Part 1: Introduction to Juniper SRX NAT

Network Address Translation (NAT) is a method of modifying or translating the network address information in packet headers. It can translate the source and/or destination address of a packet, and the translation can cover port numbers as well as IP addresses.

NAT types:

  1. Source NAT
     a. Interface-based source NAT
     b. Pool-based source NAT
  2. Destination NAT
  3. Static NAT

NAT rules: the NAT type determines the order in which NAT rules are processed. While the first packet of a flow is being processed, NAT rules are applied in the following order:

  1. Static NAT rules
  2. Destination NAT rules
  3. Route lookup
  4. Security policy lookup
  5. Reverse-mapped static NAT rules
  6. Source NAT rules

The figure below shows the order in which NAT rules are processed.

NAT rule sets: a rule set determines the direction of the traffic that NAT applies to, and each rule set contains one or more rules. Once a rule set matches traffic, every rule in it is evaluated against that traffic, and the matching rule specifies the action to take. The conditions a rule set can match on differ between NAT types.

A rule set specifies a set of general match conditions for traffic. For static NAT and destination NAT, a rule set specifies one of the following: a source interface, a source zone, or a source routing instance.

```
root@Juniper-vSRX# set security nat destination rule-set dst-nat from ?
Possible completions:
  interface            Source interface list
  routing-instance     Source routing instance list
  zone                 Source zone list
[edit]
root@Juniper-vSRX# set security nat static rule-set static-nat from ?
Possible completions:
  interface            Source interface list
  routing-instance     Source routing instance list
  zone                 Source zone list
[edit]
```

For a source NAT rule set, both source and destination conditions are configured: a source interface, zone, or routing instance, and a destination interface, zone, or routing instance.

```
root@Juniper-vSRX# set security nat source rule-set src-nat from ?
Possible completions:
  interface            Source interface list
  routing-instance     Source routing instance list
  zone                 Source zone list
[edit]
root@Juniper-vSRX# set security nat source rule-set src-nat to ?
Possible completions:
  interface            Destination interface list
  routing-instance     Destination routing instance list
  zone                 Destination zone list
[edit]
```

A packet may match more than one rule set; in that case, the rule set with the more specific match conditions is used. An interface match is considered more specific than a zone match, which in turn is more specific than a routing-instance match.

If a packet matches both a destination NAT rule set that specifies a source zone and a destination NAT rule set that specifies a source interface, the rule set that specifies the source interface is the more specific match.

Source NAT rule-set matching is more involved, because a source NAT rule set specifies both source and destination conditions. If a packet matches several source NAT rule sets, the rule set is chosen according to the following source/destination condition pairs, in order of priority:

  1. Source interface / destination interface
  2. Source zone / destination interface
  3. Source routing instance / destination interface
  4. Source interface / destination zone
  5. Source zone / destination zone
  6. Source routing instance / destination zone
  7. Source interface / destination routing instance
  8. Source zone / destination routing instance
  9. Source routing instance / destination routing instance

For example, suppose rule set A specifies a source interface and a destination zone, while rule set B specifies a source zone and a destination interface. If a packet matches both rule sets, rule set B is the more specific match.

The figure below shows the precedence of NAT rule sets.
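To make the nine-level precedence above concrete, here is an added Python model of rule-set selection, written for this article rather than taken from Junos: the per-side packet context (`Side`) and the `RuleSet` class are assumptions of the example. It also covers the single-sided selection (interface > zone > routing instance) used for destination and static NAT rule sets, so the earlier zone-versus-interface case is handled too.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Match kinds in decreasing specificity, as the SRX ranks them: interface > zone > routing-instance.
MATCH_KINDS = ("interface", "zone", "routing-instance")

# Source NAT rule-set precedence as (from-kind, to-kind), priorities 1..9 as listed above:
# the destination kind is the primary key and the source kind the secondary one.
SOURCE_NAT_PRECEDENCE: List[Tuple[str, str]] = [
    (src_kind, dst_kind) for dst_kind in MATCH_KINDS for src_kind in MATCH_KINDS
]

# Assumed packet context for one side of the flow, e.g.
# {"interface": "ge-0/0/1.0", "zone": "trust", "routing-instance": "default"}
Side = Dict[str, str]

@dataclass(frozen=True)
class RuleSet:
    name: str
    from_match: Tuple[str, str]                 # (kind, value), e.g. ("zone", "trust")
    to_match: Optional[Tuple[str, str]] = None  # only source NAT rule sets carry "to"

def _matches(side: Side, match: Tuple[str, str]) -> bool:
    kind, value = match
    return side.get(kind) == value

def select_source_rule_set(src: Side, dst: Side, rule_sets: List[RuleSet]) -> Optional[str]:
    """Return the name of the matching source NAT rule set with the best (lowest) priority rank."""
    best: Optional[Tuple[int, str]] = None
    for rs in rule_sets:
        if rs.to_match is None or not (_matches(src, rs.from_match) and _matches(dst, rs.to_match)):
            continue
        rank = SOURCE_NAT_PRECEDENCE.index((rs.from_match[0], rs.to_match[0]))
        if best is None or rank < best[0]:
            best = (rank, rs.name)
    return None if best is None else best[1]

def select_single_sided_rule_set(src: Side, rule_sets: List[RuleSet]) -> Optional[str]:
    """Destination and static NAT rule sets match on the source side only: interface > zone > RI."""
    best: Optional[Tuple[int, str]] = None
    for rs in rule_sets:
        if not _matches(src, rs.from_match):
            continue
        rank = MATCH_KINDS.index(rs.from_match[0])
        if best is None or rank < best[0]:
            best = (rank, rs.name)
    return None if best is None else best[1]
```

Feeding it the article's A/B example (A: source interface + destination zone, B: source zone + destination interface) returns B, which is priority 2 against A's priority 4.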

Part 2: Source NAT

1.1 Interface-based source NAT

When the company's internal network (trust zone) accesses the Internet (untrust zone), 192.168.100.0/24 is translated to 202.5.5.1, the IP address of the Juniper SRX's ge-0/0/0 interface, before the traffic leaves for the Internet.

a. Configure interface-based source NAT:

```
set security nat source rule-set src-nat from zone trust
set security nat source rule-set src-nat to zone untrust
set security nat source rule-set src-nat rule 1 match source-address 192.168.100.0/24
set security nat source rule-set src-nat rule 1 match destination-address 0.0.0.0/0
set security nat source rule-set src-nat rule 1 then source-nat interface
```

b. Enable logging:

```
set system syslog file nat-log any any
set system syslog file nat-log match RT_FLOW_SESSION
```

c. Define the address book and configure a policy that permits 192.168.100.0/24 to access the Internet, with logging:

```
set security zones security-zone trust address-book address 192.168.100.0/24 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy 1 match source-address 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit
set security policies from-zone trust to-zone untrust policy 1 then log session-init
set security policies from-zone trust to-zone untrust policy 1 then log session-close
```

d. Verify status

(1) View the log (shows the NAT translations):

```
root@Juniper-vSRX> show log nat-log
Apr 7 14:33:05 Juniper-vSRX clear-log[3384]: logfile cleared
Apr 7 14:33:16 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.100.10/60608->202.5.5.2/80 junos-http 202.5.5.1/26735->202.5.5.2/80 source rule 1 N/A N/A 6 1 trust untrust 13198 N/A(N/A) ge-0/0/1.0 UNKNOWN UNKNOWN UNKNOWN
Apr 7 14:33:23 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.168.100.10/60608->202.5.5.2/80 junos-http 202.5.5.1/26735->202.5.5.2/80 source rule 1 N/A N/A 6 1 trust untrust 13198 15(615) 10(526) 8 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/1.0 UNKNOWN

root@Juniper-vSRX>
```
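Each RT_FLOW_SESSION_CREATE/CLOSE line above carries the original 4-tuple, the translated 4-tuple and the NAT rule that fired, which is exactly what an analyst needs to map a public address/port seen on the Internet side back to the internal host. The following parser is an added example, not part of the original post or of Junos; the field layout it assumes is the one visible in the log output above, and `SAMPLE_CREATE` is copied from that output.

```python
import re
from typing import Dict, Optional, Tuple

# Field layout of RT_FLOW_SESSION_CREATE/CLOSE as seen in the output above:
#   orig-src/port->orig-dst/port service nat-src/port->nat-dst/port
#   <src-nat "type rule name" | N/A N/A> <dst-nat "type rule name" | N/A N/A>
#   protocol policy src-zone dst-zone session-id ...
_RULE = r"(?:N/A N/A|\S+ rule \S+)"
_SESSION_RE = re.compile(
    r"RT_FLOW_SESSION_(?P<event>CREATE|CLOSE): session (?:created|closed [^:]*:) "
    r"(?P<src>[^\s/]+)/(?P<sport>\d+)->(?P<dst>[^\s/]+)/(?P<dport>\d+) (?P<service>\S+) "
    r"(?P<nsrc>[^\s/]+)/(?P<nsport>\d+)->(?P<ndst>[^\s/]+)/(?P<ndport>\d+) "
    rf"(?P<rules>{_RULE} {_RULE}) "
    r"(?P<proto>\d+) (?P<policy>\S+) (?P<szone>\S+) (?P<dzone>\S+) (?P<sid>\d+)"
)

Rule = Optional[Tuple[str, str]]  # (rule type, rule name), or None when logged as N/A N/A

def _split_rules(field: str) -> Tuple[Rule, Rule]:
    """'source rule 1 N/A N/A' -> (('source', '1'), None); 'N/A N/A static rule 1' -> (None, ('static', '1'))."""
    tokens = field.split()
    src_rule: Rule = None if tokens[0] == "N/A" else (tokens[0], tokens[2])
    rest = tokens[2:] if src_rule is None else tokens[3:]
    dst_rule: Rule = None if rest[0] == "N/A" else (rest[0], rest[2])
    return src_rule, dst_rule

def parse_session(line: str) -> Optional[Dict[str, object]]:
    """Parse one session log line into original/translated 4-tuples plus the NAT rules that fired."""
    m = _SESSION_RE.search(line)
    if m is None:
        return None  # not a session record (e.g. the "logfile cleared" line)
    g = m.groupdict()
    src_rule, dst_rule = _split_rules(g["rules"])
    return {
        "event": g["event"], "session_id": int(g["sid"]), "policy": g["policy"],
        "service": g["service"], "zones": (g["szone"], g["dzone"]),
        "original": (g["src"], int(g["sport"]), g["dst"], int(g["dport"])),
        "translated": (g["nsrc"], int(g["nsport"]), g["ndst"], int(g["ndport"])),
        "src_nat_rule": src_rule, "dst_nat_rule": dst_rule,
        # Which side actually changed: lets an analyst map a public address/port back to the host.
        "source_translated": (g["src"], g["sport"]) != (g["nsrc"], g["nsport"]),
        "dest_translated": (g["dst"], g["dport"]) != (g["ndst"], g["ndport"]),
    }

# Sample input copied from the show log nat-log output above (interface-based source NAT).
SAMPLE_CREATE = ("Apr 7 14:33:16 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created "
                 "192.168.100.10/60608->202.5.5.2/80 junos-http 202.5.5.1/26735->202.5.5.2/80 "
                 "source rule 1 N/A N/A 6 1 trust untrust 13198 N/A(N/A) ge-0/0/1.0 UNKNOWN UNKNOWN UNKNOWN")
```

The same parser handles the destination NAT and static NAT lines later in this article, since those differ only in which rule field is N/A.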

(2) View the flow session:

```
root@Juniper-vSRX> show security flow session
Session ID: 13238, Policy name: 1/9, Timeout: 294, Valid
  In: 192.168.100.10/60608 --> 202.5.5.2/80;tcp, If: ge-0/0/1.0, Pkts: 3, Bytes: 124
  Out: 202.5.5.2/80 --> 202.5.5.1/26735;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 44
Total sessions: 1
```

(3) View the source NAT rule:

```
root@Juniper-vSRX> show security nat source rule all
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0

source NAT rule: 1                  Rule-set: src-i-nat
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : trust
  To zone                    : untrust
  Match
    Source addresses         : 192.168.100.0 - 192.168.100.255
    Destination addresses    : 0.0.0.0 - 255.255.255.255
  Action                     : interface
    Persistent NAT type      : N/A
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout       : 0
    Max session number       : 0
  Translation hits           : 3045
    Successful sessions      : 3045
    Failed sessions          : 0
  Number of sessions         : 0
```

1.2 Pool-based source NAT

When the company's internal network (trust zone) accesses the Internet (untrust zone), 192.168.100.0/24 is translated to the IP addresses 202.66.30.1-6 before the traffic leaves for the Internet.

a. Configure pool-based source NAT:

```
set security nat source pool nat-pool address 202.66.30.1/32 to 202.66.30.6/32
set security nat source rule-set src-p-nat from zone trust
set security nat source rule-set src-p-nat to zone untrust
set security nat source rule-set src-p-nat rule 1 match source-address 192.168.100.0/24
set security nat source rule-set src-p-nat rule 1 match destination-address 0.0.0.0/0
set security nat source rule-set src-p-nat rule 1 then source-nat pool nat-pool
set security nat proxy-arp interface ge-0/0/0.0 address 202.66.30.1/32 to 202.66.30.6/32
```

Note: if the translated IP addresses are not in the same subnet as the untrust interface's IP address, nat proxy-arp must be configured.

b. Enable logging:

```
set system syslog file nat-log any any
set system syslog file nat-log match RT_FLOW_SESSION
```

c. Define the address book and configure a policy that permits 192.168.100.0/24 to access the Internet, with logging:

```
set security zones security-zone trust address-book address 192.168.100.0/24 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy 1 match source-address 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit
set security policies from-zone trust to-zone untrust policy 1 then log session-init
set security policies from-zone trust to-zone untrust policy 1 then log session-close
```

d. Verify NAT status

(1) View the log (shows the NAT translations):

```
root@Juniper-vSRX> show log nat-log
Apr 7 14:16:13 Juniper-vSRX clear-log[3319]: logfile cleared
Apr 7 14:16:51 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.100.10/51074->202.5.5.2/23 junos-telnet 202.66.30.3/1907->202.5.5.2/23 source rule 1 N/A N/A 6 1 trust untrust 13187 N/A(N/A) ge-0/0/1.0 UNKNOWN UNKNOWN UNKNOWN
Apr 7 14:16:55 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.168.100.10/51074->202.5.5.2/23 junos-telnet 202.66.30.3/1907->202.5.5.2/23 source rule 1 N/A N/A 6 1 trust untrust 13187 12(512) 7(333) 4 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/1.0 UNKNOWN
```

(2) View the flow session:

```
root@Juniper-vSRX> show security flow session
Session ID: 13245, Policy name: 1/9, Timeout: 8, Valid
  In: 192.168.100.10/51074 --> 202.5.5.2/23;tcp, If: ge-0/0/1.0, Pkts: 3, Bytes: 132
  Out: 202.5.5.2/23 --> 202.66.30.3/1907;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 44
Total sessions: 1
```

(3) View the source NAT rule:

```
root@Juniper-vSRX> show security nat source rule all
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0

source NAT rule: 1                  Rule-set: src-p-nat
  Rule-Id                    : 2
  Rule position              : 1
  From zone                  : trust
  To zone                    : untrust
  Match
    Source addresses         : 192.168.100.0 - 192.168.100.255
    Destination addresses    : 0.0.0.0 - 255.255.255.255
  Action                     : nat-pool
    Persistent NAT type      : N/A
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout       : 0
    Max session number       : 0
  Translation hits           : 1100
    Successful sessions      : 1100
    Failed sessions          : 0
  Number of sessions         : 0
```

Part 3: Destination NAT

The company's internal web server is exposed to the outside: 210.5.5.1:8080 is mapped to 192.168.100.10:80.

a. Configure destination NAT:

```
set security nat destination pool dst-nat-pool1 address 192.168.100.10/32
set security nat destination pool dst-nat-pool1 address port 80
set security nat destination rule-set 1 from zone untrust
set security nat destination rule-set 1 rule dst-nat-rule1 match destination-address 202.5.5.1/32
set security nat destination rule-set 1 rule dst-nat-rule1 match destination-port 8080
set security nat destination rule-set 1 rule dst-nat-rule1 match protocol tcp
set security nat destination rule-set 1 rule dst-nat-rule1 then destination-nat pool dst-nat-pool1
```

b. Enable logging:

```
set system syslog file nat-log any any
set system syslog file nat-log match RT_FLOW_SESSION
```

c. Define the address book and configure a policy that allows port 80 of 192.168.100.10/30 to be reached, with logging:

```
set security zones security-zone trust address-book address 192.168.100.0/24 192.168.100.0/24
set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address 192.168.100.10/32
set security policies from-zone untrust to-zone trust policy 1 match application junos-http
set security policies from-zone untrust to-zone trust policy 1 then permit
set security policies from-zone untrust to-zone trust policy 1 then log session-init
set security policies from-zone untrust to-zone trust policy 1 then log session-close
```

d. Verify NAT status

(1) View the log (shows the NAT translations):

```
root@Juniper-vSRX> show log nat-log
Apr 7 15:28:43 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 202.5.5.2/13634->202.5.5.1/8080 junos-http 202.5.5.2/13634->192.168.100.10/80 N/A N/A destination rule dst-nat-rule1 6 1 untrust trust 13213 N/A(N/A) ge-0/0/0.0 UNKNOWN UNKNOWN UNKNOWN
Apr 7 15:29:31 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 202.5.5.2/13634->202.5.5.1/8080 junos-http 202.5.5.2/13634->192.168.100.10/80 N/A N/A destination rule dst-nat-rule1 6 1 untrust trust 13213 9(369) 6(366) 49 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN
```

(2) View the flow session:

```
root@Juniper-vSRX> show security flow session
Session ID: 13213, Policy name: 1/6, Timeout: 290, Valid
  In: 202.5.5.2/13634 --> 202.5.5.1/8080;tcp, If: ge-0/0/0.0, Pkts: 3, Bytes: 124
  Out: 192.168.100.10/80 --> 202.5.5.2/13634;tcp, If: ge-0/0/1.0, Pkts: 1, Bytes: 44
Total sessions: 1
```

(3) View the destination NAT rule:

```
root@Juniper-vSRX> show security nat destination rule all
Total destination-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 1/0

Destination NAT rule: dst-nat-rule1       Rule-set: 1
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : untrust
    Destination addresses    : 202.5.5.1 - 202.5.5.1
    Destination port         : 8080 - 8080
    IP protocol              : tcp
  Action                     : dst-nat-pool1
  Translation hits           : 7
    Successful sessions      : 3
    Failed sessions          : 4
  Number of sessions         : 1
```

Part 4: Static NAT

Static NAT provides a one-to-one mapping. Static NAT does not perform PAT and does not require a pool. If traffic arrives from the untrust zone with destination address 202.5.5.253, its destination address is rewritten to 192.168.100.10; conversely, if traffic leaves toward the untrust zone with source address 192.168.100.10, its source address is rewritten to 202.5.5.253.

a. Configure static NAT:

```
set security nat static rule-set static-nat from zone untrust
set security nat static rule-set static-nat rule 1 match destination-address 202.5.5.253/32
set security nat static rule-set static-nat rule 1 then static-nat prefix 192.168.100.10/32
set security nat proxy-arp interface ge-0/0/0.0 address 202.5.5.253/32
```

b. Enable logging:

```
set system syslog file nat-log any any
set system syslog file nat-log match RT_FLOW_SESSION
```

c. Define the address book and configure policies that allow 192.168.100.10/30 both to initiate connections and to be reached, with logging:

```
set security zones security-zone trust address-book address 192.168.100.0/24 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy 1 match source-address 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit
set security policies from-zone trust to-zone untrust policy 1 then log session-init
set security policies from-zone trust to-zone untrust policy 1 then log session-close

set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address 192.168.100.10/32
set security policies from-zone untrust to-zone trust policy 1 match application any
set security policies from-zone untrust to-zone trust policy 1 then permit
set security policies from-zone untrust to-zone trust policy 1 then log session-init
set security policies from-zone untrust to-zone trust policy 1 then log session-close
```

d. Verify NAT status

(1) View the log (shows the NAT translations):

```
root@Juniper-vSRX> show log nat-log
Apr 7 17:14:03 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.100.10/59188->202.5.5.2/23 junos-telnet 202.5.5.253/59188->202.5.5.2/23 static rule 1 N/A N/A 6 1 trust untrust 13235 N/A(N/A) ge-0/0/1.0 UNKNOWN UNKNOWN UNKNOWN
Apr 7 17:14:19 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 202.5.5.2/13604->202.5.5.253/80 junos-http 202.5.5.2/13604->192.168.100.10/80 N/A N/A static rule 1 6 1 untrust trust 13236 N/A(N/A) ge-0/0/0.0 UNKNOWN UNKNOWN UNKNOWN
Apr 7 17:14:47 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.168.100.10/59188->202.5.5.2/23 junos-telnet 202.5.5.253/59188->202.5.5.2/23 static rule 1 N/A N/A 6 1 trust untrust 13235 24(1001) 19(850) 45 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/1.0 UNKNOWN
Apr 7 17:14:51 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 202.5.5.2/13604->202.5.5.253/80 junos-http 202.5.5.2/13604->192.168.100.10/80 N/A N/A static rule 1 6 1 untrust trust 13236 9(369) 6(366) 33 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN
```

Note that the same static rule appears once as the source NAT rule (outbound session 13235, source rewritten to 202.5.5.253) and once as the destination NAT rule (inbound session 13236, destination rewritten to 192.168.100.10), which is the bidirectional behaviour described above.

(2) View the flow sessions:

```
root@Juniper-vSRX> show security flow session
Session ID: 13235, Policy name: 1/9, Timeout: 1780, Valid
  In: 192.168.100.10/59188 --> 202.5.5.2/23;tcp, If: ge-0/0/1.0, Pkts: 15, Bytes: 635
  Out: 202.5.5.2/23 --> 202.5.5.253/59188;tcp, If: ge-0/0/0.0, Pkts: 11, Bytes: 518

Session ID: 13236, Policy name: 1/6, Timeout: 294, Valid
  In: 202.5.5.2/13604 --> 202.5.5.253/80;tcp, If: ge-0/0/0.0, Pkts: 3, Bytes: 124
  Out: 192.168.100.10/80 --> 202.5.5.2/13604;tcp, If: ge-0/0/1.0, Pkts: 1, Bytes: 44
Total sessions: 2
```

(3) View the static NAT rule:

```
root@Juniper-vSRX> show security nat static rule all
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0

Static NAT rule: 1                  Rule-set: static-nat
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : untrust
    Destination addresses    : 202.5.5.253
    Host addresses           : 192.168.100.10
    Netmask                  : 32
    Host routing-instance    : N/A
  Translation hits           : 5
    Successful sessions      : 5
    Failed sessions          : 0
  Number of sessions         : 0
```