MIP definition
MIP (Mapped IP) is a 1-to-1 mapping of a public IP address to an IP address on the internal side of the Juniper firewall.
MIP: one-to-one mapping from a public IP to a private network IP.
Configuring a MIP to access a single device on the private network:
set int eth0/0 zone Untrust
set int eth0/0 ip 1.1.1.250/24
set int eth0/0 route
set int eth0/1 zone Trust
set int eth0/1 ip 192.168.1.1/24
set int eth0/1 route
set int eth0/0 mip 1.1.1.100 host 192
1. Experiment topology:
2. IP planning:
Eth1: 192.168.101.68/24
Eth3: 192.168.100.10/24
3. device description:
The switch used in the trust region is Digital China DCS-3950S
The switch in the untrust area is the Quidway S3526E from H3C.
Firewall: Juniper Netscreen-25
4. Device Configuration
4.1 configure ns-a for the first Firewall
Login: netscreen
Password:
NS-A (M)-> get system
Product Name: NetScreen-25
Serial Number: 0096052007001238, Control Number: 00
1. Firewall DNS Server
Fire-> set dns host dns1 202.106.0.20
get config | include dns
A maximum of three DNS servers can be specified;
* The firewall can resolve the domain name address.
2. You can configure the NTP server in the firewall.
set ntp server, followed by the name, source address, and so on;
set ntp server time.windows.com
set ntp server key-id 1 preshare-key cjclub
set ntp server src-interface eth1
set ntp interval 1
Request synchronization interval;
set ntp max-adjustment
Problem description:
When Juniper SSG series firewalls are accessed through VPN dial-in, or when different network segments access each other directly, PING sometimes succeeds but services such as web and file sharing cannot be reached.
Problem Analysis:
These problems are often caused by the identification of data packet fragments by devices during data transmission. Generally, data packets are too large and nee
Juniper Firewall basic commands
Common view commands
get int: view interface configuration information
get int ethx/x: view the configuration information of the specified interface
get mip: view mapped IP relationships
get route: view the route table
get policy id x: view the specified policy
get nsrp: view NSRP information; parameters can be added to see the specific VSD group, port monitoring settings, etc.
get per cpu de: view CPU utilization information
get per session de: View new s
port for
edit rule-set outside-to-inside1-Des-nat
set from zone Outside
edit rule inside1-router-23
set match source-address 0/0
set match destination-address 202.100.1.201/32
set match destination-port 2323
set then destination-nat pool inside1-23
up
edit proxy-arp interface fe-0/0/0.0 address 202.100.1.201/32
Release inbound traffic:
edit security zones security-zone Inside1
set address-book address Inside1-router 10.1.1.1/32
up
up
edit policies from-zone Outside to-zone Insid
security-zone Untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
Note: By default, ICMP has to be permitted explicitly; otherwise service (non-management) ports cannot be pinged.
Second, Juniper SRX NAT
1. Types of NAT
1.1 Source NAT: interface
1.2 Source NAT: pool
1.3 Destination NAT
1.4 Static NAT
2. Configuration Example
2.1 Interface-based source NAT
set security nat source rule-set 1 from zone Trust
There are three ways to set the system clock on a Juniper firewall; choose one of them to complete the setup:
1. Use the command line: in the CLI, run the command set clock mm/dd/yyyy hh:mm:ss.
2. Use the "Sync Clock with Client" option in the Web management interface:
First, enable SNMP on the Juniper
The steps to enable SNMP are the same as the configuration method referenced yesterday, so they are skipped here.
Second, install and configure MRTG
1, installation
MRTG's official page is http://oss.oetiker.ch/mrtg/; the latest version is 2.17.4. You can either compile and install it from the source package or install it from the system package source.
The code is as follows
Experimental environment:
The company's game is going online and needs VPN tunnels so that the authentication and billing systems in different regions can communicate internally; routine server maintenance also goes through the VPN connection. To achieve a secure encrypted environment
Solution: Use the automatic VPN function of the Juniper NetScreen SSG140-SB to solve this problem. Because many sites have to be set up and the settings are almost all the same, to Shanghai room and Changch
rollback
set interface
set routing-options static
set system login user admin class super-user
set system login user admin authentication plain-text-password (enter the password when prompted)
set system services ssh
set security zones security-zone untrust
Set the group number for the VSD. This can be left unset, because the value of the default virtual security database (VSD) for the NetScreen firewall is 0.
SSG550 (M)-> set nsrp vsd-group id 0 priority 50 (sets the priority value of the NSRP)
Master firewall configuration
unset interface e4 ip (deletes the IP address of e4)
set interface e4 zone ha (binds e4 to the HA zone)
Ssg550-> set nsrp cluster id 1 (sets the cluster group number)
SSG550 (M)-> set nsrp vsd id 0 Sets the group
As shown in the topology map, area2 and area0 are not directly connected, so the network does not have a full topology. In this case we can set up a virtual-link on the ABR for the area2 and area0 connection. The following is the configuration script:
system {
1. Can the NetScreen firewall do HA?
So far, NetScreen-100 and above models can do HA; the NetScreen-50 may also be able to do HA in the new OS version.
2. Does NetScreen support load balancing? At which end?
Yes, both trust and DMZ support load balancing.
The NSAP address is up to 20 bytes long, which is much longer than an IP address with a fixed 4-byte length. The following illustration shows the address format for an NSAP address:
The following is an NSAP address: 49.0001.1921.6800.1001.00
NetScreen FAQ Summary
1. Can the NetScreen firewall be used for HA?
So far, NetScreen-100 and above models can do HA; the NetScreen-50 may also be able to do HA in the new OS version.
2. Does NetScreen support load balancing? At which end?
Yes, load balancing is