First, the basic operating instructions:
1. Restoring factory defaults
root# load factory-default
root# set system root-authentication plain-text-password
root# commit
root> request system reboot
2. Basic Configuration
2.1 Configuring the host name
root# set system host-name SRX1400
2.2 Setting the time zone
root@SRX1400# set system time-zone Asia/Shanghai
2.3 Setting the time
root@SRX1400# run set date 201508011549.21
2.4 Setting up DNS
root@SRX1400# set system name-server 202.106.0.20
2.5 Setting the interface IP
root@SRX1400# set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.10/24
2.6 Setting the default route
root@SRX1400# set routing-options static route 0.0.0.0/0 next-hop 10.0.0.254
2.7 Creating a login user
root@SRX1400# set system login user admin class super-user authentication plain-text-password
2.8 Creating a security zone
root@SRX1400# set security zones security-zone untrust
2.9 Adding the interface to the zone
root@SRX1400# set security zones security-zone untrust interfaces ge-0/0/0.0
2.10 Allowing ICMP (ping) on the interface
root@SRX1400# set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
Note: By default, ICMP must be explicitly permitted; otherwise service interfaces, unlike the management port, do not respond to ping.
Second, Juniper SRX NAT
1. Types of NAT
1.1 Source NAT: interface
1.2 Source NAT: pool
1.3 Destination NAT
1.4 Static NAT
2. Configuration Example
2.1 Interface-based source NAT
root@SRX1400# set security nat source rule-set 1 from zone trust
root@SRX1400# set security nat source rule-set 1 to zone untrust
root@SRX1400# set security nat source rule-set 1 rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
root@SRX1400# set security nat source rule-set 1 rule rule1 then source-nat interface
Default policy
policy default-permit {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}
2.2 Source NAT based on the address pool
root@SRX1400# set security nat source pool ISP address 10.0.0.20 to 10.0.0.30
root@SRX1400# set security nat source rule-set 1 from zone trust
root@SRX1400# set security nat source rule-set 1 to zone untrust
root@SRX1400# set security nat source rule-set 1 rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
root@SRX1400# set security nat source rule-set 1 rule rule1 then source-nat pool ISP
root@SRX1400# set security nat proxy-arp interface ge-0/0/0.0 address 10.0.0.20 to 10.0.0.30
2.3 Destination NAT Configuration
root@SRX1400# set security nat destination pool DST-NAT-POOL-1 address 172.16.1.1/32
root@SRX1400# set security nat destination pool DST-NAT-POOL-1 address port 80
root@SRX1400# set security nat destination rule-set rs1 from zone untrust
root@SRX1400# set security nat destination rule-set rs1 rule 1 match destination-address 10.0.0.100/32
root@SRX1400# set security nat proxy-arp interface ge-0/0/0.0 address 10.0.0.100/32
root@SRX1400# set security address-book global address Web 172.16.1.1/32
root@SRX1400# set security nat destination rule-set rs1 rule 1 then destination-nat pool DST-NAT-POOL-1
root@SRX1400# set security policies from-zone untrust to-zone trust policy web match source-address any
root@SRX1400# set security policies from-zone untrust to-zone trust policy web match destination-address Web application any
root@SRX1400# set security policies from-zone untrust to-zone trust policy web then permit
root@SRX1400# insert security policies from-zone untrust to-zone trust policy web before policy default-deny
2.4 Static NAT Configuration
root@SRX1400# set security nat static rule-set rs1 from zone untrust
root@SRX1400# set security nat static rule-set rs1 rule R1 match destination-address 10.0.0.100/32
root@SRX1400# set security nat static rule-set rs1 rule R1 then static-nat prefix 172.16.1.1/32
root@SRX1400# set security nat proxy-arp interface ge-0/0/0.0 address 10.0.0.100/32
root@SRX1400# set security address-book global address Web 172.16.1.1/32
root@SRX1400# set security policies from-zone untrust to-zone trust policy web match source-address any destination-address Web application any
root@SRX1400# set security policies from-zone untrust to-zone trust policy web then permit
root@SRX1400# insert security policies from-zone untrust to-zone trust policy web before policy default-deny
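The NAT examples above depend on two things that are easy to miss in review: every translated address that sits in the ge-0/0/0 subnet needs a matching proxy-arp entry, and the untrust-to-trust policy "web" permits application any, which with static NAT exposes every port of 172.16.1.1. The following Python audit of set-style commands is an added example, not part of the original page or a Juniper tool; the helper names and the sample input are constructed, and it assumes the outside zone is named untrust as on this page.

```python
import ipaddress

# Constructed sample in the page's "set" style; proxy-arp for 10.0.0.100 is left out on purpose.
SAMPLE = """\
root@SRX1400# set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.10/24
root@SRX1400# set security nat source pool ISP address 10.0.0.20 to 10.0.0.30
root@SRX1400# set security nat proxy-arp interface ge-0/0/0.0 address 10.0.0.20 to 10.0.0.30
root@SRX1400# set security nat static rule-set rs1 rule R1 match destination-address 10.0.0.100/32
root@SRX1400# set security policies from-zone untrust to-zone trust policy web match source-address any destination-address Web application any
root@SRX1400# set security policies from-zone untrust to-zone trust policy web then permit
"""

def _span(tok):
    """['10.0.0.20', 'to', '10.0.0.30'] or ['10.0.0.100/32'] -> (first, last) addresses."""
    first = ipaddress.ip_interface(tok[0]).ip
    return first, ipaddress.ip_interface(tok[2]).ip if tok[1:2] == ["to"] else first

def audit(config):
    """Return findings for Junos set commands (hypothetical helper written for this example)."""
    ifaces, proxied, public, any_app, permit = {}, [], [], set(), set()
    for line in config.splitlines():
        t = line.split("# ", 1)[-1].split()                      # drop the CLI prompt
        if t[:2] == ["set", "interfaces"] and "address" in t:
            ifaces[f"{t[2]}.{t[4]}"] = ipaddress.ip_interface(t[-1])
        elif t[:4] == ["set", "security", "nat", "proxy-arp"]:
            proxied.append((t[5], *_span(t[7:])))
        elif t[:5] == ["set", "security", "nat", "source", "pool"] and "address" in t:
            public.append((f"source pool {t[5]}", *_span(t[7:])))
        elif t[:3] == ["set", "security", "nat"] and "destination-address" in t and t[3] != "source":
            public.append((f"{t[3]} NAT rule {t[7]}", *_span(t[10:])))
        elif t[:3] == ["set", "security", "policies"] and len(t) > 9:
            key = (t[4], t[6], t[8])                             # (from-zone, to-zone, policy)
            if "application" in t and t[t.index("application") + 1] == "any":
                any_app.add(key)
            if t[9:11] == ["then", "permit"]:
                permit.add(key)
    findings = []
    for label, first, last in public:
        for unit, ifc in ifaces.items():
            # An address in the interface subnet that is not the interface's own needs proxy-arp.
            if first in ifc.network and not first <= ifc.ip <= last:
                if not any(u == unit and lo <= first and last <= hi for u, lo, hi in proxied):
                    findings.append(f"{label}: no proxy-arp on {unit} for {first}-{last}")
    for frm, to, name in sorted(any_app & permit):
        if frm == "untrust":                                     # outside zone, as named on the page
            findings.append(f"policy {name} ({frm}->{to}) permits application any")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Adding the proxy-arp line for 10.0.0.100/32 and narrowing the policy to a specific application such as junos-http clears both findings.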
Juniper SRX Firewall NAT Configuration