一、基礎操作說明:
1、 設備恢復出廠化
root# load factory-default
root# set system root-authentication plain-text-password
root# commit
root> request system reboot
2、 基本配置
2.1 配置主機名
root# set system host-name SRX1400
2.2設置時區
root@SRX1400# set system time-zone Asia/Shanghai
2.3設置時間
root@SRX1400# run set date 201508011549.21
2.4設置dns
root@SRX1400# set system name-server 202.l06.0.20
2.5設置接口IP
root@SRX1400# set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.10/24
2.6設置默認路由
root@SRX1400# set routing-options static route 0.0.0.0/0 next-hop 10.0.0.254
2.7創建登陸用戶
root@SRX1400# set system login user admin class super-user authentication plain-text-password
2.8創建安全Zone
root@SRX1400# set security zones security-zone untrust
2.9接口加入zone
root@SRX1400# set security zones security-zone untrust interfaces ge-0/0/0.0
2.10業務口放行icmp
root@SRX1400# set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
說明:默認情況下,除管理口外的業務口是無法ping通的,需要放行icmp。
二、juniper srx nat
1、NAT的類型
1.1 source nat :interface
1.2 source nat :pool
1.3 destination nat
1.4 static nat
2、配置實例
2.1 基於接口的source nat
root@SRX1400# set security nat source rule-set 1 from zone trust
root@SRX1400# set security nat source rule-set 1 to zone untrust
root@SRX1400# set security nat source rule-set 1 rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
root@SRX1400# set security nat source rule-set 1 rule rule1 then source-nat interface
默認police
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
2.2基於地址池的source nat
root@SRX1400# set security nat source pool isp address 10.0.0.20 to 10.0.30
root@SRX1400# set security nat source rule-set 1 from zone trust
root@SRX1400# set security nat source rule-set 1 to zone untrust
root@SRX1400# set security nat source rule-set 1 rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
root@SRX1400# set security nat source rule-set 1 rule rule1 then source-nat pool isp
root@SRX1400# set security nat proxy-arp interface ge-0/0/0 address 10.0.0.20 to 10.0.0.30
2.3 destination nat 配置
root@SRX1400# set security nat destination pool dst-nat-pool-1 address 172.16.1.1/32
root@SRX1400# set security nat destination pool dst-nat-pool-1 address port 80
root@SRX1400# set security nat destination rule-set rs1 from zone untrust
root@SRX1400# set security nat destination rule-set rs1 rule 1 match destination-address 10.0.0.100/32
root@SRX1400# set security nat destination pool dst-nat-pool-1 address port 80
root@SRX1400# set security nat proxy-arp interface ge-0/0/0.0 address 10.0.0.100/32
root@SRX1400# set security address-book global address web 172.16.1.1/32
root@SRX1400# set security nat destination rule-set rs1 rule 1 then destination-nat pool dst-nat-pool-1
root@SRX1400# set security policies from-zone untrust to-zone trust policy web match source-address any
root@SRX1400# set security policies from-zone untrust to-zone trust policy web match destination-address web match application any
root@SRX1400# set security policies from-zone untrust to-zone trust policy
root@SRX1400# set security policies from-zone untrust to-zone trust policy web then permit
root@SRX1400# insert security policies from-zone untrust to-zone trust policy web before policy default-deny
2.4 static nat配置
root@SRX1400# set security nat static rule-set rs1 from zone untrust
root@SRX1400# set security nat static rule-set rs1 rule r1 match destination-address 10.0.0.100/32
root@SRX1400# set security nat static rule-set rs1 rule r1 then static-nat prefix 172.16.1.1/32
root@SRX1400# set security nat proxy-arp interface ge-0/0/0.0 address 10.0.0.100/32
root@SRX1400# set security address-book global address web 172.16.1.1/32
root@SRX1400# set security policies from-zone untrust to-zone untrust web match source-address any destination-address web application any
root@SRX1400# set security policies from-zone untrust to-zone trust policy web then permit
root@SRX1400# insert security policies from-zone untrust to-zone trust web before policy default-deny