简介
基于PNET-LAB模拟器,使用 vSRX-NG 23.4R1.9 镜像进行实验。
博客:https://songxwn.com/Juniper-SRX-snat/
实验需求
配置WAN口 LAN口,实现基础的上网功能。配置NAT、DHCP。
ISP 路由器使用Cisco IOS模拟,与SRX对接口配置 1.1.1.2,Lookback0配置114.114.114.114/32
实验步骤
实验拓扑
基础配置 - root密码、主机名、时区NTP。
set system root-authentication plain-text-password
# vSRX 默认无root密码,会强制要求配置一个。
set system host-name SRX01
# 配置设备的主机名,方便标识。
set system time-zone Asia/Shanghai
# 配置设备时区,可能需要手动导入时区文件。https://www.juniper.net/documentation/cn/zh/software/junos/time-mgmt/topics/topic-map/configure-time-zone.html
set system ntp server 1.1.1.1
# 配置NTP服务器地址。如果目标是域名,需要配置DNS服务器。(安全类产品时间很重要)
show | compare
commit
# 最后查看要提交的配置,然后提交生效。
配置公/内网接口地址,默认路由。
set interfaces ge-0/0/0 description LAN1
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.1/24
set interfaces ge-0/0/1 description WAN1
set interfaces ge-0/0/1 unit 0 family inet address 1.1.1.1/24
# 配置接口描述、配置IP地址。
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.2
# 配置默认路由指向公网出口网关。
show route
inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 00:00:33
> to 1.1.1.2 via ge-0/0/1.0
1.1.1.0/24 *[Direct/0] 00:02:15
> via ge-0/0/1.0
1.1.1.1/32 *[Local/0] 00:02:15
Local via ge-0/0/1.0
192.168.0.0/24 *[Direct/0] 00:02:46
> via ge-0/0/0.0
192.168.0.1/32 *[Local/0] 00:02:46
Local via ge-0/0/0.0
192.168.1.1/32 *[Local/0] 00:18:13
Reject
# 查看路由表验证。
ping 114.114.114.114
# Ping ISP路由器的LookBack0验证。
配置安全区域并关联接口
安全区域(Security Zone):它是一个或多个接口的集合,是防火墙区别于路由器的主要特性。 防火墙通过安全区域来划分网络、标识报文流动的“路线”,当报文在不同的安全区域之间流动时,才会触发安全检查。 相同区域不受限制,不同区域必须按照安全策略进行控制。
set security zones security-zone LAN
set security zones security-zone LAN host-inbound-traffic system-services all
set security zones security-zone LAN host-inbound-traffic protocols all
set security zones security-zone LAN interfaces ge-0/0/0.0
# 内网区域配置允许所有服务、允许所有协议进入,并把 ge-0/0/0.0 加入内网区域。
set security zones security-zone WAN
set security zones security-zone WAN host-inbound-traffic system-services ping
set security zones security-zone WAN interfaces ge-0/0/1.0
# 外网区域配置只允许ICMP进入区域,并把 ge-0/0/1.0 加入外网区域
配置 SNAT 规则
set security nat source rule-set LAN_to_WAN_SNAT from zone LAN
# 配置NAT源区域
set security nat source rule-set LAN_to_WAN_SNAT to zone WAN
# 配置NAT目标区域
set security nat source rule-set LAN_to_WAN_SNAT rule Default_NAT match source-address 0.0.0.0/0
# 不限制源地址
set security nat source rule-set LAN_to_WAN_SNAT rule Default_NAT then source-nat interface
# 配置NAT地址为接口IP。
配置安全策略规则LAN 到 WAN
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone LAN to-zone WAN policy Default-Permit match source-address any
set security policies from-zone LAN to-zone WAN policy Default-Permit match destination-address any
set security policies from-zone LAN to-zone WAN policy Default-Permit match application any
set security policies from-zone LAN to-zone WAN policy Default-Permit then permit
# 配置LAN区域到WAN区域允许所有IP和APP。
配置DHCP,为LAN口下联终端分配IP
set system services dhcp pool 192.168.0.0/24 address-range low 192.168.0.101
set system services dhcp pool 192.168.0.0/24 address-range high 192.168.0.200
# 配置地址池192.168.0.0/24 配置分配地址范围。
set system services dhcp pool 192.168.0.0/24 name-server 114.114.114.114
# 配置DNS服务器
set system services dhcp pool 192.168.0.0/24 router 192.168.0.1
# 配置默认网关
set system services dhcp pool 192.168.0.0/24 default-lease-time 3600
# 配置IP地址保留时间
set security zones security-zone LAN interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
# 配置LAN区域指定接口允许DHCP服务通过。
PS:接口的 IP 地址必须与 DHCP 池位于同网段中。配置完成之后,会自动关联。
DHCP服务验证
show system services dhcp pool
# 查看所有Pool
show system services dhcp binding
IP address Hardware address Type Lease expires at
192.168.0.101 50:11:1b:00:97:00 dynamic 2024-03-22 06:50:12 UTC
# 查看已分配IP
show system services dhcp statistics
# 查看状态
最终验证
最终win-PC 可以DHCP自动获取到IP,并可以ping通 114.114.114.114;
