Juniper SRX Destination NAT


Rule-based destination address translation

[Figure 1]


[Figure 2]

Internet users reach the internal server 10.1.10.5 through the public address 100.0.0.1.

 

Single-address, all-port mapping:

Map the public IP 100.0.0.1 to the private IP 10.1.10.5.

[Figure 3]

The configuration consists of a pool and a rule. The following configuration does not enable PAT (the pool has no port, so the destination port is left unchanged).

[Figure 4]


Destination NAT with address pool:

[Figure 5]


[Figure 6]


Destination NAT with address pool:

[Figure 7]



The following configuration enables PAT:

Map the public IP and port 100.0.0.1:80 to the private IP and port 10.1.10.5:8080.

[Figure 8]


The configuration above enables PAT: port 80 of 100.0.0.1 is mapped to port 8080 of 10.1.10.5.

 

On NetScreen (ScreenOS) this feature is called VIP.

 

Rule-based NAT

Proxy ARP, so the SRX answers ARP for the public address on the untrust interface:

set security nat proxy-arp interface ge-0/0/0.0 address 222.0.0.5/32

Pool with a port (PAT) and pool without a port (address-only translation):

set security nat destination pool pool-1-8_8080 address 192.168.1.8/32
set security nat destination pool pool-1-8_8080 address port 8080

set security nat destination pool pool-1-8 address 192.168.1.8/32

Rule-set: rule rule13-30_80 maps 222.0.0.5:80 to 192.168.1.8:8080; rule rule111_8 maps every port of 111.0.0.8 to the same port on 192.168.1.8:

set security nat destination rule-set dst-nat-rule from zone untrust
set security nat destination rule-set dst-nat-rule rule rule13-30_80 match destination-address 222.0.0.5/32
set security nat destination rule-set dst-nat-rule rule rule13-30_80 match destination-port 80
set security nat destination rule-set dst-nat-rule rule rule13-30_80 then destination-nat pool pool-1-8_8080

set security nat destination rule-set dst-nat-rule rule rule111_8 match destination-address 111.0.0.8/32
set security nat destination rule-set dst-nat-rule rule rule111_8 then destination-nat pool pool-1-8

Can a single rule cover multiple ports or a port range? A pool carries only one port, so a one-to-one port mapping over a range needs one pool and one rule per port; the loop below generates them.

# bash: one destination pool and one rule per port in 15100-15200, each mapping
# 74.125.225.179:<port> to 10.10.10.10:<port>; paste the output into the Junos CLI
for i in {15100..15200}
do
echo "
set security nat destination pool VOIP_$i address 10.10.10.10/32
set security nat destination pool VOIP_$i address port $i
set security nat destination rule-set SET_1 rule VOIP_$i match source-address 0.0.0.0/0
set security nat destination rule-set SET_1 rule VOIP_$i match destination-address 74.125.225.179/32
set security nat destination rule-set SET_1 rule VOIP_$i match destination-port $i
set security nat destination rule-set SET_1 rule VOIP_$i then destination-nat pool VOIP_$i
"
done
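The same generator as a reusable function, added here as an illustration and not taken from the original post. It produces the per-port pool and rule commands for any contiguous range and validates the range first; the pool prefix VOIP_, the rule-set name SET_1 and the optional `from zone` line are assumptions chosen to match the loop above.

```python
"""Generate one destination-NAT pool and one rule per port for a contiguous
port range (added example; the names VOIP_<port> and SET_1 are assumptions
matching the loop on this page)."""
from typing import List, Optional


def dnat_port_range_config(public_ip: str, private_ip: str,
                           first_port: int, last_port: int,
                           rule_set: str = "SET_1", prefix: str = "VOIP",
                           from_zone: Optional[str] = None) -> List[str]:
    """Return Junos 'set' commands mapping public_ip:<p> to private_ip:<p>
    for every p in [first_port, last_port].

    A destination pool carries a single port, so each port needs its own
    pool and its own rule; a rule's destination-port range cannot express
    a one-to-one mapping.
    """
    if not (1 <= first_port <= last_port <= 65535):
        raise ValueError(f"invalid port range {first_port}-{last_port}")

    lines: List[str] = []
    if from_zone:
        # Rule-set needs a 'from' context once; optional here (assumed value).
        lines.append(f"set security nat destination rule-set {rule_set} "
                     f"from zone {from_zone}")

    for port in range(first_port, last_port + 1):
        name = f"{prefix}_{port}"
        pool = f"set security nat destination pool {name}"
        rule = f"set security nat destination rule-set {rule_set} rule {name}"
        lines += [
            f"{pool} address {private_ip}/32",
            f"{pool} address port {port}",                       # PAT target port
            f"{rule} match source-address 0.0.0.0/0",
            f"{rule} match destination-address {public_ip}/32",
            f"{rule} match destination-port {port}",
            f"{rule} then destination-nat pool {name}",
        ]
    return lines


if __name__ == "__main__":
    print("\n".join(dnat_port_range_config("74.125.225.179", "10.10.10.10",
                                           15100, 15200, from_zone="untrust")))
```

Every pool/rule name embeds the port, so `show security nat destination rule <name>` later tells you directly which external port a hit count belongs to.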


Multiple external ports mapped to one internal port

set security nat destination pool test3 address 192.168.1.8/32
set security nat destination pool test3 address port 8081

set security nat destination rule-set dst-nat-rule rule 12 match destination-address 222.0.0.8/32
set security nat destination rule-set dst-nat-rule rule 12 match destination-port 8080 to 8081
set security nat destination rule-set dst-nat-rule rule 12 then destination-nat pool test3

The rule matches the destination-port range 8080 to 8081, but the pool names a single port, so both external ports land on 192.168.1.8:8081.


Summary of port-level translation types

[Figure 9]

In the current version a pool does not support a port range (a rule may match a range, but the pool translates to one port).
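To make the three translation types concrete, here is an added model of how a destination-NAT rule-set rewrites a packet's destination; it is an illustration written for this page, not Junos code or a Juniper API. It uses the pools and rules configured above (pool-1-8_8080, pool-1-8, test3 and their rules), applies first-match ordering, and changes the port only when the pool names one.

```python
"""Toy model of SRX destination-NAT matching (added example, not Junos code).
Pools and rules below are transcribed from the configuration on this page."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Pool:
    """set security nat destination pool <name> address <prefix> [address port <p>]"""
    address: str                  # e.g. "192.168.1.8/32"
    port: Optional[int] = None    # None: keep the original destination port


@dataclass
class Rule:
    """One rule of a rule-set: match destination-address [destination-port], then pool."""
    name: str
    dst_address: str
    pool: str
    dst_ports: Optional[Tuple[int, int]] = None   # inclusive range; None = any port


POOLS: Dict[str, Pool] = {
    "pool-1-8_8080": Pool("192.168.1.8/32", 8080),   # PAT: fixed internal port
    "pool-1-8": Pool("192.168.1.8/32"),              # address-only translation
    "test3": Pool("192.168.1.8/32", 8081),           # target of the port-range rule
}

# Rules are evaluated in order; the first match wins.
RULES: List[Rule] = [
    Rule("rule13-30_80", "222.0.0.5/32", "pool-1-8_8080", (80, 80)),
    Rule("rule111_8", "111.0.0.8/32", "pool-1-8"),
    Rule("12", "222.0.0.8/32", "test3", (8080, 8081)),
]


def translate(dst_ip: str, dst_port: int,
              rules: List[Rule] = RULES,
              pools: Dict[str, Pool] = POOLS) -> Optional[Tuple[str, str, int]]:
    """Return (rule name, new destination IP, new destination port) for the
    first matching rule, or None when no rule matches (packet left untranslated)."""
    addr = ip_address(dst_ip)
    for rule in rules:
        if addr not in ip_network(rule.dst_address):
            continue
        if rule.dst_ports and not rule.dst_ports[0] <= dst_port <= rule.dst_ports[1]:
            continue
        pool = pools[rule.pool]
        new_ip = str(ip_network(pool.address).network_address)
        # Port is rewritten only when the pool carries a port (PAT).
        new_port = dst_port if pool.port is None else pool.port
        return rule.name, new_ip, new_port
    return None


if __name__ == "__main__":
    for ip, port in [("222.0.0.5", 80), ("222.0.0.5", 443), ("111.0.0.8", 443),
                     ("222.0.0.8", 8080), ("222.0.0.8", 8081), ("222.0.0.8", 8082)]:
        print(f"{ip}:{port} -> {translate(ip, port)}")
```

Running it shows the behaviour the verification section confirms on the device: 222.0.0.5:80 becomes 192.168.1.8:8080 (ports differ), 111.0.0.8:443 becomes 192.168.1.8:443 (address translated, port kept), and 222.0.0.8:8080 and :8081 both collapse onto 192.168.1.8:8081, while 222.0.0.5:443 and 222.0.0.8:8082 match no rule and pass untranslated.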


Verification

show security nat destination summary
show security nat destination pool poolXXX
show security nat destination rule rulexxx

show security flow session


View the NAT mappings and hit counts:

[Figure 10]


View the address pool configuration and hits:

[Figure 11]


Rule-based destination address translation

Check the NAT and PAT results:

user@host> show security flow session

[Figure 12]

You can see that for the port-level (PAT) sessions the external and internal ports differ, while for the IP-level sessions the address is translated in full and the port is left unchanged.

 

user@host> show security nat destination pool all

Verify the hit counts once more.