JUNIPER SRX双ISP部署Destination-nat配置实验1.0

时间 2019-12-22

标签 juniper srx isp 部署 destination nat 配置实验 1.0 栏目系统安全繁體版

原文原文链接

企业网环境中，客户一般会部署多条运营商线路。同一台服务器的不一样端口会经过不一样运营商线的线路发布出去。也有客户会问:没法经过ISP2的地址管理设备。咱们经过简单的路由实例就能够实现这一要求。web

实验拓扑：浏览器

实验需求：1.客户经过电信访问服务器8080端口，经过联通ip访问服务器80端口；服务器

2.（后续）SRX监控电信的443端口，一旦443单口被封掉，业务当即切换到联通ip的443。ide

实验配置：测试

1.接口：优化

set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.2/24
spa

set interfaces ge-0/0/1 unit 0 family inet address 10.10.10.2/24
3d

set interfaces ge-0/0/2 unit 0 family inet address 172.16.10.1/24
orm

2.主路由inet.0：router

set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1

set routing-options static route 172.188.10.0/24 next-hop st0.1

3.路由实例：

set routing-options interface-routes rib-group inet share

set routing-options rib-groups share import-rib inet.0

set routing-options rib-groups share import-rib isp2.inet.0

set routing-instances isp2 instance-type virtual-router

set routing-instances isp2 interface ge-0/0/1.0

set routing-instances isp2 routing-options static route 0.0.0.0/0 next-hop 10.10.10.1

4.NAT设置：

set security nat source rule-set 1 from zone trust

set security nat source rule-set 1 to zone untrust

set security nat source rule-set 1 rule 1 match source-address 0.0.0.0/0

set security nat source rule-set 1 rule 1 match destination-address 0.0.0.0/0

set security nat source rule-set 1 rule 1 then source-nat interface

set security nat source rule-set 2 from zone trust

set security nat source rule-set 2 to zone isp2

set security nat source rule-set 2 rule 2 match source-address 0.0.0.0/0

set security nat source rule-set 2 rule 2 match destination-address 0.0.0.0/0

set security nat source rule-set 2 rule 2 then source-nat interface

set security nat destination pool test address 172.16.10.2/32

set security nat destination pool test address port 23

set security nat destination pool test_web address 172.16.10.2/32

set security nat destination pool test_web address port 8080

set security nat destination rule-set 1 from zone isp2

set security nat destination rule-set 1 rule 1 match destination-address 10.10.10.2/32

set security nat destination rule-set 1 rule 1 match destination-port 23

set security nat destination rule-set 1 rule 1 then destination-nat pool test

set security nat destination rule-set 2 from zone untrust

set security nat destination rule-set 2 rule 2 match destination-address 1.1.1.2/32

set security nat destination rule-set 2 rule 2 match destination-port 8080

set security nat destination rule-set 2 rule 2 then destination-nat pool test_web

实验验证：

1.测试联通线路NAT端口。实验环境就用telnet的23号端口作测试。从2.2.2.2上telnet 10.10.10.2 23端口登陆到了server:

查看10.10.10.2上的NAT HIT：

nat装换成功。

查看10.10.10.2上的会话：

2.测试电信线路8080端口，用web代替。远端pc浏览器输入1.1.1.2端口8080跳转到了server的web管理界面：

正常的业务流量就经过电线的ip出去：

老司机们常常会提到一个问题，就是xx环境不太好，考虑到实际状况下运营商物理线路不多会出问题，后续针对500和433端口会作一些SRX上面的rpm实验，进而更加优化主备***和地址映射等相关功能。