How to set up a VIP (destination NAT) for an application on a Juniper SRX (suggestions welcome, thanks)

VIP: 10.10.0.202 port 80 <- 218.17.153.234 port 28000

Internal target: 10.10.0.202/24, port 8000. Public address: 218.17.153.234/32, port 28000.

Destination NAT (VIP)

The rule-set is bound to the zone the traffic arrives from (the outside zone), the pool points at the internal host and port, and the rule translates anything arriving for the public address and port into that pool:

set security nat destination rule-set untrust-trust-202 from zone untrust
set security nat destination pool source-8000 address 10.10.0.202/32
set security nat destination pool source-8000 address port 8000
set security nat destination rule-set untrust-trust-202 rule 8000 match destination-address 218.17.153.234/32
set security nat destination rule-set untrust-trust-202 rule 8000 match destination-port 28000
set security nat destination rule-set untrust-trust-202 rule 8000 then destination-nat pool source-8000

Security policy permitting the VIP traffic

Destination NAT happens before policy lookup, so the policy matches the translated (internal) address and port. The application name, its destination-port and the policy name must agree with each other; the 8040 example further down follows the same pattern:

set applications application tcp-8000 protocol tcp
set applications application tcp-8000 destination-port 8000
set security zones security-zone Inside address-book address 10.10.0.202/32 10.10.0.202/32
set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8000 match source-address any
set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8000 match destination-address 10.10.0.202/32
set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8000 match application tcp-8000
set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8000 then permit

Policies are evaluated in order, so move the new policy ahead of the existing dy-vpn policy before committing:

insert security policies from-zone Ten-10M-CDMA to-zone Inside policy 8000 before policy dy-vpn
commit

[edit]

lvxuede@SRX34O-A# show | display set | match 8040        (view the earlier, working configuration)

set security nat destination pool source-8040 address 10.10.0.205/32
set security nat destination pool source-8040 address port 8040
set security nat destination rule-set untrust-trust-8081 rule 8081 match destination-port 28040
set security nat destination rule-set untrust-trust-8081 rule 8081 then destination-nat pool source-8040
set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8040 match source-address any
set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8040 match destination-address 10.10.0.205/32
set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8040 match application tcp-8040
set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8040 then permit
set applications application tcp-8040 protocol tcp
set applications application tcp-8040 destination-port 8040

Where it went wrong: two lines were missing from the committed configuration. Comparing against the working 8040 entry (show | display set | match 8040) showed that the pool had no port and the application had no destination-port, so the translated traffic never matched the policy:

set security nat destination pool source-8000 address port 8000

set applications application tcp-8000 destination-port 8000    (using the rule-set and rule 8000 configured earlier)
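To catch this kind of omission before commit, here is an added Python example (not from the original post) that builds the complete command set for one VIP from the post's naming pattern and reports which lines are absent from a `show | display set` dump; it is run against the post's 8040 output and assumes the 8040 VIP shares the public address 218.17.153.234 with the 8000 one.

```python
"""Build the Junos 'set' commands for one SRX destination-NAT (VIP) and report
which are absent from a 'show | display set' dump. Added example, not from the
original post; names follow the post (pool source-<port>, tcp-<port>, policy <port>)."""
import re

def vip_set_commands(inside_ip, inside_port, public_ip, public_port, rule_set,
                     rule, from_zone="Ten-10M-CDMA", to_zone="Inside"):
    # Every name derives from inside_port, so the pool port and the
    # application destination-port (the two lines lost in the post) stay paired.
    pool, app, pol = f"source-{inside_port}", f"tcp-{inside_port}", str(inside_port)
    nat = f"set security nat destination rule-set {rule_set}"
    policy = f"set security policies from-zone {from_zone} to-zone {to_zone} policy {pol}"
    return [
        f"set security nat destination pool {pool} address {inside_ip}/32",
        f"set security nat destination pool {pool} address port {inside_port}",
        f"{nat} from zone untrust",
        f"{nat} rule {rule} match destination-address {public_ip}/32",
        f"{nat} rule {rule} match destination-port {public_port}",
        f"{nat} rule {rule} then destination-nat pool {pool}",
        f"set applications application {app} protocol tcp",
        f"set applications application {app} destination-port {inside_port}",
        f"set security zones security-zone {to_zone} address-book address {inside_ip}/32 {inside_ip}/32",
        f"{policy} match source-address any",
        f"{policy} match destination-address {inside_ip}/32",
        f"{policy} match application {app}",
        f"{policy} then permit",
    ]

def missing_vip_commands(display_set_output, expected):
    # Normalise whitespace so indented or wrapped CLI output still matches.
    norm = lambda s: re.sub(r"\s+", " ", s.strip())
    present = {norm(line) for line in display_set_output.splitlines()}
    return [c for c in expected if norm(c) not in present]

# The post's 'show | display set | match 8040' output, one command per line.
DUMP_8040 = """\
set security nat destination pool source-8040 address 10.10.0.205/32
set security nat destination pool source-8040 address port 8040
set security nat destination rule-set untrust-trust-8081 rule 8081 match destination-port 28040
set security nat destination rule-set untrust-trust-8081 rule 8081 then destination-nat pool source-8040
set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8040 match source-address any
set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8040 match destination-address 10.10.0.205/32
set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8040 match application tcp-8040
set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8040 then permit
set applications application tcp-8040 protocol tcp
set applications application tcp-8040 destination-port 8040"""
# Assumption: the 8040 VIP uses the same public address as the 8000 VIP.
EXPECTED_8040 = vip_set_commands("10.10.0.205", 8040, "218.17.153.234", 28040,
                                 "untrust-trust-8081", "8081")
```

Run against the filtered dump, the check reports the rule-set `from zone`, the rule's `match destination-address` and the address-book entry as missing: `match 8040` hides the first and last of these because they do not contain the port, so verify against the full `show | display set` output rather than a port-filtered one.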


Reposted from www.cnblogs.com/lvxuede/p/9550182.html