November 5, 2014
 

Default SNAT rule

The existing rule set translates every session from zone trust to zone untrust to the address of the egress interface (interface-based PAT):

username@SRX240H2# show security nat source
rule-set trust-to-untrust {
    from zone trust;
    to zone untrust;
    rule source-nat-rule {
        match {
            source-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}

Adding a SNAT rule (internal hosts use a specific IP address to reach the Internet)

Add an address pool

pool SNAT_100_165 {
    address {
        113.106.100.165/32;
    }
}

Add a rule. Note that the match below is a prefix, not a host: the /22 mask, not the host bits, decides what is matched, so this rule covers 192.168.152.0 through 192.168.155.255. If only the single host 192.168.153.110 should leave through SNAT_100_165, match it as 192.168.153.110/32.

    rule single-ip-nat {
        match {
            source-address 192.168.153.110/22;
        }
        then {
            source-nat {
                pool {
                    SNAT_100_165;
                }
            }
        }
    }


Reordering the SNAT rules

Rules inside a rule set are evaluated top-down and the first match wins. A newly added rule is appended after the existing source-nat-rule, whose 0.0.0.0/0 match catches everything, so the new rule would never be hit. Move it in front with insert (run from the [edit security nat source rule-set trust-to-untrust] hierarchy; from the top [edit] level give the full path, insert security nat source rule-set trust-to-untrust rule single-ip-nat before rule source-nat-rule):

username@SRX240H2# insert rule single-ip-nat before rule source-nat-rule


Viewing the SNAT configuration

username@SRX240H2# show security nat source
pool SNAT_100_165 {
    address {
        113.106.100.165/32;
    }
}
rule-set trust-to-untrust {
    from zone trust;
    to zone untrust;
    rule single-ip-nat {
        match {
            source-address 192.168.153.110/22;
        }
        then {
            source-nat {
                pool {
                    SNAT_100_165;
                }
            }
        }
    }
    rule source-nat-rule {
        match {
            source-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}
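The two points the procedure above depends on, first-match rule evaluation and the real scope of a prefix match, are easy to get wrong silently. The following Python model is an added example, not code from the original post or from Junos: it evaluates a list of (rule name, match prefix, action) tuples the way a source NAT rule set is evaluated, reports rules that an earlier, broader rule shadows, and shows what 192.168.153.110/22 actually covers. The rule lists are constructed from the configuration shown on this page; nothing here talks to a device.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed model of the rule set on this page: (rule name, match prefix, action).
# Junos evaluates the rules of a source NAT rule set top-down; the first match wins.
Rule = Tuple[str, str, str]

# Order as it stands right after "set ... rule single-ip-nat" (appended last).
RULES_BEFORE_INSERT: List[Rule] = [
    ("source-nat-rule", "0.0.0.0/0", "interface"),
    ("single-ip-nat", "192.168.153.110/22", "pool SNAT_100_165"),
]

# Order after "insert rule single-ip-nat before rule source-nat-rule".
RULES_AFTER_INSERT: List[Rule] = [
    ("single-ip-nat", "192.168.153.110/22", "pool SNAT_100_165"),
    ("source-nat-rule", "0.0.0.0/0", "interface"),
]


def match_network(prefix: str) -> ipaddress.IPv4Network:
    """Network a prefix match covers; host bits in the written prefix do not narrow it."""
    return ipaddress.ip_network(prefix, strict=False)


def first_match(rules: List[Rule], src: str) -> Optional[Rule]:
    """First-match lookup over the rule list, the way a rule set is evaluated."""
    addr = ipaddress.ip_address(src)
    for rule in rules:
        if addr in match_network(rule[1]):
            return rule
    return None


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never match because an earlier rule's prefix contains theirs."""
    shadowed = []
    for i, (name, prefix, _) in enumerate(rules):
        net = match_network(prefix)
        if any(net.subnet_of(match_network(p)) for _, p, _ in rules[:i]):
            shadowed.append(name)
    return shadowed


if __name__ == "__main__":
    host = "192.168.153.110"
    for label, rules in (("before insert", RULES_BEFORE_INSERT), ("after insert", RULES_AFTER_INSERT)):
        hit = first_match(rules, host)
        print(f"{label}: {host} -> {hit[0]} ({hit[2]}); shadowed: {shadowed_rules(rules)}")
    net = match_network("192.168.153.110/22")
    print(f"192.168.153.110/22 really matches {net} ({net.num_addresses} addresses)")
```

Before the insert the lookup for 192.168.153.110 lands on source-nat-rule and single-ip-nat is reported as shadowed; after it the host is translated through SNAT_100_165, but so is every address in 192.168.152.0/22, which is the scope check to run before committing a rule named for a single IP.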

Verification

The summary below is operational output (hence run from configuration mode), so it reflects the committed configuration; the new pool and rule only take effect after commit. The rule table confirms the order, with single-ip-nat listed before source-nat-rule. To confirm that live traffic actually uses the pool, check a session from the host with run show security flow session source-prefix 192.168.153.110/32 and look at the translated source address.

username@SRX240H2# run show security nat source summary
Total port number usage for port translation pool: 645120
Maximum port number for port translation pool: 67108864
Total pools: 10
Pool                 Address                  Routing              PAT  Total
Name                 Range                    Instance                  Address
SNAT_100_165         113.106.100.165-113.106.100.165 default           yes  1
SNAT_100_164         113.106.100.164-113.106.100.164 default           yes  1
SNAT_100_196         113.106.100.196-113.106.100.196 default           yes  1
SNAT_100_197         113.106.100.197-113.106.100.197 default           yes  1
SNAT_100_198         113.106.100.198-113.106.100.198 default           yes  1
SNAT_100_199         113.106.100.199-113.106.100.199 default           yes  1
SNAT_100_200         113.106.100.200-113.106.100.200 default           yes  1
SNAT_100_201         113.106.100.201-113.106.100.201 default           yes  1
SNAT_100_202         113.106.100.202-113.106.100.202 default           yes  1
SNAT_100_203         113.106.100.203-113.106.100.203 default           yes  1

Total rules: 2
Rule name          Rule set       From              To                   Action
single-ip-nat      trust-to-untrust trust           untrust              SNAT_100_165
source-nat-rule    trust-to-untrust trust           untrust              interface

[edit]
username@SRX240H2#
