1. SRX firewall Static NAT: fixing internal hosts that cannot reach an internal service through its public IP


1. Lab topology

[Topology diagram: image not reproduced]


2. Lab configuration

2.1 Internal servers accessing the Internet
set system host-name SRX1
set system time-zone Asia/Shanghai
set system name-server 114.114.114.114
set system services ssh
set system services web-management http
set system ntp server 62.201.225.9
set interfaces ge-0/0/0 unit 0 family inet address 192.168.130.22/24
set interfaces ge-0/0/1 unit 0 family inet address 1.1.1.254/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.130.2

set security nat source rule-set Source-NAT from zone trust
set security nat source rule-set Source-NAT to zone untrust
set security nat source rule-set Source-NAT rule Source-NAT-Rule match source-address 1.1.1.0/24
set security nat source rule-set Source-NAT rule Source-NAT-Rule then source-nat interface

set security policies from-zone trust to-zone untrust policy Source-NAT-Plicy match source-address any
set security policies from-zone trust to-zone untrust policy Source-NAT-Plicy match destination-address any
set security policies from-zone trust to-zone untrust policy Source-NAT-Plicy match application any
set security policies from-zone trust to-zone untrust policy Source-NAT-Plicy then permit

set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services http
set security zones security-zone trust interfaces ge-0/0/1.0

2.2 Exposing the TCP 3389 service to the outside
set security nat static rule-set static-nat from zone untrust
set security nat static rule-set static-nat rule Outside10-TO-Inside10-rule match destination-address 192.168.130.10/32
set security nat static rule-set static-nat rule Outside10-TO-Inside10-rule then static-nat prefix 1.1.1.10/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.130.10/32

set security zones security-zone trust address-book address Outside10-TO-Inside10-address 1.1.1.10/32
set security zones security-zone trust address-book address-set Outside10-TO-Inside10-address-set address Outside10-TO-Inside10-address

set applications application Outside10-TO-Inside10-application term 3389 protocol tcp
set applications application Outside10-TO-Inside10-application term 3389 destination-port 3389

set security policies from-zone untrust to-zone trust policy Outside10-TO-Inside10-policy match source-address any
set security policies from-zone untrust to-zone trust policy Outside10-TO-Inside10-policy match destination-address Outside10-TO-Inside10-address-set
set security policies from-zone untrust to-zone trust policy Outside10-TO-Inside10-policy match application Outside10-TO-Inside10-application
set security policies from-zone untrust to-zone trust policy Outside10-TO-Inside10-policy then permit

2.3 Internal servers reaching the 3389 service of 1.1.1.10 through 192.168.130.10
set security nat source rule-set Source-NAT to zone trust
set security nat static rule-set static-nat from zone trust
set security policies from-zone trust to-zone trust policy Source-NAT-Plicy match source-address any
set security policies from-zone trust to-zone trust policy Source-NAT-Plicy match destination-address any
set security policies from-zone trust to-zone trust policy Source-NAT-Plicy match application any
set security policies from-zone trust to-zone trust policy Source-NAT-Plicy then permit


2.4 1.1.1.20 exposes its 3389 service to the outside, and internal servers reach the 3389 service of 1.1.1.20 through 192.168.130.20
set security nat static rule-set static-nat from zone trust
set security nat static rule-set static-nat from zone untrust
set security nat static rule-set static-nat rule Outside20-TO-Inside20-rule match destination-address 192.168.130.20/32
set security nat static rule-set static-nat rule Outside20-TO-Inside20-rule then static-nat prefix 1.1.1.20/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.130.20/32

set security zones security-zone trust address-book address Outside20-TO-Inside20-address 1.1.1.20/32
set security zones security-zone trust address-book address-set Outside20-TO-Inside20-address-set address Outside20-TO-Inside20-address

set applications application Outside20-TO-Inside20-application term 3389 protocol tcp
set applications application Outside20-TO-Inside20-application term 3389 destination-port 3389

set security policies from-zone untrust to-zone trust policy Outside20-TO-Inside20-policy match source-address any
set security policies from-zone untrust to-zone trust policy Outside20-TO-Inside20-policy match destination-address Outside20-TO-Inside20-address-set
set security policies from-zone untrust to-zone trust policy Outside20-TO-Inside20-policy match application Outside20-TO-Inside20-application
set security policies from-zone untrust to-zone trust policy Outside20-TO-Inside20-policy then permit

3. Summary

After a Static NAT mapping is in place, internal servers still cannot reach the mapped internal server through its external IP. The hairpin flow from the trust zone has to be covered as well: Source NAT and Static NAT must be applied in both directions (the static rule-set also from zone trust, the source rule-set also to zone trust, so the reply comes back through the firewall), together with an intra-zone trust-to-trust policy that permits the flow.


The final configuration is as follows:

root@SRX1# show | display set
set version 12.1X44.4
set system host-name SRX1
set system time-zone Asia/Shanghai
set system root-authentication encrypted-password "$1$rzXSdTNv$xhvtt2I62Mf/LJCFfq.Xz/"
set system name-server 114.114.114.114
set system services ssh
set system services web-management http
set system ntp server 62.201.225.9
set interfaces ge-0/0/0 unit 0 family inet address 192.168.130.22/24
set interfaces ge-0/0/1 unit 0 family inet address 1.1.1.254/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.130.2
set security nat source rule-set Source-NAT from zone trust
set security nat source rule-set Source-NAT to zone trust
set security nat source rule-set Source-NAT to zone untrust
set security nat source rule-set Source-NAT rule Source-NAT-Rule match source-address 1.1.1.0/24
set security nat source rule-set Source-NAT rule Source-NAT-Rule then source-nat interface
set security nat static rule-set static-nat from zone trust
set security nat static rule-set static-nat from zone untrust
set security nat static rule-set static-nat rule Outside10-TO-Inside10-rule match destination-address 192.168.130.10/32
set security nat static rule-set static-nat rule Outside10-TO-Inside10-rule then static-nat prefix 1.1.1.10/32
set security nat static rule-set static-nat rule Outside20-TO-Inside20-rule match destination-address 192.168.130.20/32
set security nat static rule-set static-nat rule Outside20-TO-Inside20-rule then static-nat prefix 1.1.1.20/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.130.10/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.130.20/32
set security policies from-zone trust to-zone untrust policy Source-NAT-Plicy match source-address any
set security policies from-zone trust to-zone untrust policy Source-NAT-Plicy match destination-address any
set security policies from-zone trust to-zone untrust policy Source-NAT-Plicy match application any
set security policies from-zone trust to-zone untrust policy Source-NAT-Plicy then permit
set security policies from-zone untrust to-zone trust policy Outside10-TO-Inside10-policy match source-address any
set security policies from-zone untrust to-zone trust policy Outside10-TO-Inside10-policy match destination-address Outside10-TO-Inside10-address-set
set security policies from-zone untrust to-zone trust policy Outside10-TO-Inside10-policy match application Outside10-TO-Inside10-application
set security policies from-zone untrust to-zone trust policy Outside10-TO-Inside10-policy then permit
set security policies from-zone untrust to-zone trust policy Outside20-TO-Inside20-policy match source-address any
set security policies from-zone untrust to-zone trust policy Outside20-TO-Inside20-policy match destination-address Outside20-TO-Inside20-address-set
set security policies from-zone untrust to-zone trust policy Outside20-TO-Inside20-policy match application Outside20-TO-Inside20-application
set security policies from-zone untrust to-zone trust policy Outside20-TO-Inside20-policy then permit
set security policies from-zone trust to-zone trust policy Source-NAT-Plicy match source-address any
set security policies from-zone trust to-zone trust policy Source-NAT-Plicy match destination-address any
set security policies from-zone trust to-zone trust policy Source-NAT-Plicy match application any
set security policies from-zone trust to-zone trust policy Source-NAT-Plicy then permit
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust address-book address Outside10-TO-Inside10-address 1.1.1.10/32
set security zones security-zone trust address-book address Outside20-TO-Inside20-address 1.1.1.20/32
set security zones security-zone trust address-book address-set Outside10-TO-Inside10-address-set address Outside10-TO-Inside10-address
set security zones security-zone trust address-book address-set Outside20-TO-Inside20-address-set address Outside20-TO-Inside20-address
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services http
set security zones security-zone trust interfaces ge-0/0/1.0
set applications application Outside10-TO-Inside10-application term 3389 protocol tcp
set applications application Outside10-TO-Inside10-application term 3389 destination-port 3389
set applications application Outside20-TO-Inside20-application term 3389 protocol tcp
set applications application Outside20-TO-Inside20-application term 3389 destination-port 3389
This article is reposted from the 51CTO blog 开源殿堂; original link: http://blog.51cto.com/kaiyuandiantang/1888442. To republish it, please contact the original author.