SRX Firewall Destination NAT Lab Guide
Plan:
1. External host: a Windows Server 2003 VM simulates the external host and also acts as DNS and HTTP server;
IP: 222.0.0.2/27
2. Internal host: a Windows XP VM simulates the internal network and also acts as HTTP server;
IP: 192.168.1.8/24
3. SRX firewall untrust address: 222.0.0.1/27
trust address: 192.168.1.1/24
4. Test software: HFS (HTTP File Server)
Verification commands (substitute the real pool and rule names for poolXXX and rulexxx):
show security nat destination summary
show security nat destination pool poolXXX
show security nat destination rule rulexxx
show security flow session
Lab script 1
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 222.0.0.1/27
set security nat destination pool pool-1-8_8080 address 192.168.1.8/32
set security nat destination pool pool-1-8_8080 address port 8080
set security nat destination pool pool-1-8 address 192.168.1.8/32
set security nat destination rule-set dst-nat-rule from zone untrust
set security nat destination rule-set dst-nat-rule rule rule13-30_80 match destination-address 222.0.0.5/32
set security nat destination rule-set dst-nat-rule rule rule13-30_80 match destination-port 80
set security nat destination rule-set dst-nat-rule rule rule13-30_80 then destination-nat pool pool-1-8_8080
set security nat destination rule-set dst-nat-rule rule rule111_8 match destination-address 111.0.0.8/32
set security nat destination rule-set dst-nat-rule rule rule111_8 then destination-nat pool pool-1-8
set security nat proxy-arp interface ge-0/0/1.0 address 222.0.0.5/32
set security policies from-zone trust to-zone untrust policy rule1 match source-address any
set security policies from-zone trust to-zone untrust policy rule1 match destination-address any
set security policies from-zone trust to-zone untrust policy rule1 match application any
set security policies from-zone trust to-zone untrust policy rule1 then permit
set security policies from-zone untrust to-zone trust policy rule01 match source-address any
set security policies from-zone untrust to-zone trust policy rule01 match destination-address any
set security policies from-zone untrust to-zone trust policy rule01 match application any
set security policies from-zone untrust to-zone trust policy rule01 then permit
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
Note: the any/any permit policies and system-services all on the untrust interface are lab conveniences only. On the SRX, destination NAT is applied before the security-policy lookup, so when the untrust-to-trust policy is tightened it must match the translated address 192.168.1.8, not 222.0.0.5. Proxy ARP is needed for 222.0.0.5 because it lies inside the untrust subnet 222.0.0.0/27; 111.0.0.8 is off-subnet and must instead be routed to the SRX untrust interface for rule111_8 to ever see traffic.
Bulk one-to-one NAT for a range of addresses
set security nat destination pool test33 address 192.168.1.8/32 to 192.168.1.9/32
set security nat destination rule-set dst-nat-rule rule 12 match destination-address 111.0.0.1/31
set security nat destination rule-set dst-nat-rule rule 12 then destination-nat pool test33
The pool range must contain the same number of addresses as the matched prefix (two here); the mapping is one-to-one by offset, so 111.0.0.0 goes to 192.168.1.8 and 111.0.0.1 to 192.168.1.9. Ports are not changed because the pool defines none.
Alternative form of the prefix, applied with the configuration-mode replace command (which rewrites every occurrence in the candidate configuration):
replace pattern 111.0.0.1/31 with 111.0.0.2/31
How to do port-based NAT for PING (ICMP)
set security nat destination rule-set dst-nat-rule rule test-30_80 match destination-address 222.0.0.5/32
set security nat destination rule-set dst-nat-rule rule test-30_80 match protocol icmp
set security nat destination rule-set dst-nat-rule rule test-30_80 then destination-nat pool pool-1-8
ICMP has no explicit port, so a destination-port cannot be defined for it.
The rule can match with protocol icmp, or with application junos-icmp-ping;
the pool must not define a port, just use the server address.
Multiple external ports mapped to one internal port
set security nat destination pool test3 address 192.168.1.8/32
set security nat destination pool test3 address port 8081
set security nat destination rule-set dst-nat-rule rule 12 match destination-address 222.0.0.8/32
set security nat destination rule-set dst-nat-rule rule 12 match destination-port 8080 to 8081
set security nat destination rule-set dst-nat-rule rule 12 then destination-nat pool test3
set security nat proxy-arp interface ge-0/0/1.0 address 222.0.0.8/32
Output of show security flow session after the external host connected to 222.0.0.8 on ports 8080 and 8081; both sessions land on 192.168.1.8 port 8081, and the client address is untouched because no source NAT is configured:
Session ID: 48695, Policy name: rule01/5, Timeout: 1748, Valid
In: 222.0.0.2/1129 --> 222.0.0.8/8080;tcp, If: ge-0/0/1.0, Pkts: 5, Bytes: 743
Out: 192.168.1.8/8081 --> 222.0.0.2/1129;tcp, If: ge-0/0/0.0, Pkts: 5, Bytes: 4206
Session ID: 69133, Policy name: rule01/5, Timeout: 1768, Valid
In: 222.0.0.2/1128 --> 222.0.0.8/8081;tcp, If: ge-0/0/1.0, Pkts: 11, Bytes: 1982
Out: 192.168.1.8/8081 --> 222.0.0.2/1128;tcp, If: ge-0/0/0.0, Pkts: 17, Bytes: 16539
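The following is an added example, not part of the original guide: it parses the `show security flow session` output shown above (copied verbatim as sample input) and checks that every session was translated the way the pool intends. The In wing carries the pre-NAT destination the client dialled; the Out wing's source is the post-NAT server address, so comparing the two proves which pool was applied. `parse_sessions()`, `check_dnat()` and `EXPECTED_MANY_TO_ONE` are this example's own helpers, not Junos commands.

```python
"""Parse `show security flow session` output and verify the destination-NAT result.

Added example for the SRX destination-NAT guide. The In wing holds the pre-NAT
destination (what the external client connected to) and the Out wing's source is
the post-NAT internal server, so In.dst -> Out.src is the mapping the pool applied.
"""
import re

# Session output from the guide, copied verbatim (real Junos output indents the
# In/Out lines with two spaces; the regex tolerates both forms).
SESSION_OUTPUT = """\
Session ID: 48695, Policy name: rule01/5, Timeout: 1748, Valid
In: 222.0.0.2/1129 --> 222.0.0.8/8080;tcp, If: ge-0/0/1.0, Pkts: 5, Bytes: 743
Out: 192.168.1.8/8081 --> 222.0.0.2/1129;tcp, If: ge-0/0/0.0, Pkts: 5, Bytes: 4206
Session ID: 69133, Policy name: rule01/5, Timeout: 1768, Valid
In: 222.0.0.2/1128 --> 222.0.0.8/8081;tcp, If: ge-0/0/1.0, Pkts: 11, Bytes: 1982
Out: 192.168.1.8/8081 --> 222.0.0.2/1128;tcp, If: ge-0/0/0.0, Pkts: 17, Bytes: 16539
"""

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: (\S+), Timeout: (\d+), (\w+)")
WING_RE = re.compile(
    r"^\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+), Pkts: (\d+), Bytes: (\d+)")


def parse_sessions(text):
    """Return one dict per session with its In and Out wings attached."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append({"id": int(m.group(1)), "policy": m.group(2),
                             "timeout": int(m.group(3)), "state": m.group(4)})
            continue
        w = WING_RE.match(line)
        if w and sessions:
            sessions[-1][w.group(1)] = {
                "src": (w.group(2), int(w.group(3))),
                "dst": (w.group(4), int(w.group(5))),
                "proto": w.group(6), "if": w.group(7),
                "pkts": int(w.group(8)), "bytes": int(w.group(9)),
            }
    return sessions


def check_dnat(sessions, expected):
    """Compare sessions against expected {(ext_ip, ext_port): (int_ip, int_port)}.

    Returns a list of problems; an empty list means every session hit the intended
    pool and the client address was left alone (no source NAT in the path)."""
    problems = []
    for s in sessions:
        if "In" not in s or "Out" not in s:
            problems.append(f"session {s['id']}: missing a wing")
            continue
        pre = s["In"]["dst"]      # destination as dialled by the external client
        post = s["Out"]["src"]    # internal server that actually answered
        want = expected.get(pre)
        if want is None:
            problems.append(f"session {s['id']}: {pre} matched no expected destination-NAT rule")
        elif post != want:
            problems.append(f"session {s['id']}: {pre} -> {post}, expected {want}")
        if s["In"]["src"] != s["Out"]["dst"]:
            problems.append(f"session {s['id']}: client address changed (unexpected source NAT)")
    return problems


# Mapping the test3 pool is supposed to produce: both external ports -> 8081.
EXPECTED_MANY_TO_ONE = {
    ("222.0.0.8", 8080): ("192.168.1.8", 8081),
    ("222.0.0.8", 8081): ("192.168.1.8", 8081),
}

if __name__ == "__main__":
    result = check_dnat(parse_sessions(SESSION_OUTPUT), EXPECTED_MANY_TO_ONE)
    for line in result or ["all sessions translated as expected"]:
        print(line)
```

To check a live box, paste the output of `show security flow session destination-prefix 222.0.0.8` into SESSION_OUTPUT and adjust the expected mapping to the pool being tested.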
Multiple external ports mapped to multiple internal ports
set security nat destination pool test4 address 192.168.1.8/32
set security nat destination pool test4 address port 8080
set security nat destination pool test5 address 192.168.1.8/32
set security nat destination pool test5 address port 8081
set security nat destination pool test6 address 192.168.1.8/32
set security nat destination pool test6 address port 8082
set security nat destination rule-set des-nat from zone untrust
set security nat destination rule-set des-nat rule 12 match destination-address 222.0.0.8/32
set security nat destination rule-set des-nat rule 12 match destination-port 8080
set security nat destination rule-set des-nat rule 12 then destination-nat pool test4
set security nat destination rule-set des-nat rule 13 match destination-address 222.0.0.8/32
set security nat destination rule-set des-nat rule 13 match destination-port 8081
set security nat destination rule-set des-nat rule 13 then destination-nat pool test5
set security nat destination rule-set des-nat rule 14 match destination-address 222.0.0.8/32
set security nat destination rule-set des-nat rule 14 match destination-port 8082
set security nat destination rule-set des-nat rule 14 then destination-nat pool test6
Note: the from zone untrust line is mandatory for a destination rule-set and was missing from the original script; without it the commit fails. A pool can carry only one translated port, so each external port needs its own pool and rule. The proxy-arp entry for 222.0.0.8/32 on ge-0/0/1.0 from the previous experiment is still required.
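As an added example (not Junos code and not part of the original guide), the following Python model replays how an SRX destination-NAT rule-set resolves a packet, using the pool and rule names from the experiments above: the fixed-port translation of lab script 1 (rule13-30_80), the one-to-one address range (test33), ICMP with no port (test-30_80), a range of external ports collapsed onto one internal port (test3) and one rule per external port (test4/5/6). The `Pool` and `Rule` classes and `translate()` are this example's own illustrative helpers; rule evaluation is first match, top-down, as in a Junos rule-set.

```python
"""Toy model of SRX destination-NAT rule-set evaluation.

Added example for the SRX destination-NAT guide; the classes and translate()
are illustrative assumptions, the names and addresses are the guide's own.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Pool:
    first: str                    # pool address, or first address of a "to" range
    last: Optional[str] = None    # last address of the range, if the pool is a range
    port: Optional[int] = None    # "address ... port N"; None keeps the original port


@dataclass
class Rule:
    name: str
    dst_prefix: str                  # match destination-address
    pool: str                        # then destination-nat pool
    port_lo: Optional[int] = None    # match destination-port lo [to hi]
    port_hi: Optional[int] = None
    protocol: Optional[str] = None   # match protocol, e.g. "icmp"


def translate(rules, pools, dst_ip, dst_port, protocol):
    """Walk the rule-set top-down and apply the first matching rule.

    Returns (rule_name, translated_ip, translated_port), or None when no rule
    matches and the packet keeps its original destination."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        net = ipaddress.ip_network(r.dst_prefix, strict=False)  # host bits ignored
        if ip not in net:
            continue
        if r.protocol is not None and r.protocol != protocol:
            continue
        if r.port_lo is not None:
            hi = r.port_hi if r.port_hi is not None else r.port_lo
            if dst_port is None or not (r.port_lo <= dst_port <= hi):
                continue
        pool = pools[r.pool]
        if protocol == "icmp" and pool.port is not None:
            # The guide's ICMP point: no port exists, so the pool must be address-only.
            raise ValueError(f"{r.name}: an ICMP rule cannot use a pool with a port")
        first = ipaddress.ip_address(pool.first)
        if pool.last is not None:
            # Range pool: one-to-one by offset, so the pool must be exactly as large
            # as the matched prefix (a /31 match needs a two-address pool).
            size = int(ipaddress.ip_address(pool.last)) - int(first) + 1
            if size != net.num_addresses:
                raise ValueError(f"{r.name}: pool size {size} != match size {net.num_addresses}")
            new_ip = first + (int(ip) - int(net.network_address))
        else:
            new_ip = first
        new_port = pool.port if pool.port is not None else dst_port
        return r.name, str(new_ip), new_port
    return None


POOLS = {
    "pool-1-8_8080": Pool("192.168.1.8", port=8080),
    "pool-1-8": Pool("192.168.1.8"),
    "test33": Pool("192.168.1.8", last="192.168.1.9"),
    "test3": Pool("192.168.1.8", port=8081),
    "test4": Pool("192.168.1.8", port=8080),
    "test5": Pool("192.168.1.8", port=8081),
    "test6": Pool("192.168.1.8", port=8082),
}

# rule-set dst-nat-rule as built up by lab script 1, the ICMP rule and the range rule.
DST_NAT_RULE = [
    Rule("rule13-30_80", "222.0.0.5/32", "pool-1-8_8080", 80),
    Rule("rule111_8", "111.0.0.8/32", "pool-1-8"),
    Rule("test-30_80", "222.0.0.5/32", "pool-1-8", protocol="icmp"),
    Rule("12", "111.0.0.1/31", "test33"),       # network is 111.0.0.0/31
]
# "Multiple external ports mapped to one internal port" experiment.
MANY_TO_ONE = [Rule("12", "222.0.0.8/32", "test3", 8080, 8081)]
# "Multiple external ports mapped to multiple internal ports" experiment (rule-set des-nat).
MANY_TO_MANY = [
    Rule("12", "222.0.0.8/32", "test4", 8080),
    Rule("13", "222.0.0.8/32", "test5", 8081),
    Rule("14", "222.0.0.8/32", "test6", 8082),
]

if __name__ == "__main__":
    print(translate(DST_NAT_RULE, POOLS, "222.0.0.5", None, "icmp"))
    print(translate(DST_NAT_RULE, POOLS, "111.0.0.1", 80, "tcp"))
    print(translate(MANY_TO_ONE, POOLS, "222.0.0.8", 8080, "tcp"))
    print(translate(MANY_TO_MANY, POOLS, "222.0.0.8", 8082, "tcp"))
```

The two ValueError paths mirror what commit check rejects on the box: a range pool whose size does not equal the matched prefix, and a port-carrying pool behind an ICMP rule. Port 443 on 222.0.0.5 returns None because only tcp/80 and ICMP are translated there; the packet would then be routed unchanged.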