Configuring Juniper SRX Destination NAT / Port Forwarding
In this article destination NAT is configured to port-forward traffic to multiple internal servers, selecting the server by destination port.

This type of NAT configuration is equivalent to a ScreenOS VIP.

This example syntax is based upon the following setup (external address:port on the left, real server address:port on the right):

172.16.1.2:2222 --> 192.168.1.5:22
172.16.1.2:3389 --> 192.168.1.6:3389


Configure Address Book


First the real addresses of the servers are configured using address-book entries. These names are referenced later by the security policy and are case-sensitive.

set security zones security-zone trust address-book address Server1 192.168.1.5/32
set security zones security-zone trust address-book address Server2 192.168.1.6/32



Configure Ports


Next the applications used by the security policy are defined. Security policies on the SRX are evaluated after destination NAT, so these applications must match the real (post-translation) ports the servers listen on: 22 for SSH and 3389 for RDP. The externally visible port 2222 is matched directly in the NAT rule below, not here.

set applications application SSH-DNAT protocol tcp
set applications application SSH-DNAT destination-port 22
set applications application RDP protocol tcp
set applications application RDP destination-port 3389


Configure NAT Pool


One pool is defined per server. The pool holds the real (post-translation) IP address and port, i.e. what the server actually listens on.

set security nat destination pool dnat-192_168_1_5m32 address 192.168.1.5/32
set security nat destination pool dnat-192_168_1_5m32 address port 22
set security nat destination pool dnat-192_168_1_6m32 address 192.168.1.6/32
set security nat destination pool dnat-192_168_1_6m32 address port 3389


Configure NAT Policy


Next the NAT rule-set is configured. It is bound to the zone the traffic arrives from, and each rule matches the pre-translation destination address and port and names the pool to translate to, which sets both the new destination IP and the new destination port.

set security nat destination rule-set dst-nat from zone untrust


Server 1


set security nat destination rule-set dst-nat rule rule1 match destination-address 172.16.1.2/32
set security nat destination rule-set dst-nat rule rule1 match destination-port 2222
set security nat destination rule-set dst-nat rule rule1 then destination-nat pool dnat-192_168_1_5m32


Server 2


set security nat destination rule-set dst-nat rule rule2 match destination-address 172.16.1.2/32
set security nat destination rule-set dst-nat rule rule2 match destination-port 3389
set security nat destination rule-set dst-nat rule rule2 then destination-nat pool dnat-192_168_1_6m32


Configure Security Policy


Finally the security policy is configured. Policy lookup happens after destination NAT, so the policy must match the real (translated) address-book entry and an application on the real port of the server (22 and 3389), not the external address 172.16.1.2 or port 2222. The address names must match the address-book entries exactly, including case.

set security policies from-zone untrust to-zone trust policy untrust-to-trust1 match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust1 match destination-address Server1
set security policies from-zone untrust to-zone trust policy untrust-to-trust1 match application SSH-DNAT
set security policies from-zone untrust to-zone trust policy untrust-to-trust1 then permit
set security policies from-zone untrust to-zone trust policy untrust-to-trust2 match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust2 match destination-address Server2
set security policies from-zone untrust to-zone trust policy untrust-to-trust2 match application RDP
set security policies from-zone untrust to-zone trust policy untrust-to-trust2 then permit
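The five sections above are one procedure, and the mistakes that break a port forward are almost always consistency mistakes between them: the NAT rule must match the pre-translation tuple, the pool must hold the real tuple, and the policy (evaluated after destination NAT) must name the real address-book entry and an application on the real port, with names in exactly the right case. The following script is an added example, not code from the original article or from Juniper: it generates the `set` commands for a list of forwards in the same order as the sections above and cross-checks a listing for those errors. The zone, pool, application and policy names follow the article; the `Forward` class, `render()` and `lint()` helpers and the `BROKEN` listing are this example's own constructed material.

```python
"""Generate and cross-check a Juniper SRX destination-NAT (port-forward) config.

Added example, not from the original article or Juniper. It encodes the rule
the article relies on: the NAT rule matches the PRE-translation address/port,
the pool holds the REAL server address/port, and the security policy is
evaluated AFTER destination NAT, so it names the real address-book entry and
an application on the real port. Forward/render/lint are this example's own.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List


@dataclass(frozen=True)
class Forward:
    """One TCP forward: external_ip:external_port -> real_ip:real_port."""
    name: str            # address-book entry / policy destination, e.g. "Server1"
    app: str             # application used by the policy, e.g. "SSH-DNAT"
    external_ip: str
    external_port: int
    real_ip: str
    real_port: int
    from_zone: str = "untrust"
    to_zone: str = "trust"

    def __post_init__(self) -> None:
        # The SRX would reject these at commit; fail earlier with a clear message.
        IPv4Address(self.external_ip)
        IPv4Address(self.real_ip)
        for port in (self.external_port, self.real_port):
            if not 1 <= port <= 65535:
                raise ValueError(f"port out of range: {port}")


def pool_name(fwd: Forward) -> str:
    """Pool naming scheme used in the article, e.g. dnat-192_168_1_5m32."""
    return "dnat-" + fwd.real_ip.replace(".", "_") + "m32"


def render(forwards: List[Forward], rule_set: str = "dst-nat") -> List[str]:
    """Return the 'set' commands in the same order as the article's sections."""
    out: List[str] = []
    for f in forwards:  # address book: real server IPs
        out.append(f"set security zones security-zone {f.to_zone} address-book "
                   f"address {f.name} {f.real_ip}/32")
    for f in forwards:  # applications: REAL ports, because policy runs after DNAT
        out.append(f"set applications application {f.app} protocol tcp")
        out.append(f"set applications application {f.app} destination-port {f.real_port}")
    for f in forwards:  # pools: real IP and port
        out.append(f"set security nat destination pool {pool_name(f)} address {f.real_ip}/32")
        out.append(f"set security nat destination pool {pool_name(f)} address port {f.real_port}")
    for zone in sorted({f.from_zone for f in forwards}):  # rule-set bound to ingress zone
        out.append(f"set security nat destination rule-set {rule_set} from zone {zone}")
    for i, f in enumerate(forwards, start=1):  # rules: PRE-translation tuple
        rule = f"set security nat destination rule-set {rule_set} rule rule{i}"
        out.append(f"{rule} match destination-address {f.external_ip}/32")
        out.append(f"{rule} match destination-port {f.external_port}")
        out.append(f"{rule} then destination-nat pool {pool_name(f)}")
    for i, f in enumerate(forwards, start=1):  # policy: post-NAT names, exact case
        pol = (f"set security policies from-zone {f.from_zone} to-zone {f.to_zone} "
               f"policy {f.from_zone}-to-{f.to_zone}{i}")
        out.append(f"{pol} match source-address any")
        out.append(f"{pol} match destination-address {f.name}")
        out.append(f"{pol} match application {f.app}")
        out.append(f"{pol} then permit")
    return out


def lint(lines: List[str]) -> List[str]:
    """Cross-check a 'set' listing: a policy that names an undefined address or
    application (Junos names are case-sensitive), or an application on a port no
    pool translates to (the policy is evaluated after destination NAT).
    Built-in junos-* applications are not checked."""
    addrs, apps, pool_ports, refs = set(), {}, set(), []
    for line in lines:
        w = line.split()
        if "address-book" in w:
            addrs.add(w[w.index("address-book") + 2])
        elif w[:3] == ["set", "applications", "application"] and w[4] == "destination-port":
            apps[w[3]] = int(w[5])
        elif w[:5] == ["set", "security", "nat", "destination", "pool"] and w[6:8] == ["address", "port"]:
            pool_ports.add(int(w[8]))
        elif w[:3] == ["set", "security", "policies"] and "match" in w:
            i = w.index("match")
            refs.append((w[i + 1], w[i + 2]))
    problems = []
    for kind, name in refs:
        if kind == "destination-address" and name != "any" and name not in addrs:
            problems.append(f"policy destination-address {name!r} is not in the address book")
        elif kind == "application" and not name.startswith("junos-"):
            if name not in apps:
                problems.append(f"policy application {name!r} is not defined")
            elif apps[name] not in pool_ports:
                problems.append(f"application {name!r} uses port {apps[name]}, "
                                f"but no destination pool translates to that port")
    return problems


# The article's two forwards: 172.16.1.2:2222 -> 192.168.1.5:22 and 3389 -> 3389.
ARTICLE = [Forward("Server1", "SSH-DNAT", "172.16.1.2", 2222, "192.168.1.5", 22),
           Forward("Server2", "RDP", "172.16.1.2", 3389, "192.168.1.6", 3389)]

# Constructed broken listing (not from the article): address name in the wrong
# case, and an application on the pre-NAT port 2222 while the pool uses 22.
BROKEN = [
    "set security zones security-zone trust address-book address Server1 192.168.1.5/32",
    "set applications application SSH-DNAT protocol tcp",
    "set applications application SSH-DNAT destination-port 2222",
    "set security nat destination pool dnat-192_168_1_5m32 address 192.168.1.5/32",
    "set security nat destination pool dnat-192_168_1_5m32 address port 22",
    "set security policies from-zone untrust to-zone trust policy p1 match destination-address server1",
    "set security policies from-zone untrust to-zone trust policy p1 match application SSH-DNAT",
]

if __name__ == "__main__":
    print("\n".join(render(ARTICLE)))
    for problem in lint(BROKEN):
        print("PROBLEM:", problem)
```

`render(ARTICLE)` reproduces the listing in this article; `lint(BROKEN)` reports two problems, the case mismatch on `server1` and the application on port 2222. After committing on the SRX, `show security nat destination rule all` shows per-rule translation hit counters and `show security flow session` shows whether a session was created with the translated destination; a rule with hits but no session almost always means the policy stage rejected the post-NAT tuple.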



Updated 12 Jul 2014. Created 28 Feb 2014