[Experience sharing] Practical Juniper SRX NAT tips

Posted 2018-7-27 12:28:51
  When configuring a route-based IPsec VPN, if the secure tunnel (st0) interface and the external interface are in the same zone, the VPN traffic would otherwise be caught by the interface source NAT used for Internet access. To keep normal Internet access working while leaving the VPN traffic untranslated, add a source-nat off rule for the VPN traffic and place it before the Internet rule (rules in a rule-set are evaluated in order, first match wins).
  set security nat source rule-set 002 from zone trust
  set security nat source rule-set 002 to zone untrust
  set security nat source rule-set 002 rule 01 match source-address 172.16.0.0/24
  set security nat source rule-set 002 rule 01 match destination-address 10.220.0.0/24
  set security nat source rule-set 002 rule 01 then source-nat off
  Configuration for normal Internet access:
  set security nat source rule-set 002 rule 02 match source-address 0.0.0.0/0
  set security nat source rule-set 002 rule 02 match destination-address 0.0.0.0/0
  set security nat source rule-set 002 rule 02 then source-nat interface
  set security policies from-zone trust to-zone untrust policy 001 match source-address any
  set security policies from-zone trust to-zone untrust policy 001 match destination-address any
  set security policies from-zone trust to-zone untrust policy 001 match application any
  set security policies from-zone trust to-zone untrust policy 001 then permit
  The SRX does destination NAT for a server, but internal clients also need to reach the server through the destination-NAT (public) address. For TCP applications this causes a hairpin (NAT reflection) problem: the server answers the client directly on the LAN, so the return path bypasses the SRX and the session never completes. There are generally two fixes: 1) set up a DNS server that resolves the name to the right address for internal clients; 2) source-NAT the internal clients' sessions so they appear to come from the internal interface of the SRX.
  This post covers the second one; the configuration is below. Two points to note: a) the destination NAT rule-set must also include from zone trust; b) trust-to-trust traffic must be permitted (the SRX security policy default is deny).
  set security nat source rule-set 001 from zone trust
  set security nat source rule-set 001 to zone trust
  set security nat source rule-set 001 rule 03 match source-address 172.16.1.0/24
  set security nat source rule-set 001 rule 03 match destination-address 172.16.2.0/24
  set security nat source rule-set 001 rule 03 then source-nat interface
  set security nat destination rule-set 001 from zone trust
  set security policies from-zone trust to-zone trust policy 001 match source-address any
  set security policies from-zone trust to-zone trust policy 001 match destination-address any
  set security policies from-zone trust to-zone trust policy 001 match application any
  set security policies from-zone trust to-zone trust policy 001 then permit
  The common destination NAT configuration:
  set security nat destination rule-set 001 from zone untrust
  set security nat destination pool nfs-app address 172.16.2.100/32
  set security nat destination pool nfs-app address port 2049
  set security nat destination rule-set 001 from zone trust
  set security nat destination rule-set 001 from zone untrust
  set security nat destination rule-set 001 rule 01 match destination-address 202.100.117.209/32
  set security nat destination rule-set 001 rule 01 match destination-port 9090
  set security nat destination rule-set 001 rule 01 then destination-nat pool nfs-app
  set security nat destination rule-set 001 rule 02 match destination-address 202.100.117.209/32
  set security nat destination rule-set 001 rule 02 match destination-port 9000
  set security nat destination rule-set 001 rule 02 then destination-nat pool old-lab
  set security zones security-zone trust address-book address nfs 172.16.2.100/32
  set security policies from-zone untrust to-zone trust policy 001 match source-address any
  set security policies from-zone untrust to-zone trust policy 001 match destination-address nfs
  set security policies from-zone untrust to-zone trust policy 001 match application nfs-tcp
  set security policies from-zone untrust to-zone trust policy 001 match application nfs-udp
  set security policies from-zone untrust to-zone trust policy 001 then permit
  set security policies from-zone untrust to-zone trust policy 001 then log session-close
  set applications application nfs-udp protocol udp
  set applications application nfs-udp source-port 1-65535
  set applications application nfs-udp destination-port 2049
  set applications application nfs-tcp protocol tcp
  set applications application nfs-tcp source-port 1-65535
  set applications application nfs-tcp destination-port 2049
  Sometimes during a network migration you run into this situation:
  the server's gateway is on another device, reached over a different ISP line, so the server's gateway is not on the SRX, yet Internet users must still reach the server through destination NAT on the SRX.
  The fix is quite interesting and similar to the hairpin case: add a source NAT rule that translates the Internet users' sessions to the SRX interface address, so the server's replies come back to the SRX instead of leaving via its own gateway.
  set security nat source rule-set 003 rule 03 match source-address 0.0.0.0/0
  set security nat source rule-set 003 rule 03 match destination-address 172.16.3.100/32
  set security nat source rule-set 003 rule 03 then source-nat interface
  The common destination NAT configuration:
  set security nat destination pool old-lab address 172.16.3.100/32
  set security nat destination pool old-lab address port 22
  set security nat destination rule-set 001 rule 02 match destination-port 9000
  set security nat destination rule-set 001 rule 02 then destination-nat pool old-lab
  set security zones security-zone trust address-book address old-lab 172.16.3.100/32
  set security policies from-zone untrust to-zone trust policy 002 match source-address any
  set security policies from-zone untrust to-zone trust policy 002 match destination-address old-lab
  set security policies from-zone untrust to-zone trust policy 002 match application junos-ssh
  set security policies from-zone untrust to-zone trust policy 002 then permit
  set security policies from-zone untrust to-zone trust policy 002 then log session-init
  In practice you may also meet this problem:
  the customer does not want SSH on its Internet interface exposed to brute-force attempts on port 22. The SRX itself has no option to change the SSH port, so NAT is used instead.
  Anyone who has done RE-protect (Routing Engine protection) knows that the loopback interface is the interface between the data plane and the control plane.
  We can disable SSH on the untrust interface and, through destination NAT, expose SSH on the loopback interface as a different port on the Internet interface.
  HTTP and HTTPS can be translated in the same way. Below is the destination NAT part of the configuration; please add the policy configuration yourself.
  set security nat destination rule-set 001 rule 03 match source-address 0.0.0.0/0
  set security nat destination rule-set 001 rule 03 match destination-address 202.100.117.209/32
  set security nat destination rule-set 001 rule 03 match destination-port 9099
  set security nat destination rule-set 001 rule 03 then destination-nat pool loop-ssh
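To see how the rules above interact, here is an added Python model of the SRX flow order (this is example code written for this page, not Juniper code and not part of the original post): destination NAT first, then zone and policy lookup on the translated address, then source NAT with first-match evaluation inside a rule-set. It is loaded with the post's rule-sets and covers the VPN source-nat off rule, the trust-to-trust hairpin, the server whose gateway is off the SRX, and the SSH-on-loopback mapping. Assumed, because the post does not state them: the trust interface address 172.16.1.1, the lo0 address 10.255.255.1 behind pool loop-ssh, that 202.100.117.209 is the untrust interface address, and that rule-set 003 is from untrust to trust.

```python
"""Model of SRX flow processing for the NAT rules in the post (constructed example)."""
import ipaddress
from dataclasses import dataclass, replace

# Assumed addressing, not stated in the post: trust-side interface IP and a lo0
# address for the SSH trick. 202.100.117.209 is the public address the post's
# destination NAT rules match on; we assume it is the untrust interface address.
TRUST_IF_IP = "172.16.1.1"
UNTRUST_IF_IP = "202.100.117.209"
LO0_IP = "10.255.255.1"

# Which zone a destination is reached through (longest prefix wins). The post
# puts st0 (remote subnet 10.220.0.0/24) in the same zone as the external
# interface, which is exactly why VPN traffic would otherwise hit source NAT.
ZONE_ROUTES = [
    ("172.16.0.0/16", "trust"),
    (LO0_IP + "/32", "trust"),
    ("10.220.0.0/24", "untrust"),
    ("0.0.0.0/0", "untrust"),
]
ZONE_IF_IP = {"trust": TRUST_IF_IP, "untrust": UNTRUST_IF_IP}

DNAT_POOLS = {
    "nfs-app": ("172.16.2.100", 2049),
    "old-lab": ("172.16.3.100", 22),
    "loop-ssh": (LO0_IP, 22),  # pool body assumed; the post only names the pool
}
# Destination rule-set 001 is from-zone trust AND untrust, so hairpin clients
# inside trust hit the same rules as Internet users.
DNAT_RULESET = {"from": {"trust", "untrust"}, "rules": [
    {"dst": "202.100.117.209/32", "dport": 9090, "pool": "nfs-app"},
    {"dst": "202.100.117.209/32", "dport": 9000, "pool": "old-lab"},
    {"dst": "202.100.117.209/32", "dport": 9099, "pool": "loop-ssh"},
]}

# Source NAT rule-sets, rules in configured order (first match wins).
# Rule-set 003 has no from/to lines in the post; untrust -> trust is assumed.
SNAT_RULESETS = [
    {"from": "trust", "to": "untrust", "rules": [
        {"src": "172.16.0.0/24", "dst": "10.220.0.0/24", "then": "off"},
        {"src": "0.0.0.0/0", "dst": "0.0.0.0/0", "then": "interface"}]},
    {"from": "trust", "to": "trust", "rules": [
        {"src": "172.16.1.0/24", "dst": "172.16.2.0/24", "then": "interface"}]},
    {"from": "untrust", "to": "trust", "rules": [
        {"src": "0.0.0.0/0", "dst": "172.16.3.100/32", "then": "interface"}]},
]

# Policies match on the POST-destination-NAT address, as on a real SRX.
# Any zone pair not listed is denied (the SRX default the post warns about).
POLICIES = {
    ("trust", "untrust"): "any",
    ("trust", "trust"): "any",
    ("untrust", "trust"): {("172.16.2.100", 2049), ("172.16.3.100", 22), (LO0_IP, 22)},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def zone_of(ip):
    nets = [(ipaddress.ip_network(n), z) for n, z in ZONE_ROUTES if in_net(ip, n)]
    return max(nets, key=lambda t: t[0].prefixlen)[1]


def apply_dnat(flow, from_zone):
    if from_zone in DNAT_RULESET["from"]:
        for r in DNAT_RULESET["rules"]:
            if in_net(flow.dst, r["dst"]) and flow.dport == r["dport"]:
                ip, port = DNAT_POOLS[r["pool"]]
                return replace(flow, dst=ip, dport=port)
    return flow


def apply_snat(flow, from_zone, to_zone, rulesets):
    for rs in rulesets:
        if rs["from"] == from_zone and rs["to"] == to_zone:
            for r in rs["rules"]:
                if in_net(flow.src, r["src"]) and in_net(flow.dst, r["dst"]):
                    # "interface" rewrites the source to the egress interface
                    # address (port translation not modelled); "off" keeps it.
                    return flow if r["then"] == "off" else replace(flow, src=ZONE_IF_IP[to_zone])
    return flow


def reordered_snat():
    """Rule-set 002 with rule 01 and rule 02 swapped, to show that order matters."""
    first = dict(SNAT_RULESETS[0], rules=SNAT_RULESETS[0]["rules"][::-1])
    return [first] + SNAT_RULESETS[1:]


def process(flow, snat_rulesets=SNAT_RULESETS, policies=POLICIES):
    """Return the flow as the server sees it, or None if policy drops it."""
    from_zone = zone_of(flow.src)
    flow = apply_dnat(flow, from_zone)          # DNAT precedes route/policy lookup
    to_zone = zone_of(flow.dst)
    allowed = policies.get((from_zone, to_zone))
    if allowed is None or (allowed != "any" and (flow.dst, flow.dport) not in allowed):
        return None
    return apply_snat(flow, from_zone, to_zone, snat_rulesets)


if __name__ == "__main__":
    print(process(Flow("172.16.0.5", "10.220.0.7", 445)))          # VPN: source untouched
    print(process(Flow("172.16.0.5", "93.184.216.34", 443)))       # Internet: interface NAT
    print(process(Flow("172.16.1.10", "202.100.117.209", 9090)))   # hairpin to NFS
    print(process(Flow("198.51.100.7", "202.100.117.209", 9000)))  # server with off-box gateway
    print(process(Flow("198.51.100.7", "202.100.117.209", 9099)))  # SSH on 9099 -> lo0:22
    print(process(Flow("172.16.0.5", "10.220.0.7", 445), reordered_snat()))  # VPN wrongly NATed
```

Running it shows the points the post makes in one place: the VPN flow keeps its real source only because rule 01 precedes rule 02 (swap them with reordered_snat() and it is translated to the public address), the hairpin client reaches 172.16.2.100 with the trust interface as its source, and dropping the trust-to-trust policy makes process() return None for that flow.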
  Another scenario: when building IPsec, a merger or poor address planning can leave you with overlapping addresses; whether the IPsec is policy-based or route-based you will hit some problems, and these too can be solved with NAT. Yet another case is a data centre hosting third-party equipment, where the same server has to be mapped to different addresses for different customers; here the SRX has a limit: within one rule and one direction, match addresses are capped at 8 ("number of elements exceeds limit of 8"). How to handle that? Due to time constraints, waiting for the next post...

Thread: https://www.yunweiku.com/thread-542075-1-1.html