JUNIPER SRX650 (static NAT uses up a lot of IP addresses):
Example 1:
set security nat static rule-set 1 from zone untrust
set security nat static rule-set 1 rule 198-staticnat match destination-address 113.106.x.x/32
set security nat static rule-set 1 rule 198-staticnat then static-nat prefix 192.168.1.198/32
set security zones security-zone trust address-book address server198 192.168.1.198/32
set security policies from-zone untrust to-zone trust policy s198 match source-address any
set security policies from-zone untrust to-zone trust policy s198 match destination-address server198
set security policies from-zone untrust to-zone trust policy s198 match application any
set security policies from-zone untrust to-zone trust policy s198 then permit
set security nat proxy-arp interface ge-0/0/0.0 address 113.106.x.x/32
Example 2:
set security zones security-zone trust address-book address server198 192.168.1.198/32
NAT:
set security nat static rule-set static-nat from zone untrust
set security nat static rule-set static-nat rule rule1 match destination-address 113.106.95.x
set security nat static rule-set static-nat rule rule1 then static-nat prefix 192.168.1.198
Policy:
set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address server198
set security policies from-zone untrust to-zone trust policy 1 match application any
set security policies from-zone untrust to-zone trust policy 1 then permit
set security nat proxy-arp interface ge-0/0/0.0 address 113.106.95.x/32
How to make telnet to 113.106.95.x port work from the internal network:
Static one-to-one mapping:
set security zones security-zone trust address-book address server198 192.168.1.198/32
NAT:
set security nat static rule-set static-nat from zone untrust
set security nat static rule-set static-nat rule rule1 match destination-address 113.106.95.116
set security nat static rule-set static-nat rule rule1 then static-nat prefix 192.168.1.198
Policy:
set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address server198
set security policies from-zone untrust to-zone trust policy 1 match application any
set security policies from-zone untrust to-zone trust policy 1 then permit
set security nat proxy-arp interface ge-0/0/0.0 address 113.106.95.116/32
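Static NAT is the same concept as the ScreenOS MIP: a static, bidirectional, one-to-one NAT. The configuration above means that traffic to 113.106.95.116 is translated to
192.168.1.198, and when 192.168.1.198 accesses the Internet it is automatically translated to 113.106.95.116. Static NAT also takes precedence over the other NAT types.
Making telnet to 113.106.95.116 port work from the internal network: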
set security nat static rule-set static-nat from zone trust
set security nat source rule-set src-nat rule src then source-nat interface
set security nat source rule-set src-nat rule src match destination-address 192.168.1.198/32
set security nat source rule-set src-nat from zone trust
set security nat source rule-set src-nat to zone trust
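
An added check, not part of the original notes: the policies above permit any source and any application from untrust to the statically NATed server, and every static NAT address is paired with a proxy-arp entry. This Python script flags both conditions in a list of set commands; the function names are hypothetical and the sample uses the constructed address 203.0.113.10 in place of the masked public IP.

```python
import re

# Constructed sample: Example 1 from this page, with 203.0.113.10 (documentation
# range) standing in for the masked public address 113.106.x.x.
SAMPLE = """\
set security nat static rule-set 1 from zone untrust
set security nat static rule-set 1 rule 198-staticnat match destination-address 203.0.113.10/32
set security nat static rule-set 1 rule 198-staticnat then static-nat prefix 192.168.1.198/32
set security zones security-zone trust address-book address server198 192.168.1.198/32
set security policies from-zone untrust to-zone trust policy s198 match source-address any
set security policies from-zone untrust to-zone trust policy s198 match destination-address server198
set security policies from-zone untrust to-zone trust policy s198 match application any
set security policies from-zone untrust to-zone trust policy s198 then permit
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.10/32
"""

POLICY = re.compile(r"set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.+)")
STATIC = re.compile(r"set security nat static rule-set \S+ rule \S+ match destination-address (\S+)")
PARP = re.compile(r"set security nat proxy-arp interface \S+ address (\S+)")

def host(addr):
    """Normalise '1.2.3.4' and '1.2.3.4/32' to the same key."""
    return addr[:-3] if addr.endswith("/32") else addr

def audit(config):
    """Return findings for wide-open untrust policies and static NAT without proxy-arp."""
    policies, static_dst, proxy_arp = {}, set(), set()
    for line in config.splitlines():
        line = line.strip()
        if m := POLICY.fullmatch(line):
            policies.setdefault((m[1], m[2], m[3]), set()).add(f"{m[4]} {m[5]}")
        elif m := STATIC.fullmatch(line):
            static_dst.add(host(m[1]))
        elif m := PARP.fullmatch(line):
            proxy_arp.add(host(m[1]))
    findings = []
    wide = {"match source-address any", "match application any", "then permit"}
    for (src, dst, name), terms in sorted(policies.items()):
        if src == "untrust" and wide <= terms:
            findings.append(f"policy {name}: {src}->{dst} permits any source and any application")
    for addr in sorted(static_dst - proxy_arp):
        findings.append(f"static NAT address {addr}: no proxy-arp entry")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Replacing `match application any` with only the services the server actually offers clears the policy finding.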