Editor: 达达恰西瓜 2013-04-11
More original technical documents at http://k968888.blog.sohu.com

Step by step: configuring IP-pool-based destination NAT (Dst-NAT) on a Juniper SRX firewall
Original by [email protected]
Juniper ID: JPR29525, JNCIS-FWV/JNCIS-ER/JNSS-S

SRX firewall model / JUNOS version:
netscreen@SRX3600B> show version
Hostname: SRX3600B
Model: srx3600
JUNOS Software Release [10.2R1.8]

Network topology: (figure)

Case description:
1. The server runs Novell SuSE Linux and is connected to physical interface ge-0/0/7 of the Juniper SRX3600. Server IP: 192.168.3.100, default gateway 192.168.3.1.
2. The PC runs Windows XP and is connected to physical interface ge-0/0/0 of the Juniper SRX3600. PC IP: 10.200.51.202, no default gateway configured.

3. With IP-pool-based destination NAT configured, when the PC accesses 2.2.2.2 (ping/telnet), the SRX3600 automatically translates the destination address to 192.168.3.100.

PC route setting (the PC has no default gateway, so a host route for 2.2.2.2 points at the SRX ge-0/0/0 address):
C:\>route add 2.2.2.2 mask 255.255.255.255 10.200.51.203

Server IP and route settings: (figure)

SRX firewall configuration steps

1. Configure zones
netscreen@SRX3600B# set security zones security-zone trust
netscreen@SRX3600B# set security zones security-zone untrust

2. Configure interface IP addresses
netscreen@SRX3600B# set interfaces ge-0/0/0 unit 0 family inet address 10.200.51.203/16
netscreen@SRX3600B# set interfaces ge-0/0/7 unit 0 family inet address 192.168.3.1/24

3. Bind the interfaces to zones
netscreen@SRX3600B# set security zones security-zone untrust interfaces ge-0/0/0.0
netscreen@SRX3600B# set security zones security-zone trust interfaces ge-0/0/7.0

4. Configure the address book
netscreen@SRX3600B# set security zones security-zone trust address-book address Server 192.168.3.100/32
netscreen@SRX3600B# set security zones security-zone untrust address-book address Pc 10.200.51.202/32

5. Configure IP-pool-based Dst-NAT
The configuration below maps traffic from untrust host 10.200.51.202 to 2.2.2.2 onto the internal address 192.168.3.100.
Note: the destination pool is defined with the real internal IP address, not the pre-translation public address. This is the opposite of a source NAT pool, which holds the translated address. Destination NAT is evaluated before the route lookup and the policy lookup, so 2.2.2.2 does not need to exist on any SRX interface; the rule-set only needs to be bound to the ingress zone (untrust), and the rule is restricted to the single source 10.200.51.202/32 so no other untrust host can reach the server through this mapping.
netscreen@SRX3600B# set security nat destination pool testpool address 192.168.3.100/32
netscreen@SRX3600B# set security nat destination rule-set 1 from zone untrust
netscreen@SRX3600B# set security nat destination rule-set 1 rule testrule match source-address 10.200.51.202/32
netscreen@SRX3600B# set security nat destination rule-set 1 rule testrule match destination-address 2.2.2.2/32
netscreen@SRX3600B# set security nat destination rule-set 1 rule testrule then destination-nat pool testpool

6. Configure the security policy
The policy lookup runs after destination NAT, so the policy matches on the translated destination: its destination-address is the trust address-book entry Server (192.168.3.100), not 2.2.2.2. Only junos-icmp-ping and junos-telnet are permitted; any other service to the server from the PC is dropped by the default deny.
netscreen@SRX3600B# set security policies from-zone untrust to-zone trust policy 1 match source-address Pc
netscreen@SRX3600B# set security policies from-zone untrust to-zone trust policy 1 match destination-address Server
netscreen@SRX3600B# set security policies from-zone untrust to-zone trust policy 1 match application junos-icmp-ping
netscreen@SRX3600B# set security policies from-zone untrust to-zone trust policy 1 match application junos-telnet
netscreen@SRX3600B# set security policies from-zone untrust to-zone trust policy 1 then permit

Verification
Ping and telnet 2.2.2.2 from the PC: (figure)
View the firewall session table (show security flow session on the SRX): (figure)
View the Translation hits count of the IP-pool-based Dst-NAT rule (show security nat destination rule all): (figure)

Copyright statement: when reproducing, credit the original source http://k968888.blog.sohu.com
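The order of operations behind steps 5 and 6 (destination NAT first, then the route lookup, then the policy lookup on the translated address) is what makes the policy match Server rather than 2.2.2.2. The following added example, which is not part of the original page and is not Juniper code, models that first-packet path in Python and runs it over the configuration above. It assumes that ingress and egress zones can be resolved by matching an address against the configured interface prefixes (a stand-in for the real route and reverse-path lookup), that NAT pools are single /32 addresses, and that applications match by name only (no port resolution); the names parse, process, MODEL and CONFIG are this example's own.

```python
"""Added example (not from the page or from Juniper): a model of the SRX first-packet
path, destination NAT -> route lookup -> security policy, run over the page's config.
Assumption: zones are resolved by matching addresses to interface prefixes (a stand-in
for the real route / reverse-path lookup) and NAT pools are single /32 addresses."""
import ipaddress
ANY = ipaddress.ip_network("0.0.0.0/0")
# Constructed: the page's configuration steps as one set-command listing.
CONFIG = """
set interfaces ge-0/0/0 unit 0 family inet address 10.200.51.203/16
set interfaces ge-0/0/7 unit 0 family inet address 192.168.3.1/24
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/7.0
set security zones security-zone trust address-book address Server 192.168.3.100/32
set security zones security-zone untrust address-book address Pc 10.200.51.202/32
set security nat destination pool testpool address 192.168.3.100/32
set security nat destination rule-set 1 from zone untrust
set security nat destination rule-set 1 rule testrule match source-address 10.200.51.202/32
set security nat destination rule-set 1 rule testrule match destination-address 2.2.2.2/32
set security nat destination rule-set 1 rule testrule then destination-nat pool testpool
set security policies from-zone untrust to-zone trust policy 1 match source-address Pc
set security policies from-zone untrust to-zone trust policy 1 match destination-address Server
set security policies from-zone untrust to-zone trust policy 1 match application junos-icmp-ping
set security policies from-zone untrust to-zone trust policy 1 match application junos-telnet
set security policies from-zone untrust to-zone trust policy 1 then permit
"""

def parse(config):
    """Model from set commands: interface prefixes, zone membership, per-zone
    address books, destination-NAT pools and rule-sets, and policies."""
    m = {"ifaces": {}, "zone_of": {}, "book": {}, "pools": {}, "rulesets": {}, "policies": []}
    for line in config.strip().splitlines():
        t = line.split()[1:]  # drop the leading "set"
        if t[0] == "interfaces":
            m["ifaces"][f"{t[1]}.{t[3]}"] = ipaddress.ip_interface(t[7]).network
        elif t[:3] == ["security", "zones", "security-zone"]:
            if t[4:5] == ["interfaces"]:
                m["zone_of"][t[5]] = t[3]
            elif t[4:6] == ["address-book", "address"]:
                m["book"][(t[3], t[6])] = ipaddress.ip_network(t[7])
        elif t[:4] == ["security", "nat", "destination", "pool"]:
            m["pools"][t[4]] = ipaddress.ip_network(t[6]).network_address
        elif t[:4] == ["security", "nat", "destination", "rule-set"]:
            rs = m["rulesets"].setdefault(t[4], {"from": None, "rules": {}})
            if t[5:7] == ["from", "zone"]:
                rs["from"] = t[7]
            elif t[7] == "match":  # rule <name> match <field> <prefix>
                rs["rules"].setdefault(t[6], {})[t[8]] = ipaddress.ip_network(t[9])
            elif t[7:10] == ["then", "destination-nat", "pool"]:
                rs["rules"].setdefault(t[6], {})["pool"] = t[10]
        elif t[:2] == ["security", "policies"]:
            key = (t[3], t[5], t[7])  # (from-zone, to-zone, policy name)
            p = next((x for x in m["policies"] if x["key"] == key), None)
            if p is None:
                p = {"key": key, "source-address": [], "destination-address": [],
                     "application": [], "action": None}
                m["policies"].append(p)
            if t[8] == "match":
                p[t[9]].append(t[10])
            else:
                p["action"] = t[9]
    return m

def zone_for(m, ip):
    """Zone of the interface whose prefix contains ip (stand-in for route lookup)."""
    return next((m["zone_of"].get(i) for i, net in m["ifaces"].items() if ip in net), None)

def in_book(m, zone, names, ip):
    """True if ip falls inside any of the named address-book entries of zone."""
    return any(ip in m["book"][(zone, n)] for n in names if (zone, n) in m["book"])

def process(m, src, dst, app):
    """First-packet path: destination NAT, then route, then policy (default deny)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    from_zone = zone_for(m, src)
    r = {"from_zone": from_zone, "pre_nat_dst": str(dst), "nat_rule": None,
         "policy": None, "action": "deny"}
    # 1. Destination NAT runs before the route lookup, so 2.2.2.2 need not be
    #    configured anywhere on the box; only rule-sets bound to the ingress
    #    zone are consulted and the first matching rule wins.
    for name, rule in ((f"{n}/{k}", v) for n, rs in m["rulesets"].items()
                       if rs["from"] == from_zone for k, v in rs["rules"].items()):
        if src in rule.get("source-address", ANY) and dst in rule.get("destination-address", ANY):
            dst, r["nat_rule"] = m["pools"][rule["pool"]], name
            break
    r["post_nat_dst"] = str(dst)
    # 2. Route lookup on the translated destination decides the egress zone.
    to_zone = r["to_zone"] = zone_for(m, dst)
    # 3. Policy lookup also sees the translated destination, so the policy must
    #    name the real server (Server = 192.168.3.100), not the pre-NAT 2.2.2.2.
    for p in m["policies"]:
        if (p["key"][:2] == (from_zone, to_zone) and app in p["application"]
                and in_book(m, from_zone, p["source-address"], src)
                and in_book(m, to_zone, p["destination-address"], dst)):
            r["policy"], r["action"] = p["key"][2], p["action"]
            break
    return r

MODEL = parse(CONFIG)
```

process(MODEL, "10.200.51.202", "2.2.2.2", "junos-telnet") returns the translated destination 192.168.3.100, the NAT rule 1/testrule and policy 1 with action permit; the same packet with junos-ssh is denied by the default policy, and a packet from another untrust host (for example 10.200.51.250) never matches the NAT rule, so 2.2.2.2 is left untranslated, no egress zone is found and the packet is dropped. Re-parsing the listing with the Server entry changed to 2.2.2.2/32 reproduces the common mistake of writing the policy against the pre-NAT address: NAT still fires, but the policy no longer matches and the session is denied.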
