Juniper SRX防火墙-NAT
2013-05-08 08:46
302 查看
Juniper SRX防火墙-NAT学习笔记!!
Junos NAT第一部分:SRX NAT介绍
第二部分:Source NAT:Interface NAT
第三部分:Source NAT:Address Pools
第四部分:Destination NAT
第五部分:Static NAT
--------------------------------------------------
SRX Nat介绍
1、Source NAT //转换源的NAT,NAT+Gloabl
2、Destination NAT //Static pat
3、Static NAT //静态一对一转换
SRX NAT处理流程 :
优先static nat ------destination nat-------source nat
NAT 查询与处理顺序
--------------------------------------------------
第二部分:Source NAT: Interface NAT
Interface NAT
SRX platforms support NAT configuration where the source IP addresses in flows are translated to the address assigned to the security platform's own outgoing interface.This behavior is commonly called interface NAT and is similar to the NAT mode interface
configuration in Screen OS.
SP1-------------SRX------------Inside1
202.100.1.0/24 10.1.1.0/24
将内部10.1.1.0/24做PAT
配置策略,让Inside能正常访问Outside!!
edit security policies from-zone Inside1 to-zone Outside policy Permit-ALL
set match source-address any
set match destination-address any
set match application any
set then permit
set then log session-init session-close
配置Log
edit system syslog file nat-log
set any any
set match RT_FLOW_SESSION
配置NAT:
edit security nat source rule-set NAT-Policy //rule-set一系列NAT的集合
set from zone Inside1
set to zone Outside
edit rule Inside1-Outside-Interface-NAT //rule
set match source-address 10.1.1.0/24
set match desnation-address 202.100.1.0/24 //可选配置,上网就不需要了
set then source-nat interface
commit //提交并应用!
show security flow session
show log nat-log //查看NAT转换项!!
show security nat source rule all //查看NAT转换类型..
---------------------------------------------------
第三部分:Source NAT:Address Pool
复用外部地址池
edit security nat source
set pool nat-pool address 202.100.1.101/32 to 202.100.1.103/32
up
set proxy-arp interface fe-0/0/0.0 address 202.100.1.101/32 to 202.100.1.103/32 //严重注意,需要开启代理ARP
edit source rule-set NAT-Policy
edit rule Inside-Outside-Address-Pools
set match source-address 10.1.1.0/24
set then source-nat pool nat-pool //都是source,现在有两个rule,谁排前面谁优先!!
insert rule Inside1-Outside-Address-Pools before rule Inside1-Outside-Internet-NAT //将rule 地址池的NAT 靠前!!
run show security flow session //轮流的做PAT!
禁止PAT转换 //动态一对一,最后一个会话复用接口!
edit pool nat-pool
set port no-translation
set overflow-pool interface
set port-randomization disable //按顺序往上增长,复用地址端口!!
配置Persistent NAT //持久NAT,维护转换槽位,能正常看到NAT转换!!
edit security nat socure
edit rule-set NAT-Policy rule Inside1-Outside-Address-Pools
set then source-nat pool persistent-nat permit target-host-port
run show security flow session
run show security nat source persisten-nat-table all
---------------------------------------------------
第四部分:Destination NAT //思科static pat!!
将Inside1 10.1.1.1:23端口转换到外部地址202.100.1.201 2323端口!!
edit security nat destination
set pool Inside1-23 address 10.1.1.1/32 port 23
edit rule-set Outside-to-Inside1-Des-NAT
set from zone Outside
edit rule Inside1-Router-23
set match source-address 0/0
set match destination-address 202.100.1.201/32
set match destination-port 2323
set then destination-nat pool Inside1-23
up
edit proxy-arp interface fe-0/0/0.0 address 202.100.1.201/32
放行Inbound流量!
edit security zones security-zone Inside1
set address-book address Inside1-Router 10.1.1.1/32
up
up
edit policies from-zone Outside to-zone Inside1
edit policy Permit-Inside1-23
set match source-address any
set match destination-address Inside1-Router
set match application junos-telnet
set then permit
commit
------------------------------------------------------
第五部分:Static NAT,静态一对一!!即转换源也转换目的!!
edit security nat static
edit rule-set Outside-to-Inside
set from zone Outside
edit rule 1to1
set match destination-address 202.100.1.221/32
set then static-pat prefix 10.1.1.1/32
up
up
set proxy-arp interface fe-0/0/0.0 address 202.100.1.221/32
放行Inbound流量!
edit security zones security-zone Inside1
set address-book address Inside1-Router 10.1.1.1/32
up
up
edit policies from-zone Outside to-zone Inside1
edit policy Permit-Inside1-23
set match source-address any
set match destination-address Inside1-Router
set match application junos-telnet
set then permit
commit
出和入都能正常转换!!
run showsecurity flow session !!
/article/4348415.html
为保证防火墙接口IP的安全,将防火墙的内网IP的22端口映射其它公网113.106.95.x的1021端口,平常外网通过113.106.95.x的1021端口访问操作防火墙:
set security zones security-zone trust address-book address juniper2541 192.168.254.1/32
#建立元素
set applications application juniper1021 protocol tcp
set applications application juniper1021 source-port 0-65535
set applications application juniper1021 destination-port 1021-1021
set applications application juniper1021 inactivity-timeout 1800
#服务1021端口系统自带。所以不需要新建
set security nat destination pool 2541 address 192.168.254.1/32
set security nat destination pool 2541 address port 22
set security nat destination rule-set 1 from zone untrust
set security nat destination rule-set 1 rule 2541 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 2541 match destination-address 113.106.95.x/32
set security nat destination rule-set 1 rule 2541 match destination-port 1021
set security nat destination rule-set 1 rule 2541 then destination-nat pool 2541
#NAT
set security nat proxy-arp interface ge-0/0/0.0 address 113.106.95.x/32
#代理
set security policies from-zone untrust to-zone trust policy yc2541 match source-address any
set security policies from-zone untrust to-zone trust policy yc2541 match destination-address juniper2541
set security policies from-zone untrust to-zone trust policy yc2541 match application juniper1021
set security policies from-zone untrust to-zone trust policy yc2541 then permit
#策略
相关文章推荐
- Juniper srx防火墙NAT配置
- Juniper SRX防火墙-NAT学习笔记!!
- Juniper老司机经验谈(SRX防火墙NAT与策略篇)视频课程上线了
- Juniper SRX防火墙-NAT学习笔记!
- juniper SRX防火墙NAT测试
- Juniper防火墙DIP(NAT)配置
- juniper防火墙(SSG and SRX)排障抓包命令
- 1、SRX防火墙Static NAT解决内网无法通过公网访问内网服务问题
- juniper srx防火墙,ex交换机,wlc880无线控制台的配置
- juniper路由器与SRX防火墙运行静态路由
- Juniper SRX系列防火墙 配置文档
- Juniper SRX----------静态路由&NAT
- Ping通Juniper SRX防火墙接口条件
- Juniper SRX防火墙已经录制到第7部分
- Juniper SRX防火墙入门之如何创建Zone
- 现任明教教主Juniper SRX防火墙开课通知
- Juniper Junos SRX NAT ARP代理
- Juniper SRX防火墙与Juniper ScreenOS防火墙配置不同点之一
- Juniper防火墙基于策略NAT实现与接口不同网段公网IP对内网地址的映射
- Juniper SRX220防火墙CPU达到100%的故障解决办法