Juniper SRX Firewall: NAT Study Notes

Junos NAT
Part 1: SRX NAT overview
Part 2: Source NAT: Interface NAT
Part 3: Source NAT: Address Pools
Part 4: Destination NAT
Part 5: Static NAT
--------------------------------------------------
Part 1: SRX NAT overview
1. Source NAT   // translates the source address (the equivalent of NAT + global)
2. Destination NAT  // the equivalent of static PAT
3. Static NAT   // static one-to-one translation

SRX NAT processing flow:

static NAT first ------ then destination NAT ------- then source NAT

(NAT lookup and processing order)

--------------------------------------------------
Part 2: Source NAT: Interface NAT
Interface NAT

SRX platforms support a NAT configuration in which the source IP addresses of flows are translated to the address assigned to the security platform's own outgoing interface. This behaviour is commonly called interface NAT and is similar to the NAT-mode interface configuration in ScreenOS.

SP1-------------SRX------------Inside1
202.100.1.0/24       10.1.1.0/24
PAT the internal network 10.1.1.0/24.
First configure a security policy so that Inside1 can reach Outside at all (NAT alone does not permit traffic):
edit security policies from-zone Inside1 to-zone Outside policy Permit-ALL
set match source-address any
set match destination-address any
set match application any
set then permit
set then log session-init session-close

Configure logging (so that session-init/session-close records can be checked):
edit system syslog file nat-log
set any any
set match RT_FLOW_SESSION

Configure NAT:
edit security nat source rule-set NAT-Policy    // a rule-set is a collection of NAT rules sharing a from/to context
set from zone Inside1
set to zone Outside
edit rule Inside1-Outside-Interface-NAT  // the rule itself
set match source-address 10.1.1.0/24
set match destination-address 202.100.1.0/24 // optional; not needed for plain Internet access
set then source-nat interface
commit   // commit and apply

show security flow session
show log nat-log    // view the NAT translation entries
show security nat source rule all  // view the NAT rules and their translation type
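`show log nat-log` is where the translations are actually verified. As an added example (not part of the notes), here is a small Python parser for RT_FLOW_SESSION_CREATE / RT_FLOW_SESSION_CLOSE lines that pulls out the original and translated address tuples, the NAT rule that fired, and summarises which inside hosts sit behind which external address and which sessions left the box untranslated. The sample lines are constructed in that shape, and the field layout the regex assumes (original tuple, service, translated tuple, source-NAT rule, destination-NAT rule, protocol, policy, zones, session id) varies between Junos releases, so check it against your own log before relying on it.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of SRX RT_FLOW_SESSION_CREATE / _CLOSE messages.
# Field layout after the tuples is an assumption; it differs between Junos releases.
SAMPLE_LOG = """\
Oct 14 17:30:01 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.5/40000->202.100.1.1/23 junos-telnet 202.100.1.10/1024->202.100.1.1/23 Inside1-Outside-Interface-NAT None 6 Permit-ALL Inside1 Outside 101 N/A(N/A) fe-0/0/1.0
Oct 14 17:30:02 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.6/40001->202.100.1.1/80 junos-http 202.100.1.101/40001->202.100.1.1/80 Inside1-Outside-Address-Pools None 6 Permit-ALL Inside1 Outside 102 N/A(N/A) fe-0/0/1.0
Oct 14 17:30:03 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created 202.100.1.50/5555->202.100.1.201/2323 None 202.100.1.50/5555->10.1.1.1/23 None Inside1-Router-23 6 Permit-Inside1-23 Outside Inside1 103 N/A(N/A) fe-0/0/0.0
Oct 14 17:30:09 srx RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 10.1.1.5/40000->202.100.1.1/23 junos-telnet 202.100.1.10/1024->202.100.1.1/23 Inside1-Outside-Interface-NAT None 6 Permit-ALL Inside1 Outside 101 20(1200) 18(900) 8 N/A(N/A) fe-0/0/1.0
"""


def _tuple(prefix: str) -> str:
    # "src/sport->dst/dport" with named groups; prefix "nat_" names the translated tuple
    return (rf"(?P<{prefix}src>[\d.]+)/(?P<{prefix}sport>\d+)->"
            rf"(?P<{prefix}dst>[\d.]+)/(?P<{prefix}dport>\d+)")


LINE_RE = re.compile(
    r"RT_FLOW_SESSION_(?P<event>CREATE|CLOSE): session (?:created|closed(?: [^:]*)?:?)\s+"
    + _tuple("") + r"\s+(?P<service>\S+)\s+" + _tuple("nat_")
    + r"\s+(?P<snat_rule>\S+)\s+(?P<dnat_rule>\S+)\s+(?P<proto>\d+)\s+(?P<policy>\S+)"
      r"\s+(?P<from_zone>\S+)\s+(?P<to_zone>\S+)\s+(?P<session_id>\d+)")

INT_FIELDS = ("sport", "dport", "nat_sport", "nat_dport", "session_id")


def parse_session(line: str):
    """Return the fields of one RT_FLOW session line as a dict, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in INT_FIELDS:
        d[k] = int(d[k])
    original = (d["src"], d["sport"], d["dst"], d["dport"])
    d["translated"] = original != (d["nat_src"], d["nat_sport"], d["nat_dst"], d["nat_dport"])
    return d


def nat_summary(log_text: str) -> dict:
    """Rule hit counts, inside-host -> external-address bindings, and untranslated session ids."""
    rows = [r for r in map(parse_session, log_text.splitlines()) if r and r["event"] == "CREATE"]
    return {
        "by_rule": Counter(r["snat_rule"] for r in rows if r["snat_rule"] != "None")
                   + Counter(r["dnat_rule"] for r in rows if r["dnat_rule"] != "None"),
        "bindings": {r["src"]: r["nat_src"] for r in rows if r["src"] != r["nat_src"]},
        "untranslated": [r["session_id"] for r in rows if not r["translated"]],
    }


if __name__ == "__main__":
    for key, value in nat_summary(SAMPLE_LOG).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

A non-empty `untranslated` list for traffic that should have been NATed is the quickest sign that the rule-set's from/to zones or match addresses do not cover the flow.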
---------------------------------------------------
Part 3: Source NAT: Address Pool
Translate to a pool of external addresses (shared with PAT):
edit security nat source
set pool nat-pool address 202.100.1.101/32 to 202.100.1.103/32
up
set proxy-arp interface fe-0/0/0.0 address 202.100.1.101/32 to 202.100.1.103/32 // important: proxy ARP must be enabled for the pool addresses, otherwise return traffic is never answered on the wire

edit source rule-set NAT-Policy
edit rule Inside1-Outside-Address-Pools
set match source-address 10.1.1.0/24
set then source-nat pool nat-pool    // both rules are source NAT; with two rules in the rule-set, the one listed first wins

insert rule Inside1-Outside-Address-Pools before rule Inside1-Outside-Interface-NAT  // move the address-pool rule ahead of the interface-NAT rule

run show security flow session  // sessions are PATed to the pool addresses in turn

Disable PAT // dynamic one-to-one; once every pool address is bound to a host, further sessions fall back to the interface address
top edit security nat source pool nat-pool
set port no-translation
set overflow-pool interface
top set security nat source port-randomization disable  // ports are then allocated sequentially, reusing address/port in order

Configure persistent NAT  // keeps the translation binding alive, so the mapping stays visible in the persistent NAT table
top edit security nat source
edit rule-set NAT-Policy rule Inside1-Outside-Address-Pools
set then source-nat pool nat-pool persistent-nat permit target-host-port

run show security flow session
run show security nat source persistent-nat-table all

---------------------------------------------------
Part 4: Destination NAT  // the equivalent of Cisco static PAT
Translate external address 202.100.1.201 port 2323 to Inside1 host 10.1.1.1 port 23:
edit security nat destination
set pool Inside1-23 address 10.1.1.1/32 port 23
edit rule-set Outside-to-Inside1-Des-NAT
set from zone Outside
edit rule Inside1-Router-23
set match source-address 0/0
set match destination-address 202.100.1.201/32
set match destination-port 2323
set then destination-nat pool Inside1-23
top set security nat proxy-arp interface fe-0/0/0.0 address 202.100.1.201/32   // proxy-arp sits under [edit security nat], not under the rule-set, so set it from the top

Permit the inbound traffic (the policy matches on the translated, internal address):
top edit security zones security-zone Inside1
set address-book address Inside1-Router 10.1.1.1/32
up
up
edit policies from-zone Outside to-zone Inside1
edit policy Permit-Inside1-23
set match source-address any
set match destination-address Inside1-Router
set match application junos-telnet
set then permit
commit
------------------------------------------------------
Part 5: Static NAT, static one-to-one; the mapping applies to both source and destination, i.e. in both directions
edit security nat static
edit rule-set Outside-to-Inside
set from zone Outside
edit rule 1to1
set match destination-address 202.100.1.221/32
set then static-nat prefix 10.1.1.1/32
top set security nat proxy-arp interface fe-0/0/0.0 address 202.100.1.221/32   // proxy-arp sits under [edit security nat]

Permit the inbound traffic (again matching on the internal address):
top edit security zones security-zone Inside1
set address-book address Inside1-Router 10.1.1.1/32
up
up
edit policies from-zone Outside to-zone Inside1
edit policy Permit-Inside1-23
set match source-address any
set match destination-address Inside1-Router
set match application junos-telnet
set then permit
commit

Both outbound and inbound traffic are now translated.
run show security flow session
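To tie Parts 1 to 5 together, the following Python model is an added example, not code from the notes or from Juniper, of the lookup order described at the top of the notes: static NAT is consulted first and applies in both directions, then destination NAT, then source NAT, where the first matching rule in rule-set order wins. It also models the address-pool behaviour from Part 3 (port no-translation binding one pool address per inside host, with overflow to the interface once the pool is used up). Addresses, pool and rule names are taken from the notes; the fe-0/0/0.0 address 202.100.1.10, the sequential PAT port counter and the round-robin pool selection are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


def in_net(ip: str, prefix: str) -> bool:
    """True when ip lies inside prefix; '0/0' is accepted as 'any', as on the CLI."""
    if prefix in ("0/0", "0.0.0.0/0"):
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)


@dataclass
class Flow:
    src: str; sport: int; dst: str; dport: int; from_zone: str; to_zone: str

@dataclass
class StaticRule:        # security nat static rule-set ... rule ...
    name: str; from_zone: str; external: str; internal: str

@dataclass
class DestRule:          # security nat destination rule-set ... rule ...
    name: str; from_zone: str; dst: str; dport: int; pool_addr: str; pool_port: int

@dataclass
class SourceRule:        # security nat source rule-set ... rule ... (dst match optional)
    name: str; from_zone: str; to_zone: str; src: str; dst: Optional[str]; target: str

@dataclass
class SourcePool:
    addresses: list
    port_no_translation: bool = False      # set port no-translation
    overflow_to_interface: bool = False    # set overflow-pool interface
    bindings: dict = field(default_factory=dict)  # inside host -> pool address (no-PAT mode)
    rr: int = 0                            # round-robin index for PAT mode (assumed)


class SrxNat:
    def __init__(self, egress_ip, static_rules, dest_rules, source_rules, pools):
        self.egress_ip, self.pools = egress_ip, pools
        self.static_rules, self.dest_rules, self.source_rules = static_rules, dest_rules, source_rules
        self._next_port = 1024             # assumed sequential ports (port-randomization disable)

    def _pat_port(self) -> int:
        self._next_port += 1
        return self._next_port - 1

    def _pick(self, pool: SourcePool, host: str) -> Optional[str]:
        if not pool.port_no_translation:   # PAT mode: addresses are shared, rotate through them
            pool.rr += 1
            return pool.addresses[(pool.rr - 1) % len(pool.addresses)]
        if host not in pool.bindings:      # no-PAT mode: one pool address per inside host
            free = [a for a in pool.addresses if a not in pool.bindings.values()]
            if not free:
                return None                # pool exhausted
            pool.bindings[host] = free[0]
        return pool.bindings[host]

    def translate(self, f: Flow) -> dict:
        out = {"src": f.src, "sport": f.sport, "dst": f.dst, "dport": f.dport,
               "static": None, "dnat": None, "snat": None}
        # 1. static NAT first; the mapping also applies in reverse to the internal host
        for r in self.static_rules:
            if f.from_zone == r.from_zone and in_net(f.dst, r.external):
                out["dst"], out["static"] = r.internal.split("/")[0], r.name
                return out
            if f.from_zone != r.from_zone and in_net(f.src, r.internal):
                out["src"], out["static"] = r.external.split("/")[0], r.name + " (reverse)"
                return out                 # reverse static takes precedence over source NAT
        # 2. destination NAT
        for r in self.dest_rules:
            if f.from_zone == r.from_zone and in_net(f.dst, r.dst) and f.dport == r.dport:
                out["dst"], out["dport"], out["dnat"] = r.pool_addr, r.pool_port, r.name
                break
        # 3. source NAT: first matching rule in rule-set order wins
        for r in self.source_rules:
            if (f.from_zone, f.to_zone) != (r.from_zone, r.to_zone) or not in_net(f.src, r.src):
                continue
            if r.dst is not None and not in_net(f.dst, r.dst):
                continue
            if r.target == "interface":
                out["src"], out["sport"], out["snat"] = self.egress_ip, self._pat_port(), r.name
                return out
            pool = self.pools[r.target]
            addr = self._pick(pool, f.src)
            if addr is None:
                if pool.overflow_to_interface:   # remaining hosts fall back to interface PAT
                    out["src"], out["sport"], out["snat"] = self.egress_ip, self._pat_port(), r.name + " (overflow)"
                return out                 # without overflow-pool the session would fail
            out["src"], out["snat"] = addr, r.name
            if not pool.port_no_translation:
                out["sport"] = self._pat_port()
            return out
        return out


def build_notes_config() -> SrxNat:
    """The NAT configuration from the notes; the egress address 202.100.1.10 is assumed."""
    pool = SourcePool(["202.100.1.101", "202.100.1.102", "202.100.1.103"],
                      port_no_translation=True, overflow_to_interface=True)
    return SrxNat(
        egress_ip="202.100.1.10",
        static_rules=[StaticRule("1to1", "Outside", "202.100.1.221/32", "10.1.1.1/32")],
        dest_rules=[DestRule("Inside1-Router-23", "Outside", "202.100.1.201/32", 2323, "10.1.1.1", 23)],
        source_rules=[   # pool rule listed first, as after `insert ... before ...`
            SourceRule("Inside1-Outside-Address-Pools", "Inside1", "Outside", "10.1.1.0/24", None, "nat-pool"),
            SourceRule("Inside1-Outside-Interface-NAT", "Inside1", "Outside", "10.1.1.0/24", "202.100.1.0/24", "interface"),
        ],
        pools={"nat-pool": pool})


if __name__ == "__main__":
    nat = build_notes_config()
    print(nat.translate(Flow("10.1.1.5", 40000, "202.100.1.1", 80, "Inside1", "Outside")))
    print(nat.translate(Flow("202.100.1.50", 5555, "202.100.1.201", 2323, "Outside", "Inside1")))
```

The model makes the two ordering effects in the notes visible: a flow from 10.1.1.1, which the pool rule would otherwise match, is translated by the reverse static mapping to 202.100.1.221 and never reaches source NAT, and the fourth inside host after a three-address no-PAT pool is full ends up behind the interface address only because overflow-pool interface is set.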

Date: 2024-10-14 17:32:09
