win10無法登陸SSG進行WEB UI管理

• 故障描述：嘗試登錄SSG設(shè)備時，無法無法刷出頁面，但是設(shè)備時可以ping通的（內(nèi)部接口），可以Telnet上設(shè)備，就是無法通過網(wǎng)頁登錄。
• 深入測試：win7的系統(tǒng)可以登錄，win10的不行，瀏覽器報協(xié)議版本或加密算法不支持。
• 故障分析：這種情況下，可能是由于防火墻的加密算法的問題。

1、con到設(shè)備：

• SSG320M-> get ssh
• SSH V2 is active
• SSH is NOT enabled
• SSH is NOT ready for connections
• Maximum sessions: 6
• Active sessions: 0

2、查看加密算法：

• SSG320M-> get ssl
• web SSL enable.
• web SSL port number(443).
• web SSL cert: Default - System Self-Signed Cert.
• web SSL cipher(RC4_MD5)..

3、修改加密算法并保存配置：

• SSG320M-> set ssl encrypt 3des sha-1
• SSG320M-> save
• Save System Configuration ...
• Done

修改后，測試win10登錄SSG管理，正常，問題解決。

NAT

1.NAT-Src with PAT Enabled

• set interface "ethernet0/0" zone "Trust"
• set interface "ethernet0/2" zone "Untrust"
• set interface ethernet0/0 ip 172.16.1.1/24
• set interface ethernet0/0 nat
• set interface ethernet0/2 ip 192.168.0.199/24
• set interface ethernet0/2 route
• set interface ethernet0/2 gateway 192.168.0.1
• set interface ethernet0/2 dip 5 192.168.0.198
• set policy from Trust to Untrust Any Any ANY nat src dip-id 5 permit log

2.NAT-Src with PAT Disabled

• set interface "ethernet0/0" zone "Trust"
• set interface "ethernet0/2" zone "Untrust"
• set interface ethernet0/0 ip 172.16.1.1/24
• set interface ethernet0/0 nat
• set interface ethernet0/2 ip 192.168.0.199/24
• set interface ethernet0/2 route
• set interface ethernet0/2 gateway 192.168.0.1
• set interface ethernet0/2 dip 6 192.168.0.198 fix-port
• set policy from trust to untrust any any any nat src dip-ip 6 permit log

3.NAT-Src Without DIP

• set interface "ethernet0/0" zone "Trust"
• set interface "ethernet0/2" zone "Untrust"
• set interface ethernet0/0 ip 172.16.1.1/24
• set interface ethernet0/0 nat
• set interface ethernet0/2 ip 192.168.0.199/24
• set interface ethernet0/2 route
• set interface ethernet0/2 gateway 192.168.0.1
• set interface ethernet0/2 dip 5 192.168.0.198 192.168.0.198e
• set policy from trust to untrust any any any nat src permit log

透明墻

• set interface "ethernet0/0" zone "V1-Trust"
• set interface "ethernet0/2" zone "V1-Untrust"
• set policy id 3 name "towan" from "V1-Trust" to "V1-Untrust" "Any" "Any" "ANY" permit
• set policy id 3

• 主要區(qū)別：
• 思科ASA5500系列防火墻在透明模式下，不會透傳CDP和BPDUs；
• Juniper的SSG系列防火墻會透傳CDP和BPDUs，有時可能會造成二層環(huán)路。

ACL生效順序和ID無關(guān)和acl 順序有關(guān)

常用命令

配置

• injoin-ssg320m-> get config
• Total Config size 3586:
• unset key protection enable
• set clock timezone 0
• set vrouter trust-vr sharable
• set vrouter "untrust-vr"
• exit
• set vrouter "trust-vr"
• unset auto-route-export
• exit
• set vrouter name "MGMT" id 1025 sharable
• set vrouter "MGMT"
• unset auto-route-export
• exit
• set alg appleichat enable
• unset alg appleichat re-assembly enable
• set alg sctp enable
• set auth-server "Local" id 0
• set auth-server "Local" server-name "Local"
• set auth default auth server "Local"
• set auth radius accounting port 1646
• set admin name "netscreen"
• set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
• set admin port 8000
• set admin http redirect
• set admin auth web timeout 10
• set admin auth server "Local"
• set admin format dos
• set zone "Trust" vrouter "trust-vr"
• set zone "Untrust" vrouter "trust-vr"
• set zone "DMZ" vrouter "trust-vr"
• set zone "VLAN" vrouter "trust-vr"
• set zone "Untrust-Tun" vrouter "trust-vr"
• set zone "Trust" tcp-rst
• set zone "Untrust" block
• unset zone "Untrust" tcp-rst
• set zone "MGT" block
• unset zone "V1-Trust" tcp-rst
• unset zone "V1-Untrust" tcp-rst
• set zone "DMZ" tcp-rst
• unset zone "V1-DMZ" tcp-rst
• unset zone "VLAN" tcp-rst
• set zone "Untrust" screen tear-drop
• set zone "Untrust" screen syn-flood
• set zone "Untrust" screen ping-death
• set zone "Untrust" screen ip-filter-src
• set zone "Untrust" screen land
• set zone "V1-Untrust" screen tear-drop
• set zone "V1-Untrust" screen syn-flood
• set zone "V1-Untrust" screen ping-death
• set zone "V1-Untrust" screen ip-filter-src
• set zone "V1-Untrust" screen land
• set interface "ethernet0/0" zone "V1-Trust"
• set interface "ethernet0/1" zone "DMZ"
• set interface "ethernet0/2" zone "V1-Untrust"
• set interface vlan1 ip 192.168.0.250/24
• unset interface vlan1 bypass-others-ipsec
• unset interface vlan1 bypass-non-ip
• set interface vlan1 ip manageable
• set interface ethernet0/0 manage mtrace
• set interface vlan1 manage mtrace
• unset flow no-tcp-seq-check
• set flow tcp-syn-check
• unset flow tcp-syn-bit-check
• set flow reverse-route clear-text prefer
• set flow reverse-route tunnel always
• set hostname injoin-ssg320m
• set pki authority default scep mode "auto"
• set pki x509 default cert-path partial
• set dns host dns1 0.0.0.0
• set dns host dns2 0.0.0.0
• set dns host dns3 0.0.0.0
• set address "Untrust" "8.8.8.8/32" 8.8.8.8 255.255.255.255
• set crypto-policy
• exit
• set ike respond-bad-spi 1
• set ike ikev2 ike-sa-soft-lifetime 60
• unset ike ikeid-enumeration
• unset ike dos-protection
• unset ipsec access-session enable
• set ipsec access-session maximum 5000
• set ipsec access-session upper-threshold 0
• set ipsec access-session lower-threshold 0
• set ipsec access-session dead-p2-sa-timeout 0
• unset ipsec access-session log-error
• unset ipsec access-session info-exch-connected
• unset ipsec access-session use-error-log
• set url protocol websense
• exit
• set policy id 2 from "Trust" to "Untrust" "Any" "Any" "ANY" nat src permit log
• set policy id 2
• exit
• set policy id 3 name "towan" from "V1-Trust" to "V1-Untrust" "Any" "Any" "ANY" permit
• set policy id 3
• exit
• set nsmgmt bulkcli reboot-timeout 60
• set ssh version v2
• set config lock timeout 5
• unset license-key auto-update
• set telnet client enable
• set ssl encrypt 3des sha-1
• set snmp port listen 161
• set snmp port trap 162
• set snmpv3 local-engine id "JN1230D03ADD"
• set vrouter "untrust-vr"
• exit
• set vrouter "trust-vr"
• unset add-default-route
• set route 8.8.8.8/32 interface ethernet0/0 gateway 172.16.1.2
• exit
• set vrouter "MGMT"
• exit
• set vrouter "untrust-vr"
• exit
• set vrouter "trust-vr"
• exit
• set vrouter "MGMT"
• exit

初始化

設(shè)備開機狀態(tài)下，使用插到設(shè)備正前方的reset口，有手感，直到等到status燈變成橙色，再變綠色后，針?biāo)砷_2秒鐘，再將針插入reset孔不放直到燈變紅，此時所有端口燈都會滅掉。針取出即可。最后設(shè)備會自動重啟。設(shè)備即恢復(fù)出廠默認(rèn)值。

總結(jié)

以上是生活随笔為你收集整理的Juniper SSG 防火墙的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。