场景一:两个出接口属于不同zone
概述
- vMX28
vMX28模拟公网server,发起远程访问
- vMX26、vMX27
vMX26 和 vMX27模拟公网中的路由器
- vSRX
SRX的ge-0/0/0属于zone:u1,ge-0/0/1属于zone:u2,ge-0/0/2模拟内网口,属于zone:t1(下文配置中该zone命名为t)
zone | interface |
---|---|
u1 | ge-0/0/0 |
u2 | ge-0/0/1 |
t1 | ge-0/0/2 |
SRX有2条等价的默认路由指向外网,目的地址8.8.8.8的路由指向ge-0/0/1出口
SRX对HOST主机做SNAT,并通过DNAT将公网地址12.1.1.100映射到HOST(192.168.1.100)
- vMX20
vMX20模拟客户端HOST
配置
- vMX28
root@vmx28> show configuration | display set
set version 14.1R1.10
set system host-name vmx28
set system root-authentication encrypted-password "$1$YAK4YGui$Bo00KOUGQf9kTprjnhmDu1"
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
set interfaces lo0 unit 0 family inet address 8.8.8.8/32
set routing-options static route 12.0.0.0/8 next-hop 10.1.1.2
set routing-options static route 13.0.0.0/8 next-hop 10.1.1.3
- vMX26
root@vmx26> show configuration | display set
set version 14.1R1.10
set system host-name vmx26
set system root-authentication encrypted-password "$1$ZtBdrlLY$PDHVUiIsqYD4ojqlduIFE/"
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.2/24
set interfaces ge-0/0/1 unit 0 family inet address 12.1.1.2/24
set routing-options static route 0.0.0.0/0 next-hop 10.1.1.1
- vMX27
root@vmx27# show | display set
set version 14.1R1.10
set system host-name vmx27
set system root-authentication encrypted-password "$1$0JpxfheZ$XcjNMxlYqmI16tcn3DYhg/"
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.3/24
set interfaces ge-0/0/1 unit 0 family inet address 13.1.1.3/24
set routing-options static route 0.0.0.0/0 next-hop 10.1.1.1
- vSRX
root> show configuration | display set
set version 15.1X49-D110.4
set system root-authentication encrypted-password "$5$fClhtNWg$Bx4unZAqkZsXI3VAhXF1wFhJiNGcOXqrCMZjyMxrd04"
set system services ssh
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security flow traceoptions file aaa
set security flow traceoptions flag basic-datapath
set security nat source rule-set SNAT from zone t
set security nat source rule-set SNAT to zone u1
set security nat source rule-set SNAT to zone u2
set security nat source rule-set SNAT rule snat match source-address 0.0.0.0/0
set security nat source rule-set SNAT rule snat match destination-address 0.0.0.0/0
set security nat source rule-set SNAT rule snat then source-nat interface
set security nat destination pool dpool1 address 192.168.1.100/32
set security nat destination rule-set DSET from zone u1
set security nat destination rule-set DSET rule r1 match destination-address 12.1.1.100/32
set security nat destination rule-set DSET rule r1 then destination-nat pool dpool1
set security nat proxy-arp interface ge-0/0/0.0 address 12.1.1.100/32
set security policies default-policy permit-all
set security zones security-zone t host-inbound-traffic system-services all
set security zones security-zone t host-inbound-traffic protocols all
set security zones security-zone t interfaces ge-0/0/2.0
set security zones security-zone u1 host-inbound-traffic system-services all
set security zones security-zone u1 host-inbound-traffic protocols all
set security zones security-zone u1 interfaces ge-0/0/0.0
set security zones security-zone u2 host-inbound-traffic system-services all
set security zones security-zone u2 host-inbound-traffic protocols all
set security zones security-zone u2 interfaces ge-0/0/1.0
set interfaces ge-0/0/0 unit 0 family inet address 12.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 13.1.1.1/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.1/24
set routing-options static route 0.0.0.0/0 next-hop 13.1.1.3
set routing-options static route 0.0.0.0/0 next-hop 12.1.1.2
set routing-options static route 8.8.8.8/32 next-hop 13.1.1.3
set routing-options forwarding-table export lb
set policy-options policy-statement lb then load-balance per-packet
- vMX20
root@HOST> show configuration |display set
set version 14.1R1.10
set system host-name HOST
set system root-authentication encrypted-password "$1$eyw1d1zh$E9pzhoYkS4EChb83gztrX0"
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.100/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.1.1
测试分析
以8.8.8.8为源 ping SRX的对外映射地址12.1.1.100/32,不通
root@vmx28> ping 12.1.1.100 source 8.8.8.8 count 5
PING 12.1.1.100 (12.1.1.100): 56 data bytes
--- 12.1.1.100 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
查看SRX的session表
root> show security flow session
Session ID: 1655, Policy name: default-policy-logical-system-00/2, Timeout: 2, Valid
In: 8.8.8.8/1 --> 12.1.1.100/4266;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,
Out: 192.168.1.100/4266 --> 8.8.8.8/1;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 0, Bytes: 0,
Session ID: 1656, Policy name: default-policy-logical-system-00/2, Timeout: 4, Valid
In: 8.8.8.8/2 --> 12.1.1.100/4266;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,
Out: 192.168.1.100/4266 --> 8.8.8.8/2;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 0, Bytes: 0,
Session ID: 1657, Policy name: default-policy-logical-system-00/2, Timeout: 6, Valid
In: 8.8.8.8/3 --> 12.1.1.100/4266;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,
Out: 192.168.1.100/4266 --> 8.8.8.8/3;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 0, Bytes: 0,
Total sessions: 3
SRX上开启traceoption,查看SRX的traceoption信息
root@vSRX> show log aaa
Nov 28 09:40:18 vSRX clear-log[12662]: logfile cleared
Nov 28 09:40:29 09:4