First, the basic operating instructions:
1. Restoring factory defaults
root# load factory-default
root# set system root-authentication plain-text-password
root# commit
root> request system reboot
2. Basic Configuration
2.1 Configuring host names
root# set system host-name SRX1400
2.2 Setting the time zone
root# set system time-zone Asia/Shanghai
2.3 Setting the time
root# run set date 201508011549.21
2.4 Setting up DNS
root# set system name-server 202.106.0.20
2.5 Setting the interface IP
root# set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.10/24
2.6 Setting the default route
root# set routing-options static route 0.0.0.0/0 next-hop 10.0.0.254
2.7 Creating a login user
root# set system login user admin class super-user authentication plain-text-password
2.8 Creating a security zone
root# set security zones security-zone untrust
2.9 Adding an interface to the zone
root# set security zones security-zone untrust interfaces ge-0/0/0.0
2.10 Allowing ICMP (ping) on the interface
root# set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
Note: ICMP has to be allowed explicitly. By default, ports other than the management port (the service ports) cannot be pinged.
Second, Juniper SRX NAT
1. Types of NAT
1.1 Source NAT: interface
1.2 Source NAT: pool
1.3 Destination NAT
1.4 Static NAT
2. Configuration Example
2.1 interface-based source NAT
root# set security nat source rule-set 1 from zone trust
root# set security nat source rule-set 1 to zone untrust
root# set security nat source rule-set 1 rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
root# set security nat source rule-set 1 rule rule1 then source-nat interface
Default policy:
policy default-permit {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}
2.2 Source NAT based on the address pool
root# set security nat source pool isp address 10.0.0.20 to 10.0.0.30
root# set security nat source rule-set 1 from zone trust
root# set security nat source rule-set 1 to zone untrust
root# set security nat source rule-set 1 rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
root# set security nat source rule-set 1 rule rule1 then source-nat pool isp
root# set security nat proxy-arp interface ge-0/0/0.0 address 10.0.0.20 to 10.0.0.30
2.3 Destination NAT configuration
root# set security nat destination pool DST-NAT-POOL-1 address 172.16.1.1/32
root# set security nat destination pool DST-NAT-POOL-1 address port 80
root# set security nat destination rule-set rs1 from zone untrust
root# set security nat destination rule-set rs1 rule 1 match destination-address 10.0.0.100/32
root# set security nat proxy-arp interface ge-0/0/0.0 address 10.0.0.100/32
root# set security address-book global address Web 172.16.1.1/32
root# set security nat destination rule-set rs1 rule 1 then destination-nat pool DST-NAT-POOL-1
root# set security policies from-zone untrust to-zone trust policy web match source-address any
root# set security policies from-zone untrust to-zone trust policy web match destination-address Web
root# set security policies from-zone untrust to-zone trust policy web match application any
root# set security policies from-zone untrust to-zone trust policy web then permit
root# insert security policies from-zone untrust to-zone trust policy web before policy default-deny
2.4 Static NAT configuration
root# set security nat static rule-set rs1 from zone untrust
root# set security nat static rule-set rs1 rule R1 match destination-address 10.0.0.100/32
root# set security nat static rule-set rs1 rule R1 then static-nat prefix 172.16.1.1/32
root# set security nat proxy-arp interface ge-0/0/0.0 address 10.0.0.100/32
root# set security address-book global address Web 172.16.1.1/32
root# set security policies from-zone untrust to-zone trust policy web match source-address any destination-address Web application any
root# set security policies from-zone untrust to-zone trust policy web then permit
root# insert security policies from-zone untrust to-zone trust policy web before policy default-deny
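An added example, not part of the original article: a Python check over `set` commands like those in 2.3 and 2.4. The SRX evaluates security policy after destination and static NAT, so the permit policy has to reference the translated address (172.16.1.1/32), and because static NAT maps every port, `application any` from untrust exposes every service on that host. The function name `audit`, the finding strings and the sample input are constructed for this illustration.

```python
import re

# Constructed sample: the static NAT commands from section 2.4, prompts removed.
SAMPLE = """\
set security nat static rule-set rs1 from zone untrust
set security nat static rule-set rs1 rule R1 match destination-address 10.0.0.100/32
set security nat static rule-set rs1 rule R1 then static-nat prefix 172.16.1.1/32
set security address-book global address Web 172.16.1.1/32
set security policies from-zone untrust to-zone trust policy web match source-address any destination-address Web application any
set security policies from-zone untrust to-zone trust policy web then permit
"""

def audit(config):
    """Return review findings for a block of Junos `set` commands."""
    book, translated, pol = {}, set(), {}
    for line in config.splitlines():
        if m := re.search(r"address-book \S+ address (\S+) (\S+)", line):
            book[m[1]] = m[2]                      # entry name -> prefix
        elif m := re.search(r"nat static .* then static-nat prefix (\S+)", line):
            translated.add(m[1])                   # real address behind static NAT
        elif m := re.search(r"nat destination pool \S+ address (\d\S*)", line):
            translated.add(m[1])                   # real address behind destination NAT
        elif m := re.search(
                r"policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.+)", line):
            p = pol.setdefault((m[1], m[2], m[3]), {})
            words = m[5].split()
            if m[4] == "then":
                p["action"] = words[0]
            else:                                  # "key value key value ..." pairs
                p.update(zip(words[0::2], words[1::2]))
    permits = {k: p for k, p in pol.items() if p.get("action") == "permit"}
    findings = []
    # The policy lookup sees the translated address, so it must be the one permitted.
    for prefix in sorted(translated):
        names = {n for n, a in book.items() if a == prefix}
        if not any(p.get("destination-address") in names for p in permits.values()):
            findings.append(f"no permit policy matches translated address {prefix}")
    # Inbound permit with no application restriction opens every mapped port.
    for (src, dst, name), p in sorted(permits.items()):
        if src == "untrust" and p.get("application") == "any":
            findings.append(f"policy {name} ({src}->{dst}) permits application any")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```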
This article is from the "Network Technology" blog. Please be sure to keep this source: http://zhangjialin.blog.51cto.com/10512577/1680838
Juniper SRX Firewall NAT Configuration