Juniper SRX340防火墙配置

直接上配置。示例中的 IP 地址、端口以及口令字段（如 `encrypted-password 123456`）均为占位值，需根据实际环境替换。

admin@SRX340> show configuration | display set | no-more
set version 15.1X49-D150.2
set system host-name SRX340
set system time-zone Asia/Shanghai
set system default-address-selection
set system no-redirects
set system no-ping-record-route
set system no-ping-time-stamp
set system internet-options tcp-drop-synfin-set
set system internet-options no-tcp-reset drop-tcp-with-syn-only
set system root-authentication encrypted-password 123456
set system name-server 8.8.8.8
set system login class wheel idle-timeout 60
set system login class wheel permissions all

set system login user USER uid 2025
set system login user USER class super-user
set system login user USER authentication encrypted-password 123456
set system login user admin uid 2000
set system login user admin class wheel
set system login user admin authentication encrypted-password 123456

set system services ssh root-login deny
set system services ssh no-tcp-forwarding
set system services ssh protocol-version v2
set system services xnm-clear-text
set system syslog archive size 1m
set system syslog archive files 20
set system syslog user * any emergency
set system syslog file messages any info
set system syslog file interactive-commands interactive-commands any
set system syslog file traffic-log any any
set system syslog file traffic-log match RT_FLOW
set system syslog time-format year
set system max-configurations-on-flash 20
set system max-configuration-rollbacks 20
set chassis aggregated-devices ethernet device-count 2
set chassis alarm management-ethernet link-down ignore
set security log cache
set security log mode event
set security log event-rate 100
set security log format sd-syslog

set security address-book INTERNET address 1-ADDRESS 1.1.1.1/32
set security address-book INTERNET address NAME-IP dns-name baidu.com ipv4-only

set security address-book INTERNET address-set ADDRESS address 1-ADDRESS
set security address-book INTERNET attach zone untrust

set security address-book Host address Internet-1 range-address 172.16.40.1 to 172.16.40.10
set security address-book Host address-set Internet-pools address Internet-1
set security address-book Host attach zone trust

set security alg sccp disable
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land

set security nat source rule-set S-NAT-internet from interface ae0.0
set security nat source rule-set S-NAT-internet to interface ge-0/0/0.0
set security nat source rule-set S-NAT-internet rule sourceNAT-1 match source-address Host
set security nat source rule-set S-NAT-internet rule sourceNAT-1 then source-nat interface

set security nat static rule-set D-NAT from zone untrust
set security nat static rule-set D-NAT rule E-to-C match source-address 2.2.2.2/32
set security nat static rule-set D-NAT rule E-to-C then static-nat prefix 192.168.254.1/32

set security policies from-zone trust to-zone untrust policy PERMIT-1 match source-address Host 
set security policies from-zone trust to-zone untrust policy PERMIT-1 match destination-address any
set security policies from-zone trust to-zone untrust policy PERMIT-1 match application any
set security policies from-zone trust to-zone untrust policy PERMIT-1 then permit
set security policies from-zone trust to-zone untrust policy PERMIT-1 then log session-init
set security policies from-zone trust to-zone untrust policy PERMIT-1 then log session-close


set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/7.0
set security zones security-zone trust interfaces ae1.0
set security zones security-zone trust interfaces ae0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services traceroute
set security zones security-zone untrust interfaces ge-0/0/0.0

set interfaces ge-0/0/0 description internet
set interfaces ge-0/0/0 unit 0 family inet address 3.3.3.3/29
set interfaces ge-0/0/1 description XXX
set interfaces ge-0/0/1 unit 0 family inet address 4.4.4.4/28
set interfaces ge-0/0/3 description Internet_Link_to_switch
set interfaces ge-0/0/3 gigether-options 802.3ad ae0

set interfaces ae0 description Internet_Link_to_switch
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 unit 0 family inet address 5.5.5.5/24

set routing-options static route 0.0.0.0/0 next-hop 6.6.6.6

set firewall family inet filter all term all-apply from source-address 0.0.0.0/0
set firewall family inet filter all term all-apply then accept
set firewall family inet filter dep term ping from source-address 0.0.0.0/0
set firewall family inet filter dep term ping from protocol icmp
set firewall family inet filter dep term ping then accept
 


转载自blog.csdn.net/sj349781478/article/details/124920055