我配置了 SRX300 设备，但无法从设备后面的客户端访问 Internet。我不知道我的配置哪里不正确，我没有这方面的经验，希望能得到帮助！
这是我的配置:
/* SRX300 on Junos 15.1X49-D45; the question is why LAN clients behind it cannot reach the Internet. */
version 15.1X49-D45;
system {
host-name SRX300;
time-zone GMT+7;
root-authentication {
/* NOTE(review): this hash has been posted publicly together with the config; rotate the root password. */
encrypted-password "$5$dHbwv06Q$dmi.4XlI3.GcZh3wdgahFDXS2IS3xtatYP0JHQSVCP2"; ## SECRET-DATA
}
/* Resolvers used by the SRX itself (LAN clients get theirs from the dhcp pool below).
   NOTE(review): 10.59.3.11 and 10.59.1.3 are private addresses - confirm they are reachable over this PPPoE link, otherwise the SRX's own lookups may stall on them before falling through. */
name-server {
208.67.222.222;
208.67.220.220;
10.59.3.11;
10.59.1.3;
8.8.8.8;
4.2.2.2;
}
name-resolution {
/* Do not reverse-resolve addresses typed at the CLI. */
no-resolve-on-input;
}
services {
ssh;
/* NOTE(review): telnet carries credentials in cleartext; ssh is already enabled, so consider removing
   telnet here and from the host-inbound-traffic lists of the Inside and DMZ zones. */
telnet;
web-management {
/* NOTE(review): http management is cleartext on the same interface where https is available;
   consider keeping only the https stanza. */
http {
interface ge-0/0/1.0;
}
https {
system-generated-certificate;
interface ge-0/0/1.0;
}
session {
idle-timeout 60;
}
}
/* DHCP server for the Inside LAN: leases 10.1.1.192-10.1.1.250, resolvers 8.8.8.8 / 4.2.2.2 and
   default gateway 10.1.1.1 (the ge-0/0/1.0 address). Clients therefore already receive public DNS
   servers directly; a DNS proxy on the SRX is not required for name resolution.
   NOTE(review): on the SRX300 line the legacy `system services dhcp` server may not be supported on
   this release (dhcp-local-server replaces it) - confirm clients actually obtain a lease. */
dhcp {
pool 10.1.1.0/24 {
address-range low 10.1.1.192 high 10.1.1.250;
name-server {
8.8.8.8;
4.2.2.2;
}
router {
10.1.1.1;
}
}
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
/* messages: critical and above for every facility, plus login/authorization events at info. */
file messages {
any critical;
authorization info;
}
/* interactive-commands: only command events at severity error and above are kept; `interactive-commands info`
   would give a full audit trail of configuration changes. */
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
/* NOTE(review): `us.ntp.pool.org` looks like a transposition of the NTP pool name us.pool.ntp.org - confirm. */
server us.ntp.pool.org;
}
}
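security {
/* NOTE(review): pp0.0 runs with mtu 1492 (see interfaces). If the PPPoE session comes up but web
   sessions stall, `flow { tcp-mss { all-tcp { mss 1452; } } }` under security is the usual MSS clamp. */
/* Screen profile copied from the factory-default config. It only takes effect once a zone references
   it; in the original config no zone did, so it was dead configuration. It is now bound to zone Outside. */
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
/* Hide NAT: all traffic from DMZ or Inside toward Outside is translated to the egress interface
   address, i.e. whatever pp0.0 negotiates from the ISP. */
source {
rule-set NAT_Outside {
from zone [ DMZ Inside ];
to zone Outside;
rule src-interface {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
/* Port forward: Internet -> 100.100.100.100:80 is rewritten to the DMZ host 10.2.2.200:80.
   NOTE(review): pp0.0 negotiates its address, so this rule only matches while the ISP actually
   assigns 100.100.100.100 - confirm, or use the address the link really receives. */
destination {
pool WEBSERVER {
address 10.2.2.200/32 port 80;
}
rule-set WEB_NAT {
from zone Outside;
rule Rule_Web_NAT {
match {
source-address 0.0.0.0/0;
destination-address 100.100.100.100/32;
destination-port {
80;
}
}
then {
destination-nat {
pool {
WEBSERVER;
}
}
}
}
}
}
}
policies {
/* Inside -> Outside: any application. This is the policy that must carry LAN Internet traffic;
   consider `then { permit; log { session-close; } }` so the flows are visible while troubleshooting. */
from-zone Inside to-zone Outside {
policy Inside_Outside {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
/* Inside -> DMZ and Outside -> DMZ: web only. There is no DMZ -> Outside policy, so 10.2.2.0/24
   cannot initiate Internet traffic even though the source-NAT rule-set includes zone DMZ; anything
   not matched by a policy below is dropped by the implicit default deny. */
from-zone Inside to-zone DMZ {
policy Web_Inside_DMZ {
match {
source-address any;
destination-address any;
application [ junos-http junos-https ];
}
then {
permit;
}
}
}
from-zone Outside to-zone DMZ {
policy Web_Outside_DMZ {
match {
source-address any;
destination-address any;
application [ junos-http junos-https ];
}
then {
permit;
}
}
}
}
zones {
/* Admin zone on ge-0/0/5.0. NOTE(review): `system-services all` exposes every management and
   control-plane service on this interface; list only what is needed (for example ssh and ping). */
security-zone Admin {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/5.0;
}
}
/* Inside LAN: the SRX answers ping, DHCP and the management services on ge-0/0/1.0.
   NOTE(review): telnet and http are cleartext; drop them here once ssh/https are confirmed working. */
security-zone Inside {
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
ping;
dhcp;
http;
https;
ssh;
telnet;
}
}
}
}
}
/* DMZ: same management exposure as Inside, minus DHCP. The same telnet/http note applies. */
security-zone DMZ {
interfaces {
ge-0/0/2.0 {
host-inbound-traffic {
system-services {
ping;
http;
https;
ssh;
telnet;
}
}
}
}
}
/* Outside (untrust): the PPPoE session and its underlying Ethernet interface. No host-inbound-traffic
   is configured, so nothing on the SRX itself is reachable from the Internet. The untrust-screen
   profile is bound here so the checks defined above are actually applied to inbound Internet traffic. */
security-zone Outside {
screen untrust-screen;
interfaces {
pp0.0;
ge-0/0/0.0;
}
}
}
}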
interfaces {
/* WAN carrier for PPPoE. The MAC override is presumably what the ISP expects (e.g. a previously
   registered CPE address) - confirm it is intentional, a wrong value can keep the session from coming up. */
ge-0/0/0 {
mac aa:bb:cc:dd:ee:ff;
unit 0 {
encapsulation ppp-over-ether;
}
}
/* Inside LAN; 10.1.1.1 is the default gateway handed out by the DHCP pool. */
ge-0/0/1 {
unit 0 {
family inet {
address 10.1.1.1/24;
}
}
}
/* DMZ; hosts the destination-NAT target 10.2.2.200. */
ge-0/0/2 {
unit 0 {
family inet {
address 10.2.2.1/24;
}
}
}
/* Admin network. NOTE(review): 20.0.0.0/24 is not an RFC 1918 range; unless it is assigned to you,
   an address from 10/8, 172.16/12 or 192.168/16 avoids shadowing a public prefix. */
ge-0/0/5 {
unit 0 {
family inet {
address 20.0.0.1/24;
}
}
}
/* PPPoE client session running on top of ge-0/0/0.0. */
pp0 {
/* NOTE(review): `flag all` tracing is a debugging aid and is CPU- and log-heavy; remove it once the link is diagnosed. */
traceoptions {
flag all;
}
unit 0 {
point-to-point;
ppp-options {
/* PAP credentials presented to the ISP. NOTE(review): `$9$` values are reversibly obfuscated, not hashed,
   so posting this config discloses the PPPoE password - have the ISP issue a new one. `default-password`
   next to `local-password` is unusual; confirm it is needed. */
pap {
default-password "$9$wXsoGmPQF39DiT369B1dbsYJDf5FCpB1RNd"; ## SECRET-DATA
local-name phamhuuthu-pppoe;
local-password "$9$JfZi.3nCtpBP59p0Byr4aZGkP6/t1Eyre24"; ## SECRET-DATA
passive;
}
}
/* Client mode over ge-0/0/0.0. Consider `auto-reconnect <seconds>` so a dropped session is re-established without intervention. */
pppoe-options {
underlying-interface ge-0/0/0.0;
client;
}
no-keepalives;
/* Address comes from IPCP; MTU 1492 leaves room for the 8-byte PPPoE/PPP overhead on a 1500-byte link.
   `show interfaces pp0.0` should show a negotiated address before anything else is investigated. */
family inet {
mtu 1492;
negotiate-address;
}
}
}
}
/* Default route via the PPPoE session. pp0.0 is point-to-point, so an interface next-hop is valid;
   the route is only usable while the session is up, which is the first thing to check. */
routing-options {
static {
route 0.0.0.0/0 next-hop pp0.0;
}
}
答案 0 :(得分:-1)
我遇到过类似的问题，并且通过正确设置 DNS 解决了。我看到您的设备上没有配置 DNS 服务。您可以使用任何本地 DNS 服务器，也可以使用 Google 的 DNS 服务器。
下面是让 ge-0/0/1.0（内部接口）可以访问互联网的示例。您可以在 services/dns/dns-proxy 下添加其他接口，以允许其他接口上的设备使用。可以选择任意名称服务器，把它们添加到转发器（forwarders）列表中。
/* Proposed addition: a DNS proxy on ge-0/0/1.0 that forwards every domain to 8.8.8.8 / 8.8.4.4.
   NOTE(review): the question's DHCP pool already hands 8.8.8.8 and 4.2.2.2 straight to clients, so this
   proxy is optional for name resolution. The Inside zone's host-inbound-traffic list in the question does
   not include `dns`; confirm whether `system-services dns` must be added for client queries to the SRX to be accepted. */
services {
dns {
dns-proxy {
interface {
ge-0/0/1.0;
}
default-domain * {
forwarders {
8.8.8.8;
8.8.4.4;
}
}
}
}
}
接下来，请确保内部区域中的设备（在其网络配置中）把 DNS 服务器设置为瞻博网络（Juniper）设备的接口地址，即 ge-0/0/1.0 的 IP（在您的情况下为 10.1.1.1）。
希望这会有所帮助。