温馨提示×

温馨提示×

您好,登录后才能下订单哦!

密码登录×
登录注册×
其他方式登录
点击 登录注册 即表示同意《亿速云用户服务条款》

Juniper SRX550防火墙NAT配置

发布时间:2020-07-02 07:33:53 来源:网络 阅读:1080 作者:飞奔的鱼儿 栏目:安全技术

一、Source NAT

对于不需要做NAT的网段(比如IPSec×××),需要先关闭这些地址的NAT(如果没有则跳过

set security nat source rule-set trust-untrust rule no-nat match source-address 192.168.0.0/16

set security nat source rule-set trust-untrust rule no-nat match destination-address 10.10.0.0/24

set security nat source rule-set trust-untrust rule no-nat then source-nat off

 

对于需要上网或者所有的网段(做地址转换的网段),做source-nat

首先定义一个地址池(要转换的公网地址):

set security nat source pool natpool1 address 112.48.20.11/32 to 112.48.20.15/32

set security nat source pool natpool2 address 112.48.20.21/32 to 112.48.20.30/32

 

配置NAT规则匹配源、目、转换地址池

set security nat source rule-set trust-untrust from zone trust

set security nat source rule-set trust-untrust to zone untrust

 

//匹配特定的地址进行转换(没有特定可省略)

set security nat source rule-set trust-untrust rule nat1 match source-address 0.0.0.0/0

set security nat source rule-set trust-untrust rule nat1 match destination-address 183.253.58.253/32

set security nat source rule-set trust-untrust rule nat1 then source-nat pool natpool1

 

//默认所有的源、目地址进行转换

set security nat source rule-set trust-untrust rule nat2 match source-address 0.0.0.0/0

set security nat source rule-set trust-untrust rule nat2 match destination-address 0.0.0.0/0

set security nat source rule-set trust-untrust rule nat2 then source-nat pool natpool2

 

如果NAT地址池有多个地址,除了接口地址,那么其它地址需要做proxy-arp

set security nat proxy-arp interface ge-0/0/0.0 address 112.48.20.11/32 to 112.48.20.15/32

set security nat proxy-arp interface ge-0/0/0.0 address 112.48.20.21/32 to 112.48.20.30/32

 

做完这些就可以了? NO! NO! NO!防火墙域间策略不能忘

//首先定义两个地址池,并加入到地址组NET中

set security zones security-zone trust address-book address 192.168.100.0 192.168.100.0/24

set security zones security-zone trust address-book address 192.168.200.0 192.168.200.0/24

set security zones security-zone trust address-book address-set NET address 192.168.100.0

set security zones security-zone trust address-book address-set NET address 192.168.200.0

 

//将地址组匹配到trust到untrust的策略中,并放行

set security policies from-zone trust to-zone untrust policy 1 match source-address NET

set security policies from-zone trust to-zone untrust policy 1 match destination-address any

set security policies from-zone trust to-zone untrust policy 1 match application any

set security policies from-zone trust to-zone untrust policy 1 then permit

 

到此,这192.168.100.0192.168.200.0就可以通过NAT上网了

二、Destination NAT

部分服务器需要映射到公网去,怎么做呢?那么往下看:

//首先创建要映射的服务器地址池(包括IP地址和端口)

set security nat destination pool 1 address 192.168.168.168/32

set security nat destination pool 1 address port 443

 

//创建Destination NAT规则要映射的服务器地址池(包括IP地址和端口)

set security nat destination rule-set desnat from zone untrust

set security nat destination rule-set desnat to zone trust

set security nat destination rule-set desnat rule server1 match source-address 0.0.0.0/0

//匹配访问112.48.20.2的4430端口转换到内网服务器的443端口

set security nat destination rule-set desnat rule server1 match destination-address 112.48.20.2/32

set security nat destination rule-set desnat rule server1 match destination-port 4430

set security nat destination rule-set desnat rule server1 then destination-nat pool 1

 

还有必不可少的防火墙域间策略

//创建内网服务器地址组及端口

set security zones security-zone trust address-book address server1 192.168.168.168/32

set applications application Service_4430 term Service_4430 protocol tcp

set applications application Service_4430 term Service_4430 source-port 0-65535

set applications application Service_4430 term Service_4430 destination-port 4430-4430

 

//创建untrust到trust的策略,目前地址匹配内网服务器地址及端口

set security policies from-zone untrust to-zone trust policy 1 match source-address any

set security policies from-zone untrust to-zone trust policy 1 match destination-address server1

set security policies from-zone untrust to-zone trust policy 1 match application Service_4430

set security policies from-zone untrust to-zone trust policy 1 then permit

 

 

至此,外网就可以使用http://112.48.20.2:4430/访问内网的服务器了

 

 

还有一个问题,此时内网的用户却不能使用这个公网地址访问内部的服务器,这个需要在NAT上再做一个内部的地址转换,如下:

//创建一个源地址映射的地址池(内部服务器映射的地址)

set security nat source pool sorpool4 address 112.48.20.2/32

//创建trust到trust的策略如下

set security nat source rule-set trust-trust from zone trust

set security nat source rule-set trust-trust to zone trust

set security nat source rule-set trust-trust rule server1 match source-address 0.0.0.0/0

set security nat source rule-set trust-trust rule server1 match destination-address 192.168.168.168/32

set security nat source rule-set trust-trust rule server1 match destination-port 443

set security nat source rule-set trust-trust rule server1 then source-nat pool sorpool4

 

至此,内网也可以通过公网地址访问内部服务器了!!!

 

    如有雷同,纯属巧合,欢迎指正!

向AI问一下细节

免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。

AI