Juniper SRX Destination NAT中内网访问映射地址问题
网络设备:Juniper SRX系列防火墙 网络拓扑:问题描述:在实现Destination NAT的时候,如果需要从内网访问映射后的公网地址,默认会有一些问题,在内网可以ping 通映射地址,但是不能访问服务; 问题分析: set zones security-zone trust address-book address server-2 192.168.1.200/32set policy server-access match source-address any destination-address server-2 application anyset policy server-access then permitset pool dst-nat-pool-2 address 192.168.1.200 port 8000set rule-set rs1 from zone untrustset rule-set rs1 rule r2 match destination-address 1.1.1.101set rule-set rs1 rule r2 match destination-port 80set rule-set rs1 rule r2 then destination-nat pool dst-nat-pool-2set proxy-arp interface ge-0/0/2.0 address 1.1.1.101一般的我们如上配置完设备后,外网用户便可以访问映射地址了,但是如果内网用户访问会有问题,不能通过1.1.1.101访问服务;原因是内部地址访问1.1.1.101的时候,防火墙不做地址转换,将内网地址路由给目的服务器,服务器会看到这个地址,回包的时候直接把数据包回给这个内网地址,TCP形成一个半连接,故服务不能访问。解决办法:来自信任区域的访问也做一次destination nat,需要添加以下命令; set rule-set rs1 from zone trustset rule-set rs1 rule r2 match destination-address 1.1.1.101set rule-set rs1 rule r2 match destination-port 80set rule-set rs1 rule r2 then destination-nat pool dst-nat-pool-2
页:
[1]