SRX Firewall Tip: Letting Private Hosts Inside Trust Reach Their Mapped Public Addresses
Requirement: private hosts inside the Trust zone accessing the public (mapped) addresses
1. Test objective
The Sichuan Mobile Music Base is one of China Mobile's eight major bases: 98% of new songs nationwide premiere in Sichuan, 86% of online song clicks come from Sichuan, and it drove network-wide revenue of over 5 billion yuan in 2006, more than 10 billion yuan in 2007, 18 billion yuan in 2008 and more than 22 billion yuan in 2009.
The Sichuan Mobile Music Center has a large number of internal servers sitting behind a Juniper SRX3600. Everything inside the firewall's trust zone uses private addresses, and hosts in the public untrust zone reach the trust servers through address mappings. The servers inside trust also need to reach each other, but when they do so they do not use the private addresses: because of how the applications were developed, server-to-server access goes to the published public addresses. By default this does not work on the SRX, and some extra configuration is needed to make it work.
2. Test topology
This test mainly examines the Juniper SRX3600 firewall's support for Static NAT and Destination NAT when source and mapped destination lie in the same security zone; the topology is as follows:
3. Test requirements
A PC in the Untrust zone reaches Trust zone server 1 (SER1, IP 10.10.10.10) by accessing the firewall virtual IP 200.1.1.10, and Trust zone server 2 (SER2, IP 10.10.10.11) by accessing virtual IP 200.1.1.11;
A PC in the DMZ zone reaches SER1 (10.10.10.10) by accessing the firewall virtual IP 200.1.1.10, and SER2 (10.10.10.11) by accessing virtual IP 200.1.1.11;
Inside the Trust zone, SER1 reaches SER2 (10.10.10.11) through the firewall virtual IP 200.1.1.11, and SER2 reaches SER1 (10.10.10.10) through the firewall virtual IP 200.1.1.10;
Both servers in the Trust zone can still reach resources in the Untrust zone and the DMZ zone normally.
4. Configuration script (Static NAT)
Interfaces:
Untrust zone Static NAT mapping:
set security nat static rule-set s-untrust-trust from zone untrust
set security nat static rule-set s-untrust-trust rule test-1 match destination-address 200.1.1.10/32
set security nat static rule-set s-untrust-trust rule test-1 then static-nat prefix 10.10.10.10/32
set security nat static rule-set s-untrust-trust rule test-2 match destination-address 200.1.1.11/32
set security nat static rule-set s-untrust-trust rule test-2 then static-nat prefix 10.10.10.11/32
DMZ zone Static NAT mapping:
set security nat static rule-set dmz-s-dmz-trust from zone dmz
set security nat static rule-set dmz-s-dmz-trust rule test-11 match destination-address 200.1.1.10/32
set security nat static rule-set dmz-s-dmz-trust rule test-11 then static-nat prefix 10.10.10.10/32
set security nat static rule-set dmz-s-dmz-trust rule test-12 match destination-address 200.1.1.11/32
set security nat static rule-set dmz-s-dmz-trust rule test-12 then static-nat prefix 10.10.10.11/32
Trust zone Static NAT mapping:
set security nat static rule-set s-trust-trust from zone trust
set security nat static rule-set s-trust-trust rule test-301 match destination-address 200.1.1.10/32
set security nat static rule-set s-trust-trust rule test-301 then static-nat prefix 10.10.10.10/32
set security nat static rule-set s-trust-trust rule test-302 match destination-address 200.1.1.11/32
set security nat static rule-set s-trust-trust rule test-302 then static-nat prefix 10.10.10.11/32
Untrust zone to Trust zone policy:
set security policies from-zone untrust to-zone trust policy 10 match source-address any
set security policies from-zone untrust to-zone trust policy 10 match destination-address any
set security policies from-zone untrust to-zone trust policy 10 match application any
set security policies from-zone untrust to-zone trust policy 10 then permit
Untrust zone to DMZ zone policy:
set security policies from-zone untrust to-zone dmz policy 10 match source-address any
set security policies from-zone untrust to-zone dmz policy 10 match destination-address any
set security policies from-zone untrust to-zone dmz policy 10 match application any
set security policies from-zone untrust to-zone dmz policy 10 then permit
DMZ zone to Trust zone policy:
set security policies from-zone dmz to-zone trust policy 10 match source-address any
set security policies from-zone dmz to-zone trust policy 10 match destination-address any
set security policies from-zone dmz to-zone trust policy 10 match application any
set security policies from-zone dmz to-zone trust policy 10 then permit
Trust zone to DMZ zone policy:
set security policies from-zone trust to-zone dmz policy 10 match source-address any
set security policies from-zone trust to-zone dmz policy 10 match destination-address any
set security policies from-zone trust to-zone dmz policy 10 match application any
set security policies from-zone trust to-zone dmz policy 10 then permit
Trust zone to Trust zone policy:
set security policies from-zone trust to-zone trust policy Trust-to-Trust match source-address any
set security policies from-zone trust to-zone trust policy Trust-to-Trust match destination-address any
set security policies from-zone trust to-zone trust policy Trust-to-Trust match application any
set security policies from-zone trust to-zone trust policy Trust-to-Trust then permit
5. Configuration script (Destination NAT)
Destination NAT is configured in essentially the same way as static NAT. The point to note is that when destination NAT is used here, source address translation (source NAT) must be applied at the same time. The reason: when SER2 (10.10.10.11) accesses the firewall virtual IP 200.1.1.10, the firewall first performs destination NAT and rewrites the destination IP 200.1.1.10 to SER1 (10.10.10.10). When the server replies, it sees that the destination IP 10.10.10.11 is on its own subnet and sends the packet straight back through the switch without passing through the firewall, so the firewall cannot successfully create the session entry.
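To make the reply-path argument above concrete, here is an added Python model (not part of the original document and not Junos code) that uses the document's destination NAT mappings (200.1.1.20/21 to 10.10.10.20/21) and source pool 888 (200.1.1.101); it assumes both servers share the subnet 10.10.10.0/24 with the SRX as their default gateway, and uses a constructed Untrust client address 100.1.1.5 for comparison.

```python
from ipaddress import ip_address, ip_network

# Assumption: both Trust servers sit in this subnet and use the SRX as gateway.
TRUST_NET = ip_network("10.10.10.0/24")
# Destination NAT mappings from the document's script (VIP -> real server).
DEST_NAT = {"200.1.1.20": "10.10.10.20", "200.1.1.21": "10.10.10.21"}
# Address of source pool 888, used by the trust-to-trust source NAT rule-set.
SOURCE_POOL_888 = "200.1.1.101"


def server_view(client, vip, hairpin_source_nat):
    """Return (src, dst) as the real server sees the packet after the SRX's NAT."""
    src = SOURCE_POOL_888 if hairpin_source_nat else client
    return src, DEST_NAT[vip]


def reply_path(client, vip, hairpin_source_nat):
    """'firewall' if the server's reply must go back via the SRX,
    'direct' if it is switched straight to the client on the same subnet."""
    seen_src, _ = server_view(client, vip, hairpin_source_nat)
    # A host only sends to its default gateway (the SRX) for off-subnet destinations.
    return "firewall" if ip_address(seen_src) not in TRUST_NET else "direct"


def session_completes(client, vip, hairpin_source_nat):
    """Model whether the TCP session between client and VIP can be established."""
    _, real_dst = server_view(client, vip, hairpin_source_nat)
    if reply_path(client, vip, hairpin_source_nat) == "firewall":
        # The SRX reverses both translations: the client sees the reply come from the VIP.
        reply_src = vip
    else:
        # The reply bypassed the SRX and arrives from the private server address.
        reply_src = real_dst
    # The client's TCP stack only accepts a reply from the address it connected to.
    return reply_src == vip


if __name__ == "__main__":
    for hairpin in (False, True):
        print("trust-to-trust source NAT", "on " if hairpin else "off",
              "| reply via", reply_path("10.10.10.21", "200.1.1.20", hairpin),
              "| session completes:", session_completes("10.10.10.21", "200.1.1.20", hairpin))
```

An Untrust client (constructed address 100.1.1.5) completes the session without any source NAT, which is why only the trust-to-trust rule-set needs pool 888.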
set security nat source pool 333 address 200.1.1.100/32
set security nat source pool 888 address 200.1.1.101/32
set security nat source rule-set 1 from zone trust
set security nat source rule-set 1 to zone untrust
set security nat source rule-set 1 rule rule1 match source-address 0.0.0.0/0
set security nat source rule-set 1 rule rule1 match destination-address 0.0.0.0/0
set security nat source rule-set 1 rule rule1 then source-nat pool 333
set security nat source rule-set 888 from zone trust
set security nat source rule-set 888 to zone trust
set security nat source rule-set 888 rule rule888 match source-address 0.0.0.0/0
set security nat source rule-set 888 rule rule888 match destination-address 0.0.0.0/0
set security nat source rule-set 888 rule rule888 then source-nat pool 888
set security nat destination pool 111 address 10.10.10.20/32
set security nat destination pool 112 address 10.10.10.21/32
set security nat destination rule-set 1 from zone untrust
set security nat destination rule-set 1 rule 111 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 111 match destination-address 200.1.1.20/32
set security nat destination rule-set 1 rule 111 then destination-nat pool 111
set security nat destination rule-set 1 rule 112 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 112 match destination-address 200.1.1.21/32
set security nat destination rule-set 1 rule 112 then destination-nat pool 112
set security nat destination rule-set 101 from zone trust
set security nat destination rule-set 101 rule 211 match source-address 0.0.0.0/0
set security nat destination rule-set 101 rule 211 match destination-address 200.1.1.20/32
set security nat destination rule-set 101 rule 211 then destination-nat pool 111
set security nat destination rule-set 101 rule 212 match source-address 0.0.0.0/0
set security nat destination rule-set 101 rule 212 match destination-address 200.1.1.21/32
set security nat destination rule-set 101 rule 212 then destination-nat pool 112
set security nat destination rule-set 301 from zone dmz
set security nat destination rule-set 301 rule 311 match source-address 0.0.0.0/0
set security nat destination rule-set 301 rule 311 match destination-address 200.1.1.20/32
set security nat destination rule-set 301 rule 311 then destination-nat pool 111
set security nat destination rule-set 301 rule 312 match source-address 0.0.0.0/0
set security nat destination rule-set 301 rule 312 match destination-address 200.1.1.21/32
set security nat destination rule-set 301 rule 312 then destination-nat pool 112
set security nat static rule-set s-untrust-trust from zone untrust
set security nat static rule-set s-untrust-trust rule test-1 match destination-address 200.1.1.10/32
set security nat static rule-set s-untrust-trust rule test-1 then static-nat prefix 10.10.10.10/32
set security nat static rule-set s-untrust-trust rule test-2 match destination-address 200.1.1.11/32
set security nat static rule-set s-untrust-trust rule test-2 then static-nat prefix 10.10.10.11/32
set security nat static rule-set dmz-s-dmz-trust from zone dmz
set security nat static rule-set dmz-s-dmz-trust rule test-11 match destination-address 200.1.1.10/32
set security nat static rule-set dmz-s-dmz-trust rule test-11 then static-nat prefix 10.10.10.10/32
set security nat static rule-set dmz-s-dmz-trust rule test-12 match destination-address 200.1.1.11/32
set security nat static rule-set dmz-s-dmz-trust rule test-12 then static-nat prefix 10.10.10.11/32
set security nat static rule-set s-trust-trust from zone trust
set security nat static rule-set s-trust-trust rule test-301 match destination-address 200.1.1.10/32
set security nat static rule-set s-trust-trust rule test-301 then static-nat prefix 10.10.10.10/32
set security nat static rule-set s-trust-trust rule test-302 match destination-address 200.1.1.11/32
set security nat static rule-set s-trust-trust rule test-302 then static-nat prefix 10.10.10.11/32
set security policies from-zone trust to-zone trust policy Trust-to-Trust match source-address any
set security policies from-zone trust to-zone trust policy Trust-to-Trust match destination-address any
set security policies from-zone trust to-zone trust policy Trust-to-Trust match application any
set security policies from-zone trust to-zone trust policy Trust-to-Trust then permit
set security policies from-zone untrust to-zone trust policy 10 match source-address any
set security policies from-zone untrust to-zone trust policy 10 match destination-address any
set security policies from-zone untrust to-zone trust policy 10 match application any
set security policies from-zone untrust to-zone trust policy 10 then permit
set security policies from-zone untrust to-zone dmz policy 10 match source-address any
set security policies from-zone untrust to-zone dmz policy 10 match destination-address any
set security policies from-zone untrust to-zone dmz policy 10 match application any
set security policies from-zone untrust to-zone dmz policy 10 then permit
set security policies from-zone dmz to-zone trust policy 10 match source-address any
set security policies from-zone dmz to-zone trust policy 10 match destination-address any
set security policies from-zone dmz to-zone trust policy 10 match application any
set security policies from-zone dmz to-zone trust policy 10 then permit
set security policies from-zone trust to-zone dmz policy 10 match source-address any
set security policies from-zone trust to-zone dmz policy 10 match destination-address any
set security policies from-zone trust to-zone dmz policy 10 match application any
set security policies from-zone trust to-zone dmz policy 10 then permit
6. Test results:
lab@SRX3600-Active# run show security flow session
Session ID: 4, Policy name: Trust-to-Trust/4, State: Active, Timeout: 1760, Valid
  In: 10.10.10.21/13320 --> 200.1.1.20/80;tcp, If: ge-0/0/5.0, Pkts: 5, Bytes: 214
  Out: 10.10.10.20/80 --> 200.1.1.20/32735;tcp, If: ge-0/0/5.0, Pkts: 4, Bytes: 168

Session ID: 7, Policy name: Trust-to-Trust/4, State: Active, Timeout: 1790, Valid
  In: 10.10.10.21/13321 --> 200.1.1.20/80;tcp, If: ge-0/0/5.0, Pkts: 2, Bytes: 88
  Out: 10.10.10.20/80 --> 200.1.1.101/47263;tcp, If: ge-0/0/5.0, Pkts: 1, Bytes: 48