3-NAT

#NAT types
#NAT has an order of precedence
static is evaluated first ---> then destination ---> then source
#1.source nat
1.1 interface nat
In practice this just translates the internal address to the address of the external egress interface.
202.100.100.2-------202.100.100.1---juniper----192.168.100.1----192.168.100.2
When an inside host accesses 202.100.100.2, the source address 192.168.100.2 is translated to the egress interface address 202.100.100.1.

eddy# edit security nat source rule-set NAT-Policy 

[edit security nat source rule-set NAT-Policy]
eddy# set from zone Inside     

[edit security nat source rule-set NAT-Policy]
eddy# set to zone Outside 

[edit security nat source rule-set NAT-Policy]
eddy# edit rule inside-outside-interface-NAT 

[edit security nat source rule-set NAT-Policy rule inside-outside-interface-NAT]
eddy# set match source-address?  
Possible completions:
+ source-address       Source address
+ source-address-name  Address/address-set from address book
[edit security nat source rule-set NAT-Policy rule inside-outside-interface-NAT]
eddy# set match source-address 192.168.100.0/24 

[edit security nat source rule-set NAT-Policy rule inside-outside-interface-NAT]
eddy# set match destination-address 202.100.100.0/24 

[edit security nat source rule-set NAT-Policy rule inside-outside-interface-NAT]
eddy# set then source-nat interface 

[edit security]
eddy# show 
nat {
    source {
        rule-set NAT-Policy {
            from zone Inside;
            to zone Outside;
            rule inside-outside-interface-NAT {
                match {
                    source-address 192.168.100.0/24;
                    destination-address 202.100.100.0/24;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
    }
}
A note here: the address fields can also take an address set, and ports can also be specified.
eddy# run show security flow session                                     
Session ID: 43, Policy name: Permit-All/4, Timeout: 1796, Valid
  In: 192.168.100.2/54540 --> 202.100.100.2/22;tcp, If: ge-0/0/0.0, Pkts: 15, Bytes: 2105
  Out: 202.100.100.2/22 --> 202.100.100.1/28488;tcp, If: ge-0/0/1.0, Pkts: 13, Bytes: 2809
Total sessions: 1

You can see that the session from 192.168.100.2 leaves the Juniper with its source address rewritten to 202.100.100.1.
destination-address can also be left unset.

1.2 address pool
First define the pool:
source {
    pool nat-pool {
        address {
            202.100.100.101/32 to 202.100.100.103/32;
        }
    }
}

Next define proxy-arp:
proxy-arp {
    interface ge-0/0/0.0 {              
        address {
            202.100.100.101/32 to 202.100.100.103/32;
        }
    }
}

Finally add the rule:
[edit security nat]
eddy# edit source rule-set NAT-Policy 

[edit security nat source rule-set NAT-Policy]
eddy# set rule inside1-outside-addreess-Pools 

[edit security nat source rule-set NAT-Policy]
eddy# edit rule inside1-outside-addreess-Pools   

[edit security nat source rule-set NAT-Policy rule inside1-outside-addreess-Pools]
eddy# set match source-address 192.168.100.0/24 

[edit security nat source rule-set NAT-Policy rule inside1-outside-addreess-Pools]
eddy# set then source-nat pool nat-pool 

[edit security nat source rule-set NAT-Policy]
eddy# show 
from zone Inside;
to zone Outside;
rule inside1-outside-addreess-Pools {
    match {
        source-address 192.168.100.0/24;
    }
    then {
        source-nat {
            pool {
                nat-pool;
            }
        }
    }
}
rule inside-outside-interface-NAT {
    match {
        source-address 192.168.100.0/24;
        destination-address 202.100.100.0/24;
    }
    then {
        source-nat {
            interface;
        }
    }                                   
}

Note that within the same NAT rule-set the rule higher up is matched first. To change the order:
eddy# insert security nat source rule-set NAT-Policy rule \
inside1-outside-addreess-Pools before rule inside-outside-interface-NAT
Using an address pool for source NAT is not recommended, because it cycles through the IPs in the pool.
If you do use one, add the following in the pool:
port no-translation
overflow-pool interface

To disable port randomization, in the pool:
port-randomization disable

Under the NAT pool, for persistent NAT:
persistent-nat
permit target-host-port

Source NAT mainly solves the problem of inside hosts reaching the Internet.

#2.destination nat
2.1 Define the destination translation
eddy# show security nat destination 
pool inside-22 {
    address 192.168.100.2/32 port 22;
}
rule-set Outside-to-Inside-Des-NAT {
    from zone Outside;
    rule Inside-Node1-22 {
        match {
            source-address 0.0.0.0/0;
            destination-address 202.100.100.1/32;
            destination-port {
                2222;
            }
        }
        then {
            destination-nat {
                pool {
                    inside-22;
                }
            }
        }
    }
}
This translates traffic destined to port 2222 on 202.100.100.1/32 to port 22 on 192.168.100.2.
From the outside host's point of view, only the destination address is translated.

2.2 proxy-arp
[edit security nat proxy-arp]
eddy# set interface ge-0/0/0.0 address 202.100.100.1/32 

2.3 policy
First define the address-book entries:
eddy# show zones security-zone Inside 
address-book {
    address inside-all 192.168.100.0/24;
    address inside-node-1 192.168.100.2/32;
}

Then in the policy:

[edit security policies from-zone Outside to-zone Inside policy Pemit-Inside-22]
eddy# show 
match {
    source-address any;
    destination-address inside-node-1;
    application junos-ssh;
}
then {
    permit;
}
Note that the destination address and destination port in the policy are the real (internal) ones, not the translated (public) ones.



#3.static nat
Static NAT is evaluated with the highest priority.
It translates addresses in both directions, inbound and outbound.

3.1
[edit security nat static rule-set static-nat]
root# 
[edit security nat static rule-set static-nat]
root# set from zone Outside 
root# edit rule 1to1     

[edit security nat static rule-set static-nat rule 1to1]
root#
[edit security nat static rule-set static-nat rule 1to1]
root# set match destination-address 202.100.100.150/32 

[edit security nat static rule-set static-nat rule 1to1]
root# set then static-nat prefix 192.168.100.21/32
[edit security nat static]
root# show 
rule-set static-nat {
    from zone Outside;
    rule 1to1 {
        match {
            destination-address 202.100.100.150/32;
        }
        then {
            static-nat {
                prefix {
                    192.168.100.21/32;
                }
            }
        }
    }
}
Note that a security policy must also permit the traffic here:
policies {
    from-zone Inside to-zone Outside {
        policy default-permit {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
This opens everything from inside to outside.

    from-zone Outside to-zone Inside {
        policy ssh-22 {
            match {
                source-address any;
                destination-address web_21;
                application junos-ssh;
            }
            then {
                permit;
            }
        }
        policy web-8000 {
            match {
                source-address any;
                destination-address web_21;
                application TCP_8000;
            }
            then {
                permit;
            }
        }
        policy web-8080 {
            match {
                source-address any;
                destination-address web_21;
                application TCP_8080;
            }
            then {
                permit;
            }
        }
    }
}
Outside-to-inside is configured per requirement.

Also, in a real deployment you need to add routes:
set routing-options static route .....
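To tie the three NAT types together, here is an added example (not from the original post and not Juniper code) that models the first-packet order the post describes, using the post's own addresses and rule names: static NAT, then destination NAT, then the security policy matched on the translated destination, then the top-down source NAT rule-set, including the CLI `insert ... before` reordering. The dict layout, the `translate` and `insert_before` functions and picking the first pool address are assumptions of this model, not SRX behaviour.

```python
import ipaddress
# Added example (not from the original post): a model of the SRX first-packet order the
# post describes: static NAT, then destination NAT, then policy lookup on the translated
# destination, then source NAT. Values are the post's; the dict layout is my assumption.

def in_net(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

STATIC = [{"from": "Outside", "dst": "202.100.100.150/32", "prefix": "192.168.100.21"}]
DEST = [{"from": "Outside", "dst": "202.100.100.1/32", "dport": 2222,
         "to": ("192.168.100.2", 22)}]
SOURCE = [  # rule-set NAT-Policy (Inside -> Outside), evaluated top-down
    {"name": "inside-outside-interface-NAT", "src": "192.168.100.0/24",
     "dst": "202.100.100.0/24", "then": "interface"},
    {"name": "inside1-outside-addreess-Pools", "src": "192.168.100.0/24",
     "dst": "0.0.0.0/0", "then": "pool"}]
EGRESS_IP, POOL_FIRST = "202.100.100.1", "202.100.100.101"  # post's pool is .101-.103
POLICY = [  # Pemit-Inside-22 names the real inside host; default-permit for Inside
    {"from": "Outside", "to": "Inside", "dst": "192.168.100.2/32", "dport": 22},
    {"from": "Inside", "to": "Outside", "dst": "0.0.0.0/0", "dport": None}]

def insert_before(rules, name, before):
    """Model of the CLI 'insert ... rule <name> before rule <before>'."""
    moved = next(r for r in rules if r["name"] == name)
    rest = [r for r in rules if r["name"] != name]
    idx = next(i for i, r in enumerate(rest) if r["name"] == before)
    return rest[:idx] + [moved] + rest[idx:]

def translate(from_zone, to_zone, src, dst, dport, source_rules=SOURCE, policy=POLICY):
    """Return (src, dst, dport, permitted, steps) for a flow's first packet."""
    steps = []
    for r in STATIC:  # 1. static NAT has the highest priority
        if r["from"] == from_zone and in_net(dst, r["dst"]):
            dst, steps = r["prefix"], ["static"]
            break
    else:  # 2. destination NAT is consulted only if no static rule matched
        for r in DEST:
            if r["from"] == from_zone and in_net(dst, r["dst"]) and dport == r["dport"]:
                (dst, dport), steps = r["to"], ["destination"]
                break
    # 3. the policy sees the post-NAT destination (a policy on public 202.100.100.1 misses)
    permitted = any(p["from"] == from_zone and p["to"] == to_zone and
                    in_net(dst, p["dst"]) and p["dport"] in (None, dport) for p in policy)
    if permitted and from_zone == "Inside" and to_zone == "Outside":
        for r in source_rules:  # 4. source NAT: the first matching rule in order wins
            if in_net(src, r["src"]) and in_net(dst, r["dst"]):
                src = EGRESS_IP if r["then"] == "interface" else POOL_FIRST
                steps.append(r["name"])
                break
    return src, dst, dport, permitted, steps
```

Running the post's session (192.168.100.2 to 202.100.100.2:22) through `translate` gives the 202.100.100.1 source seen in the `show security flow session` output, and after `insert_before` the pool rule wins instead.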

Reposted from: https://my.oschina.net/eddylinux/blog/1798755
