Juniper SRX 240 cluster: configuration example for publishing an internal server port to the Internet
Published: 2019-06-24

Steps to publish an internal address and port to the Internet

Prerequisite: address-book entry for the internal host

set security address-book global address IMMQI_PRIVATE 172.22.201.20/32

Step 1: create the destination NAT pool

set security nat destination pool DP_TRUST_IMMQI_10089 address 172.22.201.20/32
set security nat destination pool DP_TRUST_IMMQI_10089 address port 10089

Step 2: create the destination NAT rule

set security nat destination rule-set DNAT_FROM_ISP1 rule ISP1_TCP10089_TO_IMMQI_10089 match destination-address-name WAN3001_241
(WAN3001_241 is the address-book entry for the public address 119.145.16.241)
set security nat destination rule-set DNAT_FROM_ISP1 rule ISP1_TCP10089_TO_IMMQI_10089 match destination-port 10089
set security nat destination rule-set DNAT_FROM_ISP1 rule ISP1_TCP10089_TO_IMMQI_10089 then destination-nat pool DP_TRUST_IMMQI_10089

Step 3: define the application (protocol and port) to be permitted

set applications application tcp-10089 protocol tcp
set applications application tcp-10089 destination-port 10089
set applications application tcp-10090 protocol tcp
set applications application tcp-10090 destination-port 10090

Step 4: create the zone policy, matching the source address, destination address and port

set security policies from-zone ISP1 to-zone trust policy P_IMMQI_80_9998 match source-address any
set security policies from-zone ISP1 to-zone trust policy P_IMMQI_80_9998 match destination-address IMMQI_PRIVATE
set security policies from-zone ISP1 to-zone trust policy P_IMMQI_80_9998 match application tcp-80
set security policies from-zone ISP1 to-zone trust policy P_IMMQI_80_9998 match application tcp-9998
set security policies from-zone ISP1 to-zone trust policy P_IMMQI_80_9998 match application tcp-10089
set security policies from-zone ISP1 to-zone trust policy P_IMMQI_80_9998 then permit
set security policies from-zone ISP1 to-zone trust policy P_IMMQI_80_9998 then log session-init
set security policies from-zone ISP1 to-zone trust policy P_IMMQI_80_9998 then log session-close

Step 5: when a new policy is added, adjust its position in the policy order

insert security policies from-zone Design to-zone trust policy RM-201_84-Cost-Lectra before policy DENY
(whenever a policy is added, check whether the policy order needs to be changed)


set security address-book global address QI_PRIVATE 172.22.201.19/32

Production environment

set security nat destination pool DP_TRUST_IQCSAP_10090 address 172.22.201.19/32

set security nat destination pool DP_TRUST_IQCSAP_10090 address port 10089

ISP1 (China Telecom line)

set security nat destination rule-set DNAT_FROM_ISP1 rule ISP1_TO_TRUST_IQCSAP_10090 match destination-address-name WAN3001_241

set security nat destination rule-set DNAT_FROM_ISP1 rule ISP1_TO_TRUST_IQCSAP_10090 match destination-port 10090
set security nat destination rule-set DNAT_FROM_ISP1 rule ISP1_TO_TRUST_IQCSAP_10090 then destination-nat pool DP_TRUST_IQCSAP_10090

set security policies from-zone ISP1 to-zone trust policy P_IQCSAP_10090 match source-address any

set security policies from-zone ISP1 to-zone trust policy P_IQCSAP_10090 match destination-address QI_PRIVATE
set security policies from-zone ISP1 to-zone trust policy P_IQCSAP_10090 match application tcp-10089
set security policies from-zone ISP1 to-zone trust policy P_IQCSAP_10090 then permit
set security policies from-zone ISP1 to-zone trust policy P_IQCSAP_10090 then log session-init
set security policies from-zone ISP1 to-zone trust policy P_IQCSAP_10090 then log session-close
set security policies from-zone ISP1 to-zone trust policy P_IQCSAP_10090 then count

ISP6 (China Unicom line)

set security nat destination rule-set DNAT_FROM_ISP6 rule ISP6_TO_TRUST_IQCSAP_10090 match destination-address-name WAN3006_165

set security nat destination rule-set DNAT_FROM_ISP6 rule ISP6_TO_TRUST_IQCSAP_10090 match destination-port 10090
set security nat destination rule-set DNAT_FROM_ISP6 rule ISP6_TO_TRUST_IQCSAP_10090 then destination-nat pool DP_TRUST_IQCSAP_10090

set security policies from-zone ISP6 to-zone trust policy P_IQCSAP_10090 match source-address any

set security policies from-zone ISP6 to-zone trust policy P_IQCSAP_10090 match destination-address QI_PRIVATE
set security policies from-zone ISP6 to-zone trust policy P_IQCSAP_10090 match application tcp-10089
set security policies from-zone ISP6 to-zone trust policy P_IQCSAP_10090 then permit
set security policies from-zone ISP6 to-zone trust policy P_IQCSAP_10090 then log session-init
set security policies from-zone ISP6 to-zone trust policy P_IQCSAP_10090 then log session-close
set security policies from-zone ISP6 to-zone trust policy P_IQCSAP_10090 then count

insert security policies from-zone ISP6 to-zone trust policy P_IQCSAP_10090 before policy DENY


Verification

{primary:node0}
owenli@cfw01a.cn1> show security flow session nat destination-port 10090
node0:

Session ID: 124271, Policy name: P_IQCSAP_10090/276, State: Backup, Timeout: 14396, Valid

In: 113.X.X.199/57104 --> X.X.X.165/10090;tcp, If: reth15.3006, Pkts: 0, Bytes: 0
Out: 172.22.201.19/10089 --> 113.X.X.199/57104;tcp, If: reth3.500, Pkts: 0, Bytes: 0
Total sessions: 1

node1:

Session ID: 140801, Policy name: P_IQCSAP_10090/276, State: Active, Timeout: 1796, Valid

In: 113.X.X.199/57104 --> X.X.X.165/10090;tcp, If: reth15.3006, Pkts: 2, Bytes: 92
Out: 172.22.201.19/10089 --> 113.X.X.199/57104;tcp, If: reth3.500, Pkts: 1, Bytes: 52
Total sessions: 1
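As a check on the procedure above, here is an added Python lint (not from the original post and not Juniper's code) that parses the set commands and verifies the two points most often got wrong: that the zone policy matches the translated internal port, since the SRX evaluates the security policy after destination NAT (which is why the production example matches tcp-10089 while the public port is 10090, as the session output confirms), and that the new policy was inserted before the catch-all deny. The sample commands are constructed from the production example; rule-set lines are omitted because the lint does not read them.

```python
import re

def junos_dnat_lint(cmds):
    addr, pool_ip, pool_port, app_port = {}, {}, {}, {}
    pol_dst, pol_app, inserted = {}, {}, set()
    for c in cmds:
        if m := re.match(r"set security address-book global address (\S+) (\S+)/32$", c):
            addr[m[1]] = m[2]
        elif m := re.match(r"set security nat destination pool (\S+) address (\S+)/32$", c):
            pool_ip[m[1]] = m[2]
        elif m := re.match(r"set security nat destination pool (\S+) address port (\d+)$", c):
            pool_port[m[1]] = int(m[2])
        elif m := re.match(r"set applications application (\S+) destination-port (\d+)$", c):
            app_port[m[1]] = int(m[2])
        elif m := re.match(r"set security policies .*policy (\S+) match destination-address (\S+)$", c):
            pol_dst[m[1]] = m[2]
        elif m := re.match(r"set security policies .*policy (\S+) match application (\S+)$", c):
            pol_app.setdefault(m[1], []).append(m[2])
        elif m := re.match(r"insert security policies .*policy (\S+) before policy \S+$", c):
            inserted.add(m[1])
    findings = []
    for pol, apps in pol_app.items():
        ip = addr.get(pol_dst.get(pol))
        # Ports the DNAT pools translate to for this host; policy lookup runs after DNAT.
        translated = {pool_port[p] for p, pip in pool_ip.items() if pip == ip and p in pool_port}
        for a in apps:
            if translated and app_port.get(a) not in translated:
                findings.append(f"{pol}: {a} (port {app_port.get(a)}) is not a translated port of {ip}")
        if pol not in inserted:  # a new policy may otherwise land after the catch-all deny
            findings.append(f"{pol}: not inserted before the deny policy")
    return findings

# Constructed sample modelled on the post's production example: public port
# 10090 is translated to 172.22.201.19:10089.
GOOD = """\
set security address-book global address QI_PRIVATE 172.22.201.19/32
set security nat destination pool DP_TRUST_IQCSAP_10090 address 172.22.201.19/32
set security nat destination pool DP_TRUST_IQCSAP_10090 address port 10089
set applications application tcp-10089 destination-port 10089
set applications application tcp-10090 destination-port 10090
set security policies from-zone ISP6 to-zone trust policy P_IQCSAP_10090 match destination-address QI_PRIVATE
set security policies from-zone ISP6 to-zone trust policy P_IQCSAP_10090 match application tcp-10089
insert security policies from-zone ISP6 to-zone trust policy P_IQCSAP_10090 before policy DENY
""".splitlines()
# The classic mistake: the policy written with the public port instead of the translated one.
BAD = [c.replace("match application tcp-10089", "match application tcp-10090") for c in GOOD]
```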

Reposted from: https://blog.51cto.com/13637805/2334618
