kim-aa, я только вчера о Вас вспоминал. Я просил у Вас в icq поделиться документацией по Juniper где-то год (!) назад. Вчера я вспомнил, что Вы мне эту документацию высылали. И я ее долго искал и нашел
Прочитал еще раз. И вот Вы тут )) Неожиданно))
А по теме:
- начертил схему в кореле. Сто лет не юзал корел - извиняюсь
- конфиг прилагаю. Он у всех офисов по идее одинаковый. В данном примере конфиг от Джунипера 192.168.5.1/24
- куда и как цеплять сервер с ISA Server 192.168.4.254/24, который натит и управляет трафиком всех офисов?
Код:
version 10.4R6.5;
system {
host-name gw5;
domain-name local.int;
root-authentication {
encrypted-password "12345"; ## SECRET-DATA
}
name-server {
192.168.5.2;
192.168.4.2;
}
login {
user admin {
uid 2000;
class super-user;
authentication {
encrypted-password "12345"; ## SECRET-DATA
}
}
}
services {
ssh;
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 20;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp {
server 192.168.4.2;
}
}
interfaces {
interface-range interfaces-trust {
member fe-0/0/1;
member fe-0/0/2;
member fe-0/0/3;
member fe-0/0/4;
member fe-0/0/5;
member fe-0/0/6;
member fe-0/0/7;
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/0 {
unit 0 {
family inet {
address 192.168.5.1/24;
}
}
}
st0.0 {
unit 0 {
family inet {
address 10.0.0.5/24;
}
}
}
st0.1 {
unit 0 {
family inet {
address 10.0.0.5/24;
}
}
}
vlan {
unit 0 {
family inet {
address 192.168.5.1/24;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 192.168.4.254;
route 172.16.4.0/24 next-hop st0.0;
route 172.16.6.0/24 next-hop st0.1;
}
}
protocols {
stp;
}
security {
ike {
traceoptions {
flag all;
flag policy-manager;
flag ike;
flag routing-socket;
}
proposal P1-AES {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm aes-128-cbc;
}
policy ike-policy-1 {
mode main;
proposals P1-AES;
pre-shared-key ascii-text "12345"; ## SECRET-DATA
}
gateway gw1 {
ike-policy ike-policy-1;
address 192.168.5.1;
external-interface fe-0/0/0.0;
}
}
ipsec {
proposal P2-AES {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm aes-128-cbc;
}
policy ipsec-policy-1 {
perfect-forward-secrecy {
keys group2;
}
proposals P2-AES;
}
vpn vpn1 {
bind-interface st0.0;
ike {
gateway gw1;
proxy-identity {
local 192.168.4.0/24;
remote 192.168.5.0/24;
service any;
}
ipsec-policy ipsec-policy-1;
}
establish-tunnels immediately;
}
vpn vpn2 {
bind-interface st0.0;
ike {
gateway gw1;
proxy-identity {
local 192.168.6.0/24;
remote 192.168.5.0/24;
service any;
}
ipsec-policy ipsec-policy-1;
}
establish-tunnels immediately;
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
fe-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
fe-0/0/1.0;
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
policy policy-name {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
}
vlans {
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
}
