Juniper srx防火墙NAT配置

一、基础操作说明：

1、  设备恢复出厂化

root# load factory-default

root# set system root-authentication plain-text-password

root# commit

root> request system reboot

2、  基本配置

2.1 配置主机名

root# set system host-name SRX1400

2.2设置时区

[email protected]# set system time-zoneAsia/Shanghai

2.3设置时间

[email protected]# run set date 201508011549.21

2.4设置dns

[email protected]# set system name-server202.l06.0.20

2.5设置接口IP

[email protected]# set interfaces ge-0/0/0 unit0 family inet address 10.0.0.10/24

2.6设置默认路由

[email protected]# set routing-options staticroute 0.0.0.0/0  next-hop 10.0.0.254

2.7创建登陆用户

[email protected]# set system login user adminclass super-user authentication plain-text-password

2.8创建安全Zone

[email protected]# set security zonessecurity-zone untrust

2.9接口加入zone

[email protected]# set security zones security-zoneuntrust interfaces  ge-0/0/0.0

2.10业务口放行icmp

[email protected]#set security zones security-zone untrust interfaces  ge-0/0/0.0 host-inbound-traffic system-services ping

说明：默认情况下，除管理口外的业务口是无法ping通的，需要放行icmp。

二、juniper srx nat

1、NAT的类型

1.1 source nat :interface

1.2 source nat :pool

1.3 destination nat

1.4 static nat

2、配置实例

2.1 基于接口的source nat

[email protected]# set security nat sourcerule-set 1 from zone trust

[email protected]# set security nat sourcerule-set 1 to zone untrust

[email protected]# set security nat sourcerule-set 1 rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0

[email protected]# set security nat sourcerule-set 1 rule rule1 then source-nat interface

默认police

policy default-permit {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

}

2.2基于地址池的source nat

[email protected]# set security nat source poolisp address 10.0.0.20 to 10.0.30

[email protected]# set security nat sourcerule-set 1 from zone trust

[email protected]# set security nat sourcerule-set 1 to zone untrust

[email protected]# set security nat sourcerule-set 1 rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0

[email protected]# set security nat sourcerule-set 1 rule rule1 then source-nat pool isp

[email protected]# set security nat proxy-arpinterface ge-0/0/0 address 10.0.0.20 to 10.0.0.30

2.3 destination nat 配置

[email protected]# set security nat destinationpool dst-nat-pool-1 address 172.16.1.1/32

[email protected]# set security nat destinationpool dst-nat-pool-1 address port 80

[email protected]# set security nat destinationrule-set rs1 from zone untrust

[email protected]# set security nat destinationrule-set rs1 rule 1 match destination-address 10.0.0.100/32

[email protected]# set security nat destinationpool dst-nat-pool-1 address port 80

[email protected]# set security nat proxy-arpinterface ge-0/0/0.0 address 10.0.0.100/32

[email protected]# set security address-bookglobal address web 172.16.1.1/32

[email protected]# set security nat destinationrule-set rs1 rule 1 then destination-nat pool dst-nat-pool-1

[email protected]# set security policiesfrom-zone untrust to-zone trust policy web match source-address any

[email protected]# set security policiesfrom-zone untrust to-zone trust policy web match destination-address web  match application any

[email protected]# set security policiesfrom-zone untrust to-zone trust policy

[email protected]# set security policiesfrom-zone untrust to-zone trust policy web then permit

[email protected]# insert security policiesfrom-zone untrust to-zone trust policy web before policy default-deny

2.4 static nat配置

[email protected]# set security nat staticrule-set rs1 from zone untrust

[email protected]# set security nat staticrule-set rs1 rule r1 match destination-address 10.0.0.100/32

[email protected]# set security nat staticrule-set rs1 rule r1 then static-nat prefix 172.16.1.1/32

[email protected]# set security nat proxy-arpinterface ge-0/0/0.0 address 10.0.0.100/32

[email protected]# set security address-bookglobal address web 172.16.1.1/32

[email protected]# set security policiesfrom-zone untrust to-zone untrust web match source-address any destination-addressweb application any

[email protected]# set security policiesfrom-zone untrust to-zone trust policy web then permit

[email protected]# insert security policiesfrom-zone untrust to-zone trust web before policy default-deny