Juniper SRX300系列 —— 防火墙端口映射配置详解

茉清语

于 2023-09-04 14:28:20 发布

阅读量851

点赞数 1

分类专栏：网络设备文章标签：网络运维

本文链接：https://blog.csdn.net/weixin_46167705/article/details/132665804

版权

网络设备专栏收录该内容

11 篇文章 2 订阅

订阅专栏

前言

静态端口映射：就是在NAT网关上开放一个固定的端口，然后设定此端口收到的数据要转发给内网哪个IP和端口，不管有没有连接，这个映射关系都会一直存在。

内网IP：192.168.2.100/32
内网端口：8000

外网IP：114.114.114.114/32
外网端口：8000

服务端口


#端口协议为tcp，也可改为udp，根据需求而定
set applications application 8000-tcp protocol tcp

#端口范围0-65535
set applications application 8000-tcp source-port 0-65535

#配置端口8000，并命名为8000-tcp
set applications application 8000-tcp destination-port 8000

#如需端口协议为udp，则以下命令

set applications application 8000-udp protocol udp

如内外网端口不一致，则需新建两个不同的服务端口池。

内网映射端口


#映射的内网地址和端口
set security nat destination pool NAT-POOL-8000 address 192.168.2.100/32
set security nat destination pool NAT-POOL-8000 address port 8000

外网映射端口

公网端口不一定必须与内网端口一致，如需修改公网端口，则需在服务端口里新建端口。


#配置第一个端口时需要添加，其它端口不需要在配置
set security nat destination rule-set test-DES-NAT from zone untrust     
#源地址0.0.0.0/0           -
set security nat destination rule-set test-DES-NAT rule test-NAT-8000 match source-address 0.0.0.0/0
#公网IP
set security nat destination rule-set test-DES-NAT rule test-NAT-8000 match destination-address 114.114.114.114/32
#公网端口
set security nat destination rule-set test-DES-NAT rule test-NAT-8000 match destination-port 8000
#引用NAT-POOL-8000
set security nat destination rule-set test-DES-NAT rule test-NAT-8000 then destination-nat pool NAT-POOL-8000

映射策略


set security policies from-zone  untrust to-zone trust policy test-100-DES-NAT-PERMIT match source-address any
set security policies from-zone  untrust to-zone trust policy test-100-DES-NAT-PERMIT match destination-address test_100_8000
set security policies from-zone  untrust to-zone trust policy test-100-DES-NAT-PERMIT match application 8000-tcp
set security zones security-zone trust address-book address test_100_8000 192.168.2.100/32

会话日志


#以下配置，再配置同IP的多端口的情况下只需要配置一次即可
set security policies from-zone  untrust to-zone trust policy test-100-DES-NAT-PERMIT then permit
set security policies from-zone  untrust to-zone trust policy test-100-DES-NAT-PERMIT then log session-init
set security policies from-zone  untrust to-zone trust policy test-100-DES-NAT-PERMIT then log session-close