/*** Assign the interfaces to zones ***/
set security zones security-zone trust interfaces reth0.0
set security zones security-zone untrust interfaces reth1.0
/*** Permit host-inbound system services on the zones (ping and traceroute here; remote-management services such as ssh are enabled the same way and should be opened on untrust only when genuinely required) ***/
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services traceroute
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services traceroute
2.2 Policy
Policy configuration follows the same method as in ScreenOS; only the command syntax differs. The permit/deny action of a policy is configured with a separate "then" statement, so one ScreenOS policy becomes two or more Junos configuration statements. A policy name must be specified manually; it can be a string or a number (similar to the ScreenOS policy ID, except that it is assigned by hand rather than automatically).
Define addresses or address sets
set security zones security-zone trust address-book address pc1 10.1.1.10/32
set security zones security-zone untrust address-book address server1 10.0.2.1/32
/*** As in ScreenOS, address objects are defined under the trust and untrust zones for use in policies; an address object name may also take the address/mask form ***/
set security zones security-zone trust address-book address-set addr-group1 address pc1
/*** Define an address set named addr-group1 under the trust zone and put the pc1 address into it ***/
Define applications
set applications application app_name protocol tcp
set applications application app_name source-port 1-65535
set applications application app_name destination-port xxx
set applications application app_name inactivity-timeout xx
Define the policy
set security policies from-zone trust to-zone untrust policy 001 match source-address addr-group1 destination-address server1 application any
set security policies from-zone trust to-zone untrust policy 001 then permit
/*** Define a permit policy from trust to untrust that allows the source addresses in addr-group1 to reach server1 with any application ***/
Page 16 of 32
Or, with one match statement per item:
set security policies from-zone trust to-zone untrust policy policy_name match source-address addressname / address_group_name
set security policies from-zone trust to-zone untrust policy policy_name match destination-address addressname / address_group_name
set security policies from-zone trust to-zone untrust policy policy_name match application application_name / application-set_name
set security policies from-zone trust to-zone untrust policy policy_name then permit
Policy options
set security policies from-zone trust to-zone untrust policy policy_name then count
set security policies from-zone trust to-zone untrust policy policy_name then log session-init
set security policies from-zone trust to-zone untrust policy policy_name then log session-close
2.3 NAT
SRX NAT is functionally close to ScreenOS NAT, but it is configured very differently. In ScreenOS, NAT is bound to the policy: whether MIP/VIP/DIP or policy-based NAT, the translation has to appear in the policy itself (the only exception being the default Source NAT on the untrust interface). On the SRX, NAT is configured independently as a network-layer building block (the direction of the mapping, the mapping itself and the address ranges are all defined on their own), and policies no longer carry any NAT information. This is easier to understand and simplifies operations: when the network topology or the NAT mappings change, the policies do not have to be touched.
The SRX applies NAT and policy in this order: destination NAT, route lookup on the translated destination, policy check, source NAT. Consequently, a policy must match the source address before translation and the destination address after translation; in other words, the source and destination in a policy are the real IP addresses of the two endpoints. This differs from ScreenOS and is a frequent cause of non-matching policies after a migration.
The MIP/VIP/DIP concepts no longer exist on the SRX. MIP is replaced by Static NAT, which is functionally identical; DIP is replaced by Source NAT; policy-based destination translation and VIP are replaced by Destination NAT. Source translation to the Untrust zone interface address is retained, but it is no longer a default (SRX interfaces in the Trust zone have no NAT mode concept) and must be configured explicitly. As in ScreenOS, Static NAT is bidirectional and all other types are unidirectional.
The SRX also adds the concept of proxy-arp. If an IP pool (used for source or destination translation) lies in the same subnet as the interface address, the SRX must be configured to proxy ARP for the pool addresses so that the neighbouring device can resolve their MAC address (the SRX answers with the interface MAC) and return traffic reaches the SRX. Configuration examples and notes follow.
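The processing order described above determines which addresses a policy has to match. The following Python model is an added example (not part of the original guide, and not Junos code): it walks a first packet through destination NAT, route lookup, policy and source NAT in that order, using zones, routes and rules constructed to mirror the fragments in this section. The `WRONG_POLICIES` list shows the ScreenOS habit of matching the public address and the source pool address, and why it never matches on an SRX. All prefixes, zone names and the 203.0.113.x/198.51.100.x hosts are hypothetical.

```python
"""Model of SRX first-packet processing: destination NAT -> route lookup -> policy -> source NAT.

Added example, not from the original guide. Zones, routes and rules are constructed
(hypothetical) to mirror the configuration fragments in this section.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


# Constructed routing table: longest-prefix match on the destination gives the to-zone.
ROUTES = {
    ip_network("10.1.0.0/16"): "trust",
    ip_network("192.168.1.0/24"): "trust",
    ip_network("100.1.1.0/24"): "untrust",
    ANY: "untrust",  # default route
}

# Destination NAT rule-set (from zone untrust), evaluated in order:
# (from-zone, match destination prefix, match destination port or None, pool address, pool port or None)
DST_NAT = [
    ("untrust", ip_network("100.100.100.100/32"), 8000, "192.168.1.200", 8000),  # VIP-style port map
    ("untrust", ip_network("100.100.100.100/32"), None, "192.168.1.100", None),  # plain dst-nat
]

# Source NAT rule-set: (from-zone, to-zone, match source prefix, pool address)
SRC_NAT = [("trust", "untrust", ANY, "100.1.1.10")]

# Policies as the guide says to write them: real source, real (post-dst-NAT) destination.
POLICIES = [
    ("untrust", "trust", ANY, ip_network("192.168.1.100/32"), "permit"),
    ("untrust", "trust", ANY, ip_network("192.168.1.200/32"), "permit"),
    ("trust", "untrust", ip_network("10.1.1.2/32"), ANY, "permit"),
]

# The ScreenOS habit: matching the public address and the source-NAT pool address.
WRONG_POLICIES = [
    ("untrust", "trust", ANY, ip_network("100.100.100.100/32"), "permit"),
    ("trust", "untrust", ip_network("100.1.1.10/32"), ANY, "permit"),
]


def zone_of(addr: str) -> str:
    """Longest-prefix route lookup returning the zone of the egress interface."""
    best = max((n for n in ROUTES if ip_address(addr) in n), key=lambda n: n.prefixlen)
    return ROUTES[best]


def process(pkt: Packet, from_zone: str, policies=POLICIES):
    """Return (action, packet after NAT, to_zone) for the first packet of a session."""
    # 1. Destination NAT runs first, before the route lookup and before the policy check.
    for zone, dst, dport, new_dst, new_port in DST_NAT:
        if zone == from_zone and ip_address(pkt.dst) in dst and dport in (None, pkt.dport):
            pkt = replace(pkt, dst=new_dst, dport=new_port or pkt.dport)
            break
    # 2. Route lookup on the already-translated destination selects the to-zone.
    to_zone = zone_of(pkt.dst)
    # 3. Policy lookup sees the untranslated source and the translated destination.
    action = "deny"  # implicit default deny at the end of the policy list
    for fz, tz, src, dst, act in policies:
        if (fz, tz) == (from_zone, to_zone) and ip_address(pkt.src) in src and ip_address(pkt.dst) in dst:
            action = act
            break
    if action != "permit":
        return action, pkt, to_zone
    # 4. Source NAT is applied last, so no policy ever sees the pool address.
    for fz, tz, src, pool in SRC_NAT:
        if (fz, tz) == (from_zone, to_zone) and ip_address(pkt.src) in src:
            pkt = replace(pkt, src=pool)
            break
    return action, pkt, to_zone


if __name__ == "__main__":
    for pkt, fz in [(Packet("203.0.113.5", "100.100.100.100", 80), "untrust"),
                    (Packet("203.0.113.5", "100.100.100.100", 8000), "untrust"),
                    (Packet("10.1.1.2", "198.51.100.7", 443), "trust")]:
        print("correct:", process(pkt, fz), "| ScreenOS-style:", process(pkt, fz, WRONG_POLICIES)[0])
```

Running the model shows inbound traffic to 100.100.100.100 being permitted only by the policy that names 192.168.1.100 (the translated destination), and outbound traffic from 10.1.1.2 being permitted only by the policy that names 10.1.1.2 (the untranslated source); the same packets are dropped by `WRONG_POLICIES`. The real SRX additionally consults static NAT before destination NAT pools and uses the full six-tuple, but the ordering of the four stages is the point to keep in mind.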
2.3.1 Interface-based NAT
NAT:
set security nat source rule-set 1 from zone trust
set security nat source rule-set 1 to zone untrust
set security nat source rule-set 1 rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
set security nat source rule-set 1 rule rule1 then source-nat interface
The configuration above defines a source NAT rule: all traffic from the Trust zone to the Untrust zone has its source address translated to the IP of the Untrust zone egress interface.
Policy:
set security policies from-zone trust to-zone untrust policy 1 match source-address 10.1.2.2
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit
The policy above allows the Trust zone address 10.1.2.2 to reach any address in Untrust; with the NAT configuration above, the SRX performs interface source NAT automatically when the session is created.
2.3.2 Pool-based Source NAT
NAT:
Define the pool:
set security nat source pool pool-1 address 100.1.1.10 to 100.1.1.20
Define the rule-set:
set security nat source rule-set 1 from zone trust
set security nat source rule-set 1 to zone untrust
set security nat source rule-set 1 rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
set security nat source rule-set 1 rule rule1 then source-nat pool pool-1
set security nat proxy-arp interface ge-0/0/2 address 100.1.1.10 to 100.1.1.20
The configuration above translates the source address of traffic from trust (any) to untrust (any) using pool pool-1 (100.1.1.10 to 100.1.1.20), and interface ge-0/0/2 answers ARP for the pool addresses. Note that a pool is not associated with a zone or interface when it is defined. Proxy-arp is there to get return packets to the SRX; if the pool is not in the same subnet as the egress interface, proxy-arp does not help and the neighbouring device instead needs a route for the pool addresses pointing at the SRX egress interface (100.1.1.1 in this example).
Policy:
set security policies from-zone trust to-zone untrust policy 1 match source-address 10.1.1.2
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit
The policy above allows the Trust zone address 10.1.1.2 (the real, untranslated source) to reach any address in Untrust; with the NAT configuration above, the SRX performs pool source NAT automatically when the session is created.
2.3.3 Pool-based Destination NAT
NAT:
set security nat destination pool 111 address 192.168.1.100/32
set security nat destination rule-set 1 from zone untrust
set security nat destination rule-set 1 rule 111 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 111 match destination-address 100.100.100.100/32
set security nat destination rule-set 1 rule 111 then destination-nat pool 111
The configuration above maps external access (from any source) to 100.100.100.100 onto the internal address 192.168.1.100. Note that the destination pool holds the real internal address, not the public address seen before translation; this is the opposite of a source NAT pool, which holds the translated addresses.
Policy:
set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address 192.168.1.100
set security policies from-zone untrust to-zone trust policy 1 match application any
set security policies from-zone untrust to-zone trust policy 1 then permit
The policy above allows any Untrust address to reach 192.168.1.100 in Trust. Because destination NAT runs before the policy check, the policy is written from-zone untrust to-zone trust and matches the translated (real) destination 192.168.1.100, not 100.100.100.100; with the NAT configuration above, external access to 100.100.100.100 is translated to 192.168.1.100 automatically.
SRX Dst-nat configuration equivalent to the ScreenOS VIP function:
set security nat destination pool 222 address 192.168.1.200/32 port 8000
set security nat destination rule-set 1 from zone untrust
set security nat destination rule-set 1 rule 222 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 222 match destination-address 100.100.100.100/32
set security nat destination rule-set 1 rule 222 match destination-port 8000
set security nat destination rule-set 1 rule 222 then destination-nat pool 222
The NAT configuration above maps port 8000 of 100.100.100.100 to port 8000 of 192.168.1.200, which is equivalent to ScreenOS VIP port mapping. The rule is named 222 here because it lives in the same rule-set as rule 111 above: re-using the name 111 would modify that rule (changing its pool to 222 and adding the port match) instead of adding a second rule. Rules in a rule-set are evaluated in order, so a port-specific rule like this one must come before a catch-all rule for the same public address.
2.3.4 Static NAT
NAT:
set security nat static rule-set static-nat from zone untrust
set security nat static rule-set static-nat rule rule1 match destination-address 100.100.100.100/32
set security nat static rule-set static-nat rule rule1 then static-nat prefix 192.168.1.200/32
Policy:
set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address 192.168.1.200
set security policies from-zone untrust to-zone trust policy 1 match application any
set security policies from-zone untrust to-zone trust policy 1 then permit
Static NAT is the same concept as ScreenOS MIP: a static, bidirectional, one-to-one translation. As with destination NAT, the inbound policy is written from-zone untrust to-zone trust and matches the real internal address 192.168.1.200. The configuration above means that access to