
Juniper NAT configuration, Juniper firewall mapping

Date: 2023-05-05 09:40:11 Views: 201975 Author: 3674

Case 1: an internal server subnet needs Internet access (source NAT, one egress IP)

Requirement: the internal server subnet 172.16.1.0/24 needs to reach the Internet. 172.16.1.0/24 belongs to the trust zone; the Internet uplink interface belongs to the untrust zone.

Analysis: this calls for source NAT, translating the source address 172.16.1.0/24 to the address of the Internet-facing egress interface.

Configuration example:

set security nat source rule-set src-nat from zone trust
set security nat source rule-set src-nat to zone untrust
set security nat source rule-set src-nat rule 1 match source-address 172.16.1.0/24
set security nat source rule-set src-nat rule 1 match destination-address 0.0.0.0/0
set security nat source rule-set src-nat rule 1 then source-nat interface

Once the NAT configuration is complete, the corresponding security policy must also be opened (NAT alone does not permit any traffic):

set security zones security-zone trust address-book address 172.16.1.0/24 172.16.1.0/24
set security policies from-zone trust to-zone untrust policy 1 match source-address 172.16.1.0/24
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit

-------------------------------------------------------------------------------------------------

Case 2: an internal server subnet needs Internet access (source NAT, several egress IPs)
            
This approach is recommended when the internal network has more than 1000 IP addresses.

Requirement: when there are many internal addresses, a single NAT IP on the Internet interface can run out of NAT source ports (there are 65535 in total), which makes the network unstable. In that case a pool is needed so that several Internet IPs serve as egress addresses.

Analysis: configure source NAT with a pool; in this case the ten Internet addresses 111.111.111.111-111.111.111.120 form the NAT pool.

Configuration example (the proxy-arp entry is required so that the SRX answers ARP for pool addresses that are not configured on ge-0/0/0.0 itself):

set security nat source pool pool_111_111_111_111-120 address 111.111.111.111 to 111.111.111.120
set security nat proxy-arp interface ge-0/0/0.0 address 111.111.111.111 to 111.111.111.120
set security nat source rule-set src-nat from zone trust
set security nat source rule-set src-nat to zone untrust
set security nat source rule-set src-nat rule 1 match source-address 172.16.1.0/24
set security nat source rule-set src-nat rule 1 match destination-address 0.0.0.0/0
set security nat source rule-set src-nat rule 1 then source-nat pool pool_111_111_111_111-120

Once the NAT configuration is complete, the corresponding security policy must also be opened:

set security zones security-zone trust address-book address 172.16.1.0/24 172.16.1.0/24
set security policies from-zone trust to-zone untrust policy 1 match source-address 172.16.1.0/24
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit

-------------------------------------------------------------------------------------------------

Case 3: publishing a service to the Internet (destination NAT)

Requirement: publish port 443 of server 172.16.1.100 to the Internet.

Analysis: internal server 172.16.1.100; Internet interface IP 111.111.111.111.
Map port 443 of 172.16.1.100 to port 443 of 111.111.111.111, so that a client on the Internet connecting to 111.111.111.111:443 effectively reaches 172.16.1.100:443.

Configure the server NAT pool:

set security nat destination pool pool_172_16_1_100_443 address 172.16.1.100/32
set security nat destination pool pool_172_16_1_100_443 address port 443

Configure the destination NAT rule:

set security nat destination rule-set 1 from zone untrust
set security nat destination rule-set 1 rule dst-nat-rule1 match destination-address 111.111.111.111/32
set security nat destination rule-set 1 rule dst-nat-rule1 match destination-port 443
set security nat destination rule-set 1 rule dst-nat-rule1 match protocol tcp
set security nat destination rule-set 1 rule dst-nat-rule1 then destination-nat pool pool_172_16_1_100_443

Open the corresponding security policy (the policy matches the translated internal address 172.16.1.100, not the public address, because destination NAT is applied before the policy lookup; restricting the application to junos-https keeps only TCP 443 open to the server):

set security zones security-zone trust address-book address 172.16.1.100/32 172.16.1.100/32
set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address 172.16.1.100/32
set security policies from-zone untrust to-zone trust policy 1 match application junos-https
set security policies from-zone untrust to-zone trust policy 1 then permit
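The order in which the SRX applies NAT and the security policy is what decides which addresses the policies in case 1 and case 3 have to name. The following Python model is an added example, not code from the original post: it replays the case 1 source NAT rule and the case 3 destination NAT rule on a first packet in the order destination NAT, route lookup (to-zone), policy, source NAT, and shows that a policy written against the public address never matches. The routing table, the egress interface address and the client addresses are assumptions constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not from the original post: a minimal model of the order in
# which an SRX evaluates the first packet of a session, namely destination
# (or static) NAT, then the route lookup that picks the to-zone, then the
# security policy, and only then source NAT. The rules below restate the
# case 1 and case 3 configurations; routes and egress IP are assumptions.

def in_net(ip, cidr):
    """True if ip lies inside the CIDR block (0.0.0.0/0 matches everything)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

@dataclass
class Packet:
    from_zone: str
    src: str
    dst: str
    proto: str
    dport: int

# case 3: destination NAT for 111.111.111.111:443 -> 172.16.1.100:443
DST_NAT_RULES = [
    {"from_zone": "untrust", "dst": "111.111.111.111/32", "proto": "tcp",
     "dport": 443, "pool": ("172.16.1.100", 443)},
]
# case 1: interface source NAT for trust -> untrust
SRC_NAT_RULES = [
    {"from_zone": "trust", "to_zone": "untrust", "src": "172.16.1.0/24",
     "dst": "0.0.0.0/0"},
]
POLICIES = [
    {"from": "trust", "to": "untrust", "src": "172.16.1.0/24", "dst": "any", "app": "any"},
    {"from": "untrust", "to": "trust", "src": "any", "dst": "172.16.1.100/32", "app": "junos-https"},
]
# the same inbound policy written against the public address: a common mistake
WRONG_POLICIES = [
    {"from": "untrust", "to": "trust", "src": "any", "dst": "111.111.111.111/32", "app": "junos-https"},
]
APPS = {"any": None, "junos-https": ("tcp", 443)}
EGRESS_IP = "111.111.111.111"                                      # assumed address of ge-0/0/0.0
ROUTES = [("172.16.1.0/24", "trust"), ("0.0.0.0/0", "untrust")]   # constructed routing table

def zone_for(ip):
    """Longest-prefix match over the constructed routes; returns the egress zone."""
    matches = [r for r in ROUTES if in_net(ip, r[0])]
    return max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)[1]

def process(pkt, policies=POLICIES):
    """Return ("permit", (src, dst, dport)) as seen after NAT, or ("deny", reason)."""
    src, dst, dport = pkt.src, pkt.dst, pkt.dport
    # 1. destination NAT is applied before the policy lookup
    for r in DST_NAT_RULES:
        if (r["from_zone"] == pkt.from_zone and in_net(dst, r["dst"])
                and r["proto"] == pkt.proto and r["dport"] == dport):
            dst, dport = r["pool"]
            break
    # 2. the route lookup on the translated destination selects the to-zone
    to_zone = zone_for(dst)
    # 3. the policy sees post-destination-NAT, pre-source-NAT addresses
    for p in policies:
        if p["from"] != pkt.from_zone or p["to"] != to_zone:
            continue
        if p["src"] != "any" and not in_net(src, p["src"]):
            continue
        if p["dst"] != "any" and not in_net(dst, p["dst"]):
            continue
        app = APPS[p["app"]]
        if app is not None and app != (pkt.proto, dport):
            continue
        break
    else:
        return ("deny", f"no policy {pkt.from_zone}->{to_zone} matches {src}->{dst}:{dport}")
    # 4. source NAT is applied last, so the policy never sees the egress IP
    for r in SRC_NAT_RULES:
        if (r["from_zone"] == pkt.from_zone and r["to_zone"] == to_zone
                and in_net(src, r["src"]) and in_net(dst, r["dst"])):
            src = EGRESS_IP
            break
    return ("permit", (src, dst, dport))

if __name__ == "__main__":
    inbound = Packet("untrust", "203.0.113.5", "111.111.111.111", "tcp", 443)
    outbound = Packet("trust", "172.16.1.10", "198.51.100.7", "tcp", 80)
    print(process(inbound))                   # permit, destination rewritten to 172.16.1.100
    print(process(outbound))                  # permit, source rewritten to 111.111.111.111
    print(process(inbound, WRONG_POLICIES))   # deny: the policy against the public IP never matches
```

The third call is the instructive one: with destination NAT in front of the policy lookup, a policy whose destination is the public 111.111.111.111/32 can never match, which is why the case 3 policy names 172.16.1.100/32.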


-------------------------------------------------------------------------------------------------

Case 4: static address translation (subnet-to-subnet)

Requirement: when 10.128.0.0/16 accesses addresses in 10.31.255.0/24, the destination address is translated to 10.131.255.0/24;
when 10.31.255.0/24 accesses 10.128.0.0/16, the source address is translated to 10.131.255.0/24.

Analysis: configure static NAT. Although the rule is written between two subnets, hosts are translated with a fixed one-to-one correspondence, e.g. 10.31.255.1 maps to 10.131.255.1.

set security nat static rule-set static-nat from zone DMZ_OUT
set security nat static rule-set static-nat rule rule1 match source-address 10.128.0.0/16
set security nat static rule-set static-nat rule rule1 match destination-address 10.131.255.0/24
set security nat static rule-set static-nat rule rule1 then static-nat prefix 10.31.255.0/24

Open the corresponding security policy; the policy must use the addresses before translation:

set security policies from-zone trust to-zone untrust policy 1 match source-address 10.128.0.0/16
set security policies from-zone trust to-zone untrust policy 1 match destination-address 10.31.255.0/24
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit

-------------------------------------------------------------------------------------------------

Case 5: static address translation (one-to-one)

Requirement: map the public address 111.111.111.111 one-to-one to the server address 172.16.1.101.

set security nat static rule-set static-nat from zone untrust
set security nat static rule-set static-nat rule 1 match destination-address 111.111.111.111/32
set security nat static rule-set static-nat rule 1 then static-nat prefix 172.16.1.101/32
set security nat proxy-arp interface ge-0/0/0.0 address 111.111.111.111/32

Open the corresponding security policy (as in case 3, the destination is the internal address; the address-book entry it refers to must exist in the trust zone):

set security zones security-zone trust address-book address 172.16.1.101/32 172.16.1.101/32
set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address 172.16.1.101/32
set security policies from-zone untrust to-zone trust policy 1 match application any
set security policies from-zone untrust to-zone trust policy 1 then permit
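Every case above pairs a NAT rule with a security policy, and the two are easy to get out of step: the policy must name an address-book entry that exists in the zone it is matched against, and a NAT rule must point at a pool that was actually created. The following Python check is an added example, not code from the original post, and assumes the zone-attached address books used throughout these cases. The sample configuration is constructed for this example and contains two deliberate mistakes: the address-book entry name and the policy reference disagree on prefix length, and a source NAT rule names a pool that was never defined.

```python
import re
from collections import defaultdict

# Added example, not from the original post: a consistency check over Junos
# "set" commands of the kind shown in cases 1 to 5. It assumes zone-attached
# address books (set security zones security-zone X address-book ...).
# The configuration below is constructed and deliberately inconsistent.
SAMPLE = """
set security nat destination pool pool_172_16_1_100_443 address 172.16.1.100/32
set security nat destination pool pool_172_16_1_100_443 address port 443
set security nat destination rule-set 1 from zone untrust
set security nat destination rule-set 1 rule dst-nat-rule1 match destination-address 111.111.111.111/32
set security nat destination rule-set 1 rule dst-nat-rule1 match destination-port 443
set security nat destination rule-set 1 rule dst-nat-rule1 match protocol tcp
set security nat destination rule-set 1 rule dst-nat-rule1 then destination-nat pool pool_172_16_1_100_443
set security nat source rule-set src-nat from zone trust
set security nat source rule-set src-nat to zone untrust
set security nat source rule-set src-nat rule 1 match source-address 172.16.1.0/24
set security nat source rule-set src-nat rule 1 then source-nat pool pool_missing
set security zones security-zone trust address-book address 172.16.1.100/24 172.16.1.100/24
set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address 172.16.1.100/32
set security policies from-zone untrust to-zone trust policy 1 match application junos-https
set security policies from-zone untrust to-zone trust policy 1 then permit
"""

POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"match (source|destination)-address (\S+)$")
ADDR_RE = re.compile(
    r"^set security zones security-zone (\S+) address-book address (\S+) (\S+)$")
POOL_RE = re.compile(r"^set security nat (source|destination) pool (\S+) address ")
THEN_POOL_RE = re.compile(
    r"^set security nat (source|destination) rule-set (\S+) rule (\S+) then \S+ pool (\S+)$")

def lint(config_text):
    """Return a list of findings (an empty list means the references are consistent)."""
    addresses = defaultdict(set)   # zone -> address-book entry names
    pools = defaultdict(set)       # "source" / "destination" -> pool names
    policy_refs = []               # (zone the name must exist in, name, location)
    pool_refs = []                 # (NAT kind, pool name, location)
    for line in config_text.strip().splitlines():
        line = line.strip()
        if m := ADDR_RE.match(line):
            addresses[m.group(1)].add(m.group(2))
        elif m := POOL_RE.match(line):
            pools[m.group(1)].add(m.group(2))
        elif m := THEN_POOL_RE.match(line):
            pool_refs.append((m.group(1), m.group(4), f"rule-set {m.group(2)} rule {m.group(3)}"))
        elif m := POLICY_RE.match(line):
            from_zone, to_zone, pol, side, name = m.groups()
            # a source-address must exist in the from-zone book, a destination-address in the to-zone book
            zone = from_zone if side == "source" else to_zone
            policy_refs.append((zone, name, f"policy {pol} {side}-address"))
    findings = []
    for zone, name, where in policy_refs:
        if name != "any" and name not in addresses[zone]:
            findings.append(f"{where}: '{name}' is not defined in the {zone} zone address book")
    for kind, pool, where in pool_refs:
        if pool not in pools[kind]:
            findings.append(f"{where}: {kind} NAT pool '{pool}' is not defined")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Run against a real configuration, the input would be the output of `show configuration | display set`; the check reports the case-3 style mismatch (a 172.16.1.100/24 entry cannot satisfy a policy that names 172.16.1.100/32) and the undefined source NAT pool.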

-------------------------------------------------------------------------------------------------

NAT-related show commands:

show security flow session    # view active sessions

show security nat source rule all          # view configured source NAT rules and their state

show security nat destination rule all   # view configured destination NAT rules and their state

show security nat static rule all            # view configured static NAT rules and their state

 
