Juniper SRX Firewall NAT Configuration

Source: Internet
Author: User
Tags juniper srx

First, basic operations:

1. Restoring factory defaults

root# load factory-default

root# set system root-authentication plain-text-password

root# commit

root> request system reboot

2. Basic Configuration

2.1 Configuring the host name

root# set system host-name SRX1400

2.2 Setting the time zone

root@SRX1400# set system time-zone Asia/Shanghai

2.3 Setting the time

root@SRX1400# run set date 201508011549.21

2.4 Setting up DNS

root@SRX1400# set system name-server 202.106.0.20

2.5 Setting the interface IP

root@SRX1400# set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.10/24

2.6 Setting the default route

root@SRX1400# set routing-options static route 0.0.0.0/0 next-hop 10.0.0.254

2.7 Creating a login user

root@SRX1400# set system login user admin class super-user authentication plain-text-password

2.8 Creating a security zone

root@SRX1400# set security zones security-zone untrust

2.9 Adding the interface to the zone

root@SRX1400# set security zones security-zone untrust interfaces ge-0/0/0.0

2.10 Permitting ICMP (ping) on a service port

root@SRX1400# set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

Note: ICMP has to be permitted explicitly. By default, apart from the management port, the service ports cannot be pinged.

Second, Juniper SRX NAT

1. Types of NAT

1.1 Source NAT: interface

1.2 Source NAT: pool

1.3 Destination NAT

1.4 Static NAT

2. Configuration Example

2.1 Interface-based source NAT

root@SRX1400# set security nat source rule-set 1 from zone trust

root@SRX1400# set security nat source rule-set 1 to zone untrust

root@SRX1400# set security nat source rule-set 1 rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0

root@SRX1400# set security nat source rule-set 1 rule rule1 then source-nat interface

Default policy

    policy default-permit {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }

2.2 Source NAT based on the address pool

root@SRX1400# set security nat source pool ISP address 10.0.0.20 to 10.0.0.30

root@SRX1400# set security nat source rule-set 1 from zone trust

root@SRX1400# set security nat source rule-set 1 to zone untrust

root@SRX1400# set security nat source rule-set 1 rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0

root@SRX1400# set security nat source rule-set 1 rule rule1 then source-nat pool ISP

root@SRX1400# set security nat proxy-arp interface ge-0/0/0 address 10.0.0.20 to 10.0.0.30

2.3 Destination NAT configuration

root@SRX1400# set security nat destination pool DST-NAT-POOL-1 address 172.16.1.1/32

root@SRX1400# set security nat destination pool DST-NAT-POOL-1 address port 80

root@SRX1400# set security nat destination rule-set rs1 from zone untrust

root@SRX1400# set security nat destination rule-set rs1 rule 1 match destination-address 10.0.0.100/32

root@SRX1400# set security nat destination pool DST-NAT-POOL-1 address port 80

root@SRX1400# set security nat proxy-arp interface ge-0/0/0.0 address 10.0.0.100/32

root@SRX1400# set security address-book global address Web 172.16.1.1/32

root@SRX1400# set security nat destination rule-set rs1 rule 1 then destination-nat pool DST-NAT-POOL-1

root@SRX1400# set security policies from-zone untrust to-zone trust policy web match source-address any

root@SRX1400# set security policies from-zone untrust to-zone trust policy web match destination-address Web application any

root@SRX1400# set security policies from-zone untrust to-zone trust policy

root@SRX1400# set security policies from-zone untrust to-zone trust policy web then permit

root@SRX1400# insert security policies from-zone untrust to-zone trust policy web before policy default-deny

2.4 Static NAT configuration

root@SRX1400# set security nat static rule-set rs1 from zone untrust

root@SRX1400# set security nat static rule-set rs1 rule R1 match destination-address 10.0.0.100/32

root@SRX1400# set security nat static rule-set rs1 rule R1 then static-nat prefix 172.16.1.1/32

root@SRX1400# set security nat proxy-arp interface ge-0/0/0.0 address 10.0.0.100/32

root@SRX1400# set security address-book global address Web 172.16.1.1/32

root@SRX1400# set security policies from-zone untrust to-zone trust policy web match source-address any destination-address Web application any

root@SRX1400# set security policies from-zone untrust to-zone trust policy web then permit

root@SRX1400# insert security policies from-zone untrust to-zone trust policy web before policy default-deny
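The SRX looks up the security policy after destination or static NAT has translated the address, which is why sections 2.3 and 2.4 write the policy against the address-book entry for 172.16.1.1 rather than 10.0.0.100. The Python check below is an added example, not part of the original article: it reads Junos "set" commands, confirms that each NAT-published host has a permit policy on its translated address, and flags policies that leave that host open to "application any". The function name `audit` and the finding strings are hypothetical; the sample input is the section 2.4 command set.

```python
# Constructed sample input: the section 2.4 static NAT commands from this page.
CONFIG = """\
set security nat static rule-set rs1 from zone untrust
set security nat static rule-set rs1 rule R1 match destination-address 10.0.0.100/32
set security nat static rule-set rs1 rule R1 then static-nat prefix 172.16.1.1/32
set security address-book global address Web 172.16.1.1/32
set security policies from-zone untrust to-zone trust policy web match source-address any destination-address Web application any
set security policies from-zone untrust to-zone trust policy web then permit
"""


def audit(config):
    """Return findings for NAT-published hosts in a list of Junos 'set' commands."""
    published, book, policies, findings = set(), {}, {}, []
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if (t[:5] == ["set", "security", "nat", "destination", "pool"]
                and len(t) > 7 and t[6] == "address" and t[7] != "port"):
            published.add(t[7])                   # destination pool address (2.3)
        elif t[:4] == ["set", "security", "nat", "static"] and t[-2:-1] == ["prefix"]:
            published.add(t[-1])                  # static-nat prefix (2.4)
        elif t[:5] == ["set", "security", "address-book", "global", "address"] and len(t) > 6:
            book[t[5]] = t[6]                     # address-book name -> prefix
        elif t[:3] == ["set", "security", "policies"] and len(t) > 10 and t[7] == "policy":
            pol = policies.setdefault((t[4], t[6], t[8]), {})
            if t[9] == "match":
                pol.update(zip(t[10::2], t[11::2]))   # match criteria as key/value pairs
            else:
                pol[t[9]] = t[10]                 # "then" -> action
    for addr in sorted(published):
        # A policy covers the host only if it permits the translated address.
        hits = [(key, p) for key, p in policies.items()
                if p.get("then") == "permit"
                and (p.get("destination-address") == "any"
                     or book.get(p.get("destination-address")) == addr)]
        if not hits:
            findings.append(f"{addr}: no permit policy matches the translated address")
        for (src, dst, name), p in hits:
            if p.get("application") == "any":
                findings.append(f"{addr}: policy {name} ({src}->{dst}) permits application any")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(finding)
```

Replacing `application any` with a predefined application such as `junos-http` in the policy clears the second kind of finding.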


This article is from the "Network Technology" blog, please be sure to keep this source http://zhangjialin.blog.51cto.com/10512577/1680838
