Juniper SRX firewall configuration examples


SRX source NAT
Base configuration (interfaces, default route, zones, and the trust-to-untrust policy):

set interfaces ge-0/0/0 unit 0 family inet address 192.168.2.254/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.114.190/24
set interfaces ge-0/0/2 unit 0 family inet address 172.16.2.254/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.114.254
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone dmz interfaces ge-0/0/2.0
set security zones security-zone dmz interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
set security zones security-zone dmz interfaces ge-0/0/2.0 host-inbound-traffic system-services ssh
set security zones security-zone trust address-book address trust-add 192.168.2.0/24
set security policies from-zone trust to-zone untrust policy trust-untrust match source-address trust-add
set security policies from-zone trust to-zone untrust policy trust-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-untrust then permit
// Allowing ssh and https as host-inbound services on the untrust zone exposes the SRX management plane to the outside network; in production restrict it with a firewall filter on the loopback or remove it. //

1. Source NAT (port translation to the egress interface address)

set security nat source rule-set source-NAT from zone trust
set security nat source rule-set source-NAT to zone untrust
set security nat source rule-set source-NAT rule PAT match source-address 192.168.2.0/24
set security nat source rule-set source-NAT rule PAT then source-nat interface

2. Source NAT (address pool)

set security nat source pool source-NAT-POOL address 192.168.114.100/32 to 192.168.114.110/32
// Pool translation hands out the pool addresses in round-robin fashion. //
set security nat source rule-set source-NAT from zone trust
set security nat source rule-set source-NAT to zone untrust
set security nat source rule-set source-NAT rule NAT1 match source-address 192.168.2.0/24
set security nat source rule-set source-NAT rule NAT1 then source-nat pool source-NAT-POOL
set security nat proxy-arp interface ge-0/0/1.0 address 192.168.114.100/32 to 192.168.114.110/32
// Proxy ARP is required for the pool method: the pool addresses are not configured on ge-0/0/1, so the SRX has to answer ARP for them on the untrust segment or return traffic never arrives. //

root@vSRX# run show security nat source rule all
root@vSRX# run show security policies
root@vSRX# run show security flow session
Session ID: 2579, Policy name: trust-untrust/7, Timeout: 2, Valid
  In: 192.168.2.110/5632 --> 192.168.114.20/512;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 192.168.114.20/512 --> 192.168.114.106/1138;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60

insert security nat source rule-set source-NAT rule NAT1 before rule PAT
// Rules in a rule-set are evaluated top-down and the first match wins. Both rules match 192.168.2.0/24, so with PAT listed first the pool rule NAT1 would never be hit. Inserting NAT1 in front of PAT makes pool translation take precedence and leaves interface PAT as the fallback. //

root@vSRX# run show security nat source summary
Total port number usage for port translation pool: 709632
Maximum port number for port translation pool: 16777216
Total pools: 1
Pool             Address                          Routing    PAT   Total
Name             Range                            Instance         Address
source-NAT-POOL  192.168.114.100-192.168.114.110  default    yes   11
Total rules: 2
Rule name  Rule set    From     To        Action
NAT1       source-NAT  trust    untrust   source-NAT-POOL
PAT        source-NAT  trust    untrust   interface

root@vSRX# run show security flow session
// Pool addresses are rotated: consecutive sessions from the same host leave as .103, .104, .105 and .106, each with a rewritten source port (ICMP id). //
Session ID: 3017, Policy name: trust-untrust/7, Timeout: 2, Valid
  In: 192.168.2.110/9728 --> 192.168.114.20/512;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 192.168.114.20/512 --> 192.168.114.103/12564;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
Session ID: 3018, Policy name: trust-untrust/7, Timeout: 2, Valid
  In: 192.168.2.110/9984 --> 192.168.114.20/512;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 192.168.114.20/512 --> 192.168.114.104/16881;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
Total sessions: 2

root@vSRX# run show security flow session
Session ID: 3019, Policy name: trust-untrust/7, Timeout: 2, Valid
  In: 192.168.2.110/10240 --> 192.168.114.20/512;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 192.168.114.20/512 --> 192.168.114.105/13679;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
Session ID: 3020, Policy name: trust-untrust/7, Timeout: 2, Valid
  In: 192.168.2.110/10496 --> 192.168.114.20/512;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 192.168.114.20/512 --> 192.168.114.106/17443;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
Total sessions: 2

root@vSRX# set security nat source pool source-NAT-POOL port no-translation
// Disables port translation on the pool: addresses are mapped dynamically one-to-one and the original source port is kept. Subsequent sessions from the same host reuse the address it was given (all three sessions below leave from 192.168.114.102 with source ports 1761-1763 unchanged). //
Session ID: 4546, Policy name: trust-untrust/7, Timeout: 1796, Valid
  In: 192.168.2.110/1761 --> 220.181.90.240/80;tcp, If: ge-0/0/0.0, Pkts: 4, Bytes: 912
  Out: 220.181.90.240/80 --> 192.168.114.102/1761;tcp, If: ge-0/0/1.0, Pkts: 2, Bytes: 319
Session ID: 4556, Policy name: trust-untrust/7, Timeout: 1800, Valid
  In: 192.168.2.110/1762 --> 119.97.155.2/80;tcp, If: ge-0/0/0.0, Pkts: 34, Bytes: 2138
  Out: 119.97.155.2/80 --> 192.168.114.102/1762;tcp, If: ge-0/0/1.0, Pkts: 61, Bytes: 75406
Session ID: 4557, Policy name: trust-untrust/7, Timeout: 1798, Valid
  In: 192.168.2.110/1763 --> 119.97.155.2/80;tcp, If: ge-0/0/0.0, Pkts: 7, Bytes: 837
  Out: 119.97.155.2/80 --> 192.168.114.102/1763;tcp, If: ge-0/0/1.0, Pkts: 8, Bytes: 8278

SRX destination NAT (the equivalent of Cisco static PAT, i.e. a static port mapping)

Map port 23 of the DMZ host 172.16.2.22 to port 2323 of the untrust address 192.168.114.114, and its port 80 to port 80 of the same address; 192.168.114.250 is left for the static NAT example further down.

set security nat destination pool DMZ-Server-telnet address 172.16.2.22/32 port 23
set security nat destination pool DMZ-Server-http address 172.16.2.22/32 port 80
set security nat destination rule-set Dest-NAT from zone untrust
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-telnet match source-address 0.0.0.0/0
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-telnet match destination-address 192.168.114.114/32
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-telnet match destination-port 2323
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-telnet then destination-nat pool DMZ-Server-telnet
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-http match source-address 0.0.0.0/0
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-http match destination-address 192.168.114.114/32
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-http match destination-port 80
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-http then destination-nat pool DMZ-Server-http
set security nat proxy-arp interface ge-0/0/1.0 address 192.168.114.114/32
set security zones security-zone dmz address-book address DMZ-Server 172.16.2.22/32
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ match source-address any
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ match destination-address DMZ-Server
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ match application junos-http
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ match application junos-telnet
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ then permit
// Destination NAT is applied before the policy lookup, so the policy matches the translated destination (DMZ-Server, 172.16.2.22) and the real service ports (junos-telnet is 23, junos-http is 80), not 2323. Matching source-address 0.0.0.0/0 and permitting telnet from untrust publishes a cleartext login service to the whole outside network; limit the source to known management addresses, or replace telnet with SSH. //

Static NAT: a fixed one-to-one mapping that translates in both directions (outbound traffic has its source translated, inbound traffic its destination).

set security nat static rule-set Static-NAT from zone untrust
set security nat static rule-set Static-NAT rule 1to1 match destination-address 192.168.114.250/32
set security nat static rule-set Static-NAT rule 1to1 then static-nat prefix 172.16.2.22/32
set security nat proxy-arp interface ge-0/0/1.0 address 192.168.114.250/32
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ-ftp match source-address any
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ-ftp match destination-address DMZ-Server
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ-ftp match application junos-ftp
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ-ftp then permit

#########################################################################################################

RADIUS authentication for device login:

set system authentication-order [ radius password ]
set system radius-server 172.16.2.22 port 1812
set system radius-server 172.16.2.22 secret freeit123
set system radius-server 172.16.2.22 source-address 172.16.2.254
set system login user user1 authentication encrypted-password freeit123
// Important: a user account created on the RADIUS server must also exist as a local user on the SRX, otherwise RADIUS authentication fails; if the RADIUS server does not respond, the SRX falls back to local password authentication. (Junos can alternatively map RADIUS-authenticated users that have no local account onto a local template user named "remote".) Note that encrypted-password expects an already-hashed value; to enter a clear-text password use "authentication plain-text-password" and type it at the prompt, and give the user a login class (for example "class super-user"), otherwise the commit fails. //

Web authentication for traffic crossing the firewall:

set access profile WEBAUTH authentication-order password
set access profile WEBAUTH client user1 firewall-user password user1
set access firewall-authentication web-authentication default-profile WEBAUTH
set access firewall-authentication web-authentication banner success "web auth login success"
set system services web-management http interface ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services http
set interfaces ge-0/0/0 unit 0 family inet address 172.16.1.253/24 web-authentication http
// 172.16.1.253 is a second address on ge-0/0/0 dedicated to the login page: the user browses to it, authenticates, and from then on is matched by the policy's client-match. //
set security policies from-zone trust to-zone dmz policy trust-dmz-p match source-address trust-add
set security policies from-zone trust to-zone dmz policy trust-dmz-p match destination-address dmz-add
set security policies from-zone trust to-zone dmz policy trust-dmz-p match application any
set security policies from-zone trust to-zone dmz policy trust-dmz-p then permit firewall-authentication web-authentication client-match user1
set security policies from-zone trust to-zone dmz policy trust-dmz-p then count
// dmz-add is referenced here but its address-book entry is not part of the configuration shown on this page; define it in the dmz zone before committing. //

Pass-through authentication:

set access profile PT-AUTH authentication-order password
set access profile PT-AUTH client test firewall-user password "$9$I.4Rrvx7VY4Zdb"
set access firewall-authentication pass-through default-profile PT-AUTH
set access firewall-authentication pass-through http banner success "Login Success"
set security policies from-zone trust to-zone dmz policy trust-dmz-p match source-address trust-add
set security policies from-zone trust to-zone dmz policy trust-dmz-p match destination-address dmz-add
set security policies from-zone trust to-zone dmz policy trust-dmz-p match application any
set security policies from-zone trust to-zone dmz policy trust-dmz-p then permit firewall-authentication pass-through
set security policies from-zone trust to-zone dmz policy trust-dmz-p then count
// Pass-through authentication intercepts the user's first FTP, telnet or HTTP session towards the destination and prompts for credentials inside that session, instead of requiring a visit to a dedicated login address. //
set access profile PT-AUTH authentication-order radius
set access profile PT-AUTH radius-server 192.168.2.22 secret freeit123
// RADIUS configuration for the access profile: firewall users are then verified against the RADIUS server instead of the profile's local client list. //
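The source NAT checks above rely on reading `show security flow session` output by eye. The following Python script, added here as an example and not part of the original page, parses that output, pairs each In wing with its Out wing, and checks every session against the configured pool and port-translation mode: for the pool with PAT it confirms the translated address lies in 192.168.114.100-110, and for the `port no-translation` case it additionally confirms the source port survived. The sample outputs are constructed from the values shown on the page (session IDs, addresses and ports, with `-->` as the CLI prints it); session 9001 is invented to show a session that hit the interface PAT rule instead of the pool, the symptom of wrong rule order.

```python
"""Check SRX source-NAT results from 'show security flow session' output.

Added example, not code from the original page. The sample outputs are
constructed from the values the page shows; session 9001 is invented.
"""
import ipaddress
import re
from dataclasses import dataclass

# The CLI prints each session as a header line followed by an In wing and an Out wing.
SESSION_RE = re.compile(r"Session ID: (?P<sid>\d+), Policy name: (?P<policy>\S+),")
WING_RE = re.compile(
    r"^\s*(?P<dir>In|Out): (?P<src>[\d.]+)/(?P<sport>\d+) (?:--|\u2013)> "
    r"(?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\w+),"
)


@dataclass
class Session:
    sid: int
    policy: str
    proto: str
    orig_src: str    # client address on the In wing (pre-NAT)
    orig_sport: int
    xlat_src: str    # translated address: destination of the Out (reverse) wing
    xlat_sport: int


def parse_sessions(text):
    """Pair every In wing with the Out wing that follows it. For source NAT the
    translated source shows up as the *destination* of the Out wing, because
    that wing describes the return traffic."""
    sessions, header, in_wing = [], None, None
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            header, in_wing = (int(m["sid"]), m["policy"]), None
            continue
        w = WING_RE.match(line)
        if not w or header is None:
            continue                      # 'Total sessions:' and similar lines
        if w["dir"] == "In":
            in_wing = w
        elif in_wing is not None:
            sessions.append(Session(header[0], header[1], w["proto"],
                                    in_wing["src"], int(in_wing["sport"]),
                                    w["dst"], int(w["dport"])))
            in_wing = None
    return sessions


def check_source_nat(sessions, pool_start, pool_end, port_translation=True):
    """Flag sessions whose translated address is outside [pool_start, pool_end],
    or whose source port changed although the pool uses 'port no-translation'."""
    lo = int(ipaddress.ip_address(pool_start))
    hi = int(ipaddress.ip_address(pool_end))
    findings = {}
    for s in sessions:
        in_pool = lo <= int(ipaddress.ip_address(s.xlat_src)) <= hi
        port_kept = s.orig_sport == s.xlat_sport
        findings[s.sid] = {"xlat": f"{s.xlat_src}/{s.xlat_sport}", "in_pool": in_pool,
                           "port_kept": port_kept,
                           "ok": in_pool and (port_translation or port_kept)}
    return findings


# Constructed from the page's pool-with-PAT output: addresses rotate, ICMP id rewritten.
SAMPLE_POOL_PAT = """\
Session ID: 3017, Policy name: trust-untrust/7, Timeout: 2, Valid
  In: 192.168.2.110/9728 --> 192.168.114.20/512;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 192.168.114.20/512 --> 192.168.114.103/12564;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
Session ID: 3018, Policy name: trust-untrust/7, Timeout: 2, Valid
  In: 192.168.2.110/9984 --> 192.168.114.20/512;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 192.168.114.20/512 --> 192.168.114.104/16881;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
Total sessions: 2
"""

# Constructed from the page's 'port no-translation' output: one address, ports kept.
SAMPLE_NO_PAT = """\
Session ID: 4546, Policy name: trust-untrust/7, Timeout: 1796, Valid
  In: 192.168.2.110/1761 --> 220.181.90.240/80;tcp, If: ge-0/0/0.0, Pkts: 4, Bytes: 912
  Out: 220.181.90.240/80 --> 192.168.114.102/1761;tcp, If: ge-0/0/1.0, Pkts: 2, Bytes: 319
Session ID: 4556, Policy name: trust-untrust/7, Timeout: 1800, Valid
  In: 192.168.2.110/1762 --> 119.97.155.2/80;tcp, If: ge-0/0/0.0, Pkts: 34, Bytes: 2138
  Out: 119.97.155.2/80 --> 192.168.114.102/1762;tcp, If: ge-0/0/1.0, Pkts: 61, Bytes: 75406
Total sessions: 2
"""

# Invented session: translated to the ge-0/0/1 address, i.e. the PAT rule matched
# instead of NAT1 (what you see when NAT1 is listed after PAT).
SAMPLE_INTERFACE = """\
Session ID: 9001, Policy name: trust-untrust/7, Timeout: 1800, Valid
  In: 192.168.2.110/1764 --> 119.97.155.2/80;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 119.97.155.2/80 --> 192.168.114.190/21045;tcp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
Total sessions: 1
"""

POOL = ("192.168.114.100", "192.168.114.110")

if __name__ == "__main__":
    for name, text, pat in (("pool+PAT", SAMPLE_POOL_PAT, True),
                            ("no-translation", SAMPLE_NO_PAT, False),
                            ("interface", SAMPLE_INTERFACE, True)):
        for sid, f in check_source_nat(parse_sessions(text), *POOL, pat).items():
            print(f"{name:15} session {sid}: {f}")
```

Feed it the real output of `show security flow session source-prefix 192.168.2.0/24` (saved to a file) and pass the pool boundaries from `show security nat source summary`; any session with `in_pool` false after the `insert ... before rule PAT` step means the rule order is still wrong.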

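Both the device login and the PT-AUTH profile above hand the user's credentials to a RADIUS server protected only by the shared secret `freeit123`. The following Python script, added here as an illustration and not taken from the page or from Juniper, reproduces the RFC 2865 PAP exchange the SRX (acting as NAS) would have with 172.16.2.22: it hides the User-Password attribute with MD5(secret || authenticator) as the RFC specifies, lets the server side reveal and check it, computes the Response Authenticator of the Access-Accept, and then shows the consequence of a weak secret: whoever captures one request/response pair can test secret guesses offline and, with the secret recovered, decrypt every password on the wire. The packet identifier, request authenticator, user table and wordlist are constructed for the example.

```python
"""RADIUS PAP exchange (RFC 2865) between the SRX and the server at 172.16.2.22.

Added example, not code from the page or from Juniper; standard library only.
The shared secret and user come from the page's configuration; the packet
identifier, request authenticator, user table and wordlist are constructed here.
"""
import hashlib
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2            # attribute types
HEADER = struct.Struct("!BBH")             # Code, Identifier, Length; then a 16-byte Authenticator


def _password_xor(data, secret, authenticator, decrypt):
    """RFC 2865 5.2: block i is XORed with MD5(secret + previous block), where the
    previous block is the Request Authenticator first and then the previous
    ciphertext block. Nothing but the secret protects the password."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += res
        prev = block if decrypt else res   # ciphertext feeds the next round
    return bytes(out)


def hide_password(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)   # pad to 16-byte blocks
    return _password_xor(padded, secret, authenticator, decrypt=False)


def reveal_password(hidden, secret, authenticator):
    return _password_xor(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, authenticator=None):
    """What the SRX (the NAS) sends for a login or a firewall-user authentication."""
    authenticator = authenticator or secrets.token_bytes(16)
    hidden = hide_password(password, secret, authenticator)
    attrs = bytes([USER_NAME, 2 + len(username)]) + username
    attrs += bytes([USER_PASSWORD, 2 + len(hidden)]) + hidden
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(packet):
    code, ident, length = HEADER.unpack_from(packet)
    attrs, pos = {}, 20
    while pos + 2 <= length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2:
            break                          # malformed attribute, stop parsing
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return code, ident, packet[4:20], attrs


def server_check(request, secret, users):
    """Server side: reveal the password with the shared secret and compare."""
    code, _, req_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        return False
    return users.get(attrs[USER_NAME]) == reveal_password(attrs[USER_PASSWORD], secret, req_auth)


def build_response(code, request, secret, attrs=b""):
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    _, ident, req_auth, _ = parse_packet(request)
    length = 20 + len(attrs)
    resp_auth = hashlib.md5(HEADER.pack(code, ident, length) + req_auth + attrs + secret).digest()
    return HEADER.pack(code, ident, length) + resp_auth + attrs


def crack_secret(request, response, candidates):
    """Offline attack on one captured request/response pair: every guess is
    checked against the Response Authenticator without touching the server."""
    _, _, req_auth, _ = parse_packet(request)
    code, ident, resp_auth, _ = parse_packet(response)
    prefix = HEADER.pack(code, ident, len(response)) + req_auth + response[20:]
    for guess in candidates:
        if hashlib.md5(prefix + guess).digest() == resp_auth:
            return guess
    return None


if __name__ == "__main__":
    secret, users = b"freeit123", {b"user1": b"user1"}        # from the page's config
    req = build_access_request(1, b"user1", b"user1", secret)
    accepted = server_check(req, secret, users)
    resp = build_response(ACCESS_ACCEPT if accepted else ACCESS_REJECT, req, secret)
    found = crack_secret(req, resp, [b"juniper", b"radius", b"freeit123"])   # constructed wordlist
    print("accepted:", accepted, "| secret recovered offline:", found)
    _, _, ra, attrs = parse_packet(req)
    print("password on the wire:", reveal_password(attrs[USER_PASSWORD], found, ra))
```

The recovery step is the reason the secret in `set system radius-server ... secret` and `set access profile ... radius-server ... secret` should be long and random, and why RADIUS between the SRX and 172.16.2.22 belongs on a segment an attacker cannot sniff.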