Appendix: Complete SRX Configuration
In the preceding sections we chose to omit the default parts of the configuration so that the focus stayed on what needed to change.
In this appendix we provide the complete configuration of the SRX380 that we used while writing this document. Remember that a small part of this configuration came from your initial Day One+ onboarding activities, namely the hostname and the root password.
Complete SRX configuration in set format
[edit]
root@branch-srx# show | display set
set version 21.4R1.12
set system host-name branch-srx
set system root-authentication encrypted-password "$ABCD_dont-load this as a plain text, set your own root password!"
set system login user sduser uid 2001
set system login user sduser class super-user
set system login user sduser authentication encrypted-password "$6$ma2havhhEP3TAJxx$ubRCVg/nXbEKHpRjD16M1dTy22MKvFdhIwLlmLDC6HlcU30JIiwf1v3DPB7TE1nSdmj0ESjVrQ55nmt1qAa0e."
set system services ssh
set system services netconf ssh
set system services netconf rfc-compliant
set system services dhcp-local-server group jdhcp-group interface fxp0.0
set system services dhcp-local-server group jdhcp-group interface irb.0
set system services dhcp-local-server group CONTRACTORS-POOL interface irb.30
set system services dhcp-local-server group GUEST-POOL interface irb.20
set system services web-management https system-generated-certificate
set system services outbound-ssh client EMS-srx.sdscale.juniperclouds.net device-id 946d0091-e32b-4564-82d4-0ebccb332ee1.JUNOS
set system services outbound-ssh client EMS-srx.sdscale.juniperclouds.net secret "$9$0NBEOhSrlMNVw8LqmPfzF69AuORLX7-wY1RVwgoGUz3n6p0hclW87lebsg4DjHqm5T39CuRhS0ORSleXxmf5F9A0BIyevz3hSyeW8xNdVwg"
set system services outbound-ssh client EMS-srx.sdscale.juniperclouds.net keep-alive
set system services outbound-ssh client EMS-srx.sdscale.juniperclouds.net services netconf
set system services outbound-ssh client EMS-srx.sdscale.juniperclouds.net srx.sdscale.juniperclouds.net port 7804
set system name-server 8.8.8.8
set system name-server 8.8.4.4
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file interactive-commands interactive-commands any
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file sdcloud-messages any any
set system syslog file sdcloud-messages match "(UI_COMMIT_COMPLETED)|ifAdminStatus|ifOperStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|(vc add)|(vc delete)|transitioned|Transferred|transfer-file|(license add)|(license delete)|JSRPD_HA_HEALTH_WEIGHT|PKID_PV_CERT_LOAD|PKID_PV_CERT_DEL"
set system syslog file sdcloud-messages structured-data
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security ike proposal standard authentication-method pre-shared-keys
set security ike policy ike-pol mode aggressive
set security ike policy ike-pol proposals standard
set security ike policy ike-pol pre-shared-key ascii-text "$9$Yj4oGjHmf5FJGi.m56/dVwgZjk.5T39"
set security ike gateway ike-gw ike-policy ike-pol
set security ike gateway ike-gw address 172.16.1.1
set security ike gateway ike-gw local-identity hostname branch
set security ike gateway ike-gw remote-identity hostname hq
set security ike gateway ike-gw external-interface ge-0/0/0
set security ipsec proposal standard
set security ipsec policy ipsec-pol proposals standard
set security ipsec vpn to_hq bind-interface st0.0
set security ipsec vpn to_hq ike gateway ike-gw
set security ipsec vpn to_hq ike ipsec-policy ipsec-pol
set security ipsec vpn to_hq establish-tunnels immediately
set security flow traceoptions file flow-debug
set security flow traceoptions flag basic-datapath
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security nat source rule-set guests-to-untrust from zone guests
set security nat source rule-set guests-to-untrust to zone untrust
set security nat source rule-set guests-to-untrust rule guest-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set guests-to-untrust rule guest-nat-rule then source-nat interface
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone guests to-zone untrust policy guests-to-untrust match source-address any
set security policies from-zone guests to-zone untrust policy guests-to-untrust match destination-address any
set security policies from-zone guests to-zone untrust policy guests-to-untrust match application junos-http
set security policies from-zone guests to-zone untrust policy guests-to-untrust match application junos-https
set security policies from-zone guests to-zone untrust policy guests-to-untrust match application junos-ping
set security policies from-zone guests to-zone untrust policy guests-to-untrust match application junos-dns-udp
set security policies from-zone guests to-zone untrust policy guests-to-untrust then permit
set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit
set security policies from-zone trust to-zone contractors policy trust-to-contractors match source-address any
set security policies from-zone trust to-zone contractors policy trust-to-contractors match destination-address any
set security policies from-zone trust to-zone contractors policy trust-to-contractors match application junos-http
set security policies from-zone trust to-zone contractors policy trust-to-contractors match application junos-ping
set security policies from-zone trust to-zone contractors policy trust-to-contractors then permit
set security policies pre-id-default-policy then log session-close
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces irb.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces xe-0/0/19.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces xe-0/0/19.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces dl0.0 host-inbound-traffic system-services tftp
set security zones security-zone contractors host-inbound-traffic system-services dhcp
set security zones security-zone contractors host-inbound-traffic system-services ping
set security zones security-zone contractors interfaces irb.30
set security zones security-zone guests host-inbound-traffic system-services dhcp
set security zones security-zone guests host-inbound-traffic system-services ping
set security zones security-zone guests interfaces irb.20
set security zones security-zone vpn host-inbound-traffic system-services ping
set security zones security-zone vpn interfaces st0.0
set interfaces ge-0/0/0 unit 0 family inet dhcp vendor-id Juniper-srx380
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members guests
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members contractors
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/15 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces xe-0/0/16 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces xe-0/0/17 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces xe-0/0/18 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces xe-0/0/19 unit 0 family inet dhcp vendor-id Juniper-srx380
set interfaces cl-1/0/0 dialer-options pool 1 priority 100
set interfaces dl0 unit 0 family inet negotiate-address
set interfaces dl0 unit 0 family inet6 negotiate-address
set interfaces dl0 unit 0 dialer-options pool 1
set interfaces dl0 unit 0 dialer-options dial-string 1234
set interfaces dl0 unit 0 dialer-options always-on
set interfaces fxp0 unit 0 family inet address 192.168.1.1/24
set interfaces irb unit 0 family inet address 192.168.2.1/24
set interfaces irb unit 20 family inet address 192.168.20.1/24
set interfaces irb unit 30 family inet address 192.168.30.1/24
set interfaces st0 unit 0 family inet address 10.0.0.1/24
set access address-assignment pool junosDHCPPool1 family inet network 192.168.1.0/24
set access address-assignment pool junosDHCPPool1 family inet range junosRange low 192.168.1.2
set access address-assignment pool junosDHCPPool1 family inet range junosRange high 192.168.1.254
set access address-assignment pool junosDHCPPool1 family inet dhcp-attributes router 192.168.1.1
set access address-assignment pool junosDHCPPool1 family inet dhcp-attributes propagate-settings ge-0/0/0.0
set access address-assignment pool junosDHCPPool2 family inet network 192.168.2.0/24
set access address-assignment pool junosDHCPPool2 family inet range junosRange low 192.168.2.2
set access address-assignment pool junosDHCPPool2 family inet range junosRange high 192.168.2.254
set access address-assignment pool junosDHCPPool2 family inet dhcp-attributes router 192.168.2.1
set access address-assignment pool junosDHCPPool2 family inet dhcp-attributes propagate-settings ge-0/0/0.0
set access address-assignment pool CONTRACTORS-POOL family inet network 192.168.30.0/24
set access address-assignment pool CONTRACTORS-POOL family inet range CONTRACTORS-POOL-IP-RANGE low 192.168.30.10
set access address-assignment pool CONTRACTORS-POOL family inet range CONTRACTORS-POOL-IP-RANGE high 192.168.30.100
set access address-assignment pool CONTRACTORS-POOL family inet dhcp-attributes domain-name srx-branch.com
set access address-assignment pool CONTRACTORS-POOL family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool CONTRACTORS-POOL family inet dhcp-attributes router 192.168.30.1
set access address-assignment pool GUEST-POOL family inet network 192.168.20.0/24
set access address-assignment pool GUEST-POOL family inet range GUEST-POOL---IP-RANGE low 192.168.20.10
set access address-assignment pool GUEST-POOL family inet range GUEST-POOL---IP-RANGE high 192.168.20.100
set access address-assignment pool GUEST-POOL family inet dhcp-attributes domain-name srx-branch.com
set access address-assignment pool GUEST-POOL family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool GUEST-POOL family inet dhcp-attributes router 192.168.20.1
set vlans contractors vlan-id 30
set vlans contractors l3-interface irb.30
set vlans guests vlan-id 20
set vlans guests l3-interface irb.20
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface irb.0
set protocols l2-learning global-mode switching
set protocols rstp interface all
set routing-options static route 172.16.200.0/24 next-hop st0.0
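A set-format dump like the one above is easy to review mechanically. The following Python script is an added example, not part of the Day One document or of the SRX configuration itself: it tokenises `show | display set` output with `shlex` (so quoted values such as the syslog `match` regex stay intact) and reports settings a reviewer would normally want to look at before deploying this appendix as-is: the IKE policy running in aggressive mode, the trust zone accepting all host-inbound services and protocols, flow traceoptions left enabled, and any policy that permits `application any` toward the untrust zone. The embedded input is a constructed subset of the statements shown above; the function and variable names are the example's own.

```python
"""Review a Junos 'show | display set' dump for settings worth a second look."""
import shlex

# Constructed sample: a subset of the set statements from this appendix.
SAMPLE_CONFIG = """\
[edit]
root@branch-srx# show | display set
set security ike proposal standard authentication-method pre-shared-keys
set security ike policy ike-pol mode aggressive
set security ike policy ike-pol proposals standard
set security flow traceoptions file flow-debug
set security flow traceoptions flag basic-datapath
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone guests to-zone untrust policy guests-to-untrust match application junos-http
set security policies from-zone guests to-zone untrust policy guests-to-untrust match application junos-https
set security policies from-zone guests to-zone untrust policy guests-to-untrust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone guests host-inbound-traffic system-services dhcp
set system syslog file sdcloud-messages match "(UI_COMMIT_COMPLETED)|ifAdminStatus"
"""


def parse_set_lines(text):
    """Return one token list per 'set ...' line, with the leading 'set' dropped.

    Prompts, '[edit]' banners and blank lines are skipped. shlex keeps a quoted
    value (regex, password hash) as a single token.
    """
    statements = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue
        statements.append(shlex.split(line)[1:])
    return statements


def audit(statements):
    """Return human-readable review items for the parsed statements."""
    findings = []
    traceoptions_seen = False
    # (from-zone, to-zone, policy name) -> applications matched and final action
    policies = {}
    for st in statements:
        # IKE policy negotiated in IKEv1 aggressive mode.
        if (st[:2] == ["security", "ike"] and len(st) >= 6
                and st[2] == "policy" and st[4:6] == ["mode", "aggressive"]):
            findings.append(f"ike policy {st[3]}: IKEv1 aggressive mode; prefer main mode or IKEv2")
        # Datapath tracing configured (report once, however many knobs are set).
        elif st[:3] == ["security", "flow", "traceoptions"]:
            traceoptions_seen = True
        # Zone accepting every host-inbound system service or routing protocol.
        elif (st[:3] == ["security", "zones", "security-zone"] and len(st) >= 7
                and st[4] == "host-inbound-traffic" and st[6] == "all"):
            findings.append(f"zone {st[3]}: host-inbound-traffic {st[5]} all")
        # Accumulate per-policy application list and action.
        elif (st[:2] == ["security", "policies"] and len(st) >= 10
                and st[2] == "from-zone" and st[4] == "to-zone" and st[6] == "policy"):
            entry = policies.setdefault((st[3], st[5], st[7]), {"applications": set(), "action": None})
            if st[8] == "match" and st[9] == "application" and len(st) >= 11:
                entry["applications"].add(st[10])
            elif st[8] == "then":
                entry["action"] = st[9]
    if traceoptions_seen:
        findings.append("security flow traceoptions enabled: datapath tracing left on in a production config")
    for (src, dst, name), entry in policies.items():
        if dst == "untrust" and entry["action"] == "permit" and "any" in entry["applications"]:
            findings.append(f"policy {name} ({src} -> {dst}): permits application any toward the untrust zone")
    return findings


if __name__ == "__main__":
    for item in audit(parse_set_lines(SAMPLE_CONFIG)):
        print(item)
```

Run against the complete set-format dump, the script reports the same four classes of item; the `guests-to-untrust` policy is not reported because it is limited to named junos-* applications, which is the pattern the guest and contractor policies in this appendix follow.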
SRX configuration in curly-brace format
Some readers prefer the curly-brace format. Here it is:
[edit]
root@branch-srx# show | no-more
## Last changed: 2022-04-20 03:39:09 UTC
version 21.4R1.12;
system {
    host-name branch-srx;
    root-authentication {
        encrypted-password "$ABCD_dont-load this as a plain text, set your own root password!"; ## SECRET-DATA
    }
    login {
        user sduser {
            uid 2001;
            class super-user;
            authentication {
                encrypted-password "$6$ma2havhhEP3TAJxx$ubRCVg/nXbEKHpRjD16M1dTy22MKvFdhIwLlmLDC6HlcU30JIiwf1v3DPB7TE1nSdmj0ESjVrQ55nmt1qAa0e."; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
        netconf {
            ssh;
            rfc-compliant;
        }
        dhcp-local-server {
            group jdhcp-group {
                interface fxp0.0;
                interface irb.0;
            }
            group CONTRACTORS-POOL {
                interface irb.30;
            }
            group GUEST-POOL {
                interface irb.20;
            }
        }
        web-management {
            https {
                system-generated-certificate;
            }
        }
        outbound-ssh {
            client EMS-srx.sdscale.juniperclouds.net {
                device-id 946d0091-e32b-4564-82d4-0ebccb332ee1.JUNOS;
                secret "$9$0NBEOhSrlMNVw8LqmPfzF69AuORLX7-wY1RVwgoGUz3n6p0hclW87lebsg4DjHqm5T39CuRhS0ORSleXxmf5F9A0BIyevz3hSyeW8xNdVwg"; ## SECRET-DATA
                keep-alive;
                services netconf;
                srx.sdscale.juniperclouds.net port 7804;
            }
        }
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file interactive-commands {
            interactive-commands any;
        }
        file messages {
            any notice;
            authorization info;
        }
        file sdcloud-messages {
            any any;
            match "(UI_COMMIT_COMPLETED)|ifAdminStatus|ifOperStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|(vc add)|(vc delete)|transitioned|Transferred|transfer-file|(license add)|(license delete)|JSRPD_HA_HEALTH_WEIGHT|PKID_PV_CERT_LOAD|PKID_PV_CERT_DEL";
            structured-data;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
security {
    ike {
        proposal standard {
            authentication-method pre-shared-keys;
        }
        policy ike-pol {
            mode aggressive;
            proposals standard;
            pre-shared-key ascii-text "$9$Yj4oGjHmf5FJGi.m56/dVwgZjk.5T39"; ## SECRET-DATA
        }
        gateway ike-gw {
            ike-policy ike-pol;
            address 172.16.1.1;
            local-identity hostname branch;
            remote-identity hostname hq;
            external-interface ge-0/0/0;
        }
    }
    ipsec {
        proposal standard;
        policy ipsec-pol {
            proposals standard;
        }
        vpn to_hq {
            bind-interface st0.0;
            ike {
                gateway ike-gw;
                ipsec-policy ipsec-pol;
            }
            establish-tunnels immediately;
        }
    }
    flow {
        traceoptions {
            file flow-debug;
            flag basic-datapath;
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set guests-to-untrust {
                from zone guests;
                to zone untrust;
                rule guest-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone guests to-zone untrust {
            policy guests-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https junos-ping junos-dns-udp ];
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone vpn {
            policy trust-to-vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone contractors {
            policy trust-to-contractors {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-ping ];
                }
                then {
                    permit;
                }
            }
        }
        pre-id-default-policy {
            then {
                log {
                    session-close;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                irb.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            https;
                            ike;
                            ping;
                        }
                    }
                }
                xe-0/0/19.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }
                dl0.0 {
                    host-inbound-traffic {
                        system-services {
                            tftp;
                        }
                    }
                }
            }
        }
        security-zone contractors {
            host-inbound-traffic {
                system-services {
                    dhcp;
                    ping;
                }
            }
            interfaces {
                irb.30;
            }
        }
        security-zone guests {
            host-inbound-traffic {
                system-services {
                    dhcp;
                    ping;
                }
            }
            interfaces {
                irb.20;
            }
        }
        security-zone vpn {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                st0.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp {
                    vendor-id Juniper-srx380;
                }
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members guests;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members contractors;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    xe-0/0/16 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    xe-0/0/17 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    xe-0/0/18 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    xe-0/0/19 {
        unit 0 {
            family inet {
                dhcp {
                    vendor-id Juniper-srx380;
                }
            }
        }
    }
    cl-1/0/0 {
        dialer-options {
            pool 1 priority 100;
        }
    }
    dl0 {
        unit 0 {
            family inet {
                negotiate-address;
            }
            family inet6 {
                negotiate-address;
            }
            dialer-options {
                pool 1;
                dial-string 1234;
                always-on;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    irb {
        unit 0 {
            family inet {
                address 192.168.2.1/24;
            }
        }
        unit 20 {
            family inet {
                address 192.168.20.1/24;
            }
        }
        unit 30 {
            family inet {
                address 192.168.30.1/24;
            }
        }
    }
    st0 {
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
}
access {
    address-assignment {
        pool junosDHCPPool1 {
            family inet {
                network 192.168.1.0/24;
                range junosRange {
                    low 192.168.1.2;
                    high 192.168.1.254;
                }
                dhcp-attributes {
                    router {
                        192.168.1.1;
                    }
                    propagate-settings ge-0/0/0.0;
                }
            }
        }
        pool junosDHCPPool2 {
            family inet {
                network 192.168.2.0/24;
                range junosRange {
                    low 192.168.2.2;
                    high 192.168.2.254;
                }
                dhcp-attributes {
                    router {
                        192.168.2.1;
                    }
                    propagate-settings ge-0/0/0.0;
                }
            }
        }
        pool CONTRACTORS-POOL {
            family inet {
                network 192.168.30.0/24;
                range CONTRACTORS-POOL-IP-RANGE {
                    low 192.168.30.10;
                    high 192.168.30.100;
                }
                dhcp-attributes {
                    domain-name srx-branch.com;
                    name-server {
                        8.8.8.8;
                    }
                    router {
                        192.168.30.1;
                    }
                }
            }
        }
        pool GUEST-POOL {
            family inet {
                network 192.168.20.0/24;
                range GUEST-POOL---IP-RANGE {
                    low 192.168.20.10;
                    high 192.168.20.100;
                }
                dhcp-attributes {
                    domain-name srx-branch.com;
                    name-server {
                        8.8.8.8;
                    }
                    router {
                        192.168.20.1;
                    }
                }
            }
        }
    }
}
vlans {
    contractors {
        vlan-id 30;
        l3-interface irb.30;
    }
    guests {
        vlan-id 20;
        l3-interface irb.20;
    }
    vlan-trust {
        vlan-id 3;
        l3-interface irb.0;
    }
}
protocols {
    l2-learning {
        global-mode switching;
    }
    rstp {
        interface all;
    }
}
routing-options {
    static {
        route 172.16.200.0/24 next-hop st0.0;
    }
}