I. In Junos, NAT is similar to NetScreen's VIP, but the configuration process is very different.
NAT configuration interface introduction:
Rule Name: the name of the NAT service (it does not affect the configuration);
Source Address: the source address. (You can leave it empty; to restrict the source address, you can set it in the policy.)
Destination Address & Port: the Internet address and the corresponding port on that Internet address.
Actions: sets the NAT behavior.
II. Configuration method
1. Configure NAT
① Configure the NAT port mapping for the internal terminal.
Select NAT ----- Destination NAT Pool ----- Add
Set the name of the pool and the IP address of the internal terminal.
Return to the destination rule set to configure the NAT mapping.
Create a NAT mapping in the R1 rule and select Add in the lower right corner.
① Enter the rule name (it does not affect the configuration);
② Enter the corresponding Internet address and the mapped Internet port.
③ Select "Do Destination NAT With Pool" on the right, and select the previously created destination NAT pool.
2. NAT is now configured, but you still need to configure a policy so that the terminal can be accessed successfully.
① Add the address book entry: select Security ---- Policy Elements ---- Address Book ------ Add in the upper-right corner.
Enter the information for the intranet terminal: the firewall zone, the address name (it does not affect the configuration), and the IP address of the intranet terminal.
② Add a service port
Path: Security ---- policy elements ---- applications ------ click Add in the upper-right corner
Enter the service name (it does not affect the settings), the protocol used, and the corresponding port.
③ Set the policy
Select Security ---- Policy ----- Apply Policy, select the zones the policy applies to (untrust to DMZ), and select Add;
Enter the policy name (it does not affect the configuration);
Select the policy action (permit: allowed; deny: blocked; reject);
Select the zones the policy applies to, which is generally untrust to DMZ.
Select which external addresses the policy applies to (Source Address). Generally, select any, which means that the policy applies to all addresses.
Select the internal host (Destination Address). In this step, select the address book entry created earlier by its name.
Select the corresponding service (Applications). In this step, select the application created earlier. Note that it is set based on the service provided by the internal host. For example, if port 22 of internal host A is mapped to port 1880 on the Internet, select port 22 here, not port 1880.
3. After the configuration is complete, a commit is required.
This is one of the unique features of Junos. It is intended to prevent system malfunction caused by misconfiguration.
Configred shared
commit confirmed 10 (trial run for 10 minutes, automatic rollback)
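The GUI steps above correspond roughly to the following Junos CLI configuration. This is an added example, not taken from the original post: the names POOL-A, RS1, R1, HOST-A, SSH-22 and ALLOW-SSH-A and both IP addresses are constructed placeholders, and the zone-attached address book syntax is assumed to be accepted by the release in use.

```junos
# --- 1. Destination NAT: pool = internal host and its real service port ---
# 192.168.10.10 is a placeholder for internal host A; 22 is the port it listens on.
set security nat destination pool POOL-A address 192.168.10.10/32 port 22

# Rule set for traffic arriving from the untrust zone.
set security nat destination rule-set RS1 from zone untrust

# Rule: match the Internet address and the mapped Internet port (1880),
# then translate to the pool. 203.0.113.10 is a placeholder public address.
set security nat destination rule-set RS1 rule R1 match destination-address 203.0.113.10/32
set security nat destination rule-set RS1 rule R1 match destination-port 1880
set security nat destination rule-set RS1 rule R1 then destination-nat pool POOL-A

# --- 2. Policy elements ---
# Address book entry for the internal host, attached to the DMZ zone.
set security zones security-zone dmz address-book address HOST-A 192.168.10.10/32

# Application = the service the internal host provides (port 22, not 1880).
set applications application SSH-22 protocol tcp destination-port 22

# --- 3. Policy untrust -> DMZ ---
# The policy is evaluated against the translated destination, so it references
# HOST-A and port 22. A policy written for port 1880 would never match.
# "any" opens the mapped port to every Internet source; to restrict it, define
# an address book entry in the untrust zone and reference it here instead.
set security policies from-zone untrust to-zone dmz policy ALLOW-SSH-A match source-address any
set security policies from-zone untrust to-zone dmz policy ALLOW-SSH-A match destination-address HOST-A
set security policies from-zone untrust to-zone dmz policy ALLOW-SSH-A match application SSH-22
set security policies from-zone untrust to-zone dmz policy ALLOW-SSH-A then permit

# --- 4. Commit with automatic rollback ---
# Activates the change for 10 minutes; a plain "commit" inside that window
# makes it permanent, otherwise the previous configuration is restored.
commit confirmed 10
commit

# Verification from operational mode: translation hit counters per rule.
# show security nat destination rule all
```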
Juniper (Junos): setting up NAT port mapping