'Juniper' 태그의 글 목록

To resolve the issue, use the following procedure to recover the root password for SRX Branch devices running on Junos release versions 10.0R1, 10.0R2, and 10.1R1. This involves disabling watchdog functionality to allow the system to properly boot into single-user mode.

Press the power button on the front panel to power on the router.  Verify that the POWER LED on the front panel turns green. The console should continuously display the boot message.
When the prompt appears, press the spacebar to access the router’s bootstrap loader and type these commands:
Hit [Enter] to boot immediately, or space bar for command prompt.
Booting [kernel] in 9 seconds...

Loader>
Loader> watchdog disable
Loader> boot –s

The firewall starts up in single-user mode. In single-user mode, a multiuser operating system such as Junos boots into a single superuser. Single-use mode is mainly used for maintenance of multi-user environments such as network servers.
At the prompt, enter " recovery " to start the root password recovery procedure.
System watchdog timer disabled
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery
The device directly enters operational mode without asking for an user ID or password..
Starting CLI ...

root@host> edit

When in configuration mode, set the root password.
root@host# set system root-authentication plain-text-password
On pressing the return key, type in the new root password.  Reenter the new root password when the second prompt appears.

New password: juniper1
Retype new password: juniper1
Commit the changes.
root@host# commit
commit complete
Reboot the device again.
root@host# run request system reboot
Reboot the system ? [yes,no] (no) yes

The boot messages display on the console.
Press the spacebar one time, to access the router’s bootstrap loader prompt. This sequence appears on the console:
Hit [Enter] to boot immediately, or space bar for command prompt.
Booting [kernel] in 9 seconds...

Loader>
Loader> watchdog enable
Loader> boot
The device reboots again and this time it asks for an user ID and password.  Enter the newly configured password.
Wed Jun 16 14:20:21 UTC 2010
Amnesiac (ttyu0)
login: root
Password: juniper1
For more information, refer to PR499745 .

Modification History
2019-08-28: Article reviewed for accuracy. Only applicable on the specific versions
request system zeroize    공장초기화
리부팅
set system root-authentication plain-text-password
commit
show system chassis       ,, J 대문자 Juniper
set chassis cluster disable reboot   이중화 종료
delete interfaces vlan unit 0 family inet address 192.168.1.222/24
root# show | display set
request system power-off at now    시스템 종료

저작자표시

'업무이야기 > Security' 카테고리의 다른 글

How to Deploy and Manage FortiEndpoint \| Endpoint Security (7)	2024.11.08
DeepFinder (웹방화벽) (6)	2024.10.23
FortiGate SIP Debug (1)	2023.05.02
SRX IPSec Tunnel Sample (0)	2023.05.02
AhnLab Network Solutions (0)	2022.11.21

1.부팅시 스페이스 연타로 부트로더로 들어간다.

2. loader>boot -s
   를 누르면 싱글유저 모드로 부팅

3. 부팅 중 아래와 같이 나오면 recovery 입력
   Enter full path name of shell or 'recovery' for root password recovery or RETURN for /bin/sh:  recovery
----------------------------------------------------------------------------------------------
패스워드 설정 안해도 되는 초기화법

1. 위의 3번에서 recovery 치지말고 그냥 엔터

2. mount -a
    mkdir /config/temp
    mv /config/*.gz /config/temp
    shutdown -r now

입력 하면 재부팅 되면서 초기설정으로 들어감.

request system zeroize    공장초기화
리부팅

set system root-authentication plain-text-password
usb 설치 하고 부팅
install file:///jinstall-ex-3200-12.3R6.6-domestic-signed.tgz
request system power-off at now    시스템 종료
================================================================
show chassis hardware  하드웨어 보는 명령어

저작자표시

'업무이야기 > Network' 카테고리의 다른 글

Arista 스위치 초기화 방법 (7)	2024.10.24
cisco 3650,3850 시리즈 패스워드 초기화 (6)	2024.10.23
Cisco Nexus 9000 시리즈 초기화 (4)	2024.10.23
Cisco Nexus 7000 시리즈 초기화 (3)	2024.10.23
Cisco Nexus 5000 시리즈 초기화 (4)	2024.10.23

Juniper EX2200 이중화

root@sw1# show | display set

set version 12.3R12.4

set system host-name sw1

set system root-authentication encrypted-password "$1$d0yTDOZ4$bLLpP/AQfwJFSjfGFBTjc/"

set system services ssh

set system services web-management https system-generated-certificate

set system syslog user * any emergency

set system syslog file messages any notice

set system syslog file messages authorization info

set system syslog file interactive-commands interactive-commands any

set chassis aggregated-devices ethernet device-count 1

set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan10

set interfaces ge-0/0/1 unit 0 family ethernet-switching

set interfaces ge-0/0/2 unit 0 family ethernet-switching

set interfaces ge-0/0/3 unit 0 family ethernet-switching

set interfaces ge-0/0/4 unit 0 family ethernet-switching

set interfaces ge-0/0/5 unit 0 family ethernet-switching

set interfaces ge-0/0/6 unit 0 family ethernet-switching

set interfaces ge-0/0/7 unit 0 family ethernet-switching

set interfaces ge-0/0/8 unit 0 family ethernet-switching

set interfaces ge-0/0/9 unit 0 family ethernet-switching

set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members vlan20

set interfaces ge-0/0/11 unit 0 family ethernet-switching

set interfaces ge-0/1/0 ether-options 802.3ad ae0

set interfaces ge-0/1/1 ether-options 802.3ad ae0

set interfaces ae0 description "###Interlink###"

set interfaces ae0 aggregated-ether-options lacp active

set interfaces ae0 unit 0 family ethernet-switching port-mode trunk

set interfaces ae0 unit 0 family ethernet-switching vlan members all

set interfaces me0 unit 0 family inet address 10.10.11.121/24

set interfaces vlan unit 10 family inet address 7.7.1.252/24 vrrp-group 10 virtual-address 7.7.1.254

set interfaces vlan unit 10 family inet address 7.7.1.252/24 vrrp-group 10 priority 150

set interfaces vlan unit 10 family inet address 7.7.1.252/24 vrrp-group 10 accept-data

set interfaces vlan unit 20 family inet address 7.7.2.2/24 vrrp-group 20 virtual-address 7.7.2.1

set interfaces vlan unit 20 family inet address 7.7.2.2/24 vrrp-group 20 priority 150

set interfaces vlan unit 20 family inet address 7.7.2.2/24 vrrp-group 20 accept-data

set routing-options static route 0.0.0.0/0 next-hop 7.7.1.1

set routing-options static route 7.7.3.0/24 next-hop 7.7.2.254

set protocols igmp-snooping vlan all

set protocols rstp

set protocols vstp vlan all

set protocols lldp interface all

set protocols lldp-med interface all

set ethernet-switching-options storm-control interface all

set vlans vlan10 vlan-id 10

set vlans vlan10 l3-interface vlan.10

set vlans vlan20 vlan-id 20

set vlans vlan20 l3-interface vlan.20

{master:0}[edit]

root@sw1#

root@sw2# show | display set

set version 12.3R11.2

set system host-name sw2

set system root-authentication encrypted-password "$1$BUPw3//d$FEuV4FGlCQFaNJ7dADWep0"

set system services ssh

set system services web-management https system-generated-certificate

set system syslog user * any emergency

set system syslog file messages any notice

set system syslog file messages authorization info

set system syslog file interactive-commands interactive-commands any

set chassis aggregated-devices ethernet device-count 1

set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan10

set interfaces ge-0/0/1 unit 0 family ethernet-switching

set interfaces ge-0/0/2 unit 0 family ethernet-switching

set interfaces ge-0/0/3 unit 0 family ethernet-switching

set interfaces ge-0/0/4 unit 0 family ethernet-switching

set interfaces ge-0/0/5 unit 0 family ethernet-switching

set interfaces ge-0/0/6 unit 0 family ethernet-switching

set interfaces ge-0/0/7 unit 0 family ethernet-switching

set interfaces ge-0/0/8 unit 0 family ethernet-switching

set interfaces ge-0/0/9 unit 0 family ethernet-switching

set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members vlan20

set interfaces ge-0/0/11 unit 0 family ethernet-switching

set interfaces ge-0/1/0 ether-options 802.3ad ae0

set interfaces ge-0/1/1 ether-options 802.3ad ae0

set interfaces ae0 description "###Interlink###"

set interfaces ae0 aggregated-ether-options lacp active

set interfaces ae0 unit 0 family ethernet-switching port-mode trunk

set interfaces ae0 unit 0 family ethernet-switching vlan members all

set interfaces me0 unit 0 family inet address 10.10.11.122/24

set interfaces vlan unit 10 family inet address 7.7.1.253/24 vrrp-group 10 virtual-address 7.7.1.254

set interfaces vlan unit 10 family inet address 7.7.1.253/24 vrrp-group 10 accept-data

set interfaces vlan unit 20 family inet address 7.7.2.3/24 vrrp-group 20 virtual-address 7.7.2.1

set interfaces vlan unit 20 family inet address 7.7.2.3/24 vrrp-group 20 accept-data

set routing-options static route 0.0.0.0/0 next-hop 7.7.1.1

set routing-options static route 7.7.3.0/24 next-hop 7.7.2.254

set protocols igmp-snooping vlan all

set protocols rstp

set protocols vstp vlan all

set protocols lldp interface all

set protocols lldp-med interface all

set ethernet-switching-options storm-control interface all

set vlans vlan10 vlan-id 10

set vlans vlan10 l3-interface vlan.10

set vlans vlan20 vlan-id 20

set vlans vlan20 l3-interface vlan.20

{master:0}[edit]

root@sw2#

저작자표시

'업무이야기 > Network' 카테고리의 다른 글

Cisco OSPF Basic (1)	2023.07.26
Wireshark Filter (0)	2023.07.06
Juniper Switch Virtual-Chassis (STACK) (0)	2023.05.02
Juniper RestAPI Sample (0)	2021.08.06
Juniper VRRP and Load Sharing (0)	2021.06.14

Juniper Switch Virtual-Chassis (STACK)

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/virtual-chassis-ex4200-cli.html

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/virtual-chassis-ex2200-cli.html

# set virtual-chassis member 0 mastership-priority 255

# set virtual-chassis member 1 mastership-priority 200

# set virtual-chassis member 2 role line-card

# run request virtual-chassis vc-port set pic-slot 0 port 1

set virtual-chassis preprovisioned

X) set virtual-chassis member 0 mastership-priority 255

set virtual-chassis member 0 role routing-engine

set virtual-chassis member 0 serial-number GP0215320225

X) set virtual-chassis member 1 mastership-priority 200

set virtual-chassis member 1 role routing-engine

set virtual-chassis member 1 serial-number GP0215320481

set virtual-chassis no-split-detection

S/N 높은게 마스터

저작자표시

'업무이야기 > Network' 카테고리의 다른 글

Wireshark Filter (0)	2023.07.06
Juniper EX2200 이중화 (1)	2023.05.02
Juniper RestAPI Sample (0)	2021.08.06
Juniper VRRP and Load Sharing (0)	2021.06.14
Juniper show command (RSI : request support information) (0)	2021.03.29

SRX IPSec Tunnel Sample

root@SRX_Test# show | display set | no-more

set version 15.1X49-D90.7

set system host-name SRX_Test

set system root-authentication encrypted-password "$5$ZZrR8Xx5$ZPpG6X5ugNL7s0dHqj.URP4v6YhfzLqkDk3TrtfWHh8"

set system name-server 8.8.8.8

set system login user isd uid 2001

set system login user isd class super-user

set system login user isd authentication encrypted-password "$5$7i/tv6W2$eU0ilDNMbZQhZHff4gUFbtqTFIwigO3SiY8yqpD/.n0"

set security ike proposal IKE-PROPOSAL authentication-method pre-shared-keys

set security ike proposal IKE-PROPOSAL dh-group group5

set security ike proposal IKE-PROPOSAL authentication-algorithm sha1

set security ike proposal IKE-PROPOSAL encryption-algorithm 3des-cbc

set security ike proposal IKE-PROPOSAL lifetime-seconds 28800

set security ike policy IKE-POLICY mode main

set security ike policy IKE-POLICY proposals IKE-PROPOSAL

set security ike policy IKE-POLICY pre-shared-key ascii-text "$9$-nd4aJGiqPQdbmTQ3tp0BIhlM7Nbg4Z8L2aZU.mcylvNd"

set security ike gateway VPN-GATEWAY ike-policy IKE-POLICY

set security ike gateway VPN-GATEWAY address 10.1.2.201

set security ike gateway VPN-GATEWAY dead-peer-detection interval 10

set security ike gateway VPN-GATEWAY dead-peer-detection threshold 1

set security ike gateway VPN-GATEWAY nat-keepalive 10

set security ike gateway VPN-GATEWAY external-interface ge-0/0/0.0

set security ipsec proposal IPSEC-PROPOSAL protocol esp

set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-sha1-96

set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm 3des-cbc

set security ipsec proposal IPSEC-PROPOSAL lifetime-seconds 86400

set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group5

set security ipsec policy IPSEC-POLICY proposals IPSEC-PROPOSAL

set security ipsec vpn IPSEC-VPN bind-interface st0.1

set security ipsec vpn IPSEC-VPN ike gateway VPN-GATEWAY

set security ipsec vpn IPSEC-VPN ike proxy-identity local 172.15.0.0/24

set security ipsec vpn IPSEC-VPN ike proxy-identity remote 172.15.1.0/24

set security ipsec vpn IPSEC-VPN ike proxy-identity service any

set security ipsec vpn IPSEC-VPN ike ipsec-policy IPSEC-POLICY

set security ipsec vpn IPSEC-VPN establish-tunnels immediately

set security flow tcp-mss ipsec-vpn mss 1350

set security nat source rule-set src-nat from zone trust

set security nat source rule-set src-nat to zone untrust

set security nat source rule-set src-nat rule r1 match source-address 0.0.0.0/0

set security nat source rule-set src-nat rule r1 then source-nat interface

set security forwarding-process enhanced-services-mode

set security policies from-zone trust to-zone untrust policy permit-all match source-address any

set security policies from-zone trust to-zone untrust policy permit-all match destination-address any

set security policies from-zone trust to-zone untrust policy permit-all match application any

set security policies from-zone trust to-zone untrust policy permit-all then permit

set security policies from-zone trust to-zone vpn policy permit-all match source-address any

set security policies from-zone trust to-zone vpn policy permit-all match destination-address any

set security policies from-zone trust to-zone vpn policy permit-all match application any

set security policies from-zone trust to-zone vpn policy permit-all then permit

set security policies from-zone vpn to-zone trust policy permit-all match source-address any

set security policies from-zone vpn to-zone trust policy permit-all match destination-address any

set security policies from-zone vpn to-zone trust policy permit-all match application any

set security policies from-zone vpn to-zone trust policy permit-all then permit

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all

set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all

set security zones security-zone vpn interfaces st0.1

set interfaces ge-0/0/0 unit 0 family inet address 10.1.2.115/24

set interfaces ge-0/0/1 unit 0 family inet address 172.15.0.1/24

set interfaces st0 unit 1 family inet

set routing-options static route 0.0.0.0/0 next-hop 10.1.2.1

set routing-options static route 172.15.1.0/24 next-hop st0.1

[edit]

root@SRX_Test# run show security ike sa

Index State Initiator cookie Responder cookie Mode Remote Address

6299423 UP f51982a09b260851 3fcd24f6bec6f419 Main 10.1.2.201

6299424 UP 25885c239e958271 92d1dde980db90c8 Main 10.1.2.201

[edit]

root@SRX_Test# run show security ipsec sa

Total active tunnels: 1

ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway

<131073 ESP:3des/sha1 44d00f02 84435/unlim - root 500 10.1.2.201

>131073 ESP:3des/sha1 46f0dfb7 84435/unlim - root 500 10.1.2.201

[edit]

root@SRX_Test#

======================================================================================================================================================

FWF90D3Z13006231 # get vpn ipsec tunnel details

gateway

name: 'VPN-GW'

type: route-based

local-gateway: 10.1.2.201:0 (static)

remote-gateway: 10.1.2.115:0 (static)

mode: ike-v1

interface: 'wan1' (6)

rx packets: 0 bytes: 0 errors: 0

tx packets: 0 bytes: 0 errors: 7870

dpd: on-demand/negotiated idle: 20000ms retry: 3 count: 0

selectors

name: 'VPN-TUNNEL'

auto-negotiate: disable

mode: tunnel

src: 0:172.15.1.0/255.255.255.0:0

dst: 0:172.15.0.0/255.255.255.0:0

SA

lifetime/rekey: 86400/79426

mtu: 1446

tx-esp-seq: 1

replay: enabled

inbound

spi: 46f0dfb7

enc: 3des 6b1ddb0ba8c46a879e22dd055ae0c5b643983f4d68d72ff1

auth: sha1 ce45021dbfac556674600ff9cb08faf7d942d48f

outbound

spi: 44d00f02

enc: 3des aa81515e22c7e8eefce24d6ff740b1b3c4cec463d6dd15b5

auth: sha1 69dff90febd00f5d4e64637c73dec32527ddbba7

NPU acceleration: none

FWF90D3Z13006231 #

FWF90D3Z13006231 # get vpn ip tunnel summary

'VPN-GW' 10.1.2.115:0 selectors(total,up): 1/1 rx(pkt,err): 0/0 tx(pkt,err): 0/7902

FWF90D3Z13006231 # get ipsec tunnel list

NAME REMOTE-GW PROXY-ID-SOURCE PROXY-ID-DESTINATION STATUS TIMEOUT

VPN-GW 10.1.2.115:0 172.15.1.0/255.255.255.0 172.15.0.0/255.255.255.0 up 79367

저작자표시

'업무이야기 > Security' 카테고리의 다른 글

DeepFinder (웹방화벽) (6)	2024.10.23
FortiGate SIP Debug (1)	2023.05.02
AhnLab Network Solutions (0)	2022.11.21
FortiGate FSSO 설정 (0)	2022.08.10
Juniper SRX Cluster configuration (2)	2021.08.26

- Node 0
# set chassis cluster cluster-id 1 node 0 reboot
- Node 1
# set chassis cluster cluster-id 1 node 1 reboot

set groups node0 system host-name srx1500-1
set groups node0 interfaces fxp0 unit 0 family inet address 192.16.35.46/24
set groups node1 system host-name srx1500-2
set groups node1 interfaces fxp0 unit 0 family inet address 192.16.35.47/24
set groups node0 system backup-router <backup next-hop from fxp0> destination <management network/mask>
set groups node1 system backup-router <backup next-hop from fxp0> destination <management network/mask>
set apply-groups "${node}"
set interfaces fab0 fabric-options member-interfaces ge-0/0/1
set interfaces fab1 fabric-options member-interfaces ge-7/0/1
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-7/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-7/0/4 weight 255
set chassis cluster reth-count 2
set interfaces ge-0/0/5 gigether-options redundant-parent reth1
set interfaces ge-7/0/5 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 203.0.113.233/24
set interfaces ge-0/0/4 gigether-options redundant-parent reth0
set interfaces ge-7/0/4 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 198.51.100.1/24
set security zones security-zone Untrust interfaces reth1.0
set security zones security-zone Trust interfaces reth0.0

Verification
>show chassis cluster status
>show chassis cluster interfaces
>show chassis cluster statistics
>clear chassis cluster statistics
>show chassis cluster control-plane statistics
>show chassis cluster data-plane statistics
>show chassis cluster status redundancy-group 1
>show chassis cluster information configuration-synchronization
> show log jsrpd
>show log chassisd
>show log messages
>show log dcd
>show traceoptions

저작자표시

'업무이야기 > Security' 카테고리의 다른 글

AhnLab Network Solutions (0)	2022.11.21
FortiGate FSSO 설정 (0)	2022.08.10
Juniper SRX Policy-Based IPSec VPN (0)	2021.08.26
Juniper SRX Routed-Based IPSec VPN (0)	2021.08.26
DefensePro CLI (0)	2021.04.26

set security ike proposal standard authentication-method pre-shared-keys
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposals standard
set security ike policy IKE-POL pre-shared-key ascii-text $ABC123
set security ike gateway IKE-GW ike-policy IKE-POL
set security ike gateway IKE-GW address 172.16.13.1
set security ike gateway IKE-GW external-interface ge-0/0/1
set security ipsec proposal standard
set security ipsec policy IPSEC-POL proposals standard
set security ipsec vpn VPN-to-Host1 ike gateway IKE-GW
set security ipsec vpn VPN-to-Host1 ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-to-Host1 establish-tunnels immediately
set security address-book Host1 address Host1-Net 10.100.11.0/24
set security address-book Host1 attach zone untrust
set security address-book Host2 address Host2-Net 10.100.22.0/24
set security address-book Host2 attach zone trust
set security flow tcp-mss ipsec-vpn mss 1350
set security policies from-zone trust to-zone untrust policy VPN-OUT match source-address Host2-Net
set security policies from-zone trust to-zone untrust policy VPN-OUT match destination-address Host1-Net
set security policies from-zone trust to-zone untrust policy VPN-OUT match application any
set security policies from-zone trust to-zone untrust policy VPN-OUT then permit tunnel ipsec-vpn VPN-to-Host1
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy VPN-IN match source-address Host1-Net
set security policies from-zone untrust to-zone trust policy VPN-IN match destination-address Host2-Net
set security policies from-zone untrust to-zone trust policy VPN-IN match application any
set security policies from-zone untrust to-zone trust policy VPN-IN then permit tunnel ipsec-vpn VPN-to-Host1
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.0
set interfaces ge-0/0/0 unit 0 family inet address 10.100.22.1/24
set interfaces ge-0/0/1 unit 0 family inet address 172.16.23.1/24
set interfaces lo0 unit 0 family inet address 10.100.100.2/32
set routing-options static route 0.0.0.0/0 next-hop 172.16.23.2

저작자표시

'업무이야기 > Security' 카테고리의 다른 글

FortiGate FSSO 설정 (0)	2022.08.10
Juniper SRX Cluster configuration (2)	2021.08.26
Juniper SRX Routed-Based IPSec VPN (0)	2021.08.26
DefensePro CLI (0)	2021.04.26
Juniper SRX request chassis cluster failover redundancy-group (0)	2021.04.13

set security ike proposal standard authentication-method pre-shared-keys
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposals standard
set security ike policy IKE-POL pre-shared-key ascii-text $ABC123
set security ike gateway IKE-GW ike-policy IKE-POL
set security ike gateway IKE-GW address 172.16.13.1
set security ike gateway IKE-GW external-interface ge-0/0/1
set security ipsec proposal standard
set security ipsec policy IPSEC-POL proposals standard
set security ipsec vpn VPN-to-Host1 bind-interface st0.0
set security ipsec vpn VPN-to-Host1 ike gateway IKE-GW
set security ipsec vpn VPN-to-Host1 ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-to-Host1 establish-tunnels immediately
set security address-book Host1 address Host1-Net 10.100.11.0/24
set security address-book Host1 attach zone VPN
set security address-book Host2 address Host2-Net 10.100.22.0/24
set security address-book Host2 attach zone trust
set security flow tcp-mss ipsec-vpn mss 1350
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone trust to-zone VPN policy VPN-OUT match source-address Host2-Net
set security policies from-zone trust to-zone VPN policy VPN-OUT match destination-address Host1-Net
set security policies from-zone trust to-zone VPN policy VPN-OUT match application any
set security policies from-zone trust to-zone VPN policy VPN-OUT then permit
set security policies from-zone VPN to-zone trust policy VPN-IN match source-address Host1-Net
set security policies from-zone VPN to-zone trust policy VPN-IN match destination-address Host2-Net
set security policies from-zone VPN to-zone trust policy VPN-IN match application any
set security policies from-zone VPN to-zone trust policy VPN-IN then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone VPN host-inbound-traffic system-services ping
set security zones security-zone VPN interfaces st0.0
set interfaces ge-0/0/0 unit 0 family inet address 10.100.22.1/24
set interfaces ge-0/0/1 unit 0 family inet address 172.16.23.1/24
set interfaces lo0 unit 0 family inet address 10.100.100.2/32
set interfaces st0 unit 0 family inet address 10.100.200.2/24
set routing-options static route 10.100.11.0/24 next-hop st0.0
set routing-options static route 0.0.0.0/0 next-hop 172.16.23.2

저작자표시

'업무이야기 > Security' 카테고리의 다른 글

Juniper SRX Cluster configuration (2)	2021.08.26
Juniper SRX Policy-Based IPSec VPN (0)	2021.08.26
DefensePro CLI (0)	2021.04.26
Juniper SRX request chassis cluster failover redundancy-group (0)	2021.04.13
IPS (Sniper) 기본 Command (3)	2021.03.29

쫑콩아빠의 지금 이 순간...

Juniper

Juniper SRX(방화벽) 패스워드 초기화

'업무이야기 > Security' 카테고리의 다른 글

Juniper EX 스위치 패스워드 초기화

'업무이야기 > Network' 카테고리의 다른 글

Juniper EX2200 이중화

'업무이야기 > Network' 카테고리의 다른 글

Juniper Switch Virtual-Chassis (STACK)

'업무이야기 > Network' 카테고리의 다른 글

SRX IPSec Tunnel Sample

'업무이야기 > Security' 카테고리의 다른 글

Juniper SRX Cluster configuration

'업무이야기 > Security' 카테고리의 다른 글

Juniper SRX Policy-Based IPSec VPN

'업무이야기 > Security' 카테고리의 다른 글

Juniper SRX Routed-Based IPSec VPN

'업무이야기 > Security' 카테고리의 다른 글

+ Recent posts

티스토리툴바