Juniper SRX Destination NAT
Rule-based destination address translation
Internet users reach the internal server 10.1.10.5 through the public address 100.0.0.1
Full single-address mapping (no port translation):
The public IP 100.0.0.1 is mapped to the private IP 10.1.10.5
The mapping is built from a pool and a rule; the following configuration does not enable PAT
Destination NAT with address pool:
The following configuration enables PAT:
The public IP and port 100.0.0.1:80 are mapped to the private IP and port 10.1.10.5:8080
That is, the configuration enables PAT, mapping port 80 of 100.0.0.1 to port 8080 of 10.1.10.5
In NetScreen (ScreenOS) this function is called VIP
Rule-based NAT
set security nat proxy-arp interface ge-0/0/0.0 address 222.0.0.5/32
set security nat destination pool pool-1-8_8080 address 192.168.1.8/32
set security nat destination pool pool-1-8_8080 address port 8080
set security nat destination pool pool-1-8 address 192.168.1.8/32
set security nat destination rule-set dst-nat-rule from zone untrust
set security nat destination rule-set dst-nat-rule rule rule13-30_80 match destination-address 222.0.0.5/32
set security nat destination rule-set dst-nat-rule rule rule13-30_80 match destination-port 80
set security nat destination rule-set dst-nat-rule rule rule13-30_80 then destination-nat pool pool-1-8_8080
set security nat destination rule-set dst-nat-rule rule rule111_8 match destination-address 111.0.0.8/32
set security nat destination rule-set dst-nat-rule rule rule111_8 then destination-nat pool pool-1-8
Can the same rule match multiple ports or a port range?
# A pool takes a single address and a single port, so generate one pool and one rule per port (15100-15200)
for i in {15100..15200}
do
echo "
set security nat destination pool VOIP_$i address 10.10.10.10/32
set security nat destination pool VOIP_$i address port $i
set security nat destination rule-set SET_1 rule VOIP_$i match source-address 0.0.0.0/0
set security nat destination rule-set SET_1 rule VOIP_$i match destination-address 74.125.225.179/32
set security nat destination rule-set SET_1 rule VOIP_$i match destination-port $i
set security nat destination rule-set SET_1 rule VOIP_$i then destination-nat pool VOIP_$i
"
done
Multiple external ports mapped to one internal port
set security nat destination pool test3 address 192.168.1.8/32
set security nat destination pool test3 address port 8081
set security nat destination rule-set dst-nat-rule rule 12 match destination-address 222.0.0.8/32
set security nat destination rule-set dst-nat-rule rule 12 match destination-port 8080 to 8081
set security nat destination rule-set dst-nat-rule rule 12 then destination-nat pool test3
Summary of port-level translation types
In the current version a pool does not support a port range (a rule match does, via "destination-port X to Y")
Functional verification
show security nat destination summary
show security nat destination pool poolXXX
show security nat destination rule rulexxx
show security flow session
View the hit count for each NAT rule
View the hit count for each address pool
Rule-based destination address translation
Checking the NAT and PAT results
user@host> show security flow session
The session output shows that the external and internal ports differ, so the port translation took effect.
IP-level full address translation
user@host> show security nat destination pool all
The pool hit counter confirms again that the rule was matched.