Network device: Juniper SRX series firewall
Network Topology: (topology diagram not preserved in this copy)
Problem description: When destination NAT is implemented and the mapped public IP address has to be reached from the intranet, there are problems by default: the mapped IP address can be pinged from the intranet, but the service cannot be accessed.
Problem Analysis:
[edit security]
set zones security-zone trust address-book address server-2 192.168.1.200/32

[edit security policies from-zone untrust to-zone trust]
set policy server-access match source-address any destination-address server-2 application any
set policy server-access then permit

[edit security nat destination]
set pool dst-nat-pool-2 address 192.168.1.200 port 8000
set rule-set rs1 from zone untrust
set rule-set rs1 rule r2 match destination-address 1.1.1.101
set rule-set rs1 rule r2 match destination-port 80
set rule-set rs1 rule r2 then destination-nat pool dst-nat-pool-2
[edit security nat]
set proxy-arp interface ge-0/0/2.0 address 1.1.1.101

After the device is configured as above, Internet users can reach the mapped address, but intranet users cannot reach the service through 1.1.1.101. The reason is that when an internal address accesses 1.1.1.101, the firewall performs no address translation and simply routes the packet, still carrying the intranet source address, to the target server. The server sees that intranet address and sends its reply directly back to it. TCP is left with a half-open connection, so the service cannot be accessed.
Solution:
Destination NAT must also be performed for access that comes from the trust zone; add the following commands:
[edit security nat destination]
set rule-set rs1 from zone trust
set rule-set rs1 rule r2 match destination-address 1.1.1.101
set rule-set rs1 rule r2 match destination-port 80
set rule-set rs1 rule r2 then destination-nat pool dst-nat-pool-2
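To make the zone-matching behaviour concrete, here is an added Python model (not from the original post or from Juniper) that parses the page's destination-NAT set commands and shows which flows are translated before and after the extra "from zone trust" statement. The configuration lines are a constructed copy of the page's, and the rule evaluation is a simplified model of how an SRX picks a destination-NAT rule-set by ingress zone.

```python
import ipaddress

def parse_dst_nat(config_lines):
    """Parse the 'set security nat destination ...' subset used on this page.
    Returns (pools, rule_sets): pools maps name -> (address, port); rule_sets maps
    name -> {"from_zones": set, "rules": {rule_name: {match/then fields}}}."""
    pools, rule_sets = {}, {}
    for line in config_lines:
        tok = line.split()
        if tok[:4] != ["set", "security", "nat", "destination"]:
            continue
        tok = tok[4:]
        if tok[0] == "pool":                      # pool NAME address ADDR port PORT
            pools[tok[1]] = (tok[3], int(tok[5]))
        elif tok[0] == "rule-set":
            rs = rule_sets.setdefault(tok[1], {"from_zones": set(), "rules": {}})
            if tok[2] == "from":                  # from zone ZONE (may be repeated)
                rs["from_zones"].add(tok[4])
            elif tok[4] == "match":               # rule NAME match destination-address|destination-port VALUE
                rs["rules"].setdefault(tok[3], {})[tok[5]] = tok[6]
            elif tok[4] == "then":                # rule NAME then destination-nat pool POOL
                rs["rules"].setdefault(tok[3], {})["pool"] = tok[7]
    return pools, rule_sets

def translate(pools, rule_sets, from_zone, dst_ip, dst_port):
    """Return the (address, port) the packet is rewritten to, or None if left untouched.
    A rule-set is consulted only when the ingress zone is listed under its 'from'."""
    for rs in rule_sets.values():
        if from_zone not in rs["from_zones"]:
            continue
        for rule in rs["rules"].values():
            net = ipaddress.ip_network(rule["destination-address"], strict=False)
            if ipaddress.ip_address(dst_ip) in net and int(rule["destination-port"]) == dst_port:
                return pools[rule["pool"]]
    return None

# Constructed copy of the page's destination-NAT section, before the fix.
BEFORE = [
    "set security nat destination pool dst-nat-pool-2 address 192.168.1.200 port 8000",
    "set security nat destination rule-set rs1 from zone untrust",
    "set security nat destination rule-set rs1 rule r2 match destination-address 1.1.1.101",
    "set security nat destination rule-set rs1 rule r2 match destination-port 80",
    "set security nat destination rule-set rs1 rule r2 then destination-nat pool dst-nat-pool-2",
]
# The page's fix: rs1 is also applied to traffic that arrives from the trust zone.
AFTER = BEFORE + ["set security nat destination rule-set rs1 from zone trust"]

def lookup(config, from_zone, dst_ip="1.1.1.101", dst_port=80):
    # Before the fix, trust-zone traffic to 1.1.1.101 returns None (merely routed).
    return translate(*parse_dst_nat(config), from_zone, dst_ip, dst_port)
```

If the intranet client and 192.168.1.200 sit on the same subnet, the server's reply still reaches the client directly without passing the firewall, so a matching source NAT rule is needed in that topology as well.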
This article is from the genisystem blog; please be sure to keep this source: http://genisystem.blog.51cto.com/39344/414452