Juniper SRX防火墙-静态NAT（一）

Juniper SRX 静态NAT

win xp----Juniper SRX------win2003

规划：

1、外网电脑 用虚拟机 2003 模拟外网主机，兼模拟DNS、HTTP服务器；

IP：222.0.0.2/27

2、内网主机用虚拟机 XP 模拟内网，兼HTTP服务器，

IP: 192.168.1.8/24

3、SRX 墙untrust 地址：222.0.0.1/27

trust地址：192.168.1.1/24

4、测试软件：HFS、

实验脚本1

 

set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24

set interfaces ge-0/0/1 unit 0 family inet address 222.0.0.1/27

 

set security nat static rule-set static-nat from zone untrust

set security nat static rule-set static-nat rule 1 match destination-address 222.0.0.6/32

set security nat static rule-set static-nat rule 1 then static-nat prefix 192.168.1.6/32

set security nat static rule-set static-nat rule 2 match destination-address 222.0.0.7/32

set security nat static rule-set static-nat rule 2 then static-nat prefix 192.168.1.7/32

set security nat static rule-set static-nat rule 3 match destination-address 222.0.0.8/32

set security nat static rule-set static-nat rule 3 then static-nat prefix 192.168.1.8/32

set security nat proxy-arp interface ge-0/0/1.0 address 222.0.0.8/32

set security nat proxy-arp interface ge-0/0/1.0 address 222.0.0.7/32

set security nat proxy-arp interface ge-0/0/1.0 address 222.0.0.9/32

 

set security policies from-zone trust to-zone untrust policy rule1 match source-address any

set security policies from-zone trust to-zone untrust policy rule1 match destination-address any

set security policies from-zone trust to-zone untrust policy rule1 match application any

set security policies from-zone trust to-zone untrust policy rule1 then permit

set security policies from-zone untrust to-zone trust policy rule01 match source-address any

set security policies from-zone untrust to-zone trust policy rule01 match destination-address any

set security policies from-zone untrust to-zone trust policy rule01 match application any

set security policies from-zone untrust to-zone trust policy rule01 then permit

set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services all

set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all

 

root@SRX-1> show security flow session

Session ID: 1344, Policy name: rule1/4, Timeout: 2, Valid

  In: 192.168.1.8/295 --> 220.0.0.2/61201;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84

  Out: 220.0.0.2/61201 --> 220.0.0.8/295;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84

 

Session ID: 1345, Policy name: rule1/4, Timeout: 2, Valid

  In: 192.168.1.8/296 --> 220.0.0.2/61201;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84

  Out: 220.0.0.2/61201 --> 220.0.0.8/296;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84

 

Session ID: 1347, Policy name: rule1/4, Timeout: 4, Valid

  In: 192.168.1.8/297 --> 220.0.0.2/61201;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84

  Out: 220.0.0.2/61201 --> 220.0.0.8/297;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84

Total sessions: 3

 

root@SRX-1> show security nat static rule all

Total static-nat rules: 3

Total referenced IPv4/IPv6 ip-prefixes: 6/0

 

Static NAT rule: 1                    Rule-set: static-nat

  Rule-Id                    : 1 

  Rule position              : 1

  From zone                  : untrust

  Destination addresses      : 220.0.0.6

  Host addresses             : 192.168.1.6

  Netmask                    : 32

  Host routing-instance      : N/A

  Translation hits           : 0

    Successful sessions      : 0

    Failed sessions          : 0

  Number of sessions         : 0

 

Static NAT rule: 3                    Rule-set: static-nat

  Rule-Id                    : 3 

  Rule position              : 3

  From zone                  : untrust

  Destination addresses      : 220.0.0.8

  Host addresses             : 192.168.1.8

  Netmask                    : 32

  Host routing-instance      : N/A

  Translation hits           : 719

    Successful sessions      : 719

    Failed sessions          : 0

  Number of sessions         : 4

 

 

root@SRX-1> show security flow session   

Session ID: 2437, Policy name: self-traffic-policy/1, Timeout: 2, Valid

  In: 220.0.0.2/0 --> 220.0.0.9/34064;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84

  Out: 220.0.0.9/34064 --> 220.0.0.2/0;icmp, If: .local..0, Pkts: 1, Bytes: 84

 

Session ID: 2438, Policy name: rule1/4, Timeout: 2, Valid

  In: 192.168.1.8/1233 --> 220.0.0.2/61201;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84

  Out: 220.0.0.2/61201 --> 220.0.0.8/1233;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84

 

Session ID: 2439, Policy name: self-traffic-policy/1, Timeout: 2, Valid

  In: 220.0.0.2/1 --> 220.0.0.9/34064;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84

  Out: 220.0.0.9/34064 --> 220.0.0.2/1;icmp, If: .local..0, Pkts: 1, Bytes: 84

 

Session ID: 2440, Policy name: rule1/4, Timeout: 2, Valid

  In: 192.168.1.8/1234 --> 220.0.0.2/61201;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84

  Out: 220.0.0.2/61201 --> 220.0.0.8/1234;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84

 

Session ID: 2441, Policy name: self-traffic-policy/1, Timeout: 4, Valid

  In: 220.0.0.2/2 --> 220.0.0.9/34064;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84

  Out: 220.0.0.9/34064 --> 220.0.0.2/2;icmp, If: .local..0, Pkts: 1, Bytes: 84

                                       

Session ID: 2442, Policy name: rule1/4, Timeout: 4, Valid

  In: 192.168.1.8/1235 --> 220.0.0.2/61201;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 84

  Out: 220.0.0.2/61201 --> 220.0.0.8/1235;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84

Total sessions: 6

 

 

非接口子网段NAT实验

set security nat static rule-set static-nat rule 4 match destination-address 111.0.0.8/32

set security nat static rule-set static-nat rule 4 then static-nat prefix 192.168.1.8/32