Intranet access to the mapped address in Juniper SRX Destination NAT

Source: Internet
Author: User
Tags: juniper srx

 

Network device: Juniper SRX series firewall

Network topology: (diagram not available in this copy)

Problem description: When destination NAT is configured, accessing the mapped public IP address from the Intranet does not work by default: the mapped address can be pinged from the Intranet, but the service behind it cannot be reached.

Problem analysis: The configuration in place is the following.

    [edit security]
    set zones security-zone trust address-book address server-2 192.168.1.200/32

    [edit security policies from-zone untrust to-zone trust]
    set policy server-access match source-address any destination-address server-2 application any
    set policy server-access then permit

    [edit security nat destination]
    set pool dst-nat-pool-2 address 192.168.1.200 port 8000
    set rule-set rs1 from zone untrust
    set rule-set rs1 rule r2 match destination-address 1.1.1.101
    set rule-set rs1 rule r2 match destination-port 80
    set rule-set rs1 rule r2 then destination-nat pool dst-nat-pool-2

    [edit security nat]
    set proxy-arp interface ge-0/0/2.0 address 1.1.1.101

With this configuration, Internet users can reach the service through the mapped address, but Intranet users cannot access the service through 1.1.1.101. The reason is that rule-set rs1 only applies to traffic from the untrust zone: when an Intranet client sends a packet to 1.1.1.101, the firewall does not perform destination address translation but routes the packet, still carrying the Intranet source address, to the target server. The server sees that Intranet address and, when it replies, sends the packet directly back to it. TCP is left in a half-open state, so the service cannot be accessed.

Solution: Traffic from the trust zone must also go through destination NAT. Add the following commands:

    [edit security nat destination]
    set rule-set rs1 from zone trust
    set rule-set rs1 rule r2 match destination-address 1.1.1.101
    set rule-set rs1 rule r2 match destination-port 80
    set rule-set rs1 rule r2 then destination-nat pool dst-nat-pool-2
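The root cause above is that the destination-NAT rule-set lists only the untrust zone in its `from zone` statement, so packets entering from trust are never matched. The following Python script is an added example, not code from the article or from Juniper: it parses Junos `set security nat destination ...` statements, answers "which pool would a packet from zone X to address:port be translated to?", and flags rule-sets that translate to a pool but are not applied to any internal zone. The sample configuration is the article's own `rs1` rule-set, rewritten from the relative `[edit security nat destination]` form into absolute `set` lines so the file is self-contained; the names `parse_dnat`, `matching_pool` and `hairpin_gaps`, and the assumption that `trust` is the only internal zone, are this example's own.

```python
"""Added example (not from the article): a small linter for Junos 'set'
statements that flags destination-NAT rule-sets which translate a mapped
address but are not applied to traffic from an internal zone, which is
exactly the gap that stopped Intranet clients from reaching 1.1.1.101."""
from collections import defaultdict

# Constructed sample input: the article's 'before' destination-NAT statements,
# rewritten from the relative [edit security nat ...] form into absolute
# 'set security nat ...' lines so they can be parsed stand-alone.
BEFORE = """
set security nat destination pool dst-nat-pool-2 address 192.168.1.200 port 8000
set security nat destination rule-set rs1 from zone untrust
set security nat destination rule-set rs1 rule r2 match destination-address 1.1.1.101
set security nat destination rule-set rs1 rule r2 match destination-port 80
set security nat destination rule-set rs1 rule r2 then destination-nat pool dst-nat-pool-2
set security nat proxy-arp interface ge-0/0/2.0 address 1.1.1.101
"""

# The article's fix: the same rule-set is also applied to traffic from trust.
AFTER = BEFORE + "set security nat destination rule-set rs1 from zone trust\n"

PREFIX = ["set", "security", "nat", "destination", "rule-set"]


def parse_dnat(config):
    """Collect destination-NAT rule-sets: their 'from zone' list and, per rule,
    the matched destination address/port and the pool it translates to.
    Only 'from zone' is handled; 'from interface' / 'from routing-instance'
    rule-sets are ignored by this example (assumption, kept simple)."""
    rule_sets = defaultdict(lambda: {"zones": set(), "rules": defaultdict(dict)})
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:5] != PREFIX or len(tokens) < 7:
            continue
        rs, rest = rule_sets[tokens[5]], tokens[6:]
        if rest[:2] == ["from", "zone"]:
            # 'from zone [ untrust trust ]' lists several zones in brackets.
            rs["zones"].update(z for z in rest[2:] if z not in ("[", "]"))
        elif rest[0] == "rule" and len(rest) >= 5:
            rule = rs["rules"][rest[1]]
            if rest[2:4] == ["match", "destination-address"]:
                rule["dst"] = rest[4]
            elif rest[2:4] == ["match", "destination-port"]:
                rule["port"] = int(rest[4])
            elif rest[2:5] == ["then", "destination-nat", "pool"] and len(rest) >= 6:
                rule["pool"] = rest[5]
    return rule_sets


def matching_pool(config, from_zone, dst_ip, dst_port):
    """Return the pool a packet would be translated to, or None when no
    rule-set applies to its ingress zone (first matching rule wins)."""
    for rs in parse_dnat(config).values():
        if from_zone not in rs["zones"]:
            continue
        for rule in rs["rules"].values():
            # A rule without destination-port matches any port.
            if rule.get("dst") == dst_ip and rule.get("port", dst_port) == dst_port:
                return rule.get("pool")
    return None


def hairpin_gaps(config, internal_zones=("trust",)):
    """Names of rule-sets that translate to a pool but are not applied to any
    internal zone, so internal clients using the mapped address are skipped."""
    gaps = []
    for name, rs in sorted(parse_dnat(config).items()):
        translates = any("pool" in r for r in rs["rules"].values())
        if translates and not rs["zones"].intersection(internal_zones):
            gaps.append(name)
    return gaps


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, "trust ->", matching_pool(cfg, "trust", "1.1.1.101", 80),
              "gaps:", hairpin_gaps(cfg))
```

Run against `BEFORE`, `matching_pool` returns `None` for a trust-zone client and `hairpin_gaps` reports `rs1`; against `AFTER` the same lookup returns `dst-nat-pool-2` and the gap list is empty. On the device itself, `show security nat destination rule all` shows the zones each rule-set is applied to, and `show security flow session destination-prefix 1.1.1.101` confirms whether an Intranet client's session is actually being translated. Keep in mind that the flow still needs a security policy permitting the client's zone to reach the server's zone (trust to trust here); destination NAT only changes the address, not what the policies allow.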

This article is from the genisystem blog, please be sure to keep this source http://genisystem.blog.51cto.com/39344/414452
