实用juniper SRX NAT小技巧。
当配置route-based IPSec ×××,对应的security tunnel 接口和external 接口在同一个zone时,为了正常的Internet 访问,需要做source nat off。
set security nat source rule-set 002 from zone trust
set security nat source rule-set 002 to zone untrust
set security nat source rule-set 002 rule 01 match source-address 172.16.0.0/24
set security nat source rule-set 002 rule 01 match destination-address 10.220.0.0/24
set security nat source rule-set 002 rule 01 then source-nat off
正常访问Internet 的配置。
set security nat source rule-set 002 rule 02 match source-address 0.0.0.0/0
set security nat source rule-set 002 rule 02 match destination-address 0.0.0.0/0
set security nat source rule-set 002 rule 02 then source-nat interface
set security policies from-zone trust to-zone untrust policy 001 match source-address any
set security policies from-zone trust to-zone untrust policy 001 match destination-address any
set security policies from-zone trust to-zone untrust policy 001 match application any
set security policies from-zone trust to-zone untrust policy 001 then permit
SRX上面做了server 的destination nat,但是在内网客户端需要通过destination nat 的地址去访问服务器,
对于TCP的应用,会有session 回流的情况出现,一般有两种解决办法,1,搭设DNS server,进行正确的解析,
2,将内网访问的客户会话通过source nat 转化为内网接口去访问的会话。
现在讲的第二种,配置如下,两点需要注意,a,destination nat 里面要添加from zone trust;
b,需要放行trust to trust 的流量(SRX security policy default 是deny)。
set security nat source rule-set 001 from zone trust
set security nat source rule-set 001 to zone trust
set security nat source rule-set 001 rule 03 match source-address 172.16.1.0/24
set security nat source rule-set 001 rule 03 match destination-address 172.16.2.0/24
set security nat source rule-set 001 rule 03 then source-nat interface
set security nat destination rule-set 001 from zone trust
set security policies from-zone trust to-zone trust policy 001 match source-address any
set security policies from-zone trust to-zone trust policy 001 match destination-address any
set security policies from-zone trust to-zone trust policy 001 match application any
set security policies from-zone trust to-zone trust policy 001 then permit
common destination nat 配置:
set security nat destination rule-set 001 from zone untrust
set security nat destination pool nfs-app address 172.16.2.100/32
set security nat destination pool nfs-app address port 2049
set security nat destination rule-set 001 from zone trust
set security nat destination rule-set 001 from zone untrust
set security nat destination rule-set 001 rule 01 match destination-address 202.100.117.209/32
set security nat destination rule-set 001 rule 01 match destination-port 9090
set security nat destination rule-set 001 rule 01 then destination-nat pool nfs-app
set security nat destination rule-set 001 rule 02 match destination-address 202.100.117.209/32
set security nat destination rule-set 001 rule 02 match destination-port 9000
set security nat destination rule-set 001 rule 02 then destination-nat pool old-lab
set security zones security-zone trust address-book address nfs 172.16.2.100/32
set security policies from-zone untrust to-zone trust policy 001 match source-address any
set security policies from-zone untrust to-zone trust policy 001 match destination-address nfs
set security policies from-zone untrust to-zone trust policy 001 match application nfs-tcp
set security policies from-zone untrust to-zone trust policy 001 match application nfs-udp
set security policies from-zone untrust to-zone trust policy 001 then permit
set security policies from-zone untrust to-zone trust policy 001 then log session-close
set applications application nfs-udp protocol udp
set applications application nfs-udp source-port 1-65535
set applications application nfs-udp destination-port 2049
set applications application nfs-tcp protocol tcp
set applications application nfs-tcp source-port 1-65535
set applications application nfs-tcp destination-port 2049
有时在进行网络改造的时候,会遇到这种情况;
设备的service 的网关是通过另外的ISP线路和另外设备,server网关不在SRX上,但是需要通过SRX做destination nat让Internet 用户可以访问。
要解决这个其实也很有意思,类似nat回流,需要做个source nat 讲Internet 用户的会话转变为接口的会话。
set security nat source rule-set 003 rule 03 match source-address 0.0.0.0/0
set security nat source rule-set 003 rule 03 match destination-address 172.16.3.100/32
set security nat source rule-set 003 rule 03 then source-nat interface
common destination nat 配置:
set security nat destination pool old-lab address 172.16.3.100/32
set security nat destination pool old-lab address port 22
set security nat destination rule-set 001 rule 02 match destination-port 9000
set security nat destination rule-set 001 rule 02 then destination-nat pool old-lab
set security zones security-zone trust address-book address old-lab 172.16.3.100/32
set security policies from-zone untrust to-zone trust policy 002 match source-address any
set security policies from-zone untrust to-zone trust policy 002 match destination-address old-lab
set security policies from-zone untrust to-zone trust policy 002 match application junos-ssh
set security policies from-zone untrust to-zone trust policy 002 then permit
set security policies from-zone untrust to-zone trust policy 002 then log session-init
实际中可能还会遇到这种问题:
客户不希望自己的Internet 接口ssh被别人用port 22暴力破解,SRX本身是没有修改ssh port 的功能,这时候就要用到nat,
做过RE-protect 的童鞋应该知道loop back 接口是data plane和control plane 的interface。
我们可以讲untrust接口的ssh关闭,讲loopback 接口的ssh 通过destination nat 转变为Internet 接口的其它port。
同理也可以将http 和https接口做类似的转换。以下是destination nat 部分的配置,policy配置烦请自行补上。
set security nat destination rule-set 001 rule 03 match source-address 0.0.0.0/0
set security nat destination rule-set 001 rule 03 match destination-address 202.100.117.209/32
set security nat destination rule-set 001 rule 03 match destination-port 9099
set security nat destination rule-set 001 rule 03 then destination-nat pool loop-ssh
还有中场景是做IPSec 时由于merge 或是网络规划等问题,出现了地址重合,不管是做policy-based还是routed-based的IPSec 都会遇到一点点的问题,同样可以通过nat 的方式去解决。还有种情况是在托管第三方设备的DC,需要讲同一台server 根据不同的客户,映射为不同的地址,但是在SRX上有一种限制,match 的address 同一个rule 同一个方向,最多只有8个,number of elements exceeds limit of 8,需要怎么做呢?由于时间限制,waiting next...
转载于:https://blog.51cto.com/10242469/2053639
实用juniper SRX NAT小技巧。相关推荐
- 超强干货,11个灰常实用的AI设计小技巧!
11个超级实用的AI设计小技巧!涉及到很多的实用操作,纯干货经验总结,灰常值得收藏,赶快转走学起来吧! 编辑:千锋UI设计
- office 高效办公智慧树_干货高效实用的office办公小技巧之word篇
对于office三剑客ppt.Word.Excel的使用成了日常,作为办公党,今天就拿出自己在平时工作之中发现.学到的小技巧来做个总结,分享给大家. 相信很多大神对于这些小技巧都已经精通,所以lz会先 ...
- vb6 word 2002 合并单元格_干货来了!最实用的Word表格小技巧!
有小伙伴说Word表格太不好做了,不如Excel里面方便,文字方向不听指挥,数据又不好排序,整个表格做起来很不好看.但我们的工作中很多表格又都是在Word中完成的,今天就给大家介绍一下在Word文档中 ...
- python将2个列表list合并到1个列表使用appenden_【新手入门】20个很实用的 Python 学习小技巧...
本文为大家介绍20个值得记住的 Python 技巧,可以提升您编程技巧, 并为您节省大量时间.在平常编程过程中,以下技巧大多非常有用. 1 字符串反转 使用切片反转字符串. str1="qw ...
- python常用技巧_python 实用的30个小技巧
所有的这些技巧都能帮助你压缩代码并且优化运行.此外,你可以在日常工作中很容易地在真实项目中使用他们. 贴士#1. 原地交换两个数字 Python 提供了一个直观的在一行代码中赋值与交换(变量值)的方法 ...
- 几条简单实用的谷歌搜索小技巧
几条简单实用的谷歌搜索技巧 1. 只搜索某个网站的页面: site:xxxxx.com,若是想搜索整个句子,则使用双引号,如:"English education",若同时搜 ...
- Python最实用的25个小技巧
Python 是一种通用的高级编程语言.用它可以做许多事,比如开发桌面 GUI 应用程序.网站和 Web 应用程序等. 并且,通过处理常见的编程任务,Python 能让开发者专注应用程序的核心功能.此 ...
- Juniper SRX NAT回流
- wps高亮怎么取消_一组WPS表格小技巧,简单实用
小伙伴们好啊,今天咱们继续来分享几个实用的WPS表格小技巧. 1.筛选合并单元格 筛选合并单元格,操作简单没的说. 这个功能很适合一些不规范表格的处理,确实方便. 2.工作表批量取消隐藏 取消隐藏工作 ...
最新文章
- 甲骨文落寞、SAP跃进:商用软件巨头的突围与宿命
- C++ vector容器类型
- php session传数组,php把数组存到session的方法
- python适合编程语言吗_为什么说python是适合新手入门的编程语言
- 计算机二级vb操作题如何给分,计算机二级vb操作题.docx
- C语言 二维数组(指针)动态分配和释放(转)
- c string erase_威刚推出SE770G移动固态硬盘:提供两年质保 附送双头USB-C
- excel两表格怎么根据关键词比较指定数据差异
- python编写错误怎么修改_在Python的Django框架中编写错误提示页面
- esp分区创建 linux_怎样向esp分区添加引导文件?
- 『玩转Mybatis』Mybatis超强大的动态SQL大全
- 谁知道下面这个视频中的特效是用什么软件做的?
- 计算机领域中的CAE,什么是CAE?
- 2014华为实习生招聘机试题
- 配置yun源和在虚拟机中安装JDK
- 冬季12种食物减肥巧妙止饿
- JavaWeb知识整理-增强篇
- CAD 学习笔记 Mac
- 【IT修真院】接口文档规范以及示例
- OceanConnect编解码插件开发教程