NTTフレッツのサービス情報サイト(フレッツ・スクウェア)に繋ぐ必要がありましたので
以下の設定で接続出来るようにしました。
適宜書き換えてますので間違いがあるかもしれませんが、脳内補完しといて下さい。
サービス情報サイト
http://v4flets-east.jp/
PPPoE接続情報
ユーザ名:guest@v4flets-east.jp
パスワード:guest
追加ルーティング情報
220.210.194.0/25 > 今回追加したPPPoEセッション
123.107.190.0/24 > 今回追加したPPPoEセッション
その他
IX2015、CISCO1812に続いて、SRX210の設定サンプルです。
適宜書き換えてますので間違いがあるかもしれませんが、脳内補完しといて下さい。
対象機器:Juniper SRX210H(JUNOS:11.2R4.3)
グローバルIP...
また、当家のDNSはデフォルトのフォワード先をGoogleのDNSに向けてますが
“v4flets-east.jp”の名前解決時は“123.107.190.5, 123.107.190.6”に条件付フォワードしてます。この2台のDNSサーバは上記の追加ルーティング 123.107.190.0/24 に含まれるため、今回追加したPPPoEセッション経由で到達します（このルートが無いとデフォルトルート側へ出て名前解決できません）。
1.NTTフレッツのサービス情報サイトへのPPPoEインターフェイスを追加
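# edit interfaces pp0 unit 1
# set description ToFletsInfo
# set ppp-options chap default-chap-secret guest
# set ppp-options chap local-name "guest@v4flets-east.jp"
# set ppp-options chap no-rfc2486
# set ppp-options chap passive
# set pppoe-options underlying-interface fe-0/0/2.0
# set pppoe-options idle-timeout 0
# set pppoe-options auto-reconnect 120
# set family inet mtu 1454
# set family inet negotiate-address
# show
/* Second PPPoE session, used only for the NTT FLET'S service-information site. */
description ToFletsInfo;
ppp-options {
    chap {
        /* "$9$..." is Junos reversible obfuscation, not a hash: the plaintext ("guest", the
         * public credential for this site) can be recovered from it. Redact $9$ strings
         * before publishing any configuration that carries a real secret. */
        default-chap-secret "$9$IWBcyKX7Vg4Z-VmT"; ## SECRET-DATA
        local-name "guest@v4flets-east.jp";
        no-rfc2486;
        passive;
    }
}
pppoe-options {
    /* Shares the physical PPPoE uplink with pp0.0 (the Internet session). */
    underlying-interface fe-0/0/2.0;
    idle-timeout 0;
    auto-reconnect 120;
}
family inet {
    mtu 1454;
    /* Address is assigned by the provider via IPCP; no static address is needed. */
    negotiate-address;
}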
2.ルーティングを追加
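# edit routing-options
# set static route 220.210.194.0/25 next-hop pp0.1
# set static route 123.107.190.0/24 next-hop pp0.1
# show
static {
    /* Existing default route via the Internet PPPoE session. */
    route 0.0.0.0/0 next-hop pp0.0;
    /* Service-site prefixes steered into the new session. The conditional-forward
     * DNS servers 123.107.190.5 and 123.107.190.6 fall inside the second prefix. */
    route 220.210.194.0/25 next-hop pp0.1;
    route 123.107.190.0/24 next-hop pp0.1;
}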
3.セキュリティゾーンにNTTフレッツのサービス情報サイトへのPPPoEインターフェイスを追加
# edit security zones security-zone untrust interfaces
# set pp0.1
# show
pp0.0;
/* The service-site session is placed in the same zone as the Internet session, so it
 * inherits untrust's screen, host-inbound-traffic and interface source-NAT behaviour. */
pp0.1;
コンフィグの全文
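/* Full configuration of the SRX210H after adding the pp0.1 session.
 * Change versus the published original: the untrust zone no longer admits every
 * system service and protocol to the device itself (see security zones below). */
system {
    host-name SRX210H;
    domain-name ys-network.info;
    time-zone Asia/Tokyo;
    root-authentication {
        encrypted-password "XXXXXXXXXX"; ## SECRET-DATA
    }
    name-server {
        192.168.254.1;
    }
    services {
        /* No "login { user ... }" appears in this configuration, so SSH logins are root
         * logins. Add a named user with a login class before setting "root-login deny". */
        ssh;
        /* Unencrypted JUNOScript/XML management (TCP 3221). Prefer xnm-ssl, or remove
         * this if no management tool actually uses it. */
        xnm-clear-text;
        web-management {
            https {
                system-generated-certificate;
                /* J-Web is bound to the LAN SVI only, so it is not exposed on pp0.x. */
                interface vlan.0;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server 192.168.254.1;
    }
}
chassis {
    aggregated-devices {
        ethernet {
            device-count 1;
        }
    }
}
interfaces {
    ge-0/0/0 {
        gigether-options {
            auto-negotiation;
        }
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/1 {
        gigether-options {
            auto-negotiation;
        }
        unit 0 {
            family ethernet-switching;
        }
    }
    /* Physical PPPoE uplink shared by pp0.0 and pp0.1. */
    fe-0/0/2 {
        fastether-options {
            auto-negotiation;
        }
        unit 0 {
            encapsulation ppp-over-ether;
        }
    }
    fe-0/0/4 {
        fastether-options {
            auto-negotiation;
        }
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/5 {
        fastether-options {
            auto-negotiation;
        }
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/6 {
        fastether-options {
            auto-negotiation;
        }
        unit 0 {
            family ethernet-switching;
        }
    }
    fe-0/0/7 {
        fastether-options {
            auto-negotiation;
        }
        unit 0 {
            family ethernet-switching;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                /* Static global address; pp0.0 borrows it (unnumbered) and the
                 * destination-NAT rules below match on it. */
                address 116.91.118.97/32 {
                    primary;
                }
            }
        }
    }
    pp0 {
        /* Internet session. Secret and local-name were masked before publication. */
        unit 0 {
            description ToInternet;
            ppp-options {
                chap {
                    default-chap-secret "XXXXXXXXXXXXX"; ## SECRET-DATA
                    local-name "XXXXXXXX";
                    no-rfc2486;
                    passive;
                }
            }
            pppoe-options {
                underlying-interface fe-0/0/2.0;
                idle-timeout 0;
                auto-reconnect 120;
            }
            family inet {
                mtu 1454;
                unnumbered-address lo0.0;
            }
        }
        /* NTT FLET'S service-information site session. */
        unit 1 {
            description ToFletsInfo;
            ppp-options {
                chap {
                    /* "$9$" is reversible obfuscation, not a hash; the plaintext here is
                     * the public credential "guest". Never publish a $9$ string that
                     * encodes a real secret. */
                    default-chap-secret "$9$IWBcyKX7Vg4Z-VmT"; ## SECRET-DATA
                    local-name "guest@v4flets-east.jp";
                    no-rfc2486;
                    passive;
                }
            }
            pppoe-options {
                underlying-interface fe-0/0/2.0;
                idle-timeout 0;
                auto-reconnect 120;
            }
            family inet {
                mtu 1454;
                negotiate-address;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.0.254/24;
            }
        }
        unit 1 {
            family inet {
                address 192.168.254.254/24;
            }
        }
    }
}
snmp {
    description SRX210;
    location "Juniper SRX210H";
    contact "yukio_sumadera@ys-network.info";
    /* "public" is the well-known default community. Rename it; it is reachable from
     * every zone whose host-inbound-traffic admits snmp (trust and dmz here). */
    community public {
        authorization read-only;
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop pp0.0;
        /* Service-site prefixes via the second session; 123.107.190.5/.6 (conditional
         * DNS forwarders for v4flets-east.jp) are inside the second prefix. */
        route 220.210.194.0/25 next-hop pp0.1;
        route 123.107.190.0/24 next-hop pp0.1;
    }
}
/* No routing protocols are configured; "protocols { all; }" in a zone therefore
 * admits nothing that is actually in use. */
protocols {
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ip-sweep threshold 1000;
                fragment;
                large;
                flood threshold 1000;
                ping-death;
            }
            ip {
                spoofing;
                source-route-option;
                tear-drop;
            }
            tcp {
                port-scan threshold 1000;
                syn-flood {
                    alarm-threshold 2048;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
            }
        }
    }
    nat {
        source {
            rule-set Servers {
                from zone dmz;
                to zone untrust;
                rule Servers {
                    match {
                        source-address 192.168.254.0/24;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set DesktopPC {
                from zone trust;
                to zone untrust;
                rule DesktopPCs {
                    match {
                        source-address [ 192.168.0.0/24 ];
                    }
                    then {
                        source-nat {
                            /* Interface NAT, so traffic leaving via pp0.1 uses that
                             * session's negotiated address automatically. */
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool HTTP {
                address 192.168.254.1/32 port 80;
            }
            pool HTTPS {
                address 192.168.254.1/32 port 443;
            }
            rule-set vectant {
                from zone untrust;
                rule HTTP {
                    match {
                        destination-address 116.91.118.97/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool HTTP;
                    }
                }
                rule HTTPS {
                    match {
                        destination-address 116.91.118.97/32;
                        destination-port 443;
                    }
                    then {
                        destination-nat pool HTTPS;
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any-ipv4;
                    destination-address any-ipv4;
                    application [ junos-icmp-all junos-ping ];
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
            policy trust-to-untrust-tcp {
                match {
                    source-address any-ipv4;
                    destination-address any-ipv4;
                    application junos-tcp-any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
            policy trust-to-untrust-udp {
                match {
                    source-address any-ipv4;
                    destination-address any-ipv4;
                    application junos-udp-any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any-ipv4;
                    destination-address any-ipv4;
                    application [ junos-icmp-all junos-icmp-ping junos-ping ];
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        from-zone trust to-zone dmz {
            policy trust-to-dmz {
                match {
                    source-address any-ipv4;
                    destination-address any-ipv4;
                    application [ junos-icmp-ping junos-ping junos-icmp-all ];
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        from-zone untrust to-zone dmz {
            policy untrust-to-dmz {
                match {
                    source-address any-ipv4;
                    destination-address any-ipv4;
                    application [ junos-icmp-ping junos-ping junos-icmp-all ];
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
            /* Only TCP 80/443 are destination-NATed to 192.168.254.1, yet these two
             * policies permit any TCP/UDP toward the DMZ. Narrowing them to
             * junos-http/junos-https keeps the policy as the second line of defence. */
            policy untrust-to-dmz-tcp {
                match {
                    source-address any-ipv4;
                    destination-address any-ipv4;
                    application junos-tcp-any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
            policy untrust-to-dmz-udp {
                match {
                    source-address any-ipv4;
                    destination-address any-ipv4;
                    application junos-udp-any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        from-zone untrust to-zone trust {
            /* Permits ICMP from the Internet toward the LAN zone. Nothing in this
             * configuration needs it; consider removing the policy. */
            policy untrust-to-trust {
                match {
                    source-address any-ipv4;
                    destination-address any-ipv4;
                    application [ junos-icmp-all junos-icmp-ping junos-ping ];
                }
                then {
                    permit;
                    log {
                        session-init;
                    }
                }
            }
        }
        from-zone dmz to-zone trust {
            policy dmz-to-trust {
                match {
                    source-address any-ipv4;
                    destination-address any-ipv4;
                    application [ junos-ping junos-icmp-all junos-icmp-ping ];
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
        from-zone dmz to-zone untrust {
            policy dmz-to-untrust {
                match {
                    source-address any-ipv4;
                    destination-address any-ipv4;
                    application [ junos-ping junos-icmp-ping ];
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
            policy dmz-to-untrust-tcp {
                match {
                    source-address any-ipv4;
                    destination-address any-ipv4;
                    application junos-tcp-any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
            policy dmz-to-untrust-udp {
                match {
                    source-address any-ipv4;
                    destination-address any-ipv4;
                    application junos-udp-any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            tcp-rst;
            screen untrust-screen;
            /* Was "system-services { all; } protocols { all; }", which exposed every
             * configured management service (ssh, xnm-clear-text, snmp) to the
             * Internet on both PPPoE sessions. Only what the uplinks need remains;
             * add a service here only if it must be reachable from the Internet. */
            host-inbound-traffic {
                system-services {
                    ping;
                    ssh;
                }
            }
            interfaces {
                pp0.0;
                pp0.1;
            }
        }
        security-zone dmz {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.1;
            }
        }
    }
}
ethernet-switching-options {
    voip;
}
vlans {
    v0001 {
        vlan-id 1;
        interface {
            ge-0/0/0.0;
            ge-0/0/1.0;
        }
        l3-interface vlan.0;
    }
    v0254 {
        vlan-id 254;
        interface {
            fe-0/0/4.0;
            fe-0/0/5.0;
            fe-0/0/6.0;
        }
        l3-interface vlan.1;
    }
}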
===================================================
条件付フォワード(Windows Server2008R2)