Juniper SRX Firewall NAT Configuration

Source: Internet

Author: User

Tags: juniper srx

Part 1: Basic operating instructions

1. Restore the device to factory defaults

root# load factory-default

root# set system root-authentication plain-text-password

root# commit

root> request system reboot

2. Basic Configuration

2.1 Configuring the host name

root# set system host-name SRX1400

2.2 Setting the time zone

root@srx1400# set system time-zone Asia/Shanghai

2.3 Setting the time

root@srx1400# run set date 201508011549.21

2.4 Setting up DNS

root@srx1400# set system name-server 202.106.0.20

2.5 Setting the interface IP

root@srx1400# set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.10/24

2.6 Setting the default route

root@srx1400# set routing-options static route 0.0.0.0/0 next-hop 10.0.0.254

2.7 Creating a login user

root@srx1400# set system login user admin class super-user authentication plain-text-password

2.8 Creating a security zone

root@srx1400# set security zones security-zone untrust

2.9 Adding the interface to the zone

root@srx1400# set security zones security-zone untrust interfaces ge-0/0/0.0

2.10 Allowing ICMP (ping) on the interface

root@srx1400# set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

Note: ICMP has to be released explicitly in this way. An interface does not answer ping by default, so business ports that are not used for management will not be pingable until the service is enabled on them.

Part 2: Juniper SRX NAT

1. Types of NAT

1.1 Source NAT: interface

1.2 Source NAT: pool

1.3 Destination NAT

1.4 Static NAT

2. Configuration Example

2.1 Interface-based source NAT

root@srx1400# set security nat source rule-set 1 from zone trust

root@srx1400# set security nat source rule-set 1 to zone untrust

root@srx1400# set security nat source rule-set 1 rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0

root@srx1400# set security nat source rule-set 1 rule rule1 then source-nat interface

Default policy (the existing default-permit policy already allows the trust-to-untrust traffic, so no new policy is needed):

policy default-permit {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}

2.2 Source NAT based on the address pool

root@srx1400# set security nat source pool ISP address 10.0.0.20 to 10.0.0.30

root@srx1400# set security nat source rule-set 1 from zone trust

root@srx1400# set security nat source rule-set 1 to zone untrust

root@srx1400# set security nat source rule-set 1 rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0

root@srx1400# set security nat source rule-set 1 rule rule1 then source-nat pool ISP

root@srx1400# set security nat proxy-arp interface ge-0/0/0.0 address 10.0.0.20 to 10.0.0.30
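The proxy-ARP line is the part of this configuration that is easiest to forget: the pool addresses 10.0.0.20 to 10.0.0.30 sit on the subnet of ge-0/0/0.0 but are not the interface's own address, so the next-hop router's ARP requests for them go unanswered unless the SRX proxies for them, and return traffic never arrives. The following Python script is an added example, not part of the original page and not a Juniper tool: it reads the page's own `set` commands from a constructed sample, expands the pool and proxy-ARP ranges, and reports any on-link pool address that has no proxy-ARP entry or that collides with the interface address. The sample configurations and the function names are my own, and the parser only understands the command forms used on this page.

```python
import ipaddress

# Constructed sample (not a device dump): the interface address from section
# 2.5 and the pool-based source NAT lines from section 2.2 of this page.
SAMPLE_CONFIG = """
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.10/24
set security nat source pool ISP address 10.0.0.20 to 10.0.0.30
set security nat proxy-arp interface ge-0/0/0.0 address 10.0.0.20 to 10.0.0.30
"""

# Same sample, but proxy-ARP covers only part of the pool (constructed defect).
SAMPLE_PARTIAL_PROXY_ARP = """
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.10/24
set security nat source pool ISP address 10.0.0.20 to 10.0.0.30
set security nat proxy-arp interface ge-0/0/0.0 address 10.0.0.20 to 10.0.0.25
"""


def expand_addresses(tokens):
    """Expand the tokens after 'address' ('A to B' or 'A[/len]') into a set of
    IPv4Address objects. Iterating a network yields every address in it, which
    for the /32 forms used on this page is exactly one address."""
    if len(tokens) >= 3 and tokens[1] == "to":
        lo = ipaddress.ip_address(tokens[0].split("/")[0])
        hi = ipaddress.ip_address(tokens[2].split("/")[0])
        return {ipaddress.ip_address(n) for n in range(int(lo), int(hi) + 1)}
    return set(ipaddress.ip_network(tokens[0], strict=False))


def parse_set_config(text):
    """Pick out interface addresses, source NAT pools and proxy-ARP entries
    from 'set'-style Junos lines. Only the forms used on this page are handled."""
    interfaces, pools, proxy_arp = {}, {}, {}
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] != "set" or "address" not in t:
            continue
        after = t[t.index("address") + 1:]
        if t[1] == "interfaces":
            # set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.10/24
            interfaces[f"{t[2]}.{t[4]}"] = ipaddress.ip_interface(after[0])
        elif t[1:5] == ["security", "nat", "source", "pool"]:
            pools.setdefault(t[5], set()).update(expand_addresses(after))
        elif t[1:4] == ["security", "nat", "proxy-arp"]:
            ifname = t[t.index("interface") + 1]
            if "." not in ifname:  # tolerate 'ge-0/0/0' as shorthand for unit 0
                ifname += ".0"
            proxy_arp.setdefault(ifname, set()).update(expand_addresses(after))
    return interfaces, pools, proxy_arp


def audit_proxy_arp(text):
    """Return findings (strings) for pool addresses that live on a directly
    connected subnet but are not answered by proxy-ARP, or that collide with
    the interface's own address. An empty list means the pool is reachable."""
    interfaces, pools, proxy_arp = parse_set_config(text)
    findings = []
    for pool, addrs in pools.items():
        for addr in sorted(addrs):
            for ifname, iface in interfaces.items():
                if addr not in iface.network:
                    continue  # off-link pool: reached by routing, ARP is not involved
                if addr == iface.ip:
                    findings.append(f"pool {pool}: {addr} is the address of {ifname} itself; "
                                    "use 'then source-nat interface' for that")
                elif addr not in proxy_arp.get(ifname, set()):
                    findings.append(f"pool {pool}: {addr} is on the subnet of {ifname} but has "
                                    "no proxy-arp entry, so the next hop cannot ARP for it")
    return findings


if __name__ == "__main__":
    for label, cfg in (("complete", SAMPLE_CONFIG), ("partial", SAMPLE_PARTIAL_PROXY_ARP)):
        print(label, audit_proxy_arp(cfg) or "OK")
```

Run against the page's configuration the audit returns nothing; against the partial variant it lists the five addresses 10.0.0.26 to 10.0.0.30 that the upstream router could not resolve. The same check is worth running on the destination and static NAT addresses configured later, which also need proxy-ARP on ge-0/0/0.0.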

2.3 Destination NAT Configuration

root@srx1400# set security nat destination pool DST-NAT-POOL-1 address 172.16.1.1/32

root@srx1400# set security nat destination pool DST-NAT-POOL-1 address port 80

root@srx1400# set security nat destination rule-set rs1 from zone untrust

root@srx1400# set security nat destination rule-set rs1 rule 1 match destination-address 10.0.0.100/32

root@srx1400# set security nat proxy-arp interface ge-0/0/0.0 address 10.0.0.100/32

root@srx1400# set security address-book global address Web 172.16.1.1/32

root@srx1400# set security nat destination rule-set rs1 rule 1 then destination-nat pool DST-NAT-POOL-1

root@srx1400# set security policies from-zone untrust to-zone trust policy web match source-address any

root@srx1400# set security policies from-zone untrust to-zone trust policy web match destination-address Web application any

root@srx1400# set security policies from-zone untrust to-zone trust policy web then permit

root@srx1400# insert security policies from-zone untrust to-zone trust policy web before policy default-deny

2.4 Static NAT Configuration

root@srx1400# set security nat static rule-set rs1 from zone untrust

root@srx1400# set security nat static rule-set rs1 rule R1 match destination-address 10.0.0.100/32

root@srx1400# set security nat static rule-set rs1 rule R1 then static-nat prefix 172.16.1.1/32

root@srx1400# set security nat proxy-arp interface ge-0/0/0.0 address 10.0.0.100/32

root@srx1400# set security address-book global address Web 172.16.1.1/32

root@srx1400# set security policies from-zone untrust to-zone trust policy web match source-address any destination-address Web application any

root@srx1400# set security policies from-zone untrust to-zone trust policy web then permit

root@srx1400# insert security policies from-zone untrust to-zone trust policy web before policy default-deny
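Both the destination NAT (2.3) and static NAT (2.4) recipes end with the same two steps that are easy to get wrong: the security policy must reference the translated (internal) address through the address book, and, because Junos appends a new policy after the existing ones, the policy must be moved in front of default-deny with `insert` or the session is still denied after translation. The Python script below is an added example, not part of the original page and not a Juniper tool: it parses a constructed sample built from the page's commands, collects every address that destination or static NAT publishes, and checks that a permit policy from untrust to trust admits it and is ordered before default-deny. The sample text, the second static-NAT target 172.16.1.2 and the function names are my own assumptions; the parser understands only the command forms used on this page.

```python
import ipaddress

# Constructed sample (not a device dump): the default-deny policy from zone
# untrust to zone trust, followed by the destination NAT commands of section 2.3.
SAMPLE_OK = """
set security policies from-zone untrust to-zone trust policy default-deny match source-address any destination-address any application any
set security policies from-zone untrust to-zone trust policy default-deny then deny
set security nat destination pool DST-NAT-POOL-1 address 172.16.1.1/32
set security nat destination pool DST-NAT-POOL-1 address port 80
set security nat destination rule-set rs1 from zone untrust
set security nat destination rule-set rs1 rule 1 match destination-address 10.0.0.100/32
set security nat destination rule-set rs1 rule 1 then destination-nat pool DST-NAT-POOL-1
set security address-book global address Web 172.16.1.1/32
set security policies from-zone untrust to-zone trust policy web match source-address any destination-address Web application any
set security policies from-zone untrust to-zone trust policy web then permit
insert security policies from-zone untrust to-zone trust policy web before policy default-deny
"""

# Constructed defects: the insert is forgotten, and a static NAT server
# (section 2.4 style, assumed second address 172.16.1.2) gets no policy at all.
STATIC_EXTRA = """
set security nat static rule-set rs2 from zone untrust
set security nat static rule-set rs2 rule R1 match destination-address 10.0.0.101/32
set security nat static rule-set rs2 rule R1 then static-nat prefix 172.16.1.2/32
"""
SAMPLE_GAPS = "\n".join(l for l in SAMPLE_OK.splitlines() if not l.startswith("insert")) + STATIC_EXTRA


def parse_policy_config(text):
    """Collect NAT targets, address-book entries and security policies (in the
    order Junos would evaluate them) from 'set'/'insert' lines."""
    pools, pool_refs, targets, book, order, details = {}, [], set(), {}, {}, {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "set" and t[1:5] == ["security", "nat", "destination", "pool"] and "address" in t:
            val = t[t.index("address") + 1]
            if val != "port":  # 'address port 80' carries no IP address
                pools[t[5]] = ipaddress.ip_network(val, strict=False)
        elif t[0] == "set" and "destination-nat" in t:
            pool_refs.append(t[t.index("pool") + 1])
        elif t[0] == "set" and "static-nat" in t:
            targets.add(ipaddress.ip_network(t[t.index("prefix") + 1], strict=False))
        elif t[0] == "set" and t[1:5] == ["security", "address-book", "global", "address"]:
            book[t[5]] = ipaddress.ip_network(t[6], strict=False)
        elif t[1:3] == ["security", "policies"] and t[3] == "from-zone":
            ctx, name, rest = (t[4], t[6]), t[8], t[9:]
            names = order.setdefault(ctx, [])
            d = details.setdefault((ctx, name), {"dst": [], "action": None})
            if t[0] == "set":
                if name not in names:
                    names.append(name)  # Junos appends a new policy at the end
                if rest and rest[0] == "match":
                    for k, v in zip(rest[1::2], rest[2::2]):
                        if k == "destination-address":
                            d["dst"].append(v)
                elif rest and rest[0] == "then":
                    d["action"] = rest[1]
            elif t[0] == "insert" and rest[:2] == ["before", "policy"] \
                    and name in names and rest[2] in names:
                names.remove(name)
                names.insert(names.index(rest[2]), name)
    targets.update(pools[ref] for ref in pool_refs if ref in pools)
    return targets, book, order, details


def audit_nat_policies(text, from_zone="untrust", to_zone="trust"):
    """Return findings for NAT targets that no permit policy admits, or whose
    permit policy sits behind default-deny; an empty list means every published
    server is actually reachable through the policy engine."""
    targets, book, order, details = parse_policy_config(text)
    ctx = (from_zone, to_zone)
    names = order.get(ctx, [])
    deny_at = names.index("default-deny") if "default-deny" in names else len(names)
    findings = []
    for (_, name), d in details.items():
        for ref in d["dst"]:
            if ref != "any" and ref not in book:
                findings.append(f"policy {name}: destination-address {ref} is not in the global address book")
    for target in sorted(targets):
        permits = [n for n in names if details[(ctx, n)]["action"] == "permit"
                   and any(r == "any" or (r in book and target.subnet_of(book[r]))
                           for r in details[(ctx, n)]["dst"])]
        if not permits:
            findings.append(f"{target}: no permit policy from {from_zone} to {to_zone} admits it; "
                            "NAT translates the packet but the session is denied")
        elif min(names.index(n) for n in permits) > deny_at:
            findings.append(f"{target}: permit policy {permits[0]} is ordered after default-deny; "
                            "insert it before that policy")
    return findings


if __name__ == "__main__":
    print("page config:", audit_nat_policies(SAMPLE_OK) or "OK")
    print("with gaps:", audit_nat_policies(SAMPLE_GAPS))
```

On the page's own commands the audit is clean; on the variant with gaps it reports that policy web is ordered after default-deny (the forgotten `insert`) and that 172.16.1.2/32 has no permit policy at all, which is exactly the symptom of a NAT rule that translates but whose sessions still show up as denied in the policy log.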
