Juniper SSG configuration notes

I recently got hold of a Juniper SSG series firewall and set it up for some testing.

1. Restore factory defaults
2. Network diagrams
3. Basic settings
4. NAT mode configuration
5. Transparent mode configuration

1. Restore factory defaults
Log in through the console with these serial settings:

Setting        Value
Speed          9600
Data Bits      8
Parity         None
Stop Bits      1
Flow Control   None

a. Reset button
Press the Reset button with a paper clip; the console prints:
Configuration Erasure Process has been initated.
Hold it for 6 seconds, and the console prints:
Waiting for 2nd confirmed.
Release it for 2 seconds, and the console prints:
2nd push has been confirmed.
Hold it again for 6 seconds, and the console prints:
Configuration Erase sequence accepted, unit reset.

b. Reset by logging in with the serial number

Username: the device serial number
Password: the device serial number

After logging in, the console prints:
!!! Lost Password Reset !!! You have initiated a command to reset the device to factory defaults, clearing all current configuration and settings. Would you like to continue?  y/[n] y

!! Reconfirm Lost Password Reset !! If you continue, the entire configuration of the device will be erased. In addition, a permanent counter will be incremented to signify that this device has been reset. This is your last chance to cancel this command. If you proceed, the device will return to factory default configuration, which is: System IP: 192.168.1.1; username: netscreen, password: netscreen. Would you like to continue?  y/[n]  y

SSG5 default port assignments: a host connected to any of eth2 through eth7 can reach 192.168.1.1.

Port         Zone      IP Address
eth0         Untrust   0.0.0.0
eth1         DMZ       0.0.0.0
eth2 ~ eth7  Trust     192.168.1.1/24

Note: the SSG automatically detects whether there is already a DHCP server on the network.
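Both reset paths in section 1 need nothing more than physical or console access to the unit, which is exactly what anyone who can reach the rack already has. ScreenOS lets you switch each path off once the device is in production. The commands below are an added example, not part of the original post; they assume a ScreenOS release that supports the long-standing admin hw-reset and device-reset options, and a console or SSH session that is already logged in with read-write privilege. Lines starting with "#" are annotations, not CLI input.

```screenos
# Added example: hardening the two factory-reset paths from section 1.
# Lines beginning with "#" are annotations, not commands.

# Review the current admin settings before changing anything
get admin

# Disable the pinhole Reset button erase sequence (section 1a)
unset admin hw-reset

# Disable the "Lost Password Reset" via serial-number login (section 1b).
# With this off there is no recovery path for a lost admin password, so keep
# a known-good admin credential in an offline safe before running it.
unset admin device-reset

# ScreenOS configuration changes are volatile until saved
save

# Confirm the settings took effect
get admin
```

If the device will ever be handed to someone else, re-enable the options before giving it up; otherwise the next owner cannot reset it without the password.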

2. Network diagrams
NAT Mode

Transparent Mode

3. Basic settings
Open http://192.168.1.1/ in a browser and log in.

Username: netscreen
Password: netscreen

Configure interface bgroup0 (LAN)
Network >> Interfaces >> List >> Edit bgroup0

Zone             Trust
IP Address       192.168.1.1/24
Interface Mode   NAT
Service Option   Web UI, Telnet, SSH, SNMP, SSL, Ping
Bind Port        eth2 ~ eth6

Configure interface eth0/1 (DMZ)
Network >> Interfaces >> List >> Edit eth0/1

Zone             DMZ
IP Address       192.168.2.1
Interface Mode   NAT
Service Option   Web UI, SSL, Ping

Configure interface eth0/0 (WAN)
Network >> Interfaces >> List >> Edit eth0/0

Zone             Untrust
IP Address       192.168.10.189
Interface Mode   Route
Service Option   Web UI, SSL, Ping

Configure the default route
Network >> Routing >> Destination >> New

IP Address / Netmask   0.0.0.0/0
Interface              eth0
Gateway IP Address     192.168.10.254
Metric                 1

From the CLI, test connectivity with ping 168.95.1.1.

DNS settings
Network >> DNS >> Host

Host                   ssg5
Domain Name            chmost.com
Primary DNS Server     168.95.1.1
Secondary DNS Server   8.8.8.8
Tertiary DNS Server    168.95.192.1

DHCP server settings
Network >> DHCP >> Edit bgroup0

Server Mode              Auto
Gateway                  192.168.1.1
Netmask                  255.255.255.0
DNS                      168.95.1.1
Dynamic IP Start & End   192.168.1.100 ~ 192.168.1.150

Time zone settings
Configuration >> Date / Time

Set Time Zone               +8 hours 0 minutes
Update system clock every   10 minutes
Primary server IP/name      time.stdtime.gov.tw
Source Interface            ethernet0/0

Administrator settings
Configuration >> Admin >> Administrators >> New

Administrator   fred
Password        123456
Privileges      Read-Write

Configuration >> Admin >> Management
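The same section 3 settings entered from the ScreenOS CLI instead of the Web UI. This is an added example and not the post author's configuration; it assumes the SSG5 port names ethernet0/0 through ethernet0/6, a /24 mask on eth0/0 and eth0/1 (the post gives none for those two), and a placeholder admin password. Two deliberate departures from the Web UI screens are marked in comments: Telnet is not enabled on the LAN, and plain-HTTP management is not enabled on the DMZ or WAN interfaces. Lines starting with "#" are annotations, not CLI input.

```screenos
# Added example: the section 3 Web UI settings as ScreenOS CLI commands.
# Lines beginning with "#" are annotations, not commands.
# Assumptions: SSG5 port names ethernet0/0 .. ethernet0/6; /24 masks on
# eth0/0 and eth0/1; <CHANGE-ME> is a placeholder for a real password.

# --- bgroup0 (LAN): Trust zone, NAT mode, ports eth0/2 .. eth0/6 ---
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
set interface bgroup0 zone trust
set interface bgroup0 ip 192.168.1.1/24
set interface bgroup0 nat
set interface bgroup0 manage web
set interface bgroup0 manage ssh
set interface bgroup0 manage ssl
set interface bgroup0 manage snmp
set interface bgroup0 manage ping
# Telnet (ticked in the post) is left off: it carries credentials in
# cleartext, and SSH/SSL already cover the same use.

# --- ethernet0/1 (DMZ): NAT mode ---
set interface ethernet0/1 zone dmz
set interface ethernet0/1 ip 192.168.2.1/24
set interface ethernet0/1 nat
set interface ethernet0/1 manage ssl
set interface ethernet0/1 manage ping

# --- ethernet0/0 (WAN): Untrust zone, route mode ---
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 192.168.10.189/24
set interface ethernet0/0 route
set interface ethernet0/0 manage ssl
set interface ethernet0/0 manage ping
# "manage web" (HTTP) is not set on the DMZ/WAN side; HTTPS only.

# --- default route ---
set route 0.0.0.0/0 interface ethernet0/0 gateway 192.168.10.254 metric 1

# --- hostname and DNS ---
set hostname ssg5
set domain chmost.com
set dns host dns1 168.95.1.1
set dns host dns2 8.8.8.8
set dns host dns3 168.95.192.1

# --- DHCP server on bgroup0 ---
set interface bgroup0 dhcp server service
set interface bgroup0 dhcp server option gateway 192.168.1.1
set interface bgroup0 dhcp server option netmask 255.255.255.0
set interface bgroup0 dhcp server option dns1 168.95.1.1
set interface bgroup0 dhcp server ip 192.168.1.100 to 192.168.1.150
set interface bgroup0 dhcp server enable

# --- clock: UTC+8, NTP every 10 minutes, sourced from ethernet0/0 ---
set clock timezone 8
set ntp server time.stdtime.gov.tw
set ntp server src-interface ethernet0/0
set ntp interval 10
set clock ntp

# --- read-write administrator ("privilege all" == Read-Write) ---
set admin user fred password <CHANGE-ME> privilege all

# --- verify, then persist ---
get interface
get route
ping 168.95.1.1
save
```

Run it from the console rather than over the Web UI session: the bgroup0 port and IP commands briefly disturb the LAN-side management path. The Web UI's DHCP "Auto" server mode has no line here; the commands above configure the server explicitly.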
4. NAT mode configuration
a. NAT-src
By default, Trust >> Untrust only needs a Permit policy for traffic to pass.
Policy >> Policies

From                  Trust
To                    Untrust
Source Address        Any
Destination Address   Any
Service               Any
Action                Permit

DMZ >> Untrust requires a DIP, and the DMZ outgoing IP is 192.168.10.221.
Network >> Interfaces >> List >> Edit eth0/0 >> DIP >> New

IP Address Range   192.168.10.221 ~ 192.168.10.221

Policy >> Policies

From                  DMZ
To                    Untrust
Source Address        Any
Destination Address   Any
Service               Any
Action                Permit
Source Translation    DIP: 192.168.10.221

b. NAT-dst (policy-based NAT-dst)
Untrust >> DMZ: 192.168.10.222:80 to 192.168.1.181:80

ssg5-serial-> set arp nat-dst


Policy >> Policy Elements >> Addresses >> New

Address Name           192.168.10.222
IP Address / Netmask   192.168.10.222/32
Zone                   Untrust

Policy >> Policies

From                      Untrust
To                        Untrust
Source Address            Any
Destination Address       192.168.10.222
Service                   HTTP
Action                    Permit
Destination Translation   Translate to IP 192.168.2.181, Map to Port 80
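The section 4 NAT policies as ScreenOS CLI commands, added here as an example; this is not the post author's own CLI listing. The DIP pool id 4 is an assumption (any unused id in the DIP range would do), and the address object name mirrors the Web UI screen above. The policy for NAT-dst is intrazone (Untrust to Untrust) for the same reason the post's screen shows it that way: ScreenOS chooses the destination zone by a route lookup on the original, pre-translation destination, and 192.168.10.222 sits on the WAN subnet. Lines starting with "#" are annotations, not CLI input.

```screenos
# Added example: the section 4 NAT policies as ScreenOS CLI commands.
# Lines beginning with "#" are annotations, not commands.
# Assumption: DIP pool id 4 (any unused id in the DIP range works).

# --- a. NAT-src ---
# Trust -> Untrust: bgroup0 is in interface NAT mode, so a plain permit
# policy already translates sources to the egress interface address.
set policy from trust to untrust any any any permit

# DMZ -> Untrust: the post wants DMZ traffic to leave as 192.168.10.221
# rather than the egress interface IP, so define a one-address DIP pool on
# the WAN interface and reference it from the policy.
set interface ethernet0/0 dip 4 192.168.10.221 192.168.10.221
set policy from dmz to untrust any any any nat src dip-id 4 permit

# --- b. policy-based NAT-dst ---
# Let the firewall answer ARP for the pre-translation address
set arp nat-dst
# Address object for the public-facing IP, placed in the Untrust zone
set address untrust "192.168.10.222" 192.168.10.222 255.255.255.255
# Service HTTP is the only thing narrowing this rule: "any" here would
# expose every port of 192.168.2.181 to the whole Untrust side.
set policy from untrust to untrust any "192.168.10.222" http nat dst ip 192.168.2.181 port 80 permit

# --- verify, then persist ---
get dip
get policy
get arp
save
```

After `get policy`, check that the NAT-dst rule lists the translated address and port; if it does not, the most common cause is the address object having been created in a zone other than Untrust.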

5. Transparent mode configuration
Network >> Interfaces >> List >> Edit VLAN

IP Address / Netmask   192.168.10.189/24

Network >> Interfaces >> List >> Edit eth0

Zone Name   V1-Untrust

Network >> Interfaces >> List >> Edit bgroup0

Zone Name   V1-Trust

Configure the default route
Network >> Routing >> Destination >> New

IP Address / Netmask   0.0.0.0/0
Interface              vlan1
Gateway IP Address     192.168.10.254
Metric                 1
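The move to transparent (layer 2) mode from the CLI, added as an example; it is not the post author's listing. It assumes the NAT-mode settings from section 3 are in place and that ScreenOS, as usual, refuses to move an interface into a V1 zone while it still carries an IP, so the addresses and the old default route are removed first. The V1-Trust to V1-Untrust permit policy at the end is also an addition: policies are per zone pair, so the earlier Trust to Untrust rule does not cover the new zones. Lines starting with "#" are annotations, not CLI input.

```screenos
# Added example: switching the section 3 interfaces to transparent mode
# (section 5). Lines beginning with "#" are annotations, not commands.
# Run this from the console: the LAN management address 192.168.1.1
# disappears part-way through and a Web UI/SSH session would be cut off.

# Remove the layer-3 pieces that reference ethernet0/0 and bgroup0
unset route 0.0.0.0/0 interface ethernet0/0 gateway 192.168.10.254
unset interface bgroup0 dhcp server service
unset interface ethernet0/0 ip
unset interface bgroup0 ip

# Bind the interfaces to the layer-2 (V1-*) zones
set interface ethernet0/0 zone v1-untrust
set interface bgroup0 zone v1-trust

# Management now lives on vlan1, which shares the upstream subnet
set interface vlan1 ip 192.168.10.189/24
set interface vlan1 manage ssl
set interface vlan1 manage ssh
set interface vlan1 manage ping
set route 0.0.0.0/0 interface vlan1 gateway 192.168.10.254 metric 1

# Traffic between the new zones still needs a policy (added; not in the post)
set policy from v1-trust to v1-untrust any any any permit

# Verify: ethernet0/0 and bgroup0 should report zones V1-Untrust / V1-Trust
get interface
get route
save
```

Once vlan1 is up, the Web UI is reached at https://192.168.10.189/ from either side of the bridge, subject to the manage options set on vlan1.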

Reference:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB12608
