juniper srx系列防火墙默认ssh管理的端口是无法更改的,但要想使用其它端口实现ssh管理,可通过将外网的其它端口映射到环回接口的22端口实现
思路:
1.新建环回接口并配置IP地址
2.将环回接口划入到loopback_zone 这个安全域,并在接口层面开放ssh管理
3.配置端口映射,将外网端口22222映射到环回接口端口22上
4.放行untrust到loopback_zone ssh的流量
实验配置:
# Set-format version of the lab configuration (one command per line; the
# hierarchical form follows). Purpose: reach SSH management on the SRX via
# external port 22222, which destination NAT redirects to port 22 on lo0.0.
set version 12.1X47-D20.7
# Root password hash exactly as printed on the source page (it differs from
# the hash in the hierarchical listing, so it is not a usable secret); replace
# it with your own before reusing this configuration.
set system root-authentication encrypted-password "$1$Cu1r32.n$ivA34PWVEXK9lNKzaf1"
# Enables the SSH service on the device; which interfaces actually accept it is
# decided per zone/interface by host-inbound-traffic further down.
set system services ssh
# Outside-facing interface (placed in zone untrust below); 192.168.2.200 is the
# untranslated address the NAT rule matches on.
set interfaces ge-0/0/0 unit 0 family inet address 192.168.2.200/24
# Loopback used as the real SSH target. NOTE(review): 1.1.1.0/24 is publicly
# routed address space; a private /32 is the safer choice for a loopback.
set interfaces lo0 unit 0 family inet address 1.1.1.1/24
# Destination-NAT pool: translate to the loopback address, port 22.
set security nat destination pool ssh_manage address 1.1.1.1/32
set security nat destination pool ssh_manage address port 22
# NAT rule: untrust traffic to 192.168.2.200:22222 is sent to the pool.
# NOTE(review): source-address 0.0.0.0/0 admits every source on the internet;
# narrow it to the management networks that actually need SSH.
set security nat destination rule-set ssh_manage from zone untrust
set security nat destination rule-set ssh_manage rule 1 match source-address 0.0.0.0/0
set security nat destination rule-set ssh_manage rule 1 match destination-address 192.168.2.200/32
set security nat destination rule-set ssh_manage rule 1 match destination-port 22222
set security nat destination rule-set ssh_manage rule 1 then destination-nat pool ssh_manage
# Security policy: permit junos-ssh from untrust into loopback_zone. The policy
# matches the post-NAT destination (ssh-manage-address = 1.1.1.1/32), not
# 192.168.2.200. NOTE(review): source-address any has the same exposure as the
# NAT rule above; restrict it to the same management source set.
set security policies from-zone untrust to-zone loopback_zone policy untrust-to-loopback match source-address any
set security policies from-zone untrust to-zone loopback_zone policy untrust-to-loopback match destination-address ssh-manage-address
set security policies from-zone untrust to-zone loopback_zone policy untrust-to-loopback match application junos-ssh
set security policies from-zone untrust to-zone loopback_zone policy untrust-to-loopback then permit
# Untrust interface accepts only ping as host-inbound traffic; ssh is
# deliberately absent, so SSH aimed directly at 192.168.2.200:22 should be
# refused and only the translated path via port 22222 reaches SSH on lo0.0.
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
# Address-book entry referenced by the policy above.
set security zones security-zone loopback_zone address-book address ssh-manage-address 1.1.1.1/32
# Loopback zone: accept SSH as host-inbound traffic on lo0.0 (step 2 of the write-up).
set security zones security-zone loopback_zone interfaces lo0.0 host-inbound-traffic system-services ssh
/* Hierarchical form of the set commands above (show configuration output):
   external port 22222 on ge-0/0/0 is destination NATed to SSH (port 22) on lo0.0. */
version 12.1X47-D20.7;
system {
    root-authentication {
        /* Hash exactly as printed on the source page (it differs from the set-format
           listing, so it is not a usable secret); replace before reusing this config. */
        encrypted-password "$1$Cu1r32.n$ivACpMVEXK9lNKzaf1"; ## SECRET-DATA
    }
    services {
        /* SSH daemon enabled; reachability is controlled per zone/interface by host-inbound-traffic. */
        ssh;
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                /* Outside address; the untranslated destination matched by the NAT rule. */
                address 192.168.2.200/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                /* Real SSH target after NAT. NOTE(review): 1.1.1.0/24 is publicly routed
                   address space; a private /32 is the safer choice for a loopback. */
                address 1.1.1.1/24;
            }
        }
    }
}
security {
    nat {
        destination {
            pool ssh_manage {
                /* Translate to the loopback address, port 22. */
                address 1.1.1.1/32 port 22;
            }
            rule-set ssh_manage {
                from zone untrust;
                rule 1 {
                    match {
                        /* NOTE(review): 0.0.0.0/0 admits every source on the internet;
                           narrow to the management networks that need SSH. */
                        source-address 0.0.0.0/0;
                        destination-address 192.168.2.200/32;
                        destination-port {
                            22222;
                        }
                    }
                    then {
                        destination-nat {
                            pool {
                                ssh_manage;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone untrust to-zone loopback_zone {
            policy untrust-to-loopback {
                match {
                    /* NOTE(review): same exposure as the NAT rule; restrict to the same source set. */
                    source-address any;
                    /* Post-NAT destination (1.1.1.1/32), so the policy matches the translated flow. */
                    destination-address ssh-manage-address;
                    application junos-ssh;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            /* ssh deliberately not listed: direct SSH to 192.168.2.200:22 should be
                               refused; only the NAT-translated path via 22222 reaches SSH on lo0.0. */
                            ping;
                        }
                    }
                }
            }
        }
        security-zone loopback_zone {
            address-book {
                /* Referenced by policy untrust-to-loopback above. */
                address ssh-manage-address 1.1.1.1/32;
            }
            interfaces {
                lo0.0 {
                    host-inbound-traffic {
                        system-services {
                            /* Accept SSH on the loopback (step 2 of the write-up). */
                            ssh;
                        }
                    }
                }
            }
        }
    }
}
原文地址:http://www.cnblogs.com/id404/p/5930855.html