打印

请教NetScreen 5GT 的配置问题

本主题由 admin 于 2008-1-31 08:46 移动

ticeman 注册会员精华: 0 积分: 60 帖子: 7 威望: 25 点金钱: 6 币贡献: 9 点经验: 01级阅读权限: 20 注册: 2007-12-24 状态: 发短消息加为好友	1^# 大中小发表于 2007-12-26 03:19 只看该作者请教NetScreen 5GT 的配置问题我想限制某些内网的IP不能上互联网, 在策略里从Trust 到 Untrust 禁止一个IP后, 所有的IP都不能上互联网了, 相反若允许一个IP,则所有的IP都能上网. 这是怎么回事? 请高手指教.
查看详细资料	TOP

jjjhappy 高级会员精华: 0 积分: 500 帖子: 57 威望: 181 点金钱: 109 币贡献: 63 点经验: 02级阅读权限: 50 注册: 2007-11-19 状态: 发短消息加为好友	2^# 大中小发表于 2007-12-26 09:22 只看该作者配置发上来，可能是你配错了
查看详细资料	TOP

conquer 金牌会员精华: 1 积分: 1100 帖子: 136 威望: 469 点金钱: 89 币贡献: 179 点经验: 03级阅读权限: 70 注册: 2007-12-13 状态: 发短消息加为好友	3^# 大中小发表于 2007-12-26 09:25 只看该作者在policy 里面有个Action 有两个选项permit /deny.注意这两个选项.
查看详细资料	TOP

ticeman

注册会员

精华: 0

积分: 60

帖子: 7

威望: 25 点

金钱: 6 币

贡献: 9 点

经验: 01级

阅读权限: 20

注册: 2007-12-24

状态:

发短消息加为好友

4^# 大中小发表于 2007-12-26 15:37 只看该作者

配置如下, 请帮忙看看, 谢谢.

set clock timezone -7
set vrouter trust-vr sharable
unset vrouter "trust-vr" auto-route-export
set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set admin name "admin"
set admin password "nB4IOprMAwlJc4hJssxIBvMtqAJ8sn"
set admin manager-ip 192.168.0.179 255.255.255.0
set admin port 8080
set admin scs password disable username admin
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "Trust"
set interface "untrust" zone "Untrust"
unset interface vlan1 ip
set interface trust ip 192.168.0.254/16
set interface trust nat
set interface untrust ip 207.138.207.231/24
set interface untrust nat
set interface untrust gateway 207.138.207.1
set interface trust mtu 1500
set interface untrust mtu 1500
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface trust ip manageable
set interface untrust ip manageable
set interface untrust manage ping
set interface untrust manage ssh
set interface untrust manage ssl
set interface untrust manage web
set interface untrust dip interface-ip incoming
set interface "untrust" mip 207.138.207.231 host 192.168.0.10 netmask 255.255.255.255 vrouter

"trust-vr"

set flow tcp-mss
unset flow tcp-syn-check
set domain ns5gt.sunserver.local
set hostname ns5gt
set dns host dns1 192.168.0.10
set dns host schedule 04:00 interval 4

set address "Trust" "admin32" 192.168.0.115 255.255.255.0
set address "Trust" "admin33" 192.168.0.116 255.255.255.0

set ike respond-bad-spi 1
set pki authority default scep mode "auto"
set pki x509 default cert-path partial

set group address "Trust" "Internet Access"
set group address "Trust" "Internet Access" add "admin32"

set group address "Trust" "NoInternet"
set group address "Trust" "NoInternet" add "admin33"

set group service "SunD"
set group service "SunD" add "HTTP"
set group service "SunD" add "HTTPS"

set url protocol sc-cpa
exit
set policy id 1 from "Untrust" to "Trust"  "Any" "MIP(207.138.207.231)" "SunD" permit log
set policy id 3 from "Trust" to "Untrust"  "NoInternet" "Any" "ANY" deny
set policy id 2 from "Trust" to "Untrust"  "Internet Access" "Any" "ANY" permit

exit
set syslog config "192.168.0.254"
set syslog config "192.168.0.254" facilities local0 local0
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set scp enable
set config lock timeout 5
set dl-buf size 7340032
set ssl port 8443
set ssl encrypt 3des sha-1
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

TOP

conquer 金牌会员精华: 1 积分: 1100 帖子: 136 威望: 469 点金钱: 89 币贡献: 179 点经验: 03级阅读权限: 70 注册: 2007-12-13 状态: 发短消息加为好友	5^# 大中小发表于 2007-12-27 09:20 只看该作者 set interface untrust ip 207.138.207.231/24 set interface untrust route set policy id 3 from "Trust" to "Untrust" "NoInternet" "Any" "ANY" deny set policy id 2 from "Trust" to "Untrust" "Internet Access" "Any" "ANY" permit 这样配置肯定是没有效果的.
查看详细资料	TOP

jjjhappy

高级会员

精华: 0

积分: 500

帖子: 57

威望: 181 点

金钱: 109 币

贡献: 63 点

经验: 02级

阅读权限: 50

注册: 2007-11-19

状态:

发短消息加为好友

6^# 大中小发表于 2007-12-27 11:50 只看该作者

....
set address "Trust" "admin32" 192.168.0.115 255.255.255.0
set address "Trust" "admin33" 192.168.0.116 255.255.255.0

掩码24为，包含整个网段，改成255.255.255.255

竟然犯这样低级的错误，单个IP一定要是32位掩码的

LS的说的不对，LZ的策略并无不妥

[ 本帖最后由 jjjhappy 于 2007-12-27 11:54 编辑 ]

TOP

cxcsnake 高级会员精华: 0 积分: 719 帖子: 84 威望: 260 点金钱: 157 币贡献: 69 点经验: 02级阅读权限: 50 注册: 2007-11-1 状态: 发短消息加为好友	7^# 大中小发表于 2007-12-27 14:17 只看该作者是的单个IP要 255.255.255.255 或 32
查看详细资料	TOP

ticeman 注册会员精华: 0 积分: 60 帖子: 7 威望: 25 点金钱: 6 币贡献: 9 点经验: 01级阅读权限: 20 注册: 2007-12-24 状态: 发短消息加为好友	8^# 大中小发表于 2007-12-27 16:28 只看该作者谢谢楼上各位，等公司网络闲时按jjjhappy 的建议去试试。咳，以前路由器和防火墙都是请供货单位给配，在旁边光看印象不深。
查看详细资料	TOP