1. Using Static NAT on an SRX Firewall to Let Internal Hosts Reach Internal Services via the Public Address

Introduction:

1. Lab topology

[Figure: lab topology diagram (image not available)]


2. Lab configuration

2.1. Internal servers accessing the Internet
set system host-name SRX1
set system time-zone Asia/Shanghai
set system name-server 114.114.114.114
set system services ssh
set system services web-management http
set system ntp server 62.201.225.9
set interfaces ge-0/0/0 unit 0 family inet address 192.168.130.22/24
set interfaces ge-0/0/1 unit 0 family inet address 1.1.1.254/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.130.2

set security nat source rule-set Source-NAT from zone trust
set security nat source rule-set Source-NAT to zone untrust
set security nat source rule-set Source-NAT rule Source-NAT-Rule match source-address 1.1.1.0/24
set security nat source rule-set Source-NAT rule Source-NAT-Rule then source-nat interface

set security policies from-zone trust to-zone untrust policy Source-NAT-Plicy match source-address any
set security policies from-zone trust to-zone untrust policy Source-NAT-Plicy match destination-address any
set security policies from-zone trust to-zone untrust policy Source-NAT-Plicy match application any
set security policies from-zone trust to-zone untrust policy Source-NAT-Plicy then permit

set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services http
set security zones security-zone trust interfaces ge-0/0/1.0

2.2. Publishing the 3389 service externally
set security nat static rule-set static-nat from zone untrust
set security nat static rule-set static-nat rule Outside10-TO-Inside10-rule match destination-address 192.168.130.10/32
set security nat static rule-set static-nat rule Outside10-TO-Inside10-rule then static-nat prefix 1.1.1.10/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.130.10/32

set security zones security-zone trust address-book address Outside10-TO-Inside10-address 1.1.1.10/32
set security zones security-zone trust address-book address-set Outside10-TO-Inside10-address-set address Outside10-TO-Inside10-address

set applications application Outside10-TO-Inside10-application term 3389 protocol tcp
set applications application Outside10-TO-Inside10-application term 3389 destination-port 3389

set security policies from-zone untrust to-zone trust policy Outside10-TO-Inside10-policy match source-address any
set security policies from-zone untrust to-zone trust policy Outside10-TO-Inside10-policy match destination-address Outside10-TO-Inside10-address-set
set security policies from-zone untrust to-zone trust policy Outside10-TO-Inside10-policy match application Outside10-TO-Inside10-application
set security policies from-zone untrust to-zone trust policy Outside10-TO-Inside10-policy then permit

2.3. Internal servers reaching the 3389 service on 1.1.1.10 via 192.168.130.10
set security nat source rule-set Source-NAT to zone trust
set security nat static rule-set static-nat from zone trust
set security policies from-zone trust to-zone trust policy Source-NAT-Plicy match source-address any
set security policies from-zone trust to-zone trust policy Source-NAT-Plicy match destination-address any
set security policies from-zone trust to-zone trust policy Source-NAT-Plicy match application any
set security policies from-zone trust to-zone trust policy Source-NAT-Plicy then permit


2.4. Publishing the 3389 service of 1.1.1.20 externally, with internal servers reaching it via 192.168.130.20
set security nat static rule-set static-nat from zone trust
set security nat static rule-set static-nat from zone untrust
set security nat static rule-set static-nat rule Outside20-TO-Inside20-rule match destination-address 192.168.130.20/32
set security nat static rule-set static-nat rule Outside20-TO-Inside20-rule then static-nat prefix 1.1.1.20/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.130.20/32

set security zones security-zone trust address-book address Outside20-TO-Inside20-address 1.1.1.20/32
set security zones security-zone trust address-book address-set Outside20-TO-Inside20-address-set address Outside20-TO-Inside20-address

set applications application Outside20-TO-Inside20-application term 3389 protocol tcp
set applications application Outside20-TO-Inside20-application term 3389 destination-port 3389

set security policies from-zone untrust to-zone trust policy Outside20-TO-Inside20-policy match source-address any
set security policies from-zone untrust to-zone trust policy Outside20-TO-Inside20-policy match destination-address Outside20-TO-Inside20-address-set
set security policies from-zone untrust to-zone trust policy Outside20-TO-Inside20-policy match application Outside20-TO-Inside20-application
set security policies from-zone untrust to-zone trust policy Outside20-TO-Inside20-policy then permit

3. Summary

After the static NAT mapping, internal servers cannot reach the internal server through its external IP. To fix this, static NAT and source NAT both have to cover the trust direction as well as the untrust direction: the static NAT rule-set must accept traffic from zone trust as well as from zone untrust, and the source NAT rule-set must translate trust-to-trust traffic as well as trust-to-untrust. Without the trust-to-trust source NAT, the server would see the client's real LAN address and answer it directly, bypassing the firewall and its session table, so the client never receives a reply from the public address it connected to.
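An added model (not code from the original post, nor Junos itself) of how the page's static NAT and interface source NAT rule-sets rewrite a packet; the keyword arguments let you switch off the trust-side rules added in sections 2.3 and 2.4 and see the hairpin case fail. Zone membership by prefix and the egress addresses are assumptions of the model.

```python
import ipaddress

# Zones, interface addresses and NAT rules as set in the page's configuration.
# Zone membership by prefix is an assumption of this model, not a Junos concept.
ZONES = {"trust": ipaddress.ip_network("1.1.1.0/24"),
         "untrust": ipaddress.ip_network("192.168.130.0/24")}
EGRESS_ADDR = {"trust": "1.1.1.254", "untrust": "192.168.130.22"}
STATIC_NAT = {"192.168.130.10": "1.1.1.10",      # Outside10-TO-Inside10-rule
              "192.168.130.20": "1.1.1.20"}      # Outside20-TO-Inside20-rule
STATIC_FROM_ZONES = {"untrust", "trust"}         # final rule-set static-nat
SOURCE_NAT_FROM = "trust"                        # rule-set Source-NAT
SOURCE_NAT_TO = {"untrust", "trust"}
SOURCE_NAT_MATCH = ipaddress.ip_network("1.1.1.0/24")


def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    raise ValueError(f"no zone for {addr}")


def translate(src, dst, static_from=STATIC_FROM_ZONES, snat_to=SOURCE_NAT_TO):
    """Return the (src, dst) pair the destination host will see.
    Static NAT is evaluated first (destination rewrite), then source NAT."""
    from_zone = zone_of(src)
    if from_zone in static_from and dst in STATIC_NAT:
        dst = STATIC_NAT[dst]
    to_zone = zone_of(dst)
    if (from_zone == SOURCE_NAT_FROM and to_zone in snat_to
            and ipaddress.ip_address(src) in SOURCE_NAT_MATCH):
        src = EGRESS_ADDR[to_zone]              # "then source-nat interface"
    return src, dst


def reply_returns_via_srx(src, dst, **rule_sets):
    """True if the server's reply is forced back through the SRX so the
    session can be un-translated; False if static NAT did not apply, or the
    server would answer the client directly on its own subnet (the page's
    failure case: the client never gets a usable reply from the public IP)."""
    t_src, t_dst = translate(src, dst, **rule_sets)
    if t_dst == dst:
        return False
    server_zone = zone_of(t_dst)
    on_server_subnet = ipaddress.ip_address(t_src) in ZONES[server_zone]
    return (not on_server_subnet) or t_src == EGRESS_ADDR[server_zone]
```

Calling `reply_returns_via_srx("1.1.1.30", "192.168.130.10", snat_to={"untrust"})` reproduces the broken state before section 2.3: static NAT applies, but the server sees 1.1.1.30 and replies on the LAN without the firewall.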


The final configuration is as follows:

root@SRX1# show | display set
set version 12.1X44.4
set system host-name SRX1
set system time-zone Asia/Shanghai
set system root-authentication encrypted-password "$1$rzXSdTNv$xhvtt2I62Mf/LJCFfq.Xz/"
set system name-server 114.114.114.114
set system services ssh
set system services web-management http
set system ntp server 62.201.225.9
set interfaces ge-0/0/0 unit 0 family inet address 192.168.130.22/24
set interfaces ge-0/0/1 unit 0 family inet address 1.1.1.254/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.130.2
set security nat source rule-set Source-NAT from zone trust
set security nat source rule-set Source-NAT to zone trust
set security nat source rule-set Source-NAT to zone untrust
set security nat source rule-set Source-NAT rule Source-NAT-Rule match source-address 1.1.1.0/24
set security nat source rule-set Source-NAT rule Source-NAT-Rule then source-nat interface
set security nat static rule-set static-nat from zone trust
set security nat static rule-set static-nat from zone untrust
set security nat static rule-set static-nat rule Outside10-TO-Inside10-rule match destination-address 192.168.130.10/32
set security nat static rule-set static-nat rule Outside10-TO-Inside10-rule then static-nat prefix 1.1.1.10/32
set security nat static rule-set static-nat rule Outside20-TO-Inside20-rule match destination-address 192.168.130.20/32
set security nat static rule-set static-nat rule Outside20-TO-Inside20-rule then static-nat prefix 1.1.1.20/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.130.10/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.130.20/32
set security policies from-zone trust to-zone untrust policy Source-NAT-Plicy match source-address any
set security policies from-zone trust to-zone untrust policy Source-NAT-Plicy match destination-address any
set security policies from-zone trust to-zone untrust policy Source-NAT-Plicy match application any
set security policies from-zone trust to-zone untrust policy Source-NAT-Plicy then permit
set security policies from-zone untrust to-zone trust policy Outside10-TO-Inside10-policy match source-address any
set security policies from-zone untrust to-zone trust policy Outside10-TO-Inside10-policy match destination-address Outside10-TO-Inside10-address-set
set security policies from-zone untrust to-zone trust policy Outside10-TO-Inside10-policy match application Outside10-TO-Inside10-application
set security policies from-zone untrust to-zone trust policy Outside10-TO-Inside10-policy then permit
set security policies from-zone untrust to-zone trust policy Outside20-TO-Inside20-policy match source-address any
set security policies from-zone untrust to-zone trust policy Outside20-TO-Inside20-policy match destination-address Outside20-TO-Inside20-address-set
set security policies from-zone untrust to-zone trust policy Outside20-TO-Inside20-policy match application Outside20-TO-Inside20-application
set security policies from-zone untrust to-zone trust policy Outside20-TO-Inside20-policy then permit
set security policies from-zone trust to-zone trust policy Source-NAT-Plicy match source-address any
set security policies from-zone trust to-zone trust policy Source-NAT-Plicy match destination-address any
set security policies from-zone trust to-zone trust policy Source-NAT-Plicy match application any
set security policies from-zone trust to-zone trust policy Source-NAT-Plicy then permit
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust address-book address Outside10-TO-Inside10-address 1.1.1.10/32
set security zones security-zone trust address-book address Outside20-TO-Inside20-address 1.1.1.20/32
set security zones security-zone trust address-book address-set Outside10-TO-Inside10-address-set address Outside10-TO-Inside10-address
set security zones security-zone trust address-book address-set Outside20-TO-Inside20-address-set address Outside20-TO-Inside20-address
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services http
set security zones security-zone trust interfaces ge-0/0/1.0
set applications application Outside10-TO-Inside10-application term 3389 protocol tcp
set applications application Outside10-TO-Inside10-application term 3389 destination-port 3389
set applications application Outside20-TO-Inside20-application term 3389 protocol tcp
set applications application Outside20-TO-Inside20-application term 3389 destination-port 3389


This article is reposted from the 开源殿堂 blog on 51CTO; original link: http://blog.51cto.com/kaiyuandiantang/1888442. Contact the original author for permission before reproducing it.