• Juniper SRX Firewall - NAT Study Notes!


    Junos NAT
    Part 1: SRX NAT introduction
    Part 2: Source NAT: Interface NAT
    Part 3: Source NAT: Address Pools
    Part 4: Destination NAT
    Part 5: Static NAT
    --------------------------------------------------
    SRX NAT introduction
    1. Source NAT   //translates the source address; the NAT + Global equivalent
    2. Destination NAT  //cf. static PAT
    3. Static NAT   //static one-to-one translation

    SRX NAT processing flow:

    Priority: static NAT ------ destination NAT ------ source NAT

    NAT lookup and processing order

    --------------------------------------------------
    Part 2: Source NAT: Interface NAT
    Interface NAT

    SRX platforms support a NAT configuration where the source IP addresses in flows are translated to the address assigned to the security platform's own outgoing interface. This behavior is commonly called interface NAT and is similar to the NAT mode interface configuration in ScreenOS.

    SP1-------------SRX------------Inside1
    202.100.1.0/24       10.1.1.0/24
    PAT the internal network 10.1.1.0/24.
    Configure a policy so that Inside1 can reach Outside!!
    edit security policies from-zone Inside1 to-zone Outside policy Permit-ALL
    set match source-address any
    set match destination-address any
    set match application any
    set then permit
    set then log session-init session-close

    Configure logging
    edit system syslog file nat-log
    set any any
    set match RT_FLOW_SESSION

    Configure NAT:
    edit security nat source rule-set NAT-Policy    //a rule-set is a group of NAT rules
    set from zone Inside1
    set to zone Outside
    edit rule Inside1-Outside-Interface-NAT  //rule
    set match source-address 10.1.1.0/24
    set match destination-address 202.100.1.0/24 //optional; not needed for plain Internet access
    set then source-nat interface
    commit   //commit and apply!

    show security flow session 
    show log nat-log    //view the NAT translation entries!!
    show security nat source rule all  //view the NAT rule type..
    ---------------------------------------------------
    Part 3: Source NAT: Address Pool
    Reusing an external address pool
    edit security nat source
    set pool nat-pool address 202.100.1.101/32 to 202.100.1.103/32
    up
    set proxy-arp interface fe-0/0/0.0 address 202.100.1.101/32 to 202.100.1.103/32 //important: proxy ARP must be enabled for the pool addresses

    edit source rule-set NAT-Policy
    edit rule Inside1-Outside-Address-Pools
    set match source-address 10.1.1.0/24
    set then source-nat pool nat-pool    //both are source rules; with two rules in the rule-set, the one listed first wins!!

    insert rule Inside1-Outside-Address-Pools before rule Inside1-Outside-Interface-NAT  //move the address-pool rule ahead!!

    run show security flow session  //PAT through the pool addresses in turn!
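The ordering point above (two source rules in one rule-set, first match wins, and `insert ... before` to reorder) as an added Python model; this is not Junos code from the original notes. Rule names, addresses and the optional destination-address term are taken from the page; the top-down first-match walk is an assumption about how the rule-set is evaluated.

```python
import ipaddress

# Model of the source NAT rule-set from this page: the rules of a rule-set are
# walked top down and the first rule whose match terms all hit supplies the
# "then" action. Names/addresses come from the notes; the walk is our assumption.
RULES_AS_TYPED = [
    {"name": "Inside1-Outside-Interface-NAT", "source-address": "10.1.1.0/24",
     "destination-address": "202.100.1.0/24",   # the optional match term
     "then": "source-nat interface"},
    {"name": "Inside1-Outside-Address-Pools", "source-address": "10.1.1.0/24",
     "destination-address": None,               # no destination term: matches any
     "then": "source-nat pool nat-pool"},
]

def insert_before(rules, rule_name, before_name):
    """Model of `insert rule <rule_name> before rule <before_name>`."""
    moving = next(r for r in rules if r["name"] == rule_name)
    rest = [r for r in rules if r["name"] != rule_name]
    idx = next(i for i, r in enumerate(rest) if r["name"] == before_name)
    return rest[:idx] + [moving] + rest[idx:]

def first_match(rules, src_ip, dst_ip):
    """Return (rule name, then action) of the first matching rule, or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if src not in ipaddress.ip_network(r["source-address"]):
            continue
        dst_term = r["destination-address"]
        if dst_term and dst not in ipaddress.ip_network(dst_term):
            continue
        return r["name"], r["then"]
    return None  # no rule hit: the packet leaves untranslated

if __name__ == "__main__":
    # As typed, the interface rule sits first and wins for 10.1.1.1 -> 202.100.1.1.
    print(first_match(RULES_AS_TYPED, "10.1.1.1", "202.100.1.1"))
    # After `insert rule ... before rule ...` the pool rule wins for the same flow.
    reordered = insert_before(RULES_AS_TYPED, "Inside1-Outside-Address-Pools",
                              "Inside1-Outside-Interface-NAT")
    print(first_match(reordered, "10.1.1.1", "202.100.1.1"))
    # A destination outside 202.100.1.0/24 misses the interface rule's optional term.
    print(first_match(RULES_AS_TYPED, "10.1.1.1", "203.0.113.5"))
```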

    Disable PAT //dynamic one-to-one; the last session falls back to the interface address!
    edit pool nat-pool
    set port no-translation
    set overflow-pool interface
    set port-randomization disable  //allocate ports in ascending order, reusing address and port!!

    Configure Persistent NAT  //persistent NAT keeps the translation slot, so the translation stays visible!!
    edit security nat source
    edit rule-set NAT-Policy rule Inside1-Outside-Address-Pools
    set then source-nat pool nat-pool persistent-nat permit target-host-port

    run show security flow session
    run show security nat source persistent-nat-table all

    ---------------------------------------------------
    Part 4: Destination NAT  //like Cisco static PAT!!
    Translate Inside1 10.1.1.1 port 23 to the external address 202.100.1.201 port 2323!!
    edit security nat destination
    set pool Inside1-23 address 10.1.1.1/32 port 23
    edit rule-set Outside-to-Inside1-Des-NAT
    set from zone Outside
    edit rule Inside1-Router-23
    set match source-address 0.0.0.0/0
    set match destination-address 202.100.1.201/32
    set match destination-port 2323
    set then destination-nat pool Inside1-23
    up
    edit proxy-arp interface fe-0/0/0.0 address 202.100.1.201/32

    Permit the inbound traffic!
    edit security zones security-zone Inside1
    set address-book address Inside1-Router 10.1.1.1/32
    up
    up
    edit policies from-zone Outside to-zone Inside1
    edit policy Permit-Inside1-23
    set match source-address any
    set match destination-address Inside1-Router
    set match application junos-telnet
    set then permit
    commit
    ------------------------------------------------------
    Part 5: Static NAT, static one-to-one!! Translates both source and destination!!
    edit security nat static
    edit rule-set Outside-to-Inside
    set from zone Outside
    edit rule 1to1
    set match destination-address 202.100.1.221/32
    set then static-nat prefix 10.1.1.1/32
    up
    up
    set proxy-arp interface fe-0/0/0.0 address 202.100.1.221/32

    Permit the inbound traffic!
    edit security zones security-zone Inside1
    set address-book address Inside1-Router 10.1.1.1/32
    up
    up
    edit policies from-zone Outside to-zone Inside1
    edit policy Permit-Inside1-23
    set match source-address any
    set match destination-address Inside1-Router
    set match application junos-telnet
    set then permit
    commit

    Translation works in both directions!!
    run show security flow session !!
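Added example, not part of the original notes: parsing RT_FLOW_SESSION_CREATE lines such as those the nat-log file from part 2 collects, to check which NAT rule applied to each session and whether source NAT kept the original port. The sample lines are constructed in the structured key="value" layout using this page's addresses and rule names; the outside interface address 202.100.1.10, the peer 202.100.1.5 and all ports are assumptions.

```python
import re

# Constructed RT_FLOW_SESSION_CREATE lines in the structured key="value" layout, using
# this page's addresses and rule names. The outside interface address 202.100.1.10,
# the peer 202.100.1.5 and all ports are made up for the example.
SAMPLE_LOG = """\
Jan  1 10:00:01 srx RT_FLOW: RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="10.1.1.1" source-port="40001" destination-address="202.100.1.1" destination-port="23" service-name="junos-telnet" nat-source-address="202.100.1.101" nat-source-port="40001" nat-destination-address="202.100.1.1" nat-destination-port="23" src-nat-rule-name="Inside1-Outside-Address-Pools" dst-nat-rule-name="N/A" protocol-id="6" policy-name="Permit-ALL" source-zone-name="Inside1" destination-zone-name="Outside"]
Jan  1 10:00:05 srx RT_FLOW: RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="10.1.1.2" source-port="40002" destination-address="202.100.1.1" destination-port="23" service-name="junos-telnet" nat-source-address="202.100.1.10" nat-source-port="5123" nat-destination-address="202.100.1.1" nat-destination-port="23" src-nat-rule-name="Inside1-Outside-Interface-NAT" dst-nat-rule-name="N/A" protocol-id="6" policy-name="Permit-ALL" source-zone-name="Inside1" destination-zone-name="Outside"]
Jan  1 10:00:09 srx RT_FLOW: RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="202.100.1.5" source-port="50000" destination-address="202.100.1.201" destination-port="2323" service-name="None" nat-source-address="202.100.1.5" nat-source-port="50000" nat-destination-address="10.1.1.1" nat-destination-port="23" src-nat-rule-name="N/A" dst-nat-rule-name="Inside1-Router-23" protocol-id="6" policy-name="Permit-Inside1-23" source-zone-name="Outside" destination-zone-name="Inside1"]
Jan  1 10:00:12 srx RT_FLOW: RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.130 reason="TCP FIN" source-address="10.1.1.1" source-port="40001"]
"""

KV = re.compile(r'([\w-]+)="([^"]*)"')

def parse_session_create(line):
    """Return the key="value" fields of one RT_FLOW_SESSION_CREATE line, else None."""
    if "RT_FLOW_SESSION_CREATE" not in line:
        return None
    return dict(KV.findall(line))

def nat_summary(log_text):
    """One row per session: original and translated 4-tuple, which NAT rule applied,
    and whether source NAT kept the original port (pool with `port no-translation`)."""
    rows = []
    for line in log_text.splitlines():
        f = parse_session_create(line)
        if not f:
            continue  # SESSION_CLOSE and unrelated lines carry no translation fields
        src = (f["source-address"], f["source-port"])
        dst = (f["destination-address"], f["destination-port"])
        nsrc = (f["nat-source-address"], f["nat-source-port"])
        ndst = (f["nat-destination-address"], f["nat-destination-port"])
        rows.append({
            "orig": src + dst,
            "translated": nsrc + ndst,
            "source_nat": f["src-nat-rule-name"] if nsrc != src else None,
            "destination_nat": f["dst-nat-rule-name"] if ndst != dst else None,
            # address changed but port did not: the pool's port no-translation case
            "port_preserved": nsrc[0] != src[0] and nsrc[1] == src[1],
        })
    return rows

if __name__ == "__main__":
    for row in nat_summary(SAMPLE_LOG):
        print(row)
```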

  • Original source: https://www.cnblogs.com/fklin/p/4678376.html