網絡設備:
Juniper SRX系列防火牆
網絡拓撲:
問題描述:
在實現Destination NAT的時候,如果需要從內網訪問映射後的公網地址,默認會有一些問題,在內網可以ping 通映射地址,但是不能訪問服務;
問題分析:
[edit security]
set zones security-zone trust address-book address server-2 192.168.1.200/32
[edit security policies from-zone untrust to-zone trust]
set policy server-access match source-address any destination-address server-2 application any
set policy server-access then permit
[edit security nat destination]
set pool dst-nat-pool-2 address 192.168.1.200 port 8000
set rule-set rs1 from zone untrust
set rule-set rs1 rule r2 match destination-address 1.1.1.101
set rule-set rs1 rule r2 match destination-port 80
set rule-set rs1 rule r2 then destination-nat pool dst-nat-pool-2
[edit security nat]
set proxy-arp interface ge-0/0/2.0 address 1.1.1.101
一般的我們如上配置完設備後,外網用戶便可以訪問映射地址了,但是如果內網用戶訪問會有問題,不能通過1.1.1.101訪問服務;
原因是內部地址訪問1.1.1.101的時候,防火牆不做地址轉換,將內網地址路由給目的服務器,服務器會看到這個地址,回包的時候直接把數據包回給這個內網地址,TCP形成一個半連接,故服務不能訪問。
解決辦法:
來自信任區域的訪問也做一次destination nat,需要添加以下命令;
[edit security nat destination]
set rule-set rs1 from zone trust
set rule-set rs1 rule r2 match destination-address 1.1.1.101
set rule-set rs1 rule r2 match destination-port 80
set rule-set rs1 rule r2 then destination-nat pool dst-nat-pool-2