SRX Firewall Destination NAT Lab Guide


[Figure 1 from "Juniper SRX Firewall - Destination NAT (Part 2)"]

Plan:

1. External host: a Windows Server 2003 virtual machine simulates the external host and also acts as the DNS and HTTP server;

IP: 222.0.0.2/27

2. Internal host: a Windows XP virtual machine simulates the internal network and also acts as an HTTP server;

IP: 192.168.1.8/24

3. SRX firewall untrust address: 222.0.0.1/27

trust address: 192.168.1.1/24

4. Test software: HFS


Function verification (commands used to check the result)

 

show security nat destination summary

show security nat destination pool poolXXX

show security nat destination rule rulexxx

show security flow session


Lab script 1

set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24

set interfaces ge-0/0/1 unit 0 family inet address 222.0.0.1/27

 

set security nat destination pool pool-1-8_8080 address 192.168.1.8/32

set security nat destination pool pool-1-8_8080 address port 8080

set security nat destination pool pool-1-8 address 192.168.1.8/32

 

set security nat destination rule-set dst-nat-rule from zone untrust

 

set security nat destination rule-set dst-nat-rule rule rule13-30_80 match destination-address 222.0.0.5/32

set security nat destination rule-set dst-nat-rule rule rule13-30_80 match destination-port 80

set security nat destination rule-set dst-nat-rule rule rule13-30_80 then destination-nat pool pool-1-8_8080

set security nat destination rule-set dst-nat-rule rule rule111_8 match destination-address 111.0.0.8/32

set security nat destination rule-set dst-nat-rule rule rule111_8 then destination-nat pool pool-1-8

set security nat proxy-arp interface ge-0/0/1.0 address 222.0.0.5/32

 

set security policies from-zone trust to-zone untrust policy rule1 match source-address any

set security policies from-zone trust to-zone untrust policy rule1 match destination-address any

set security policies from-zone trust to-zone untrust policy rule1 match application any

set security policies from-zone trust to-zone untrust policy rule1 then permit

set security policies from-zone untrust to-zone trust policy rule01 match source-address any

set security policies from-zone untrust to-zone trust policy rule01 match destination-address any

set security policies from-zone untrust to-zone trust policy rule01 match application any

set security policies from-zone untrust to-zone trust policy rule01 then permit

 

set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services all

set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all


Batch NAT: one-to-one mapping of multiple addresses

set security nat destination pool test33 address 192.168.1.8/32 to 192.168.1.9/32

 

set security nat destination rule-set dst-nat-rule rule 12 match destination-address 111.0.0.1/31

set security nat destination rule-set dst-nat-rule rule 12 then destination-nat pool test33

 

Another way to write it:

replace pattern 111.0.0.1/31 with 111.0.0.2/31


How to do port-based NAT for PING

set security nat destination rule-set dst-nat-rule rule test-30_80 match destination-address 222.0.0.5/32

set security nat destination rule-set dst-nat-rule rule test-30_80 match protocol icmp

set security nat destination rule-set dst-nat-rule rule test-30_80 then destination-nat pool pool-1-8

 

ICMP has no explicit port, so a port cannot be defined directly. In the rule, match on protocol icmp or on application junos-icmp-ping; the pool cannot define a port either, so just use the server address.

Multiple external ports mapping to one internal port

set security nat destination pool test3 address 192.168.1.8/32

set security nat destination pool test3 address port 8081

 

set security nat destination rule-set dst-nat-rule rule 12 match destination-address 222.0.0.8/32

set security nat destination rule-set dst-nat-rule rule 12 match destination-port 8080 to 8081

set security nat destination rule-set dst-nat-rule rule 12 then destination-nat pool test3

 

set security nat proxy-arp interface ge-0/0/1.0 address 222.0.0.8/32


Session ID: 48695, Policy name: rule01/5, Timeout: 1748, Valid

In: 222.0.0.2/1129 --> 222.0.0.8/8080;tcp, If: ge-0/0/1.0, Pkts: 5, Bytes: 743

Out: 192.168.1.8/8081 --> 222.0.0.2/1129;tcp, If: ge-0/0/0.0, Pkts: 5, Bytes: 4206

 

Session ID: 69133, Policy name: rule01/5, Timeout: 1768, Valid

In: 222.0.0.2/1128 --> 222.0.0.8/8081;tcp, If: ge-0/0/1.0, Pkts: 11, Bytes: 1982

Out: 192.168.1.8/8081 --> 222.0.0.2/1128;tcp, If: ge-0/0/0.0, Pkts: 17, Bytes: 16539
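To confirm the translation from the session table rather than by eye, here is an added Python script (not part of the original guide and not Juniper code) that parses the two session entries above and checks that every connection arriving at 222.0.0.8 on 8080 or 8081 was delivered to 192.168.1.8 port 8081 while the client's own address and port stayed unchanged. The regular expressions assume the exact line layout shown above; the session text embedded in the script is copied from this page.

```python
import re

# Session entries copied from the `show security flow session` output above.
SESSION_OUTPUT = """\
Session ID: 48695, Policy name: rule01/5, Timeout: 1748, Valid
 In: 222.0.0.2/1129 --> 222.0.0.8/8080;tcp, If: ge-0/0/1.0, Pkts: 5, Bytes: 743
 Out: 192.168.1.8/8081 --> 222.0.0.2/1129;tcp, If: ge-0/0/0.0, Pkts: 5, Bytes: 4206

Session ID: 69133, Policy name: rule01/5, Timeout: 1768, Valid
 In: 222.0.0.2/1128 --> 222.0.0.8/8081;tcp, If: ge-0/0/1.0, Pkts: 11, Bytes: 1982
 Out: 192.168.1.8/8081 --> 222.0.0.2/1128;tcp, If: ge-0/0/0.0, Pkts: 17, Bytes: 16539
"""

HEADER_RE = re.compile(r"^Session ID:\s+(\d+),\s+Policy name:\s+(\S+),")
WING_RE = re.compile(
    r"^\s*(In|Out):\s+(\S+)/(\d+)\s+-->\s+(\S+)/(\d+);(\w+),\s+If:\s+([^\s,]+)"
)


def parse_sessions(text):
    """Parse the session dump into a list of dicts with 'In' and 'Out' wings."""
    sessions = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"id": int(m.group(1)), "policy": m.group(2)}
            sessions.append(current)
            continue
        m = WING_RE.match(line)
        if m and current is not None:
            wing, src, sport, dst, dport, proto, ifname = m.groups()
            current[wing] = {
                "src": (src, int(sport)),
                "dst": (dst, int(dport)),
                "proto": proto,
                "if": ifname,
            }
    return sessions


def check_dnat(session, external_ip, pool_ip, pool_port=None):
    """True if traffic sent to external_ip reached pool_ip (and pool_port, if given)
    and the reply goes straight back to the original client (no source NAT)."""
    inw, outw = session["In"], session["Out"]
    if inw["dst"][0] != external_ip:
        return False
    # The Out wing is the server side: its source is the translated destination.
    if outw["src"][0] != pool_ip:
        return False
    if pool_port is not None and outw["src"][1] != pool_port:
        return False
    return outw["dst"] == inw["src"]


def failing_sessions(text, external_ip, pool_ip, pool_port=None):
    """IDs of sessions addressed to external_ip that were NOT translated as expected."""
    return [
        s["id"]
        for s in parse_sessions(text)
        if s["In"]["dst"][0] == external_ip
        and not check_dnat(s, external_ip, pool_ip, pool_port)
    ]


if __name__ == "__main__":
    bad = failing_sessions(SESSION_OUTPUT, "222.0.0.8", "192.168.1.8", 8081)
    print("sessions not matching the expected translation:", bad)
```

Run it after pasting fresh `show security flow session` output into SESSION_OUTPUT; an empty list means every session to the external address was handed to the pool address and port, which is the check worth repeating whenever a pool or rule is changed.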



Multiple external ports mapping to multiple internal ports

set security nat destination pool test4 address 192.168.1.8/32

set security nat destination pool test4 address port 8080

set security nat destination pool test5 address 192.168.1.8/32

set security nat destination pool test5 address port 8081

set security nat destination pool test6 address 192.168.1.8/32

set security nat destination pool test6 address port 8082

 

set security nat destination rule-set des-nat rule 12 match destination-address 222.0.0.8/32

set security nat destination rule-set des-nat rule 12 match destination-port 8080

set security nat destination rule-set des-nat rule 12 then destination-nat pool test4

set security nat destination rule-set des-nat rule 13 match destination-address 222.0.0.8/32

set security nat destination rule-set des-nat rule 13 match destination-port 8081

set security nat destination rule-set des-nat rule 13 then destination-nat pool test5

set security nat destination rule-set des-nat rule 14 match destination-address 222.0.0.8/32

set security nat destination rule-set des-nat rule 14 match destination-port 8082

set security nat destination rule-set des-nat rule 14 then destination-nat pool test6
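The sections above each show one destination NAT case in isolation. The following Python model, added here and not part of the original guide or of Junos itself, puts the page's pools and rules into a single rule-set and walks through the lookup the SRX performs: first match in configuration order, destination-address prefix match, optional destination-port range and protocol match, and a pool port that overrides the packet's original port. Assumptions of this model: the two rules both named 12 in different sections are renamed 12-batch and 12-ports so they can share one rule-set; the /31 from the batch section is treated as the prefix 111.0.0.0/31, because 111.0.0.1/31 has a host bit set; and a range pool maps addresses one-to-one by their offset inside the matched prefix, which is the behaviour the batch section relies on. The class names and the dnat() helper are this example's own.

```python
from ipaddress import ip_address, ip_network


class Pool:
    """Destination pool: a single address or a contiguous range, optional port."""
    def __init__(self, first, last=None, port=None):
        self.first = ip_address(first)
        self.last = ip_address(last or first)
        self.port = port          # None: keep the packet's original port


class Rule:
    def __init__(self, name, dst_prefix, pool, ports=None, proto=None):
        self.name = name
        # strict=False clears host bits, so the page's 111.0.0.1/31 is
        # treated as the prefix 111.0.0.0/31 (an assumption of this model).
        self.dst = ip_network(dst_prefix, strict=False)
        self.pool = pool
        self.ports = ports        # (low, high) or None: any port
        self.proto = proto        # "icmp", "tcp", ... or None: any protocol


class RuleSet:
    def __init__(self, from_zone, rules):
        self.from_zone = from_zone
        self.rules = rules        # configuration order; first match wins


def matches(rule, pkt):
    if ip_address(pkt["dst_ip"]) not in rule.dst:
        return False
    if rule.proto is not None and pkt["proto"] != rule.proto:
        return False
    if rule.ports is not None:
        # ICMP carries no port, so it can never satisfy a destination-port match.
        port = pkt.get("dst_port")
        if port is None or not (rule.ports[0] <= port <= rule.ports[1]):
            return False
    return True


def translate(ruleset, pools, pkt):
    """Return (rule name, translated dst ip, translated dst port), or None."""
    if pkt["from_zone"] != ruleset.from_zone:
        return None
    for rule in ruleset.rules:
        if not matches(rule, pkt):
            continue
        pool = pools[rule.pool]
        # Range pools map one-to-one: the packet's offset inside the matched
        # prefix selects the address at the same offset inside the pool.
        offset = int(ip_address(pkt["dst_ip"])) - int(rule.dst.network_address)
        new_ip = pool.first + offset
        if new_ip > pool.last:
            raise ValueError(f"pool {rule.pool} does not cover the matched prefix")
        new_port = pool.port if pool.port is not None else pkt.get("dst_port")
        return (rule.name, str(new_ip), new_port)
    return None


# Pools and rules taken from the page, merged into one rule-set from zone untrust.
SRX_POOLS = {
    "pool-1-8_8080": Pool("192.168.1.8", port=8080),
    "pool-1-8":      Pool("192.168.1.8"),
    "test33":        Pool("192.168.1.8", "192.168.1.9"),
    "test3":         Pool("192.168.1.8", port=8081),
}

SRX_RULESET = RuleSet("untrust", [
    Rule("rule13-30_80", "222.0.0.5/32", "pool-1-8_8080", ports=(80, 80)),
    Rule("test-30_80",   "222.0.0.5/32", "pool-1-8", proto="icmp"),
    Rule("rule111_8",    "111.0.0.8/32", "pool-1-8"),
    Rule("12-batch",     "111.0.0.1/31", "test33"),
    Rule("12-ports",     "222.0.0.8/32", "test3", ports=(8080, 8081)),
])


def dnat(from_zone, proto, dst_ip, dst_port=None):
    pkt = {"from_zone": from_zone, "proto": proto,
           "dst_ip": dst_ip, "dst_port": dst_port}
    return translate(SRX_RULESET, SRX_POOLS, pkt)


if __name__ == "__main__":
    for args in [("untrust", "tcp", "222.0.0.5", 80),
                 ("untrust", "icmp", "222.0.0.5"),
                 ("untrust", "tcp", "111.0.0.1", 22),
                 ("untrust", "tcp", "222.0.0.8", 8080),
                 ("untrust", "tcp", "222.0.0.8", 8082)]:
        print(args, "->", dnat(*args))
```

Two details the model makes visible: a ping to 222.0.0.5 skips rule13-30_80 because that rule needs a destination port and ICMP has none, so the separate protocol icmp rule is what catches it; and a request to 222.0.0.8 on port 8082 gets no translation at all under the single-pool "8080 to 8081" rule, which is why the last section splits the ports into separate rules and pools.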