发布时间 : 星期日 文章Juniper SRX3000工程开工指导书更新完毕开始阅读6612c87fa26925c52cc5bfaa
Juniper防火墙工程开通指导书
set security policies from-zone trust to-zone untrust policy 1 then permit
上述配置定义Policy策略,允许Trust zone 10.1.2.2地址访问Untrust方向任何地址,根据前面的NAT配置,SRX在建立session时自动执行接口源地址转换。
3.1.8.2 Pool based Source NAT
NAT:
set security nat source pool pool-1 address 100.1.1.10 to 100.1.1.20 set security nat source rule-set 1 from zone trust set security nat source rule-set 1 to zone untrust
set security nat source rule-set 1 rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
set security nat source rule-set 1 rule rule1 then source-nat pool pool-1
set security nat proxy-arp interface ge-0/0/2 address 100.1.1.10 to 100.1.1.20
上述配置表示从trust方向(any)到untrust方向(any)访问时提供源地址转换,源地址池为pool1(100.1.1.10 -100.1.1.20),同时ge-0/0/2接口为此pool IP提供ARP代理。需要注意的是:定义Pool时不需要与Zone及接口进行关联。配置proxy-arp目的是让返回包能够送达SRX,如果Pool与出接口IP不在同一子网,则对端设备需要配置指向100.1.1.1的Pool地址路由。
Policy:
set security policies from-zone trust to-zone untrust policy 1 match source-address 10.1.1.2 set security policies from-zone trust to-zone untrust policy 1 match destination-address any set security policies from-zone trust to-zone untrust policy 1 match application any set security policies from-zone trust to-zone untrust policy 1 then permit
上述配置定义Policy策略,允许Trust zone 10.1.2.2地址访问Untrust方向任何地址,根据前面的NAT配置,SRX在建立session时自动执行源地址转换。
3.1.8.3 Pool base destination NAT
第33页
Juniper防火墙工程开通指导书
NAT:
set security nat destination pool 111 address 192.168.1.100/32 set security nat destination rule-set 1 from zone untrust
set security nat destination rule-set 1 rule 111 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 111 match destination-address 100.100.100.100/32 set security nat destination rule-set 1 rule 111 then destination-nat pool 111
上述配置将外网any访问100.100.100.100地址映射到内网192.168.1.100地址,注意:定义的Dst Pool是内网真实IP地址,而不是映射前的公网地址。这点和Src-NAT Pool有所区别。
Policy:
set security policies from-zone trust to-zone untrust policy 1 match source-address any
set security policies from-zone trust to-zone untrust policy 1 match destination-address 192.168.1.100
set security policies from-zone trust to-zone untrust policy 1 match application any set security policies from-zone trust to-zone untrust policy 1 then permit
上述配置定义Policy策略,允许Untrust方向任何地址访问Trust方向192.168.1.100,根据前面的NAT配置,公网访问100.100.100.100时,SRX自动执行到192.168.1.100的目的地址转换。
ScreenOS VIP功能对应的SRX Dst-nat配置:
set security nat destination pool 222 address 192.168.1.200/32 port 8000 set security nat destination rule-set 1 from zone untrust
set security nat destination rule-set 1 rule 111 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 111 match destination-address 100.100.100.100/32 set security nat destination rule-set 1 rule 111 match destination-port 8000 set security nat destination rule-set 1 rule 111 then destination-nat pool 222
上述NAT配置定义:访问100.100.100.100地址8000端口映射至192.168.1.200地址8000端口,功能与ScreenOS VIP端口映射一致。
3.1.8.4 Pool base Static NAT
第34页
Juniper防火墙工程开通指导书
NAT:
set security nat static rule-set static-nat from zone untrust
set security nat static rule-set static-nat rule rule1 match destination-address 100.100.100.100
set security nat static rule-set static-nat rule rule1 then static-nat prefix 192.168.1.200 Policy:
set security policies from-zone trust to-zone untrust policy 1 match source-address any
set security policies from-zone trust to-zone untrust policy 1 match destination-address 192.168.1.200
set security policies from-zone trust to-zone untrust policy 1 match application any set security policies from-zone trust to-zone untrust policy 1 then permit
Static NAT概念与ScreenOS MIP一致,属于静态双向一对一NAT,上述配置表示访问100.100.100.100时转换为192.168.1.200,当192.168.1.200访问Internet时自动转换为100.100.100.100。
3.1.8.5 定义NAT的proxy-arp
第35页
Juniper防火墙工程开通指导书
SRX不会自动为NAT规则生成proxy-arp配置,因此如果NAT地址翻译之后的地址跟出向接口地址不同但在同一网络内时,必须手工配置相应接口proxy-arp以代理相关IP地址的ARP查询回应,否则下一条设备会由于不能通过ARP得到NAT地址的MAC地址而不能构造完整的二层以太网帧头导致通信失败。
set security nat proxy-arp interface ge-0/0/3 address 218.201.200.139/32 set security nat proxy-arp interface ge-0/0/3 address 218.201.200.140/32
3.1.9 VPN配置
RX IPSEC VPN支持Site-to-Site VPN 和基于NS-remote的拨号VPN,和ScreenOS一样,site-to-site VPN也支持路由模式和Policy模式,在配置方面也和ScreenOS基本一致。SRX中的加密/验证算法在命名上和ScreenOS存在一些区别,配置过程中建议选择ike和ipsec的proposal为 standard模式,standard中包含SRX支持的全部加密/验证算法,只要对端设备支持其中任何一种即可。SRX中通道接口使用st0接口,对应ScreenOS中的tunnel虚拟接口。
下面是图中左侧SRX基于路由方式Site-to-site VPN配置:
set interfaces st0 unit 0 family inet address 10.2.0.1/24 set security zones security-zone untrust interfaces st0.0 set routing-options static route 10.1.2.0/24 next-hop st0.0
定义st0 tunnel接口地址/Zone及通过VPN通道到对端网络路由 set security ike policy ABC mode main
set security ike policy ABC proposal-set standard
set security ike policy ABC pre-shared-key ascii-text juniper
定义IKE Phase1 policy参数,main mode,standard proposal及预共享密钥方式 set security ike gateway gw1 ike-policy ABC set security ike gateway gw1 address 10.0.2.1
set security ike gateway gw1 external-interface ge-0/0/1.0
定义IKE gaeway参数,预共享密钥认证,对端网关10.0.2.1,出接口ge-0/0/1(位于untrust zone)
set security ipsec policy AAA proposal-set standard set security ipsec vpn vpn1 bind-interface st0.0 set security ipsec vpn vpn1 ike gateway gw1
第36页