Juniper SRX 240 port mapping with N ISP uplinks: "floating route + specific resources over a specific line" (Juniper Networks)

Reader submission · 579 · 2022-10-09



Port-mapping requirement:

- 172.18.18.42, ports 2020 and 2009 -> ISP_IP, ports XXXX and XXXX
- 172.18.18.45, ports 2020 and 2009 -> ISP_IP, ports XXXX and XXXX

Step 1: Define a global address-book entry for the internal host

```
set security address-book global address Nutanix_Cluster 172.18.18.50/32
```

Step 2: Define the protocol/port applications

```
set applications application tcp-2020 protocol tcp
set applications application tcp-2020 destination-port 2020
set applications application tcp-2009 protocol tcp
set applications application tcp-2009 destination-port 2009
```

Step 3: Define destination NAT + port, part 1: the DNAT pools that map the internal IP to each port

```
set security nat destination pool DP_Nutanix_Cluster_2020 address 172.18.18.50/32
set security nat destination pool DP_Nutanix_Cluster_2020 address port 2020
set security nat destination pool DP_Nutanix_Cluster_2009 address 172.18.18.50/32
set security nat destination pool DP_Nutanix_Cluster_2009 address port 2009
```

Step 3 (continued): Define destination NAT + port, part 2: the DNAT rules from the external side to the internal side

```
set security nat destination rule-set DNAT_FROM_ISP6 rule ISP6_TO_Nutanix_2020_Owenli match destination-address-name WAN3006_162
set security nat destination rule-set DNAT_FROM_ISP6 rule ISP6_TO_Nutanix_2020_Owenli match destination-port 2020
set security nat destination rule-set DNAT_FROM_ISP6 rule ISP6_TO_Nutanix_2020_Owenli then destination-nat pool DP_Nutanix_Cluster_2020
set security nat destination rule-set DNAT_FROM_ISP6 rule ISP6_TO_Nutanix_2009_Owenli match destination-address-name WAN3006_162
set security nat destination rule-set DNAT_FROM_ISP6 rule ISP6_TO_Nutanix_2009_Owenli match destination-port 2009
set security nat destination rule-set DNAT_FROM_ISP6 rule ISP6_TO_Nutanix_2009_Owenli then destination-nat pool DP_Nutanix_Cluster_2009
```

The address-book entry WAN3006_162 (the public address on the ISP6 interface) and the `from` context of rule-set DNAT_FROM_ISP6 (for example `from zone ISP6`) are not shown in this post and are assumed to exist already.

Step 4: Define the security policy that lets the source zone reach the specific internal resource (ISP6 -> trust)

```
set security policies from-zone ISP6 to-zone trust policy Nutanix_Cluster-OWEN-EDIT match source-address any destination-address Nutanix_Cluster application tcp-2020 application tcp-2009
set security policies from-zone ISP6 to-zone trust policy Nutanix_Cluster-OWEN-EDIT then permit
set security policies from-zone ISP6 to-zone trust policy Nutanix_Cluster-OWEN-EDIT then log session-init
set security policies from-zone ISP6 to-zone trust policy Nutanix_Cluster-OWEN-EDIT then log session-close
set security policies from-zone ISP6 to-zone trust policy Nutanix_Cluster-OWEN-EDIT then count
```

Step 5: Insert the new policy before the deny policy, i.e. adjust the policy order (policies are evaluated top-down, so a new permit placed after DENY would never match)

```
insert security policies from-zone ISP6 to-zone trust policy Nutanix_Cluster-OWEN-EDIT before policy DENY
```

The matching policy for the reverse direction (trust -> ISP6), with the same application set and logging:

```
set security policies from-zone trust to-zone ISP6 policy Nutanix_Cluster-OWEN-EDIT match source-address Nutanix_Cluster destination-address any application tcp-2020 application tcp-2009
set security policies from-zone trust to-zone ISP6 policy Nutanix_Cluster-OWEN-EDIT then permit
set security policies from-zone trust to-zone ISP6 policy Nutanix_Cluster-OWEN-EDIT then log session-init
set security policies from-zone trust to-zone ISP6 policy Nutanix_Cluster-OWEN-EDIT then log session-close
set security policies from-zone trust to-zone ISP6 policy Nutanix_Cluster-OWEN-EDIT then count
```

Step 6: Define which ISP line a subnet or specific IP uses to reach external resources

Filter INGRESS_FROM_TRUST is applied on the internal interface [reth3.500, zone trust]; the term below sends the listed hosts to routing instance FORWARD_TO_ISP6 (filter-based forwarding). The routing instance itself is not shown in this post and is assumed to exist already.

```
set firewall family inet filter INGRESS_FROM_TRUST term Nutanix_Cluster from source-address 172.18.18.45/32
set firewall family inet filter INGRESS_FROM_TRUST term Nutanix_Cluster from source-address 172.18.18.50/32
set firewall family inet filter INGRESS_FROM_TRUST term Nutanix_Cluster from source-address 172.18.18.42/32
set firewall family inet filter INGRESS_FROM_TRUST term Nutanix_Cluster from source-address 172.18.18.48/32
set firewall family inet filter INGRESS_FROM_TRUST term Nutanix_Cluster from source-address 172.18.18.52/32
set firewall family inet filter INGRESS_FROM_TRUST term Nutanix_Cluster from source-address 172.18.18.55/32
set firewall family inet filter INGRESS_FROM_TRUST term Nutanix_Cluster from source-address 172.18.18.58/32
set firewall family inet filter INGRESS_FROM_TRUST term Nutanix_Cluster from destination-address 0.0.0.0/0
set firewall family inet filter INGRESS_FROM_TRUST term Nutanix_Cluster then routing-instance FORWARD_TO_ISP6
```

Step 7: Give the newly defined firewall filter a final `then accept` term (if one already exists, skip to step 8)

```
set firewall family inet filter INGRESS_FROM_TRUST term ACCEPT_ALL then accept
```

Step 8: Insert the step-6 term before the step-7 term, i.e. adjust the term order (filter terms are also evaluated top-down, so ACCEPT_ALL must come last or the Nutanix traffic would follow the main routing table)

```
insert firewall family inet filter INGRESS_FROM_TRUST term Nutanix_Cluster before term ACCEPT_ALL
```

Step 9: Query the NAT sessions to confirm that both the inbound and outbound policies are correct

```
show security flow session nat destination-port 2020
node0:
Session ID: 91904, Policy name: LEGACY_ID_15/89, State: Backup, Timeout: 14342, Valid
  In: 172.18.18.45/46082 --> 202.82.130.199/2020;tcp, If: reth3.500, Pkts: 0, Bytes: 0
  Out: 202.82.130.199/2020 --> 119.145.16.241/24323;tcp, If: reth15.3001, Pkts: 0, Bytes: 0

Session ID: 234948, Policy name: Nutanix_Cluster-OWEN-EDIT/263, State: Backup, Timeout: 14292, Valid
  In: 202.82.130.199/6688 --> 210.21.218.163/2020;tcp, If: reth15.3006, Pkts: 0, Bytes: 0
  Out: 172.18.18.50/2020 --> 202.82.130.199/6688;tcp, If: reth3.500, Pkts: 0, Bytes: 0
Total sessions: 2
```

The first session is the outbound direction (172.18.18.45 leaving via reth15.3001, source-NATed to 119.145.16.241); the second is the inbound direction hitting the new policy Nutanix_Cluster-OWEN-EDIT, with the public address 210.21.218.163:2020 on reth15.3006 translated to 172.18.18.50:2020 and delivered on reth3.500.
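Steps 1 to 5 only work if their cross-references line up: each DNAT rule must point at a pool that exists and translates to the port the rule matches, and each policy may only reference applications that are defined. As an added example (not from this post or from Juniper), the script below reads set-format commands like those above and reports such mismatches; the sample config is a constructed subset of the post's commands with two deliberately introduced mistakes.

```python
# Constructed sample: a subset of the post's set commands with two hypothetical
# mistakes: the 2009 rule points at the 2020 pool, and the policy references an
# application (tcp-3389) that is never defined.
SAMPLE_CONFIG = """
set applications application tcp-2020 destination-port 2020
set applications application tcp-2009 destination-port 2009
set security nat destination pool DP_Nutanix_Cluster_2020 address 172.18.18.50/32
set security nat destination pool DP_Nutanix_Cluster_2020 address port 2020
set security nat destination pool DP_Nutanix_Cluster_2009 address 172.18.18.50/32
set security nat destination pool DP_Nutanix_Cluster_2009 address port 2009
set security nat destination rule-set DNAT_FROM_ISP6 rule ISP6_TO_Nutanix_2020_Owenli match destination-port 2020
set security nat destination rule-set DNAT_FROM_ISP6 rule ISP6_TO_Nutanix_2020_Owenli then destination-nat pool DP_Nutanix_Cluster_2020
set security nat destination rule-set DNAT_FROM_ISP6 rule ISP6_TO_Nutanix_2009_Owenli match destination-port 2009
set security nat destination rule-set DNAT_FROM_ISP6 rule ISP6_TO_Nutanix_2009_Owenli then destination-nat pool DP_Nutanix_Cluster_2020
set security policies from-zone ISP6 to-zone trust policy Nutanix_Cluster-OWEN-EDIT match source-address any destination-address Nutanix_Cluster application tcp-2020 application tcp-2009 application tcp-3389
"""


def audit_dnat(config_text):
    """Return a list of findings for set-format DNAT/policy commands; [] means consistent."""
    pools, pool_port, rule_port, rule_pool, app_port, policy_apps = set(), {}, {}, {}, {}, {}
    for line in config_text.splitlines():
        t = line.split()  # tokens of one "set ..." command; positions follow the Junos hierarchy
        if t[:5] == ["set", "security", "nat", "destination", "pool"]:
            pools.add(t[5])  # "address <prefix>" defines the pool; "address port <n>" fixes the port
            if t[6:8] == ["address", "port"]:
                pool_port[t[5]] = int(t[8])
        elif t[:5] == ["set", "security", "nat", "destination", "rule-set"]:
            if t[8:10] == ["match", "destination-port"]:
                rule_port[t[7]] = int(t[10])
            elif t[8:11] == ["then", "destination-nat", "pool"]:
                rule_pool[t[7]] = t[11]
        elif t[:3] == ["set", "applications", "application"] and t[4:5] == ["destination-port"]:
            app_port[t[3]] = int(t[5])
        elif t[:3] == ["set", "security", "policies"] and t[9:10] == ["match"]:
            # collect every "application <name>" pair in the policy's match clause
            policy_apps[t[8]] = [t[i + 1] for i, w in enumerate(t[:-1]) if w == "application"]
    findings = []
    for rule, pool in rule_pool.items():
        if pool not in pools:
            findings.append(f"rule {rule}: pool {pool} is not defined")
        elif rule in rule_port and pool in pool_port and pool_port[pool] != rule_port[rule]:
            findings.append(f"rule {rule}: matches port {rule_port[rule]} but pool {pool} "
                            f"translates to port {pool_port[pool]}")
    for policy, apps in policy_apps.items():
        findings.extend(f"policy {policy}: application {app} is not defined"
                        for app in apps if app not in app_port)
    return findings
```

Run `audit_dnat` over the output of `show configuration | display set` to check a live box the same way; a pool with no `address port` line is treated as keeping the original port and raises no finding.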

