Juniper SRX防火墙-NAT学习笔记

来源:本站原创 网络技术 超过3,243 views围观 23条评论

Junos NAT
第一部分:SRX NAT介绍
第二部分:Source NAT:Interface NAT
第三部分:Source NAT:Address Pools
第四部分:Destination NAT
第五部分:Static NAT
————————————————–
SRX Nat介绍
1、Source NAT  //转换源的NAT,NAT+Gloabl
2、Destination NAT  //Static pat
3、Static NAT  //静态一对一转换

SRX NAT处理流程 :

clip_image001
优先static nat ——destination nat——-source nat

NAT 查询与处理顺序
clip_image002
————————————————–
第二部分:Source NAT: Interface NAT
Interface NAT

SRX platforms support NAT configuration where the source IP addresses in flows are translated to the address assigned to the security platform’s own outgoing  interface.This behavior is commonly called interface NAT and is similar to the NAT mode interface configuration in Screen OS.

SP1————-SRX————Inside1
202.100.1.0/24  10.1.1.0/24
将内部10.1.1.0/24做PAT
配置策略,让Inside能正常访问Outside!!
edit security policies from-zone Inside1 to-zone Outside policy Permit-ALL
set match source-address any
set match destination-address any
set match application any
set then permit
set then log session-init session-close

配置Log
edit system syslog file nat-log
set any any
set match RT_FLOW_SESSION

配置NAT:
edit security nat source rule-set NAT-Policy  //rule-set一系列NAT的集合
set from zone Inside1
set to zone Outside
edit rule Inside1-Outside-Interface-NAT  //rule
set match source-address 10.1.1.0/24
set match desnation-address 202.100.1.0/24 //可选配置,上网就不需要了
set then source-nat interface
commit  //提交并应用!

show security flow session 
show log nat-log  //查看NAT转换项!!
show security nat source rule all  //查看NAT转换类型..
—————————————————
第三部分:Source NAT:Address Pool
复用外部地址池
edit security nat source
set pool nat-pool address 202.100.1.101/32 to 202.100.1.103/32
up
set proxy-arp interface fe-0/0/0.0 address 202.100.1.101/32 to 202.100.1.103/32 //严重注意,需要开启代理ARP

edit source rule-set NAT-Policy
edit rule Inside-Outside-Address-Pools
set match source-address 10.1.1.0/24
set then source-nat pool nat-pool  //都是source,现在有两个rule,谁排前面谁优先!!

insert rule Inside1-Outside-Address-Pools before rule Inside1-Outside-Internet-NAT  //将rule 地址池的NAT 靠前!!

run show security flow session  //轮流的做PAT!

禁止PAT转换 //动态一对一,最后一个会话复用接口!
edit pool nat-pool
set port no-translation
set overflow-pool interface
set port-randomization disable  //按顺序往上增长,复用地址端口!!

配置Persistent NAT  //持久NAT,维护转换槽位,能正常看到NAT转换!!
edit security nat socure
edit rule-set NAT-Policy rule Inside1-Outside-Address-Pools
set then source-nat pool persistent-nat permit target-host-port

run show security flow session
run show security nat source persisten-nat-table all

—————————————————
第四部分:Destination NAT  //思科static pat!!
将Inside1 10.1.1.1:23端口转换到外部地址202.100.1.201 2323端口!!
edit security nat destination
set pool Inside1-23 address 10.1.1.1/32 port 23
edit rule-set Outside-to-Inside1-Des-NAT
set from zone Outside
edit rule Inside1-Router-23
set match source-address 0/0
set match destination-address 202.100.1.201/32
set match destination-port 2323
set then destination-nat pool Inside1-23
up
edit proxy-arp interface fe-0/0/0.0 address 202.100.1.201/32

放行Inbound流量!
edit security zones security-zone Inside1
set address-book address Inside1-Router 10.1.1.1/32
up
up
edit policies from-zone Outside to-zone Inside1
edit policy Permit-Inside1-23
set match source-address any
set match destination-address Inside1-Router
set match application junos-telnet
set then permit
commit
——————————————————
第五部分:Static NAT,静态一对一!!即转换源也转换目的!!
edit security nat static
edit rule-set Outside-to-Inside
set from zone Outside
edit rule 1to1
set match destination-address 202.100.1.221/32
set then static-pat prefix 10.1.1.1/32
up
up
set proxy-arp interface fe-0/0/0.0 address 202.100.1.221/32

放行Inbound流量!
edit security zones security-zone Inside1
set address-book address Inside1-Router 10.1.1.1/32
up
up
edit policies from-zone Outside to-zone Inside1
edit policy Permit-Inside1-23
set match source-address any
set match destination-address Inside1-Router
set match application junos-telnet
set then permit
commit

出和入都能正常转换!!
run showsecurity flow session !!

文章出自:CCIE那点事 http://www.jdccie.com/ 版权所有。本站文章除注明出处外,皆为作者原创文章,可自由引用,但请注明来源。 禁止全文转载。
本文链接:http://www.jdccie.com/?p=3371转载请注明转自CCIE那点事
如果喜欢:点此订阅本站