SRX source NAT
set interfaces ge-0/0/0 unit 0 family inet address 192.168.2.254/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.114.190/24
set interfaces ge-0/0/2 unit 0 family inet address 172.16.2.254/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.114.254
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone dmz interfaces ge-0/0/2.0
set security zones security-zone dmz interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
set security zones security-zone dmz interfaces ge-0/0/2.0 host-inbound-traffic system-services ssh
set security zones security-zone trust address-book address trust-add 192.168.2.0/24
set security policies from-zone trust to-zone untrust policy trust-untrust match source-address trust-add
set security policies from-zone trust to-zone untrust policy trust-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-untrust then permit
1、Source NAT(端口转换)
set security nat source rule-set source-NAT from zone trust
set security nat source rule-set source-NAT to zone untrust
set security nat source rule-set source-NAT rule PAT match source-address 192.168.2.0/24
set security nat source rule-set source-NAT rule PAT then source-nat interface
2、Source NAT(地址池)
set security nat source pool source-NAT-POOL address 192.168.114.100/32 to 192.168.114.110/32 //地址池转换将会轮询做地址转换//
set security nat source rule-set source-NAT from zone trust
set security nat source rule-set source-NAT to zone untrust
set security nat source rule-set source-NAT rule NAT1 match source-address 192.168.2.0/24
set security nat source rule-set source-NAT rule NAT1 then source-nat pool source-NAT-POOL
set security nat proxy-arp interface ge-0/0/1.0 address 192.168.114.100/32 to 192.168.114.110/32 //需要为地址池转换方式设置ARP代理//
# run show security nat source rule all
root@vSRX# run show security policies
root@vSRX# run show security flow session
SessionID: 2579, Policy name: trust-untrust/7, Timeout: 2, Valid
In: 192.168.2.110/5632 --> 192.168.114.20/512;icmp,If: ge-0/0/0.0, Pkts: 1, Bytes: 60
Out: 192.168.114.20/512 --> 192.168.114.106/1138;icmp,If: ge-0/0/1.0, Pkts: 1, Bytes: 60
insert rule-set source-NAT rule NAT1 before rule PAT //把NAT1 Rule插入到PAT Rule前面,先启用NAT pool转换,再使用PAT转换//
root@vSRX# run show security nat source summary
Total port number usage for port translation pool: 709632
Maximum port number for port translation pool: 16777216
Total pools: 1
Pool Address Routing PAT Total
Name Range Instance Address
source-NAT-POOL 192.168.114.100-192.168.114.110 default yes 11
Total rules: 2
Rule name Rule set From To Action
NAT1 source-NAT trust untrust source-NAT-POOL
PAT source-NAT trust untrust interface
root@vSRX# run show security flow session //地址轮询复用转换//
SessionID: 3017, Policy name: trust-untrust/7, Timeout: 2, Valid
In: 192.168.2.110/9728 -->192.168.114.20/512;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
Out: 192.168.114.20/512 --> 192.168.114.103/12564;icmp, If:ge-0/0/1.0, Pkts: 1, Bytes: 60
SessionID: 3018, Policy name: trust-untrust/7, Timeout: 2, Valid
In: 192.168.2.110/9984 -->192.168.114.20/512;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
Out: 192.168.114.20/512 -->192.168.114.104/16881;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
Total sessions: 2
SessionID: 3019, Policy name: trust-untrust/7, Timeout: 2, Valid
In: 192.168.2.110/10240 -->192.168.114.20/512;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
Out: 192.168.114.20/512 -->192.168.114.105/13679;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
SessionID: 3020, Policy name: trust-untrust/7, Timeout: 2, Valid
In: 192.168.2.110/10496 -->192.168.114.20/512;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
Out: 192.168.114.20/512 -->192.168.114.106/17443;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
Total sessions: 2
root@vSRX# set security nat source pool source-NAT-POOL port no-translation //禁止PAT转换,动态一对一,最后一个接口地址复用//
SessionID: 4546, Policy name: trust-untrust/7, Timeout: 1796, Valid
In: 192.168.2.110/1761 -->220.181.90.240/80;tcp, If: ge-0/0/0.0, Pkts: 4, Bytes: 912
Out: 220.181.90.240/80 --> 192.168.114.102/1761;tcp,If: ge-0/0/1.0, Pkts: 2, Bytes: 319
SessionID: 4556, Policy name: trust-untrust/7, Timeout: 1800, Valid
In: 192.168.2.110/1762 -->119.97.155.2/80;tcp, If: ge-0/0/0.0, Pkts: 34, Bytes: 2138
Out: 119.97.155.2/80 --> 192.168.114.102/1762;tcp,If: ge-0/0/1.0, Pkts: 61, Bytes: 75406
SessionID: 4557, Policy name: trust-untrust/7, Timeout: 1798, Valid
In: 192.168.2.110/1763 -->119.97.155.2/80;tcp, If: ge-0/0/0.0, Pkts: 7, Bytes: 837
Out: 119.97.155.2/80 --> 192.168.114.102/1763;tcp,If: ge-0/0/1.0, Pkts: 8, Bytes: 8278
SRX destination NAT(cisco static PAT静态端口映射)
将DMZ 172.16.2.22:23端口转换到untrust地址192.168.114.250: 2323端口
set security nat destination pool DMZ-Server-telnet address 172.16.2.22/32
set security nat destination pool DMZ-Server-telnet address port 23
set security nat destination pool DMZ-Server-http address 172.16.2.22/32
set security nat destination pool DMZ-Server-http address port 80
set security nat destination rule-set Dest-NAT from zone untrust
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-telnet match source-address 0.0.0.0/0
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-telnet match destination-address 192.168.114.114/32
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-telnet match destination-port 2323
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-telnet then destination-nat pool DMZ-Server-telnet
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-http match source-address 0.0.0.0/0
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-http match destination-address 192.168.114.114/32
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-http match destination-port 80
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-http then destination-nat pool DMZ-Server-http
set security nat proxy-arp interface ge-0/0/1.0 address 192.168.114.114/32
set security zones security-zone dmz address-book address DMZ-Server 172.16.2.22/32
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ match source-address any
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ match destination-address DMZ-Server
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ match application junos-http
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ match application junos-telnet
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ then permit
Static NAT,静态一对一,既转换源也转换目的(outbound方向转换源,inbound方向转换目的)
set security nat static rule-set Static-NAT from zone untrust
set security nat static rule-set Static-NAT rule 1to1 match destination-address 192.168.114.250/32
set security nat static rule-set Static-NAT rule 1to1 then static-nat prefix 172.16.2.22/32
set security nat proxy-arp interface ge-0/0/1.0 address 192.168.114.250/32
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ-ftp match source-address any
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ-ftp match destination-address DMZ-Server
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ-ftp match application junos-ftp
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ-ftp then permit
#########################################################################################################
set system authentication-order [ radius password ]
set system radius-server 172.16.2.22 port 1812
set system radius-server 172.16.2.22 secret freeit123
set system radius-server 172.16.2.22 source-address 172.16.2.254
set system login user user1 authentication encrypted-password freeit123 //重要:在radius上创建的用户账户必须在本地创建该用户,
否则radius认证失败;如果radius服务器没有响应,则通过本地密码认证//
穿越防火墙的web认证:
set access profile WEBAUTH authentication-order password
set access profile WEBAUTH client user1 firewall-user password user1
set access firewall-authentication web-authentication default-profile WEBAUTH
set access firewall-authentication web-authentication banner success "web auth login success"
set system services web-management http interface ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services http
set interfaces ge-0/0/0 unit 0 family inet address 172.16.1.253/24 web-authentication http
set security policies from-zone trust to-zone dmz policy trust-dmz-p match source-address trust-add
set security policies from-zone trust to-zone dmz policy trust-dmz-p match destination-address dmz-add
set security policies from-zone trust to-zone dmz policy trust-dmz-p match application any
set security policies from-zone trust to-zone dmz policy trust-dmz-p then permit firewall-authentication web-authentication client-match user1
set security policies from-zone trust to-zone dmz policy trust-dmz-p then count
直通代理:
set access profile PT-AUTH authentication-order password
set access profile PT-AUTH client test firewall-user password "$9$I.4Rrvx7VY4Zdb"
set access firewall-authentication pass-through default-profile PT-AUTH
set access firewall-authentication pass-through http banner success "Login Success"
set security policies from-zone trust to-zone dmz policy trust-dmz-p match source-address trust-add
set security policies from-zone trust to-zone dmz policy trust-dmz-p match destination-address dmz-add
set security policies from-zone trust to-zone dmz policy trust-dmz-p match application any
set security policies from-zone trust to-zone dmz policy trust-dmz-p then permit firewall-authentication pass-through
set security policies from-zone trust to-zone dmz policy trust-dmz-p then count
set access profile PT-AUTH authentication-order radius
set access profile PT-AUTH radius-server 192.168.2.22 secret freeit123 //radius配置//