Practical Juniper SRX NAT tips.
Source: Internet. Editor: 程序博客网. Time: 2024/06/07 20:05
When you configure a route-based IPsec VPN and the st0 tunnel interface sits in the same zone as the external (Internet) interface, the interface source NAT rule that gives trust hosts Internet access would also translate the VPN traffic and break it. To keep both Internet access and the VPN working, add a more specific rule for the VPN traffic with source-nat off and place it ahead of the catch-all:
set security nat source rule-set 002 from zone trust
set security nat source rule-set 002 to zone untrust
set security nat source rule-set 002 rule 01 match source-address 172.16.0.0/24
set security nat source rule-set 002 rule 01 match destination-address 10.220.0.0/24
set security nat source rule-set 002 rule 01 then source-nat off
Configuration for normal Internet access. Source NAT rules in a rule-set are evaluated in order and the first match wins, so the catch-all rule 02 must stay after the VPN exemption in rule 01:
set security nat source rule-set 002 rule 02 match source-address 0.0.0.0/0
set security nat source rule-set 002 rule 02 match destination-address 0.0.0.0/0
set security nat source rule-set 002 rule 02 then source-nat interface
set security policies from-zone trust to-zone untrust policy 001 match source-address any
set security policies from-zone trust to-zone untrust policy 001 match destination-address any
set security policies from-zone trust to-zone untrust policy 001 match application any
set security policies from-zone trust to-zone untrust policy 001 then permit
A second case: a server is published on the SRX with destination NAT, but internal clients also reach it through the destination-NAT (public) address.
For TCP applications this causes a session hairpin problem: the server sees the client's real internal address and may answer it directly, so the reply never comes back through the SRX and the handshake fails. There are two usual fixes: 1, run a DNS server (split DNS) that resolves the name to the internal address for internal clients;
2, source NAT the internal client's session to the SRX's internal interface address, so the server replies to the SRX and the reply matches the session.
This is the second fix; the configuration follows. Two things to note: a, the destination NAT rule-set must also have from zone trust, otherwise the hairpin packet is never translated;
b, trust-to-trust traffic must be permitted by a security policy (the SRX default policy is deny, intra-zone traffic included).
set security nat source rule-set 001 from zone trust
set security nat source rule-set 001 to zone trust
set security nat source rule-set 001 rule 03 match source-address 172.16.1.0/24
set security nat source rule-set 001 rule 03 match destination-address 172.16.2.0/24
set security nat source rule-set 001 rule 03 then source-nat interface
set security nat destination rule-set 001 from zone trust
set security policies from-zone trust to-zone trust policy 001 match source-address any
set security policies from-zone trust to-zone trust policy 001 match destination-address any
set security policies from-zone trust to-zone trust policy 001 match application any
set security policies from-zone trust to-zone trust policy 001 then permit
Common destination NAT configuration:
set security nat destination pool nfs-app address 172.16.2.100/32
set security nat destination pool nfs-app address port 2049
set security nat destination rule-set 001 from zone trust
set security nat destination rule-set 001 from zone untrust
set security nat destination rule-set 001 rule 01 match destination-address 202.100.117.209/32
set security nat destination rule-set 001 rule 01 match destination-port 9090
set security nat destination rule-set 001 rule 01 then destination-nat pool nfs-app
set security nat destination rule-set 001 rule 02 match destination-address 202.100.117.209/32
set security nat destination rule-set 001 rule 02 match destination-port 9000
set security nat destination rule-set 001 rule 02 then destination-nat pool old-lab
set security zones security-zone trust address-book address nfs 172.16.2.100/32
set security policies from-zone untrust to-zone trust policy 001 match source-address any
set security policies from-zone untrust to-zone trust policy 001 match destination-address nfs
set security policies from-zone untrust to-zone trust policy 001 match application nfs-tcp
set security policies from-zone untrust to-zone trust policy 001 match application nfs-udp
set security policies from-zone untrust to-zone trust policy 001 then permit
set security policies from-zone untrust to-zone trust policy 001 then log session-close
set applications application nfs-udp protocol udp
set applications application nfs-udp source-port 1-65535
set applications application nfs-udp destination-port 2049
set applications application nfs-tcp protocol tcp
set applications application nfs-tcp source-port 1-65535
set applications application nfs-tcp destination-port 2049
Sometimes during a network rebuild you run into this:
a server's default gateway is another device on a different ISP link, so the server's gateway is not the SRX, yet Internet users must reach it through destination NAT on the SRX.
The fix is interesting and resembles the NAT hairpin case above: add a source NAT rule that rewrites Internet users' sessions to the SRX interface address, so the server's replies return to the SRX instead of leaving via its own gateway. Source NAT rules are matched against the destination after destination NAT has been applied, which is why the rule below matches the real server address 172.16.3.100/32 rather than the public address. The fragment below omits the zone context of rule-set 003; like rule-sets 001 and 002 above, it needs its from zone / to zone statements (from untrust to trust in this scenario) ahead of the rule.
set security nat source rule-set 003 rule 03 match source-address 0.0.0.0/0
set security nat source rule-set 003 rule 03 match destination-address 172.16.3.100/32
set security nat source rule-set 003 rule 03 then source-nat interface
Common destination NAT configuration (pool old-lab is the one referenced by rule 02 above):
set security nat destination pool old-lab address 172.16.3.100/32
set security nat destination pool old-lab address port 22
set security nat destination rule-set 001 rule 02 match destination-port 9000
set security nat destination rule-set 001 rule 02 then destination-nat pool old-lab
set security zones security-zone trust address-book address old-lab 172.16.3.100/32
set security policies from-zone untrust to-zone trust policy 002 match source-address any
set security policies from-zone untrust to-zone trust policy 002 match destination-address old-lab
set security policies from-zone untrust to-zone trust policy 002 match application junos-ssh
set security policies from-zone untrust to-zone trust policy 002 then permit
set security policies from-zone untrust to-zone trust policy 002 then log session-init
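To reason about the three source NAT cases above (the VPN exemption and its rule ordering, the trust-to-trust hairpin, and the server whose gateway is elsewhere) without a lab, here is an added Python model of SRX first-packet NAT evaluation. It is illustration written for this page, not code from the original post or from Juniper: destination NAT is chosen by from-zone, a route lookup then gives the egress zone, and source NAT is chosen by from-zone/to-zone with first match winning and matched against the post-DNAT destination. The zone of each prefix, the SRX trust-side address 172.16.1.1, the Internet client 198.51.100.7 and the from untrust / to trust context for rule-set 003 are assumptions not stated on the page.

```python
"""Added model of SRX first-packet NAT evaluation for the rule-sets on this
page (illustration, not Junos code). Order mirrors the SRX flow:
destination NAT (rule-set chosen by from-zone) -> route lookup for the
egress zone -> source NAT (rule-set chosen by from-zone/to-zone, rules
evaluated in order, matched against the post-DNAT destination)."""
import ipaddress
from dataclasses import dataclass

# Assumed topology (not stated on the page): zone per prefix and the SRX
# address in each zone. 172.16.1.1 as the trust-side address is invented.
ROUTES = [
    ("172.16.0.0/16", "trust"),
    ("10.220.0.0/24", "untrust"),  # remote VPN subnet, via st0 which sits in zone untrust
    ("0.0.0.0/0", "untrust"),
]
IFACE_ADDR = {"trust": "172.16.1.1", "untrust": "202.100.117.209"}

# Destination NAT rule-set 001 from the page: from-zones, then
# (match destination, match port, pool address, pool port).
DNAT_RULESETS = [
    ({"trust", "untrust"}, [
        ("202.100.117.209/32", 9090, "172.16.2.100", 2049),  # pool nfs-app
        ("202.100.117.209/32", 9000, "172.16.3.100", 22),    # pool old-lab
    ]),
]

# Source NAT rule-sets from the page: (from-zone, to-zone, rules), each rule
# (match source, match destination, action). Rule-set 003 carries no zone
# context on the page; from untrust to trust is assumed here.
SNAT_RULESETS = [
    ("trust", "trust", [("172.16.1.0/24", "172.16.2.0/24", "interface")]),     # rule-set 001
    ("trust", "untrust", [("172.16.0.0/24", "10.220.0.0/24", "off"),          # rule-set 002
                          ("0.0.0.0/0", "0.0.0.0/0", "interface")]),
    ("untrust", "trust", [("0.0.0.0/0", "172.16.3.100/32", "interface")]),   # rule-set 003
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    src_zone: str


def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def egress_zone(dst):
    """Longest-prefix match over ROUTES; the default route guarantees a hit."""
    hits = [(ipaddress.ip_network(n).prefixlen, z) for n, z in ROUTES if in_net(dst, n)]
    return max(hits)[1]


def apply_dnat(pkt, rulesets=DNAT_RULESETS):
    """Destination NAT: only rule-sets whose from-zone list contains the
    packet's ingress zone are consulted (hence 'from zone trust' for hairpin)."""
    for zones, rules in rulesets:
        if pkt.src_zone in zones:
            for dst, dport, pool_addr, pool_port in rules:
                if in_net(pkt.dst, dst) and pkt.dport == dport:
                    return Packet(pkt.src, pool_addr, pool_port, pkt.src_zone), True
    return pkt, False


def apply_snat(pkt, dst_zone, rulesets=SNAT_RULESETS):
    """Source NAT: pick the rule-set for (ingress zone, egress zone), then the
    first rule whose source/destination match decides; later rules are ignored."""
    for from_zone, to_zone, rules in rulesets:
        if (from_zone, to_zone) != (pkt.src_zone, dst_zone):
            continue
        for src, dst, action in rules:
            if in_net(pkt.src, src) and in_net(pkt.dst, dst):
                if action == "interface":
                    return Packet(IFACE_ADDR[dst_zone], pkt.dst, pkt.dport, pkt.src_zone), "interface"
                return pkt, "off"
    return pkt, "none"


def process(pkt, snat_rulesets=SNAT_RULESETS):
    """Return (translated packet, egress zone, dnat applied?, snat action)."""
    pkt, dnat = apply_dnat(pkt)
    zone = egress_zone(pkt.dst)
    pkt, snat = apply_snat(pkt, zone, snat_rulesets)
    return pkt, zone, dnat, snat


def reply_returns_via_srx(translated):
    """The server answers the source address it saw. Only an SRX address forces
    that reply back through the firewall, where it matches the session and is
    reverse-translated; a client's real address may be answered directly
    (same switch, or a gateway other than the SRX) and the TCP handshake fails."""
    return translated.src in IFACE_ADDR.values()


def reordered_trust_to_untrust():
    """Rule-set 002 with the catch-all rule 02 placed ahead of rule 01."""
    return [(f, t, list(reversed(r))) if (f, t) == ("trust", "untrust") else (f, t, r)
            for f, t, r in SNAT_RULESETS]


if __name__ == "__main__":
    cases = {
        "vpn": Packet("172.16.0.10", "10.220.0.5", 443, "trust"),
        "internet": Packet("172.16.0.10", "8.8.8.8", 443, "trust"),
        "hairpin": Packet("172.16.1.10", "202.100.117.209", 9090, "trust"),
        "old-lab ssh": Packet("198.51.100.7", "202.100.117.209", 9000, "untrust"),
    }
    for name, pkt in cases.items():
        out, zone, dnat, snat = process(pkt)
        print(f"{name:12} {out.src} -> {out.dst}:{out.dport} zone={zone} dnat={dnat} snat={snat}")
```

Running it shows the VPN packet leaving untranslated while the same host's Internet traffic gets the interface address, the hairpin packet reaching 172.16.2.100:2049 with the SRX's own trust address as source, and the Internet user's SSH session to old-lab arriving with the SRX address as source so the server's reply cannot escape via its other gateway. Evaluate with reordered_trust_to_untrust() to see the VPN exemption silently lost when the catch-all comes first.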
In practice you may also run into this problem:
a customer does not want SSH on the Internet-facing interface brute-forced on port 22, and the SRX has no option to change the SSH port itself, so NAT is used instead.
Anyone who has done RE protection knows that the loopback interface is the interface between the data plane and the control plane.
We can disable SSH on the untrust interface (host-inbound-traffic) and instead publish the loopback interface's SSH on a different port of the Internet address through destination NAT.
The same trick works for HTTP and HTTPS management. Below is the destination NAT part only; the pool loop-ssh (the lo0 address with port 22) and the security policy are not shown, please add them yourself. Moving the port only hides the service from casual scanners; it does not replace a lo0 firewall filter that restricts management sources, key-based authentication and login rate limiting.
set security nat destination rule-set 001 rule 03 match source-address 0.0.0.0/0
set security nat destination rule-set 001 rule 03 match destination-address 202.100.117.209/32
set security nat destination rule-set 001 rule 03 match destination-port 9099
set security nat destination rule-set 001 rule 03 then destination-nat pool loop-ssh
One more scenario: when building IPsec after a merger, or because of poor address planning, the two sides' address ranges overlap. Both policy-based and route-based IPsec run into some trouble there,
and it can likewise be solved with NAT. Time is short, so that will wait for the next post.