第一部分:介绍Juniper SRX NAT
网络地址转换(NAT) 是用于修改或转换数据包包头中的网络地址信息的一种方法。可转换数据包中的源和/或目标地址。NAT 中可包含端口号及IP 地址的转换。
NAT类型:
1、source NAT:a、基于Interface的source NATb、基于pool的source NAT2、destination NAT3、static NATNAT规则:
NAT 类型决定NAT 规则的处理顺序。流的第一个数据包处理期间,将按照以下顺序应用NAT 规则:下图显示NAT规则的处理顺序
NAT规则集:
在NAT中rule set决定所有流量的方向,而rule set里面又包含有多个rule。一旦rule set 发现到有匹配的流量后,rule set 里面每个rule都会开始进行匹配计算,之后rule会为匹配的流量指定动作;而在不同类型的NAT中,rule set能匹配的条件是不一样的规则集为信息流指定一组常规匹配条件。对于静态NAT 和目标NAT,规则集指定以下项之一:
Source interface, source zone, or source routing instance

root@Juniper-vSRX# set security nat destination rule-set dst-nat from ?
Possible completions:

root@Juniper-vSRX# set security nat static rule-set static-nat from ?
Possible completions:

For source NAT rule sets, both a source and a destination condition are configured:
• Source interface, zone, or routing instance
• Destination interface, zone, or routing instance

root@Juniper-vSRX# set security nat source rule-set src-nat from ?
Possible completions:

root@Juniper-vSRX# set security nat source rule-set src-nat to ?
Possible completions:

A packet can match more than one rule set; in that case, the rule set whose match conditions are more specific is used. An interface match is considered more specific than a zone match, which in turn is more specific than a routing-instance match.

If a packet matches both a destination NAT rule set that specifies a source zone and a destination NAT rule set that specifies a source interface, the rule set that specifies the source interface is the more specific match.

Source NAT rule-set matching is more involved, because a source NAT rule set specifies both a source and a destination condition. If a packet matches more than one source NAT rule set, the rule set is chosen according to the following source/destination conditions, in order of priority:
The figure below shows the priority of NAT rule sets.
[Figure: NAT rule-set priority; not reproduced here]
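The selection rule described above, as an added Python model (this is not code from the original post or from Juniper): candidate rule sets are filtered by their "from" condition (and, for source NAT, their "to" condition), then ranked with interface above zone above routing instance. For source NAT the model ranks the source condition first and uses the destination condition to break ties, which is the order of the nine source/destination combinations in the Junos documentation. The `Packet` and `RuleSet` classes and the treatment of two equally specific rule sets as a configuration error are assumptions of this model.

```python
from dataclasses import dataclass
from typing import List, Optional

# Specificity ordering stated in the text: interface > zone > routing-instance.
SPECIFICITY = {"interface": 3, "zone": 2, "routing-instance": 1}


@dataclass(frozen=True)
class Packet:
    """Ingress and egress context of the first packet of a flow (constructed)."""
    in_interface: str
    in_zone: str
    in_ri: str
    out_interface: str
    out_zone: str
    out_ri: str


@dataclass(frozen=True)
class RuleSet:
    """A rule set's 'from' condition and, for source NAT only, its 'to' condition."""
    name: str
    from_kind: str                 # "interface" | "zone" | "routing-instance"
    from_value: str
    to_kind: Optional[str] = None  # None for static and destination NAT rule sets
    to_value: Optional[str] = None


_ATTR = {"interface": "interface", "zone": "zone", "routing-instance": "ri"}


def _condition_matches(kind: str, value: str, pkt: Packet, side: str) -> bool:
    return getattr(pkt, f"{side}_{_ATTR[kind]}") == value


def rule_set_matches(rs: RuleSet, pkt: Packet) -> bool:
    if not _condition_matches(rs.from_kind, rs.from_value, pkt, "in"):
        return False
    if rs.to_kind is None:
        return True
    return _condition_matches(rs.to_kind, rs.to_value, pkt, "out")


def rank(rs: RuleSet) -> tuple:
    # Source condition dominates; the destination condition only breaks ties.
    # Static/destination rule sets have no 'to' condition and rank 0 there.
    return (SPECIFICITY[rs.from_kind], SPECIFICITY.get(rs.to_kind, 0))


def select_rule_set(rule_sets: List[RuleSet], pkt: Packet) -> Optional[RuleSet]:
    """Return the most specific matching rule set, or None if nothing matches.
    Assumption of this model: two matching rule sets with identical condition
    kinds are reported as ambiguous rather than silently picking one."""
    candidates = [rs for rs in rule_sets if rule_set_matches(rs, pkt)]
    if not candidates:
        return None
    best = max(candidates, key=rank)
    ties = [rs for rs in candidates if rank(rs) == rank(best)]
    if len(ties) > 1:
        raise ValueError(f"ambiguous rule sets: {[rs.name for rs in ties]}")
    return best


if __name__ == "__main__":
    pkt = Packet("ge-0/0/1.0", "trust", "default", "ge-0/0/0.0", "untrust", "default")
    sets = [
        RuleSet("by-zone", "zone", "trust", "interface", "ge-0/0/0.0"),
        RuleSet("by-if", "interface", "ge-0/0/1.0", "zone", "untrust"),
    ]
    print(select_rule_set(sets, pkt).name)  # source interface beats source zone
```

Because ranking is done per packet context, the same set of rule sets can resolve differently for traffic entering on another interface, which is exactly why the text insists that the most specific match, not configuration order, decides.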
Part 2: Source NAT

1.1 Interface-based source NAT
When the internal network (trust zone) accesses the Internet (untrust zone), 192.168.100.0/24 is translated to 202.5.5.1, the IP address of the SRX's ge-0/0/0 interface, on its way out to the Internet.

a. Configure interface-based source NAT

set security nat source rule-set src-nat from zone trust
set security nat source rule-set src-nat to zone untrust
set security nat source rule-set src-nat rule 1 match source-address 192.168.100.0/24
set security nat source rule-set src-nat rule 1 match destination-address 0.0.0.0/0
set security nat source rule-set src-nat rule 1 then source-nat interface

b. Enable logging

set system syslog file nat-log any any
set system syslog file nat-log match RT_FLOW_SESSION

c. Define the address book and configure a policy that allows 192.168.100.0/24 to access the Internet, with logging.

set security zones security-zone trust address-book address 192.168.100.0/24 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy 1 match source-address 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit
set security policies from-zone trust to-zone untrust policy 1 then log session-init
set security policies from-zone trust to-zone untrust policy 1 then log session-close

d. View status

(1) View the log (NAT translation entries)

root@Juniper-vSRX> show log nat-log
Apr 7 14:33:05 Juniper-vSRX clear-log[3384]: logfile cleared
Apr 7 14:33:16 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.100.10/60608->202.5.5.2/80 junos-http 202.5.5.1/26735->202.5.5.2/80 source rule 1 N/A N/A 6 1 trust untrust 13198 N/A(N/A) ge-0/0/1.0 UNKNOWN UNKNOWN UNKNOWN
Apr 7 14:33:23 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.168.100.10/60608->202.5.5.2/80 junos-http 202.5.5.1/26735->202.5.5.2/80 source rule 1 N/A N/A 6 1 trust untrust 13198 15(615) 10(526) 8 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/1.0 UNKNOWN
root@Juniper-vSRX>

(2) View the flow session

root@Juniper-vSRX> show security flow session
Session ID: 13238, Policy name: 1/9, Timeout: 294, Valid
  In: 192.168.100.10/60608 --> 202.5.5.2/80;tcp, If: ge-0/0/1.0, Pkts: 3, Bytes: 124
  Out: 202.5.5.2/80 --> 202.5.5.1/26735;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 44
Total sessions: 1

(3) View the NAT source rule

root@Juniper-vSRX> show security nat source rule all
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0
source NAT rule: 1                     Rule-set: src-i-nat
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : trust
  To zone                    : untrust
  Match
    Source addresses         : 192.168.100.0 - 192.168.100.255
    Destination addresses    : 0.0.0.0 - 255.255.255.255
  Action                     : interface
    Persistent NAT type      : N/A
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout       : 0
    Max session number       : 0
  Translation hits           : 3045
    Successful sessions      : 3045
    Failed sessions          : 0
  Number of sessions         : 0

1.2 Pool-based source NAT
When the internal network (trust zone) accesses the Internet (untrust zone), 192.168.100.0/24 is translated to the addresses 202.66.30.1-6 on its way out to the Internet.

a. Configure pool-based source NAT

set security nat source pool nat-pool address 202.66.30.1/32 to 202.66.30.6/32
set security nat source rule-set src-p-nat from zone trust
set security nat source rule-set src-p-nat to zone untrust
set security nat source rule-set src-p-nat rule 1 match source-address 192.168.100.0/24
set security nat source rule-set src-p-nat rule 1 match destination-address 0.0.0.0/0
set security nat source rule-set src-p-nat rule 1 then source-nat pool nat-pool
set security nat proxy-arp interface ge-0/0/0.0 address 202.66.30.1/32 to 202.66.30.6/32   // Note: if the translated addresses are not in the same subnet as the untrust interface address, nat proxy-arp must be configured

b. Enable logging

set system syslog file nat-log any any
set system syslog file nat-log match RT_FLOW_SESSION

c. Define the address book and configure a policy that allows 192.168.100.0/24 to access the Internet, with logging.

set security zones security-zone trust address-book address 192.168.100.0/24 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy 1 match source-address 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit
set security policies from-zone trust to-zone untrust policy 1 then log session-init
set security policies from-zone trust to-zone untrust policy 1 then log session-close

d. View NAT status

(1) View the log (NAT translation entries)

root@Juniper-vSRX> show log nat-log
Apr 7 14:16:13 Juniper-vSRX clear-log[3319]: logfile cleared
Apr 7 14:16:51 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.100.10/51074->202.5.5.2/23 junos-telnet 202.66.30.3/1907->202.5.5.2/23 source rule 1 N/A N/A 6 1 trust untrust 13187 N/A(N/A) ge-0/0/1.0 UNKNOWN UNKNOWN UNKNOWN
Apr 7 14:16:55 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.168.100.10/51074->202.5.5.2/23 junos-telnet 202.66.30.3/1907->202.5.5.2/23 source rule 1 N/A N/A 6 1 trust untrust 13187 12(512) 7(333) 4 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/1.0 UNKNOWN

(2) View the flow session

root@Juniper-vSRX> show security flow session
Session ID: 13245, Policy name: 1/9, Timeout: 8, Valid
  In: 192.168.100.10/51074 --> 202.5.5.2/23;tcp, If: ge-0/0/1.0, Pkts: 3, Bytes: 132
  Out: 202.5.5.2/23 --> 202.66.30.3/1907;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 44
Total sessions: 1

(3) View the NAT source rule

root@Juniper-vSRX> show security nat source rule all
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0
source NAT rule: 1                     Rule-set: src-p-nat
  Rule-Id                    : 2
  Rule position              : 1
  From zone                  : trust
  To zone                    : untrust
  Match
    Source addresses         : 192.168.100.0 - 192.168.100.255
    Destination addresses    : 0.0.0.0 - 255.255.255.255
  Action                     : nat-pool
    Persistent NAT type      : N/A
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout       : 0
    Max session number       : 0
  Translation hits           : 1100
    Successful sessions      : 1100
    Failed sessions          : 0
  Number of sessions         : 0

Part 3: Destination NAT
An internal web server is published to the outside: 210.5.5.1:8080 is mapped to 192.168.100.10:80.

a. Configure destination NAT

set security nat destination pool dst-nat-pool1 address 192.168.100.10/32
set security nat destination pool dst-nat-pool1 address port 80
set security nat destination rule-set 1 from zone untrust
set security nat destination rule-set 1 rule dst-nat-rule1 match destination-address 202.5.5.1/32
set security nat destination rule-set 1 rule dst-nat-rule1 match destination-port 8080
set security nat destination rule-set 1 rule dst-nat-rule1 match protocol tcp
set security nat destination rule-set 1 rule dst-nat-rule1 then destination-nat pool dst-nat-pool1

b. Enable logging

set system syslog file nat-log any any
set system syslog file nat-log match RT_FLOW_SESSION

c. Define the address book and configure a policy that allows port 80 of 192.168.100.10/30 to be reached, with logging.

set security zones security-zone trust address-book address 192.168.100.0/24 192.168.100.0/24
set security zones security-zone trust address-book address 192.168.100.10/32 192.168.100.10/32   // the untrust-to-trust policy references this address-book entry by name, so it must be defined
set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address 192.168.100.10/32
set security policies from-zone untrust to-zone trust policy 1 match application junos-http
set security policies from-zone untrust to-zone trust policy 1 then permit
set security policies from-zone untrust to-zone trust policy 1 then log session-init
set security policies from-zone untrust to-zone trust policy 1 then log session-close

d. View NAT status

(1) View the log (NAT translation entries)

root@Juniper-vSRX> show log nat-log
Apr 7 15:28:43 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 202.5.5.2/13634->202.5.5.1/8080 junos-http 202.5.5.2/13634->192.168.100.10/80 N/A N/A destination rule dst-nat-rule1 6 1 untrust trust 13213 N/A(N/A) ge-0/0/0.0 UNKNOWN UNKNOWN UNKNOWN
Apr 7 15:29:31 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 202.5.5.2/13634->202.5.5.1/8080 junos-http 202.5.5.2/13634->192.168.100.10/80 N/A N/A destination rule dst-nat-rule1 6 1 untrust trust 13213 9(369) 6(366) 49 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN

(2) View the flow session

root@Juniper-vSRX> show security flow session
Session ID: 13213, Policy name: 1/6, Timeout: 290, Valid
  In: 202.5.5.2/13634 --> 202.5.5.1/8080;tcp, If: ge-0/0/0.0, Pkts: 3, Bytes: 124
  Out: 192.168.100.10/80 --> 202.5.5.2/13634;tcp, If: ge-0/0/1.0, Pkts: 1, Bytes: 44
Total sessions: 1

(3) View the NAT destination rule

root@Juniper-vSRX> show security nat destination rule all
Total destination-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 1/0
Destination NAT rule: dst-nat-rule1        Rule-set: 1
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : untrust
  Destination addresses      : 202.5.5.1 - 202.5.5.1
  Destination port           : 8080 - 8080
  IP protocol                : tcp
  Action                     : dst-nat-pool1
  Translation hits           : 7
    Successful sessions      : 3
    Failed sessions          : 4
  Number of sessions         : 1

Part 4: Static NAT
Static NAT provides a one-to-one mapping. Static NAT never performs PAT (ports are left untouched), and it does not require a pool.
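To make the difference between Part 3 and Part 4 concrete, here is an added Python model of the two behaviours (not code from the original post or from Juniper). Destination NAT matches one direction on destination address, port and protocol and rewrites both address and port from the pool; static NAT maps an external prefix to an internal prefix, applies in both directions, and never changes a port. The model goes one step beyond the /32 case in the text: it maps any pair of equal-length prefixes host-by-host, which is how a prefix static NAT rule behaves. The `Flow` class and the rule dictionaries are assumptions of this model; the addresses are the ones used in Parts 3 and 4. Only first-packet rule lookup is modelled; the reverse packets of an established session are handled by session state on the real device, not by a rule.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Flow:
    """First packet of a flow (constructed); addresses as dotted strings."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    from_zone: str
    to_zone: str


# Destination NAT as in Part 3: one direction only, matched on destination
# address, port and protocol; the pool rewrites both address and port.
DST_NAT = {
    "from_zone": "untrust",
    "match": ("202.5.5.1", 8080, "tcp"),
    "pool": ("192.168.100.10", 80),
}

# Static NAT as in Part 4: external prefix <-> internal prefix, applied in both
# directions, addresses only (ports are never touched).
STATIC_NAT = {
    "from_zone": "untrust",
    "external": "202.5.5.253/32",
    "internal": "192.168.100.10/32",
}


def apply_destination_nat(flow: Flow, rule=DST_NAT) -> Flow:
    """Rewrite the destination if the flow enters from the rule set's zone and
    hits the configured address/port/protocol; otherwise leave it alone."""
    if flow.from_zone != rule["from_zone"]:
        return flow
    if (flow.dst, flow.dport, flow.proto) != rule["match"]:
        return flow
    addr, port = rule["pool"]
    return replace(flow, dst=addr, dport=port)


def _shift(addr: str, from_net, to_net) -> str:
    """Map addr to the same host offset inside to_net (one-to-one over the prefix)."""
    offset = int(ipaddress.ip_address(addr)) - int(from_net.network_address)
    return str(to_net.network_address + offset)


def apply_static_nat(flow: Flow, rule=STATIC_NAT) -> Flow:
    """Bidirectional one-to-one mapping with no port translation."""
    ext = ipaddress.ip_network(rule["external"])
    inn = ipaddress.ip_network(rule["internal"])
    if ext.prefixlen != inn.prefixlen:
        raise ValueError("static NAT prefixes must have the same length")
    # Inbound: from the rule set's zone towards the external prefix -> rewrite destination.
    if flow.from_zone == rule["from_zone"] and ipaddress.ip_address(flow.dst) in ext:
        return replace(flow, dst=_shift(flow.dst, ext, inn))
    # Reverse: towards that zone from the internal prefix -> rewrite source, same port.
    if flow.to_zone == rule["from_zone"] and ipaddress.ip_address(flow.src) in inn:
        return replace(flow, src=_shift(flow.src, inn, ext))
    return flow


if __name__ == "__main__":
    inbound = Flow("202.5.5.2", 13604, "202.5.5.253", 80, "tcp", "untrust", "trust")
    outbound = Flow("192.168.100.10", 59188, "202.5.5.2", 23, "tcp", "trust", "untrust")
    print(apply_static_nat(inbound))   # dst becomes 192.168.100.10, port stays 80
    print(apply_static_nat(outbound))  # src becomes 202.5.5.253, port stays 59188
```

The practical consequence for the policies in Part 4 is visible in the model: because the static rule rewrites outbound sources as well, the internal host is reachable from and can reach the untrust zone through the same public address, so both the trust-to-untrust and the untrust-to-trust policy are needed, whereas the destination NAT of Part 3 only ever needs the inbound policy.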
If traffic comes from the untrust zone and its destination address is 202.5.5.253, the destination address is rewritten to 192.168.100.10; conversely, if traffic goes to the untrust zone and its source address is 192.168.100.10, the source address is rewritten to 202.5.5.253.

a. Configure static NAT

set security nat static rule-set static-nat from zone untrust
set security nat static rule-set static-nat rule 1 match destination-address 202.5.5.253/32
set security nat static rule-set static-nat rule 1 then static-nat prefix 192.168.100.10/32
set security nat proxy-arp interface ge-0/0/0.0 address 202.5.5.253/32

b. Enable logging

set system syslog file nat-log any any
set system syslog file nat-log match RT_FLOW_SESSION

c. Define the address book and configure policies that allow 192.168.100.10/30 both to initiate and to receive connections, with logging.

set security zones security-zone trust address-book address 192.168.100.0/24 192.168.100.0/24
set security zones security-zone trust address-book address 192.168.100.10/32 192.168.100.10/32   // the untrust-to-trust policy references this address-book entry by name, so it must be defined
set security policies from-zone trust to-zone untrust policy 1 match source-address 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit
set security policies from-zone trust to-zone untrust policy 1 then log session-init
set security policies from-zone trust to-zone untrust policy 1 then log session-close
set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address 192.168.100.10/32
set security policies from-zone untrust to-zone trust policy 1 match application any
set security policies from-zone untrust to-zone trust policy 1 then permit
set security policies from-zone untrust to-zone trust policy 1 then log session-init
set security policies from-zone untrust to-zone trust policy 1 then log session-close

d. View NAT information

(1) View the log (NAT translation entries)

root@Juniper-vSRX> show log nat-log
Apr 7 17:14:03 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.100.10/59188->202.5.5.2/23 junos-telnet 202.5.5.253/59188->202.5.5.2/23 static rule 1 N/A N/A 6 1 trust untrust 13235 N/A(N/A) ge-0/0/1.0 UNKNOWN UNKNOWN UNKNOWN
Apr 7 17:14:19 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 202.5.5.2/13604->202.5.5.253/80 junos-http 202.5.5.2/13604->192.168.100.10/80 N/A N/A static rule 1 6 1 untrust trust 13236 N/A(N/A) ge-0/0/0.0 UNKNOWN UNKNOWN UNKNOWN
Apr 7 17:14:47 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.168.100.10/59188->202.5.5.2/23 junos-telnet 202.5.5.253/59188->202.5.5.2/23 static rule 1 N/A N/A 6 1 trust untrust 13235 24(1001) 19(850) 45 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/1.0 UNKNOWN
Apr 7 17:14:51 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 202.5.5.2/13604->202.5.5.253/80 junos-http 202.5.5.2/13604->192.168.100.10/80 N/A N/A static rule 1 6 1 untrust trust 13236 9(369) 6(366) 33 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN

(2) View the flow sessions

root@Juniper-vSRX> show security flow session
Session ID: 13235, Policy name: 1/9, Timeout: 1780, Valid
  In: 192.168.100.10/59188 --> 202.5.5.2/23;tcp, If: ge-0/0/1.0, Pkts: 15, Bytes: 635
  Out: 202.5.5.2/23 --> 202.5.5.253/59188;tcp, If: ge-0/0/0.0, Pkts: 11, Bytes: 518
Session ID: 13236, Policy name: 1/6, Timeout: 294, Valid
  In: 202.5.5.2/13604 --> 202.5.5.253/80;tcp, If: ge-0/0/0.0, Pkts: 3, Bytes: 124
  Out: 192.168.100.10/80 --> 202.5.5.2/13604;tcp, If: ge-0/0/1.0, Pkts: 1, Bytes: 44
Total sessions: 2

(3) View the NAT static rule

root@Juniper-vSRX> show security nat static rule all
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0
Static NAT rule: 1                     Rule-set: static-nat
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : untrust
  Destination addresses      : 202.5.5.253
  Host addresses             : 192.168.100.10
  Netmask                    : 32
  Host routing-instance      : N/A
  Translation hits           : 5
    Successful sessions      : 5
    Failed sessions          : 0
  Number of sessions         : 0

Reposted from: https://blog.51cto.com/zoran/2095309
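The RT_FLOW_SESSION_CREATE and RT_FLOW_SESSION_CLOSE lines shown in Parts 2, 3 and 4 all follow one text layout: original source/port->destination/port, the service, the translated source/port->destination/port, the source-NAT rule, the destination-NAT rule, the protocol number, the policy, the from-zone, the to-zone and the session ID, with CLOSE lines adding packets(bytes) in each direction and the elapsed seconds. The following added Python parser (not code from the original post or from Juniper) extracts those fields, derives which half of the tuple the SRX rewrote and under which NAT kind, and runs two defender-side checks over the collected lines: a rewrite with no rule named, and a port change under a static rule, which Part 4 states must never happen. The sample lines are copied from the outputs above; the anomaly line is constructed here.

```python
import re
from typing import List, Optional, Tuple

# Session lines copied from the show log nat-log outputs in Parts 2-4.
SAMPLE_LINES = [
    "Apr 7 14:33:16 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.100.10/60608->202.5.5.2/80 junos-http 202.5.5.1/26735->202.5.5.2/80 source rule 1 N/A N/A 6 1 trust untrust 13198 N/A(N/A) ge-0/0/1.0 UNKNOWN UNKNOWN UNKNOWN",
    "Apr 7 14:33:23 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.168.100.10/60608->202.5.5.2/80 junos-http 202.5.5.1/26735->202.5.5.2/80 source rule 1 N/A N/A 6 1 trust untrust 13198 15(615) 10(526) 8 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/1.0 UNKNOWN",
    "Apr 7 15:28:43 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 202.5.5.2/13634->202.5.5.1/8080 junos-http 202.5.5.2/13634->192.168.100.10/80 N/A N/A destination rule dst-nat-rule1 6 1 untrust trust 13213 N/A(N/A) ge-0/0/0.0 UNKNOWN UNKNOWN UNKNOWN",
    "Apr 7 17:14:03 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.100.10/59188->202.5.5.2/23 junos-telnet 202.5.5.253/59188->202.5.5.2/23 static rule 1 N/A N/A 6 1 trust untrust 13235 N/A(N/A) ge-0/0/1.0 UNKNOWN UNKNOWN UNKNOWN",
    "Apr 7 17:14:19 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 202.5.5.2/13604->202.5.5.253/80 junos-http 202.5.5.2/13604->192.168.100.10/80 N/A N/A static rule 1 6 1 untrust trust 13236 N/A(N/A) ge-0/0/0.0 UNKNOWN UNKNOWN UNKNOWN",
]
# Constructed anomaly (not from the post): a static-NAT session whose source port moved.
ANOMALY_LINE = "Apr 7 17:20:00 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.100.10/59188->202.5.5.2/23 junos-telnet 202.5.5.253/40000->202.5.5.2/23 static rule 1 N/A N/A 6 1 trust untrust 13299 N/A(N/A) ge-0/0/1.0 UNKNOWN UNKNOWN UNKNOWN"

# Each NAT rule field is two tokens ("N/A N/A") or "<kind> rule <name>".
_SESSION_RE = re.compile(
    r"RT_FLOW_SESSION_(?P<event>CREATE|CLOSE): session (?:created|closed)"
    r"(?: (?P<reason>[^:]+):)? "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) (?P<service>\S+) "
    r"(?P<nsrc>[\d.]+)/(?P<nsport>\d+)->(?P<ndst>[\d.]+)/(?P<ndport>\d+) "
    r"(?P<srule>N/A N/A|(?:source|static) rule \S+) "
    r"(?P<drule>N/A N/A|(?:destination|static) rule \S+) "
    r"(?P<proto>\d+) (?P<policy>\S+) (?P<szone>\S+) (?P<dzone>\S+) (?P<sid>\d+)"
    r"(?: (?P<in_pkts>\d+)\((?P<in_bytes>\d+)\) (?P<out_pkts>\d+)\((?P<out_bytes>\d+)\) (?P<elapsed>\d+))?"
)


def parse_session(line: str) -> Optional[dict]:
    """Return the parsed fields of one session line, or None for other log lines."""
    m = _SESSION_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    # Which half of the 5-tuple was rewritten, derived by comparing the two tuples.
    changes = []
    if (d["src"], d["sport"]) != (d["nsrc"], d["nsport"]):
        changes.append("source")
    if (d["dst"], d["dport"]) != (d["ndst"], d["ndport"]):
        changes.append("destination")
    d["changes"] = changes
    # NAT kind from the rule fields; a static rule can appear in either slot,
    # as the two static-NAT lines in Part 4 show.
    if d["srule"].startswith("static") or d["drule"].startswith("static"):
        d["nat_kind"] = "static"
    elif d["srule"] != "N/A N/A":
        d["nat_kind"] = "source"
    elif d["drule"] != "N/A N/A":
        d["nat_kind"] = "destination"
    else:
        d["nat_kind"] = "none"
    for key in ("in_pkts", "in_bytes", "out_pkts", "out_bytes", "elapsed"):
        if d[key] is not None:
            d[key] = int(d[key])
    return d


def audit(lines: List[str]) -> List[Tuple[str, str]]:
    """Flag (session id, reason) for sessions that contradict the rules above."""
    findings = []
    for line in lines:
        s = parse_session(line)
        if s is None:
            continue
        if s["changes"] and s["nat_kind"] == "none":
            findings.append((s["sid"], "tuple rewritten but no NAT rule named"))
        if s["nat_kind"] == "static" and (s["sport"] != s["nsport"] or s["dport"] != s["ndport"]):
            findings.append((s["sid"], "port changed under static NAT"))
    return findings


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        s = parse_session(line)
        print(s["event"], s["sid"], s["nat_kind"], s["changes"], s["srule"], s["drule"])
    print(audit(SAMPLE_LINES + [ANOMALY_LINE]))
```

Feeding the file written by `set system syslog file nat-log match RT_FLOW_SESSION` through `audit` gives a cheap consistency check between what the NAT rules are supposed to do and what the flow engine actually recorded; the CLOSE lines additionally carry the byte counts that the `show security flow session` output only shows while the session is alive.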