Juniper SRX Firewall: Destination NAT (Part 1)

Juniper SRX destination NAT


Rule-based destination address translation


An Internet user reaches the internal server 10.1.10.5 through the public address 100.0.0.1.

Single-address, all-port mapping:

Map the public IP 100.0.0.1 to the private IP 10.1.10.5


The configuration consists of a pool and a rule; the configuration below does not enable PAT.



Destination NAT with address pool:


The following configuration enables PAT:

Port 80 of the public IP 100.0.0.1 is mapped to port 8080 of the private IP 10.1.10.5.

 

On NETSCREEN this feature is called VIP.

 

Rule-based NAT

Proxy ARP, so that the SRX answers ARP requests for 222.0.0.5 on ge-0/0/0.0 (an address that is not configured on the interface itself):

set security nat proxy-arp interface ge-0/0/0.0 address 222.0.0.5/32

A pool with a fixed port (PAT) and a pool without a port (the original destination port is kept):

set security nat destination pool pool-1-8_8080 address 192.168.1.8/32
set security nat destination pool pool-1-8_8080 address port 8080

set security nat destination pool pool-1-8 address 192.168.1.8/32

Rule-set for traffic from the untrust zone: port 80 of 222.0.0.5 goes to 192.168.1.8:8080, and all traffic to 111.0.0.8 goes to 192.168.1.8 with the port unchanged:

set security nat destination rule-set dst-nat-rule from zone untrust
set security nat destination rule-set dst-nat-rule rule rule13-30_80 match destination-address 222.0.0.5/32
set security nat destination rule-set dst-nat-rule rule rule13-30_80 match destination-port 80
set security nat destination rule-set dst-nat-rule rule rule13-30_80 then destination-nat pool pool-1-8_8080

set security nat destination rule-set dst-nat-rule rule rule111_8 match destination-address 111.0.0.8/32
set security nat destination rule-set dst-nat-rule rule rule111_8 then destination-nat pool pool-1-8

Can a single rule match multiple ports or a port range?

One pool and one rule per port, generated with a shell loop; each iteration prints the set commands for one port (the rule-set's "from zone" clause is assumed to be configured separately):

# generate a destination NAT pool and rule for every port from 15100 to 15200
for i in {15100..15200}
do
echo "
set security nat destination pool VOIP_$i address 10.10.10.10/32
set security nat destination pool VOIP_$i address port $i
set security nat destination rule-set SET_1 rule VOIP_$i match source-address 0.0.0.0/0
set security nat destination rule-set SET_1 rule VOIP_$i match destination-address 74.125.225.179/32
set security nat destination rule-set SET_1 rule VOIP_$i match destination-port $i
set security nat destination rule-set SET_1 rule VOIP_$i then destination-nat pool VOIP_$i
"
done


Multiple external ports mapped to one internal port

A rule can match a destination-port range, while the pool still holds a single port:

set security nat destination pool test3 address 192.168.1.8/32
set security nat destination pool test3 address port 8081

set security nat destination rule-set dst-nat-rule rule 12 match destination-address 222.0.0.8/32
set security nat destination rule-set dst-nat-rule rule 12 match destination-port 8080 to 8081
set security nat destination rule-set dst-nat-rule rule 12 then destination-nat pool test3


Summary of port-level translation types

In the current release a pool does not support a port range.
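As an added example (not code from the original post), a small Python generator for the per-port pool-and-rule pattern used in the shell loop above: because a pool holds a single port, every external port gets its own pool and rule, and because rules in a rule-set are matched top-down with the first hit winning, the generator refuses a mapping that an earlier catch-all rule on the same public IP would shadow. The mapping values, pool and rule names are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class DnatMapping:
    public_ip: str
    public_port: Optional[int]   # None: match every port (IP-level NAT, no PAT)
    private_ip: str
    private_port: Optional[int]  # None: keep the original port; else PAT to it

def pool_name(m: DnatMapping) -> str:
    # one pool per (private IP, private port): a pool holds a single port, not a range
    tail = f"_{m.private_port}" if m.private_port is not None else ""
    return f"pool-{m.private_ip.replace('.', '-')}{tail}"

def rule_name(m: DnatMapping) -> str:
    tail = f"_{m.public_port}" if m.public_port is not None else "_any"
    return f"rule-{m.public_ip.replace('.', '-')}{tail}"

def shadowed_index(mappings: List[DnatMapping]) -> Optional[int]:
    # rules match top-down, first hit wins: a rule whose public IP and port (or all
    # ports) an earlier rule already covers can never be hit; return its index
    seen = set()
    for i, m in enumerate(mappings):
        if (m.public_ip, None) in seen or (m.public_ip, m.public_port) in seen:
            return i
        seen.add((m.public_ip, m.public_port))
    return None

def junos_dnat_config(rule_set, from_zone, mappings, proxy_arp_iface=None):
    """Return the Junos 'set' commands as a list of strings; rules keep list order."""
    if shadowed_index(mappings) is not None:
        raise ValueError(f"mapping {shadowed_index(mappings)} is shadowed by an earlier rule")
    lines = []
    if proxy_arp_iface:  # the SRX must answer ARP for public IPs not configured on it
        for ip in sorted({m.public_ip for m in mappings}):
            lines.append(f"set security nat proxy-arp interface {proxy_arp_iface} address {ip}/32")
    for pool in dict.fromkeys(pool_name(m) for m in mappings):  # unique, in order
        m = next(x for x in mappings if pool_name(x) == pool)
        lines.append(f"set security nat destination pool {pool} address {m.private_ip}/32")
        if m.private_port is not None:
            lines.append(f"set security nat destination pool {pool} address port {m.private_port}")
    lines.append(f"set security nat destination rule-set {rule_set} from zone {from_zone}")
    for m in mappings:
        rule = f"set security nat destination rule-set {rule_set} rule {rule_name(m)}"
        lines.append(f"{rule} match destination-address {m.public_ip}/32")
        if m.public_port is not None:
            lines.append(f"{rule} match destination-port {m.public_port}")
        lines.append(f"{rule} then destination-nat pool {pool_name(m)}")
    return lines
```

Feeding the two mappings from the configuration above (222.0.0.5:80 to 192.168.1.8:8080 and 111.0.0.8 to 192.168.1.8) reproduces the proxy-arp, pool and rule-set commands in the order the SRX needs them.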


Verifying the function

show security nat destination summary
show security nat destination pool poolXXX
show security nat destination rule rulexxx

show security flow session


View the NAT mappings and their hit counts

View the address pool configuration and hits


Rule-based destination address translation

Checking the NAT and PAT results

user@host> show security flow session

You can see that for the port-based mapping the internal and external ports differ!

For the IP-level mapping, the address is translated as a whole and the port stays the same.

user@host> show security nat destination pool all

Verify the hit counts once more


Reposted from blog.51cto.com/wbyyy/2480768