Juniper firewall multi-path selection + MIP configuration instance

Source: Internet
Author: User

Case requirements: A friend works as a network engineer at a company and likes to look things up on the Internet. His current practice is to connect his computer to the company Intranet over wireless and to the Internet over the wired connection, with the wired link as the default route, so that work and entertainment are both covered. However, he complained to me that, because the wireless connection is unstable, the wireless adapter often re-obtains a default gateway automatically after an hour or two of use, which then has to be deleted by hand, and that is very troublesome. He also tried adding route entries manually on the computer, but the result was still unsatisfactory. Of course, the company Intranet can also reach the Internet directly, but that goes through the proxy server, and several online behavior management products monitor it in the background, which makes him even more uncomfortable; the reason needs no explanation, everyone knows it. It just so happened that he had a Juniper firewall on hand, so the problem above was easy to solve. I also learned that he often needs to connect from home to his computer at the company or to the company's various servers to handle some things, and that his company's VPN uses L2TP; that is not a problem either.

Implementation principle of the case: Use two interfaces on the firewall to connect the company Intranet and the Internet, placing both in the untrust zone, and use a third interface, in the trust zone, to connect the computer, so that the firewall does the routing for the computer. So that he can resolve names on the company Intranet, configure the company's intranet DNS as the first-choice DNS server handed out by DHCP. Bind the MAC address of the friend's computer in DHCP, and configure a static address mapping (MIP) on the interface that connects the firewall to the company Intranet. In this way, when the friend connects to the company network over the remote VPN, he can reach his own computer.

Case architecture diagram: (image not reproduced here)

Case Configuration:

Interface E0/1 configuration: public network address; for security, the management address and management services are disabled on this interface


Interface E0/7 Configuration


Configure static address mapping (MIP) on interface E0/7


Interface E0/0 Configuration


DHCP and MAC Address binding settings


Route settings: The Juniper supports routing based on the destination address, the source address, and the source interface. There are many options, and you can choose according to your own situation. I simply add two routes based on the destination address.


Policy Settings

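The configuration steps above were captured as screenshots that are no longer available, so here is the equivalent ScreenOS CLI as an added example. It is not the original author's configuration: only the address 192.168.1.11 comes from the page; every other address, prefix, interface name and the MAC address is a placeholder, and the lines starting with "#" are annotations, not CLI commands.

```text
# E0/1: Internet side, untrust zone, public address; management disabled on the exposed interface
set interface ethernet0/1 zone untrust
set interface ethernet0/1 ip 203.0.113.10/24
unset interface ethernet0/1 manage

# E0/7: company intranet side, also untrust zone, so the intranet is not trusted either
set interface ethernet0/7 zone untrust
set interface ethernet0/7 ip 10.10.20.50/24
unset interface ethernet0/7 manage

# MIP on E0/7: intranet address 10.10.20.51 maps 1:1 to the friend's PC 192.168.1.11
set interface ethernet0/7 mip 10.10.20.51 host 192.168.1.11 netmask 255.255.255.255 vr trust-vr

# E0/0: LAN side, trust zone, NAT mode
set interface ethernet0/0 zone trust
set interface ethernet0/0 ip 192.168.1.1/24
set interface ethernet0/0 nat

# DHCP on E0/0: intranet DNS first, public DNS second, MAC-bound lease so the PC always gets .11
set interface ethernet0/0 dhcp server service
set interface ethernet0/0 dhcp server option gateway 192.168.1.1
set interface ethernet0/0 dhcp server option netmask 255.255.255.0
set interface ethernet0/0 dhcp server option dns1 10.10.20.2
set interface ethernet0/0 dhcp server option dns2 203.0.113.53
set interface ethernet0/0 dhcp server ip 192.168.1.11 mac 001122334455
set interface ethernet0/0 dhcp server enable

# Two destination-based routes: company prefix via E0/7, everything else via E0/1
set route 10.0.0.0/8 interface ethernet0/7 gateway 10.10.20.1
set route 0.0.0.0/0 interface ethernet0/1 gateway 203.0.113.1

# Policies: LAN may go out on either untrust link; inbound is allowed only from the
# company prefix and only to the MIP, so the Internet side cannot reach the LAN at all
set address untrust company-lan 10.0.0.0 255.0.0.0
set policy from trust to untrust any any any permit
set policy from untrust to trust company-lan MIP(10.10.20.51) any permit
save
```

With "set interface ... nat" on E0/0, LAN traffic leaving E0/1 and E0/7 is source-translated to each egress interface address, so the only path back into 192.168.1.11 is the MIP on E0/7.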

After the settings are complete, connect the friend's computer to port E0/0; it obtains the configured bound address 192.168.1.11. Pinging from it to the company Intranet and to the Internet works without any problem, and reaching the friend's computer from the company Intranet works as well. I also tested several other applications.

All problems solved; pat my friend on the shoulder and ask where we are eating today.

 

This article is from the "mr0811" blog, please be sure to keep this source http://mr0811.blog.51cto.com/804916/380721
