Note: cấu hình này dùng để publish 1 website (hoặc dịch vụ khác) trong DMZ ra ngoài internet bằng Destination NAT.
- Cấu hình ip interface và gán vào zone
root@iLab.SRX#set interfaces ge-0/0/1 unit 0 family inet address 172.16.1.11/24
root@iLab.SRX#set security zones security-zone DMZ
root@iLab.SRX#set security zones security-zone DMZ interfaces ge-0/0/1.0
root@iLab.SRX#set interfaces ge-0/0/2 unit 0 family inet address 192.168.221.11/24
root@iLab.SRX#set security zones security-zone Internet
root@iLab.SRX#set security zones security-zone Internet interfaces ge-0/0/2.0
- Cấu hình Destination NAT (lưu ý: destination-address với prefix /24 sẽ match toàn bộ subnet; nếu chỉ muốn NAT đúng 1 IP public thì nên dùng /32)
root@iLab.SRX#set security nat destination pool dst-nat-pool-1 address 172.16.1.3/32
root@iLab.SRX#set security nat destination rule-set rs1 from zone Internet
hoặc:
root@iLab.SRX#set security nat destination rule-set rs1 rule r1 match destination-address 192.168.221.11/24
Hoặc:
Nếu muốn NAT ra 1 IP public khác thì có thể cấu hình như sau (proxy-arp cần đặt trên interface thuộc subnet của IP public đó — ở đây có vẻ là ge-0/0/2.0 phía Internet — để SRX trả lời ARP cho IP chưa gán trực tiếp):
root@iLab.SRX#set security nat destination rule-set rs1 rule r1 match destination-address 192.168.221.12/24
root@iLab.SRX#set security nat proxy-arp interface ge-0/0/1.0 address 192.168.221.12/24
root@iLab.SRX#set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
root@iLab.SRX#set security nat destination rule-set rs1 rule r1 match destination-port 80
-Cấu hình Security Policy
root@iLab.SRX#set security zones security-zone DMZ address-book address Server-HTTP-1 172.16.1.3/32
root@iLab.SRX#set security policies from-zone Internet to-zone DMZ policy server-access match source-address any
root@iLab.SRX#set security policies from-zone Internet to-zone DMZ policy server-access match destination-address Server-HTTP-1
root@iLab.SRX#set security policies from-zone Internet to-zone DMZ policy server-access match application junos-http
root@iLab.SRX#set security policies from-zone Internet to-zone DMZ policy server-access then permit
Kiểm tra:
+ Trên client ngoài internet (ip: 192.168.221.128) truy cập http://192.168.221.11 (hoặc http://192.168.221.12 nếu dùng IP public thứ hai)
+ Trên SRX:
root@iLab.SRX# run show security flow session destination-port 80
Session ID: 10582, Policy name: server-access/7, Timeout: 16, Valid
In: 192.168.221.128/41756 --> 192.168.221.11/80;tcp, If: ge-0/0/2.0, Pkts: 3, Bytes: 164
Out: 172.16.1.3/80 --> 192.168.221.128/41756;tcp, If: ge-0/0/1.0, Pkts: 2, Bytes: 120
Total sessions: 1
Phần cấu hình tổng quát:
- NAT:
root@iLab.SRX# show security nat destination
pool dst-nat-pool-1 {
address 172.16.1.3/32;
}
rule-set rs1 {
from zone Internet;
rule r1 {
match {
destination-address 192.168.221.11/24;
destination-port {
80;
}
}
then {
destination-nat {
pool {
dst-nat-pool-1;
}
}
}
}
}
[edit]
- Security policy
root@iLab.SRX# show security policies from-zone Internet to-zone DMZ
policy server-access {
match {
source-address any;
destination-address Server-HTTP-1;
application junos-http;
}
then {
permit;
}
}
[edit]
Proxy-arp
root@iLab.SRX# show security nat proxy-arp
interface ge-0/0/1.0 {
address {
192.168.221.12/24;
}
}
[edit]
- NAT:
root@iLab.SRX# show security nat destination
pool dst-nat-pool-1 {
address 172.16.1.3/32;
}
rule-set rs1 {
from zone Internet;
rule r1 {
match {
destination-address 192.168.221.11/24;
destination-port {
80;
}
}
then {
destination-nat {
pool {
dst-nat-pool-1;
}
}
}
}
}
[edit]
- Security policy
root@iLab.SRX# show security policies from-zone Internet to-zone DMZ
policy server-access {
match {
source-address any;
destination-address Server-HTTP-1;
application junos-http;
}
then {
permit;
}
}
[edit]
Proxy-arp
root@iLab.SRX# show security nat proxy-arp
interface ge-0/0/1.0 {
address {
192.168.221.12/24;
}
}
[edit]
Còn tiếp ....