#NAT categories
#NAT lookups have a precedence order
The order is: static ---> destination ---> source
#1.source nat
1.1 interface nat
This simply translates an internal address to the external address of the egress interface.
202.100.100.2-------202.100.100.1---juniper----192.168.100.1----192.168.100.2
When an inside host reaches 202.100.100.2, the source address 192.168.100.2 is translated to the egress address 202.100.100.1.
eddy# edit security nat source rule-set NAT-Policy
[edit security nat source rule-set NAT-Policy]
eddy# set from zone Inside
[edit security nat source rule-set NAT-Policy]
eddy# set to zone Outside
[edit security nat source rule-set NAT-Policy]
eddy# edit rule inside-outside-interface-NAT
[edit security nat source rule-set NAT-Policy rule inside-outside-interface-NAT]
eddy# set match source-address?
Possible completions:
+ source-address Source address
+ source-address-name Address/address-set from address book
[edit security nat source rule-set NAT-Policy rule inside-outside-interface-NAT]
eddy# set match source-address 192.168.100.0/24
[edit security nat source rule-set NAT-Policy rule inside-outside-interface-NAT]
eddy# set match destination-address 202.100.100.0/24
[edit security nat source rule-set NAT-Policy rule inside-outside-interface-NAT]
eddy# set then source-nat interface
[edit security]
eddy# show
nat {
    source {
        rule-set NAT-Policy {
            from zone Inside;
            to zone Outside;
            rule inside-outside-interface-NAT {
                match {
                    source-address 192.168.100.0/24;
                    destination-address 202.100.100.0/24;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
    }
}
Two notes on this:
Wherever an address is given, an address set from the address book can be used instead.
A destination port match can also be defined.
eddy# run show security flow session
Session ID: 43, Policy name: Permit-All/4, Timeout: 1796, Valid
In: 192.168.100.2/54540 --> 202.100.100.2/22;tcp, If: ge-0/0/0.0, Pkts: 15, Bytes: 2105
Out: 202.100.100.2/22 --> 202.100.100.1/28488;tcp, If: ge-0/0/1.0, Pkts: 13, Bytes: 2809
Total sessions: 1
You can see that traffic arriving at the Juniper from 100.2 leaves with the source 202.100.100.1.
The destination-address match can also be left out.
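As an added check, not part of the original note, the following Python parses the two wings of the `show security flow session` output above and confirms that interface NAT took effect: the In wing's source falls inside 192.168.100.0/24 and reappears as the egress address 202.100.100.1 in the destination of the Out (reverse) wing. The first sample string is the session from this note; the second is a constructed session showing what the same flow would look like if no source NAT rule had matched. The function and variable names are this example's own.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the session printed in the note above (interface NAT applied).
TRANSLATED_SESSION = """\
Session ID: 43, Policy name: Permit-All/4, Timeout: 1796, Valid
In: 192.168.100.2/54540 --> 202.100.100.2/22;tcp, If: ge-0/0/0.0, Pkts: 15, Bytes: 2105
Out: 202.100.100.2/22 --> 202.100.100.1/28488;tcp, If: ge-0/0/1.0, Pkts: 13, Bytes: 2809
Total sessions: 1
"""

# Constructed sample: the same flow as it would look if no source NAT rule matched.
UNTRANSLATED_SESSION = """\
Session ID: 44, Policy name: Permit-All/4, Timeout: 1800, Valid
In: 192.168.100.2/54541 --> 202.100.100.2/22;tcp, If: ge-0/0/0.0, Pkts: 3, Bytes: 200
Out: 202.100.100.2/22 --> 192.168.100.2/54541;tcp, If: ge-0/0/1.0, Pkts: 2, Bytes: 150
Total sessions: 1
"""

# One wing: "<In|Out>: <src>/<sport> --> <dst>/<dport>;<proto>, If: <ifname>, ..."
WING_RE = re.compile(
    r"^\s*(In|Out):\s+(\S+?)/(\d+)\s+-->\s+(\S+?)/(\d+);(\w+),\s+If:\s+([^,]+)"
)


def parse_wings(text):
    """Return {'In': {...}, 'Out': {...}} for a single session's output."""
    wings = {}
    for line in text.splitlines():
        m = WING_RE.match(line)
        if m:
            wing, src, sport, dst, dport, proto, ifname = m.groups()
            wings[wing] = {"src": src, "sport": int(sport), "dst": dst,
                           "dport": int(dport), "proto": proto, "if": ifname}
    return wings


def translated_source(wings):
    """The Out wing is the reverse direction, so its destination is the post-NAT source."""
    return wings["Out"]["dst"], wings["Out"]["dport"]


def check_interface_nat(text, inside_net, egress_ip):
    """True when an inside source was rewritten to the egress interface address."""
    wings = parse_wings(text)
    orig_ip, orig_port = wings["In"]["src"], wings["In"]["sport"]
    xlat_ip, xlat_port = translated_source(wings)
    return (ip_address(orig_ip) in ip_network(inside_net)
            and ip_address(xlat_ip) == ip_address(egress_ip)
            and (xlat_ip, xlat_port) != (orig_ip, orig_port))


if __name__ == "__main__":
    for name, text in (("translated", TRANSLATED_SESSION),
                       ("untranslated", UNTRANSLATED_SESSION)):
        print(name, check_interface_nat(text, "192.168.100.0/24", "202.100.100.1"))
```

The same parser can be pointed at the full output of `run show security flow session` to find sessions that left the box without translation, which is the quickest way to spot a rule whose zone or address match does not cover the traffic you expected.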
1.2 address pool
First define the pool:
source {
    pool nat-pool {
        address {
            202.100.100.101/32 to 202.100.100.103/32;
        }
    }
}
Next define proxy-arp for the pool addresses:
proxy-arp {
    interface ge-0/0/0.0 {
        address {
            202.100.100.101/32 to 202.100.100.103/32;
        }
    }
}
Finally add the rule:
[edit security nat]
eddy# edit source rule-set NAT-Policy
[edit security nat source rule-set NAT-Policy]
eddy# set rule inside1-outside-addreess-Pools
[edit security nat source rule-set NAT-Policy]
eddy# edit rule inside1-outside-addreess-Pools
[edit security nat source rule-set NAT-Policy rule inside1-outside-addreess-Pools]
eddy# set match source-address 192.168.100.0/24
[edit security nat source rule-set NAT-Policy rule inside1-outside-addreess-Pools]
eddy# set then source-nat pool nat-pool
[edit security nat source rule-set NAT-Policy]
eddy# show
from zone Inside;
to zone Outside;
rule inside1-outside-addreess-Pools {
    match {
        source-address 192.168.100.0/24;
    }
    then {
        source-nat {
            pool {
                nat-pool;
            }
        }
    }
}
rule inside-outside-interface-NAT {
    match {
        source-address 192.168.100.0/24;
        destination-address 202.100.100.0/24;
    }
    then {
        source-nat {
            interface;
        }
    }
}
Note that within the same NAT rule-set the rule listed higher matches first. To change the order:
eddy# insert security nat source rule-set NAT-Policy rule \
inside1-outside-addreess-Pools before rule inside-outside-interface-NAT
Using an address pool for source NAT is not recommended, because the pool hands out its IPs in rotation.
If a pool is used anyway, add the following.
In the pool:
port no-translation
overflow-pool interface
To disable port randomization, in the pool:
port-randomization disable
In the NAT pool:
persistent-nat
permit target-host-port
Persistent NAT; this is mainly to solve Internet-access problems for internal hosts.
#2.destination nat
2.1 Define the destination translation
eddy# show security nat destination
pool inside-22 {
    address 192.168.100.2/32 port 22;
}
rule-set Outside-to-Inside-Des-NAT {
    from zone Outside;
    rule Inside-Node1-22 {
        match {
            source-address 0.0.0.0/0;
            destination-address 202.100.100.1/32;
            destination-port {
                2222;
            }
        }
        then {
            destination-nat {
                pool {
                    inside-22;
                }
            }
        }
    }
}
This translates traffic to port 2222 on 202.100.100.1/32 into port 22 on 192.168.100.2.
From the outside client's point of view, the destination address is what gets translated.
2.2 proxy-arp
[edit security nat proxy-arp]
eddy# set interface ge-0/0/0.0 address 202.100.100.1/32
2.3 Security policy
First define the address-book entries:
eddy# show zones security-zone Inside
address-book {
    address inside-all 192.168.100.0/24;
    address inside-node-1 192.168.100.2/32;
}
Then in the policy:
[edit security policies from-zone Outside to-zone Inside policy Pemit-Inside-22]
eddy# show
match {
    source-address any;
    destination-address inside-node-1;
    application junos-ssh;
}
then {
    permit;
}
Note that the destination address and destination port written here are the real ones, not the translated ones.
#3.static nat
Static NAT has the highest precedence of the three.
The translation applies in both directions, inbound and outbound.
3.1 One-to-one mapping
[edit security nat static rule-set static-nat]
root# set from zone Outside
root# edit rule 1to1
[edit security nat static rule-set static-nat rule 1to1]
root# set match destination-address 202.100.100.150/32
[edit security nat static rule-set static-nat rule 1to1]
root# set then static-nat prefix 192.168.100.21/32
[edit security nat static]
root# show
rule-set static-nat {
    from zone Outside;
    rule 1to1 {
        match {
            destination-address 202.100.100.150/32;
        }
        then {
            static-nat {
                prefix {
                    192.168.100.21/32;
                }
            }
        }
    }
}
Note that a security policy is still needed to let the traffic through:
policies {
    from-zone Inside to-zone Outside {
        policy default-permit {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
}
This permits inside-to-outside traffic.
from-zone Outside to-zone Inside {
    policy ssh-22 {
        match {
            source-address any;
            destination-address web_21;
            application junos-ssh;
        }
        then {
            permit;
        }
    }
    policy web-8000 {
        match {
            source-address any;
            destination-address web_21;
            application TCP_8000;
        }
        then {
            permit;
        }
    }
    policy web-8080 {
        match {
            source-address any;
            destination-address web_21;
            application TCP_8080;
        }
        then {
            permit;
        }
    }
}
Outside-to-inside policies are configured per requirement.
One more thing: in a real deployment a route must also be added:
set routing-options static route.....
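The three points this note makes about ordering can be seen together in the following Python model: the lookup precedence stated at the top (static, then destination, then source NAT), first-match ordering inside a rule-set and what `insert ... before` changes, and the fact that security policies are evaluated on the real post-translation address. It is an added example, not Junos code and not from the original note: the rule-set, pool and address names are copied from the configuration above, the `Packet`, `Rule`, `RuleSet` and `Pools` classes and the `apply_nat`/`policy_permits` functions are this example's own, and the traffic it evaluates is constructed.

```python
"""Toy model of SRX NAT evaluation: static > destination > source, then policy on real addresses."""
import itertools
from dataclasses import dataclass, field, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    from_zone: str


@dataclass
class Rule:
    name: str
    src: str = "0.0.0.0/0"                      # match source-address
    dst: str = "0.0.0.0/0"                      # match destination-address
    dport: Optional[int] = None                 # match destination-port
    action: dict = field(default_factory=dict)  # then ... (interface / pool / prefix)

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass
class RuleSet:
    from_zone: str
    rules: list

    def first_match(self, pkt: Packet) -> Optional[Rule]:
        """Rules are tried top to bottom; the first hit wins and later rules are never consulted."""
        if pkt.from_zone != self.from_zone:
            return None
        return next((r for r in self.rules if r.matches(pkt)), None)

    def move_before(self, name: str, before: str) -> None:
        """Model of 'insert ... rule <name> before rule <before>'."""
        rule = next(r for r in self.rules if r.name == name)
        self.rules.remove(rule)
        self.rules.insert([r.name for r in self.rules].index(before), rule)


class Pools:
    """Source pools hand out their addresses in rotation, which is why the note discourages them."""
    def __init__(self, pools: dict):
        self._cycles = {n: itertools.cycle(addrs) for n, addrs in pools.items()}

    def next_address(self, name: str) -> str:
        return next(self._cycles[name])


def apply_nat(pkt, static, dest, source, pools, egress_ip):
    """Run the lookups in SRX order and return (translated packet, names of rules that fired)."""
    fired = []
    rule = static.first_match(pkt)
    if rule:                                  # static NAT wins; destination NAT is then not consulted
        pkt = replace(pkt, dst=rule.action["prefix"])
        fired.append(rule.name)
    else:
        rule = dest.first_match(pkt)
        if rule:
            ip, port = rule.action["pool"]
            pkt = replace(pkt, dst=ip, dport=port or pkt.dport)
            fired.append(rule.name)
    rule = source.first_match(pkt)            # source NAT runs last, on the already-rewritten packet
    if rule:
        pkt = replace(pkt, src=egress_ip if rule.action.get("interface")
                      else pools.next_address(rule.action["pool"]))
        fired.append(rule.name)
    return pkt, fired


def policy_permits(policies, pkt, address_book):
    """Policy lookup sees the post-NAT packet, so the policy must name the real inside address."""
    return any(p["from_zone"] == pkt.from_zone
               and ip_address(pkt.dst) in ip_network(address_book[p["dst"]])
               and (p["dport"] is None or p["dport"] == pkt.dport)
               for p in policies)


def build_lab():
    """The rule-sets of this note (names and addresses taken from the configuration above)."""
    source = RuleSet("Inside", [
        Rule("inside-outside-interface-NAT", src="192.168.100.0/24",
             dst="202.100.100.0/24", action={"interface": True}),
        Rule("inside1-outside-addreess-Pools", src="192.168.100.0/24", action={"pool": "nat-pool"}),
    ])
    dest = RuleSet("Outside", [Rule("Inside-Node1-22", dst="202.100.100.1/32", dport=2222,
                                    action={"pool": ("192.168.100.2", 22)})])
    static = RuleSet("Outside", [Rule("1to1", dst="202.100.100.150/32",
                                      action={"prefix": "192.168.100.21"})])
    pools = Pools({"nat-pool": ["202.100.100.101", "202.100.100.102", "202.100.100.103"]})
    return static, dest, source, pools


def demo():
    static, dest, source, pools = build_lab()
    egress = "202.100.100.1"
    out = Packet("192.168.100.2", 54540, "202.100.100.2", 22, "Inside")     # constructed traffic
    before, _ = apply_nat(out, static, dest, source, pools, egress)
    source.move_before("inside1-outside-addreess-Pools", "inside-outside-interface-NAT")
    after1, _ = apply_nat(out, static, dest, source, pools, egress)
    after2, _ = apply_nat(out, static, dest, source, pools, egress)
    inbound = Packet("202.100.100.2", 40000, "202.100.100.1", 2222, "Outside")
    dnat, _ = apply_nat(inbound, static, dest, source, pools, egress)
    book = {"inside-node-1": "192.168.100.2/32", "outside-vip": "202.100.100.1/32"}
    real = policy_permits([{"from_zone": "Outside", "dst": "inside-node-1", "dport": 22}], dnat, book)
    wrong = policy_permits([{"from_zone": "Outside", "dst": "outside-vip", "dport": 2222}], dnat, book)
    snat, fired = apply_nat(Packet("202.100.100.2", 40001, "202.100.100.150", 22, "Outside"),
                            static, dest, source, pools, egress)
    return {"iface_src": before.src, "pool_src": (after1.src, after2.src),
            "dnat": (dnat.dst, dnat.dport), "policy_real": real, "policy_wrong": wrong,
            "static": (snat.dst, fired)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the outbound session using the egress address while the interface rule sits first, then drawing 202.100.100.101 and 202.100.100.102 for two consecutive sessions once the pool rule is moved above it (the rotation the note warns about), the 2222-to-22 destination translation, a policy written with the real address matching while one written with the translated address and port does not, and the static rule claiming 202.100.100.150 before destination NAT is consulted. The model leaves out port translation on pools, which the real box performs unless `port no-translation` is set.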