当配置route-based IPSec ***,对应的security tunnel 接口和external 接口在同一个zone时,为了正常的Internet 访问,需要做source nat off。
set security nat source rule-set 002 from zone trust
set security nat source rule-set 002 to zone untrust
set security nat source rule-set 002 rule 01 match source-address 172.16.0.0/24
set security nat source rule-set 002 rule 01 match destination-address 10.220.0.0/24
set security nat source rule-set 002 rule 01 then source-nat off
正常访问Internet 的配置。
set security nat source rule-set 002 rule 02 match source-address 0.0.0.0/0
set security nat source rule-set 002 rule 02 match destination-address 0.0.0.0/0
set security nat source rule-set 002 rule 02 then source-nat interface
set security policies from-zone trust to-zone untrust policy 001 match source-address any
set security policies from-zone trust to-zone untrust policy 001 match destination-address any
set security policies from-zone trust to-zone untrust policy 001 match application any
set security policies from-zone trust to-zone untrust policy 001 then permit
SRX上面做了server 的destination nat,但是在内网客户端需要通过destination nat 的地址去访问服务器,
对于TCP的应用,会有session 回流的情况出现,一般有两种解决办法,1,搭设DNS server,进行正确的解析,
2,将内网访问的客户会话通过source nat 转化为内网接口去访问的会话。
现在讲的第二种,配置如下,两点需要注意,a,destination nat 里面要添加from zone trust;
b,需要放行trust to trust 的流量(SRX security policy default 是deny)。
set security nat source rule-set 001 from zone trust
set security nat source rule-set 001 to zone trust
set security nat source rule-set 001 rule 03 match source-address 172.16.1.0/24
set security nat source rule-set 001 rule 03 match destination-address 172.16.2.0/24
set security nat source rule-set 001 rule 03 then source-nat interface
set security nat destination rule-set 001 from zone trust
set security policies from-zone trust to-zone trust policy 001 match source-address any
set security policies from-zone trust to-zone trust policy 001 match destination-address any
set security policies from-zone trust to-zone trust policy 001 match application any
set security policies from-zone trust to-zone trust policy 001 then permit
common destination nat 配置:
set security nat destination rule-set 001 from zone untrust
set security nat destination pool nfs-app address 172.16.2.100/32
set security nat destination pool nfs-app address port 2049
set security nat destination rule-set 001 from zone trust
set security nat destination rule-set 001 from zone untrust
set security nat destination rule-set 001 rule 01 match destination-address 202.100.117.209/32
set security nat destination rule-set 001 rule 01 match destination-port 9090
set security nat destination rule-set 001 rule 01 then destination-nat pool nfs-app
set security nat destination rule-set 001 rule 02 match destination-address 202.100.117.209/32
set security nat destination rule-set 001 rule 02 match destination-port 9000
set security nat destination rule-set 001 rule 02 then destination-nat pool old-lab
set security zones security-zone trust address-book address nfs 172.16.2.100/32
set security policies from-zone untrust to-zone trust policy 001 match source-address any
set security policies from-zone untrust to-zone trust policy 001 match destination-address nfs
set security policies from-zone untrust to-zone trust policy 001 match application nfs-tcp
set security policies from-zone untrust to-zone trust policy 001 match application nfs-udp
set security policies from-zone untrust to-zone trust policy 001 then permit
set security policies from-zone untrust to-zone trust policy 001 then log session-close
set applications application nfs-udp protocol udp
set applications application nfs-udp source-port 1-65535
set applications application nfs-udp destination-port 2049
set applications application nfs-tcp protocol tcp
set applications application nfs-tcp source-port 1-65535
set applications application nfs-tcp destination-port 2049
有时在进行网络改造的时候,会遇到这种情况;
设备的service 的网关是通过另外的ISP线路和另外设备,server网关不在SRX上,但是需要通过SRX做destination nat让Internet 用户可以访问。
要解决这个其实也很有意思,类似nat回流,需要做个source nat 讲Internet 用户的会话转变为接口的会话。
set security nat source rule-set 003 rule 03 match source-address 0.0.0.0/0
set security nat source rule-set 003 rule 03 match destination-address 172.16.3.100/32
set security nat source rule-set 003 rule 03 then source-nat interface
common destination nat 配置:
set security nat destination pool old-lab address 172.16.3.100/32
set security nat destination pool old-lab address port 22
set security nat destination rule-set 001 rule 02 match destination-port 9000
set security nat destination rule-set 001 rule 02 then destination-nat pool old-lab
set security zones security-zone trust address-book address old-lab 172.16.3.100/32
set security policies from-zone untrust to-zone trust policy 002 match source-address any
set security policies from-zone untrust to-zone trust policy 002 match destination-address old-lab
set security policies from-zone untrust to-zone trust policy 002 match application junos-ssh
set security policies from-zone untrust to-zone trust policy 002 then permit
set security policies from-zone untrust to-zone trust policy 002 then log session-init
实际中可能还会遇到这种问题:
客户不希望自己的Internet 接口ssh被别人用port 22暴力破解,SRX本身是没有修改ssh port 的功能,这时候就要用到nat,
做过RE-protect 的童鞋应该知道loop back 接口是data plane和control plane 的interface。
我们可以讲untrust接口的ssh关闭,讲loopback 接口的ssh 通过destination nat 转变为Internet 接口的其它port。
同理也可以将http 和https接口做类似的转换。以下是destination nat 部分的配置,policy配置烦请自行补上。
set security nat destination rule-set 001 rule 03 match source-address 0.0.0.0/0
set security nat destination rule-set 001 rule 03 match destination-address 202.100.117.209/32
set security nat destination rule-set 001 rule 03 match destination-port 9099
set security nat destination rule-set 001 rule 03 then destination-nat pool loop-ssh
还有中场景是做IPSec 时由于merge 或是网络规划等问题,出现了地址重合,不管是做policy-based还是routed-based的IPSec 都会遇到一点点的问题,同样可以通过nat 的方式去解决。还有种情况是在托管第三方设备的DC,需要讲同一台server 根据不同的客户,映射为不同的地址,但是在SRX上有一种限制,match 的address 同一个rule 同一个方向,最多只有8个,number of elements exceeds limit of 8,需要怎么做呢?由于时间限制,waiting next...