
Juniper SRX Firewall - NAT

2013-05-08 08:46



http://hi.baidu.com/ccie33/item/2a0c995c8f33e5ccd2e10c35




Juniper SRX Firewall NAT study notes

Junos NAT

Part 1: SRX NAT introduction

Part 2: Source NAT: Interface NAT

Part 3: Source NAT: Address Pools

Part 4: Destination NAT

Part 5: Static NAT

--------------------------------------------------

SRX NAT introduction

1. Source NAT // translates the source address (comparable to Cisco nat + global)

2. Destination NAT // comparable to Cisco static PAT

3. Static NAT // static one-to-one translation

SRX NAT processing flow:

static NAT first ------ destination NAT ------ source NAT

Static NAT and destination NAT are evaluated before the route lookup and the policy lookup, so security policies match the translated (internal) destination address. Source NAT is evaluated after the route lookup. A static NAT mapping takes precedence over destination NAT rules in the inbound direction and over source NAT rules in the outbound direction.

NAT lookup and processing order



--------------------------------------------------

Part 2: Source NAT: Interface NAT

Interface NAT

SRX platforms support a NAT configuration where the source IP addresses in flows are translated to the address assigned to the security platform's own outgoing interface. This behavior is commonly called interface NAT and is similar to the NAT-mode interface configuration in ScreenOS.

SP1-------------SRX------------Inside1

202.100.1.0/24 10.1.1.0/24

PAT the internal 10.1.1.0/24 behind the Outside interface address.

Configure a policy so that Inside1 can reach Outside:

edit security policies from-zone Inside1 to-zone Outside policy Permit-ALL

set match source-address any

set match destination-address any

set match application any

set then permit

set then log session-init session-close

Configure logging:

edit system syslog file nat-log

set any any

set match RT_FLOW_SESSION

Configure NAT:

edit security nat source rule-set NAT-Policy // a rule-set is an ordered collection of NAT rules bound to one from/to context

set from zone Inside1

set to zone Outside

edit rule Inside1-Outside-Interface-NAT // the rule

set match source-address 10.1.1.0/24

set match destination-address 202.100.1.0/24 // optional; omit it for general Internet access

set then source-nat interface

commit // commit and apply

Verify (prefix the commands with run while still in configuration mode):

show security flow session

show log nat-log // view the NAT translation entries (RT_FLOW_SESSION_CREATE / RT_FLOW_SESSION_CLOSE)

show security nat source rule all // view the source NAT rules and the translation type
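To make the verification step concrete, here is an added example (not from the original notes, and not Junos code) that parses RT_FLOW_SESSION_CREATE lines such as those written to nat-log and flags sessions whose source left untranslated, or was translated to something other than the outgoing interface address. The sample log lines are constructed for this example in the positional layout of the session-create message; that field order, the interface name fe-0/0/1.0 and the session IDs are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log (not captured from a device), laid out as
# "src/sport->dst/dport service nat-src/nat-sport->nat-dst/nat-dport src-nat-rule dst-nat-rule
#  proto policy from-zone to-zone session-id ...". Addresses and rule names are the lab's.
# The third session comes from a host outside 10.1.1.0/24, so no rule matches and the private
# address leaks out unchanged: the condition a NAT check should catch.
SAMPLE_LOG = """\
May  8 08:46:01 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.10/51234->202.100.1.2/23 junos-telnet 202.100.1.1/1025->202.100.1.2/23 Inside1-Outside-Interface-NAT None 6 Permit-ALL Inside1 Outside 1001 N/A(N/A) fe-0/0/1.0
May  8 08:46:02 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.11/51235->202.100.1.2/80 junos-http 202.100.1.1/1026->202.100.1.2/80 Inside1-Outside-Interface-NAT None 6 Permit-ALL Inside1 Outside 1002 N/A(N/A) fe-0/0/1.0
May  8 08:46:03 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.2.12/51236->202.100.1.2/53 junos-dns-udp 10.1.2.12/51236->202.100.1.2/53 None None 17 Permit-ALL Inside1 Outside 1003 N/A(N/A) fe-0/0/1.0
May  8 08:46:09 srx RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 10.1.1.10/51234->202.100.1.2/23 junos-telnet 202.100.1.1/1025->202.100.1.2/23 Inside1-Outside-Interface-NAT None 6 Permit-ALL Inside1 Outside 1001 12(600) 10(500) 8 N/A(N/A) fe-0/0/1.0
"""

_ENDPOINT = r"(\S+?)/(\d+)->(\S+?)/(\d+)"
_CREATE_RE = re.compile(
    r"RT_FLOW_SESSION_CREATE: session created " + _ENDPOINT + r" (\S+) " + _ENDPOINT
    + r" (\S+) (\S+) (\d+) (\S+) (\S+) (\S+) (\d+)"
)


@dataclass
class Session:
    session_id: int
    src: str
    sport: int
    dst: str
    dport: int
    service: str
    nat_src: str
    nat_sport: int
    nat_dst: str
    nat_dport: int
    src_nat_rule: Optional[str]   # None when the log says "None" (no source NAT rule matched)
    dst_nat_rule: Optional[str]
    protocol: int
    policy: str
    from_zone: str
    to_zone: str

    @property
    def source_translated(self) -> bool:
        return (self.src, self.sport) != (self.nat_src, self.nat_sport)

    @property
    def destination_translated(self) -> bool:
        return (self.dst, self.dport) != (self.nat_dst, self.nat_dport)


def _rule(name: str) -> Optional[str]:
    return None if name == "None" else name


def parse_sessions(log_text: str) -> List[Session]:
    """One Session per RT_FLOW_SESSION_CREATE line; close events and unrelated lines are skipped."""
    sessions = []
    for line in log_text.splitlines():
        m = _CREATE_RE.search(line)
        if not m:
            continue
        g = m.groups()
        sessions.append(Session(
            session_id=int(g[15]),
            src=g[0], sport=int(g[1]), dst=g[2], dport=int(g[3]),
            service=g[4],
            nat_src=g[5], nat_sport=int(g[6]), nat_dst=g[7], nat_dport=int(g[8]),
            src_nat_rule=_rule(g[9]), dst_nat_rule=_rule(g[10]),
            protocol=int(g[11]), policy=g[12], from_zone=g[13], to_zone=g[14],
        ))
    return sessions


def untranslated_egress(sessions: List[Session], from_zone: str, to_zone: str) -> List[int]:
    """Session IDs that left from_zone for to_zone with their original (private) source: a rule gap."""
    return [s.session_id for s in sessions
            if (s.from_zone, s.to_zone) == (from_zone, to_zone) and not s.source_translated]


def check_interface_nat(sessions: List[Session], rule: str, egress_ip: str) -> List[int]:
    """Session IDs where the interface-NAT rule matched but the source was not rewritten to egress_ip."""
    return [s.session_id for s in sessions if s.src_nat_rule == rule and s.nat_src != egress_ip]


if __name__ == "__main__":
    sess = parse_sessions(SAMPLE_LOG)
    for s in sess:
        print(s.session_id, s.src, "->", s.nat_src, s.src_nat_rule)
    print("untranslated:", untranslated_egress(sess, "Inside1", "Outside"))
    print("wrong egress:", check_interface_nat(sess, "Inside1-Outside-Interface-NAT", "202.100.1.1"))
```

Run it against the text of show log nat-log (or the syslog collector's copy of it); a non-empty untranslated_egress list means a source NAT rule does not cover some internal prefix, which is the mistake the optional destination-address match above makes easy.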

---------------------------------------------------

Part 3: Source NAT: Address Pool

Share a pool of external addresses

edit security nat source

set pool nat-pool address 202.100.1.101/32 to 202.100.1.103/32

up

set proxy-arp interface fe-0/0/0.0 address 202.100.1.101/32 to 202.100.1.103/32 // important: proxy ARP must be enabled; the pool addresses belong to the outside interface's subnet but are not configured on any interface, so without it the upstream router never gets an ARP reply for them and return traffic is dropped

edit source rule-set NAT-Policy

edit rule Inside1-Outside-Address-Pools

set match source-address 10.1.1.0/24

set then source-nat pool nat-pool // both rules are source NAT rules in the same rule-set; with two rules the first one in order wins

up

insert rule Inside1-Outside-Address-Pools before rule Inside1-Outside-Interface-NAT // move the address-pool rule ahead of the interface-NAT rule, otherwise it is shadowed and never matches

run show security flow session // the pool addresses are used in turn for PAT

Disable PAT (dynamic one-to-one translation: each internal host is bound to one pool address and keeps its source port; once the pool is exhausted, further sessions overflow to the interface address):

edit security nat source

set pool nat-pool port no-translation

set pool nat-pool overflow-pool interface

set port-randomization disable // ports are allocated in increasing order instead of randomly (a global setting under security nat source, so it applies to the interface PAT used for overflow)
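The allocation behaviour just described (round-robin PAT across the pool by default; with port no-translation, one pool address per internal host with the port preserved, and overflow to the interface address once the pool is used up) as a small Python model. This is an added example, not part of the original notes and not Junos code; the pool and host addresses are the lab's, the sequential port start of 1024 is an assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Translation = Optional[Tuple[str, int]]   # (translated address, translated port); None if no session can be built


@dataclass
class SourceNatPool:
    addresses: List[str]             # set pool nat-pool address ... to ...
    interface_ip: str                # egress interface address used by overflow-pool interface
    port_translation: bool = True    # False models "set pool nat-pool port no-translation"
    overflow_interface: bool = True  # models "set pool nat-pool overflow-pool interface"
    low_port: int = 1024             # assumed first port handed out; sequential, as with port-randomization disable
    _bindings: Dict[str, str] = field(default_factory=dict, init=False)  # internal host -> pool address
    _next_port: int = field(default=0, init=False)
    _round_robin: int = field(default=0, init=False)

    def __post_init__(self) -> None:
        self._next_port = self.low_port

    def _alloc_port(self) -> int:
        port, self._next_port = self._next_port, self._next_port + 1
        return port

    def translate(self, src_ip: str, src_port: int) -> Translation:
        if self.port_translation:
            # Default pool behaviour: PAT, with the pool addresses used in turn
            addr = self.addresses[self._round_robin % len(self.addresses)]
            self._round_robin += 1
            return addr, self._alloc_port()
        # port no-translation: dynamic one-to-one; a host keeps its address binding and its port
        if src_ip in self._bindings:
            return self._bindings[src_ip], src_port
        free = [a for a in self.addresses if a not in self._bindings.values()]
        if free:
            self._bindings[src_ip] = free[0]
            return free[0], src_port
        if self.overflow_interface:
            # Pool exhausted: the session falls back to PAT on the interface address
            return self.interface_ip, self._alloc_port()
        return None  # pool exhausted and no overflow pool: the session cannot be created


def simulate(pool: SourceNatPool, sessions: List[Tuple[str, int]]) -> List[Translation]:
    """Feed (internal address, source port) pairs through the pool in order and collect the translations."""
    return [pool.translate(ip, port) for ip, port in sessions]


POOL = ["202.100.1.101", "202.100.1.102", "202.100.1.103"]
# Constructed session list: three hosts fill the pool, host 1 returns, then a fourth host arrives twice
LAB_SESSIONS = [("10.1.1.1", 40000), ("10.1.1.2", 40001), ("10.1.1.3", 40002),
                ("10.1.1.1", 40003), ("10.1.1.4", 40004), ("10.1.1.4", 40005)]

if __name__ == "__main__":
    print(simulate(SourceNatPool(POOL, "202.100.1.1", port_translation=False), LAB_SESSIONS))
    print(simulate(SourceNatPool(POOL, "202.100.1.1", port_translation=False, overflow_interface=False), LAB_SESSIONS))
    print(simulate(SourceNatPool(POOL, "202.100.1.1"), LAB_SESSIONS))
```

The second run shows why overflow-pool interface matters with port no-translation: a three-address pool serves at most three concurrent internal hosts, and every further host is silently dropped unless the overflow pool exists.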

Configure Persistent NAT // persistent NAT keeps the translation binding alive, so the binding can be seen in the persistent NAT table

edit security nat source

edit rule-set NAT-Policy rule Inside1-Outside-Address-Pools

set then source-nat pool nat-pool persistent-nat permit target-host-port // persistent-nat is configured under the pool reference; target-host-port only admits inbound packets from the remote host and port the internal host already contacted (any-remote-host would open the binding to every external host and is the least restrictive choice)

run show security flow session

run show security nat source persistent-nat-table all

---------------------------------------------------

Part 4: Destination NAT // the Cisco static PAT equivalent

Map port 23 of the Inside1 host 10.1.1.1 to port 2323 of the external address 202.100.1.201:

edit security nat destination

set pool Inside1-23 address 10.1.1.1/32 port 23

edit rule-set Outside-to-Inside1-Des-NAT

set from zone Outside

edit rule Inside1-Router-23

set match source-address 0.0.0.0/0

set match destination-address 202.100.1.201/32

set match destination-port 2323

set then destination-nat pool Inside1-23

top

set security nat proxy-arp interface fe-0/0/0.0 address 202.100.1.201/32 // the mapped address is on the outside subnet but not on the interface, so proxy ARP is needed again

Permit the inbound traffic (destination NAT runs before the policy lookup, so the policy matches the translated internal address 10.1.1.1 and port 23, not 202.100.1.201:2323):

edit security zones security-zone Inside1

set address-book address Inside1-Router 10.1.1.1/32

up

up

edit policies from-zone Outside to-zone Inside1

edit policy Permit-Inside1-23

set match source-address any

set match destination-address Inside1-Router

set match application junos-telnet

set then permit

commit

------------------------------------------------------

Part 5: Static NAT, static one-to-one. The mapping is bidirectional: inbound it translates the destination, outbound it translates the source.

edit security nat static

edit rule-set Outside-to-Inside

set from zone Outside

edit rule 1to1

set match destination-address 202.100.1.221/32

set then static-nat prefix 10.1.1.1/32

top

set security nat proxy-arp interface fe-0/0/0.0 address 202.100.1.221/32

Permit the inbound traffic (as with destination NAT, the policy matches the internal address 10.1.1.1):

edit security zones security-zone Inside1

set address-book address Inside1-Router 10.1.1.1/32

up

up

edit policies from-zone Outside to-zone Inside1

edit policy Permit-Inside1-23

set match source-address any

set match destination-address Inside1-Router

set match application junos-telnet

set then permit

commit

Translation now works in both directions: Outside traffic to 202.100.1.221 reaches 10.1.1.1, and traffic from 10.1.1.1 leaves as 202.100.1.221, taking precedence over the source NAT rule-set.

run show security flow session
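Putting Parts 1 to 5 together, the following added example (Python, not part of the original notes and not Junos code) models the lookup order from Part 1: static NAT, then destination NAT, then the route lookup that fixes the to-zone, then static NAT in reverse or the first matching source NAT rule. It uses the lab addresses and rule names from the sections above; the zone routes, the representative pool address and the model's simplifications (no port allocation, one rule-set per direction) are assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def in_net(ip: str, cidr: Optional[str]) -> bool:
    return cidr is None or ipaddress.ip_address(ip) in net(cidr)   # a missing match prefix means "any"


@dataclass
class Packet:
    from_zone: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class StaticRule:      # security nat static: match destination-address external, then static-nat prefix internal
    from_zone: str
    external: str
    internal: str


@dataclass
class DestRule:        # security nat destination: match destination-address/port, then destination-nat pool
    from_zone: str
    dst: str
    dport: Optional[int]
    pool_ip: str
    pool_port: Optional[int]


@dataclass
class SourceRule:      # security nat source: one rule of the (from_zone, to_zone) rule-set
    name: str
    from_zone: str
    to_zone: str
    src: str
    dst: Optional[str]
    nat_to: str        # "interface", or a representative address of the pool


def route_zone(dst: str, routes: List[Tuple[str, str]]) -> str:
    """Longest-prefix match on the already translated destination: the to-zone for policy and source NAT."""
    matches = [(net(p), zone) for p, zone in routes if in_net(dst, p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def apply_nat(pkt: Packet, static_rules: List[StaticRule], dest_rules: List[DestRule],
              source_rules: List[SourceRule], routes: List[Tuple[str, str]],
              interface_ip: str) -> Tuple[Packet, str, List[str]]:
    """Return (translated packet, to-zone, trace) in SRX order: static, destination, route lookup, source."""
    p, trace = replace(pkt), []
    # 1. Static NAT in the forward direction wins over destination NAT for the same destination
    static = next((r for r in static_rules if r.from_zone == p.from_zone and r.external == p.dst), None)
    if static:
        p.dst = static.internal
        trace.append("static-nat")
    else:
        # 2. Destination NAT: first matching rule of the from-zone rule-set
        for r in dest_rules:
            if r.from_zone == p.from_zone and in_net(p.dst, r.dst) and r.dport in (None, p.dport):
                p.dst = r.pool_ip
                if r.pool_port is not None:
                    p.dport = r.pool_port
                trace.append("destination-nat")
                break
    # 3. Route lookup on the translated destination picks the to-zone; the policy is evaluated
    #    at this point, which is why the policy has to name the internal address and port
    to_zone = route_zone(p.dst, routes)
    # 4. Reverse static NAT (internal host going out) takes precedence over source NAT rules
    reverse = next((r for r in static_rules if r.internal == p.src and r.from_zone == to_zone), None)
    if reverse:
        p.src = reverse.external
        trace.append("static-nat-reverse")
    else:
        for r in source_rules:   # first match wins, so rule order inside the rule-set matters
            if (r.from_zone, r.to_zone) == (p.from_zone, to_zone) and in_net(p.src, r.src) and in_net(p.dst, r.dst):
                p.src = interface_ip if r.nat_to == "interface" else r.nat_to
                trace.append("source-nat:" + r.name)
                break
    return p, to_zone, trace


# Lab data from the sections above; the routes and the pool address shown are assumptions
OUTSIDE_IP = "202.100.1.1"
ROUTES = [("10.1.1.0/24", "Inside1"), ("0.0.0.0/0", "Outside")]
STATIC = [StaticRule("Outside", "202.100.1.221", "10.1.1.1")]
DEST = [DestRule("Outside", "202.100.1.201/32", 2323, "10.1.1.1", 23)]
POOL_RULE = SourceRule("Inside1-Outside-Address-Pools", "Inside1", "Outside", "10.1.1.0/24", None, "202.100.1.101")
IFACE_RULE = SourceRule("Inside1-Outside-Interface-NAT", "Inside1", "Outside", "10.1.1.0/24", "202.100.1.0/24", "interface")


def demo(pkt: Packet, source_rules: List[SourceRule]) -> Tuple[Packet, str, List[str]]:
    return apply_nat(pkt, STATIC, DEST, source_rules, ROUTES, OUTSIDE_IP)


if __name__ == "__main__":
    for pkt in (Packet("Outside", "202.100.1.50", 40000, "202.100.1.201", 2323),   # destination NAT
                Packet("Outside", "202.100.1.50", 40001, "202.100.1.221", 22),     # static NAT inbound
                Packet("Inside1", "10.1.1.1", 5000, "202.100.1.50", 80),           # static NAT outbound
                Packet("Inside1", "10.1.1.20", 5001, "202.100.1.50", 80)):         # pool rule first
        print(demo(pkt, [POOL_RULE, IFACE_RULE]))
    print(demo(Packet("Inside1", "10.1.1.20", 5001, "202.100.1.50", 80), [IFACE_RULE, POOL_RULE]))  # interface rule first
```

The last two runs differ only in rule order within the source rule-set, which is exactly what the insert ... before command in Part 3 changes; the third run shows the static mapping overriding the pool for 10.1.1.1.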


To keep the firewall's own interface IP unexposed, map port 22 of the firewall's internal address to port 1021 of the public address 113.106.95.x; the firewall is then managed from outside through 113.106.95.x port 1021:

set security zones security-zone trust address-book address juniper2541 192.168.254.1/32

# define the address object

set applications application juniper1021 protocol tcp

set applications application juniper1021 source-port 0-65535

set applications application juniper1021 destination-port 1021-1021

set applications application juniper1021 inactivity-timeout 1800

# custom application for TCP port 1021 (no predefined junos-* application covers this port, so it has to be defined)

set security nat destination pool 2541 address 192.168.254.1/32

set security nat destination pool 2541 address port 22

set security nat destination rule-set 1 from zone untrust

set security nat destination rule-set 1 rule 2541 match source-address 0.0.0.0/0

set security nat destination rule-set 1 rule 2541 match destination-address 113.106.95.x/32

set security nat destination rule-set 1 rule 2541 match destination-port 1021

set security nat destination rule-set 1 rule 2541 then destination-nat pool 2541

# NAT

set security nat proxy-arp interface ge-0/0/0.0 address 113.106.95.x/32

# proxy ARP

set security policies from-zone untrust to-zone trust policy yc2541 match source-address any

set security policies from-zone untrust to-zone trust policy yc2541 match destination-address juniper2541

set security policies from-zone untrust to-zone trust policy yc2541 match application juniper1021

set security policies from-zone untrust to-zone trust policy yc2541 then permit

# policy

Caveats on this mapping: the policy is evaluated after destination NAT, so it sees destination port 22 rather than 1021; as in Part 4 above (junos-telnet for the 2323 to 23 mapping), the application here should be junos-ssh, which makes the juniper1021 application unnecessary. A non-standard port hides the SSH service only from casual scans, so restrict match source-address in both the NAT rule and the policy to the management prefix instead of 0.0.0.0/0 and any. Because the translated destination is the SRX itself, SSH must also be enabled under host-inbound-traffic system-services for the zone that receives the session. Confirm with run show security flow session that the session is created and translated as intended before relying on the mapping.