Part 1: Introduction to Juniper SRX NAT
Network Address Translation (NAT) is a method of modifying or translating the network address information in a packet header. The source and/or destination address of a packet can be translated, and the translation can cover port numbers as well as IP addresses.
NAT types:
1. Source NAT
   a. Interface-based source NAT
   b. Pool-based source NAT
2. Destination NAT
3. Static NAT
NAT rules:
The NAT type determines the order in which NAT rules are processed. While the first packet of a flow is being processed, NAT rules are applied in the following order:
- Static NAT rules
- Destination NAT rules
- Route lookup
- Security policy lookup
- Reverse-mapping static NAT rules
- Source NAT rules
Because static and destination NAT run before the policy lookup while source NAT runs after it, a security policy must match the translated destination address but the original (untranslated) source address. The figure below shows the NAT rule processing order.
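The following Python model walks one packet through the six steps above using the addresses of the interface source NAT, destination NAT and static NAT labs in Parts 2 to 4. It is an added example, not code from the original post or from Juniper. Putting all three labs on one box at the same time, the routing table, and the rule and policy data structures are this example's assumptions. It shows why the inbound policies later in the post match 192.168.100.10 rather than the public address: destination and static NAT have already run when the policy lookup happens, while source NAT has not.

```python
"""Model of the first-packet order listed above: static NAT, destination NAT,
route lookup, policy lookup, reverse static NAT, source NAT. Added example, not
code from the original post or from Juniper; it assumes the post's three labs
(Parts 2 to 4) sit on one box, and the routing table below is assumed too."""
from collections import namedtuple
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

Pkt = namedtuple("Pkt", "src sport dst dport proto in_zone")
# static rule-set: from zone, match destination public, then prefix host (/32 mapping only)
StaticNat = namedtuple("StaticNat", "from_zone public host")
# destination rule-set: from zone, match dst/port/proto, then pool addr:port
DestNat = namedtuple("DestNat", "from_zone dst dport proto pool_addr pool_port")
# source rule-set: from zone, to zone, match source, then source-nat interface
SourceNat = namedtuple("SourceNat", "from_zone to_zone src egress_ip")
# security policy; dport None stands for "application any"
Policy = namedtuple("Policy", "from_zone to_zone src dst dport action")


def in_net(addr: str, cidr: str) -> bool:
    return ip_address(addr) in ip_network(cidr, strict=False)


ROUTES = {"192.168.100.0/24": "trust", "0.0.0.0/0": "untrust"}  # assumed: prefix -> egress zone
STATIC = [StaticNat("untrust", "202.5.5.253", "192.168.100.10")]                # Part 4
DNAT = [DestNat("untrust", "202.5.5.1/32", 8080, "tcp", "192.168.100.10", 80)]  # Part 3
SNAT = [SourceNat("trust", "untrust", "192.168.100.0/24", "202.5.5.1")]         # Part 2
POLICIES = [
    Policy("trust", "untrust", "192.168.100.0/24", "0.0.0.0/0", None, "permit"),
    Policy("untrust", "trust", "0.0.0.0/0", "192.168.100.10/32", 80, "permit"),
]
# Common mistake: the inbound policy written against the public (pre-NAT) address.
WRONG_POLICIES = [Policy("untrust", "trust", "0.0.0.0/0", "202.5.5.1/32", 8080, "permit")]


def route_zone(dst: str) -> str:
    """Longest-prefix match over ROUTES; returns the egress zone."""
    return ROUTES[max((n for n in ROUTES if in_net(dst, n)), key=lambda n: ip_network(n).prefixlen)]


def first_packet(p: Pkt, static=STATIC, dnat=DNAT, snat=SNAT, policies=POLICIES
                 ) -> Tuple[Pkt, str, str, List[str]]:
    """Return (translated packet, egress zone, policy verdict, NAT steps that fired)."""
    trace: List[str] = []
    for r in static:  # 1. static NAT on the destination; a hit means destination NAT is skipped
        if p.in_zone == r.from_zone and p.dst == r.public:
            p = p._replace(dst=r.host)
            trace.append("static-nat")
            break
    else:
        for r in dnat:  # 2. destination NAT
            if (p.in_zone == r.from_zone and in_net(p.dst, r.dst)
                    and p.dport == r.dport and p.proto == r.proto):
                p = p._replace(dst=r.pool_addr, dport=r.pool_port)
                trace.append("destination-nat")
                break
    to_zone = route_zone(p.dst)  # 3. route lookup uses the translated destination
    verdict = "deny"  # 4. policy lookup: original source, translated destination; default deny
    for pol in policies:
        if ((pol.from_zone, pol.to_zone) == (p.in_zone, to_zone)
                and in_net(p.src, pol.src) and in_net(p.dst, pol.dst)
                and (pol.dport is None or pol.dport == p.dport)):
            verdict = pol.action
            break
    if verdict != "permit":
        return p, to_zone, verdict, trace
    for r in static:  # 5. reverse static NAT on the source; when it applies, source NAT is skipped
        if to_zone == r.from_zone and p.src == r.host:
            trace.append("reverse-static-nat")
            return p._replace(src=r.public), to_zone, verdict, trace
    for r in snat:  # 6. source NAT (the source port the device picks is not modelled)
        if (r.from_zone, r.to_zone) == (p.in_zone, to_zone) and in_net(p.src, r.src):
            p = p._replace(src=r.egress_ip)
            trace.append("source-nat")
            break
    return p, to_zone, verdict, trace
```

first_packet() returns the translated packet, the egress zone, the policy verdict and the NAT steps that fired. Running the inbound 202.5.5.1:8080 packet against WRONG_POLICIES, whose policy matches the pre-NAT address, yields deny even though the destination NAT rule itself fired; that is the failure mode behind most "my port forward does not work" tickets on the SRX.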
NAT rule sets:
A rule set determines the direction of the traffic it applies to and contains one or more rules. Once a rule set matches a flow, the rules inside it are evaluated in order and the first matching rule specifies the action taken on that flow. The match conditions a rule set can use differ between NAT types.
A rule set specifies a set of general match conditions for traffic. For static NAT and destination NAT, a rule set specifies one of the following:
- Source interface
- Source zone
- Source routing instance
root@Juniper-vSRX# set security nat destination rule-set dst-nat from ?
Possible completions:
- interface Source interface list
- routing-instance Source routing instance list
- zone Source zone list
[edit]
root@Juniper-vSRX# set security nat static rule-set static-nat from ?
Possible completions:
- interface Source interface list
- routing-instance Source routing instance list
- zone Source zone list
[edit]
For a source NAT rule set, both source and destination conditions are configured:
- Source interface, zone, or routing instance
- Destination interface, zone, or routing instance
root@Juniper-vSRX# set security nat source rule-set src-nat from ?
Possible completions:
- interface Source interface list
- routing-instance Source routing instance list
- zone Source zone list
[edit]
root@Juniper-vSRX# set security nat source rule-set src-nat to ?
Possible completions:
- interface Destination interface list
- routing-instance Destination routing instance list
- zone Destination zone list
[edit]
A packet can match more than one rule set; in that case the rule set with the more specific match conditions is used. An interface match is considered more specific than a zone match, which in turn is more specific than a routing-instance match.
If a packet matches both a destination NAT rule set that specifies a source zone and a destination NAT rule set that specifies a source interface, the rule set specifying the source interface is the more specific match.
Matching source NAT rule sets is more involved, because a source NAT rule set specifies both source and destination conditions. If a packet matches multiple source NAT rule sets, the rule set is chosen according to the following source/destination conditions, in order of precedence:
- Source interface / destination interface
- Source zone / destination interface
- Source routing instance / destination interface
- Source interface / destination zone
- Source zone / destination zone
- Source routing instance / destination zone
- Source interface / destination routing instance
- Source zone / destination routing instance
- Source routing instance / destination routing instance
For example, rule set A might specify a source interface and a destination zone, and rule set B a source zone and a destination interface. If a packet matches both rule sets, rule set B is the more specific match.
The figure below shows NAT rule-set precedence.
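As an added example (not code from the original post or from Juniper), the following Python function picks a rule set the way the precedence above describes: a candidate must match on its from side and, for source NAT, on its to side; among the candidates the one with the best precedence rank wins. The nine-row source NAT table is encoded with the destination scope as the major key and the source scope as the minor key, which reproduces the order listed above. The interface and zone names, and raising an error on a tie between two equally specific rule sets, are this example's assumptions rather than documented SRX behaviour.

```python
"""Rule-set selection when a packet matches more than one NAT rule set, using the
precedence described above (interface > zone > routing-instance; for source NAT
the nine source/destination combinations in the listed order). Added example,
not code from the original post; tie handling is this example's choice."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SCOPES = ("interface", "zone", "routing-instance")  # most to least specific


@dataclass(frozen=True)
class FlowContext:
    """Ingress side of the first packet and, after route lookup, its egress side."""
    in_interface: str
    in_zone: str
    in_ri: str
    out_interface: str
    out_zone: str
    out_ri: str

    def value(self, side: str, scope: str) -> str:
        field = {"interface": "interface", "zone": "zone", "routing-instance": "ri"}[scope]
        return getattr(self, f"{side}_{field}")


@dataclass(frozen=True)
class RuleSet:
    name: str
    from_scope: str
    from_values: Tuple[str, ...]
    to_scope: Optional[str] = None  # static and destination NAT rule sets have no "to" side
    to_values: Tuple[str, ...] = ()

    def matches(self, ctx: FlowContext) -> bool:
        if ctx.value("in", self.from_scope) not in self.from_values:
            return False
        return self.to_scope is None or ctx.value("out", self.to_scope) in self.to_values

    def precedence(self) -> int:
        """Lower is more specific. With a "to" side this reproduces the nine-row
        table above: destination scope is the major key, source scope the minor."""
        f = SCOPES.index(self.from_scope)
        if self.to_scope is None:
            return f
        return SCOPES.index(self.to_scope) * len(SCOPES) + f


def select_rule_set(ctx: FlowContext, rule_sets: List[RuleSet]) -> Optional[RuleSet]:
    """Return the most specific matching rule set, or None when nothing matches."""
    hits = sorted((rs for rs in rule_sets if rs.matches(ctx)), key=RuleSet.precedence)
    if not hits:
        return None
    if len(hits) > 1 and hits[0].precedence() == hits[1].precedence():
        raise ValueError(f"ambiguous rule sets: {hits[0].name}, {hits[1].name}")
    return hits[0]


# The worked example above: A is from interface / to zone, B is from zone / to interface.
RULESET_A = RuleSet("A", "interface", ("ge-0/0/1.0",), "zone", ("untrust",))
RULESET_B = RuleSet("B", "zone", ("trust",), "interface", ("ge-0/0/0.0",))
# Destination NAT rule sets only carry a "from" side.
DST_BY_ZONE = RuleSet("dst-zone", "zone", ("untrust",))
DST_BY_IFACE = RuleSet("dst-iface", "interface", ("ge-0/0/0.0",))

# Assumed topology: ge-0/0/1.0 in zone trust, ge-0/0/0.0 in zone untrust, one routing instance.
OUTBOUND = FlowContext("ge-0/0/1.0", "trust", "default", "ge-0/0/0.0", "untrust", "default")
INBOUND = FlowContext("ge-0/0/0.0", "untrust", "default", "ge-0/0/1.0", "trust", "default")
```

For the outbound flow both A and B match, and B wins because "source zone / destination interface" ranks above "source interface / destination zone"; for the inbound flow the interface-scoped destination NAT rule set beats the zone-scoped one, exactly as the text states.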
Part 2: Source NAT
2.1 Interface-based source NAT
When the internal network (zone trust) reaches the Internet (zone untrust), 192.168.100.0/24 is translated to 202.5.5.1, the IP address of the SRX's ge-0/0/0 interface.
a. Configure interface-based source NAT
set security nat source rule-set src-i-nat from zone trust
set security nat source rule-set src-i-nat to zone untrust
set security nat source rule-set src-i-nat rule 1 match source-address 192.168.100.0/24
set security nat source rule-set src-i-nat rule 1 match destination-address 0.0.0.0/0
set security nat source rule-set src-i-nat rule 1 then source-nat interface
b. Enable logging
set system syslog file nat-log any any
set system syslog file nat-log match RT_FLOW_SESSION
c. Define the address book entry and a policy that allows 192.168.100.0/24 to reach the Internet, with session logging
set security zones security-zone trust address-book address 192.168.100.0/24 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy 1 match source-address 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit
set security policies from-zone trust to-zone untrust policy 1 then log session-init
set security policies from-zone trust to-zone untrust policy 1 then log session-close
d. Check status
(1) View the log (shows the NAT translations)
root@Juniper-vSRX> show log nat-log
Apr 7 14:33:05 Juniper-vSRX clear-log[3384]: logfile cleared
Apr 7 14:33:16 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.100.10/60608->202.5.5.2/80 junos-http 202.5.5.1/26735->202.5.5.2/80 source rule 1 N/A N/A 6 1 trust untrust 13198 N/A(N/A) ge-0/0/1.0 UNKNOWN UNKNOWN UNKNOWN
Apr 7 14:33:23 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.168.100.10/60608->202.5.5.2/80 junos-http 202.5.5.1/26735->202.5.5.2/80 source rule 1 N/A N/A 6 1 trust untrust 13198 15(615) 10(526) 8 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/1.0 UNKNOWN
root@Juniper-vSRX>
(2) View the flow session
root@Juniper-vSRX> show security flow session
Session ID: 13238, Policy name: 1/9, Timeout: 294, Valid
In: 192.168.100.10/60608 --> 202.5.5.2/80;tcp, If: ge-0/0/1.0, Pkts: 3, Bytes: 124
Out: 202.5.5.2/80 --> 202.5.5.1/26735;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 44
Total sessions: 1
(3) View the source NAT rule
root@Juniper-vSRX> show security nat source rule all
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0
source NAT rule: 1 Rule-set: src-i-nat
Rule-Id : 1
Rule position : 1
From zone : trust
To zone : untrust
Match
Source addresses : 192.168.100.0 - 192.168.100.255
Destination addresses : 0.0.0.0 - 255.255.255.255
Action : interface
Persistent NAT type : N/A
Persistent NAT mapping type : address-port-mapping
Inactivity timeout : 0
Max session number : 0
Translation hits : 3045
Successful sessions : 3045
Failed sessions : 0
Number of sessions : 0
2.2 Pool-based source NAT
When the internal network (zone trust) reaches the Internet (zone untrust), 192.168.100.0/24 is translated to addresses from the pool 202.66.30.1 to 202.66.30.6.
a. Configure pool-based source NAT
set security nat source pool nat-pool address 202.66.30.1/32 to 202.66.30.6/32
set security nat source rule-set src-p-nat from zone trust
set security nat source rule-set src-p-nat to zone untrust
set security nat source rule-set src-p-nat rule 1 match source-address 192.168.100.0/24
set security nat source rule-set src-p-nat rule 1 match destination-address 0.0.0.0/0
set security nat source rule-set src-p-nat rule 1 then source-nat pool nat-pool
set security nat proxy-arp interface ge-0/0/0.0 address 202.66.30.1/32 to 202.66.30.6/32
Note: proxy ARP is what makes the SRX answer ARP for pool addresses that are not configured on the interface, so it is required when the pool is in the same subnet as the untrust interface address. When the pool is in a different subnet (as 202.66.30.0/24 is relative to 202.5.5.1 here), proxy ARP on its own does not make the pool reachable; the upstream router must have a route for the pool subnet that points at the SRX.
b. Enable logging
set system syslog file nat-log any any
set system syslog file nat-log match RT_FLOW_SESSION
c. Define the address book entry and a policy that allows 192.168.100.0/24 to reach the Internet, with session logging
set security zones security-zone trust address-book address 192.168.100.0/24 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy 1 match source-address 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit
set security policies from-zone trust to-zone untrust policy 1 then log session-init
set security policies from-zone trust to-zone untrust policy 1 then log session-close
d. Check NAT status
(1) View the log (shows the NAT translations)
root@Juniper-vSRX> show log nat-log
Apr 7 14:16:13 Juniper-vSRX clear-log[3319]: logfile cleared
Apr 7 14:16:51 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.100.10/51074->202.5.5.2/23 junos-telnet 202.66.30.3/1907->202.5.5.2/23 source rule 1 N/A N/A 6 1 trust untrust 13187 N/A(N/A) ge-0/0/1.0 UNKNOWN UNKNOWN UNKNOWN
Apr 7 14:16:55 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.168.100.10/51074->202.5.5.2/23 junos-telnet 202.66.30.3/1907->202.5.5.2/23 source rule 1 N/A N/A 6 1 trust untrust 13187 12(512) 7(333) 4 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/1.0 UNKNOWN
(2) View the flow session
root@Juniper-vSRX> show security flow session
Session ID: 13245, Policy name: 1/9, Timeout: 8, Valid
In: 192.168.100.10/51074 --> 202.5.5.2/23;tcp, If: ge-0/0/1.0, Pkts: 3, Bytes: 132
Out: 202.5.5.2/23 --> 202.66.30.3/1907;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 44
Total sessions: 1
(3) View the source NAT rule
root@Juniper-vSRX> show security nat source rule all
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0
source NAT rule: 1 Rule-set: src-p-nat
Rule-Id : 2
Rule position : 1
From zone : trust
To zone : untrust
Match
Source addresses : 192.168.100.0 - 192.168.100.255
Destination addresses : 0.0.0.0 - 255.255.255.255
Action : nat-pool
Persistent NAT type : N/A
Persistent NAT mapping type : address-port-mapping
Inactivity timeout : 0
Max session number : 0
Translation hits : 1100
Successful sessions : 1100
Failed sessions : 0
Number of sessions : 0
Part 3: Destination NAT
The company's internal web server is published to the outside: 202.5.5.1:8080 is mapped to 192.168.100.10:80.
a. Configure destination NAT
set security nat destination pool dst-nat-pool1 address 192.168.100.10/32
set security nat destination pool dst-nat-pool1 address port 80
set security nat destination rule-set 1 from zone untrust
set security nat destination rule-set 1 rule dst-nat-rule1 match destination-address 202.5.5.1/32
set security nat destination rule-set 1 rule dst-nat-rule1 match destination-port 8080
set security nat destination rule-set 1 rule dst-nat-rule1 match protocol tcp
set security nat destination rule-set 1 rule dst-nat-rule1 then destination-nat pool dst-nat-pool1
b. Enable logging
set system syslog file nat-log any any
set system syslog file nat-log match RT_FLOW_SESSION
c. Define the address book entries and a policy that allows port 80 on 192.168.100.10/32 to be reached, with session logging. The policy matches the translated destination 192.168.100.10 rather than the public address 202.5.5.1, because destination NAT has already been applied when the policy lookup runs; a policy written against 202.5.5.1 never matches. The address referenced by the policy must exist in the trust zone address book, so 192.168.100.10/32 is added alongside the /24.
set security zones security-zone trust address-book address 192.168.100.0/24 192.168.100.0/24
set security zones security-zone trust address-book address 192.168.100.10/32 192.168.100.10/32
set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address 192.168.100.10/32
set security policies from-zone untrust to-zone trust policy 1 match application junos-http
set security policies from-zone untrust to-zone trust policy 1 then permit
set security policies from-zone untrust to-zone trust policy 1 then log session-init
set security policies from-zone untrust to-zone trust policy 1 then log session-close
d. Check NAT status
(1) View the log (shows the NAT translations)
root@Juniper-vSRX> show log nat-log
Apr 7 15:28:43 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 202.5.5.2/13634->202.5.5.1/8080 junos-http 202.5.5.2/13634->192.168.100.10/80 N/A N/A destination rule dst-nat-rule1 6 1 untrust trust 13213 N/A(N/A) ge-0/0/0.0 UNKNOWN UNKNOWN UNKNOWN
Apr 7 15:29:31 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 202.5.5.2/13634->202.5.5.1/8080 junos-http 202.5.5.2/13634->192.168.100.10/80 N/A N/A destination rule dst-nat-rule1 6 1 untrust trust 13213 9(369) 6(366) 49 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN
(2) View the flow session
root@Juniper-vSRX> show security flow session
Session ID: 13213, Policy name: 1/6, Timeout: 290, Valid
In: 202.5.5.2/13634 --> 202.5.5.1/8080;tcp, If: ge-0/0/0.0, Pkts: 3, Bytes: 124
Out: 192.168.100.10/80 --> 202.5.5.2/13634;tcp, If: ge-0/0/1.0, Pkts: 1, Bytes: 44
Total sessions: 1
(3) View the destination NAT rule
root@Juniper-vSRX> show security nat destination rule all
Total destination-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 1/0
Destination NAT rule: dst-nat-rule1 Rule-set: 1
Rule-Id : 1
Rule position : 1
From zone : untrust
Destination addresses : 202.5.5.1 - 202.5.5.1
Destination port : 8080 - 8080
IP protocol : tcp
Action : dst-nat-pool1
Translation hits : 7
Successful sessions : 3
Failed sessions : 4
Number of sessions : 1
Part 4: Static NAT
Static NAT is a one-to-one mapping. It does not perform PAT and does not need a pool.
If traffic arrives from zone untrust with destination address 202.5.5.253, the destination is rewritten to 192.168.100.10; conversely, if traffic leaves towards zone untrust with source address 192.168.100.10, the source is rewritten to 202.5.5.253.
a. Configure static NAT
set security nat static rule-set static-nat from zone untrust
set security nat static rule-set static-nat rule 1 match destination-address 202.5.5.253/32
set security nat static rule-set static-nat rule 1 then static-nat prefix 192.168.100.10/32
set security nat proxy-arp interface ge-0/0/0.0 address 202.5.5.253/32
b. Enable logging
set system syslog file nat-log any any
set system syslog file nat-log match RT_FLOW_SESSION
c. Define the address book entries and policies that allow 192.168.100.10/32 to initiate connections (through the trust-to-untrust policy for 192.168.100.0/24) and to be reached from outside, with session logging. Both policies reference the inside address: the inbound policy because static NAT has already translated the destination before the policy lookup, the outbound policy because the source is only translated after it. The 192.168.100.10/32 entry is added to the address book because the inbound policy references it.
set security zones security-zone trust address-book address 192.168.100.0/24 192.168.100.0/24
set security zones security-zone trust address-book address 192.168.100.10/32 192.168.100.10/32
set security policies from-zone trust to-zone untrust policy 1 match source-address 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit
set security policies from-zone trust to-zone untrust policy 1 then log session-init
set security policies from-zone trust to-zone untrust policy 1 then log session-close
set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address 192.168.100.10/32
set security policies from-zone untrust to-zone trust policy 1 match application any
set security policies from-zone untrust to-zone trust policy 1 then permit
set security policies from-zone untrust to-zone trust policy 1 then log session-init
set security policies from-zone untrust to-zone trust policy 1 then log session-close
d. Check NAT information
(1) View the log (shows the NAT translations)
root@Juniper-vSRX> show log nat-log
Apr 7 17:14:03 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.100.10/59188->202.5.5.2/23 junos-telnet 202.5.5.253/59188->202.5.5.2/23 static rule 1 N/A N/A 6 1 trust untrust 13235 N/A(N/A) ge-0/0/1.0 UNKNOWN UNKNOWN UNKNOWN
Apr 7 17:14:19 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 202.5.5.2/13604->202.5.5.253/80 junos-http 202.5.5.2/13604->192.168.100.10/80 N/A N/A static rule 1 6 1 untrust trust 13236 N/A(N/A) ge-0/0/0.0 UNKNOWN UNKNOWN UNKNOWN
Apr 7 17:14:47 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.168.100.10/59188->202.5.5.2/23 junos-telnet 202.5.5.253/59188->202.5.5.2/23 static rule 1 N/A N/A 6 1 trust untrust 13235 24(1001) 19(850) 45 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/1.0 UNKNOWN
Apr 7 17:14:51 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 202.5.5.2/13604->202.5.5.253/80 junos-http 202.5.5.2/13604->192.168.100.10/80 N/A N/A static rule 1 6 1 untrust trust 13236 9(369) 6(366) 33 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN
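The RT_FLOW_SESSION_CREATE and RT_FLOW_SESSION_CLOSE lines in the four show log nat-log excerpts above all share one layout: original tuple, service, translated tuple, source NAT rule, destination NAT rule, protocol, policy, zones and session ID, with packet and byte counters on the close line. The following Python parser turns those lines into records and answers the question an incident responder actually asks of these logs, namely which inside host was behind a given public address and port. It is an added example, not code from the original post or from Juniper; SAMPLE_LOG is a constructed sample copied from the post's log excerpts, the parser handles IPv4 only, and the field names are this example's choice.

```python
"""Parser for the RT_FLOW_SESSION_CREATE / _CLOSE lines shown in the show log
nat-log outputs above, mapping a translated (post-NAT) endpoint back to the
original host. Added example, not code from the original post; SAMPLE_LOG is a
constructed sample copied from the post's log excerpts (IPv4 only)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_LOG = """\
Apr 7 14:33:16 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.100.10/60608->202.5.5.2/80 junos-http 202.5.5.1/26735->202.5.5.2/80 source rule 1 N/A N/A 6 1 trust untrust 13198 N/A(N/A) ge-0/0/1.0 UNKNOWN UNKNOWN UNKNOWN
Apr 7 14:33:23 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.168.100.10/60608->202.5.5.2/80 junos-http 202.5.5.1/26735->202.5.5.2/80 source rule 1 N/A N/A 6 1 trust untrust 13198 15(615) 10(526) 8 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/1.0 UNKNOWN
Apr 7 14:16:51 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.100.10/51074->202.5.5.2/23 junos-telnet 202.66.30.3/1907->202.5.5.2/23 source rule 1 N/A N/A 6 1 trust untrust 13187 N/A(N/A) ge-0/0/1.0 UNKNOWN UNKNOWN UNKNOWN
Apr 7 15:28:43 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 202.5.5.2/13634->202.5.5.1/8080 junos-http 202.5.5.2/13634->192.168.100.10/80 N/A N/A destination rule dst-nat-rule1 6 1 untrust trust 13213 N/A(N/A) ge-0/0/0.0 UNKNOWN UNKNOWN UNKNOWN
Apr 7 17:14:03 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.100.10/59188->202.5.5.2/23 junos-telnet 202.5.5.253/59188->202.5.5.2/23 static rule 1 N/A N/A 6 1 trust untrust 13235 N/A(N/A) ge-0/0/1.0 UNKNOWN UNKNOWN UNKNOWN
Apr 7 17:14:19 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 202.5.5.2/13604->202.5.5.253/80 junos-http 202.5.5.2/13604->192.168.100.10/80 N/A N/A static rule 1 6 1 untrust trust 13236 N/A(N/A) ge-0/0/0.0 UNKNOWN UNKNOWN UNKNOWN
"""

# original tuple, service, translated tuple, src NAT rule, dst NAT rule, proto, policy,
# from-zone, to-zone, session id; close lines add client pkts(bytes) server pkts(bytes) seconds
_LINE = re.compile(
    r"RT_FLOW_SESSION_(?P<event>CREATE|CLOSE): session (?:created|closed (?P<reason>[^:]+):) "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) (?P<service>\S+) "
    r"(?P<nat_src>[\d.]+)/(?P<nat_sport>\d+)->(?P<nat_dst>[\d.]+)/(?P<nat_dport>\d+) "
    r"(?P<src_rule>N/A N/A|\S+ rule \S+) (?P<dst_rule>N/A N/A|\S+ rule \S+) "
    r"(?P<proto>\d+) (?P<policy>\S+) (?P<from_zone>\S+) (?P<to_zone>\S+) (?P<sid>\d+)"
    r"(?: (?P<c_pkts>\d+)\((?P<c_bytes>\d+)\) (?P<s_pkts>\d+)\((?P<s_bytes>\d+)\) (?P<secs>\d+))?"
)


@dataclass(frozen=True)
class Session:
    event: str
    reason: Optional[str]
    src: str
    sport: int
    dst: str
    dport: int
    nat_src: str
    nat_sport: int
    nat_dst: str
    nat_dport: int
    service: str
    src_rule: Optional[str]   # e.g. "source rule 1" or "static rule 1"; None when N/A
    dst_rule: Optional[str]   # e.g. "destination rule dst-nat-rule1" or "static rule 1"
    policy: str
    from_zone: str
    to_zone: str
    session_id: int
    client_bytes: Optional[int]   # only on CLOSE lines
    server_bytes: Optional[int]

    def nat_kinds(self) -> Tuple[str, ...]:
        """Which NAT types fired: ("source",), ("destination",), ("static",) or ()."""
        return tuple(r.split(" rule ")[0] for r in (self.src_rule, self.dst_rule) if r)


def _rule(v: str) -> Optional[str]:
    return None if v == "N/A N/A" else v


def parse_line(line: str) -> Optional[Session]:
    m = _LINE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return Session(
        event=g["event"], reason=g["reason"],
        src=g["src"], sport=int(g["sport"]), dst=g["dst"], dport=int(g["dport"]),
        nat_src=g["nat_src"], nat_sport=int(g["nat_sport"]),
        nat_dst=g["nat_dst"], nat_dport=int(g["nat_dport"]),
        service=g["service"], src_rule=_rule(g["src_rule"]), dst_rule=_rule(g["dst_rule"]),
        policy=g["policy"], from_zone=g["from_zone"], to_zone=g["to_zone"],
        session_id=int(g["sid"]),
        client_bytes=int(g["c_bytes"]) if g["c_bytes"] else None,
        server_bytes=int(g["s_bytes"]) if g["s_bytes"] else None,
    )


def parse_log(text: str) -> List[Session]:
    return [s for s in map(parse_line, text.splitlines()) if s]


def resolve_public_endpoint(sessions: List[Session], ip: str, port: int) -> Optional[Tuple[str, int]]:
    """Map a public ip:port seen by an outside party to the inside host behind it.
    Outbound sessions expose the translated source; inbound ones the pre-NAT destination."""
    for s in sessions:
        if s.event != "CREATE":
            continue
        if s.src_rule and (s.nat_src, s.nat_sport) == (ip, port):
            return s.src, s.sport
        if s.dst_rule and (s.dst, s.dport) == (ip, port):
            return s.nat_dst, s.nat_dport
    return None
```

In production the same parser runs over the syslog stream rather than the show log output; because an abuse report quotes the public address and port only, the translated tuple in the CREATE line is the only record that ties it back to 192.168.100.10, which is why the log session-init policy action is not optional when NAT is in the path.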
(2) View the flow sessions
root@Juniper-vSRX> show security flow session
Session ID: 13235, Policy name: 1/9, Timeout: 1780, Valid
In: 192.168.100.10/59188 --> 202.5.5.2/23;tcp, If: ge-0/0/1.0, Pkts: 15, Bytes: 635
Out: 202.5.5.2/23 --> 202.5.5.253/59188;tcp, If: ge-0/0/0.0, Pkts: 11, Bytes: 518
Session ID: 13236, Policy name: 1/6, Timeout: 294, Valid
In: 202.5.5.2/13604 --> 202.5.5.253/80;tcp, If: ge-0/0/0.0, Pkts: 3, Bytes: 124
Out: 192.168.100.10/80 --> 202.5.5.2/13604;tcp, If: ge-0/0/1.0, Pkts: 1, Bytes: 44
Total sessions: 2
(3) View the static NAT rule
root@Juniper-vSRX> show security nat static rule all
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0
Static NAT rule: 1 Rule-set: static-nat
Rule-Id : 1
Rule position : 1
From zone : untrust
Destination addresses : 202.5.5.253
Host addresses : 192.168.100.10
Netmask : 32
Host routing-instance : N/A
Translation hits : 5
Successful sessions : 5
Failed sessions : 0
Number of sessions : 0
Source: 51CTO
Author: zzljames
Link: https://blog.51cto.com/zoran/2095309