juniper SRX防火墙NAT测试

1.测试拓扑:

2.测试总结:

3.基本配置:

A.路由器R1:

interface Ethernet0/0
 ip address 202.100.1.1 255.255.255.0
 no shut

B.防火墙SRX:

①配置接口地址:

set interfacesge-0/0/0.0family inetaddress 202.100.1.10/24

set interfacesge-0/0/1.0family inetaddress 10.1.1.10/24

set interfacesge-0/0/2.0family inetaddress 192.168.1.10/24

②将接口划入zone:

setsecurity zones security-zone untrust interfacesge-0/0/0.0

setsecurity zones security-zone trust interfacesge-0/0/1.0

setsecurity zones security-zone dmz interfacesge-0/0/2.0

③配置zone间策略,允许trust到untrust的任何访问:

setsecurity policies from-zone trust to-zone untrust policy Permit-All match source-address any

setsecurity policies from-zone trust to-zone untrust policy Permit-All match destination-address any

setsecurity policies from-zone trust to-zone untrust policy Permit-All match application any

setsecurity policies from-zone trust to-zone untrust policy Permit-All then  permit

配置zone间策略,允许DMZ到untrust的任何访问:

set security policies from-zone dmz to-zoneuntrust policy Permit-All match source-address any

set security policies from-zone dmz to-zoneuntrust policy Permit-All match destination-address any

set security policies from-zone dmz to-zoneuntrust policy Permit-All match application any

set security policies from-zone dmz to-zoneuntrustpolicy Permit-All then permit

C.主机PC1:

IP:10.1.1.8/24

GW:10.1.1.10

D.路由器R2:

interface f0/0
 ip address 192.168.1.2 255.255.255.0

no shut

ip route 0.0.0.0 0.0.0.0 192.168.1.10

4.NAT配置:

A.第一种NAT:

Source NAT:Interface NAT配置:

A.指定NAT的zone:

setsecurity nat sourcerule-set Source-NAT from zone trust

setsecurity nat sourcerule-setSource-NATto zone untrust

B.配置Interface NAT:

setsecurity nat source rule-set Source-NAT rule NAT-Interface match source-address 0.0.0.0/0

setsecurity nat source rule-set Source-NAT rule NAT-Interface match destination-address 0.0.0.0/0

setsecurity nat source rule-set Source-NAT rule NAT-Interface then source-nat interface

C.提交配置:

commit

D.验证:

从主机PC1上面ping路由器R1接口地址,并在R1上debug ip icmp,可以看到ICMP源地址为防火墙接口地址

R1#
*Mar 2 01:35:56.797: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.10
*Mar 2 01:35:57.793: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.10
*Mar 2 01:35:58.809: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.10
*Mar 2 01:35:59.749: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.10
R1#

B.第二种NAT:

Source NAT:pool based nat配置:

A.配置地址池:

set security nat source pool src-nat-pool1address 202.100.1.11 to 202.100.1.13

B.指定NAT的zone(前面已经配置,可以不配):

set security nat source rule-set Source-NAT from zone trust

set security nat sourcerule-set Source-NATto zone untrust

C.配置pool based nat:

set security nat source rule-set Source-NAT rule NAT-pool match source-address 0.0.0.0/0

sets ecurity nat source rule-set Source-NAT rule NAT-pool match destination-address 0.0.0.0/0

时间: 2024-08-25 10:15:40

juniper SRX防火墙NAT测试的相关文章

Juniper srx防火墙NAT配置

一.基础操作说明: 1.  设备恢复出厂化 root# load factory-default root# set system root-authentication plain-text-password root# commit root> request system reboot 2.  基本配置 2.1 配置主机名 root# set system host-name SRX1400 2.2设置时区 [email protected]# set system time-zoneAs

Juniper SRX防火墙-NAT学习笔记!

Junos NAT第一部分:SRX NAT介绍第二部分:Source NAT:Interface NAT第三部分:Source NAT:Address Pools第四部分:Destination NAT第五部分:Static NAT--------------------------------------------------SRX Nat介绍1.Source NAT   //转换源的NAT,NAT+Gloabl2.Destination NAT  //Static pat3.Static

Juniper老司机经验谈(SRX防火墙NAT与策略篇)视频课程上线了

继前面的<Juniper老司机经验谈(SRX防火墙优化篇)>之后,Juniper老司机经验谈(SRX防火墙NAT与策略篇)第二部视频课程也录制上线了 1.两个课程完全独立又相结合, SRX防火墙优化篇是针对防火墙双机.配置优化内容. SRX防火墙NAT与策略篇则是针对防火NAT.策略内容 . 两部除了前几4单节基础理论与模拟环境搭建部分一样外,其他内容完全不重叠. 2.本课程内容: 大家在QQ群.论坛里经常提的问题,许多人对SRX使用中NAT\策略问题不是很理解,实际工作中碰见太多问题,惹出了

Juniper SRX防火墙系统会话链接的清除

Juniper SRX防火墙系统会话链接的清除 维护Juniper防火墙SRX系列防火墙,一段时间后,发现防火墙老是有时候登录不上去,有时候可以登录. 查看用户的时候,发现,系统挂了很多连接会话,怪不得老是无法登录,资料被消耗了. 用户并不多: {primary:node0}[email protected]> show system users node0:---------------------------------------------------------------------

Juniper SRX防火墙HA配置

一.实验环境介绍1)vsrx 12.1X47-D20.7 二.实验拓扑 vSRXA1与vSRXA2之间建议Chassis Clusterge-0/0/0为带外管理接口(系列默认,不可改)ge-0/0/1为control-link(系统配置,不可改)ge-0/0/4为data-link(手工配置,可改)control-link与data-link采用背靠背的连接方式. 在低端的SRX防火墙带外管理接口.控制接口.数据接口都是业务接口.在高端的SRX防火墙管理接口.控制接口即为专用接口,只有数据接口

juniper SRX防火墙DHCP配置

set system services dhcp pool 192.168.68.0/24 address-range low 192.168.68.2set system services dhcp pool 192.168.68.0/24 address-range high 192.168.68.254set system services dhcp pool 192.168.68.0/24 default-lease-time 36000set system services dhcp

Juniper SRX(Junos)配置拨号VPN (Dynamic VPN)

1) Junper SRX 防火墙,默认 License 支持2个VPN 并发连接. 2) Juniper SRX 防火墙的软件版本需要注意下,测试时发现 12.1X46-D40.2 有问题,因为测试设备是SRX210HE,在高的版本升级不上去,使用版本 12.1X44-D60.2 没问题. 配置: set access profile dyn-vpn-access-profile client vpnuser1 firewall-user password "vpnuserpassword01

Juniper SRX550防火墙之基本配置

一.管理配置 1.1 主机名 [email protected]# set system host-name SRX550 1.2 设置时区 [email protected]# set system time-zone Asia/Shanghai 1.3 开启远程服务 [email protected]# set system services ssh [email protected]# set system services telnet 1.4 开启web管理并允许从0/0/1接口管理

查看Juniper SRX系列防火墙的系统相关限制(Policy策略最大数、NAT最大数等)

通过show log nsd_chk_only | no-more 可查看Juniper SRX系列防火墙的系统相关限制.比如说Policy策略最大数.策略调用Address地址簿最大数.策略调用Applications应用最大数.NAT最大数.Zone区域最大数等相关信息. 以下为Juniper SRX5600输出结果 SRX5600> show log nsd_chk_only | no-more Matching platform :Model Name = srx5600Hardware