Juniper SRX Firewall Virtual Router Configuration Examples
Example topology:
1. Virtual router (remember the ingress of inbound traffic);
Requirements:
External users connect to port 3389 on the firewall's external interface; the connection is destination-NATed to the internal server 192.168.3.5:3389, and the reply traffic returns along the path it arrived on;
Permit all external users to reach port 3389 on host 192.168.3.5 (dual-ISP uplinks).
Configuration:
set routing-instances Tel instance-type virtual-router
set routing-instances Tel interface ge-0/0/4.0
set routing-instances Tel routing-options interface-routes rib-group inet Big-rib
set routing-instances Tel routing-options static route 0.0.0.0/0 next-hop 192.168.4.2
set routing-instances CNC instance-type virtual-router
set routing-instances CNC interface ge-0/0/5.0
set routing-instances CNC routing-options interface-routes rib-group inet Big-rib
set routing-instances CNC routing-options static route 0.0.0.0/0 next-hop 192.168.5.2
set interfaces ge-0/0/3 unit 0 family inet address 192.168.3.1/24
set interfaces ge-0/0/4 unit 0 family inet address 192.168.4.1/24
set interfaces ge-0/0/5 unit 0 family inet address 192.168.5.1/24
set interfaces ge-0/0/6 unit 0 family inet address 10.10.30.189/24
set routing-options interface-routes rib-group inet Big-rib
set routing-options static route 10.0.0.0/8 next-hop 10.10.30.1
set routing-options static route 0.0.0.0/0 next-hop 192.168.4.2
set routing-options static route 0.0.0.0/0 install
set routing-options static route 0.0.0.0/0 no-readvertise
set routing-options rib-groups Big-rib import-rib inet.0
set routing-options rib-groups Big-rib import-rib CNC.inet.0
set routing-options rib-groups Big-rib import-rib Tel.inet.0
set security nat destination pool 111 address 192.168.3.5/32
set security nat destination rule-set 1 from zone Tel-trust
set security nat destination rule-set 1 rule 111 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 111 match destination-address 192.168.4.1/32
set security nat destination rule-set 1 rule 111 match destination-port 3389
set security nat destination rule-set 1 rule 111 then destination-nat pool 111
set security nat destination rule-set 2 from zone CNC-trust
set security nat destination rule-set 2 rule 222 match source-address 0.0.0.0/0
set security nat destination rule-set 2 rule 222 match destination-address 192.168.5.1/32
set security nat destination rule-set 2 rule 222 match destination-port 3389
set security nat destination rule-set 2 rule 222 then destination-nat pool 111
set applications application tcp_3389 protocol tcp
set applications application tcp_3389 destination-port 3389
set security zones security-zone trust address-book address H_192.168.3.5 192.168.3.5/32
set security policies from-zone Tel-trust to-zone trust policy default-permit match source-address any
set security policies from-zone Tel-trust to-zone trust policy default-permit match destination-address H_192.168.3.5
set security policies from-zone Tel-trust to-zone trust policy default-permit match application tcp_3389
set security policies from-zone Tel-trust to-zone trust policy default-permit then permit
set security policies from-zone CNC-trust to-zone trust policy default-permit match source-address any
set security policies from-zone CNC-trust to-zone trust policy default-permit match destination-address H_192.168.3.5
set security policies from-zone CNC-trust to-zone trust policy default-permit match application tcp_3389
set security policies from-zone CNC-trust to-zone trust policy default-permit then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/3.0
set security zones security-zone Tel-trust host-inbound-traffic system-services all
set security zones security-zone Tel-trust host-inbound-traffic protocols all
set security zones security-zone Tel-trust interfaces ge-0/0/4.0
set security zones security-zone CNC-trust host-inbound-traffic system-services all
set security zones security-zone CNC-trust host-inbound-traffic protocols all
set security zones security-zone CNC-trust interfaces ge-0/0/5.0
set security zones security-zone MGT host-inbound-traffic system-services all
set security zones security-zone MGT host-inbound-traffic protocols all
set security zones security-zone MGT interfaces ge-0/0/6.0
Verification:
root@SRX-Ipc-A> show security flow session
Session ID: 9696, Policy name: default-permit/5, Timeout: 1794, Valid
In: 192.168.100.211/57408 --> 192.168.5.1/3389;tcp, If: ge-0/0/5.0, Pkts: 2, Bytes: 112
Out: 192.168.3.5/3389 --> 192.168.100.211/57408;tcp, If: ge-0/0/3.0, Pkts: 1, Bytes: 60

root@SRX-Ipc-A> show security flow session
Session ID: 9697, Policy name: default-permit/4, Timeout: 1796, Valid
In: 192.168.100.211/57409 --> 192.168.4.1/3389;tcp, If: ge-0/0/4.0, Pkts: 2, Bytes: 112
Out: 192.168.3.5/3389 --> 192.168.100.211/57409;tcp, If: ge-0/0/3.0, Pkts: 1, Bytes: 60
Session 9696 entered on ge-0/0/5.0 (CNC) aimed at 192.168.5.1, session 9697 on ge-0/0/4.0 (Tel) aimed at 192.168.4.1; in both the Out wing shows the translated server address 192.168.3.5, and the In wing records the ISP interface through which the reply is sent back, so each connection returns over the link it arrived on.
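Reading two sessions by eye is easy; on a busy box it is not. The following Python script is an added example, not part of the original page and not Juniper tooling. It parses `show security flow session` output and checks, per session, the three things this design has to get right: the In wing hit the address of the interface it arrived on (so the DNAT rule for that ISP matched), the Out wing's source is the DNAT pool host (so translation actually happened), and the reply leaves through the In wing's interface, that is, the same ISP the request came in on. The interface table and pool address are taken from the page's configuration; the sample text is the page's own output.

```python
"""Audit SRX 'show security flow session' output for DNAT and return-path
symmetry. Added example; not Juniper code and not the page's own."""
import re
from dataclasses import dataclass

# The page's own verification output, both sessions.
SESSION_OUTPUT = """
Session ID: 9696, Policy name: default-permit/5, Timeout: 1794, Valid
  In: 192.168.100.211/57408 --> 192.168.5.1/3389;tcp, If: ge-0/0/5.0, Pkts: 2, Bytes: 112
  Out: 192.168.3.5/3389 --> 192.168.100.211/57408;tcp, If: ge-0/0/3.0, Pkts: 1, Bytes: 60
Session ID: 9697, Policy name: default-permit/4, Timeout: 1796, Valid
  In: 192.168.100.211/57409 --> 192.168.4.1/3389;tcp, If: ge-0/0/4.0, Pkts: 2, Bytes: 112
  Out: 192.168.3.5/3389 --> 192.168.100.211/57409;tcp, If: ge-0/0/3.0, Pkts: 1, Bytes: 60
"""

# Interface facts from the page's configuration:
# logical interface -> (address, routing instance, default next-hop of that instance)
INTERFACES = {
    "ge-0/0/3.0": ("192.168.3.1", "inet.0", "192.168.4.2"),
    "ge-0/0/4.0": ("192.168.4.1", "Tel", "192.168.4.2"),
    "ge-0/0/5.0": ("192.168.5.1", "CNC", "192.168.5.2"),
}
DNAT_POOL = "192.168.3.5"  # destination NAT pool 111

SESSION_RE = re.compile(r"^Session ID: (\d+),")
WING_RE = re.compile(r"^\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+),")


@dataclass
class Wing:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    iface: str  # interface on which packets of this wing arrive


def parse_sessions(text):
    """Return {session id: {'In': Wing, 'Out': Wing}}."""
    sessions, current = {}, None
    for line in text.splitlines():
        if m := SESSION_RE.match(line):
            current = int(m.group(1))
            sessions[current] = {}
        elif (m := WING_RE.match(line)) and current is not None:
            name, src, sport, dst, dport, proto, iface = m.groups()
            sessions[current][name] = Wing(src, int(sport), dst, int(dport), proto, iface)
    return sessions


def check_session(wings):
    """Verify DNAT was applied and report where the reply leaves.

    The SRX forwards reply packets (Out wing) back out the interface recorded
    on the In wing, so the ISP that delivered the request also carries the reply.
    """
    inw, outw = wings["In"], wings["Out"]
    in_addr, in_vr, in_gw = INTERFACES[inw.iface]
    problems = []
    if inw.dst != in_addr:
        problems.append(f"In wing targets {inw.dst}, not the ingress interface address {in_addr}")
    if outw.src != DNAT_POOL or outw.sport != inw.dport:
        problems.append(f"Out wing source {outw.src}/{outw.sport} is not the DNAT pool "
                        f"{DNAT_POOL}/{inw.dport}: translation did not happen")
    if (outw.dst, outw.dport) != (inw.src, inw.sport):
        problems.append("Out wing does not mirror the client's address and port")
    return {
        "isp_vr": in_vr,
        "reply_iface": inw.iface,
        "reply_next_hop": in_gw,
        "ok": not problems,
        "problems": problems,
    }


def audit(text):
    """Check every session that has both wings; returns {session id: result}."""
    return {sid: check_session(w) for sid, w in parse_sessions(text).items()
            if "In" in w and "Out" in w}


if __name__ == "__main__":
    for sid, result in audit(SESSION_OUTPUT).items():
        state = "OK" if result["ok"] else "PROBLEM " + "; ".join(result["problems"])
        print(f"session {sid}: {state}; reply leaves {result['reply_iface']} "
              f"(VR {result['isp_vr']}) toward {result['reply_next_hop']}")
```

Feed it the saved output of `show security flow session destination-port 3389` on a real unit; any session whose Out wing still shows the firewall's own interface address as source means the DNAT rule-set for that zone did not match.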
Configuration walkthrough:
set routing-instances Tel instance-type virtual-router //Create the virtual router Tel
set routing-instances Tel interface ge-0/0/4.0 //Add the logical interface to the VR
set routing-instances Tel routing-options interface-routes rib-group inet Big-rib //Place this VR's interface routes in the rib-group "Big-rib"
set routing-instances Tel routing-options static route 0.0.0.0/0 next-hop 192.168.4.2 //Default route for the Tel routing table
set routing-instances CNC instance-type virtual-router
set routing-instances CNC interface ge-0/0/5.0
set routing-instances CNC routing-options interface-routes rib-group inet Big-rib
set routing-instances CNC routing-options static route 0.0.0.0/0 next-hop 192.168.5.2 //Same for the CNC routing table
set interfaces ge-0/0/3 unit 0 family inet address 192.168.3.1/24
set interfaces ge-0/0/4 unit 0 family inet address 192.168.4.1/24
set interfaces ge-0/0/5 unit 0 family inet address 192.168.5.1/24
set interfaces ge-0/0/6 unit 0 family inet address 10.10.30.189/24 //Assign IP addresses to the logical interfaces
set routing-options interface-routes rib-group inet Big-rib //Put the master instance's interface routes into the Big-rib rib-group as well
set routing-options static route 10.0.0.0/8 next-hop 10.10.30.1
set routing-options static route 0.0.0.0/0 next-hop 192.168.4.2 //Static routes in the global routing table inet.0
set routing-options static route 0.0.0.0/0 install //Install the route in the forwarding table
set routing-options static route 0.0.0.0/0 no-readvertise //Do not readvertise this static route into routing protocols
set routing-options rib-groups Big-rib import-rib inet.0
set routing-options rib-groups Big-rib import-rib CNC.inet.0
set routing-options rib-groups Big-rib import-rib Tel.inet.0 //Import the directly connected routes of all three tables into the rib-group, so inet.0 learns the two ISP subnets and each VR learns 192.168.3.0/24, where the server sits
set security nat destination pool 111 address 192.168.3.5/32 //Define the inside server address that destination NAT translates to
set security nat destination rule-set 1 from zone Tel-trust
set security nat destination rule-set 1 rule 111 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 111 match destination-address 192.168.4.1/32
set security nat destination rule-set 1 rule 111 match destination-port 3389
set security nat destination rule-set 1 rule 111 then destination-nat pool 111 //Destination NAT for traffic arriving in zone Tel-trust
set security nat destination rule-set 2 from zone CNC-trust
set security nat destination rule-set 2 rule 222 match source-address 0.0.0.0/0
set security nat destination rule-set 2 rule 222 match destination-address 192.168.5.1/32
set security nat destination rule-set 2 rule 222 match destination-port 3389 //As originally published this line was a copy of the rule-set 1 line; without a destination-port match on rule 222, every port on 192.168.5.1 would be redirected to the server, since destination NAT is applied before the policy lookup
set security nat destination rule-set 2 rule 222 then destination-nat pool 111 //Destination NAT for traffic arriving in zone CNC-trust
set applications application tcp_3389 protocol tcp
set applications application tcp_3389 destination-port 3389
set security zones security-zone trust address-book address H_192.168.3.5 192.168.3.5/32 //Custom application (port) and address-book entry
set security policies from-zone Tel-trust to-zone trust policy default-permit match source-address any
set security policies from-zone Tel-trust to-zone trust policy default-permit match destination-address H_192.168.3.5
set security policies from-zone Tel-trust to-zone trust policy default-permit match application tcp_3389
set security policies from-zone Tel-trust to-zone trust policy default-permit then permit //Policy from Tel-trust to trust; the policy matches the post-NAT address H_192.168.3.5, not the interface address
set security policies from-zone CNC-trust to-zone trust policy default-permit match source-address any
set security policies from-zone CNC-trust to-zone trust policy default-permit match destination-address H_192.168.3.5
set security policies from-zone CNC-trust to-zone trust policy default-permit match application tcp_3389
set security policies from-zone CNC-trust to-zone trust policy default-permit then permit //Policy from CNC-trust to trust
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/3.0
set security zones security-zone Tel-trust host-inbound-traffic system-services all
set security zones security-zone Tel-trust host-inbound-traffic protocols all
set security zones security-zone Tel-trust interfaces ge-0/0/4.0
set security zones security-zone CNC-trust host-inbound-traffic system-services all
set security zones security-zone CNC-trust host-inbound-traffic protocols all
set security zones security-zone CNC-trust interfaces ge-0/0/5.0
set security zones security-zone MGT host-inbound-traffic system-services all
set security zones security-zone MGT host-inbound-traffic protocols all
set security zones security-zone MGT interfaces ge-0/0/6.0 //Bind the logical interfaces to zones and open all protocols and services toward the firewall's directly connected interfaces. Note that "system-services all" on the ISP-facing zones Tel-trust and CNC-trust exposes every management service on the public interfaces; in production list only the services actually needed there (or none) and keep management on the MGT zone.
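The mistake in rule-set 2 above is easy to make when a per-ISP block is duplicated by hand: as originally published, a `rule-set 1 rule 111` line stood where rule 222's destination-port match belonged, so rule 222 redirected every port on 192.168.5.1 to the server. The following Python linter is an added example, not part of the original page and not Juniper tooling. It parses Junos `set` commands and reports every destination-NAT rule that is broader than what the security policies permit: a rule with no destination-port match, or a rule whose port has no permit policy from the rule-set's zone to the zone holding the pool host (`server_zone`, assumed here to be `trust`, is a parameter of the example). The embedded sample is the page's section-1 NAT, application and policy lines with the defective line reproduced as published.

```python
"""Lint Junos destination-NAT rule-sets against the security policies that
must permit what they translate. Added example; not Juniper code."""
import re
from collections import defaultdict

# Constructed sample: the page's section-1 NAT, application and policy lines,
# including the copy-pasted defect (a 'rule-set 1 rule 111' line where
# 'rule-set 2 rule 222 match destination-port 3389' was intended).
SAMPLE_CONFIG = """
set security nat destination pool 111 address 192.168.3.5/32
set security nat destination rule-set 1 from zone Tel-trust
set security nat destination rule-set 1 rule 111 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 111 match destination-address 192.168.4.1/32
set security nat destination rule-set 1 rule 111 match destination-port 3389
set security nat destination rule-set 1 rule 111 then destination-nat pool 111
set security nat destination rule-set 2 from zone CNC-trust
set security nat destination rule-set 2 rule 222 match source-address 0.0.0.0/0
set security nat destination rule-set 2 rule 222 match destination-address 192.168.5.1/32
set security nat destination rule-set 1 rule 111 match destination-port 3389
set security nat destination rule-set 2 rule 222 then destination-nat pool 111
set applications application tcp_3389 protocol tcp
set applications application tcp_3389 destination-port 3389
set security policies from-zone Tel-trust to-zone trust policy default-permit match application tcp_3389
set security policies from-zone CNC-trust to-zone trust policy default-permit match application tcp_3389
"""

RULE_RE = re.compile(
    r"^set security nat destination rule-set (\S+) rule (\S+) (match|then) (.+)$")
FROM_RE = re.compile(r"^set security nat destination rule-set (\S+) from zone (\S+)$")
APP_RE = re.compile(r"^set applications application (\S+) destination-port (\S+)$")
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy \S+ match application (\S+)$")


def parse(config):
    """Index the parts of the configuration the checks need."""
    rules = defaultdict(dict)       # (rule-set, rule) -> {match field: value, 'then': action}
    from_zone = {}                  # rule-set -> zone whose ingress traffic it applies to
    app_ports = {}                  # application name -> destination-port
    policy_apps = defaultdict(set)  # (from-zone, to-zone) -> applications permitted
    for raw in config.splitlines():
        line = raw.strip()
        if m := RULE_RE.match(line):
            rule_set, rule, kind, rest = m.groups()
            if kind == "match":
                field, value = rest.split(" ", 1)
                rules[(rule_set, rule)][field] = value
            else:
                rules[(rule_set, rule)]["then"] = rest
        elif m := FROM_RE.match(line):
            from_zone[m.group(1)] = m.group(2)
        elif m := APP_RE.match(line):
            app_ports[m.group(1)] = m.group(2)
        elif m := POLICY_RE.match(line):
            policy_apps[(m.group(1), m.group(2))].add(m.group(3))
    return rules, from_zone, app_ports, policy_apps


def lint(config, server_zone="trust"):
    """Return one finding per destination-NAT rule that is broader than its policy.

    server_zone is an assumed parameter: the zone holding the NAT pool hosts.
    """
    rules, from_zone, app_ports, policy_apps = parse(config)
    findings = []
    for (rule_set, rule), fields in rules.items():
        if "then" not in fields or "destination-address" not in fields:
            continue  # incomplete rule, nothing to check
        where = f"rule-set {rule_set} rule {rule}"
        port = fields.get("destination-port")
        if port is None:
            # Destination NAT runs before the policy lookup, so every port aimed
            # at the matched address is rewritten to the pool host, not just the
            # one service that was meant to be published.
            findings.append(f"{where}: no destination-port match, every port on "
                            f"{fields['destination-address']} is redirected")
            continue
        zone = from_zone.get(rule_set)
        permitted = {app_ports.get(a) for a in policy_apps.get((zone, server_zone), ())}
        if port not in permitted:
            findings.append(f"{where}: translates port {port} from zone {zone} but no "
                            f"policy {zone}->{server_zone} permits that port")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it against `show configuration | display set` saved from the device; a clean configuration produces no output, while the published section-1 configuration produces exactly one finding, for rule-set 2 rule 222.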
2. Virtual router (multi-link load sharing and redundancy);
Requirements:
Internal users' traffic to ports 22, 3389 and 8080 goes out via China Telecom (Tel); all other traffic goes out via CNC;
All internal-to-external traffic is source-NATed to the IP address of the corresponding external interface;
Provide load sharing and redundancy across the two links;
Permit all services (dual-ISP uplinks).
Configuration:
set routing-instances Tel instance-type virtual-router
set routing-instances Tel interface ge-0/0/4.0
set routing-instances Tel routing-options interface-routes rib-group inet Big-rib
set routing-instances Tel routing-options static route 0.0.0.0/0 next-hop 192.168.4.2
set routing-instances Tel routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.5.2 preference 100
set routing-instances CNC instance-type virtual-router
set routing-instances CNC interface ge-0/0/5.0
set routing-instances CNC routing-options interface-routes rib-group inet Big-rib
set routing-instances CNC routing-options static route 0.0.0.0/0 next-hop 192.168.5.2
set routing-instances CNC routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.4.2 preference 100
set interfaces ge-0/0/3 unit 0 family inet address 192.168.3.1/24
set interfaces ge-0/0/4 unit 0 family inet address 192.168.4.1/24
set interfaces ge-0/0/5 unit 0 family inet address 192.168.5.1/24
set interfaces ge-0/0/6 unit 0 family inet address 10.10.30.189/24