
conquer 2007-12-18 17:12

外企在我国办事处juniper的配置文档

# Annotated ScreenOS-style CLI configuration (hostname "ns5gt", admin "netscreen").
# Lines starting with "#" are reviewer annotations for readers of this listing;
# whether the device parser accepts them is not confirmed here, so strip them
# before loading the file on a device.
# NOTE(review): this listing publishes an admin password string, two IKE
# preshared-key strings and the public interface/peer addresses they belong to.
# Treat that credential material as disclosed: rotate it on the real devices and
# substitute placeholders before reusing this file as a template.

# --- Virtual routers: trust-vr is marked sharable and its auto-route-export is turned off.
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
# --- Authentication and administrator account: the built-in "Local" server is
# the default for both user auth and admin auth.
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
# NOTE(review): "netscreen" is the factory-default admin name on this product line.
# A renamed admin account plus a rotated password is advisable, all the more so
# because management services are enabled on the untrust interface further down.
set admin name "netscreen"
set admin password "nGxICpreAeBCce9ALsWF/kBt0AJSAn"
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
# --- Zones: every zone shown, including Untrust, is bound to trust-vr.
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
# "block" turns on intra-zone blocking for Untrust, MGT and VLAN; tcp-rst is
# enabled on Trust only and explicitly disabled on Untrust and VLAN.
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
unset zone "VLAN" tcp-rst
# --- Screen (packet-anomaly) options on the two untrusted zones: teardrop,
# SYN flood, ping of death, IP source-route option filter and land attack.
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
# --- Interface-to-zone binding. Both tunnel interfaces sit in the Trust zone, so
# traffic arriving through the VPN tunnels is matched against the Trust-to-Trust
# policies (ids 16, 15 and 17 below).
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
set interface "tunnel.1" zone "Trust"
set interface "tunnel.2" zone "Trust"
# --- Addressing: trust is the LAN gateway in NAT mode, untrust carries the
# public address in route mode, tunnels are unnumbered and borrow from trust.
unset interface vlan1 ip
set interface trust ip 192.168.11.1/24
set interface trust nat
set interface untrust ip 218.18.230.189/25
set interface untrust route
set interface tunnel.1 ip unnumbered interface trust
set interface tunnel.2 ip unnumbered interface trust
set interface tunnel.1 mtu 1500
set interface tunnel.2 mtu 1500
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
# --- Management services.
# NOTE(review): ping, telnet and web management are enabled on the untrust
# (public-facing) interface. Telnet carries the admin login in cleartext. No
# "manage ssh" or "manage ssl" line is visible for untrust, although SSH v2 is
# selected later in the file. Hardening to consider: unset telnet and web on
# untrust, manage over SSH/SSL only, and restrict source addresses with
# "set admin manager-ip".
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust manage ping
set interface untrust manage telnet
set interface untrust manage web
# --- DHCP server on the LAN: pool .100-.199, gateway and DNS handed to clients.
set interface trust dhcp server service
set interface trust dhcp server enable
set interface trust dhcp server option gateway 192.168.11.1
set interface trust dhcp server option netmask 255.255.255.0
set interface trust dhcp server option dns1 202.96.134.133
set interface trust dhcp server ip 192.168.11.100 to 192.168.11.199
# --- Flow settings: TCP MSS adjustment on, sequence-number check left enabled,
# SYN check enabled.
set flow tcp-mss
unset flow no-tcp-seq-check
set flow tcp-syn-check
# --- Hostname, PKI defaults and DNS resolvers for the device itself.
set hostname ns5gt
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 202.96.134.133
set dns host dns2 202.96.128.68
# --- Address book. The remote network 192.168.5.0/24 is defined twice: as "TRAX"
# in Trust (where the tunnel interfaces live) and as "192.168.5.0/24" plus four
# server host entries in Untrust.
set address "Trust" "192.168.11.193/32" 192.168.11.193 255.255.255.255
set address "Trust" "SZ_LAN" 192.168.11.0 255.255.255.0 "trust"
set address "Trust" "TRAX" 192.168.5.0 255.255.255.0
set address "Untrust" "192.168.5.0/24" 192.168.5.0 255.255.255.0
set address "Untrust" "TRAX Server 1" 192.168.5.22 255.255.255.255
set address "Untrust" "TRAX Server 2" 192.168.5.23 255.255.255.255
set address "Untrust" "TRAX Server 3" 192.168.5.24 255.255.255.255
set address "Untrust" "TRAX Server 4" 192.168.5.27 255.255.255.255
# --- IKE gateways: two peers, each with NAT traversal, UDP checksum and a
# keepalive frequency of 5.
# NOTE(review): "Aggr" selects IKE Aggressive mode with a preshared key.
# Aggressive mode does not protect the peer identities and is generally
# discouraged in combination with preshared keys. Both peers are addressed by
# static IP here, so Main mode or certificate authentication looks feasible;
# confirm with the peer side.
# NOTE(review): "sec-level compatible" is the predefined catch-all proposal set
# and presumably still offers legacy DES/MD5 proposals. Verify, and pin explicit
# proposals instead.
set ike gateway "TRAX-NHP 65.223.185.162" address 65.223.185.162 Aggr outgoing-interface "untrust" preshare "li3ynzt5NM6oR/s7OOCVHxY70Enkd0WHTA==" sec-level compatible
set ike gateway  "TRAX-NHP 65.223.185.162" nat-traversal
set ike gateway "TRAX-NHP 65.223.185.162" nat-traversal udp-checksum
set ike gateway "TRAX-NHP 65.223.185.162" nat-traversal keepalive-frequency 5
set ike gateway "TRAX-DC 216.98.101.156" address 216.98.101.156 Aggr outgoing-interface "untrust" preshare "/0P2PnOPNXaXLEszUrCCtVMZH5nmM7+TXw==" sec-level compatible
set ike gateway  "TRAX-DC 216.98.101.156" nat-traversal
set ike gateway "TRAX-DC 216.98.101.156" nat-traversal udp-checksum
set ike gateway "TRAX-DC 216.98.101.156" nat-traversal keepalive-frequency 5
set ike respond-bad-spi 1
# IKE heartbeats: hello value 6 and reconnect value 60 on both gateways.
set ike gateway "TRAX-NHP 65.223.185.162" heartbeat hello 6
set ike gateway "TRAX-NHP 65.223.185.162" heartbeat reconnect 60
set ike gateway "TRAX-DC 216.98.101.156" heartbeat hello 6
set ike gateway "TRAX-DC 216.98.101.156" heartbeat reconnect 60
unset ike ikeid-enumeration
# IPsec access-session tracking is disabled; the limits below are set but inactive.
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
# --- Route-based VPNs with replay protection: TRAX-NHP is bound to tunnel.2,
# TRAX-DC to tunnel.1.
set vpn "TRAX-NHP 65.223.185.162" gateway "TRAX-NHP 65.223.185.162" replay tunnel idletime 0 sec-level compatible
set vpn "TRAX-NHP 65.223.185.162" id 18 bind interface tunnel.2
set vpn "TRAX-DC 216.98.101.156" gateway "TRAX-DC 216.98.101.156" replay tunnel idletime 0 sec-level compatible
set vpn "TRAX-DC 216.98.101.156" id 20 bind interface tunnel.1
# --- Address group collecting the four remote server entries; no policy visible
# in this listing references it.
set group address "Untrust" "TRAX Servers"
set group address "Untrust" "TRAX Servers" add "TRAX Server 1"
set group address "Untrust" "TRAX Servers" add "TRAX Server 2"
set group address "Untrust" "TRAX Servers" add "TRAX Server 3"
set group address "Untrust" "TRAX Servers" add "TRAX Server 4"
set url protocol sc-cpa
exit
# --- Policies. Each "set policy id N" / "exit" pair opens and closes the policy
# context without adding anything. Within one zone pair the policies are matched
# in the order listed, first match wins.
# Trust -> Trust (tunnel traffic): 16 and 15 permit all services between the
# remote network and the LAN in both directions; 17 denies the rest.
set policy id 16 from "Trust" to "Trust"  "TRAX" "SZ_LAN" "ANY" permit log
set policy id 16
exit
set policy id 15 from "Trust" to "Trust"  "SZ_LAN" "TRAX" "ANY" permit log
set policy id 15
exit
# NOTE(review): the tunnel interfaces are in Trust, so policy 14 appears to apply
# to 192.168.5.0/24 source addresses arriving on the Untrust side itself rather
# than through a tunnel. Confirm whether it is still needed.
set policy id 14 from "Untrust" to "Trust"  "192.168.5.0/24" "Any" "ANY" permit log
set policy id 14
exit
# Trust -> Untrust: HTTP from host 192.168.11.193 is denied, then everything is permitted.
set policy id 13 from "Trust" to "Untrust"  "Any" "Any" "HTTP" deny log
set policy id 13
exit
set policy id 12 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log
set policy id 12
exit
# NOTE(review): policy 9 permits any source, any destination and any service from
# Untrust to Trust. It also makes policy 14 redundant. Replace it with rules scoped
# to the specific sources and services actually required, or remove it.
set policy id 9 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit log
set policy id 9
exit
# NOTE(review): policy 11 sits after the permit-all policy 12 for the same zone
# pair, so as listed it is never reached.
set policy id 11 from "Trust" to "Untrust"  "Any" "Any" "ANY" deny log
set policy id 11
exit
set policy id 17 from "Trust" to "Trust"  "Any" "Any" "ANY" deny log
set policy id 17
exit
# --- Central-management, SSH, config-lock, modem and SNMP settings.
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
# --- Routing. "source-routing enable" here goes together with the
# "set route source ..." entries (route lookup by source address); it is a
# different thing from the IP source-route option filtered by the screens above.
# NOTE(review): every zone shown is bound to trust-vr, yet untrust-vr carries a
# default route via the untrust interface and trust-vr points its default route
# at untrust-vr. Confirm that this split is intended.
set vrouter "untrust-vr"
set source-routing enable
set route 0.0.0.0/0 interface untrust gateway 218.18.230.254 preference 20 permanent
set route source 0.0.0.0/0 vrouter "trust-vr" preference 20 metric 1
exit
# trust-vr: the remote network 192.168.5.0/24 is reached via tunnel.1 (TRAX-DC,
# preference 20) with tunnel.2 (TRAX-NHP, preference 30) as the less-preferred path.
set vrouter "trust-vr"
set source-routing enable
unset add-default-route
set route 192.168.5.0/24 interface tunnel.1 preference 20
set route 192.168.5.0/24 interface tunnel.2 preference 30
set route source 192.168.11.0/24 interface untrust gateway 218.18.230.254 preference 20 permanent
set route 0.0.0.0/0 vrouter "untrust-vr" preference 20
set route source in-interface trust 192.168.11.1/24 vrouter "untrust-vr" preference 20 metric 1
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

jjjhappy 2007-12-18 17:51

很好,都是ANY

柳橙汁 2007-12-18 23:01

还加点注解就发了,呵呵

jjtangjian 2008-8-1 16:28

很好很好,呵呵,加点注解就更好了