当配置route-based IPSec ×××,对应的security tunnel 接口和external 接口在同一个zone时,为了正常的Internet 访问,需要做source nat off。 set security nat source rule-set 002 from zone trust set security nat source rule-set 002 to zone untrust set security nat source rule-set 002 rule 01 match source-address 172.16.0.0/24 set security nat source rule-set 002 rule 01 match destination-address 10.220.0.0/24 set security nat source rule-set 002 rule 01 then source-nat off

正常访问Internet 的配置。 set security nat source rule-set 002 rule 02 match source-address 0.0.0.0/0 set security nat source rule-set 002 rule 02 match destination-address 0.0.0.0/0 set security nat source rule-set 002 rule 02 then source-nat interface set security policies from-zone trust to-zone untrust policy 001 match source-address any set security policies from-zone trust to-zone untrust policy 001 match destination-address any set security policies from-zone trust to-zone untrust policy 001 match application any set security policies from-zone trust to-zone untrust policy 001 then permit

SRX上面做了server 的destination nat,但是在内网客户端需要通过destination nat 的地址去访问服务器, 对于TCP的应用,会有session 回流的情况出现,一般有两种解决办法,1,搭设DNS server,进行正确的解析, 2,将内网访问的客户会话通过source nat 转化为内网接口去访问的会话。 现在讲的第二种,配置如下,两点需要注意,a,destination nat 里面要添加from zone trust; b,需要放行trust to trust 的流量(SRX security policy default 是deny)。

set security nat source rule-set 001 from zone trust set security nat source rule-set 001 to zone trust set security nat source rule-set 001 rule 03 match source-address 172.16.1.0/24 set security nat source rule-set 001 rule 03 match destination-address 172.16.2.0/24 set security nat source rule-set 001 rule 03 then source-nat interface set security nat destination rule-set 001 from zone trust set security policies from-zone trust to-zone trust policy 001 match source-address any set security policies from-zone trust to-zone trust policy 001 match destination-address any set security policies from-zone trust to-zone trust policy 001 match application any set security policies from-zone trust to-zone trust policy 001 then permit

common destination nat 配置:

set security nat destination rule-set 001 from zone untrust set security nat destination pool nfs-app address 172.16.2.100/32 set security nat destination pool nfs-app address port 2049 set security nat destination rule-set 001 from zone trust set security nat destination rule-set 001 from zone untrust set security nat destination rule-set 001 rule 01 match destination-address 202.100.117.209/32 set security nat destination rule-set 001 rule 01 match destination-port 9090 set security nat destination rule-set 001 rule 01 then destination-nat pool nfs-app set security nat destination rule-set 001 rule 02 match destination-address 202.100.117.209/32 set security nat destination rule-set 001 rule 02 match destination-port 9000 set security nat destination rule-set 001 rule 02 then destination-nat pool old-lab set security zones security-zone trust address-book address nfs 172.16.2.100/32 set security policies from-zone untrust to-zone trust policy 001 match source-address any set security policies from-zone untrust to-zone trust policy 001 match destination-address nfs set security policies from-zone untrust to-zone trust policy 001 match application nfs-tcp set security policies from-zone untrust to-zone trust policy 001 match application nfs-udp set security policies from-zone untrust to-zone trust policy 001 then permit set security policies from-zone untrust to-zone trust policy 001 then log session-close set applications application nfs-udp protocol udp set applications application nfs-udp source-port 1-65535 set applications application nfs-udp destination-port 2049 set applications application nfs-tcp protocol tcp set applications application nfs-tcp source-port 1-65535 set applications application nfs-tcp destination-port 2049

有时在进行网络改造的时候,会遇到这种情况; 设备的service 的网关是通过另外的ISP线路和另外设备,server网关不在SRX上,但是需要通过SRX做destination nat让Internet 用户可以访问。 要解决这个其实也很有意思,类似nat回流,需要做个source nat 讲Internet 用户的会话转变为接口的会话。 set security nat source rule-set 003 rule 03 match source-address 0.0.0.0/0 set security nat source rule-set 003 rule 03 match destination-address 172.16.3.100/32 set security nat source rule-set 003 rule 03 then source-nat interface

common destination nat 配置:

set security nat destination pool old-lab address 172.16.3.100/32 set security nat destination pool old-lab address port 22 set security nat destination rule-set 001 rule 02 match destination-port 9000 set security nat destination rule-set 001 rule 02 then destination-nat pool old-lab set security zones security-zone trust address-book address old-lab 172.16.3.100/32 set security policies from-zone untrust to-zone trust policy 002 match source-address any set security policies from-zone untrust to-zone trust policy 002 match destination-address old-lab set security policies from-zone untrust to-zone trust policy 002 match application junos-ssh set security policies from-zone untrust to-zone trust policy 002 then permit set security policies from-zone untrust to-zone trust policy 002 then log session-init

实际中可能还会遇到这种问题: 客户不希望自己的Internet 接口ssh被别人用port 22暴力破解,SRX本身是没有修改ssh port 的功能,这时候就要用到nat, 做过RE-protect 的童鞋应该知道loop back 接口是data plane和control plane 的interface。 我们可以讲untrust接口的ssh关闭,讲loopback 接口的ssh 通过destination nat 转变为Internet 接口的其它port。 同理也可以将http 和https接口做类似的转换。以下是destination nat 部分的配置,policy配置烦请自行补上。 set security nat destination rule-set 001 rule 03 match source-address 0.0.0.0/0 set security nat destination rule-set 001 rule 03 match destination-address 202.100.117.209/32 set security nat destination rule-set 001 rule 03 match destination-port 9099 set security nat destination rule-set 001 rule 03 then destination-nat pool loop-ssh

还有中场景是做IPSec 时由于merge 或是网络规划等问题,出现了地址重合,不管是做policy-based还是routed-based的IPSec 都会遇到一点点的问题,同样可以通过nat 的方式去解决。还有种情况是在托管第三方设备的DC,需要讲同一台server 根据不同的客户,映射为不同的地址,但是在SRX上有一种限制,match 的address 同一个rule 同一个方向,最多只有8个,number of elements exceeds limit of 8,需要怎么做呢?由于时间限制,waiting next...