2025-04-06 Update From: SLTechnology News&Howtos (shulou), Network Security
Shulou(Shulou.com)06/01 Report--
SRX source NAT
set interfaces ge-0/0/0 unit 0 family inet address 192.168.2.254/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.114.190/24
set interfaces ge-0/0/2 unit 0 family inet address 172.16.2.254/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.114.254
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone dmz interfaces ge-0/0/2.0
set security zones security-zone dmz interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
set security zones security-zone dmz interfaces ge-0/0/2.0 host-inbound-traffic system-services ssh
set security zones security-zone trust address-book address trust-add 192.168.2.0/24
set security policies from-zone trust to-zone untrust policy trust-untrust match source-address trust-add
set security policies from-zone trust to-zone untrust policy trust-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-untrust then permit
1. Source NAT (port translation)
set security nat source rule-set source-NAT from zone trust
set security nat source rule-set source-NAT to zone untrust
set security nat source rule-set source-NAT rule PAT match source-address 192.168.2.0/24
set security nat source rule-set source-NAT rule PAT then source-nat interface
2. Source NAT (address pool)
set security nat source pool source-NAT-POOL address 192.168.114.100/32 to 192.168.114.110/32   // with pool translation the addresses in the pool are allocated round-robin
set security nat source rule-set source-NAT from zone trust
set security nat source rule-set source-NAT to zone untrust
set security nat source rule-set source-NAT rule NAT1 match source-address 192.168.2.0/24
set security nat source rule-set source-NAT rule NAT1 then source-nat pool source-NAT-POOL
set security nat proxy-arp interface ge-0/0/1.0 address 192.168.114.100/32 to 192.168.114.110/32   // proxy ARP must be configured for pool translation mode, since the pool addresses do not belong to the interface
root@vSRX# run show security nat source rule all
root@vSRX# run show security policies
root@vSRX# run show security flow session
Session ID: 2579, Policy name: trust-untrust/7, Timeout: 2, Valid
  In: 192.168.2.110/5632 --> 192.168.114.20/512;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 192.168.114.20/512 --> 192.168.114.106/1138;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
insert security nat source rule-set source-NAT rule NAT1 before rule PAT   // move rule NAT1 in front of rule PAT so that pool translation is matched first and interface PAT is only used afterwards; rules in a rule-set are evaluated in order
root@vSRX# run show security nat source summary
Total port number usage for port translation pool: 709632
Maximum port number for port translation pool: 16777216
Total pools: 1
Pool                 Address                           Routing        PAT  Total
Name                 Range                             Instance            Address
source-NAT-POOL      192.168.114.100-192.168.114.110   default        yes  11
Total rules: 2
Rule name            Rule set       From        To          Action
NAT1                 source-NAT     trust       untrust     source-NAT-POOL
PAT                  source-NAT     trust       untrust     interface
root@vSRX# run show security flow session   // pool addresses are reused round-robin, one after another
Session ID: 3017, Policy name: trust-untrust/7, Timeout: 2, Valid
  In: 192.168.2.110/9728 --> 192.168.114.20/512;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 192.168.114.20/512 --> 192.168.114.103/12564;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
Session ID: 3018, Policy name: trust-untrust/7, Timeout: 2, Valid
  In: 192.168.2.110/9984 --> 192.168.114.20/512;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 192.168.114.20/512 --> 192.168.114.104/16881;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
Total sessions: 2
Session ID: 3019, Policy name: trust-untrust/7, Timeout: 2, Valid
  In: 192.168.2.110/10240 --> 192.168.114.20/512;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 192.168.114.20/512 --> 192.168.114.105/13679;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
Session ID: 3020, Policy name: trust-untrust/7, Timeout: 2, Valid
  In: 192.168.2.110/10496 --> 192.168.114.20/512;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 192.168.114.20/512 --> 192.168.114.106/17443;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
Total sessions: 2
root@vSRX# set security nat source pool source-NAT-POOL port no-translation   // disables port translation (PAT): each inside host gets a dynamic one-to-one mapping and keeps its original source port, with the interface address reused last
Session ID: 4546, Policy name: trust-untrust/7, Timeout: 1796, Valid
  In: 192.168.2.110/1761 --> 220.181.90.240/80;tcp, If: ge-0/0/0.0, Pkts: 4, Bytes: 912
  Out: 220.181.90.240/80 --> 192.168.114.102/1761;tcp, If: ge-0/0/1.0, Pkts: 2, Bytes: 319
Session ID: 4556, Policy name: trust-untrust/7, Timeout: 1800, Valid
  In: 192.168.2.110/1762 --> 119.97.155.2/80;tcp, If: ge-0/0/0.0, Pkts: 34, Bytes: 2138
  Out: 119.97.155.2/80 --> 192.168.114.102/1762;tcp, If: ge-0/0/1.0, Pkts: 61, Bytes: 75406
Session ID: 4557, Policy name: trust-untrust/7, Timeout: 1798, Valid
  In: 192.168.2.110/1763 --> 119.97.155.2/80;tcp, If: ge-0/0/0.0, Pkts: 7, Bytes: 837
  Out: 119.97.155.2/80 --> 192.168.114.102/1763;tcp, If: ge-0/0/1.0, Pkts: 8, Bytes: 8278
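The session output above is the only evidence that the pool and the port no-translation setting behave as intended. As an added example (not part of the original article), the following script parses lines in the format of show security flow session and checks that every translated source sits inside the configured pool and, when port no-translation is set, that the source port was preserved; the sample lines are constructed from the values shown above.

```python
import ipaddress
import re
from typing import NamedTuple

# Constructed sample in the "show security flow session" format: the In wing is
# the pre-NAT flow, the Out wing is the reverse flow, so the translated source
# address appears as the Out wing's destination.  For ICMP the /n field is the
# ICMP identifier, not a port.
SAMPLE = """\
Session ID: 3017, Policy name: trust-untrust/7, Timeout: 2, Valid
  In: 192.168.2.110/9728 --> 192.168.114.20/512;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 192.168.114.20/512 --> 192.168.114.103/12564;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
Session ID: 4556, Policy name: trust-untrust/7, Timeout: 1800, Valid
  In: 192.168.2.110/1762 --> 119.97.155.2/80;tcp, If: ge-0/0/0.0, Pkts: 34, Bytes: 2138
  Out: 119.97.155.2/80 --> 192.168.114.102/1762;tcp, If: ge-0/0/1.0, Pkts: 61, Bytes: 75406
"""

WING = re.compile(r"^\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+)")


class Session(NamedTuple):
    orig_src: str
    orig_sport: int
    xlat_src: str
    xlat_sport: int
    proto: str


def parse_sessions(text):
    """Pair each In wing with the Out wing that follows it."""
    sessions, pending = [], None
    for line in text.splitlines():
        m = WING.match(line)
        if not m:
            continue
        wing, src, sport, dst, dport, proto = m.groups()
        if wing == "In":
            pending = (src, int(sport), proto)
        elif pending:  # Out wing: its destination is the post-NAT source
            sessions.append(Session(pending[0], pending[1], dst, int(dport), pending[2]))
            pending = None
    return sessions


def check_source_nat(sessions, pool_lo, pool_hi, port_translation):
    """Return (session, reason) for each session violating the expected NAT behaviour."""
    lo, hi = ipaddress.ip_address(pool_lo), ipaddress.ip_address(pool_hi)
    problems = []
    for s in sessions:
        if not lo <= ipaddress.ip_address(s.xlat_src) <= hi:
            problems.append((s, "translated address outside pool"))
        if not port_translation and s.xlat_sport != s.orig_sport:
            problems.append((s, "port changed although port no-translation is set"))
    return problems
```

Run it against the real command output (for example via `show security flow session | no-more` saved to a file) with the pool range and port mode from your own configuration; any returned tuple is a session to investigate.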
SRX destination NAT (the equivalent of Cisco static PAT, i.e. static port mapping)
Translate port 23 of DMZ host 172.16.2.22 to port 2323 of untrust address 192.168.114.250
set security nat destination pool DMZ-Server-telnet address 172.16.2.22/32
set security nat destination pool DMZ-Server-telnet address port 23
set security nat destination pool DMZ-Server-http address 172.16.2.22/32
set security nat destination pool DMZ-Server-http address port 80
set security nat destination rule-set Dest-NAT from zone untrust
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-telnet match source-address 0.0.0.0/0
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-telnet match destination-address 192.168.114.114/32
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-telnet match destination-port 2323
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-telnet then destination-nat pool DMZ-Server-telnet
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-http match source-address 0.0.0.0/0
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-http match destination-address 192.168.114.114/32
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-http match destination-port 80
set security nat destination rule-set Dest-NAT rule Untrust-DMZ-NAT-http then destination-nat pool DMZ-Server-http
set security nat proxy-arp interface ge-0/0/1.0 address 192.168.114.114/32
set security zones security-zone dmz address-book address DMZ-Server 172.16.2.22/32
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ match source-address any
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ match destination-address DMZ-Server
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ match application junos-http
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ match application junos-telnet
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ then permit
Static NAT: a static one-to-one mapping that translates in both directions (the source address on outbound traffic, the destination address on inbound traffic)
set security nat static rule-set Static-NAT from zone untrust
set security nat static rule-set Static-NAT rule 1to1 match destination-address 192.168.114.250/32
set security nat static rule-set Static-NAT rule 1to1 then static-nat prefix 172.16.2.22/32
set security nat proxy-arp interface ge-0/0/1.0 address 192.168.114.250/32
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ-ftp match source-address any
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ-ftp match destination-address DMZ-Server
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ-ftp match application junos-ftp
set security policies from-zone untrust to-zone dmz policy Untrust-DMZ-ftp then permit
RADIUS authentication for device logins:
set system authentication-order [ radius password ]
set system radius-server 172.16.2.22 port 1812
set system radius-server 172.16.2.22 secret freeit123
set system radius-server 172.16.2.22 source-address 172.16.2.254
set system login user user1 authentication encrypted-password freeit123   // important: a user account created on the RADIUS server must also be created locally;
// otherwise RADIUS authentication fails, and if the RADIUS server does not respond, the user falls back to local password authentication
Firewall web authentication:
set access profile WEBAUTH authentication-order password
set access profile WEBAUTH client user1 firewall-user password user1
set access firewall-authentication web-authentication default-profile WEBAUTH
set access firewall-authentication web-authentication banner success "web auth login success"
set system services web-management http interface ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services http
set interfaces ge-0/0/0 unit 0 family inet address 172.16.1.253/24 web-authentication http
set security policies from-zone trust to-zone dmz policy trust-dmz-p match source-address trust-add
set security policies from-zone trust to-zone dmz policy trust-dmz-p match destination-address dmz-add
set security policies from-zone trust to-zone dmz policy trust-dmz-p match application any
set security policies from-zone trust to-zone dmz policy trust-dmz-p then permit firewall-authentication web-authentication client-match user1
set security policies from-zone trust to-zone dmz policy trust-dmz-p then count
Pass-through authentication:
set access profile PT-AUTH authentication-order password
set access profile PT-AUTH client test firewall-user password "$9$I.4Rrvx7VY4Zdb"
set access firewall-authentication pass-through default-profile PT-AUTH
set access firewall-authentication pass-through http banner success "LoginSuccess"
set security policies from-zone trust to-zone dmz policy trust-dmz-p match source-address trust-add
set security policies from-zone trust to-zone dmz policy trust-dmz-p match destination-address dmz-add
set security policies from-zone trust to-zone dmz policy trust-dmz-p match application any
set security policies from-zone trust to-zone dmz policy trust-dmz-p then permit firewall-authentication pass-through
set security policies from-zone trust to-zone dmz policy trust-dmz-p then count
set access profile PT-AUTH authentication-order radius
set access profile PT-AUTH radius-server 192.168.2.22 secret freeit123   // RADIUS configuration for the pass-through profile