Juniper srx Firewall configuration case

2025-04-06 Update From: SLTechnology News&Howtos > Network Security

Shulou (Shulou.com) 06/01 Report

SRX source NAT

set interfaces ge-0/0/0 unit 0 family inet address 192.168.2.254/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.114.190/24
set interfaces ge-0/0/2 unit 0 family inet address 172.16.2.254/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.114.254
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone dmz interfaces ge-0/0/2.0
set security zones security-zone dmz interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
set security zones security-zone dmz interfaces ge-0/0/2.0 host-inbound-traffic system-services ssh
set security zones security-zone trust address-book address trust-add 192.168.2.0/24
set security policies from-zone trust to-zone untrust policy trust-untrust match source-address trust-add
set security policies from-zone trust to-zone untrust policy trust-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-untrust then permit

1. Source NAT (port translation)

set security nat source rule-set source-NAT from zone trust
set security nat source rule-set source-NAT to zone untrust
set security nat source rule-set source-NAT rule PAT match source-address 192.168.2.0/24
set security nat source rule-set source-NAT rule PAT then source-nat interface

2. Source NAT (address pool)

set security nat source pool source-NAT-POOL address 192.168.114.100/32 to 192.168.114.110/32    // pool translation hands out the pool addresses in turn (round-robin) //
set security nat source rule-set source-NAT from zone trust
set security nat source rule-set source-NAT to zone untrust
set security nat source rule-set source-NAT rule NAT1 match source-address 192.168.2.0/24
set security nat source rule-set source-NAT rule NAT1 then source-nat pool source-NAT-POOL
set security nat proxy-arp interface ge-0/0/1.0 address 192.168.114.100/32 to 192.168.114.110/32    // proxy ARP must be configured for the pool addresses when address-pool translation is used //

root@vSRX# run show security nat source rule all

root@vSRX# run show security policies

root@vSRX# run show security flow session
Session ID: 2579, Policy name: trust-untrust/7, Timeout: 2, Valid
  In: 192.168.2.110/5632 --> 192.168.114.20/512;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 192.168.114.20/512 --> 192.168.114.106/1138;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60

insert security nat source rule-set source-NAT rule NAT1 before rule PAT    // insert rule NAT1 ahead of rule PAT so that pool translation is tried first and PAT (interface) translation afterwards //

root@vSRX# run show security nat source summary
Total port number usage for port translation pool: 709632
Maximum port number for port translation pool: 16777216
Total pools: 1
Pool               Address                           Routing     PAT   Total
Name               Range                             Instance          Address
source-NAT-POOL    192.168.114.100-192.168.114.110   default     yes   11

Total rules: 2
Rule name    Rule set     From     To        Action
NAT1         source-NAT   trust    untrust   source-NAT-POOL
PAT          source-NAT   trust    untrust   interface

root@vSRX# run show security flow session    // pool addresses are allocated in turn and reused across sessions //
Session ID: 3017, Policy name: trust-untrust/7, Timeout: 2, Valid
  In: 192.168.2.110/9728 --> 192.168.114.20/512;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 192.168.114.20/512 --> 192.168.114.103/12564;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60

Session ID: 3018, Policy name: trust-untrust/7, Timeout: 2, Valid
  In: 192.168.2.110/9984 --> 192.168.114.20/512;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 192.168.114.20/512 --> 192.168.114.104/16881;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
Total sessions: 2

Session ID: 3019, Policy name: trust-untrust/7, Timeout: 2, Valid
  In: 192.168.2.110/10240 --> 192.168.114.20/512;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 192.168.114.20/512 --> 192.168.114.105/13679;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60

Session ID: 3020, Policy name: trust-untrust/7, Timeout: 2, Valid
  In: 192.168.2.110/10496 --> 192.168.114.20/512;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 192.168.114.20/512 --> 192.168.114.106/17443;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
Total sessions: 2

root@vSRX# set security nat source pool source-NAT-POOL port no-translation    // disables port translation (PAT): dynamic one-to-one address mapping, with the interface address reused last //

Session ID: 4546, Policy name: trust-untrust/7, Timeout: 1796, Valid
  In: 192.168.2.110/1761 --> 220.181.90.240/80;tcp, If: ge-0/0/0.0, Pkts: 4, Bytes: 912
  Out: 220.181.90.240/80 --> 192.168.114.102/1761;tcp, If: ge-0/0/1.0, Pkts: 2, Bytes: 319

Session ID: 4556, Policy name: trust-untrust/7, Timeout: 1800, Valid
  In: 192.168.2.110/1762 --> 119.97.155.2/80;tcp, If: ge-0/0/0.0, Pkts: 34, Bytes: 2138
  Out: 119.97.155.2/80 --> 192.168.114.102/1762;tcp, If: ge-0/0/1.0, Pkts: 61, Bytes: 75406

Session ID: 4557, Policy name: trust-untrust/7, Timeout: 1798, Valid
  In: 192.168.2.110/1763 --> 119.97.155.2/80;tcp, If: ge-0/0/0.0, Pkts: 7, Bytes: 837
  Out: 119.97.155.2/80 --> 192.168.114.102/1763;tcp, If: ge-0/0/1.0, Pkts: 8, Bytes: 8278
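The session listings above are the only place the firewall shows you which pool address and which port a given inside host actually got, so when verifying a source NAT change it helps to extract that mapping mechanically rather than read it off by eye. The following Python parser is an added example, not part of the original article: it pairs the In and Out wings of each session, derives the original-to-translated source mapping (the Out wing's destination is the translated source), and reports whether the source port was rewritten (pool with PAT) or preserved (pool with port no-translation). The sample text it runs on is constructed here, modeled on the sessions shown in the article.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modeled on the article's `show security flow session` output:
# two ICMP sessions translated through the pool (ports rewritten) and one TCP session
# recorded after `port no-translation` was set (port preserved).
SAMPLE_OUTPUT = """
Session ID: 3017, Policy name: trust-untrust/7, Timeout: 2, Valid
  In: 192.168.2.110/9728 --> 192.168.114.20/512;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 192.168.114.20/512 --> 192.168.114.103/12564;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60

Session ID: 3018, Policy name: trust-untrust/7, Timeout: 2, Valid
  In: 192.168.2.110/9984 --> 192.168.114.20/512;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 192.168.114.20/512 --> 192.168.114.104/16881;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60

Session ID: 4546, Policy name: trust-untrust/7, Timeout: 1796, Valid
  In: 192.168.2.110/1761 --> 220.181.90.240/80;tcp, If: ge-0/0/0.0, Pkts: 4, Bytes: 912
  Out: 220.181.90.240/80 --> 192.168.114.102/1761;tcp, If: ge-0/0/1.0, Pkts: 2, Bytes: 319
"""

SESSION_RE = re.compile(r"Session ID:\s*(\d+),\s*Policy name:\s*(\S+),")
WING_RE = re.compile(
    r"^\s*(In|Out):\s*(\S+?)/(\d+)\s*-->\s*(\S+?)/(\d+);(\w+),\s*If:\s*(\S+),"
)


@dataclass
class NatSession:
    session_id: int
    policy: str
    proto: str
    orig_src: str      # inside host as seen on the In wing
    orig_sport: int
    dst: str
    dport: int
    nat_src: str       # address the outside peer sees (destination of the Out wing)
    nat_sport: int

    @property
    def port_preserved(self) -> bool:
        # True when only the address was translated (pool with port no-translation)
        return self.orig_sport == self.nat_sport


def parse_flow_sessions(text: str) -> List[NatSession]:
    """Pair each session's In and Out wings and derive the source-NAT mapping."""
    sessions: List[NatSession] = []
    cur: Optional[dict] = None
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            cur = {"id": int(m.group(1)), "policy": m.group(2)}
            continue
        w = WING_RE.match(line)
        if not (w and cur):
            continue
        direction, src, sport, dst, dport, proto, _iface = w.groups()
        if direction == "In":
            cur.update(orig_src=src, orig_sport=int(sport), dst=dst, dport=int(dport), proto=proto)
        elif "orig_src" in cur:
            # The Out wing is the reply direction: its destination is the translated source.
            sessions.append(NatSession(cur["id"], cur["policy"], cur["proto"],
                                       cur["orig_src"], cur["orig_sport"], cur["dst"], cur["dport"],
                                       dst, int(dport)))
            cur = None
    return sessions


def pool_usage(sessions: List[NatSession]) -> Dict[str, int]:
    """How many sessions each translated (pool or interface) address is carrying."""
    usage: Dict[str, int] = {}
    for s in sessions:
        usage[s.nat_src] = usage.get(s.nat_src, 0) + 1
    return usage


def port_translated_ids(sessions: List[NatSession]) -> List[int]:
    """Session IDs where the source port was rewritten as well as the address."""
    return [s.session_id for s in sessions if not s.port_preserved]


if __name__ == "__main__":
    parsed = parse_flow_sessions(SAMPLE_OUTPUT)
    for s in parsed:
        print(f"{s.session_id}: {s.orig_src}:{s.orig_sport} -> {s.nat_src}:{s.nat_sport} "
              f"({s.proto}, port {'kept' if s.port_preserved else 'rewritten'})")
    print("pool usage:", pool_usage(parsed))
```

Run it against the text of `run show security flow session` captured from the device; `pool_usage` shows whether the pool is really being rotated through, and `port_translated_ids` being empty after `port no-translation` is committed confirms the one-to-one behaviour the article demonstrates.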

SRX destination NAT (the equivalent of Cisco static PAT, i.e. static port mapping)

Translate DMZ host 172.16.2.22 port 23 to untrust address 192.168.114.250 port 2323

set security nat destination pool DMZ-Server-telnet address 172.16.2.22/32
set security nat destination pool DMZ-Server-telnet address port 23
set security nat destination pool DMZ-Server-http address 172.16.2.22/32
set security nat destination pool DMZ-Server-http address port 80
set security nat destination rule-set Dest-NAT from zone untrust
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-telnet match source-address 0.0.0.0/0
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-telnet match destination-address 192.168.114.114/32
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-telnet match destination-port 2323
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-telnet then destination-nat pool DMZ-Server-telnet
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-http match source-address 0.0.0.0/0
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-http match destination-address 192.168.114.114/32
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-http match destination-port 80
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-http then destination-nat pool DMZ-Server-http
set security nat proxy-arp interface ge-0/0/1.0 address 192.168.114.114/32
set security zones security-zone dmz address-book address DMZ-Server 172.16.2.22/32
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ match source-address any
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ match destination-address DMZ-Server
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ match application junos-http
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ match application junos-telnet
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ then permit

Static NAT: a static one-to-one mapping that translates in both directions (the source address on outbound traffic, the destination address on inbound traffic)

set security nat static rule-set Static-NAT from zone untrust
set security nat static rule-set Static-NAT rule 1to1 match destination-address 192.168.114.250/32
set security nat static rule-set Static-NAT rule 1to1 then static-nat prefix 172.16.2.22/32
set security nat proxy-arp interface ge-0/0/1.0 address 192.168.114.250/32
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ-ftp match source-address any
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ-ftp match destination-address DMZ-Server
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ-ftp match application junos-ftp
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ-ftp then permit
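Every NAT variant in this case (the source pool, the destination NAT rules and the static NAT rule) relies on the same detail: an address on the untrust segment that is not the interface's own address needs a proxy-arp entry, or the upstream router never learns where to send the packets. Forgetting it is the most common reason such a configuration "commits fine but does not work". The Python script below is an added example and not part of the original article: it reads a set-style configuration, collects every external address that NAT rules or pools use, subtracts the interface addresses and the proxy-arp ranges, and reports what is left; it also lists the management services the untrust zone accepts, since the case opens ssh and https there. The sample configuration is a constructed excerpt modeled on the article; the rule named `Hypothetical` for 192.168.114.115 is invented here so the audit has something to flag.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set

# Constructed excerpt modeled on the article's configuration. The last line
# (a hypothetical destination-NAT rule for 192.168.114.115 with no proxy-arp)
# is added deliberately so the audit has a finding to report.
SAMPLE_CONFIG = """
set interfaces ge-0/0/0 unit 0 family inet address 192.168.2.254/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.114.190/24
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services https
set security nat source pool source-NAT-POOL address 192.168.114.100/32 to 192.168.114.110/32
set security nat proxy-arp interface ge-0/0/1.0 address 192.168.114.100/32 to 192.168.114.110/32
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-http match destination-address 192.168.114.114/32
set security nat proxy-arp interface ge-0/0/1.0 address 192.168.114.114/32
set security nat static rule-set Static-NAT rule 1to1 match destination-address 192.168.114.250/32
set security nat proxy-arp interface ge-0/0/1.0 address 192.168.114.250/32
set security nat destination rule-set Dest-NAT rule Hypothetical match destination-address 192.168.114.115/32
"""

IFACE_RE = re.compile(r"^set interfaces \S+ unit \d+ family inet address (\S+)$")
POOL_RE = re.compile(r"^set security nat source pool \S+ address (\S+?)(?: to (\S+))?$")
DNAT_RE = re.compile(r"^set security nat (?:destination|static) rule-set \S+ rule \S+ "
                     r"match destination-address (\S+)$")
PARP_RE = re.compile(r"^set security nat proxy-arp interface \S+ address (\S+?)(?: to (\S+))?$")
SVC_RE = re.compile(r"^set security zones security-zone (\S+) host-inbound-traffic system-services (\S+)$")


def _expand(first: str, last: Optional[str]) -> Set[ipaddress.IPv4Address]:
    """Expand 'a/32' or 'a/32 to b/32' into the set of individual host addresses."""
    start = ipaddress.ip_interface(first).ip
    end = ipaddress.ip_interface(last).ip if last else start
    return {ipaddress.ip_address(n) for n in range(int(start), int(end) + 1)}


def audit_nat(config: str) -> Dict[str, List[str]]:
    own: Set[ipaddress.IPv4Address] = set()         # addresses the SRX answers ARP for anyway
    translated: Set[ipaddress.IPv4Address] = set()  # external addresses used by NAT rules/pools
    proxied: Set[ipaddress.IPv4Address] = set()     # addresses covered by proxy-arp
    exposed: List[str] = []                         # management services open on untrust
    for raw in config.splitlines():
        line = raw.strip()
        if m := IFACE_RE.match(line):
            own.add(ipaddress.ip_interface(m.group(1)).ip)
        elif m := POOL_RE.match(line):
            translated |= _expand(m.group(1), m.group(2))
        elif m := DNAT_RE.match(line):
            translated |= _expand(m.group(1), None)
        elif m := PARP_RE.match(line):
            proxied |= _expand(m.group(1), m.group(2))
        elif (m := SVC_RE.match(line)) and m.group(1) == "untrust":
            exposed.append(m.group(2))
    missing = sorted(str(ip) for ip in translated - own - proxied)
    return {"missing_proxy_arp": missing, "untrust_services": sorted(exposed)}


if __name__ == "__main__":
    report = audit_nat(SAMPLE_CONFIG)
    print("NAT addresses without proxy-arp:", report["missing_proxy_arp"] or "none")
    print("system-services accepted on untrust:", report["untrust_services"] or "none")
```

Feed it the output of `show configuration | display set` and act on the two lists: each address under `missing_proxy_arp` needs a `set security nat proxy-arp interface ... address ...` line (or the NAT rule should use the interface address), and anything under `untrust_services` is a management plane reachable from the outside that should be restricted or removed unless it is intended.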

RADIUS authentication:

set system authentication-order [ radius password ]
set system radius-server 172.16.2.22 port 1812
set system radius-server 172.16.2.22 secret freeit123
set system radius-server 172.16.2.22 source-address 172.16.2.254
set system login user user1 authentication encrypted-password freeit123    // important: a user account created on the RADIUS server must also be created locally; otherwise RADIUS authentication fails. If the RADIUS server does not respond, the local password is used for authentication //

Web authentication through the firewall:

set access profile WEBAUTH authentication-order password
set access profile WEBAUTH client user1 firewall-user password user1
set access firewall-authentication web-authentication default-profile WEBAUTH
set access firewall-authentication web-authentication banner success "web auth login success"
set system services web-management http interface ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services http
set interfaces ge-0/0/0 unit 0 family inet address 172.16.1.253/24 web-authentication http
set security policies from-zone trust to-zone dmz policy trust-dmz-p match source-address trust-add
set security policies from-zone trust to-zone dmz policy trust-dmz-p match destination-address dmz-add
set security policies from-zone trust to-zone dmz policy trust-dmz-p match application any
set security policies from-zone trust to-zone dmz policy trust-dmz-p then permit firewall-authentication web-authentication client-match user1
set security policies from-zone trust to-zone dmz policy trust-dmz-p then count

Pass-through authentication:

set access profile PT-AUTH authentication-order password
set access profile PT-AUTH client test firewall-user password "$9$I.4Rrvx7VY4Zdb"
set access firewall-authentication pass-through default-profile PT-AUTH
set access firewall-authentication pass-through http banner success "LoginSuccess"
set security policies from-zone trust to-zone dmz policy trust-dmz-p match source-address trust-add
set security policies from-zone trust to-zone dmz policy trust-dmz-p match destination-address dmz-add
set security policies from-zone trust to-zone dmz policy trust-dmz-p match application any
set security policies from-zone trust to-zone dmz policy trust-dmz-p then permit firewall-authentication pass-through
set security policies from-zone trust to-zone dmz policy trust-dmz-p then count

set access profile PT-AUTH authentication-order radius
set access profile PT-AUTH radius-server 192.168.2.22 secret freeit123    // RADIUS configuration //
