Practical Juniper SRX NAT tips.

When configuring a route-based IPsec ***, if the corresponding secure tunnel (st) interface and the external interface are in the same zone, a source-nat off rule for the tunnel traffic is needed so that normal Internet access keeps working.
set security nat source rule-set 002 from zone trust
set security nat source rule-set 002 to zone untrust
set security nat source rule-set 002 rule 01 match source-address 172.16.0.0/24
set security nat source rule-set 002 rule 01 match destination-address 10.220.0.0/24
set security nat source rule-set 002 rule 01 then source-nat off

Configuration for normal Internet access.
set security nat source rule-set 002 rule 02 match source-address 0.0.0.0/0
set security nat source rule-set 002 rule 02 match destination-address 0.0.0.0/0
set security nat source rule-set 002 rule 02 then source-nat interface
set security policies from-zone trust to-zone untrust policy 001 match source-address any
set security policies from-zone trust to-zone untrust policy 001 match destination-address any
set security policies from-zone trust to-zone untrust policy 001 match application any
set security policies from-zone trust to-zone untrust policy 001 then permit

When a destination NAT for a server is configured on the SRX but clients on the internal network need to reach the server through the destination-NAT address, TCP applications run into the session hairpin problem. There are generally two solutions: 1. set up a DNS server that resolves the name correctly; 2. source-NAT the internal clients' sessions so that they appear to come from the internal interface. The second one is described here, with the configuration below. Two points need attention: a) the destination NAT rule-set must also include from zone trust; b) trust-to-trust traffic must be permitted (the SRX security policy default is deny).

set security nat source rule-set 001 from zone trust
set security nat source rule-set 001 to zone trust
set security nat source rule-set 001 rule 03 match source-address 172.16.1.0/24
set security nat source rule-set 001 rule 03 match destination-address 172.16.2.0/24
set security nat source rule-set 001 rule 03 then source-nat interface
set security nat destination rule-set 001 from zone trust
set security policies from-zone trust to-zone trust policy 001 match source-address any
set security policies from-zone trust to-zone trust policy 001 match destination-address any
set security policies from-zone trust to-zone trust policy 001 match application any
set security policies from-zone trust to-zone trust policy 001 then permit

Common destination NAT configuration:

set security nat destination pool nfs-app address 172.16.2.100/32
set security nat destination pool nfs-app address port 2049
set security nat destination rule-set 001 from zone trust
set security nat destination rule-set 001 from zone untrust
set security nat destination rule-set 001 rule 01 match destination-address 202.100.117.209/32
set security nat destination rule-set 001 rule 01 match destination-port 9090
set security nat destination rule-set 001 rule 01 then destination-nat pool nfs-app
set security nat destination rule-set 001 rule 02 match destination-address 202.100.117.209/32
set security nat destination rule-set 001 rule 02 match destination-port 9000
set security nat destination rule-set 001 rule 02 then destination-nat pool old-lab
set security zones security-zone trust address-book address nfs 172.16.2.100/32
set security policies from-zone untrust to-zone trust policy 001 match source-address any
set security policies from-zone untrust to-zone trust policy 001 match destination-address nfs
set security policies from-zone untrust to-zone trust policy 001 match application nfs-tcp
set security policies from-zone untrust to-zone trust policy 001 match application nfs-udp
set security policies from-zone untrust to-zone trust policy 001 then permit
set security policies from-zone untrust to-zone trust policy 001 then log session-close
set applications application nfs-udp protocol udp
set applications application nfs-udp source-port 1-65535
set applications application nfs-udp destination-port 2049
set applications application nfs-tcp protocol tcp
set applications application nfs-tcp source-port 1-65535
set applications application nfs-tcp destination-port 2049
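To make the two points above concrete (in rule-set 002 the source-nat off rule must sit before the catch-all interface rule, and the hairpin case needs from zone trust on the destination rule-set plus a trust-to-trust policy), here is an added Python model of the SRX first-packet path; it is written for this post and is not part of the original. The NAT rules are the ones listed above; the routes, zone layout and policy pairs are constructed assumptions.

```python
import ipaddress as ip

N, A = ip.ip_network, ip.ip_address

# Constructed topology (assumption): 172.16.0.0/16 is in zone trust; 10.220.0.0/24 is
# reached over st0, which shares zone untrust with the Internet interface; all other
# destinations route to the Internet. First match wins, so the default route is last.
ROUTES = [(N("172.16.0.0/16"), "trust"), (N("10.220.0.0/24"), "untrust"),
          (N("0.0.0.0/0"), "untrust")]

# Destination NAT rule-set 001, rule 01 from the post: pool nfs-app, from zones trust+untrust.
DST_NAT_FROM = {"trust", "untrust"}
DST_NAT_RULES = [(N("202.100.117.209/32"), 9090, A("172.16.2.100"), 2049)]

# Source NAT rule-sets from the post. Each list is in configured order: the SRX evaluates
# the rules of the selected rule-set top-down and applies the first match.
SRC_NAT = {
    ("trust", "untrust"): [(N("172.16.0.0/24"), N("10.220.0.0/24"), "off"),      # rule 01
                           (N("0.0.0.0/0"), N("0.0.0.0/0"), "interface")],       # rule 02
    ("trust", "trust"): [(N("172.16.1.0/24"), N("172.16.2.0/24"), "interface")],  # rule 03
}
# Zone pairs that have a permit policy; trust->trust is included because the post adds it.
POLICY_PAIRS = {("trust", "untrust"), ("trust", "trust"), ("untrust", "trust")}

def zone_of(addr):
    return next(zone for net, zone in ROUTES if addr in net)

def first_packet(src, dst, dport, src_nat=SRC_NAT, dst_nat_from=DST_NAT_FROM,
                 policy_pairs=POLICY_PAIRS):
    """Model of the SRX first-packet path: destination NAT, then route lookup for the
    to-zone, then policy, then source NAT. Source NAT rules see the translated dst."""
    src, dst = A(src), A(dst)
    from_zone = zone_of(src)
    if from_zone in dst_nat_from:                      # rule-set applies to this ingress zone
        for m_net, m_port, new_dst, new_port in DST_NAT_RULES:
            if dst in m_net and dport == m_port:
                dst, dport = new_dst, new_port
                break
    to_zone = zone_of(dst)                             # route lookup on the translated dst
    permitted = (from_zone, to_zone) in policy_pairs   # SRX default is deny
    action = "none"
    for s_net, d_net, act in src_nat.get((from_zone, to_zone), []):
        if src in s_net and dst in d_net:
            action = act
            break
    return {"from": from_zone, "to": to_zone, "dst": str(dst), "dport": dport,
            "permitted": permitted, "src_nat": action}

if __name__ == "__main__":
    print(first_packet("172.16.0.5", "10.220.0.7", 443))          # tunnel traffic: src_nat off
    print(first_packet("172.16.1.10", "202.100.117.209", 9090))   # hairpin: 172.16.2.100:2049
```

Swapping the order of rule 01 and rule 02 in the trust-to-untrust list makes the tunnel traffic hit the catch-all and get interface-NATed, which is exactly the breakage the first tip avoids.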

Sometimes during a network migration you run into this situation: the server's gateway is on another ISP line and another device, so the server's gateway is not on the SRX, yet Internet users still need to reach the server through a destination NAT on the SRX. Solving this is actually quite interesting and resembles NAT hairpinning: a source NAT is needed that turns the Internet users' sessions into sessions sourced from the SRX interface address.
set security nat source rule-set 003 rule 03 match source-address 0.0.0.0/0
set security nat source rule-set 003 rule 03 match destination-address 172.16.3.100/32
set security nat source rule-set 003 rule 03 then source-nat interface

Common destination NAT configuration:

set security nat destination pool old-lab address 172.16.3.100/32
set security nat destination pool old-lab address port 22
set security nat destination rule-set 001 rule 02 match destination-port 9000
set security nat destination rule-set 001 rule 02 then destination-nat pool old-lab
set security zones security-zone trust address-book address old-lab 172.16.3.100/32
set security policies from-zone untrust to-zone trust policy 002 match source-address any
set security policies from-zone untrust to-zone trust policy 002 match destination-address old-lab
set security policies from-zone untrust to-zone trust policy 002 match application junos-ssh
set security policies from-zone untrust to-zone trust policy 002 then permit
set security policies from-zone untrust to-zone trust policy 002 then log session-init

In practice you may also run into this problem: the customer does not want the SSH service on their Internet interface to be brute-forced on port 22, and the SRX itself has no option to change the SSH port, so NAT is used for this. Anyone who has done RE-protect knows that the loopback interface is the interface between the data plane and the control plane. We can disable SSH on the untrust interface and, with destination NAT, expose the loopback interface's SSH on another port of the Internet interface. HTTP and HTTPS can be translated the same way. Below is the destination NAT part of the configuration; please add the policy configuration yourself.
set security nat destination rule-set 001 rule 03 match source-address 0.0.0.0/0
set security nat destination rule-set 001 rule 03 match destination-address 202.100.117.209/32
set security nat destination rule-set 001 rule 03 match destination-port 9099
set security nat destination rule-set 001 rule 03 then destination-nat pool loop-ssh

There is one more scenario: when building IPsec, a merger or network planning issues can produce overlapping addresses, and both policy-based and route-based IPsec then run into some problems, which can likewise be solved with NAT. Another case is a data center hosting third-party equipment, where the same server needs to be mapped to different addresses for different customers, but the SRX has a limit here: within one rule, in one direction, a match address can have at most 8 entries (number of elements exceeds limit of 8). How to handle that? Due to time constraints, waiting next...
