Juniper SSG Firewall
Windows 10 cannot log in to the SSG Web UI for management
- Symptom: when trying to log in to the SSG device, the login page never loads, although the device responds to ping (on the internal interface) and accepts Telnet; only the web login fails.
- Further testing: Windows 7 systems can log in, Windows 10 cannot; the browser reports that the protocol version or cipher suite is not supported.
- Analysis: in this situation the cause is most likely the cipher configured for the firewall's SSL service.
1. Console into the device:
- SSG320M-> get ssh
- SSH V2 is active
- SSH is NOT enabled
- SSH is NOT ready for connections
- Maximum sessions: 6
- Active sessions: 0
2. Check the cipher:
- SSG320M-> get ssl
- web SSL enable.
- web SSL port number(443).
- web SSL cert: Default - System Self-Signed Cert.
- web SSL cipher(RC4_MD5)..
3. Change the cipher and save the configuration:
- SSG320M-> set ssl encrypt 3des sha-1
- SSG320M-> save
- Save System Configuration ...
- Done
After the change, logging in to SSG management from Windows 10 was tested and works; problem solved.
NAT
1. NAT-Src with PAT Enabled
- set interface "ethernet0/0" zone "Trust"
- set interface "ethernet0/2" zone "Untrust"
- set interface ethernet0/0 ip 172.16.1.1/24
- set interface ethernet0/0 nat
- set interface ethernet0/2 ip 192.168.0.199/24
- set interface ethernet0/2 route
- set interface ethernet0/2 gateway 192.168.0.1
- set interface ethernet0/2 dip 5 192.168.0.198
- set policy from Trust to Untrust Any Any ANY nat src dip-id 5 permit log
2. NAT-Src with PAT Disabled
- set interface "ethernet0/0" zone "Trust"
- set interface "ethernet0/2" zone "Untrust"
- set interface ethernet0/0 ip 172.16.1.1/24
- set interface ethernet0/0 nat
- set interface ethernet0/2 ip 192.168.0.199/24
- set interface ethernet0/2 route
- set interface ethernet0/2 gateway 192.168.0.1
- set interface ethernet0/2 dip 6 192.168.0.198 fix-port
- set policy from trust to untrust any any any nat src dip-id 6 permit log
3. NAT-Src Without DIP
- set interface "ethernet0/0" zone "Trust"
- set interface "ethernet0/2" zone "Untrust"
- set interface ethernet0/0 ip 172.16.1.1/24
- set interface ethernet0/0 nat
- set interface ethernet0/2 ip 192.168.0.199/24
- set interface ethernet0/2 route
- set interface ethernet0/2 gateway 192.168.0.1
- set interface ethernet0/2 dip 5 192.168.0.198 192.168.0.198
- set policy from trust to untrust any any any nat src permit log
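The three NAT-Src variants above differ only in which address and which source port a new session receives. The following small model, added here and not part of the original page or of ScreenOS itself, reproduces that behaviour for the page's addresses (DIP pool 192.168.0.198, egress interface 192.168.0.199); the PAT port range and the two internal hosts are constructed.

```python
# Added example: a model of ScreenOS source NAT with a DIP pool.
# - "pat"      : dip <id> (PAT enabled, default)   -> pool IP, translated source port
# - "fix-port" : dip <id> ... fix-port (PAT off)   -> pool IP, original source port kept
# - "interface": nat src without dip-id            -> egress interface IP, translated port
from dataclasses import dataclass, field

DIP_POOL = ["192.168.0.198"]        # dip 5 / dip 6 on the page
EGRESS_IP = "192.168.0.199"         # ethernet0/2 address on the page
PAT_RANGE = range(1024, 65536)      # constructed: ports used for translation


@dataclass
class NatTable:
    mode: str
    used: set = field(default_factory=set)   # (translated_ip, translated_port) in use

    def translate(self, src_ip, src_port):
        """Return (nat_ip, nat_port) for a new session, or None if none can be allocated."""
        candidates = [EGRESS_IP] if self.mode == "interface" else DIP_POOL
        for nat_ip in candidates:
            if self.mode == "fix-port":
                # PAT disabled: the original source port must still be free on the pool IP
                key = (nat_ip, src_port)
                if key not in self.used:
                    self.used.add(key)
                    return key
                continue
            for port in PAT_RANGE:
                key = (nat_ip, port)
                if key not in self.used:
                    self.used.add(key)
                    return key
        return None   # pool exhausted, or fix-port collision on a one-address pool


def demo(mode):
    """Two internal hosts (constructed) each open a session from source port 5000."""
    table = NatTable(mode)
    return [table.translate("172.16.1.10", 5000), table.translate("172.16.1.11", 5000)]
```

With fix-port and a single-address pool, the second host's session collides on port 5000 and cannot be created, which is why PAT-disabled pools normally need as many addresses as concurrent clients.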
Transparent mode
- set interface "ethernet0/0" zone "V1-Trust"
- set interface "ethernet0/2" zone "V1-Untrust"
- set policy id 3 name "towan" from "V1-Trust" to "V1-Untrust" "Any" "Any" "ANY" permit
- set policy id 3
- Main difference:
- Cisco ASA 5500 series firewalls in transparent mode do not forward CDP and BPDUs;
- Juniper SSG series firewalls do forward CDP and BPDUs, which can sometimes cause a Layer 2 loop.
Policy (ACL) precedence depends on the order of the policies, not on their IDs.
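To make the point about ordering concrete, here is a minimal model of ScreenOS policy lookup, added here and not taken from the page or from Juniper: the first policy that matches in list position wins, the numeric ID is only a label, and `set policy move <id> before <id>` (a real ScreenOS command, used here as the assumed way to reorder) changes position without changing IDs. The deny policy with ID 10 and the host addresses are constructed.

```python
# Added example: policy lookup is top-down by position, not by policy ID.
from dataclasses import dataclass


@dataclass
class Policy:
    pid: int
    src: str        # source address or "Any"
    dst: str        # destination address or "Any"
    service: str    # "ANY", "HTTP", ...
    action: str     # "permit" or "deny"


def _wild(policy_value, packet_value):
    return policy_value.lower() == "any" or policy_value == packet_value


def lookup(policies, src, dst, service):
    """Return the first matching policy in list order, or None (implicit drop)."""
    for p in policies:
        if all(_wild(v, x) for v, x in ((p.src, src), (p.dst, dst), (p.service, service))):
            return p
    return None


def move_before(policies, pid, before_pid):
    """Mirror 'set policy move <pid> before <before_pid>' on a copy of the list."""
    moving = next(p for p in policies if p.pid == pid)
    rest = [p for p in policies if p.pid != pid]
    idx = next(i for i, p in enumerate(rest) if p.pid == before_pid)
    return rest[:idx] + [moving] + rest[idx:]


# Constructed: ID 2 is the page's permit-any NAT policy; ID 10 is a later, more specific deny.
POLICIES = [Policy(2, "Any", "Any", "ANY", "permit"),
            Policy(10, "172.16.1.50/32", "Any", "ANY", "deny")]


def action_for(policies, src):
    p = lookup(policies, src, "8.8.8.8/32", "ANY")
    return p.action if p else "drop"
```

As written, the deny with ID 10 never fires because ID 2 sits above it; after `move_before(POLICIES, 10, 2)` the same host is denied even though no ID changed.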
Common commands
Configuration
- injoin-ssg320m-> get config
- Total Config size 3586:
- unset key protection enable
- set clock timezone 0
- set vrouter trust-vr sharable
- set vrouter "untrust-vr"
- exit
- set vrouter "trust-vr"
- unset auto-route-export
- exit
- set vrouter name "MGMT" id 1025 sharable
- set vrouter "MGMT"
- unset auto-route-export
- exit
- set alg appleichat enable
- unset alg appleichat re-assembly enable
- set alg sctp enable
- set auth-server "Local" id 0
- set auth-server "Local" server-name "Local"
- set auth default auth server "Local"
- set auth radius accounting port 1646
- set admin name "netscreen"
- set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
- set admin port 8000
- set admin http redirect
- set admin auth web timeout 10
- set admin auth server "Local"
- set admin format dos
- set zone "Trust" vrouter "trust-vr"
- set zone "Untrust" vrouter "trust-vr"
- set zone "DMZ" vrouter "trust-vr"
- set zone "VLAN" vrouter "trust-vr"
- set zone "Untrust-Tun" vrouter "trust-vr"
- set zone "Trust" tcp-rst
- set zone "Untrust" block
- unset zone "Untrust" tcp-rst
- set zone "MGT" block
- unset zone "V1-Trust" tcp-rst
- unset zone "V1-Untrust" tcp-rst
- set zone "DMZ" tcp-rst
- unset zone "V1-DMZ" tcp-rst
- unset zone "VLAN" tcp-rst
- set zone "Untrust" screen tear-drop
- set zone "Untrust" screen syn-flood
- set zone "Untrust" screen ping-death
- set zone "Untrust" screen ip-filter-src
- set zone "Untrust" screen land
- set zone "V1-Untrust" screen tear-drop
- set zone "V1-Untrust" screen syn-flood
- set zone "V1-Untrust" screen ping-death
- set zone "V1-Untrust" screen ip-filter-src
- set zone "V1-Untrust" screen land
- set interface "ethernet0/0" zone "V1-Trust"
- set interface "ethernet0/1" zone "DMZ"
- set interface "ethernet0/2" zone "V1-Untrust"
- set interface vlan1 ip 192.168.0.250/24
- unset interface vlan1 bypass-others-ipsec
- unset interface vlan1 bypass-non-ip
- set interface vlan1 ip manageable
- set interface ethernet0/0 manage mtrace
- set interface vlan1 manage mtrace
- unset flow no-tcp-seq-check
- set flow tcp-syn-check
- unset flow tcp-syn-bit-check
- set flow reverse-route clear-text prefer
- set flow reverse-route tunnel always
- set hostname injoin-ssg320m
- set pki authority default scep mode "auto"
- set pki x509 default cert-path partial
- set dns host dns1 0.0.0.0
- set dns host dns2 0.0.0.0
- set dns host dns3 0.0.0.0
- set address "Untrust" "8.8.8.8/32" 8.8.8.8 255.255.255.255
- set crypto-policy
- exit
- set ike respond-bad-spi 1
- set ike ikev2 ike-sa-soft-lifetime 60
- unset ike ikeid-enumeration
- unset ike dos-protection
- unset ipsec access-session enable
- set ipsec access-session maximum 5000
- set ipsec access-session upper-threshold 0
- set ipsec access-session lower-threshold 0
- set ipsec access-session dead-p2-sa-timeout 0
- unset ipsec access-session log-error
- unset ipsec access-session info-exch-connected
- unset ipsec access-session use-error-log
- set url protocol websense
- exit
- set policy id 2 from "Trust" to "Untrust" "Any" "Any" "ANY" nat src permit log
- set policy id 2
- exit
- set policy id 3 name "towan" from "V1-Trust" to "V1-Untrust" "Any" "Any" "ANY" permit
- set policy id 3
- exit
- set nsmgmt bulkcli reboot-timeout 60
- set ssh version v2
- set config lock timeout 5
- unset license-key auto-update
- set telnet client enable
- set ssl encrypt 3des sha-1
- set snmp port listen 161
- set snmp port trap 162
- set snmpv3 local-engine id "JN1230D03ADD"
- set vrouter "untrust-vr"
- exit
- set vrouter "trust-vr"
- unset add-default-route
- set route 8.8.8.8/32 interface ethernet0/0 gateway 172.16.1.2
- exit
- set vrouter "MGMT"
- exit
- set vrouter "untrust-vr"
- exit
- set vrouter "trust-vr"
- exit
- set vrouter "MGMT"
- exit
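A quick way to check a `get config` dump for the management-plane settings discussed on this page (the SSL cipher from the Windows 10 section, SSH and HTTP redirect). This script is added here and is not part of the page or of ScreenOS; the sample "before" configuration is constructed to reflect the state the device was in before `set ssl encrypt 3des sha-1`, and the weak/legacy classification is the script's own.

```python
# Added example: audit ScreenOS "get config" lines for Web UI / CLI management hygiene.
import re

WEAK_CIPHERS = {"rc4", "rc4-40", "des"}   # refused by current browsers (the Win10 symptom above)
LEGACY_CIPHERS = {"3des"}                 # still negotiable, but a 64-bit block cipher

# Constructed "before" config, modelled on the page's dump but with the original RC4/MD5 cipher
SAMPLE_CONFIG = """\
set admin name "netscreen"
set admin http redirect
set ssh version v2
set telnet client enable
set ssl encrypt rc4 md5
"""

SSL_RE = re.compile(r"^set ssl encrypt (\S+) (\S+)$")


def audit(config_text):
    """Return a list of (finding_key, message) tuples; an empty list means nothing flagged."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    findings = []
    ssl = next((SSL_RE.match(l) for l in lines if l.startswith("set ssl encrypt")), None)
    if ssl is None:
        findings.append(("ssl-default", "no 'set ssl encrypt' line; the device default cipher applies"))
    else:
        cipher, mac = ssl.group(1), ssl.group(2)
        if cipher in WEAK_CIPHERS:
            findings.append(("ssl-weak", f"Web UI uses {cipher}/{mac}: modern browsers refuse it; "
                                         "apply 'set ssl encrypt 3des sha-1' and save"))
        elif cipher in LEGACY_CIPHERS:
            findings.append(("ssl-legacy", f"Web UI uses {cipher}/{mac}: works, but keep the Web UI "
                                           "reachable only from a management network"))
    if "set ssh enable" not in lines:
        findings.append(("ssh-disabled", "SSH not enabled ('get ssh' shows 'SSH is NOT enabled'); "
                                         "run 'set ssh enable' so CLI management is encrypted"))
    if "set admin http redirect" not in lines:
        findings.append(("http-no-redirect", "plain HTTP management is not redirected to HTTPS"))
    return findings
```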
Factory reset
With the device powered on, push a pin into the reset hole on the front panel (you can feel it engage) and hold it until the Status LED turns amber and then green. Release the pin for 2 seconds, then insert it again and hold until the LED turns red; at this point all port LEDs go out. Remove the pin. The device then reboots automatically and comes back with factory default settings.