Phần này cấu hình destination NAT để kết nối SSH đến port 2202 trên địa chỉ public được chuyển về port 22 của máy chủ bên trong. Các service khác cấu hình tương tự.
-Cấu hình NAT
root@iLab.SRX# set security nat destination pool ssh-internal address 172.16.1.3/32
root@iLab.SRX# set security nat destination pool ssh-internal address port 22
root@iLab.SRX# set security nat destination rule-set rs1 from zone Internet
root@iLab.SRX# set security nat destination rule-set rs1 rule SSH-rule match destination-address 192.168.221.11/32
root@iLab.SRX# set security nat destination rule-set rs1 rule SSH-rule match destination-port 2202
root@iLab.SRX# set security nat destination rule-set rs1 rule SSH-rule then destination-nat pool ssh-internal
-Cấu hình security policy
root@iLab.SRX# set security policies from-zone Internet to-zone DMZ policy allow-ssh match source-address any
root@iLab.SRX# set security policies from-zone Internet to-zone DMZ policy allow-ssh match destination-address SSH
root@iLab.SRX# set security policies from-zone Internet to-zone DMZ policy allow-ssh match application junos-ssh
root@iLab.SRX# set security policies from-zone Internet to-zone DMZ policy allow-ssh then permit
- Modify application ssh from port 22 to port 2202
root@iLab.SRX# set applications application custom-ssh protocol tcp
root@iLab.SRX# set applications application custom-ssh destination-port 2202
Lưu ý: trên SRX, destination NAT được thực hiện trước khi tra cứu security policy, nên policy allow-ssh ở trên match theo port sau khi NAT (22, tức junos-ssh); application custom-ssh (port 2202) chỉ cần dùng nếu policy được match theo port trước khi NAT, và trong cấu hình này nó chưa được policy nào tham chiếu.
[ Nếu sử dụng proxy-arp tương tự bài ]
PHẦN SHOW CONFIGURE
- NAT
root@iLab.SRX# show security nat
destination {
pool ssh-internal {
address 172.16.1.3/32 port 22;
}
rule-set rs1 {
from zone Internet;
rule SSH-rule {
match {
destination-address 192.168.221.11/32;
destination-port {
2202;
}
}
then {
destination-nat {
pool {
ssh-internal;
}
}
}
}
}
}
[edit]
- Security policy
root@iLab.SRX# show security policies from-zone Internet to-zone DMZ
policy allow-ssh {
match {
source-address any;
destination-address SSH;
application junos-ssh;
}
then {
permit;
}
}
[edit]
- Modify application
root@iLab.SRX# show applications
application custom-ssh {
protocol tcp;
destination-port 2202;
}
[edit]