IT BLOG(KR)

안녕하세요.

이번에는 Juniper SRX S2S VPN 설정하겠습니다.

실습을 위해서 기본 설정은 아래 글을 참고 부탁드립니다.

https://itblog-kr.tistory.com/196

1. 토폴로지는 아래와 같습니다.

SRX01 Ge-0/0/0 10.1.1.1 trust

SRX01 Ge-0/0/1 192.168.1.1 untrust

SRX02 Ge-0/0/0 20.1.1.1 trust

SRX02 Ge-0/0/1 192.168.2.1 untrust

S2S VPN 연결후 PC 192.168.1.10 <-> PC 192.168.2.10으로 통신이 가능 합니다.

2. SRX01 설정

2-1 Tunnel Interface 설정

set interfaces st0 unit 0 family inet

2-2 Tunnel Interface통해서 상대방 SRX02 내부 192.168.2.0/24로 Static Route 설정

set routing-options static route 192.168.2.0/24 next-hop st0.0

2-3 IKE 설정

IKE POLICY Name: IKE-POLICY-S2SVPN-01

IKE GATEWAY Name: IKE-GW-S2SVPN-01

Pre-share-Keys: juniper

set security ike proposal standard authentication-method pre-shared-keys
set security ike policy IKE-POLICY-S2SVPN-01 mode aggressive
set security ike policy IKE-POLICY-S2SVPN-01 proposals standard
set security ike policy IKE-POLICY-S2SVPN-01 pre-shared-key ascii-text juniper
set security ike gateway IKE-GW-S2SVPN-01 ike-policy IKE-POLICY-S2SVPN-01
set security ike gateway IKE-GW-S2SVPN-01 address 20.1.1.1
set security ike gateway IKE-GW-S2SVPN-01 external-interface ge-0/0/0

2-4 IPSEC 설정

set security ipsec proposal standard
set security ipsec policy IPSEC-POLICY-S2SVPN-01 proposals standard
set security ipsec vpn SRX01-TO-SRX02 bind-interface st0.0
set security ipsec vpn SRX01-TO-SRX02 ike gateway IKE-GW-S2SVPN-01
set security ipsec vpn SRX01-TO-SRX02 ike ipsec-policy IPSEC-POLICY-S2SVPN-01
set security ipsec vpn SRX01-TO-SRX02 establish-tunnels immediately

2-5 S2S VPN을 위한 방화벽 정책 설정

set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn interfaces st0.0

set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit

set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any
set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit

3 SRX02 설정

3-1 Tunnel Interface 설정

set interfaces st0 unit 0 family inet

3-2 Tunnel Interface통해서 상대방 SRX02 내부 192.168.1.0/24로 Static Route 설정

set routing-options static route 192.168.1.0/24 next-hop st0.0

3-3 IKE 설정

IKE POLICY Name: IKE-POLICY-S2SVPN-01

IKE GATEWAY Name: IKE-GW-S2SVPN-01

Pre-share-Keys: juniper

set security ike proposal standard authentication-method pre-shared-keys
set security ike policy IKE-POLICY-S2SVPN-01 mode aggressive
set security ike policy IKE-POLICY-S2SVPN-01 proposals standard
set security ike policy IKE-POLICY-S2SVPN-01 pre-shared-key ascii-text juniper
set security ike gateway IKE-GW-S2SVPN-01 ike-policy IKE-POLICY-S2SVPN-01
set security ike gateway IKE-GW-S2SVPN-01 address 10.1.1.1
set security ike gateway IKE-GW-S2SVPN-01 external-interface ge-0/0/0

3-4 IPSEC 설정

set security ipsec proposal standard
set security ipsec policy IPSEC-POLICY-S2SVPN-01 proposals standard
set security ipsec vpn SRX02-TO-SRX01 bind-interface st0.0
set security ipsec vpn SRX02-TO-SRX01 ike gateway IKE-GW-S2SVPN-01
set security ipsec vpn SRX02-TO-SRX01 ike ipsec-policy IPSEC-POLICY-S2SVPN-01
set security ipsec vpn SRX02-TO-SRX01 establish-tunnels immediately

3-5 S2S VPN을 위한 방화벽 정책 설정

set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn interfaces st0.0

set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit

set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any
set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit

4. Test

PC01에서 PC02로 PING 192.168.2.10

PC02에서 PC01로 PING 192.168.1.10

PC01
84 bytes from 192.168.2.10 icmp_seq=105 ttl=62 time=12.610 ms
84 bytes from 192.168.2.10 icmp_seq=106 ttl=62 time=33.502 ms
84 bytes from 192.168.2.10 icmp_seq=107 ttl=62 time=3.875 ms
84 bytes from 192.168.2.10 icmp_seq=108 ttl=62 time=5.376 ms
84 bytes from 192.168.2.10 icmp_seq=109 ttl=62 time=3.175 ms
84 bytes from 192.168.2.10 icmp_seq=110 ttl=62 time=2.963 ms
84 bytes from 192.168.2.10 icmp_seq=111 ttl=62 time=3.547 ms
84 bytes from 192.168.2.10 icmp_seq=112 ttl=62 time=3.976 ms
84 bytes from 192.168.2.10 icmp_seq=113 ttl=62 time=3.358 ms
84 bytes from 192.168.2.10 icmp_seq=114 ttl=62 time=9.753 ms
84 bytes from 192.168.2.10 icmp_seq=115 ttl=62 time=3.128 ms
84 bytes from 192.168.2.10 icmp_seq=116 ttl=62 time=4.142 ms
84 bytes from 192.168.2.10 icmp_seq=117 ttl=62 time=3.175 ms
84 bytes from 192.168.2.10 icmp_seq=118 ttl=62 time=4.214 ms
84 bytes from 192.168.2.10 icmp_seq=119 ttl=62 time=3.807 ms
84 bytes from 192.168.2.10 icmp_seq=120 ttl=62 time=4.220 ms
84 bytes from 192.168.2.10 icmp_seq=121 ttl=62 time=7.300 ms
84 bytes from 192.168.2.10 icmp_seq=122 ttl=62 time=3.735 ms
84 bytes from 192.168.2.10 icmp_seq=123 ttl=62 time=5.798 ms
84 bytes from 192.168.2.10 icmp_seq=124 ttl=62 time=3.588 ms
84 bytes from 192.168.2.10 icmp_seq=125 ttl=62 time=3.750 ms
84 bytes from 192.168.2.10 icmp_seq=126 ttl=62 time=3.633 ms
84 bytes from 192.168.2.10 icmp_seq=127 ttl=62 time=2.710 ms
84 bytes from 192.168.2.10 icmp_seq=128 ttl=62 time=4.018 ms
84 bytes from 192.168.2.10 icmp_seq=129 ttl=62 time=3.169 ms
84 bytes from 192.168.2.10 icmp_seq=130 ttl=62 time=3.093 ms
84 bytes from 192.168.2.10 icmp_seq=131 ttl=62 time=3.001 ms
84 bytes from 192.168.2.10 icmp_seq=132 ttl=62 time=4.013 ms
84 bytes from 192.168.2.10 icmp_seq=133 ttl=62 time=3.296 ms
84 bytes from 192.168.2.10 icmp_seq=134 ttl=62 time=2.731 ms
84 bytes from 192.168.2.10 icmp_seq=135 ttl=62 time=3.164 ms
84 bytes from 192.168.2.10 icmp_seq=136 ttl=62 time=3.521 ms
84 bytes from 192.168.2.10 icmp_seq=137 ttl=62 time=3.264 ms
84 bytes from 192.168.2.10 icmp_seq=138 ttl=62 time=3.372 ms

PC02
84 bytes from 192.168.1.10 icmp_seq=96 ttl=62 time=11.549 ms
84 bytes from 192.168.1.10 icmp_seq=97 ttl=62 time=3.299 ms
84 bytes from 192.168.1.10 icmp_seq=98 ttl=62 time=4.139 ms
84 bytes from 192.168.1.10 icmp_seq=99 ttl=62 time=6.704 ms
84 bytes from 192.168.1.10 icmp_seq=100 ttl=62 time=7.948 ms
84 bytes from 192.168.1.10 icmp_seq=101 ttl=62 time=7.042 ms
84 bytes from 192.168.1.10 icmp_seq=102 ttl=62 time=8.883 ms
84 bytes from 192.168.1.10 icmp_seq=103 ttl=62 time=5.830 ms
84 bytes from 192.168.1.10 icmp_seq=104 ttl=62 time=3.864 ms
84 bytes from 192.168.1.10 icmp_seq=105 ttl=62 time=7.203 ms
84 bytes from 192.168.1.10 icmp_seq=106 ttl=62 time=5.233 ms
84 bytes from 192.168.1.10 icmp_seq=107 ttl=62 time=3.276 ms
84 bytes from 192.168.1.10 icmp_seq=108 ttl=62 time=3.849 ms
84 bytes from 192.168.1.10 icmp_seq=109 ttl=62 time=4.194 ms
84 bytes from 192.168.1.10 icmp_seq=110 ttl=62 time=3.221 ms
84 bytes from 192.168.1.10 icmp_seq=111 ttl=62 time=3.447 ms
84 bytes from 192.168.1.10 icmp_seq=112 ttl=62 time=4.475 ms
84 bytes from 192.168.1.10 icmp_seq=113 ttl=62 time=4.493 ms
84 bytes from 192.168.1.10 icmp_seq=114 ttl=62 time=3.987 ms
84 bytes from 192.168.1.10 icmp_seq=115 ttl=62 time=3.965 ms
84 bytes from 192.168.1.10 icmp_seq=116 ttl=62 time=3.814 ms
84 bytes from 192.168.1.10 icmp_seq=117 ttl=62 time=3.276 ms
84 bytes from 192.168.1.10 icmp_seq=118 ttl=62 time=3.454 ms
84 bytes from 192.168.1.10 icmp_seq=119 ttl=62 time=4.694 ms
84 bytes from 192.168.1.10 icmp_seq=120 ttl=62 time=4.093 ms
84 bytes from 192.168.1.10 icmp_seq=121 ttl=62 time=3.481 ms
84 bytes from 192.168.1.10 icmp_seq=122 ttl=62 time=5.376 ms
84 bytes from 192.168.1.10 icmp_seq=123 ttl=62 time=3.494 ms
84 bytes from 192.168.1.10 icmp_seq=124 ttl=62 time=4.032 ms
84 bytes from 192.168.1.10 icmp_seq=125 ttl=62 time=3.6

4. S2S VPN 상태 확인

SRX01

IKE Phase 1 UP이 표시 되면 IPSEC를 확인 합니다.

root@SRX01> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
5482273 UP 65c909f14f4d8824 7d74504d227553ca Aggressive 20.1.1.1

IPSEC Phase2 아래처럼 터널이 생성 되었는지 확인

root@SRX01> show security ipsec security-associations
  Total active tunnels: 1     Total Ipsec sas: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:3des/sha1   fc12e938 3062/ unlim  -   root 500   20.1.1.1
  >131073 ESP:3des/sha1   49d44ef0 3062/ unlim  -   root 500   20.1.1.1

PC01에서 PC02로 무한으로 PING를 시도하고 Packet Count가 실제 올라가는지 확인 합니다

그리고 SRX01에서 아래 명령어로 확인

root@SRX01> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:            70040
  Decrypted bytes:            41832
  Encrypted packets:            515
  Decrypted packets:            498
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

root@SRX01>

10초뒤에 다시 똑같은 명령어를 입력하면 Packet Count가 증가하였습니다.

root@SRX01> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:            77656
  Decrypted bytes:            46536
  Encrypted packets:            571
  Decrypted packets:            554
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

root@SRX01>

PC02 -> PC01로 무한으로 PING를 시도합니다

SRX02에서 확인해보겠습니다.

IKE Phase 1 UP이 표시 되면 IPSEC를 확인 합니다.

root@SRX02> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
6514201 UP 65c909f14f4d8824 7d74504d227553ca Aggressive 10.1.1.1

root@SRX02>

IPSEC Phase2 Tunnel이 생성되었습니다.

root@SRX02> show security ipsec security-associations
  Total active tunnels: 1     Total Ipsec sas: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:3des/sha1   49d44ef0 2678/ unlim  -   root 500   10.1.1.1
  >131073 ESP:3des/sha1   fc12e938 2678/ unlim  -   root 500   10.1.1.1

root@SRX02>

Packet Count를 확인 합니다

root@SRX02> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:            87992
  Decrypted bytes:            55776
  Encrypted packets:            647
  Decrypted packets:            664
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

root@SRX02>

10초뒤에 다시 한번 확인합니다

root@SRX02> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:            90032
  Decrypted bytes:            57036
  Encrypted packets:            662
  Decrypted packets:            679
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

root@SRX02>

전체 설정

SRX01

root@SRX01> show configuration | display set | no-more
set version 21.3R1.9
set system host-name SRX01
set security ike proposal standard authentication-method pre-shared-keys
set security ike policy IKE-POLICY-S2SVPN-01 mode aggressive
set security ike policy IKE-POLICY-S2SVPN-01 proposals standard
set security ike policy IKE-POLICY-S2SVPN-01 pre-shared-key ascii-text "$9$a-GjqTz6uORmfORhSMWJGD"
set security ike gateway IKE-GW-S2SVPN-01 ike-policy IKE-POLICY-S2SVPN-01
set security ike gateway IKE-GW-S2SVPN-01 address 20.1.1.1
set security ike gateway IKE-GW-S2SVPN-01 external-interface ge-0/0/0
set security ipsec proposal standard
set security ipsec policy IPSEC-POLICY-S2SVPN-01 proposals standard
set security ipsec vpn SRX01-TO-SRX02 bind-interface st0.0
set security ipsec vpn SRX01-TO-SRX02 ike gateway IKE-GW-S2SVPN-01
set security ipsec vpn SRX01-TO-SRX02 ike ipsec-policy IPSEC-POLICY-S2SVPN-01
set security ipsec vpn SRX01-TO-SRX02 establish-tunnels immediately
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 192.168.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit
set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any
set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn interfaces st0.0
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set interfaces st0 unit 0 family inet
set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254
set routing-options static route 192.168.2.0/24 next-hop st0.0

root@SRX01>

SRX02

root@SRX02> show configuration | display set | no-more
set version 21.3R1.9
set system host-name SRX02
set security ike proposal standard authentication-method pre-shared-keys
set security ike policy IKE-POLICY-S2SVPN-01 mode aggressive
set security ike policy IKE-POLICY-S2SVPN-01 proposals standard
set security ike policy IKE-POLICY-S2SVPN-01 pre-shared-key ascii-text "$9$SY2lvLdb2GDkxNDk.P3nylK"
set security ike gateway IKE-GW-S2SVPN-01 ike-policy IKE-POLICY-S2SVPN-01
set security ike gateway IKE-GW-S2SVPN-01 address 10.1.1.1
set security ike gateway IKE-GW-S2SVPN-01 external-interface ge-0/0/0
set security ipsec proposal standard
set security ipsec policy IPSEC-POLICY-S2SVPN-01 proposals standard
set security ipsec vpn SRX02-TO-SRX01 bind-interface st0.0
set security ipsec vpn SRX02-TO-SRX01 ike gateway IKE-GW-S2SVPN-01
set security ipsec vpn SRX02-TO-SRX01 ike ipsec-policy IPSEC-POLICY-S2SVPN-01
set security ipsec vpn SRX02-TO-SRX01 establish-tunnels immediately
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 192.168.2.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit
set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any
set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn interfaces st0.0
set interfaces ge-0/0/0 unit 0 family inet address 20.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
set interfaces st0 unit 0 family inet
set routing-options static route 0.0.0.0/0 next-hop 20.1.1.254
set routing-options static route 192.168.1.0/24 next-hop st0.0

root@SRX02>

Router

hostname INT_R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 10.1.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 20.1.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
ip address 192.168.10.99 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 192.168.10.253
!
ipv6 ioam timestamp
!
!
access-list 1 permit any
!

지금까지 [2025][Juniper SRX #23] site to site vpn - S2S VPN 글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2025][Juniper SRX #26] Source Nat - SNAT - IP Pool (0)	2025.02.14
[2025][Juniper SRX #24] site to site vpn - S2S VPN - OSPF (0)	2025.02.07
[2025][Juniper SRX #22] site to site vpn - S2S VPN - 기본 설정 (0)	2025.02.07
[2025][Juniper SRX #21] ip monitor - ip sla (0)	2025.02.06
[2024][Juniper SRX #20] License Install - J-Web (0)	2025.02.05

안녕하세요.

오늘은 Juniper SRX에서 Site to Site VPN 설정에 대해서 알아보겠습니다.

EVE-NG에서 토폴로지는 아래와 같이 구성하였습니다.

위에 테스트 구성을 하기 위해서는 아래 글을 참고 부탁드립니다.

1. EVE_NG 설치

https://itblog-kr.tistory.com/11

[2024][EVE-NG #1] 네트워크 시뮬레이션 EVE-NG 설치하기(VMware Workstation)

안녕하세요. 오늘은 주제는 [2024][EVE-NG #1] 네트워크 시뮬레이션 EVE-NG 설치하기(VMware Workstation)입니다. EVE-NG를 설치하기 전에 EVE-NG가 무엇인지 궁금하신 분은 아래 블로그 글을 참조 부탁드립

itblog-kr.tistory.com

2. Router 설치

https://itblog-kr.tistory.com/6

[EVE-NG #6] vIOS cisco 라우터 설치하기

안녕하세요. 이번에는 EVE-NG안에 vIOS cisco라우터를 설치해보겠습니다. EVE-NG가 설치가 않되어져 있다면 아래 블로그를 참조하여 EVE-NG부터 설치하시길 바랍니다. VirtualBox(무료) 가상화 프로그램을

itblog-kr.tistory.com

3. SRX설치

https://itblog-kr.tistory.com/26

[2024][EVE-NG #14] Juniper SRX 방화벽 설치하기

안녕하세요. 오늘은 [2024][EVE-NG #14] Juniper SRX 방화벽 설치하기입니다. 1. eve-ng 공식 홈페이지 관련 내용입니다. https://www.eve-ng.net/index.php/documentation/howtos/howto-add-juniper-vsrx-ng-15-x-and-later/ Juniper vSR

itblog-kr.tistory.com

4. VPC설치

https://itblog-kr.tistory.com/59

[2024][EVE-NG #18] Virtual PC(VPCS)

안녕하세요. 이번에는 EVE-NG에서 VPC에 대해서 알아보도록 하겠습니다. 테스트 할때 간단하게 Ping을 위해서 PC를 만들고 싶을때가 있습니다. 그렇다고 라우터나 스위치 또는 윈도우 PC를 두기에

itblog-kr.tistory.com

실습 준비가 완료 되었으면 주니퍼 SRX site to site vpn를 테스트 하겠습니다.

1. Router 설정

Router#
Router#conf t
Router(config)#ho INT_R1
INT_R1(config)#int g0/2
INT_R1(config-if)#ip add 192.168.10.99 255.255.255.0
INT_R1(config-if)#no sh
INT_R1(config-if)#int g0/0
INT_R1(config-if)#ip add 10.1.1.254 255.255.255.0
INT_R1(config-if)#no sh
INT_R1(config-if)#int g0/1
INT_R1(config-if)#ip add 20.1.1.254 255.255.255.0
INT_R1(config-if)#no sh
INT_R1(config-if)#end

INT_R1#conf t
INT_R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.10.253

1-1 NAT 설정

INT_R1#conf t
INT_R1(config)#access-list 1 permit any
INT_R1(config)#int g0/2
INT_R1(config-if)#ip nat out
INT_R1(config-if)#int g0/0
INT_R1(config-if)#ip nat inside
INT_R1(config-if)#int g0/1
INT_R1(config-if)#ip nat inside
INT_R1(config-if)#end
INT_R1(config)#ip nat inside source list 1 interface g0/2 overload
INT_R1(config)#

1-2 Ping Test

INT_R1#show ip int brie
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         10.1.1.254      YES manual up                    up
GigabitEthernet0/1         20.1.1.254      YES manual up                    up
GigabitEthernet0/2         192.168.10.99   YES manual up                    up
GigabitEthernet0/3         unassigned      YES unset  administratively down down
NVI0                       10.1.1.254      YES unset  up                    up
INT_R1#
INT_R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 192.168.10.253 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.10.253
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.1.0/24 is directly connected, GigabitEthernet0/0
L        10.1.1.254/32 is directly connected, GigabitEthernet0/0
      20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.1.1.0/24 is directly connected, GigabitEthernet0/1
L        20.1.1.254/32 is directly connected, GigabitEthernet0/1
      192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.10.0/24 is directly connected, GigabitEthernet0/2
L        192.168.10.99/32 is directly connected, GigabitEthernet0/2
INT_R1#
INT_R1#
INT_R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/10 ms
INT_R1#ping 8.8.8.8 sou
INT_R1#ping 8.8.8.8 source g0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/4 ms
INT_R1#ping 8.8.8.8 source g0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 20.1.1.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/8 ms
INT_R1#

2. SRX01 기본 설정

ge-0/0/0 - 10.1.1.1

ge-0/0/1 - 192.168.1.1

2-1 기본설정값을 모두 삭제

root@:~ # cli
root> configure
Entering configuration mode

[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# cin
^
unknown command.
root# commit
commit complete

[edit]
root#

2-2 기본설정

set system host-name SRX01
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254

2-3 방화벽 정책 설정

set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit

2-4 NAT 설정

set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 192.168.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface

2-5 확인

root@SRX01> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     10.1.1.1/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     192.168.1.1/24
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

root@SRX01> show route

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:02:39
                    >  to 10.1.1.254 via ge-0/0/0.0
10.1.1.0/24        *[Direct/0] 00:02:40
                    >  via ge-0/0/0.0
10.1.1.1/32        *[Local/0] 00:02:40
                       Local via ge-0/0/0.0
192.168.1.0/24     *[Direct/0] 00:02:39
                    >  via ge-0/0/1.0
192.168.1.1/32     *[Local/0] 00:02:39
                       Local via ge-0/0/1.0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:07:11
                       MultiRecv

root@SRX01> show security zones

Security zone: trust
  Zone ID: 7
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/1.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: untrust
  Zone ID: 8
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: junos-host
  Zone ID: 2
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

root@SRX01> show security nat source summary
Total pools: 0

Total rules: 1
Rule name          Rule set       From              To                   Action
PAT-INTERFACE      SOURCE-NAT     trust             untrust              interface

root@SRX01> show security nat source rule all
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0
source NAT rule: PAT-INTERFACE          Rule-set: SOURCE-NAT
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : trust
  To zone                    : untrust
  Match
    Source addresses         : 192.168.1.0     - 192.168.1.255
    Destination addresses    : 0.0.0.0         - 255.255.255.255
  Action                        : interface
    Persistent NAT type         : N/A
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout          : 0
    Max session number          : 0
  Translation hits           : 10
    Successful sessions      : 10
  Number of sessions         : 0

root@SRX01>

3. PC01 설정

VPCS>
VPCS> ip 192.168.1.10/24 192.168.1.1
Checking for duplicate address...
VPCS : 192.168.1.10 255.255.255.0 gateway 192.168.1.1

VPCS> save
Saving startup configuration to startup.vpc
. done

VPCS>

3-1 Ping 테스트

VPCS>
VPCS> ping 192.168.1.1

84 bytes from 192.168.1.1 icmp_seq=1 ttl=64 time=471.943 ms
84 bytes from 192.168.1.1 icmp_seq=2 ttl=64 time=0.827 ms
84 bytes from 192.168.1.1 icmp_seq=3 ttl=64 time=0.941 ms
84 bytes from 192.168.1.1 icmp_seq=4 ttl=64 time=0.788 ms
84 bytes from 192.168.1.1 icmp_seq=5 ttl=64 time=0.803 ms
^C
VPCS> ping 8.8.8.8

84 bytes from 8.8.8.8 icmp_seq=1 ttl=115 time=29.083 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=115 time=5.006 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=115 time=5.656 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=115 time=5.298 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=115 time=5.411 ms
^C
VPCS>

4. SRX02 설정

Ge-0/0/0 20.1.1.1/24

Ge-0/0/1 192.168.2.1/24

4-1 기본설정값 삭제

root> configure
Entering configuration mode

[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit
commit complete

[edit]
root#

4-2 기본 설정

set system host-name SRX02
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set interfaces ge-0/0/0 unit 0 family inet address 20.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
set routing-options static route 0.0.0.0/0 next-hop 20.1.1.254

4-3 방화벽 정책 설정

set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit

4-4 NAT 설정

set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 192.168.2.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface

4-5 확인

root@SRX02> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     20.1.1.1/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     192.168.2.1/24
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

root@SRX02> show route

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:01:44
                    >  to 20.1.1.254 via ge-0/0/0.0
20.1.1.0/24        *[Direct/0] 00:01:45
                    >  via ge-0/0/0.0
20.1.1.1/32        *[Local/0] 00:01:45
                       Local via ge-0/0/0.0
192.168.2.0/24     *[Direct/0] 00:01:44
                    >  via ge-0/0/1.0
192.168.2.1/32     *[Local/0] 00:01:44
                       Local via ge-0/0/1.0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:18:00
                       MultiRecv

root@SRX02>

root@SRX02> show security zones

Security zone: trust
  Zone ID: 7
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/1.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: untrust
  Zone ID: 8
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: junos-host
  Zone ID: 2
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

root@SRX02>

root@SRX02> show security zones terse
Zone                        Type
trust                       Security
untrust                     Security
junos-host                  Security

root@SRX02>

root@SRX02> ping 10.1.1.254
PING 10.1.1.254 (10.1.1.254): 56 data bytes
64 bytes from 10.1.1.254: icmp_seq=0 ttl=255 time=285.562 ms
64 bytes from 10.1.1.254: icmp_seq=1 ttl=255 time=4.858 ms
64 bytes from 10.1.1.254: icmp_seq=2 ttl=255 time=4.057 ms
64 bytes from 10.1.1.254: icmp_seq=3 ttl=255 time=3.332 ms
64 bytes from 10.1.1.254: icmp_seq=4 ttl=255 time=3.799 ms
^C
--- 10.1.1.254 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.332/60.322/285.562/112.621 ms

root@SRX02> ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=116 time=5.710 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=3.859 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=116 time=4.569 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=116 time=4.114 ms
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.859/4.563/5.710/0.709 ms

4-6 PC2 설정

VPCS> 192.168.2.10/24 192.168.2.1
Bad command: "192.168.2.10/24 192.168.2.1". Use ? for help.

VPCS> ip 192.168.2.10/24 192.168.2.1
Checking for duplicate address...
VPCS : 192.168.2.10 255.255.255.0 gateway 192.168.2.1

VPCS> save
Saving startup configuration to startup.vpc
. done

VPCS> ping 192.168.2.1

192.168.2.1 icmp_seq=1 timeout
84 bytes from 192.168.2.1 icmp_seq=2 ttl=64 time=0.764 ms
84 bytes from 192.168.2.1 icmp_seq=3 ttl=64 time=0.610 ms
84 bytes from 192.168.2.1 icmp_seq=4 ttl=64 time=0.833 ms
84 bytes from 192.168.2.1 icmp_seq=5 ttl=64 time=0.984 ms

VPCS> ping 8.8.8.8

84 bytes from 8.8.8.8 icmp_seq=1 ttl=115 time=33.537 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=115 time=6.485 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=115 time=5.357 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=115 time=6.767 ms
^C
VPCS>

5. SRX01 -> SRX02 WAN포트로 통신

SRX02 -> SRX01 WAN포트로 통신

root@SRX01> ping 20.1.1.1
PING 20.1.1.1 (20.1.1.1): 56 data bytes
64 bytes from 20.1.1.1: icmp_seq=0 ttl=63 time=5.115 ms
64 bytes from 20.1.1.1: icmp_seq=1 ttl=63 time=3.391 ms
64 bytes from 20.1.1.1: icmp_seq=2 ttl=63 time=3.597 ms
64 bytes from 20.1.1.1: icmp_seq=3 ttl=63 time=5.333 ms
^C
--- 20.1.1.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.391/4.359/5.333/0.871 ms

root@SRX01>

root@SRX02> ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1): 56 data bytes
64 bytes from 10.1.1.1: icmp_seq=0 ttl=63 time=6.687 ms
64 bytes from 10.1.1.1: icmp_seq=1 ttl=63 time=7.102 ms
64 bytes from 10.1.1.1: icmp_seq=2 ttl=63 time=4.646 ms
64 bytes from 10.1.1.1: icmp_seq=3 ttl=63 time=2.458 ms
64 bytes from 10.1.1.1: icmp_seq=4 ttl=63 time=5.987 ms
^C
--- 10.1.1.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.458/5.376/7.102/1.680 ms

root@SRX02>

Full configration

SRX01

root@SRX01> show configuration | display set | no-more
set version 21.3R1.9
set system host-name SRX01
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 192.168.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254

SRX02

root@SRX02> show configuration | display set | no-more
set version 21.3R1.9
set system host-name SRX02
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 192.168.2.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set interfaces ge-0/0/0 unit 0 family inet address 20.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
set routing-options static route 0.0.0.0/0 next-hop 20.1.1.254

root@SRX02>

Router 설정

hostname INT_R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 10.1.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 20.1.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
ip address 192.168.10.99 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 192.168.10.253
!
ipv6 ioam timestamp
!
!
access-list 1 permit any

지금까지 [2025][Juniper SRX #22] site to site vpn - S2S VPN - 기본 설정 글을 읽어주셔서 감사합니다.

다음글을 Juniper SRX S2S VPN 설정 하겠습니다.

저작자표시 (새창열림)

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2025][Juniper SRX #24] site to site vpn - S2S VPN - OSPF (0)	2025.02.07
[2025][Juniper SRX #23] site to site vpn - S2S VPN - static route (0)	2025.02.07
[2025][Juniper SRX #21] ip monitor - ip sla (0)	2025.02.06
[2024][Juniper SRX #20] License Install - J-Web (0)	2025.02.05
[2024][Juniper SRX #19] J-Web (0)	2025.02.05

안녕하세요.

오늘은 Juniper srx ip monitor에 대해서 알아보겠습니다.

시스코 용어로는 IP SLA입니다.

아래처럼 SRX에 인터넷이 2개 연결되었다고 확인해보겠습니다.

Default Gateway는 한개만 선택되어서 라이팅이 됩니다.

Main Internet를 통해서 google 8.8.8.8를 모니터링하고 있다가, Main Internet이 죽으면 자동으로

디폴트케이트웨이를 백업 인터넷으로 변경을 실습해 보겠습니다.

토폴로지는 아래와 같습니다.

SRX

Ge-0/0/0 10.1.1.1이 메인 Internet

Ge-0/0/1 20.1.1.1이 백업 Internet 으로 간주하겠습니다.

Internet 라우터는 SRX에 올라오는 트래픽을 NAT처리해서 8.8.8.8이랑 통신 되게 설정 합니다.

기본설정을 먼저 해보겠습니다.

INTENRET ROUTER 설정 입니다.

Router(config)#no ip domain-lookup
Router(config)#hostname INT_ROUTER
INT_ROUTER(config)#line con 0
INT_ROUTER(config-line)#exec-time
INT_ROUTER(config-line)#logg sy
INT_ROUTER(config-line)#end

INT_ROUTER#conf t
INT_ROUTER(config)#int g0/0
INT_ROUTER(config-if)#ip add 192.168.10.101 255.255.255.0
INT_ROUTER(config-if)#no sh
INT_ROUTER(config-if)#end
INT_ROUTER(config)#int g0/1
INT_ROUTER(config-if)#ip add 10.1.1.254 255.255.255.0
INT_ROUTER(config-if)#no sh
INT_ROUTER(config-if)#int g0/2
\INT_ROUTER(config-if)#ip add 20.1.1.254 255.255.255.0
INT_ROUTER(config-if)#no sh
INT_ROUTER(config-if)#end

INT_ROUTER(config)#ip route 0.0.0.0 0.0.0.0 192.168.10.253
INT_ROUTER(config)#end
INT_ROUTER#

INT_ROUTER#
INT_ROUTER#show ip int brie
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         192.168.10.101  YES manual up                    up
GigabitEthernet0/1         10.1.1.254      YES manual up                    up
GigabitEthernet0/2         20.1.1.254      YES manual up                    up
GigabitEthernet0/3         unassigned      YES unset  administratively down down
INT_ROUTER#

INT_ROUTER#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/6 ms

PAT를 설정 합니다.

INT_ROUTER#conf t
INT_ROUTER(config)#int g0/0
INT_ROUTER(config-if)#ip nat outside

INT_ROUTER(config-if)#int g0/1
INT_ROUTER(config-if)#ip nat inside
INT_ROUTER(config-if)#int g0/2
INT_ROUTER(config-if)#ip nat inside
INT_ROUTER(config-if)#end

INT_ROUTER(config)#access-list 1 permit any
INT_ROUTER(config)#ip nat inside source list 1 interface gigabitEthernet 0/0 overload

INT_ROUTER#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/7 ms

INT_ROUTER#ping 8.8.8.8 source g0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/5 ms

INT_ROUTER#ping 8.8.8.8 source g0/2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 20.1.1.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/5/8 ms
INT_ROUTER#

이번에는 주니퍼 기본 설정을 하겠습니다.

기본적으로 설정값을 다 지우고 root password를 설정 합니다.

FreeBSD/amd64 (Amnesiac) (ttyu0)

login: root

--- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil
root@:~ # cli
root>

root> configure
Entering configuration mode

[edit]
root#

[edit]
root#

[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit

Interface 설정

root> show configuration | display set | no-more
set version 21.3R1.9
set system root-authentication encrypted-password "$6$6IWgKM8j$c5/l5czscFh31rD/X/mx8ug3IUwUdyYtb8/KYEjYA7J6YxayiDelNUx9cmSFxzjWpf/0LLxBAADLf.WGE2.XV1"
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 20.1.1.1/24
set interfaces ge-0/0/2 unit 0 family inet address 30.1.1.1/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     10.1.1.1/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     20.1.1.1/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     30.1.1.1/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

root> show security zones

Security zone: trust
  Zone ID: 7
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 2
  Interfaces:
    ge-0/0/1.0
    ge-0/0/2.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: untrust
  Zone ID: 8
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: junos-host
  Zone ID: 2
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

root>

root> ping 10.1.1.254
PING 10.1.1.254 (10.1.1.254): 56 data bytes
64 bytes from 10.1.1.254: icmp_seq=0 ttl=255 time=3.320 ms
64 bytes from 10.1.1.254: icmp_seq=1 ttl=255 time=3.150 ms
64 bytes from 10.1.1.254: icmp_seq=2 ttl=255 time=2.836 ms
64 bytes from 10.1.1.254: icmp_seq=3 ttl=255 time=2.550 ms
64 bytes from 10.1.1.254: icmp_seq=4 ttl=255 time=2.607 ms
^C
--- 10.1.1.254 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.550/2.893/3.320/0.300 ms

root> ping 20.1.1.254
PING 20.1.1.254 (20.1.1.254): 56 data bytes
64 bytes from 20.1.1.254: icmp_seq=0 ttl=255 time=2.894 ms
64 bytes from 20.1.1.254: icmp_seq=1 ttl=255 time=2.782 ms
64 bytes from 20.1.1.254: icmp_seq=2 ttl=255 time=2.699 ms
64 bytes from 20.1.1.254: icmp_seq=3 ttl=255 time=3.372 ms
64 bytes from 20.1.1.254: icmp_seq=4 ttl=255 time=2.571 ms
^C
--- 20.1.1.254 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.571/2.864/3.372/0.275 ms

root>

NAT 설정

Source IP가 30.1.1.0/24에 대해서는 Source NAT를 진행합니다.

set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 30.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface

Firewall Rule 설정

set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit

VPC IP 설정 및 8.8.8.8 테스트

VPCS> ip 30.1.1.254/24 30.1.1.1
Checking for duplicate address...
VPCS : 30.1.1.254 255.255.255.0 gateway 30.1.1.1

VPCS> save
Saving startup configuration to startup.vpc
.  done

VPCS> ping 8.8.8.8

84 bytes from 8.8.8.8 icmp_seq=1 ttl=115 time=17.295 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=115 time=4.437 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=115 time=5.881 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=115 time=5.225 ms
^C
VPCS>

VPCS> trace 8.8.8.8
trace to 8.8.8.8, 8 hops max, press Ctrl+C to stop
1   30.1.1.1   9.255 ms  0.759 ms  0.866 ms
2   10.1.1.254   8.273 ms  16.840 ms  4.871 ms
3   192.168.10.253   15.513 ms  4.014 ms  4.634 ms
4   202.14.11.193   3.964 ms  4.513 ms  3.862 ms
5   202.14.12.33   4.422 ms  3.900 ms  6.111 ms
6   203.117.190.81   7.847 ms  7.067 ms  9.060 ms
^C 7     *

VPCS>

위에 처럼 메인 Internet를 통해서 8.8.8.8 통신을 시도 합니다.

10.1.1.254 Main Internet

20.1.1.254 Backup Internet

SRX에서 IP MONITOR기능을 설정해서 Main Internet를 통해서 8.8.8.8 모니터링 합니다.

모니터링이 성공하면 디폴트로 설정된 Default Gateway를 사용하고 실패하면 20.1.1.254 Default Gateway를 추가하여.

우선순위를 더 높에 사용해서 20.1.1.254가 선택되게 합니다.

다시 Main Internet를 통해서 8.8.8.8 성공하면 Main Internet 10.1.1.254 Defualt Gateway가 선택 되게 합니다.

SRX 설정값 입니다.

set services rpm probe probe-test test test probe-type icmp-ping
set services rpm probe probe-test test test target address 8.8.8.8
set services rpm probe probe-test test test probe-count 5
set services rpm probe probe-test test test probe-interval 5
set services rpm probe probe-test test test test-interval 5
set services rpm probe probe-test test test thresholds successive-loss 10
set services rpm probe probe-test test test next-hop 10.1.1.254
set services ip-monitoring policy probe-policy match rpm-probe probe-test
set services ip-monitoring policy probe-policy then preferred-route route 0.0.0.0/0 next-hop 20.1.1.254

라우팅을 확인 합니다

10.1.1.254가 사용중입니다.

root> show route

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:37:58
                    >  to 10.1.1.254 via ge-0/0/0.0
10.1.1.0/24        *[Direct/0] 00:37:58
                    >  via ge-0/0/0.0
10.1.1.1/32        *[Local/0] 00:37:58
                       Local via ge-0/0/0.0
20.1.1.0/24        *[Direct/0] 00:37:58
                    >  via ge-0/0/1.0
20.1.1.1/32        *[Local/0] 00:37:58
                       Local via ge-0/0/1.0
30.1.1.0/24        *[Direct/0] 00:37:58
                    >  via ge-0/0/2.0
30.1.1.1/32        *[Local/0] 00:37:58
                       Local via ge-0/0/2.0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:57:56
                       MultiRecv

root>

IP Monitering 상태 확인하는 방법

root> show services rpm probe-results
    Owner: probe-test, Test: test
    Target address: 8.8.8.8, Probe type: icmp-ping, Icmp-id: 10,
    Test size: 5 probes
    Probe results:
      Response received
      Probe sent time: Thu Feb  6 13:11:33 2025
      Probe rcvd/timeout time: Thu Feb  6 13:11:33 2025, No hardware timestamps
      Rtt: 3555 usec, Round trip jitter: 285 usec
      Round trip interarrival jitter: 1223 usec
    Results over current test:
      Probes sent: 5, Probes received: 5, Loss percentage: 0.000000
      Measurement: Round trip time
        Samples: 5, Minimum: 3065 usec, Maximum: 3555 usec, Average: 3297 usec,
        Peak to peak: 490 usec, Stddev: 158 usec, Sum: 16484 usec
      Measurement: Positive round trip jitter
        Samples: 4, Minimum: 90 usec, Maximum: 285 usec, Average: 187 usec,
        Peak to peak: 195 usec, Stddev: 70 usec, Sum: 749 usec
      Measurement: Negative round trip jitter
        Samples: 1, Minimum: 277 usec, Maximum: 277 usec, Average: 277 usec,
        Peak to peak: 0 usec, Stddev: 0 usec, Sum: 277 usec
    Results over last test:
      Probes sent: 5, Probes received: 5, Loss percentage: 0.000000
      Test completed on Thu Feb  6 13:11:33 2025
      Measurement: Round trip time
        Samples: 5, Minimum: 3065 usec, Maximum: 3555 usec, Average: 3297 usec,
        Peak to peak: 490 usec, Stddev: 158 usec, Sum: 16484 usec
      Measurement: Positive round trip jitter
        Samples: 4, Minimum: 90 usec, Maximum: 285 usec, Average: 187 usec,
        Peak to peak: 195 usec, Stddev: 70 usec, Sum: 749 usec
      Measurement: Negative round trip jitter
        Samples: 1, Minimum: 277 usec, Maximum: 277 usec, Average: 277 usec,
        Peak to peak: 0 usec, Stddev: 0 usec, Sum: 277 usec
    Results over all tests:
      Probes sent: 10, Probes received: 10, Loss percentage: 0.000000
      Measurement: Round trip time
        Samples: 10, Minimum: 3033 usec, Maximum: 13877 usec,
        Average: 5128 usec, Peak to peak: 10844 usec, Stddev: 3872 usec,
        Sum: 51275 usec
      Measurement: Positive round trip jitter
        Samples: 6, Minimum: 32 usec, Maximum: 8668 usec, Average: 1575 usec,
        Peak to peak: 8636 usec, Stddev: 3173 usec, Sum: 9449 usec
      Measurement: Negative round trip jitter
        Samples: 3, Minimum: 277 usec, Maximum: 10844 usec, Average: 6590 usec,
        Peak to peak: 10567 usec, Stddev: 4553 usec, Sum: 19771 usec

root>

아래처럼 8.8.8.8 모니터링이 성공하였다고 PASS 표시됩니다.

root> show services ip-monitoring status

Policy - probe-policy (Status: PASS)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    probe-test             test            8.8.8.8          PASS

  Route-Action (Adding backup routes when FAIL):
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    inet.0            0.0.0.0/0         20.1.1.254       NOT-APPLIED

root>

이번에는 INT_ROUTER에서 G0/1 Shutdown 해 보겠습니다.

INT_ROUTER#show ip int brie
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         192.168.10.101  YES manual up                    up
GigabitEthernet0/1         10.1.1.254      YES manual up                    up
GigabitEthernet0/2         20.1.1.254      YES manual up                    up
GigabitEthernet0/3         unassigned      YES unset  administratively down down
NVI0                       192.168.10.101  YES unset  up                    up
INT_ROUTER#
INT_ROUTER#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
INT_ROUTER(config)#int g0/1
INT_ROUTER(config-if)#sh
INT_ROUTER(config-if)#

그리고 Juniper SRX에서 상태를 확인해 보겠습니다.
메인 Internet를 통해서 8.8.8.8 실패해서 FAIL이라고 표시 됩니다.

root> show services ip-monitoring status

Policy - probe-policy (Status: FAIL)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    probe-test             test            8.8.8.8          FAIL

  Route-Action (Adding backup routes when FAIL):
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    inet.0            0.0.0.0/0         20.1.1.254       APPLIED

root>

라우팅 테이블을 확인해보겠습니다.

0.0.0.0/0 * 20.1.1.254선택 되었습니다.

root> show route

inet.0: 7 destinations, 8 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/1] 00:00:40, metric2 0
                    >  to 20.1.1.254 via ge-0/0/1.0
                    [Static/5] 00:41:30
                    >  to 10.1.1.254 via ge-0/0/0.0
10.1.1.0/24        *[Direct/0] 00:41:30
                    >  via ge-0/0/0.0
10.1.1.1/32        *[Local/0] 00:41:30
                       Local via ge-0/0/0.0
20.1.1.0/24        *[Direct/0] 00:41:30
                    >  via ge-0/0/1.0
20.1.1.1/32        *[Local/0] 00:41:30
                       Local via ge-0/0/1.0
30.1.1.0/24        *[Direct/0] 00:41:30
                    >  via ge-0/0/2.0
30.1.1.1/32        *[Local/0] 00:41:30
                       Local via ge-0/0/2.0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 01:01:28
                       MultiRecv

root>

PC에서 8.8.8.8 Ping확인

VPCS> ping 8.8.8.8

84 bytes from 8.8.8.8 icmp_seq=1 ttl=115 time=14.530 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=115 time=6.496 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=115 time=4.036 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=115 time=4.639 ms
^C
VPCS> trace 8.8.8.8
trace to 8.8.8.8, 8 hops max, press Ctrl+C to stop
1   30.1.1.1   6.549 ms  0.323 ms  0.288 ms
2   20.1.1.254   4.672 ms  2.443 ms  2.587 ms
3   192.168.10.253   5.439 ms  3.019 ms  3.723 ms
4   202.14.11.193   2.668 ms  3.153 ms  2.520 ms
5   202.14.12.33   3.274 ms  2.983 ms  3.199 ms
6   203.117.190.81   3.344 ms  2.981 ms  3.447 ms
7     *  *  *
8   203.116.3.50   4.120 ms  3.835 ms  3.361 ms

VPCS>

Backup Internet 20.1.1.254를 통해서 8.8.8.8 통신 되었습니다.

이번에는 다시 INT_ROUTER G0/1를 Shutdown해서 Main Internet를 살리겠습니다

INT_ROUTER#conf t
Enter configuration commands, one per line. End with CNTL/Z.
INT_ROUTER(config)#int g0/1
INT_ROUTER(config-if)#no sh
INT_ROUTER(config-if)#end
INT_ROUTER#

Juniper SRX에 확인해보겠습니다.

메인 Intenret를 통해서 8.8.8.8 성공해서 PASS라고 표시 됩니다.

root> show services ip-monitoring status

Policy - probe-policy (Status: PASS)
  RPM Probes:
    Probe name             Test Name       Address          Status
    ---------------------- --------------- ---------------- ---------
    probe-test             test            8.8.8.8          PASS

  Route-Action (Adding backup routes when FAIL):
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    inet.0            0.0.0.0/0         20.1.1.254       NOT-APPLIED

라우팅 확인

메인 Intrenet이 0.0.0.0/0 선택 되었습니다.

root> show route

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:44:58
                    >  to 10.1.1.254 via ge-0/0/0.0
10.1.1.0/24        *[Direct/0] 00:44:58
                    >  via ge-0/0/0.0
10.1.1.1/32        *[Local/0] 00:44:58
                       Local via ge-0/0/0.0
20.1.1.0/24        *[Direct/0] 00:44:58
                    >  via ge-0/0/1.0
20.1.1.1/32        *[Local/0] 00:44:58
                       Local via ge-0/0/1.0
30.1.1.0/24        *[Direct/0] 00:44:58
                    >  via ge-0/0/2.0
30.1.1.1/32        *[Local/0] 00:44:58
                       Local via ge-0/0/2.0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 01:04:56
                       MultiRecv

root>

PC에서 Ping확인

VPCS> ping 8.8.8.8

84 bytes from 8.8.8.8 icmp_seq=1 ttl=115 time=5.238 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=115 time=4.189 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=115 time=4.335 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=115 time=4.901 ms
^C
VPCS> trace 8.8.8.8
trace to 8.8.8.8, 8 hops max, press Ctrl+C to stop
1   30.1.1.1   0.720 ms  0.342 ms  0.297 ms
2   10.1.1.254   4.886 ms  2.755 ms  1.927 ms
3   192.168.10.253   4.773 ms  2.598 ms  2.446 ms
4   202.14.11.193   2.810 ms  2.187 ms  2.950 ms
5   202.14.12.33   3.585 ms  3.912 ms  2.398 ms
6   203.117.190.81   3.007 ms  3.628 ms  3.860 ms
7     *  *  *
8   203.118.60.86   3.371 ms  3.265 ms  3.244 ms

VPCS>

지금까지 [2025][Juniper SRX #21] ip monitor - ip sla 글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2025][Juniper SRX #23] site to site vpn - S2S VPN - static route (0)	2025.02.07
[2025][Juniper SRX #22] site to site vpn - S2S VPN - 기본 설정 (0)	2025.02.07
[2024][Juniper SRX #20] License Install - J-Web (0)	2025.02.05
[2024][Juniper SRX #19] J-Web (0)	2025.02.05
[2024][Juniper SRX #18] Firmware recommendation (0)	2025.01.11

안녕하세요.

오늘은 SRX320 License를 J-Web를 통해서 설치해보겠습니다.

1. SRX IPS라이센스를 구매하면 Distributor로부터 Activiation Code PDF파일을 전송 받게 됩니다.

중요부분은 다 삭제 하였습니다.

2. J-WEB를 접속 합니다.

시리얼번호는 삭제하였습니다. 시리얼번호를 확인 합니다.

3. JAL license Portal에 접속하고 위에 라이센스 activiation PDF파일에서 Activation Code를 복사해서 붙어 넣으면 자동으로 라이센스를 찾아서 Activiation으로 넘어 갑니다.

또는 아래 Order Number를 검색한후에 옆에 Activate 버튼을 눌러서 활성화도 가능 합니다.

라이센스를 구매할때 이미 고객사정보 Juniper SI 파트너 계정에 이미 라이센스가 들어가져 있습니다.

4. 아래처럼 장비 시리얼정보와, Noted, Email주소를 입력하고 Activate버튼을 클릭 합니다.

5. Download 버튼을 클릭 합니다.

6. 라이센스 키가 다운로드 되고 파일을 클릭 하면 아래처럼 정보를 확인 가능 합니다

Issue Date          : 05-Feb-2025
Expiry Date         : 25-Jan-2030

HW Serial Number    : 장비 시리얼 번호

SSRN                : xxxxxxxxxx

Feature             : S-SRX320-A1-5
Quantity            : 1
Software Version    : All Versions
License Key         :

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Device Administration

2. License Management를 선택합니다.

현재 Default로 아래처럼 2개가 설치 되어져 있습니다.

remote-access-ipsec-vpn-client	0	2	0	Permanent
remote-access-juniper-std	0	2	0	Permanent

3. Add버튼을 클릭 하고 Txt파일에서 키값을 복사해서 붙여넣기 합니다.

아래처럼 라이센스가 적용 되었습니다.

지금까지 [2024][Juniper SRX #20] License Install - J-Web 글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2025][Juniper SRX #22] site to site vpn - S2S VPN - 기본 설정 (0)	2025.02.07
[2025][Juniper SRX #21] ip monitor - ip sla (0)	2025.02.06
[2024][Juniper SRX #19] J-Web (0)	2025.02.05
[2024][Juniper SRX #18] Firmware recommendation (0)	2025.01.11
[2024][Juniper SRX #17] Firmware Upgrade path (0)	2025.01.07

안녕하세요.

오늘은 Juniper SRX J-Web에 대해서 알아보겠습니다.

Juniper SRX은 기본적으로 J-Web이 Default로 Enable 되어져 있습니다.

Console 케이블을 연결하고 Ge0/1 ~ Ge0/5 까지 아무 포트에 케이블을 PC와 연결 합니다.

Default Login -

id: root

password: 없음

장비에 아래처럼 이미 기본적으로 설정값이 들어가져 있습니다.

root> show configuration | display set | no-more
set version 21.4R3-S3.4
set system services ssh
set system services netconf ssh
set system services dhcp-local-server group jdhcp-group interface irb.0
set system services web-management https system-generated-certificate
set system name-server 8.8.8.8
set system name-server 8.8.4.4
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file interactive-commands interactive-commands any
set system syslog file messages any notice
set system syslog file messages authorization info
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system phone-home server https://redirect.juniper.net
set system phone-home rfc-compliant
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies pre-id-default-policy then log session-close
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces irb.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/7.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/7.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces dl0.0 host-inbound-traffic system-services tftp
set interfaces ge-0/0/0 unit 0 family inet dhcp vendor-id Juniper-srx320
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/7 unit 0 family inet dhcp vendor-id Juniper-srx320
set interfaces cl-1/0/0 dialer-options pool 1 priority 100
set interfaces dl0 unit 0 family inet negotiate-address
set interfaces dl0 unit 0 family inet6 negotiate-address
set interfaces dl0 unit 0 dialer-options pool 1
set interfaces dl0 unit 0 dialer-options dial-string 1234
set interfaces dl0 unit 0 dialer-options always-on
set interfaces irb unit 0 family inet address 192.168.1.1/24
set access address-assignment pool junosDHCPPool family inet network 192.168.1.0/24
set access address-assignment pool junosDHCPPool family inet range junosRange low 192.168.1.2
set access address-assignment pool junosDHCPPool family inet range junosRange high 192.168.1.254
set access address-assignment pool junosDHCPPool family inet dhcp-attributes router 192.168.1.1
set access address-assignment pool junosDHCPPool family inet dhcp-attributes propagate-settings ge-0/0/0.0
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface irb.0
set protocols l2-learning global-mode switching
set protocols rstp interface all

root>

Irb interface를 확인 합니다.
192.168.1.1 irb0이 UP 되었습니다.

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    down
ge-0/0/0.0              up    down inet
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet     10.0.0.1            --> 10.0.0.16
                                            10.0.0.6            --> 0/0
                                            128.0.0.1           --> 128.0.1.16
                                            128.0.0.6           --> 0/0
ge-0/0/1                up    down
ge-0/0/1.0              up    down eth-switch
ge-0/0/2                up    down
ge-0/0/2.0              up    down eth-switch
ge-0/0/3                up    up
ge-0/0/3.0              up    up   eth-switch
ge-0/0/4                up    down
ge-0/0/4.0              up    down eth-switch
ge-0/0/5                up    down
ge-0/0/5.0              up    down eth-switch
ge-0/0/6                up    down
ge-0/0/6.0              up    down eth-switch
ge-0/0/7                up    down
ge-0/0/7.0              up    down inet
dl0                     up    up
dl0.0                   up    up   inet
                                   inet6    fe80::7629:720f:fc1f:2b69/64
esi                     up    up
fti0                    up    up
fxp2                    up    up
fxp2.0                  up    up   tnp      0x1
gre                     up    up
ipip                    up    up
irb                     up    up
irb.0                   up    up   inet     192.168.1.1/24
jsrv                    up    up
jsrv.1                  up    up   inet     128.0.0.127/2
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
rbeb                    up    up
st0                     up    up
tap                     up    up
vtep                    up    up

Jweb 접속하기 전에 root 패스워드를 설정 합니다.

root# set system root-authentication plain-text-password

PC에서 Ping를 시도 합니다.

Reply from 192.168.1.1: bytes=32 time=2ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=2ms TTL=64
Reply from 192.168.1.1: bytes=32 time=3ms TTL=64
Reply from 192.168.1.1: bytes=32 time=2ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=2ms TTL=64
Reply from 192.168.1.1: bytes=32 time=2ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=3ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=2ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64

2. google chrome또는 Firebox에서 https://192.168.1.1 접속 합니다

3. Root/Passowrd를 입력 합니다.

4. 아래처럼 접속이 완료 되었습니다.

Juniper SRX는 예전에 J-Web버전에 버그들이랑 문제점들이 많아서 CLI로 통해서 Juniper SRX를 사용해 왔습니다.

지금까지 [2024][Juniper SRX #19] J-Web 글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2025][Juniper SRX #21] ip monitor - ip sla (0)	2025.02.06
[2024][Juniper SRX #20] License Install - J-Web (0)	2025.02.05
[2024][Juniper SRX #18] Firmware recommendation (0)	2025.01.11
[2024][Juniper SRX #17] Firmware Upgrade path (0)	2025.01.07
[2024][Juniper SRX #16] password recovery (0)	2024.07.28

안녕하세요.

오늘은 PNETLab를 통해서 Arista vEOS Switch를 설치 해보겠습니다.

PNETLab VMware를 실행 합니다.

설치 방법은 아래 글을 참고 부탁드립니다.

https://itblog-kr.tistory.com/122

[PNETLab][#1]- Installation on VMware workstation

안녕하세요. EVE-NG Community 무료 버전을 사용하고 있는데, SDWAN 테스트 할때 Jitter, Delay등등을 테스트 하기 위해서는 EVE-NG PRO로 업그레이드 해야 합니다. 그래서 이번에 PNETLab를 설치 하고 안

itblog-kr.tistory.com

1. Putty를 통해서 PNETLab에 접속 합니다.

IP주소는 위에 참고해서 접속 합니다.

2. ishare2 search veos 검색합니다.

ishare로는 검색이 되지 않습니다.

ishare2를 설치 해야 합니다.

아래 글을 참고 부탁드립니다.

https://itblog-kr.tistory.com/123

[PNETLab][#2]- ishare command

안녕하세요. 오늘은 PNETLab에 ishare command에 대해서 알아보겠습니다.EVE-NG는 시뮬레이션 이미지를 직접 다운로드 받아서 EVE-NG에 업로드 해야합니다.하지만 PNETLab는 자체적으로 시뮬레이션 이미

itblog-kr.tistory.com

root@pnetlab:~# ishare2 search veos
=============================
    Available QEMU images
=============================
ID   NAME                    SIZE
--   ----                    ----
903  veos-4.14.0F            403.1 MiB
904  veos-4.14.5F            402.9 MiB
905  veos-4.15.0F            491.9 MiB
906  veos-4.23.2             425.2 MiB
907  veos-4.23.2.1           431.1 MiB
908  veos-4.24.0             418.5 MiB
909  veos-4.24.1             420.8 MiB
910  veos-4.24.1.1F          420.8 MiB
911  veos-4.24.2.1F          427.0 MiB
912  veos-4.24.2.2F          427.0 MiB
913  veos-4.24.2.3F          426.9 MiB
914  veos-4.24.2.4F          426.9 MiB
915  veos-4.24.2F            426.9 MiB
916  veos-4.24.3M            426.9 MiB
917  veos-4.24.4M            429.0 MiB
918  veos-4.24.5M            429.2 MiB
919  veos-4.24.6M            429.2 MiB
920  veos-4.24.7M            429.4 MiB
921  veos-4.24.8M            428.7 MiB
922  veos-4.25.0F            438.7 MiB
923  veos-4.25.0FX-LDP-RSVP  438.6 MiB
924  veos-4.25.1F            436.9 MiB
925  veos-4.25.2F            423.3 MiB
926  veos-4.25.3.1M          424.1 MiB
927  veos-4.25.3M            423.5 MiB
928  veos-4.25.4M            423.9 MiB
929  veos-4.25.5.1M          433.5 MiB
930  veos-4.25.5M            433.4 MiB
931  veos-4.25.6M            434.1 MiB
932  veos-4.25.7M            433.6 MiB
933  veos-4.26.0.1F          431.0 MiB
934  veos-4.26.0F            431.0 MiB
935  veos-4.26.1F            442.4 MiB
936  veos-4.26.2F            449.1 MiB
937  veos-4.26.3M            449.1 MiB
938  veos-4.26.4M            449.3 MiB
939  veos-4.26.5M            449.4 MiB
940  veos-4.27.0F            442.5 MiB
941  veos-4.27.1F            453.9 MiB
942  veos-4.27.3F            471.1 MiB
943  veos-4.27.4.1M          472.5 MiB
944  veos-4.27.4M            472.5 MiB
945  veos-4.28.0F            481.4 MiB
946  veos-4.28.1F            495.0 MiB
947  veos-4.29.2F            521.3 MiB

45 QEMU images found for the term: "veos"

============================
    Available IOL images
============================
ID  NAME  SIZE
--  ----  ----

No IOL images found for the term: "veos"

=================================
    Available DYNAMIPS images
=================================
ID  NAME  SIZE
--  ----  ----

No DYNAMIPS images found for the term: "veos"

root@pnetlab:~#

2. 저는 947 veos-4.29.2F 521.3 MiB 설치해보겠습니다

ishare2 pull qemu 947

root@pnetlab:~# ishare2 pull qemu 947
[!] IMAGE INFO
- Image Name       : veos-4.29.2F
- Image Size       : 521.3 MiB
- Image Type       : QEMU
- Image ID         : 947
- Image path       : /opt/unetlab/addons/qemu/veos-4.29.2F
- Using host       : https://labhub.eu.org
[!] DOWNLOADING IMAGE
/opt/unetlab/addons/qemu/v 100%[======================================>] 521.29M  5.33MB/s    in 94s
[+] DOWNLOAD COMPLETED!
[-] Extracting: veos-4.29.2F.tgz file...
[+] Extracted: /opt/unetlab/addons/qemu/veos-4.29.2F. Image ready to use.
[-] Fixing permissions...

[+] Fix permissions command has been executed correctly
root@pnetlab:~#

3. https://192.168.40.250 접속 하고 로그인 합니다.

4. 아래 버튼을 클릭 합니다.

5. 아래처럼 New Lab이름을 정하고 Add버튼을 클릭 합니다.

6. 오른쪽 마우스를 클릭하고 Node를 클릭 합니다.

7. Arista vEOS를 선택 합니다.

8. 수정없이 그냥 Save버튼을 클릭 합니다.

9. 장비를 부팅 합니다.

10. 장비를 더블클릭하면 Putty또는 CRT가 자동으로 실행 됩니다.

[    4.374620] Running e2fsck on: /mnt/flash
[    4.405684] e2fsck on /mnt/flash took 0s
Data in /mnt/flash/vEOS-lab.swi differs from previous boot image on /mnt/flash.
Saving new boot image to /mnt/flash...
Switching rootfs

Welcome to Arista Networks EOS 4.29.2F
Architecture: x86_64
Starting ProcMgr: Removing all files in all subdirs of /etc/ProcMgr.d/run
[  OK  ]
Starting EOS initialization stage 1: [  OK  ]
Starting NorCal initialization: Starting EOS Cloud Init: [  OK  ]
[  OK  ]
Starting EOS initialization stage 2: [  OK  ]
Completing EOS initialization (press ESC to skip): [  OK  ]
Model and Serial Number: unknown
System RAM: 2005420 kB
Flash Memory size:  3.9G

No startup-config was found.

The device is in Zero Touch Provisioning mode and is attempting to
download the startup-config from a remote system. The device will not
be fully functional until either a valid startup-config is downloaded
from a remote system or Zero Touch Provisioning is cancelled.

To cancel Zero Touch Provisioning, login as admin and type
'zerotouch cancel' at the CLI. Alternatively, to disable Zero Touch
Provisioning permanently, type 'zerotouch disable' at the CLI.
Note: The device will reload when these commands are issued.

localhost login: Feb  3 12:30:44 localhost ZeroTouch: %ZTP-6-DHCPv4_QUERY: Sending DHCPv4 request with system MAC address on [ Ethernet1, Ethernet2, Ethernet3, Ethernet4, Ethernet5, Ethernet6, Ethernet7, Ethernet8 ] (option 67, 143)
Feb  3 12:30:44 localhost ZeroTouch: %ZTP-6-DHCPv4_QUERY: Sending DHCPv4 request with serial number on [ Ethernet1, Ethernet2, Ethernet3, Ethernet4, Ethernet5, Ethernet6, Ethernet7, Ethernet8 ] (option 67, 143)
Feb  3 12:30:50 localhost Stp: %SPANTREE-6-STABLE_CHANGE: Stp state is now stable
Feb  3 12:30:59 localhost ZeroTouch: %ZTP-4-DHCPv4_QUERY_FAIL: Failed to get a valid DHCPv4 response (option 67, 143)
Feb  3 12:30:59 localhost ZeroTouch: %ZTP-6-RETRY: Retrying Zero Touch Provisioning from the beginning (attempt 1)

No startup-config was found.

The device is in Zero Touch Provisioning mode and is attempting to
download the startup-config from a remote system. The device will not
be fully functional until either a valid startup-config is downloaded
from a remote system or Zero Touch Provisioning is cancelled.

To cancel Zero Touch Provisioning, login as admin and type
'zerotouch cancel' at the CLI. Alternatively, to disable Zero Touch
Provisioning permanently, type 'zerotouch disable' at the CLI.
Note: The device will reload when these commands are issued.

localhost login: Feb  3 12:31:14 localhost ZeroTouch: %ZTP-6-DHCPv4_QUERY: Sending DHCPv4 request with system MAC address on [ Ethernet1, Ethernet2, Ethernet3, Ethernet4, Ethernet5, Ethernet6, Ethernet7, Ethernet8 ] (option 67, 143)
Feb  3 12:31:14 localhost ZeroTouch: %ZTP-6-DHCPv4_QUERY: Sending DHCPv4 request with serial number on [ Ethernet1, Ethernet2, Ethernet3, Ethernet4, Ethernet5, Ethernet6, Ethernet7, Ethernet8 ] (option 67, 143)

No startup-config was found.

The device is in Zero Touch Provisioning mode and is attempting to
download the startup-config from a remote system. The device will not
be fully functional until either a valid startup-config is downloaded
from a remote system or Zero Touch Provisioning is cancelled.

To cancel Zero Touch Provisioning, login as admin and type
'zerotouch cancel' at the CLI. Alternatively, to disable Zero Touch
Provisioning permanently, type 'zerotouch disable' at the CLI.
Note: The device will reload when these commands are issued.

localhost login: admin
localhost>
localhost>?
  clear       Reset functions
  connect     TELNET client
  default     Set a command to its defaults
  disable     Disable commands for a specified privilege level
  enable      Enable commands for a specified privilege level
  exit        Leave Exec mode
  logout      Exit from EXEC mode
  netconf     Configure NETCONF
  no          Disable the command that follows
  ping        Ping remote systems
  reset       Reset various components of the switch
  run         Run multiple commands in one line
  show        Display details of switch operation
  ssh         Open ssh connection
  tcpdump     Monitor packets with tcpdump
  telnet      TELNET client
  terminal    Set terminal parameters
  traceroute  Traceroute command
  watch       Execute a command repeatedly
  zerotouch   ZeroTouch configuration

localhost>

시간이 지나면 위에 처럼 정삭적으로 동작합니다.

지금까지 [PNETLab][#4]- Arista vEOS Switch Install 글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

'PNETlab' 카테고리의 다른 글

[PNETLab][#7]-Aruba Mobility Controller Install (0)	2025.02.13
[PNETLab][#6]-Aruba CX Switch Install (0)	2025.02.13
[PNETLab][#5]-Aruba ClearPass Install (0)	2025.02.10
[PNETLab][#2]- ishare command (0)	2024.12.27
[PNETLab][#1]- Installation on VMware workstation (0)	2024.12.27

안녕하세요.

오늘은 Cisco License Type에 대해서 알아보겠습니다.

Traditional - PAK

Smart License Mode -

Smart License use Policy Mode -

IOS 버전에 따라서 지원하는 모드가 다릅니다.

Smart Licensing Requirements by Release

The support for Smart Licensing started with Cisco IOS XE 16.10.1. In the Cisco IOS XE 17.3.2 and 17.4.1, support to a simplified method for Smart Licensing with the use of Policies mode only License was started.

IOS XE Release	Platform Requirements	CUBE Licensing
16.6.1 to 16.9.x	Smart Licensing mode is optional	RTU licensing only
16.10.x	Smart Licensing mode only	RTU licensing only
16.11.1a to 17.1.x	Smart Licensing mode only Continued registration is required to enable CUBE features	Smart Licensing only* Trunk license requests are set by manual configuration No license policing if out of compliance SIP processing disabled in the 'Eval-Expired' state
17.2.1r to 17.3.1a	Smart Licensing mode only Continued registration is required in order to enable CUBE features	Smart Licensing only* Trunk license requests are set dynamically by usage No license policing if out of compliance SIP processing disabled in the 'Eval-Expired' state
17.3.2 onwards	Smart Licensing with the use of Policy mode only License use must be reported within the account policy to enable CUBE features	Smart Licensing only* Trunk license use is measured periodically and reported as per the Smart Account policy In accordance with policy, license policing reports are not acknowledged (SIP processing is disabled otherwise)

Cisco 공식 홈페이지 정보 입니다.

https://www.cisco.com/c/en/us/support/docs/cx/common-licensing-issues/how-to/other/cx217847-configure-smart-licensing-on-ios-xe-plat.html

Configure Smart Licensing on Cisco IOS XE Platforms for CUBE

This document describes the concept and need behind the Cisco Smart Software Licensing for Cisco Unified Border Element (CUBE).

www.cisco.com

reference cisco site

https://www.cisco.com/c/en/us/td/docs/routers/sl_using_policy/b-sl-using-policy/info_about.html

Smart Licensing Using Policy for Cisco Enterprise Routing Platforms - Information About Smart Licensing Using Policy [Cisco IOS

Provides an overview of how one operates in the Smart Licensing Using Policy environment. Covers the list of products that this guide is applicable to. Covers the components that may be part of your implementation. Covers the key concepts that help you und

www.cisco.com

저작자표시 (새창열림)

'CISCO > 스위칭' 카테고리의 다른 글

[C9200CX]-Password Recovery - 패스워드 리커버리 (0)	2025.06.18
Firmware Software Policy (1)	2025.06.13
Cisco IOS recommendation (0)	2025.01.11
C9300 - Configure SSH2 (0)	2024.10.24
C9300-Stack Switch IOS Upgrade (1)	2024.10.24

안녕하세요.

현재 Firepower 제품군은 unified software image 지원 합니다.

FTD - Firepower Threat Defense - Next-genration Firewall 이미지를 사용 합니다.

만약에 FTD에 Cisco ASA code로 변환해서 사용을 하면 Next-Generation Firewall에서 제공하는 기능들을 사용 못합니다.

그리고 Cisco ASA code는 현재는 제공하지만 점차 제공하지 않을 예정이기 때문에 Cisco 에서도 FTD를 이미지를 권장합니다.

Cisco ASA Code는 아래처럼 두가지 모드가 있습니다.

1. Platform 모드

2. Appliance 모드

Platform 모드는 시스템을 하나의 통합 플랫폼으로 보고, 하드웨어와 관리 기능을 분리하여 구성합니다.

주요 특징:

**제어 플레인(Control Plane)**과 **데이터 플레인(Data Plane)**이 분리되어 있습니다. ASA 소프트웨어는 Firepower 플랫폼 내의 하나의 구성요소로 실행됩니다.
**FXOS(Firepower eXtensible Operating System)**가 기본 운영체제로 동작하며, 하드웨어 관리에 사용됩니다.
논리적 장치(Logical Device) 구성: Firepower Chassis Manager(FCM)나 FXOS CLI를 통해 ASA, FTD 등의 장치를 생성합니다.
다중 인스턴스(multi-instance) 지원: 하나의 장비에서 여러 논리적 방화벽을 운영할 수 있어 멀티 테넌시가 가능합니다.
주로 Firepower 4100 시리즈 또는 9300 시리즈에서 사용됩니다.

관리 방법:

FXOS와 ASA CLI 또는 ASDM을 함께 사용하여 관리합니다.
FXOS에서 인터페이스, 모듈, 하드웨어 수준의 설정을 담당합니다.

Appliance 모드

Appliance 모드는 Firepower 장비를 전통적인 ASA 장비처럼 독립형 방화벽 어플라이언스로 사용합니다.

주요 특징:

단일 이미지 부팅: ASA 소프트웨어가 직접 장비에서 실행되며, FXOS는 사용되지 않습니다.
구성이 간단하며, 기존 ASA 사용자에게 친숙한 방식입니다.
논리적 장치 개념 없이 단일 ASA 인스턴스만 실행됩니다.
주로 Firepower 2100 시리즈 또는 하위 모델에서 사용됩니다.

관리 방법:

ASA CLI, ASDM, 또는 Cisco Security Manager 등을 사용하여 직접 관리합니다.
FMC(Firepower Management Center)와는 주로 FTD 모드에서 통합됩니다.

항목 Platform 모드 Appliance 모드

기본 운영체제	FXOS	ASA 이미지 직접 실행
배포 방식	논리적 장치로 구성	단일 ASA 인스턴스
사용 가능한 하드웨어	Firepower 4100/9300 시리즈	Firepower 2100 시리즈 등
관리 도구	FXOS + ASA CLI/ASDM	ASA CLI, ASDM
다중 인스턴스 지원	예 (논리적 또는 다중 컨텍스트로 가능)	아니오 (ASA 자체 기능만 사용 가능)
복잡도	높음 (더 많은 제어 및 유연성 제공)	낮음 (간단한 설정 및 운영)

이번에 고객사 장비가 FPR3105인데 Cisco ASA Code를 사용해서 기존에 사용중인 ASA 5545-X 교체하고자 합니다.

FPR3105는 Appliance Mode를 지원하나요?

Cisco Firepower 3105(FPR3105)는 Appliance Mode를 지원합니다.
이 모드는 장치를 독립 실행형 ASA 어플라이언스로 작동하게 하며, Firepower eXtensible Operating System(FXOS) 계층 없이 전통적인 방화벽 기능을 제공합니다.

Appliance Mode에서는, FPR3105가 ASA 이미지를 직접 실행하므로, ASA 기능만 필요한 환경에서 배포 및 관리가 간소화됩니다.

이 모드는 특히 익숙한 ASA 인터페이스를 선호하고, Firepower Threat Defense(FTD)가 제공하는 고급 기능이 필요하지 않은 사용자에게 적합합니다.

단, Appliance Mode로 운영할 경우, 고급 위협 방어 및 침입 방지(IPS)와 같은 Firepower 서비스는 사용할 수 없습니다.
따라서 네트워크 보안 전략에 이러한 고급 기능이 포함되어 있다면, FPR3105를 FTD 이미지로 배포하는 것을 고려해야 합니다.

요약하자면, FPR3105는 유연한 장비로, ASA 또는 FTD 소프트웨어 중 원하는 모드로 구성할 수 있으며, 보안 요구사항과 운영 환경에 맞게 선택할 수 있습니다.

그럼 이번에는 ASA 버전 몇부터 Platform모드를 지원하고 Appliance모드를 지원하는지 알아보겠습니다.

예, Cisco Firepower 2100 시리즈에서 Appliance 모드는 ASA 9.13 이상 버전부터 지원됩니다. 이전 버전인 9.12 이하에서는 Platform 모드만 지원되며, Appliance 모드로의 전환을 위해서는 FXOS를 통한 재이미징이 필요합니다.ManualsLib+9Cisco Community+9ccnpsecuritywannabe.blogspot.com+9

ASA 9.13 이상으로 업그레이드하면 Appliance 모드가 기본 모드로 설정되며, show fxos mode 명령어를 통해 현재 모드를 확인할 수 있습니다. 이 모드에서는 ASA CLI나 ASDM을 통해 모든 설정을 구성할 수 있으며, FXOS CLI는 고급 트러블슈팅 명령어에만 사용됩니다.ManualsLib+3Manuals++3pseudoco.cisco.com+3

따라서, Firepower 2100을 Appliance 모드로 운영하려면 ASA 9.13 이상으로 업그레이드해야 하며, 이전 버전에서는 FXOS를 통해 Platform 모드로만 구성할 수 있습니다.

저작자표시 (새창열림)

'CISCO > FTD 방화벽' 카테고리의 다른 글

[FTD#6]-FPR FTD ASA Version Order - FPR3105-ASA-K9 (2)	2025.06.07
[FTD#5]-FPR FTD Convert to ASA Code (0)	2025.06.02
[FTD-#3]- FTD managed by FMC (0)	2024.11.11
[FTD-#2]-FTD GUI 503 service unavailable issue troubleshoot (0)	2024.11.08
[FTD-#1]-FTD Basic Configuration (0)	2024.11.08

안녕하세요.

오늘은 cisco ASA에 Remote Access VPN User를 확인해보겠습니다.

show vpn-sessiondb anyconnect

ASAv# show vpn-sessiondb anyconnect

Session Type: AnyConnect

Username     : kevin                  Index        : 62470
Assigned IP  : 192.168.200.100        Public IP    : 192.168.10.102
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 58544                  Bytes Rx     : 54607
Group Policy : ANYCONNECT_POLICY      Tunnel Group : MY_TUNNEL
Login Time   : 12:24:54 UTC Sun Feb 2 2025
Duration     : 0h:12m:24s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : 0a0101fe0f406000679f6416
Security Grp : none
ASAv#

아래 명령어를 통해서 라이센스 남은 갯수도 확인 가능 합니다.

ASAv# show vpn-sessiondb license-summary
---------------------------------------------------------------------------
VPN Licenses and Configured Limits Summary
---------------------------------------------------------------------------
                                     Status : Capacity : Installed :  Limit
                                  -----------------------------------------
AnyConnect Premium               :  ENABLED :      250 :         2 :   NONE
AnyConnect Essentials            : DISABLED :      250 :         0 :   NONE
Other VPN (Available by Default) :  ENABLED :      250 :       250 :   NONE
Shared License Server            : DISABLED
Shared License Participant       : DISABLED
AnyConnect for Mobile            : DISABLED(Requires Premium or Essentials)
Advanced Endpoint Assessment     : DISABLED(Requires Premium)
AnyConnect for Cisco VPN Phone   : DISABLED
VPN-3DES-AES                     :  ENABLED
VPN-DES                          :  ENABLED
---------------------------------------------------------------------------

---------------------------------------------------------------------------
VPN Licenses Usage Summary
---------------------------------------------------------------------------
                          Local : Shared :   All  :   Peak :  Eff.  :
                         In Use : In Use : In Use : In Use :  Limit : Usage
                       ----------------------------------------------------
AnyConnect Premium     :      1 :      0 :      1 :      2 :      2 :   50%
  AnyConnect Client    :                 :      1 :      1          :   50%
    AnyConnect Mobile  :                 :      0 :      0          :    0%
  Clientless VPN       :                 :      0 :      1          :    0%
  Generic IKEv2 Client :                 :      0 :      0          :    0%
Other VPN              :                 :      0 :      0 :    250 :    0%
  Cisco VPN Client     :                 :      0 :      0          :    0%
  L2TP Clients
  Site-to-Site VPN     :                 :      0 :      0          :    0%
---------------------------------------------------------------------------

ASAv#

anyconnect Permium 라이센스가 2개 이고, 현재 PC에서 접속 해서 한개를 사용하고 있고, Usage에 50% 표시 되었습니다.

ASAv# show version

Cisco Adaptive Security Appliance Software Version 9.8(1)
Firepower Extensible Operating System Version 2.2(1.47)
Device Manager Version 7.22(1)

Compiled on Wed 10-May-17 15:38 PDT by builders
System image file is "boot:/asa981-smp-k8.bin"
Config file at boot was "startup-config"

ASAv up 6 hours 21 mins

Hardware:   ASAv, 2048 MB RAM, CPU Xeon E5 series 2394 MHz,
Model Id:   ASAv10
Internal ATA Compact Flash, 8192MB
Slot 1: ATA Compact Flash, 8192MB
BIOS Flash Firmware Hub @ 0x0, 0KB

0: Ext: Management0/0       : address is 50fd.e000.3500, irq 11
1: Ext: GigabitEthernet0/0  : address is 50fd.e000.3501, irq 11
2: Ext: GigabitEthernet0/1  : address is 50fd.e000.3502, irq 10
3: Ext: GigabitEthernet0/2  : address is 50fd.e000.3503, irq 10
4: Ext: GigabitEthernet0/3  : address is 50fd.e000.3504, irq 11
5: Ext: GigabitEthernet0/4  : address is 50fd.e000.3505, irq 11
6: Ext: GigabitEthernet0/5  : address is 50fd.e000.3506, irq 10
7: Ext: GigabitEthernet0/6  : address is 50fd.e000.3507, irq 10

License mode: Smart Licensing
ASAv Platform License State: Unlicensed
No active entitlement: no feature tier and no throughput level configured
*Memory resource allocation is more than the permitted limit.

Licensed features for this platform:
Maximum VLANs                     : 50
Inside Hosts                      : Unlimited
Failover                          : Active/Standby
Encryption-DES                    : Enabled
Encryption-3DES-AES               : Enabled
Security Contexts                 : 0
Carrier                           : Disabled
AnyConnect Premium Peers          : 2
AnyConnect Essentials             : Disabled
Other VPN Peers                   : 250
Total VPN Peers                   : 250

지금까지 [ASA #06] - Remote Access VPN current user check 글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

'CISCO > ASA 방화벽' 카테고리의 다른 글

[ASA #08] - SSL (0)	2025.04.17
[ASA #07] - NTP and NTP zone configuration (0)	2025.04.15
[ASA #05] - Remote Access VPN License (0)	2025.02.02
[ASA #04] - Remote Access VPN (0)	2025.02.02
[ASA #03] - ASDM Install (0)	2025.02.02

안녕하세요.

오늘은 cisco asa remote access VPN license를 확인하는 방법에 대해서 알아보겠습니다.

아래처럼 shwo version을 입력하면 아래처럼 기본적으로 2개까지 제공되며, 추가적으로 사용시 License를 구매해야 합니다.

AnyConnect Premium Peers : 2

ASAv# show version

Cisco Adaptive Security Appliance Software Version 9.8(1)
Firepower Extensible Operating System Version 2.2(1.47)
Device Manager Version 7.22(1)

Compiled on Wed 10-May-17 15:38 PDT by builders
System image file is "boot:/asa981-smp-k8.bin"
Config file at boot was "startup-config"

ASAv up 6 hours 4 mins

Hardware:   ASAv, 2048 MB RAM, CPU Xeon E5 series 2394 MHz,
Model Id:   ASAv10
Internal ATA Compact Flash, 8192MB
Slot 1: ATA Compact Flash, 8192MB
BIOS Flash Firmware Hub @ 0x0, 0KB

0: Ext: Management0/0       : address is 50fd.e000.3500, irq 11
1: Ext: GigabitEthernet0/0  : address is 50fd.e000.3501, irq 11
2: Ext: GigabitEthernet0/1  : address is 50fd.e000.3502, irq 10
3: Ext: GigabitEthernet0/2  : address is 50fd.e000.3503, irq 10
4: Ext: GigabitEthernet0/3  : address is 50fd.e000.3504, irq 11
5: Ext: GigabitEthernet0/4  : address is 50fd.e000.3505, irq 11
6: Ext: GigabitEthernet0/5  : address is 50fd.e000.3506, irq 10
7: Ext: GigabitEthernet0/6  : address is 50fd.e000.3507, irq 10

License mode: Smart Licensing
ASAv Platform License State: Unlicensed
No active entitlement: no feature tier and no throughput level configured
*Memory resource allocation is more than the permitted limit.

Licensed features for this platform:
Maximum VLANs                     : 50
Inside Hosts                      : Unlimited
Failover                          : Active/Standby
Encryption-DES                    : Enabled
Encryption-3DES-AES               : Enabled
Security Contexts                 : 0
Carrier                           : Disabled
AnyConnect Premium Peers          : 2
AnyConnect Essentials             : Disabled
Other VPN Peers                   : 250
Total VPN Peers                   : 250
AnyConnect for Mobile             : Disabled
AnyConnect for Cisco VPN Phone    : Disabled
Advanced Endpoint Assessment      : Disabled
Shared License                    : Disabled
Total TLS Proxy Sessions          : 2
Botnet Traffic Filter             : Enabled
Cluster                           : Disabled

Serial Number: 9A2U9VPUTQH

Image type          : Release
Key version         : A

Configuration last modified by enable_15 at 12:15:07.479 UTC Sun Feb 2 2025
ASAv#

ASAv# show vpn-sessiondb license-summary

ASAv는 Anyconnect Capacity는 250개 까지 가능하고 License 기본제공 2개 까지만 가능 합니다.

아래 정보를 보시면 현재 라이센스 사용수, 최대치 사용수까지 확인 가능 합니다.

ASAv# show vpn-sessiondb license-summary
---------------------------------------------------------------------------
VPN Licenses and Configured Limits Summary
---------------------------------------------------------------------------
                                     Status : Capacity : Installed :  Limit
                                  -----------------------------------------
AnyConnect Premium               :  ENABLED :      250 :         2 :   NONE
AnyConnect Essentials            : DISABLED :      250 :         0 :   NONE
Other VPN (Available by Default) :  ENABLED :      250 :       250 :   NONE
Shared License Server            : DISABLED
Shared License Participant       : DISABLED
AnyConnect for Mobile            : DISABLED(Requires Premium or Essentials)
Advanced Endpoint Assessment     : DISABLED(Requires Premium)
AnyConnect for Cisco VPN Phone   : DISABLED
VPN-3DES-AES                     :  ENABLED
VPN-DES                          :  ENABLED
---------------------------------------------------------------------------

---------------------------------------------------------------------------
VPN Licenses Usage Summary
---------------------------------------------------------------------------
                          Local : Shared :   All  :   Peak :  Eff.  :
                         In Use : In Use : In Use : In Use :  Limit : Usage
                       ----------------------------------------------------
AnyConnect Premium     :      0 :      0 :      0 :      2 :      2 :    0%
  AnyConnect Client    :                 :      0 :      1          :    0%
    AnyConnect Mobile  :                 :      0 :      0          :    0%
  Clientless VPN       :                 :      0 :      1          :    0%
  Generic IKEv2 Client :                 :      0 :      0          :    0%
Other VPN              :                 :      0 :      0 :    250 :    0%
  Cisco VPN Client     :                 :      0 :      0          :    0%
  L2TP Clients
  Site-to-Site VPN     :                 :      0 :      0          :    0%
---------------------------------------------------------------------------

ASAv#

ASAv# show vpn-sessiondb
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concur : Inactive
                             ----------------------------------------------
AnyConnect Client            :      0 :         17 :           1 :        0
  SSL/TLS/DTLS               :      0 :         17 :           1 :        0
Clientless VPN               :      0 :          2 :           1
  Browser                    :      0 :          2 :           1
---------------------------------------------------------------------------
Total Active and Inactive    :      0             Total Cumulative :     19
Device Total VPN Capacity    :    250
Device Load                  :     0%
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concurrent
                             ----------------------------------------------
Clientless                   :      0 :          2 :               1
AnyConnect-Parent            :      0 :         17 :               1
SSL-Tunnel                   :      0 :         17 :               1
DTLS-Tunnel                  :      0 :          5 :               1
---------------------------------------------------------------------------
Totals                       :      0 :         41
---------------------------------------------------------------------------

ASAv#

하드웨어적으로 최대 지원되는 Anyconnect 유저수

지금까지 [ASA #05] - Remote Access VPN License 글을 읽어주셔서 감사합니다.

저작자표시 (새창열림)

'CISCO > ASA 방화벽' 카테고리의 다른 글

[ASA #07] - NTP and NTP zone configuration (0)	2025.04.15
[ASA #06] - Remote Access VPN current user check (0)	2025.02.02
[ASA #04] - Remote Access VPN (0)	2025.02.02
[ASA #03] - ASDM Install (0)	2025.02.02
[ASA #02] - TFTP Install (0)	2025.02.02

IT BLOG(KR)

전체 글

[2025][Juniper SRX #23] site to site vpn - S2S VPN - static route

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2025][Juniper SRX #22] site to site vpn - S2S VPN - 기본 설정

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2025][Juniper SRX #21] ip monitor - ip sla

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2024][Juniper SRX #20] License Install - J-Web

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2024][Juniper SRX #19] J-Web

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[PNETLab][#4]- Arista vEOS Switch Install

'PNETlab' 카테고리의 다른 글

[C9300-#1]- Traditional mode/Smart Licensing mode/Smart Licensing with the use of Policy mode

Smart Licensing Requirements by Release

'CISCO > 스위칭' 카테고리의 다른 글

[FTD-#4]- cisco asa code

주요 특징:

관리 방법:

Appliance 모드

주요 특징:

관리 방법:

FPR3105는 Appliance Mode를 지원하나요?

'CISCO > FTD 방화벽' 카테고리의 다른 글

[ASA #06] - Remote Access VPN current user check

'CISCO > ASA 방화벽' 카테고리의 다른 글

[ASA #05] - Remote Access VPN License

'CISCO > ASA 방화벽' 카테고리의 다른 글

+ Recent posts

티스토리툴바