1. Set the system password
set system root-authentication plain-text-password
New password:
Retype new password:
2. Configure IP addresses and routing, and enable the SSH and HTTPS services
set system time-zone Asia/Shanghai
set system name-server 114.114.114.114
set system services ssh
set system services web-management https port 443
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/0.0
set system ntp server 62.201.225.9
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set interfaces ge-0/0/0 unit 0 family inet address 192.168.60.212/24
set interfaces ge-0/0/1 unit 0 family inet address 1.1.1.254/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.60.254
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone untrust host-inbound-traffic system-services ping
3. Restrict firewall management to a specified IP address (section 2 opened SSH and HTTPS in the untrust zone, so the loopback filter below is what keeps them from being reachable by everyone)
set policy-options prefix-list manager-ip 192.168.53.137/32
set firewall filter management-acl-2 term allow-manager-networks from source-prefix-list manager-ip
set firewall filter management-acl-2 term allow-manager-networks then accept
set firewall filter management-acl-2 term deny-mgmt from destination-port ssh
set firewall filter management-acl-2 term deny-mgmt from destination-port https
set firewall filter management-acl-2 term deny-mgmt then log
set firewall filter management-acl-2 term deny-mgmt then discard
set firewall filter management-acl-2 term accept-all then accept
set interfaces lo0 unit 0 family inet filter input management-acl-2
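Added example, not part of the original note: the same loopback filter with a per-term counter and an explicit TCP match on the deny term, committed with `commit confirmed` so a mistake in the manager address cannot lock you out, followed by the operational commands that show whether the filter is actually matching. The counter names `mgmt-allowed` and `mgmt-denied` are assumptions; everything else reuses the names from the note.

```junos
# Added example: management filter with counters, plus verification.
# Counter names are assumed; prefix-list, filter and term names are from the note.
set policy-options prefix-list manager-ip 192.168.53.137/32
set firewall filter management-acl-2 term allow-manager-networks from source-prefix-list manager-ip
set firewall filter management-acl-2 term allow-manager-networks then count mgmt-allowed
set firewall filter management-acl-2 term allow-manager-networks then accept
# Match only TCP so the deny term cannot catch UDP traffic that happens to use ports 22/443
set firewall filter management-acl-2 term deny-mgmt from protocol tcp
set firewall filter management-acl-2 term deny-mgmt from destination-port [ ssh https ]
set firewall filter management-acl-2 term deny-mgmt then count mgmt-denied
set firewall filter management-acl-2 term deny-mgmt then log
set firewall filter management-acl-2 term deny-mgmt then discard
# Without this final term the implicit discard would also drop NTP, DNS replies, ping, etc.
set firewall filter management-acl-2 term accept-all then accept
set interfaces lo0 unit 0 family inet filter input management-acl-2
# Commit with automatic rollback: if you cannot open a new SSH session from
# 192.168.53.137 within 5 minutes, the previous configuration is restored.
commit confirmed 5
# ... open a fresh SSH session from the manager host, then make it permanent:
commit
# Verification (operational mode): mgmt-allowed should rise when you log in from
# the manager host, mgmt-denied when anyone else tries SSH or HTTPS.
show firewall filter management-acl-2
# Packets hit by the "log" action of deny-mgmt (source address, port, interface)
show firewall log
```

The filter is attached to lo0, so it applies to all traffic addressed to the device itself regardless of whether it arrives on ge-0/0/0 or ge-0/0/1; it does not affect transit traffic, which is governed by the security policies in sections 4 and 5.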
4. Configure source NAT so that internal hosts can reach the Internet
set security nat source rule-set NAT-Policy from zone trust
set security nat source rule-set NAT-Policy to zone untrust
set security nat source rule-set NAT-Policy rule Trust-Untrust-Interface-NAT match source-address 1.1.1.0/24
set security nat source rule-set NAT-Policy rule Trust-Untrust-Interface-NAT then source-nat interface
set security policies from-zone trust to-zone untrust policy Permit-ALL match source-address any
set security policies from-zone trust to-zone untrust policy Permit-ALL match destination-address any
set security policies from-zone trust to-zone untrust policy Permit-ALL match application any
set security policies from-zone trust to-zone untrust policy Permit-ALL then permit
5. Port mapping (static NAT of 1.1.1.1, with the policy limited to TCP/3389)
set security nat static rule-set static-nat from zone untrust
set security nat static rule-set static-nat rule rule1 match destination-address 192.168.60.199/32
set security nat static rule-set static-nat rule rule1 then static-nat prefix 1.1.1.1/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.60.199/32
set security zones security-zone trust address-book address test 1.1.1.1/32
set security zones security-zone trust address-book address-set 1.1.1.1 address test
set applications application 3389 protocol tcp
set applications application 3389 destination-port 3389
set applications application-set 3389-3389 application 3389
set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address test
set security policies from-zone untrust to-zone trust policy 1 match application 3389-3389
set security policies from-zone untrust to-zone trust policy 1 then permit
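The static NAT above maps the whole address 192.168.60.199 to 1.1.1.1 in both directions (all ports, and outbound traffic from 1.1.1.1 will also leave as 192.168.60.199, since static NAT is evaluated before source NAT); only the security policy limits what is exposed to TCP/3389. Added example, not from the original note: the same RDP forwarding done as true port mapping with destination NAT, which translates only TCP/3389 and leaves every other port of 192.168.60.199 unreachable. It replaces the `static-nat` rule-set rather than adding to it, because static NAT rules are matched first and would shadow the destination NAT rule. The pool name `rdp-host` and the rule-set/rule names `dst-nat`/`rdp-fwd` are assumptions; the addresses, the proxy-arp entry, the `test` address and the `3389-3389` application are the ones already in the note.

```junos
# Added example: port mapping with destination NAT (replaces the static-nat rule-set).
# Pool and rule names are assumed; addresses and policy objects are from the note.
delete security nat static rule-set static-nat
# Pool: the internal host and the port the traffic is delivered to
set security nat destination pool rdp-host address 1.1.1.1/32 port 3389
# Only traffic arriving from untrust for 192.168.60.199 on TCP/3389 is translated
set security nat destination rule-set dst-nat from zone untrust
set security nat destination rule-set dst-nat rule rdp-fwd match destination-address 192.168.60.199/32
set security nat destination rule-set dst-nat rule rdp-fwd match destination-port 3389
set security nat destination rule-set dst-nat rule rdp-fwd then destination-nat pool rdp-host
# The proxy-arp entry for 192.168.60.199 on ge-0/0/0.0 from the note is still required,
# because 192.168.60.199 is not an address configured on the interface.
# The untrust->trust policy is evaluated after destination NAT, so it still matches
# on the translated address "test" (1.1.1.1/32) and application-set 3389-3389;
# no policy change is needed.
commit
# Verification (operational mode)
show security nat destination pool all
show security nat destination rule all
# From a host on the untrust side, connect to 192.168.60.199:3389, then confirm the
# session shows 192.168.60.199 on the In side and 1.1.1.1 on the Out side:
show security flow session destination-port 3389
# Hit counters on the rule increase with each new connection
show security nat destination rule rdp-fwd
```

Unlike the static NAT version, outbound connections initiated by 1.1.1.1 are not affected by this rule; they are still translated by the interface source NAT from section 4.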