root> show configuration | display set | no-more
set version 21.4R3-S3.4
set system root-authentication encrypted-password "$6$Kt3WFIik$0vN75BKuEZDkbTiLXUiAaTbrdkZ2EQCMo0u/G2D.nI3yQFDnN2sRwSwMra/BrVBfXg2lnWtzltwnPZkIWY2Zi."
set system services ssh
set system services netconf ssh
set system services dhcp-local-server group jdhcp-group interface irb.0
set system services web-management https system-generated-certificate
set system name-server 8.8.8.8
set system name-server 8.8.4.4
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file interactive-commands interactive-commands any
set system syslog file messages any notice
set system syslog file messages authorization info
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system phone-home server https://redirect.juniper.net
set system phone-home rfc-compliant
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies pre-id-default-policy then log session-close
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces irb.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/7.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/7.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces dl0.0 host-inbound-traffic system-services tftp
set interfaces ge-0/0/0 unit 0 family inet dhcp vendor-id Juniper-srx320
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/7 unit 0 family inet dhcp vendor-id Juniper-srx320
set interfaces cl-1/0/0 dialer-options pool 1 priority 100
set interfaces dl0 unit 0 family inet negotiate-address
set interfaces dl0 unit 0 family inet6 negotiate-address
set interfaces dl0 unit 0 dialer-options pool 1
set interfaces dl0 unit 0 dialer-options dial-string 1234
set interfaces dl0 unit 0 dialer-options always-on
set interfaces irb unit 0 family inet address 192.168.1.1/24
set access address-assignment pool junosDHCPPool family inet network 192.168.1.0/24
set access address-assignment pool junosDHCPPool family inet range junosRange low 192.168.1.2
set access address-assignment pool junosDHCPPool family inet range junosRange high 192.168.1.254
set access address-assignment pool junosDHCPPool family inet dhcp-attributes router 192.168.1.1
set access address-assignment pool junosDHCPPool family inet dhcp-attributes propagate-settings ge-0/0/0.0
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface irb.0
set protocols l2-learning global-mode switching
set protocols rstp interface all
root>
root> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  idp-sig                               0            1           0    2030-01-26 00:00:00 UTC
  remote-access-ipsec-vpn-client        0            2           0    permanent
  remote-access-juniper-std             0            2           0    permanent

Licenses installed:
  License identifier: JUNOS422937473
  License version: 4
  Valid for device: CW4024AX0159
  Customer ID: KDDI ASIA PACIFIC PTE. LTD.
  Features:
    idp-sig - IDP Signature
      date-based, 2024-12-27 00:00:00 UTC - 2030-01-26 00:00:00 UTC
root>
root> show version
Model: srx320
Junos: 21.4R3-S3.4
JUNOS Software Release [21.4R3-S3.4]
2. Connect a UTP cable between the laptop and ge-0/0/3 on the Juniper SRX.
Then configure the laptop with 192.168.1.2 255.255.255.0 and
ping 192.168.1.1
C:\Users\admin>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=2ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

C:\Users\admin>
3. Enable FTP.
root# set system services ftp

[edit]
root# show system services
ftp;
ssh;
netconf {
    ssh;
}
dhcp-local-server {
    group jdhcp-group {
        interface irb.0;
    }
}
web-management {
    https {
        system-generated-certificate;
    }
}
To make it easy to look up, for each Junos release for SRX, which earlier releases support a direct upgrade to it, see the table below.
Before performing the upgrade, check the Notes section below for caveats and limitations that may apply.
Target Junos release    Direct upgrade supported from
24.4 (*2)               24.2, 23.4, 23.2
24.2                    23.4, 23.2, 22.4
23.4                    23.2, 22.4, 22.3
23.2                    22.4, 22.3, 22.2
22.4                    22.3, 22.2, 22.1, 21.4
22.3                    22.2, 22.1, 21.4
22.2                    22.1, 21.4, 21.3, 21.2
22.1                    21.4, 21.3, 21.2
21.4                    21.3, 21.2, 21.1, 20.4
21.3                    21.2, 21.1, 20.4
21.2                    21.1, 20.4, 20.3, 20.2
21.1                    20.4, 20.3, 20.2
20.4                    20.3, 20.2, 20.1, 19.4
20.3                    20.2, 20.1, 19.4
20.2                    20.1, 19.4, 19.3, 19.2
20.1                    19.4, 19.3, 19.2
19.4                    19.3, 19.2, 19.1, 18.4, 15.1X49
19.3                    19.2, 19.1, 18.4
19.2                    19.1, 18.4, 18.3, 18.2
19.1                    18.4, 18.3, 18.2
18.4                    18.3, 18.2, 18.1, 17.4, 15.1X49
18.3                    18.2, 18.1, 17.4
18.2                    18.1, 17.4, 17.3
18.1                    17.4, 17.3
17.4                    17.3, 15.1X49
17.3                    15.1X49
15.1X49                 12.3X48
Checking the information above gives the following result.
To upgrade your SRX device from Junos 21.4R3 to 23.4R2-S3, the path is: 21.4R3 --> 22.4R3 --> 23.4R2-S3
root> request system software add /cf/var/tmp/junos-srxsme-22.4R3.25.tgz no-validate reboot
Formatting alternate root (/dev/da0s2a)...
/dev/da0s2a: 596.0MB (1220680 sectors) block size 16384, fragment size 2048
        using 4 cylinder groups of 149.02MB, 9537 blks, 19200 inodes.
super-block backups (for fsck -b #) at:
 32, 305216, 610400, 915584
saving package file in /var/sw/pkg ...
Installing package '/altroot/cf/packages/install-tmp/junos-22.4R3.25' ...
Verified junos-boot-srxsme-22.4R3.25.tgz signed by PackageProductionECP256_2024 method ECDSA256+SHA256
Verified junos-srxsme-22.4R3.25-domestic signed by PackageProductionECP256_2024 method ECDSA256+SHA256
Verified manifest signed by PackageProductionECP256_2024 method ECDSA256+SHA256
JUNOS 22.4R3.25 will become active at next reboot
Saving state for rollback ...
Rebooting ...
shutdown: [pid 6825]
Shutdown NOW!

*** FINAL System shutdown message from root@ ***

System going down IMMEDIATELY
(boot process omitted)
Amnesiac (ttyu0)
login:
Once the boot has completed, log in.
root> show version
Model: srx320
Junos: 22.4R3.25
JUNOS Software Release [22.4R3.25]

root> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  idp-sig                               0            1           0    2030-01-26 00:00:00 UTC
  remote-access-ipsec-vpn-client        0            2           0    permanent
  remote-access-juniper-std             0            2           0    permanent

Licenses installed:
  License identifier:
  License version: 4
  Valid for device:
  Customer ID:
  Features:
    idp-sig - IDP Signature
      date-based, 2024-12-27 00:00:00 UTC - 2030-01-26 00:00:00 UTC
[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit
1-2 Interface configuration
set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253
1-3 Assign the interfaces to zones, and set host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic protocols all
set security zones security-zone dmz interfaces ge-0/0/2.0
1-4 Configure the firewall policies on the SRX
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit

set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any
set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit

set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit
2. HTTP server setup - I will enable HTTP on a Cisco router and use it as the HTTP server
conf t
int g0/0
ip add 20.1.1.1 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 20.1.1.254
ip http server

R1#show
*Feb 14 05:15:18.099: %SYS-5-CONFIG_I: Configured from console by console
ip int brie
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         20.1.1.1        YES manual up                    up
GigabitEthernet0/1         unassigned      YES unset  administratively down down
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
R1#
R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 20.1.1.254 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 20.1.1.254
      20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.1.1.0/24 is directly connected, GigabitEthernet0/0
L        20.1.1.1/32 is directly connected, GigabitEthernet0/0

R1#ping 20.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#
3. USER01 / USER02 setup
USER01> ip 10.1.1.1/24 10.1.1.254
Checking for duplicate address...
VPCS : 10.1.1.1 255.255.255.0 gateway 10.1.1.254

USER01> save
Saving startup configuration to startup.vpc
.  done

USER01>
USER01> ping 10.1.1.254
84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms
84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms
84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms
84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms
^C
USER01>

USER02> ip 10.1.1.2/24 10.1.1.254
Checking for duplicate address...
VPCS : 10.1.1.2 255.255.255.0 gateway 10.1.1.254

USER02> save
Saving startup configuration to startup.vpc
.  done

USER02>
USER02> ping 10.1.1.254
84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms
84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms
84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms
84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms
^C
USER02>
set security nat source pool source_nat address 192.168.10.84/32
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat pool source_nat
Check again from the PCs.
USER01> ping 8.8.8.8
84 bytes from 8.8.8.8 icmp_seq=1 ttl=56 time=10.328 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=5.192 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=5.557 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=5.158 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=4.425 ms

USER02> ping 8.8.8.8
84 bytes from 8.8.8.8 icmp_seq=1 ttl=56 time=10.328 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=5.192 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=5.557 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=5.158 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=4.425 ms

Probing 192.168.10.85:80/tcp - No response - time=2001.746ms
Probing 192.168.10.85:80/tcp - No response - time=2003.928ms
Probing 192.168.10.85:80/tcp - No response - time=2013.536ms
Probing 192.168.10.85:80/tcp - No response - time=2006.107ms
Probing 192.168.10.85:80/tcp - No response - time=2006.452ms
Probing 192.168.10.85:80/tcp - No response - time=2005.353ms
Probing 192.168.10.85:80/tcp - No response - time=2012.393ms
Probing 192.168.10.85:80/tcp - No response - time=2012.957ms
Probing 192.168.10.85:80/tcp - No response - time=2008.528ms
Probing 192.168.10.85:80/tcp - No response - time=2011.220ms
Probing 192.168.10.85:80/tcp - No response - time=2008.000ms
Probing 192.168.10.85:80/tcp - No response - time=2008.216ms
Probing 192.168.10.85:80/tcp - No response - time=2004.983ms
Probing 192.168.10.85:80/tcp - No response - time=2000.407ms
Probing 192.168.10.85:80/tcp - No response - time=2005.790ms
First, configure a firewall policy so that the external untrust zone can reach the dmz zone.
set security zones security-zone dmz address-book address dmz_server_01 20.1.1.1/32
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match source-address any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match destination-address dmz_server_01
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match application any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server then permit
On the SRX, ge-0/0/0 only answers ARP for the address used by the NAT pool once that address is configured under proxy-arp.
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.86
Destination NAT configuration
set security nat destination pool web_server address 20.1.1.1/32
set security nat destination rule-set to_web_server from zone untrust
set security nat destination rule-set to_web_server rule web_server_incoming match destination-address 192.168.10.86/32
set security nat destination rule-set to_web_server rule web_server_incoming then destination-nat pool web_server
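The three pieces configured above (the untrust-to-dmz policy, proxy-arp, and the destination NAT rule) each have to be present for the translation to work. As an added example (editor's code, not from the original post or from Juniper), the checker below parses `display set` lines and flags a DNAT rule whose pool is missing, whose NAT'd address has no proxy-arp entry on an interface in the ingress zone, or for which no permit policy matches the post-NAT address (Junos evaluates the policy after destination NAT, which is why the policy matches dmz_server_01 = 20.1.1.1 rather than 192.168.10.86). SAMPLE_CONFIG is a constructed copy of the lines used in this section.

```python
"""Check the destination-NAT plumbing in a Junos SRX 'display set' snippet.
Editor-added example, not code from the original post. SAMPLE_CONFIG is a
constructed copy of the DNAT, proxy-arp, zone and policy lines used above."""
import ipaddress
from collections import defaultdict

SAMPLE_CONFIG = """\
set security zones security-zone dmz address-book address dmz_server_01 20.1.1.1/32
set security zones security-zone untrust interfaces ge-0/0/0.0
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match destination-address dmz_server_01
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server then permit
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.86
set security nat destination pool web_server address 20.1.1.1/32
set security nat destination rule-set to_web_server from zone untrust
set security nat destination rule-set to_web_server rule web_server_incoming match destination-address 192.168.10.86/32
set security nat destination rule-set to_web_server rule web_server_incoming then destination-nat pool web_server
"""


def _net(text):
    return ipaddress.ip_network(text, strict=False)


def parse(config):
    """Collect pools, DNAT rules, proxy-arp, zone interfaces, address books and policies."""
    cfg = {"pools": {}, "rules": [], "proxy_arp": defaultdict(set),
           "zone_ifaces": defaultdict(set), "address_book": defaultdict(dict), "policies": {}}
    rulesets, rules = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        t = line.split()
        if not t or t[0] != "set":
            continue
        if line.startswith("set security nat destination pool "):
            if len(t) == 8 and t[6] == "address":      # 'address port N' lines are skipped
                cfg["pools"][t[5]] = _net(t[7])
        elif line.startswith("set security nat destination rule-set "):
            rs = t[5]
            if t[6:8] == ["from", "zone"]:
                rulesets[rs] = t[8]
            elif t[6] == "rule":
                rule = rules.setdefault((rs, t[7]), {"ruleset": rs, "name": t[7],
                                                      "match_dst": None, "pool": None})
                if t[8:10] == ["match", "destination-address"]:
                    rule["match_dst"] = _net(t[10])
                elif t[8:11] == ["then", "destination-nat", "pool"]:
                    rule["pool"] = t[11]
        elif line.startswith("set security nat proxy-arp interface "):
            if len(t) >= 8 and t[6] == "address":
                cfg["proxy_arp"][t[5]].add(_net(t[7]))
        elif line.startswith("set security zones security-zone "):
            if t[5] == "interfaces":
                cfg["zone_ifaces"][t[4]].add(t[6])
            elif t[5:7] == ["address-book", "address"]:
                cfg["address_book"][t[4]][t[7]] = _net(t[8])
        elif line.startswith("set security policies from-zone "):
            pol = cfg["policies"].setdefault((t[4], t[6], t[8]), {"dst": set(), "action": None})
            if t[9:11] == ["match", "destination-address"]:
                pol["dst"].add(t[11])
            elif t[9] == "then":
                pol["action"] = t[10]
    for rule in rules.values():
        rule["from_zone"] = rulesets.get(rule["ruleset"])
        cfg["rules"].append(rule)
    return cfg


def _permitted_after_dnat(cfg, from_zone, real):
    """True if some permit policy from from_zone matches the translated (real) address."""
    for (fz, tz, _name), pol in cfg["policies"].items():
        if fz != from_zone or pol["action"] != "permit":
            continue
        for name in pol["dst"]:
            dst = _net("0.0.0.0/0") if name == "any" else cfg["address_book"][tz].get(name)
            if dst is not None and real.subnet_of(dst):
                return True
    return False


def check_dnat(config):
    """Return a list of findings; an empty list means every DNAT rule is fully plumbed."""
    cfg = parse(config)
    findings = []
    for r in cfg["rules"]:
        label = f"rule {r['ruleset']}/{r['name']}"
        pool = cfg["pools"].get(r["pool"])
        if pool is None or r["match_dst"] is None or r["from_zone"] is None:
            findings.append(f"{label}: missing pool, match destination-address or from zone")
            continue
        # 1. Proxy ARP: the ingress interface only answers for the NAT'd address if it is listed.
        answered = any(r["match_dst"].subnet_of(p)
                       for ifname in cfg["zone_ifaces"][r["from_zone"]]
                       for p in cfg["proxy_arp"][ifname])
        if not answered:
            findings.append(f"{label}: no proxy-arp for {r['match_dst']} "
                            f"on an interface in zone {r['from_zone']}")
        # 2. Policy: lookup happens after DNAT, so it must permit the real server address.
        if not _permitted_after_dnat(cfg, r["from_zone"], pool):
            findings.append(f"{label}: no permit policy from zone {r['from_zone']} "
                            f"to the post-NAT address {pool}")
    return findings


if __name__ == "__main__":
    print(check_dnat(SAMPLE_CONFIG) or ["OK: DNAT rules fully plumbed"])
```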
Check connectivity from the PC.
Communication now works normally.
Probing 192.168.10.86:80/tcp - Port is open - time=23.372ms
Probing 192.168.10.86:80/tcp - Port is open - time=18.897ms
Probing 192.168.10.86:80/tcp - Port is open - time=14.309ms
Probing 192.168.10.86:80/tcp - Port is open - time=18.139ms
Probing 192.168.10.86:80/tcp - Port is open - time=23.166ms
Probing 192.168.10.86:80/tcp - Port is open - time=19.464ms
Probing 192.168.10.86:80/tcp - Port is open - time=18.645ms
Probing 192.168.10.86:80/tcp - Port is open - time=27.360ms
Probing 192.168.10.86:80/tcp - Port is open - time=19.947ms
Probing 192.168.10.86:80/tcp - Port is open - time=20.782ms
As shown above, traffic to 192.168.10.85 on port 80 or 8000 reaches 20.1.1.1 on port 80.
Interface check
root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.10.83/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     10.1.1.254/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     20.1.1.254/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
Routing check
root> show route

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:13:56
                    >  to 192.168.10.253 via ge-0/0/0.0
10.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/1.0
10.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/1.0
20.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/2.0
20.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/2.0
192.168.10.0/24    *[Direct/0] 00:13:56
                    >  via ge-0/0/0.0
192.168.10.83/32   *[Local/0] 00:13:56
                       Local via ge-0/0/0.0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:30:41
                       MultiRecv
root>
Security zone check
root> show security zones terse
Zone                        Type
dmz                         Security
trust                       Security
untrust                     Security
junos-host                  Security

root> show security zones

Security zone: dmz
  Zone ID: 10
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/2.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: trust
  Zone ID: 7
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/1.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: untrust
  Zone ID: 8
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: junos-host
  Zone ID: 2
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No
Firewall policy check
root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: trust, To zone: dmz
  Policy: trust_to_untrust, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: dmz, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: untrust, To zone: dmz
  Policy: untrust_to_dmz_web_server, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: dmz_server_01
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
root>
Firewall hit-count check
root> show security policies hit-count
Logical system: root-logical-system
  Index   From zone        To zone          Name                         Policy count   Action
  1       trust            untrust          trust_to_untrust             1942           Permit
  2       trust            dmz              trust_to_untrust             0              Permit
  3       untrust          dmz              untrust_to_dmz_web_server    844            Permit
  4       dmz              untrust          trust_to_untrust             2010           Permit

Number of policy: 4
root>
Firewall configuration
root> show configuration | display set | no-more
set version 21.3R1.9
set security nat source pool source_nat address 192.168.10.84/32
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface
set security nat destination pool port_foward_server address 20.1.1.1/32
set security nat destination pool port_foward_server address port 80
set security nat destination pool web_server address 20.1.1.1/32
set security nat destination rule-set to_web_server from zone untrust
set security nat destination rule-set to_web_server rule port_forwarding match destination-address 192.168.10.85/32
set security nat destination rule-set to_web_server rule port_forwarding match destination-port 80
set security nat destination rule-set to_web_server rule port_forwarding match destination-port 8000
set security nat destination rule-set to_web_server rule port_forwarding then destination-nat pool port_foward_server
set security nat destination rule-set to_web_server rule web_server_incoming match destination-address 192.168.10.86/32
set security nat destination rule-set to_web_server rule web_server_incoming then destination-nat pool web_server
set security nat static rule-set static_nat_01 from zone untrust
set security nat static rule-set static_nat_01 rule auth_server match destination-address 192.168.10.84/32
set security nat static rule-set static_nat_01 rule auth_server then static-nat prefix 20.1.1.1/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.84/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.85/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.86/32
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any
set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match source-address any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match destination-address dmz_server_01
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match application any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz address-book address dmz_server_01 20.1.1.1/32
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic protocols all
set security zones security-zone dmz interfaces ge-0/0/2.0
set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253
root>
Thank you for reading [2025][Juniper SRX #27] Destination NAT - DNAT.
[edit] root# delete This will delete the entire configuration Delete everything under this level? [yes,no] (no) yes
[edit] root# set system root-authentication plain-text-password New password: Retype new password:
[edit] root# commit
1-2 Interface 설정
set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24 set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24 set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24 set protocols lldp interface all set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253
1-3 Interface를 Zone에 할당하기. 그리고 system-services all로 설정
set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols all set security zones security-zone trust interfaces ge-0/0/1.0 set security zones security-zone untrust host-inbound-traffic system-services all set security zones security-zone untrust host-inbound-traffic protocols all set security zones security-zone untrust interfaces ge-0/0/0.0 set security zones security-zone dmz host-inbound-traffic system-services all set security zones security-zone dmz host-inbound-traffic protocols all set security zones security-zone dmz interfaces ge-0/0/2.0
1-4 SRX에서 방화벽 정책 설정
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit
2. HTTP SERVER 설정 - 저는 cisco router를 http enable 해서 http server로 사용하겠습니다
conf t int g0/0 ip add 20.1.1.1 255.255.255.0 no sh ip route 0.0.0.0 0.0.0.0 20.1.1.254 ip http server
R1#show *Feb 14 05:15:18.099: %SYS-5-CONFIG_I: Configured from console by consoleip int brie Interface IP-Address OK? Method Status Protocol GigabitEthernet0/0 20.1.1.1 YES manual up up GigabitEthernet0/1 unassigned YES unset administratively down down GigabitEthernet0/2 unassigned YES unset administratively down down GigabitEthernet0/3 unassigned YES unset administratively down down R1# R1#show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP a - application route + - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 20.1.1.254 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 20.1.1.254 20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks C 20.1.1.0/24 is directly connected, GigabitEthernet0/0 L 20.1.1.1/32 is directly connected, GigabitEthernet0/0
R1#ping 20.1.1.254 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 20.1.1.254, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms R1#
3. User01/ USer02 설정
USER01> ip 10.1.1.1/24 10.1.1.254 Checking for duplicate address... VPCS : 10.1.1.1 255.255.255.0 gateway 10.1.1.254
USER01> save Saving startup configuration to startup.vpc . done
USER01> USER01> ping 10.1.1.254
84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms 84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms 84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms 84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms ^C USER01>
USER02> ip 10.1.1.2/24 10.1.1.254 Checking for duplicate address... VPCS : 10.1.1.2 255.255.255.0 gateway 10.1.1.254
USER02> save Saving startup configuration to startup.vpc . done
USER02> USER02> ping 10.1.1.254
84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms 84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms 84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms 84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms ^C USER02>
set security nat source pool source_nat address 192.168.10.84/32
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat pool source_nat
Check again from the PCs
USER01> ping 8.8.8.8
84 bytes from 8.8.8.8 icmp_seq=1 ttl=56 time=10.328 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=5.192 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=5.557 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=5.158 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=4.425 ms

USER02> ping 8.8.8.8
84 bytes from 8.8.8.8 icmp_seq=1 ttl=56 time=10.328 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=5.192 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=5.557 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=5.158 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=4.425 ms
Probing 192.168.10.85:80/tcp - No response - time=2001.746ms
Probing 192.168.10.85:80/tcp - No response - time=2003.928ms
Probing 192.168.10.85:80/tcp - No response - time=2013.536ms
Probing 192.168.10.85:80/tcp - No response - time=2006.107ms
Probing 192.168.10.85:80/tcp - No response - time=2006.452ms
Probing 192.168.10.85:80/tcp - No response - time=2005.353ms
Probing 192.168.10.85:80/tcp - No response - time=2012.393ms
Probing 192.168.10.85:80/tcp - No response - time=2012.957ms
Probing 192.168.10.85:80/tcp - No response - time=2008.528ms
Probing 192.168.10.85:80/tcp - No response - time=2011.220ms
Probing 192.168.10.85:80/tcp - No response - time=2008.000ms
Probing 192.168.10.85:80/tcp - No response - time=2008.216ms
Probing 192.168.10.85:80/tcp - No response - time=2004.983ms
Probing 192.168.10.85:80/tcp - No response - time=2000.407ms
Probing 192.168.10.85:80/tcp - No response - time=2005.790ms
First, configure a security policy so that the external untrust zone can reach the dmz zone.
set security zones security-zone dmz address-book address dmz_server_01 20.1.1.1/32
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match source-address any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match destination-address dmz_server_01
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match application any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server then permit
On the SRX, ge-0/0/0 only answers ARP for the address used by the NAT pool once that address is configured for proxy ARP.
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.85
Destination NAT configuration
set security nat destination pool port_foward_server address 20.1.1.1/32
set security nat destination pool port_foward_server address port 80

set security nat destination rule-set to_web_server from zone untrust
set security nat destination rule-set to_web_server rule port_forwarding match destination-address 192.168.10.85/32
set security nat destination rule-set to_web_server rule port_forwarding match destination-port 80
set security nat destination rule-set to_web_server rule port_forwarding then destination-nat pool port_foward_server
Check connectivity from the PC.
The connection now succeeds.
C:\Users\USER>tcping -t 192.168.10.85 80

** Pinging continuously.  Press control-c to stop **

Probing 192.168.10.85:80/tcp - Port is open - time=65.904ms
Probing 192.168.10.85:80/tcp - Port is open - time=15.969ms
Control-C
If you want 192.168.10.85:8000 -> 20.1.1.1:80 instead, add the following.
set security nat destination rule-set to_web_server rule port_forwarding match destination-port 8000
Connection attempt from my PC
C:\Users\USER>tcping -t 192.168.10.85 8000

** Pinging continuously.  Press control-c to stop **

Probing 192.168.10.85:8000/tcp - Port is open - time=14.496ms
Probing 192.168.10.85:8000/tcp - Port is open - time=17.589ms
Probing 192.168.10.85:8000/tcp - Port is open - time=13.039ms
Probing 192.168.10.85:8000/tcp - Port is open - time=15.563ms
Probing 192.168.10.85:8000/tcp - Port is open - time=15.389ms
Probing 192.168.10.85:8000/tcp - Port is open - time=13.528ms
Probing 192.168.10.85:8000/tcp - Port is open - time=11.238ms
Probing 192.168.10.85:8000/tcp - Port is open - time=14.091ms

C:\Users\USER>tcping -t 192.168.10.85 80

** Pinging continuously.  Press control-c to stop **

Probing 192.168.10.85:80/tcp - Port is open - time=55.989ms
Probing 192.168.10.85:80/tcp - Port is open - time=54.255ms
Probing 192.168.10.85:80/tcp - Port is open - time=19.360ms
As shown above, both 192.168.10.85 port 80 and port 8000 now reach 20.1.1.1 port 80.
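The reason the untrust_to_dmz_web_server policy above matches dmz_server_01 (20.1.1.1) rather than 192.168.10.85 is that Junos applies destination NAT before the route and policy lookups, so the policy sees the translated address. The model below is an added example, not code from the original post: the interfaces, zones, destination NAT pool and rule-set, address book and policies are copied from the post's set commands, the first-path order (destination NAT, route lookup to find the egress zone, policy lookup) is the documented Junos order, and the model itself is a simplification that only covers those objects. The client address 203.0.113.10 is constructed.

```python
"""First-path model for the post's port-forwarding rule (added example)."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_zone: str


# set interfaces ... and set security zones ... interfaces ... from the post
INTERFACES = {
    "ge-0/0/0.0": ("192.168.10.83/24", "untrust"),
    "ge-0/0/1.0": ("10.1.1.254/24", "trust"),
    "ge-0/0/2.0": ("20.1.1.254/24", "dmz"),
}
DEFAULT_ROUTE_IFACE = "ge-0/0/0.0"  # static route 0.0.0.0/0 next-hop 192.168.10.253

# set security nat destination pool / rule-set from the post
DNAT_POOLS = {"port_foward_server": ("20.1.1.1", 80)}
DNAT_RULES = [
    {"rule_set": "to_web_server", "from_zone": "untrust",
     "dst": "192.168.10.85/32", "dports": {80, 8000},
     "pool": "port_foward_server"},
]

# set security zones security-zone dmz address-book ... from the post
ADDRESS_BOOK = {"dmz": {"dmz_server_01": "20.1.1.1/32"}}

# set security policies ... from the post (every policy matches application any)
POLICIES = [
    {"from": "trust", "to": "untrust", "dst": "any", "action": "permit"},
    {"from": "trust", "to": "dmz", "dst": "any", "action": "permit"},
    {"from": "dmz", "to": "untrust", "dst": "any", "action": "permit"},
    {"from": "untrust", "to": "dmz", "dst": "dmz_server_01", "action": "permit"},
]


def apply_dnat(pkt):
    """Return (packet after destination NAT, name of the rule-set hit or None)."""
    for rule in DNAT_RULES:
        if rule["from_zone"] != pkt.in_zone:
            continue
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule["dst"]):
            continue
        if pkt.dport not in rule["dports"]:
            continue
        addr, port = DNAT_POOLS[rule["pool"]]
        return replace(pkt, dst=addr, dport=port), rule["rule_set"]
    return pkt, None


def route_lookup(dst):
    """Longest match over the connected subnets, else the static default route.
    Returns (egress interface, egress zone)."""
    ip = ipaddress.ip_address(dst)
    best = None
    for name, (prefix, zone) in INTERFACES.items():
        net = ipaddress.ip_network(prefix, strict=False)
        if ip in net and (best is None or net.prefixlen > best[2]):
            best = (name, zone, net.prefixlen)
    if best is None:
        return DEFAULT_ROUTE_IFACE, INTERFACES[DEFAULT_ROUTE_IFACE][1]
    return best[0], best[1]


def policy_lookup(from_zone, to_zone, dst, policies=POLICIES):
    """First policy matching the zone pair and destination, else the deny-all default."""
    ip = ipaddress.ip_address(dst)
    for pol in policies:
        if (pol["from"], pol["to"]) != (from_zone, to_zone):
            continue
        if pol["dst"] == "any":
            return pol["action"]
        # address-book name for the destination zone, or a literal prefix
        prefix = ADDRESS_BOOK.get(to_zone, {}).get(pol["dst"], pol["dst"])
        if ip in ipaddress.ip_network(prefix, strict=False):
            return pol["action"]
    return "deny"


def first_path(pkt, policies=POLICIES):
    """Destination NAT -> route lookup -> policy lookup on the translated address."""
    translated, hit = apply_dnat(pkt)
    _, to_zone = route_lookup(translated.dst)
    action = policy_lookup(pkt.in_zone, to_zone, translated.dst, policies)
    return {"dst": translated.dst, "dport": translated.dport,
            "dnat_rule_set": hit, "to_zone": to_zone, "action": action}


if __name__ == "__main__":
    client = "203.0.113.10"  # constructed outside client
    for port in (80, 8000, 443):
        print(port, first_path(Packet(client, "192.168.10.85", port, "untrust")))
```

Port 80 and 8000 both end up at 20.1.1.1:80 in zone dmz and are permitted; port 443 matches no destination NAT rule, stays at 192.168.10.85 in the untrust zone, and falls to the deny-all default. Passing a policy written against 192.168.10.85/32 to first_path shows why that variant never matches: the lookup runs on 20.1.1.1.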
root> show security nat destination summary
Total pools: 1
Pool name             Address                  Routing        Port       Total
                      Range                    Instance                  Address
port_foward_server    20.1.1.1 - 20.1.1.1                     80         1

Total rules: 1
Rule name             Rule set        From              Action
port_forwarding       to_web_server   untrust           port_foward_server
root>
root> show security nat destination rule all
Total destination-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 1/0

Destination NAT rule: port_forwarding       Rule-set: to_web_server
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : untrust
    Destination addresses    : 192.168.10.85   - 192.168.10.85
    Destination port         : 80              - 80
                               8000            - 8000
  Action                     : port_foward_server
  Translation hits           : 106
    Successful sessions      : 106
  Number of sessions         : 0
root>
Interface check
root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.10.83/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     10.1.1.254/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     20.1.1.254/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
Routing check
root> show route

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:13:56
                    >  to 192.168.10.253 via ge-0/0/0.0
10.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/1.0
10.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/1.0
20.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/2.0
20.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/2.0
192.168.10.0/24    *[Direct/0] 00:13:56
                    >  via ge-0/0/0.0
192.168.10.83/32   *[Local/0] 00:13:56
                       Local via ge-0/0/0.0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:30:41
                       MultiRecv
root>
Security zone check
root> show security zones terse
Zone                        Type
dmz                         Security
trust                       Security
untrust                     Security
junos-host                  Security

root> show security zones

Security zone: dmz
  Zone ID: 10
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/2.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: trust
  Zone ID: 7
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/1.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: untrust
  Zone ID: 8
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: junos-host
  Zone ID: 2
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No
Security policy check
root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: trust, To zone: dmz
  Policy: trust_to_untrust, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: dmz, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: untrust, To zone: dmz
  Policy: untrust_to_dmz_web_server, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: dmz_server_01
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
root>
Policy hit-count check
root> show security policies hit-count
Logical system: root-logical-system
 Index   From zone        To zone         Name                          Policy count   Action
 1       trust            untrust         trust_to_untrust              1942           Permit
 2       trust            dmz             trust_to_untrust              0              Permit
 3       untrust          dmz             untrust_to_dmz_web_server     844            Permit
 4       dmz              untrust         trust_to_untrust              2010           Permit

Number of policy: 4
root>
Firewall configuration
root> show configuration | display set | no-more
set version 21.3R1.9
set security nat source pool source_nat address 192.168.10.84/32
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface
set security nat destination pool port_foward_server address 20.1.1.1/32
set security nat destination pool port_foward_server address port 80
set security nat destination rule-set to_web_server from zone untrust
set security nat destination rule-set to_web_server rule port_forwarding match destination-address 192.168.10.85/32
set security nat destination rule-set to_web_server rule port_forwarding match destination-port 80
set security nat destination rule-set to_web_server rule port_forwarding match destination-port 8000
set security nat destination rule-set to_web_server rule port_forwarding then destination-nat pool port_foward_server
set security nat static rule-set static_nat_01 from zone untrust
set security nat static rule-set static_nat_01 rule auth_server match destination-address 192.168.10.84/32
set security nat static rule-set static_nat_01 rule auth_server then static-nat prefix 20.1.1.1/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.84/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.85/32
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any
set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match source-address any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match destination-address dmz_server_01
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match application any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz address-book address dmz_server_01 20.1.1.1/32
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic protocols all
set security zones security-zone dmz interfaces ge-0/0/2.0
set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253
root>
Thank you for reading [2025][Juniper SRX #27] Destination Nat - Port Forwarding.
[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit
1-2 Interface configuration
set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253
1-3 Assign the interfaces to zones, and set host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic protocols all
set security zones security-zone dmz interfaces ge-0/0/2.0
1-4 Configure security policies on the SRX
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit

set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any
set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit

set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit
2. HTTP server configuration - I will enable the HTTP server on a Cisco router and use it as the web server
conf t
int g0/0
ip add 20.1.1.1 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 20.1.1.254
ip http server
*Feb 14 05:15:18.099: %SYS-5-CONFIG_I: Configured from console by console
R1#show ip int brie
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     20.1.1.1        YES manual up                    up
GigabitEthernet0/1     unassigned      YES unset  administratively down down
GigabitEthernet0/2     unassigned      YES unset  administratively down down
GigabitEthernet0/3     unassigned      YES unset  administratively down down
R1#
R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 20.1.1.254 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 20.1.1.254
      20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.1.1.0/24 is directly connected, GigabitEthernet0/0
L        20.1.1.1/32 is directly connected, GigabitEthernet0/0

R1#ping 20.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#
3. USER01 / USER02 configuration
USER01> ip 10.1.1.1/24 10.1.1.254
Checking for duplicate address...
VPCS : 10.1.1.1 255.255.255.0 gateway 10.1.1.254

USER01> save
Saving startup configuration to startup.vpc
.  done

USER01>
USER01> ping 10.1.1.254
84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms
84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms
84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms
84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms
^C
USER01>

USER02> ip 10.1.1.2/24 10.1.1.254
Checking for duplicate address...
VPCS : 10.1.1.2 255.255.255.0 gateway 10.1.1.254

USER02> save
Saving startup configuration to startup.vpc
.  done

USER02>
USER02> ping 10.1.1.254
84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms
84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms
84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms
84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms
^C
USER02>
set security nat source pool source_nat address 192.168.10.84/32
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat pool source_nat
Check again from the PCs
USER01> ping 8.8.8.8
84 bytes from 8.8.8.8 icmp_seq=1 ttl=56 time=10.328 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=5.192 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=5.557 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=5.158 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=4.425 ms

USER02> ping 8.8.8.8
84 bytes from 8.8.8.8 icmp_seq=1 ttl=56 time=10.328 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=5.192 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=5.557 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=5.158 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=4.425 ms
Configure one-to-one NAT (static NAT) between 192.168.10.84 <---> 20.1.1.1.
When the server communicates outbound, its source IP is changed 20.1.1.1 -> 192.168.10.84.
When the outside communicates with the DMZ server, the destination IP is changed 192.168.10.84 -> 20.1.1.1.
First, configure a security policy so that the external untrust zone can reach the dmz zone.
set security zones security-zone dmz address-book address dmz_server_01 20.1.1.1/32
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match source-address any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match destination-address dmz_server_01
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match application any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server then permit
The reason is that, on the SRX, ge-0/0/0 only answers ARP for the address used by the pool once that address is configured for proxy ARP.
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.84
Static NAT configuration
set security nat static rule-set static_nat_01 from zone untrust
set security nat static rule-set static_nat_01 rule auth_server match destination-address 192.168.10.84/32
set security nat static rule-set static_nat_01 rule auth_server then static-nat prefix 20.1.1.1/32
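The two directions described above (192.168.10.84 -> 20.1.1.1 inbound, 20.1.1.1 -> 192.168.10.84 outbound) come from one static NAT rule, whereas the SOURCE-NAT rule-set configured earlier only rewrites sources from 10.1.1.0/24 in zone trust. The model below is an added example, not code from the original post: the rule-sets, rule names, zones, prefixes and pool are taken from the post's set commands, the ordering (static NAT on an inbound destination, reverse static NAT on an outbound source before the source NAT rule-set is consulted) follows Junos flow processing, and the model is an assumption that only covers those objects. 20.1.1.2 is a constructed second DMZ host.

```python
"""Static NAT is bidirectional, the source NAT rule-set is not (added example)."""
import ipaddress

# set security nat static rule-set static_nat_01 ... from the post
STATIC_NAT = [
    {"rule_set": "static_nat_01", "rule": "auth_server", "from_zone": "untrust",
     "match": "192.168.10.84/32", "prefix": "20.1.1.1/32"},
]
# set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE ... then source-nat pool source_nat
SOURCE_NAT = [
    {"rule_set": "SOURCE-NAT", "rule": "PAT-INTERFACE", "from_zone": "trust",
     "to_zone": "untrust", "src": "10.1.1.0/24", "dst": "0.0.0.0/0",
     "pool": "source_nat"},
]
SOURCE_POOLS = {"source_nat": "192.168.10.84"}


def _in(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def _shift(addr, from_prefix, to_prefix):
    """Map addr onto the same host offset in another prefix (one-to-one; /32 maps to itself)."""
    src_net = ipaddress.ip_network(from_prefix, strict=False)
    dst_net = ipaddress.ip_network(to_prefix, strict=False)
    offset = int(ipaddress.ip_address(addr)) - int(src_net.network_address)
    return str(ipaddress.ip_address(int(dst_net.network_address) + offset))


def inbound_destination(dst, from_zone):
    """Destination translation for a packet arriving from from_zone.
    Returns (new destination, rule that fired or None)."""
    for r in STATIC_NAT:
        if r["from_zone"] == from_zone and _in(dst, r["match"]):
            return _shift(dst, r["match"], r["prefix"]), f"static {r['rule_set']}/{r['rule']}"
    return dst, None


def outbound_source(src, from_zone, dst, to_zone):
    """Source translation for a packet leaving toward to_zone.
    Reverse static NAT is applied first (toward the zone the static rule-set is
    'from'); the source NAT rule-set is consulted only for hosts no static rule
    covers, and only for its own zone pair and prefixes."""
    for r in STATIC_NAT:
        if r["from_zone"] == to_zone and _in(src, r["prefix"]):
            return _shift(src, r["prefix"], r["match"]), f"reverse static {r['rule_set']}/{r['rule']}"
    for r in SOURCE_NAT:
        if ((r["from_zone"], r["to_zone"]) == (from_zone, to_zone)
                and _in(src, r["src"]) and _in(dst, r["dst"])):
            return SOURCE_POOLS[r["pool"]], f"source-nat {r['rule_set']}/{r['rule']} pool {r['pool']} (PAT)"
    return src, None


if __name__ == "__main__":
    print(inbound_destination("192.168.10.84", "untrust"))
    print(outbound_source("20.1.1.1", "dmz", "8.8.8.8", "untrust"))
    print(outbound_source("10.1.1.1", "trust", "8.8.8.8", "untrust"))
    print(outbound_source("20.1.1.2", "dmz", "8.8.8.8", "untrust"))  # constructed host, untranslated
```

The last call is the point worth checking in a review: a second DMZ host leaves with its real 20.1.1.x source because neither the static rule nor the trust-only SOURCE-NAT rule-set covers it.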
Ping from the web server to the outside
R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/6 ms
R1#
root> show security nat static rule all
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0

Static NAT rule: auth_server             Rule-set: static_nat_01
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : untrust
    Destination addresses    : 192.168.10.84
    Host addresses           : 20.1.1.1
    Netmask                  : 32
    Host routing-instance    : N/A
  Translation hits           : 2083
    Successful sessions      : 2083
  Number of sessions         : 4
root>
Interface check
root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.10.83/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     10.1.1.254/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     20.1.1.254/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
Routing check
root> show route

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:13:56
                    >  to 192.168.10.253 via ge-0/0/0.0
10.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/1.0
10.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/1.0
20.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/2.0
20.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/2.0
192.168.10.0/24    *[Direct/0] 00:13:56
                    >  via ge-0/0/0.0
192.168.10.83/32   *[Local/0] 00:13:56
                       Local via ge-0/0/0.0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:30:41
                       MultiRecv
root>
Security zone check
root> show security zones terse
Zone                        Type
dmz                         Security
trust                       Security
untrust                     Security
junos-host                  Security

root> show security zones

Security zone: dmz
  Zone ID: 10
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/2.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: trust
  Zone ID: 7
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/1.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: untrust
  Zone ID: 8
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: junos-host
  Zone ID: 2
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No
Security policy check
root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: trust, To zone: dmz
  Policy: trust_to_untrust, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: dmz, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: untrust, To zone: dmz
  Policy: untrust_to_dmz_web_server, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: dmz_server_01
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
root>
Policy hit-count check
root> show security policies hit-count
Logical system: root-logical-system
 Index   From zone        To zone         Name                          Policy count   Action
 1       trust            untrust         trust_to_untrust              1942           Permit
 2       trust            dmz             trust_to_untrust              0              Permit
 3       untrust          dmz             untrust_to_dmz_web_server     196            Permit
 4       dmz              untrust         trust_to_untrust              2010           Permit

Number of policy: 4
root>
Firewall NAT check
root> show security nat source summary
Total port number usage for port translation pool: 64512
Maximum port number for port translation pool: 50331648
Total pools: 1
Pool                 Address                     Routing          PAT   Total
Name                 Range                       Instance               Address
source_nat           192.168.10.84-192.168.10.84 default          yes   1

Total rules: 1
Rule name           Rule set       From              To                Action
PAT-INTERFACE       SOURCE-NAT     trust             untrust           interface
                                                                       ^
syntax error, expecting <command>.

root> show security nat source rule all
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0

source NAT rule: PAT-INTERFACE           Rule-set: SOURCE-NAT
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : trust
  To zone                    : untrust
  Match
    Source addresses         : 10.1.1.0        - 10.1.1.255
    Destination addresses    : 0.0.0.0         - 255.255.255.255
  Action                     : interface
    Persistent NAT type      : N/A
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout       : 0
    Max session number       : 0
  Translation hits           : 1942
    Successful sessions      : 1942
  Number of sessions         : 0
root> show security nat static rule all
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0

Static NAT rule: auth_server             Rule-set: static_nat_01
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : untrust
    Destination addresses    : 192.168.10.84
    Host addresses           : 20.1.1.1
    Netmask                  : 32
    Host routing-instance    : N/A
  Translation hits           : 2302
    Successful sessions      : 2302
  Number of sessions         : 5
root>
Firewall configuration
root> show configuration | display set | no-more
set version 21.3R1.9
set security nat source pool source_nat address 192.168.10.84/32
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface
set security nat static rule-set static_nat_01 from zone untrust
set security nat static rule-set static_nat_01 rule auth_server match destination-address 192.168.10.84/32
set security nat static rule-set static_nat_01 rule auth_server then static-nat prefix 20.1.1.1/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.84/32
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any
set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match source-address any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match destination-address dmz_server_01
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match application any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz address-book address dmz_server_01 20.1.1.1/32
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic protocols all
set security zones security-zone dmz interfaces ge-0/0/2.0
set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253
root>
Thank you for reading [2025][Juniper SRX #26] Source Nat - SNAT - IP Pool.
[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit
1-2 Interface configuration
set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253
1-3 Assign the interfaces to zones, and set host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic protocols all
set security zones security-zone dmz interfaces ge-0/0/2.0
1-4 Firewall policy configuration on the SRX
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit

set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any
set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit

set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit
2. HTTP server setup - I will enable the HTTP server on a Cisco router and use it as the HTTP server
conf t
int g0/0
ip add 20.1.1.1 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 20.1.1.254
ip http server
R1#show
*Feb 14 05:15:18.099: %SYS-5-CONFIG_I: Configured from console by console
ip int brie
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         20.1.1.1        YES manual up                    up
GigabitEthernet0/1         unassigned      YES unset  administratively down down
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
R1#
R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 20.1.1.254 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 20.1.1.254
      20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.1.1.0/24 is directly connected, GigabitEthernet0/0
L        20.1.1.1/32 is directly connected, GigabitEthernet0/0

R1#ping 20.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#
3. PC configuration
VPCS> ip 10.1.1.1/24 10.1.1.254
Checking for duplicate address...
VPCS : 10.1.1.1 255.255.255.0 gateway 10.1.1.254

VPCS> save
Saving startup configuration to startup.vpc
.  done

VPCS>
VPCS> ping 10.1.1.254

84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms
84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms
84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms
84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms
^C
VPCS>
set security nat source pool source_nat address 192.168.10.84/32
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat pool source_nat
The reason is that ge-0/0/0 only answers ARP for the IP pool address once that address is configured on the SRX as a proxy-ARP address.
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.84
Ping 8.8.8.8 from the PC again
VPCS> ping 8.8.8.8 -c 1000

8.8.8.8 icmp_seq=1 timeout
84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=2.049 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=1.954 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=2.603 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=2.052 ms
84 bytes from 8.8.8.8 icmp_seq=6 ttl=56 time=2.130 ms
84 bytes from 8.8.8.8 icmp_seq=7 ttl=56 time=2.229 ms
84 bytes from 8.8.8.8 icmp_seq=8 ttl=56 time=2.078 ms
84 bytes from 8.8.8.8 icmp_seq=9 ttl=56 time=2.150 ms
84 bytes from 8.8.8.8 icmp_seq=10 ttl=56 time=2.061 ms
84 bytes from 8.8.8.8 icmp_seq=11 ttl=56 time=2.151 ms
84 bytes from 8.8.8.8 icmp_seq=12 ttl=56 time=2.173 ms
84 bytes from 8.8.8.8 icmp_seq=13 ttl=56 time=2.450 ms
84 bytes from 8.8.8.8 icmp_seq=14 ttl=56 time=2.411 ms
84 bytes from 8.8.8.8 icmp_seq=15 ttl=56 time=2.296 ms
84 bytes from 8.8.8.8 icmp_seq=16 ttl=56 time=2.049 ms
84 bytes from 8.8.8.8 icmp_seq=17 ttl=56 time=2.047 ms
84 bytes from 8.8.8.8 icmp_seq=18 ttl=56 time=2.101 ms

R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#
Configure SNAT on the SRX for the DMZ
set security nat source rule-set SOURCE-NAT from zone dmz
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 20.1.1.0/24
Try a ping from the HTTP server
R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/6 ms
R1#
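As an added example (not from the post), a Python check over a Junos "display set" configuration that catches the two source-NAT slips walked through above: a pool address with no proxy-arp entry on the untrust interface, and a zone (dmz here) that has a permit policy towards untrust but is missing from the rule-set's from zones. The function names are assumed, and the sample configurations are constructed from the post's commands.

```python
import ipaddress
import re
from collections import defaultdict


def parse_set_config(text):
    """Split 'set ...' statements into token lists (the leading 'set' is dropped)."""
    stmts = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("set "):
            # keep quoted values such as encrypted passwords as one token
            stmts.append(re.findall(r'"[^"]*"|\S+', line)[1:])
    return stmts


def _iface_ip(t):
    """'interfaces X unit U family inet address A/len' -> ('X.U', A), else None."""
    if t[:1] == ["interfaces"] and t[2:3] == ["unit"] and t[4:7] == ["family", "inet", "address"]:
        return f"{t[1]}.{t[3]}", ipaddress.ip_interface(t[7]).ip
    return None


def snat_findings(config):
    """Return human-readable findings about the source-NAT setup in `config`."""
    pools, rs_to, rs_from, rule_pool = {}, {}, defaultdict(set), {}
    zone_ifaces, proxy_arp, iface_ip = defaultdict(set), defaultdict(list), {}
    policy_pairs = set()  # (from-zone, to-zone) pairs that have a permit policy
    for t in parse_set_config(config):
        if t[:4] == ["security", "nat", "source", "pool"] and t[5:6] == ["address"]:
            pools[t[4]] = ipaddress.ip_interface(t[6]).ip  # single-address pool
        elif t[:4] == ["security", "nat", "source", "rule-set"]:
            if t[5:7] == ["to", "zone"]:
                rs_to[t[4]] = t[7]
            elif t[5:7] == ["from", "zone"]:
                rs_from[t[4]].add(t[7])
            elif t[5:6] == ["rule"] and t[7:10] == ["then", "source-nat", "pool"]:
                rule_pool[(t[4], t[6])] = t[10]
        elif t[:3] == ["security", "nat", "proxy-arp"] and t[5:6] == ["address"]:
            # 'proxy-arp interface <ifl> address <A or A/len>' (ranges with 'to' not handled)
            proxy_arp[t[4]].append(ipaddress.ip_network(t[6], strict=False))
        elif t[:3] == ["security", "zones", "security-zone"] and t[4:5] == ["interfaces"]:
            zone_ifaces[t[3]].add(t[5])
        elif t[:2] == ["security", "policies"] and t[-2:] == ["then", "permit"]:
            policy_pairs.add((t[3], t[5]))  # from-zone <X> to-zone <Y> policy ...
        elif (hit := _iface_ip(t)) is not None:
            iface_ip[hit[0]] = hit[1]

    findings = []
    # 1. A pool address that is not the egress interface's own IP needs proxy-arp,
    #    or nothing on the wire answers ARP for it and return traffic is lost.
    for (rs, rule), pool in rule_pool.items():
        ip = pools.get(pool)
        for ifl in sorted(zone_ifaces.get(rs_to.get(rs), ())):
            if ip is None or ip == iface_ip.get(ifl):
                continue
            if not any(ip in net for net in proxy_arp.get(ifl, [])):
                findings.append(f"pool {pool} ({ip}) used by rule {rule} has no proxy-arp on {ifl}")
    # 2. A zone with a permit policy towards the rule-set's to-zone but missing from
    #    its 'from zone' list gets no translation (the dmz case above).
    for rs, to_zone in rs_to.items():
        for frm, to in sorted(policy_pairs):
            if to == to_zone and frm not in rs_from[rs]:
                findings.append(f"zone {frm} is permitted to {to} but is not in rule-set {rs}")
    return findings


# Constructed from the post's commands: the state right after the pool rule was
# added, before the proxy-arp entry and before the dmz zone joined the rule-set.
BEFORE = """
set security nat source pool source_nat address 192.168.10.84/32
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat pool source_nat
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit
set security zones security-zone untrust interfaces ge-0/0/0.0
set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
"""
# The two lines the post adds to fix both problems.
AFTER = BEFORE + """
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.84
set security nat source rule-set SOURCE-NAT from zone dmz
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, snat_findings(cfg) or ["no findings"])
```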
Basic verification commands on the SRX
Checking interfaces
root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.10.83/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     10.1.1.254/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     20.1.1.254/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
Checking routes
root> show route
inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:13:56
                    >  to 192.168.10.253 via ge-0/0/0.0
10.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/1.0
10.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/1.0
20.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/2.0
20.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/2.0
192.168.10.0/24    *[Direct/0] 00:13:56
                    >  via ge-0/0/0.0
192.168.10.83/32   *[Local/0] 00:13:56
                       Local via ge-0/0/0.0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:30:41
                       MultiRecv
root>
Checking security zones
root> show security zones terse
Zone                        Type
dmz                         Security
trust                       Security
untrust                     Security
junos-host                  Security
root> show security zones
Security zone: dmz
  Zone ID: 10
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/2.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: trust
  Zone ID: 7
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/1.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: untrust
  Zone ID: 8
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: junos-host
  Zone ID: 2
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No
Checking firewall policies
root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: trust, To zone: dmz
  Policy: trust_to_untrust, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: dmz, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
Checking firewall policy hit counts
root> show security policies hit-count
Logical system: root-logical-system
  Index   From zone   To zone   Name               Policy count   Action
  1       trust       untrust   trust_to_untrust   15             Permit
  2       trust       dmz       trust_to_untrust   0              Permit
  3       dmz         untrust   trust_to_untrust   10             Permit
Number of policy: 3
root>
Checking firewall NAT
root> show security nat source summary
Total pools: 0

Total rules: 1
Rule name          Rule set       From         To           Action
PAT-INTERFACE      SOURCE-NAT     dmz          untrust      interface
PAT-INTERFACE                     trust

root> show security nat source rule all
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 3/0

source NAT rule: PAT-INTERFACE          Rule-set: SOURCE-NAT
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : dmz
                             : trust
  To zone                    : untrust
  Match
    Source addresses         : 10.1.1.0        - 10.1.1.255
                               20.1.1.0        - 20.1.1.255
    Destination addresses    : 0.0.0.0         - 255.255.255.255
  Action                     : interface
    Persistent NAT type      : N/A
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout       : 0
    Max session number       : 0
  Translation hits           : 10
    Successful sessions      : 10
    Number of sessions       : 0
Firewall configuration
root> show configuration | display set | no-more
set version 21.3R1.9
set system root-authentication encrypted-password "$6$foWa5m5j$QTNzAZvC.AJNs4b9yJq/18Qp038uo2x6rPM/imUQn/M3hFIJsz5FxlOXdwq6iS2UG12O3SIpFdTzZBYi4wmkY1"
set security nat source pool source_nat address 192.168.10.84/32
set security nat source rule-set SOURCE-NAT from zone dmz
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 20.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat pool source_nat
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.84/32
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any
set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic protocols all
set security zones security-zone dmz interfaces ge-0/0/2.0
set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253
root>
Thank you for reading [2025][Juniper SRX #26] Source Nat - SNAT - IP Pool.
Once the S2S VPN is up, PC 192.168.1.10 <-> PC 192.168.2.10 can communicate.
2. SRX01 configuration
2-1 Tunnel interface configuration
set interfaces st0 unit 0 family inet address 1.1.1.1/30
set interfaces st0 unit 0 family inet mtu 1500
set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn host-inbound-traffic protocols all
set security zones security-zone vpn interfaces st0.0
2-2 Configure the RIP protocol to exchange routes with the peer over the tunnel interface.
set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2p
set protocols ospf area 0.0.0.0 interface st0.0 neighbor 1.1.1.2
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 passive
set routing-options router-id 1.1.1.1
2-3 IKE configuration
IKE policy name: IKE-POLICY-S2SVPN-01
IKE gateway name: IKE-GW-S2SVPN-01
Pre-shared key: juniper
set security ike proposal standard authentication-method pre-shared-keys
set security ike policy IKE-POLICY-S2SVPN-01 mode aggressive
set security ike policy IKE-POLICY-S2SVPN-01 proposals standard
set security ike policy IKE-POLICY-S2SVPN-01 pre-shared-key ascii-text juniper
set security ike gateway IKE-GW-S2SVPN-01 ike-policy IKE-POLICY-S2SVPN-01
set security ike gateway IKE-GW-S2SVPN-01 address 20.1.1.1
set security ike gateway IKE-GW-S2SVPN-01 external-interface ge-0/0/0
2-4 IPsec configuration
set security ipsec proposal standard
set security ipsec policy IPSEC-POLICY-S2SVPN-01 proposals standard
set security ipsec vpn SRX01-TO-SRX02 bind-interface st0.0
set security ipsec vpn SRX01-TO-SRX02 ike gateway IKE-GW-S2SVPN-01
set security ipsec vpn SRX01-TO-SRX02 ike ipsec-policy IPSEC-POLICY-S2SVPN-01
set security ipsec vpn SRX01-TO-SRX02 establish-tunnels immediately
2-5 Firewall policy configuration for the S2S VPN
set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn interfaces st0.0

set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit

set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any
set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit
3 SRX02 configuration
3-1 Tunnel interface configuration
set interfaces st0 unit 0 family inet address 1.1.1.2/30
set interfaces st0 unit 0 family inet mtu 1500
set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn host-inbound-traffic protocols all
set security zones security-zone vpn interfaces st0.0
3-2 Configure RIP to exchange routes so the peers can communicate over the tunnel interface.
set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2p
set protocols ospf area 0.0.0.0 interface st0.0 neighbor 1.1.1.1
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 passive
set routing-options router-id 1.1.1.2
3-3 IKE configuration
IKE policy name: IKE-POLICY-S2SVPN-01
IKE gateway name: IKE-GW-S2SVPN-01
Pre-shared key: juniper
set security ike proposal standard authentication-method pre-shared-keys
set security ike policy IKE-POLICY-S2SVPN-01 mode aggressive
set security ike policy IKE-POLICY-S2SVPN-01 proposals standard
set security ike policy IKE-POLICY-S2SVPN-01 pre-shared-key ascii-text juniper
set security ike gateway IKE-GW-S2SVPN-01 ike-policy IKE-POLICY-S2SVPN-01
set security ike gateway IKE-GW-S2SVPN-01 address 10.1.1.1
set security ike gateway IKE-GW-S2SVPN-01 external-interface ge-0/0/0
3-4 IPsec configuration
set security ipsec proposal standard
set security ipsec policy IPSEC-POLICY-S2SVPN-01 proposals standard
set security ipsec vpn SRX02-TO-SRX01 bind-interface st0.0
set security ipsec vpn SRX02-TO-SRX01 ike gateway IKE-GW-S2SVPN-01
set security ipsec vpn SRX02-TO-SRX01 ike ipsec-policy IPSEC-POLICY-S2SVPN-01
set security ipsec vpn SRX02-TO-SRX01 establish-tunnels immediately
3-5 Firewall policy configuration for the S2S VPN
set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn interfaces st0.0

set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit

set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any
set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit
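As an added example (not from the post), a Python cross-check of the two peers' "display set" configurations for the values that must agree before the tunnel above can form: each IKE gateway address equals the other side's external-interface IP, the st0 addresses share one /30, each side lists the other's tunnel address as its OSPF neighbor, and the IKE mode matches. The function names are assumed; the sample configurations are constructed from the SRX01/SRX02 commands in steps 2 and 3.

```python
import ipaddress


def vpn_facts(config):
    """Pull the fields the peer cross-check needs out of a 'display set' config."""
    f = {"iface_ip": {}, "zone_ifaces": set(), "ospf_neighbors": set()}
    for t in [l.split()[1:] for l in config.splitlines() if l.strip().startswith("set ")]:
        if t[:1] == ["interfaces"] and t[4:7] == ["family", "inet", "address"]:
            f["iface_ip"][f"{t[1]}.{t[3]}"] = ipaddress.ip_interface(t[7])
        elif t[:3] == ["security", "ike", "gateway"] and t[4:5] == ["address"]:
            f["peer"] = ipaddress.ip_address(t[5])
        elif t[:3] == ["security", "ike", "gateway"] and t[4:5] == ["external-interface"]:
            f["ext"] = t[5] if "." in t[5] else t[5] + ".0"  # 'ge-0/0/0' means unit 0
        elif t[:3] == ["security", "ike", "policy"] and t[4:5] == ["mode"]:
            f["mode"] = t[5]
        elif t[:3] == ["security", "ipsec", "vpn"] and t[4:5] == ["bind-interface"]:
            f["bind"] = t[5]
        elif t[:2] == ["protocols", "ospf"] and t[6:7] == ["neighbor"]:
            f["ospf_neighbors"].add(ipaddress.ip_address(t[7]))
        elif t[:3] == ["security", "zones", "security-zone"] and t[4:5] == ["interfaces"]:
            f["zone_ifaces"].add(t[5])
    return f


def peer_mismatches(a, b, names=("A", "B")):
    """Cross-check two peers' facts; an empty list means the pair is consistent."""
    issues = []
    for x, y, name in ((a, b, names[0]), (b, a, names[1])):
        # the IKE gateway address on this side must be the other side's external IP
        ext = y["iface_ip"].get(y.get("ext"))
        if ext is None or x.get("peer") != ext.ip:
            issues.append(f"{name}: ike gateway address {x.get('peer')} is not the peer's external-interface IP")
        st0, peer_st0 = x["iface_ip"].get(x.get("bind")), y["iface_ip"].get(y.get("bind"))
        if st0 is None or x.get("bind") not in x["zone_ifaces"]:
            issues.append(f"{name}: bind-interface {x.get('bind')} has no inet address or is in no zone")
        elif peer_st0 is not None and st0.network != peer_st0.network:
            issues.append(f"{name}: tunnel address {st0} is not in the peer's tunnel network {peer_st0.network}")
        if peer_st0 is not None and peer_st0.ip not in x["ospf_neighbors"]:
            issues.append(f"{name}: ospf neighbor list lacks the peer tunnel address {peer_st0.ip}")
    if a.get("mode") != b.get("mode"):
        issues.append(f"ike mode differs: {a.get('mode')} vs {b.get('mode')}")
    return issues


# Constructed from the post's SRX01 / SRX02 commands (only the lines the check reads).
SRX01 = """
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
set interfaces st0 unit 0 family inet address 1.1.1.1/30
set security zones security-zone vpn interfaces st0.0
set protocols ospf area 0.0.0.0 interface st0.0 neighbor 1.1.1.2
set security ike policy IKE-POLICY-S2SVPN-01 mode aggressive
set security ike gateway IKE-GW-S2SVPN-01 address 20.1.1.1
set security ike gateway IKE-GW-S2SVPN-01 external-interface ge-0/0/0
set security ipsec vpn SRX01-TO-SRX02 bind-interface st0.0
"""
SRX02 = """
set interfaces ge-0/0/0 unit 0 family inet address 20.1.1.1/24
set interfaces st0 unit 0 family inet address 1.1.1.2/30
set security zones security-zone vpn interfaces st0.0
set protocols ospf area 0.0.0.0 interface st0.0 neighbor 1.1.1.1
set security ike policy IKE-POLICY-S2SVPN-01 mode aggressive
set security ike gateway IKE-GW-S2SVPN-01 address 10.1.1.1
set security ike gateway IKE-GW-S2SVPN-01 external-interface ge-0/0/0
set security ipsec vpn SRX02-TO-SRX01 bind-interface st0.0
"""
# A constructed slip: SRX02 points at 10.1.1.2 instead of SRX01's 10.1.1.1.
SRX02_TYPO = SRX02.replace("IKE-GW-S2SVPN-01 address 10.1.1.1", "IKE-GW-S2SVPN-01 address 10.1.1.2")

if __name__ == "__main__":
    good = peer_mismatches(vpn_facts(SRX01), vpn_facts(SRX02), ("SRX01", "SRX02"))
    bad = peer_mismatches(vpn_facts(SRX01), vpn_facts(SRX02_TYPO), ("SRX01", "SRX02"))
    print("consistent:", good or "yes")
    print("with typo:", bad)
```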
Checking OSPF state
SRX01
root@SRX01> show ospf neighbor
Address          Interface              State           ID               Pri  Dead
1.1.1.2          st0.0                  Full            1.1.1.2          128    31
root@SRX01> show route
inet.0: 9 destinations, 10 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:50:07
                    >  to 10.1.1.254 via ge-0/0/0.0
1.1.1.0/30         *[Direct/0] 00:14:28
                    >  via st0.0
                    [OSPF/10] 00:14:24, metric 1
                    >  via st0.0
1.1.1.1/32         *[Local/0] 00:14:28
                       Local via st0.0
10.1.1.0/24        *[Direct/0] 00:50:07
                    >  via ge-0/0/0.0
10.1.1.1/32        *[Local/0] 00:50:07
                       Local via ge-0/0/0.0
192.168.1.0/24     *[Direct/0] 00:50:07
                    >  via ge-0/0/1.0
192.168.1.1/32     *[Local/0] 00:50:07
                       Local via ge-0/0/1.0
192.168.2.0/24     *[OSPF/10] 00:10:32, metric 2
                    >  via st0.0
224.0.0.5/32       *[OSPF/10] 00:14:29, metric 1
                       MultiRecv

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:51:09
                       MultiRecv
root@SRX01>
SRX02
root@SRX02> show ospf neighbor
Address          Interface              State           ID               Pri  Dead
1.1.1.1          st0.0                  Full            1.1.1.1          128    37
root@SRX02> show route
inet.0: 9 destinations, 10 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:50:23
                    >  to 20.1.1.254 via ge-0/0/0.0
1.1.1.0/30         *[Direct/0] 00:13:30
                    >  via st0.0
                    [OSPF/10] 00:13:26, metric 1
                    >  via st0.0
1.1.1.2/32         *[Local/0] 00:13:30
                       Local via st0.0
20.1.1.0/24        *[Direct/0] 00:50:23
                    >  via ge-0/0/0.0
20.1.1.1/32        *[Local/0] 00:50:23
                       Local via ge-0/0/0.0
192.168.1.0/24     *[OSPF/10] 00:10:54, metric 2
                    >  via st0.0
192.168.2.0/24     *[Direct/0] 00:50:23
                    >  via ge-0/0/1.0
192.168.2.1/32     *[Local/0] 00:50:23
                       Local via ge-0/0/1.0
224.0.0.5/32       *[OSPF/10] 00:13:31, metric 1
                       MultiRecv

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:51:27
                       MultiRecv
root@SRX02>
4. Test
Ping 192.168.2.10 from PC01 to PC02
Ping 192.168.1.10 from PC02 to PC01
PC01
84 bytes from 192.168.2.10 icmp_seq=105 ttl=62 time=12.610 ms
84 bytes from 192.168.2.10 icmp_seq=106 ttl=62 time=33.502 ms
84 bytes from 192.168.2.10 icmp_seq=107 ttl=62 time=3.875 ms
84 bytes from 192.168.2.10 icmp_seq=108 ttl=62 time=5.376 ms
84 bytes from 192.168.2.10 icmp_seq=109 ttl=62 time=3.175 ms
84 bytes from 192.168.2.10 icmp_seq=110 ttl=62 time=2.963 ms
84 bytes from 192.168.2.10 icmp_seq=111 ttl=62 time=3.547 ms
84 bytes from 192.168.2.10 icmp_seq=112 ttl=62 time=3.976 ms
84 bytes from 192.168.2.10 icmp_seq=113 ttl=62 time=3.358 ms
84 bytes from 192.168.2.10 icmp_seq=114 ttl=62 time=9.753 ms
84 bytes from 192.168.2.10 icmp_seq=115 ttl=62 time=3.128 ms
84 bytes from 192.168.2.10 icmp_seq=116 ttl=62 time=4.142 ms
84 bytes from 192.168.2.10 icmp_seq=117 ttl=62 time=3.175 ms
84 bytes from 192.168.2.10 icmp_seq=118 ttl=62 time=4.214 ms
84 bytes from 192.168.2.10 icmp_seq=119 ttl=62 time=3.807 ms
84 bytes from 192.168.2.10 icmp_seq=120 ttl=62 time=4.220 ms
84 bytes from 192.168.2.10 icmp_seq=121 ttl=62 time=7.300 ms
84 bytes from 192.168.2.10 icmp_seq=122 ttl=62 time=3.735 ms
84 bytes from 192.168.2.10 icmp_seq=123 ttl=62 time=5.798 ms
84 bytes from 192.168.2.10 icmp_seq=124 ttl=62 time=3.588 ms
84 bytes from 192.168.2.10 icmp_seq=125 ttl=62 time=3.750 ms
84 bytes from 192.168.2.10 icmp_seq=126 ttl=62 time=3.633 ms
84 bytes from 192.168.2.10 icmp_seq=127 ttl=62 time=2.710 ms
84 bytes from 192.168.2.10 icmp_seq=128 ttl=62 time=4.018 ms
84 bytes from 192.168.2.10 icmp_seq=129 ttl=62 time=3.169 ms
84 bytes from 192.168.2.10 icmp_seq=130 ttl=62 time=3.093 ms
84 bytes from 192.168.2.10 icmp_seq=131 ttl=62 time=3.001 ms
84 bytes from 192.168.2.10 icmp_seq=132 ttl=62 time=4.013 ms
84 bytes from 192.168.2.10 icmp_seq=133 ttl=62 time=3.296 ms
84 bytes from 192.168.2.10 icmp_seq=134 ttl=62 time=2.731 ms
84 bytes from 192.168.2.10 icmp_seq=135 ttl=62 time=3.164 ms
84 bytes from 192.168.2.10 icmp_seq=136 ttl=62 time=3.521 ms
84 bytes from 192.168.2.10 icmp_seq=137 ttl=62 time=3.264 ms
84 bytes from 192.168.2.10 icmp_seq=138 ttl=62 time=3.372 ms
PC02
84 bytes from 192.168.1.10 icmp_seq=96 ttl=62 time=11.549 ms
84 bytes from 192.168.1.10 icmp_seq=97 ttl=62 time=3.299 ms
84 bytes from 192.168.1.10 icmp_seq=98 ttl=62 time=4.139 ms
84 bytes from 192.168.1.10 icmp_seq=99 ttl=62 time=6.704 ms
84 bytes from 192.168.1.10 icmp_seq=100 ttl=62 time=7.948 ms
84 bytes from 192.168.1.10 icmp_seq=101 ttl=62 time=7.042 ms
84 bytes from 192.168.1.10 icmp_seq=102 ttl=62 time=8.883 ms
84 bytes from 192.168.1.10 icmp_seq=103 ttl=62 time=5.830 ms
84 bytes from 192.168.1.10 icmp_seq=104 ttl=62 time=3.864 ms
84 bytes from 192.168.1.10 icmp_seq=105 ttl=62 time=7.203 ms
84 bytes from 192.168.1.10 icmp_seq=106 ttl=62 time=5.233 ms
84 bytes from 192.168.1.10 icmp_seq=107 ttl=62 time=3.276 ms
84 bytes from 192.168.1.10 icmp_seq=108 ttl=62 time=3.849 ms
84 bytes from 192.168.1.10 icmp_seq=109 ttl=62 time=4.194 ms
84 bytes from 192.168.1.10 icmp_seq=110 ttl=62 time=3.221 ms
84 bytes from 192.168.1.10 icmp_seq=111 ttl=62 time=3.447 ms
84 bytes from 192.168.1.10 icmp_seq=112 ttl=62 time=4.475 ms
84 bytes from 192.168.1.10 icmp_seq=113 ttl=62 time=4.493 ms
84 bytes from 192.168.1.10 icmp_seq=114 ttl=62 time=3.987 ms
84 bytes from 192.168.1.10 icmp_seq=115 ttl=62 time=3.965 ms
84 bytes from 192.168.1.10 icmp_seq=116 ttl=62 time=3.814 ms
84 bytes from 192.168.1.10 icmp_seq=117 ttl=62 time=3.276 ms
84 bytes from 192.168.1.10 icmp_seq=118 ttl=62 time=3.454 ms
84 bytes from 192.168.1.10 icmp_seq=119 ttl=62 time=4.694 ms
84 bytes from 192.168.1.10 icmp_seq=120 ttl=62 time=4.093 ms
84 bytes from 192.168.1.10 icmp_seq=121 ttl=62 time=3.481 ms
84 bytes from 192.168.1.10 icmp_seq=122 ttl=62 time=5.376 ms
84 bytes from 192.168.1.10 icmp_seq=123 ttl=62 time=3.494 ms
84 bytes from 192.168.1.10 icmp_seq=124 ttl=62 time=4.032 ms
84 bytes from 192.168.1.10 icmp_seq=125 ttl=62 time=3.6
4. Checking S2S VPN state
SRX01
Once IKE Phase 1 shows UP, check IPsec.
root@SRX01> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode        Remote Address
5482273 UP     65c909f14f4d8824  7d74504d227553ca  Aggressive  20.1.1.1
Check that the IPsec Phase 2 tunnel has been created as shown below
root@SRX01> show security ipsec security-associations
  Total active tunnels: 1     Total Ipsec sas: 1
  ID      Algorithm       SPI       Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:3des/sha1   fc12e938  3062/ unlim  -   root 500   20.1.1.1
  >131073 ESP:3des/sha1   49d44ef0  3062/ unlim  -   root 500   20.1.1.1
Start a continuous ping from PC01 to PC02 and check that the packet count actually goes up.
root@SRX02> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode        Remote Address
6514201 UP     65c909f14f4d8824  7d74504d227553ca  Aggressive  10.1.1.1

root@SRX02>
The IPsec Phase 2 tunnel has been created.
root@SRX02> show security ipsec security-associations
  Total active tunnels: 1     Total Ipsec sas: 1
  ID      Algorithm       SPI       Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:3des/sha1   49d44ef0  2678/ unlim  -   root 500   10.1.1.1
  >131073 ESP:3des/sha1   fc12e938  2678/ unlim  -   root 500   10.1.1.1
root@SRX01> show configuration | display set | no-more
set version 21.3R1.9
set system host-name SRX01
set security ike proposal standard authentication-method pre-shared-keys
set security ike policy IKE-POLICY-S2SVPN-01 mode aggressive
set security ike policy IKE-POLICY-S2SVPN-01 proposals standard
set security ike policy IKE-POLICY-S2SVPN-01 pre-shared-key ascii-text "$9$a-GjqTz6uORmfORhSMWJGD"
set security ike gateway IKE-GW-S2SVPN-01 ike-policy IKE-POLICY-S2SVPN-01
set security ike gateway IKE-GW-S2SVPN-01 address 20.1.1.1
set security ike gateway IKE-GW-S2SVPN-01 external-interface ge-0/0/0
set security ipsec proposal standard
set security ipsec policy IPSEC-POLICY-S2SVPN-01 proposals standard
set security ipsec vpn SRX01-TO-SRX02 bind-interface st0.0
set security ipsec vpn SRX01-TO-SRX02 ike gateway IKE-GW-S2SVPN-01
set security ipsec vpn SRX01-TO-SRX02 ike ipsec-policy IPSEC-POLICY-S2SVPN-01
set security ipsec vpn SRX01-TO-SRX02 establish-tunnels immediately
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 192.168.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit
set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any
set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn host-inbound-traffic protocols all
set security zones security-zone vpn interfaces st0.0
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set interfaces st0 unit 0 family inet mtu 1500
set interfaces st0 unit 0 family inet address 1.1.1.1/30
set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2p
set protocols ospf area 0.0.0.0 interface st0.0 neighbor 1.1.1.2
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 passive
set routing-options router-id 1.1.1.1
set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254
SRX02
root@SRX02> show configuration | display set | no-more
set version 21.3R1.9
set system host-name SRX02
set security ike proposal standard authentication-method pre-shared-keys
set security ike policy IKE-POLICY-S2SVPN-01 mode aggressive
set security ike policy IKE-POLICY-S2SVPN-01 proposals standard
set security ike policy IKE-POLICY-S2SVPN-01 pre-shared-key ascii-text "$9$SY2lvLdb2GDkxNDk.P3nylK"
set security ike gateway IKE-GW-S2SVPN-01 ike-policy IKE-POLICY-S2SVPN-01
set security ike gateway IKE-GW-S2SVPN-01 address 10.1.1.1
set security ike gateway IKE-GW-S2SVPN-01 external-interface ge-0/0/0
set security ipsec proposal standard
set security ipsec policy IPSEC-POLICY-S2SVPN-01 proposals standard
set security ipsec vpn SRX02-TO-SRX01 bind-interface st0.0
set security ipsec vpn SRX02-TO-SRX01 ike gateway IKE-GW-S2SVPN-01
set security ipsec vpn SRX02-TO-SRX01 ike ipsec-policy IPSEC-POLICY-S2SVPN-01
set security ipsec vpn SRX02-TO-SRX01 establish-tunnels immediately
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 192.168.2.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit
set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any
set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn host-inbound-traffic protocols all
set security zones security-zone vpn interfaces st0.0
set interfaces ge-0/0/0 unit 0 family inet address 20.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
set interfaces st0 unit 0 family inet mtu 1500
set interfaces st0 unit 0 family inet address 1.1.1.2/30
set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2p
set protocols ospf area 0.0.0.0 interface st0.0 neighbor 1.1.1.1
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 passive
set routing-options router-id 1.1.1.2
set routing-options static route 0.0.0.0/0 next-hop 20.1.1.254
root@SRX02>
Router
hostname INT_R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
interface GigabitEthernet0/0
 ip address 10.1.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip address 20.1.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 ip address 192.168.10.99 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 192.168.10.253
!
ipv6 ioam timestamp
!
access-list 1 permit any
!
Thank you for reading [2025][Juniper SRX #23] site to site vpn - S2S VPN - OSPF.
After the S2S VPN is connected, PC 192.168.1.10 <-> PC 192.168.2.10 can communicate with each other.
2. SRX01 configuration
2-1 Tunnel interface configuration
set interfaces st0 unit 0 family inet
2-2 Static route through the tunnel interface to the peer SRX02's internal network 192.168.2.0/24
set routing-options static route 192.168.2.0/24 next-hop st0.0
2-3 IKE configuration
IKE POLICY Name: IKE-POLICY-S2SVPN-01
IKE GATEWAY Name: IKE-GW-S2SVPN-01
Pre-shared key: juniper
set security ike proposal standard authentication-method pre-shared-keys
set security ike policy IKE-POLICY-S2SVPN-01 mode aggressive
set security ike policy IKE-POLICY-S2SVPN-01 proposals standard
set security ike policy IKE-POLICY-S2SVPN-01 pre-shared-key ascii-text juniper
set security ike gateway IKE-GW-S2SVPN-01 ike-policy IKE-POLICY-S2SVPN-01
set security ike gateway IKE-GW-S2SVPN-01 address 20.1.1.1
set security ike gateway IKE-GW-S2SVPN-01 external-interface ge-0/0/0
2-4 IPsec configuration
set security ipsec proposal standard
set security ipsec policy IPSEC-POLICY-S2SVPN-01 proposals standard
set security ipsec vpn SRX01-TO-SRX02 bind-interface st0.0
set security ipsec vpn SRX01-TO-SRX02 ike gateway IKE-GW-S2SVPN-01
set security ipsec vpn SRX01-TO-SRX02 ike ipsec-policy IPSEC-POLICY-S2SVPN-01
set security ipsec vpn SRX01-TO-SRX02 establish-tunnels immediately
2-5 Firewall policy configuration for the S2S VPN
set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn interfaces st0.0
set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit
set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any
set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit
3. SRX02 configuration
3-1 Tunnel interface configuration
set interfaces st0 unit 0 family inet
3-2 Static route through the tunnel interface to the peer's internal network 192.168.1.0/24
set routing-options static route 192.168.1.0/24 next-hop st0.0
3-3 IKE configuration
IKE POLICY Name: IKE-POLICY-S2SVPN-01
IKE GATEWAY Name: IKE-GW-S2SVPN-01
Pre-shared key: juniper
set security ike proposal standard authentication-method pre-shared-keys
set security ike policy IKE-POLICY-S2SVPN-01 mode aggressive
set security ike policy IKE-POLICY-S2SVPN-01 proposals standard
set security ike policy IKE-POLICY-S2SVPN-01 pre-shared-key ascii-text juniper
set security ike gateway IKE-GW-S2SVPN-01 ike-policy IKE-POLICY-S2SVPN-01
set security ike gateway IKE-GW-S2SVPN-01 address 10.1.1.1
set security ike gateway IKE-GW-S2SVPN-01 external-interface ge-0/0/0
3-4 IPsec configuration
set security ipsec proposal standard
set security ipsec policy IPSEC-POLICY-S2SVPN-01 proposals standard
set security ipsec vpn SRX02-TO-SRX01 bind-interface st0.0
set security ipsec vpn SRX02-TO-SRX01 ike gateway IKE-GW-S2SVPN-01
set security ipsec vpn SRX02-TO-SRX01 ike ipsec-policy IPSEC-POLICY-S2SVPN-01
set security ipsec vpn SRX02-TO-SRX01 establish-tunnels immediately
3-5 Firewall policy configuration for the S2S VPN
set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn interfaces st0.0
set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit
set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any
set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit
4. Test
PING from PC01 to PC02: 192.168.2.10
PING from PC02 to PC01: 192.168.1.10
PC01
84 bytes from 192.168.2.10 icmp_seq=105 ttl=62 time=12.610 ms
84 bytes from 192.168.2.10 icmp_seq=106 ttl=62 time=33.502 ms
84 bytes from 192.168.2.10 icmp_seq=107 ttl=62 time=3.875 ms
84 bytes from 192.168.2.10 icmp_seq=108 ttl=62 time=5.376 ms
84 bytes from 192.168.2.10 icmp_seq=109 ttl=62 time=3.175 ms
84 bytes from 192.168.2.10 icmp_seq=110 ttl=62 time=2.963 ms
84 bytes from 192.168.2.10 icmp_seq=111 ttl=62 time=3.547 ms
84 bytes from 192.168.2.10 icmp_seq=112 ttl=62 time=3.976 ms
84 bytes from 192.168.2.10 icmp_seq=113 ttl=62 time=3.358 ms
84 bytes from 192.168.2.10 icmp_seq=114 ttl=62 time=9.753 ms
84 bytes from 192.168.2.10 icmp_seq=115 ttl=62 time=3.128 ms
84 bytes from 192.168.2.10 icmp_seq=116 ttl=62 time=4.142 ms
84 bytes from 192.168.2.10 icmp_seq=117 ttl=62 time=3.175 ms
84 bytes from 192.168.2.10 icmp_seq=118 ttl=62 time=4.214 ms
84 bytes from 192.168.2.10 icmp_seq=119 ttl=62 time=3.807 ms
84 bytes from 192.168.2.10 icmp_seq=120 ttl=62 time=4.220 ms
84 bytes from 192.168.2.10 icmp_seq=121 ttl=62 time=7.300 ms
84 bytes from 192.168.2.10 icmp_seq=122 ttl=62 time=3.735 ms
84 bytes from 192.168.2.10 icmp_seq=123 ttl=62 time=5.798 ms
84 bytes from 192.168.2.10 icmp_seq=124 ttl=62 time=3.588 ms
84 bytes from 192.168.2.10 icmp_seq=125 ttl=62 time=3.750 ms
84 bytes from 192.168.2.10 icmp_seq=126 ttl=62 time=3.633 ms
84 bytes from 192.168.2.10 icmp_seq=127 ttl=62 time=2.710 ms
84 bytes from 192.168.2.10 icmp_seq=128 ttl=62 time=4.018 ms
84 bytes from 192.168.2.10 icmp_seq=129 ttl=62 time=3.169 ms
84 bytes from 192.168.2.10 icmp_seq=130 ttl=62 time=3.093 ms
84 bytes from 192.168.2.10 icmp_seq=131 ttl=62 time=3.001 ms
84 bytes from 192.168.2.10 icmp_seq=132 ttl=62 time=4.013 ms
84 bytes from 192.168.2.10 icmp_seq=133 ttl=62 time=3.296 ms
84 bytes from 192.168.2.10 icmp_seq=134 ttl=62 time=2.731 ms
84 bytes from 192.168.2.10 icmp_seq=135 ttl=62 time=3.164 ms
84 bytes from 192.168.2.10 icmp_seq=136 ttl=62 time=3.521 ms
84 bytes from 192.168.2.10 icmp_seq=137 ttl=62 time=3.264 ms
84 bytes from 192.168.2.10 icmp_seq=138 ttl=62 time=3.372 ms
PC02
84 bytes from 192.168.1.10 icmp_seq=96 ttl=62 time=11.549 ms
84 bytes from 192.168.1.10 icmp_seq=97 ttl=62 time=3.299 ms
84 bytes from 192.168.1.10 icmp_seq=98 ttl=62 time=4.139 ms
84 bytes from 192.168.1.10 icmp_seq=99 ttl=62 time=6.704 ms
84 bytes from 192.168.1.10 icmp_seq=100 ttl=62 time=7.948 ms
84 bytes from 192.168.1.10 icmp_seq=101 ttl=62 time=7.042 ms
84 bytes from 192.168.1.10 icmp_seq=102 ttl=62 time=8.883 ms
84 bytes from 192.168.1.10 icmp_seq=103 ttl=62 time=5.830 ms
84 bytes from 192.168.1.10 icmp_seq=104 ttl=62 time=3.864 ms
84 bytes from 192.168.1.10 icmp_seq=105 ttl=62 time=7.203 ms
84 bytes from 192.168.1.10 icmp_seq=106 ttl=62 time=5.233 ms
84 bytes from 192.168.1.10 icmp_seq=107 ttl=62 time=3.276 ms
84 bytes from 192.168.1.10 icmp_seq=108 ttl=62 time=3.849 ms
84 bytes from 192.168.1.10 icmp_seq=109 ttl=62 time=4.194 ms
84 bytes from 192.168.1.10 icmp_seq=110 ttl=62 time=3.221 ms
84 bytes from 192.168.1.10 icmp_seq=111 ttl=62 time=3.447 ms
84 bytes from 192.168.1.10 icmp_seq=112 ttl=62 time=4.475 ms
84 bytes from 192.168.1.10 icmp_seq=113 ttl=62 time=4.493 ms
84 bytes from 192.168.1.10 icmp_seq=114 ttl=62 time=3.987 ms
84 bytes from 192.168.1.10 icmp_seq=115 ttl=62 time=3.965 ms
84 bytes from 192.168.1.10 icmp_seq=116 ttl=62 time=3.814 ms
84 bytes from 192.168.1.10 icmp_seq=117 ttl=62 time=3.276 ms
84 bytes from 192.168.1.10 icmp_seq=118 ttl=62 time=3.454 ms
84 bytes from 192.168.1.10 icmp_seq=119 ttl=62 time=4.694 ms
84 bytes from 192.168.1.10 icmp_seq=120 ttl=62 time=4.093 ms
84 bytes from 192.168.1.10 icmp_seq=121 ttl=62 time=3.481 ms
84 bytes from 192.168.1.10 icmp_seq=122 ttl=62 time=5.376 ms
84 bytes from 192.168.1.10 icmp_seq=123 ttl=62 time=3.494 ms
84 bytes from 192.168.1.10 icmp_seq=124 ttl=62 time=4.032 ms
84 bytes from 192.168.1.10 icmp_seq=125 ttl=62 time=3.6
4. S2S VPN status check
SRX01
Once IKE Phase 1 shows UP, check IPsec.
root@SRX01> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
5482273 UP     65c909f14f4d8824  7d74504d227553ca  Aggressive     20.1.1.1
IPsec Phase 2: check that the tunnel has been created as shown below.
root@SRX01> show security ipsec security-associations
  Total active tunnels: 1     Total Ipsec sas: 1
  ID      Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:3des/sha1   fc12e938 3062/ unlim  -   root 500   20.1.1.1
  >131073 ESP:3des/sha1   49d44ef0 3062/ unlim  -   root 500   20.1.1.1
Run a continuous PING from PC01 to PC02 and check that the packet counters actually increase.
root@SRX02> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
6514201 UP     65c909f14f4d8824  7d74504d227553ca  Aggressive     10.1.1.1
root@SRX02>
The IPsec Phase 2 tunnel has been created.
root@SRX02> show security ipsec security-associations
  Total active tunnels: 1     Total Ipsec sas: 1
  ID      Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:3des/sha1   49d44ef0 2678/ unlim  -   root 500   10.1.1.1
  >131073 ESP:3des/sha1   fc12e938 2678/ unlim  -   root 500   10.1.1.1
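The IKE, zone and policy statements from sections 2 and 3, and the SA summary lines from the status check above, can be reviewed offline before the lab design is reused anywhere that matters. The following Python script is an added example (not code from the original post): it tokenises `display set` output, flags aggressive-mode IKEv1 with a pre-shared key, zones that accept every host-inbound service, and `application any` policies, and reads the algorithm pair out of an IPsec SA line. The sample input is constructed from the SRX01 configuration on this page.

```python
"""Offline audit of Junos 'display set' VPN config and IPsec SA output.

Added example, not code from the original post. It reads the kind of
'show configuration | display set' and 'show security ipsec
security-associations' output shown on this page.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt, taken from the SRX01 configuration in this post.
SAMPLE_CONFIG = """
set security ike proposal standard authentication-method pre-shared-keys
set security ike policy IKE-POLICY-S2SVPN-01 mode aggressive
set security ike policy IKE-POLICY-S2SVPN-01 proposals standard
set security ike policy IKE-POLICY-S2SVPN-01 pre-shared-key ascii-text juniper
set security ike gateway IKE-GW-S2SVPN-01 ike-policy IKE-POLICY-S2SVPN-01
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone vpn host-inbound-traffic system-services all
set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any
"""

# Constructed SA summary line in the format of the post's
# 'show security ipsec security-associations' output.
SAMPLE_SA = "<131073 ESP:3des/sha1 fc12e938 3062/ unlim - root 500 20.1.1.1"

Finding = Tuple[str, str]  # (severity, message)
# Algorithms that current guidance treats as legacy for IPsec.
LEGACY_ALGOS = {"des", "3des", "md5", "sha1"}


def parse_set_lines(text: str) -> List[List[str]]:
    """Tokenise each 'set ...' statement; a quoted value stays one token."""
    stmts = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("set "):
            stmts.append(re.findall(r'"[^"]*"|\S+', line)[1:])
    return stmts


def audit_ike(stmts: List[List[str]]) -> List[Finding]:
    """Flag IKEv1 aggressive mode combined with a pre-shared key."""
    # In aggressive mode the PSK-based authentication hash is exchanged
    # before the channel is encrypted, so a captured exchange can be
    # guessed offline; main mode or IKEv2 avoids that exposure.
    findings: List[Finding] = []
    policy_mode: Dict[str, str] = {}
    psk_policies = set()
    for t in stmts:
        if t[:3] == ["security", "ike", "policy"] and len(t) >= 6:
            if t[4] == "mode":
                policy_mode[t[3]] = t[5]
            elif t[4] == "pre-shared-key":
                psk_policies.add(t[3])
    for name, mode in policy_mode.items():
        if mode == "aggressive" and name in psk_policies:
            findings.append(("high", f"IKE policy {name}: aggressive mode with PSK; prefer main mode or IKEv2"))
    return findings


def audit_zones(stmts: List[List[str]]) -> List[Finding]:
    """Flag zones accepting every host-inbound service; worst on the WAN-facing zone."""
    findings: List[Finding] = []
    for t in stmts:
        if (len(t) >= 7 and t[:3] == ["security", "zones", "security-zone"]
                and t[4:7] == ["host-inbound-traffic", "system-services", "all"]):
            severity = "high" if t[3] == "untrust" else "medium"
            findings.append((severity, f"zone {t[3]}: host-inbound system-services all"))
    return findings


def audit_policies(stmts: List[List[str]]) -> List[Finding]:
    """Flag security policies matching 'application any'."""
    findings: List[Finding] = []
    for t in stmts:
        if t[:2] == ["security", "policies"] and t[-3:] == ["match", "application", "any"]:
            findings.append(("low", f"policy {t[7]} ({t[3]} -> {t[5]}): application any"))
    return findings


def audit(text: str) -> List[Finding]:
    """Run all checks over a 'display set' dump; order is IKE, zones, policies."""
    stmts = parse_set_lines(text)
    return audit_ike(stmts) + audit_zones(stmts) + audit_policies(stmts)


def parse_ipsec_sa(line: str) -> Optional[Tuple[str, str, str, bool]]:
    """Return (direction, encryption, auth, is_legacy) from one SA summary line."""
    m = re.match(r"([<>])\d+\s+ESP:([\w-]+)/([\w-]+)", line.strip())
    if not m:
        return None
    direction, enc, auth = m.groups()
    return (direction, enc, auth, enc in LEGACY_ALGOS or auth in LEGACY_ALGOS)


if __name__ == "__main__":
    for severity, msg in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {msg}")
    print("SA:", parse_ipsec_sa(SAMPLE_SA))
```

Running it against the SRX01 or SRX02 `display set` dump from this post reports the aggressive-mode PSK policy, the `system-services all` zones and the `application any` policies, and marks the `3des/sha1` SA as legacy.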
root@SRX01> show configuration | display set | no-more
set version 21.3R1.9
set system host-name SRX01
set security ike proposal standard authentication-method pre-shared-keys
set security ike policy IKE-POLICY-S2SVPN-01 mode aggressive
set security ike policy IKE-POLICY-S2SVPN-01 proposals standard
set security ike policy IKE-POLICY-S2SVPN-01 pre-shared-key ascii-text "$9$a-GjqTz6uORmfORhSMWJGD"
set security ike gateway IKE-GW-S2SVPN-01 ike-policy IKE-POLICY-S2SVPN-01
set security ike gateway IKE-GW-S2SVPN-01 address 20.1.1.1
set security ike gateway IKE-GW-S2SVPN-01 external-interface ge-0/0/0
set security ipsec proposal standard
set security ipsec policy IPSEC-POLICY-S2SVPN-01 proposals standard
set security ipsec vpn SRX01-TO-SRX02 bind-interface st0.0
set security ipsec vpn SRX01-TO-SRX02 ike gateway IKE-GW-S2SVPN-01
set security ipsec vpn SRX01-TO-SRX02 ike ipsec-policy IPSEC-POLICY-S2SVPN-01
set security ipsec vpn SRX01-TO-SRX02 establish-tunnels immediately
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 192.168.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit
set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any
set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn interfaces st0.0
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set interfaces st0 unit 0 family inet
set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254
set routing-options static route 192.168.2.0/24 next-hop st0.0
root@SRX01>
SRX02
root@SRX02> show configuration | display set | no-more
set version 21.3R1.9
set system host-name SRX02
set security ike proposal standard authentication-method pre-shared-keys
set security ike policy IKE-POLICY-S2SVPN-01 mode aggressive
set security ike policy IKE-POLICY-S2SVPN-01 proposals standard
set security ike policy IKE-POLICY-S2SVPN-01 pre-shared-key ascii-text "$9$SY2lvLdb2GDkxNDk.P3nylK"
set security ike gateway IKE-GW-S2SVPN-01 ike-policy IKE-POLICY-S2SVPN-01
set security ike gateway IKE-GW-S2SVPN-01 address 10.1.1.1
set security ike gateway IKE-GW-S2SVPN-01 external-interface ge-0/0/0
set security ipsec proposal standard
set security ipsec policy IPSEC-POLICY-S2SVPN-01 proposals standard
set security ipsec vpn SRX02-TO-SRX01 bind-interface st0.0
set security ipsec vpn SRX02-TO-SRX01 ike gateway IKE-GW-S2SVPN-01
set security ipsec vpn SRX02-TO-SRX01 ike ipsec-policy IPSEC-POLICY-S2SVPN-01
set security ipsec vpn SRX02-TO-SRX01 establish-tunnels immediately
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 192.168.2.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit
set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any
set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn interfaces st0.0
set interfaces ge-0/0/0 unit 0 family inet address 20.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
set interfaces st0 unit 0 family inet
set routing-options static route 0.0.0.0/0 next-hop 20.1.1.254
set routing-options static route 192.168.1.0/24 next-hop st0.0
root@SRX02>
Router
hostname INT_R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
interface GigabitEthernet0/0
 ip address 10.1.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip address 20.1.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 ip address 192.168.10.99 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 192.168.10.253
!
ipv6 ioam timestamp
!
access-list 1 permit any
!
Thank you for reading [2025][Juniper SRX #23] site to site vpn - S2S VPN.
With the lab preparation complete, we will now test Juniper SRX site-to-site VPN.
1. Router configuration
Router#
Router#conf t
Router(config)#ho INT_R1
INT_R1(config)#int g0/2
INT_R1(config-if)#ip add 192.168.10.99 255.255.255.0
INT_R1(config-if)#no sh
INT_R1(config-if)#int g0/0
INT_R1(config-if)#ip add 10.1.1.254 255.255.255.0
INT_R1(config-if)#no sh
INT_R1(config-if)#int g0/1
INT_R1(config-if)#ip add 20.1.1.254 255.255.255.0
INT_R1(config-if)#no sh
INT_R1(config-if)#end
INT_R1#conf t
INT_R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.10.253
1-1 NAT configuration
INT_R1#conf t
INT_R1(config)#access-list 1 permit any
INT_R1(config)#int g0/2
INT_R1(config-if)#ip nat out
INT_R1(config-if)#int g0/0
INT_R1(config-if)#ip nat inside
INT_R1(config-if)#int g0/1
INT_R1(config-if)#ip nat inside
INT_R1(config-if)#end
INT_R1(config)#ip nat inside source list 1 interface g0/2 overload
INT_R1(config)#
1-2 Ping test
INT_R1#show ip int brie
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         10.1.1.254      YES manual up                    up
GigabitEthernet0/1         20.1.1.254      YES manual up                    up
GigabitEthernet0/2         192.168.10.99   YES manual up                    up
GigabitEthernet0/3         unassigned      YES unset  administratively down down
NVI0                       10.1.1.254      YES unset  up                    up
INT_R1#
INT_R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 192.168.10.253 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.10.253
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.1.1.0/24 is directly connected, GigabitEthernet0/0
L        10.1.1.254/32 is directly connected, GigabitEthernet0/0
      20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.1.1.0/24 is directly connected, GigabitEthernet0/1
L        20.1.1.254/32 is directly connected, GigabitEthernet0/1
      192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.10.0/24 is directly connected, GigabitEthernet0/2
L        192.168.10.99/32 is directly connected, GigabitEthernet0/2
INT_R1#
INT_R1#
INT_R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/10 ms
INT_R1#ping 8.8.8.8 sou
INT_R1#ping 8.8.8.8 source g0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/4 ms
INT_R1#ping 8.8.8.8 source g0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 20.1.1.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/8 ms
INT_R1#
set system host-name SRX01
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254
2-3 Firewall policy configuration
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
2-4 NAT configuration
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 192.168.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface
2-5 Verification
root@SRX01> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     10.1.1.1/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     192.168.1.1/24
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
root@SRX01> show route

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:02:39
                    >  to 10.1.1.254 via ge-0/0/0.0
10.1.1.0/24        *[Direct/0] 00:02:40
                    >  via ge-0/0/0.0
10.1.1.1/32        *[Local/0] 00:02:40
                       Local via ge-0/0/0.0
192.168.1.0/24     *[Direct/0] 00:02:39
                    >  via ge-0/0/1.0
192.168.1.1/32     *[Local/0] 00:02:39
                       Local via ge-0/0/1.0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:07:11
                       MultiRecv
root@SRX01> show security zones

Security zone: trust
  Zone ID: 7
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/1.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: untrust
  Zone ID: 8
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: junos-host
  Zone ID: 2
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No
root@SRX01> show security nat source summary
Total pools: 0

Total rules: 1
Rule name          Rule set       From              To                   Action
PAT-INTERFACE      SOURCE-NAT     trust             untrust              interface

root@SRX01> show security nat source rule all
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0

source NAT rule: PAT-INTERFACE        Rule-set: SOURCE-NAT
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : trust
  To zone                    : untrust
  Match
    Source addresses         : 192.168.1.0     - 192.168.1.255
    Destination addresses    : 0.0.0.0         - 255.255.255.255
  Action                     : interface
    Persistent NAT type      : N/A
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout       : 0
    Max session number       : 0
  Translation hits           : 10
    Successful sessions      : 10
  Number of sessions         : 0
root@SRX01>
3. PC01 configuration
VPCS>
VPCS> ip 192.168.1.10/24 192.168.1.1
Checking for duplicate address...
VPCS : 192.168.1.10 255.255.255.0 gateway 192.168.1.1

VPCS> save
Saving startup configuration to startup.vpc
.  done

VPCS>
3-1 Ping test
VPCS>
VPCS> ping 192.168.1.1

84 bytes from 192.168.1.1 icmp_seq=1 ttl=64 time=471.943 ms
84 bytes from 192.168.1.1 icmp_seq=2 ttl=64 time=0.827 ms
84 bytes from 192.168.1.1 icmp_seq=3 ttl=64 time=0.941 ms
84 bytes from 192.168.1.1 icmp_seq=4 ttl=64 time=0.788 ms
84 bytes from 192.168.1.1 icmp_seq=5 ttl=64 time=0.803 ms
^C
VPCS> ping 8.8.8.8

84 bytes from 8.8.8.8 icmp_seq=1 ttl=115 time=29.083 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=115 time=5.006 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=115 time=5.656 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=115 time=5.298 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=115 time=5.411 ms
^C
VPCS>
4. SRX02 configuration
Ge-0/0/0 20.1.1.1/24
Ge-0/0/1 192.168.2.1/24
4-1 Delete the default configuration
root> configure
Entering configuration mode

[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit
commit complete

[edit]
root#
4-2 Basic configuration
set system host-name SRX02
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set interfaces ge-0/0/0 unit 0 family inet address 20.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
set routing-options static route 0.0.0.0/0 next-hop 20.1.1.254
4-3 Firewall policy configuration
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
4-4 NAT configuration
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 192.168.2.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface
4-5 Verification
root@SRX02> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     20.1.1.1/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     192.168.2.1/24
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
root@SRX02> show route

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:01:44
                    >  to 20.1.1.254 via ge-0/0/0.0
20.1.1.0/24        *[Direct/0] 00:01:45
                    >  via ge-0/0/0.0
20.1.1.1/32        *[Local/0] 00:01:45
                       Local via ge-0/0/0.0
192.168.2.0/24     *[Direct/0] 00:01:44
                    >  via ge-0/0/1.0
192.168.2.1/32     *[Local/0] 00:01:44
                       Local via ge-0/0/1.0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:18:00
                       MultiRecv
root@SRX02>
root@SRX02> show security zones

Security zone: trust
  Zone ID: 7
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/1.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: untrust
  Zone ID: 8
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: junos-host
  Zone ID: 2
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No
root@SRX02>
root@SRX02> show security zones terse
Zone                  Type
trust                 Security
untrust               Security
junos-host            Security
root@SRX02>
root@SRX02> ping 10.1.1.254
PING 10.1.1.254 (10.1.1.254): 56 data bytes
64 bytes from 10.1.1.254: icmp_seq=0 ttl=255 time=285.562 ms
64 bytes from 10.1.1.254: icmp_seq=1 ttl=255 time=4.858 ms
64 bytes from 10.1.1.254: icmp_seq=2 ttl=255 time=4.057 ms
64 bytes from 10.1.1.254: icmp_seq=3 ttl=255 time=3.332 ms
64 bytes from 10.1.1.254: icmp_seq=4 ttl=255 time=3.799 ms
^C
--- 10.1.1.254 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.332/60.322/285.562/112.621 ms

root@SRX02> ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=116 time=5.710 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=3.859 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=116 time=4.569 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=116 time=4.114 ms
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.859/4.563/5.710/0.709 ms
4-6 PC2 configuration
VPCS> 192.168.2.10/24 192.168.2.1
Bad command: "192.168.2.10/24 192.168.2.1". Use ? for help.

VPCS> ip 192.168.2.10/24 192.168.2.1
Checking for duplicate address...
VPCS : 192.168.2.10 255.255.255.0 gateway 192.168.2.1

VPCS> save
Saving startup configuration to startup.vpc
.  done

VPCS> ping 192.168.2.1

192.168.2.1 icmp_seq=1 timeout
84 bytes from 192.168.2.1 icmp_seq=2 ttl=64 time=0.764 ms
84 bytes from 192.168.2.1 icmp_seq=3 ttl=64 time=0.610 ms
84 bytes from 192.168.2.1 icmp_seq=4 ttl=64 time=0.833 ms
84 bytes from 192.168.2.1 icmp_seq=5 ttl=64 time=0.984 ms

VPCS> ping 8.8.8.8

84 bytes from 8.8.8.8 icmp_seq=1 ttl=115 time=33.537 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=115 time=6.485 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=115 time=5.357 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=115 time=6.767 ms
^C
VPCS>
5. SRX01 -> SRX02 communication via the WAN port
SRX02 -> SRX01 communication via the WAN port
root@SRX01> ping 20.1.1.1
PING 20.1.1.1 (20.1.1.1): 56 data bytes
64 bytes from 20.1.1.1: icmp_seq=0 ttl=63 time=5.115 ms
64 bytes from 20.1.1.1: icmp_seq=1 ttl=63 time=3.391 ms
64 bytes from 20.1.1.1: icmp_seq=2 ttl=63 time=3.597 ms
64 bytes from 20.1.1.1: icmp_seq=3 ttl=63 time=5.333 ms
^C
--- 20.1.1.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.391/4.359/5.333/0.871 ms
root@SRX01>
root@SRX02> ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1): 56 data bytes
64 bytes from 10.1.1.1: icmp_seq=0 ttl=63 time=6.687 ms
64 bytes from 10.1.1.1: icmp_seq=1 ttl=63 time=7.102 ms
64 bytes from 10.1.1.1: icmp_seq=2 ttl=63 time=4.646 ms
64 bytes from 10.1.1.1: icmp_seq=3 ttl=63 time=2.458 ms
64 bytes from 10.1.1.1: icmp_seq=4 ttl=63 time=5.987 ms
^C
--- 10.1.1.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.458/5.376/7.102/1.680 ms
root@SRX02>
Full configuration
SRX01
root@SRX01> show configuration | display set | no-more
set version 21.3R1.9
set system host-name SRX01
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 192.168.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24
set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254
SRX02
root@SRX02> show configuration | display set | no-more
set version 21.3R1.9
set system host-name SRX02
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 192.168.2.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set interfaces ge-0/0/0 unit 0 family inet address 20.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
set routing-options static route 0.0.0.0/0 next-hop 20.1.1.254
root@SRX02>
Router configuration
hostname INT_R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
interface GigabitEthernet0/0
 ip address 10.1.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip address 20.1.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 ip address 192.168.10.99 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 192.168.10.253
!
ipv6 ioam timestamp
!
access-list 1 permit any
Thank you for reading [2025][Juniper SRX #22] site to site vpn - S2S VPN - basic configuration.
We will monitor Google's 8.8.8.8 through the Main Internet and practice having the default gateway switch automatically to the backup Internet when the Main Internet goes down.
The topology is as follows.
SRX
Ge-0/0/0 10.1.1.1 is the main Internet.
Ge-0/0/1 20.1.1.1 will be treated as the backup Internet.
The Internet router is configured to NAT the traffic coming up from the SRX so that it can reach 8.8.8.8.
Let's do the basic configuration first.
This is the INTERNET ROUTER configuration.
Router(config)#no ip domain-lookup
Router(config)#hostname INT_ROUTER
INT_ROUTER(config)#line con 0
INT_ROUTER(config-line)#exec-time
INT_ROUTER(config-line)#logg sy
INT_ROUTER(config-line)#end

INT_ROUTER#conf t
INT_ROUTER(config)#int g0/0
INT_ROUTER(config-if)#ip add 192.168.10.101 255.255.255.0
INT_ROUTER(config-if)#no sh
INT_ROUTER(config-if)#end
INT_ROUTER(config)#int g0/1
INT_ROUTER(config-if)#ip add 10.1.1.254 255.255.255.0
INT_ROUTER(config-if)#no sh
INT_ROUTER(config-if)#int g0/2
INT_ROUTER(config-if)#ip add 20.1.1.254 255.255.255.0
INT_ROUTER(config-if)#no sh
INT_ROUTER(config-if)#end

INT_ROUTER#
INT_ROUTER#show ip int brie
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         192.168.10.101  YES manual up                    up
GigabitEthernet0/1         10.1.1.254      YES manual up                    up
GigabitEthernet0/2         20.1.1.254      YES manual up                    up
GigabitEthernet0/3         unassigned      YES unset  administratively down down
INT_ROUTER#

INT_ROUTER#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/6 ms
Configure PAT.
INT_ROUTER#conf t
INT_ROUTER(config)#int g0/0
INT_ROUTER(config-if)#ip nat outside
INT_ROUTER(config)#access-list 1 permit any
INT_ROUTER(config)#ip nat inside source list 1 interface gigabitEthernet 0/0 overload

INT_ROUTER#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/7 ms

INT_ROUTER#ping 8.8.8.8 source g0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/5 ms

INT_ROUTER#ping 8.8.8.8 source g0/2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 20.1.1.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/5/8 ms
INT_ROUTER#

[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit
Interface configuration
root> show configuration | display set | no-more
set version 21.3R1.9
set system root-authentication encrypted-password "$6$6IWgKM8j$c5/l5czscFh31rD/X/mx8ug3IUwUdyYtb8/KYEjYA7J6YxayiDelNUx9cmSFxzjWpf/0LLxBAADLf.WGE2.XV1"
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 20.1.1.1/24
set interfaces ge-0/0/2 unit 0 family inet address 30.1.1.1/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     10.1.1.1/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     20.1.1.1/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     30.1.1.1/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
root> show security zones
Security zone: trust
  Zone ID: 7
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 2
  Interfaces:
    ge-0/0/1.0
    ge-0/0/2.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: untrust
  Zone ID: 8
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: junos-host
  Zone ID: 2
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No
root>
root> ping 10.1.1.254
PING 10.1.1.254 (10.1.1.254): 56 data bytes
64 bytes from 10.1.1.254: icmp_seq=0 ttl=255 time=3.320 ms
64 bytes from 10.1.1.254: icmp_seq=1 ttl=255 time=3.150 ms
64 bytes from 10.1.1.254: icmp_seq=2 ttl=255 time=2.836 ms
64 bytes from 10.1.1.254: icmp_seq=3 ttl=255 time=2.550 ms
64 bytes from 10.1.1.254: icmp_seq=4 ttl=255 time=2.607 ms
^C
--- 10.1.1.254 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.550/2.893/3.320/0.300 ms

root> ping 20.1.1.254
PING 20.1.1.254 (20.1.1.254): 56 data bytes
64 bytes from 20.1.1.254: icmp_seq=0 ttl=255 time=2.894 ms
64 bytes from 20.1.1.254: icmp_seq=1 ttl=255 time=2.782 ms
64 bytes from 20.1.1.254: icmp_seq=2 ttl=255 time=2.699 ms
64 bytes from 20.1.1.254: icmp_seq=3 ttl=255 time=3.372 ms
64 bytes from 20.1.1.254: icmp_seq=4 ttl=255 time=2.571 ms
^C
--- 20.1.1.254 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.571/2.864/3.372/0.275 ms
root>
NAT configuration
Source NAT is applied to traffic whose source IP is in 30.1.1.0/24.
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 30.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface
Firewall rule configuration
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
VPC IP configuration and 8.8.8.8 test
VPCS> ip 30.1.1.254/24 30.1.1.1
Checking for duplicate address...
VPCS : 30.1.1.254 255.255.255.0 gateway 30.1.1.1

VPCS> save
Saving startup configuration to startup.vpc
.  done

VPCS> ping 8.8.8.8
84 bytes from 8.8.8.8 icmp_seq=1 ttl=115 time=17.295 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=115 time=4.437 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=115 time=5.881 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=115 time=5.225 ms
^C
VPCS>

VPCS> trace 8.8.8.8
trace to 8.8.8.8, 8 hops max, press Ctrl+C to stop
 1   30.1.1.1         9.255 ms   0.759 ms   0.866 ms
 2   10.1.1.254       8.273 ms  16.840 ms   4.871 ms
 3   192.168.10.253  15.513 ms   4.014 ms   4.634 ms
 4   202.14.11.193    3.964 ms   4.513 ms   3.862 ms
 5   202.14.12.33     4.422 ms   3.900 ms   6.111 ms
 6   203.117.190.81   7.847 ms   7.067 ms   9.060 ms
^C
 7   *
VPCS>
As shown above, communication to 8.8.8.8 goes through the main Internet.
10.1.1.254 Main Internet
20.1.1.254 Backup Internet
On the SRX, configure the IP MONITOR feature so that 8.8.8.8 is monitored through the Main Internet.
When 8.8.8.8 becomes reachable again through the Main Internet, the Main Internet gateway 10.1.1.254 is selected as the default gateway again.
These are the SRX configuration values.
set services rpm probe probe-test test test probe-type icmp-ping
set services rpm probe probe-test test test target address 8.8.8.8
set services rpm probe probe-test test test probe-count 5
set services rpm probe probe-test test test probe-interval 5
set services rpm probe probe-test test test test-interval 5
set services rpm probe probe-test test test thresholds successive-loss 10
set services rpm probe probe-test test test next-hop 10.1.1.254
set services ip-monitoring policy probe-policy match rpm-probe probe-test
set services ip-monitoring policy probe-policy then preferred-route route 0.0.0.0/0 next-hop 20.1.1.254
Check the routing.
10.1.1.254 is in use.
root> show route
inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:37:58
                    >  to 10.1.1.254 via ge-0/0/0.0
10.1.1.0/24        *[Direct/0] 00:37:58
                    >  via ge-0/0/0.0
10.1.1.1/32        *[Local/0] 00:37:58
                       Local via ge-0/0/0.0
20.1.1.0/24        *[Direct/0] 00:37:58
                    >  via ge-0/0/1.0
20.1.1.1/32        *[Local/0] 00:37:58
                       Local via ge-0/0/1.0
30.1.1.0/24        *[Direct/0] 00:37:58
                    >  via ge-0/0/2.0
30.1.1.1/32        *[Local/0] 00:37:58
                       Local via ge-0/0/2.0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

Policy - probe-policy (Status: PASS)
  RPM Probes:
    Probe name             Test Name        Address          Status
    ---------------------- --------------- ---------------- ---------
    probe-test             test             8.8.8.8          PASS
  Route-Action (Adding backup routes when FAIL):
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    inet.0            0.0.0.0/0         20.1.1.254       NOT-APPLIED
root>
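As an added example (not the blog's code and not Junos code), the Python model below simulates how the RPM test and ip-monitoring policy configured above interact with the routing table: the test flips to FAIL after `successive-loss` (10) consecutive lost probes, the policy then installs 0.0.0.0/0 via 20.1.1.254 at preference 1, which beats the configured static default at preference 5, and the route is withdrawn again once the test passes. Probe timing (probe-interval, test-interval) and per-test aggregation are simplified to one result per probe; the preference values 5 and 1 are the ones visible in the show route output on this page.

```python
"""Model of SRX RPM probe + ip-monitoring failover (added example, simplified)."""
from dataclasses import dataclass

STATIC_PREF = 5       # Junos default preference for a configured static route
MONITOR_PREF = 1      # preference the ip-monitoring preferred-route is installed with
SUCCESSIVE_LOSS = 10  # 'thresholds successive-loss 10' from the RPM test above


@dataclass
class RpmTest:
    """One RPM test: PASS until 'successive_loss' probes in a row are lost."""
    target: str
    next_hop: str
    successive_loss: int = SUCCESSIVE_LOSS
    consecutive_failures: int = 0
    status: str = "PASS"

    def record(self, reachable: bool) -> str:
        # A single successful probe clears the loss counter and the FAIL state.
        if reachable:
            self.consecutive_failures = 0
            self.status = "PASS"
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.successive_loss:
                self.status = "FAIL"
        return self.status


@dataclass
class Route:
    prefix: str
    next_hop: str
    preference: int
    source: str  # "static" or "ip-monitoring"


@dataclass
class IpMonitoringPolicy:
    """Mirror of 'show services ip-monitoring status' Route-Action state."""
    probe: RpmTest
    preferred_prefix: str
    preferred_next_hop: str
    applied: bool = False

    def evaluate(self, rib: list) -> str:
        if self.probe.status == "FAIL" and not self.applied:
            # FAIL: add the backup route to inet.0 (state APPLIED)
            rib.append(Route(self.preferred_prefix, self.preferred_next_hop,
                             MONITOR_PREF, "ip-monitoring"))
            self.applied = True
        elif self.probe.status == "PASS" and self.applied:
            # PASS again: withdraw the injected route (state NOT-APPLIED)
            rib[:] = [r for r in rib if r.source != "ip-monitoring"]
            self.applied = False
        return "APPLIED" if self.applied else "NOT-APPLIED"


def default_candidates(rib: list, prefix: str = "0.0.0.0/0") -> list:
    return [r for r in rib if r.prefix == prefix]


def active_next_hop(rib: list, prefix: str = "0.0.0.0/0") -> str:
    """Junos picks the candidate with the lowest preference as the active (*) route."""
    return min(default_candidates(rib, prefix), key=lambda r: r.preference).next_hop


def simulate(probe_results: list) -> list:
    """Feed probe results through the policy; return per-probe
    (test status, route-action state, active default next-hop, number of 0.0.0.0/0 routes)."""
    rib = [Route("0.0.0.0/0", "10.1.1.254", STATIC_PREF, "static")]
    probe = RpmTest("8.8.8.8", "10.1.1.254")
    policy = IpMonitoringPolicy(probe, "0.0.0.0/0", "20.1.1.254")
    trace = []
    for ok in probe_results:
        status = probe.record(ok)
        state = policy.evaluate(rib)
        trace.append((status, state, active_next_hop(rib), len(default_candidates(rib))))
    return trace


if __name__ == "__main__":
    # Constructed scenario: main link healthy, then INT_ROUTER g0/1 shut (12 lost probes), then restored.
    results = [True] * 10 + [False] * 12 + [True] * 3
    for i, row in enumerate(simulate(results), 1):
        print(i, *row)
```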
This time, let's shut down G0/1 on INT_ROUTER.
INT_ROUTER#show ip int brie
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         192.168.10.101  YES manual up                    up
GigabitEthernet0/1         10.1.1.254      YES manual up                    up
GigabitEthernet0/2         20.1.1.254      YES manual up                    up
GigabitEthernet0/3         unassigned      YES unset  administratively down down
NVI0                       192.168.10.101  YES unset  up                    up
INT_ROUTER#
INT_ROUTER#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
INT_ROUTER(config)#int g0/1
INT_ROUTER(config-if)#sh
INT_ROUTER(config-if)#
Now let's check the status on the Juniper SRX. Reaching 8.8.8.8 through the main Internet fails, so it shows FAIL.
root> show services ip-monitoring status
Policy - probe-policy (Status: FAIL)
  RPM Probes:
    Probe name             Test Name        Address          Status
    ---------------------- --------------- ---------------- ---------
    probe-test             test             8.8.8.8          FAIL
  Route-Action (Adding backup routes when FAIL):
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    inet.0            0.0.0.0/0         20.1.1.254       APPLIED
root>
Let's check the routing table.
0.0.0.0/0 * 20.1.1.254 has been selected.
root> show route
inet.0: 7 destinations, 8 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/1] 00:00:40, metric2 0
                    >  to 20.1.1.254 via ge-0/0/1.0
                    [Static/5] 00:41:30
                    >  to 10.1.1.254 via ge-0/0/0.0
10.1.1.0/24        *[Direct/0] 00:41:30
                    >  via ge-0/0/0.0
10.1.1.1/32        *[Local/0] 00:41:30
                       Local via ge-0/0/0.0
20.1.1.0/24        *[Direct/0] 00:41:30
                    >  via ge-0/0/1.0
20.1.1.1/32        *[Local/0] 00:41:30
                       Local via ge-0/0/1.0
30.1.1.0/24        *[Direct/0] 00:41:30
                    >  via ge-0/0/2.0
30.1.1.1/32        *[Local/0] 00:41:30
                       Local via ge-0/0/2.0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 01:01:28
                       MultiRecv
root>
Ping check to 8.8.8.8 from the PC
VPCS> ping 8.8.8.8
84 bytes from 8.8.8.8 icmp_seq=1 ttl=115 time=14.530 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=115 time=6.496 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=115 time=4.036 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=115 time=4.639 ms
^C
VPCS> trace 8.8.8.8
trace to 8.8.8.8, 8 hops max, press Ctrl+C to stop
 1   30.1.1.1         6.549 ms   0.323 ms   0.288 ms
 2   20.1.1.254       4.672 ms   2.443 ms   2.587 ms
 3   192.168.10.253   5.439 ms   3.019 ms   3.723 ms
 4   202.14.11.193    2.668 ms   3.153 ms   2.520 ms
 5   202.14.12.33     3.274 ms   2.983 ms   3.199 ms
 6   203.117.190.81   3.344 ms   2.981 ms   3.447 ms
 7   * * *
 8   203.116.3.50     4.120 ms   3.835 ms   3.361 ms
VPCS>
Communication with 8.8.8.8 now goes through the Backup Internet 20.1.1.254.
This time, let's bring INT_ROUTER G0/1 back up (no shutdown) to restore the Main Internet.
INT_ROUTER#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
INT_ROUTER(config)#int g0/1
INT_ROUTER(config-if)#no sh
INT_ROUTER(config-if)#end
INT_ROUTER#
Let's check on the Juniper SRX.
Reaching 8.8.8.8 through the main Internet succeeds, so it shows PASS.
root> show services ip-monitoring status
Policy - probe-policy (Status: PASS)
  RPM Probes:
    Probe name             Test Name        Address          Status
    ---------------------- --------------- ---------------- ---------
    probe-test             test             8.8.8.8          PASS
  Route-Action (Adding backup routes when FAIL):
    route-instance    route             next-hop         state
    ----------------- ----------------- ---------------- -------------
    inet.0            0.0.0.0/0         20.1.1.254       NOT-APPLIED
Routing check
The main Internet has been selected for 0.0.0.0/0.
root> show route
inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:44:58
                    >  to 10.1.1.254 via ge-0/0/0.0
10.1.1.0/24        *[Direct/0] 00:44:58
                    >  via ge-0/0/0.0
10.1.1.1/32        *[Local/0] 00:44:58
                       Local via ge-0/0/0.0
20.1.1.0/24        *[Direct/0] 00:44:58
                    >  via ge-0/0/1.0
20.1.1.1/32        *[Local/0] 00:44:58
                       Local via ge-0/0/1.0
30.1.1.0/24        *[Direct/0] 00:44:58
                    >  via ge-0/0/2.0
30.1.1.1/32        *[Local/0] 00:44:58
                       Local via ge-0/0/2.0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 01:04:56
                       MultiRecv
root>
Ping check from the PC
VPCS> ping 8.8.8.8
84 bytes from 8.8.8.8 icmp_seq=1 ttl=115 time=5.238 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=115 time=4.189 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=115 time=4.335 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=115 time=4.901 ms
^C
VPCS> trace 8.8.8.8
trace to 8.8.8.8, 8 hops max, press Ctrl+C to stop
 1   30.1.1.1         0.720 ms   0.342 ms   0.297 ms
 2   10.1.1.254       4.886 ms   2.755 ms   1.927 ms
 3   192.168.10.253   4.773 ms   2.598 ms   2.446 ms
 4   202.14.11.193    2.810 ms   2.187 ms   2.950 ms
 5   202.14.12.33     3.585 ms   3.912 ms   2.398 ms
 6   203.117.190.81   3.007 ms   3.628 ms   3.860 ms
 7   * * *
 8   203.118.60.86    3.371 ms   3.265 ms   3.244 ms
VPCS>
Thank you for reading [2025][Juniper SRX #21] ip monitor - ip sla.
On the Juniper SRX, J-Web is enabled by default.
Connect the console cable, and connect the PC to any port from Ge0/1 to Ge0/5.
Default login -
id: root
password: none
The device already contains the default configuration shown below.
root> show configuration | display set | no-more
set version 21.4R3-S3.4
set system services ssh
set system services netconf ssh
set system services dhcp-local-server group jdhcp-group interface irb.0
set system services web-management https system-generated-certificate
set system name-server 8.8.8.8
set system name-server 8.8.4.4
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file interactive-commands interactive-commands any
set system syslog file messages any notice
set system syslog file messages authorization info
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system phone-home server https://redirect.juniper.net
set system phone-home rfc-compliant
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies pre-id-default-policy then log session-close
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces irb.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/7.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/7.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces dl0.0 host-inbound-traffic system-services tftp
set interfaces ge-0/0/0 unit 0 family inet dhcp vendor-id Juniper-srx320
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/7 unit 0 family inet dhcp vendor-id Juniper-srx320
set interfaces cl-1/0/0 dialer-options pool 1 priority 100
set interfaces dl0 unit 0 family inet negotiate-address
set interfaces dl0 unit 0 family inet6 negotiate-address
set interfaces dl0 unit 0 dialer-options pool 1
set interfaces dl0 unit 0 dialer-options dial-string 1234
set interfaces dl0 unit 0 dialer-options always-on
set interfaces irb unit 0 family inet address 192.168.1.1/24
set access address-assignment pool junosDHCPPool family inet network 192.168.1.0/24
set access address-assignment pool junosDHCPPool family inet range junosRange low 192.168.1.2
set access address-assignment pool junosDHCPPool family inet range junosRange high 192.168.1.254
set access address-assignment pool junosDHCPPool family inet dhcp-attributes router 192.168.1.1
set access address-assignment pool junosDHCPPool family inet dhcp-attributes propagate-settings ge-0/0/0.0
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface irb.0
set protocols l2-learning global-mode switching
set protocols rstp interface all
root>
Check the irb interface. irb.0 with 192.168.1.1 is UP.
root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    down
ge-0/0/0.0              up    down inet
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet     10.0.0.1            --> 10.0.0.16
                                            10.0.0.6            --> 0/0
                                            128.0.0.1           --> 128.0.1.16
                                            128.0.0.6           --> 0/0
ge-0/0/1                up    down
ge-0/0/1.0              up    down eth-switch
ge-0/0/2                up    down
ge-0/0/2.0              up    down eth-switch
ge-0/0/3                up    up
ge-0/0/3.0              up    up   eth-switch
ge-0/0/4                up    down
ge-0/0/4.0              up    down eth-switch
ge-0/0/5                up    down
ge-0/0/5.0              up    down eth-switch
ge-0/0/6                up    down
ge-0/0/6.0              up    down eth-switch
ge-0/0/7                up    down
ge-0/0/7.0              up    down inet
dl0                     up    up
dl0.0                   up    up   inet
                                   inet6    fe80::7629:720f:fc1f:2b69/64
esi                     up    up
fti0                    up    up
fxp2                    up    up
fxp2.0                  up    up   tnp      0x1
gre                     up    up
ipip                    up    up
irb                     up    up
irb.0                   up    up   inet     192.168.1.1/24
jsrv                    up    up
jsrv.1                  up    up   inet     128.0.0.127/2
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
rbeb                    up    up
st0                     up    up
tap                     up    up
vtep                    up    up
Set the root password before connecting to J-Web.
root# set system root-authentication plain-text-password
Try a ping from the PC.
Reply from 192.168.1.1: bytes=32 time=2ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=2ms TTL=64
Reply from 192.168.1.1: bytes=32 time=3ms TTL=64
Reply from 192.168.1.1: bytes=32 time=2ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=2ms TTL=64
Reply from 192.168.1.1: bytes=32 time=2ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=3ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=2ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
2. Connect to https://192.168.1.1 from Google Chrome or Firefox.
3. Enter root / password.
4. The connection is complete, as shown below.
Older J-Web versions on the Juniper SRX had many bugs and problems, so the Juniper SRX has generally been managed through the CLI.
Thank you for reading [2024][Juniper SRX #19] J-Web.
To make it easy to look up, for each Junos release for SRX, which earlier releases support a direct upgrade to it, please see the table below.
Before performing the upgrade, please make sure to check the Notes section below for possible caveats and limitations that may apply.
Choice: Booting Junos in CLI recovery mode ...
Verified /boot/manifest signed by PackageProductionECP256_2021
Verified /boot/loader.rc
Verified /boot/support.4th
Verified /boot/load-dtb.4th
Verified /boot/platform.4th
Verified /boot/platform-load-dtb.4th
[...]
netstack/../manifest signed by PackageProductionECP256_2021
Verified /packages/sets/active/boot/os-kernel/kernel
Verified /packages/sets/active/boot/os-vmguest/init.4th
Verified /packages/sets/active/boot/junos-modules/init.4th
Verified /packages/sets/active/boot/junos-net-platform/../manifest signed by PackageProductionECP256_2021
Verified /packages/sets/active/boot/junos-vmguest-platform/../manifest signed by PackageProductionECP256_2021
Verified /packages/sets/active/boot/os-kernel/../manifest signed by PackageProdu
Once boot completes, you are dropped straight into root> mode without logging in.
Change the password, then reboot.
The reason is that the current mode is password recovery mode.
NOTE: the 'configure' command to make any required changes. For example,
NOTE: to reset the root password, type:
NOTE:    configure
NOTE:    set system root-authentication plain-text-password
NOTE:    (enter the new password when asked)
NOTE:    commit
NOTE:    exit
NOTE:    exit
NOTE: When you exit the CLI, you will be in a shell.
Starting CLI ...

root> configure
root# set system root-authentication plain-text-password
New password:
error: require change of case, digits or punctuation

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit
commit complete

[edit]
root@srx# exit
Exiting configuration mode

root@srx> request system reboot
Reboot the system ? [yes,no] (no) yes

Jun 23 11:12:02  shutdown 16997 - - reboot requested by root at Sun Jun 23 11:12:02 2024
Shutdown NOW!
[pid 16997]
Jun 23 11:12:02  shutdown 16997 - - reboot by root:
Waiting (max 60 seconds) for system process `vnlru' to stop... done
Waiting (max 60 seconds) for system process `syncer' to stop...
Syncing disks, vnodes remaining... 0
Wait until boot completes.
Try logging in with the password that was changed in password recovery mode.
Then check the IP address of interface ge-0/0/0.
Password recovery only changes the password. The other configuration values remain as they were.
login: root
Password:
Last login: Sun Jun 23 10:42:33 on ttyu0

--- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil
root@srx:~ # ci
ci: Command not found.
root@srx:~ # cli
root@srx> show interfaces terse | match ge-0/0
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.1.1/24
ge-0/0/1                up    up
ge-0/0/2                up    up
Thank you for reading [2024][Juniper SRX #16] password recovery.
[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system or
                    ^
syntax error.
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit
commit complete
[edit] root#
Configuring ge-0/0/0 192.168.1.1/24
root# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24
root# run show interfaces terse | match ge-0/0
ge-0/0/0                up    up
ge-0/0/1                up    up
ge-0/0/2                up    up
As you can see above, the configuration is not applied until you commit.
How to check which commands are waiting for commit
root# show | compare
[edit]
+  interfaces {
+      ge-0/0/0 {
+          unit 0 {
+              family inet {
+                  address 192.168.1.1/24;
+              }
+          }
+      }
+  }
[edit] root#
If you exit at this point, the configuration above is lost.
root# exit
The configuration has been changed but not committed
Exit with uncommitted changes? [yes,no] (yes)
Choose no.
commit check verifies, before you commit, that the configuration is valid. If you commit directly without commit check and there is a problem with the configuration, an error message is printed and the commit fails.
root# commit check
configuration check succeeds

[edit]
root#
Run commit
root# commit
commit complete

[edit]
root# exit
Exiting configuration mode

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.1.1/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

root>
Now reboot. On Juniper, a commit both applies the commands and saves them.
Let's reboot and confirm that the configuration is retained.
request system reboot
Wait until the boot completes.
root> request system reboot
Reboot the system ? [yes,no] (no) yes

*** FINAL System shutdown message from root@ ***

System going down IMMEDIATELY

Stopping cron.
.
Once the boot completes, checking the IP of interface ge-0/0/0 shows that the configured value is still there.
login: root
Password:
Last login: Sun Jun 23 09:53:36 on ttyu0
commit confirmed - change the hostname to firewall and run commit confirmed. If no further commit follows within 10 minutes, the configuration returns to its previous state.
root@srx# set system host-name firewall

[edit]
root@srx# commit ?
Possible completions:
  <[Enter]>            Execute this command
  activate             Activate a previously prepared commit
  and-quit             Quit configuration mode if commit succeeds
  at                   Time at which to activate configuration changes
  check                Check correctness of syntax; do not apply changes
  comment              Message to write to commit log
  confirmed            Automatically rollback if not confirmed
  peers-synchronize    Synchronize commit on remote peers
  prepare              Prepare for an upcoming commit activation
  |                    Pipe through a command
[edit]
root@srx# commit confirmed
commit confirmed will be automatically rolled back in 10 minutes unless confirmed
commit complete

# commit confirmed will be rolled back in 10 minutes
[edit]
root@firewall#
For the test, wait 10 minutes. If no commit happens within 10 minutes, the host-name changes back to its previous value, srx.
Because no commit was made within 10 minutes, the configuration was rolled back to the previous state.
Broadcast Message from root@srx
        (no tty) at 10:25 UTC...

Commit was not confirmed; automatic rollback complete.

[edit]
root@srx#
This time, for the test, use commit confirmed 1 and then commit within 1 minute.
Even after 1 minute passes, the configuration is not rolled back.
root@srx# set system host-name firewall

[edit]
root@srx# commit confirmed 1
commit confirmed will be automatically rolled back in 1 minutes unless confirmed
commit complete

# commit confirmed will be rolled back in 1 minute
[edit]
root@firewall# commit
commit complete

[edit]
root@firewall#
Let's test commit at.
The commit is executed at 12:00:00.
[edit]
root@firewall# set system host-name srxsrx
root@firewall# commit at 12:00:00
configuration check succeeds
commit at will be executed at 2024-06-23 12:00:00 UTC
The configuration has been changed but not committed
Exiting configuration mode

root@firewall>
Next, let's look at rollback.
Restoring configuration (rollback)
Restore the configuration to a previous one (after a rollback you must run commit for it to take effect)
A rollback point is created every time you commit.
rollback 0 - discard the configuration changes made since the last commit
rollback 1 - restore the configuration from before the last commit
rollback 2 - restore the configuration from before the second-to-last commit
Command to check when each rollback point was created at commit time
Possible completions:
  <revision>           Rollback to given configuration revision
  re0-1719138399-8     2024-06-23 10:26:40 UTC by root via cli
  re0-1719138393-7     2024-06-23 10:26:36 UTC by root via cli commit confirmed, rollback in 1mins
  re0-1719138344-6     2024-06-23 10:25:47 UTC by root via other
  re0-1719137740-5     2024-06-23 10:15:43 UTC by root via cli commit confirmed, rollback in 10mins
  re0-1719137710-4     2024-06-23 10:15:13 UTC by root via cli
  re0-1719137288-3     2024-06-23 10:08:11 UTC by root via cli
  re0-1719136430-2     2024-06-23 09:54:02 UTC by root via cli
  re0-1719135583-1     2024-06-23 09:41:04 UTC by root via other
[edit]
root@firewall# rollback revision
Next is [2024][Juniper SRX #14] changing the firewall policy order.
When there are multiple firewall policies, permit/deny is always evaluated from the top down.
That is why the firewall policy order is very important.
In addition, unless you change the order, a new firewall policy is appended at the bottom.
I will explain in detail while testing.
*** Important ***
1. The Juniper SRX is a stateful firewall.
If there is a firewall policy permitting outgoing traffic, the returning traffic is permitted automatically.
Details will be explained in a later lesson.
2. If there are multiple firewall policies, they are checked one by one from top to bottom.
3. Even without a deny policy at the bottom, all traffic is denied by default. - In other words, there is a default deny-all policy.
4. When creating a firewall policy,
4-1 match
4-1-1 source-ip
4-1-2 destination-ip
4-1-3 destination application
Enter the match conditions above, then define how matching traffic is handled.
4-2 action
4-2-1 permit - allow
4-2-2 reject - block
4-2-3 log - generate logs - you must also add the sub-option session-init/session-close.
4-2-3-1 session-init - generate a log when the session starts
4-2-3-2 session-close - generate a log when the session closes
4-2-4 count - provides cumulative traffic usage for the matching condition
permit, log and count can be configured at the same time.
The topology is as follows.
SRX
ge-0/0/0 - dhcp - untrust
ge-0/0/1 - 192.168.1.1/24 - trust
ge-0/0/2 - 172.16.1.1/24 - dmz
SW01
gi0/0 - 192.168.1.2/24
SW02
gi0/0 - 172.16.1.2/24
And enable the following services.
http
https
telnet
ssh
Firewall policy 1)
192.168.1.2 -> 172.16.1.2 permit http
Firewall policy 2)
192.168.1.2 -> 172.16.1.2 permit https
Firewall policy 3)
192.168.1.2 -> 172.16.1.2 permit ssh
Delete the existing firewall configuration
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit
commit complete
2. Configure IP addresses on the interfaces.
root# set interfaces ge-0/0/0 unit 0 family inet dhcp

[edit]
root# set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24

[edit]
root# set interfaces ge-0/0/2 unit 0 family inet address 172.16.1.1/24

[edit]
root# commit
Then assign the interfaces to security zones and check the interface IP addresses.
root# set security zones security-zone untrust
root# set security zones security-zone untrust interfaces ge-0/0/0
root# set security zones security-zone trust
root# set security zones security-zone trust interfaces ge-0/0/1
root# set security zones security-zone dmz
root# set security zones security-zone dmz interfaces ge-0/0/2
root# commit
commit complete

root> show security zones terse
Zone                        Type
dmz                         Security
trust                       Security
untrust                     Security
junos-host                  Security

root> show interfaces zone terse
Interface               Admin Link Proto    Local                 Remote    Zone
ge-0/0/0.0              up    up   inet     192.168.10.105/24               untrust
sp-0/0/0.0              up    up   inet                                     Null
                                   inet6
sp-0/0/0.16383          up    up   inet                                     Null
ge-0/0/1.0              up    up   inet     192.168.1.1/24                  trust
ge-0/0/2.0              up    up   inet     172.16.1.1/24                   dmz
lo0.16384               up    up   inet     127.0.0.1           --> 0/0     Null
lo0.16385               up    up   inet     10.0.0.1            --> 0/0     Null
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up                                            Null

root>
Check the interface IP addresses.
We configured dhcp on ge-0/0/0, but it has no IP address.
The reason is that on a Juniper SRX the dhcp service must be allowed for ge-0/0/0 (in its zone) before the interface can obtain an IP address from DHCP.
root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     192.168.1.1/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     172.16.1.1/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
To let ge-0/0/0 obtain an address via dhcp, allow dhcp under the zone's host-inbound-traffic system-services, and also allow ping for the ping tests.
set security zones security-zone untrust host-inbound-traffic system-services dhcp
set security zones security-zone untrust host-inbound-traffic system-services ping
Then check the ge-0/0/0 IP address with show interfaces terse.
It received the IP address 192.168.10.105/24 from DHCP.
root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.10.105/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     192.168.1.1/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     172.16.1.1/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

root>
Allow ping on ge-0/0/1 and ge-0/0/2 as well.
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone dmz host-inbound-traffic system-services ping
SW01#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.1.1
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, GigabitEthernet0/0
L        192.168.1.2/32 is directly connected, GigabitEthernet0/0
SW01#

Switch>en
Switch#conf t
Switch(config)#ho SW02
SW02(config)#int gigabitEthernet 0/0
SW02(config-if)#no sw
SW02(config-if)#ip add 172.16.1.2 255.255.255.0
SW02(config-if)#no shutdown
SW02(config-if)#end
SW02#
SW02#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
SW02#
Then configure the default gateway.
SW02(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.1
SW02(config)#
SW02#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 172.16.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 172.16.1.1
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.1.0/24 is directly connected, GigabitEthernet0/0
L        172.16.1.2/32 is directly connected, GigabitEthernet0/0
SW02#
Enable the http, https, telnet and ssh services on SW02.
SW02#conf t
SW02(config)#ip http server
SW02(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
Failed to generate persistent self-signed certificate.
    Secure server will use temporary self-signed certificate.
SW02(config)#ip domain-name cisco
SW02(config)#crypto key generate rsa
The name for the keys will be: SW02.cisco
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)

SW02(config)#username cisco privilege 15 password cisco
SW02(config)#line vty 0 15
SW02(config-line)#login local
SW02(config-line)#transport input all
SW02(config-line)#
Now let's create the firewall policies on the Juniper SRX.
Firewall policy 1)
192.168.1.2 -> 172.16.1.2 permit http
Firewall policy 2)
192.168.1.2 -> 172.16.1.2 permit https
Firewall policy 3)
192.168.1.2 -> 172.16.1.2 permit ssh
Address-book and application definitions
set security address-book global address H-192.168.1.2/32 192.168.1.2/32
set security address-book global address H-172.16.1.2/32 172.16.1.2/32

set applications application T-443 protocol tcp
set applications application T-443 source-port 0-65535
set applications application T-443 destination-port 443
set applications application T-443 inactivity-timeout 20

set applications application T-80 protocol tcp
set applications application T-80 source-port 0-65535
set applications application T-80 destination-port 80
set applications application T-80 inactivity-timeout 20

set applications application T-22 protocol tcp
set applications application T-22 source-port 0-65535
set applications application T-22 destination-port 22
set applications application T-22 inactivity-timeout 20
Creating the policies
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http match application T-80
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http then count

set security policies from-zone trust to-zone dmz policy trust-to-dmz-https match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https match application T-443
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https then count

set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh match application T-22
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh then count
Checking the firewall policy order
root> show configuration security policies from-zone trust to-zone dmz | display set | no-more
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http match application T-80
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http then count
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https match application T-443
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https then count
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh match application T-22
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh then count
How to check the firewall policy order
The order is the order in which the firewall policies were created.
The default policy is deny-all; it does not appear in the ordered list, but it is shown as deny-all next to "Default policy:".
After the firewall policies are checked from top to bottom, if nothing matches, the default policy, deny-all, is applied.
root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: dmz
  Policy: trust-to-dmz-http, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-80
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-https, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-443
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-ssh, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 3, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-22
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
Let's test from SW01 to SW02.
192.168.1.2 -> 172.16.1.2 http - success
192.168.1.2 -> 172.16.1.2 https - success
192.168.1.2 -> 172.16.1.2 ssh - success
192.168.1.2 -> 172.16.1.2 telnet - failure: there is no firewall policy for it, so the default policy deny-all is applied
SW01#telnet 172.16.1.2 80
Trying 172.16.1.2, 80 ... Open
^C
HTTP/1.1 400 Bad Request
Date: Sun, 23 Jun 2024 09:04:47 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request
[Connection to 172.16.1.2 closed by foreign host]
SW01#telnet 172.16.1.2 443
Trying 172.16.1.2, 443 ... Open
^C
^C
[Connection to 172.16.1.2 closed by foreign host]
SW01#ssh -l cisco 172.16.1.2

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
Password:

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
SW02#exit

[Connection to 172.16.1.2 closed by foreign host]
SW01#
SW01#telnet 172.16.1.2
Trying 172.16.1.2 ...
% Connection timed out; remote host not responding
Checking hit-count - note that the index number here does not indicate the firewall policy order.
root> show security policies hit-count
Logical system: root-logical-system
 Index   From zone        To zone      Name                    Policy count  Action
 1       trust            dmz          trust-to-dmz-ssh        1             Permit
 2       trust            dmz          trust-to-dmz-http       1             Permit
 3       trust            dmz          trust-to-dmz-https      1             Permit
To check the firewall policy order, let's create an explicit deny-any policy. For visibility, the deny-all policy is configured with count and log.
set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all match source-address any
set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all match destination-address any
set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all match application any
set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all then deny
set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all then count
Checking the firewall policy order - a firewall policy created without a specific placement command is created at the bottom.
root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: dmz
  Policy: trust-to-dmz-http, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-80
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-https, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-443
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-ssh, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 3, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-22
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-deny-all, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 4, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: deny, log, count

root>
If another firewall policy is created in this state, it is created below the deny policy.
First, for the test, let's create a firewall policy permitting telnet from 192.168.1.2 to 172.16.1.2.
set applications application T-23 protocol tcp
set applications application T-23 source-port 0-65535
set applications application T-23 destination-port 23
set applications application T-23 inactivity-timeout 20
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet match application T-23
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet then count
commit
The telnet permit policy was created below the deny-any policy.
root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: dmz
  Policy: trust-to-dmz-http, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-80
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-https, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-443
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-ssh, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 3, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-22
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-deny-all, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 4, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: deny, log, count
  Policy: trust-to-dmz-telnet, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 5, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-23
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count

set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet match application T-23
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet then count
after - places the new firewall policy after a specified policy.
before - places the new firewall policy before a specified policy.
Let's place it before trust-to-dmz-deny-all.
insert security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet ?
Possible completions:
  after                Insert after given data element
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  before               Insert before given data element
> match                Specify security policy match-criteria
> then                 Specify policy action to take when packet match criteria
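The ordering rule this post demonstrates (first match from the top, a plain set appends at the bottom, insert before/after moves a policy, and the implicit deny-all catches the rest) is easy to reason about with a small model. The following is an added example, not Juniper's code or the post's own; it uses the post's policy names, addresses and applications, simplifies an application to a (protocol, destination-port) pair, and feeds it constructed packet tuples.

```python
# Added example (not Juniper's code, not from the original post): a model of
# how an SRX walks the ordered policy list of one zone pair (trust -> dmz).
# Applications are simplified to (protocol, destination-port); the implicit
# "Default policy: deny-all" applies when no configured policy matches.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    src: str            # CIDR or "any"  (address-book entry)
    dst: str            # CIDR or "any"
    app: object         # (proto, dst_port) tuple or "any"
    action: str         # "permit" or "deny"
    hits: int = 0       # what 'show security policies hit-count' would report

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        def in_cidr(cidr: str, ip: str) -> bool:
            return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

        app_ok = self.app == "any" or self.app == (proto, dport)
        return in_cidr(self.src, src_ip) and in_cidr(self.dst, dst_ip) and app_ok


class ZonePairPolicies:
    """Ordered policies for one from-zone/to-zone pair."""

    def __init__(self) -> None:
        self.policies: list[Policy] = []

    def set(self, policy: Policy) -> None:
        # A plain 'set security policies ...' appends at the bottom of the list.
        self.policies.append(policy)

    def _index_of(self, name: str) -> int:
        return [p.name for p in self.policies].index(name)

    def insert_before(self, name: str, anchor: str) -> None:
        # 'insert ... policy <name> before policy <anchor>' on an existing policy
        moved = self.policies.pop(self._index_of(name))
        self.policies.insert(self._index_of(anchor), moved)

    def insert_after(self, name: str, anchor: str) -> None:
        # 'insert ... policy <name> after policy <anchor>'
        moved = self.policies.pop(self._index_of(name))
        self.policies.insert(self._index_of(anchor) + 1, moved)

    def sequence(self) -> list[str]:
        # Sequence numbers in 'show security policies' follow this order, 1-based.
        return [p.name for p in self.policies]

    def lookup(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> tuple[str, str]:
        # First match from the top wins; nothing matching falls to deny-all.
        for p in self.policies:
            if p.matches(src_ip, dst_ip, proto, dport):
                p.hits += 1
                return p.name, p.action
        return "default-policy", "deny"


def build_trust_to_dmz() -> ZonePairPolicies:
    """The four policies from the post, in the order they were created."""
    zp = ZonePairPolicies()
    h_src, h_dst = "192.168.1.2/32", "172.16.1.2/32"
    zp.set(Policy("trust-to-dmz-http", h_src, h_dst, ("tcp", 80), "permit"))
    zp.set(Policy("trust-to-dmz-https", h_src, h_dst, ("tcp", 443), "permit"))
    zp.set(Policy("trust-to-dmz-ssh", h_src, h_dst, ("tcp", 22), "permit"))
    zp.set(Policy("trust-to-dmz-deny-all", "any", "any", "any", "deny"))
    return zp


def telnet_before_and_after_insert() -> tuple[tuple[str, str], tuple[str, str]]:
    """Add the telnet policy the plain way, then move it above deny-all."""
    zp = build_trust_to_dmz()
    zp.set(Policy("trust-to-dmz-telnet", "192.168.1.2/32", "172.16.1.2/32",
                  ("tcp", 23), "permit"))
    pkt = ("192.168.1.2", "172.16.1.2", "tcp", 23)   # constructed sample packet
    shadowed = zp.lookup(*pkt)      # sits below deny-all, so it never matches
    zp.insert_before("trust-to-dmz-telnet", "trust-to-dmz-deny-all")
    reachable = zp.lookup(*pkt)     # now evaluated before deny-all
    return shadowed, reachable


if __name__ == "__main__":
    zp = build_trust_to_dmz()
    for pkt in [("192.168.1.2", "172.16.1.2", "tcp", 80),
                ("192.168.1.2", "172.16.1.2", "tcp", 23),
                ("192.168.1.9", "172.16.1.2", "tcp", 80)]:
        print(pkt, "->", zp.lookup(*pkt))
    print(telnet_before_and_after_insert())
```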
SRX side
1. Delete all of the existing configuration.
To test the firewall policies, enable http, https, telnet and ssh on SW01 and SW02.
SW01(config)#ip http server SW01(config)#ip http secure-server % Generating 1024 bit RSA keys, keys will be non-exportable... [OK] (elapsed time was 0 seconds) Failed to generate persistent self-signed certificate. Secure server will use temporary self-signed certificate.
SW01(config)#ip domain-name cisco SW01(config)#crypto key generate rsa The name for the keys will be: SW01.cisco Choose the size of the key modulus in the range of 360 to 4096 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: % Generating 512 bit RSA keys, keys will be non-exportable... [OK] (elapsed time was 0 seconds)
SW01(config)#line vty 0 15 SW01(config-line)#login local SW01(config-line)#transport input all
Configure SW02 the same way.

SW02#conf t
SW02(config)#ip http server
SW02(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
Failed to generate persistent self-signed certificate.
Secure server will use temporary self-signed certificate.

SW02(config)#ip domain-name cisco
SW02(config)#crypto key generate rsa
The name for the keys will be: SW02.cisco
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)

SW02(config)#username cisco privilege 15 password cisco
SW02(config)#line vty 0 15
SW02(config-line)#login local
SW02(config-line)#transport input all
SW02(config-line)#

`username ... password` stores the credential as a reversible type 0/7 string in the running configuration; outside a lab use `username cisco privilege 15 secret <password>` so it is stored as a hash.
To confirm that http, https, telnet and ssh actually work end to end, first configure the Juniper SRX policy as any/any and run the tests with that. Permit everything from the trust zone to the dmz zone. (The policy name was typed as trsut-to-dmz in the lab; the hit-count output below refers to it by that name, so it is kept as-is here.)

set security policies from-zone trust to-zone dmz policy trsut-to-dmz match source-address any
set security policies from-zone trust to-zone dmz policy trsut-to-dmz match destination-address any
set security policies from-zone trust to-zone dmz policy trsut-to-dmz match application any
set security policies from-zone trust to-zone dmz policy trsut-to-dmz then permit
set security policies from-zone trust to-zone dmz policy trsut-to-dmz then log session-init
set security policies from-zone trust to-zone dmz policy trsut-to-dmz then count
Ping from SW01 in the trust zone to SW02 in the dmz zone:

SW01#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/28/126 ms
SW01#
Try http, https, telnet and ssh from SW01 in the trust zone to SW02 in the dmz zone:

telnet 172.16.1.2 80 - http: success
telnet 172.16.1.2 443 - https: success
telnet 172.16.1.2 23 - telnet: success
ssh -l cisco 172.16.1.2 - ssh: success
SW01#telnet 172.16.1.2 80
Trying 172.16.1.2, 80 ... Open
^C
HTTP/1.1 400 Bad Request
Date: Sun, 23 Jun 2024 07:37:36 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request
[Connection to 172.16.1.2 closed by foreign host]
SW01#
SW01#telnet 172.16.1.2 443
Trying 172.16.1.2, 443 ... Open

[Connection to 172.16.1.2 closed by foreign host]
SW01#
SW01#telnet 172.16.1.2
Trying 172.16.1.2 ... Open

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************

User Access Verification

Username: cisco
Password:
(IOSv banner repeated)
SW02#

SW01#
SW01#ssh -l cisco 172.16.1.2

(IOSv banner repeated)
Password:

(IOSv banner repeated)
SW02#
SW02#
SW02#
Now ping from SW02 in the dmz zone to SW01 in the trust zone.

It fails: there is no policy from the dmz zone to the trust zone on the SRX, and the default policy is deny-all.

SW02#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW02#
For the test, add an any/any policy from the dmz zone to the trust zone as well.

set security policies from-zone dmz to-zone trust policy dmz-to-trust match source-address any
set security policies from-zone dmz to-zone trust policy dmz-to-trust match destination-address any
set security policies from-zone dmz to-zone trust policy dmz-to-trust match application any
set security policies from-zone dmz to-zone trust policy dmz-to-trust then permit
set security policies from-zone dmz to-zone trust policy dmz-to-trust then log session-init
set security policies from-zone dmz to-zone trust policy dmz-to-trust then count
Ping again from SW02 in the dmz zone to SW01 in the trust zone:

SW02#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/15 ms
SW02#
Try http, https, telnet and ssh from SW02 in the dmz zone to SW01 in the trust zone:

telnet 192.168.1.2 80 - http: success
telnet 192.168.1.2 443 - https: success
telnet 192.168.1.2 23 - telnet: success
ssh -l cisco 192.168.1.2 - ssh: success
SW02#telnet 192.168.1.2 80
Trying 192.168.1.2, 80 ... Open
^C
HTTP/1.1 400 Bad Request
Date: Sun, 23 Jun 2024 07:49:11 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request
[Connection to 192.168.1.2 closed by foreign host]
SW02#telnet 192.168.1.2 443
Trying 192.168.1.2, 443 ... Open

^C^[[A
[Connection to 192.168.1.2 closed by foreign host]
SW02#telnet 192.168.1.2
Trying 192.168.1.2 ... Open

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************

User Access Verification

Username: cisco
Password:
(IOSv banner repeated)
SW01#

SW01#ssh -l cisco 192.168.1.2

(IOSv banner repeated)
Password:

(IOSv banner repeated)
SW01#exit

[Connection to 192.168.1.2 closed by foreign host]
SW01#
How to check policy hit counts on the Juniper SRX:

root> show security policies hit-count
Logical system: root-logical-system
  Index   From zone   To zone   Name           Policy count   Action
  1       trust       dmz       trsut-to-dmz   9              Permit
  2       dmz         trust     trsut-to-dmz   8              Permit
Now tighten the trust-to-dmz direction. First define address-book entries for the two hosts and custom applications for telnet (tcp/23) and https (tcp/443):

set security address-book global address H-192.168.1.2/32 192.168.1.2/32
set security address-book global address H-172.16.1.2/32 172.16.1.2/32

set applications application T-23 protocol tcp
set applications application T-23 source-port 0-65535
set applications application T-23 destination-port 23
set applications application T-23 inactivity-timeout 20

set applications application T-443 protocol tcp
set applications application T-443 source-port 0-65535
set applications application T-443 destination-port 443
set applications application T-443 inactivity-timeout 20

Create the firewall policies. The dmz-to-trust direction stays any/any for the test; the restricted trust-to-dmz policy that references the address-book entries and the T-23/T-443 applications is visible in the show configuration output further down.
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match source-address any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match destination-address any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match application any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then permit
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then log session-init
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then count
commit
How to check the firewall policies:

root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: dmz, To zone: trust
  Policy: trsut-to-dmz, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
From zone: trust, To zone: dmz
  Policy: trust-to-dmz, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-23, T-443
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count

root>
How to view the full security configuration:

root> show configuration security | display set | no-more
set security address-book global address H-192.168.1.2/32 192.168.1.2/32
set security address-book global address H-172.16.1.2/32 172.16.1.2/32
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match source-address any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match destination-address any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match application any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then permit
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then log session-init
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then count
set security policies from-zone trust to-zone dmz policy trust-to-dmz match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz match application T-23
set security policies from-zone trust to-zone dmz policy trust-to-dmz match application T-443
set security policies from-zone trust to-zone dmz policy trust-to-dmz then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz then count
set security zones security-zone untrust host-inbound-traffic system-services dhcp
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone dmz host-inbound-traffic system-services ping
set security zones security-zone dmz interfaces ge-0/0/2.0

root>
How to view only the policies from the trust zone to the dmz zone:

root> show configuration security policies from-zone trust to-zone dmz | display set | no-more
set security policies from-zone trust to-zone dmz policy trust-to-dmz match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz match application T-23
set security policies from-zone trust to-zone dmz policy trust-to-dmz match application T-443
set security policies from-zone trust to-zone dmz policy trust-to-dmz then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz then count
Now test it. The expected result of the policy from SW01 in the trust zone to SW02 in the dmz zone:

1. 192.168.1.2 -> 172.16.1.2 https: permitted
2. 192.168.1.2 -> 172.16.1.2 telnet: permitted
3. 192.168.1.2 -> 172.16.1.2 http: denied
4. 192.168.1.2 -> 172.16.1.2 ssh: denied

Everything else is denied. Only the two permitted cases are captured below; because a deny policy silently drops the packets, `telnet 172.16.1.2 80` and `ssh -l cisco 172.16.1.2` now sit at "Trying ..." and time out instead of opening.
SW01#telnet 172.16.1.2 443
Trying 172.16.1.2, 443 ... Open
^C
^^ v
[Connection to 172.16.1.2 closed by foreign host]
SW01#
SW01#telnet 172.16.1.2
Trying 172.16.1.2 ... Open

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************

User Access Verification

Username: cisco
Password:
(IOSv banner repeated)
SW02#exit

root> show security policies hit-count
Logical system: root-logical-system
  Index   From zone   To zone   Name           Policy count   Action
  1       trust       dmz       trust-to-dmz   2              Permit
  2       dmz         trust     trsut-to-dmz   8              Permit
How to check the current flow sessions on the firewall. Open a telnet session from SW01 to SW02:

SW01#telnet 172.16.1.2
Trying 172.16.1.2 ... Open

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************

User Access Verification

Username: cisco
Password:
(IOSv banner repeated)
SW02#
While that session is open, check its state on the Juniper SRX with `show security flow session`.

Applications can be defined the standard way or the custom way. The standard way relies on what the SRX already knows: `application-protocol` selects one of the built-in application-layer gateways (ALGs), and the predefined junos-* applications (junos-http, junos-telnet and so on) combine such an ALG with the well-known protocol and port.
set applications application standard-way application-protocol http
root# set applications application KK application-protocol ?
Possible completions:
  dns                  Domain Name Service
  ftp                  File Transfer Protocol
  ftp-data             File Transfer Protocol Data Session
  gprs-gtp-c           GPRS Tunneling Control Plane
  gprs-gtp-u           GPRS Tunneling User Plane
  gprs-gtp-v0          GPRS Tunneling Version 0
  gprs-sctp            GPRS Stream Control Protocol
  http                 Hypertext Transfer Protocol
  https                Hypertext Transfer Protocol
  ignore               Ignore application type
  ike-esp-nat          IKE/ESP with NAT
  imap                 Internet Mail Access Protocol
  imaps                Internet Mail Access Protocol Over TLS
  mgcp-ca              MGCP-CA
  mgcp-ua              MGCP-UA
  ms-rpc               Microsoft RPC
  none                 None
  pop3                 Post Office Protocol 3 Protocol
  pop3s                Post Office Protocol 3 Protocol Over TLS
  pptp                 Point-to-Point Tunneling Protocol
  q931                 Q.931
  ras                  RAS
  realaudio            RealAudio
  rsh                  Remote Shell
  rtsp                 Real Time Streaming Protocol
  sccp                 Skinny Client Control Protocol
  sip                  Session Initiation Protocol
  smtp                 Simple Mail Transfer Protocol
  smtps                Simple Mail Transfer Protocol Over TLS
  sqlnet-v2            Oracle SQL*Net Version 2
  ssh                  Secure Shell Protocol
  sun-rpc              Sun Microsystems RPC
  talk                 Talk Program
  telnet               Telnet Protocol
  tftp                 Trivial File Transfer Protocol
  twamp                Two Way Active Meaurement Protocol
[edit]
Now the custom way. A custom application is defined by:

Protocol: tcp
Source port: 0-65535. The client picks its source port at random, so the full range is allowed; a few applications do use a fixed source port and can be pinned down here.
Destination port: 23
Inactivity timeout: 20 seconds

set applications application telnet-1 protocol tcp
set applications application telnet-1 source-port 0-65535
set applications application telnet-1 destination-port 23
set applications application telnet-1 inactivity-timeout 20
The application is then referenced from a firewall policy like this:
set security policies from-zone trust to-zone untrust policy p1 match application telnet-1
To use several applications in a single policy, define each one:

set applications application http-1 protocol tcp
set applications application http-1 source-port 0-65535
set applications application http-1 destination-port 80
set applications application http-1 inactivity-timeout 20
and then add each application to the policy separately:

set security policies from-zone trust to-zone untrust policy p1 match application telnet-1
set security policies from-zone trust to-zone untrust policy p1 match application http-1
With an application-set, however, many applications can be attached to one policy in a single statement. Assign http-1 and telnet-1 to an application-set:

set applications application-set app-group application http-1
set applications application-set app-group application telnet-1
Then reference the application-set in the firewall policy:
set security policies from-zone trust to-zone untrust policy p1 match application-set app-group
Command to verify the application configuration:

root> show configuration applications | display set
set applications application standard-way application-protocol http
set applications application http-1 protocol tcp
set applications application http-1 source-port 0-65535
set applications application http-1 destination-port 80
set applications application http-1 inactivity-timeout 20
set applications application telnet-1 protocol tcp
set applications application telnet-1 source-port 0-65535
set applications application telnet-1 destination-port 23
set applications application telnet-1 inactivity-timeout 20
set applications application-set app-group application http-1
set applications application-set app-group application telnet-1

root>
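To see the whole lookup in one place, here is an added example (my own code, not part of the original post and not Juniper software) that parses the set commands from this post, resolves custom applications and application-sets, and evaluates the trust-to-dmz test matrix above together with the p1 policy that uses app-group. The p1 policy is shown on the page with only its application match, so `source-address any` and `destination-address any` are assumed for it; the default policy is taken as deny-all, as the `show security policies` output above reports.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed input: the set commands from this page. p1 is shown on the page with only
# its application match; source/destination "any" is assumed here to complete it.
SAMPLE_CONFIG = """\
set security address-book global address H-192.168.1.2/32 192.168.1.2/32
set security address-book global address H-172.16.1.2/32 172.16.1.2/32
set applications application T-23 protocol tcp
set applications application T-23 destination-port 23
set applications application T-443 protocol tcp
set applications application T-443 destination-port 443
set applications application http-1 protocol tcp
set applications application http-1 destination-port 80
set applications application telnet-1 protocol tcp
set applications application telnet-1 destination-port 23
set applications application-set app-group application http-1
set applications application-set app-group application telnet-1
set security policies from-zone trust to-zone dmz policy trust-to-dmz match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz match application T-23
set security policies from-zone trust to-zone dmz policy trust-to-dmz match application T-443
set security policies from-zone trust to-zone dmz policy trust-to-dmz then permit
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match source-address any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match destination-address any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match application any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then permit
set security policies from-zone trust to-zone untrust policy p1 match source-address any
set security policies from-zone trust to-zone untrust policy p1 match destination-address any
set security policies from-zone trust to-zone untrust policy p1 match application-set app-group
set security policies from-zone trust to-zone untrust policy p1 then permit
"""

@dataclass
class Policy:
    from_zone: str
    to_zone: str
    name: str
    src: set = field(default_factory=set)   # address-book names or "any"
    dst: set = field(default_factory=set)
    apps: set = field(default_factory=set)  # application names, "any", or "set:<application-set>"
    action: str = "deny"

def parse_set_config(text):
    """Return {"addrs", "apps", "app_sets", "policies"}. Policies keep configuration
    order, which is the order the SRX evaluates them within one zone pair."""
    cfg = {"addrs": {}, "apps": {}, "app_sets": {}, "policies": []}
    for line in text.splitlines():
        t = line.split()
        if t[1:5] == ["security", "address-book", "global", "address"]:
            cfg["addrs"][t[5]] = ip_network(t[6])
        elif t[1:3] == ["applications", "application"]:
            cfg["apps"].setdefault(t[3], {})[t[4]] = t[5]      # protocol, destination-port, ...
        elif t[1:3] == ["applications", "application-set"]:
            cfg["app_sets"].setdefault(t[3], []).append(t[5])
        elif t[1:3] == ["security", "policies"]:
            key = (t[4], t[6], t[8])                             # from-zone, to-zone, policy name
            pol = next((p for p in cfg["policies"] if (p.from_zone, p.to_zone, p.name) == key), None)
            if pol is None:
                pol = Policy(*key)
                cfg["policies"].append(pol)
            if t[9] == "match" and t[10] == "application-set":
                pol.apps.add("set:" + t[11])
            elif t[9] == "match":
                bucket = {"source-address": pol.src, "destination-address": pol.dst,
                          "application": pol.apps}.get(t[10])
                if bucket is not None:
                    bucket.add(t[11])
            elif t[9] == "then" and t[10] in ("permit", "deny", "reject"):
                pol.action = t[10]
    return cfg

def _app_matches(cfg, name, proto, dport):
    if name == "any":
        return True
    if name.startswith("set:"):  # application-set: any member matching is enough
        return any(_app_matches(cfg, m, proto, dport) for m in cfg["app_sets"][name[4:]])
    app = cfg["apps"][name]
    lo, _, hi = app.get("destination-port", "0-65535").partition("-")  # single port or lo-hi
    return app.get("protocol") == proto and int(lo) <= dport <= int(hi or lo)

def evaluate(cfg, from_zone, to_zone, src, dst, proto, dport=0):
    """(action, policy name) of the first matching policy for the zone pair. No match
    falls through to the device default policy, which is deny-all in this lab."""
    src, dst = ip_address(src), ip_address(dst)
    def in_book(names, ip):
        return any(n == "any" or ip in cfg["addrs"][n] for n in names)
    for pol in cfg["policies"]:
        if ((pol.from_zone, pol.to_zone) == (from_zone, to_zone)
                and in_book(pol.src, src) and in_book(pol.dst, dst)
                and any(_app_matches(cfg, n, proto, dport) for n in pol.apps)):
            return pol.action, pol.name
    return "deny", "default-policy"

def overly_permissive(cfg):
    """Permit policies matching any/any/any: acceptable for a lab test, not for production."""
    return [p.name for p in cfg["policies"]
            if p.action == "permit" and p.src == p.dst == p.apps == {"any"}]

if __name__ == "__main__":
    cfg = parse_set_config(SAMPLE_CONFIG)
    for port in (443, 23, 80, 22):  # the trust -> dmz test matrix from the post
        print("tcp/%d" % port, evaluate(cfg, "trust", "dmz", "192.168.1.2", "172.16.1.2", "tcp", port))
    print("any/any/any permit policies:", overly_permissive(cfg))
```

Two things the model makes visible that the CLI transcripts do not: ICMP from SW01 to SW02 is also denied once the any/any policy is gone (no application with protocol tcp can match it), and `overly_permissive` still flags the dmz-to-trust policy, which is why the any/any shape is only for a test run. Policy order matters within a zone pair; on a real device, `insert security policies from-zone ... policy X before policy Y` reorders them.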
Thank you for reading [2024][Juniper SRX #12] application and application-set.

This is [2024][Juniper SRX #10] Administrator access restriction settings for MGMT.

The Juniper SRX can be managed over SSH, Telnet or J-Web, but without any restriction every IP range that can reach the device is able to log in over those services.

When company policy requires that only specific source ranges may manage the firewall through its MGMT IP, it can be configured as follows.
Topology

The Juniper SRX starting configuration is shown below. Note that it allows root login over SSH and has Telnet enabled; both are lab conveniences (Telnet carries credentials in cleartext).

root> show configuration | display set | no-more
set version 21.3R1.9
set system root-authentication encrypted-password "$6$Ea7ce5UJ$33Cef6CXrDrf7O1iHX0Skwii8sjgCAeFvM5CXzEbX3/5QyNQxTMpRtregTUO/84DdvZhnEXel5WPvXKOu0hyx1"
set system login user juniper uid 2000
set system login user juniper class super-user
set system login user juniper authentication encrypted-password "$6$.zIMNUej$r05Ie68YwDsLLShNbIIYdL.TjI9p/ndcvxF0YOuOAbD.OlQWmgaABWskuOtmcU9ZRhp.VqM/tVcA2.tZMwc.W/"
set system services ssh root-login allow
set system services telnet
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set interfaces fxp0 unit 0 family inet address 192.168.10.220/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253
The Cisco switch starting configuration:

Switch#conf t
Switch(config)#hostname SW1
SW1(config)#int g0/0
SW1(config-if)#no sw
SW1(config-if)#ip add dhcp
SW1(config-if)#no sh
Check the Juniper interface status:

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
fxp0.0                  up    up   inet     192.168.10.220/24
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

root>
Check the Cisco interfaces:

SW1#show ip int brie
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  up                    up
GigabitEthernet0/3     unassigned      YES unset  up                    up
GigabitEthernet0/0     192.168.10.104  YES DHCP   up                    up
GigabitEthernet1/0     unassigned      YES unset  up                    up
GigabitEthernet1/1     unassigned      YES unset  up                    up
GigabitEthernet1/2     unassigned      YES unset  up                    up
GigabitEthernet1/3     unassigned      YES unset  up                    up
SW1#
Juniper SRX fxp0 IP: 192.168.10.220
Cisco Gi0/0 IP: 192.168.10.104

Ping the Juniper fxp0 from the Cisco switch:

SW1#ping 192.168.10.220
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.220, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
SW1#
Telnet and SSH test: both work from the switch's current address.

SW1#telnet 192.168.10.220
Trying 192.168.10.220 ... Open
login: juniper
Password:
Last login: Thu Jun 20 09:49:37 from 172.16.10.15

SW1#ssh -l root 192.168.10.220
Password:
Last login: Sat Jun 22 06:12:39 2024
--- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil
root@:~ #
The Cisco switch currently has 192.168.10.104. The SRX will now be configured so that only 192.168.10.105 can connect to it.

1. Enter the allowed source address. To allow several managers, add one entry per address or prefix.

set policy-options prefix-list manager-ip 192.168.10.105/32

2. Build a firewall filter that uses the prefix-list. Only traffic matching

IP: 192.168.10.105
Protocol: tcp
Destination port: telnet, https or ssh

is accepted; the final term, which has no from clause, discards everything else.

set firewall filter manager-ip term accept_manager from prefix-list manager-ip
set firewall filter manager-ip term accept_manager from protocol tcp
set firewall filter manager-ip term accept_manager from destination-port telnet
set firewall filter manager-ip term accept_manager from destination-port https
set firewall filter manager-ip term accept_manager from destination-port ssh
set firewall filter manager-ip term accept_manager then accept
set firewall filter manager-ip term block_non_manager then discard
3. Apply the filter inbound on the MGMT interface fxp0.
set interfaces fxp0 unit 0 family inet filter input manager-ip
commit
Commit to apply the configuration.

Keep in mind that the discard term drops everything that did not match the accept term, including ICMP, so ping to fxp0 stops working even from 192.168.10.105; and if fxp0 obtained its address by DHCP, the DHCP replies (udp/68) would be dropped as well. Add explicit accept terms in front of the discard for whatever else the routing engine must receive on fxp0. Keeping Telnet in the allow list is a lab convenience only, since it carries credentials in cleartext.

Cisco side

Try Telnet from 192.168.10.104. It fails because of the filter on the Juniper.

Change the Cisco switch's IP address to 192.168.10.105 and try Telnet and SSH again.
SW1(config)#int g0/0
SW1(config-if)#ip add 192.168.10.105 255.255.255.0
SW1(config-if)#no sh

SW1#show ip int brie
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  up                    up
GigabitEthernet0/3     unassigned      YES unset  up                    up
GigabitEthernet0/0     192.168.10.105  YES manual up                    up
GigabitEthernet1/0     unassigned      YES unset  up                    up
GigabitEthernet1/1     unassigned      YES unset  up                    up
GigabitEthernet1/2     unassigned      YES unset  up                    up
GigabitEthernet1/3     unassigned      YES unset  up                    up
SW1#
Telnet attempt: it succeeds now, because the source address is on the allowed list.

SW1#telnet 192.168.10.220
Trying 192.168.10.220 ... Open
login: juniper
Password:
Last login: Sat Jun 22 06:19:21 from 192.168.10.104
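As an added example (my own code, not from the post and not Juniper software), here is the filter above modelled in Python, so you can see which packets reach the routing engine before you commit it. Term order, the prefix-list lookup and the implicit discard at the end of every Junos filter are reproduced; the service names telnet, ssh and https are mapped to their port numbers. The FILTER_MANAGER_IP_HARDENED variant is my suggestion, not the post's configuration: it drops cleartext Telnet from the allow list and adds an explicit ICMP term for the manager address, because the final discard term in the original also drops pings from 192.168.10.105.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the configuration on this page: the prefix-list and the two
# filter terms in configuration order. A term with no "from" clause matches everything.
PREFIX_LISTS = {"manager-ip": [ip_network("192.168.10.105/32")]}
SERVICE_PORTS = {"telnet": 23, "ssh": 22, "https": 443}  # names Junos accepts in destination-port

FILTER_MANAGER_IP = [
    {"name": "accept_manager",
     "from": {"prefix-list": "manager-ip", "protocol": "tcp",
              "destination-port": ["telnet", "https", "ssh"]},
     "then": "accept"},
    {"name": "block_non_manager", "from": {}, "then": "discard"},
]

# Tightened variant (my suggestion, not from the post): no cleartext Telnet, plus an
# explicit term so the manager can still ping fxp0 despite the final discard.
FILTER_MANAGER_IP_HARDENED = [
    {"name": "accept_manager_ssh_https",
     "from": {"prefix-list": "manager-ip", "protocol": "tcp",
              "destination-port": ["ssh", "https"]},
     "then": "accept"},
    {"name": "accept_manager_ping",
     "from": {"prefix-list": "manager-ip", "protocol": "icmp"},
     "then": "accept"},
    {"name": "block_non_manager", "from": {}, "then": "discard"},
]


def _term_matches(term, src, proto, dport):
    f = term["from"]
    if "prefix-list" in f and not any(src in net for net in PREFIX_LISTS[f["prefix-list"]]):
        return False
    if "protocol" in f and f["protocol"] != proto:
        return False
    ports = {SERVICE_PORTS.get(p) or int(p) for p in f.get("destination-port", [])}
    return not ports or dport in ports


def apply_filter(terms, src, proto, dport=None):
    """(action, term name) for the first matching term. A packet matching no term is
    dropped by the implicit discard at the end of every Junos firewall filter."""
    src = ip_address(src)
    for term in terms:
        if _term_matches(term, src, proto, dport):
            return term["then"], term["name"]
    return "discard", "implicit-discard"


def render_set_commands(filter_name, terms):
    """Emit the set commands for a term list, in the order the SRX evaluates them."""
    out = []
    for t in terms:
        base = f"set firewall filter {filter_name} term {t['name']}"
        f = t["from"]
        if "prefix-list" in f:
            out.append(f"{base} from prefix-list {f['prefix-list']}")
        if "protocol" in f:
            out.append(f"{base} from protocol {f['protocol']}")
        for p in f.get("destination-port", []):
            out.append(f"{base} from destination-port {p}")
        out.append(f"{base} then {t['then']}")
    return out


if __name__ == "__main__":
    probes = [("192.168.10.104", "tcp", 23), ("192.168.10.105", "tcp", 23),
              ("192.168.10.105", "tcp", 22), ("192.168.10.105", "icmp", None),
              ("192.168.10.105", "udp", 68)]
    for src, proto, dport in probes:
        print(src, proto, dport,
              "page filter:", apply_filter(FILTER_MANAGER_IP, src, proto, dport),
              "hardened:", apply_filter(FILTER_MANAGER_IP_HARDENED, src, proto, dport))
    print("\n".join(render_set_commands("manager-ip", FILTER_MANAGER_IP)))
```

`render_set_commands("manager-ip", FILTER_MANAGER_IP)` reproduces the seven set lines from step 2 exactly, which is a cheap way to keep the model and the device configuration in step; the probes show the Telnet failure from .104, the success from .105, and the ICMP and DHCP cases that the post's filter silently drops.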
On the Juniper SRX, fxp0 is the MGMT interface. Assign an IP address to it and then connect from outside over SSH or Telnet.

The topology is shown below.

Start by wiping the existing configuration:

root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

root# set system root-authentication plain-text-password
New password:
Retype new password:

root# commit
commit complete

[edit]
root# commit
commit complete
Assign an IP address to fxp0.

If a DHCP server is available, the address can be obtained automatically; otherwise set it manually.

Getting an address via DHCP:

root# set interfaces fxp0 unit 0 family inet dhcp

[edit]
root# commit
Check the address on the interface:

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
fxp0.0                  up    up   inet     192.168.10.220/24
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

root>
Setting the address manually (remove the DHCP client first):

delete interfaces fxp0 unit 0 family inet dhcp
commit

root# set interfaces fxp0 unit 0 family inet address 192.168.10.104/24
root# set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

[edit]
root# commit

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
fxp0.0                  up    up   inet     192.168.10.220/24
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

root>
Enable SSH on the Juniper SRX. `root-login allow` is used here for convenience in the lab; in production leave root login at the default (deny) and log in with a named user.

root# set system services ssh root-login allow

[edit]
root# commit
commit complete
Test the connection from a laptop with PuTTY or SecureCRT.

It works.

Next, enable Telnet:

root# set system services telnet

[edit]
root# commit
commit complete
Telnet does not permit the root account by default, so logging in as root over Telnet fails.

If Telnet has to be used, create a separate user:

root# set system login user juniper class super-user

[edit]
root# set system login user juniper authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit
commit complete
Log in with the newly created juniper account.

The login succeeds.

The Juniper SRX also supports configuration through a web UI. Enable J-Web as follows:

set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0

To test, browse to the fxp0 IP address.

Thank you for reading [2024][Juniper SRX #9] Configuring SSH, Telnet and web-management.
The Juniper SRX is a zone-based firewall. An interface cannot forward traffic on its own: it has to belong to a zone, and firewall policies permit or deny traffic between zones.

This will be covered in more detail later, when the firewall policies are tested.

The test topology is as follows.

1. vIOS switches
2. vSRX

IP information:

SRX:
ge-0/0/0 - 10.1.1.1/24 untrust zone
ge-0/0/1 - 172.16.1.1/24 dmz zone
ge-0/0/2 - 192.168.1.1/24 trust zone
fxp0 - dhcp - management zone

SW1
gi0/0 - 10.1.1.2/24

SW2
gi0/0 - 172.16.1.2/24

SW3
gi0/0 - 192.168.1.2/24
Juniper SRX zone types

1. Functional zone (management zone): dedicates an interface purely to management. Normally fxp0 is the management interface; this zone is used when a data interface should take on the MGMT role instead.
2. Security zone: controls traffic between different security zones.
3. junos-host: controls traffic between the security zones and the Juniper device itself.
4. null: discards traffic; interfaces that have not been assigned to any zone sit here.

Command to list the zones that currently exist:

show security zones terse

root> show security zones terse
Zone                  Type
junos-host            Security
In the interface list below, fxp0 is the SRX management interface.

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

root>
The fxp0 interface will get its IP address via DHCP.

A short description of my test lab:

1. From my laptop I connect to a Palo Alto firewall with GlobalProtect (VPN agent).
2. EVE-NG is installed inside VMware ESXi.
3. The Palo Alto acts as the DHCP server.

So fxp0 receives its IP address from the Palo Alto automatically. It can also be set manually.

root# set interfaces fxp0 unit 0 family inet dhcp

[edit]
root# commit
commit complete
Then check the IP address on the interface:

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
fxp0.0                  up    up   inet     192.168.10.104/24
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
Ping test from my PC to the SRX fxp0 address 192.168.10.104.

The ping succeeds.

C:\Users\admin>ping 192.168.10.104

Pinging 192.168.10.104 with 32 bytes of data:
Reply from 192.168.10.104: bytes=32 time=4ms TTL=63
Reply from 192.168.10.104: bytes=32 time=5ms TTL=63
Reply from 192.168.10.104: bytes=32 time=7ms TTL=63
Reply from 192.168.10.104: bytes=32 time=14ms TTL=63

Ping statistics for 192.168.10.104:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 4ms, Maximum = 14ms, Average = 7ms

C:\Users\admin>
Setting the fxp0 IP address manually:

set interfaces fxp0 unit 0 family inet address 192.168.10.104/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

Ping test from the PC:

C:\Users\admin>ping 192.168.10.104

Pinging 192.168.10.104 with 32 bytes of data:
Reply from 192.168.10.104: bytes=32 time=5ms TTL=63
Reply from 192.168.10.104: bytes=32 time=6ms TTL=63
Reply from 192.168.10.104: bytes=32 time=6ms TTL=63
Reply from 192.168.10.104: bytes=32 time=13ms TTL=63

Ping statistics for 192.168.10.104:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 5ms, Maximum = 13ms, Average = 7ms
This command shows which interface is assigned to which zone:
show interfaces zone terse
root> show interfaces zone terse
Interface               Admin Link Proto    Local                 Remote    Zone
ge-0/0/0.0              up    up   inet     10.1.1.1/24                     Null
sp-0/0/0.0              up    up   inet                                     Null
                                   inet6
sp-0/0/0.16383          up    up   inet                                     Null
fxp0.0                  up    up   inet     192.168.10.104/24               Null
lo0.16384               up    up   inet     127.0.0.1           --> 0/0     Null
lo0.16385               up    up   inet     10.0.0.1            --> 0/0     Null
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up                                            Null
fxp0 is in the Null zone by default; it is the out-of-band management port, carries no transit traffic, and therefore needs no security zone.
The functional zone "management" is what you use when an ordinary data interface is to serve as the management interface: an interface in that zone accepts host-inbound management traffic, but it cannot be referenced in security policies and cannot forward transit traffic.
For the test, let's make ge-0/0/0 a management interface.
root# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24

[edit]
root# set security zones functional-zone management interfaces ge-0/0/0

[edit]
root# commit
commit complete
Check the zones, and then the zone each interface is assigned to.
root> show security zones terse
Zone                        Type
management                  Functional
junos-host                  Security

root>
root> show interfaces zone terse
Interface               Admin Link Proto    Local                 Remote    Zone
ge-0/0/0.0              up    up   inet     10.1.1.1/24                     Management
sp-0/0/0.0              up    up   inet                                     Null
                                   inet6
sp-0/0/0.16383          up    up   inet                                     Null
fxp0.0                  up    up   inet     192.168.10.104/24               Null
lo0.16384               up    up   inet     127.0.0.1           --> 0/0     Null
lo0.16385               up    up   inet     10.0.0.1            --> 0/0     Null
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up                                            Null
root>
For the next test, remove ge-0/0/0 from the management zone again.

delete security zones functional-zone management interfaces ge-0/0/0.0
commit
root> show interfaces zone terse
Interface               Admin Link Proto    Local                 Remote    Zone
ge-0/0/0.0              up    up   inet     10.1.1.1/24                     Null
sp-0/0/0.0              up    up   inet                                     Null
                                   inet6
sp-0/0/0.16383          up    up   inet                                     Null
fxp0.0                  up    up   inet     192.168.10.104/24               Null
lo0.16384               up    up   inet     127.0.0.1           --> 0/0     Null
lo0.16385               up    up   inet     10.0.0.1            --> 0/0     Null
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up                                            Null
root>
2. Security zone - controls traffic between different security zones
Configure IP addresses for the test.

set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 172.16.1.1/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.1/24
commit
Check the interfaces.
root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     10.1.1.1/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     172.16.1.1/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     192.168.1.1/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
fxp0.0                  up    up   inet     192.168.10.104/24
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
root>
Create the zones.

set security zones security-zone trust
set security zones security-zone untrust
set security zones security-zone dmz
commit
Confirm that the zones were created.

root> show security zones terse
Zone                        Type
management                  Functional
dmz                         Security
trust                       Security
untrust                     Security
junos-host                  Security

root>
Assign the interfaces to the zones.

set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz interfaces ge-0/0/1.0
commit
Check the interfaces assigned to the zones.

root> show interfaces zone terse | match ge-
ge-0/0/0.0              up    up   inet     10.1.1.1/24
ge-0/0/1.0              up    up   inet     172.16.1.1/24
ge-0/0/2.0              up    up   inet     192.168.1.1/24

root>
For the ping test, permit ping as host-inbound traffic in each zone.

set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone dmz host-inbound-traffic system-services ping
Because the Juniper SRX is a firewall, any packet whose destination is one of the SRX's own zoned interfaces (ping, SSH, OSPF hellos and so on) is dropped by default. Transit traffic is governed by security policies; traffic to the device itself is governed by host-inbound-traffic.
There are two ways to permit it:
1. Allow host-inbound-traffic at the zone level - applied to every interface in the zone at once.
2. Allow host-inbound-traffic per interface - applied to that interface only. When an interface-level stanza exists, it replaces the zone-level one for that interface rather than adding to it.
In either case, allow only the services and protocols the interface actually needs. "system-services all" and "protocols all" (the SRX factory default for the trust zone) expose every management service on every interface in that zone.
root# set security zones security-zone trust host-inbound-traffic ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> protocols            Protocol type of incoming traffic to accept
> system-services      Type of incoming system-service traffic to accept
Selecting protocols shows the following:
root# set security zones security-zone trust host-inbound-traffic protocols ?
Possible completions:
  all                  All protocols
  bfd                  Bidirectional Forwarding Detection
  bgp                  Border Gateway Protocol
  dvmrp                Distance Vector Multicast Routing Protocol
  igmp                 Internet Group Management Protocol
  ldp                  Label Distribution Protocol
  msdp                 Multicast Source Discovery Protocol
  nhrp                 Next Hop Resolution Protocol
  ospf                 Open Shortest Path First
  ospf3                Open Shortest Path First version 3
  pgm                  Pragmatic General Multicast
  pim                  Protocol Independent Multicast
  rip                  Routing Information Protocol
  ripng                Routing Information Protocol next generation
  router-discovery     Router Discovery
  rsvp                 Resource Reservation Protocol
  sap                  Session Announcement Protocol
  vrrp                 Virtual Router Redundancy Protocol
[edit]
Selecting system-services shows the following:
root# set security zones security-zone trust host-inbound-traffic system-services ?
Possible completions:
  all                  All system services
  any-service          Enable services on entire port range
  appqoe               APPQOE active probe service
  bootp                Bootp and dhcp relay-agent service
  dhcp                 Dynamic Host Configuration Protocol
  dhcpv6               Enable Dynamic Host Configuration Protocol for IPv6
  dns                  DNS service
  finger               Finger service
  ftp                  FTP
  high-availability    High Availability service
  http                 Web management service using HTTP
  https                Web management service using HTTP secured by SSL
  ident-reset          Send back TCP RST to IDENT request for port 113
  ike                  Internet Key Exchange
  lsping               Label Switched Path ping service
  netconf              NETCONF service
  ntp                  Network Time Protocol service
  ping                 Internet Control Message Protocol echo requests
  r2cp                 Enable Radio-Router Control Protocol service
  reverse-ssh          Reverse SSH service
  reverse-telnet       Reverse telnet service
  rlogin               Rlogin service
  rpm                  Real-time performance monitoring
  rsh                  Rsh service
  snmp                 Simple Network Management Protocol service
  snmp-trap            Simple Network Management Protocol traps
  ssh                  SSH service
  tcp-encap            Tcp encapsulation service
  telnet               Telnet service
  tftp                 TFTP
  traceroute           Traceroute service
  webapi-clear-text    Webapi service using http
  webapi-ssl           Webapi service using HTTP secured by SSL
  xnm-clear-text       JUNOScript API for unencrypted traffic over TCP
  xnm-ssl              JUNOScript API service over SSL
[edit]
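The two places host-inbound-traffic can be permitted (zone level and interface level) and the earlier zone-assignment check with show interfaces zone terse are both easy to audit from the set-format configuration. The script below is an added example written for this page; it is not code from the original post or from Juniper. It parses show configuration | display set output, derives the effective host-inbound services for every Layer 3 logical interface, and reports interfaces that carry an address but sit in no zone (they drop everything), "all" permissions, clear-text management services, and management services reachable on untrust-facing zones. The configuration embedded in it is constructed for the demo and modeled on the statements used in this post. It assumes the documented Junos rule that an interface-level host-inbound-traffic stanza replaces the zone-level one for that interface; confirm on a real device with show security zones before acting on its output.

```python
"""Audit host-inbound-traffic exposure on a Junos SRX from set-format config.

Added example for this page, not code from the original post or from Juniper.
Reads `show configuration | display set` output from stdin or, with no stdin,
the constructed SAMPLE config below.
"""
import re
import sys
from collections import defaultdict

# Services that carry credentials or payload in clear text.
CLEARTEXT = {"telnet", "http", "ftp", "tftp", "rlogin", "rsh", "finger",
             "xnm-clear-text", "webapi-clear-text"}
# Device-management services: expected on a management zone, suspicious on an untrust-facing one.
MGMT = {"ssh", "https", "http", "telnet", "netconf", "ftp", "snmp",
        "xnm-ssl", "xnm-clear-text", "webapi-ssl", "webapi-clear-text"}

ZONE_RE = re.compile(r"^set security zones (?:security-zone|functional-zone) (\S+) "
                     r"host-inbound-traffic (system-services|protocols) (\S+)$")
IF_RE = re.compile(r"^set security zones (?:security-zone|functional-zone) (\S+) interfaces (\S+)"
                   r"(?: host-inbound-traffic (system-services|protocols) (\S+))?$")
ADDR_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")

# Constructed demo config (not a real device dump), modeled on the statements in the post.
SAMPLE = """\
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 172.16.1.1/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.1/24
set interfaces irb unit 10 family inet address 10.10.10.1/24
set interfaces fxp0 unit 0 family inet address 192.168.10.104/24
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone dmz host-inbound-traffic system-services ping
set security zones security-zone dmz host-inbound-traffic system-services telnet
set security zones security-zone dmz host-inbound-traffic protocols ospf
set security zones security-zone dmz interfaces ge-0/0/1.0
""".splitlines()


def parse(lines):
    """Return (zone_hit, if_hit, if_zone, l3) collected from set-format lines."""
    new = lambda: {"system-services": set(), "protocols": set()}
    zone_hit, if_hit, if_zone, l3 = defaultdict(new), defaultdict(new), {}, {}
    for raw in lines:
        line = raw.strip()
        if m := ZONE_RE.match(line):
            zone_hit[m.group(1)][m.group(2)].add(m.group(3))
        elif m := IF_RE.match(line):
            zone, ifl = m.group(1), m.group(2)
            if "." not in ifl:
                ifl += ".0"  # Junos stores "interfaces ge-0/0/0" as ge-0/0/0.0
            if_zone[ifl] = zone
            if m.group(3):
                if_hit[ifl][m.group(3)].add(m.group(4))
        elif m := ADDR_RE.match(line):
            l3[f"{m.group(1)}.{m.group(2)}"] = m.group(3)
    return zone_hit, if_hit, if_zone, l3


def effective(ifl, zone_hit, if_hit, if_zone):
    """Effective host-inbound-traffic for one logical interface, or None if it is in no zone.

    Assumption (documented Junos behaviour): an interface-level stanza for a
    category replaces the zone-level stanza for that category on that interface.
    """
    zone = if_zone.get(ifl)
    if zone is None:
        return None
    eff = {}
    for kind in ("system-services", "protocols"):
        own = if_hit[ifl][kind] if ifl in if_hit else set()
        eff[kind] = set(own) if own else set(zone_hit[zone][kind])
    return eff


def audit(lines):
    """Return sorted (interface, finding, detail) tuples."""
    zone_hit, if_hit, if_zone, l3 = parse(lines)
    findings = []
    for ifl, addr in l3.items():
        if ifl.startswith(("fxp0", "lo0")):
            continue  # out-of-band management and loopback live in the Null zone by design
        eff = effective(ifl, zone_hit, if_hit, if_zone)
        if eff is None:
            findings.append((ifl, "UNZONED", addr))  # addressed but will drop all traffic
            continue
        for kind in ("system-services", "protocols"):
            if "all" in eff[kind]:
                findings.append((ifl, "ALL", kind))
        for svc in sorted(eff["system-services"] & CLEARTEXT):
            findings.append((ifl, "CLEARTEXT", svc))
        if "untrust" in if_zone[ifl].lower():
            for svc in sorted(eff["system-services"] & MGMT):
                findings.append((ifl, "MGMT-ON-UNTRUST", svc))
    return sorted(findings)


if __name__ == "__main__":
    src = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE
    for ifl, finding, detail in audit(src):
        print(f"{ifl:<16} {finding:<16} {detail}")
```

Run it against a saved dump with python3 hit_audit.py < srx.set. In the sample, ge-0/0/0.0 illustrates the precedence rule: the zone-level ssh on untrust is not effective on that interface because its own stanza (dhcp, https) replaces it, which is also why the script flags only https as a management service reachable from untrust.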
Let's test it.
The topology is as follows.

Juniper
1. ge-0/0/0 - 10.1.1.1/24
2. Create zone Trust
3. Assign ge-0/0/0 to zone Trust
4. Configure OSPF

Cisco
1. g0/0 - 10.1.1.2/24
2. lo0 - 192.168.1.1/24
3. Configure OSPF

Test
1. Verify the OSPF neighbor between Juniper and Cisco
2. Verify 192.168.1.0/24 in the Juniper routing table
3. Ping the Juniper interface ge-0/0/0 (10.1.1.1) from Cisco

For this test to work, host-inbound-traffic must be permitted on the Juniper side.
Juniper Side
1. Reset the configuration.

root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit

2. Assign 10.1.1.1/24 to Juniper ge-0/0/0

root# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24

3. Create zone Trust

[edit]
root# set security zones security-zone Trust

[edit]
root# set security zones security-zone Trust interfaces ge-0/0/0

4. Configure OSPF

root# set routing-options router-id 10.1.1.1
root# set protocols ospf area 0.0.0.0 interface ge-0/0/0
Cisco Side
1. Assign an IP address to the interface

Switch>enable
Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#interface gigabitEthernet 0/0
Switch(config-if)#no sw
Switch(config-if)#no switchport
Switch(config-if)#ip address 10.1.1.2 255.255.255.0
Switch(config-if)#no shutdown

2. Configure OSPF

Switch(config)#router ospf 1
Switch(config-router)#router-id 10.1.1.2
Switch(config-router)#network 0.0.0.0 0.0.0.0 area 0
Test
Ping from Cisco to the Juniper interface ge-0/0/0 (10.1.1.1)

Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Switch#

Check the interface status on Cisco and Juniper

Switch#show ip int brie
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     10.1.1.2        YES manual up                    up
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  up                    up
GigabitEthernet0/3     unassigned      YES unset  up                    up
GigabitEthernet1/0     unassigned      YES unset  up                    up
GigabitEthernet1/1     unassigned      YES unset  up                    up
GigabitEthernet1/2     unassigned      YES unset  up                    up
GigabitEthernet1/3     unassigned      YES unset  up                    up
Loopback0              unassigned      YES unset  up                    up
Loopback1              192.168.1.1     YES manual up                    up
Switch#

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     10.1.1.1/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

root>

All interfaces are up, yet the ping fails: the echo request reaches the SRX but is dropped, because zone Trust does not yet permit any host-inbound traffic.
Juniper Side
Allow ping in the zone with the host-inbound-traffic system-services command.

root# set security zones security-zone Trust host-inbound-traffic system-services ping

[edit]
root# commit

Try the ping again from Cisco.

Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/20/94 ms
Switch#
Now check the OSPF neighbor on the Cisco side. The neighbor is stuck in INIT instead of FULL.
No adjacency forms between Cisco and Juniper. INIT means the Cisco has received hellos from the Juniper (the SRX sends its own hellos without restriction) but does not see itself listed in them: the Cisco's hellos are dropped at the SRX, because OSPF is not yet permitted as host-inbound traffic in zone Trust.

Switch#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.1.1        128   INIT/DROTHER    00:00:38    10.1.1.1        GigabitEthernet0/0
Switch#
Juniper Side
Allow OSPF in the zone with the host-inbound-traffic protocols command.

root# set security zones security-zone Trust host-inbound-traffic protocols ospf

[edit]
root# commit
commit complete

Check the neighbor on the Cisco side.
The neighbor now comes up. (The Cisco capture pasted below still shows the earlier INIT state; the Juniper output that follows shows the neighbor in Full, and the later Cisco check shows FULL/DR.)

Switch#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.1.1        128   INIT/DROTHER    00:00:38    10.1.1.1        GigabitEthernet0/0
Check the neighbor on Juniper, and confirm that 192.168.1.0/24 learned from Cisco is in the routing table.

root> show ospf neighbor
Address          Interface              State           ID               Pri  Dead
10.1.1.2         ge-0/0/0.0             Full            10.1.1.2           1    33

root> show route

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.1.1.0/24        *[Direct/0] 00:16:43
                    >  via ge-0/0/0.0
10.1.1.1/32        *[Local/0] 00:16:43
                       Local via ge-0/0/0.0
192.168.1.0/24     *[OSPF/10] 00:00:29, metric 2
                    >  to 10.1.1.2 via ge-0/0/0.0
224.0.0.5/32       *[OSPF/10] 00:07:06, metric 1
                       MultiRecv

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:44:15
                       MultiRecv

root>
To summarize, this is the zone-level host-inbound-traffic configuration that solved it:

set security zones security-zone Trust host-inbound-traffic system-services ping
set security zones security-zone Trust host-inbound-traffic protocols ospf
Next, let's solve the same problem with host-inbound-traffic on the interface ge-0/0/0 inside the zone, instead of on the zone itself.
Juniper Side
Delete the host-inbound-traffic configured on the zone.

root# delete security zones security-zone Trust host-inbound-traffic system-services ping
root# delete security zones security-zone Trust host-inbound-traffic protocols ospf
root# commit
commit complete

The interface-level statements themselves are not shown in the original post. They go under the same zone at the hierarchy "security zones security-zone Trust interfaces ge-0/0/0.0 host-inbound-traffic", with the same system-services ping and protocols ospf leaves, and must be committed before the checks below.
Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

Switch#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.1.1.1        128   FULL/DR         00:00:33    10.1.1.1        GigabitEthernet0/0
Switch#
Check the OSPF neighbor and the routing table on Juniper.

root> show ospf neighbor
Address          Interface              State           ID               Pri  Dead
10.1.1.2         ge-0/0/0.0             Full            10.1.1.2           1    36

root> show route

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.1.1.0/24        *[Direct/0] 00:22:05
                    >  via ge-0/0/0.0
10.1.1.1/32        *[Local/0] 00:22:05
                       Local via ge-0/0/0.0
192.168.1.0/24     *[OSPF/10] 00:05:51, metric 2
                    >  to 10.1.1.2 via ge-0/0/0.0
224.0.0.5/32       *[OSPF/10] 00:12:28, metric 1
                       MultiRecv

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:49:37
                       MultiRecv

root>
Everything works normally.
Thank you for reading [2024][Juniper SRX #7] host-inbound-traffic.
[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit
commit complete

[edit]
root#
2. vSRX side
Create the VLANs.
VLAN names: VL10, VL20, VL30
vlan-ids: 10, 20, 30
Then verify the VLANs.
root# set vlans VL10 vlan-id 10

[edit]
root# set vlans VL20 vlan-id 20

[edit]
root# set vlans VL30 vlan-id 30

[edit]
root# commit
commit complete

[edit]
root# exit
Exiting configuration mode

root> show vlans brief

Routing instance        VLAN name             Tag          Interfaces
default-switch          VL10                  10
default-switch          VL20                  20
default-switch          VL30                  30
default-switch          default               1

root>
Configure interface ge-0/0/0 in trunk mode, and allow only VL10, VL20 and VL30 on it.

root# set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
root# set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members [ VL10 VL20 VL30 ]
Configure the IRB interfaces.
irb.10 - 10.1.1.1/24
irb.20 - 20.1.1.1/24
irb.30 - 30.1.1.1/24

root# set interfaces irb unit 10 family inet address 10.1.1.1/24

[edit]
root# set interfaces irb unit 20 family inet address 20.1.1.1/24

[edit]
root# set interfaces irb unit 30 family inet address 30.1.1.1/24

[edit]
root# commit
commit complete

[edit]
root#
Map each IRB interface to its VLAN.

root# set vlans VL10 l3-interface irb.10

[edit]
root# set vlans VL20 l3-interface irb.20

[edit]
root# set vlans VL30 l3-interface irb.30

[edit]
root# commit
commit complete

[edit]
Check the interface status.

root> show interfaces terse | no-more
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   eth-switch
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
irb.10                  up    up   inet     10.1.1.1/24
irb.20                  up    up   inet     20.1.1.1/24
irb.30                  up    up   inet     30.1.1.1/24
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
vtep                    up    up

Switch#show ip int brie
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     unassigned      YES unset  up                    up
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  up                    up
GigabitEthernet0/3     unassigned      YES unset  up                    up
GigabitEthernet1/0     unassigned      YES unset  up                    up
GigabitEthernet1/1     unassigned      YES unset  up                    up
GigabitEthernet1/2     unassigned      YES unset  up                    up
GigabitEthernet1/3     unassigned      YES unset  up                    up
Vlan10                 10.1.1.2        YES manual up                    up
Vlan20                 20.1.1.2        YES manual up                    up
Vlan30                 30.1.1.2        YES manual up                    up
Switch#
Ping from the Cisco switch to the vSRX.
The ping fails: the IRB interfaces are not in any security zone yet, and the vSRX drops traffic destined to its own interfaces unless a zone permits it as host-inbound traffic.

Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Switch#
vSRX side
The Juniper SRX is a zone-based firewall. To use an interface, create a zone and assign the interface to it.
irb.10 -> trust_vl10
irb.20 -> trust_vl20
irb.30 -> trust_vl30

set security zones security-zone trust_vl10 interfaces irb.10
set security zones security-zone trust_vl10 host-inbound-traffic system-services ping
set security zones security-zone trust_vl20 interfaces irb.20
set security zones security-zone trust_vl20 host-inbound-traffic system-services ping
set security zones security-zone trust_vl30 interfaces irb.30
set security zones security-zone trust_vl30 host-inbound-traffic system-services ping
[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit
commit complete

[edit]
root#
2. vSRX side
Create the VLAN.
VLAN name: VL10
vlan-id: 10
Then verify the VLAN.
root# set vlans VL10 vlan-id 10

root> show vlans

Routing instance        VLAN name             Tag          Interfaces
default-switch          VL10                  10
                                                           ge-0/0/0.0*
default-switch          default               1
Change ge-0/0/0 to access mode (untagged).
Configure VL10 on interface ge-0/0/0.
The interface then carries VLAN 10 only; since it is not a tagged port, it cannot carry more than one VLAN.

root# set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
root# set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members VL10
Map VL10 to the Layer 3 interface irb.10.

root# set vlans VL10 l3-interface irb.10
Check the interface status.

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   eth-switch
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
irb.10                  up    up   inet     10.1.1.1/24
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
vtep                    up    up
The complete vSRX configuration for this step in set form:

set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members VL10
set interfaces irb unit 10 family inet address 10.1.1.1/24
set vlans VL10 vlan-id 10
set vlans VL10 l3-interface irb.10
Cisco Side
Create VLAN 10 and verify it.

Switch(config)#vlan 10
Switch(config-vlan)#end
Switch#show vlan br
*Jun 10 08:47:47.665: %SYS-5-CONFIG_I: Configured from console by console

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3, Gi1/0
                                                Gi1/1, Gi1/2, Gi1/3
10   VLAN0010                         active    Gi0/0
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
Switch#

Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Switch#
vSRX
The Juniper SRX is a zone-based firewall. To use an interface, create a zone and assign the interface to it.

set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/0.0

root# set security zones security-zone trust interfaces ge-0/0/0.0
root# set security zones security-zone trust host-inbound-traffic system-services ping

[edit]
root# commit
commit complete

[edit]
root#
Cisco Side
Try the ping again.

Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/23/109 ms
Switch#

Thank you for reading [2024][Juniper SRX #5] Interface configuration - RVI - untagged mode.
[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit
commit complete

[edit]
root#
Create three VLANs.
VL10 - 10
VL20 - 20
VL30 - 30
On the left is the VLAN name, on the right the VLAN ID.
(For the Layer 3 logical interfaces configured below with vlan-tagging, these vlans definitions are not actually required; they are only needed for ethernet-switching interfaces.)

root# set vlans VL10 vlan-id 10

[edit]
root# set vlans VL20 vlan-id 20

[edit]
root# set vlans VL30 vlan-id 30

[edit]
root#
Configure ge-0/0/0 as a tagged (802.1Q) interface. A tagged interface can receive more than one VLAN, so VLANs 10, 20 and 30 can all send traffic to the Juniper ge-0/0/0 tagged port, each terminating on its own logical unit.

root# set interfaces ge-0/0/0 vlan-tagging

[edit]
root# set interfaces ge-0/0/0 unit 10 vlan-id 10

[edit]
root# set interfaces ge-0/0/0 unit 10 family inet address 10.1.1.1/24

[edit]
root# set interfaces ge-0/0/0 unit 20 vlan-id 20

[edit]
root# set interfaces ge-0/0/0 unit 20 family inet address 20.1.1.1/24

[edit]
root# set interfaces ge-0/0/0 unit 30 vlan-id 30

[edit]
root# set interfaces ge-0/0/0 unit 30 family inet address 30.1.1.1/24
Check the interface status.

root> show interfaces terse | match inet
ge-0/0/0.10             up    up   inet     10.1.1.1/24
ge-0/0/0.20             up    up   inet     20.1.1.1/24
ge-0/0/0.30             up    up   inet     30.1.1.1/24
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0

Switch#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     unassigned      YES unset  up                    up
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  up                    up
GigabitEthernet0/3     unassigned      YES unset  up                    up
GigabitEthernet1/0     unassigned      YES unset  up                    up
GigabitEthernet1/1     unassigned      YES unset  up                    up
GigabitEthernet1/2     unassigned      YES unset  up                    up
GigabitEthernet1/3     unassigned      YES unset  up                    up
Vlan10                 10.1.1.2        YES manual up                    up
Vlan20                 20.1.1.2        YES manual up                    up
Vlan30                 30.1.1.3        YES manual up                    up
Switch#
Ping from the Cisco switch to the vSRX.

Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Switch#
vSRX
The Juniper SRX is a zone-based firewall. To use an interface, create a zone and assign the interface to it.

root# set security zones security-zone trust_vl10 interfaces ge-0/0/0.10
root# set security zones security-zone trust_vl10 host-inbound-traffic system-services ping
root# set security zones security-zone trust_vl20 interfaces ge-0/0/0.20
root# set security zones security-zone trust_vl20 host-inbound-traffic system-services ping
root# set security zones security-zone trust_vl30 interfaces ge-0/0/0.30
root# set security zones security-zone trust_vl30 host-inbound-traffic system-services ping
root# commit
commit complete
Try the ping from the Cisco switch again. The first echo to 20.1.1.1 and 30.1.1.1 times out while ARP resolves the next hop; that is normal for a first ping and not a firewall drop.

Switch#
Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/5 ms
Switch#ping 20.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
Switch#ping 30.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
Switch#

Thank you for reading [2024][Juniper SRX #4] Interface configuration - Layer 3 logical interface.
[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit
commit complete

[edit]
root#
Configure 10.1.1.1/24 on interface ge-0/0/0.
Then check the IP with show interfaces terse | match ge-0/0/0.
- set interfaces [interface-name] unit [logical-unit-number] family [protocol-family] address [IP-address/prefix-length]
  The logical unit is normally 0. The protocol families are:
  inet: IPv4
  inet6: IPv6
  mpls: MPLS
  ethernet-switching: Layer 2 switching

root# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24

[edit]
root# commit
commit complete

root> show interfaces terse | match ge-0/0/0
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     10.1.1.1/24
Cisco Switch Side

Switch>en
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int g0/0
Switch(config-if)#no sw
Switch(config-if)#ip add 10.1.1.2 255.255.255.0
Switch(config-if)#no sh
Switch(config-if)#end
Switch#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     10.1.1.2        YES manual up                    up
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  up                    up
GigabitEthernet0/3     unassigned      YES unset  up                    up
GigabitEthernet1/0     unassigned      YES unset  up                    up
GigabitEthernet1/1     unassigned      YES unset  up                    up
GigabitEthernet1/2     unassigned      YES unset  up                    up
GigabitEthernet1/3     unassigned      YES unset  up                    up
Switch#
Switch#
Ping test from the Cisco switch towards the vSRX.
It fails. The vSRX is a firewall: by default it drops packets destined to its own interfaces, ping included, until the interface is placed in a zone that permits the service as host-inbound traffic.

Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Switch#
vSRX
The Juniper SRX is a zone-based firewall. To use an interface, create a zone and assign the interface to it.

set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/0.0

root# set security zones security-zone trust interfaces ge-0/0/0
root# set security zones security-zone trust host-inbound-traffic system-services ping

[edit]
root# commit
commit complete
Cisco Side
The ping from the Cisco switch to the vSRX interface now succeeds, as shown below.

Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/96/473 ms
Switch#

Thank you for reading [2024][Juniper SRX #3] Interface configuration - Layer 3 physical interface.
4. ae: Aggregated Ethernet port. ae1 is the second aggregated Ethernet (logical) interface, since numbering starts at 0.
5. reth: Redundant Ethernet port (chassis cluster). reth0 is the first redundant Ethernet port.
After connecting to the device console you can check this with a command.
Entering show chassis hardware displays the following. The FPC 0 and PIC 0 items are the first two numbers of an interface name such as ge-0/0/0 (FPC/PIC/port).

root> show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                fd45efae5e05      VSRX
Midplane
System IO
Routing Engine                                           VSRX-2CPU-4G memory
FPC 0                                  BUILTIN           BUILTIN FPC
  PIC 0                                                  VSRX DPDK GE
Power Supply 0
Now let's look at the interface ports. When a Juniper SRX is created in EVE-NG, it has 4 interfaces by default:
ge-0/0/0
ge-0/0/1
ge-0/0/2
fxp0 - management interface

root> show interfaces terse | grep ge-0/0
ge-0/0/0                up    up
ge-0/0/1                up    up
ge-0/0/2                up    up
If you want more interfaces, change the node settings as follows.
Set Ethernets to 8 in EVE-NG and boot the SRX.
Check after the device has booted.
ge-0/0/0 through ge-0/0/6 plus fxp0 make 8 interfaces in total.
If you need even more interfaces, add them the same way as in the picture above.

root> show interfaces terse | match ge-0/0
ge-0/0/0                up    up
ge-0/0/1                up    up
ge-0/0/2                up    up
ge-0/0/3                up    up
ge-0/0/4                up    up
ge-0/0/5                up    up
ge-0/0/6                up    up

Thank you for reading [2024][Juniper SRX #2] Interface Numbering.
In this mode you mainly use commands such as show, monitor and request to check configuration and status.
root>
For example, to check the interface status:
show interfaces terse

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
fxp0.0                  up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

root>
2. Configuration mode
To enter this mode, type configure in operational mode.
To use an operational-mode command from configuration mode, prefix it with run.

root# run show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
fxp0.0                  up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

[edit]
root#
3. Commands for moving between hierarchy levels
3-1 edit
3-2 top
3-3 up
3-4 exit
The Junos configuration is organized as a statement hierarchy, a tree of nested levels, so you move around it much like a directory tree (edit works like cd).

top command
We are currently inside interfaces. From here, top returns to the top of the hierarchy.
The top level is configuration mode itself, shown as [edit].

root# edit interfaces

[edit interfaces]
root# top

[edit]
root#

up command
We are currently at system -> services -> ftp.
up moves one level up, to services.

root# edit system services ftp

[edit system services ftp]
root#

root# up

[edit system services]
root#

To go up two levels, type up 2.

[edit system services ftp]
root# up 2

[edit system]
root#

exit command
Returns to the level you came from (here, one level up).
At the top of configuration mode, exit returns to operational mode.

root# edit system

[edit system]
root#

root# exit

[edit]
root#

root# exit
Exiting configuration mode

root>
4. Keyboard shortcuts
- Ctrl + p or up arrow: recall the previous command
- Ctrl + n or down arrow: move to the next command in the history
- Ctrl + a, Ctrl + e: move the cursor to the beginning or end of the line
- Ctrl + w: delete the word before the cursor
5. Commands for adding and removing configuration
set: adds configuration
delete: removes configuration
Let's set the hostname with set.
Junos has no root password by factory default, and commit refuses to apply the configuration until one is set (it fails with a missing mandatory statement error for root-authentication).
So first set the root password:
set system root-authentication plain-text-password
Then change the hostname:
set system host-name vSRX
Then save and activate the configuration:
commit
The hostname has changed.

root> configure
root# set system root-authentication plain-text-password
New password:
Retype new password:

root# set system host-name vSRX

[edit]
root# commit
commit complete

[edit]
root@vSRX#
이번에는 delete 명령어를 사용해 보겠습니다.
set system services ftp 이 명령어를 삭제해 보겠습니다.
delete system services ftp
root@vSRX> show configuration | display set | no-more
set version 21.3R1.9
set system root-authentication encrypted-password "$6$L1Uj2iTj$/c8wM7UteO/L/q5NWbwvvTiYhwADjApBAJ7LQCQaZDVQfgwStnuOH36if38V.CMAxpr3Ia2Yyul0TGgHTdSbg/"
set system services ftp
set system services ssh
set system services web-management http interface fxp0.0
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set system syslog file interactive-commands interactive-commands any
set system syslog file messages any any
set system syslog file messages authorization info
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies pre-id-default-policy then log session-close
set security zones security-zone trust tcp-rst
set security zones security-zone untrust screen untrust-screen
set interfaces fxp0 unit 0
root@vSRX> configure
Entering configuration mode

[edit]
root@vSRX# delete system services ftp

[edit]
root@vSRX# commit
commit complete

[edit]
root@vSRX# run show configuration | display set | match ftp

[edit]
root@vSRX#
6. How to use pipe commands
- count: prints the number of lines in the output
- display: changes the way configuration values are shown
  detail: shows, as comments, examples of additional settings that can be configured
  set: shows the configuration in set format
  xml: shows the configuration in XML format
- except: shows everything except lines containing the given value
- find: shows output starting from the first line where the given value appears
- match: shows only lines that contain the given value
- no-more: prints all output at once even when it exceeds one page
- hold: when output exceeds one page, shows it one page at a time and does not show --More-- at the end
- save: saves the output directly to a file
  ex) show config | save 20120406.txt
- last: shows the last part of the output
  ex) show log message | last 30 (prints only the last 30 lines)
- trim: removes the given number of characters from the left of each output line
  * show log message
    Apr 6 15:55:22 SRX210 login: Login attempt for user stcon from host 1.1.1.100
  * show log message | trim 15 (deletes 15 characters from the left)
    SRX210 login: Login attempt for user stcon from host 1.1.1.100
root@vSRX> show configuration | display set
set version 21.3R1.9
set system root-authentication encrypted-password "$6$L1Uj2iTj$/c8wM7UteO/L/q5NWbwvvTiYhwADjApBAJ7LQCQaZDVQfgwStnuOH36if38V.CMAxpr3Ia2Yyul0TGgHTdSbg/"
set system services ssh
set system services web-management http interface fxp0.0
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set system syslog file interactive-commands interactive-commands any
set system syslog file messages any any
set system syslog file messages authorization info
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
---(more)---
Printing the whole output at once, without the --(more)-- prompt shown above.
root@vSRX> show configuration | display set | no-more
set version 21.3R1.9
set system root-authentication encrypted-password "$6$L1Uj2iTj$/c8wM7UteO/L/q5NWbwvvTiYhwADjApBAJ7LQCQaZDVQfgwStnuOH36if38V.CMAxpr3Ia2Yyul0TGgHTdSbg/"
set system services ssh
set system services web-management http interface fxp0.0
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set system syslog file interactive-commands interactive-commands any
set system syslog file messages any any
set system syslog file messages authorization info
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies pre-id-default-policy then log session-close
set security zones security-zone trust tcp-rst
set security zones security-zone untrust screen untrust-screen
set interfaces fxp0 unit 0
- find command: prints output starting from the first line where the given value appears
From the configuration above, let's print everything from the first line containing policies through to the end.
root@vSRX> show configuration | display set | find policies
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies pre-id-default-policy then log session-close
set security zones security-zone trust tcp-rst
set security zones security-zone untrust screen untrust-screen
set interfaces fxp0 unit 0
- match: shows only lines that contain the given value.
Let's show only the lines that contain the word zones.
root@vSRX> show configuration | display set | match zones
set security zones security-zone trust tcp-rst
set security zones security-zone untrust screen untrust-screen
root@vSRX>
- except: shows everything except lines containing the given value.
Let's print the output with the lines containing the word zones left out.
root@vSRX> show configuration | display set | except zones
set version 21.3R1.9
set system root-authentication encrypted-password "$6$L1Uj2iTj$/c8wM7UteO/L/q5NWbwvvTiYhwADjApBAJ7LQCQaZDVQfgwStnuOH36if38V.CMAxpr3Ia2Yyul0TGgHTdSbg/"
set system services ssh
set system services web-management http interface fxp0.0
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set system syslog file interactive-commands interactive-commands any
set system syslog file messages any any
set system syslog file messages authorization info
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies pre-id-default-policy then log session-close
set interfaces fxp0 unit 0
root@vSRX>
save - the command that saves the output to a file.
Let's save the configuration to a file.
The file name is config_backup.
To check the file, enter the file list command.
root@vSRX> show configuration | display set | save config_backup
Wrote 32 lines of output to 'config_backup'

root@vSRX> file show config_backup
set version 21.3R1.9
set system root-authentication encrypted-password "$6$L1Uj2iTj$/c8wM7UteO/L/q5NWbwvvTiYhwADjApBAJ7LQCQaZDVQfgwStnuOH36if38V.CMAxpr3Ia2Yyul0TGgHTdSbg/"
set system services ssh
set system services web-management http interface fxp0.0
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set system syslog file interactive-commands interactive-commands any
set system syslog file messages any any
set system syslog file messages authorization info
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies pre-id-default-policy then log session-close
set security zones security-zone trust tcp-rst
set security zones security-zone untrust screen untrust-screen
set interfaces fxp0 unit 0
root@vSRX>
last: shows the last part of the output.
ex) show only the last 10 lines of the log, that is, only the 10 most recent log entries.
root@vSRX> show log messages | last 10
Jun 9 13:02:53 vSRX srxpfe[20805]: pconn_client_create: RE address for IRI1 1000080 cid is 0
Jun 9 13:03:05 vSRX last message repeated 4 times
Jun 9 13:03:14 vSRX last message repeated 3 times
Jun 9 13:03:17 vSRX mgd[23313]: UI_CMDLINE_READ_LINE: User 'root', command 'show log messages '
Jun 9 13:03:17 vSRX srxpfe[20805]: pconn_client_create: RE address for IRI1 1000080 cid is 0
Jun 9 13:03:35 vSRX last message repeated 6 times
Jun 9 13:03:53 vSRX last message repeated 6 times
Jun 9 13:03:55 vSRX mgd[23313]: UI_CMDLINE_READ_LINE: User 'root', command 'show log messages | last 10 '
root@vSRX>
Pipe options can also be chained.
show log messages: prints the log
match VSRX: prints only the messages containing this word
last 10: prints only the 10 most recent logs, counted from the end
root@vSRX> show log messages | match VSRX | last 10
Jun 9 13:03:56 vSRX srxpfe[20805]: pconn_client_create: RE address for IRI1 1000080 cid is 0
Jun 9 13:04:06 vSRX last message repeated 3 times
Jun 9 13:04:45 vSRX last message repeated 13 times
Jun 9 13:04:47 vSRX mgd[23313]: UI_CMDLINE_READ_LINE: User 'root', command 'show log messages | match VSRX '
Jun 9 13:04:48 vSRX srxpfe[20805]: pconn_client_create: RE address for IRI1 1000080 cid is 0
Jun 9 13:04:51 vSRX srxpfe[20805]: pconn_client_create: RE address for IRI1 1000080 cid is 0
Jun 9 13:04:53 vSRX mgd[23313]: UI_CMDLINE_READ_LINE: User 'root', command 'show log messages | match VSRX | last 10 '
root@vSRX>
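The pipe filters listed in section 6 and demonstrated above (match, except, find, last, trim, count), together with the cleartext-service removal from the delete system services ftp step, as an added Python example that is not part of this post and not Junos code: it re-implements the filters over a saved display set dump, chains them left to right the way the CLI does for show log messages | match VSRX | last 10, and flags the management services an auditor would delete. SAMPLE_CONFIG, SAMPLE_LOG and all function names are assumptions made for the example; the root password hash is a placeholder, and the sample lines are constructed after the vSRX output above.

```python
"""Junos CLI pipe filters re-implemented in Python and run over a saved
'show configuration | display set' dump.  Added example, not Juniper code;
SAMPLE_CONFIG and SAMPLE_LOG are constructed after the vSRX output above
(the root password hash is replaced by a placeholder)."""
import re

# Constructed sample: what 'show configuration | display set | save config_backup' writes.
SAMPLE_CONFIG = """\
set version 21.3R1.9
set system root-authentication encrypted-password "$6$PLACEHOLDER_HASH"
set system services ftp
set system services ssh
set system services web-management http interface fxp0.0
set system services web-management https system-generated-certificate
set security zones security-zone trust tcp-rst
set security zones security-zone untrust screen untrust-screen
set interfaces fxp0 unit 0
"""

# Constructed sample log lines in the 'show log messages' layout shown above.
SAMPLE_LOG = """\
Apr 6 15:55:22 SRX210 login: Login attempt for user stcon from host 1.1.1.100
Apr 6 15:55:30 SRX210 sshd[1234]: Accepted password for stcon from 1.1.1.100
Apr 6 15:56:01 SRX210 mgd[2345]: UI_CMDLINE_READ_LINE: User 'stcon', command 'show log messages '
"""


def pipe_match(rows, pattern):
    """| match PATTERN: keep rows matching PATTERN (a case-insensitive regex,
    which is why 'match VSRX' above also hits lines containing 'vSRX')."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [r for r in rows if rx.search(r)]


def pipe_except(rows, pattern):
    """| except PATTERN: drop rows matching PATTERN."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [r for r in rows if not rx.search(r)]


def pipe_find(rows, pattern):
    """| find PATTERN: output from the first matching row to the end."""
    rx = re.compile(pattern, re.IGNORECASE)
    for i, r in enumerate(rows):
        if rx.search(r):
            return rows[i:]
    return []


def pipe_last(rows, n):
    """| last N: the final N rows (the newest entries of a log)."""
    n = int(n)
    return rows[-n:] if n > 0 else []


def pipe_trim(rows, n):
    """| trim N: cut N characters from the left of every row."""
    n = int(n)
    return [r[n:] for r in rows]


def pipe_count(rows, _arg=""):
    """| count: replace the output with its line count."""
    return [f"Count: {len(rows)} lines"]


FILTERS = {"match": pipe_match, "except": pipe_except, "find": pipe_find,
           "last": pipe_last, "trim": pipe_trim, "count": pipe_count}


def run_pipeline(text, pipeline):
    """Apply a chained '| filter arg | filter arg' string to text, left to right."""
    rows = text.splitlines()
    for stage in (s.strip() for s in pipeline.split("|") if s.strip()):
        name, _, arg = stage.partition(" ")
        if name not in FILTERS:
            raise ValueError(f"unsupported pipe filter: {name}")
        rows = FILTERS[name](rows, arg.strip())
    return rows


# Cleartext management services an auditor wants removed, as 'delete system services ftp' does above.
CLEARTEXT_SERVICES = [
    (re.compile(r"^set system services ftp(\s|$)"),
     "FTP carries credentials in cleartext; use scp/sftp over ssh instead"),
    (re.compile(r"^set system services telnet(\s|$)"),
     "Telnet carries credentials in cleartext; use ssh instead"),
    (re.compile(r"^set system services web-management http(\s|$)"),
     "plain-HTTP J-Web is unencrypted; keep only https"),
]


def audit_services(text):
    """Return (offending line, matching delete command, reason) for each enabled cleartext service."""
    findings = []
    for row in text.splitlines():
        for rx, reason in CLEARTEXT_SERVICES:
            if rx.search(row):
                findings.append((row, "delete " + row[len("set "):], reason))
    return findings


if __name__ == "__main__":
    for row in run_pipeline(SAMPLE_CONFIG, "| match zones"):
        print(row)
    print(run_pipeline(SAMPLE_LOG, "| trim 15 | last 1"))
    for line, fix, why in audit_services(SAMPLE_CONFIG):
        print(f"{line}\n  -> {fix}  ({why})")
```

Running the script on a file produced by | save config_backup lets you review a backup offline with the same filter vocabulary as the CLI, and the audit output is already phrased as the delete statements you would enter in configuration mode before commit.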
?
Entering ? shows the commands that can be run.
root@vSRX> ?
Possible completions:
  clear                Clear PPM related statistics information
  configure            Manipulate software configuration information
  file                 Perform file operations
  help                 Provide help information
  load                 Load information from file
  monitor              Show real-time debugging information
  mtrace               Trace multicast path from source to receiver
  op                   Invoke an operation script
  ping                 Ping remote target
  probe                Probe interfaces on remote target
  quit                 Exit the management session
  request              Make system-level requests
  restart              Restart software process
  scp                  Copy files via ssh
  set                  Set CLI properties, date/time, craft interface message
  show                 Show system information
  ssh                  Start secure shell on another host
  start                Start shell
  telnet               Telnet to another host
  test                 Perform diagnostic debugging
  traceroute
Thank you for reading [2024][Juniper SRX #1] Basic CLI commands.