How to forward a port from a public (white) address to a private (grey) address on a Juniper SRX.
Define the address and port of the device inside the network (private, grey address) as a destination NAT pool:
set security nat destination pool DST80-MNG-CONTROLLER address 192.168.xx.yy/32
set security nat destination pool DST80-MNG-CONTROLLER address port 443
Create the destination NAT rule (traffic arriving from the Internet zone to the public address on port 443 is translated to the pool):
set security nat destination rule-set DST-NAT from zone INTERNET-ZONE
set security nat destination rule-set DST-NAT rule MNG-CONTROLLER match source-address 0.0.0.0/0
set security nat destination rule-set DST-NAT rule MNG-CONTROLLER match destination-address 91.211.xx.yy/32
set security nat destination rule-set DST-NAT rule MNG-CONTROLLER match destination-port 443
set security nat destination rule-set DST-NAT rule MNG-CONTROLLER then destination-nat pool DST80-MNG-CONTROLLER
Add the server's address (the grey address) to the address book:
set security zones security-zone MNG-ZONE address-book address CONTROLLER-GREY 192.168.xx.yy/32
Create a policy from the Internet zone to the grey zone. Destination NAT is applied before the policy lookup, so the policy must match the translated (grey) address, not the public one:
set security policies from-zone INTERNET-ZONE to-zone MNG-ZONE policy MNG-DEVICES match source-address any
set security policies from-zone INTERNET-ZONE to-zone MNG-ZONE policy MNG-DEVICES match destination-address CONTROLLER-GREY
set security policies from-zone INTERNET-ZONE to-zone MNG-ZONE policy MNG-DEVICES match application junos-https
set security policies from-zone INTERNET-ZONE to-zone MNG-ZONE policy MNG-DEVICES then permit
set security policies from-zone INTERNET-ZONE to-zone MNG-ZONE policy MNG-DEVICES then log session-init
set security policies from-zone INTERNET-ZONE to-zone MNG-ZONE policy MNG-DEVICES then log session-close
Verification:
show security nat destination rule all
Total destination-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0
Destination NAT rule: MNG-CONTROLLER Rule-set: DST-NAT
Rule-Id : 1
Rule position : 1
From zone : INTERNET-ZONE
Match
Source addresses : 0.0.0.0 - 255.255.255.255
Destination addresses : 91.211.xx.yy - 91.211.xx.yy
Destination port : 443 - 443
Action : DST80-MNG-CONTROLLER
Translation hits : 1241
Successful sessions : 407
Failed sessions : 834
Number of sessions : 2
show security flow session source-prefix 109.108.88.94 extensive
Session ID: 20063618, Status: Normal
Flags: 0x4000000/0x0/0x8003
Policy name: MNG-DEVICES/7
Source NAT pool: Null, Application: junos-https/58
Dynamic application: junos:UNKNOWN,
Encryption: Unknown
Application traffic control rule-set: INVALID, Rule: INVALID
Maximum timeout: 1800, Current timeout: 1794
Session State: Valid
Start time: 74775, Duration: 5
In: 109.108.xx.yy/30844 --> 91.211.xx.yy/443;tcp,
Interface: ge-0/0/0.0,
Session token: 0x7, Flag: 0x1021
Route: 0xb0010, Gateway: 91.211.xx.yy, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 9, Bytes: 1805
Out: 192.168.xx.yy/443 --> 109.108.xx.yy/30844;tcp,
Interface: ae0.168,
Session token: 0x8, Flag: 0x1020
Route: 0x8689b02, Gateway: 192.168.12.7, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 14, Bytes: 7983
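An added helper, not part of the original post, that parses the two verification outputs shown above: it extracts each destination NAT rule with its hit counters and confirms from the flow session wings that the public address was actually translated to the pool. The masked octets (xx.yy) are replaced with the constructed placeholder 10.20 so the addresses parse.

```python
import re

# Constructed sample input: the verification output from this page, with the
# masked octets (xx.yy) replaced by the placeholder 10.20.
RULE_OUTPUT = """\
Total destination-nat rules: 1
Destination NAT rule: MNG-CONTROLLER Rule-set: DST-NAT
From zone : INTERNET-ZONE
Match
Destination addresses : 91.211.10.20 - 91.211.10.20
Destination port : 443 - 443
Action : DST80-MNG-CONTROLLER
Translation hits : 1241
Successful sessions : 407
Failed sessions : 834
"""
SESSION_OUTPUT = """\
Session ID: 20063618, Status: Normal
Policy name: MNG-DEVICES/7
In: 109.108.10.20/30844 --> 91.211.10.20/443;tcp,
Out: 192.168.10.20/443 --> 109.108.10.20/30844;tcp,
"""

def parse_dnat_rules(text):
    """One dict per rule from 'show security nat destination rule all' output."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"Destination NAT rule: (\S+) Rule-set: (\S+)", line)
        if m:
            rules.append({"rule": m.group(1), "rule_set": m.group(2)})
        elif rules and ":" in line:
            key, _, val = line.partition(":")
            rules[-1][key.strip().lower().replace(" ", "_")] = val.strip()
    return rules

def failed_ratio(rule):
    """Share of translation hits that never became a session (probe noise on the exposed port)."""
    hits = int(rule["translation_hits"])
    return int(rule["failed_sessions"]) / hits if hits else 0.0

def parse_wings(text):
    """Map the 'In'/'Out' wings of a flow session to (src, dst) endpoint strings."""
    wings = {}
    for m in re.finditer(r"^(In|Out): (\S+) --> (\S+);", text, re.M):
        wings[m.group(1)] = (m.group(2), m.group(3))
    return wings

def translation_ok(wings, public, pool):
    """True when the In wing targeted the public ip/port and the Out wing left from the pool ip/port."""
    return wings["In"][1] == public and wings["Out"][0] == pool
```

A failed ratio above roughly two thirds, as on this page, is a sign that most hits on the exposed port never complete a session, which is worth correlating with the session-init logs the policy emits.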