Networking

Juniper SRX210,如何為 192.168.1.151 本地 IP 啟用埠 554、9001?

  • January 16, 2012

我一直在努力解決這個問題,但我仍然無法解決它。我有 192.168.1.151 PC,它打開了 554 和 9001 TCP/UDP。但我需要公開訪問它。在我的瞻博網路 srx210 中,我也有以下配置。但我無法理解它不起作用。

version 10.0R3.10;
system {
   root-authentication {
       encrypted-password "secret-password-goes-in-here"; ## SECRET-DATA
   }
   name-server {
       208.67.222.222;
       208.67.220.220;
   }
   services {
       ssh {
           root-login allow;
       }
       telnet;
       web-management {
           http {
               interface vlan.0;
           }
           https {
               system-generated-certificate;
               interface vlan.0;
           }
       }
       dhcp {
           router {
               192.168.1.1;
           }
           pool 192.168.1.0/24 {
               address-range low 192.168.1.2 high 192.168.1.254;
           }
           propagate-settings ge-0/0/0.0;
       }
   }
   syslog {
       archive size 100k files 3;
       user * {
           any emergency;
       }
       file messages {
           any critical;
           authorization info;
       }
       file interactive-commands {
           interactive-commands error;
       }
   }
   max-configurations-on-flash 5;
   max-configuration-rollbacks 5;
   license {       
       autoupdate {
           url https://ae1.juniper.net/junos/key_retrieval;
       }           
   }               
}                   
interfaces {        
   interface-range interfaces-trust {
       member ge-0/0/1;
       member fe-0/0/2;
       member fe-0/0/3;
       member fe-0/0/4;
       member fe-0/0/5;
       member fe-0/0/6;
       member fe-0/0/7;
       unit 0 {    
           family ethernet-switching {
               vlan {
                   members vlan-trust;
               }   
           }       
       }           
   }               
   ge-0/0/0 {      
       mac 0a:00:xx:00:00:00;
       unit 0 {    
           family inet {
               dhcp;
           }       
       }           
   }               
   vlan {          
       unit 0 {    
           family inet {
               address 192.168.1.1/24;
           }       
       }           
   }               
}                   
security {          
   nat {           
       source {    
           rule-set trust-to-untrust {
               from zone trust;
               to zone untrust;
               rule source-nat-rule {
                   match {
                       source-address 0.0.0.0/0;
                   }
                   then {
                       source-nat {
                           interface;
                       }
                   }
               }   
           }       
       }           
       destination {
           pool pool1 {
               address 192.168.1.151/32;
           }       
           pool pool2 {
               address 192.168.1.41/32;
           }       
           pool pool3 {
               address 192.168.1.1/32;
           }       
           pool pool4 {
               address 192.168.1.125/32;
           }       
           rule-set ruleset1 {
               from zone untrust;
               rule rule1 {
                   match {
                       destination-address 0.0.0.0/0;
                       destination-port 554;
                   }
                   then {
                       destination-nat pool pool1;
                   }
               }   
               rule rule2 {
                   match {
                       destination-address 0.0.0.0/0;
                       destination-port 49152;
                   }
                   then {
                       destination-nat pool pool1;
                   }
               }   
               rule rule3 {
                   match {
                       destination-address 0.0.0.0/0;
                       destination-port 49500;
                   }
                   then {
                       destination-nat pool pool1;
                   }
               }   
               rule rule6 {
                   match {
                       destination-address 0.0.0.0/0;
                   }
                   then {
                       destination-nat pool pool4;
                   }
               }   
               rule rule5 {
                   match {
                       destination-address 0.0.0.0/0;
                       destination-port 22;
                   }
                   then {
                       destination-nat pool pool3;
                   }
               }   
               rule rule4 {
                   match {
                       destination-address 0.0.0.0/0;
                       destination-port 9001;
                   }
                   then {
                       destination-nat pool pool1;
                   }
               }   
           }       
       }           
   }               
   screen {        
       ids-option untrust-screen {
           icmp {  
               ping-death;
           }       
           ip {    
               source-route-option;
               tear-drop;
           }       
           tcp {   
               syn-flood {
                   alarm-threshold 1024;
                   attack-threshold 200;
                   source-threshold 1024;
                   destination-threshold 2048;
                   timeout 20;
               }   
               land;
           }       
       }           
   }               
   zones {         
       security-zone trust {
           address-book {
               address mydmz 192.168.1.125/32;
           }       
           host-inbound-traffic {
               system-services {
                   all;
               }   
               protocols {
                   all;
               }   
           }       
           interfaces {
               vlan.0;
           }       
       }           
       security-zone untrust {
           screen untrust-screen;
           interfaces {
               ge-0/0/0.0 {
                   host-inbound-traffic {
                       system-services {
                           dhcp;
                           tftp;
                           ping;
                           telnet;
                       }
                   }
               }   
           }       
       }           
   }               
   policies {      
       from-zone trust to-zone untrust {
           policy trust-to-untrust {
               match {
                   source-address any;
                   destination-address any;
                   application any;
               }   
               then {
                   permit;
               }   
           }       
       }           
       from-zone untrust to-zone trust {
           policy server-access {
               match {
                   source-address any;
                   destination-address mydmz;
                   application any;
               }   
               then {
                   permit;
               }   
           }       
       }           
   }               
   alg {           
       sip {       
           disable;
           inactive-media-timeout 90;
           maximum-call-duration 3000;
           retain-hold-resource;
           application-screen {
               unknown-message {
                   permit-nat-applied;
                   permit-routed;
               }   
           }       
       }           
   }               
}                   
vlans {             
   vlan-trust {    
       vlan-id 3;  
       l3-interface vlan.0;
   }               
} 

您的 DNAT 看起來不錯,但您還沒有創建防火牆策略來允許流量。您應該編輯信任區域的地址簿並為內部的主機添加條目,然後創建與這些目標和應用程序匹配的區域不信任到區域信任策略。您可以參考內置應用程序,或者您可以創建自己的應用程序,但這是在配置頂部的其自己的部分完成的,而不是在安全節下。這是一個策略範例,為了達到這個級別,我輸入了“edit security policys from-zone untrust to-zone trust”。然後輸入以下內容。

policy exchange {
   match {                             
       source-address any;
       destination-address [ exchange1 exchange2 ];
       application [ junos-https junos-smtp junos-http junos-imap junos-ping junos-imaps junos-pop3 ];
   }
   then {
       permit;
       count;
   }

引用自:https://serverfault.com/questions/350232