2025-04-13 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
1. Test topology:
2. Test Summary:
3. Basic configuration:
A. Router R1:
interface Ethernet0/0
ip address 202.100.1.1 255.255.255.0
no shut
B. Firewall SRX:
① Configure interface addresses:
set interfaces ge-0/0/0.0 family inet address 202.100.1.10/24
set interfaces ge-0/0/1.0 family inet address 10.1.1.10/24
set interfaces ge-0/0/2.0 family inet address 192.168.1.10/24
② Assign interfaces to zones:
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone dmz interfaces ge-0/0/2.0
③ Configure inter-zone policies to allow any access from trust to untrust:
set security policies from-zone trust to-zone untrust policy Permit-All match source-address any
set security policies from-zone trust to-zone untrust policy Permit-All match destination-address any
set security policies from-zone trust to-zone untrust policy Permit-All match application any
set security policies from-zone trust to-zone untrust policy Permit-All then permit
Configure inter-zone policies to allow any access from dmz to untrust:
set security policies from-zone dmz to-zone untrust policy Permit-All match source-address any
set security policies from-zone dmz to-zone untrust policy Permit-All match destination-address any
set security policies from-zone dmz to-zone untrust policy Permit-All match application any
set security policies from-zone dmz to-zone untrust policy Permit-All then permit
C. Host PC1:
IP:10.1.1.8/24
GW:10.1.1.10
D. Router R2:
interface f0/0
ip address 192.168.1.2 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 192.168.1.10
4. NAT configuration:
A. The first NAT:
Source NAT: Interface NAT Configuration:
A. Specify the NAT zone:
set security nat source rule-set Source-NAT from zone trust
set security nat source rule-set Source-NAT to zone untrust
B. Configure interface NAT:
set security nat source rule-set Source-NAT rule NAT-Interface match source-address 0.0.0.0/0
set security nat source rule-set Source-NAT rule NAT-Interface match destination-address 0.0.0.0/0
set security nat source rule-set Source-NAT rule NAT-Interface then source-nat interface
C. Commit the configuration:
commit
D. Verification:
Ping router R1's interface address from host PC1 with debug ip icmp enabled on R1. The ICMP source address that R1 sees is the firewall's interface address, which appears as dst in R1's echo replies:
R1#
*Mar 2 01:35:56.797: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.10
*Mar 2 01:35:57.793: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.10
*Mar 2 01:35:58.809: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.10
*Mar 2 01:35:59.749: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.10
R1#
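The same verification can be scripted. The following is an added example, not part of the original article: it parses R1's debug ip icmp reply lines and reports whether each peer address is the SRX interface address, an address from the pool 202.100.1.11 to 202.100.1.13 configured in the second NAT section, or an untranslated inside address. The function names are hypothetical and the last two sample lines are constructed.

```python
import ipaddress
import re

# Addresses taken from the page's topology and NAT configuration.
SRX_UNTRUST_IF = ipaddress.ip_address("202.100.1.10")
POOL_FIRST = ipaddress.ip_address("202.100.1.11")
POOL_LAST = ipaddress.ip_address("202.100.1.13")
INSIDE_NETS = [ipaddress.ip_network("10.1.1.0/24"),     # trust
               ipaddress.ip_network("192.168.1.0/24")]  # dmz

# Matches IOS "debug ip icmp" echo-reply lines in the format shown on the page.
REPLY_RE = re.compile(
    r"ICMP: echo reply sent, src (?P<src>\d+\.\d+\.\d+\.\d+), "
    r"dst (?P<dst>\d+\.\d+\.\d+\.\d+)")


def classify(peer):
    """Say which translation, if any, produced the address R1 replied to."""
    try:
        ip = ipaddress.ip_address(peer)
    except ValueError:
        return "unexpected"
    if ip == SRX_UNTRUST_IF:
        return "interface-nat"
    if POOL_FIRST <= ip <= POOL_LAST:
        return "pool-nat"
    if any(ip in net for net in INSIDE_NETS):
        return "untranslated"  # inside address visible on the untrust side
    return "unexpected"


def audit(debug_text):
    """Return (peer address, verdict) for every echo reply in the debug output."""
    results = []
    for line in debug_text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            results.append((m["dst"], classify(m["dst"])))
    return results


# The first two lines are from the page; the last two are constructed samples.
SAMPLE = """\
*Mar 2 01:35:56.797: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.10
*Mar 2 01:35:57.793: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.10
*Mar 2 01:40:02.101: ICMP: echo reply sent, src 202.100.1.1, dst 202.100.1.12
*Mar 2 01:41:10.455: ICMP: echo reply sent, src 202.100.1.1, dst 10.1.1.8
"""

if __name__ == "__main__":
    for peer, verdict in audit(SAMPLE):
        print(f"{peer:15} {verdict}")
```

An "untranslated" verdict means an inside address reached R1 unchanged, so the traffic matched no source NAT rule.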
B. Second NAT:
Source NAT: Pool-based NAT Configuration:
A. Configure the address pool:
set security nat source pool src-nat-pool1 address 202.100.1.11 to 202.100.1.13
B. Specify the NAT zone (already configured above, so this step can be skipped):
set security nat source rule-set Source-NAT from zone trust
set security nat source rule-set Source-NAT to zone untrust
C. Configure pool-based NAT:
set security nat source rule-set Source-NAT rule NAT-pool match source-address 0.0.0.0/0
set security nat source rule-set Source-NAT rule NAT-pool match destination-address 0.0.0.0/0