Juniper SRX Firewall NAT Configuration

Last Update:2015-08-01 Source: Internet

Author: User

Tags juniper srx

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

First, the basic operating instructions:

1, Equipment Recovery factory

root# Load Factory-default

root# Set System Root-authentication Plain-text-password

root# Commit

Root> Request System reboot

2. Basic Configuration

2.1 Configuring host Names

root# Set System Host-name SRX1400

2.2 Setting the time zone

[Email protected]# set System Time-zone Asia/shanghai

2.3 Setting the time

[Email protected]# run Set Date 201508011549.21

2.4 Setting up DNS

[Email protected]# set System Name-server 202.l06.0.20

2.5 Setting the interface IP

[Email protected]# set interfaces ge-0/0/0 Unit 0 family inet address 10.0.0.10/24

2.6 Setting the default route

[Email protected]# set routing-options static route 0.0.0.0/0 Next-hop 10.0.0.254

2.7 Creating a login user

[Email protected]# Set System login user admin class super-user authentication Plain-text-password

2.8 Creating a secure zone

[Email protected]# set security zones Security-zone Untrust

2.9 Interface Join Zone

[Email protected]# set security zones security-zone Untrust interfaces ge-0/0/0.0

2.10 Service Port release ICMP

[Email protected]# set security zones security-zone Untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services p Ing

Note: By default, ICMP is required to be released, except for business ports that are not managed to be ping-through.

Second, Juniper SRX NAT

1. Types of NAT

1.1 Source Nat:interface

1.2 Source NAT:p Ool

1.3 Destination NAT

1.4 Static NAT

2. Configuration Example

2.1 Interface-based source NAT

[Email protected]# Set security NAT source Rule-set 1 from Zone Trust

[Email protected]# Set security NAT source Rule-set 1 to Zone untrust

[Email protected]# Set security Nat source Rule-set 1 rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0. 0/0

[Email protected]# Set security Nat source Rule-set 1 rule rule1 then Source-nat interface

Default police

Policy Default-permit {

Match {

Source-address any;

Destination-address any;

Application any;

}

then {

Permit

}

2.2 Source NAT based on the address pool

[Email protected]# Set security NAT source pool ISP address 10.0.0.20 to 10.0.30

[Email protected]# Set security NAT source Rule-set 1 from Zone Trust

[Email protected]# Set security NAT source Rule-set 1 to Zone untrust

[Email protected]# Set security Nat source Rule-set 1 rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0. 0/0

[Email protected]# Set security Nat source Rule-set 1 rule rule1 then Source-nat pool ISP

[Email protected]# Set security Nat Proxy-arp interface ge-0/0/0 address 10.0.0.20 to 10.0.0.30

2.3 Destination NAT Configuration

[Email protected] rx1400# set security Nat destination Pool DST-NAT-POOL-1 address 172.16.1.1/32

[Email protected]# set security NAT destination Pool DST-NAT-POOL-1 address port 80

[Email protected]# Set security Nat destination Rule-set rs1 from Zone untrust

[Email protected]# Set security Nat Destination Rule-set rs1 rule 1 match destination-address 10.0.0.100/32

[Email protected]# set security NAT destination Pool DST-NAT-POOL-1 address port 80

[Email protected]# Set security Nat Proxy-arp interface ge-0/0/0.0 address 10.0.0.100/32

[Email protected]# Set Security address-book Global Address Web 172.16.1.1/32

[Email protected]# Set security Nat Destination Rule-set rs1 rule 1 then Destination-nat pool DST-NAT-POOL-1

[Email protected]# set security policies From-zone Untrust To-zone trust policy web match source-address any

[Email protected]# set security policies From-zone Untrust To-zone trust policy web match destination-address Web match a Pplication any

[Email protected]# set security policies From-zone Untrust To-zone trust policy

[Email protected]# set security policies From-zone Untrust To-zone Trust policy web then permit

[Email protected]# Insert security Policies From-zone untrust To-zone Trust policy web before policy Default-deny

2.4 Static NAT Configuration

[Email protected]# set security nat static Rule-set rs1 from Zone untrust

[Email protected]# set security nat static Rule-set rs1 rule R1 match destination-address 10.0.0.100/32

[Email protected]# set security nat static Rule-set rs1 rule R1 then static-nat prefix 172.16.1.1/32

[Email protected]# Set security Nat Proxy-arp interface ge-0/0/0.0 address 10.0.0.100/32

[Email protected]# Set Security address-book Global Address Web 172.16.1.1/32

[Email protected]# set security policies From-zone Untrust to-zone untrust web match source-address any destination-addres s Web application any

[Email protected]# set security policies From-zone Untrust To-zone Trust policy web then permit

[Email protected]# Insert security Policies From-zone untrust To-zone Trust Web before policy Default-deny

Juniper SRX Firewall NAT Configuration

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More