SRX source NAT
set interfaces ge-0/0/0 unit 0 family inet address
set interfaces ge-0/0/1 unit 0 family inet address
set interfaces ge-0/0/2 unit 0 family inet address
set routing-options static route next-hop
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone dmz interfaces ge-0/0/2.0
set security zones security-zone dmz interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
set security zones security-zone dmz interfaces ge-0/0/2.0 host-inbound-traffic system-services ssh
set security zones security-zone trust address-book address trust-add 192.168.2.0/24
set security policies from-zone trust to-zone untrust policy trust-untrust match source-address trust-add
set security policies from-zone trust to-zone untrust policy trust-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-untrust then permit
1、Source NAT(端口转换)
set security nat source rule-set source-NAT from zone trust
set security nat source rule-set source-NAT to zone untrust
set security nat source rule-set source-NAT rule PAT match source-address
set security nat source rule-set source-NAT rule PAT then source-nat interface
2、Source NAT(地址池)
set security nat source pool source-NAT-POOL address to //地址池转换将会轮询做地址转换 //
set security nat source rule-set source-NAT from zone trust
set security nat source rule-set source-NAT to zone untrust
set security nat source rule-set source-NAT rule NAT1 match source-address 192.168.2.0/24
set security nat source rule-set source-NAT rule NAT1 then source-nat pool source-NAT-POOL
set security nat proxy-arp interface ge-0/0/1.0 address to // 需要为地址池转换方式设置ARP代理//
# run show security nat source rule all
root@vSRX# run show security policies
root@vSRX# run show security flow session
SessionID: 2579, Policy name: trust-untrust/7, Timeout: 2, Valid
In: -->;icmp,If: ge-0/0/0.0, Pkts: 1, Bytes: 60
Out: -->;icmp,If: ge-0/0/1.0, Pkts: 1, Bytes: 60
insert rule-set source-NAT rule NAT1 before rule PAT //把NAT1 Rule插入到PAT Rule前面,先启用NAT pool转换,再使用PAT转换//
root@vSRX# run show security nat source summary
Total port number usage for port translation pool: 709632
Maximum port number for port translation pool: 16777216
Total pools: 1
Pool Address Routing PAT Total
Name Range Instance Address
source-NAT-POOL yes 11
Total rules: 2
Rule name Rule set From To Action
NAT1 source-NAT trust untrust source-NAT-POOL
PAT source-NAT trust untrust interface
root@vSRX# run show security flow session //地址轮询复用转换//
SessionID: 3017, Policy name: trust-untrust/7, Timeout: 2, Valid
In: -->;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
Out: -->;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
SessionID: 3018, Policy name: trust-untrust/7, Timeout: 2, Valid
In: -->;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
Out: -->;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
Total sessions: 2
SessionID: 3019, Policy name: trust-untrust/7, Timeout: 2, Valid
In: -->;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
Out: -->;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
SessionID: 3020, Policy name: trust-untrust/7, Timeout: 2, Valid
In: -->;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
Out: -->;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
Total sessions: 2
root@vSRX# set security nat source pool source-NAT-POOL port no-translation //禁止PAT转换,动态一对一,最后一个接口地址复用//
SessionID: 4546, Policy name: trust-untrust/7, Timeout: 1796, Valid
In: -->;tcp, If: ge-0/0/0.0, Pkts: 4, Bytes: 912
Out: -->;tcp,If: ge-0/0/1.0, Pkts: 2, Bytes: 319
SessionID: 4556, Policy name: trust-untrust/7, Timeout: 1800, Valid
In: -->;tcp, If: ge-0/0/0.0, Pkts: 34, Bytes: 2138
Out: -->;tcp,If: ge-0/0/1.0, Pkts: 61, Bytes: 75406
SessionID: 4557, Policy name: trust-untrust/7, Timeout: 1798, Valid
In: -->;tcp, If: ge-0/0/0.0, Pkts: 7, Bytes: 837
Out: -->;tcp,If: ge-0/0/1.0, Pkts: 8, Bytes: 8278
SRX destination NAT(cisco static PAT静态端口映射)
将DMZ端口转换到untrust地址192.168.114.250: 2323端口
set security nat destination pool DMZ-Server-telnet address
set security nat destination pool DMZ-Server-telnet address port 23
set security nat destination pool DMZ-Server-http address
set security nat destination pool DMZ-Server-http address port 80
set security nat destination rule-set Dest-NAT from zone untrust
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-telnet match source-address
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-telnet match destination-address 192.168.114.114/32
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-telnet match destination-port 2323
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-telnet then destination-nat pool DMZ-Server-telnet
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-http match source-address
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-http match destination-address
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-http match destination-port 80
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-http then destination-nat pool DMZ-Server-http
set security nat proxy-arp interface ge-0/0/1.0 address
set security zones security-zone dmz address-book address DMZ-Server
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ match source-address any
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ match destination-address DMZ-Server
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ match application junos-http
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ match application junos-telnet
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ then permit
set security nat static rule-set Static-NAT from zone untrust
set security nat static rule-set Static-NAT rule 1to1 match destination-address 192.168.114.250/32
set security nat static rule-set Static-NAT rule 1to1 then static-nat prefix 172.16.2.22/32
set security nat proxy-arp interface ge-0/0/1.0 address
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ-ftp match source-address any
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ-ftp match destination-address DMZ-Server
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ-ftp match application junos-ftp
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ-ftp then permit
set authentication-order [ radius password ]
set system radius-server port 1812
set system radius-server secret freeit123
set system radius-server source-address
set system login user user1 authentication encrypted-password freeit123 //重要:在radius上创建的用户账户必须在本地创建该用户,
set access profile WEBAUTH authentication-order password
set access profile WEBAUTH client user1 firewall-user password user1
set access firewall-authentication web-authentication default-profile WEBAUTH
set access firewall-authentication web-authentication banner success "web auth login success"
set system services web-management http interface ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services http
set interfaces ge-0/0/0 unit 0 family inet address http
set security policies from-zone trust to-zone dmz policy trust-dmz-p match source-address trust-add
set security policies from-zone trust to-zone dmz policy trust-dmz-p match destination-address dmz-add
set security policies from-zone trust to-zone dmz policy trust-dmz-p match application any
set security policies from-zone trust to-zone dmz policy trust-dmz-p then permit firewall-authentication web-authentication client-match user1
set security policies from-zone trust to-zone dmz policy trust-dmz-p then count
set access profile PT-AUTH authentication-order password
set access profile PT-AUTH client test firewall-user password "$9$I.4Rrvx7VY4Zdb"
set access firewall-authentication pass-through default-profile PT-AUTH
set access firewall-authentication pass-through http banner success "Login Success"
set security policies from-zone trust to-zone dmz policy trust-dmz-p match source-address trust-add
set security policies from-zone trust to-zone dmz policy trust-dmz-p match destination-address dmz-add
set security policies from-zone trust to-zone dmz policy trust-dmz-p match application any
set security policies from-zone trust to-zone dmz policy trust-dmz-p then permit firewall-authentication pass-through
set security policies from-zone trust to-zone dmz policy trust-dmz-p then count
set access profile PT-AUTH authentication-order radius
set access profile PT-AUTH radius-server 192.168.2.22 secret freeit123 //radius配置//