Juniper SRX NAT Explained

浪尽此生, posted 2019-12-22 00:00:21

Part 1: Introduction to Juniper SRX NAT

Network Address Translation (NAT) is a method of modifying the network address information in a packet header. It can rewrite the source and/or destination address of a packet, and it can translate port numbers as well as IP addresses.

NAT types:
1. Source NAT
   a. Interface-based source NAT
   b. Pool-based source NAT
2. Destination NAT
3. Static NAT

NAT rules:
The NAT type determines the order in which NAT rules are processed. While the first packet of a flow is being processed, NAT rules are applied in the following order:

  1. Static NAT rules
  2. Destination NAT rules
  3. Route lookup
  4. Security policy lookup
  5. Reverse mapping of static NAT rules
  6. Source NAT rules

The order matters for policy writing: destination and static NAT run before the security policy lookup, while source NAT runs after it. A security policy therefore has to match the translated (post-NAT) destination address but the original (pre-NAT) source address.

The figure below shows the NAT rule processing order.
[Figure: NAT rule processing order]

NAT rule sets:
In NAT, a rule set determines the direction of traffic it applies to, and a rule set contains one or more rules. Once traffic matches a rule set, the rules inside it are evaluated in order and the first matching rule specifies the action for that traffic. The match criteria a rule set can use differ between NAT types.

A rule set specifies a set of general match criteria for traffic. For static NAT and destination NAT, a rule set specifies one of the following:
• Source interface
• Source zone
• Source routing instance

root@Juniper-vSRX# set security nat destination rule-set dst-nat from ?
Possible completions:

  • interface Source interface list
  • routing-instance Source routing instance list
  • zone Source zone list
    [edit]

root@Juniper-vSRX# set security nat static rule-set static-nat from ?
Possible completions:

  • interface Source interface list
  • routing-instance Source routing instance list
  • zone Source zone list
    [edit]

For a source NAT rule set, both source and destination criteria are configured:
• Source interface, zone, or routing instance
• Destination interface, zone, or routing instance

root@Juniper-vSRX# set security nat source rule-set src-nat from ?
Possible completions:

  • interface Source interface list
  • routing-instance Source routing instance list
  • zone Source zone list
    [edit]

root@Juniper-vSRX# set security nat source rule-set src-nat to ?
Possible completions:

  • interface Destination interface list
  • routing-instance Destination routing instance list
  • zone Destination zone list
    [edit]

A packet can match more than one rule set; in that case, the rule set with the more specific match criteria is used. An interface match is considered more specific than a zone match, which in turn is more specific than a routing-instance match.

If a packet matches both a destination NAT rule set that specifies a source zone and one that specifies a source interface, the rule set specifying the source interface is the more specific match.

Source NAT rule set matching is more involved, because a source NAT rule set specifies both source and destination criteria. If a packet matches several source NAT rule sets, the rule set is chosen by the following source/destination combinations, in order of precedence:

  1. Source interface / destination interface
  2. Source zone / destination interface
  3. Source routing instance / destination interface
  4. Source interface / destination zone
  5. Source zone / destination zone
  6. Source routing instance / destination zone
  7. Source interface / destination routing instance
  8. Source zone / destination routing instance
  9. Source routing instance / destination routing instance

For example, you can configure rule set A, which specifies a source interface and a destination zone, and rule set B, which specifies a source zone and a destination interface. If a packet matches both rule sets, rule set B is the more specific match.

The figure below shows the precedence of NAT rule sets.
[Figure: NAT rule set precedence]
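The rule set selection described above, as an added example that is not part of the original post and not Junos code: a small Python model of the "most specific rule set wins" logic, using the nine-level source NAT precedence table and the single-criterion ordering (interface > zone > routing instance) for static and destination NAT rule sets. The `RuleSet`, `Packet` and `select_rule_set` names are this example's own; the rule sets A and B in the demo are the ones from the paragraph above.

```python
"""Model of Junos NAT rule set selection by match specificity (illustrative)."""
from dataclasses import dataclass
from typing import Optional, Iterable

# Match-criterion kinds, most specific first: interface > zone > routing-instance.
KINDS = ("interface", "zone", "routing-instance")

# Source NAT precedence table as (from_kind, to_kind), most specific first.
# The destination criterion is the primary key and the source criterion the
# secondary one, which reproduces the nine-entry list in the text exactly.
SRC_NAT_PRECEDENCE = [(f, t) for t in KINDS for f in KINDS]


@dataclass(frozen=True)
class RuleSet:
    name: str
    from_kind: str                  # "interface" | "zone" | "routing-instance"
    from_value: str
    to_kind: Optional[str] = None   # None for static / destination NAT rule sets
    to_value: Optional[str] = None


@dataclass(frozen=True)
class Packet:
    """The ingress and (post route lookup) egress attributes of a flow."""
    in_interface: str
    in_zone: str
    in_ri: str
    out_interface: str
    out_zone: str
    out_ri: str


_ATTR = {"interface": "interface", "zone": "zone", "routing-instance": "ri"}


def _matches(kind: str, value: str, pkt: Packet, side: str) -> bool:
    return getattr(pkt, f"{side}_{_ATTR[kind]}") == value


def matching_rule_sets(rule_sets: Iterable[RuleSet], pkt: Packet) -> list:
    """All rule sets whose from (and, if present, to) criteria match the packet."""
    found = []
    for rs in rule_sets:
        if not _matches(rs.from_kind, rs.from_value, pkt, "in"):
            continue
        if rs.to_kind is not None and not _matches(rs.to_kind, rs.to_value, pkt, "out"):
            continue
        found.append(rs)
    return found


def specificity_rank(rs: RuleSet) -> int:
    """Lower rank = more specific. Single-criterion rule sets use the kind order,
    source NAT rule sets use the nine-level table."""
    if rs.to_kind is None:
        return KINDS.index(rs.from_kind)
    return SRC_NAT_PRECEDENCE.index((rs.from_kind, rs.to_kind))


def select_rule_set(rule_sets: Iterable[RuleSet], pkt: Packet) -> Optional[RuleSet]:
    """Return the most specific matching rule set, or None if nothing matches."""
    candidates = matching_rule_sets(rule_sets, pkt)
    if not candidates:
        return None
    return min(candidates, key=specificity_rank)


if __name__ == "__main__":
    # Rule set A: source interface + destination zone (precedence level 4).
    # Rule set B: source zone + destination interface (precedence level 2).
    a = RuleSet("A", "interface", "ge-0/0/1.0", "zone", "untrust")
    b = RuleSet("B", "zone", "trust", "interface", "ge-0/0/0.0")
    pkt = Packet("ge-0/0/1.0", "trust", "default", "ge-0/0/0.0", "untrust", "default")
    print("selected:", select_rule_set([a, b], pkt).name)   # B
```

Running the module prints `selected: B`, matching the worked example in the text: both rule sets match the packet, but zone/interface (level 2) beats interface/zone (level 4).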

Part 2: Source NAT
1.1 Interface-based source NAT
[Figure: topology for interface-based source NAT]

When the internal network (zone trust) accesses the Internet (zone untrust), 192.168.100.0/24 is translated to 202.5.5.1, the IP address of the SRX's ge-0/0/0 interface, before leaving for the Internet.

a. Configure interface-based source NAT (the rule set is named src-i-nat, as in the `show security nat source rule all` output below)
set security nat source rule-set src-i-nat from zone trust
set security nat source rule-set src-i-nat to zone untrust
set security nat source rule-set src-i-nat rule 1 match source-address 192.168.100.0/24
set security nat source rule-set src-i-nat rule 1 match destination-address 0.0.0.0/0
set security nat source rule-set src-i-nat rule 1 then source-nat interface

b. Enable logging (the RT_FLOW_SESSION messages only reach a local syslog file when the device logs in event mode, `set security log mode event`; in stream mode they must be sent to an external collector instead)
set system syslog file nat-log any any
set system syslog file nat-log match RT_FLOW_SESSION

c. Define the address book entry and the security policy that allows 192.168.100.0/24 to reach the Internet, with session logging. The policy matches the original (pre-NAT) source address, since source NAT is applied after the policy lookup.
set security zones security-zone trust address-book address 192.168.100.0/24 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy 1 match source-address 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit
set security policies from-zone trust to-zone untrust policy 1 then log session-init
set security policies from-zone trust to-zone untrust policy 1 then log session-close

d. Check the status
(1) View the log (shows the NAT translation for each session)
root@Juniper-vSRX> show log nat-log
Apr 7 14:33:05 Juniper-vSRX clear-log[3384]: logfile cleared
Apr 7 14:33:16 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.100.10/60608->202.5.5.2/80 junos-http 202.5.5.1/26735->202.5.5.2/80 source rule 1 N/A N/A 6 1 trust untrust 13198 N/A(N/A) ge-0/0/1.0 UNKNOWN UNKNOWN UNKNOWN
Apr 7 14:33:23 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.168.100.10/60608->202.5.5.2/80 junos-http 202.5.5.1/26735->202.5.5.2/80 source rule 1 N/A N/A 6 1 trust untrust 13198 15(615) 10(526) 8 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/1.0 UNKNOWN

root@Juniper-vSRX>

(2) View the flow session
root@Juniper-vSRX> show security flow session
Session ID: 13238, Policy name: 1/9, Timeout: 294, Valid
In: 192.168.100.10/60608 --> 202.5.5.2/80;tcp, If: ge-0/0/1.0, Pkts: 3, Bytes: 124
Out: 202.5.5.2/80 --> 202.5.5.1/26735;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 44
Total sessions: 1

(3) View the source NAT rule
root@Juniper-vSRX> show security nat source rule all
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0

source NAT rule: 1 Rule-set: src-i-nat
Rule-Id : 1
Rule position : 1
From zone : trust
To zone : untrust
Match
Source addresses : 192.168.100.0 - 192.168.100.255
Destination addresses : 0.0.0.0 - 255.255.255.255
Action : interface
Persistent NAT type : N/A
Persistent NAT mapping type : address-port-mapping
Inactivity timeout : 0
Max session number : 0
Translation hits : 3045
Successful sessions : 3045
Failed sessions : 0
Number of sessions : 0

1.2 Pool-based source NAT
[Figure: topology for pool-based source NAT]

When the internal network (zone trust) accesses the Internet (zone untrust), 192.168.100.0/24 is translated to an address from the pool 202.66.30.1 to 202.66.30.6 before leaving for the Internet.

a. Configure pool-based source NAT
set security nat source pool nat-pool address 202.66.30.1/32 to 202.66.30.6/32
set security nat source rule-set src-p-nat from zone trust
set security nat source rule-set src-p-nat to zone untrust
set security nat source rule-set src-p-nat rule 1 match source-address 192.168.100.0/24
set security nat source rule-set src-p-nat rule 1 match destination-address 0.0.0.0/0
set security nat source rule-set src-p-nat rule 1 then source-nat pool nat-pool
set security nat proxy-arp interface ge-0/0/0.0 address 202.66.30.1/32 to 202.66.30.6/32
// Note: proxy ARP is needed when the pool addresses are in the same subnet as the untrust interface but are not the interface's own address, so that the SRX answers ARP requests for them. If the pool is in a different subnet from the interface, as 202.66.30.0/29 is from 202.5.5.1 here, proxy ARP does not help: the upstream router must instead have a route for the pool that points at the SRX.

b. Enable logging
set system syslog file nat-log any any
set system syslog file nat-log match RT_FLOW_SESSION

c. Define the address book entry and the security policy that allows 192.168.100.0/24 to reach the Internet, with session logging.
set security zones security-zone trust address-book address 192.168.100.0/24 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy 1 match source-address 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit
set security policies from-zone trust to-zone untrust policy 1 then log session-init
set security policies from-zone trust to-zone untrust policy 1 then log session-close

d. Check the NAT status
(1) View the log (shows the NAT translation for each session)
root@Juniper-vSRX> show log nat-log
Apr 7 14:16:13 Juniper-vSRX clear-log[3319]: logfile cleared
Apr 7 14:16:51 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.100.10/51074->202.5.5.2/23 junos-telnet 202.66.30.3/1907->202.5.5.2/23 source rule 1 N/A N/A 6 1 trust untrust 13187 N/A(N/A) ge-0/0/1.0 UNKNOWN UNKNOWN UNKNOWN
Apr 7 14:16:55 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.168.100.10/51074->202.5.5.2/23 junos-telnet 202.66.30.3/1907->202.5.5.2/23 source rule 1 N/A N/A 6 1 trust untrust 13187 12(512) 7(333) 4 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/1.0 UNKNOWN

(2) View the flow session
root@Juniper-vSRX> show security flow session
Session ID: 13245, Policy name: 1/9, Timeout: 8, Valid
In: 192.168.100.10/51074 --> 202.5.5.2/23;tcp, If: ge-0/0/1.0, Pkts: 3, Bytes: 132
Out: 202.5.5.2/23 --> 202.66.30.3/1907;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 44
Total sessions: 1

(3) View the source NAT rule
root@Juniper-vSRX> show security nat source rule all
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0

source NAT rule: 1 Rule-set: src-p-nat
Rule-Id : 2
Rule position : 1
From zone : trust
To zone : untrust
Match
Source addresses : 192.168.100.0 - 192.168.100.255
Destination addresses : 0.0.0.0 - 255.255.255.255
Action : nat-pool
Persistent NAT type : N/A
Persistent NAT mapping type : address-port-mapping
Inactivity timeout : 0
Max session number : 0
Translation hits : 1100
Successful sessions : 1100
Failed sessions : 0
Number of sessions : 0

Part 3: Destination NAT
[Figure: topology for destination NAT]

An internal web server is published to the outside: 202.5.5.1:8080 (the SRX's untrust interface address) is mapped to 192.168.100.10:80.

a. Configure destination NAT
set security nat destination pool dst-nat-pool1 address 192.168.100.10/32
set security nat destination pool dst-nat-pool1 address port 80
set security nat destination rule-set 1 from zone untrust
set security nat destination rule-set 1 rule dst-nat-rule1 match destination-address 202.5.5.1/32
set security nat destination rule-set 1 rule dst-nat-rule1 match destination-port 8080
set security nat destination rule-set 1 rule dst-nat-rule1 match protocol tcp
set security nat destination rule-set 1 rule dst-nat-rule1 then destination-nat pool dst-nat-pool1

b. Enable logging
set system syslog file nat-log any any
set system syslog file nat-log match RT_FLOW_SESSION

c. Define the address book entries and the policy that allows port 80 of 192.168.100.10/32 to be reached, with session logging. Because destination NAT runs before the policy lookup, the policy matches the translated address 192.168.100.10, not the public address 202.5.5.1; the name used in the policy (192.168.100.10/32) must exist in the trust zone address book or the commit fails. Restricting the application to junos-http keeps the exposure to the one port that is published.
set security zones security-zone trust address-book address 192.168.100.0/24 192.168.100.0/24
set security zones security-zone trust address-book address 192.168.100.10/32 192.168.100.10/32
set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address 192.168.100.10/32
set security policies from-zone untrust to-zone trust policy 1 match application junos-http
set security policies from-zone untrust to-zone trust policy 1 then permit
set security policies from-zone untrust to-zone trust policy 1 then log session-init
set security policies from-zone untrust to-zone trust policy 1 then log session-close

d. Check the NAT status
(1) View the log (shows the NAT translation for each session)
root@Juniper-vSRX> show log nat-log
Apr 7 15:28:43 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 202.5.5.2/13634->202.5.5.1/8080 junos-http 202.5.5.2/13634->192.168.100.10/80 N/A N/A destination rule dst-nat-rule1 6 1 untrust trust 13213 N/A(N/A) ge-0/0/0.0 UNKNOWN UNKNOWN UNKNOWN
Apr 7 15:29:31 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 202.5.5.2/13634->202.5.5.1/8080 junos-http 202.5.5.2/13634->192.168.100.10/80 N/A N/A destination rule dst-nat-rule1 6 1 untrust trust 13213 9(369) 6(366) 49 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN

(2) View the flow session
root@Juniper-vSRX> show security flow session
Session ID: 13213, Policy name: 1/6, Timeout: 290, Valid
In: 202.5.5.2/13634 --> 202.5.5.1/8080;tcp, If: ge-0/0/0.0, Pkts: 3, Bytes: 124
Out: 192.168.100.10/80 --> 202.5.5.2/13634;tcp, If: ge-0/0/1.0, Pkts: 1, Bytes: 44
Total sessions: 1

(3) View the destination NAT rule
root@Juniper-vSRX> show security nat destination rule all
Total destination-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 1/0

Destination NAT rule: dst-nat-rule1 Rule-set: 1
Rule-Id : 1
Rule position : 1
From zone : untrust
Destination addresses : 202.5.5.1 - 202.5.5.1
Destination port : 8080 - 8080
IP protocol : tcp
Action : dst-nat-pool1
Translation hits : 7
Successful sessions : 3
Failed sessions : 4
Number of sessions : 1

Part 4: Static NAT

[Figure: topology for static NAT]

Static NAT is a one-to-one mapping. It does not perform PAT and it needs no pool.
If traffic comes from zone untrust and its destination address is 202.5.5.253, the destination address is rewritten to 192.168.100.10; conversely, if traffic goes toward zone untrust and its source address is 192.168.100.10, the source address is rewritten to 202.5.5.253. The rule is written only in the inbound direction; the outbound translation comes from the reverse mapping of the static NAT rule (step 5 of the processing order in Part 1).

a. Configure static NAT
set security nat static rule-set static-nat from zone untrust
set security nat static rule-set static-nat rule 1 match destination-address 202.5.5.253/32
set security nat static rule-set static-nat rule 1 then static-nat prefix 192.168.100.10/32
set security nat proxy-arp interface ge-0/0/0.0 address 202.5.5.253/32
// Note: 202.5.5.253 is on the untrust segment but is not the interface's own address, so proxy ARP is needed for the SRX to answer ARP requests for it.

b. Enable logging
set system syslog file nat-log any any
set system syslog file nat-log match RT_FLOW_SESSION

c. Define the address book entries and the policies that allow 192.168.100.10/32 to initiate and receive connections, with session logging. The inbound policy matches the translated address 192.168.100.10 (static NAT runs before the policy lookup) and the name 192.168.100.10/32 must exist in the trust zone address book; the outbound policy matches the original source 192.168.100.0/24.
set security zones security-zone trust address-book address 192.168.100.0/24 192.168.100.0/24
set security zones security-zone trust address-book address 192.168.100.10/32 192.168.100.10/32
set security policies from-zone trust to-zone untrust policy 1 match source-address 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit
set security policies from-zone trust to-zone untrust policy 1 then log session-init
set security policies from-zone trust to-zone untrust policy 1 then log session-close

set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address 192.168.100.10/32
set security policies from-zone untrust to-zone trust policy 1 match application any
set security policies from-zone untrust to-zone trust policy 1 then permit
set security policies from-zone untrust to-zone trust policy 1 then log session-init
set security policies from-zone untrust to-zone trust policy 1 then log session-close

d. Check the NAT information
(1) View the log (shows the NAT translation for each session)
root@Juniper-vSRX> show log nat-log

Apr 7 17:14:03 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.100.10/59188->202.5.5.2/23 junos-telnet 202.5.5.253/59188->202.5.5.2/23 static rule 1 N/A N/A 6 1 trust untrust 13235 N/A(N/A) ge-0/0/1.0 UNKNOWN UNKNOWN UNKNOWN
Apr 7 17:14:19 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 202.5.5.2/13604->202.5.5.253/80 junos-http 202.5.5.2/13604->192.168.100.10/80 N/A N/A static rule 1 6 1 untrust trust 13236 N/A(N/A) ge-0/0/0.0 UNKNOWN UNKNOWN UNKNOWN
Apr 7 17:14:47 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.168.100.10/59188->202.5.5.2/23 junos-telnet 202.5.5.253/59188->202.5.5.2/23 static rule 1 N/A N/A 6 1 trust untrust 13235 24(1001) 19(850) 45 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/1.0 UNKNOWN
Apr 7 17:14:51 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 202.5.5.2/13604->202.5.5.253/80 junos-http 202.5.5.2/13604->192.168.100.10/80 N/A N/A static rule 1 6 1 untrust trust 13236 9(369) 6(366) 33 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN
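A parser for the RT_FLOW_SESSION lines shown in this part and in Parts 2 and 3, as an added example that is not part of the original post: it splits each CREATE/CLOSE message into the original and translated 5-tuples, the source and destination NAT rule that applied, policy, zones and session ID (plus packet/byte counters on CLOSE), classifies what was translated, and lists the internal hosts and ports that outside traffic reached through destination or static NAT. The sample lines are copied from the logs above; the field layout is derived from those lines only, so fields after the session ID beyond the counters are not parsed. `parse_log`, `nat_kind` and `exposed_services` are this example's own names.

```python
"""Parse Junos RT_FLOW_SESSION_CREATE/CLOSE syslog lines and audit NAT exposure."""
import re

# Sample lines taken from the session logs shown in this article.
SAMPLE_LOG = """\
Apr 7 14:33:16 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.100.10/60608->202.5.5.2/80 junos-http 202.5.5.1/26735->202.5.5.2/80 source rule 1 N/A N/A 6 1 trust untrust 13198 N/A(N/A) ge-0/0/1.0 UNKNOWN UNKNOWN UNKNOWN
Apr 7 14:33:23 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.168.100.10/60608->202.5.5.2/80 junos-http 202.5.5.1/26735->202.5.5.2/80 source rule 1 N/A N/A 6 1 trust untrust 13198 15(615) 10(526) 8 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/1.0 UNKNOWN
Apr 7 15:28:43 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 202.5.5.2/13634->202.5.5.1/8080 junos-http 202.5.5.2/13634->192.168.100.10/80 N/A N/A destination rule dst-nat-rule1 6 1 untrust trust 13213 N/A(N/A) ge-0/0/0.0 UNKNOWN UNKNOWN UNKNOWN
Apr 7 17:14:19 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 202.5.5.2/13604->202.5.5.253/80 junos-http 202.5.5.2/13604->192.168.100.10/80 N/A N/A static rule 1 6 1 untrust trust 13236 N/A(N/A) ge-0/0/0.0 UNKNOWN UNKNOWN UNKNOWN
"""

# One "ip/port" endpoint and one "<rule type> <rule name>" pair, with a name prefix.
_ENDPOINT = r"(?P<{p}_ip>[0-9a-fA-F.:]+)/(?P<{p}_port>\d+)"
_RULE = r"(?P<{p}_type>N/A|source rule|static rule|destination rule) (?P<{p}_name>\S+)"

LINE_RE = re.compile(
    r"RT_FLOW_SESSION_(?P<event>CREATE|CLOSE): session (?:created|closed (?P<reason>.+?):) "
    + _ENDPOINT.format(p="src") + "->" + _ENDPOINT.format(p="dst")
    + r" (?P<service>\S+) "
    + _ENDPOINT.format(p="nsrc") + "->" + _ENDPOINT.format(p="ndst") + " "
    + _RULE.format(p="snat") + " " + _RULE.format(p="dnat")
    + r" (?P<proto>\d+) (?P<policy>\S+) (?P<from_zone>\S+) (?P<to_zone>\S+) (?P<session_id>\d+)"
    # Present on CLOSE only: in pkts(bytes) out pkts(bytes) elapsed-seconds
    + r"(?: (?P<in_pkts>\d+)\((?P<in_bytes>\d+)\) (?P<out_pkts>\d+)\((?P<out_bytes>\d+)\) (?P<elapsed>\d+))?"
)

_INT_FIELDS = ("src_port", "dst_port", "nsrc_port", "ndst_port", "proto", "session_id",
               "in_pkts", "in_bytes", "out_pkts", "out_bytes", "elapsed")


def parse_line(line: str):
    """Return a dict for one RT_FLOW_SESSION line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in _INT_FIELDS:
        if rec[k] is not None:
            rec[k] = int(rec[k])
    return rec


def parse_log(text: str) -> list:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def nat_kind(rec: dict) -> str:
    """Which side of the 5-tuple the SRX rewrote: none, source, destination or both."""
    src_changed = (rec["src_ip"], rec["src_port"]) != (rec["nsrc_ip"], rec["nsrc_port"])
    dst_changed = (rec["dst_ip"], rec["dst_port"]) != (rec["ndst_ip"], rec["ndst_port"])
    return {(False, False): "none", (True, False): "source",
            (False, True): "destination", (True, True): "both"}[(src_changed, dst_changed)]


def exposed_services(records: list, outside_zone: str = "untrust") -> set:
    """(internal host, port, rule) triples that outside traffic reached via
    destination or static NAT; useful to audit what is actually published."""
    return {
        (r["ndst_ip"], r["ndst_port"], f'{r["dnat_type"]} {r["dnat_name"]}')
        for r in records
        if r["event"] == "CREATE" and r["from_zone"] == outside_zone
        and nat_kind(r) in ("destination", "both")
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r["event"], r["session_id"], nat_kind(r),
              f'{r["src_ip"]}:{r["src_port"]}->{r["dst_ip"]}:{r["dst_port"]}',
              "=>", f'{r["nsrc_ip"]}:{r["nsrc_port"]}->{r["ndst_ip"]}:{r["ndst_port"]}')
    for host, port, rule in sorted(exposed_services(recs)):
        print("exposed:", host, port, "via", rule)
```

Inbound static NAT shows up as a destination rewrite with rule type "static rule", while outbound static NAT shows up as a source rewrite under the same rule; comparing the two tuples rather than trusting the rule-type field alone is what makes the exposure listing complete.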

(2) View the flow sessions
root@Juniper-vSRX> show security flow session
Session ID: 13235, Policy name: 1/9, Timeout: 1780, Valid
In: 192.168.100.10/59188 --> 202.5.5.2/23;tcp, If: ge-0/0/1.0, Pkts: 15, Bytes: 635
Out: 202.5.5.2/23 --> 202.5.5.253/59188;tcp, If: ge-0/0/0.0, Pkts: 11, Bytes: 518

Session ID: 13236, Policy name: 1/6, Timeout: 294, Valid
In: 202.5.5.2/13604 --> 202.5.5.253/80;tcp, If: ge-0/0/0.0, Pkts: 3, Bytes: 124
Out: 192.168.100.10/80 --> 202.5.5.2/13604;tcp, If: ge-0/0/1.0, Pkts: 1, Bytes: 44
Total sessions: 2

(3) View the static NAT rule
root@Juniper-vSRX> show security nat static rule all
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0

Static NAT rule: 1 Rule-set: static-nat
Rule-Id : 1
Rule position : 1
From zone : untrust
Destination addresses : 202.5.5.253
Host addresses : 192.168.100.10
Netmask : 32
Host routing-instance : N/A
Translation hits : 5
Successful sessions : 5
Failed sessions : 0
Number of sessions : 0
