關於Juniper SRX JUNOS NAT方面的設定



關於Juniper SRX JUNOS NAT方面的設定

網路位址轉換Network Address Translation,縮寫為NAT),也叫做網路掩蔽或者IP掩蔽IP masquerading),是一種在IP封包通過路由器或防火牆時重寫來源IP位址或目的IP地址的技術。這種技術被普遍使用在有多台主機但只通過一個公有IP位址存取網際網路的私有網路中
1990年代中期,NAT是作為一種解決IPv4位址短缺以避免保留IP位址困難的方案而流行起來的。網路位址轉換在很多國家有廣泛的使用。所以NAT就成了家庭和小型辦公室網路連線上的路由器的一個標準特徵,因為對他們來說,申請獨立的IP位址的代價要高於所帶來的效益。
在一個具有NAT功能的路由器下的主機並沒有建立真正的IP位址,並且不能參與一些網際網路協定。一些需要初始化從外部網路建立的TCP連線和無狀態協定(比如UDP)無法實現。除非NAT路由器管理者預先設定了規則,否則送來的封包將不能到達正確的目的位址。
在一定程度上,NAT依賴於本地網路上的一台機器來初始化和路由器另一邊的主機的任何連接,它可以阻止外部網路上的主機的惡意活動。這樣就可以阻止網路蠕 蟲病毒來提高本地系統的可靠性,阻擋惡意瀏覽來提高本地系統的私密性。很多具有NAT功能的防火牆都是使用這種功能來提供核心保護的。
(以上內容出自維基百科)

SRX NATScreenOS在功能使用上基本一樣但在功能設定上有較大區別配置的主要差異在於ScreenOSNATpolicy是綁定的無論是MIP/VIP/DIP還是基於PolicyNATpolicy中均要設定NAT內容除了預設untrust介面的Souec-NAT模式外),SRX NAT則作為網路層面為基礎的獨立配置獨立定義位址映射的方向、映射關係及位址範圍),Policy中不再包含NAT相關配置資訊這樣的好處是易於理解、簡化運維當網路topologyNAT對映關係發生改變時無需調整Policy配置內容。
SRX NATPolicy執行先後順序為
目的地址NAT>目的地route lookup>執行policy檢查來源位址NAT結合這個執行順序在配置Policy時需注意Policy中來源位址應是轉換前的來源位址而目的地址應該是轉換後的目的地址換句話說Policy中的來源和目的地址應該是來源和目的兩端的真實IP地址這一點和ScreenOS NAT不同需要加以注意。
SRX中不再使用MIP/VIP/DIP這些概念
MIPStatic靜態位址轉換取代兩者在功能上完全一致。
DIPSource NAT取代。
VIPPolicy-baseNAT轉換被 Destination NAT取代。
ScreenOSUntrust zone介面的來源位址NAT轉換被保留下來但在SRX中不再是default模式SRXTrust Zone介面沒有NAT模式概念),需要手工配置。
類似ScreenOSStatic屬於雙向NAT其他類型(Source NATDistination NAT)均屬於單向NAT

 此外,SRX還多了一個proxy-arp概念,當定義的IP Pool位址與wan介面IP在同一子網時,我們需要為其配置proxy-arp來對這個IP Pool內的地址提供ARP代理功能(使用wan介面MAC地址來回應對端設備),這樣對端設備才能夠將訊息送達WAN介面,好讓JUNOS OS能利用其維護分配的埠號清單,返回的封包正確對應到並送達內部的IP用戶。
(以上內容部分出自湛揚科技SRX NAT設定一文)

我們還可以參考以下之文章:


下面是配置舉例及相關說明

Configuring NAT Using the NAT Wizard
You can use the NAT Wizard to perform basic NAT configuration on SRX100SRX210SRX300SRX320SRX340SRX345and SRX550M devices. To perform more advanced configurationuse the J-Web interface or the CLI.
To configure NAT using the NAT Wizard:
  1. Select Configure>Tasks>Configure NAT in the J-Web interface.
  2. Click the Launch NAT Wizard button.
  3. Follow the wizard prompts.
The upper-left area of the wizard page shows where you are in the configuration process. The lower-left area of the page shows field-sensitive help. When you click a link under the Resources headingthe document opens in your browser. If the document opens in a new tabbe sure to close only the tab (not the browser window) when you close the document.


Source NAT
當我們要從內部網路去訪問外部網路(例如Internet上網)時,就會用到source NAT設定。

Interface-Based Source NAT (外送介面source NAT)
必要的設定,若不設定就會無法上網。

INTERFACE
ZONE
IP ADDRESS
Ethernet 0/0
untrust
1.1.1.1/24
Ethernet 0/1
trust
10.1.1.1/24



ScreenOS Configuration
set policy id 1 from trust to untrust any any any nat src permit
JUNOS Configuration
set security nat source rule-set interface-nat from zone trust
set security nat source rule-set interface-nat to zone untrust
set security nat source rule-set interface-nat rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
set security nat source rule-set interface-nat rule rule1 then source-nat interface
上述設定NAT來源位址轉換規則Trust ZoneUntrust Zone的所有流量用Untrust Zone介面IP源位址轉換。這也是SRX設備恢復出廠配置後所自動配置,讓內部用戶能順利上網的NAT設定。
set security policies from-zone trust to-zone untrust policy permit-all match source-address any destination-address any application any
set security policies from-zone trust to-zone untrust policy permit-all then permit
上述配置定義Policy策略允許Trust zone任何位址訪問Untrust安全區任何位址根據前面的NAT配置SRX在建立session時自動執行介面Source NAT,將內部(trust zone)私有IP轉換成外部(untrust zone)介面IP來上網


Source NAT with IP Pool (Dynamic Internet Protocol Pool with Port Translation)
當您有一些公有IP要提供給內部用戶來上網時會使用到。

ScreenOS Configuration (with Port Translation)
set int e0/0 dip 4 1.1.1.10 1.1.1.15
set policy id 1 from trust to untrust any any any nat src dip-id 4 permit
JUNOS Configuration (with Port Translation – PAT) – 當公有IP不足時使用
使用 PAT 多個主機可以共用相同的 IP 位址來上網。JUNOS OS維護分配的埠號清單以區分哪個會話屬於哪個主機。啟用 PAT 多達63488個主機可以共用單個 IP 位址,範圍 (102465535) 可用於每個 IP 位址的埠號映射。
每個source pool都可以包含多個 ip 位址、多個 ip 位址範圍或兩者。對於具有 PAT 的源池JUNOS OS可能為不同的併發會話為單個主機分配不同的位址除非源池或JUNOS OS 具有持久位址(persistent IP address)功能或啟用了配對的位址集區功能(paired address pooling)
當主機啟動若干個與需要網路位址轉譯的策略相匹配的會話並從啟用 PAT 的源池分配位址時該設備為每個會話分配不同的源 IP 位址。對於為每個會話創建需要相同源 IP 位址的多個會話的服務這種隨機位址分配可能會有問題。例如在使用 AOL 即時消息 (AIM) 用戶端時對於多個會話具有相同的 IP 位址是很重要的。
為確保路由器為多個併發會話將同一 ip 位址從源池分配給主機可以為每個路由器啟用persistent IP address。為確保設備在單個會話期間將同一 IP 位址從源池分配給主機可以啟用paired address pooling
下列為設定範例:
set security nat source pool pool-1 address 1.1.1.10 to 1.1.1.20
set security nat source pool pool-1 address-pooling paired
set security nat source address-persistent
set security nat source rule-set pool-nat from zone trust
set security nat source rule-set pool-nat to zone untrust
set security nat source rule-set pool-nat rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
set security nat source rule-set pool-nat rule rule1 then source-nat pool pool-1
set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.10 to 1.1.1.20
上述配置的情境是:某公司有一個真實IP網段1.1.1.0/24可用,但是設定內部人員上網一律使用1.1.1.10--1.1.1.20IP位址範圍,而這個範圍的IP位址是隨機分配不固定的,但是因為當IP Pool位址wan介面IP在同一子網時,我們需要為其配置proxy-arp對這個IP Pool內的地址提供ARP代理功能(使用wan介面MAC地址來回應對端設備),這樣對端設備才能夠將訊息送達WAN介面,好讓JUNOS OS能利用其維護分配的埠號清單返回的封包正確對應到並送達內部的IP用戶,如果Pool與出介面IP不在同一子網,則對端設備需要配置指向本端WAN介面位址的Pool地址路由。
上述配置表示當我們要從內部(Trust安全區)訪問外部(Untrust安全區)時設備會提供來源位址轉換來源位址池為Pool-1(範圍從1.1.1.10 -1.1.1.20)同時ge-0/0/0介面為此pool IP提供ARP代理。

set security policies from-zone trust to-zone untrust policy permit-all match source-address any destination-address any application any
set security policies from-zone trust to-zone untrust policy permit-all then permit
上述配置定義Policy策略允許Trust zone任何位址訪問Untrust安全區任何位址根據前面的NAT配置SRX在建立session時自動執行來源位址轉換。


Source NAT with IP Address Shifting
此設定可以讓內部連續的私有IP位址轉移對應到外部連續公有IP位址上,此為單向作業,即僅讓內部私有IP位址會轉移成相對應的外部公有IP位址來上網。
您可以定義一個一對一的對應,自原始來源 IP 位址至某一 IP 位址範圍的已轉譯來源 IP 位址。這樣的對應可確保安全性裝置一律將來範圍內的特定來源 IP 位址轉譯為 DIP 集區內的相同已轉譯位址。範圍內的位址數不定。您甚至可以將子網路對應至另一子網路 ( 子網路內各個原始位址至另一子網路內已轉譯原始位址的一致一對一對應)
您可以在政策中使用已啟用位址轉移的 DIP 集區(DIP pool with address shifting enabled in a policy) ( 此政策套用於超出集區中所指定之範圍外的來源位址)。在這樣的情況下,安全性裝置會讓來自政策中所允許之所有來源位址的通訊流量通過,將具位址轉移的 NAT 套用至 DIP 集區(pool)內的位址,但讓 DIP 集區範圍外的位址保持不變。
若您希望安全性裝置將 NAT 套用至所有來源位址,請確保來源位址範圍大小小於或等於 DIP 集區範圍

ScreenOS Configuration
set interface ethernet0/1 zone trust
set interface ethernet0/1 ip 192.168.1.1/24
set interface ethernet0/1 nat
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 1.1.1.1/24
set interface ethernet0/0 dip 10 shift-from 192.168.1.10 to 203.0.113.30 203.0.113.40
set address trust host1 192.168.1.10/32
set address trust host2 192.168.1.11/32
set address trust host3 192.168.1.12/32
set address trust host4 192.168.1.13/32
set address trust host5 192.168.1.14/32
set address trust host6 192.168.1.15/32
set address trust host7 192.168.1.16/32
set address trust host8 192.168.1.17/32
set address trust host9 192.168.1.18/32
set address trust host10 192.168.1.19/32
set address trust host11 192.168.1.20/32
set group address trust group1 add host1
set group address trust group1 add host2
set group address trust group1 add host3
set group address trust group1 add host4
set group address trust group1 add host5
set group address trust group1 add host6
set group address trust group1 add host7
set group address trust group1 add host8
set group address trust group1 add host9
set group address trust group1 add host10
set group address trust group1 add host11
set policy from trust to untrust group1 any any nat src dip-id 10 permit
save

JUNOS Configuration
set security nat source pool src-nat-pool-1 address 203.0.113.30 to 203.0.113.40
set security nat source pool src-nat-pool-1 host-address-base 192.168.1.10
set security nat source rule-set rs1 from zone trust
set security nat source rule-set rs1 to zone untrust
set security nat source rule-set rs1 rule r1 match source-address 192.168.1.0/24
set security nat source rule-set rs1 rule r1 then source-nat pool src-nat-pool-1
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.30 to 203.0.113.40
set security policies from-zone trust to-zone untrust policy internet-access match source-address any destination-address any application any
set security policies from-zone trust to-zone untrust policy internet-access then permit


Static NAT
當我們要在內部網路架設一台伺服器(例如網頁伺服器)來提供網頁服務給大眾使用時,就會用到Static NAT設定。



Static NAT to a Single Host





ScreenOS Configuration
set int e0/0 mip 1.1.1.100 host 10.1.1.100
set pol from untrust to trust any mip(1.1.1.100) http permit
JUNOS Configuration
set security nat proxy-arp interface ge-0/0/0 address 1.1.1.100/32
set security nat static rule-set static-nat from zone untrust
set security nat static rule-set static-nat rule rule1 match destination-address 1.1.1.100
set security nat static rule-set static-nat rule rule1 then static-nat prefix 10.1.1.100
set security zones security-zone trust address-book address webserver 10.1.1.100
Static NAT概念與ScreenOS MIP一樣屬於靜態雙向一對一NAT上述配置表示當外界訪問公有IP 1.1.1.100時會srx設備會自動將其對應到內部的私有IP 10.1.1.100內部的私有IP 10.1.1.100訪問Internet時則會自動轉換成公有IP 1.1.1.100來上網
set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address webserver application junos-http
set security policies from-zone untrust to-zone trust policy static-nat then permit

Static NAT to a Subnet




ScreenOS Configuration
set int e0/0 mip 1.1.1.0 host 10.1.1.0 netmask 255.255.255.240
set policy from untrust to trust any mip(1.1.1.0/28) http permit
JUNOS Configuration
set security zones security-zone trust address-book address webserver-group 10.1.1.0/28
set security nat proxy-arp interface ge-0/0/0 address 1.1.1.0/28
set security nat static rule-set static-nat from zone untrust
set security nat static rule-set static-set rule rule1 match destination-address 1.1.1.0/28
set security nat static rule-set static-set rule rule1 then static-nat prefix 10.1.1.0/28
set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address webserver-group application junos-http
set security policies from-zone untrust to-zone trust policy static-nat then permit


Destination NAT
當我們要從外部網路(例如Internet)去訪問內部網路時,就會用到Destination NAT設定。


Destination Address Translation to a Single Host
ScreenOS Configuration
set route 2.1.1.100/32 int e0/1
set address trust webserver 2.1.1.100/32
set pol from untrust to trust any webserver http nat dst ip 10.1.1.100 permit
JUNOS Configuration Commands
set security nat proxy-arp interface ge-0/0/0.0 address 2.1.1.100
set security nat destination pool dnat-pool-1 address 10.1.1.100
set security nat destination rule-set dst-nat from zone untrust
set security nat destination rule-set dst-nat rule r1 match destination-address 2.1.1.100
set security nat destination rule-set dst-nat rule r1 then destination-nat pool dnat-pool-1
上述配置將外網any訪問2.1.1.100位址映射到內網10.1.1.100位址。
注意:定義的dnat-pool-1 Pool是內網真實IP位址,而不是映射前的Public位址。這點和Src-NAT Pool有所區別。

set security zones security-zone trust address-book address webserver 10.1.1.100
set security policies from-zone untrust to-zone trust policy dst-nat match source-address any destination-address webserver application junos-http
set security policies from-zone untrust to-zone trust policy dst-nat then permit
上述配置定義Policy策略,只允許Untrust安全區任何位址訪問Trust安全區10.1.1.10080 port (http服務),而其他未設定的服務則不被允許也因此保障了主機的安全(只開放主機所提供的服務之必要的port number)


Destination Address and Port Translation to a Single Host
當您需要外網訪問某IP時直接將其對應到內網某IP的某PORT時。

ScreenOS Configuration
set route 2.1.1.100/32 int e0/1
set address trust webserver 2.1.1.100/32
set policy from untrust to trust any webserver http nat dst ip 10.1.1.100 port 8000 permit
JUNOS Configuration
set security nat proxy-arp interface ge-0/0/0.0 address 2.1.1.100
set security nat destination pool dnat-pool-1 address 10.1.1.100 port 8000
set security nat destination rule-set dst-nat from zone untrust
set security nat destination rule-set dst-nat rule r1 match destination-address 2.1.1.100
set security nat destination rule-set dst-nat rule r1 then destination-nat pool dnat-pool-1
上述配置將外網any訪問2.1.1.100位址時自動映射到內網10.1.1.100主機的port 8000
set security zones security-zone trust address-book address webserver 10.1.1.100
set applications application http-8000 protocol tcp destination-port 8000
set security policies from-zone untrust to-zone trust policy dst-nat match source-address any destination-address webserver application http-8000
set security policies from-zone untrust to-zone trust policy dst-nat then permit
策略設定允許外網到內網10.1.1.100 port 8000webserver服務。

Destination Address Translation to a Single Host
ScreenOS Configuration
set arp nat
set address trust webserver 1.1.1.100/32
set pol from untrust to trust any webserver http nat dst ip 10.1.1.100 permit
JUNOS Configuration
set security nat destination pool dnat-pool-1 address 10.1.1.100/32
set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.100
set security nat destination rule-set dst-nat from zone untrust
set security nat destination rule-set dst-nat rule r1 match destination-address 1.1.1.100
set security nat destination rule-set dst-nat rule r1 then destination-nat pool dnat-pool-1
set security policies from-zone untrust to-zone trust policy dst-nat match source-address any destination-address any application junos-http
set security policies from-zone untrust to-zone trust policy dst-nat then permit

Virtual IP
ScreenOS Configuration
set int e0/0 vip 1.1.1.100 80 http 10.1.1.100
set int e0/0 vip 1.1.1.100 110 pop3 10.1.1.200
set policy from untrust to trust any vip(1.1.1.100) http permit
JUNOS Configuration
set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.100
set security nat destination pool dnat-pool-1 address 10.1.1.100/32
set security nat destination pool dnat-pool-2 address 10.1.1.200/32
set security nat destination rule-set dst-nat from zone untrust
set security nat destination rule-set dst-nat rule rule1 match destination-address 1.1.1.100/32
set security nat destination rule-set dst-nat rule rule1 match destination-port 80
set security nat destination rule-set dst-nat rule rule1 then destination-nat pool dnat-pool-1
set security nat destination rule-set dst-nat rule rule2 match destination-address 1.1.1.100/32
set security nat destination rule-set dst-nat rule rule2 match destination-port 110
set security nat destination rule-set dst-nat rule rule2 then destination-nat pool dnat-pool-2
set security zones security-zone trust address-book address webserver 10.1.1.100
set security zones security-zone trust address-book address mailserver 10.1.1.200
set security zones security-zone trust address-book address-set servergroup address webserver
set security zones security-zone trust address-book address-set servergroup address mailserver
set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address servergroup application junos-http
set security policies from-zone untrust to-zone trust policy static-nat match application junos-pop3
set security policies from-zone untrust to-zone trust policy static-nat then permit


這個網誌中的熱門文章

如何測試網路連線--網路斷線了怎麼辦?

筆記電腦刷BIOS失敗無法開機—用CH341A編程器重刷BIOS教學!

查理王的電腦部落格-首頁