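Juniper SRX interface IP security

To protect the firewall's interface IP, port 22 on the firewall's internal IP is mapped to port 1021 on a separate public IP, 113.106.95.x. Day-to-day management of the firewall from outside goes through port 1021 on 113.106.95.x: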

 

set security zones security-zone trust address-book address juniper2541 192.168.254.1/32
# Create the address entry
set applications application juniper1021 protocol tcp
set applications application juniper1021 source-port 0-65535
set applications application juniper1021 destination-port 1021-1021
set applications application juniper1021 inactivity-timeout 1800
# Service: port 1021 is built into the system, so it does not need to be created
set security nat destination pool 2541 address 192.168.254.1/32
set security nat destination pool 2541 address port 22
set security nat destination rule-set 1 from zone untrust   
set security nat destination rule-set 1 rule 2541 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 2541 match destination-address 113.106.95.x/32
set security nat destination rule-set 1 rule 2541 match destination-port 1021
set security nat destination rule-set 1 rule 2541 then destination-nat pool 2541

#NAT
set security nat proxy-arp interface ge-0/0/0.0 address 113.106.95.x/32
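# Proxy ARP
set security policies from-zone untrust to-zone trust policy yc2541 match source-address any
set security policies from-zone untrust to-zone trust policy yc2541 match destination-address juniper2541
set security policies from-zone untrust to-zone trust policy yc2541 match application junos-ssh
set security policies from-zone untrust to-zone trust policy yc2541 then permit
# Policy. The SRX evaluates security policy after destination NAT, so the policy matches the translated address and port (192.168.254.1, TCP 22, predefined application junos-ssh), not the public port 1021.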
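
A defender-side check for the exposure this configuration creates, as an added example that is not part of the original post: the NAT rule matches source-address 0.0.0.0/0, so the firewall's SSH service is reachable on port 1021 from any Internet host. The script parses set-format destination NAT lines and flags rules that forward any source to a management port. The function name, the management port list and the 203.0.113.10 stand-in for the elided public address are assumptions.

```python
MGMT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https", 830: "netconf"}
ANY_SOURCES = {"0.0.0.0/0", "::/0"}

# Constructed sample: the page's destination NAT lines, with 203.0.113.10
# standing in for the elided public address 113.106.95.x.
SAMPLE = """\
set security nat destination pool 2541 address 192.168.254.1/32
set security nat destination pool 2541 address port 22
set security nat destination rule-set 1 from zone untrust
set security nat destination rule-set 1 rule 2541 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 2541 match destination-address 203.0.113.10/32
set security nat destination rule-set 1 rule 2541 match destination-port 1021
set security nat destination rule-set 1 rule 2541 then destination-nat pool 2541
"""

def audit_destination_nat(config):
    """Return one finding per rule that exposes a management port to any source."""
    pools, rules = {}, {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:4] != ["set", "security", "nat", "destination"]:
            continue
        tok = tok[4:]
        if tok[:1] == ["pool"] and tok[2:4] == ["address", "port"]:
            pools.setdefault(tok[1], {})["port"] = int(tok[4])
        elif tok[:1] == ["pool"] and tok[2:3] == ["address"]:
            pools.setdefault(tok[1], {})["address"] = tok[3].split("/")[0]
        elif tok[:1] == ["rule-set"] and tok[2:3] == ["rule"]:
            rule = rules.setdefault((tok[1], tok[3]), {"sources": set()})
            if tok[4:6] == ["match", "source-address"]:
                rule["sources"].add(tok[6])
            elif tok[4:6] == ["match", "destination-port"]:
                rule["public_port"] = int(tok[6])
            elif tok[4:7] == ["then", "destination-nat", "pool"]:
                rule["pool"] = tok[7]
    findings = []
    for (rule_set, name), rule in sorted(rules.items()):
        pool = pools.get(rule.get("pool"), {})
        # Without port translation in the pool, the public port is kept.
        port = pool.get("port", rule.get("public_port"))
        # Assumption: a rule with no source-address match applies to every source.
        open_to_any = not rule["sources"] or bool(rule["sources"] & ANY_SOURCES)
        if port in MGMT_PORTS and open_to_any:
            findings.append({"rule_set": rule_set, "rule": name,
                             "service": MGMT_PORTS[port],
                             "public_port": rule.get("public_port"),
                             "target": "%s:%s" % (pool.get("address"), port)})
    return findings

if __name__ == "__main__":
    print(audit_destination_nat(SAMPLE))
```

Replacing 0.0.0.0/0 in the rule with the prefix the administrators actually connect from clears the finding.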