2.10 icmp_seq=109 ttl=62 time=3.175 ms
84 bytes from 192.168.2.10 icmp_seq=110 ttl=62 time=2.963 ms
84 bytes from 192.168.2.10 icmp_seq=111 ttl=62 time=3.547 ms
84 bytes from 192.168.2.10 icmp_seq=112 ttl=62 time=3.976 ms
84 bytes from 192.168.2.10 icmp_seq=113 ttl=62 time=3.358 ms
84 bytes from 192.168.2.10 icmp_seq=114 ttl=62 time=9.753 ms
84 bytes from 192.168.2.10 icmp_seq=115 ttl=62 time=3.128 ms
84 bytes from 192.168.2.10 icmp_seq=116 ttl=62 time=4.142 ms
84 bytes from 192.168.2.10 icmp_seq=117 ttl=62 time=3.175 ms
84 bytes from 192.168.2.10 icmp_seq=118 ttl=62 time=4.214 ms
84 bytes from 192.168.2.10 icmp_seq=119 ttl=62 time=3.807 ms
84 bytes from 192.168.2.10 icmp_seq=120 ttl=62 time=4.220 ms
84 bytes from 192.168.2.10 icmp_seq=121 ttl=62 time=7.300 ms
84 bytes from 192.168.2.10 icmp_seq=122 ttl=62 time=3.735 ms
84 bytes from 192.168.2.10 icmp_seq=123 ttl=62 time=5.798 ms
84 bytes from 192.168.2.10 icmp_seq=124 ttl=62 time=3.588 ms
84 bytes from 192.168.2.10 icmp_seq=125 ttl=62 time=3.750 ms
84 bytes from 192.168.2.10 icmp_seq=126 ttl=62 time=3.633 ms
84 bytes from 192.168.2.10 icmp_seq=127 ttl=62 time=2.710 ms
84 bytes from 192.168.2.10 icmp_seq=128 ttl=62 time=4.018 ms
84 bytes from 192.168.2.10 icmp_seq=129 ttl=62 time=3.169 ms
84 bytes from 192.168.2.10 icmp_seq=130 ttl=62 time=3.093 ms
84 bytes from 192.168.2.10 icmp_seq=131 ttl=62 time=3.001 ms
84 bytes from 192.168.2.10 icmp_seq=132 ttl=62 time=4.013 ms
84 bytes from 192.168.2.10 icmp_seq=133 ttl=62 time=3.296 ms
84 bytes from 192.168.2.10 icmp_seq=134 ttl=62 time=2.731 ms
84 bytes from 192.168.2.10 icmp_seq=135 ttl=62 time=3.164 ms
84 bytes from 192.168.2.10 icmp_seq=136 ttl=62 time=3.521 ms
84 bytes from 192.168.2.10 icmp_seq=137 ttl=62 time=3.264 ms
84 bytes from 192.168.2.10 icmp_seq=138 ttl=62 time=3.372 ms

PC02
84 bytes from 192.168.1.10 icmp_seq=96 ttl=62 time=11.549 ms
84 bytes from 192.168.1.10 icmp_seq=97 ttl=62 time=3.299 ms
84 bytes from 192.168.1.10 icmp_seq=98 ttl=62 time=4.139 ms
84 bytes from 192.168.1.10 icmp_seq=99 ttl=62 time=6.704 ms
84 bytes from 192.168.1.10 icmp_seq=100 ttl=62 time=7.948 ms
84 bytes from 192.168.1.10 icmp_seq=101 ttl=62 time=7.042 ms
84 bytes from 192.168.1.10 icmp_seq=102 ttl=62 time=8.883 ms
84 bytes from 192.168.1.10 icmp_seq=103 ttl=62 time=5.830 ms
84 bytes from 192.168.1.10 icmp_seq=104 ttl=62 time=3.864 ms
84 bytes from 192.168.1.10 icmp_seq=105 ttl=62 time=7.203 ms
84 bytes from 192.168.1.10 icmp_seq=106 ttl=62 time=5.233 ms
84 bytes from 192.168.1.10 icmp_seq=107 ttl=62 time=3.276 ms
84 bytes from 192.168.1.10 icmp_seq=108 ttl=62 time=3.849 ms
84 bytes from 192.168.1.10 icmp_seq=109 ttl=62 time=4.194 ms
84 bytes from 192.168.1.10 icmp_seq=110 ttl=62 time=3.221 ms
84 bytes from 192.168.1.10 icmp_seq=111 ttl=62 time=3.447 ms
84 bytes from 192.168.1.10 icmp_seq=112 ttl=62 time=4.475 ms
84 bytes from 192.168.1.10 icmp_seq=113 ttl=62 time=4.493 ms
84 bytes from 192.168.1.10 icmp_seq=114 ttl=62 time=3.987 ms
84 bytes from 192.168.1.10 icmp_seq=115 ttl=62 time=3.965 ms
84 bytes from 192.168.1.10 icmp_seq=116 ttl=62 time=3.814 ms
84 bytes from 192.168.1.10 icmp_seq=117 ttl=62 time=3.276 ms
84 bytes from 192.168.1.10 icmp_seq=118 ttl=62 time=3.454 ms
84 bytes from 192.168.1.10 icmp_seq=119 ttl=62 time=4.694 ms
84 bytes from 192.168.1.10 icmp_seq=120 ttl=62 time=4.093 ms
84 bytes from 192.168.1.10 icmp_seq=121 ttl=62 time=3.481 ms
84 bytes from 192.168.1.10 icmp_seq=122 ttl=62 time=5.376 ms
84 bytes from 192.168.1.10 icmp_seq=123 ttl=62 time=3.494 ms
84 bytes from 192.168.1.10 icmp_seq=124 ttl=62 time=4.032 ms
84 bytes from 192.168.1.10 icmp_seq=125 ttl=62 time=3.6

4. S2S VPN 상태 확인

SRX01

IKE Phase 1 UP이 표시 되면 IPSEC를 확인 합니다.

root@SRX01> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
5482273 UP 65c909f14f4d8824 7d74504d227553ca Aggressive 20.1.1.1

IPSEC Phase2 아래처럼 터널이 생성 되었는지 확인

root@SRX01> show security ipsec security-associations
  Total active tunnels: 1     Total Ipsec sas: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:3des/sha1   fc12e938 3062/ unlim  -   root 500   20.1.1.1
  >131073 ESP:3des/sha1   49d44ef0 3062/ unlim  -   root 500   20.1.1.1

PC01에서 PC02로 무한으로 PING를 시도하고 Packet Count가 실제 올라가는지 확인 합니다

그리고 SRX01에서 아래 명령어로 확인

root@SRX01> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:            70040
  Decrypted bytes:            41832
  Encrypted packets:            515
  Decrypted packets:            498
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

root@SRX01>

10초뒤에 다시 똑같은 명령어를 입력하면 Packet Count가 증가하였습니다.

root@SRX01> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:            77656
  Decrypted bytes:            46536
  Encrypted packets:            571
  Decrypted packets:            554
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

root@SRX01>

PC02 -> PC01로 무한으로 PING를 시도합니다

SRX02에서 확인해보겠습니다.

IKE Phase 1 UP이 표시 되면 IPSEC를 확인 합니다.

root@SRX02> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
6514201 UP 65c909f14f4d8824 7d74504d227553ca Aggressive 10.1.1.1

root@SRX02>

IPSEC Phase2 Tunnel이 생성되었습니다.

root@SRX02> show security ipsec security-associations
  Total active tunnels: 1     Total Ipsec sas: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:3des/sha1   49d44ef0 2678/ unlim  -   root 500   10.1.1.1
  >131073 ESP:3des/sha1   fc12e938 2678/ unlim  -   root 500   10.1.1.1

root@SRX02>

Packet Count를 확인 합니다

root@SRX02> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:            87992
  Decrypted bytes:            55776
  Encrypted packets:            647
  Decrypted packets:            664
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

root@SRX02>

10초뒤에 다시 한번 확인합니다

root@SRX02> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:            90032
  Decrypted bytes:            57036
  Encrypted packets:            662
  Decrypted packets:            679
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

root@SRX02>

라우팅 확인

SRX01

전체 설정

SRX01

root@SRX01> show configuration | display set | no-more
set version 21.3R1.9
set system host-name SRX01
set security ike proposal standard authentication-method pre-shared-keys
set security ike policy IKE-POLICY-S2SVPN-01 mode aggressive
set security ike policy IKE-POLICY-S2SVPN-01 proposals standard
set security ike policy IKE-POLICY-S2SVPN-01 pre-shared-key ascii-text "$9$a-GjqTz6uORmfORhSMWJGD"
set security ike gateway IKE-GW-S2SVPN-01 ike-policy IKE-POLICY-S2SVPN-01
set security ike gateway IKE-GW-S2SVPN-01 address 20.1.1.1
set security ike gateway IKE-GW-S2SVPN-01 external-interface ge-0/0/0
set security ipsec proposal standard
set security ipsec policy IPSEC-POLICY-S2SVPN-01 proposals standard
set security ipsec vpn SRX01-TO-SRX02 bind-interface st0.0
set security ipsec vpn SRX01-TO-SRX02 ike gateway IKE-GW-S2SVPN-01
set security ipsec vpn SRX01-TO-SRX02 ike ipsec-policy IPSEC-POLICY-S2SVPN-01
set security ipsec vpn SRX01-TO-SRX02 establish-tunnels immediately
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 192.168.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit
set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any
set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn host-inbound-traffic protocols all
set security zones security-zone vpn interfaces st0.0
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set interfaces st0 unit 0 family inet mtu 1500
set interfaces st0 unit 0 family inet address 1.1.1.1/30
set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2p
set protocols ospf area 0.0.0.0 interface st0.0 neighbor 1.1.1.2
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 passive
set routing-options router-id 1.1.1.1
set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254

SRX02

root@SRX02> show configuration | display set | no-more
set version 21.3R1.9
set system host-name SRX02
set security ike proposal standard authentication-method pre-shared-keys
set security ike policy IKE-POLICY-S2SVPN-01 mode aggressive
set security ike policy IKE-POLICY-S2SVPN-01 proposals standard
set security ike policy IKE-POLICY-S2SVPN-01 pre-shared-key ascii-text "$9$SY2lvLdb2GDkxNDk.P3nylK"
set security ike gateway IKE-GW-S2SVPN-01 ike-policy IKE-POLICY-S2SVPN-01
set security ike gateway IKE-GW-S2SVPN-01 address 10.1.1.1
set security ike gateway IKE-GW-S2SVPN-01 external-interface ge-0/0/0
set security ipsec proposal standard
set security ipsec policy IPSEC-POLICY-S2SVPN-01 proposals standard
set security ipsec vpn SRX02-TO-SRX01 bind-interface st0.0
set security ipsec vpn SRX02-TO-SRX01 ike gateway IKE-GW-S2SVPN-01
set security ipsec vpn SRX02-TO-SRX01 ike ipsec-policy IPSEC-POLICY-S2SVPN-01
set security ipsec vpn SRX02-TO-SRX01 establish-tunnels immediately
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 192.168.2.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit
set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any
set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn host-inbound-traffic protocols all
set security zones security-zone vpn interfaces st0.0
set interfaces ge-0/0/0 unit 0 family inet address 20.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
set interfaces st0 unit 0 family inet mtu 1500
set interfaces st0 unit 0 family inet address 1.1.1.2/30
set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2p
set protocols ospf area 0.0.0.0 interface st0.0 neighbor 1.1.1.1
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 passive
set routing-options router-id 1.1.1.2
set routing-options static route 0.0.0.0/0 next-hop 20.1.1.254

root@SRX02>

Router

hostname INT_R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 10.1.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 20.1.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
ip address 192.168.10.99 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 192.168.10.253
!
ipv6 ioam timestamp
!
!
access-list 1 permit any
!

지금까지 [2025][Juniper SRX #23] site to site vpn - S2S VPN - OSPF 글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2025][Juniper SRX #27] Static NAT - One to One NAT (0)	2025.02.14
[2025][Juniper SRX #26] Source Nat - SNAT - IP Pool (0)	2025.02.14
[2025][Juniper SRX #23] site to site vpn - S2S VPN - static route (0)	2025.02.07
[2025][Juniper SRX #22] site to site vpn - S2S VPN - 기본 설정 (0)	2025.02.07
[2025][Juniper SRX #21] ip monitor - ip sla (0)	2025.02.06

IT BLOG(KR)

전체 글

[2025][Juniper SRX #27] Static NAT - One to One NAT

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2025][Juniper SRX #26] Source Nat - SNAT - IP Pool

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2025][Juniper SRX #25] Source Nat - SNAT

[PNETLab][#8]-CheckPoint Firewall Install

'PNETlab' 카테고리의 다른 글

[PNETLab][#7]-Aruba Mobility Controller Install

'PNETlab' 카테고리의 다른 글

[PNETLab][#6]-Aruba CX Switch Install

'PNETlab' 카테고리의 다른 글

[2025][C8200][#2] Register License to CSSM - smart licensing using policy

'CISCO > 라우팅' 카테고리의 다른 글

[PNETLab][#5]-Aruba ClearPass Install

'PNETlab' 카테고리의 다른 글

[2025][C8200][#1] Router IOS XE upgrade

SUMMARY STEPS

'CISCO > 라우팅' 카테고리의 다른 글

[2025][Juniper SRX #24] site to site vpn - S2S VPN - OSPF

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

+ Recent posts

티스토리툴바