Networking
Juniper SRX210,如何為 192.168.1.151 本地 IP 啟用埠 554、9001?
我一直在努力解決這個問題,但我仍然無法解決它。我有 192.168.1.151 PC,它打開了 554 和 9001 TCP/UDP。但我需要公開訪問它。在我的瞻博網路 srx210 中,我也有以下配置。但我無法理解它不起作用。
version 10.0R3.10; system { root-authentication { encrypted-password "secret-password-goes-in-here"; ## SECRET-DATA } name-server { 208.67.222.222; 208.67.220.220; } services { ssh { root-login allow; } telnet; web-management { http { interface vlan.0; } https { system-generated-certificate; interface vlan.0; } } dhcp { router { 192.168.1.1; } pool 192.168.1.0/24 { address-range low 192.168.1.2 high 192.168.1.254; } propagate-settings ge-0/0/0.0; } } syslog { archive size 100k files 3; user * { any emergency; } file messages { any critical; authorization info; } file interactive-commands { interactive-commands error; } } max-configurations-on-flash 5; max-configuration-rollbacks 5; license { autoupdate { url https://ae1.juniper.net/junos/key_retrieval; } } } interfaces { interface-range interfaces-trust { member ge-0/0/1; member fe-0/0/2; member fe-0/0/3; member fe-0/0/4; member fe-0/0/5; member fe-0/0/6; member fe-0/0/7; unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } ge-0/0/0 { mac 0a:00:xx:00:00:00; unit 0 { family inet { dhcp; } } } vlan { unit 0 { family inet { address 192.168.1.1/24; } } } } security { nat { source { rule-set trust-to-untrust { from zone trust; to zone untrust; rule source-nat-rule { match { source-address 0.0.0.0/0; } then { source-nat { interface; } } } } } destination { pool pool1 { address 192.168.1.151/32; } pool pool2 { address 192.168.1.41/32; } pool pool3 { address 192.168.1.1/32; } pool pool4 { address 192.168.1.125/32; } rule-set ruleset1 { from zone untrust; rule rule1 { match { destination-address 0.0.0.0/0; destination-port 554; } then { destination-nat pool pool1; } } rule rule2 { match { destination-address 0.0.0.0/0; destination-port 49152; } then { destination-nat pool pool1; } } rule rule3 { match { destination-address 0.0.0.0/0; destination-port 49500; } then { destination-nat pool pool1; } } rule rule6 { match { destination-address 0.0.0.0/0; } then { destination-nat pool pool4; } } rule rule5 { match { destination-address 0.0.0.0/0; destination-port 22; } then { destination-nat pool pool3; } } rule rule4 { match { destination-address 0.0.0.0/0; destination-port 9001; } then { destination-nat pool pool1; } } } } } screen { ids-option untrust-screen { icmp { ping-death; } ip { source-route-option; tear-drop; } tcp { syn-flood { alarm-threshold 1024; attack-threshold 200; source-threshold 1024; destination-threshold 2048; timeout 20; } land; } } } zones { security-zone trust { address-book { address mydmz 192.168.1.125/32; } host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { vlan.0; } } security-zone untrust { screen untrust-screen; interfaces { ge-0/0/0.0 { host-inbound-traffic { system-services { dhcp; tftp; ping; telnet; } } } } } } policies { from-zone trust to-zone untrust { policy trust-to-untrust { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone untrust to-zone trust { policy server-access { match { source-address any; destination-address mydmz; application any; } then { permit; } } } } alg { sip { disable; inactive-media-timeout 90; maximum-call-duration 3000; retain-hold-resource; application-screen { unknown-message { permit-nat-applied; permit-routed; } } } } } vlans { vlan-trust { vlan-id 3; l3-interface vlan.0; } }
您的 DNAT 看起來不錯,但您還沒有創建防火牆策略來允許流量。您應該編輯信任區域的地址簿並為內部的主機添加條目,然後創建與這些目標和應用程序匹配的區域不信任到區域信任策略。您可以參考內置應用程序,或者您可以創建自己的應用程序,但這是在配置頂部的其自己的部分完成的,而不是在安全節下。這是一個策略範例,為了達到這個級別,我輸入了“edit security policys from-zone untrust to-zone trust”。然後輸入以下內容。
policy exchange { match { source-address any; destination-address [ exchange1 exchange2 ]; application [ junos-https junos-smtp junos-http junos-imap junos-ping junos-imaps junos-pop3 ]; } then { permit; count; }