set security nat proxy-arp interface ge-0/0/2 address 100.1.1.10 to 100.1.1.20
上述配置表示从trust方向(any)到untrust方向(any)访问时提供源地址转换,源地址池为pool1(100.1.1.10 -100.1.1.20),同时ge-0/0/2接口为此pool IP提供ARP代理。需要注意的是:定义Pool时不需要与Zone及接口进行关联。配置proxy-arp目的是让返回包能够送达SRX,如果Pool与出接口IP不在同一子网,则对端设备需要配置指向100.1.1.1的Pool地址路由。 Policy:
set security policies from-zone trust to-zone untrust policy 1 match source-address 10.1.1.2 set security policies from-zone trust to-zone untrust policy 1 match destination-address any set security policies from-zone trust to-zone untrust policy 1 match application any set security policies from-zone trust to-zone untrust policy 1 then permit
上述配置定义Policy策略,允许Trust zone 10.1.2.2地址访问Untrust方向任何地址,根据前面的NAT配置,SRX在建立session时自动执行源地址转换。
2.3.3 Pool base destination NAT
NAT:
set security nat destination pool 111 address 192.168.1.100/32 set security nat destination rule-set 1 from zone untrust
set security nat destination rule-set 1 rule 111 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 111 match destination-address 100.100.100.100/32
第 11 页 共 23 页
set security nat destination rule-set 1 rule 111 then destination-nat pool 111
上述配置将外网any访问100.100.100.100地址映射到内网192.168.1.100地址,注意:定义的Dst Pool是内网真实IP地址,而不是映射前的公网地址。这点和Src-NAT Pool有所区别。 Policy:
set security policies from-zone trust to-zone untrust policy 1 match source-address any
set security policies from-zone trust to-zone untrust policy 1 match destination-address 192.168.1.100
set security policies from-zone trust to-zone untrust policy 1 match application any set security policies from-zone trust to-zone untrust policy 1 then permit
上述配置定义Policy策略,允许Untrust方向任何地址访问Trust方向192.168.1.100,根据前面的NAT配置,公网访问100.100.100.100时,SRX自动执行到192.168.1.100的目的地址转换。 ScreenOS VIP功能对应的SRX Dst-nat配置:
set security nat destination pool 222 address 192.168.1.200/32 port 8000 set security nat destination rule-set 1 from zone untrust
set security nat destination rule-set 1 rule 111 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 111 match destination-address 100.100.100.100/32 set security nat destination rule-set 1 rule 111 match destination-port 8000 set security nat destination rule-set 1 rule 111 then destination-nat pool 222
上述NAT配置定义:访问100.100.100.100地址8000端口映射至192.168.1.200地址8000端口,功能与ScreenOS VIP端口映射一致。
2.3.4 Pool base Static NAT
第 12 页 共 23 页
NAT:
set security nat static rule-set static-nat from zone untrust
set security nat static rule-set static-nat rule rule1 match destination-address 100.100.100.100 set security nat static rule-set static-nat rule rule1 then static-nat prefix 192.168.1.200 Policy:
set security policies from-zone trust to-zone untrust policy 1 match source-address any
set security policies from-zone trust to-zone untrust policy 1 match destination-address 192.168.1.200
set security policies from-zone trust to-zone untrust policy 1 match application any set security policies from-zone trust to-zone untrust policy 1 then permit
Static NAT概念与ScreenOS MIP一致,属于静态双向一对一NAT,上述配置表示访问100.100.100.100时转换为192.168.1.200,当192.168.1.200访问Internet时自动转换为100.100.100.100。
2.4 IPSEC VPN
SRX IPSEC VPN支持Site-to-Site VPN 和基于NS-remote的拨号VPN,和ScreenOS一样,site-to-site VPN也支持路由模式和Policy模式,在配置方面也和ScreenOS基本一致。SRX中的加密/验证算法在命名上和ScreenOS存在一些区别,配置过程中建议选择ike和ipsec的proposal为 standard模式,standard中包含SRX支持的全部加密/验证算法,只要对端设备支持其中任何一种即可。SRX中通道接口使用st0接口,对应ScreenOS中的tunnel虚拟接口。
第 13 页 共 23 页
下面是图中左侧SRX基于路由方式Site-to-site VPN配置: set interfaces st0 unit 0 family inet address 10.2.0.1/24 set security zones security-zone untrust interfaces st0.0 set routing-options static route 10.1.2.0/24 next-hop st0.0 定义st0 tunnel接口地址/Zone及通过VPN通道到对端网络路由 set security ike policy ABC mode main
set security ike policy ABC proposal-set standard
set security ike policy ABC pre-shared-key ascii-text juniper
定义IKE Phase1 policy参数,main mode,standard proposal及预共享密钥方式 set security ike gateway gw1 ike-policy ABC set security ike gateway gw1 address 10.0.2.1
set security ike gateway gw1 external-interface ge-0/0/1.0
定义IKE gaeway参数,预共享密钥认证,对端网关10.0.2.1,出接口ge-0/0/1(位于untrust zone) set security ipsec policy AAA proposal-set standard set security ipsec vpn vpn1 bind-interface st0.0 set security ipsec vpn vpn1 ike gateway gw1 set security ipsec vpn vpn1 ike ipsec-policy AAA set security ipsec vpn vpn1 establish-tunnels immediately
第 14 页 共 23 页
定义ipsec Phase 2 VPN参数:standard proposal、与st0.0接口绑定,调用Phase 1 gw1 ike网关。 set security policies from-zone untrust to-zone trust policy vpn-policy match source-address any set security policies from-zone untrust to-zone trust policy vpn-policy match destination-address any
set security policies from-zone untrust to-zone trust policy vpn-policy match application any set security policies from-zone untrust to-zone trust policy vpn-policy then permit
set security policies from-zone trust to-zone untrust policy vpn-policy match source-address any set security policies from-zone trust to-zone untrust policy vpn-policy match destination-address any
set security policies from-zone trust to-zone untrust policy vpn-policy match application any set security policies from-zone trust to-zone untrust policy vpn-policy then permit 开启双向policy以允许VPN流量通过
2.5 Application and ALG
SRX中自定义服务及ALG使用方法与ScreenOS保持一致,系统缺省开启FTP ALG,为TCP 21服务提供FTP应用ALG。自定义服务如果属于FTP类应用,需要将此自定义服务(非TCP 21端口)与FTP应用进行关联。下面举例定义一个FTP类服务ftp-test,使用目的端口为TCP 2100,服务超时时间为3600秒,并将此自定义服务与FTP应用关联(ALG),系统将识别此服务为FTP应用并开启FTP ALG来处理该应用流量。
set applications application ftp-test protocol tcp destination-port 2100 inactivity-timeout 3600 set applications application ftp-test application-protocol ftp
2.6 JSRP
JSRP是Juniper SRX的私有HA协议,对应ScreenOS的NSRP双机集群协议,支持A/P和A/A模式,JSRP对ScreenOS NSRP协议和JUNOS Cluster集群技术进行了整合集成,熟悉NSRP协议有助于对JSRP协议的理解。JSRP和NSRP最大的区别在于JSRP是完全意义上的Cluster概念,两台设备完全当作一台设备来看待,两台设备的接口板卡顺序编号、运维变更将对两台设
第 15 页 共 23 页
百度搜索“yundocx”或“云文档网”即可找到本站免费阅读全部范文。收藏本站方便下次阅读,云文档网,提供经典综合文库Juniper SRX防火墙配置手册-命令行模式在线全文阅读。
最新更新:
