NAT on the Juniper Networks SRX Series and J Series (for ScreenOS users)


APPLICATION NOTE
NAT on the SRX Series and J Series (for ScreenOS users): ScreenOS and Junos OS CLI configuration equivalents
Copyright 2014, Juniper Networks, Inc.


This application note shows ScreenOS NAT (Network Address Translation) configurations side by side with their Junos OS CLI (command-line interface) equivalents, for ScreenOS users moving to the SRX Series and J Series. The platforms named are the J2320, J2350, J4350 and J6350 and the SRX Series; the text references Junos OS 9.2 for the SRX Series and Junos OS 9.5 for the J Series. Each section that follows pairs one ScreenOS NAT form with the Junos OS configuration that produces the same translation.

Interface-based source NAT

Figure 1: Interface NAT. Internet - 1.1.1.1/24 - SRX210 - 10.1.1.0/24.
Interfaces: Ethernet 0/0, zone untrust, 1.1.1.1/24; Ethernet 0/1, zone trust, 10.1.1.1/24.

ScreenOS (source NAT to the egress interface address):
  set policy id 1 from trust to untrust any any any nat src permit

Junos OS (a source NAT rule-set that translates to the egress interface address; the security policy only permits the traffic):
  set security nat source rule-set interface-nat from zone trust
  set security nat source rule-set interface-nat to zone untrust
  set security nat source rule-set interface-nat rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
  set security nat source rule-set interface-nat rule rule1 then source-nat interface
  set security policies from-zone trust to-zone untrust policy permit-all match source-address any destination-address any application any
  set security policies from-zone trust to-zone untrust policy permit-all then permit

Source NAT with an address pool (DIP), with port translation

Interfaces: Ethernet 0/0, zone untrust, 1.1.1.1/24; Ethernet 0/1, zone trust, 10.1.1.1/24.

ScreenOS:
  set int e0/0 dip 4 1.1.1.10 1.1.1.15
  set policy id 1 from trust to untrust any any any nat src dip-id 4 permit

Junos OS:
  set security nat source pool pool-1 address 1.1.1.10 to 1.1.1.15
  set security nat source rule-set pool-nat from zone trust
  set security nat source rule-set pool-nat to zone untrust
  set security nat source rule-set pool-nat rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
  set security nat source rule-set pool-nat rule rule1 then source-nat pool pool-1
  set security nat proxy-arp interface ge-0/0/0 address 1.1.1.10 to 1.1.1.15
  set security policies from-zone trust to-zone untrust policy permit-all match source-address any destination-address any application any
  set security policies from-zone trust to-zone untrust policy permit-all then permit

The proxy-arp statement is what makes the SRX answer ARP requests for pool addresses that lie in the egress interface's subnet but are not assigned to the interface itself. Without it the upstream router cannot resolve the pool addresses, so translated sessions leave but return traffic never arrives.

Source NAT with an address pool (DIP), without port translation (fix-port)

ScreenOS:
  set int e0/0 dip 4 1.1.1.10 1.1.1.15 fix-port

Junos OS (port no-translation on the pool corresponds to fix-port):
  set security nat source pool pool-1 address 1.1.1.10 to 1.1.1.15
  set security nat source pool pool-1 port no-translation
  set security nat source rule-set pool-nat from zone trust
  set security nat source rule-set pool-nat to zone untrust
  set security nat source rule-set pool-nat rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
  set security nat source rule-set pool-nat rule rule1 then source-nat pool pool-1
  set security nat proxy-arp interface ge-0/0/0 address 1.1.1.10 to 1.1.1.15
  set security policies from-zone trust to-zone untrust policy permit-all match source-address any destination-address any application any
  set security policies from-zone trust to-zone untrust policy permit-all then permit

Source NAT with address shifting (DIP shift-from)

Interfaces: Ethernet 0/0, zone untrust, 1.1.1.1/24; Ethernet 0/1, zone trust, 10.1.1.1/24. Internal hosts starting at 10.1.1.100 are mapped one-to-one onto 1.1.1.100 through 1.1.1.109.

ScreenOS:
  set int e0/0 dip 4 shift-from 10.1.1.100 to 1.1.1.100 1.1.1.109

Junos OS (host-address-base names the first internal address of the one-to-one mapping):
  set security nat source pool pool-1 address 1.1.1.100 to 1.1.1.109
  set security nat source pool pool-1 host-address-base 10.1.1.100
  set security nat source rule-set pool-nat from zone trust
  set security nat source rule-set pool-nat to zone untrust
  set security nat source rule-set pool-nat rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
  set security nat source rule-set pool-nat rule rule1 then source-nat pool pool-1
  set security nat proxy-arp interface ge-0/0/0 address 1.1.1.100 to 1.1.1.109
  set security policies from-zone trust to-zone untrust policy permit-all match source-address any destination-address any application any
  set security policies from-zone trust to-zone untrust policy permit-all then permit

Source NAT with a DIP on a loopback group (several egress interfaces)

Figure 2: DIP on a loopback group. Internet - SRX210 - 10.1.1.0/24.
Interfaces: Ethernet 0/0, zone untrust, and Ethernet 0/2, both members of loopback group lo.1 in the configuration below; Loopback.1, zone untrust, 1.1.1.1/24; Ethernet 0/1, zone trust, 10.1.1.1/24.

ScreenOS:
  set int e0/0 loopback-group lo.1
  set int e0/2 loopback-group lo.1
  set int loopback.1 dip 4 1.1.1.10 1.1.1.15
  set policy id 1 from trust to untrust any any any nat src dip-id 4 permit

Junos OS (the rule-set's egress is the list of interfaces rather than a zone, and proxy-arp is configured on each of them):
  set security nat source pool pool-1 address 1.1.1.10 to 1.1.1.15
  set security nat source rule-set pool-nat from zone trust
  set security nat source rule-set pool-nat to interface ge-0/0/0
  set security nat source rule-set pool-nat to interface ge-0/0/2
  set security nat source rule-set pool-nat rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
  set security nat source rule-set pool-nat rule rule1 then source-nat pool pool-1
  set security nat proxy-arp interface ge-0/0/0 address 1.1.1.10 to 1.1.1.15
  set security nat proxy-arp interface ge-0/0/2 address 1.1.1.10 to 1.1.1.15
  set security policies from-zone trust to-zone untrust policy permit-all match source-address any destination-address any application any
  set security policies from-zone trust to-zone untrust policy permit-all then permit

Static NAT (MIP) for a single host

Figure 3: Static NAT. Internet - 1.1.1.1/24 - SRX210 - 10.1.1.0/24. Public address 1.1.1.100 maps to internal host 10.1.1.100.

ScreenOS:
  set int e0/0 mip 1.1.1.100 host 10.1.1.100
  set pol from untrust to trust any mip(1.1.1.100) http permit

Junos OS (static NAT is applied before policy lookup, so the policy matches the internal address; the address-book entry therefore holds 10.1.1.100, not 1.1.1.100):
  set security nat proxy-arp interface ge-0/0/0 address 1.1.1.100/32
  set security nat static rule-set static-nat from zone untrust
  set security nat static rule-set static-nat rule rule1 match destination-address 1.1.1.100
  set security nat static rule-set static-nat rule rule1 then static-nat prefix 10.1.1.100
  set security zones security-zone trust address-book address webserver 10.1.1.100
  set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address webserver application junos-http
  set security policies from-zone untrust to-zone trust policy static-nat then permit

Static NAT (MIP) for a subnet: 1.1.1.0/28 maps to 10.1.1.0/28.

ScreenOS:
  set int e0/0 mip 1.1.1.0 host 10.1.1.0 netmask 255.255.255.240
  set policy from untrust to trust any mip(1.1.1.0/28) http permit

Junos OS (the rules belong to the same rule-set, static-nat, that carries the from-zone):
  set security zones security-zone trust address-book address webserver-group 10.1.1.0/28
  set security nat proxy-arp interface ge-0/0/0 address 1.1.1.0/28
  set security nat static rule-set static-nat from zone untrust
  set security nat static rule-set static-nat rule rule1 match destination-address 1.1.1.0/28
  set security nat static rule-set static-nat rule rule1 then static-nat prefix 10.1.1.0/28
  set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address webserver-group application junos-http
  set security policies from-zone untrust to-zone trust policy static-nat then permit

Virtual IP (VIP): one public address, different servers per port

Figure 4: VIP. Internet - 1.1.1.1/24 - SRX210 - 10.1.1.0/24. 1.1.1.100 port 80 (HTTP) maps to 10.1.1.100; 1.1.1.100 port 110 (POP3) maps to 10.1.1.200.

ScreenOS:
  set int e0/0 vip 1.1.1.100 80 http 10.1.1.100
  set int e0/0 vip 1.1.1.100 110 pop3 10.1.1.200
  set policy from untrust to trust any vip(1.1.1.100) http permit

Junos OS (one destination NAT pool per server, one rule per destination port; the pool names in the rules match the pool definitions):
  set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.100
  set security nat destination pool dnat-pool-1 address 10.1.1.100/32
  set security nat destination pool dnat-pool-2 address 10.1.1.200/32
  set security nat destination rule-set dst-nat from zone untrust
  set security nat destination rule-set dst-nat rule rule1 match destination-address 1.1.1.100/32
  set security nat destination rule-set dst-nat rule rule1 match destination-port 80
  set security nat destination rule-set dst-nat rule rule1 then destination-nat pool dnat-pool-1
  set security nat destination rule-set dst-nat rule rule2 match destination-address 1.1.1.100/32
  set security nat destination rule-set dst-nat rule rule2 match destination-port 110
  set security nat destination rule-set dst-nat rule rule2 then destination-nat pool dnat-pool-2
  set security zones security-zone trust address-book address webserver 10.1.1.100
  set security zones security-zone trust address-book address mailserver 10.1.1.200

  set security zones security-zone trust address-book address-set servergroup address webserver
  set security zones security-zone trust address-book address-set servergroup address mailserver
  set security policies from-zone untrust to-zone trust policy static-nat match source-address any destination-address servergroup application junos-http
  set security policies from-zone untrust to-zone trust policy static-nat match application junos-pop3
  set security policies from-zone untrust to-zone trust policy static-nat then permit

Policy-based destination NAT

Figure 5: Destination NAT. Internet - 1.1.1.1/24 - SRX210 - 10.1.1.0/24. Public address 2.1.1.100 maps to internal host 10.1.1.100.

ScreenOS:
  set route 2.1.1.100/32 int e0/1
  set address trust webserver 2.1.1.100/32
  set pol from untrust to trust any webserver http nat dst ip 10.1.1.100 permit

Junos OS (destination NAT is a rule-set plus pool rather than a policy action; the policy again matches the translated internal address):
  set security nat proxy-arp interface ge-0/0/0.0 address 2.1.1.100
  set security nat destination pool dnat-pool-1 address 10.1.1.100
  set security nat destination rule-set dst-nat from zone untrust
  set security nat destination rule-set dst-nat rule r1 match destination-address 2.1.1.100
  set security nat destination rule-set dst-nat rule r1 then destination-nat pool dnat-pool-1
  set security zones security-zone trust address-book address webserver 10.1.1.100
  set security policies from-zone untrust to-zone trust policy dst-nat match source-address any destination-address webserver application junos-http
  set security policies from-zone untrust to-zone trust policy dst-nat then permit

Destination NAT with port translation: 2.1.1.100 port 80 maps to 10.1.1.100 port 8000.

ScreenOS:
  set route 2.1.1.100/32 int e0/1
  set address trust webserver 2.1.1.100/32
  set policy from untrust to trust any webserver http nat dst ip 10.1.1.100 port 8000 permit

Junos OS (the destination port is set on the pool, and a custom application matches the translated port in the policy):
  set security nat proxy-arp interface ge-0/0/0.0 address 2.1.1.100
  set security nat destination pool dnat-pool-1 address 10.1.1.100 port 8000
  set security nat destination rule-set dst-nat from zone untrust
  set security nat destination rule-set dst-nat rule r1 match destination-address 2.1.1.100
  set security nat destination rule-set dst-nat rule r1 then destination-nat pool dnat-pool-1
  set security zones security-zone trust address-book address webserver 10.1.1.100
  set applications application http-8000 protocol tcp destination-port 8000
  set security policies from-zone untrust to-zone trust policy dst-nat match source-address any destination-address webserver application http-8000
  set security policies from-zone untrust to-zone trust policy dst-nat then permit

Destination NAT for a public address in the interface subnet: 1.1.1.100 maps to 10.1.1.100.

ScreenOS (set arp nat lets the device answer ARP for the NAT address):
  set arp nat
  set address trust webserver 1.1.1.100/32
  set pol from untrust to trust any webserver http nat dst ip 10.1.1.100 permit

Junos OS (proxy-arp on the untrust interface takes the place of set arp nat):
  set security nat destination pool dnat-pool-1 address 10.1.1.100/32
  set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.100
  set security nat destination rule-set dst-nat from zone untrust
  set security nat destination rule-set dst-nat rule r1 match destination-address 1.1.1.100
  set security nat destination rule-set dst-nat rule r1 then destination-nat pool dnat-pool-1
  set security policies from-zone untrust to-zone trust policy dst-nat match source-address any destination-address any application junos-http
  set security policies from-zone untrust to-zone trust policy dst-nat then permit
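Every pool, static NAT and destination NAT example above pairs the NAT statement with a proxy-arp statement, and the most common migration failure is a NAT address that no proxy-arp entry covers, which commits cleanly but never receives traffic. The following Python script is an added example, not code from the Juniper application note: it parses "set security nat ..." lines in the flattened form shown above and reports, per egress interface, every external address (source pool addresses, static NAT and destination NAT match addresses) that lacks a proxy-arp entry. It treats ge-0/0/0 and ge-0/0/0.0 as the same interface because the note uses both spellings. The sample configuration is constructed by adapting the note's loopback-group pool and VIP examples, with the proxy-arp line for ge-0/0/2 deliberately left out so the check finds something.

```python
"""Proxy-ARP coverage check for Junos OS (SRX/J Series) NAT set commands.

Added example; not code from the Juniper application note. It reports every
external address that the NAT configuration claims but that has no proxy-arp
entry on the interfaces you name, since without proxy-arp the SRX never
answers the upstream router's ARP request for that address.
"""
import ipaddress
import re

RANGE_RE = re.compile(r"\baddress (\S+) to (\S+)")
SINGLE_RE = re.compile(r"\baddress (\S+)")


def _ifname(name):
    """Normalise ge-0/0/0.0 and ge-0/0/0 (both appear in the note) to ge-0/0/0."""
    return name.split(".")[0]


def _net(text):
    """'1.1.1.100' or '1.1.1.0/28' -> ip_network; a bare host becomes /32."""
    return ipaddress.ip_network(text if "/" in text else text + "/32", strict=False)


def _address_nets(body):
    """Expand 'address A to B' into /32 networks, or 'address X[/len]' into one network."""
    m = RANGE_RE.search(body)
    if m:
        first, last = (int(ipaddress.ip_address(m.group(i))) for i in (1, 2))
        return [ipaddress.ip_network(str(ipaddress.ip_address(i)) + "/32") for i in range(first, last + 1)]
    return [_net(SINGLE_RE.search(body).group(1))]


def parse_nat(lines):
    """Return (external, proxy_arp).

    external: list of (kind, name, [networks]) the NAT config must own upstream.
    proxy_arp: dict interface -> [networks] the SRX will answer ARP for.
    """
    external, proxy_arp = [], {}
    for raw in lines:
        line = raw.strip()
        if not line.startswith("set security nat "):
            continue
        body = line[len("set security nat "):]
        words = body.split()
        if body.startswith("proxy-arp interface "):
            proxy_arp.setdefault(_ifname(words[2]), []).extend(_address_nets(body))
        elif body.startswith("source pool ") and " address " in body:
            external.append(("source-pool", words[2], _address_nets(body)))
        elif body.startswith("static rule-set ") and " match destination-address " in body:
            external.append(("static-rule", words[2], [_net(words[-1])]))
        elif body.startswith("destination rule-set ") and " match destination-address " in body:
            external.append(("destination-rule", words[2], [_net(words[-1])]))
    return external, proxy_arp


def uncovered(lines, egress_interfaces):
    """Map each egress interface to the NAT entries that lack proxy-arp on it."""
    external, proxy_arp = parse_nat(lines)
    report = {}
    for name in egress_interfaces:
        ifname = _ifname(name)
        covered = proxy_arp.get(ifname, [])
        for kind, obj, nets in external:
            missing = [str(n) for n in nets if not any(n.subnet_of(c) for c in covered)]
            if missing:
                report.setdefault(ifname, []).append((kind, obj, missing))
    return report


# Constructed sample: the note's loopback-group pool (pool-1 egressing on
# ge-0/0/0 and ge-0/0/2) plus its VIP-style destination NAT, with the
# proxy-arp line for ge-0/0/2 deliberately left out.
SAMPLE_CONFIG = """
set security nat source pool pool-1 address 1.1.1.10 to 1.1.1.15
set security nat source rule-set pool-nat from zone trust
set security nat source rule-set pool-nat to interface ge-0/0/0
set security nat source rule-set pool-nat to interface ge-0/0/2
set security nat source rule-set pool-nat rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
set security nat source rule-set pool-nat rule rule1 then source-nat pool pool-1
set security nat proxy-arp interface ge-0/0/0 address 1.1.1.10 to 1.1.1.15
set security nat destination pool dnat-pool-1 address 10.1.1.100/32
set security nat destination rule-set dst-nat from zone untrust
set security nat destination rule-set dst-nat rule rule1 match destination-address 1.1.1.100/32
set security nat destination rule-set dst-nat rule rule1 match destination-port 80
set security nat destination rule-set dst-nat rule rule1 then destination-nat pool dnat-pool-1
set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.100
""".strip().splitlines()

if __name__ == "__main__":
    for ifname, entries in uncovered(SAMPLE_CONFIG, ["ge-0/0/0", "ge-0/0/2"]).items():
        for kind, obj, missing in entries:
            print(f"{ifname}: {kind} {obj} has no proxy-arp for {', '.join(missing)}")
```

Run against the sample, ge-0/0/0 is fully covered and ge-0/0/2 is reported for all six pool-1 addresses and for the dst-nat match address. The interfaces to check are passed in explicitly rather than inferred, because a static or destination rule-set names only a from-zone, not the interface that owns the public address; feed the script the output of "show configuration security nat | display set" and the untrust interfaces of the device.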

For more on the Junos OS CLI and on NAT for the SRX Series and J Series, see http://www.juniper.net/jp/ and http://www.juniper.net.

Juniper Networks, Inc., 1194 North Mathilda Ave, Sunnyvale, CA 94089 USA, 888-JUNIPER (888-586-4737), 408-745-2000, FAX 408-745-2100. Juniper Networks International B.V., Boeing Avenue 240, 1119 PZ Schiphol-Rijk, Amsterdam, The Netherlands, 31-0-207-125-700, FAX 31-0-207-125-701. Japan: 163-1445 3-20-2 45F, 03-5333-7400, FAX 03-5333-7401; 541-0041 1-1-27.

Copyright 2014, Juniper Networks, Inc. All rights reserved. Juniper Networks, Junos and QFabric are trademarks of Juniper Networks, Inc. Document 3500152-003 JP, Apr 2014.