2025-03-28 Update From: SLTechnology News&Howtos, shulou (Network Security)
Shulou(Shulou.com)06/01 Report--
1. Source NAT
For network segments that must not be NATed (such as IPSec ××), first switch NAT off for those addresses (skip this if there are none). Junos evaluates the rules of a rule-set in configuration order, so this no-nat rule has to come before the catch-all rules that follow:
set security nat source rule-set trust-untrust rule no-nat match source-address 192.168.0.0/16
set security nat source rule-set trust-untrust rule no-nat match destination-address 10.10.0.0/24
set security nat source rule-set trust-untrust rule no-nat then source-nat off
For every network segment that needs Internet access or address translation, configure source NAT.
First, define the address pools (the public addresses to translate to):
set security nat source pool natpool1 address 112.48.20.11/32 to 112.48.20.15/32
set security nat source pool natpool2 address 112.48.20.21/32 to 112.48.20.30/32
Then configure the NAT rules that match source, destination and translation pool:
set security nat source rule-set trust-untrust from zone trust
set security nat source rule-set trust-untrust to zone untrust
// translate traffic to one specific destination with its own pool (omit the destination-address match if there is no specific destination)
set security nat source rule-set trust-untrust rule nat1 match source-address 0.0.0.0/0
set security nat source rule-set trust-untrust rule nat1 match destination-address 183.253.58.253/32
set security nat source rule-set trust-untrust rule nat1 then source-nat pool natpool1
// everything else, any source to any destination, is translated by the default rule
set security nat source rule-set trust-untrust rule nat2 match source-address 0.0.0.0/0
set security nat source rule-set trust-untrust rule nat2 match destination-address 0.0.0.0/0
set security nat source rule-set trust-untrust rule nat2 then source-nat pool natpool2
If a NAT pool contains addresses other than the interface's own address, the firewall has to answer ARP for them, so configure proxy-arp for those addresses:
set security nat proxy-arp interface ge-0/0/0.0 address 112.48.20.11/32 to 112.48.20.15/32
set security nat proxy-arp interface ge-0/0/0.0 address 112.48.20.21/32 to 112.48.20.30/32
Is that all? No, no, no! The security policy between the zones must not be forgotten.
// first define two address-book entries and add them to the address-set NET
set security zones security-zone trust address-book address 192.168.100.0 192.168.100.0/24
set security zones security-zone trust address-book address 192.168.200.0 192.168.200.0/24
set security zones security-zone trust address-book address-set NET address 192.168.100.0
set security zones security-zone trust address-book address-set NET address 192.168.200.0
// match the address-set in the policy from trust to untrust and permit it
set security policies from-zone trust to-zone untrust policy 1 match source-address NET
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit
At this point 192.168.100.0/24 and 192.168.200.0/24 can reach the Internet through NAT.
2. Destination NAT
Some servers need to be exposed to the public network. How is that done? Read on:
// first create the pool with the internal server address and port to map to
set security nat destination pool 1 address 192.168.168.168/32 port 443
// then create the destination NAT rule-set from untrust to trust and the rule that references the pool
set security nat destination rule-set desnat from zone untrust
set security nat destination rule-set desnat to zone trust
set security nat destination rule-set desnat rule server1 match source-address 0.0.0.0/0
// traffic to 112.48.20.2 on port 4430 is translated to the intranet server
set security nat destination rule-set desnat rule server1 match destination-address 112.48.20.2/32
set security nat destination rule-set desnat rule server1 match destination-port 4430
set security nat destination rule-set desnat rule server1 then destination-nat pool 1
The inter-zone security policy is again indispensable.
// create the address-book entry for the private server and a custom application for its port
set security zones security-zone trust address-book address server1 192.168.168.168/32
set applications application Service_4430 term Service_4430 protocol tcp
set applications application Service_4430 term Service_4430 source-port 0-65535
// policy lookup runs after destination NAT, so the application must match the translated port 443, not the public port 4430
set applications application Service_4430 term Service_4430 destination-port 443-443
// create the untrust to trust policy; it matches the private server address and the application
set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address server1
set security policies from-zone untrust to-zone trust policy 1 match application Service_4430
set security policies from-zone untrust to-zone trust policy 1 then permit
At this point the outside world can reach the intranet server via http://112.48.20.2:4430/.
Another problem: users on the private network cannot reach the internal server through its public address. A source NAT (hairpin) translation on the firewall solves this, as follows. Note that the destination NAT above only covers traffic from zone untrust, so a matching destination NAT rule-set from zone trust and a trust-to-trust security policy are needed as well:
// create the source NAT pool (the public address the internal server is mapped to)
set security nat source pool sorpool4 address 112.48.20.2/32
// create the trust to trust source NAT rule-set
set security nat source rule-set trust-trust from zone trust
set security nat source rule-set trust-trust to zone trust
set security nat source rule-set trust-trust rule server1 match source-address 0.0.0.0/0
set security nat source rule-set trust-trust rule server1 match destination-address 192.168.168.168/32
set security nat source rule-set trust-trust rule server1 match destination-port 443
set security nat source rule-set trust-trust rule server1 then source-nat pool sorpool4
At this point the intranet can also reach the internal server through its public address!
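To make the flow order behind all three sections concrete, here is an added Python model (not Junos code, and not from the original post) of the configuration above: destination NAT first, then policy lookup on the translated address and port, then source NAT. Zones are assumed by prefix (192.168.0.0/16 is trust, everything else untrust), the trust-side destination NAT rule and trust-to-trust policy needed for hairpinning are assumed additions, and the client addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, replace

def in_any(ip, prefixes):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(p) for p in prefixes)

def zone_of(ip):  # assumed route lookup: the page's 192.168.0.0/16 is trust, all else untrust
    return "trust" if in_any(ip, ["192.168.0.0/16"]) else "untrust"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
ANY = ["0.0.0.0/0"]
NET = ["192.168.100.0/24", "192.168.200.0/24"]        # address-set NET
SERVER1 = ["192.168.168.168/32"]                      # address-book entry server1

# Destination NAT: (from-zone, destination-address, destination-port) -> pool 1. The page has
# rule-set desnat from zone untrust only; the trust entry is the assumed hairpin rule-set.
DNAT_RULES = [
    ("untrust", "112.48.20.2", 4430, "192.168.168.168", 443),
    ("trust", "112.48.20.2", 4430, "192.168.168.168", 443),
]
# Security policies: (from-zone, to-zone, source-address, destination-address, port or None).
# Policy lookup runs after destination NAT, so the untrust->trust policy must match the
# translated server address and port 443, not the public 112.48.20.2:4430.
POLICIES = [
    ("trust", "untrust", NET, ANY, None),
    ("untrust", "trust", ANY, SERVER1, 443),          # Service_4430, translated port
    ("trust", "trust", ANY, SERVER1, 443),            # assumed intra-zone policy for hairpin
]
# Source NAT, first match wins: (from-zone, to-zone, destination-address, pool address).
SNAT_RULES = [
    ("trust", "untrust", ANY, "112.48.20.21"),        # nat2 -> natpool2
    ("trust", "trust", SERVER1, "112.48.20.2"),       # rule server1 -> sorpool4
]

def process(pkt):
    """Return the packet as it leaves the firewall, or None if no policy permits it."""
    from_zone = zone_of(pkt.src)
    for fz, dst, port, new_dst, new_port in DNAT_RULES:            # 1. destination NAT
        if fz == from_zone and pkt.dst == dst and pkt.dport == port:
            pkt = replace(pkt, dst=new_dst, dport=new_port)
            break
    to_zone = zone_of(pkt.dst)                                     # 2. zone of translated dst
    if not any(fz == from_zone and tz == to_zone and in_any(pkt.src, s) and in_any(pkt.dst, d)
               and app in (None, pkt.dport) for fz, tz, s, d, app in POLICIES):  # 3. policy
        return None
    for fz, tz, d, pool in SNAT_RULES:                             # 4. source NAT
        if fz == from_zone and tz == to_zone and in_any(pkt.dst, d):
            return replace(pkt, src=pool)
    return pkt
```

Changing the 443 in the untrust-to-trust policy to 4430 makes `process` return None for an external client, which is the failure a policy written against the public port produces on the real box.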
Any resemblance is pure coincidence; corrections are welcome!
© 2024 shulou.com SLNews company. All rights reserved.