2025.04.10
2025.04.10
안녕하세요.
오늘은 Okta에서 Paloalto Global Protect Application를 설치해보겠습니다.
1. Applications -> Applications -> Browse App Catalog 클릭 합니다.
2. Global Protect를 클릭 합니다. 그리고 아래처럼 SAML paloalto - Global Protect를 클릭 합니다.
3. Add Integration 버튼을 클릭 합니다.
4. Global Protect IP주소를 입력 합니다.
5. 아래처럼 설치가 완료 되었습니다.
지금까지 [Okta-#2] - PaloAlto Global Protect App Install 글을 읽어주셔서 감사합니다.
| [Okta-#1] - Sign up - Free Developer Edition (0) | 2025.04.10 |
|---|
안녕하세요.
PALOALTO GP 접속 시도시 2FA로 Okta를 사용해 보겠습니다.
회원 가입을 할때 Free Developer Edition를 가입하면 테스트용으로 Okta를 사용 가능 합니다.
1. 아래 사이트를 접속 합니다.
https://developer.okta.com/signup/
Okta Developer
BEST FOR DEVELOPERS Secure my customers or SaaS applications Build intuitive, secure user experiences in customer-facing applications.
developer.okta.com
2. 아래 버튼을 클릭 합니다.
3. Sign up버튼을 클릭 합니다.
4. 회사 이메일로 Activiation Email이 발송 되었습니다.
5. 아래 Acticate 버튼을 클릭 합니다.
6. 패스워드를 입력 합니다.
7. 패스워드를 설정후 로그인을 하면 아래처럼 화면이 표시 됩니다.
아래 set up버튼을 클릭 합니다.
8. 아래처럼 QR 코드를 확인 할수 있습니다.
9. 휴대폰에서 Okta Verify 앱을 설치 하고 Add Account를 클릭 합니다.
10. 아래 Organization 버튼을 클릭 합니다.
11. Add Account From Another Device 버튼을 클릭 합니다.
12. Scan QR Code를 클릭 하고 회사 이메일에 QR코드를 스캔 합니다.
13. Enable버튼을 클릭 합니다.
14. 등록 되었습니다.
15. 아래처럼 확인 가능 합니다.
16.
가입 했을떄 okta로 부터 도메인이 생성 되었습니다.
아래 처럼 입력 합니다.
https://dev-18331728.okta.com/
https://dev-18331728.okta.com/app/UserHome?iss=https%3A%2F%2Fdev-18331728.okta.com&session_hint=AUTHENTICATED
Javascript is required Javascript is disabled on your browser. Please enable Javascript and refresh this page. Refresh https://itunes.apple.com/us/app/okta-extension-app/id1439967473 null 2 PROD
dev-18331728.okta.com
17. 휴대폰에서 Okta Verify Code를 입력후 로그인 버튼을 클릭 합니다.
18. 아래처럼 로그인 되었습니다.
지금까지 [Okta-#1] - Sign up - Free Developer Edition 글을 읽어주셔서 감사합니다.
| [Okta-#2] - PaloAlto Global Protect App Install (0) | 2025.04.10 |
|---|
안녕하세요.
오늘은 팔로알토 장비 Password Recovery에 대해서 알아보겠습니다.
0. maint를 입력 합니다.
| =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2025.03.14 15:44:52 =~=~=~=~=~=~=~=~=~=~=~= Autoboot to default partition in 5 seconds. Enter 'maint' to boot to maint partition. Entry: m Entry: ma Entry: mai Entry: main Entry: maint Booting to maint mode. 10054784 bytes read in 37 ms (259.2 MiB/s) Allocating memory for ELF segment: addr: 0xffffffff80100000 (adjusted to: 0x100000), size 0x7c52a0 Bootloader: Done loading app on coremask: 0xff Starting cores: 0xff Linux version 3.10.87-oct2-mp (build@61b4b5631e94) (gcc version 4.7.0 (Cavium Inc. Version: SDK_BUILD build 49) ) #4 SMP Fri Nov 5 01:44:34 PDT 2021 CVMSEG size: 3 cache lines (384 bytes) Cavium Inc. SDK-3.1.2 bootconsole [early0] enabled CPU revision is: 000d9703 (Cavium Octeon III) FPU revision is: 00739700 Checking for the multiply/shift bug... no. Checking for the daddiu bug... no. Determined physical RAM map: memory: 0000000000702000 @ 0000000000100000 (kernel data and code) memory: 000000000004e000 @ 0000000000802000 (usable after init) memory: 0000000000076000 @ 0000000000850000 (kernel data and code) memory: 0000000000100000 @ 00000000eff00000 (usable) memory: 000000000feff000 @ 00000000f0001000 (usable) memory: 00000000f0000000 @ 000000031f000000 (usable) No power GPIO device tree entry No power GPIO device tree entry |
1. 콘솔포트를 연결하고 파워 전원을 연결 합니다.
2. Factory Reset
3. Select Factory Reset
4. 완료 될때까지 기다립니다.
5. Reboot를 선택 합니다.
6. 부팅이 완료 되면 admin/admin으로 로그인 합니다.
| admin@PA-820> show interface management ------------------------------------------------------------------------------- Name: Management Interface Link status: Runtime link speed/duplex/state: unknown/unknown/down Configured link speed/duplex/state: auto/auto/auto MAC address: Port MAC address c4:24:56:a6:84:00 Ip address: 192.168.1.1 Netmask: 255.255.255.0 Default gateway: Ipv6 address: unknown Ipv6 link local address: unknown Ipv6 default gateway: ------------------------------------------------------------------------------- ------------------------------------------------------------------------------- Logical interface counters: ------------------------------------------------------------------------------- bytes received 0 admin@PA-820> |
7. admin/admin 로그인 합니다.
지금까지 [PaloAlto FW-#20] - Password Recovery(Factory Reset) 글을 읽어주셔서 감사합니다.
안녕하세요.
오늘은 [2025][C8200][#3] Reset Smart license 대해서 알아보겠습니다.
17.3.2 이상부터는 smart licensing using policy 사용합니다. 장비가 발주가 될때 이미 SV/VA가 등록이 되어서 장비가 전달 됩니다.
SV = KOREA
VA = JAPAN
근데 만약에 고객사에 요청으로 인하여 VA를 USA로 변경해야 한다면, cisco license team에 요청해서 라이센스를 VA =USA 변경 가능 합니다.
하지만 장비를 부팅하고 show license status 하면 아래처럼 표시 됩니다.
| Router#show license status Utility: Status: DISABLED Smart Licensing Using Policy: Status: ENABLED Account Information: Smart Account: KOREA Virtual Account: JAPAN |
이 상태에서 CSSM에서 아래 환경에서 TOKEN를 발급해서 장비에 등록을 해도 정상적으로 동작하지 않습니다.
SA: KOREA
VA: USA
이상태에서 장비에 기존에 있는 SA/VA정보를 초기화 해야 합니다.
| Router#license smart factory re Router#license smart factory reset %Warning: reload required after "license smart factory reset" command Router# Router# Router#reload WARNING: |
장비가 부팅이 완료 되면 아래처럼 show license status 확인합니다
초기화 되었습니다.
| Router#show license status Utility: Status: DISABLED Smart Licensing Using Policy: Status: ENABLED Account Information: Smart Account: <none> Virtual Account: <none> |
이상태에서 장비를 CSSM에 등록 하면 정상적으로 동작 합니다.
아래처럼 정상적으로 CSSM에 등록 되었습니다.
| Router#license smart trust idtoken OGJjMmQwZDgtMWY3Zi00ZTdlLTk1YzctYjRjMzQ0Y all force Router# *Mar 4 04:56:30.279: %CRYPTO_ENGINE-5-KEY_DELETED: A key named SLA-KeyPair has been removed from key storage[OK] *Mar 4 04:56:32.118: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named SLA-KeyPair has been generated or imported by crypto-engine *Mar 4 04:56:32.177: %PKI-6-CONFIGAUTOSAVE: Running configuration saved to NVRAM *Mar 4 04:56:34.590: %SYS-6-PRIVCFG_ENCRYPT_SUCCESS: Successfully encrypted private config file *Mar 4 04:56:37.118: %SMART_LIC-6-TRUST_INSTALL_SUCCESS: A new licensing trust code was successfully installed on P:C8200-1N-4T,S:XXXXXX. Router# Router# Router# Router# |
CSSM에서 Event Log를 보면 정상적으로 등록 되었습니다.
| [2025][C8200][#2] Register License to CSSM - smart licensing using policy (0) | 2025.02.13 |
|---|---|
| [2025][C8200][#1] Router IOS XE upgrade (0) | 2025.02.10 |
| [ISR4221]-Performance License Install(PAK) (0) | 2024.07.30 |
| [ISR4221]-Cisco Router IOS Upgrade (2) | 2024.07.29 |
안녕하세요.
오늘은 C9800 WLC DHCP에 대해서 알아보겠습니다.
토폴로지
DC에 9800WLC가 있습니다.
1. SSID: TEST01
2. TEST01 VLAN110
3. WLC안에서 DHCP기능을 실행 합니다.
Office에서 유저가 TEST01 - AP에 접속 합니다.
유저 노트북에서 DC에 있는 백본 스위치에서 IP주소를 받습니다.
1. WLC VLAN110 설정
Configuration ->Tags & Profiles -> WLANs
2. Click Add버튼
3. 아래처럼 설정 합니다.
Profile Name: TEST01
Status: Enable
Broadcase SSID: Enable
6GHz: Disabled
Security -> Layter2 -> None를 설정해서 SSID 패스워드 없이 접속 가능 하게 합니다.
테스트 용도이기 때문에 이렇게 설정합니다.
그리고 Save버튼을 클릭 합니다.
4. VLAN 설정
Configuration -> Layer2 -> VLAN
Add버튼을 클릭 합니다.
4. Policy 설정
아래처럼 설정합니다.
아래처럼 VLAN를 설정하고 나머지를 디폴트 값으로 두고 SAVE버튼을 클릭 합니다.
5. TAG설정 - POLICY
Name: TEST01-POLICY-TAG
WLAN: TEST01
PLOICY: TEST01_POLICY
6. TAG 설정 - SITE
Name: TEST_SITE_TAG
아래처럼 설정 합니다.
6. AP에 TAG 설정
7. 설정값을 적용하면 AP가 재부팅이 됩니다.
8. WLC에서 자체 DHCP기능 설정
10. Lookback interface 생성
11. WLAN에서 DHCP Relay Look IP로 설정
WLAN VLAN 110이 DHCP relay로 직접 WLC DHCP 기능으로 IP할당 가능.
10. WLC interface IP주소
| WLC01#show ip int brie Interface IP-Address OK? Method Status Protocol GigabitEthernet1 unassigned YES unset up up GigabitEthernet2 unassigned YES unset up up GigabitEthernet3 192.168.10.182 YES NVRAM up up Loopback10 1.1.1.1 YES TFTP up up Port-channel1 unassigned YES unset up up Vlan1 unassigned YES NVRAM up up Vlan100 192.168.100.182 YES NVRAM up up Vlan110 192.168.110.254 YES NVRAM up up Vlan120 192.168.120.254 YES NVRAM up up Vlan130 192.168.130.254 YES NVRAM up up WLC01# |
10. Client 에서 TEST01를 접속하고 IP주소를 확 합니다.
11. WLC에서 DHCP Binding 확인
| WLC01#show ip dhcp binding Bindings from all pools not associated with VRF: IP address Client-ID/ Lease expiration Type State Interface Hardware address/ User name 192.168.110.11 0056.6c31.3130 Mar 01 2025 12:48 PM Automatic Selecting Vlan110 WLC01# |
지금까지 [C9800CL][#14]- DHCP - WLC Internal DHCP - option 5 글을 읽어주셔서 감사합니다.
| [C9800CL][#13]- DHCP - WLAN DHCP Relay - option4 (0) | 2025.03.01 |
|---|---|
| [C9800CL][#12]- DHCP Relay (SVI) on Switch - option3 (0) | 2025.03.01 |
| [C9800CL][#11]- DHCP Relay (SVI) on WLC - Option2 (0) | 2025.03.01 |
| [C9800CL][#10]- DHCP Bridging - BackBone SW DHCP - Option1 (0) | 2025.03.01 |
| [C9800CL][#9]- WLAN Guest (0) | 2024.12.26 |
안녕하세요.
오늘은 C9800 WLC DHCP에 대해서 알아보겠습니다.
토폴로지
DC에 9800WLC가 있습니다.
1. SSID: TEST01
2. TEST01 VLAN110
3. WLC WLAN에서 DHCP Reply를 설정 합니다.
4. WINDOWS 서버 IP주소 192.168.10.224
Office에서 유저가 TEST01 - AP에 접속 합니다.
유저 노트북에서 DC에 있는 백본 스위치에서 IP주소를 받습니다.
1. WLC VLAN110 설정
Configuration ->Tags & Profiles -> WLANs
2. Click Add버튼
3. 아래처럼 설정 합니다.
Profile Name: TEST01
Status: Enable
Broadcase SSID: Enable
6GHz: Disabled
Security -> Layter2 -> None를 설정해서 SSID 패스워드 없이 접속 가능 하게 합니다.
테스트 용도이기 때문에 이렇게 설정합니다.
그리고 Save버튼을 클릭 합니다.
4. VLAN 설정
Configuration -> Layer2 -> VLAN
Add버튼을 클릭 합니다.
4. Policy 설정
아래처럼 설정합니다.
아래처럼 VLAN를 설정하고 나머지를 디폴트 값으로 두고 SAVE버튼을 클릭 합니다.
5. TAG설정 - POLICY
Name: TEST01-POLICY-TAG
WLAN: TEST01
PLOICY: TEST01_POLICY
6. TAG 설정 - SITE
Name: TEST_SITE_TAG
아래처럼 설정 합니다.
6. AP에 TAG 설정
7. 설정값을 적용하면 AP가 재부팅이 됩니다.
8. WLC WLAN에서 DHCP Rely설정
9. 서버 IP주소 확인
윈도우서버에서 DHCP 서버 설정
10. Client 에서 TEST01를 접속하고 IP주소를 확 합니다.
11. 서에서 DHCP Binding 확인
지금까지 [C9800CL][#13]- DHCP - option4 - WLAN DHCP Relay 글을 읽어주셔서 감사합니다.
| [C9800CL][#14]- DHCP - WLC Internal DHCP - option 5 (0) | 2025.03.01 |
|---|---|
| [C9800CL][#12]- DHCP Relay (SVI) on Switch - option3 (0) | 2025.03.01 |
| [C9800CL][#11]- DHCP Relay (SVI) on WLC - Option2 (0) | 2025.03.01 |
| [C9800CL][#10]- DHCP Bridging - BackBone SW DHCP - Option1 (0) | 2025.03.01 |
| [C9800CL][#9]- WLAN Guest (0) | 2024.12.26 |
안녕하세요.
오늘은 C9800 WLC DHCP에 대해서 알아보겠습니다.
토폴로지
DC에 9800WLC가 있습니다.
1. SSID: TEST01
2. TEST01 VLAN110
3. DC 백본 스위치에서 INT VLAN110 - DHCP Rely설정
4. WINDOWS 서버 IP주소 192.168.10.224
Office에서 유저가 TEST01 - AP에 접속 합니다.
유저 노트북에서 DC에 있는 백본 스위치에서 IP주소를 받습니다.
1. WLC VLAN110 설정
Configuration ->Tags & Profiles -> WLANs
2. Click Add버튼
3. 아래처럼 설정 합니다.
Profile Name: TEST01
Status: Enable
Broadcase SSID: Enable
6GHz: Disabled
Security -> Layter2 -> None를 설정해서 SSID 패스워드 없이 접속 가능 하게 합니다.
테스트 용도이기 때문에 이렇게 설정합니다.
그리고 Save버튼을 클릭 합니다.
4. VLAN 설정
Configuration -> Layer2 -> VLAN
Add버튼을 클릭 합니다.
4. Policy 설정
아래처럼 설정합니다.
아래처럼 VLAN를 설정하고 나머지를 디폴트 값으로 두고 SAVE버튼을 클릭 합니다.
5. TAG설정 - POLICY
Name: TEST01-POLICY-TAG
WLAN: TEST01
PLOICY: TEST01_POLICY
6. TAG 설정 - SITE
Name: TEST_SITE_TAG
아래처럼 설정 합니다.
6. AP에 TAG 설정
7. 설정값을 적용하면 AP가 재부팅이 됩니다.
8. WLC VLAN110에 대해서 DHCP Rely설정
9. 서버 IP주소 확인
윈도우서버에서 DHCP 서버 설정
10. 백본 스위치에서 DHCP Relay 설정
| interface Vlan110 ip address 192.168.110.1 255.255.255.0 ip helper-address 192.168.10.224 |
11. Client 에서 TEST01를 접속하고 IP주소를 확 합니다.
11. 서에서 DHCP Binding 확인
지금까지 [C9800CL][#12]- DHCP - option3 - SW dhcp Relay 글을 읽어주셔서 감사합니다.
| [C9800CL][#14]- DHCP - WLC Internal DHCP - option 5 (0) | 2025.03.01 |
|---|---|
| [C9800CL][#13]- DHCP - WLAN DHCP Relay - option4 (0) | 2025.03.01 |
| [C9800CL][#11]- DHCP Relay (SVI) on WLC - Option2 (0) | 2025.03.01 |
| [C9800CL][#10]- DHCP Bridging - BackBone SW DHCP - Option1 (0) | 2025.03.01 |
| [C9800CL][#9]- WLAN Guest (0) | 2024.12.26 |
안녕하세요.
오늘은 C9800 WLC DHCP에 대해서 알아보겠습니다.
토폴로지
DC에 9800WLC가 있습니다.
1. SSID: TEST01
2. TEST01 VLAN110
3. WLC SVI에서 DHCP Relay를 설정 합니다.
4. WINDOWS 서버 IP주소 192.168.10.224
Office에서 유저가 TEST01 - AP에 접속 합니다.
유저 노트북에서 DC에 있는 백본 스위치에서 IP주소를 받습니다.
1. WLC VLAN110 설정
Configuration ->Tags & Profiles -> WLANs
2. Click Add버튼
3. 아래처럼 설정 합니다.
Profile Name: TEST01
Status: Enable
Broadcase SSID: Enable
6GHz: Disabled
Security -> Layter2 -> None를 설정해서 SSID 패스워드 없이 접속 가능 하게 합니다.
테스트 용도이기 때문에 이렇게 설정합니다.
그리고 Save버튼을 클릭 합니다.
4. VLAN 설정
Configuration -> Layer2 -> VLAN
Add버튼을 클릭 합니다.
4. Policy 설정
아래처럼 설정합니다.
아래처럼 VLAN를 설정하고 나머지를 디폴트 값으로 두고 SAVE버튼을 클릭 합니다.
5. TAG설정 - POLICY
Name: TEST01-POLICY-TAG
WLAN: TEST01
PLOICY: TEST01_POLICY
6. TAG 설정 - SITE
Name: TEST_SITE_TAG
아래처럼 설정 합니다.
6. AP에 TAG 설정
7. 설정값을 적용하면 AP가 재부팅이 됩니다.
8. WLC VLAN110에 대해서 DHCP Rely설정
9. 서버 IP주소 확인
윈도우서버에서 DHCP 서버 설정
10. Client 에서 TEST01를 접속하고 IP주소를 확 합니다.
11. 서에서 DHCP Binding 확인
지금까지 [C9800CL][#11]- DHCP Relay (SVI) - Option2 글을 읽어주셔서 감사합니다.
| [C9800CL][#13]- DHCP - WLAN DHCP Relay - option4 (0) | 2025.03.01 |
|---|---|
| [C9800CL][#12]- DHCP Relay (SVI) on Switch - option3 (0) | 2025.03.01 |
| [C9800CL][#10]- DHCP Bridging - BackBone SW DHCP - Option1 (0) | 2025.03.01 |
| [C9800CL][#9]- WLAN Guest (0) | 2024.12.26 |
| [C9800CL][#8]- Data Interface Redundancy - Port Channel (0) | 2024.12.25 |
안녕하세요.
오늘은 C9800 WLC DHCP에 대해서 알아보겠습니다.
토폴로지
DC에 9800WLC가 있습니다.
1. SSID: TEST01
2. TEST01 VLAN110
3. DC 백본 스위치에서 DHCP 기능을 활성화 합니다.
Office에서 유저가 TEST01 - AP에 접속 합니다.
유저 노트북에서 DC에 있는 백본 스위치에서 IP주소를 받습니다.
1. WLC VLAN110 설정
Configuration ->Tags & Profiles -> WLANs
2. Click Add버튼
3. 아래처럼 설정 합니다.
Profile Name: TEST01
Status: Enable
Broadcase SSID: Enable
6GHz: Disabled
Security -> Layter2 -> None를 설정해서 SSID 패스워드 없이 접속 가능 하게 합니다.
테스트 용도이기 때문에 이렇게 설정합니다.
그리고 Save버튼을 클릭 합니다.
4. VLAN 설정
Configuration -> Layer2 -> VLAN
Add버튼을 클릭 합니다.
4. Policy 설정
아래처럼 설정합니다.
아래처럼 VLAN를 설정하고 나머지를 디폴트 값으로 두고 SAVE버튼을 클릭 합니다.
5. TAG설정 - POLICY
Name: TEST01-POLICY-TAG
WLAN: TEST01
PLOICY: TEST01_POLICY
6. TAG 설정 - SITE
Name: TEST_SITE_TAG
아래처럼 설정 합니다.
6. AP에 TAG 설정
7. 설정값을 적용하면 AP가 재부팅이 됩니다.
8. DC SWITCH에서 DHCP 설정
| DHCP ip dhcp excluded-address 192.168.110.1 192.168.110.230 ! ip dhcp pool VL110 network 192.168.110.0 255.255.255.0 default-router 192.168.110.1 dns-server 8.8.8.8 ! VLAN 110 ! Int vlan 110 ip add 192.168.110.1 255.255.255.0 no shutdown |
9. DHCP Binding 확인
| SW01#show ip dhcp binding Bindings from all pools not associated with VRF: IP address Client-ID/ Lease expiration Type State Interface Hardware address/ User name SW01# |
10. Client 에서 TEST01를 접속하고 IP주소를 확 합니다.
11. DC BackBone Swtich에서 DHCP Binding 확인
| SW01#show ip dhcp binding Bindings from all pools not associated with VRF: IP address Client-ID/ Lease expiration Type State Interface Hardware address/ User name 192.168.110.239 011e.e792.411c.f0 Mar 02 2025 06:56 AM Automatic Active Vlan110 SW01# SW01#ping 192.168.110.239 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.110.239, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 12/19/48 ms SW01# |
지금까지 [C9800CL][#10]- DHCP Bridging - Option1 - BackBone SW DHCP 글을 읽어주셔서 감사합니다.
| [C9800CL][#12]- DHCP Relay (SVI) on Switch - option3 (0) | 2025.03.01 |
|---|---|
| [C9800CL][#11]- DHCP Relay (SVI) on WLC - Option2 (0) | 2025.03.01 |
| [C9800CL][#9]- WLAN Guest (0) | 2024.12.26 |
| [C9800CL][#8]- Data Interface Redundancy - Port Channel (0) | 2024.12.25 |
| [C9800CL][#7]- AP authentication - AP MAC on WLC (0) | 2024.12.25 |
안녕하세요.
오늘은 PNETLab Upgrade하는 방법에 대해서 알아보겠습니다.
1. PNETLab 설치 방법
https://itblog-kr.tistory.com/122
[PNETLab][#1]- Installation on VMware workstation
안녕하세요. EVE-NG Community 무료 버전을 사용하고 있는데, SDWAN 테스트 할때 Jitter, Delay등등을 테스트 하기 위해서는 EVE-NG PRO로 업그레이드 해야 합니다. 그래서 이번에 PNETLab를 설치 하고 안
itblog-kr.tistory.com
2. GUI에 접속 합니다. https://192.168.40.250
System 클릭 합니다.
3. Versions을 클릭 합니다.
4. Upgrade버튼을 클릭 합니다.
Current Version이랑 Latest Version이랑 똑같아서 클릭 해도 Upgrade가 않됩니다.
위와 같은 방법으로 upgrade하면 됩니다.
| [PNETLab][#9]- Cisco Catalyst 8000v install (0) | 2025.02.15 |
|---|---|
| [PNETLab][#8]-CheckPoint Firewall Install (0) | 2025.02.13 |
| [PNETLab][#7]-Aruba Mobility Controller Install (0) | 2025.02.13 |
| [PNETLab][#6]-Aruba CX Switch Install (0) | 2025.02.13 |
| [PNETLab][#5]-Aruba ClearPass Install (0) | 2025.02.10 |
안녕하세요.
오늘은 Juniper SRX Traffic Flow에 대해서 알아보겠습니다.
각 벤더마다 아키텍처가 다를수 있습니다.
이부분이 정책하게 이해해야지 설정값을 설정값을 잘 만들수 있습니다.
예를 들어서 SNAT, DNAT, Static NAT, 라우팅 테이블이 중에서
DNAT가 먼저 적용되고 변경된 Destination IP주소로 라우팅을 검색해서 라우팅을 하는지.
아니면 라우팅이 먼저 적용된다음에 DNAT가 적용 되는지.
순서에 따라서 설정값이 많이 달라집니다.
그래서 아래처럼 방화벽 Traffic Flow를 이해하는것이 중요 합니다.
주니퍼 방화벽 공식 홈페이지 URL주소 입니다.
Traffic Processing on SRX Series Firewalls Overview | Junos OS | Juniper Networks
Junos OS for security devices integrates network security and routing capabilities of Juniper Networks. Packets that enter and exit a device undergo both packet-based and flow-based processing. Understanding the Default Processing Behavior for IPv4 Traffic
www.juniper.net
시간이 되시면 위에 공식 홈페이지에 글을 끝까지 읽어보시길 바랍니다.
지금까지 [2025][Juniper SRX #31] Traffic Flow 글을 읽어주셔서 감사합니다.
| [2025][Juniper SRX #30] IDP Signature Update (0) | 2025.02.16 |
|---|---|
| [2025][Juniper SRX #29] Firmware Upgrade - CLI (0) | 2025.02.16 |
| [2025][Juniper SRX #28] Destination Nat - DNAT (0) | 2025.02.16 |
| [2025][Juniper SRX #27] Destination Nat - Port Forwarding (0) | 2025.02.16 |
| [2025][Juniper SRX #27] Static NAT - One to One NAT (0) | 2025.02.14 |
안녕하세요.
오늘은 Juniper IPS Signature Update하는 방법에 대해서 알아보겠습니다.
1. Juniper SRX License Check
| root> show system license License usage: Licensed Licensed Licensed Feature Feature Feature Feature name used installed needed Expiry idp-sig 0 1 0 2030-01-26 00:00:00 UTC remote-access-ipsec-vpn-client 0 2 0 permanent remote-access-juniper-std 0 2 0 permanent Licenses installed: License identifier: JUNOS422937473 License version: 4 Valid for device: CW4024AX0159 Customer ID: KDDI ASIA PACIFIC PTE. LTD. Features: idp-sig - IDP Signature date-based, 2024-12-27 00:00:00 UTC - 2030-01-26 00:00:00 UTC root> |
2. Juniper IDP Signature check.
| root> show security idp security-package-version Attack database version:N/A(N/A) Detector version :N/A Policy template version :N/A Rollback Attack database version :N/A(N/A) Rollback Detector version : N/A |
3. Juniper SRX IDP package Download- 외부에 통신 확인.
| root> ping 8.8.8.8 PING 8.8.8.8 (8.8.8.8): 56 data bytes 64 bytes from 8.8.8.8: icmp_seq=0 ttl=118 time=46.391 ms 64 bytes from 8.8.8.8: icmp_seq=1 ttl=118 time=33.274 ms 64 bytes from 8.8.8.8: icmp_seq=2 ttl=118 time=20.448 ms 64 bytes from 8.8.8.8: icmp_seq=3 ttl=118 time=19.188 ms 64 bytes from 8.8.8.8: icmp_seq=4 ttl=118 time=18.793 ms ^C --- 8.8.8.8 ping statistics --- 5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max/stddev = 18.793/27.619/46.391/10.815 ms root> request security idp security-package download Will be processed in async mode. Check the status using the status checking CLI root> root> request security idp security-package download status Done;Successfully downloaded from(https://signatures.juniper.net/cgi-bin/index.cgi). Version info:3786(Thu Feb 27 14:04:10 2025 UTC, Detector=23.6.160240709) root> |
4. Juniper SRX IDP Package Install
| root> request security idp security-package install Will be processed in async mode. Check the status using the status checking CLI root> request security idp security-package install status In progress:Installing AI ... root> |
약 5분 뒤에 request security idp security-package install status 확인 합니다.
| root> request security idp security-package install status Done;Attack DB update : successful - [UpdateNumber=3786,ExportDate=Thu Feb 27 14:04:10 2025 UTC,Detector=23.6.160240709] Updating control-plane with new detector : successful Updating data-plane with new attack or detector : not performed due to no active policy configured. |
5. check version
| root> show security idp security-package-version Attack database version:3786(Thu Feb 27 14:04:10 2025 UTC) Detector version :23.6.160240709 Policy template version :N/A Rollback Attack database version :() Rollback Detector version : N/A root> |
지금까지 [2025][Juniper SRX #30] IDP Signature Update 글을 읽어주셔서 감사합니다.
| [2025][Juniper SRX #31] Traffic Flow (0) | 2025.02.18 |
|---|---|
| [2025][Juniper SRX #29] Firmware Upgrade - CLI (0) | 2025.02.16 |
| [2025][Juniper SRX #28] Destination Nat - DNAT (0) | 2025.02.16 |
| [2025][Juniper SRX #27] Destination Nat - Port Forwarding (0) | 2025.02.16 |
| [2025][Juniper SRX #27] Static NAT - One to One NAT (0) | 2025.02.14 |
안녕하세요.
오늘은 Juniper SRX Firmware Upgrade를 해보겠습니다.
Juniper SRX는 보통 CLI에서 많이 사용 합니다.
1. Juniper 기본 설정값을 확인 합니다.
| root> show configuration | display set | no-more set version 21.4R3-S3.4 set system root-authentication encrypted-password "$6$Kt3WFIik$0vN75BKuEZDkbTiLXUiAaTbrdkZ2EQCMo0u/G2D.nI3yQFDnN2sRwSwMra/BrVBfXg2lnWtzltwnPZkIWY2Zi." set system services ssh set system services netconf ssh set system services dhcp-local-server group jdhcp-group interface irb.0 set system services web-management https system-generated-certificate set system name-server 8.8.8.8 set system name-server 8.8.4.4 set system syslog archive size 100k set system syslog archive files 3 set system syslog user * any emergency set system syslog file interactive-commands interactive-commands any set system syslog file messages any notice set system syslog file messages authorization info set system max-configurations-on-flash 5 set system max-configuration-rollbacks 5 set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval set system phone-home server https://redirect.juniper.net set system phone-home rfc-compliant set security screen ids-option untrust-screen icmp ping-death set security screen ids-option untrust-screen ip source-route-option set security screen ids-option untrust-screen ip tear-drop set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024 set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200 set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024 set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048 set security screen ids-option untrust-screen tcp syn-flood timeout 20 set security screen ids-option untrust-screen tcp land set security nat source rule-set trust-to-untrust from zone trust set security nat source rule-set trust-to-untrust to zone untrust set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0 set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any set security policies from-zone trust to-zone trust policy trust-to-trust match application any set security policies from-zone trust to-zone trust policy trust-to-trust then permit set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit set security policies pre-id-default-policy then log session-close set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols all set security zones security-zone trust interfaces irb.0 set security zones security-zone untrust screen untrust-screen set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https set security zones security-zone untrust interfaces ge-0/0/7.0 host-inbound-traffic system-services dhcp set security zones security-zone untrust interfaces ge-0/0/7.0 host-inbound-traffic system-services tftp set security zones security-zone untrust interfaces dl0.0 host-inbound-traffic system-services tftp set interfaces ge-0/0/0 unit 0 family inet dhcp vendor-id Juniper-srx320 set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust set interfaces ge-0/0/7 unit 0 family inet dhcp vendor-id Juniper-srx320 set interfaces cl-1/0/0 dialer-options pool 1 priority 100 set interfaces dl0 unit 0 family inet negotiate-address set interfaces dl0 unit 0 family inet6 negotiate-address set interfaces dl0 unit 0 dialer-options pool 1 set interfaces dl0 unit 0 dialer-options dial-string 1234 set interfaces dl0 unit 0 dialer-options always-on set interfaces irb unit 0 family inet address 192.168.1.1/24 set access address-assignment pool junosDHCPPool family inet network 192.168.1.0/24 set access address-assignment pool junosDHCPPool family inet range junosRange low 192.168.1.2 set access address-assignment pool junosDHCPPool family inet range junosRange high 192.168.1.254 set access address-assignment pool junosDHCPPool family inet dhcp-attributes router 192.168.1.1 set access address-assignment pool junosDHCPPool family inet dhcp-attributes propagate-settings ge-0/0/0.0 set vlans vlan-trust vlan-id 3 set vlans vlan-trust l3-interface irb.0 set protocols l2-learning global-mode switching set protocols rstp interface all root> root> show system license License usage: Licenses Licenses Licenses Expiry Feature name used installed needed idp-sig 0 1 0 2030-01-26 00:00:00 UTC remote-access-ipsec-vpn-client 0 2 0 permanent remote-access-juniper-std 0 2 0 permanent Licenses installed: License identifier: JUNOS422937473 License version: 4 Valid for device: CW4024AX0159 Customer ID: KDDI ASIA PACIFIC PTE. LTD. Features: idp-sig - IDP Signature date-based, 2024-12-27 00:00:00 UTC - 2030-01-26 00:00:00 UTC root> root> show version Model: srx320 Junos: 21.4R3-S3.4 JUNOS Software Release [21.4R3-S3.4] |
2. UTP 케이블을 노트북과 Juniper SRX Ge-0/0/3에 연결합니다.
그리고 노트북에 192.168.1.2 255.255.255.0 설정하고
Ping 192.168.1.1
| C:\Users\admin>ping 192.168.1.1 Pinging 192.168.1.1 with 32 bytes of data: Reply from 192.168.1.1: bytes=32 time=1ms TTL=64 Reply from 192.168.1.1: bytes=32 time=1ms TTL=64 Reply from 192.168.1.1: bytes=32 time=2ms TTL=64 Reply from 192.168.1.1: bytes=32 time=1ms TTL=64 Ping statistics for 192.168.1.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 1ms, Maximum = 2ms, Average = 1ms C:\Users\admin> C:\Users\admin> |
3. ftp enable 합니다.
| root# set system services ftp [edit] root# show system services ftp; ssh; netconf { ssh; } dhcp-local-server { group jdhcp-group { interface irb.0; } } web-management { https { system-generated-certificate; } } [edit] root# commit commit complete [edit] root# |
또는 GUI에서 아래와 같이 확인 가능 합니다.
라이센스 정보 확인 합니다.
현재 SRX320 Firmware Version 확인
Currnet Version: 21.4R3-S3.4
Target Version: 23.4R2-S3
Firmware Upgrade Path
https://supportportal.juniper.net/s/article/Junos-upgrade-paths-for-SRX-platforms?language=en_US
CEC Juniper Community
supportportal.juniper.net
To make it easy to lookup for each Junos release for SRX from which earlier releases it is supported to directly upgrade to it, please see the below table.
Before performing the upgrade, please make sure to check the Notes section below for possible caveats and limitations which may apply.
Target Junos releaseDirect upgrade supported from
| 24.4(*2) | 24.2, 23.4, 23.2 |
| 24.2 | 23.4, 23.2, 22.4 |
| 23.4 | 23.2, 22.4, 22.3 |
| 23.2 | 22.4, 22.3, 22.2 |
| 22.4 | 22.3, 22.2, 22.1, 21.4 |
| 22.3 | 22.2, 22.1, 21.4 |
| 22.2 | 22.1, 21.4, 21.3, 21.2 |
| 22.1 | 21.4, 21.3, 21.2 |
| 21.4 | 21.3, 21.2, 21.1, 20.4 |
| 21.3 | 21.2, 21.1, 20.4 |
| 21.2 | 21.1, 20.4, 20.3, 20.2 |
| 21.1 | 20.4, 20.3, 20.2 |
| 20.4 | 20.3, 20.2, 20.1, 19.4 |
| 20.3 | 20.2, 20.1, 19.4 |
| 20.2 | 20.1, 19.4, 19.3, 19.2 |
| 20.1 | 19.4, 19.3, 19.2 |
| 19.4 | 19.3, 19.2, 19.1, 18.4, 15.1X49 |
| 19.3 | 19.2, 19.1, 18.4 |
| 19.2 | 19.1, 18.4, 18.3, 18.2 |
| 19.1 | 18.4, 18.3, 18.2 |
| 18.4 | 18.3, 18.2, 18.1, 17.4, 15.1X49 |
| 18.3 | 18.2, 18.1, 17.4 |
| 18.2 | 18.1, 17.4, 17.3 |
| 18.1 | 17.4, 17.3 |
| 17.4 | 17.3, 15.1X49 |
| 17.3 | 15.1X49 |
| 15.1X49 | 12.3X48 |
위에 정보를 확인한 결과
To upgrade your SRX device from Junos 21.4R3 to 23.4R2-S3
Path: 21.4R3 --> 22.4R3 --> 23.4R2-S3
Juniper 홈페이지에 접속해서 Firmware를 다운로드 합니다.
https://support.juniper.net/support/downloads/?p=srx320
Downloads
Help us improve your experience. Let us know what you think. Do you have time for a two-minute survey?
support.juniper.net
22.4R3.25 - Checksums 정보
MD5 : 22c2f625180aabe85f252f89c3f212d3
SHA1 : 6e5b2d2ef96227b1db95d265ba899854bd1b6c24
SHA256 : 12d7f2b8245c3f6610f34380a57a642d831aba83f6008b6929d3987737f93bf7
SHA512 : 024fd745d0d3e53daee5713e11aab9029ca9f9979d9b677be8e45f93446e7c2d0b228535291acdec9b3007d51f396ddd407786921cbd99be070212359edebfda
23.4R2.13 - Checksums 정보
MD5 : 18085ebeec8305f538226bd690b18954
SHA1 : 9eaa6ba139907f30863e8a53f9641ad206078d5e
SHA256 : 0728b9bf9c1576661b325a12d0fac7b5c3c2dd29dce184b9bcefca5ca4d973f8
SHA512 : 29d7c7676ca0bd8d8813f6ac2205eaf834ff0e7998ae7ff078f609630131c0136c105128707508e76e9b566ade07230af41256e6fcb0380b3977ea9a52bfdb06
Firmware업르게이드 하기전에 모든 Firmware Version를 다운로드 받았습니다.
winscp를 실행 합니다.
접속이 완료 되면 경로를 아래와 같이 합니다.
첫번째 이미지를 업로드 합니다.
파일이 업로드가 완료 되면 아래와 같이 명령어를 입력해서 확인 합니다.
| root> file list /cf/var/tmp /cf/var/tmp: appidd_cust_app_trace appidd_trace_debug bcast.bdisp.log bcast.disp.log bcast.rstdisp.log bcast.undisp.log cleanup-pkgs.log ebmq_authd_vty eedebug_bin_file install/ junos-srxsme-22.4R3.25.tgz kmdchk.log krt_rpf_filter.txt mmcq_authd mmcq_bbeStatsdGetCollector mmcq_mmdb_rep_mmcq mmcq_sdb_bbe_mmcq nsd_restart pfe-limit pfe_debug_commands phone-home/ pics/ policy_status rtsdb/ sd-upgrade/ sec-download/ vi.recover/ root> |
Firmware MD5 checksum 확인
| root> file checksum md5 /cf/var/tmp/junos-srxsme-22.4R3.25.tgz MD5 (/cf/var/tmp/junos-srxsme-22.4R3.25.tgz) = 22c2f625180aabe85f252f89c3f212d3 root> |
1차로 21.4R3-S3.4 -> 22.4R3.25 업그레이드
아래처럼 입력 하고 업그레이드가 완료 될때가지 기다립니다.
| root> request system software add /cf/var/tmp/junos-srxsme-22.4R3.25.tgz no-validate reboot Formatting alternate root (/dev/da0s2a)... /dev/da0s2a: 596.0MB (1220680 sectors) block size 16384, fragment size 2048 using 4 cylinder groups of 149.02MB, 9537 blks, 19200 inodes. super-block backups (for fsck -b #) at: 32, 305216, 610400, 915584 saving package file in /var/sw/pkg ... Installing package '/altroot/cf/packages/install-tmp/junos-22.4R3.25' ... Verified junos-boot-srxsme-22.4R3.25.tgz signed by PackageProductionECP256_2024 method ECDSA256+SHA256 Verified junos-srxsme-22.4R3.25-domestic signed by PackageProductionECP256_2024 method ECDSA256+SHA256 Verified manifest signed by PackageProductionECP256_2024 method ECDSA256+SHA256 JUNOS 22.4R3.25 will become active at next reboot Saving state for rollback ... Rebooting ... shutdown: [pid 6825] Shutdown NOW! *** FINAL System shutdown message from root@ *** System going down IMMEDIATELY 부팅 과정 생략 Amnesiac (ttyu0) login: |
부팅이 완료 되면 로그인 합니다.
| root> show version Model: srx320 Junos: 22.4R3.25 JUNOS Software Release [22.4R3.25] root> show system license License usage: Licenses Licenses Licenses Feature Feature Feature Feature name used installed needed Expiry idp-sig 0 1 0 2030-01 -26 00:00:00 UTC remote-access-ipsec-vpn-client 0 2 0 permane nt remote-access-juniper-std 0 2 0 permane nt Licenses installed: License identifier: License version: 4 Valid for device: Customer ID: Features: idp-sig - IDP Signature date-based, 2024-12-27 00:00:00 UTC - 2030-01-26 00:00:00 UTC root> |
1차로 21.4R3-S3.4 -> 22.4R3.25 업그레이드 완료 되었습니다.
2차로 22.4R3.25 -> 23.4R2.13 업그레이드를 하겠습니다.
우선 파일을 srx에 업로드 합니다.
| root> file list /cf/var/tmp /cf/var/tmp: appidd_cust_app_trace appidd_trace_debug bcast.bdisp.log bcast.disp.log bcast.rstdisp.log bcast.undisp.log cleanup-pkgs.log dyn_filterd_trace_debug ebmq_authd_vty eedebug_bin_file install/ junos-srxsme-22.4R3.25.tgz junos-srxsme-23.4R2.13.tgz kmdchk.log krt_rpf_filter.txt mmcq_authd mmcq_bbeStatsdGetCollector mmcq_mmdb_rep_mmcq mmcq_sdb_bbe_mmcq nsd_restart pfe-limit pfe_debug_commands phone-home/ pics/ policy_status rtsdb/ sd-upgrade/ sec-download/ vi.recover/ |
MD5 Check
| root> file checksum md5 /cf/var/tmp/junos-srxsme-23.4R2.13.tgz MD5 (/cf/var/tmp/junos-srxsme-23.4R2.13.tgz) = 18085ebeec8305f538226bd690b18954 |
Firmware Upgrade and check version
| root> request system software add /cf/var/tmp/junos-srxsme-23.4R2.13.tgz no-validate reboot 부팅 과정 생략 root> show version Model: srx320 Junos: 23.4R2.13 JUNOS Software Release [23.4R2.13] root> show system license License usage: Licensed Licensed Licensed Feature Feature Feature Feature name used installed needed Expiry idp-sig 0 1 0 2030-01-26 00:00:00 UTC remote-access-ipsec-vpn-client 0 2 0 permanent remote-access-juniper-std 0 2 0 permanent Licenses installed: License identifier: License version: 4 Valid for device: Customer ID: Features: idp-sig - IDP Signature date-based, 2024-12-27 00:00:00 UTC - 2030-01-26 00:00:00 UTC root> |
지금까지 [2025][Juniper SRX #29] Firmware Upgrade - CLI 글을 읽어주셔서 감사합니다.
| [2025][Juniper SRX #31] Traffic Flow (0) | 2025.02.18 |
|---|---|
| [2025][Juniper SRX #30] IDP Signature Update (0) | 2025.02.16 |
| [2025][Juniper SRX #28] Destination Nat - DNAT (0) | 2025.02.16 |
| [2025][Juniper SRX #27] Destination Nat - Port Forwarding (0) | 2025.02.16 |
| [2025][Juniper SRX #27] Static NAT - One to One NAT (0) | 2025.02.14 |
안녕하세요.
오늘은 Juniper SRX DNAT에 대해서 알아보겠습니다.
User01 - 외부로 통신할때 SNAT 192.168.10.83으로 변환 됩니다.
User02 - 외부로 통신할때 SNAT 192.168.10.83으로 변환 됩니다.
untrust 192.168.10.85 으로 접속하면 20.1.1.1 으로 통신가능하게 DNAT를 설정하겠습니다.
1.SRX01 기본설정 입니다.
1-1 SRX 디폴트로 설정되어진 설정값을 삭제 합니다.
FreeBSD/amd64 (Amnesiac) (ttyu0) login: root --- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil root@:~ # cli root> root> root> root> configure Entering configuration mode [edit] root# delete This will delete the entire configuration Delete everything under this level? [yes,no] (no) yes [edit] root# set system root-authentication plain-text-password New password: Retype new password: [edit] root# commit |
1-2 Interface 설정
set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24 set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24 set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24 set protocols lldp interface all set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253 |
1-3 Interface를 Zone에 할당하기. 그리고 system-services all로 설정
| set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols all set security zones security-zone trust interfaces ge-0/0/1.0 set security zones security-zone untrust host-inbound-traffic system-services all set security zones security-zone untrust host-inbound-traffic protocols all set security zones security-zone untrust interfaces ge-0/0/0.0 set security zones security-zone dmz host-inbound-traffic system-services all set security zones security-zone dmz host-inbound-traffic protocols all set security zones security-zone dmz interfaces ge-0/0/2.0 |
1-4 SRX에서 방화벽 정책 설정
| set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit |
2. HTTP SERVER 설정 - 저는 cisco router를 http enable 해서 http server로 사용하겠습니다
| conf t int g0/0 ip add 20.1.1.1 255.255.255.0 no sh ip route 0.0.0.0 0.0.0.0 20.1.1.254 ip http server |
| R1#show *Feb 14 05:15:18.099: %SYS-5-CONFIG_I: Configured from console by consoleip int brie Interface IP-Address OK? Method Status Protocol GigabitEthernet0/0 20.1.1.1 YES manual up up GigabitEthernet0/1 unassigned YES unset administratively down down GigabitEthernet0/2 unassigned YES unset administratively down down GigabitEthernet0/3 unassigned YES unset administratively down down R1# R1#show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP a - application route + - replicated route, % - next hop override, p - overrides from PfR Gateway of last resort is 20.1.1.254 to network 0.0.0.0 S* 0.0.0.0/0 [1/0] via 20.1.1.254 20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 20.1.1.0/24 is directly connected, GigabitEthernet0/0 L 20.1.1.1/32 is directly connected, GigabitEthernet0/0 R1#ping 20.1.1.254 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 20.1.1.254, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms R1# |
3. User01/ USer02 설정
USER01> ip 10.1.1.1/24 10.1.1.254 Checking for duplicate address... VPCS : 10.1.1.1 255.255.255.0 gateway 10.1.1.254 USER01 > save Saving startup configuration to startup.vpc . done USER01 > USER01 > ping 10.1.1.254 84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms 84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms 84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms 84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms ^C USER01 > USER02> ip 10.1.1.2/24 10.1.1.254 Checking for duplicate address... VPCS : 10.1.1.2 255.255.255.0 gateway 10.1.1.254 USER02 > save Saving startup configuration to startup.vpc . done USER02 > USER02 > ping 10.1.1.254 84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms 84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms 84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms 84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms ^C USER02 > |
PC에서 ping 8.8.8.8 시도
| USER01> ping 8.8.8.8 8.8.8.8 icmp_seq=1 timeout 8.8.8.8 icmp_seq=2 timeout 8.8.8.8 icmp_seq=3 timeout 8.8.8.8 icmp_seq=4 timeout USER02> ping 8.8.8.8 8.8.8.8 icmp_seq=1 timeout 8.8.8.8 icmp_seq=2 timeout 8.8.8.8 icmp_seq=3 timeout 8.8.8.8 icmp_seq=4 timeout |
SRX에서 Source NAT (SNAT)가 설정 안되어져 있어서 통신이 불가능 합니다.
SRX에서 SNAT 설정
| set security nat source pool source_nat address 192.168.10.84/32 set security nat source rule-set SOURCE-NAT from zone trust set security nat source rule-set SOURCE-NAT to zone untrust set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat pool source_nat |
PC에서 다시 확인
| USER01> ping 8.8.8.8 84 bytes from 8.8.8.8 icmp_seq=1 ttl=56 time=10.328 ms 84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=5.192 ms 84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=5.557 ms 84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=5.158 ms 84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=4.425 ms USER02> ping 8.8.8.8 84 bytes from 8.8.8.8 icmp_seq=1 ttl=56 time=10.328 ms 84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=5.192 ms 84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=5.557 ms 84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=5.158 ms 84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=4.425 ms |
방화벽에서 Session 확인하기
| root> show security flow session Session ID: 54102, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid In: 10.1.1.1/54387 --> 8.8.8.8/12;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84, Out: 8.8.8.8/12 --> 192.168.10.83/31714;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84, Session ID: 54103, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid In: 10.1.1.2/54643 --> 8.8.8.8/8;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84, Out: 8.8.8.8/8 --> 192.168.10.83/11101;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84, Session ID: 54104, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid In: 10.1.1.1/54643 --> 8.8.8.8/13;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84, Out: 8.8.8.8/13 --> 192.168.10.83/8139;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84, Session ID: 54105, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid In: 10.1.1.2/54899 --> 8.8.8.8/9;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84, Out: 8.8.8.8/9 --> 192.168.10.83/3136;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84, Session ID: 54106, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 4, Valid In: 10.1.1.1/54899 --> 8.8.8.8/14;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84, Out: 8.8.8.8/14 --> 192.168.10.83/13674;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84, Total sessions: 5 |
제 PC에서도 PING를 시도 합니다.
| Probing 192.168.10.85:80/tcp - No response - time=2001.746ms Probing 192.168.10.85:80/tcp - No response - time=2003.928ms Probing 192.168.10.85:80/tcp - No response - time=2013.536ms Probing 192.168.10.85:80/tcp - No response - time=2006.107ms Probing 192.168.10.85:80/tcp - No response - time=2006.452ms Probing 192.168.10.85:80/tcp - No response - time=2005.353ms Probing 192.168.10.85:80/tcp - No response - time=2012.393ms Probing 192.168.10.85:80/tcp - No response - time=2012.957ms Probing 192.168.10.85:80/tcp - No response - time=2008.528ms Probing 192.168.10.85:80/tcp - No response - time=2011.220ms Probing 192.168.10.85:80/tcp - No response - time=2008.000ms Probing 192.168.10.85:80/tcp - No response - time=2008.216ms Probing 192.168.10.85:80/tcp - No response - time=2004.983ms Probing 192.168.10.85:80/tcp - No response - time=2000.407ms Probing 192.168.10.85:80/tcp - No response - time=2005.790ms |
우선 외부 untrust에서 dmz로 통신하기 위해서 방화벽 정책을 설정 합니다.
| set security zones security-zone dmz address-book address dmz_server_01 20.1.1.1/32 set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match source-address any set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match destination-address dmz_server_01 set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match application any set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server then permit |
SRX에서 Proxy로 IP POOL에 사용하는 IP 주소를 설정 해야지 Ge-0/0/0가 ARP에 대해서 응답합니다.
| set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.86 |
DESTINATION NAT 설정
| set security nat destination pool web_server address 20.1.1.1/32 set security nat destination rule-set to_web_server from zone untrust set security nat destination rule-set to_web_server rule web_server_incoming match destination-address 192.168.10.86/32 set security nat destination rule-set to_web_server rule web_server_incoming then destination-nat pool web_server |
PC에서 통신을 확인 합니다.
정상적으로 통신 가능 합니다.
| Probing 192.168.10.86:80/tcp - Port is open - time=23.372ms Probing 192.168.10.86:80/tcp - Port is open - time=18.897ms Probing 192.168.10.86:80/tcp - Port is open - time=14.309ms Probing 192.168.10.86:80/tcp - Port is open - time=18.139ms Probing 192.168.10.86:80/tcp - Port is open - time=23.166ms Probing 192.168.10.86:80/tcp - Port is open - time=19.464ms Probing 192.168.10.86:80/tcp - Port is open - time=18.645ms Probing 192.168.10.86:80/tcp - Port is open - time=27.360ms Probing 192.168.10.86:80/tcp - Port is open - time=19.947ms Probing 192.168.10.86:80/tcp - Port is open - time=20.782ms |
위와 같이 192.168.10.85 포트 80 또는 8000으로 20.1.1.1 80으로 통신 가능 합니다.
Interface 확인
root> show interfaces terse Interface Admin Link Proto Local Remote ge-0/0/0 up up ge-0/0/0.0 up up inet 192.168.10.83/24 gr-0/0/0 up up ip-0/0/0 up up lsq-0/0/0 up up lt-0/0/0 up up mt-0/0/0 up up sp-0/0/0 up up sp-0/0/0.0 up up inet inet6 sp-0/0/0.16383 up up inet ge-0/0/1 up up ge-0/0/1.0 up up inet 10.1.1.254/24 ge-0/0/2 up up ge-0/0/2.0 up up inet 20.1.1.254/24 dsc up up fti0 up up fxp0 up up gre up up ipip up up irb up up lo0 up up lo0.16384 up up inet 127.0.0.1 --> 0/0 lo0.16385 up up inet 10.0.0.1 --> 0/0 10.0.0.16 --> 0/0 128.0.0.1 --> 0/0 128.0.0.4 --> 0/0 128.0.1.16 --> 0/0 lo0.32768 up up lsi up up mtun up up pimd up up pime up up pp0 up up ppd0 up up ppe0 up up st0 up up tap up up vlan up down |
Routing 확인
| root> show route inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 0.0.0.0/0 *[Static/5] 00:13:56 > to 192.168.10.253 via ge-0/0/0.0 10.1.1.0/24 *[Direct/0] 00:13:56 > via ge-0/0/1.0 10.1.1.254/32 *[Local/0] 00:13:56 Local via ge-0/0/1.0 20.1.1.0/24 *[Direct/0] 00:13:56 > via ge-0/0/2.0 20.1.1.254/32 *[Local/0] 00:13:56 Local via ge-0/0/2.0 192.168.10.0/24 *[Direct/0] 00:13:56 > via ge-0/0/0.0 192.168.10.83/32 *[Local/0] 00:13:56 Local via ge-0/0/0.0 inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both ff02::2/128 *[INET6/0] 00:30:41 MultiRecv root> |
Security Zone 확인
| root> show security zones terse Zone Type dmz Security trust Security untrust Security junos-host Security root> show security zones Security zone: dmz Zone ID: 10 Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 1 Interfaces: ge-0/0/2.0 Advanced-connection-tracking timeout: 1800 Unidirectional-session-refreshing: No Security zone: trust Zone ID: 7 Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 1 Interfaces: ge-0/0/1.0 Advanced-connection-tracking timeout: 1800 Unidirectional-session-refreshing: No Security zone: untrust Zone ID: 8 Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 1 Interfaces: ge-0/0/0.0 Advanced-connection-tracking timeout: 1800 Unidirectional-session-refreshing: No Security zone: junos-host Zone ID: 2 Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 0 Interfaces: Advanced-connection-tracking timeout: 1800 Unidirectional-session-refreshing: No |
방화벽 정책 확인
root> show security policies Default policy: deny-all Default policy log Profile ID: 0 Pre ID default policy: permit-all From zone: trust, To zone: untrust Policy: trust_to_untrust, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0 Source vrf group: any Destination vrf group: any Source addresses: any Destination addresses: any Applications: any Source identity feeds: any Destination identity feeds: any Action: permit From zone: trust, To zone: dmz Policy: trust_to_untrust, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0 Source vrf group: any Destination vrf group: any Source addresses: any Destination addresses: any Applications: any Source identity feeds: any Destination identity feeds: any Action: permit From zone: dmz, To zone: untrust Policy: trust_to_untrust, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0 Source vrf group: any Destination vrf group: any Source addresses: any Destination addresses: any Applications: any Source identity feeds: any Destination identity feeds: any Action: permit From zone: untrust, To zone: dmz Policy: untrust_to_dmz_web_server, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0 Source vrf group: any Destination vrf group: any Source addresses: any Destination addresses: dmz_server_01 Applications: any Source identity feeds: any Destination identity feeds: any Action: permit root> |
방화벽 Hit Count 확인
| root> show security policies hit-count Logical system: root-logical-system Index From zone To zone Name Policy count Action 1 trust untrust trust_to_untrust 1942 Permit 2 trust dmz trust_to_untrust 0 Permit 3 untrust dmz untrust_to_dmz_web_server 844 Permit 4 dmz untrust trust_to_untrust 2010 Permit Number of policy: 4 root> |
방화벽 설정값
| root> show configuration | display set | no-more set version 21.3R1.9 set security nat source pool source_nat address 192.168.10.84/32 set security nat source rule-set SOURCE-NAT from zone trust set security nat source rule-set SOURCE-NAT to zone untrust set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface set security nat destination pool port_foward_server address 20.1.1.1/32 set security nat destination pool port_foward_server address port 80 set security nat destination pool web_server address 20.1.1.1/32 set security nat destination rule-set to_web_server from zone untrust set security nat destination rule-set to_web_server rule port_forwarding match destination-address 192.168.10.85/32 set security nat destination rule-set to_web_server rule port_forwarding match destination-port 80 set security nat destination rule-set to_web_server rule port_forwarding match destination-port 8000 set security nat destination rule-set to_web_server rule port_forwarding then destination-nat pool port_foward_server set security nat destination rule-set to_web_server rule web_server_incoming match destination-address 192.168.10.86/32 set security nat destination rule-set to_web_server rule web_server_incoming then destination-nat pool web_server set security nat static rule-set static_nat_01 from zone untrust set security nat static rule-set static_nat_01 rule auth_server match destination-address 192.168.10.84/32 set security nat static rule-set static_nat_01 rule auth_server then static-nat prefix 20.1.1.1/32 set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.84/32 set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.85/32 set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.86/32 set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match source-address any set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match destination-address dmz_server_01 set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match application any set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server then permit set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols all set security zones security-zone trust interfaces ge-0/0/1.0 set security zones security-zone untrust host-inbound-traffic system-services all set security zones security-zone untrust host-inbound-traffic protocols all set security zones security-zone untrust interfaces ge-0/0/0.0 set security zones security-zone dmz address-book address dmz_server_01 20.1.1.1/32 set security zones security-zone dmz host-inbound-traffic system-services all set security zones security-zone dmz host-inbound-traffic protocols all set security zones security-zone dmz interfaces ge-0/0/2.0 set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24 set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24 set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24 set protocols lldp interface all set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253 root> |
지금까지 [2025][Juniper SRX #27] Destination Nat - DNAT 글을 읽어주셔서 감사합니다.
| [2025][Juniper SRX #30] IDP Signature Update (0) | 2025.02.16 |
|---|---|
| [2025][Juniper SRX #29] Firmware Upgrade - CLI (0) | 2025.02.16 |
| [2025][Juniper SRX #27] Destination Nat - Port Forwarding (0) | 2025.02.16 |
| [2025][Juniper SRX #27] Static NAT - One to One NAT (0) | 2025.02.14 |
| [2025][Juniper SRX #26] Source Nat - SNAT - IP Pool (0) | 2025.02.14 |
안녕하세요.
오늘은 Juniper SRX Destination Nat - Port Forwarding 에 대해서 알아보겠습니다.
User01 - 외부로 통신할때 SNAT 192.168.10.83으로 변환 됩니다.
User02 - 외부로 통신할때 SNAT 192.168.10.83으로 변환 됩니다.
untrust 192.168.10.85:80 으로 접속하면 20.1.1.1:80으로 통신가능하게 DNAT를 설정하겠습니다.
1.SRX01 기본설정 입니다.
1-1 SRX 디폴트로 설정되어진 설정값을 삭제 합니다.
FreeBSD/amd64 (Amnesiac) (ttyu0) login: root --- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil root@:~ # cli root> root> root> root> configure Entering configuration mode [edit] root# delete This will delete the entire configuration Delete everything under this level? [yes,no] (no) yes [edit] root# set system root-authentication plain-text-password New password: Retype new password: [edit] root# commit |
1-2 Interface 설정
set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24 set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24 set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24 set protocols lldp interface all set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253 |
1-3 Interface를 Zone에 할당하기. 그리고 system-services all로 설정
| set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols all set security zones security-zone trust interfaces ge-0/0/1.0 set security zones security-zone untrust host-inbound-traffic system-services all set security zones security-zone untrust host-inbound-traffic protocols all set security zones security-zone untrust interfaces ge-0/0/0.0 set security zones security-zone dmz host-inbound-traffic system-services all set security zones security-zone dmz host-inbound-traffic protocols all set security zones security-zone dmz interfaces ge-0/0/2.0 |
1-4 SRX에서 방화벽 정책 설정
| set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit |
2. HTTP SERVER 설정 - 저는 cisco router를 http enable 해서 http server로 사용하겠습니다
| conf t int g0/0 ip add 20.1.1.1 255.255.255.0 no sh ip route 0.0.0.0 0.0.0.0 20.1.1.254 ip http server |
| R1#show *Feb 14 05:15:18.099: %SYS-5-CONFIG_I: Configured from console by consoleip int brie Interface IP-Address OK? Method Status Protocol GigabitEthernet0/0 20.1.1.1 YES manual up up GigabitEthernet0/1 unassigned YES unset administratively down down GigabitEthernet0/2 unassigned YES unset administratively down down GigabitEthernet0/3 unassigned YES unset administratively down down R1# R1#show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP a - application route + - replicated route, % - next hop override, p - overrides from PfR Gateway of last resort is 20.1.1.254 to network 0.0.0.0 S* 0.0.0.0/0 [1/0] via 20.1.1.254 20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 20.1.1.0/24 is directly connected, GigabitEthernet0/0 L 20.1.1.1/32 is directly connected, GigabitEthernet0/0 R1#ping 20.1.1.254 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 20.1.1.254, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms R1# |
3. User01/ USer02 설정
USER01> ip 10.1.1.1/24 10.1.1.254 Checking for duplicate address... VPCS : 10.1.1.1 255.255.255.0 gateway 10.1.1.254 USER01 > save Saving startup configuration to startup.vpc . done USER01 > USER01 > ping 10.1.1.254 84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms 84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms 84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms 84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms ^C USER01 > USER02> ip 10.1.1.2/24 10.1.1.254 Checking for duplicate address... VPCS : 10.1.1.2 255.255.255.0 gateway 10.1.1.254 USER02 > save Saving startup configuration to startup.vpc . done USER02 > USER02 > ping 10.1.1.254 84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms 84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms 84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms 84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms ^C USER02 > |
PC에서 ping 8.8.8.8 시도
| USER01> ping 8.8.8.8 8.8.8.8 icmp_seq=1 timeout 8.8.8.8 icmp_seq=2 timeout 8.8.8.8 icmp_seq=3 timeout 8.8.8.8 icmp_seq=4 timeout USER02> ping 8.8.8.8 8.8.8.8 icmp_seq=1 timeout 8.8.8.8 icmp_seq=2 timeout 8.8.8.8 icmp_seq=3 timeout 8.8.8.8 icmp_seq=4 timeout |
SRX에서 Source NAT (SNAT)가 설정 안되어져 있어서 통신이 불가능 합니다.
SRX에서 SNAT 설정
| set security nat source pool source_nat address 192.168.10.84/32 set security nat source rule-set SOURCE-NAT from zone trust set security nat source rule-set SOURCE-NAT to zone untrust set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat pool source_nat |
PC에서 다시 확인
| USER01> ping 8.8.8.8 84 bytes from 8.8.8.8 icmp_seq=1 ttl=56 time=10.328 ms 84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=5.192 ms 84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=5.557 ms 84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=5.158 ms 84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=4.425 ms USER02> ping 8.8.8.8 84 bytes from 8.8.8.8 icmp_seq=1 ttl=56 time=10.328 ms 84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=5.192 ms 84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=5.557 ms 84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=5.158 ms 84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=4.425 ms |
방화벽에서 Session 확인하기
| root> show security flow session Session ID: 54102, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid In: 10.1.1.1/54387 --> 8.8.8.8/12;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84, Out: 8.8.8.8/12 --> 192.168.10.83/31714;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84, Session ID: 54103, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid In: 10.1.1.2/54643 --> 8.8.8.8/8;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84, Out: 8.8.8.8/8 --> 192.168.10.83/11101;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84, Session ID: 54104, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid In: 10.1.1.1/54643 --> 8.8.8.8/13;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84, Out: 8.8.8.8/13 --> 192.168.10.83/8139;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84, Session ID: 54105, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid In: 10.1.1.2/54899 --> 8.8.8.8/9;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84, Out: 8.8.8.8/9 --> 192.168.10.83/3136;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84, Session ID: 54106, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 4, Valid In: 10.1.1.1/54899 --> 8.8.8.8/14;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84, Out: 8.8.8.8/14 --> 192.168.10.83/13674;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84, Total sessions: 5 |
제 PC에서도 PING를 시도 합니다.
| Probing 192.168.10.85:80/tcp - No response - time=2001.746ms Probing 192.168.10.85:80/tcp - No response - time=2003.928ms Probing 192.168.10.85:80/tcp - No response - time=2013.536ms Probing 192.168.10.85:80/tcp - No response - time=2006.107ms Probing 192.168.10.85:80/tcp - No response - time=2006.452ms Probing 192.168.10.85:80/tcp - No response - time=2005.353ms Probing 192.168.10.85:80/tcp - No response - time=2012.393ms Probing 192.168.10.85:80/tcp - No response - time=2012.957ms Probing 192.168.10.85:80/tcp - No response - time=2008.528ms Probing 192.168.10.85:80/tcp - No response - time=2011.220ms Probing 192.168.10.85:80/tcp - No response - time=2008.000ms Probing 192.168.10.85:80/tcp - No response - time=2008.216ms Probing 192.168.10.85:80/tcp - No response - time=2004.983ms Probing 192.168.10.85:80/tcp - No response - time=2000.407ms Probing 192.168.10.85:80/tcp - No response - time=2005.790ms |
우선 외부 untrust에서 dmz로 통신하기 위해서 방화벽 정책을 설정 합니다.
| set security zones security-zone dmz address-book address dmz_server_01 20.1.1.1/32 set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match source-address any set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match destination-address dmz_server_01 set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match application any set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server then permit |
SRX에서 Proxy로 IP POOL에 사용하는 IP 주소를 설정 해야지 Ge-0/0/0가 ARP에 대해서 응답합니다.
| set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.85 |
DESTINATION NAT 설정
| set security nat destination pool port_foward_server address 20.1.1.1/32 set security nat destination pool port_foward_server address port 80 set security nat destination rule-set to_web_server from zone untrust set security nat destination rule-set to_web_server rule port_forwarding match destination-address 192.168.10.85/32 set security nat destination rule-set to_web_server rule port_forwarding match destination-port 80 set security nat destination rule-set to_web_server rule port_forwarding then destination-nat pool port_foward_server |
PC에서 통신을 확인 합니다.
정상적으로 통신 가능 합니다.
| C:\Users\USER>tcping -t 192.168.10.85 80 ** Pinging continuously. Press control-c to stop ** Probing 192.168.10.85:80/tcp - Port is open - time=65.904ms Probing 192.168.10.85:80/tcp - Port is open - time=15.969ms Control-C |
만약에 192.168.10.85:8000 -> 20.1.1.1:80으로 통신 하고 싶다면 아래와 같이 설정 합니다.
| set security nat destination rule-set to_web_server01 rule port_forwarding match destination-port 8000 |
내 PC에서 통신 시도
| C:\Users\USER>tcping -t 192.168.10.85 8000 ** Pinging continuously. Press control-c to stop ** Probing 192.168.10.85:8000/tcp - Port is open - time=14.496ms Probing 192.168.10.85:8000/tcp - Port is open - time=17.589ms Probing 192.168.10.85:8000/tcp - Port is open - time=13.039ms Probing 192.168.10.85:8000/tcp - Port is open - time=15.563ms Probing 192.168.10.85:8000/tcp - Port is open - time=15.389ms Probing 192.168.10.85:8000/tcp - Port is open - time=13.528ms Probing 192.168.10.85:8000/tcp - Port is open - time=11.238ms Probing 192.168.10.85:8000/tcp - Port is open - time=14.091ms C:\Users\USER>tcping -t 192.168.10.85 80 ** Pinging continuously. Press control-c to stop ** Probing 192.168.10.85:80/tcp - Port is open - time=55.989ms Probing 192.168.10.85:80/tcp - Port is open - time=54.255ms Probing 192.168.10.85:80/tcp - Port is open - time=19.360ms |
위와 같이 192.168.10.85 포트 80 또는 8000으로 20.1.1.1 80으로 통신 가능 합니다.
| root> show security nat destination summary Total pools: 1 Pool name Address Routing Port Total Range Instance Address port_foward_server 20.1.1.1 - 20.1.1.1 80 1 Total rules: 1 Rule name Rule set From Action port_forwarding to_web_server untrust port_foward_server root> root> show security nat destination rule all Total destination-nat rules: 1 Total referenced IPv4/IPv6 ip-prefixes: 1/0 Destination NAT rule: port_forwarding Rule-set: to_web_server Rule-Id : 1 Rule position : 1 From zone : untrust Destination addresses : 192.168.10.85 - 192.168.10.85 Destination port : 80 - 80 8000 - 8000 Action : port_foward_server Translation hits : 106 Successful sessions : 106 Number of sessions : 0 root> |
Interface 확인
root> show interfaces terse Interface Admin Link Proto Local Remote ge-0/0/0 up up ge-0/0/0.0 up up inet 192.168.10.83/24 gr-0/0/0 up up ip-0/0/0 up up lsq-0/0/0 up up lt-0/0/0 up up mt-0/0/0 up up sp-0/0/0 up up sp-0/0/0.0 up up inet inet6 sp-0/0/0.16383 up up inet ge-0/0/1 up up ge-0/0/1.0 up up inet 10.1.1.254/24 ge-0/0/2 up up ge-0/0/2.0 up up inet 20.1.1.254/24 dsc up up fti0 up up fxp0 up up gre up up ipip up up irb up up lo0 up up lo0.16384 up up inet 127.0.0.1 --> 0/0 lo0.16385 up up inet 10.0.0.1 --> 0/0 10.0.0.16 --> 0/0 128.0.0.1 --> 0/0 128.0.0.4 --> 0/0 128.0.1.16 --> 0/0 lo0.32768 up up lsi up up mtun up up pimd up up pime up up pp0 up up ppd0 up up ppe0 up up st0 up up tap up up vlan up down |
Routing 확인
| root> show route inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 0.0.0.0/0 *[Static/5] 00:13:56 > to 192.168.10.253 via ge-0/0/0.0 10.1.1.0/24 *[Direct/0] 00:13:56 > via ge-0/0/1.0 10.1.1.254/32 *[Local/0] 00:13:56 Local via ge-0/0/1.0 20.1.1.0/24 *[Direct/0] 00:13:56 > via ge-0/0/2.0 20.1.1.254/32 *[Local/0] 00:13:56 Local via ge-0/0/2.0 192.168.10.0/24 *[Direct/0] 00:13:56 > via ge-0/0/0.0 192.168.10.83/32 *[Local/0] 00:13:56 Local via ge-0/0/0.0 inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both ff02::2/128 *[INET6/0] 00:30:41 MultiRecv root> |
Security Zone 확인
| root> show security zones terse Zone Type dmz Security trust Security untrust Security junos-host Security root> show security zones Security zone: dmz Zone ID: 10 Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 1 Interfaces: ge-0/0/2.0 Advanced-connection-tracking timeout: 1800 Unidirectional-session-refreshing: No Security zone: trust Zone ID: 7 Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 1 Interfaces: ge-0/0/1.0 Advanced-connection-tracking timeout: 1800 Unidirectional-session-refreshing: No Security zone: untrust Zone ID: 8 Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 1 Interfaces: ge-0/0/0.0 Advanced-connection-tracking timeout: 1800 Unidirectional-session-refreshing: No Security zone: junos-host Zone ID: 2 Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 0 Interfaces: Advanced-connection-tracking timeout: 1800 Unidirectional-session-refreshing: No |
방화벽 정책 확인
root> show security policies Default policy: deny-all Default policy log Profile ID: 0 Pre ID default policy: permit-all From zone: trust, To zone: untrust Policy: trust_to_untrust, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0 Source vrf group: any Destination vrf group: any Source addresses: any Destination addresses: any Applications: any Source identity feeds: any Destination identity feeds: any Action: permit From zone: trust, To zone: dmz Policy: trust_to_untrust, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0 Source vrf group: any Destination vrf group: any Source addresses: any Destination addresses: any Applications: any Source identity feeds: any Destination identity feeds: any Action: permit From zone: dmz, To zone: untrust Policy: trust_to_untrust, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0 Source vrf group: any Destination vrf group: any Source addresses: any Destination addresses: any Applications: any Source identity feeds: any Destination identity feeds: any Action: permit From zone: untrust, To zone: dmz Policy: untrust_to_dmz_web_server, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0 Source vrf group: any Destination vrf group: any Source addresses: any Destination addresses: dmz_server_01 Applications: any Source identity feeds: any Destination identity feeds: any Action: permit root> |
방화벽 Hit Count 확인
| root> show security policies hit-count Logical system: root-logical-system Index From zone To zone Name Policy count Action 1 trust untrust trust_to_untrust 1942 Permit 2 trust dmz trust_to_untrust 0 Permit 3 untrust dmz untrust_to_dmz_web_server 844 Permit 4 dmz untrust trust_to_untrust 2010 Permit Number of policy: 4 root> |
방화벽 설정값
| root> show configuration | display set | no-more set version 21.3R1.9 set security nat source pool source_nat address 192.168.10.84/32 set security nat source rule-set SOURCE-NAT from zone trust set security nat source rule-set SOURCE-NAT to zone untrust set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface set security nat destination pool port_foward_server address 20.1.1.1/32 set security nat destination pool port_foward_server address port 80 set security nat destination rule-set to_web_server from zone untrust set security nat destination rule-set to_web_server rule port_forwarding match destination-address 192.168.10.85/32 set security nat destination rule-set to_web_server rule port_forwarding match destination-port 80 set security nat destination rule-set to_web_server rule port_forwarding match destination-port 8000 set security nat destination rule-set to_web_server rule port_forwarding then destination-nat pool port_foward_server set security nat static rule-set static_nat_01 from zone untrust set security nat static rule-set static_nat_01 rule auth_server match destination-address 192.168.10.84/32 set security nat static rule-set static_nat_01 rule auth_server then static-nat prefix 20.1.1.1/32 set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.84/32 set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.85/32 set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match source-address any set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match destination-address dmz_server_01 set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match application any set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server then permit set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols all set security zones security-zone trust interfaces ge-0/0/1.0 set security zones security-zone untrust host-inbound-traffic system-services all set security zones security-zone untrust host-inbound-traffic protocols all set security zones security-zone untrust interfaces ge-0/0/0.0 set security zones security-zone dmz address-book address dmz_server_01 20.1.1.1/32 set security zones security-zone dmz host-inbound-traffic system-services all set security zones security-zone dmz host-inbound-traffic protocols all set security zones security-zone dmz interfaces ge-0/0/2.0 set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24 set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24 set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24 set protocols lldp interface all set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253 root> |
지금까지 [2025][Juniper SRX #27] Destination Nat - Port Forwarding 글을 읽어주셔서 감사합니다.
| [2025][Juniper SRX #29] Firmware Upgrade - CLI (0) | 2025.02.16 |
|---|---|
| [2025][Juniper SRX #28] Destination Nat - DNAT (0) | 2025.02.16 |
| [2025][Juniper SRX #27] Static NAT - One to One NAT (0) | 2025.02.14 |
| [2025][Juniper SRX #26] Source Nat - SNAT - IP Pool (0) | 2025.02.14 |
| [2025][Juniper SRX #24] site to site vpn - S2S VPN - OSPF (0) | 2025.02.07 |
안녕하세요.
오늘은 PNETLab에서 Cisco Catalyst 8000v를 설치해보겠습니다.
PNETLab VMware를 실행 합니다.
설치 방법은 아래 글을 참고 부탁드립니다.
https://itblog-kr.tistory.com/122
[PNETLab][#1]- Installation on VMware workstation
안녕하세요. EVE-NG Community 무료 버전을 사용하고 있는데, SDWAN 테스트 할때 Jitter, Delay등등을 테스트 하기 위해서는 EVE-NG PRO로 업그레이드 해야 합니다. 그래서 이번에 PNETLab를 설치 하고 안
itblog-kr.tistory.com
1. Putty를 통해서 PNETLab에 접속 합니다.
IP주소는 위에 참고해서 접속 합니다.
2. ishare2 search cpsg검색합니다.
ishare로는 검색이 되지 않습니다.
ishare2를 설치 해야 합니다.
아래 글을 참고 부탁드립니다.
https://itblog-kr.tistory.com/123
[PNETLab][#2]- ishare command
안녕하세요. 오늘은 PNETLab에 ishare command에 대해서 알아보겠습니다.EVE-NG는 시뮬레이션 이미지를 직접 다운로드 받아서 EVE-NG에 업로드 해야합니다.하지만 PNETLab는 자체적으로 시뮬레이션 이미
itblog-kr.tistory.com
| root@pnetlab:~# ishare2 search 8000v ┌────────────────────────────────────────────────────────────────┐ │ MOTD from the ishare2 team: │ │ Changelog: │ │ - Fixed bug when doing integrity checks againts qemu images. │ │ │ │ Telegram: https://t.me/NetLabHub │ │ Donate: https://buymeacoffee.com/sudoalex │ │ GitHub: https://github.com/ishare2-org/ishare2-cli │ └────────────────────────────────────────────────────────────────┘ ============================= Available QEMU images ============================= ID NAME SIZE -- ---- ---- 151 c8000v-17.06.03 1.5 GiB 152 c8000v-17.07.01a 1.5 GiB 153 c8000v-17.08.01 1.5 GiB 154 c8000v-17.10.01a 1.5 GiB 155 c8000v-17.11.01a 1.5 GiB 172 cat8000v-17-09-01a 1.7 GiB 173 cat8000v-17-13-01a 1.9 GiB 180 catalyst8000v-17.04.01 1.3 GiB 181 catalyst8000v-17.04.01a 1.3 GiB 182 catalyst8000v-17.04.01b 1.3 GiB 183 catalyst8000v-17.05.01a 1.4 GiB 184 catalyst8000v-17.06.01a 1.5 GiB 185 catalyst8000v-17.06.02 1.5 GiB 13 QEMU images found for the term: "8000v" ============================ Available IOL images ============================ ID NAME SIZE -- ---- ---- No IOL images found for the term: "8000v" ================================= Available DYNAMIPS images ================================= ID NAME SIZE -- ---- ---- No DYNAMIPS images found for the term: "8000v" root@pnetlab:~# ^C |
3. Cisco Catalyst 8000v 설치
| root@pnetlab:~# ishare2 pull qemu 183 [!] IMAGE INFO - Image Name : catalyst8000v-17.05.01a - Image Size : 1.4 GiB - Image Type : QEMU - Image ID : 183 - Image path : /opt/unetlab/addons/qemu/catalyst8000v-17.05.01a - Using host : https://drive.labhub.eu.org [!] DOWNLOADING IMAGE /opt/unetlab/addons/qemu/catalyst8000v-17.05.01 100%[=====================================================================================================>] 1.38G 8.54MB/s in 3m 26s [+] DOWNLOAD COMPLETED! [-] Extracting: catalyst8000v-17.05.01a.tgz file... [+] Extracted: /opt/unetlab/addons/qemu/catalyst8000v-17.05.01a. Image ready to use. [-] Fixing permissions... [+] Fix permissions command has been executed correctly root@pnetlab:~# |
3. https://192.168.40.254 접속합니다.
4. 아래 정보를 입력하고 Add버튼을 클릭 합니다. 아무 이름이나 입력 후 Savve 버튼을 클릭 합니다.
5. 오른쪽 마우스를 클릭 후 Node를 클릭 합니다.
6. CheckPoint Security Gateay VE 선택합니다.
7. Save버튼을 클릭 합니다.
8. click 라우터
| License Type: Perpetual Next reload license Level: Addon License Level: Addon License Type: Subscription Next reload addon license Level: The current throughput level is 10000 kbps Smart Licensing Status: Registration Not Applicable/Not Applicable cisco C8000V (VXE) processor (revision VXE) with 2032007K/3075K bytes of memory. Processor board ID 9DJL2EOPCI1 Router operating mode: Autonomous 4 Gigabit Ethernet interfaces 32768K bytes of non-volatile configuration memory. 3965344K bytes of physical memory. 5234688K bytes of virtual hard disk at bootflash:. Configuration register is 0x2102 Router> show inven Router> show inventory NAME: "Chassis", DESCR: "Cisco Catalyst 8000V Edge Chassis" PID: C8000V , VID: V00 , SN: 9DJL2EOPCI1 NAME: "module R0", DESCR: "Cisco Catalyst 8000V Edge Route Processor" PID: C8000V , VID: V00 , SN: JAB1303001C NAME: "module F0", DESCR: "Cisco Catalyst 8000V Edge Embedded Services Processor" PID: C8000V , VID: , SN: Router> |
지금까지 [PNETLab][#9]- Cisco Catalyst 8000v install 글을 읽어주셔서 감사합니다.
| [PNETLab][#10]- PNETLab Upgrade (0) | 2025.02.18 |
|---|---|
| [PNETLab][#8]-CheckPoint Firewall Install (0) | 2025.02.13 |
| [PNETLab][#7]-Aruba Mobility Controller Install (0) | 2025.02.13 |
| [PNETLab][#6]-Aruba CX Switch Install (0) | 2025.02.13 |
| [PNETLab][#5]-Aruba ClearPass Install (0) | 2025.02.10 |
안녕하세요.
오늘은 [2025][Juniper SRX #27] Static NAT - One to One NAT 설정해보겠습니다.
User01 - 10.1.1.1 Ge-0/0/0 192.168.10.83를 통해서 SNAT하고
User02 - 10.1.1.2 Ge-0/0/0 192.168.10.83를 통해서 SNAT하고
HTTP SERVER - 20.1.1.1에 static nat를 설정 하겠습니다.
외부에서 DMZ Server에 통신할때 192.168.10.84 -> 20.1.1.1 변경됩니다.
HTTP Server 20.1.1.1 외부로 통신할때 192.168.10.84로 변경 됩니다.
1.SRX01 기본설정 입니다.
1-1 SRX 디폴트로 설정되어진 설정값을 삭제 합니다.
FreeBSD/amd64 (Amnesiac) (ttyu0) login: root --- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil root@:~ # cli root> root> root> root> configure Entering configuration mode [edit] root# delete This will delete the entire configuration Delete everything under this level? [yes,no] (no) yes [edit] root# set system root-authentication plain-text-password New password: Retype new password: [edit] root# commit |
1-2 Interface 설정
set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24 set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24 set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24 set protocols lldp interface all set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253 |
1-3 Interface를 Zone에 할당하기. 그리고 system-services all로 설정
| set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols all set security zones security-zone trust interfaces ge-0/0/1.0 set security zones security-zone untrust host-inbound-traffic system-services all set security zones security-zone untrust host-inbound-traffic protocols all set security zones security-zone untrust interfaces ge-0/0/0.0 set security zones security-zone dmz host-inbound-traffic system-services all set security zones security-zone dmz host-inbound-traffic protocols all set security zones security-zone dmz interfaces ge-0/0/2.0 |
1-4 SRX에서 방화벽 정책 설정
| set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit |
2. HTTP SERVER 설정 - 저는 cisco router를 http enable 해서 http server로 사용하겠습니다
| conf t int g0/0 ip add 20.1.1.1 255.255.255.0 no sh ip route 0.0.0.0 0.0.0.0 20.1.1.254 ip http server |
| R1#show *Feb 14 05:15:18.099: %SYS-5-CONFIG_I: Configured from console by consoleip int brie Interface IP-Address OK? Method Status Protocol GigabitEthernet0/0 20.1.1.1 YES manual up up GigabitEthernet0/1 unassigned YES unset administratively down down GigabitEthernet0/2 unassigned YES unset administratively down down GigabitEthernet0/3 unassigned YES unset administratively down down R1# R1#show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP a - application route + - replicated route, % - next hop override, p - overrides from PfR Gateway of last resort is 20.1.1.254 to network 0.0.0.0 S* 0.0.0.0/0 [1/0] via 20.1.1.254 20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 20.1.1.0/24 is directly connected, GigabitEthernet0/0 L 20.1.1.1/32 is directly connected, GigabitEthernet0/0 R1#ping 20.1.1.254 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 20.1.1.254, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms R1# |
3. User01/ USer02 설정
USER01> ip 10.1.1.1/24 10.1.1.254 Checking for duplicate address... VPCS : 10.1.1.1 255.255.255.0 gateway 10.1.1.254 USER01 > save Saving startup configuration to startup.vpc . done USER01 > USER01 > ping 10.1.1.254 84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms 84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms 84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms 84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms ^C USER01 > USER02> ip 10.1.1.2/24 10.1.1.254 Checking for duplicate address... VPCS : 10.1.1.2 255.255.255.0 gateway 10.1.1.254 USER02 > save Saving startup configuration to startup.vpc . done USER02 > USER02 > ping 10.1.1.254 84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms 84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms 84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms 84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms ^C USER02 > |
PC에서 ping 8.8.8.8 시도
| USER01> ping 8.8.8.8 8.8.8.8 icmp_seq=1 timeout 8.8.8.8 icmp_seq=2 timeout 8.8.8.8 icmp_seq=3 timeout 8.8.8.8 icmp_seq=4 timeout USER02> ping 8.8.8.8 8.8.8.8 icmp_seq=1 timeout 8.8.8.8 icmp_seq=2 timeout 8.8.8.8 icmp_seq=3 timeout 8.8.8.8 icmp_seq=4 timeout |
SRX에서 Source NAT (SNAT)가 설정 안되어져 있어서 통신이 불가능 합니다.
SRX에서 SNAT 설정
| set security nat source pool source_nat address 192.168.10.84/32 set security nat source rule-set SOURCE-NAT from zone trust set security nat source rule-set SOURCE-NAT to zone untrust set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat pool source_nat |
PC에서 다시 확인
| USER01> ping 8.8.8.8 84 bytes from 8.8.8.8 icmp_seq=1 ttl=56 time=10.328 ms 84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=5.192 ms 84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=5.557 ms 84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=5.158 ms 84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=4.425 ms USER02> ping 8.8.8.8 84 bytes from 8.8.8.8 icmp_seq=1 ttl=56 time=10.328 ms 84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=5.192 ms 84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=5.557 ms 84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=5.158 ms 84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=4.425 ms |
방화벽에서 Session 확인하기
| root> show security flow session Session ID: 54102, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid In: 10.1.1.1/54387 --> 8.8.8.8/12;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84, Out: 8.8.8.8/12 --> 192.168.10.83/31714;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84, Session ID: 54103, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid In: 10.1.1.2/54643 --> 8.8.8.8/8;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84, Out: 8.8.8.8/8 --> 192.168.10.83/11101;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84, Session ID: 54104, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid In: 10.1.1.1/54643 --> 8.8.8.8/13;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84, Out: 8.8.8.8/13 --> 192.168.10.83/8139;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84, Session ID: 54105, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid In: 10.1.1.2/54899 --> 8.8.8.8/9;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84, Out: 8.8.8.8/9 --> 192.168.10.83/3136;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84, Session ID: 54106, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 4, Valid In: 10.1.1.1/54899 --> 8.8.8.8/14;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84, Out: 8.8.8.8/14 --> 192.168.10.83/13674;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84, Total sessions: 5 |
DMZ에 20.1.1.1 서버에서 외부로 PING를 시도 합니다.
| R1#ping 20.1.1.254 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 20.1.1.254, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/7 ms R1#ping 8.8.8.8 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) R1# |
제 PC에서도 PING를 시도 합니다.
| C:\Users\USER>ping 192.168.10.84 Ping 192.168.10.84 32바이트 데이터 사용: 요청 시간이 만료되었습니다. 요청 시간이 만료되었습니다. 요청 시간이 만료되었습니다. 요청 시간이 만료되었습니다. 192.168.10.84에 대한 Ping 통계: 패킷: 보냄 = 4, 받음 = 0, 손실 = 4 (100% 손실), |
One to One NAT ( Static NAT)를 사용 해서 192.168.10.84 <---> 20.1.1.1로 설정합니다.
서버는 외부 통신할때 Source IP 20.1.1.1 -> 192.168.10.84 변경됩니다.
외부에서 DMZ서버랑 통신 할때 Destination IP 192.168.10.84 -> 20.1.1.1 변경 됩니다.
우선 외부 untrust에서 dmz로 통신하기 위해서 방화벽 정책을 설정 합니다.
| set security zones security-zone dmz address-book address dmz_server_01 20.1.1.1/32 set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match source-address any set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match destination-address dmz_server_01 set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match application any set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server then permit |
그 이유는 SRX에서 Proxy로 IP POOL에 사용하는 IP 주소를 설정 해야지 Ge-0/0/0가 ARP에 대해서 응답합니다.
| set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.84 |
Static NAT 설정
| set security nat static rule-set static_nat_01 from zone untrust set security nat static rule-set static_nat_01 rule auth_server match destination-address 192.168.10.84/32 set security nat static rule-set static_nat_01 rule auth_server then static-nat prefix 20.1.1.1/32 |
WEB SERVER에서 외부로 PING
| R1#ping 8.8.8.8 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/6 ms R1# |
내 PC에서 통신 시도
| C:\Users\USER>ping 192.168.10.84 Ping 192.168.10.84 32바이트 데이터 사용: 192.168.10.84의 응답: 바이트=32 시간=40ms TTL=253 192.168.10.84의 응답: 바이트=32 시간=163ms TTL=253 192.168.10.84의 응답: 바이트=32 시간=17ms TTL=253 192.168.10.84의 응답: 바이트=32 시간=11ms TTL=253 192.168.10.84에 대한 Ping 통계: 패킷: 보냄 = 4, 받음 = 4, 손실 = 0 (0% 손실), 왕복 시간(밀리초): 최소 = 11ms, 최대 = 163ms, 평균 = 57ms C:\Users\USER> |
내 피시에서 https://192.168.10.84 접속하면 아래처럼 페이지가 열립니다.
SRX session 확인
아래처럼 20.1.1.1은 192.168.10.84로 변환하여 통신하고 있는것을 확인 가능 합니다.
| root> show security flow session Session ID: 57417, Policy name: trust_to_untrust/6, State: Stand-alone, Timeout: 2, Valid In: 20.1.1.1/8 --> 8.8.8.8/0;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 100, Out: 8.8.8.8/0 --> 192.168.10.84/8;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 100, Session ID: 57418, Policy name: trust_to_untrust/6, State: Stand-alone, Timeout: 2, Valid In: 20.1.1.1/8 --> 8.8.8.8/1;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 100, Out: 8.8.8.8/1 --> 192.168.10.84/8;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 100, |
제 PC에서 192.168.10.84 통신 했을때, 20.1.1.1로 변경되는것을 확인 가능 합니다.
| root> show security flow session Session ID: 58466, Policy name: untrust_to_dmz_web_server/7, State: Stand-alone, Timeout: 2, Valid In: 172.16.10.20/3 --> 192.168.10.84/11434;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60, Out: 20.1.1.1/11434 --> 172.16.10.20/3;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 60, Session ID: 58467, Policy name: untrust_to_dmz_web_server/7, State: Stand-alone, Timeout: 2, Valid In: 172.16.10.20/3 --> 192.168.10.84/11436;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60, Out: 20.1.1.1/11436 --> 172.16.10.20/3;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 60, Session ID: 58468, Policy name: untrust_to_dmz_web_server/7, State: Stand-alone, Timeout: 4, Valid In: 172.16.10.20/3 --> 192.168.10.84/11438;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60, Out: 20.1.1.1/11438 --> 172.16.10.20/3;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 60, Total sessions: 3 |
| root> show security nat static rule all Total static-nat rules: 1 Total referenced IPv4/IPv6 ip-prefixes: 2/0 Static NAT rule: auth_server Rule-set: static_nat_01 Rule-Id : 1 Rule position : 1 From zone : untrust Destination addresses : 192.168.10.84 Host addresses : 20.1.1.1 Netmask : 32 Host routing-instance : N/A Translation hits : 2083 Successful sessions : 2083 Number of sessions : 4 root> |
Interface 확인
root> show interfaces terse Interface Admin Link Proto Local Remote ge-0/0/0 up up ge-0/0/0.0 up up inet 192.168.10.83/24 gr-0/0/0 up up ip-0/0/0 up up lsq-0/0/0 up up lt-0/0/0 up up mt-0/0/0 up up sp-0/0/0 up up sp-0/0/0.0 up up inet inet6 sp-0/0/0.16383 up up inet ge-0/0/1 up up ge-0/0/1.0 up up inet 10.1.1.254/24 ge-0/0/2 up up ge-0/0/2.0 up up inet 20.1.1.254/24 dsc up up fti0 up up fxp0 up up gre up up ipip up up irb up up lo0 up up lo0.16384 up up inet 127.0.0.1 --> 0/0 lo0.16385 up up inet 10.0.0.1 --> 0/0 10.0.0.16 --> 0/0 128.0.0.1 --> 0/0 128.0.0.4 --> 0/0 128.0.1.16 --> 0/0 lo0.32768 up up lsi up up mtun up up pimd up up pime up up pp0 up up ppd0 up up ppe0 up up st0 up up tap up up vlan up down |
Routing 확인
| root> show route inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 0.0.0.0/0 *[Static/5] 00:13:56 > to 192.168.10.253 via ge-0/0/0.0 10.1.1.0/24 *[Direct/0] 00:13:56 > via ge-0/0/1.0 10.1.1.254/32 *[Local/0] 00:13:56 Local via ge-0/0/1.0 20.1.1.0/24 *[Direct/0] 00:13:56 > via ge-0/0/2.0 20.1.1.254/32 *[Local/0] 00:13:56 Local via ge-0/0/2.0 192.168.10.0/24 *[Direct/0] 00:13:56 > via ge-0/0/0.0 192.168.10.83/32 *[Local/0] 00:13:56 Local via ge-0/0/0.0 inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both ff02::2/128 *[INET6/0] 00:30:41 MultiRecv root> |
Security Zone 확인
| root> show security zones terse Zone Type dmz Security trust Security untrust Security junos-host Security root> show security zones Security zone: dmz Zone ID: 10 Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 1 Interfaces: ge-0/0/2.0 Advanced-connection-tracking timeout: 1800 Unidirectional-session-refreshing: No Security zone: trust Zone ID: 7 Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 1 Interfaces: ge-0/0/1.0 Advanced-connection-tracking timeout: 1800 Unidirectional-session-refreshing: No Security zone: untrust Zone ID: 8 Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 1 Interfaces: ge-0/0/0.0 Advanced-connection-tracking timeout: 1800 Unidirectional-session-refreshing: No Security zone: junos-host Zone ID: 2 Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 0 Interfaces: Advanced-connection-tracking timeout: 1800 Unidirectional-session-refreshing: No |
방화벽 정책 확인
root> show security policies Default policy: deny-all Default policy log Profile ID: 0 Pre ID default policy: permit-all From zone: trust, To zone: untrust Policy: trust_to_untrust, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0 Source vrf group: any Destination vrf group: any Source addresses: any Destination addresses: any Applications: any Source identity feeds: any Destination identity feeds: any Action: permit From zone: trust, To zone: dmz Policy: trust_to_untrust, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0 Source vrf group: any Destination vrf group: any Source addresses: any Destination addresses: any Applications: any Source identity feeds: any Destination identity feeds: any Action: permit From zone: dmz, To zone: untrust Policy: trust_to_untrust, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0 Source vrf group: any Destination vrf group: any Source addresses: any Destination addresses: any Applications: any Source identity feeds: any Destination identity feeds: any Action: permit From zone: untrust, To zone: dmz Policy: untrust_to_dmz_web_server, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0 Source vrf group: any Destination vrf group: any Source addresses: any Destination addresses: dmz_server_01 Applications: any Source identity feeds: any Destination identity feeds: any Action: permit root> |
방화벽 Hit Count 확인
| root> show security policies hit-count Logical system: root-logical-system Index From zone To zone Name Policy count Action 1 trust untrust trust_to_untrust 1942 Permit 2 trust dmz trust_to_untrust 0 Permit 3 untrust dmz untrust_to_dmz_web_server 196 Permit 4 dmz untrust trust_to_untrust 2010 Permit Number of policy: 4 root> |
방화벽 NAT 확인
| root> show security nat source summary Total port number usage for port translation pool: 64512 Maximum port number for port translation pool: 50331648 Total pools: 1 Pool Address Routing PAT Total Name Range Instance Address source_nat 192.168.10.84-192.168.10.84 default yes 1 Total rules: 1 Rule name Rule set From To Action PAT-INTERFACE SOURCE-NAT trust untrust interface ^ syntax error, expecting <command>. root> show security nat source rule all Total rules: 1 Total referenced IPv4/IPv6 ip-prefixes: 2/0 source NAT rule: PAT-INTERFACE Rule-set: SOURCE-NAT Rule-Id : 1 Rule position : 1 From zone : trust To zone : untrust Match Source addresses : 10.1.1.0 - 10.1.1.255 Destination addresses : 0.0.0.0 - 255.255.255.255 Action : interface Persistent NAT type : N/A Persistent NAT mapping type : address-port-mapping Inactivity timeout : 0 Max session number : 0 Translation hits : 1942 Successful sessions : 1942 Number of sessions : 0 root> show security nat static rule all Total static-nat rules: 1 Total referenced IPv4/IPv6 ip-prefixes: 2/0 Static NAT rule: auth_server Rule-set: static_nat_01 Rule-Id : 1 Rule position : 1 From zone : untrust Destination addresses : 192.168.10.84 Host addresses : 20.1.1.1 Netmask : 32 Host routing-instance : N/A Translation hits : 2302 Successful sessions : 2302 Number of sessions : 5 root> |
방화벽 설정값
| root> show configuration | display set | no-more set version 21.3R1.9 set security nat source pool source_nat address 192.168.10.84/32 set security nat source rule-set SOURCE-NAT from zone trust set security nat source rule-set SOURCE-NAT to zone untrust set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface set security nat static rule-set static_nat_01 from zone untrust set security nat static rule-set static_nat_01 rule auth_server match destination-address 192.168.10.84/32 set security nat static rule-set static_nat_01 rule auth_server then static-nat prefix 20.1.1.1/32 set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.84/32 set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match source-address any set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match destination-address dmz_server_01 set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match application any set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server then permit set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols all set security zones security-zone trust interfaces ge-0/0/1.0 set security zones security-zone untrust host-inbound-traffic system-services all set security zones security-zone untrust host-inbound-traffic protocols all set security zones security-zone untrust interfaces ge-0/0/0.0 set security zones security-zone dmz address-book address dmz_server_01 20.1.1.1/32 set security zones security-zone dmz host-inbound-traffic system-services all set security zones security-zone dmz host-inbound-traffic protocols all set security zones security-zone dmz interfaces ge-0/0/2.0 set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24 set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24 set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24 set protocols lldp interface all set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253 root> |
지금까지 [2025][Juniper SRX #26] Source Nat - SNAT - IP Pool 글을 읽어주셔서 감사합니다.
| [2025][Juniper SRX #28] Destination Nat - DNAT (0) | 2025.02.16 |
|---|---|
| [2025][Juniper SRX #27] Destination Nat - Port Forwarding (0) | 2025.02.16 |
| [2025][Juniper SRX #26] Source Nat - SNAT - IP Pool (0) | 2025.02.14 |
| [2025][Juniper SRX #24] site to site vpn - S2S VPN - OSPF (0) | 2025.02.07 |
| [2025][Juniper SRX #23] site to site vpn - S2S VPN - static route (0) | 2025.02.07 |
안녕하세요.
오늘은 Juniper SRX에서 Source NAT를 IP Pool에 대해서 설정해보겠습니다.
토폴로지는 아래와 같습니다.
Ge-0/0/0 192.168.10.83 IP를 사용하지 않고, 192.168.10.84 IP를 통해서 Trust / DMZ Traffic를 SNAT하겠습니다.
1.SRX01 기본설정 입니다.
1-1 SRX 디폴트로 설정되어진 설정값을 삭제 합니다.
FreeBSD/amd64 (Amnesiac) (ttyu0) login: root --- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil root@:~ # cli root> root> root> root> configure Entering configuration mode [edit] root# delete This will delete the entire configuration Delete everything under this level? [yes,no] (no) yes [edit] root# set system root-authentication plain-text-password New password: Retype new password: [edit] root# commit |
1-2 Interface 설정
set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24 set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24 set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24 set protocols lldp interface all set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253 |
1-3 Interface를 Zone에 할당하기. 그리고 system-services all로 설정
| set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols all set security zones security-zone trust interfaces ge-0/0/1.0 set security zones security-zone untrust host-inbound-traffic system-services all set security zones security-zone untrust host-inbound-traffic protocols all set security zones security-zone untrust interfaces ge-0/0/0.0 set security zones security-zone dmz host-inbound-traffic system-services all set security zones security-zone dmz host-inbound-traffic protocols all set security zones security-zone dmz interfaces ge-0/0/2.0 |
1-4 SRX에서 방화벽 정책 설정
| set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit |
2. HTTP SERVER 설정 - 저는 cisco router를 http enable 해서 http server로 사용하겠습니다
| conf t int g0/0 ip add 20.1.1.1 255.255.255.0 no sh ip route 0.0.0.0 0.0.0.0 20.1.1.254 ip http server |
| R1#show *Feb 14 05:15:18.099: %SYS-5-CONFIG_I: Configured from console by consoleip int brie Interface IP-Address OK? Method Status Protocol GigabitEthernet0/0 20.1.1.1 YES manual up up GigabitEthernet0/1 unassigned YES unset administratively down down GigabitEthernet0/2 unassigned YES unset administratively down down GigabitEthernet0/3 unassigned YES unset administratively down down R1# R1#show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP a - application route + - replicated route, % - next hop override, p - overrides from PfR Gateway of last resort is 20.1.1.254 to network 0.0.0.0 S* 0.0.0.0/0 [1/0] via 20.1.1.254 20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 20.1.1.0/24 is directly connected, GigabitEthernet0/0 L 20.1.1.1/32 is directly connected, GigabitEthernet0/0 R1#ping 20.1.1.254 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 20.1.1.254, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms R1# |
3. PC 설정
VPCS> ip 10.1.1.1/24 10.1.1.254 Checking for duplicate address... VPCS : 10.1.1.1 255.255.255.0 gateway 10.1.1.254 VPCS> save Saving startup configuration to startup.vpc . done VPCS> VPCS> ping 10.1.1.254 84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms 84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms 84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms 84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms ^C VPCS> |
PC에서 ping 8.8.8.8 시도
| VPCS> ping 8.8.8.8 8.8.8.8 icmp_seq=1 timeout 8.8.8.8 icmp_seq=2 timeout 8.8.8.8 icmp_seq=3 timeout 8.8.8.8 icmp_seq=4 timeout |
SRX에서 Source NAT (SNAT)가 설정 안되어져 있어서 통신이 불가능 합니다.
SRX에서 SNAT 설정
| set security nat source pool source_nat address 192.168.10.84/32 set security nat source rule-set SOURCE-NAT from zone trust set security nat source rule-set SOURCE-NAT to zone untrust set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat pool source_nat |
PC에서 다시 확인
| VPCS> ping 8.8.8.8 8.8.8.8 icmp_seq=621 timeout 8.8.8.8 icmp_seq=622 timeout 8.8.8.8 icmp_seq=623 timeout 8.8.8.8 icmp_seq=624 timeout 8.8.8.8 icmp_seq=625 timeout 8.8.8.8 icmp_seq=626 timeout 8.8.8.8 icmp_seq=627 timeout 8.8.8.8 icmp_seq=628 timeout 8.8.8.8 icmp_seq=629 timeout 8.8.8.8 icmp_seq=630 timeout 8.8.8.8 icmp_seq=631 timeout 8.8.8.8 icmp_seq=632 timeout VPCS> |
그 이유는 SRX에서 Proxy로 IP POOL에 사용하는 IP 주소를 설정 해야지 Ge-0/0/0가 ARP에 대해서 응답합니다.
| set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.84 |
PC에서 다시 8.8.8.8 PING
| VPCS> ping 8.8.8.8 -c 1000 8.8.8.8 icmp_seq=1 timeout 84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=2.049 ms 84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=1.954 ms 84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=2.603 ms 84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=2.052 ms 84 bytes from 8.8.8.8 icmp_seq=6 ttl=56 time=2.130 ms 84 bytes from 8.8.8.8 icmp_seq=7 ttl=56 time=2.229 ms 84 bytes from 8.8.8.8 icmp_seq=8 ttl=56 time=2.078 ms 84 bytes from 8.8.8.8 icmp_seq=9 ttl=56 time=2.150 ms 84 bytes from 8.8.8.8 icmp_seq=10 ttl=56 time=2.061 ms 84 bytes from 8.8.8.8 icmp_seq=11 ttl=56 time=2.151 ms 84 bytes from 8.8.8.8 icmp_seq=12 ttl=56 time=2.173 ms 84 bytes from 8.8.8.8 icmp_seq=13 ttl=56 time=2.450 ms 84 bytes from 8.8.8.8 icmp_seq=14 ttl=56 time=2.411 ms 84 bytes from 8.8.8.8 icmp_seq=15 ttl=56 time=2.296 ms 84 bytes from 8.8.8.8 icmp_seq=16 ttl=56 time=2.049 ms 84 bytes from 8.8.8.8 icmp_seq=17 ttl=56 time=2.047 ms 84 bytes from 8.8.8.8 icmp_seq=18 ttl=56 time=2.101 ms |
SRX session 확인
| root> show security flow session Session ID: 3402, Policy name: self-traffic-policy/1, State: Stand-alone, Timeout: 2, Valid In: 172.16.10.20/1 --> 192.168.10.83/2368;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60, Out: 192.168.10.83/2368 --> 172.16.10.20/1;icmp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 60, Session ID: 3403, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid In: 10.1.1.1/37592 --> 8.8.8.8/64;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84, Out: 8.8.8.8/64 --> 192.168.10.84/20216;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84, Session ID: 3405, Policy name: self-traffic-policy/1, State: Stand-alone, Timeout: 2, Valid In: 172.16.10.20/1 --> 192.168.10.83/2369;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60, Out: 192.168.10.83/2369 --> 172.16.10.20/1;icmp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 60, Session ID: 3406, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid In: 10.1.1.1/37848 --> 8.8.8.8/65;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84, Out: 8.8.8.8/65 --> 192.168.10.84/30540;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84, Session ID: 3408, Policy name: self-traffic-policy/1, State: Stand-alone, Timeout: 4, Valid In: 172.16.10.20/1 --> 192.168.10.83/2370;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60, Out: 192.168.10.83/2370 --> 172.16.10.20/1;icmp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 60, Session ID: 3409, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 4, Valid In: 10.1.1.1/38104 --> 8.8.8.8/66;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84, Out: 8.8.8.8/66 --> 192.168.10.84/22474;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84, Session ID: 3411, Policy name: self-traffic-policy/1, State: Stand-alone, Timeout: 4, Valid In: 172.16.10.20/1 --> 192.168.10.83/2371;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60, Out: 192.168.10.83/2371 --> 172.16.10.20/1;icmp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 60, Total sessions: 7 root> |
HTTP Server에서 Ping 8.8.8.8 시도
SRX DMZ SNAT 설정이 없어서 실패
| R1#ping 8.8.8.8 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) R1# |
SRX에서 DMZ를 위해서 SNAT설정
| set security nat source rule-set SOURCE-NAT from zone dmz set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 20.1.1.0/24 |
HTTP Server에서 Ping 시도
| R1#ping 8.8.8.8 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/6 ms R1# |
SRX에서 기본적인 부분 확인 Command
Interface 확인
root> show interfaces terse Interface Admin Link Proto Local Remote ge-0/0/0 up up ge-0/0/0.0 up up inet 192.168.10.83/24 gr-0/0/0 up up ip-0/0/0 up up lsq-0/0/0 up up lt-0/0/0 up up mt-0/0/0 up up sp-0/0/0 up up sp-0/0/0.0 up up inet inet6 sp-0/0/0.16383 up up inet ge-0/0/1 up up ge-0/0/1.0 up up inet 10.1.1.254/24 ge-0/0/2 up up ge-0/0/2.0 up up inet 20.1.1.254/24 dsc up up fti0 up up fxp0 up up gre up up ipip up up irb up up lo0 up up lo0.16384 up up inet 127.0.0.1 --> 0/0 lo0.16385 up up inet 10.0.0.1 --> 0/0 10.0.0.16 --> 0/0 128.0.0.1 --> 0/0 128.0.0.4 --> 0/0 128.0.1.16 --> 0/0 lo0.32768 up up lsi up up mtun up up pimd up up pime up up pp0 up up ppd0 up up ppe0 up up st0 up up tap up up vlan up down |
Routing 확인
| root> show route inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 0.0.0.0/0 *[Static/5] 00:13:56 > to 192.168.10.253 via ge-0/0/0.0 10.1.1.0/24 *[Direct/0] 00:13:56 > via ge-0/0/1.0 10.1.1.254/32 *[Local/0] 00:13:56 Local via ge-0/0/1.0 20.1.1.0/24 *[Direct/0] 00:13:56 > via ge-0/0/2.0 20.1.1.254/32 *[Local/0] 00:13:56 Local via ge-0/0/2.0 192.168.10.0/24 *[Direct/0] 00:13:56 > via ge-0/0/0.0 192.168.10.83/32 *[Local/0] 00:13:56 Local via ge-0/0/0.0 inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both ff02::2/128 *[INET6/0] 00:30:41 MultiRecv root> |
Security Zone 확인
| root> show security zones terse Zone Type dmz Security trust Security untrust Security junos-host Security root> show security zones Security zone: dmz Zone ID: 10 Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 1 Interfaces: ge-0/0/2.0 Advanced-connection-tracking timeout: 1800 Unidirectional-session-refreshing: No Security zone: trust Zone ID: 7 Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 1 Interfaces: ge-0/0/1.0 Advanced-connection-tracking timeout: 1800 Unidirectional-session-refreshing: No Security zone: untrust Zone ID: 8 Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 1 Interfaces: ge-0/0/0.0 Advanced-connection-tracking timeout: 1800 Unidirectional-session-refreshing: No Security zone: junos-host Zone ID: 2 Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 0 Interfaces: Advanced-connection-tracking timeout: 1800 Unidirectional-session-refreshing: No |
방화벽 정책 확인
| root> show security policies Default policy: deny-all Default policy log Profile ID: 0 Pre ID default policy: permit-all From zone: trust, To zone: untrust Policy: trust_to_untrust, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0 Source vrf group: any Destination vrf group: any Source addresses: any Destination addresses: any Applications: any Source identity feeds: any Destination identity feeds: any Action: permit From zone: trust, To zone: dmz Policy: trust_to_untrust, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0 Source vrf group: any Destination vrf group: any Source addresses: any Destination addresses: any Applications: any Source identity feeds: any Destination identity feeds: any Action: permit From zone: dmz, To zone: untrust Policy: trust_to_untrust, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0 Source vrf group: any Destination vrf group: any Source addresses: any Destination addresses: any Applications: any Source identity feeds: any Destination identity feeds: any Action: permit |
방화벽 Hit Count 확인
| root> show security policies hit-count Logical system: root-logical-system Index From zone To zone Name Policy count Action 1 trust untrust trust_to_untrust 15 Permit 2 trust dmz trust_to_untrust 0 Permit 3 dmz untrust trust_to_untrust 10 Permit Number of policy: 3 root> |
방화벽 NAT 확인
| root> show security nat source summary Total pools: 0 Total rules: 1 Rule name Rule set From To Action PAT-INTERFACE SOURCE-NAT dmz untrust interface PAT-INTERFACE trust root> show security nat source rule all Total rules: 1 Total referenced IPv4/IPv6 ip-prefixes: 3/0 source NAT rule: PAT-INTERFACE Rule-set: SOURCE-NAT Rule-Id : 1 Rule position : 1 From zone : dmz : trust To zone : untrust Match Source addresses : 10.1.1.0 - 10.1.1.255 20.1.1.0 - 20.1.1.255 Destination addresses : 0.0.0.0 - 255.255.255.255 Action : interface Persistent NAT type : N/A Persistent NAT mapping type : address-port-mapping Inactivity timeout : 0 Max session number : 0 Translation hits : 10 Successful sessions : 10 Number of sessions : 0 |
방화벽 설정값
| root> show configuration | display set | no-more set version 21.3R1.9 set system root-authentication encrypted-password "$6$foWa5m5j$QTNzAZvC.AJNs4b9yJq/18Qp038uo2x6rPM/imUQn/M3hFIJsz5FxlOXdwq6iS2UG12O3SIpFdTzZBYi4wmkY1" set security nat source pool source_nat address 192.168.10.84/32 set security nat source rule-set SOURCE-NAT from zone dmz set security nat source rule-set SOURCE-NAT from zone trust set security nat source rule-set SOURCE-NAT to zone untrust set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 20.1.1.0/24 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat pool source_nat set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.84/32 set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols all set security zones security-zone trust interfaces ge-0/0/1.0 set security zones security-zone untrust host-inbound-traffic system-services all set security zones security-zone untrust host-inbound-traffic protocols all set security zones security-zone untrust interfaces ge-0/0/0.0 set security zones security-zone dmz host-inbound-traffic system-services all set security zones security-zone dmz host-inbound-traffic protocols all set security zones security-zone dmz interfaces ge-0/0/2.0 set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24 set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24 set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24 set protocols lldp interface all set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253 root> |
지금까지 [2025][Juniper SRX #26] Source Nat - SNAT - IP Pool 글을 읽어주셔서 감사합니다.
| [2025][Juniper SRX #27] Destination Nat - Port Forwarding (0) | 2025.02.16 |
|---|---|
| [2025][Juniper SRX #27] Static NAT - One to One NAT (0) | 2025.02.14 |
| [2025][Juniper SRX #24] site to site vpn - S2S VPN - OSPF (0) | 2025.02.07 |
| [2025][Juniper SRX #23] site to site vpn - S2S VPN - static route (0) | 2025.02.07 |
| [2025][Juniper SRX #22] site to site vpn - S2S VPN - 기본 설정 (0) | 2025.02.07 |
안녕하세요.
오늘은 Juniper SRX에서 Source NAT에 대해서 설정해보겠습니다.
토폴로지는 아래와 같습니다.
1.SRX01 기본설정 입니다.
1-1 SRX 디폴트로 설정되어진 설정값을 삭제 합니다.
FreeBSD/amd64 (Amnesiac) (ttyu0) login: root --- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil root@:~ # cli root> root> root> root> configure Entering configuration mode [edit] root# delete This will delete the entire configuration Delete everything under this level? [yes,no] (no) yes [edit] root# set system root-authentication plain-text-password New password: Retype new password: [edit] root# commit |
1-2 Interface 설정
set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24 set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24 set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24 set protocols lldp interface all set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253 |
1-3 Interface를 Zone에 할당하기. 그리고 system-services all로 설정
| set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols all set security zones security-zone trust interfaces ge-0/0/1.0 set security zones security-zone untrust host-inbound-traffic system-services all set security zones security-zone untrust host-inbound-traffic protocols all set security zones security-zone untrust interfaces ge-0/0/0.0 set security zones security-zone dmz host-inbound-traffic system-services all set security zones security-zone dmz host-inbound-traffic protocols all set security zones security-zone dmz interfaces ge-0/0/2.0 |
1-4 SRX에서 방화벽 정책 설정
| set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit |
2. HTTP SERVER 설정 - 저는 cisco router를 http enable 해서 http server로 사용하겠습니다
| conf t int g0/0 ip add 20.1.1.1 255.255.255.0 no sh ip route 0.0.0.0 0.0.0.0 20.1.1.254 ip http server |
| R1#show *Feb 14 05:15:18.099: %SYS-5-CONFIG_I: Configured from console by consoleip int brie Interface IP-Address OK? Method Status Protocol GigabitEthernet0/0 20.1.1.1 YES manual up up GigabitEthernet0/1 unassigned YES unset administratively down down GigabitEthernet0/2 unassigned YES unset administratively down down GigabitEthernet0/3 unassigned YES unset administratively down down R1# R1#show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP a - application route + - replicated route, % - next hop override, p - overrides from PfR Gateway of last resort is 20.1.1.254 to network 0.0.0.0 S* 0.0.0.0/0 [1/0] via 20.1.1.254 20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 20.1.1.0/24 is directly connected, GigabitEthernet0/0 L 20.1.1.1/32 is directly connected, GigabitEthernet0/0 R1#ping 20.1.1.254 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 20.1.1.254, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms R1# |
3. PC 설정
VPCS> ip 10.1.1.1/24 10.1.1.254 Checking for duplicate address... VPCS : 10.1.1.1 255.255.255.0 gateway 10.1.1.254 VPCS> save Saving startup configuration to startup.vpc . done VPCS> VPCS> ping 10.1.1.254 84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms 84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms 84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms 84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms ^C VPCS> |
PC에서 ping 8.8.8.8 시도
| VPCS> ping 8.8.8.8 8.8.8.8 icmp_seq=1 timeout 8.8.8.8 icmp_seq=2 timeout 8.8.8.8 icmp_seq=3 timeout 8.8.8.8 icmp_seq=4 timeout |
SRX에서 Source NAT (SNAT)가 설정 안되어져 있어서 통신이 불가능 합니다.
SRX에서 SNAT 설정
| set security nat source rule-set SOURCE-NAT from zone trust set security nat source rule-set SOURCE-NAT to zone untrust set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface |
PC에서 다시 확인
| VPCS> ping 8.8.8.8 84 bytes from 8.8.8.8 icmp_seq=1 ttl=56 time=23.166 ms 84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=2.255 ms 84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=1.980 ms 84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=2.337 ms 84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=2.088 ms ^C VPCS> |
HTTP Server에서 Ping 8.8.8.8 시도
SRX DMZ SNAT 설정이 없어서 실패
| R1#ping 8.8.8.8 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) R1# |
SRX에서 DMZ를 위해서 SNAT설정
| set security nat source rule-set SOURCE-NAT from zone dmz set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 20.1.1.0/24 |
HTTP Server에서 Ping 시도
| R1#ping 8.8.8.8 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/6 ms R1# |
SRX에서 기본적인 부분 확인 Command
Interface 확인
root> show interfaces terse Interface Admin Link Proto Local Remote ge-0/0/0 up up ge-0/0/0.0 up up inet 192.168.10.83/24 gr-0/0/0 up up ip-0/0/0 up up lsq-0/0/0 up up lt-0/0/0 up up mt-0/0/0 up up sp-0/0/0 up up sp-0/0/0.0 up up inet inet6 sp-0/0/0.16383 up up inet ge-0/0/1 up up ge-0/0/1.0 up up inet 10.1.1.254/24 ge-0/0/2 up up ge-0/0/2.0 up up inet 20.1.1.254/24 dsc up up fti0 up up fxp0 up up gre up up ipip up up irb up up lo0 up up lo0.16384 up up inet 127.0.0.1 --> 0/0 lo0.16385 up up inet 10.0.0.1 --> 0/0 10.0.0.16 --> 0/0 128.0.0.1 --> 0/0 128.0.0.4 --> 0/0 128.0.1.16 --> 0/0 lo0.32768 up up lsi up up mtun up up pimd up up pime up up pp0 up up ppd0 up up ppe0 up up st0 up up tap up up vlan up down |
Routing 확인
| root> show route inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 0.0.0.0/0 *[Static/5] 00:13:56 > to 192.168.10.253 via ge-0/0/0.0 10.1.1.0/24 *[Direct/0] 00:13:56 > via ge-0/0/1.0 10.1.1.254/32 *[Local/0] 00:13:56 Local via ge-0/0/1.0 20.1.1.0/24 *[Direct/0] 00:13:56 > via ge-0/0/2.0 20.1.1.254/32 *[Local/0] 00:13:56 Local via ge-0/0/2.0 192.168.10.0/24 *[Direct/0] 00:13:56 > via ge-0/0/0.0 192.168.10.83/32 *[Local/0] 00:13:56 Local via ge-0/0/0.0 inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both ff02::2/128 *[INET6/0] 00:30:41 MultiRecv root> |
Security Zone 확인
| root> show security zones terse Zone Type dmz Security trust Security untrust Security junos-host Security root> show security zones Security zone: dmz Zone ID: 10 Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 1 Interfaces: ge-0/0/2.0 Advanced-connection-tracking timeout: 1800 Unidirectional-session-refreshing: No Security zone: trust Zone ID: 7 Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 1 Interfaces: ge-0/0/1.0 Advanced-connection-tracking timeout: 1800 Unidirectional-session-refreshing: No Security zone: untrust Zone ID: 8 Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 1 Interfaces: ge-0/0/0.0 Advanced-connection-tracking timeout: 1800 Unidirectional-session-refreshing: No Security zone: junos-host Zone ID: 2 Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 0 Interfaces: Advanced-connection-tracking timeout: 1800 Unidirectional-session-refreshing: No |
방화벽 정책 확인
| root> show security policies Default policy: deny-all Default policy log Profile ID: 0 Pre ID default policy: permit-all From zone: trust, To zone: untrust Policy: trust_to_untrust, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0 Source vrf group: any Destination vrf group: any Source addresses: any Destination addresses: any Applications: any Source identity feeds: any Destination identity feeds: any Action: permit From zone: trust, To zone: dmz Policy: trust_to_untrust, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0 Source vrf group: any Destination vrf group: any Source addresses: any Destination addresses: any Applications: any Source identity feeds: any Destination identity feeds: any Action: permit From zone: dmz, To zone: untrust Policy: trust_to_untrust, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0 Source vrf group: any Destination vrf group: any Source addresses: any Destination addresses: any Applications: any Source identity feeds: any Destination identity feeds: any Action: permit |
방화벽 Hit Count 확인
| root> show security policies hit-count Logical system: root-logical-system Index From zone To zone Name Policy count Action 1 trust untrust trust_to_untrust 15 Permit 2 trust dmz trust_to_untrust 0 Permit 3 dmz untrust trust_to_untrust 10 Permit Number of policy: 3 root> |
방화벽 NAT 확인
| root> show security nat source summary Total pools: 0 Total rules: 1 Rule name Rule set From To Action PAT-INTERFACE SOURCE-NAT dmz untrust interface PAT-INTERFACE trust root> show security nat source rule all Total rules: 1 Total referenced IPv4/IPv6 ip-prefixes: 3/0 source NAT rule: PAT-INTERFACE Rule-set: SOURCE-NAT Rule-Id : 1 Rule position : 1 From zone : dmz : trust To zone : untrust Match Source addresses : 10.1.1.0 - 10.1.1.255 20.1.1.0 - 20.1.1.255 Destination addresses : 0.0.0.0 - 255.255.255.255 Action : interface Persistent NAT type : N/A Persistent NAT mapping type : address-port-mapping Inactivity timeout : 0 Max session number : 0 Translation hits : 10 Successful sessions : 10 Number of sessions : 0 |
방화벽 설정값
| root> show configuration | display set | no-more set version 21.3R1.9 set security nat source rule-set SOURCE-NAT from zone dmz set security nat source rule-set SOURCE-NAT from zone trust set security nat source rule-set SOURCE-NAT to zone untrust set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 20.1.1.0/24 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols all set security zones security-zone trust interfaces ge-0/0/1.0 set security zones security-zone untrust host-inbound-traffic system-services all set security zones security-zone untrust host-inbound-traffic protocols all set security zones security-zone untrust interfaces ge-0/0/0.0 set security zones security-zone dmz host-inbound-traffic system-services all set security zones security-zone dmz host-inbound-traffic protocols all set security zones security-zone dmz interfaces ge-0/0/2.0 set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24 set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24 set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24 set protocols lldp interface all set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253 root> |
지금까지 [2025][Juniper SRX #25] Source Nat - SNAT 글을 읽어주셔서 감사합니다.
안녕하세요.
오늘은 PNETLab에서 CheckPoint Firewall를 설치해보겠습니다.
PNETLab VMware를 실행 합니다.
설치 방법은 아래 글을 참고 부탁드립니다.
https://itblog-kr.tistory.com/122
[PNETLab][#1]- Installation on VMware workstation
안녕하세요. EVE-NG Community 무료 버전을 사용하고 있는데, SDWAN 테스트 할때 Jitter, Delay등등을 테스트 하기 위해서는 EVE-NG PRO로 업그레이드 해야 합니다. 그래서 이번에 PNETLab를 설치 하고 안
itblog-kr.tistory.com
1. Putty를 통해서 PNETLab에 접속 합니다.
IP주소는 위에 참고해서 접속 합니다.
2. ishare2 search cpsg검색합니다.
ishare로는 검색이 되지 않습니다.
ishare2를 설치 해야 합니다.
아래 글을 참고 부탁드립니다.
https://itblog-kr.tistory.com/123
[PNETLab][#2]- ishare command
안녕하세요. 오늘은 PNETLab에 ishare command에 대해서 알아보겠습니다.EVE-NG는 시뮬레이션 이미지를 직접 다운로드 받아서 EVE-NG에 업로드 해야합니다.하지만 PNETLab는 자체적으로 시뮬레이션 이미
itblog-kr.tistory.com
| root@pnetlab:~# ishare2 search cpsg ============================= Available QEMU images ============================= ID NAME SIZE -- ---- ---- 201 cpsg-R77-20 (checkpoint) 4.0 GiB 202 cpsg-R80-20M1_T14 3.9 GiB 203 cpsg-R80-40 7.4 GiB 204 cpsg-R81 5.5 GiB 205 cpsg-R81.10 8.1 GiB 206 cpsg-R81.10 5.7 GiB 207 cpsg-R81.20-Licensed 4.9 GiB 208 cpsg2-R81.20-Licensed 4.7 GiB 8 QEMU images found for the term: "cpsg" ============================ Available IOL images ============================ ID NAME SIZE -- ---- ---- No IOL images found for the term: "cpsg" ================================= Available DYNAMIPS images ================================= ID NAME SIZE -- ---- ---- No DYNAMIPS images found for the term: "cpsg" root@pnetlab:~# |
3. CheckPoint Firewall 설치
root@pnetlab:~# ishare2 pull qemu 202 [!] IMAGE INFO - Image Name : cpsg-R80-20M1_T14 - Image Size : 3.9 GiB - Image Type : QEMU - Image ID : 202 - Image path : /opt/unetlab/addons/qemu/cpsg-R80-20M1_T14 - Using host : https://drive.labhub.eu.org [!] DOWNLOADING IMAGE /opt/unetlab/addons 100%[===================>] 3.92G 6.78MB/s in 14m 17s [+] DOWNLOAD COMPLETED! [-] Fixing permissions... [+] Fix permissions command has been executed correctly root@pnetlab:~# |
3. https://192.168.40.250 접속 하고 아래 버튼을 클릭 합니다.
4. 아래 정보를 입력하고 Add버튼을 클릭 합니다. CheckPoint Test 그리고 Savve 버튼을 클릭 합니다.
5. 오른쪽 마우스를 클릭 후 Node를 클릭 합니다.
6. CheckPoint Security Gateay VE 선택합니다.
7. Save버튼을 클릭 합니다.
8. Network를 클릭 합니다.
9. save버튼을 클릭 합니다.
10. 아래처럼 연결하고 start버튼을 클릭 합니다.
11. 아이콘을 더블클릭 하면 아래처럼 putty 또는 CRT가 실행 됩니다.
| [PNETLab][#10]- PNETLab Upgrade (0) | 2025.02.18 |
|---|---|
| [PNETLab][#9]- Cisco Catalyst 8000v install (0) | 2025.02.15 |
| [PNETLab][#7]-Aruba Mobility Controller Install (0) | 2025.02.13 |
| [PNETLab][#6]-Aruba CX Switch Install (0) | 2025.02.13 |
| [PNETLab][#5]-Aruba ClearPass Install (0) | 2025.02.10 |
안녕하세요.
오늘은 PNETLab에서 Aruba Mobility Controller 설치해보겠습니다.
PNETLab VMware를 실행 합니다.
설치 방법은 아래 글을 참고 부탁드립니다.
https://itblog-kr.tistory.com/122
[PNETLab][#1]- Installation on VMware workstation
안녕하세요. EVE-NG Community 무료 버전을 사용하고 있는데, SDWAN 테스트 할때 Jitter, Delay등등을 테스트 하기 위해서는 EVE-NG PRO로 업그레이드 해야 합니다. 그래서 이번에 PNETLab를 설치 하고 안
itblog-kr.tistory.com
1. Putty를 통해서 PNETLab에 접속 합니다.
IP주소는 위에 참고해서 접속 합니다.
2. ishare2 search VMC검색합니다.
ishare로는 검색이 되지 않습니다.
ishare2를 설치 해야 합니다.
아래 글을 참고 부탁드립니다.
https://itblog-kr.tistory.com/123
[PNETLab][#2]- ishare command
안녕하세요. 오늘은 PNETLab에 ishare command에 대해서 알아보겠습니다.EVE-NG는 시뮬레이션 이미지를 직접 다운로드 받아서 EVE-NG에 업로드 해야합니다.하지만 PNETLab는 자체적으로 시뮬레이션 이미
itblog-kr.tistory.com
| root@pnetlab:~# ishare2 search VMC ============================= Available QEMU images ============================= ID NAME SIZE -- ---- ---- 59 aruba-VMC-8.5.0.13_80140 238.9 MiB 60 aruba-VMC-8.6.0.4-74969 246.3 MiB 61 aruba-VMC-8.8.0.1_80393 257.1 MiB 62 aruba-VMC-8.8.0.1_80393 206.5 MiB 63 aruba-VMC_8.3.0.3 726.0 MiB 64 aruba-VMC_8.4.0.3 238.7 MiB 6 QEMU images found for the term: "VMC" ============================ Available IOL images ============================ ID NAME SIZE -- ---- ---- No IOL images found for the term: "VMC" ================================= Available DYNAMIPS images ================================= ID NAME SIZE -- ---- ---- No DYNAMIPS images found for the term: "VMC" root@pnetlab:~# |
3. Aruba VMC 설치
| root@pnetlab:~# ishare2 pull qemu 61 [!] IMAGE INFO - Image Name : aruba-VMC-8.8.0.1_80393 - Image Size : 257.1 MiB - Image Type : QEMU - Image ID : 61 - Image path : /opt/unetlab/addons/qemu/aruba-VMC-8.8.0.1_80393 - Using host : https://drive.labhub.eu.org [!] DOWNLOADING IMAGE /opt/unetlab/addons/qemu/ 100%[====================================>] 237.56M 8.24MB/s in 28s /opt/unetlab/addons/qemu/ 100%[====================================>] 19.50M 6.03MB/s in 3.5s [+] DOWNLOAD COMPLETED! [-] Fixing permissions... [+] Fix permissions command has been executed correctly root@pnetlab:~# |
3. https://192.168.40.250 접속 하고 아래 버튼을 클릭 합니다.
4. 아래 정보를 입력하고 Add버튼을 클릭 합니다.
5. 오른쪽 마우스를 클릭 후 Node를 클릭 합니다.
6. Aruba WIFI Controller 선택합니다.
7. Save버튼을 클릭 합니다.
8. Network를 클릭 합니다.
9. save버튼을 클릭 합니다.
10. 아래처럼 연결하고 start버튼을 클릭 합니다.
부팅이 완료 될때까지 기다립니다.
그리고 기본적은 설정을 합니다.
Yes를 입력하면 재부팅이 됩니다.
부팅이 완료 될때까지 기다립니다.
https://192.168.10.88
로그인 정보를 입력 합니다.
지금까지 [PNETLab][#7]-Aruba Mobility Controller Install 글을 읽어주셔서 감사합니다.
| [PNETLab][#9]- Cisco Catalyst 8000v install (0) | 2025.02.15 |
|---|---|
| [PNETLab][#8]-CheckPoint Firewall Install (0) | 2025.02.13 |
| [PNETLab][#6]-Aruba CX Switch Install (0) | 2025.02.13 |
| [PNETLab][#5]-Aruba ClearPass Install (0) | 2025.02.10 |
| [PNETLab][#4]- Arista vEOS Switch Install (0) | 2025.02.03 |
안녕하세요.
오늘은 PNETLab에서 Aruba CX Switch를 설치해보겠습니다.
PNETLab VMware를 실행 합니다.
설치 방법은 아래 글을 참고 부탁드립니다.
https://itblog-kr.tistory.com/122
[PNETLab][#1]- Installation on VMware workstation
안녕하세요. EVE-NG Community 무료 버전을 사용하고 있는데, SDWAN 테스트 할때 Jitter, Delay등등을 테스트 하기 위해서는 EVE-NG PRO로 업그레이드 해야 합니다. 그래서 이번에 PNETLab를 설치 하고 안
itblog-kr.tistory.com
1. Putty를 통해서 PNETLab에 접속 합니다.
IP주소는 위에 참고해서 접속 합니다.
2. ishare2 search arubacx 검색합니다.
ishare로는 검색이 되지 않습니다.
ishare2를 설치 해야 합니다.
아래 글을 참고 부탁드립니다.
https://itblog-kr.tistory.com/123
[PNETLab][#2]- ishare command
안녕하세요. 오늘은 PNETLab에 ishare command에 대해서 알아보겠습니다.EVE-NG는 시뮬레이션 이미지를 직접 다운로드 받아서 EVE-NG에 업로드 해야합니다.하지만 PNETLab는 자체적으로 시뮬레이션 이미
itblog-kr.tistory.com
| root@pnetlab:~# ishare2 search arubacx ┌────────────────────────────────────────────────────────────────┐ │ MOTD from the ishare2 team: │ │ Changelog: │ │ - Fixed bug when doing integrity checks againts qemu images. │ │ │ │ Telegram: https://t.me/NetLabHub │ │ Donate: https://buymeacoffee.com/sudoalex │ │ GitHub: https://github.com/ishare2-org/ishare2-cli │ └────────────────────────────────────────────────────────────────┘ ============================= Available QEMU images ============================= ID NAME SIZE -- ---- ---- 65 arubacx-10.03 882.9 MiB 66 arubacx-10.04 1013.9 MiB 67 arubacx-10.04 329.7 MiB 68 arubacx-10.05 350.6 MiB 69 arubacx-10.07 1.4 GiB 70 arubacx-10.07 483.7 MiB 6 QEMU images found for the term: "arubacx" ============================ Available IOL images ============================ ID NAME SIZE -- ---- ---- No IOL images found for the term: "arubacx" ================================= Available DYNAMIPS images ================================= ID NAME SIZE -- ---- ---- No DYNAMIPS images found for the term: "arubacx" |
3. Aruba CX Switch 설치
| root@pnetlab:~# ishare2 pull qemu 69 [!] IMAGE INFO - Image Name : arubacx-10.07 - Image Size : 1.4 GiB - Image Type : QEMU - Image ID : 69 - Image path : /opt/unetlab/addons/qemu/arubacx-10.07 - Using host : https://drive.labhub.eu.org /opt/unetlab/addons/qemu/arubacx-10.07/virt 100%[========================================================================================>] 1.40G 1.15MB/s in 20m 55s [+] DOWNLOAD COMPLETED! [-] Fixing permissions... [+] Fix permissions command has been executed correctly root@pnetlab:~# |
3. https://192.168.40.250 접속 하고 아래 버튼을 클릭 합니다.
4. 아래 정보를 입력하고 Add버튼을 클릭 합니다.
5. 오른쪽 마우스를 클릭 후 Node를 클릭 합니다.
6. Aruba OS-CX Virtual Switch 선택합니다.
7. Save버튼을 클릭 합니다.
8. 장비를 부팅 합니다.
10. 디폴트 로그인 정보입니다.
user: admin
password: no password
| switch login: admin Password: Please configure the 'admin' user account password. Enter new password: ************* Confirm new password: ************* switch# switch# show aaa Authentication, Authorization and Accounting access-list Access control list (ACL) accounting Show local accounting information active-gateway Show active gateway settings alias Short names configured for a set of commands arp Show IPv4 addresses from neighbor table aruba-central Configure Aruba-Central banner Show one of the configured system banners bfd Show BFD information bgp BGP specific commands bluetooth Display information about Bluetooth wireless management boot-history Display boot history details capacities Show system capacities and their values capacities-status Show system capacities status and their values cdp Show various CDP settings checkpoint Checkpoint information class Show Class configuration clock Show system date, time, and timezone settings configuration-lockout Show REST Lockout configuration copp-policy Control Plane Policing (CoPP) policy core-dump Display core-dump list for current boot crypto Display crypto related features and settings debug Display currently active debug log destinations and types dhcp Dynamic Host Configuration Protocol dhcp-relay Show DHCP relay configuration dhcp-server Show DHCP server configuration dhcpv4-snooping Show DHCPv4-Snooping configuration dhcpv6-relay Show DHCPv6 relay configuration dhcpv6-server Show DHCP V6 server configuration dhcpv6-snooping Show DHCPv6-Snooping configuration domain-name Display domain name environment Display system environment status information events Display all event logs evpn EVPN sub-address family external-storage Show info for one external storage volume or all if none specified history Show previously entered commands hostname Display hostname https-server HTTPS Server Configuration interface Interface information ip IP information ip-sla IP SLA ipv4 IPv4 information ipv6 IPv6 information keychain Keychain information lacp Show various LACP settings lag Show LAG interface information lldp Show various LLDP settings logging Display all event logs logrotate Show logrotate config parameters loop-protect Show loop protection status for all ports with loop protection enabled mac-address-table Show Layer 2 MAC address table information macsec Show MACsec information mirror Show Mirroring configuration mka Show MKA information mvrp Show MVRP settings and status nae-agent NAE Agent details nae-script NAE Script details nd-snooping Show ND Snooping configuration ntp Show NTP information object-group Object Group password-complexity Show password complexity enforcement pbr Show Policy Based Routing (PBR) information pbr-action-list Show Policy Based Routing (PBR) action list configuration information policy Classifier policy port-access Show Port Access information power-over-ethernet Show Power over Ethernet (PoE) information qos Show QoS Configuration radius RADIUS Client configuration radius-server Show RADIUS server configuration resources Show line module resource information rmon Show RMON alarm configurations route-map Display all Route-map router Routing Information running-config Current running configuration service Show service information session-timeout Idle session timeout in minutes sflow sFlow configuration snmp SNMP configuration snmpv3 SNMP version 3 configurations spanning-tree Show spanning tree information ssh Show SSH configuration startup-config Contents of startup configuration system System information tacacs-server Show TACACS server configuration tech Display output of a predefined command sequence used by technical support terminal-monitor Displays Terminal-monitor status tls Display the state of TLS settings track Track information ubt User Based Tunnel configuration udld Show UDLD information upgrade Show upgrade information uptime Show the elapsed time since the device was booted usb USB storage device settings user Show user information user-group Local user group to be displayed user-list Displays the list of local users version Displays switch version vlan Show VLAN configuration vrf VRF Configuration vrrp VRRP information vsx Show various VSX settings ztp Zero Touch Provisioning switch# show % Command incomplete. switch# |
지금까지 [PNETLab][#6]-Aruba CX Switch Install 글을 읽어주셔서 감사합니다.
| [PNETLab][#8]-CheckPoint Firewall Install (0) | 2025.02.13 |
|---|---|
| [PNETLab][#7]-Aruba Mobility Controller Install (0) | 2025.02.13 |
| [PNETLab][#5]-Aruba ClearPass Install (0) | 2025.02.10 |
| [PNETLab][#4]- Arista vEOS Switch Install (0) | 2025.02.03 |
| [PNETLab][#2]- ishare command (0) | 2024.12.27 |
안녕하세요.
오늘은 C8200라우터는 smart licensing using policy 모드를 사용 합니다.
IOS XE버전별로 License 동작하는 방식이 다릅니다.
| IOS XE Release | Platform Requirements | CUBE Licensing |
| 16.6.1 to 16.9.x |
|
|
| 16.10.x |
|
|
| 16.11.1a to 17.1.x |
|
|
| 17.2.1r to 17.3.1a |
|
|
| 17.3.2 onwards |
|
|
Step Summary
conf t
license boot level network-essentials
interface GigabitEthernet 0/0/0
ip add [IP address] [subnet] or ip add dhcp
no shutdown
exit
ip name-server 8.8.8.8
ip domain lookup source-interface GigabitEthernet 0/0/0
ip http client source-interface GigabitEthernet 0/0/0
license smart transport smart
license smart url default
ip route 0.0.0.0 0.0.0.0 [nexthop] if dhcp no need ip route command
end
show run
show ip int brie
show ip route
확인 후 저장 그리고 재부팅
write memory
reload
1. show version를 통해서 IOS XE버전을 확인 합니다.
2. 기본 설정을 합니다.
| conf t license boot level network-essentials interface GigabitEthernet 0/0/0 ip add dhcp no shutdown exit ip name-server 8.8.8.8 ip domain lookup source-interface GigabitEthernet 0/0/0 ip http client source-interface GigabitEthernet 0/0/0 license smart transport smart license smart url default |
3. 인터페이스 상태 확인 라우팅 상태 확인
그리고 외부 통신 확인
| Router#show ip int brie Interface IP-Address OK? Method Status Protocol GigabitEthernet0/0/0 172.20.10.3 YES DHCP up up GigabitEthernet0/0/1 unassigned YES unset administratively down down GigabitEthernet0/0/2 unassigned YES unset administratively down down GigabitEthernet0/0/3 unassigned YES unset administratively down down Router#show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route H - NHRP, G - NHRP registered, g - NHRP registration summary o - ODR, P - periodic downloaded static route, l - LISP a - application route + - replicated route, % - next hop override, p - overrides from PfR & - replicated local route overrides by connected Gateway of last resort is 172.20.10.1 to network 0.0.0.0 S* 0.0.0.0/0 [254/0] via 172.20.10.1 172.20.0.0/16 is variably subnetted, 2 subnets, 2 masks C 172.20.10.0/28 is directly connected, GigabitEthernet0/0/0 L 172.20.10.3/32 is directly connected, GigabitEthernet0/0/0 Router#ping 8.8.8.8 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds: !!!!! |
4. 저장후 재부팅
| wr reload |
5. Cisco CSSM에서 Idtoken를 생성 합니다.
cisco CSSM에서 Idtoken를 복사합니다.
ODVkNDkyYmUtNzc4MS00OWZiLWEzMzMtZTY2YmZhYTQxNjA5LTE3NDEzMzc2%0AMDYzNzN8L0pjaVh0K09pT3J1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
| license smart trust idtoken ODVkNDkyYmUtNzc4MS00OWZiLWEzMzMtZTY2YmZhYTQxNjA5LTE3NDEzMzc2%0AMDYzNzN8L0pjaVh0K09pT3J1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX all force Router# *Feb 13 01:38:52.352: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named SLA-KeyPair has been generated or imported by crypto-engine *Feb 13 01:38:52.414: %PKI-6-CONFIGAUTOSAVE: Running configuration saved to NVRAM[OK] *Feb 13 01:38:55.470: %SYS-6-PRIVCFG_ENCRYPT_SUCCESS: Successfully encrypted private config file *Feb 13 01:38:55.493: %CRYPTO_SL_TP_LEVELS-6-VAR_NEW_VALUE: Setting crypto bidir throughput to: 10000 kbps *Feb 13 01:38:58.298: %SMART_LIC-6-TRUST_INSTALL_SUCCESS: A new licensing trust code was successfully installed on P:C8200L-1N-4T,XXXXXXXXXXX Router# |
정상적으로 등록 되면 위에처럼 표시 됩니다.
6. License를 확인 합니다.
아래처럼 SA/VA에 고객사 정보가 확인 되면 정상적으로 등록 된것입니다.
| Router#show license summary Account Information: Smart Account: 고객사 정보 확인 가능 Virtual Account: XXXXX License Usage: License Entitlement Tag Count Status ----------------------------------------------------------------------------- network-essentials_10M (ESR_P_10M_E) 1 IN USE Router US Export Lic... (DNA_HSEC) 0 NOT IN USE |
또는 아래 명령어도 주로 사용 됩니다.
| Router#show license status Utility: Status: DISABLED Smart Licensing Using Policy: Status: ENABLED Account Information: Smart Account: 고객사 정보 Virtual Account: XXXXX Data Privacy: Sending Hostname: yes Callhome hostname privacy: DISABLED Smart Licensing hostname privacy: DISABLED Version privacy: DISABLED Transport: Type: Smart URL: https://smartreceiver.cisco.com/licservice/license Proxy: Not Configured VRF: <empty> Policy: Policy in use: Merged from multiple sources. Reporting ACK required: yes (CISCO default) Unenforced/Non-Export Perpetual Attributes: First report requirement (days): 365 (CISCO default) Reporting frequency (days): 0 (CISCO default) Report on change (days): 90 (CISCO default) Unenforced/Non-Export Subscription Attributes: First report requirement (days): 90 (CISCO default) Reporting frequency (days): 90 (CISCO default) Report on change (days): 90 (CISCO default) Enforced (Perpetual/Subscription) License Attributes: First report requirement (days): 0 (CISCO default) Reporting frequency (days): 0 (CISCO default) Report on change (days): 0 (CISCO default) Export (Perpetual/Subscription) License Attributes: First report requirement (days): 0 (CISCO default) Reporting frequency (days): 0 (CISCO default) Report on change (days): 0 (CISCO default) Miscellaneous: Custom Id: <empty> Usage Reporting: Last ACK received: <none> Next ACK deadline: Feb 13 01:31:19 2026 UTC Reporting push interval: 0 (no reporting) Next ACK push check: Feb 13 02:09:10 2025 UTC Next report push: <none> Last report push: Feb 13 01:39:08 2025 UTC Last report file write: <none> Trust Code Installed: Feb 13 01:38:58 2025 UTC Router# |
지금까지 [2025][C8200][#2] Register License to CSSM - smart licensing using policy 글을 읽어주셔서 감사합니다.
| [2025][C8200][#3] Reset Smart license (0) | 2025.03.04 |
|---|---|
| [2025][C8200][#1] Router IOS XE upgrade (0) | 2025.02.10 |
| [ISR4221]-Performance License Install(PAK) (0) | 2024.07.30 |
| [ISR4221]-Cisco Router IOS Upgrade (2) | 2024.07.29 |
안녕하세요.
오늘은 PNETLab에서 Aruba ClearPass를 설치해보겠습니다.
PNETLab VMware를 실행 합니다.
설치 방법은 아래 글을 참고 부탁드립니다.
https://itblog-kr.tistory.com/122
[PNETLab][#1]- Installation on VMware workstation
안녕하세요. EVE-NG Community 무료 버전을 사용하고 있는데, SDWAN 테스트 할때 Jitter, Delay등등을 테스트 하기 위해서는 EVE-NG PRO로 업그레이드 해야 합니다. 그래서 이번에 PNETLab를 설치 하고 안
itblog-kr.tistory.com
1. Putty를 통해서 PNETLab에 접속 합니다.
IP주소는 위에 참고해서 접속 합니다.
2. ishare2 search clearpass 검색합니다.
ishare로는 검색이 되지 않습니다.
ishare2를 설치 해야 합니다.
아래 글을 참고 부탁드립니다.
https://itblog-kr.tistory.com/123
[PNETLab][#2]- ishare command
안녕하세요. 오늘은 PNETLab에 ishare command에 대해서 알아보겠습니다.EVE-NG는 시뮬레이션 이미지를 직접 다운로드 받아서 EVE-NG에 업로드 해야합니다.하지만 PNETLab는 자체적으로 시뮬레이션 이미
itblog-kr.tistory.com
| root@pnetlab:~# ishare2 search clearpass ============================= Available QEMU images ============================= ID NAME SIZE -- ---- ---- 192 clearpass-6.4.0.66263 10.8 GiB 193 clearpass-6.4.0.66263 10.8 GiB 194 clearpass-6.8.0 2.9 GiB 3 QEMU images found for the term: "clearpass" ============================ Available IOL images ============================ ID NAME SIZE -- ---- ---- No IOL images found for the term: "clearpass" ================================= Available DYNAMIPS images ================================= ID NAME SIZE -- ---- ---- No DYNAMIPS images found for the term: "clearpass" root@pnetlab:~# |
3. Aruba Classpass 설치
| root@pnetlab:~# ishare2 pull qemu 194 [!] IMAGE INFO - Image Name : clearpass-6.8.0 - Image Size : 2.9 GiB - Image Type : QEMU - Image ID : 194 - Image path : /opt/unetlab/addons/qemu/clearpass-6.8.0 - Using host : https://drive.labhub.eu.org [!] DOWNLOADING IMAGE /opt/unetlab/addons 100%[===================>] 2.86G 497KB/s in 87m 5s [+] DOWNLOAD COMPLETED! [-] Extracting: clearpass-6.8.0.tgz file... [+] Extracted: /opt/unetlab/addons/qemu/clearpass-6.8.0. Image ready to use. [-] Fixing permissions... [+] Fix permissions command has been executed correctly root@pnetlab:~# |
3. https://192.168.40.250 접속 하고 아래 버튼을 클릭 합니다.
4. 아래 정보를 입력하고 Add버튼을 클릭 합니다.
5. 오른쪽 마우스를 클릭 후 Node를 클릭 합니다.
6. Aruba ClearPass 선택합니다.
7. Save버튼을 클릭 합니다.
8. Network를 클릭 합니다.
9. save버튼을 클릭 합니다.
10. 아래처럼 연결하고 start버튼을 클릭 합니다.
11. Lab용이기 때문에, 1번을 선택하고 엔터를 누릅니다.
Y를 선택 합니다.
Y를 선택 합니다.
Y선택 합니다.
부팅이 완료 될때까지 기다립니다.
엔터를 클릭 합니다.
12. 디폴트 Username 그리고 Password
user: appadmin
password: eTIPS123
13. 아래처럼 기본 설정을 합니다.
IP주소를 잘못 설정 하였습니다.
로그인해서 아래처럼 수정 하고 Y를 클릭 합니다.
그리고 PC에서 PIng를 시도 합니다.
| Ping 192.168.40.91 32바이트 데이터 사용: 192.168.40.91의 응답: 바이트=32 시간=1ms TTL=64 192.168.40.91의 응답: 바이트=32 시간<1ms TTL=64 192.168.40.91의 응답: 바이트=32 시간=1ms TTL=64 192.168.40.91의 응답: 바이트=32 시간<1ms TTL=64 192.168.40.91의 응답: 바이트=32 시간<1ms TTL=64 192.168.40.91의 응답: 바이트=32 시간=1ms TTL=64 192.168.40.91의 응답: 바이트=32 시간<1ms TTL=64 192.168.40.91의 응답: 바이트=32 시간=1ms TTL=64 192.168.40.91의 응답: 바이트=32 시간=4ms TTL=64 192.168.40.91의 응답: 바이트=32 시간<1ms TTL=64 192.168.40.91의 응답: 바이트=32 시간=54ms TTL=64 192.168.40.91의 응답: 바이트=32 시간=120ms TTL=64 192.168.40.91의 응답: 바이트=32 시간=201ms TTL=64 192.168.40.91의 응답: 바이트=32 시간=283ms TTL=64 192.168.40.91의 응답: 바이트=32 시간=359ms TTL=64 192.168.40.91의 응답: 바이트=32 시간=395ms TTL=64 |
https://192.168.40.91로 접속 하면 잘 접속 됩니다.
ClearPass Policy Manager를 클릭 하면 라이센스 입력 페이지가 나옵니다.
Aruba Clear Pass는 NAC역활을 합니다. Cisco 제품군으로 비교하면 Cisco ISE랑 똑같습니다.
Cisco ISE는 6개월 정도 라이센스없이 Trial Version으로 사용 가능하나
Aruba Clear Pass는 라이센스 없으면 사용이 불가능 합니다. 홈페이지에서 trial license 신청 가능합니다.
지금까지 [PNETLab][#5]-Aruba ClearPass Install 글을 읽어주셔서 감사합니다.
| [PNETLab][#7]-Aruba Mobility Controller Install (0) | 2025.02.13 |
|---|---|
| [PNETLab][#6]-Aruba CX Switch Install (0) | 2025.02.13 |
| [PNETLab][#4]- Arista vEOS Switch Install (0) | 2025.02.03 |
| [PNETLab][#2]- ishare command (0) | 2024.12.27 |
| [PNETLab][#1]- Installation on VMware workstation (0) | 2024.12.27 |
안녕하세요.
오늘은 C8200L Router IOS XE를 업그레이드를 해보겠습니다.
1. 현재 장비에서 show version를 통해서 version를 확인 합니다.
| Router#show version Cisco IOS XE Software, Version 17.06.06a Cisco IOS Software [Bengaluru], c8000be Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 17.6.6a, RELEASE SOFTWARE (fc3) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2023 by Cisco Systems, Inc. Compiled Fri 20-Oct-23 18:26 by mcpre |
2. cisco 홈페이지에서 현재 시점에서 8200 router ios xe 추천 버전을 확인 합니다.
3. 파일을 다운로드 받고 파일을 USB에 복사합니다.
4. MD5 Checksum를 확인 합니다. 추후에 파일을 라우터에 복사하고 MD5 Checksum를 이용해서 파일이 잘 복사 되었는지 확인합니다. 만약에 파일이 깨진 상태에서 Upgrdae 업그레이드 하면 Upgrade가 Failed하고 Rommon mode로 빠질수 있습니다. 꼭 업그레이드 또는 다운그레이드 전에 파일 복사 후 MD5 체크섬을 확인 합니다.
C8200 라우터 Firmware Install 방식은 2가지가 있습니다.
1. ios xe file를 파일로 복사하고 boot config를 통해서 부팅 시키는 방법
2. install mode로 펌웨어를 설치하는 방법
현재 라우터 install mode인지 레거시 모드인지 확인하는 방법
아래처럼 표시 되면 install mode입니다.
| Router#show install summary [ R0 ] Installed Package(s) Information: State (St): I - Inactive, U - Activated & Uncommitted, C - Activated & Committed, D - Deactivated & Uncommitted -------------------------------------------------------------------------------- Type St Filename/Version -------------------------------------------------------------------------------- IMG C 17.06.06a.0.6 -------------------------------------------------------------------------------- Auto abort timer: inactive -------------------------------------------------------------------------------- Router# |
또는 Bin 파일이 없고, Package 파일만 보이면 install mode입니다.
| Router#dir flash: Directory of bootflash:/ 429089 drwx 57344 Feb 10 2025 05:32:00 +00:00 tracelogs 267169 drwx 4096 Feb 10 2025 05:19:36 +00:00 pnp-tech 11 -rw- 248 Feb 10 2025 05:19:29 +00:00 .iox_dir_list 412897 drwx 4096 Feb 10 2025 05:19:23 +00:00 license_evlog 24295 -rw- 30 Feb 10 2025 05:18:46 +00:00 throughput_monitor_params 24292 -rw- 134899 Feb 10 2025 05:18:40 +00:00 memleak.tcl 24290 -rw- 1092 Feb 10 2025 05:18:09 +00:00 mode_event_log 89057 drwx 4096 Feb 10 2025 05:17:48 +00:00 .installer 12 drwx 4096 Feb 10 2025 04:29:43 +00:00 lost+found 226689 drwx 4096 Aug 26 2024 16:49:41 +00:00 .prst_sync 275265 drwx 4096 Aug 26 2024 16:42:04 +00:00 .dbpersist 437185 drwx 4096 Aug 26 2024 16:33:30 +00:00 sysboot 420993 drwx 4096 Aug 26 2024 16:31:49 +00:00 .rollback_timer 291458 -rw- 9338 Aug 26 2024 16:28:08 +00:00 packages.conf 291478 -rw- 43301928 Aug 26 2024 16:28:08 +00:00 c8000be-rpboot.17.06.06a.SPA.pkg 291477 -rw- 623141956 Aug 26 2024 16:27:18 +00:00 c8000be-mono-universalk9.17.06.06a.SPA.pkg 291476 -rw- 156728 Aug 26 2024 16:27:07 +00:00 c8000be-firmware_sm_nim_adpt.17.06.06a.SPA.pkg 291475 -rw- 2094136 Aug 26 2024 16:27:07 +00:00 c8000be-firmware_sm_dsp_sp2700.17.06.06a.SPA.pkg 291474 -rw- 14259252 Aug 26 2024 16:27:07 +00:00 c8000be-firmware_sm_async.17.06.06a.SPA.pkg 291473 -rw- 11093044 Aug 26 2024 16:27:07 +00:00 c8000be-firmware_sm_1t3e3.17.06.06a.SPA.pkg 291472 -rw- 2475056 Aug 26 2024 16:27:07 +00:00 c8000be-firmware_sm_10g.17.06.06a.SPA.pkg 291471 -rw- 10253360 Aug 26 2024 16:27:07 +00:00 c8000be-firmware_prince.17.06.06a.SPA.pkg 291470 -rw- 5571636 Aug 26 2024 16:27:07 +00:00 c8000be-firmware_nim_xdsl.17.06.06a.SPA.pkg 291469 -rw- 5334068 Aug 26 2024 16:27:06 +00:00 c8000be-firmware_nim_ssd.17.06.06a.SPA.pkg 291468 -rw- 11523124 Aug 26 2024 16:27:06 +00:00 c8000be-firmware_nim_shdsl.17.06.06a.SPA.pkg 291467 -rw- 2966576 Aug 26 2024 16:27:06 +00:00 c8000be-firmware_nim_ge.17.06.06a.SPA.pkg 291466 -rw- 17646644 Aug 26 2024 16:27:06 +00:00 c8000be-firmware_nim_cwan.17.06.06a.SPA.pkg 291465 -rw- 4793400 Aug 26 2024 16:27:06 +00:00 c8000be-firmware_nim_bri_st_fw.17.06.06a.SPA.pkg 291464 -rw- 12870708 Aug 26 2024 16:27:06 +00:00 c8000be-firmware_nim_async.17.06.06a.SPA.pkg 291463 -rw- 11310132 Aug 26 2024 16:27:05 +00:00 c8000be-firmware_ngwic_t1e1.17.06.06a.SPA.pkg 291462 -rw- 18342964 Aug 26 2024 16:27:05 +00:00 c8000be-firmware_dsp_tilegx.17.06.06a.SPA.pkg 291461 -rw- 1963060 Aug 26 2024 16:27:05 +00:00 c8000be-firmware_dsp_sp2700.17.06.06a.SPA.pkg 291460 -rw- 6681656 Aug 26 2024 16:27:05 +00:00 c8000be-firmware_dsp_analogbri.17.06.06a.SPA.pkg 291459 -rw- 54324 Aug 26 2024 16:27:05 +00:00 c8000be-firmware_dreamliner.17.06.06a.SPA.pkg 186209 drwx 4096 Aug 26 2024 16:20:23 +00:00 iox_host_data_share 364321 drwx 4096 Aug 26 2024 16:20:17 +00:00 core 210497 drwx 4096 Aug 26 2024 16:20:02 +00:00 guest-share 170017 drwx 4096 Aug 26 2024 16:19:55 +00:00 onep 129537 drwx 4096 Aug 26 2024 16:19:54 +00:00 pnp-info 121441 drwx 4096 Aug 26 2024 16:19:23 +00:00 virtual-instance 24294 -rw- 1923 Aug 26 2024 16:19:18 +00:00 trustidrootx3_ca_092024.ca 24293 -rw- 20109 Aug 26 2024 16:19:18 +00:00 ios_core.p7b 340033 drwx 4096 Aug 26 2024 16:19:03 +00:00 ss_disc 24291 -rw- 5242880 Aug 26 2024 16:19:03 +00:00 ssd 307649 drwx 4096 Aug 26 2024 16:18:49 +00:00 .ssh 7361155072 bytes total (6161752064 bytes free) Router# |
그럼 Firmware Upgrade를 합니다.
1. USB를 C8200 Router에 연결 합니다.
아래처럼 로그가 발생하면 정상적으로 usb가 인식 되었습니다.
| Router# *Feb 10 05:34:02.622: %IOSD_INFRA-6-IFS_DEVICE_OIR: Device usb0 added |
| Router#dir usb0:/TC_8200 Directory of usb0:/TC_8200/ 819 -rwx 859360566 Feb 10 2025 12:36:56 +00:00 c8000be-universalk9.17.09.05e.SPA.bin |
2. 파일 복사하기
| Router#copy usb0:/TC_8200/c8000be-universalk9.17.09.05e.SPA.bin flash: Destination filename [c8000be-universalk9.17.09.05e.SPA.bin]? Copy in progress...CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC 859360566 bytes copied in 40.479 secs (21229787 bytes/sec) Router# |
파일 확인하기
아래 c8000be-universalk9.17.09.05e.SPA.bin 복사 되었습니다.
| Router#dir flash: Directory of bootflash:/ 429089 drwx 57344 Feb 10 2025 06:07:00 +00:00 tracelogs 13 -rw- 859360566 Feb 10 2025 06:06:59 +00:00 c8000be-universalk9.17.09.05e.SPA.bin 267169 drwx 4096 Feb 10 2025 05:19:36 +00:00 pnp-tech 11 -rw- 248 Feb 10 2025 05:19:29 +00:00 .iox_dir_list 412897 drwx 4096 Feb 10 2025 05:19:23 +00:00 license_evlog 24295 -rw- 30 Feb 10 2025 05:18:46 +00:00 throughput_monitor_params 24292 -rw- 134899 Feb 10 2025 05:18:40 +00:00 memleak.tcl 24290 -rw- 1092 Feb 10 2025 05:18:09 +00:00 mode_event_log 89057 drwx 4096 Feb 10 2025 05:17:48 +00:00 .installer 12 drwx 4096 Feb 10 2025 04:29:43 +00:00 lost+found 226689 drwx 4096 Aug 26 2024 16:49:41 +00:00 .prst_sync 275265 drwx 4096 Aug 26 2024 16:42:04 +00:00 .dbpersist 437185 drwx 4096 Aug 26 2024 16:33:30 +00:00 sysboot 420993 drwx 4096 Aug 26 2024 16:31:49 +00:00 .rollback_timer 291458 -rw- 9338 Aug 26 2024 16:28:08 +00:00 packages.conf 291478 -rw- 43301928 Aug 26 2024 16:28:08 +00:00 c8000be-rpboot.17.06.06a.SPA.pkg 291477 -rw- 623141956 Aug 26 2024 16:27:18 +00:00 c8000be-mono-universalk9.17.06.06a.SPA.pkg 291476 -rw- 156728 Aug 26 2024 16:27:07 +00:00 c8000be-firmware_sm_nim_adpt.17.06.06a.SPA.pkg 291475 -rw- 2094136 Aug 26 2024 16:27:07 +00:00 c8000be-firmware_sm_dsp_sp2700.17.06.06a.SPA.pkg 291474 -rw- 14259252 Aug 26 2024 16:27:07 +00:00 c8000be-firmware_sm_async.17.06.06a.SPA.pkg 291473 -rw- 11093044 Aug 26 2024 16:27:07 +00:00 c8000be-firmware_sm_1t3e3.17.06.06a.SPA.pkg 291472 -rw- 2475056 Aug 26 2024 16:27:07 +00:00 c8000be-firmware_sm_10g.17.06.06a.SPA.pkg 291471 -rw- 10253360 Aug 26 2024 16:27:07 +00:00 c8000be-firmware_prince.17.06.06a.SPA.pkg 291470 -rw- 5571636 Aug 26 2024 16:27:07 +00:00 c8000be-firmware_nim_xdsl.17.06.06a.SPA.pkg 291469 -rw- 5334068 Aug 26 2024 16:27:06 +00:00 c8000be-firmware_nim_ssd.17.06.06a.SPA.pkg 291468 -rw- 11523124 Aug 26 2024 16:27:06 +00:00 c8000be-firmware_nim_shdsl.17.06.06a.SPA.pkg 291467 -rw- 2966576 Aug 26 2024 16:27:06 +00:00 c8000be-firmware_nim_ge.17.06.06a.SPA.pkg 291466 -rw- 17646644 Aug 26 2024 16:27:06 +00:00 c8000be-firmware_nim_cwan.17.06.06a.SPA.pkg 291465 -rw- 4793400 Aug 26 2024 16:27:06 +00:00 c8000be-firmware_nim_bri_st_fw.17.06.06a.SPA.pkg 291464 -rw- 12870708 Aug 26 2024 16:27:06 +00:00 c8000be-firmware_nim_async.17.06.06a.SPA.pkg 291463 -rw- 11310132 Aug 26 2024 16:27:05 +00:00 c8000be-firmware_ngwic_t1e1.17.06.06a.SPA.pkg 291462 -rw- 18342964 Aug 26 2024 16:27:05 +00:00 c8000be-firmware_dsp_tilegx.17.06.06a.SPA.pkg 291461 -rw- 1963060 Aug 26 2024 16:27:05 +00:00 c8000be-firmware_dsp_sp2700.17.06.06a.SPA.pkg 291460 -rw- 6681656 Aug 26 2024 16:27:05 +00:00 c8000be-firmware_dsp_analogbri.17.06.06a.SPA.pkg 291459 -rw- 54324 Aug 26 2024 16:27:05 +00:00 c8000be-firmware_dreamliner.17.06.06a.SPA.pkg 186209 drwx 4096 Aug 26 2024 16:20:23 +00:00 iox_host_data_share 364321 drwx 4096 Aug 26 2024 16:20:17 +00:00 core 210497 drwx 4096 Aug 26 2024 16:20:02 +00:00 guest-share 170017 drwx 4096 Aug 26 2024 16:19:55 +00:00 onep 129537 drwx 4096 Aug 26 2024 16:19:54 +00:00 pnp-info 121441 drwx 4096 Aug 26 2024 16:19:23 +00:00 virtual-instance 24294 -rw- 1923 Aug 26 2024 16:19:18 +00:00 trustidrootx3_ca_092024.ca 24293 -rw- 20109 Aug 26 2024 16:19:18 +00:00 ios_core.p7b 340033 drwx 4096 Aug 26 2024 16:19:03 +00:00 ss_disc 24291 -rw- 5242880 Aug 26 2024 16:19:03 +00:00 ssd 307649 drwx 4096 Aug 26 2024 16:18:49 +00:00 .ssh 7361155072 bytes total (5311582208 bytes free) Router# |
3. MD5 Checksum 확인
789f0f212ccd155b8aef19ce93c8476e
| Router#verify /md5 flash:/c8000be-universalk9.17.09.05e.SPA.bin ............................................................................................................................................................................................. .................................................................................................................................................................................................................................................................................................................................................................................................................................................................................Done! verify /md5 (bootflash:/c8000be-universalk9.17.09.05e.SPA.bin) = 789f0f212ccd155b8aef19ce93c8476e Router# |
파일이 잘 복사 되었습니다.
4. 이제 새로운 ios xe를 설치 합니다.
| install add file flash:c8000be-universalk9.17.09.05e.SPA.bin activate commit System configuration has been modified. Press Yes(y) to save the configuration and proceed. Press No(n) for proceeding without saving the configuration. Press Quit(q) to exit, you may save configuration and re-enter the command. [y/n/q] y Building configuration... [OK]Modified configuration has been saved *Feb 10 06:15:04.641: %SYS-6-PRIVCFG_ENCRYPT_SUCCESS: Successfully encrypted private config file *Feb 10 06:15:05.160: %INSTALL-5-INSTALL_START_INFO: R0/0: install_engine: Started install one-shot bootflash:c8000be-universalk9.17.09.05e.SPA.bininstall_add_activate_commit: Adding PACKAGE install_add_activate_commit: Checking whether new add is allowed .... --- Starting Add --- Performing Add on Active/Standby [1] Add package(s) on R0 [1] Finished Add on R0 Checking status of Add on [R0] Add: Passed on [R0] Finished Add Image added. Version: 17.09.05e.0.80 install_add_activate_commit: Activating PACKAGE *Feb 10 06:19:52.040: %EVENTLIB-3-CPUHOG: C0/0: iomd: uipeer downlink listener: 1520ms, Traceback=1#150f3a63e6e344df147a5440723734c6 evlib:7F79718AB000+A1D6 c:7F793381E000+3B3B0 ld-linux-x86-64:7F7983E83000+A974 ld-linux-x86-64:7F7983E83000+B4C5 ld-linux-x86-64:7F7983E83000+10085 ld-linux-x86-64:7F7983E83000+16BCA bipc:7F7972F08000+A381 bipc:7F7972F08000+412F uipeer:7F79739AB000+1EF7C evlib:7F79718AB000+8E16 evlib:7F79718AB000+9B60Following packages shall be activated: /bootflash/c8000be-rpboot.17.09.05e.SPA.pkg /bootflash/c8000be-mono-universalk9.17.09.05e.SPA.pkg /bootflash/c8000be-firmware_sm_nim_adpt.17.09.05e.SPA.pkg /bootflash/c8000be-firmware_sm_dsp_sp2700.17.09.05e.SPA.pkg /bootflash/c8000be-firmware_sm_async.17.09.05e.SPA.pkg /bootflash/c8000be-firmware_sm_1t3e3.17.09.05e.SPA.pkg /bootflash/c8000be-firmware_sm_10g.17.09.05e.SPA.pkg /bootflash/c8000be-firmware_prince.17.09.05e.SPA.pkg /bootflash/c8000be-firmware_nim_xdsl.17.09.05e.SPA.pkg /bootflash/c8000be-firmware_nim_ssd.17.09.05e.SPA.pkg /bootflash/c8000be-firmware_nim_shdsl.17.09.05e.SPA.pkg /bootflash/c8000be-firmware_nim_ge.17.09.05e.SPA.pkg /bootflash/c8000be-firmware_nim_cwan.17.09.05e.SPA.pkg /bootflash/c8000be-firmware_nim_bri_st_fw.17.09.05e.SPA.pkg /bootflash/c8000be-firmware_nim_async.17.09.05e.SPA.pkg /bootflash/c8000be-firmware_ngwic_t1e1.17.09.05e.SPA.pkg /bootflash/c8000be-firmware_dsp_tilegx.17.09.05e.SPA.pkg /bootflash/c8000be-firmware_dsp_sp2700.17.09.05e.SPA.pkg /bootflash/c8000be-firmware_dsp_analogbri.17.09.05e.SPA.pkg /bootflash/c8000be-firmware_dreamliner.17.09.05e.SPA.pkg This operation may require a reload of the system. Do you want to proceed? [y/n] y --- Starting Activate --- Performing Activate on Active/Standby |
재부팅이 완료 될때까지 기다립니다.
5. Version 확인
| Router# show install summary [ R0 ] Installed Package(s) Information: State (St): I - Inactive, U - Activated & Uncommitted, C - Activated & Committed, D - Deactivated & Uncommitted -------------------------------------------------------------------------------- Type St Filename/Version -------------------------------------------------------------------------------- IMG C 17.09.05e.0.80 -------------------------------------------------------------------------------- Auto abort timer: inactive -------------------------------------------------------------------------------- Router# |
6. 기존에 Package가 Flash:에 존재 합니다. 필요없는 파일은 삭제합니다.
| Router#dir flash: Directory of bootflash:/ 89057 drwx 4096 Feb 10 2025 06:29:40 +00:00 .installer 412897 drwx 4096 Feb 10 2025 06:28:09 +00:00 license_evlog 24295 -rw- 30 Feb 10 2025 06:28:09 +00:00 throughput_monitor_params 24292 -rw- 137940 Feb 10 2025 06:28:05 +00:00 memleak.tcl 226689 drwx 4096 Feb 10 2025 06:27:59 +00:00 .prst_sync 24289 -rw- 1939 Feb 10 2025 06:27:50 +00:00 trustidrootx3_ca_062035.ca 24290 -rwx 1274 Feb 10 2025 06:27:45 +00:00 mode_event_log 429089 drwx 57344 Feb 10 2025 06:27:42 +00:00 tracelogs 64769 drwx 4096 Feb 10 2025 06:27:04 +00:00 SHARED-IOX 420993 drwx 4096 Feb 10 2025 06:25:25 +00:00 .rollback_timer 16 -rw- 9330 Feb 10 2025 06:24:28 +00:00 packages.conf 404802 -rw- 9330 Feb 10 2025 06:18:05 +00:00 c8000be-universalk9.17.09.05e.SPA.conf 226691 -rw- 38283450 Feb 10 2025 06:18:05 +00:00 c8000be-rpboot.17.09.05e.SPA.pkg 404821 -rw- 679469056 Feb 10 2025 06:17:20 +00:00 c8000be-mono-universalk9.17.09.05e.SPA.pkg 404820 -rw- 167936 Feb 10 2025 06:17:08 +00:00 c8000be-firmware_sm_nim_adpt.17.09.05e.SPA.pkg 404819 -rw- 2138112 Feb 10 2025 06:17:08 +00:00 c8000be-firmware_sm_dsp_sp2700.17.09.05e.SPA.pkg 404818 -rw- 14557184 Feb 10 2025 06:17:08 +00:00 c8000be-firmware_sm_async.17.09.05e.SPA.pkg 404817 -rw- 11366400 Feb 10 2025 06:17:07 +00:00 c8000be-firmware_sm_1t3e3.17.09.05e.SPA.pkg 404816 -rw- 2535424 Feb 10 2025 06:17:07 +00:00 c8000be-firmware_sm_10g.17.09.05e.SPA.pkg 404815 -rw- 10432512 Feb 10 2025 06:17:07 +00:00 c8000be-firmware_prince.17.09.05e.SPA.pkg 404814 -rw- 5677056 Feb 10 2025 06:17:07 +00:00 c8000be-firmware_nim_xdsl.17.09.05e.SPA.pkg 404813 -rw- 5431296 Feb 10 2025 06:17:07 +00:00 c8000be-firmware_nim_ssd.17.09.05e.SPA.pkg 404812 -rw- 11714560 Feb 10 2025 06:17:07 +00:00 c8000be-firmware_nim_shdsl.17.09.05e.SPA.pkg 404811 -rw- 2994176 Feb 10 2025 06:17:06 +00:00 c8000be-firmware_nim_ge.17.09.05e.SPA.pkg 404810 -rw- 17960960 Feb 10 2025 06:17:06 +00:00 c8000be-firmware_nim_cwan.17.09.05e.SPA.pkg 404809 -rw- 4894720 Feb 10 2025 06:17:06 +00:00 c8000be-firmware_nim_bri_st_fw.17.09.05e.SPA.pkg 404808 -rw- 13139968 Feb 10 2025 06:17:06 +00:00 c8000be-firmware_nim_async.17.09.05e.SPA.pkg 404807 -rw- 11497472 Feb 10 2025 06:17:05 +00:00 c8000be-firmware_ngwic_t1e1.17.09.05e.SPA.pkg 404806 -rw- 18649088 Feb 10 2025 06:17:05 +00:00 c8000be-firmware_dsp_tilegx.17.09.05e.SPA.pkg 404805 -rw- 2007040 Feb 10 2025 06:17:04 +00:00 c8000be-firmware_dsp_sp2700.17.09.05e.SPA.pkg 404804 -rw- 6799360 Feb 10 2025 06:17:04 +00:00 c8000be-firmware_dsp_analogbri.17.09.05e.SPA.pkg 404803 -rw- 65536 Feb 10 2025 06:17:04 +00:00 c8000be-firmware_dreamliner.17.09.05e.SPA.pkg 13 -rw- 859360566 Feb 10 2025 06:06:59 +00:00 c8000be-universalk9.17.09.05e.SPA.bin 267169 drwx 4096 Feb 10 2025 05:19:36 +00:00 pnp-tech 11 -rw- 248 Feb 10 2025 05:19:29 +00:00 .iox_dir_list 12 drwx 4096 Feb 10 2025 04:29:43 +00:00 lost+found 275265 drwx 4096 Aug 26 2024 16:42:04 +00:00 .dbpersist 437185 drwx 4096 Aug 26 2024 16:33:30 +00:00 sysboot 291478 -rw- 43301928 Aug 26 2024 16:28:08 +00:00 c8000be-rpboot.17.06.06a.SPA.pkg 291477 -rw- 623141956 Aug 26 2024 16:27:18 +00:00 c8000be-mono-universalk9.17.06.06a.SPA.pkg 291476 -rw- 156728 Aug 26 2024 16:27:07 +00:00 c8000be-firmware_sm_nim_adpt.17.06.06a.SPA.pkg 291475 -rw- 2094136 Aug 26 2024 16:27:07 +00:00 c8000be-firmware_sm_dsp_sp2700.17.06.06a.SPA.pkg 291474 -rw- 14259252 Aug 26 2024 16:27:07 +00:00 c8000be-firmware_sm_async.17.06.06a.SPA.pkg 291473 -rw- 11093044 Aug 26 2024 16:27:07 +00:00 c8000be-firmware_sm_1t3e3.17.06.06a.SPA.pkg 291472 -rw- 2475056 Aug 26 2024 16:27:07 +00:00 c8000be-firmware_sm_10g.17.06.06a.SPA.pkg 291471 -rw- 10253360 Aug 26 2024 16:27:07 +00:00 c8000be-firmware_prince.17.06.06a.SPA.pkg 291470 -rw- 5571636 Aug 26 2024 16:27:07 +00:00 c8000be-firmware_nim_xdsl.17.06.06a.SPA.pkg 291469 -rw- 5334068 Aug 26 2024 16:27:06 +00:00 c8000be-firmware_nim_ssd.17.06.06a.SPA.pkg 291468 -rw- 11523124 Aug 26 2024 16:27:06 +00:00 c8000be-firmware_nim_shdsl.17.06.06a.SPA.pkg 291467 -rw- 2966576 Aug 26 2024 16:27:06 +00:00 c8000be-firmware_nim_ge.17.06.06a.SPA.pkg 291466 -rw- 17646644 Aug 26 2024 16:27:06 +00:00 c8000be-firmware_nim_cwan.17.06.06a.SPA.pkg 291465 -rw- 4793400 Aug 26 2024 16:27:06 +00:00 c8000be-firmware_nim_bri_st_fw.17.06.06a.SPA.pkg 291464 -rw- 12870708 Aug 26 2024 16:27:06 +00:00 c8000be-firmware_nim_async.17.06.06a.SPA.pkg 291463 -rw- 11310132 Aug 26 2024 16:27:05 +00:00 c8000be-firmware_ngwic_t1e1.17.06.06a.SPA.pkg 291462 -rw- 18342964 Aug 26 2024 16:27:05 +00:00 c8000be-firmware_dsp_tilegx.17.06.06a.SPA.pkg 291461 -rw- 1963060 Aug 26 2024 16:27:05 +00:00 c8000be-firmware_dsp_sp2700.17.06.06a.SPA.pkg 291460 -rw- 6681656 Aug 26 2024 16:27:05 +00:00 c8000be-firmware_dsp_analogbri.17.06.06a.SPA.pkg 291459 -rw- 54324 Aug 26 2024 16:27:05 +00:00 c8000be-firmware_dreamliner.17.06.06a.SPA.pkg 186209 drwx 4096 Aug 26 2024 16:20:23 +00:00 iox_host_data_share 364321 drwx 4096 Aug 26 2024 16:20:17 +00:00 core 210497 drwx 4096 Aug 26 2024 16:20:02 +00:00 guest-share 170017 drwx 4096 Aug 26 2024 16:19:55 +00:00 onep 129537 drwx 4096 Aug 26 2024 16:19:54 +00:00 pnp-info 121441 drwx 4096 Aug 26 2024 16:19:23 +00:00 virtual-instance 24294 -rw- 1923 Aug 26 2024 16:19:18 +00:00 trustidrootx3_ca_092024.ca 24293 -rw- 20109 Aug 26 2024 16:19:18 +00:00 ios_core.p7b 24291 -rw- 5242880 Aug 26 2024 16:19:03 +00:00 ssd 307649 drwx 4096 Aug 26 2024 16:18:49 +00:00 .ssh |
| Router#install remove inactive install_remove: START Mon Feb 10 06:34:40 UTC 2025 install_remove: Removing IMG Cleaning up unnecessary package files No path specified, will use booted path /bootflash/packages.conf Cleaning /bootflash Scanning boot directory for packages ... done. Preparing packages list to delete ... [R0]: /bootflash/packages.conf File is in use, will not delete. [R0]: /bootflash/c8000be-firmware_dreamliner.17.09.05e.SPA.pkg File is in use, will not delete. [R0]: /bootflash/c8000be-firmware_dsp_analogbri.17.09.05e.SPA.pkg File is in use, will not delete. [R0]: /bootflash/c8000be-firmware_dsp_sp2700.17.09.05e.SPA.pkg File is in use, will not delete. [R0]: /bootflash/c8000be-firmware_dsp_tilegx.17.09.05e.SPA.pkg File is in use, will not delete. [R0]: /bootflash/c8000be-firmware_ngwic_t1e1.17.09.05e.SPA.pkg File is in use, will not delete. [R0]: /bootflash/c8000be-firmware_nim_async.17.09.05e.SPA.pkg File is in use, will not delete. [R0]: /bootflash/c8000be-firmware_nim_bri_st_fw.17.09.05e.SPA.pkg File is in use, will not delete. [R0]: /bootflash/c8000be-firmware_nim_cwan.17.09.05e.SPA.pkg File is in use, will not delete. [R0]: /bootflash/c8000be-firmware_nim_ge.17.09.05e.SPA.pkg File is in use, will not delete. [R0]: /bootflash/c8000be-firmware_nim_shdsl.17.09.05e.SPA.pkg File is in use, will not delete. [R0]: /bootflash/c8000be-firmware_nim_ssd.17.09.05e.SPA.pkg File is in use, will not delete. [R0]: /bootflash/c8000be-firmware_nim_xdsl.17.09.05e.SPA.pkg File is in use, will not delete. [R0]: /bootflash/c8000be-firmware_prince.17.09.05e.SPA.pkg File is in use, will not delete. [R0]: /bootflash/c8000be-firmware_sm_10g.17.09.05e.SPA.pkg File is in use, will not delete. [R0]: /bootflash/c8000be-firmware_sm_1t3e3.17.09.05e.SPA.pkg File is in use, will not delete. [R0]: /bootflash/c8000be-firmware_sm_async.17.09.05e.SPA.pkg File is in use, will not delete. [R0]: /bootflash/c8000be-firmware_sm_dsp_sp2700.17.09.05e.SPA.pkg File is in use, will not delete. [R0]: /bootflash/c8000be-firmware_sm_nim_adpt.17.09.05e.SPA.pkg File is in use, will not delete. [R0]: /bootflash/c8000be-mono-universalk9.17.09.05e.SPA.pkg File is in use, will not delete. [R0]: /bootflash/c8000be-rpboot.17.09.05e.SPA.pkg File is in use, will not delete. [R0]: /bootflash/c8000be-universalk9.17.09.05e.SPA.conf File is in use, will not delete. The following files will be deleted: [R0]: /bootflash/c8000be-firmware_dreamliner.17.06.06a.SPA.pkg [R0]: /bootflash/c8000be-firmware_dsp_analogbri.17.06.06a.SPA.pkg [R0]: /bootflash/c8000be-firmware_dsp_sp2700.17.06.06a.SPA.pkg [R0]: /bootflash/c8000be-firmware_dsp_tilegx.17.06.06a.SPA.pkg [R0]: /bootflash/c8000be-firmware_ngwic_t1e1.17.06.06a.SPA.pkg [R0]: /bootflash/c8000be-firmware_nim_async.17.06.06a.SPA.pkg [R0]: /bootflash/c8000be-firmware_nim_bri_st_fw.17.06.06a.SPA.pkg [R0]: /bootflash/c8000be-firmware_nim_cwan.17.06.06a.SPA.pkg [R0]: /bootflash/c8000be-firmware_nim_ge.17.06.06a.SPA.pkg [R0]: /bootflash/c8000be-firmware_nim_shdsl.17.06.06a.SPA.pkg [R0]: /bootflash/c8000be-firmware_nim_ssd.17.06.06a.SPA.pkg [R0]: /bootflash/c8000be-firmware_nim_xdsl.17.06.06a.SPA.pkg [R0]: /bootflash/c8000be-firmware_prince.17.06.06a.SPA.pkg [R0]: /bootflash/c8000be-firmware_sm_10g.17.06.06a.SPA.pkg [R0]: /bootflash/c8000be-firmware_sm_1t3e3.17.06.06a.SPA.pkg [R0]: /bootflash/c8000be-firmware_sm_async.17.06.06a.SPA.pkg [R0]: /bootflash/c8000be-firmware_sm_dsp_sp2700.17.06.06a.SPA.pkg [R0]: /bootflash/c8000be-firmware_sm_nim_adpt.17.06.06a.SPA.pkg [R0]: /bootflash/c8000be-mono-universalk9.17.06.06a.SPA.pkg [R0]: /bootflash/c8000be-rpboot.17.06.06a.SPA.pkg [R0]: /bootflash/c8000be-universalk9.17.09.05e.SPA.bin Do you want to remove the above files? *Feb 10 06:34:40.411: %INSTALL-5-INSTALL_START_INFO: R0/0: install_mgr: Started install remove [y/n]y Deleting file /bootflash/c8000be-firmware_dreamliner.17.06.06a.SPA.pkg ... done. Deleting file /bootflash/c8000be-firmware_dsp_analogbri.17.06.06a.SPA.pkg ... done. Deleting file /bootflash/c8000be-firmware_dsp_sp2700.17.06.06a.SPA.pkg ... done. Deleting file /bootflash/c8000be-firmware_dsp_tilegx.17.06.06a.SPA.pkg ... done. Deleting file /bootflash/c8000be-firmware_ngwic_t1e1.17.06.06a.SPA.pkg ... done. Deleting file /bootflash/c8000be-firmware_nim_async.17.06.06a.SPA.pkg ... done. Deleting file /bootflash/c8000be-firmware_nim_bri_st_fw.17.06.06a.SPA.pkg ... done. Deleting file /bootflash/c8000be-firmware_nim_cwan.17.06.06a.SPA.pkg ... done. Deleting file /bootflash/c8000be-firmware_nim_ge.17.06.06a.SPA.pkg ... done. Deleting file /bootflash/c8000be-firmware_nim_shdsl.17.06.06a.SPA.pkg ... done. Deleting file /bootflash/c8000be-firmware_nim_ssd.17.06.06a.SPA.pkg ... done. Deleting file /bootflash/c8000be-firmware_nim_xdsl.17.06.06a.SPA.pkg ... done. Deleting file /bootflash/c8000be-firmware_prince.17.06.06a.SPA.pkg ... done. Deleting file /bootflash/c8000be-firmware_sm_10g.17.06.06a.SPA.pkg ... done. Deleting file /bootflash/c8000be-firmware_sm_1t3e3.17.06.06a.SPA.pkg ... done. Deleting file /bootflash/c8000be-firmware_sm_async.17.06.06a.SPA.pkg ... done. Deleting file /bootflash/c8000be-firmware_sm_dsp_sp2700.17.06.06a.SPA.pkg ... done. Deleting file /bootflash/c8000be-firmware_sm_nim_adpt.17.06.06a.SPA.pkg ... done. Deleting file /bootflash/c8000be-mono-universalk9.17.06.06a.SPA.pkg ... done. Deleting file /bootflash/c8000be-rpboot.17.06.06a.SPA.pkg ... done. Deleting file /bootflash/c8000be-universalk9.17.09.05e.SPA.bin ... done. SUCCESS: Files deleted. --- Starting Post_Remove_Cleanup --- Performing REMOVE_POSTCHECK on all members Finished Post_Remove_Cleanup SUCCESS: install_remove Mon Feb 10 06:35:12 UTC 2025 Router# *Feb 10 06:35:12.911: %INSTALL-5-INSTALL_COMPLETED_INFO: R0/0: install_mgr: Completed install remove Router# Router# Router# Router# Router# Router# Router# Router#dir flash: Directory of bootflash:/ 89057 drwx 4096 Feb 10 2025 06:35:13 +00:00 .installer 412897 drwx 4096 Feb 10 2025 06:28:09 +00:00 license_evlog 24295 -rw- 30 Feb 10 2025 06:28:09 +00:00 throughput_monitor_params 24292 -rw- 137940 Feb 10 2025 06:28:05 +00:00 memleak.tcl 226689 drwx 4096 Feb 10 2025 06:27:59 +00:00 .prst_sync 24289 -rw- 1939 Feb 10 2025 06:27:50 +00:00 trustidrootx3_ca_062035.ca 24290 -rwx 1274 Feb 10 2025 06:27:45 +00:00 mode_event_log 429089 drwx 57344 Feb 10 2025 06:27:42 +00:00 tracelogs 64769 drwx 4096 Feb 10 2025 06:27:04 +00:00 SHARED-IOX 420993 drwx 4096 Feb 10 2025 06:25:25 +00:00 .rollback_timer 16 -rw- 9330 Feb 10 2025 06:24:28 +00:00 packages.conf 404802 -rw- 9330 Feb 10 2025 06:18:05 +00:00 c8000be-universalk9.17.09.05e.SPA.conf 226691 -rw- 38283450 Feb 10 2025 06:18:05 +00:00 c8000be-rpboot.17.09.05e.SPA.pkg 404821 -rw- 679469056 Feb 10 2025 06:17:20 +00:00 c8000be-mono-universalk9.17.09.05e.SPA.pkg 404820 -rw- 167936 Feb 10 2025 06:17:08 +00:00 c8000be-firmware_sm_nim_adpt.17.09.05e.SPA.pkg 404819 -rw- 2138112 Feb 10 2025 06:17:08 +00:00 c8000be-firmware_sm_dsp_sp2700.17.09.05e.SPA.pkg 404818 -rw- 14557184 Feb 10 2025 06:17:08 +00:00 c8000be-firmware_sm_async.17.09.05e.SPA.pkg 404817 -rw- 11366400 Feb 10 2025 06:17:07 +00:00 c8000be-firmware_sm_1t3e3.17.09.05e.SPA.pkg 404816 -rw- 2535424 Feb 10 2025 06:17:07 +00:00 c8000be-firmware_sm_10g.17.09.05e.SPA.pkg 404815 -rw- 10432512 Feb 10 2025 06:17:07 +00:00 c8000be-firmware_prince.17.09.05e.SPA.pkg 404814 -rw- 5677056 Feb 10 2025 06:17:07 +00:00 c8000be-firmware_nim_xdsl.17.09.05e.SPA.pkg 404813 -rw- 5431296 Feb 10 2025 06:17:07 +00:00 c8000be-firmware_nim_ssd.17.09.05e.SPA.pkg 404812 -rw- 11714560 Feb 10 2025 06:17:07 +00:00 c8000be-firmware_nim_shdsl.17.09.05e.SPA.pkg 404811 -rw- 2994176 Feb 10 2025 06:17:06 +00:00 c8000be-firmware_nim_ge.17.09.05e.SPA.pkg 404810 -rw- 17960960 Feb 10 2025 06:17:06 +00:00 c8000be-firmware_nim_cwan.17.09.05e.SPA.pkg 404809 -rw- 4894720 Feb 10 2025 06:17:06 +00:00 c8000be-firmware_nim_bri_st_fw.17.09.05e.SPA.pkg 404808 -rw- 13139968 Feb 10 2025 06:17:06 +00:00 c8000be-firmware_nim_async.17.09.05e.SPA.pkg 404807 -rw- 11497472 Feb 10 2025 06:17:05 +00:00 c8000be-firmware_ngwic_t1e1.17.09.05e.SPA.pkg 404806 -rw- 18649088 Feb 10 2025 06:17:05 +00:00 c8000be-firmware_dsp_tilegx.17.09.05e.SPA.pkg 404805 -rw- 2007040 Feb 10 2025 06:17:04 +00:00 c8000be-firmware_dsp_sp2700.17.09.05e.SPA.pkg 404804 -rw- 6799360 Feb 10 2025 06:17:04 +00:00 c8000be-firmware_dsp_analogbri.17.09.05e.SPA.pkg 404803 -rw- 65536 Feb 10 2025 06:17:04 +00:00 c8000be-firmware_dreamliner.17.09.05e.SPA.pkg 267169 drwx 4096 Feb 10 2025 05:19:36 +00:00 pnp-tech 11 -rw- 248 Feb 10 2025 05:19:29 +00:00 .iox_dir_list 12 drwx 4096 Feb 10 2025 04:29:43 +00:00 lost+found 275265 drwx 4096 Aug 26 2024 16:42:04 +00:00 .dbpersist 437185 drwx 4096 Aug 26 2024 16:33:30 +00:00 sysboot 186209 drwx 4096 Aug 26 2024 16:20:23 +00:00 iox_host_data_share 364321 drwx 4096 Aug 26 2024 16:20:17 +00:00 core 210497 drwx 4096 Aug 26 2024 16:20:02 +00:00 guest-share 170017 drwx 4096 Aug 26 2024 16:19:55 +00:00 onep 129537 drwx 4096 Aug 26 2024 16:19:54 +00:00 pnp-info 121441 drwx 4096 Aug 26 2024 16:19:23 +00:00 virtual-instance 24294 -rw- 1923 Aug 26 2024 16:19:18 +00:00 trustidrootx3_ca_092024.ca 24293 -rw- 20109 Aug 26 2024 16:19:18 +00:00 ios_core.p7b 24291 -rw- 5242880 Aug 26 2024 16:19:03 +00:00 ssd 307649 drwx 4096 Aug 26 2024 16:18:49 +00:00 .ssh 7361155072 bytes total (6116417536 bytes free) Router# |
show version
| Router# show version Cisco IOS XE Software, Version 17.09.05e Cisco IOS Software [Cupertino], c8000be Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 17.9.5e, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2024 by Cisco Systems, Inc. Compiled Thu 12-Dec-24 19:05 by mcpre Cisco IOS-XE software, Copyright (c) 2005-2024 by cisco Systems, Inc. All rights reserved. Certain components of Cisco IOS-XE software are licensed under the GNU General Public License ("GPL") Version 2.0. The software code licensed under GPL Version 2.0 is free software that comes with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such GPL code under the terms of GPL Version 2.0. For more details, see the documentation or "License Notice" file accompanying the IOS-XE software, or the applicable URL provided on the flyer accompanying the IOS-XE software. ROM: 17.6(8.1r) Router uptime is 9 minutes Uptime for this control processor is 9 minutes System returned to ROM by Reload Command System image file is "bootflash:packages.conf" Last reload reason: Reload Command This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately. A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html If you require further assistance please contact us by sending email to export@cisco.com. Technology Package License Information: ----------------------------------------------------------------- Technology Type Technology-package Technology-package Current Next Reboot ----------------------------------------------------------------- Smart License Perpetual None None Smart License Subscription None None The current crypto throughput level is 250000 kbps Smart Licensing Status: Smart Licensing Using Policy cisco C8200L-1N-4T (1RU) processor with 1653598K/6147K bytes of memory. Processor board ID FGL2835L17V Router operating mode: Autonomous 4 Gigabit Ethernet interfaces 32768K bytes of non-volatile configuration memory. 4194304K bytes of physical memory. 7245823K bytes of flash memory at bootflash:. Configuration register is 0x2102 Router# |
다시 한번 재부팅해서 제대로 부팅되는지 확인합니다.
| Router#reload Proceed with reload? [confirm] *Feb 10 06:37:38.872: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command. |
정상적으로 부팅이 잘 됩니다.
지금까지 [2025][C8200] Router IOS XE upgrade 글을 읽어주셔서 감사합니다.
| [2025][C8200][#3] Reset Smart license (0) | 2025.03.04 |
|---|---|
| [2025][C8200][#2] Register License to CSSM - smart licensing using policy (0) | 2025.02.13 |
| [ISR4221]-Performance License Install(PAK) (0) | 2024.07.30 |
| [ISR4221]-Cisco Router IOS Upgrade (2) | 2024.07.29 |
안녕하세요.
이번에는 Juniper SRX S2S VPN 설정하고 Static Route대신 OSPF을 통해서 라우팅 테이블을 교환 하겠습니다.
실습을 위해서 기본 설정은 아래 글을 참고 부탁드립니다.
https://itblog-kr.tistory.com/196
1. 토폴로지는 아래와 같습니다.
SRX01 Ge-0/0/0 10.1.1.1 trust
SRX01 Ge-0/0/1 192.168.1.1 untrust
SRX02 Ge-0/0/0 20.1.1.1 trust
SRX02 Ge-0/0/1 192.168.2.1 untrust
S2S VPN 연결후 PC 192.168.1.10 <-> PC 192.168.2.10으로 통신이 가능 합니다.
2. SRX01 설정
2-1 Tunnel Interface 설정
| set interfaces st0 unit 0 family inet address 1.1.1.1/30 set interfaces st0 unit 0 family inet mtu 1500 set security zones security-zone vpn host-inbound-traffic system-services all set security zones security-zone vpn host-inbound-traffic protocols all set security zones security-zone vpn interfaces st0.0 |
2-2 Tunnel Interface통해서 상대방 라우팅을 교환하기 위해서 RIP 프로토콜을 설정합니다.
| set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2p set protocols ospf area 0.0.0.0 interface st0.0 neighbor 1.1.1.2 set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 passive set routing-options router-id 1.1.1.1 |
2-3 IKE 설정
IKE POLICY Name: IKE-POLICY-S2SVPN-01
IKE GATEWAY Name: IKE-GW-S2SVPN-01
Pre-share-Keys: juniper
| set security ike proposal standard authentication-method pre-shared-keys set security ike policy IKE-POLICY-S2SVPN-01 mode aggressive set security ike policy IKE-POLICY-S2SVPN-01 proposals standard set security ike policy IKE-POLICY-S2SVPN-01 pre-shared-key ascii-text juniper set security ike gateway IKE-GW-S2SVPN-01 ike-policy IKE-POLICY-S2SVPN-01 set security ike gateway IKE-GW-S2SVPN-01 address 20.1.1.1 set security ike gateway IKE-GW-S2SVPN-01 external-interface ge-0/0/0 |
2-4 IPSEC 설정
| set security ipsec proposal standard set security ipsec policy IPSEC-POLICY-S2SVPN-01 proposals standard set security ipsec vpn SRX01-TO-SRX02 bind-interface st0.0 set security ipsec vpn SRX01-TO-SRX02 ike gateway IKE-GW-S2SVPN-01 set security ipsec vpn SRX01-TO-SRX02 ike ipsec-policy IPSEC-POLICY-S2SVPN-01 set security ipsec vpn SRX01-TO-SRX02 establish-tunnels immediately |
2-5 S2S VPN을 위한 방화벽 정책 설정
| set security zones security-zone vpn host-inbound-traffic system-services all set security zones security-zone vpn interfaces st0.0 set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit |
3 SRX02 설정
3-1 Tunnel Interface 설정
| set interfaces st0 unit 0 family inet address 1.1.1.2/30 set interfaces st0 unit 0 family inet mtu 1500 set security zones security-zone vpn host-inbound-traffic system-services all set security zones security-zone vpn host-inbound-traffic protocols all set security zones security-zone vpn interfaces st0.0 |
3-2 Tunnel Interface통해서 상대방 통신하기 위해서 RIP을 설정해서 라우팅을 교환 합니다.
| set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2p set protocols ospf area 0.0.0.0 interface st0.0 neighbor 1.1.1.1 set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 passive set routing-options router-id 1.1.1.2 |
3-3 IKE 설정
IKE POLICY Name: IKE-POLICY-S2SVPN-01
IKE GATEWAY Name: IKE-GW-S2SVPN-01
Pre-share-Keys: juniper
| set security ike proposal standard authentication-method pre-shared-keys set security ike policy IKE-POLICY-S2SVPN-01 mode aggressive set security ike policy IKE-POLICY-S2SVPN-01 proposals standard set security ike policy IKE-POLICY-S2SVPN-01 pre-shared-key ascii-text juniper set security ike gateway IKE-GW-S2SVPN-01 ike-policy IKE-POLICY-S2SVPN-01 set security ike gateway IKE-GW-S2SVPN-01 address 10.1.1.1 set security ike gateway IKE-GW-S2SVPN-01 external-interface ge-0/0/0 |
3-4 IPSEC 설정
| set security ipsec proposal standard set security ipsec policy IPSEC-POLICY-S2SVPN-01 proposals standard set security ipsec vpn SRX02-TO-SRX01 bind-interface st0.0 set security ipsec vpn SRX02-TO-SRX01 ike gateway IKE-GW-S2SVPN-01 set security ipsec vpn SRX02-TO-SRX01 ike ipsec-policy IPSEC-POLICY-S2SVPN-01 set security ipsec vpn SRX02-TO-SRX01 establish-tunnels immediately |
3-5 S2S VPN을 위한 방화벽 정책 설정
| set security zones security-zone vpn host-inbound-traffic system-services all set security zones security-zone vpn interfaces st0.0 set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit |
OSPF 상태 확인
SRX01
| root@SRX01> show ospf neighbor Address Interface State ID Pri Dead 1.1.1.2 st0.0 Full 1.1.1.2 128 31 root@SRX01> show route inet.0: 9 destinations, 10 routes (9 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 0.0.0.0/0 *[Static/5] 00:50:07 > to 10.1.1.254 via ge-0/0/0.0 1.1.1.0/30 *[Direct/0] 00:14:28 > via st0.0 [OSPF/10] 00:14:24, metric 1 > via st0.0 1.1.1.1/32 *[Local/0] 00:14:28 Local via st0.0 10.1.1.0/24 *[Direct/0] 00:50:07 > via ge-0/0/0.0 10.1.1.1/32 *[Local/0] 00:50:07 Local via ge-0/0/0.0 192.168.1.0/24 *[Direct/0] 00:50:07 > via ge-0/0/1.0 192.168.1.1/32 *[Local/0] 00:50:07 Local via ge-0/0/1.0 192.168.2.0/24 *[OSPF/10] 00:10:32, metric 2 > via st0.0 224.0.0.5/32 *[OSPF/10] 00:14:29, metric 1 MultiRecv inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both ff02::2/128 *[INET6/0] 00:51:09 MultiRecv root@SRX01> |
SRX02
| root@SRX02> show ospf neighbor Address Interface State ID Pri Dead 1.1.1.1 st0.0 Full 1.1.1.1 128 37 root@SRX02> show route inet.0: 9 destinations, 10 routes (9 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 0.0.0.0/0 *[Static/5] 00:50:23 > to 20.1.1.254 via ge-0/0/0.0 1.1.1.0/30 *[Direct/0] 00:13:30 > via st0.0 [OSPF/10] 00:13:26, metric 1 > via st0.0 1.1.1.2/32 *[Local/0] 00:13:30 Local via st0.0 20.1.1.0/24 *[Direct/0] 00:50:23 > via ge-0/0/0.0 20.1.1.1/32 *[Local/0] 00:50:23 Local via ge-0/0/0.0 192.168.1.0/24 *[OSPF/10] 00:10:54, metric 2 > via st0.0 192.168.2.0/24 *[Direct/0] 00:50:23 > via ge-0/0/1.0 192.168.2.1/32 *[Local/0] 00:50:23 Local via ge-0/0/1.0 224.0.0.5/32 *[OSPF/10] 00:13:31, metric 1 MultiRecv inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both ff02::2/128 *[INET6/0] 00:51:27 MultiRecv root@SRX02> |
4. Test
PC01에서 PC02로 PING 192.168.2.10
PC02에서 PC01로 PING 192.168.1.10
| PC01 84 bytes from 192.168.2.10 icmp_seq=105 ttl=62 time=12.610 ms 84 bytes from 192.168.2.10 icmp_seq=106 ttl=62 time=33.502 ms 84 bytes from 192.168.2.10 icmp_seq=107 ttl=62 time=3.875 ms 84 bytes from 192.168.2.10 icmp_seq=108 ttl=62 time=5.376 ms 84 bytes from 192.168.2.10 icmp_seq=109 ttl=62 time=3.175 ms 84 bytes from 192.168.2.10 icmp_seq=110 ttl=62 time=2.963 ms 84 bytes from 192.168.2.10 icmp_seq=111 ttl=62 time=3.547 ms 84 bytes from 192.168.2.10 icmp_seq=112 ttl=62 time=3.976 ms 84 bytes from 192.168.2.10 icmp_seq=113 ttl=62 time=3.358 ms 84 bytes from 192.168.2.10 icmp_seq=114 ttl=62 time=9.753 ms 84 bytes from 192.168.2.10 icmp_seq=115 ttl=62 time=3.128 ms 84 bytes from 192.168.2.10 icmp_seq=116 ttl=62 time=4.142 ms 84 bytes from 192.168.2.10 icmp_seq=117 ttl=62 time=3.175 ms 84 bytes from 192.168.2.10 icmp_seq=118 ttl=62 time=4.214 ms 84 bytes from 192.168.2.10 icmp_seq=119 ttl=62 time=3.807 ms 84 bytes from 192.168.2.10 icmp_seq=120 ttl=62 time=4.220 ms 84 bytes from 192.168.2.10 icmp_seq=121 ttl=62 time=7.300 ms 84 bytes from 192.168.2.10 icmp_seq=122 ttl=62 time=3.735 ms 84 bytes from 192.168.2.10 icmp_seq=123 ttl=62 time=5.798 ms 84 bytes from 192.168.2.10 icmp_seq=124 ttl=62 time=3.588 ms 84 bytes from 192.168.2.10 icmp_seq=125 ttl=62 time=3.750 ms 84 bytes from 192.168.2.10 icmp_seq=126 ttl=62 time=3.633 ms 84 bytes from 192.168.2.10 icmp_seq=127 ttl=62 time=2.710 ms 84 bytes from 192.168.2.10 icmp_seq=128 ttl=62 time=4.018 ms 84 bytes from 192.168.2.10 icmp_seq=129 ttl=62 time=3.169 ms 84 bytes from 192.168.2.10 icmp_seq=130 ttl=62 time=3.093 ms 84 bytes from 192.168.2.10 icmp_seq=131 ttl=62 time=3.001 ms 84 bytes from 192.168.2.10 icmp_seq=132 ttl=62 time=4.013 ms 84 bytes from 192.168.2.10 icmp_seq=133 ttl=62 time=3.296 ms 84 bytes from 192.168.2.10 icmp_seq=134 ttl=62 time=2.731 ms 84 bytes from 192.168.2.10 icmp_seq=135 ttl=62 time=3.164 ms 84 bytes from 192.168.2.10 icmp_seq=136 ttl=62 time=3.521 ms 84 bytes from 192.168.2.10 icmp_seq=137 ttl=62 time=3.264 ms 84 bytes from 192.168.2.10 icmp_seq=138 ttl=62 time=3.372 ms PC02 84 bytes from 192.168.1.10 icmp_seq=96 ttl=62 time=11.549 ms 84 bytes from 192.168.1.10 icmp_seq=97 ttl=62 time=3.299 ms 84 bytes from 192.168.1.10 icmp_seq=98 ttl=62 time=4.139 ms 84 bytes from 192.168.1.10 icmp_seq=99 ttl=62 time=6.704 ms 84 bytes from 192.168.1.10 icmp_seq=100 ttl=62 time=7.948 ms 84 bytes from 192.168.1.10 icmp_seq=101 ttl=62 time=7.042 ms 84 bytes from 192.168.1.10 icmp_seq=102 ttl=62 time=8.883 ms 84 bytes from 192.168.1.10 icmp_seq=103 ttl=62 time=5.830 ms 84 bytes from 192.168.1.10 icmp_seq=104 ttl=62 time=3.864 ms 84 bytes from 192.168.1.10 icmp_seq=105 ttl=62 time=7.203 ms 84 bytes from 192.168.1.10 icmp_seq=106 ttl=62 time=5.233 ms 84 bytes from 192.168.1.10 icmp_seq=107 ttl=62 time=3.276 ms 84 bytes from 192.168.1.10 icmp_seq=108 ttl=62 time=3.849 ms 84 bytes from 192.168.1.10 icmp_seq=109 ttl=62 time=4.194 ms 84 bytes from 192.168.1.10 icmp_seq=110 ttl=62 time=3.221 ms 84 bytes from 192.168.1.10 icmp_seq=111 ttl=62 time=3.447 ms 84 bytes from 192.168.1.10 icmp_seq=112 ttl=62 time=4.475 ms 84 bytes from 192.168.1.10 icmp_seq=113 ttl=62 time=4.493 ms 84 bytes from 192.168.1.10 icmp_seq=114 ttl=62 time=3.987 ms 84 bytes from 192.168.1.10 icmp_seq=115 ttl=62 time=3.965 ms 84 bytes from 192.168.1.10 icmp_seq=116 ttl=62 time=3.814 ms 84 bytes from 192.168.1.10 icmp_seq=117 ttl=62 time=3.276 ms 84 bytes from 192.168.1.10 icmp_seq=118 ttl=62 time=3.454 ms 84 bytes from 192.168.1.10 icmp_seq=119 ttl=62 time=4.694 ms 84 bytes from 192.168.1.10 icmp_seq=120 ttl=62 time=4.093 ms 84 bytes from 192.168.1.10 icmp_seq=121 ttl=62 time=3.481 ms 84 bytes from 192.168.1.10 icmp_seq=122 ttl=62 time=5.376 ms 84 bytes from 192.168.1.10 icmp_seq=123 ttl=62 time=3.494 ms 84 bytes from 192.168.1.10 icmp_seq=124 ttl=62 time=4.032 ms 84 bytes from 192.168.1.10 icmp_seq=125 ttl=62 time=3.6 |
4. S2S VPN 상태 확인
SRX01
IKE Phase 1 UP이 표시 되면 IPSEC를 확인 합니다.
| root@SRX01> show security ike security-associations Index State Initiator cookie Responder cookie Mode Remote Address 5482273 UP 65c909f14f4d8824 7d74504d227553ca Aggressive 20.1.1.1 |
IPSEC Phase2 아래처럼 터널이 생성 되었는지 확인
| root@SRX01> show security ipsec security-associations Total active tunnels: 1 Total Ipsec sas: 1 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <131073 ESP:3des/sha1 fc12e938 3062/ unlim - root 500 20.1.1.1 >131073 ESP:3des/sha1 49d44ef0 3062/ unlim - root 500 20.1.1.1 |
PC01에서 PC02로 무한으로 PING를 시도하고 Packet Count가 실제 올라가는지 확인 합니다
그리고 SRX01에서 아래 명령어로 확인
| root@SRX01> show security ipsec statistics ESP Statistics: Encrypted bytes: 70040 Decrypted bytes: 41832 Encrypted packets: 515 Decrypted packets: 498 AH Statistics: Input bytes: 0 Output bytes: 0 Input packets: 0 Output packets: 0 Errors: AH authentication failures: 0, Replay errors: 0 ESP authentication failures: 0, ESP decryption failures: 0 Bad headers: 0, Bad trailers: 0 root@SRX01> |
10초뒤에 다시 똑같은 명령어를 입력하면 Packet Count가 증가하였습니다.
| root@SRX01> show security ipsec statistics ESP Statistics: Encrypted bytes: 77656 Decrypted bytes: 46536 Encrypted packets: 571 Decrypted packets: 554 AH Statistics: Input bytes: 0 Output bytes: 0 Input packets: 0 Output packets: 0 Errors: AH authentication failures: 0, Replay errors: 0 ESP authentication failures: 0, ESP decryption failures: 0 Bad headers: 0, Bad trailers: 0 root@SRX01> |
PC02 -> PC01로 무한으로 PING를 시도합니다
SRX02에서 확인해보겠습니다.
IKE Phase 1 UP이 표시 되면 IPSEC를 확인 합니다.
| root@SRX02> show security ike security-associations Index State Initiator cookie Responder cookie Mode Remote Address 6514201 UP 65c909f14f4d8824 7d74504d227553ca Aggressive 10.1.1.1 root@SRX02> |
IPSEC Phase2 Tunnel이 생성되었습니다.
| root@SRX02> show security ipsec security-associations Total active tunnels: 1 Total Ipsec sas: 1 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <131073 ESP:3des/sha1 49d44ef0 2678/ unlim - root 500 10.1.1.1 >131073 ESP:3des/sha1 fc12e938 2678/ unlim - root 500 10.1.1.1 root@SRX02> |
Packet Count를 확인 합니다
| root@SRX02> show security ipsec statistics ESP Statistics: Encrypted bytes: 87992 Decrypted bytes: 55776 Encrypted packets: 647 Decrypted packets: 664 AH Statistics: Input bytes: 0 Output bytes: 0 Input packets: 0 Output packets: 0 Errors: AH authentication failures: 0, Replay errors: 0 ESP authentication failures: 0, ESP decryption failures: 0 Bad headers: 0, Bad trailers: 0 root@SRX02> |
10초뒤에 다시 한번 확인합니다
| root@SRX02> show security ipsec statistics ESP Statistics: Encrypted bytes: 90032 Decrypted bytes: 57036 Encrypted packets: 662 Decrypted packets: 679 AH Statistics: Input bytes: 0 Output bytes: 0 Input packets: 0 Output packets: 0 Errors: AH authentication failures: 0, Replay errors: 0 ESP authentication failures: 0, ESP decryption failures: 0 Bad headers: 0, Bad trailers: 0 root@SRX02> |
라우팅 확인
SRX01
전체 설정
SRX01
| root@SRX01> show configuration | display set | no-more set version 21.3R1.9 set system host-name SRX01 set security ike proposal standard authentication-method pre-shared-keys set security ike policy IKE-POLICY-S2SVPN-01 mode aggressive set security ike policy IKE-POLICY-S2SVPN-01 proposals standard set security ike policy IKE-POLICY-S2SVPN-01 pre-shared-key ascii-text "$9$a-GjqTz6uORmfORhSMWJGD" set security ike gateway IKE-GW-S2SVPN-01 ike-policy IKE-POLICY-S2SVPN-01 set security ike gateway IKE-GW-S2SVPN-01 address 20.1.1.1 set security ike gateway IKE-GW-S2SVPN-01 external-interface ge-0/0/0 set security ipsec proposal standard set security ipsec policy IPSEC-POLICY-S2SVPN-01 proposals standard set security ipsec vpn SRX01-TO-SRX02 bind-interface st0.0 set security ipsec vpn SRX01-TO-SRX02 ike gateway IKE-GW-S2SVPN-01 set security ipsec vpn SRX01-TO-SRX02 ike ipsec-policy IPSEC-POLICY-S2SVPN-01 set security ipsec vpn SRX01-TO-SRX02 establish-tunnels immediately set security nat source rule-set SOURCE-NAT from zone trust set security nat source rule-set SOURCE-NAT to zone untrust set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 192.168.1.0/24 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols all set security zones security-zone trust interfaces ge-0/0/1.0 set security zones security-zone untrust host-inbound-traffic system-services all set security zones security-zone untrust host-inbound-traffic protocols all set security zones security-zone untrust interfaces ge-0/0/0.0 set security zones security-zone vpn host-inbound-traffic system-services all set security zones security-zone vpn host-inbound-traffic protocols all set security zones security-zone vpn interfaces st0.0 set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24 set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24 set interfaces st0 unit 0 family inet mtu 1500 set interfaces st0 unit 0 family inet address 1.1.1.1/30 set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2p set protocols ospf area 0.0.0.0 interface st0.0 neighbor 1.1.1.2 set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 passive set routing-options router-id 1.1.1.1 set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254 |
SRX02
| root@SRX02> show configuration | display set | no-more set version 21.3R1.9 set system host-name SRX02 set security ike proposal standard authentication-method pre-shared-keys set security ike policy IKE-POLICY-S2SVPN-01 mode aggressive set security ike policy IKE-POLICY-S2SVPN-01 proposals standard set security ike policy IKE-POLICY-S2SVPN-01 pre-shared-key ascii-text "$9$SY2lvLdb2GDkxNDk.P3nylK" set security ike gateway IKE-GW-S2SVPN-01 ike-policy IKE-POLICY-S2SVPN-01 set security ike gateway IKE-GW-S2SVPN-01 address 10.1.1.1 set security ike gateway IKE-GW-S2SVPN-01 external-interface ge-0/0/0 set security ipsec proposal standard set security ipsec policy IPSEC-POLICY-S2SVPN-01 proposals standard set security ipsec vpn SRX02-TO-SRX01 bind-interface st0.0 set security ipsec vpn SRX02-TO-SRX01 ike gateway IKE-GW-S2SVPN-01 set security ipsec vpn SRX02-TO-SRX01 ike ipsec-policy IPSEC-POLICY-S2SVPN-01 set security ipsec vpn SRX02-TO-SRX01 establish-tunnels immediately set security nat source rule-set SOURCE-NAT from zone trust set security nat source rule-set SOURCE-NAT to zone untrust set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 192.168.2.0/24 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols all set security zones security-zone trust interfaces ge-0/0/1.0 set security zones security-zone untrust host-inbound-traffic system-services all set security zones security-zone untrust host-inbound-traffic protocols all set security zones security-zone untrust interfaces ge-0/0/0.0 set security zones security-zone vpn host-inbound-traffic system-services all set security zones security-zone vpn host-inbound-traffic protocols all set security zones security-zone vpn interfaces st0.0 set interfaces ge-0/0/0 unit 0 family inet address 20.1.1.1/24 set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24 set interfaces st0 unit 0 family inet mtu 1500 set interfaces st0 unit 0 family inet address 1.1.1.2/30 set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2p set protocols ospf area 0.0.0.0 interface st0.0 neighbor 1.1.1.1 set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 passive set routing-options router-id 1.1.1.2 set routing-options static route 0.0.0.0/0 next-hop 20.1.1.254 root@SRX02> |
Router
| hostname INT_R1 ! boot-start-marker boot-end-marker ! ! ! no aaa new-model ! ! ! mmi polling-interval 60 no mmi auto-configure no mmi pvc mmi snmp-timeout 180 ! ! ! ! ! ! ! ! ! ! ! ip cef no ipv6 cef ! multilink bundle-name authenticated ! ! ! ! ! redundancy ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! interface GigabitEthernet0/0 ip address 10.1.1.254 255.255.255.0 ip nat inside ip virtual-reassembly in duplex auto speed auto media-type rj45 ! interface GigabitEthernet0/1 ip address 20.1.1.254 255.255.255.0 ip nat inside ip virtual-reassembly in duplex auto speed auto media-type rj45 ! interface GigabitEthernet0/2 ip address 192.168.10.99 255.255.255.0 ip nat outside ip virtual-reassembly in duplex auto speed auto media-type rj45 ! interface GigabitEthernet0/3 no ip address shutdown duplex auto speed auto media-type rj45 ! ip forward-protocol nd ! ! no ip http server no ip http secure-server ip nat inside source list 1 interface GigabitEthernet0/2 overload ip route 0.0.0.0 0.0.0.0 192.168.10.253 ! ipv6 ioam timestamp ! ! access-list 1 permit any ! |
지금까지 [2025][Juniper SRX #23] site to site vpn - S2S VPN - OSPF 글을 읽어주셔서 감사합니다.
| [2025][Juniper SRX #27] Static NAT - One to One NAT (0) | 2025.02.14 |
|---|---|
| [2025][Juniper SRX #26] Source Nat - SNAT - IP Pool (0) | 2025.02.14 |
| [2025][Juniper SRX #23] site to site vpn - S2S VPN - static route (0) | 2025.02.07 |
| [2025][Juniper SRX #22] site to site vpn - S2S VPN - 기본 설정 (0) | 2025.02.07 |
| [2025][Juniper SRX #21] ip monitor - ip sla (0) | 2025.02.06 |
안녕하세요.
이번에는 Juniper SRX S2S VPN 설정하겠습니다.
실습을 위해서 기본 설정은 아래 글을 참고 부탁드립니다.
https://itblog-kr.tistory.com/196
1. 토폴로지는 아래와 같습니다.
SRX01 Ge-0/0/0 10.1.1.1 trust
SRX01 Ge-0/0/1 192.168.1.1 untrust
SRX02 Ge-0/0/0 20.1.1.1 trust
SRX02 Ge-0/0/1 192.168.2.1 untrust
S2S VPN 연결후 PC 192.168.1.10 <-> PC 192.168.2.10으로 통신이 가능 합니다.
2. SRX01 설정
2-1 Tunnel Interface 설정
| set interfaces st0 unit 0 family inet |
2-2 Tunnel Interface통해서 상대방 SRX02 내부 192.168.2.0/24로 Static Route 설정
| set routing-options static route 192.168.2.0/24 next-hop st0.0 |
2-3 IKE 설정
IKE POLICY Name: IKE-POLICY-S2SVPN-01
IKE GATEWAY Name: IKE-GW-S2SVPN-01
Pre-share-Keys: juniper
| set security ike proposal standard authentication-method pre-shared-keys set security ike policy IKE-POLICY-S2SVPN-01 mode aggressive set security ike policy IKE-POLICY-S2SVPN-01 proposals standard set security ike policy IKE-POLICY-S2SVPN-01 pre-shared-key ascii-text juniper set security ike gateway IKE-GW-S2SVPN-01 ike-policy IKE-POLICY-S2SVPN-01 set security ike gateway IKE-GW-S2SVPN-01 address 20.1.1.1 set security ike gateway IKE-GW-S2SVPN-01 external-interface ge-0/0/0 |
2-4 IPSEC 설정
| set security ipsec proposal standard set security ipsec policy IPSEC-POLICY-S2SVPN-01 proposals standard set security ipsec vpn SRX01-TO-SRX02 bind-interface st0.0 set security ipsec vpn SRX01-TO-SRX02 ike gateway IKE-GW-S2SVPN-01 set security ipsec vpn SRX01-TO-SRX02 ike ipsec-policy IPSEC-POLICY-S2SVPN-01 set security ipsec vpn SRX01-TO-SRX02 establish-tunnels immediately |
2-5 S2S VPN을 위한 방화벽 정책 설정
| set security zones security-zone vpn host-inbound-traffic system-services all set security zones security-zone vpn interfaces st0.0 set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit |
3 SRX02 설정
3-1 Tunnel Interface 설정
| set interfaces st0 unit 0 family inet |
3-2 Tunnel Interface통해서 상대방 SRX02 내부 192.168.1.0/24로 Static Route 설정
| set routing-options static route 192.168.1.0/24 next-hop st0.0 |
3-3 IKE 설정
IKE POLICY Name: IKE-POLICY-S2SVPN-01
IKE GATEWAY Name: IKE-GW-S2SVPN-01
Pre-share-Keys: juniper
| set security ike proposal standard authentication-method pre-shared-keys set security ike policy IKE-POLICY-S2SVPN-01 mode aggressive set security ike policy IKE-POLICY-S2SVPN-01 proposals standard set security ike policy IKE-POLICY-S2SVPN-01 pre-shared-key ascii-text juniper set security ike gateway IKE-GW-S2SVPN-01 ike-policy IKE-POLICY-S2SVPN-01 set security ike gateway IKE-GW-S2SVPN-01 address 10.1.1.1 set security ike gateway IKE-GW-S2SVPN-01 external-interface ge-0/0/0 |
3-4 IPSEC 설정
| set security ipsec proposal standard set security ipsec policy IPSEC-POLICY-S2SVPN-01 proposals standard set security ipsec vpn SRX02-TO-SRX01 bind-interface st0.0 set security ipsec vpn SRX02-TO-SRX01 ike gateway IKE-GW-S2SVPN-01 set security ipsec vpn SRX02-TO-SRX01 ike ipsec-policy IPSEC-POLICY-S2SVPN-01 set security ipsec vpn SRX02-TO-SRX01 establish-tunnels immediately |
3-5 S2S VPN을 위한 방화벽 정책 설정
| set security zones security-zone vpn host-inbound-traffic system-services all set security zones security-zone vpn interfaces st0.0 set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit |
4. Test
PC01에서 PC02로 PING 192.168.2.10
PC02에서 PC01로 PING 192.168.1.10
| PC01 84 bytes from 192.168.2.10 icmp_seq=105 ttl=62 time=12.610 ms 84 bytes from 192.168.2.10 icmp_seq=106 ttl=62 time=33.502 ms 84 bytes from 192.168.2.10 icmp_seq=107 ttl=62 time=3.875 ms 84 bytes from 192.168.2.10 icmp_seq=108 ttl=62 time=5.376 ms 84 bytes from 192.168.2.10 icmp_seq=109 ttl=62 time=3.175 ms 84 bytes from 192.168.2.10 icmp_seq=110 ttl=62 time=2.963 ms 84 bytes from 192.168.2.10 icmp_seq=111 ttl=62 time=3.547 ms 84 bytes from 192.168.2.10 icmp_seq=112 ttl=62 time=3.976 ms 84 bytes from 192.168.2.10 icmp_seq=113 ttl=62 time=3.358 ms 84 bytes from 192.168.2.10 icmp_seq=114 ttl=62 time=9.753 ms 84 bytes from 192.168.2.10 icmp_seq=115 ttl=62 time=3.128 ms 84 bytes from 192.168.2.10 icmp_seq=116 ttl=62 time=4.142 ms 84 bytes from 192.168.2.10 icmp_seq=117 ttl=62 time=3.175 ms 84 bytes from 192.168.2.10 icmp_seq=118 ttl=62 time=4.214 ms 84 bytes from 192.168.2.10 icmp_seq=119 ttl=62 time=3.807 ms 84 bytes from 192.168.2.10 icmp_seq=120 ttl=62 time=4.220 ms 84 bytes from 192.168.2.10 icmp_seq=121 ttl=62 time=7.300 ms 84 bytes from 192.168.2.10 icmp_seq=122 ttl=62 time=3.735 ms 84 bytes from 192.168.2.10 icmp_seq=123 ttl=62 time=5.798 ms 84 bytes from 192.168.2.10 icmp_seq=124 ttl=62 time=3.588 ms 84 bytes from 192.168.2.10 icmp_seq=125 ttl=62 time=3.750 ms 84 bytes from 192.168.2.10 icmp_seq=126 ttl=62 time=3.633 ms 84 bytes from 192.168.2.10 icmp_seq=127 ttl=62 time=2.710 ms 84 bytes from 192.168.2.10 icmp_seq=128 ttl=62 time=4.018 ms 84 bytes from 192.168.2.10 icmp_seq=129 ttl=62 time=3.169 ms 84 bytes from 192.168.2.10 icmp_seq=130 ttl=62 time=3.093 ms 84 bytes from 192.168.2.10 icmp_seq=131 ttl=62 time=3.001 ms 84 bytes from 192.168.2.10 icmp_seq=132 ttl=62 time=4.013 ms 84 bytes from 192.168.2.10 icmp_seq=133 ttl=62 time=3.296 ms 84 bytes from 192.168.2.10 icmp_seq=134 ttl=62 time=2.731 ms 84 bytes from 192.168.2.10 icmp_seq=135 ttl=62 time=3.164 ms 84 bytes from 192.168.2.10 icmp_seq=136 ttl=62 time=3.521 ms 84 bytes from 192.168.2.10 icmp_seq=137 ttl=62 time=3.264 ms 84 bytes from 192.168.2.10 icmp_seq=138 ttl=62 time=3.372 ms PC02 84 bytes from 192.168.1.10 icmp_seq=96 ttl=62 time=11.549 ms 84 bytes from 192.168.1.10 icmp_seq=97 ttl=62 time=3.299 ms 84 bytes from 192.168.1.10 icmp_seq=98 ttl=62 time=4.139 ms 84 bytes from 192.168.1.10 icmp_seq=99 ttl=62 time=6.704 ms 84 bytes from 192.168.1.10 icmp_seq=100 ttl=62 time=7.948 ms 84 bytes from 192.168.1.10 icmp_seq=101 ttl=62 time=7.042 ms 84 bytes from 192.168.1.10 icmp_seq=102 ttl=62 time=8.883 ms 84 bytes from 192.168.1.10 icmp_seq=103 ttl=62 time=5.830 ms 84 bytes from 192.168.1.10 icmp_seq=104 ttl=62 time=3.864 ms 84 bytes from 192.168.1.10 icmp_seq=105 ttl=62 time=7.203 ms 84 bytes from 192.168.1.10 icmp_seq=106 ttl=62 time=5.233 ms 84 bytes from 192.168.1.10 icmp_seq=107 ttl=62 time=3.276 ms 84 bytes from 192.168.1.10 icmp_seq=108 ttl=62 time=3.849 ms 84 bytes from 192.168.1.10 icmp_seq=109 ttl=62 time=4.194 ms 84 bytes from 192.168.1.10 icmp_seq=110 ttl=62 time=3.221 ms 84 bytes from 192.168.1.10 icmp_seq=111 ttl=62 time=3.447 ms 84 bytes from 192.168.1.10 icmp_seq=112 ttl=62 time=4.475 ms 84 bytes from 192.168.1.10 icmp_seq=113 ttl=62 time=4.493 ms 84 bytes from 192.168.1.10 icmp_seq=114 ttl=62 time=3.987 ms 84 bytes from 192.168.1.10 icmp_seq=115 ttl=62 time=3.965 ms 84 bytes from 192.168.1.10 icmp_seq=116 ttl=62 time=3.814 ms 84 bytes from 192.168.1.10 icmp_seq=117 ttl=62 time=3.276 ms 84 bytes from 192.168.1.10 icmp_seq=118 ttl=62 time=3.454 ms 84 bytes from 192.168.1.10 icmp_seq=119 ttl=62 time=4.694 ms 84 bytes from 192.168.1.10 icmp_seq=120 ttl=62 time=4.093 ms 84 bytes from 192.168.1.10 icmp_seq=121 ttl=62 time=3.481 ms 84 bytes from 192.168.1.10 icmp_seq=122 ttl=62 time=5.376 ms 84 bytes from 192.168.1.10 icmp_seq=123 ttl=62 time=3.494 ms 84 bytes from 192.168.1.10 icmp_seq=124 ttl=62 time=4.032 ms 84 bytes from 192.168.1.10 icmp_seq=125 ttl=62 time=3.6 |
4. S2S VPN 상태 확인
SRX01
IKE Phase 1 UP이 표시 되면 IPSEC를 확인 합니다.
| root@SRX01> show security ike security-associations Index State Initiator cookie Responder cookie Mode Remote Address 5482273 UP 65c909f14f4d8824 7d74504d227553ca Aggressive 20.1.1.1 |
IPSEC Phase2 아래처럼 터널이 생성 되었는지 확인
| root@SRX01> show security ipsec security-associations Total active tunnels: 1 Total Ipsec sas: 1 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <131073 ESP:3des/sha1 fc12e938 3062/ unlim - root 500 20.1.1.1 >131073 ESP:3des/sha1 49d44ef0 3062/ unlim - root 500 20.1.1.1 |
PC01에서 PC02로 무한으로 PING를 시도하고 Packet Count가 실제 올라가는지 확인 합니다
그리고 SRX01에서 아래 명령어로 확인
| root@SRX01> show security ipsec statistics ESP Statistics: Encrypted bytes: 70040 Decrypted bytes: 41832 Encrypted packets: 515 Decrypted packets: 498 AH Statistics: Input bytes: 0 Output bytes: 0 Input packets: 0 Output packets: 0 Errors: AH authentication failures: 0, Replay errors: 0 ESP authentication failures: 0, ESP decryption failures: 0 Bad headers: 0, Bad trailers: 0 root@SRX01> |
10초뒤에 다시 똑같은 명령어를 입력하면 Packet Count가 증가하였습니다.
| root@SRX01> show security ipsec statistics ESP Statistics: Encrypted bytes: 77656 Decrypted bytes: 46536 Encrypted packets: 571 Decrypted packets: 554 AH Statistics: Input bytes: 0 Output bytes: 0 Input packets: 0 Output packets: 0 Errors: AH authentication failures: 0, Replay errors: 0 ESP authentication failures: 0, ESP decryption failures: 0 Bad headers: 0, Bad trailers: 0 root@SRX01> |
PC02 -> PC01로 무한으로 PING를 시도합니다
SRX02에서 확인해보겠습니다.
IKE Phase 1 UP이 표시 되면 IPSEC를 확인 합니다.
| root@SRX02> show security ike security-associations Index State Initiator cookie Responder cookie Mode Remote Address 6514201 UP 65c909f14f4d8824 7d74504d227553ca Aggressive 10.1.1.1 root@SRX02> |
IPSEC Phase2 Tunnel이 생성되었습니다.
| root@SRX02> show security ipsec security-associations Total active tunnels: 1 Total Ipsec sas: 1 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <131073 ESP:3des/sha1 49d44ef0 2678/ unlim - root 500 10.1.1.1 >131073 ESP:3des/sha1 fc12e938 2678/ unlim - root 500 10.1.1.1 root@SRX02> |
Packet Count를 확인 합니다
| root@SRX02> show security ipsec statistics ESP Statistics: Encrypted bytes: 87992 Decrypted bytes: 55776 Encrypted packets: 647 Decrypted packets: 664 AH Statistics: Input bytes: 0 Output bytes: 0 Input packets: 0 Output packets: 0 Errors: AH authentication failures: 0, Replay errors: 0 ESP authentication failures: 0, ESP decryption failures: 0 Bad headers: 0, Bad trailers: 0 root@SRX02> |
10초뒤에 다시 한번 확인합니다
| root@SRX02> show security ipsec statistics ESP Statistics: Encrypted bytes: 90032 Decrypted bytes: 57036 Encrypted packets: 662 Decrypted packets: 679 AH Statistics: Input bytes: 0 Output bytes: 0 Input packets: 0 Output packets: 0 Errors: AH authentication failures: 0, Replay errors: 0 ESP authentication failures: 0, ESP decryption failures: 0 Bad headers: 0, Bad trailers: 0 root@SRX02> |
전체 설정
SRX01
| root@SRX01> show configuration | display set | no-more set version 21.3R1.9 set system host-name SRX01 set security ike proposal standard authentication-method pre-shared-keys set security ike policy IKE-POLICY-S2SVPN-01 mode aggressive set security ike policy IKE-POLICY-S2SVPN-01 proposals standard set security ike policy IKE-POLICY-S2SVPN-01 pre-shared-key ascii-text "$9$a-GjqTz6uORmfORhSMWJGD" set security ike gateway IKE-GW-S2SVPN-01 ike-policy IKE-POLICY-S2SVPN-01 set security ike gateway IKE-GW-S2SVPN-01 address 20.1.1.1 set security ike gateway IKE-GW-S2SVPN-01 external-interface ge-0/0/0 set security ipsec proposal standard set security ipsec policy IPSEC-POLICY-S2SVPN-01 proposals standard set security ipsec vpn SRX01-TO-SRX02 bind-interface st0.0 set security ipsec vpn SRX01-TO-SRX02 ike gateway IKE-GW-S2SVPN-01 set security ipsec vpn SRX01-TO-SRX02 ike ipsec-policy IPSEC-POLICY-S2SVPN-01 set security ipsec vpn SRX01-TO-SRX02 establish-tunnels immediately set security nat source rule-set SOURCE-NAT from zone trust set security nat source rule-set SOURCE-NAT to zone untrust set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 192.168.1.0/24 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols all set security zones security-zone trust interfaces ge-0/0/1.0 set security zones security-zone untrust host-inbound-traffic system-services all set security zones security-zone untrust host-inbound-traffic protocols all set security zones security-zone untrust interfaces ge-0/0/0.0 set security zones security-zone vpn host-inbound-traffic system-services all set security zones security-zone vpn interfaces st0.0 set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24 set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24 set interfaces st0 unit 0 family inet set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254 set routing-options static route 192.168.2.0/24 next-hop st0.0 root@SRX01> |
SRX02
| root@SRX02> show configuration | display set | no-more set version 21.3R1.9 set system host-name SRX02 set security ike proposal standard authentication-method pre-shared-keys set security ike policy IKE-POLICY-S2SVPN-01 mode aggressive set security ike policy IKE-POLICY-S2SVPN-01 proposals standard set security ike policy IKE-POLICY-S2SVPN-01 pre-shared-key ascii-text "$9$SY2lvLdb2GDkxNDk.P3nylK" set security ike gateway IKE-GW-S2SVPN-01 ike-policy IKE-POLICY-S2SVPN-01 set security ike gateway IKE-GW-S2SVPN-01 address 10.1.1.1 set security ike gateway IKE-GW-S2SVPN-01 external-interface ge-0/0/0 set security ipsec proposal standard set security ipsec policy IPSEC-POLICY-S2SVPN-01 proposals standard set security ipsec vpn SRX02-TO-SRX01 bind-interface st0.0 set security ipsec vpn SRX02-TO-SRX01 ike gateway IKE-GW-S2SVPN-01 set security ipsec vpn SRX02-TO-SRX01 ike ipsec-policy IPSEC-POLICY-S2SVPN-01 set security ipsec vpn SRX02-TO-SRX01 establish-tunnels immediately set security nat source rule-set SOURCE-NAT from zone trust set security nat source rule-set SOURCE-NAT to zone untrust set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 192.168.2.0/24 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols all set security zones security-zone trust interfaces ge-0/0/1.0 set security zones security-zone untrust host-inbound-traffic system-services all set security zones security-zone untrust host-inbound-traffic protocols all set security zones security-zone untrust interfaces ge-0/0/0.0 set security zones security-zone vpn host-inbound-traffic system-services all set security zones security-zone vpn interfaces st0.0 set interfaces ge-0/0/0 unit 0 family inet address 20.1.1.1/24 set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24 set interfaces st0 unit 0 family inet set routing-options static route 0.0.0.0/0 next-hop 20.1.1.254 set routing-options static route 192.168.1.0/24 next-hop st0.0 root@SRX02> |
Router
| hostname INT_R1 ! boot-start-marker boot-end-marker ! ! ! no aaa new-model ! ! ! mmi polling-interval 60 no mmi auto-configure no mmi pvc mmi snmp-timeout 180 ! ! ! ! ! ! ! ! ! ! ! ip cef no ipv6 cef ! multilink bundle-name authenticated ! ! ! ! ! redundancy ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! interface GigabitEthernet0/0 ip address 10.1.1.254 255.255.255.0 ip nat inside ip virtual-reassembly in duplex auto speed auto media-type rj45 ! interface GigabitEthernet0/1 ip address 20.1.1.254 255.255.255.0 ip nat inside ip virtual-reassembly in duplex auto speed auto media-type rj45 ! interface GigabitEthernet0/2 ip address 192.168.10.99 255.255.255.0 ip nat outside ip virtual-reassembly in duplex auto speed auto media-type rj45 ! interface GigabitEthernet0/3 no ip address shutdown duplex auto speed auto media-type rj45 ! ip forward-protocol nd ! ! no ip http server no ip http secure-server ip nat inside source list 1 interface GigabitEthernet0/2 overload ip route 0.0.0.0 0.0.0.0 192.168.10.253 ! ipv6 ioam timestamp ! ! access-list 1 permit any ! |
지금까지 [2025][Juniper SRX #23] site to site vpn - S2S VPN 글을 읽어주셔서 감사합니다.
| [2025][Juniper SRX #26] Source Nat - SNAT - IP Pool (0) | 2025.02.14 |
|---|---|
| [2025][Juniper SRX #24] site to site vpn - S2S VPN - OSPF (0) | 2025.02.07 |
| [2025][Juniper SRX #22] site to site vpn - S2S VPN - 기본 설정 (0) | 2025.02.07 |
| [2025][Juniper SRX #21] ip monitor - ip sla (0) | 2025.02.06 |
| [2024][Juniper SRX #20] License Install - J-Web (0) | 2025.02.05 |
안녕하세요.
오늘은 Juniper SRX에서 Site to Site VPN 설정에 대해서 알아보겠습니다.
EVE-NG에서 토폴로지는 아래와 같이 구성하였습니다.
위에 테스트 구성을 하기 위해서는 아래 글을 참고 부탁드립니다.
1. EVE_NG 설치
https://itblog-kr.tistory.com/11
[2024][EVE-NG #1] 네트워크 시뮬레이션 EVE-NG 설치하기(VMware Workstation)
안녕하세요. 오늘은 주제는 [2024][EVE-NG #1] 네트워크 시뮬레이션 EVE-NG 설치하기(VMware Workstation)입니다. EVE-NG를 설치하기 전에 EVE-NG가 무엇인지 궁금하신 분은 아래 블로그 글을 참조 부탁드립
itblog-kr.tistory.com
2. Router 설치
https://itblog-kr.tistory.com/6
[EVE-NG #6] vIOS cisco 라우터 설치하기
안녕하세요. 이번에는 EVE-NG안에 vIOS cisco라우터를 설치해보겠습니다. EVE-NG가 설치가 않되어져 있다면 아래 블로그를 참조하여 EVE-NG부터 설치하시길 바랍니다. VirtualBox(무료) 가상화 프로그램을
itblog-kr.tistory.com
3. SRX설치
https://itblog-kr.tistory.com/26
[2024][EVE-NG #14] Juniper SRX 방화벽 설치하기
안녕하세요. 오늘은 [2024][EVE-NG #14] Juniper SRX 방화벽 설치하기입니다. 1. eve-ng 공식 홈페이지 관련 내용입니다. https://www.eve-ng.net/index.php/documentation/howtos/howto-add-juniper-vsrx-ng-15-x-and-later/ Juniper vSR
itblog-kr.tistory.com
4. VPC설치
https://itblog-kr.tistory.com/59
[2024][EVE-NG #18] Virtual PC(VPCS)
안녕하세요. 이번에는 EVE-NG에서 VPC에 대해서 알아보도록 하겠습니다. 테스트 할때 간단하게 Ping을 위해서 PC를 만들고 싶을때가 있습니다. 그렇다고 라우터나 스위치 또는 윈도우 PC를 두기에
itblog-kr.tistory.com
실습 준비가 완료 되었으면 주니퍼 SRX site to site vpn를 테스트 하겠습니다.
1. Router 설정
| Router# Router#conf t Router(config)#ho INT_R1 INT_R1(config)#int g0/2 INT_R1(config-if)#ip add 192.168.10.99 255.255.255.0 INT_R1(config-if)#no sh INT_R1(config-if)#int g0/0 INT_R1(config-if)#ip add 10.1.1.254 255.255.255.0 INT_R1(config-if)#no sh INT_R1(config-if)#int g0/1 INT_R1(config-if)#ip add 20.1.1.254 255.255.255.0 INT_R1(config-if)#no sh INT_R1(config-if)#end INT_R1#conf t INT_R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.10.253 |
1-1 NAT 설정
| INT_R1#conf t INT_R1(config)#access-list 1 permit any INT_R1(config)#int g0/2 INT_R1(config-if)#ip nat out INT_R1(config-if)#int g0/0 INT_R1(config-if)#ip nat inside INT_R1(config-if)#int g0/1 INT_R1(config-if)#ip nat inside INT_R1(config-if)#end INT_R1(config)#ip nat inside source list 1 interface g0/2 overload INT_R1(config)# |
1-2 Ping Test
| INT_R1#show ip int brie Interface IP-Address OK? Method Status Protocol GigabitEthernet0/0 10.1.1.254 YES manual up up GigabitEthernet0/1 20.1.1.254 YES manual up up GigabitEthernet0/2 192.168.10.99 YES manual up up GigabitEthernet0/3 unassigned YES unset administratively down down NVI0 10.1.1.254 YES unset up up INT_R1# INT_R1#show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP a - application route + - replicated route, % - next hop override, p - overrides from PfR Gateway of last resort is 192.168.10.253 to network 0.0.0.0 S* 0.0.0.0/0 [1/0] via 192.168.10.253 10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 10.1.1.0/24 is directly connected, GigabitEthernet0/0 L 10.1.1.254/32 is directly connected, GigabitEthernet0/0 20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 20.1.1.0/24 is directly connected, GigabitEthernet0/1 L 20.1.1.254/32 is directly connected, GigabitEthernet0/1 192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks C 192.168.10.0/24 is directly connected, GigabitEthernet0/2 L 192.168.10.99/32 is directly connected, GigabitEthernet0/2 INT_R1# INT_R1# INT_R1#ping 8.8.8.8 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/10 ms INT_R1#ping 8.8.8.8 sou INT_R1#ping 8.8.8.8 source g0/0 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds: Packet sent with a source address of 10.1.1.254 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/4 ms INT_R1#ping 8.8.8.8 source g0/1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds: Packet sent with a source address of 20.1.1.254 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/8 ms INT_R1# |
2. SRX01 기본 설정
ge-0/0/0 - 10.1.1.1
ge-0/0/1 - 192.168.1.1
2-1 기본설정값을 모두 삭제
| root@:~ # cli root> configure Entering configuration mode [edit] root# delete This will delete the entire configuration Delete everything under this level? [yes,no] (no) yes [edit] root# set system root-authentication plain-text-password New password: Retype new password: [edit] root# cin ^ unknown command. root# commit commit complete [edit] root# |
2-2 기본설정
| set system host-name SRX01 set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols all set security zones security-zone trust interfaces ge-0/0/1.0 set security zones security-zone untrust host-inbound-traffic system-services all set security zones security-zone untrust host-inbound-traffic protocols all set security zones security-zone untrust interfaces ge-0/0/0.0 set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24 set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24 set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254 |
2-3 방화벽 정책 설정
| set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit |
2-4 NAT 설정
| set security nat source rule-set SOURCE-NAT from zone trust set security nat source rule-set SOURCE-NAT to zone untrust set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 192.168.1.0/24 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface |
2-5 확인
| root@SRX01> show interfaces terse Interface Admin Link Proto Local Remote ge-0/0/0 up up ge-0/0/0.0 up up inet 10.1.1.1/24 gr-0/0/0 up up ip-0/0/0 up up lsq-0/0/0 up up lt-0/0/0 up up mt-0/0/0 up up sp-0/0/0 up up sp-0/0/0.0 up up inet inet6 sp-0/0/0.16383 up up inet ge-0/0/1 up up ge-0/0/1.0 up up inet 192.168.1.1/24 ge-0/0/2 up up dsc up up fti0 up up fxp0 up up gre up up ipip up up irb up up lo0 up up lo0.16384 up up inet 127.0.0.1 --> 0/0 lo0.16385 up up inet 10.0.0.1 --> 0/0 10.0.0.16 --> 0/0 128.0.0.1 --> 0/0 128.0.0.4 --> 0/0 128.0.1.16 --> 0/0 lo0.32768 up up lsi up up mtun up up pimd up up pime up up pp0 up up ppd0 up up ppe0 up up st0 up up tap up up vlan up down root@SRX01> show route inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 0.0.0.0/0 *[Static/5] 00:02:39 > to 10.1.1.254 via ge-0/0/0.0 10.1.1.0/24 *[Direct/0] 00:02:40 > via ge-0/0/0.0 10.1.1.1/32 *[Local/0] 00:02:40 Local via ge-0/0/0.0 192.168.1.0/24 *[Direct/0] 00:02:39 > via ge-0/0/1.0 192.168.1.1/32 *[Local/0] 00:02:39 Local via ge-0/0/1.0 inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both ff02::2/128 *[INET6/0] 00:07:11 MultiRecv root@SRX01> show security zones Security zone: trust Zone ID: 7 Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 1 Interfaces: ge-0/0/1.0 Advanced-connection-tracking timeout: 1800 Unidirectional-session-refreshing: No Security zone: untrust Zone ID: 8 Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 1 Interfaces: ge-0/0/0.0 Advanced-connection-tracking timeout: 1800 Unidirectional-session-refreshing: No Security zone: junos-host Zone ID: 2 Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 0 Interfaces: Advanced-connection-tracking timeout: 1800 Unidirectional-session-refreshing: No root@SRX01> show security nat source summary Total pools: 0 Total rules: 1 Rule name Rule set From To Action PAT-INTERFACE SOURCE-NAT trust untrust interface root@SRX01> show security nat source rule all Total rules: 1 Total referenced IPv4/IPv6 ip-prefixes: 2/0 source NAT rule: PAT-INTERFACE Rule-set: SOURCE-NAT Rule-Id : 1 Rule position : 1 From zone : trust To zone : untrust Match Source addresses : 192.168.1.0 - 192.168.1.255 Destination addresses : 0.0.0.0 - 255.255.255.255 Action : interface Persistent NAT type : N/A Persistent NAT mapping type : address-port-mapping Inactivity timeout : 0 Max session number : 0 Translation hits : 10 Successful sessions : 10 Number of sessions : 0 root@SRX01> |
3. PC01 설정
| VPCS> VPCS> ip 192.168.1.10/24 192.168.1.1 Checking for duplicate address... VPCS : 192.168.1.10 255.255.255.0 gateway 192.168.1.1 VPCS> save Saving startup configuration to startup.vpc . done VPCS> |
3-1 Ping 테스트
| VPCS> VPCS> ping 192.168.1.1 84 bytes from 192.168.1.1 icmp_seq=1 ttl=64 time=471.943 ms 84 bytes from 192.168.1.1 icmp_seq=2 ttl=64 time=0.827 ms 84 bytes from 192.168.1.1 icmp_seq=3 ttl=64 time=0.941 ms 84 bytes from 192.168.1.1 icmp_seq=4 ttl=64 time=0.788 ms 84 bytes from 192.168.1.1 icmp_seq=5 ttl=64 time=0.803 ms ^C VPCS> ping 8.8.8.8 84 bytes from 8.8.8.8 icmp_seq=1 ttl=115 time=29.083 ms 84 bytes from 8.8.8.8 icmp_seq=2 ttl=115 time=5.006 ms 84 bytes from 8.8.8.8 icmp_seq=3 ttl=115 time=5.656 ms 84 bytes from 8.8.8.8 icmp_seq=4 ttl=115 time=5.298 ms 84 bytes from 8.8.8.8 icmp_seq=5 ttl=115 time=5.411 ms ^C VPCS> |
4. SRX02 설정
Ge-0/0/0 20.1.1.1/24
Ge-0/0/1 192.168.2.1/24
4-1 기본설정값 삭제
| root> configure Entering configuration mode [edit] root# delete This will delete the entire configuration Delete everything under this level? [yes,no] (no) yes [edit] root# set system root-authentication plain-text-password New password: Retype new password: [edit] root# commit commit complete [edit] root# |
4-2 기본 설정
| set system host-name SRX02 set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols all set security zones security-zone trust interfaces ge-0/0/1.0 set security zones security-zone untrust host-inbound-traffic system-services all set security zones security-zone untrust host-inbound-traffic protocols all set security zones security-zone untrust interfaces ge-0/0/0.0 set interfaces ge-0/0/0 unit 0 family inet address 20.1.1.1/24 set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24 set routing-options static route 0.0.0.0/0 next-hop 20.1.1.254 |
4-3 방화벽 정책 설정
| set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit |
4-4 NAT 설정
| set security nat source rule-set SOURCE-NAT from zone trust set security nat source rule-set SOURCE-NAT to zone untrust set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 192.168.2.0/24 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface |
4-5 확인
| root@SRX02> show interfaces terse Interface Admin Link Proto Local Remote ge-0/0/0 up up ge-0/0/0.0 up up inet 20.1.1.1/24 gr-0/0/0 up up ip-0/0/0 up up lsq-0/0/0 up up lt-0/0/0 up up mt-0/0/0 up up sp-0/0/0 up up sp-0/0/0.0 up up inet inet6 sp-0/0/0.16383 up up inet ge-0/0/1 up up ge-0/0/1.0 up up inet 192.168.2.1/24 ge-0/0/2 up up dsc up up fti0 up up fxp0 up up gre up up ipip up up irb up up lo0 up up lo0.16384 up up inet 127.0.0.1 --> 0/0 lo0.16385 up up inet 10.0.0.1 --> 0/0 10.0.0.16 --> 0/0 128.0.0.1 --> 0/0 128.0.0.4 --> 0/0 128.0.1.16 --> 0/0 lo0.32768 up up lsi up up mtun up up pimd up up pime up up pp0 up up ppd0 up up ppe0 up up st0 up up tap up up vlan up down root@SRX02> show route inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 0.0.0.0/0 *[Static/5] 00:01:44 > to 20.1.1.254 via ge-0/0/0.0 20.1.1.0/24 *[Direct/0] 00:01:45 > via ge-0/0/0.0 20.1.1.1/32 *[Local/0] 00:01:45 Local via ge-0/0/0.0 192.168.2.0/24 *[Direct/0] 00:01:44 > via ge-0/0/1.0 192.168.2.1/32 *[Local/0] 00:01:44 Local via ge-0/0/1.0 inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both ff02::2/128 *[INET6/0] 00:18:00 MultiRecv root@SRX02> root@SRX02> show security zones Security zone: trust Zone ID: 7 Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 1 Interfaces: ge-0/0/1.0 Advanced-connection-tracking timeout: 1800 Unidirectional-session-refreshing: No Security zone: untrust Zone ID: 8 Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 1 Interfaces: ge-0/0/0.0 Advanced-connection-tracking timeout: 1800 Unidirectional-session-refreshing: No Security zone: junos-host Zone ID: 2 Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 0 Interfaces: Advanced-connection-tracking timeout: 1800 Unidirectional-session-refreshing: No root@SRX02> root@SRX02> show security zones terse Zone Type trust Security untrust Security junos-host Security root@SRX02> |
| root@SRX02> ping 10.1.1.254 PING 10.1.1.254 (10.1.1.254): 56 data bytes 64 bytes from 10.1.1.254: icmp_seq=0 ttl=255 time=285.562 ms 64 bytes from 10.1.1.254: icmp_seq=1 ttl=255 time=4.858 ms 64 bytes from 10.1.1.254: icmp_seq=2 ttl=255 time=4.057 ms 64 bytes from 10.1.1.254: icmp_seq=3 ttl=255 time=3.332 ms 64 bytes from 10.1.1.254: icmp_seq=4 ttl=255 time=3.799 ms ^C --- 10.1.1.254 ping statistics --- 5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max/stddev = 3.332/60.322/285.562/112.621 ms root@SRX02> ping 8.8.8.8 PING 8.8.8.8 (8.8.8.8): 56 data bytes 64 bytes from 8.8.8.8: icmp_seq=0 ttl=116 time=5.710 ms 64 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=3.859 ms 64 bytes from 8.8.8.8: icmp_seq=2 ttl=116 time=4.569 ms 64 bytes from 8.8.8.8: icmp_seq=3 ttl=116 time=4.114 ms ^C --- 8.8.8.8 ping statistics --- 4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max/stddev = 3.859/4.563/5.710/0.709 ms |
4-6 PC2 설정
| VPCS> 192.168.2.10/24 192.168.2.1 Bad command: "192.168.2.10/24 192.168.2.1". Use ? for help. VPCS> ip 192.168.2.10/24 192.168.2.1 Checking for duplicate address... VPCS : 192.168.2.10 255.255.255.0 gateway 192.168.2.1 VPCS> save Saving startup configuration to startup.vpc . done VPCS> ping 192.168.2.1 192.168.2.1 icmp_seq=1 timeout 84 bytes from 192.168.2.1 icmp_seq=2 ttl=64 time=0.764 ms 84 bytes from 192.168.2.1 icmp_seq=3 ttl=64 time=0.610 ms 84 bytes from 192.168.2.1 icmp_seq=4 ttl=64 time=0.833 ms 84 bytes from 192.168.2.1 icmp_seq=5 ttl=64 time=0.984 ms VPCS> ping 8.8.8.8 84 bytes from 8.8.8.8 icmp_seq=1 ttl=115 time=33.537 ms 84 bytes from 8.8.8.8 icmp_seq=2 ttl=115 time=6.485 ms 84 bytes from 8.8.8.8 icmp_seq=3 ttl=115 time=5.357 ms 84 bytes from 8.8.8.8 icmp_seq=4 ttl=115 time=6.767 ms ^C VPCS> |
5. SRX01 -> SRX02 WAN포트로 통신
SRX02 -> SRX01 WAN포트로 통신
| root@SRX01> ping 20.1.1.1 PING 20.1.1.1 (20.1.1.1): 56 data bytes 64 bytes from 20.1.1.1: icmp_seq=0 ttl=63 time=5.115 ms 64 bytes from 20.1.1.1: icmp_seq=1 ttl=63 time=3.391 ms 64 bytes from 20.1.1.1: icmp_seq=2 ttl=63 time=3.597 ms 64 bytes from 20.1.1.1: icmp_seq=3 ttl=63 time=5.333 ms ^C --- 20.1.1.1 ping statistics --- 4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max/stddev = 3.391/4.359/5.333/0.871 ms root@SRX01> root@SRX02> ping 10.1.1.1 PING 10.1.1.1 (10.1.1.1): 56 data bytes 64 bytes from 10.1.1.1: icmp_seq=0 ttl=63 time=6.687 ms 64 bytes from 10.1.1.1: icmp_seq=1 ttl=63 time=7.102 ms 64 bytes from 10.1.1.1: icmp_seq=2 ttl=63 time=4.646 ms 64 bytes from 10.1.1.1: icmp_seq=3 ttl=63 time=2.458 ms 64 bytes from 10.1.1.1: icmp_seq=4 ttl=63 time=5.987 ms ^C --- 10.1.1.1 ping statistics --- 5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max/stddev = 2.458/5.376/7.102/1.680 ms root@SRX02> |
Full configration
SRX01
| root@SRX01> show configuration | display set | no-more set version 21.3R1.9 set system host-name SRX01 set security nat source rule-set SOURCE-NAT from zone trust set security nat source rule-set SOURCE-NAT to zone untrust set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 192.168.1.0/24 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols all set security zones security-zone trust interfaces ge-0/0/1.0 set security zones security-zone untrust host-inbound-traffic system-services all set security zones security-zone untrust host-inbound-traffic protocols all set security zones security-zone untrust interfaces ge-0/0/0.0 set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24 set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24 set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254 |
SRX02
| root@SRX02> show configuration | display set | no-more set version 21.3R1.9 set system host-name SRX02 set security nat source rule-set SOURCE-NAT from zone trust set security nat source rule-set SOURCE-NAT to zone untrust set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 192.168.2.0/24 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols all set security zones security-zone trust interfaces ge-0/0/1.0 set security zones security-zone untrust host-inbound-traffic system-services all set security zones security-zone untrust host-inbound-traffic protocols all set security zones security-zone untrust interfaces ge-0/0/0.0 set interfaces ge-0/0/0 unit 0 family inet address 20.1.1.1/24 set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24 set routing-options static route 0.0.0.0/0 next-hop 20.1.1.254 root@SRX02> |
Router 설정
| hostname INT_R1 ! boot-start-marker boot-end-marker ! ! ! no aaa new-model ! ! ! mmi polling-interval 60 no mmi auto-configure no mmi pvc mmi snmp-timeout 180 ! ! ! ! ! ! ! ! ! ! ! ip cef no ipv6 cef ! multilink bundle-name authenticated ! ! ! ! ! redundancy ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! interface GigabitEthernet0/0 ip address 10.1.1.254 255.255.255.0 ip nat inside ip virtual-reassembly in duplex auto speed auto media-type rj45 ! interface GigabitEthernet0/1 ip address 20.1.1.254 255.255.255.0 ip nat inside ip virtual-reassembly in duplex auto speed auto media-type rj45 ! interface GigabitEthernet0/2 ip address 192.168.10.99 255.255.255.0 ip nat outside ip virtual-reassembly in duplex auto speed auto media-type rj45 ! interface GigabitEthernet0/3 no ip address shutdown duplex auto speed auto media-type rj45 ! ip forward-protocol nd ! ! no ip http server no ip http secure-server ip nat inside source list 1 interface GigabitEthernet0/2 overload ip route 0.0.0.0 0.0.0.0 192.168.10.253 ! ipv6 ioam timestamp ! ! access-list 1 permit any |
지금까지 [2025][Juniper SRX #22] site to site vpn - S2S VPN - 기본 설정 글을 읽어주셔서 감사합니다.
다음글을 Juniper SRX S2S VPN 설정 하겠습니다.
| [2025][Juniper SRX #24] site to site vpn - S2S VPN - OSPF (0) | 2025.02.07 |
|---|---|
| [2025][Juniper SRX #23] site to site vpn - S2S VPN - static route (0) | 2025.02.07 |
| [2025][Juniper SRX #21] ip monitor - ip sla (0) | 2025.02.06 |
| [2024][Juniper SRX #20] License Install - J-Web (0) | 2025.02.05 |
| [2024][Juniper SRX #19] J-Web (0) | 2025.02.05 |
안녕하세요.
오늘은 Juniper srx ip monitor에 대해서 알아보겠습니다.
시스코 용어로는 IP SLA입니다.
아래처럼 SRX에 인터넷이 2개 연결되었다고 확인해보겠습니다.
Default Gateway는 한개만 선택되어서 라이팅이 됩니다.
Main Internet를 통해서 google 8.8.8.8를 모니터링하고 있다가, Main Internet이 죽으면 자동으로
디폴트케이트웨이를 백업 인터넷으로 변경을 실습해 보겠습니다.
토폴로지는 아래와 같습니다.
SRX
Ge-0/0/0 10.1.1.1이 메인 Internet
Ge-0/0/1 20.1.1.1이 백업 Internet 으로 간주하겠습니다.
Internet 라우터는 SRX에 올라오는 트래픽을 NAT처리해서 8.8.8.8이랑 통신 되게 설정 합니다.
기본설정을 먼저 해보겠습니다.
INTENRET ROUTER 설정 입니다.
| Router(config)#no ip domain-lookup Router(config)#hostname INT_ROUTER INT_ROUTER(config)#line con 0 INT_ROUTER(config-line)#exec-time INT_ROUTER(config-line)#logg sy INT_ROUTER(config-line)#end INT_ROUTER#conf t INT_ROUTER(config)#int g0/0 INT_ROUTER(config-if)#ip add 192.168.10.101 255.255.255.0 INT_ROUTER(config-if)#no sh INT_ROUTER(config-if)#end INT_ROUTER(config)#int g0/1 INT_ROUTER(config-if)#ip add 10.1.1.254 255.255.255.0 INT_ROUTER(config-if)#no sh INT_ROUTER(config-if)#int g0/2 \INT_ROUTER(config-if)#ip add 20.1.1.254 255.255.255.0 INT_ROUTER(config-if)#no sh INT_ROUTER(config-if)#end INT_ROUTER(config)#ip route 0.0.0.0 0.0.0.0 192.168.10.253 INT_ROUTER(config)#end INT_ROUTER# INT_ROUTER# INT_ROUTER#show ip int brie Interface IP-Address OK? Method Status Protocol GigabitEthernet0/0 192.168.10.101 YES manual up up GigabitEthernet0/1 10.1.1.254 YES manual up up GigabitEthernet0/2 20.1.1.254 YES manual up up GigabitEthernet0/3 unassigned YES unset administratively down down INT_ROUTER# INT_ROUTER#ping 8.8.8.8 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/6 ms |
PAT를 설정 합니다.
| INT_ROUTER#conf t INT_ROUTER(config)#int g0/0 INT_ROUTER(config-if)#ip nat outside INT_ROUTER(config-if)#int g0/1 INT_ROUTER(config-if)#ip nat inside INT_ROUTER(config-if)#int g0/2 INT_ROUTER(config-if)#ip nat inside INT_ROUTER(config-if)#end INT_ROUTER(config)#access-list 1 permit any INT_ROUTER(config)#ip nat inside source list 1 interface gigabitEthernet 0/0 overload INT_ROUTER#ping 8.8.8.8 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/7 ms INT_ROUTER#ping 8.8.8.8 source g0/1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds: Packet sent with a source address of 10.1.1.254 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/5 ms INT_ROUTER#ping 8.8.8.8 source g0/2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds: Packet sent with a source address of 20.1.1.254 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 3/5/8 ms INT_ROUTER# |
이번에는 주니퍼 기본 설정을 하겠습니다.
기본적으로 설정값을 다 지우고 root password를 설정 합니다.
| FreeBSD/amd64 (Amnesiac) (ttyu0) login: root --- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil root@:~ # cli root> root> configure Entering configuration mode [edit] root# [edit] root# [edit] root# delete This will delete the entire configuration Delete everything under this level? [yes,no] (no) yes root# set system root-authentication plain-text-password New password: Retype new password: [edit] root# commit |
Interface 설정
| root> show configuration | display set | no-more set version 21.3R1.9 set system root-authentication encrypted-password "$6$6IWgKM8j$c5/l5czscFh31rD/X/mx8ug3IUwUdyYtb8/KYEjYA7J6YxayiDelNUx9cmSFxzjWpf/0LLxBAADLf.WGE2.XV1" set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols all set security zones security-zone trust interfaces ge-0/0/2.0 set security zones security-zone untrust host-inbound-traffic system-services all set security zones security-zone untrust host-inbound-traffic protocols all set security zones security-zone untrust interfaces ge-0/0/0.0 set security zones security-zone untrust interfaces ge-0/0/1.0 set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24 set interfaces ge-0/0/1 unit 0 family inet address 20.1.1.1/24 set interfaces ge-0/0/2 unit 0 family inet address 30.1.1.1/24 set protocols lldp interface all set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254 |
| root> show interfaces terse Interface Admin Link Proto Local Remote ge-0/0/0 up up ge-0/0/0.0 up up inet 10.1.1.1/24 gr-0/0/0 up up ip-0/0/0 up up lsq-0/0/0 up up lt-0/0/0 up up mt-0/0/0 up up sp-0/0/0 up up sp-0/0/0.0 up up inet inet6 sp-0/0/0.16383 up up inet ge-0/0/1 up up ge-0/0/1.0 up up inet 20.1.1.1/24 ge-0/0/2 up up ge-0/0/2.0 up up inet 30.1.1.1/24 dsc up up fti0 up up fxp0 up up gre up up ipip up up irb up up lo0 up up lo0.16384 up up inet 127.0.0.1 --> 0/0 lo0.16385 up up inet 10.0.0.1 --> 0/0 10.0.0.16 --> 0/0 128.0.0.1 --> 0/0 128.0.0.4 --> 0/0 128.0.1.16 --> 0/0 lo0.32768 up up lsi up up mtun up up pimd up up pime up up pp0 up up ppd0 up up ppe0 up up st0 up up tap up up vlan up down root> show security zones Security zone: trust Zone ID: 7 Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 2 Interfaces: ge-0/0/1.0 ge-0/0/2.0 Advanced-connection-tracking timeout: 1800 Unidirectional-session-refreshing: No Security zone: untrust Zone ID: 8 Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 1 Interfaces: ge-0/0/0.0 Advanced-connection-tracking timeout: 1800 Unidirectional-session-refreshing: No Security zone: junos-host Zone ID: 2 Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 0 Interfaces: Advanced-connection-tracking timeout: 1800 Unidirectional-session-refreshing: No root> root> ping 10.1.1.254 PING 10.1.1.254 (10.1.1.254): 56 data bytes 64 bytes from 10.1.1.254: icmp_seq=0 ttl=255 time=3.320 ms 64 bytes from 10.1.1.254: icmp_seq=1 ttl=255 time=3.150 ms 64 bytes from 10.1.1.254: icmp_seq=2 ttl=255 time=2.836 ms 64 bytes from 10.1.1.254: icmp_seq=3 ttl=255 time=2.550 ms 64 bytes from 10.1.1.254: icmp_seq=4 ttl=255 time=2.607 ms ^C --- 10.1.1.254 ping statistics --- 5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max/stddev = 2.550/2.893/3.320/0.300 ms root> ping 20.1.1.254 PING 20.1.1.254 (20.1.1.254): 56 data bytes 64 bytes from 20.1.1.254: icmp_seq=0 ttl=255 time=2.894 ms 64 bytes from 20.1.1.254: icmp_seq=1 ttl=255 time=2.782 ms 64 bytes from 20.1.1.254: icmp_seq=2 ttl=255 time=2.699 ms 64 bytes from 20.1.1.254: icmp_seq=3 ttl=255 time=3.372 ms 64 bytes from 20.1.1.254: icmp_seq=4 ttl=255 time=2.571 ms ^C --- 20.1.1.254 ping statistics --- 5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max/stddev = 2.571/2.864/3.372/0.275 ms root> |
NAT 설정
Source IP가 30.1.1.0/24에 대해서는 Source NAT를 진행합니다.
| set security nat source rule-set SOURCE-NAT from zone trust set security nat source rule-set SOURCE-NAT to zone untrust set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 30.1.1.0/24 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0 set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface |
Firewall Rule 설정
| set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit |
VPC IP 설정 및 8.8.8.8 테스트
| VPCS> ip 30.1.1.254/24 30.1.1.1 Checking for duplicate address... VPCS : 30.1.1.254 255.255.255.0 gateway 30.1.1.1 VPCS> save Saving startup configuration to startup.vpc . done VPCS> ping 8.8.8.8 84 bytes from 8.8.8.8 icmp_seq=1 ttl=115 time=17.295 ms 84 bytes from 8.8.8.8 icmp_seq=2 ttl=115 time=4.437 ms 84 bytes from 8.8.8.8 icmp_seq=3 ttl=115 time=5.881 ms 84 bytes from 8.8.8.8 icmp_seq=4 ttl=115 time=5.225 ms ^C VPCS> VPCS> trace 8.8.8.8 trace to 8.8.8.8, 8 hops max, press Ctrl+C to stop 1 30.1.1.1 9.255 ms 0.759 ms 0.866 ms 2 10.1.1.254 8.273 ms 16.840 ms 4.871 ms 3 192.168.10.253 15.513 ms 4.014 ms 4.634 ms 4 202.14.11.193 3.964 ms 4.513 ms 3.862 ms 5 202.14.12.33 4.422 ms 3.900 ms 6.111 ms 6 203.117.190.81 7.847 ms 7.067 ms 9.060 ms ^C 7 * VPCS> |
위에 처럼 메인 Internet를 통해서 8.8.8.8 통신을 시도 합니다.
10.1.1.254 Main Internet
20.1.1.254 Backup Internet
SRX에서 IP MONITOR기능을 설정해서 Main Internet를 통해서 8.8.8.8 모니터링 합니다.
모니터링이 성공하면 디폴트로 설정된 Default Gateway를 사용하고 실패하면 20.1.1.254 Default Gateway를 추가하여.
우선순위를 더 높에 사용해서 20.1.1.254가 선택되게 합니다.
다시 Main Internet를 통해서 8.8.8.8 성공하면 Main Internet 10.1.1.254 Defualt Gateway가 선택 되게 합니다.
SRX 설정값 입니다.
| set services rpm probe probe-test test test probe-type icmp-ping set services rpm probe probe-test test test target address 8.8.8.8 set services rpm probe probe-test test test probe-count 5 set services rpm probe probe-test test test probe-interval 5 set services rpm probe probe-test test test test-interval 5 set services rpm probe probe-test test test thresholds successive-loss 10 set services rpm probe probe-test test test next-hop 10.1.1.254 set services ip-monitoring policy probe-policy match rpm-probe probe-test set services ip-monitoring policy probe-policy then preferred-route route 0.0.0.0/0 next-hop 20.1.1.254 |
라우팅을 확인 합니다
10.1.1.254가 사용중입니다.
| root> show route inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 0.0.0.0/0 *[Static/5] 00:37:58 > to 10.1.1.254 via ge-0/0/0.0 10.1.1.0/24 *[Direct/0] 00:37:58 > via ge-0/0/0.0 10.1.1.1/32 *[Local/0] 00:37:58 Local via ge-0/0/0.0 20.1.1.0/24 *[Direct/0] 00:37:58 > via ge-0/0/1.0 20.1.1.1/32 *[Local/0] 00:37:58 Local via ge-0/0/1.0 30.1.1.0/24 *[Direct/0] 00:37:58 > via ge-0/0/2.0 30.1.1.1/32 *[Local/0] 00:37:58 Local via ge-0/0/2.0 inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both ff02::2/128 *[INET6/0] 00:57:56 MultiRecv root> |
IP Monitering 상태 확인하는 방법
| root> show services rpm probe-results Owner: probe-test, Test: test Target address: 8.8.8.8, Probe type: icmp-ping, Icmp-id: 10, Test size: 5 probes Probe results: Response received Probe sent time: Thu Feb 6 13:11:33 2025 Probe rcvd/timeout time: Thu Feb 6 13:11:33 2025, No hardware timestamps Rtt: 3555 usec, Round trip jitter: 285 usec Round trip interarrival jitter: 1223 usec Results over current test: Probes sent: 5, Probes received: 5, Loss percentage: 0.000000 Measurement: Round trip time Samples: 5, Minimum: 3065 usec, Maximum: 3555 usec, Average: 3297 usec, Peak to peak: 490 usec, Stddev: 158 usec, Sum: 16484 usec Measurement: Positive round trip jitter Samples: 4, Minimum: 90 usec, Maximum: 285 usec, Average: 187 usec, Peak to peak: 195 usec, Stddev: 70 usec, Sum: 749 usec Measurement: Negative round trip jitter Samples: 1, Minimum: 277 usec, Maximum: 277 usec, Average: 277 usec, Peak to peak: 0 usec, Stddev: 0 usec, Sum: 277 usec Results over last test: Probes sent: 5, Probes received: 5, Loss percentage: 0.000000 Test completed on Thu Feb 6 13:11:33 2025 Measurement: Round trip time Samples: 5, Minimum: 3065 usec, Maximum: 3555 usec, Average: 3297 usec, Peak to peak: 490 usec, Stddev: 158 usec, Sum: 16484 usec Measurement: Positive round trip jitter Samples: 4, Minimum: 90 usec, Maximum: 285 usec, Average: 187 usec, Peak to peak: 195 usec, Stddev: 70 usec, Sum: 749 usec Measurement: Negative round trip jitter Samples: 1, Minimum: 277 usec, Maximum: 277 usec, Average: 277 usec, Peak to peak: 0 usec, Stddev: 0 usec, Sum: 277 usec Results over all tests: Probes sent: 10, Probes received: 10, Loss percentage: 0.000000 Measurement: Round trip time Samples: 10, Minimum: 3033 usec, Maximum: 13877 usec, Average: 5128 usec, Peak to peak: 10844 usec, Stddev: 3872 usec, Sum: 51275 usec Measurement: Positive round trip jitter Samples: 6, Minimum: 32 usec, Maximum: 8668 usec, Average: 1575 usec, Peak to peak: 8636 usec, Stddev: 3173 usec, Sum: 9449 usec Measurement: Negative round trip jitter Samples: 3, Minimum: 277 usec, Maximum: 10844 usec, Average: 6590 usec, Peak to peak: 10567 usec, Stddev: 4553 usec, Sum: 19771 usec root> |
아래처럼 8.8.8.8 모니터링이 성공하였다고 PASS 표시됩니다.
| root> show services ip-monitoring status Policy - probe-policy (Status: PASS) RPM Probes: Probe name Test Name Address Status ---------------------- --------------- ---------------- --------- probe-test test 8.8.8.8 PASS Route-Action (Adding backup routes when FAIL): route-instance route next-hop state ----------------- ----------------- ---------------- ------------- inet.0 0.0.0.0/0 20.1.1.254 NOT-APPLIED root> |
이번에는 INT_ROUTER에서 G0/1 Shutdown 해 보겠습니다.
| INT_ROUTER#show ip int brie Interface IP-Address OK? Method Status Protocol GigabitEthernet0/0 192.168.10.101 YES manual up up GigabitEthernet0/1 10.1.1.254 YES manual up up GigabitEthernet0/2 20.1.1.254 YES manual up up GigabitEthernet0/3 unassigned YES unset administratively down down NVI0 192.168.10.101 YES unset up up INT_ROUTER# INT_ROUTER#conf t Enter configuration commands, one per line. End with CNTL/Z. INT_ROUTER(config)#int g0/1 INT_ROUTER(config-if)#sh INT_ROUTER(config-if)# |
그리고 Juniper SRX에서 상태를 확인해 보겠습니다.
메인 Internet를 통해서 8.8.8.8 실패해서 FAIL이라고 표시 됩니다.
| root> show services ip-monitoring status Policy - probe-policy (Status: FAIL) RPM Probes: Probe name Test Name Address Status ---------------------- --------------- ---------------- --------- probe-test test 8.8.8.8 FAIL Route-Action (Adding backup routes when FAIL): route-instance route next-hop state ----------------- ----------------- ---------------- ------------- inet.0 0.0.0.0/0 20.1.1.254 APPLIED root> |
라우팅 테이블을 확인해보겠습니다.
0.0.0.0/0 * 20.1.1.254선택 되었습니다.
| root> show route inet.0: 7 destinations, 8 routes (7 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 0.0.0.0/0 *[Static/1] 00:00:40, metric2 0 > to 20.1.1.254 via ge-0/0/1.0 [Static/5] 00:41:30 > to 10.1.1.254 via ge-0/0/0.0 10.1.1.0/24 *[Direct/0] 00:41:30 > via ge-0/0/0.0 10.1.1.1/32 *[Local/0] 00:41:30 Local via ge-0/0/0.0 20.1.1.0/24 *[Direct/0] 00:41:30 > via ge-0/0/1.0 20.1.1.1/32 *[Local/0] 00:41:30 Local via ge-0/0/1.0 30.1.1.0/24 *[Direct/0] 00:41:30 > via ge-0/0/2.0 30.1.1.1/32 *[Local/0] 00:41:30 Local via ge-0/0/2.0 inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both ff02::2/128 *[INET6/0] 01:01:28 MultiRecv root> |
PC에서 8.8.8.8 Ping확인
| VPCS> ping 8.8.8.8 84 bytes from 8.8.8.8 icmp_seq=1 ttl=115 time=14.530 ms 84 bytes from 8.8.8.8 icmp_seq=2 ttl=115 time=6.496 ms 84 bytes from 8.8.8.8 icmp_seq=3 ttl=115 time=4.036 ms 84 bytes from 8.8.8.8 icmp_seq=4 ttl=115 time=4.639 ms ^C VPCS> trace 8.8.8.8 trace to 8.8.8.8, 8 hops max, press Ctrl+C to stop 1 30.1.1.1 6.549 ms 0.323 ms 0.288 ms 2 20.1.1.254 4.672 ms 2.443 ms 2.587 ms 3 192.168.10.253 5.439 ms 3.019 ms 3.723 ms 4 202.14.11.193 2.668 ms 3.153 ms 2.520 ms 5 202.14.12.33 3.274 ms 2.983 ms 3.199 ms 6 203.117.190.81 3.344 ms 2.981 ms 3.447 ms 7 * * * 8 203.116.3.50 4.120 ms 3.835 ms 3.361 ms VPCS> |
Backup Internet 20.1.1.254를 통해서 8.8.8.8 통신 되었습니다.
이번에는 다시 INT_ROUTER G0/1를 Shutdown해서 Main Internet를 살리겠습니다
| INT_ROUTER#conf t Enter configuration commands, one per line. End with CNTL/Z. INT_ROUTER(config)#int g0/1 INT_ROUTER(config-if)#no sh INT_ROUTER(config-if)#end INT_ROUTER# |
Juniper SRX에 확인해보겠습니다.
메인 Intenret를 통해서 8.8.8.8 성공해서 PASS라고 표시 됩니다.
| root> show services ip-monitoring status Policy - probe-policy (Status: PASS) RPM Probes: Probe name Test Name Address Status ---------------------- --------------- ---------------- --------- probe-test test 8.8.8.8 PASS Route-Action (Adding backup routes when FAIL): route-instance route next-hop state ----------------- ----------------- ---------------- ------------- inet.0 0.0.0.0/0 20.1.1.254 NOT-APPLIED |
라우팅 확인
메인 Intrenet이 0.0.0.0/0 선택 되었습니다.
| root> show route inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 0.0.0.0/0 *[Static/5] 00:44:58 > to 10.1.1.254 via ge-0/0/0.0 10.1.1.0/24 *[Direct/0] 00:44:58 > via ge-0/0/0.0 10.1.1.1/32 *[Local/0] 00:44:58 Local via ge-0/0/0.0 20.1.1.0/24 *[Direct/0] 00:44:58 > via ge-0/0/1.0 20.1.1.1/32 *[Local/0] 00:44:58 Local via ge-0/0/1.0 30.1.1.0/24 *[Direct/0] 00:44:58 > via ge-0/0/2.0 30.1.1.1/32 *[Local/0] 00:44:58 Local via ge-0/0/2.0 inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both ff02::2/128 *[INET6/0] 01:04:56 MultiRecv root> |
PC에서 Ping확인
| VPCS> ping 8.8.8.8 84 bytes from 8.8.8.8 icmp_seq=1 ttl=115 time=5.238 ms 84 bytes from 8.8.8.8 icmp_seq=2 ttl=115 time=4.189 ms 84 bytes from 8.8.8.8 icmp_seq=3 ttl=115 time=4.335 ms 84 bytes from 8.8.8.8 icmp_seq=4 ttl=115 time=4.901 ms ^C VPCS> trace 8.8.8.8 trace to 8.8.8.8, 8 hops max, press Ctrl+C to stop 1 30.1.1.1 0.720 ms 0.342 ms 0.297 ms 2 10.1.1.254 4.886 ms 2.755 ms 1.927 ms 3 192.168.10.253 4.773 ms 2.598 ms 2.446 ms 4 202.14.11.193 2.810 ms 2.187 ms 2.950 ms 5 202.14.12.33 3.585 ms 3.912 ms 2.398 ms 6 203.117.190.81 3.007 ms 3.628 ms 3.860 ms 7 * * * 8 203.118.60.86 3.371 ms 3.265 ms 3.244 ms VPCS> |
지금까지 [2025][Juniper SRX #21] ip monitor - ip sla 글을 읽어주셔서 감사합니다.
| [2025][Juniper SRX #23] site to site vpn - S2S VPN - static route (0) | 2025.02.07 |
|---|---|
| [2025][Juniper SRX #22] site to site vpn - S2S VPN - 기본 설정 (0) | 2025.02.07 |
| [2024][Juniper SRX #20] License Install - J-Web (0) | 2025.02.05 |
| [2024][Juniper SRX #19] J-Web (0) | 2025.02.05 |
| [2024][Juniper SRX #18] Firmware recommendation (0) | 2025.01.11 |
안녕하세요.
오늘은 SRX320 License를 J-Web를 통해서 설치해보겠습니다.
1. SRX IPS라이센스를 구매하면 Distributor로부터 Activiation Code PDF파일을 전송 받게 됩니다.
중요부분은 다 삭제 하였습니다.
2. J-WEB를 접속 합니다.
시리얼번호는 삭제하였습니다. 시리얼번호를 확인 합니다.
3. JAL license Portal에 접속하고 위에 라이센스 activiation PDF파일에서 Activation Code를 복사해서 붙어 넣으면 자동으로 라이센스를 찾아서 Activiation으로 넘어 갑니다.
또는 아래 Order Number를 검색한후에 옆에 Activate 버튼을 눌러서 활성화도 가능 합니다.
라이센스를 구매할때 이미 고객사정보 Juniper SI 파트너 계정에 이미 라이센스가 들어가져 있습니다.
4. 아래처럼 장비 시리얼정보와, Noted, Email주소를 입력하고 Activate버튼을 클릭 합니다.
5. Download 버튼을 클릭 합니다.
6. 라이센스 키가 다운로드 되고 파일을 클릭 하면 아래처럼 정보를 확인 가능 합니다
| Issue Date : 05-Feb-2025 Expiry Date : 25-Jan-2030 HW Serial Number : 장비 시리얼 번호 SSRN : xxxxxxxxxx Feature : S-SRX320-A1-5 Quantity : 1 Software Version : All Versions License Key : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
Device Administration
2. License Management를 선택합니다.
현재 Default로 아래처럼 2개가 설치 되어져 있습니다.
| remote-access-ipsec-vpn-client | 0 | 2 | 0 | Permanent |
| remote-access-juniper-std | 0 | 2 | 0 | Permanent |
3. Add버튼을 클릭 하고 Txt파일에서 키값을 복사해서 붙여넣기 합니다.
아래처럼 라이센스가 적용 되었습니다.
지금까지 [2024][Juniper SRX #20] License Install - J-Web 글을 읽어주셔서 감사합니다.
| [2025][Juniper SRX #22] site to site vpn - S2S VPN - 기본 설정 (0) | 2025.02.07 |
|---|---|
| [2025][Juniper SRX #21] ip monitor - ip sla (0) | 2025.02.06 |
| [2024][Juniper SRX #19] J-Web (0) | 2025.02.05 |
| [2024][Juniper SRX #18] Firmware recommendation (0) | 2025.01.11 |
| [2024][Juniper SRX #17] Firmware Upgrade path (0) | 2025.01.07 |