How to set up a VIP (destination NAT) application on a Juniper SRX (suggestions welcome, thanks)

2018-08-28 18:53 by 哈喽,特立独行的猫!

VIP 10.10.0.202  80 218.17.153.234 28080

Internal destination 10.10.0.202/24, port 8040; public address 218.17.153.234/32, port 28080

Destination NAT (VIP)

set security nat destination rule-set untrust-trust-202 from zone untrust    (the zone the traffic arrives from: the outside)
set security nat destination pool source-8000 address 10.10.0.202/32
set security nat destination pool source-8000 address port 8000    (first typed as port 80, then set to 8000; only the last value is kept)
#set security nat destination rule-set untrust-trust-202 rule 80 match destination-address 218.17.153.234/32
set security nat destination rule-set untrust-trust-202 rule 80 match destination-port 28080
set security nat destination rule-set untrust-trust-202 rule 80 then destination-nat pool source-8000

(The rule-set name, the keyword destination-port and the pool name source-8000 are written out consistently here; the draft had them garbled.)

Security policy permitting the VIP traffic

set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8000 match source-address any
set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8000 match destination-address 10.10.0.202/32
set applications application tcp-8000 protocol tcp
set applications application tcp-8000 destination-port 8000
set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8000 match application tcp-8000
set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8000 then permit
set security zones security-zone Inside address-book address 10.10.0.202/32 10.10.0.202/32

(Zone, policy and application names are unified here: the zone is Inside, the policy is 8000 and the application is tcp-8000, matching the working 8040 configuration; the draft mixed inside/Inside, tcp-202/tcp-8000 and 202/8000.)

Move the policy in front of the existing dy-vpn policy so it is evaluated first, then commit:

insert security policies from-zone Ten-10M-CDMA to-zone Inside policy 8000 before policy dy-vpn
commit

[edit]

lvxuede@SRX34O-A# show | display set | match 8040
set security nat destination pool source-8040 address 10.10.0.205/32
set security nat destination pool source-8040 address port 8040
set security nat destination rule-set untrust-trust-8081 rule 8081 match destination-port 28040
set security nat destination rule-set untrust-trust-8081 rule 8081 then destination-nat pool source-8040
set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8040 match source-address any
set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8040 match destination-address 10.10.0.205/32
set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8040 match application tcp-8040
set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8040 then permit
set applications application tcp-8040 protocol tcp
set applications application tcp-8040 destination-port 8040

Where it went wrong: two lines were missing from the configuration (found by comparing against show | display set | match 8040):

set security nat destination pool source-8000 address port 8000

set applications application tcp-8000 destination-port 8000    (the existing rule-set and its rule 8000 are reused)
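The two omissions above are easy to miss by eye in a long `show | display set` listing. The following Python script is an added example, not part of the original post or any Juniper tool: it parses `set` lines of the form used throughout this post and reports a destination NAT pool that has no `address port` while its rule translates a public port, and a policy whose application has no `destination-port` (so the permit is not limited to the service port). The configuration it checks is constructed for the example: the 8040 VIP copied from the working lines above, plus an 8000 VIP reproducing the mistake. The rule-set name `untrust-trust-8081` for rule 8000 is assumed.

```python
import re
from collections import defaultdict

# Constructed sample, not the post's verbatim output: the 8040 VIP is complete
# (as in the post's working "match 8040" lines); the 8000 VIP reproduces the
# post's two omissions (no 'address port' on the pool, no 'destination-port'
# on the application). The rule-set name for rule 8000 is assumed.
SAMPLE_CONFIG = """
set security nat destination pool source-8040 address 10.10.0.205/32
set security nat destination pool source-8040 address port 8040
set security nat destination rule-set untrust-trust-8081 rule 8081 match destination-port 28040
set security nat destination rule-set untrust-trust-8081 rule 8081 then destination-nat pool source-8040
set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8040 match destination-address 10.10.0.205/32
set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8040 match application tcp-8040
set applications application tcp-8040 protocol tcp
set applications application tcp-8040 destination-port 8040
set security nat destination pool source-8000 address 10.10.0.202/32
set security nat destination rule-set untrust-trust-8081 rule 8000 match destination-port 28080
set security nat destination rule-set untrust-trust-8081 rule 8000 then destination-nat pool source-8000
set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8000 match destination-address 10.10.0.202/32
set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8000 match application tcp-8000
set applications application tcp-8000 protocol tcp
"""

_NAT = r"^set security nat destination "
_POL = r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) match "
_APP = r"^set applications application (\S+) "
_PATTERNS = {
    "pool_port": re.compile(_NAT + r"pool (\S+) address port (\d+)$"),
    "pool_addr": re.compile(_NAT + r"pool (\S+) address (\S+)$"),
    "rule_port": re.compile(_NAT + r"rule-set (\S+) rule (\S+) match destination-port (\d+)$"),
    "rule_pool": re.compile(_NAT + r"rule-set (\S+) rule (\S+) then destination-nat pool (\S+)$"),
    "pol_dst": re.compile(_POL + r"destination-address (\S+)$"),
    "pol_app": re.compile(_POL + r"application (\S+)$"),
    "app_proto": re.compile(_APP + r"protocol (\S+)$"),
    "app_port": re.compile(_APP + r"destination-port (\S+)$"),
}


def parse_set_config(text):
    """Index NAT pools, DNAT rules, policies and applications from 'set' lines."""
    pools, rules, policies, apps = (defaultdict(dict) for _ in range(4))
    for line in (raw.strip() for raw in text.splitlines()):
        if m := _PATTERNS["pool_port"].match(line):
            pools[m[1]]["port"] = m[2]
        elif m := _PATTERNS["pool_addr"].match(line):
            pools[m[1]]["address"] = m[2]
        elif m := _PATTERNS["rule_port"].match(line):
            rules[(m[1], m[2])]["port"] = m[3]
        elif m := _PATTERNS["rule_pool"].match(line):
            rules[(m[1], m[2])]["pool"] = m[3]
        elif m := _PATTERNS["pol_dst"].match(line):
            policies[(m[1], m[2], m[3])]["dst"] = m[4]
        elif m := _PATTERNS["pol_app"].match(line):
            policies[(m[1], m[2], m[3])]["app"] = m[4]
        elif m := _PATTERNS["app_proto"].match(line):
            apps[m[1]]["protocol"] = m[2]
        elif m := _PATTERNS["app_port"].match(line):
            apps[m[1]]["port"] = m[2]
    return pools, rules, policies, apps


def audit_vip_config(text):
    """Return one finding per incomplete VIP: pool without a port, policy without a port-limited application."""
    pools, rules, policies, apps = parse_set_config(text)
    findings = []
    for (rule_set, rule), r in rules.items():
        pool = r.get("pool")
        if pool is None:
            continue
        if "address" not in pools.get(pool, {}):
            findings.append(f"rule-set {rule_set} rule {rule}: pool {pool} is not defined")
        elif "port" in r and "port" not in pools[pool]:
            findings.append(f"rule-set {rule_set} rule {rule}: pool {pool} has no 'address port', "
                            f"so public port {r['port']} is forwarded unchanged to {pools[pool]['address']}")
    # post-NAT address -> pool port, used to recognise which policies cover a VIP
    pool_ports = {p["address"]: p.get("port") for p in pools.values() if "address" in p}
    for (frm, to, name), p in policies.items():
        dst, app = p.get("dst"), p.get("app")
        if dst not in pool_ports:
            continue  # not a policy for a translated host
        label = f"policy {name} ({frm} -> {to})"
        if "protocol" not in apps.get(app, {}):
            findings.append(f"{label}: application {app} is not defined")
        elif "port" not in apps[app]:
            findings.append(f"{label}: application {app} has no destination-port, "
                            f"so the permit is not limited to the service port on {dst}")
        elif pool_ports[dst] is not None and pool_ports[dst] != apps[app]["port"]:
            findings.append(f"{label}: application port {apps[app]['port']} differs from pool port {pool_ports[dst]} for {dst}")
    return findings


if __name__ == "__main__":
    for finding in audit_vip_config(SAMPLE_CONFIG):
        print(finding)
```

Paste the output of `show | display set` into `SAMPLE_CONFIG` (or read it from a file) and the script lists both omissions for the 8000 VIP and nothing for 8040; adding the two missing lines from the post clears the findings. The check only covers the lines the post uses (pool address and port, rule destination-port and pool, policy destination-address and application, application protocol and destination-port); other Junos syntax is ignored.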

Copyright notice: this article is an original work by lvxuede, licensed under CC 4.0 BY-SA; when reposting, include a link to the original and this notice.
Original link: https://www.cnblogs.com/lvxuede/p/9550182.html