Juniper SRX550防火墙NAT配置
1、Source NAT
对于不须要作NAT的网段(好比IPSec×××),须要先关闭这些地址的NAT(若是没有则跳过)服务器
set security nat source rule-set trust-untrust rule no-nat match source-address 192.168.0.0/16app
set security nat source rule-set trust-untrust rule no-nat match destination-address 10.10.0.0/24tcp
set security nat source rule-set trust-untrust rule no-nat then source-nat offide
对于须要上网或者全部的网段(作地址转换的网段),作source-natspa
首先定义一个地址池(要转换的公网地址):server
set security nat source pool natpool1 address 112.48.20.11/32 to 112.48.20.15/32接口
set security nat source pool natpool2 address 112.48.20.21/32 to 112.48.20.30/32ci
配置NAT规则匹配源、目、转换地址池it
set security nat source rule-set trust-untrust from zone trustio
set security nat source rule-set trust-untrust to zone untrust
//匹配特定的地址进行转换(没有特定可省略)
set security nat source rule-set trust-untrust rule nat1 match source-address 0.0.0.0/0
set security nat source rule-set trust-untrust rule nat1 match destination-address 183.253.58.253/32
set security nat source rule-set trust-untrust rule nat1 then source-nat pool natpool1
//默认全部的源、目地址进行转换
set security nat source rule-set trust-untrust rule nat2 match source-address 0.0.0.0/0
set security nat source rule-set trust-untrust rule nat2 match destination-address 0.0.0.0/0
set security nat source rule-set trust-untrust rule nat2 then source-nat pool natpool2
若是NAT地址池有多个地址,除了接口地址,那么其它地址须要作proxy-arp
set security nat proxy-arp interface ge-0/0/0.0 address 112.48.20.11/32 to 112.48.20.15/32
set security nat proxy-arp interface ge-0/0/0.0 address 112.48.20.21/32 to 112.48.20.30/32
作完这些就能够了? NO! NO! NO!防火墙域间策略不能忘
//首先定义两个地址池,并加入到地址组NET中
set security zones security-zone trust address-book address 192.168.100.0 192.168.100.0/24
set security zones security-zone trust address-book address 192.168.200.0 192.168.200.0/24
set security zones security-zone trust address-book address-set NET address 192.168.100.0
set security zones security-zone trust address-book address-set NET address 192.168.200.0
//将地址组匹配到trust到untrust的策略中,并放行
set security policies from-zone trust to-zone untrust policy 1 match source-address NET
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit
到此,这192.168.100.0和192.168.200.0就能够经过NAT上网了
2、Destination NAT
部分服务器须要映射到公网去,怎么作呢?那么往下看:
//首先建立要映射的服务器地址池(包括IP地址和端口)
set security nat destination pool 1 address 192.168.168.168/32
set security nat destination pool 1 address port 443
//建立Destination NAT规则要映射的服务器地址池(包括IP地址和端口)
set security nat destination rule-set desnat from zone untrust
set security nat destination rule-set desnat to zone trust
set security nat destination rule-set desnat rule server1 match source-address 0.0.0.0/0
//匹配访问112.48.20.2的4430端口转换到内网服务器的443端口
set security nat destination rule-set desnat rule server1 match destination-address 112.48.20.2/32
set security nat destination rule-set desnat rule server1 match destination-port 4430
set security nat destination rule-set desnat rule server1 then destination-nat pool 1
还有必不可少的防火墙域间策略
//建立内网服务器地址组及端口
set security zones security-zone trust address-book address server1 192.168.168.168/32
set applications application Service_4430 term Service_4430 protocol tcp
set applications application Service_4430 term Service_4430 source-port 0-65535
set applications application Service_4430 term Service_4430 destination-port 4430-4430
//建立untrust到trust的策略,目前地址匹配内网服务器地址及端口
set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address server1
set security policies from-zone untrust to-zone trust policy 1 match application Service_4430
set security policies from-zone untrust to-zone trust policy 1 then permit
至此,外网就能够使用http://112.48.20.2:4430/访问内网的服务器了
还有一个问题,此时内网的用户却不能使用这个公网地址访问内部的服务器,这个须要在NAT上再作一个内部的地址转换,以下:
//建立一个源地址映射的地址池(内部服务器映射的地址)
set security nat source pool sorpool4 address 112.48.20.2/32
//建立trust到trust的策略以下
set security nat source rule-set trust-trust from zone trust
set security nat source rule-set trust-trust to zone trust
set security nat source rule-set trust-trust rule server1 match source-address 0.0.0.0/0
set security nat source rule-set trust-trust rule server1 match destination-address 192.168.168.168/32
set security nat source rule-set trust-trust rule server1 match destination-port 443
set security nat source rule-set trust-trust rule server1 then source-nat pool sorpool4
至此,内网也能够经过公网地址访问内部服务器了!!!
若有雷同,纯属巧合,欢迎指正!
- 1. Juniper防火墙DIP(NAT)配置
- 2. Juniper防火墙MIP配置
- 3. juniper防火墙×××的配置
- 4. juniper防火墙开启NAT功能
- 5. juniper SRX防火墙NAT测试
- 6. 三、防火墙配置(2)---防火墙NAT配置
- 7. Juniper防火墙配置备份
- 8. Juniper SRX防火墙HA配置
- 9. Juniper SSG520 防火墙MIP配置
- 10. juniper SRX防火墙配置详解
- 更多相关文章...
- • 使用TCP协议检测防火墙 - TCP/IP教程
- • Eclipse Debug 配置 - Eclipse 教程
- • IntelliJ IDEA 代码格式化配置和快捷键
- • IDEA下SpringBoot工程配置文件没有提示
-
每一个你不满意的现在,都有一个你没有努力的曾经。
- 1. CVPR 2020 论文大盘点-光流篇
- 2. Photoshop教程_ps中怎么载入图案?PS图案如何导入?
- 3. org.pentaho.di.core.exception.KettleDatabaseException:Error occurred while trying to connect to the
- 4. SonarQube Scanner execution execution Error --- Failed to upload report - 500: An error has occurred
- 5. idea 导入源码包
- 6. python学习 day2——基础学习
- 7. 3D将是页游市场新赛道?
- 8. osg--交互
- 9. OSG-交互
- 10. Idea、spring boot 图片(pgn显示、jpg不显示)解决方案