Juniper SRX Firewall - Static NAT (Part 1) (Juniper certification)

User contribution 514 2022-10-08



Juniper SRX static NAT

win xp----Juniper SRX------win2003

Plan:

1. External host: a Windows 2003 virtual machine simulates the external host and also acts as the DNS and HTTP server;

IP: 222.0.0.2/27

2. Internal host: a Windows XP virtual machine simulates the internal network and also acts as an HTTP server;

IP: 192.168.1.8/24

3. SRX firewall untrust address: 222.0.0.1/27

trust address: 192.168.1.1/24

4. Test software: HFS

Lab script 1

set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24

set interfaces ge-0/0/1 unit 0 family inet address 222.0.0.1/27

set security nat static rule-set static-nat from zone untrust

set security nat static rule-set static-nat rule 1 match destination-address 222.0.0.6/32

set security nat static rule-set static-nat rule 1 then static-nat prefix 192.168.1.6/32

set security nat static rule-set static-nat rule 2 match destination-address 222.0.0.7/32

set security nat static rule-set static-nat rule 2 then static-nat prefix 192.168.1.7/32

set security nat static rule-set static-nat rule 3 match destination-address 222.0.0.8/32

set security nat static rule-set static-nat rule 3 then static-nat prefix 192.168.1.8/32

set security nat proxy-arp interface ge-0/0/1.0 address 222.0.0.8/32

set security nat proxy-arp interface ge-0/0/1.0 address 222.0.0.7/32

set security nat proxy-arp interface ge-0/0/1.0 address 222.0.0.9/32

set security policies from-zone trust to-zone untrust policy rule1 match source-address any

set security policies from-zone trust to-zone untrust policy rule1 match destination-address any

set security policies from-zone trust to-zone untrust policy rule1 match application any

set security policies from-zone trust to-zone untrust policy rule1 then permit

set security policies from-zone untrust to-zone trust policy rule01 match source-address any

set security policies from-zone untrust to-zone trust policy rule01 match destination-address any

set security policies from-zone untrust to-zone trust policy rule01 match application any

set security policies from-zone untrust to-zone trust policy rule01 then permit

set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services all

set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all

root@SRX-1> show security flow session

Session ID: 1344, Policy name: rule1/4, Timeout: 2, Valid

In: 192.168.1.8/295 --> 220.0.0.2/61201;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84

Out: 220.0.0.2/61201 --> 220.0.0.8/295;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84

Session ID: 1345, Policy name: rule1/4, Timeout: 2, Valid

In: 192.168.1.8/296 --> 220.0.0.2/61201;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84

Out: 220.0.0.2/61201 --> 220.0.0.8/296;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84

Session ID: 1347, Policy name: rule1/4, Timeout: 4, Valid

In: 192.168.1.8/297 --> 220.0.0.2/61201;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84

Out: 220.0.0.2/61201 --> 220.0.0.8/297;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84

Total sessions: 3

root@SRX-1> show security nat static rule all

Total static-nat rules: 3

Total referenced IPv4/IPv6 ip-prefixes: 6/0

Static NAT rule: 1                    Rule-set: static-nat

Rule-Id                    : 1

Rule position              : 1

From zone                  : untrust

Destination addresses      : 220.0.0.6

Host addresses             : 192.168.1.6

Netmask                    : 32

Host routing-instance      : N/A

Translation hits           : 0

Successful sessions      : 0

Failed sessions          : 0

Number of sessions         : 0

Static NAT rule: 3                    Rule-set: static-nat

Rule-Id                    : 3

Rule position              : 3

From zone                  : untrust

Destination addresses      : 220.0.0.8

Host addresses             : 192.168.1.8

Netmask                    : 32

Host routing-instance      : N/A

Translation hits           : 719

Successful sessions      : 719

Failed sessions          : 0

Number of sessions         : 4

root@SRX-1> show security flow session

Session ID: 2437, Policy name: self-traffic-policy/1, Timeout: 2, Valid

In: 220.0.0.2/0 --> 220.0.0.9/34064;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84

Out: 220.0.0.9/34064 --> 220.0.0.2/0;icmp, If: .local..0, Pkts: 1, Bytes: 84

Session ID: 2438, Policy name: rule1/4, Timeout: 2, Valid

In: 192.168.1.8/1233 --> 220.0.0.2/61201;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84

Out: 220.0.0.2/61201 --> 220.0.0.8/1233;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84

Session ID: 2439, Policy name: self-traffic-policy/1, Timeout: 2, Valid

In: 220.0.0.2/1 --> 220.0.0.9/34064;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84

Out: 220.0.0.9/34064 --> 220.0.0.2/1;icmp, If: .local..0, Pkts: 1, Bytes: 84

Session ID: 2440, Policy name: rule1/4, Timeout: 2, Valid

In: 192.168.1.8/1234 --> 220.0.0.2/61201;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84

Out: 220.0.0.2/61201 --> 220.0.0.8/1234;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84

Session ID: 2441, Policy name: self-traffic-policy/1, Timeout: 4, Valid

In: 220.0.0.2/2 --> 220.0.0.9/34064;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84

Out: 220.0.0.9/34064 --> 220.0.0.2/2;icmp, If: .local..0, Pkts: 1, Bytes: 84

Session ID: 2442, Policy name: rule1/4, Timeout: 4, Valid

In: 192.168.1.8/1235 --> 220.0.0.2/61201;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84

Out: 220.0.0.2/61201 --> 220.0.0.8/1235;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84

Total sessions: 6

Experiment: static NAT for an address outside the interface subnet

set security nat static rule-set static-nat rule 4 match destination-address 111.0.0.8/32

set security nat static rule-set static-nat rule 4 then static-nat prefix 192.168.1.8/32
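Added example, not code from the original post: a small Python audit that reads a Junos set-style configuration such as lab script 1 and rule 4 above and checks the two conditions this lab depends on. A static NAT destination that lies inside the subnet of an SRX interface needs a matching proxy-arp entry on that interface, or the SRX will not answer ARP for it; a destination outside every interface subnet (the 111.0.0.8 case) cannot use proxy-arp at all and instead needs the upstream router to route that prefix to the SRX. The script also flags proxy-arp entries with no static NAT rule behind them. The embedded configuration is a constructed copy of the page's set commands; the regexes and the function names are the example's own and assume the plain `set` syntax shown on the page.

```python
import ipaddress
import re

# Constructed sample: the page's lab script 1 plus rule 4, trimmed to the
# lines the audit needs (interfaces, static NAT destinations, proxy-arp).
SAMPLE_CONFIG = """
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 222.0.0.1/27
set security nat static rule-set static-nat from zone untrust
set security nat static rule-set static-nat rule 1 match destination-address 222.0.0.6/32
set security nat static rule-set static-nat rule 1 then static-nat prefix 192.168.1.6/32
set security nat static rule-set static-nat rule 2 match destination-address 222.0.0.7/32
set security nat static rule-set static-nat rule 2 then static-nat prefix 192.168.1.7/32
set security nat static rule-set static-nat rule 3 match destination-address 222.0.0.8/32
set security nat static rule-set static-nat rule 3 then static-nat prefix 192.168.1.8/32
set security nat static rule-set static-nat rule 4 match destination-address 111.0.0.8/32
set security nat static rule-set static-nat rule 4 then static-nat prefix 192.168.1.8/32
set security nat proxy-arp interface ge-0/0/1.0 address 222.0.0.8/32
set security nat proxy-arp interface ge-0/0/1.0 address 222.0.0.7/32
set security nat proxy-arp interface ge-0/0/1.0 address 222.0.0.9/32
"""

# Hypothetical patterns for the three statement types this audit cares about.
IFACE_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
RULE_DST_RE = re.compile(
    r"^set security nat static rule-set (\S+) rule (\S+) match destination-address (\S+)$"
)
PROXY_RE = re.compile(r"^set security nat proxy-arp interface (\S+) address (\S+)$")


def parse_config(text):
    """Return (interfaces, destinations, proxy_arp) from Junos set-style lines.

    interfaces:   logical interface name -> IPv4Interface (e.g. "ge-0/0/1.0")
    destinations: IPv4Address -> "rule-set/rule" that translates it
    proxy_arp:    IPv4Address -> logical interface that answers ARP for it
    """
    interfaces, destinations, proxy_arp = {}, {}, {}
    for line in text.strip().splitlines():
        line = line.strip()
        if m := IFACE_RE.match(line):
            interfaces[f"{m[1]}.{m[2]}"] = ipaddress.ip_interface(m[3])
        elif m := RULE_DST_RE.match(line):
            # Expand the match prefix; for the /32 rules on the page this is one address.
            for addr in ipaddress.ip_network(m[3]):
                destinations[addr] = f"{m[1]}/{m[2]}"
        elif m := PROXY_RE.match(line):
            for addr in ipaddress.ip_network(m[2]):
                proxy_arp[addr] = m[1]
    return interfaces, destinations, proxy_arp


def audit(config_text):
    """Return a list of human-readable findings; an empty list means consistent."""
    interfaces, destinations, proxy_arp = parse_config(config_text)
    findings = []
    for addr, rule in sorted(destinations.items()):
        on_iface = [name for name, ifc in interfaces.items() if addr in ifc.network]
        if not on_iface:
            findings.append(
                f"{addr} ({rule}): outside every interface subnet; proxy-arp does not "
                f"apply, the upstream router must route this address to the SRX"
            )
        elif addr not in proxy_arp:
            findings.append(
                f"{addr} ({rule}): inside the subnet of {on_iface[0]} but has no "
                f"proxy-arp entry; the SRX will not answer ARP for it"
            )
    for addr, iface in sorted(proxy_arp.items()):
        if addr not in destinations:
            findings.append(
                f"{addr}: proxy-arp configured on {iface} but no static NAT rule "
                f"matches it; orphan entry"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the page's own configuration the audit reports three things: 111.0.0.8 (rule 4) is outside both interface subnets and so depends on upstream routing rather than proxy-arp; 222.0.0.6 (rule 1) has a static NAT rule but no proxy-arp entry; and 222.0.0.9 has a proxy-arp entry with no rule behind it. Moving the proxy-arp entry from 222.0.0.9 to 222.0.0.6 clears the last two findings.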

