Juniper SRX Firewall NAT Test - 创新互联
1. Test topology:
2. Test summary:
3. Basic configuration:
A. Router R1:
interface Ethernet0/0
ip address 202.100.1.1 255.255.255.0
no shut
B. Firewall SRX:
① Configure the interface addresses:
set interfaces ge-0/0/0.0 family inet address 202.100.1.10/24
set interfaces ge-0/0/1.0 family inet address 10.1.1.10/24
set interfaces ge-0/0/2.0 family inet address 192.168.1.10/24
② Assign the interfaces to zones:
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone dmz interfaces ge-0/0/2.0
③ Configure the inter-zone policy that permits any traffic from trust to untrust:
set security policies from-zone trust to-zone untrust policy Permit-All match source-address any
set security policies from-zone trust to-zone untrust policy Permit-All match destination-address any
set security policies from-zone trust to-zone untrust policy Permit-All match application any
set security policies from-zone trust to-zone untrust policy Permit-All then permit
④ Configure the inter-zone policy that permits any traffic from dmz to untrust:
set security policies from-zone dmz to-zone untrust policy Permit-All match source-address any
set security policies from-zone dmz to-zone untrust policy Permit-All match destination-address any
set security policies from-zone dmz to-zone untrust policy Permit-All match application any
set security policies from-zone dmz to-zone untrust policy Permit-All then permit
C. Host PC1:
IP: 10.1.1.8/24
GW: 10.1.1.10
D. Router R2:
interface f0/0
ip address 192.168.1.2 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 192.168.1.10
4. NAT configuration:
A. First type of NAT:
Source NAT: interface NAT configuration:
A. Specify the NAT zones:
set security nat source rule-set Source-NAT from zone trust
set security nat source rule-set Source-NAT to zone untrust
B. Configure interface NAT:
set security nat source rule-set Source-NAT rule NAT-Interface match source-address 0.0.0.0/0
set security nat source rule-set Source-NAT rule NAT-Interface match destination-address 0.0.0.0/0
set security nat source rule-set Source-NAT rule NAT-Interface then source-nat interface
C. Commit the configuration:
commit
D. Verification:
Ping the R1 interface address from host PC1 while running debug ip icmp on R1; the ICMP source address seen by R1 is the firewall's interface address (202.100.1.10), not PC1's:
R1#
*Mar 2 01:35:56.797: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.10
*Mar 2 01:35:57.793: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.10
*Mar 2 01:35:58.809: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.10
*Mar 2 01:35:59.749: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.10
R1#
B. Second type of NAT:
Source NAT: pool-based NAT configuration:
A. Configure the address pool:
set security nat source pool src-nat-pool1 address 202.100.1.11 to 202.100.1.13
B. Specify the NAT zones (already configured above, so this step can be skipped):
set security nat source rule-set Source-NAT from zone trust
set security nat source rule-set Source-NAT to zone untrust
C. Configure pool-based NAT:
set security nat source rule-set Source-NAT rule NAT-pool match source-address 0.0.0.0/0
set security nat source rule-set Source-NAT rule NAT-pool match destination-address 0.0.0.0/0
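A small lint for set-style Junos source NAT configuration, added here as an example and not part of the original article. It parses the interface, pool, rule-set and proxy-arp lines, then flags rules that never reach a `then source-nat` action, rules that point at an undefined pool, and pool addresses inside an egress interface's subnet that have no `security nat proxy-arp` entry; the embedded sample is a constructed copy of the pool-based steps above, which stop before the rule's action.

```python
import ipaddress

# Constructed sample: the pool-based source NAT steps above, which stop short of the rule's "then" action.
SAMPLE_CONFIG = """
set interfaces ge-0/0/0.0 family inet address 202.100.1.10/24
set security nat source pool src-nat-pool1 address 202.100.1.11 to 202.100.1.13
set security nat source rule-set Source-NAT from zone trust
set security nat source rule-set Source-NAT to zone untrust
set security nat source rule-set Source-NAT rule NAT-pool match source-address 0.0.0.0/0
set security nat source rule-set Source-NAT rule NAT-pool match destination-address 0.0.0.0/0
"""

def addr_range(t):
    """Expand the 'address A [to B]' part of a set line into individual IPv4 addresses."""
    i = t.index("address")
    first = ipaddress.ip_address(t[i + 1])
    last = ipaddress.ip_address(t[i + 3]) if t[i + 2:i + 3] == ["to"] else first
    return [ipaddress.ip_address(n) for n in range(int(first), int(last) + 1)]

def lint_source_nat(text):
    """Check a set-style Junos config for common source NAT mistakes; return a list of findings."""
    ifaces, pools, rules, zones, proxy_arp = {}, {}, {}, {}, set()
    for line in text.splitlines():
        t = line.split()[1:] if line.startswith("set ") else []   # tokens after 'set'
        if t[:1] == ["interfaces"] and "address" in t:
            ifaces[t[1]] = ipaddress.ip_interface(t[t.index("address") + 1])
        elif t[:4] == ["security", "nat", "source", "pool"] and "address" in t:
            pools[t[4]] = addr_range(t)
        elif t[:4] == ["security", "nat", "source", "rule-set"] and len(t) > 7 and t[5] in ("from", "to"):
            zones.setdefault(t[4], set()).add(t[5])
        elif t[:4] == ["security", "nat", "source", "rule-set"] and len(t) > 7 and t[5] == "rule":
            rules.setdefault((t[4], t[6]), None)          # rule seen; action unknown so far
            if t[7] == "then":
                rules[(t[4], t[6])] = t[8:]               # e.g. ['source-nat', 'pool', 'src-nat-pool1']
        elif t[:3] == ["security", "nat", "proxy-arp"] and "address" in t:
            proxy_arp.update(addr_range(t))
    findings = [f"rule-set {rs}: needs both a from zone and a to zone" for rs, z in zones.items() if z != {"from", "to"}]
    for (rs, name), then in rules.items():
        if then is None:
            findings.append(f"rule {rs}/{name}: has no 'then source-nat' action, so it translates nothing")
        elif then[:2] == ["source-nat", "pool"] and then[2:3] and then[2] not in pools:
            findings.append(f"rule {rs}/{name}: references undefined pool {then[2]}")
    for name, addrs in pools.items():
        for ip in addrs:
            for ifname, ifaddr in ifaces.items():
                # A pool address in an egress interface's subnet (not the interface IP) needs proxy-arp, or replies are lost.
                if ip in ifaddr.network and ip != ifaddr.ip and ip not in proxy_arp:
                    findings.append(f"pool {name}: {ip} is in {ifname}'s subnet without proxy-arp")
    return findings
```

Run against the sample it reports the missing action for NAT-pool and three pool addresses without proxy-arp; adding the `then source-nat pool src-nat-pool1` line and a matching `security nat proxy-arp` entry clears every finding.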
Link: http://azwzsj.com/article/djioeo.html