1. Test topology:
2. Test summary:
3. Basic configuration:
A. Router R1:
interface Ethernet0/0
ip address 202.100.1.1 255.255.255.0
no shut
B. SRX firewall:
① Configure the interface addresses:
set interfaces ge-0/0/0.0 family inet address 202.100.1.10/24
set interfaces ge-0/0/1.0 family inet address 10.1.1.10/24
set interfaces ge-0/0/2.0 family inet address 192.168.1.10/24
② Assign the interfaces to zones:
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone dmz interfaces ge-0/0/2.0
③ Configure the inter-zone policy, allowing any traffic from trust to untrust:
set security policies from-zone trust to-zone untrust policy Permit-All match source-address any
set security policies from-zone trust to-zone untrust policy Permit-All match destination-address any
set security policies from-zone trust to-zone untrust policy Permit-All match application any
set security policies from-zone trust to-zone untrust policy Permit-All then permit
④ Configure the inter-zone policy, allowing any traffic from dmz to untrust:
set security policies from-zone dmz to-zone untrust policy Permit-All match source-address any
set security policies from-zone dmz to-zone untrust policy Permit-All match destination-address any
set security policies from-zone dmz to-zone untrust policy Permit-All match application any
set security policies from-zone dmz to-zone untrust policy Permit-All then permit
C. Host PC1:
IP: 10.1.1.8/24
GW: 10.1.1.10
D. Router R2:
interface f0/0
ip address 192.168.1.2 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 192.168.1.10
4. NAT configuration:
A. First NAT type:
Source NAT: interface NAT configuration:
A. Specify the NAT zones:
set security nat source rule-set Source-NAT from zone trust
set security nat source rule-set Source-NAT to zone untrust
B. Configure interface NAT:
set security nat source rule-set Source-NAT rule NAT-Interface match source-address 0.0.0.0/0
set security nat source rule-set Source-NAT rule NAT-Interface match destination-address 0.0.0.0/0
set security nat source rule-set Source-NAT rule NAT-Interface then source-nat interface
C. Commit the configuration:
commit
D. Verification:
Ping router R1's interface address from host PC1 while running debug ip icmp on R1: the echo replies are sent to 202.100.1.10, the firewall's untrust interface address, which shows that the requests arrived with the firewall interface address as their ICMP source address.
R1#
*Mar 2 01:35:56.797: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.10
*Mar 2 01:35:57.793: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.10
*Mar 2 01:35:58.809: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.10
*Mar 2 01:35:59.749: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.10
R1#
B. Second NAT type:
Source NAT: pool-based NAT configuration:
A. Configure the address pool:
set security nat source pool src-nat-pool1 address 202.100.1.11 to 202.100.1.13
B. Specify the NAT zones (already configured above, so this may be omitted):
set security nat source rule-set Source-NAT from zone trust
set security nat source rule-set Source-NAT to zone untrust
C. Configure pool-based NAT:
set security nat source rule-set Source-NAT rule NAT-pool match source-address 0.0.0.0/0
set security nat source rule-set Source-NAT rule NAT-pool match destination-address 0.0.0.0/0
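The following is an added example, not part of the original lab notes, that audits the two source-NAT setups above before they are committed. It parses the set-style statements into a small model and checks two things that commonly break a source-NAT lab: the rule-set's from/to zone pair must also be permitted by a security policy (NAT by itself never allows traffic), and a pool whose addresses lie inside the egress interface's subnet (here 202.100.1.11-13 inside ge-0/0/0.0's 202.100.1.0/24) needs proxy-ARP on the SRX under security nat proxy-arp, because the SRX does not answer ARP for pool addresses by default and R1's replies would then never reach it. The configuration text is transcribed from this page with the spacing corrected; the final `then source-nat pool src-nat-pool1` statement is an assumption, since the page's listing stops before the rule's action.

```python
"""Added example: audit the Junos set-style source-NAT configuration shown above."""
import ipaddress

# Transcribed from the page (interfaces, zones, policies, rule-set zones).
BASE_CONFIG = """
set interfaces ge-0/0/0.0 family inet address 202.100.1.10/24
set interfaces ge-0/0/1.0 family inet address 10.1.1.10/24
set interfaces ge-0/0/2.0 family inet address 192.168.1.10/24
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone dmz interfaces ge-0/0/2.0
set security policies from-zone trust to-zone untrust policy Permit-All match source-address any
set security policies from-zone trust to-zone untrust policy Permit-All match destination-address any
set security policies from-zone trust to-zone untrust policy Permit-All match application any
set security policies from-zone trust to-zone untrust policy Permit-All then permit
set security policies from-zone dmz to-zone untrust policy Permit-All match source-address any
set security policies from-zone dmz to-zone untrust policy Permit-All match destination-address any
set security policies from-zone dmz to-zone untrust policy Permit-All match application any
set security policies from-zone dmz to-zone untrust policy Permit-All then permit
set security nat source rule-set Source-NAT from zone trust
set security nat source rule-set Source-NAT to zone untrust
"""

# First variant on the page: translate to the egress interface address.
INTERFACE_NAT = """
set security nat source rule-set Source-NAT rule NAT-Interface match source-address 0.0.0.0/0
set security nat source rule-set Source-NAT rule NAT-Interface match destination-address 0.0.0.0/0
set security nat source rule-set Source-NAT rule NAT-Interface then source-nat interface
"""

# Second variant: translate to a pool. The last line is assumed; the page stops before it.
POOL_NAT = """
set security nat source pool src-nat-pool1 address 202.100.1.11 to 202.100.1.13
set security nat source rule-set Source-NAT rule NAT-pool match source-address 0.0.0.0/0
set security nat source rule-set Source-NAT rule NAT-pool match destination-address 0.0.0.0/0
set security nat source rule-set Source-NAT rule NAT-pool then source-nat pool src-nat-pool1
"""


def parse(config):
    """Build a minimal model from the statement types this audit cares about."""
    model = {"interfaces": {}, "zones": {}, "policies": set(), "pools": {}, "rule_sets": {}}
    for line in config.split("\n"):
        t = line.split()
        if not t or t[0] != "set":
            continue
        if t[1] == "interfaces" and "address" in t:
            model["interfaces"][t[2]] = ipaddress.ip_interface(t[t.index("address") + 1])
        elif t[1:4] == ["security", "zones", "security-zone"] and len(t) > 6 and t[5] == "interfaces":
            model["zones"].setdefault(t[4], []).append(t[6])
        elif t[1:3] == ["security", "policies"] and t[-2:] == ["then", "permit"]:
            model["policies"].add((t[4], t[6]))          # (from-zone, to-zone)
        elif t[1:5] == ["security", "nat", "source", "pool"]:
            model["pools"][t[5]] = (ipaddress.ip_address(t[7]), ipaddress.ip_address(t[9]))
        elif t[1:5] == ["security", "nat", "source", "rule-set"]:
            rs = model["rule_sets"].setdefault(t[5], {"from": None, "to": None, "rules": {}})
            if t[6] in ("from", "to"):
                rs[t[6]] = t[8]                          # "from zone X" / "to zone Y"
            elif t[6] == "rule":
                rule = rs["rules"].setdefault(t[7], {})
                if t[8:10] == ["then", "source-nat"]:
                    rule["action"] = "interface" if t[10] == "interface" else "pool:" + t[11]
    return model


def audit(config):
    """Return a list of findings; an empty list means the checks passed."""
    m = parse(config)
    findings = []
    for name, rs in m["rule_sets"].items():
        if (rs["from"], rs["to"]) not in m["policies"]:
            findings.append(f"rule-set {name}: no permit policy from-zone {rs['from']} "
                            f"to-zone {rs['to']}; NAT alone does not allow the traffic")
        for rname, rule in rs["rules"].items():
            action = rule.get("action")
            if action is None:
                findings.append(f"rule-set {name} rule {rname}: missing 'then source-nat' action")
            elif action.startswith("pool:"):
                pool = action[5:]
                if pool not in m["pools"]:
                    findings.append(f"rule-set {name} rule {rname}: pool {pool} is not defined")
                    continue
                lo, hi = m["pools"][pool]
                # Pool addresses inside the egress subnet are only reachable if the
                # SRX answers ARP for them (security nat proxy-arp on that interface).
                for iface in m["zones"].get(rs["to"], []):
                    net = m["interfaces"][iface].network
                    if lo in net and hi in net:
                        findings.append(f"pool {pool} ({lo}-{hi}) lies in {iface} subnet {net}: "
                                        f"configure proxy-arp on {iface} or return traffic is never answered")
    return findings


if __name__ == "__main__":
    for label, cfg in (("interface NAT", BASE_CONFIG + INTERFACE_NAT),
                       ("pool NAT", BASE_CONFIG + POOL_NAT)):
        print(label, "->", audit(cfg) or ["ok"])
```

Run against the interface-NAT variant the audit is clean; against the pool variant it reports the proxy-ARP requirement, which is exactly the step a ping from PC1 would fail on after the pool rule is committed. The parser only understands the statement forms used on this page, so extend it before applying it to a fuller configuration.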