Source NAT vs. destination NAT:

Source NAT use case: used when internal addresses access external addresses or resources; the address before translation is the internal source address, and the address after translation is the public address.

Direction: [source / internal address ------ translated to ------ public address];

Destination NAT use case: used when the public network needs to reach a specific internal IP, or a specific port on a specific internal IP; the address before translation is the public address, and the address after translation is the internal IP or IP:port.

Direction: [public address ------ translated to ------ internal / destination address];

1. Defining destination NAT

== Create the DNAT pool (the pool carries both the internal address and the translated port, so the published port 8089 below is mapped to 8088 on the server)

set security nat destination pool DP_TRUST_MQI_8088 address 172.22.201.19/32
set security nat destination pool DP_TRUST_MQI_8088 address port 8088

== Create the DNAT rule

A destination NAT rule-set must carry a from context; here that is zone ISP6, as the rule-set name and the inter-zone policy below indicate (this line was missing from the original listing):

set security nat destination rule-set DNAT_FROM_ISP6 from zone ISP6
set security nat destination rule-set DNAT_FROM_ISP6 rule ISP6_TO_LIMS_BY_Owenli match destination-address-name WAN3006_172
set security nat destination rule-set DNAT_FROM_ISP6 rule ISP6_TO_LIMS_BY_Owenli match destination-port 8089
set security nat destination rule-set DNAT_FROM_ISP6 rule ISP6_TO_LIMS_BY_Owenli then destination-nat pool DP_TRUST_MQI_8088

Note: WAN3006_172 is the public IP provided by the ISP; it is either an interface address or an address published via proxy ARP.

set security address-book global address WAN3006_172 210.X.X.172/32

== Create the inter-zone security policy

set security policies from-zone ISP6 to-zone trust policy ISP6_TO_TRUST_IMMQI_BY_KEVIN match source-address any
set security policies from-zone ISP6 to-zone trust policy ISP6_TO_TRUST_IMMQI_BY_KEVIN match destination-address QI_PRIVATE
set security policies from-zone ISP6 to-zone trust policy ISP6_TO_TRUST_IMMQI_BY_KEVIN match application tcp-80
set security policies from-zone ISP6 to-zone trust policy ISP6_TO_TRUST_IMMQI_BY_KEVIN match application tcp-8888
set security policies from-zone ISP6 to-zone trust policy ISP6_TO_TRUST_IMMQI_BY_KEVIN match application tcp-8089
set security policies from-zone ISP6 to-zone trust policy ISP6_TO_TRUST_IMMQI_BY_KEVIN then permit
set security policies from-zone ISP6 to-zone trust policy ISP6_TO_TRUST_IMMQI_BY_KEVIN then log session-init
set security policies from-zone ISP6 to-zone trust policy ISP6_TO_TRUST_IMMQI_BY_KEVIN then log session-close
set security policies from-zone ISP6 to-zone trust policy ISP6_TO_TRUST_IMMQI_BY_KEVIN then count

2. Defining source NAT [Design NAT to iplc]

== Define the rule-set's from/to zones

set security nat source rule-set SNAT_Design_TO_ISP1 from zone Design
set security nat source rule-set SNAT_Design_TO_ISP1 to zone ISP1

== Define the SNAT pool

set security nat source pool SP_ISP1_241 address 119.X.X.241/32

== Define the SNAT rule

set security nat source rule-set SNAT_Design_TO_ISP1 rule Design_TO_ISP1_ANY match source-address design_team
set security nat source rule-set SNAT_Design_TO_ISP1 rule Design_TO_ISP1_ANY match destination-address 0.0.0.0/0
set security nat source rule-set SNAT_Design_TO_ISP1 rule Design_TO_ISP1_ANY then source-nat pool SP_ISP1_241

The block below reuses the same rule name, so it adds cnspdc4 as a second entry in that rule's source-address list (match source-address accepts several entries) rather than creating a separate rule; the repeated destination-address and then lines simply restate what is already set.

set security nat source rule-set SNAT_Design_TO_ISP1 rule Design_TO_ISP1_ANY match source-address cnspdc4
set security nat source rule-set SNAT_Design_TO_ISP1 rule Design_TO_ISP1_ANY match destination-address 0.0.0.0/0
set security nat source rule-set SNAT_Design_TO_ISP1 rule Design_TO_ISP1_ANY then source-nat pool SP_ISP1_241

=== Define the inter-zone security policy

set security policies from-zone Design to-zone ISP1 policy LEGACY_YF_DE_TO_ISP1 match source-address cnspdc4
set security policies from-zone Design to-zone ISP1 policy LEGACY_YF_DE_TO_ISP1 match destination-address any
set security policies from-zone Design to-zone ISP1 policy LEGACY_YF_DE_TO_ISP1 match application any
set security policies from-zone Design to-zone ISP1 policy LEGACY_YF_DE_TO_ISP1 then permit
set security policies from-zone Design to-zone ISP1 policy LEGACY_YF_DE_TO_ISP1 then log session-init
set security policies from-zone Design to-zone ISP1 policy LEGACY_YF_DE_TO_ISP1 then log session-close
set security policies from-zone Design to-zone ISP1 policy LEGACY_YF_DE_TO_ISP1 then count

=== If you already have N policies, you may need to adjust the position (i.e. the priority) of the newly added policy; the exact order depends on what the policies match;
=== Move policy LIMS-XQ-TEST-OWEN-EDIT so that it sits before policy DENY

insert security policies from-zone ISP6 to-zone trust policy LIMS-PY-OWEN-EDIT before policy DENY

3. Verifying that the policy takes effect

show security flow session nat interface reth15.3006

Note: reth15.3006 belongs to zone ISP6, so list the sessions on reth15.3006 and look for the inter-zone security policy defined above. If it appears, the policy works; if it does not, either the policy is wrong or its position in the policy order is wrong;

[Figure 1: Juniper SRX 240 Source NAT & Destination NAT, session output for reth15.3006]

show security flow session nat interface reth15.3006 destination-port 443

Note: you can also add parameters such as destination-port, source-port, source-prefix or destination-prefix to match the traffic passing through zone ISP6 more precisely and judge from the result whether the policy was applied successfully. Filtering by port is especially suited to the case where an internal server's service is published to the outside on a particular port and then verified.

[Figure 2: Juniper SRX 240 Source NAT & Destination NAT, session output filtered by destination-port 443]
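As an added example (not part of the original post and not Juniper's tooling), here is a small Python parser for the `show security flow session` output used in Part 3. It extracts each session's policy name and its In/Out wings, infers from the two wings whether destination NAT (Part 1) or source NAT (Part 2) was applied, and checks the Part 1 case end to end (published address on port 8089 translated to 172.22.201.19 on port 8088). The sample output is constructed: 198.51.100.172 stands in for the redacted public address 210.X.X.172, 198.51.100.241 for the pool address 119.X.X.241, and the session IDs, client addresses and counters are made up. One detail worth knowing when the expected policy name does not show up: SRX applies destination NAT before the policy lookup, so the Out wing's source (172.22.201.19/8088 here) is the destination the security policy was actually evaluated against.

```python
"""Parse Junos 'show security flow session' output and infer NAT per session.

Added example, not from the original post. Assumes the session block layout
used in the constructed SAMPLE below (a 'Session ID' header followed by an
'In:' wing and an 'Out:' wing), which is the usual SRX format.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample output (not captured from a real device).
# 198.51.100.172 stands in for the redacted public address WAN3006_172 and
# 198.51.100.241 for the source NAT pool address SP_ISP1_241.
SAMPLE = """\
Session ID: 40011, Policy name: ISP6_TO_TRUST_IMMQI_BY_KEVIN/12, Timeout: 1798, Valid
  In: 203.0.113.50/51522 --> 198.51.100.172/8089;tcp, Conn Tag: 0x0, If: reth15.3006, Pkts: 12, Bytes: 1480,
  Out: 172.22.201.19/8088 --> 203.0.113.50/51522;tcp, Conn Tag: 0x0, If: reth0.0, Pkts: 9, Bytes: 2210,
Session ID: 40012, Policy name: LEGACY_YF_DE_TO_ISP1/8, Timeout: 1796, Valid
  In: 10.20.30.40/44100 --> 203.0.113.9/443;tcp, Conn Tag: 0x0, If: reth1.100, Pkts: 5, Bytes: 610,
  Out: 203.0.113.9/443 --> 198.51.100.241/21033;tcp, Conn Tag: 0x0, If: reth15.3001, Pkts: 4, Bytes: 3300,
Total sessions: 2
"""

HEADER_RE = re.compile(r"^Session ID: (?P<sid>\d+), Policy name: (?P<policy>\S+?)/\d+,")
WING_RE = re.compile(
    r"^\s*(?P<dir>In|Out): (?P<src>\S+)/(?P<sport>\d+) --> "
    r"(?P<dst>\S+)/(?P<dport>\d+);(?P<proto>\w+),.*?\bIf: (?P<ifname>[^,]+),"
)


@dataclass
class Wing:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    ifname: str


@dataclass
class Session:
    sid: int
    policy: str                      # policy name without the trailing /index
    wing_in: Optional[Wing] = None   # forward direction, as the packet arrived
    wing_out: Optional[Wing] = None  # reverse direction, with translated addresses


def parse_sessions(text: str) -> List[Session]:
    """Turn the CLI text into Session objects; lines that match nothing are ignored."""
    sessions: List[Session] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            sessions.append(Session(int(m["sid"]), m["policy"]))
            continue
        m = WING_RE.match(line)
        if m and sessions:
            wing = Wing(m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                        m["proto"], m["ifname"])
            if m["dir"] == "In":
                sessions[-1].wing_in = wing
            else:
                sessions[-1].wing_out = wing
    return sessions


def nat_kinds(s: Session) -> Set[str]:
    """Infer DNAT/SNAT by comparing the wings: the Out wing's source is the
    post-DNAT server and its destination is the post-SNAT client."""
    kinds: Set[str] = set()
    i, o = s.wing_in, s.wing_out
    if i is None or o is None:
        return kinds
    if (i.dst, i.dport) != (o.src, o.sport):
        kinds.add("DNAT")
    if (i.src, i.sport) != (o.dst, o.dport):
        kinds.add("SNAT")
    return kinds


def sessions_for_policy(sessions: List[Session], policy: str) -> List[Session]:
    """Sessions that hit the given policy; an empty result means the policy never
    matched (wrong policy, or another policy such as DENY sits before it)."""
    return [s for s in sessions if s.policy == policy]


def dnat_matches(s: Session, public_ip: str, public_port: int,
                 private_ip: str, private_port: int) -> bool:
    """True when traffic arrived on the published address/port and was
    translated to the expected internal address/port."""
    i, o = s.wing_in, s.wing_out
    return (i is not None and o is not None
            and (i.dst, i.dport) == (public_ip, public_port)
            and (o.src, o.sport) == (private_ip, private_port))


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(f"session {s.sid}: policy={s.policy} nat={sorted(nat_kinds(s))} "
              f"in_if={s.wing_in.ifname} out_if={s.wing_out.ifname}")
```

Feed it the real CLI output (for example from `show security flow session nat interface reth15.3006 | no-more`) and filter with `sessions_for_policy` for the policy name you expect; a session that exists but carries a different policy name is the ordering problem described in Part 2, while a session with the right policy but failing `dnat_matches` points at the pool or rule definition rather than the policy.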