If the SRX could only assign interfaces to zones and allow certain services in and out, there wouldn't be much to it. But the SRX is much more powerful. After you have zones and interfaces set up, you can tap into the real power of the SRX: the security policies themselves.
Without security policies, all the SRX could do is create interface zones and screen out certain services. Security policies allow you to configure the details of what is and is not allowed through the SRX.
The first step is to configure an address book to hold a group of IP addresses or prefixes. The address book is referenced by both the source and the destination addresses in an SRX security policy, which makes the Junos operating system different from a lot of other vendors' systems. Make sure you create the address book in the correct zone!
You create an address book called PC1 for a device on the admins LAN as follows:
[edit security zones security-zone admins]
root# set address-book address PC1 192.168.2.2
If you use this entry as a destination address in a policy, only this single device will be reachable. If you want to allow access to all devices on the subnet, you can use the following prefix:
[edit security zones security-zone admins]
root# set address-book address PC-all 192.168.2.0/24
To create multiple address book entries for a zone and gather them together under one name, use an address-set.
For this simple example, you won’t establish address books at all. You just specify the addresses as any when the time comes.
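For configurations that do use address books, the following added example (not part of the original article) shows the address-set mentioned above and a security policy that references it instead of any. The second host PC2, its address, the set name admin-pcs, the untrust source zone and the policy name are assumptions made for illustration; junos-ssh is a predefined Junos application.

```junos
# Added example, not from the original article.
# Assumed names: PC2, admin-pcs, untrust, ssh-to-admin-pcs.

# Address book entries live in the zone that owns the addresses (admins).
set security zones security-zone admins address-book address PC1 192.168.2.2/32
set security zones security-zone admins address-book address PC2 192.168.2.3/32

# Gather the individual entries under one name with an address-set.
set security zones security-zone admins address-book address-set admin-pcs address PC1
set security zones security-zone admins address-book address-set admin-pcs address PC2

# Policy from the assumed untrust zone into admins.
# The destination is limited to the address-set rather than any,
# so only PC1 and PC2 are reachable, and only over SSH.
set security policies from-zone untrust to-zone admins policy ssh-to-admin-pcs match source-address any
set security policies from-zone untrust to-zone admins policy ssh-to-admin-pcs match destination-address admin-pcs
set security policies from-zone untrust to-zone admins policy ssh-to-admin-pcs match application junos-ssh
set security policies from-zone untrust to-zone admins policy ssh-to-admin-pcs then permit
```

Because the address-set is defined in the admins zone, it can be used as the destination address of policies whose to-zone is admins, or as the source address of policies whose from-zone is admins.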
Source: http://www.dummies.com/how-to/content/how-to-configure-address-books-on-srx-services-gat.html