Juniper SRX Firewall NAT Study Notes

Source: original article on this site, Network Technology category

Junos NAT
Part 1: SRX NAT overview
Part 2: Source NAT: Interface NAT
Part 3: Source NAT: Address Pools
Part 4: Destination NAT
Part 5: Static NAT
————————————————–
SRX NAT overview
1. Source NAT  // translates the source address (NAT + Global style)
2. Destination NAT  // static PAT
3. Static NAT  // static one-to-one translation

SRX NAT processing flow:

Order of precedence: static NAT first, then destination NAT, then source NAT.

NAT lookup and processing order (diagram omitted)
————————————————–
Part 2: Source NAT: Interface NAT
Interface NAT

SRX platforms support a NAT configuration in which the source IP addresses of flows are translated to the address assigned to the security platform's own outgoing interface. This behaviour is commonly called interface NAT and is similar to the NAT-mode interface configuration in ScreenOS.

SP1 ------------- SRX ------------ Inside1
202.100.1.0/24                    10.1.1.0/24
PAT the internal 10.1.1.0/24 network.
Configure a policy so that Inside1 can reach Outside:
edit security policies from-zone Inside1 to-zone Outside policy Permit-ALL
set match source-address any
set match destination-address any
set match application any
set then permit
set then log session-init session-close

Configure logging:
top edit system syslog file nat-log
set any any
set match RT_FLOW_SESSION

Configure NAT:
top edit security nat source rule-set NAT-Policy  // a rule-set is a collection of NAT rules
set from zone Inside1
set to zone Outside
edit rule Inside1-Outside-Interface-NAT  // the rule
set match source-address 10.1.1.0/24
set match destination-address 202.100.1.0/24  // optional; not needed for plain Internet access
set then source-nat interface
commit  // commit and apply

show security flow session
show log nat-log  // view the NAT translation entries
show security nat source rule all  // view the NAT translation type
—————————————————
Part 3: Source NAT: Address Pool
Reuse an external address pool:
top edit security nat source
set pool nat-pool address 202.100.1.101/32 to 202.100.1.103/32
up
set proxy-arp interface fe-0/0/0.0 address 202.100.1.101/32 to 202.100.1.103/32  // important: proxy ARP must be enabled for the pool addresses

edit source rule-set NAT-Policy
edit rule Inside1-Outside-Address-Pools
set match source-address 10.1.1.0/24
set then source-nat pool nat-pool  // both are source NAT rules; with two rules in the rule-set, the one listed first wins
up

insert rule Inside1-Outside-Address-Pools before rule Inside1-Outside-Interface-NAT  // move the address-pool rule ahead of the interface-NAT rule

run show security flow session  // PAT cycles through the pool addresses

Disable PAT  // dynamic one-to-one; once the pool is exhausted, further sessions fall back to the interface address
top edit security nat source pool nat-pool
set port no-translation
set overflow-pool interface
up
set port-randomization disable  // allocate ports in ascending order, reusing address/port pairs

Configure Persistent NAT  // persistent NAT keeps the translation slot, so the NAT entry stays visible
top edit security nat source
edit rule-set NAT-Policy rule Inside1-Outside-Address-Pools
set then source-nat pool nat-pool persistent-nat permit target-host-port

run show security flow session
run show security nat source persistent-nat-table all

—————————————————
Part 4: Destination NAT  // the equivalent of Cisco static PAT
Translate Inside1 10.1.1.1 port 23 to the external address 202.100.1.201 port 2323.
top edit security nat destination
set pool Inside1-23 address 10.1.1.1/32 port 23
edit rule-set Outside-to-Inside1-Des-NAT
set from zone Outside
edit rule Inside1-Router-23
set match source-address 0.0.0.0/0
set match destination-address 202.100.1.201/32
set match destination-port 2323
set then destination-nat pool Inside1-23
top set security nat proxy-arp interface fe-0/0/0.0 address 202.100.1.201/32

Permit the inbound traffic:
top edit security zones security-zone Inside1
set address-book address Inside1-Router 10.1.1.1/32
up
up
edit policies from-zone Outside to-zone Inside1
edit policy Permit-Inside1-23
set match source-address any
set match destination-address Inside1-Router
set match application junos-telnet
set then permit
commit
——————————————————
Part 5: Static NAT, static one-to-one; translates both the source and the destination.
top edit security nat static
edit rule-set Outside-to-Inside
set from zone Outside
edit rule 1to1
set match destination-address 202.100.1.221/32
set then static-nat prefix 10.1.1.1/32
top set security nat proxy-arp interface fe-0/0/0.0 address 202.100.1.221/32

Permit the inbound traffic:
top edit security zones security-zone Inside1
set address-book address Inside1-Router 10.1.1.1/32
up
up
edit policies from-zone Outside to-zone Inside1
edit policy Permit-Inside1-23
set match source-address any
set match destination-address Inside1-Router
set match application junos-telnet
set then permit
commit

Both outbound and inbound traffic are translated correctly:
run show security flow session
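As an added illustration (not part of the original notes), the following Python models the SRX lookup order described in Part 1 (static NAT, then destination NAT, then source NAT) and the first-match ordering inside the source rule-set from Part 3, using the addresses configured in Parts 2 to 5. It assumes the static mapping is bidirectional and that a flow matching the reverse static mapping does not fall through to the source NAT rules.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass
class Flow:
    src: str        # source IP
    dst: str        # destination IP
    dport: int      # destination port
    from_zone: str  # ingress security zone
    to_zone: str    # egress security zone

def _in(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

# Constructed model of the rules configured in these notes (not Junos code).
STATIC = {"from_zone": "Outside", "external": "202.100.1.221", "internal": "10.1.1.1"}
DESTINATION = {"from_zone": "Outside", "dst": "202.100.1.201/32", "dport": 2323,
               "pool": ("10.1.1.1", 23)}
# Source rule-set: order matters, first match wins (hence 'insert rule ... before').
SOURCE = [
    {"from": "Inside1", "to": "Outside", "src": "10.1.1.0/24", "then": "pool nat-pool"},
    {"from": "Inside1", "to": "Outside", "src": "10.1.1.0/24", "then": "interface"},
]

def apply_nat(f):
    """Return (translated flow, list of NAT actions) in SRX lookup order."""
    actions = []
    # 1. Static NAT is checked first, is bidirectional, and beats the other two.
    if f.from_zone == STATIC["from_zone"] and f.dst == STATIC["external"]:
        f = replace(f, dst=STATIC["internal"])
        actions.append("static-dst")
    elif f.to_zone == STATIC["from_zone"] and f.src == STATIC["internal"]:
        f = replace(f, src=STATIC["external"])
        actions.append("static-src")
        return f, actions   # reverse static mapping (assumed): source NAT rules not consulted
    # 2. Destination NAT, only if static NAT did not already translate the destination.
    elif (f.from_zone == DESTINATION["from_zone"] and _in(f.dst, DESTINATION["dst"])
          and f.dport == DESTINATION["dport"]):
        f = replace(f, dst=DESTINATION["pool"][0], dport=DESTINATION["pool"][1])
        actions.append("destination")
    # 3. Source NAT: the first matching rule in the rule-set wins.
    for r in SOURCE:
        if f.from_zone == r["from"] and f.to_zone == r["to"] and _in(f.src, r["src"]):
            actions.append("source:" + r["then"])
            break
    return f, actions
```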

Article from: CCIE那點事 http://www.qdxgqk.live/ All rights reserved. Unless another source is noted, articles on this site are the author's original work and may be quoted freely with attribution; full reproduction is prohibited.
Link to this article: http://www.qdxgqk.live/?p=3371 Please credit CCIE那點事 when reposting.