Juniper SRX firewall: NAT configuration examples from a production network
NAT configuration on the SRX differs markedly from ScreenOS. To keep the system flexible, the SRX pulls NAT out of the security policy into a layer of its own: in SRX Junos a security policy decides only whether traffic is forwarded, while NAT rules decide only how addresses and ports are translated, and the two are configured independently. One consequence of that split must be kept in mind when writing policies: in the SRX flow, static NAT and destination NAT are applied before the policy lookup and source NAT after it, so a policy that permits destination-NATed or static-NATed traffic has to match the translated (internal) destination address rather than the public one, while it still matches the original, pre-source-NAT source address.
SRX NAT comes in three kinds: source NAT, destination NAT and static NAT. Their syntax is similar. Every NAT rule must be placed inside a rule-set, and the rule-set is selected by its context: a source NAT rule-set has a from and a to context (zone, logical interface or routing instance), while destination and static NAT rule-sets have only a from context. Only one rule-set is allowed between any given pair of zones or pair of logical interfaces. When several rule-sets could apply to a packet, the more specific context wins (interface over zone over routing instance), and within a rule-set the rules are evaluated top-down with the first match taking effect, so rule order matters.
Note that the SRX does not generate proxy-ARP entries for NAT rules automatically. When a NAT address differs from the egress interface's own address but lies in the same subnet, proxy-ARP must be configured by hand on that interface so that the SRX answers ARP requests for the NAT address; otherwise the next-hop device cannot resolve the NAT address to a MAC address, cannot build a complete Ethernet frame header, and the communication fails. This applies to source NAT pool addresses, to the public addresses matched by destination NAT rules, and to the external side of a static NAT mapping; interface-based source NAT needs nothing extra because the interface address already answers ARP. To confirm that translation is actually happening, check show security flow session on the SRX (the In and Out legs of a session show the translated addresses) together with show security nat destination rule all and show security nat static rule all, whose hit counters show whether a rule is being matched at all.
Configuration (set commands). Destination NAT rule 30 redirects traffic arriving from zone ggsn for 10.0.0.173 port 1645 to 10.26.105.172 port 1812, translating both the address and the port (1645 is the legacy and 1812 the IANA-assigned RADIUS authentication port); static NAT maps the public address 211.137.59.27 to the internal 10.26.105.170 in both directions; the proxy-arp entries cover the two public addresses the SRX must answer ARP for:
set security nat source rule-set src-nat from zone trust
set security nat source rule-set src-nat to zone untrust
set security nat source rule-set src-nat rule src-1 match source-address 192.168.1.0/24
set security nat source rule-set src-nat rule src-1 then source-nat interface
set security nat destination pool 10-26-105-172-p1812 address 10.26.105.172/32
set security nat destination pool 10-26-105-172-p1812 address port 1812
set security nat destination rule-set dst-nat from zone ggsn
set security nat destination rule-set dst-nat rule 30 match destination-address 10.0.0.173/32
set security nat destination rule-set dst-nat rule 30 match destination-port 1645
set security nat destination rule-set dst-nat rule 30 then destination-nat pool 10-26-105-172-p1812
set security nat destination rule-set dst-nat rule 40 match destination-address 10.0.0.173/32
set security nat static rule-set static from zone cmnet
set security nat static rule-set static rule static-10 match destination-address 211.137.59.27/32
set security nat static rule-set static rule static-10 then static-nat prefix 10.26.105.170/32
set security nat proxy-arp interface reth2.0 address 211.137.59.27/32
set security nat proxy-arp interface reth0.0 address 10.0.0.173/32
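The proxy-ARP requirement is easy to miss and shows up only as a silent ARP failure on the next hop, so here is an added example, written for this revision and not taken from the page or from Juniper, of a small offline check in Python. It parses Junos set commands, collects every NAT address the SRX must answer ARP for (source NAT pool addresses, and the destination addresses matched by destination and static NAT rules), and reports any that fall inside a directly connected interface subnet without a matching set security nat proxy-arp entry. The interface addresses 10.0.0.1/24 on reth0.0 and 211.137.59.1/24 on reth2.0 are assumptions, as is the extra static rule static-20 that is included to show a failing case; the remaining sample lines are the page's own NAT configuration.

```python
"""Offline proxy-ARP gap check for SRX NAT configuration in Junos set format.

Added example, not from the page or from Juniper. Interface addresses and the
static-20 rule below are assumptions made for the demonstration.
"""
import ipaddress
import re

# Constructed sample config: the page's NAT and proxy-arp lines, plus assumed
# interface addresses and an assumed extra static rule without proxy-arp.
CONFIG = """\
set interfaces reth0 unit 0 family inet address 10.0.0.1/24
set interfaces reth2 unit 0 family inet address 211.137.59.1/24
set security nat source rule-set src-nat from zone trust
set security nat source rule-set src-nat to zone untrust
set security nat source rule-set src-nat rule src-1 match source-address 192.168.1.0/24
set security nat source rule-set src-nat rule src-1 then source-nat interface
set security nat destination pool 10-26-105-172-p1812 address 10.26.105.172/32
set security nat destination pool 10-26-105-172-p1812 address port 1812
set security nat destination rule-set dst-nat from zone ggsn
set security nat destination rule-set dst-nat rule 30 match destination-address 10.0.0.173/32
set security nat destination rule-set dst-nat rule 30 match destination-port 1645
set security nat destination rule-set dst-nat rule 30 then destination-nat pool 10-26-105-172-p1812
set security nat static rule-set static from zone cmnet
set security nat static rule-set static rule static-10 match destination-address 211.137.59.27/32
set security nat static rule-set static rule static-10 then static-nat prefix 10.26.105.170/32
set security nat static rule-set static rule static-20 match destination-address 211.137.59.28/32
set security nat static rule-set static rule static-20 then static-nat prefix 10.26.105.171/32
set security nat proxy-arp interface reth2.0 address 211.137.59.27/32
set security nat proxy-arp interface reth0.0 address 10.0.0.173/32
"""

INTF_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
SRC_POOL_RE = re.compile(r"^set security nat source pool \S+ address (\S+)(?: to (\S+))?$")
DST_MATCH_RE = re.compile(
    r"^set security nat (destination|static) rule-set \S+ rule \S+ match destination-address (\S+)$")
PROXY_RE = re.compile(r"^set security nat proxy-arp interface (\S+) address (\S+)(?: to (\S+))?$")


def hosts(first, last=None):
    """Expand 'A/32', a prefix, or 'A/32 to B/32' into individual addresses."""
    net = ipaddress.ip_network(first, strict=False)
    if last is None:
        return [net.network_address] if net.prefixlen == 32 else list(net.hosts())
    lo = int(net.network_address)
    hi = int(ipaddress.ip_network(last, strict=False).network_address)
    return [ipaddress.ip_address(i) for i in range(lo, hi + 1)]


def parse(config):
    """Collect interface addresses, NAT addresses needing ARP, and proxy-arp entries."""
    intfs = {}         # logical interface name -> IPv4Interface
    nat_addrs = set()  # (address, why the SRX must answer ARP for it)
    proxy = set()      # (logical interface, address) pairs with proxy-arp configured
    for line in config.splitlines():
        line = line.strip()
        if m := INTF_RE.match(line):
            intfs[f"{m[1]}.{m[2]}"] = ipaddress.ip_interface(m[3])
        elif m := SRC_POOL_RE.match(line):
            nat_addrs.update((a, "source NAT pool address") for a in hosts(m[1], m[2]))
        elif m := DST_MATCH_RE.match(line):
            nat_addrs.update((a, f"{m[1]} NAT match address") for a in hosts(m[2]))
        elif m := PROXY_RE.match(line):
            proxy.update((m[1], a) for a in hosts(m[2], m[3]))
    return intfs, nat_addrs, proxy


def missing_proxy_arp(config):
    """Return [(interface, address, reason)] for NAT addresses that sit in a
    connected subnet, are not the interface's own address, and lack proxy-arp."""
    intfs, nat_addrs, proxy = parse(config)
    findings = []
    for addr, reason in sorted(nat_addrs):
        for name, iface in intfs.items():
            if addr == iface.ip:
                continue  # the interface's own address answers ARP by itself
            if addr in iface.network and (name, addr) not in proxy:
                findings.append((name, str(addr), reason))
    return findings


if __name__ == "__main__":
    for name, addr, reason in missing_proxy_arp(CONFIG):
        print(f"{name}: add 'set security nat proxy-arp interface {name} address {addr}/32' ({reason})")
```

Run it against the output of show configuration | display set from a real device. Addresses that lie outside every connected subnet are deliberately not flagged: those are reached by routing, so the upstream router needs a route for them rather than an ARP answer from the SRX.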
The same configuration in hierarchical form, as displayed by show security on a lab SRX210 (the source NAT rule-set here is named src, goes from trust to cmnet and matches any source, so the names differ from the set commands above):
lab@srx210# show security
nat {
    source {
        rule-set src {
            from zone trust;
            to zone cmnet;
            rule src-10 {
                match {
                    source-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
    }
    destination {
        pool 10-26-105-172-p1812 {
            address 10.26.105.172/32 port 1812;
        }
        rule-set dst-nat {
            from zone ggsn;
            rule 30 {
                match {
                    destination-address 10.0.0.173/32;
                    destination-port 1645;
                }
                then {
                    destination-nat pool 10-26-105-172-p1812;
                }
            }
        }
    }
    static {
        rule-set static {
            from zone cmnet;
            rule static-10 {
                match {
                    destination-address 211.137.59.27/32;
                }
                then {
                    static-nat prefix 10.26.105.170/32;
                }
            }
        }
    }
}