Juniper srx防火墙NAT配置
一、基础操作说明:
1、 设备恢复出厂化
root# load factory-default
root# set system root-authentication plain-text-password
root# commit
root> request system reboot
2、 基本配置
2.1 配置主机名
root# set system host-name SRX1400
2.2设置时区
root@SRX1400# set system time-zoneAsia/Shanghai
2.3设置时间
root@SRX1400# run set date 201508011549.21
2.4设置dns
root@SRX1400# set system name-server202.l06.0.20
2.5设置接口IP
root@SRX1400# set interfaces ge-0/0/0 unit0 family inet address 10.0.0.10/24
2.6设置默认路由
root@SRX1400# set routing-options staticroute 0.0.0.0/0 next-hop 10.0.0.254
2.7创建登陆用户
root@SRX1400# set system login user adminclass super-user authentication plain-text-password
2.8创建安全Zone
root@SRX1400# set security zonessecurity-zone untrust
2.9接口加入zone
root@SRX1400# set security zones security-zoneuntrust interfaces ge-0/0/0.0
2.10业务口放行icmp
root@SRX1400#set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
说明:默认情况下,除管理口外的业务口是无法ping通的,需要放行icmp。
二、juniper srx nat
1、NAT的类型
1.1 source nat :interface
1.2 source nat :pool
1.3 destination nat
1.4 static nat
2、配置实例
2.1 基于接口的source nat
root@SRX1400# set security nat sourcerule-set 1 from zone trust
root@SRX1400# set security nat sourcerule-set 1 to zone untrust
root@SRX1400# set security nat sourcerule-set 1 rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
root@SRX1400# set security nat sourcerule-set 1 rule rule1 then source-nat interface
默认police
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
2.2基于地址池的source nat
root@SRX1400# set security nat source poolisp address 10.0.0.20 to 10.0.30
root@SRX1400# set security nat sourcerule-set 1 from zone trust
root@SRX1400# set security nat sourcerule-set 1 to zone untrust
root@SRX1400# set security nat sourcerule-set 1 rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
root@SRX1400# set security nat sourcerule-set 1 rule rule1 then source-nat pool isp
root@SRX1400# set security nat proxy-arpinterface ge-0/0/0 address 10.0.0.20 to 10.0.0.30
2.3 destination nat 配置
root@SRX1400# set security nat destinationpool dst-nat-pool-1 address 172.16.1.1/32
root@SRX1400# set security nat destinationpool dst-nat-pool-1 address port 80
root@SRX1400# set security nat destinationrule-set rs1 from zone untrust
root@SRX1400# set security nat destinationrule-set rs1 rule 1 match destination-address 10.0.0.100/32
root@SRX1400# set security nat destinationpool dst-nat-pool-1 address port 80
root@SRX1400# set security nat proxy-arpinterface ge-0/0/0.0 address 10.0.0.100/32
root@SRX1400# set security address-bookglobal address web 172.16.1.1/32
root@SRX1400# set security nat destinationrule-set rs1 rule 1 then destination-nat pool dst-nat-pool-1
root@SRX1400# set security policiesfrom-zone untrust to-zone trust policy web match source-address any
root@SRX1400# set security policiesfrom-zone untrust to-zone trust policy web match destination-address web match application any
root@SRX1400# set security policiesfrom-zone untrust to-zone trust policy
root@SRX1400# set security policiesfrom-zone untrust to-zone trust policy web then permit
root@SRX1400# insert security policiesfrom-zone untrust to-zone trust policy web before policy default-deny
2.4 static nat配置
root@SRX1400# set security nat staticrule-set rs1 from zone untrust
root@SRX1400# set security nat staticrule-set rs1 rule r1 match destination-address 10.0.0.100/32
root@SRX1400# set security nat staticrule-set rs1 rule r1 then static-nat prefix 172.16.1.1/32
root@SRX1400# set security nat proxy-arpinterface ge-0/0/0.0 address 10.0.0.100/32
root@SRX1400# set security address-bookglobal address web 172.16.1.1/32
root@SRX1400# set security policiesfrom-zone untrust to-zone untrust web match source-address any destination-addressweb application any
root@SRX1400# set security policiesfrom-zone untrust to-zone trust policy web then permit
root@SRX1400# insert security policiesfrom-zone untrust to-zone trust web before policy default-deny
