Juniper SRX NAT詳解

時間 2021-08-14

標籤 web 安全服務器 markdown 網絡 session app tcp ide 日誌欄目系統安全简体版

原文原文鏈接

第一部分：介紹Juniper SRX NATweb

網絡地址轉換(NAT) 是用於修改或轉換數據包包頭中的網絡地址信息的一種方法。可轉換數據包中的源和/或目標地址。NAT 中可包含端口號及IP 地址的轉換。安全

NAT類型：
一、source NAT：
a、基於Interface的source NAT
b、基於pool的source NAT
二、destination NAT
三、static NAT服務器

NAT規則：
NAT 類型決定NAT 規則的處理順序。流的第一個數據包處理期間，將按照如下順序應用NAT 規則：markdown

靜態NAT 規則
目標NAT 規則
路由查找
安全策略查找
反向映射靜態NAT 規則
源NAT 規則

下圖顯示NAT規則的處理順序
網絡

NAT規則集：
在NAT中rule set決定全部流量的方向，而rule set裏面又包含有多個rule。一旦rule set 發現到有匹配的流量後，rule set 裏面每一個rule都會開始進行匹配計算，以後rule會爲匹配的流量指定動做；而在不一樣類型的NAT中，rule set能匹配的條件是不同的session

規則集爲信息流指定一組常規匹配條件。對於靜態NAT 和目標NAT，規則集指定如下項之一：
源接口
.源區段
.源路由實例app

root@Juniper-vSRX# set security nat destination rule-set dst-nat from ?
Possible completions:tcp

interface Source interface list
routing-instance Source routing instance list
zone Source zone list
[edit]

root@Juniper-vSRX# set security nat static rule-set static-nat from ?
Possible completions:ide

interface Source interface list
routing-instance Source routing instance list
zone Source zone list
[edit]

對於源NAT 規則集，將同時配置源和目標條件：
• 源接口、區段或路由實例
• 目標接口、區段或路由實例日誌

root@Juniper-vSRX# set security nat source rule-set src-nat from ?
Possible completions:

interface Source interface list
routing-instance Source routing instance list
zone Source zone list
[edit]

root@Juniper-vSRX# set security nat source rule-set src-nat to ?
Possible completions:

interface Destination interface list
routing-instance Destination routing instance list
zone Destination zone list
[edit]

一個數據包可匹配多個規則集；在這種狀況下，將使用匹配條件更爲具體的規則集。接口匹配被視爲比區段匹配更爲具體，然後者比路由實例匹配更爲具體。

若是一個數據包同時匹配指定源區段的目標NAT 規則集和指定源接口的目標NAT 規則集，則指定源接口的規則集是更爲具體的匹配項。

源NAT 規則集匹配更爲複雜，由於在源NAT 規則集中要同時指定源和目標條件。若是一個數據包匹配多個源NAT 規則集，則規則集的選擇基於如下源/目標條件（按照優先級順序）：

源接口/目標接口
源區段/目標接口
源路由實例/目標接口
源接口/目標區段
源區段/目標區段
源路由實例/目標區段
源接口/目標路由實例
源區段/目標路由實例
源路由實例/目標路由實例
例如，可配置規則集A 和B，前者指定源接口和目標區段，後者指定源區段和目標接口。若是
一個數據包匹配兩個規則集，規則集B 爲更爲具體的匹配項。

下圖顯示NAT 規則集的優先級

第二部分：Source NAT：
1.1基於Interface的Source NAT

公司內部網絡（trust Zone）訪問Internet（untrust Zone）時，將192.168.100.0/24 映射成Juniper SRX的GE-0/0/0端口的IP地址202.5.5.1出Internet。

a、配置基於接口的source NAT
set security nat source rule-set src-nat from zone trust
set security nat source rule-set src-nat to zone untrust
set security nat source rule-set src-nat rule 1 match source-address 192.168.100.0/24
set security nat source rule-set src-nat rule 1 match destination-address 0.0.0.0/0
set security nat source rule-set src-nat rule 1 then source-nat interface

b、開啓log日誌記錄
set system syslog file nat-log any any
set system syslog file nat-log match RT_FLOW_SESSION

c、、定義address-book，配置策略，容許192.168.100.0/24訪問Internet，並記錄log。
set security zones security-zone trust address-book address 192.168.100.0/24 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy 1 match source-address 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit
set security policies from-zone trust to-zone untrust policy 1 then log session-init
set security policies from-zone trust to-zone untrust policy 1 then log session-close

d、查看狀態
(1)、查看log（查看NAT轉換項）
root@Juniper-vSRX> show log nat-log
Apr 7 14:33:05 Juniper-vSRX clear-log[3384]: logfile cleared
Apr 7 14:33:16 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.100.10/60608->202.5.5.2/80 junos-http 202.5.5.1/26735->202.5.5.2/80 source rule 1 N/A N/A 6 1 trust untrust 13198 N/A(N/A) ge-0/0/1.0 UNKNOWN UNKNOWN UNKNOWN
Apr 7 14:33:23 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.168.100.10/60608->202.5.5.2/80 junos-http 202.5.5.1/26735->202.5.5.2/80 source rule 1 N/A N/A 6 1 trust untrust 13198 15(615) 10(526) 8 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/1.0 UNKNOWN

root@Juniper-vSRX>

(2)、查看flow session
root@Juniper-vSRX> show security flow session
Session ID: 13238, Policy name: 1/9, Timeout: 294, Valid
In: 192.168.100.10/60608 --> 202.5.5.2/80;tcp, If: ge-0/0/1.0, Pkts: 3, Bytes: 124
Out: 202.5.5.2/80 --> 202.5.5.1/26735;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 44
Total sessions: 1

(3)、查看nat source rule
root@Juniper-vSRX> show security nat source rule all
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0

source NAT rule: 1 Rule-set: src-i-nat
Rule-Id : 1
Rule position : 1
From zone : trust
To zone : untrust
Match
Source addresses : 192.168.100.0 - 192.168.100.255
Destination addresses : 0.0.0.0 - 255.255.255.255
Action : interface
Persistent NAT type : N/A
Persistent NAT mapping type : address-port-mapping
Inactivity timeout : 0
Max session number : 0
Translation hits : 3045
Successful sessions : 3045
Failed sessions : 0
Number of sessions : 0

1.2基於pool的source NAT

公司內部網絡（trust Zone）訪問Internet（untrust Zone）時，將192.168.100.0/24 映射成202.66.30.1-6的IP Address出Internet。

a、配置基於pool的source NAT
set security nat source pool nat-pool address 202.66.30.1/32 to 202.66.30.6/32
set security nat source rule-set src-p-nat from zone trust
set security nat source rule-set src-p-nat to zone untrust
set security nat source rule-set src-p-nat rule 1 match source-address 192.168.100.0/24
set security nat source rule-set src-p-nat rule 1 match destination-address 0.0.0.0/0
set security nat source rule-set src-p-nat rule 1 then source-nat pool nat-pool
set security nat proxy-arp interface ge-0/0/0.0 address 202.66.30.1/32 to 202.66.30.6/32 //注意：若NAT後的IP Address不是跟untrust接口的IP Address在同個subnet，則須要配置nat proxy-arp

b、開啓log日誌記錄
set system syslog file nat-log any any
set system syslog file nat-log match RT_FLOW_SESSION

c、定義address-book，配置策略，容許192.168.100.0/24訪問Internet，並記錄log。
set security zones security-zone trust address-book address 192.168.100.0/24 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy 1 match source-address 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit
set security policies from-zone trust to-zone untrust policy 1 then log session-init
set security policies from-zone trust to-zone untrust policy 1 then log session-close

d、查看NAT相關狀態
(1)、查看log（查看NAT轉換項）
root@Juniper-vSRX> show log nat-log
Apr 7 14:16:13 Juniper-vSRX clear-log[3319]: logfile cleared
Apr 7 14:16:51 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.100.10/51074->202.5.5.2/23 junos-telnet 202.66.30.3/1907->202.5.5.2/23 source rule 1 N/A N/A 6 1 trust untrust 13187 N/A(N/A) ge-0/0/1.0 UNKNOWN UNKNOWN UNKNOWN
Apr 7 14:16:55 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.168.100.10/51074->202.5.5.2/23 junos-telnet 202.66.30.3/1907->202.5.5.2/23 source rule 1 N/A N/A 6 1 trust untrust 13187 12(512) 7(333) 4 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/1.0 UNKNOWN

(2)、查看flow session
root@Juniper-vSRX> show security flow session
Session ID: 13245, Policy name: 1/9, Timeout: 8, Valid
In: 192.168.100.10/51074 --> 202.5.5.2/23;tcp, If: ge-0/0/1.0, Pkts: 3, Bytes: 132
Out: 202.5.5.2/23 --> 202.66.30.3/1907;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 44
Total sessions: 1

(3)、查看nat source rule
root@Juniper-vSRX> show security nat source rule all
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0

source NAT rule: 1 Rule-set: src-p-nat
Rule-Id : 2
Rule position : 1
From zone : trust
To zone : untrust
Match
Source addresses : 192.168.100.0 - 192.168.100.255
Destination addresses : 0.0.0.0 - 255.255.255.255
Action : nat-pool
Persistent NAT type : N/A
Persistent NAT mapping type : address-port-mapping
Inactivity timeout : 0
Max session number : 0
Translation hits : 1100
Successful sessions : 1100
Failed sessions : 0
Number of sessions : 0

第三部分：Destination NAT：

公司內部web服務器對外提供服務，將210.5.5.1:8080映射成192.168.100.10:80。

a、配置Destination NAT
set security nat destination pool dst-nat-pool1 address 192.168.100.10/32
set security nat destination pool dst-nat-pool1 address port 80
set security nat destination rule-set 1 from zone untrust
set security nat destination rule-set 1 rule dst-nat-rule1 match destination-address 202.5.5.1/32
set security nat destination rule-set 1 rule dst-nat-rule1 match destination-port 8080
set security nat destination rule-set 1 rule dst-nat-rule1 match protocol tcp
set security nat destination rule-set 1 rule dst-nat-rule1 then destination-nat pool dst-nat-pool1

b、開啓log日誌記錄
set system syslog file nat-log any any
set system syslog file nat-log match RT_FLOW_SESSION

c、定義address-book，配置策略，容許192.168.100.10/30的80端口被訪問，並記錄log。
set security zones security-zone trust address-book address 192.168.100.0/24 192.168.100.0/24
set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address 192.168.100.10/32
set security policies from-zone untrust to-zone trust policy 1 match application junos-http
set security policies from-zone untrust to-zone trust policy 1 then permit
set security policies from-zone untrust to-zone trust policy 1 then log session-init
set security policies from-zone untrust to-zone trust policy 1 then log session-close

d、查看NAT相關狀態
(1)、查看log（查看NAT轉換項）
root@Juniper-vSRX> show log nat-log
Apr 7 15:28:43 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 202.5.5.2/13634->202.5.5.1/8080 junos-http 202.5.5.2/13634->192.168.100.10/80 N/A N/A destination rule dst-nat-rule1 6 1 untrust trust 13213 N/A(N/A) ge-0/0/0.0 UNKNOWN UNKNOWN UNKNOWN
Apr 7 15:29:31 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 202.5.5.2/13634->202.5.5.1/8080 junos-http 202.5.5.2/13634->192.168.100.10/80 N/A N/A destination rule dst-nat-rule1 6 1 untrust trust 13213 9(369) 6(366) 49 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN

(2)、查看flow session
root@Juniper-vSRX> show security flow session
Session ID: 13213, Policy name: 1/6, Timeout: 290, Valid
In: 202.5.5.2/13634 --> 202.5.5.1/8080;tcp, If: ge-0/0/0.0, Pkts: 3, Bytes: 124
Out: 192.168.100.10/80 --> 202.5.5.2/13634;tcp, If: ge-0/0/1.0, Pkts: 1, Bytes: 44
Total sessions: 1

(3)、查看nat destination rule
root@Juniper-vSRX> show security nat destination rule all
Total destination-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 1/0

Destination NAT rule: dst-nat-rule1 Rule-set: 1
Rule-Id : 1
Rule position : 1
From zone : untrust
Destination addresses : 202.5.5.1 - 202.5.5.1
Destination port : 8080 - 8080
IP protocol : tcp
Action : dst-nat-pool1
Translation hits : 7
Successful sessions : 3
Failed sessions : 4
Number of sessions : 1

第四部分：Static NAT：

靜態NAT的做用是一到一的映射。靜態的NAT是不會執行PAT的，並且靜態的NAT不須要POOL。
若是流量自來untrust區域，且目的地址是202.5.5.253的話，把它的目的地址改成192.168.100.10，相反，若是流量去往untrust區域，且源地址是192.168.100.10的話，把它的源地址改成202.5.5.253。

a、配置Static NAT
set security nat static rule-set static-nat from zone untrust
set security nat static rule-set static-nat rule 1 match destination-address 202.5.5.253/32
set security nat static rule-set static-nat rule 1 then static-nat prefix 192.168.100.10/32
set security nat proxy-arp interface ge-0/0/0.0 address 202.5.5.253/32

b、開啓log日誌記錄
set system syslog file nat-log any any
set system syslog file nat-log match RT_FLOW_SESSION

c、定義address-book，配置策略，容許192.168.100.10/30去訪問或被訪問，並記錄log。
set security zones security-zone trust address-book address 192.168.100.0/24 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy 1 match source-address 192.168.100.0/24
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit
set security policies from-zone trust to-zone untrust policy 1 then log session-init
set security policies from-zone trust to-zone untrust policy 1 then log session-close

set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address 192.168.100.10/32
set security policies from-zone untrust to-zone trust policy 1 match application any
set security policies from-zone untrust to-zone trust policy 1 then permit
set security policies from-zone untrust to-zone trust policy 1 then log session-init
set security policies from-zone untrust to-zone trust policy 1 then log session-close

d、查看NAT相關信息
(1)、查看log（查看NAT轉換項）
root@Juniper-vSRX> show log nat-log

Apr 7 17:14:03 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.100.10/59188->202.5.5.2/23 junos-telnet 202.5.5.253/59188->202.5.5.2/23 static rule 1 N/A N/A 6 1 trust untrust 13235 N/A(N/A) ge-0/0/1.0 UNKNOWN UNKNOWN UNKNOWN
Apr 7 17:14:19 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CREATE: session created 202.5.5.2/13604->202.5.5.253/80 junos-http 202.5.5.2/13604->192.168.100.10/80 N/A N/A static rule 1 6 1 untrust trust 13236 N/A(N/A) ge-0/0/0.0 UNKNOWN UNKNOWN UNKNOWN
Apr 7 17:14:47 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.168.100.10/59188->202.5.5.2/23 junos-telnet 202.5.5.253/59188->202.5.5.2/23 static rule 1 N/A N/A 6 1 trust untrust 13235 24(1001) 19(850) 45 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/1.0 UNKNOWN
Apr 7 17:14:51 Juniper-vSRX RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 202.5.5.2/13604->202.5.5.253/80 junos-http 202.5.5.2/13604->192.168.100.10/80 N/A N/A static rule 1 6 1 untrust trust 13236 9(369) 6(366) 33 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN

(2)、查看flow session
root@Juniper-vSRX> show security flow session
Session ID: 13235, Policy name: 1/9, Timeout: 1780, Valid
In: 192.168.100.10/59188 --> 202.5.5.2/23;tcp, If: ge-0/0/1.0, Pkts: 15, Bytes: 635
Out: 202.5.5.2/23 --> 202.5.5.253/59188;tcp, If: ge-0/0/0.0, Pkts: 11, Bytes: 518

Session ID: 13236, Policy name: 1/6, Timeout: 294, Valid
In: 202.5.5.2/13604 --> 202.5.5.253/80;tcp, If: ge-0/0/0.0, Pkts: 3, Bytes: 124
Out: 192.168.100.10/80 --> 202.5.5.2/13604;tcp, If: ge-0/0/1.0, Pkts: 1, Bytes: 44
Total sessions: 2

(3)、查看nat static rule
root@Juniper-vSRX> show security nat static rule all
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0

Static NAT rule: 1 Rule-set: static-nat Rule-Id : 1 Rule position : 1From zone : untrustDestination addresses : 202.5.5.253Host addresses : 192.168.100.10Netmask : 32Host routing-instance : N/ATranslation hits : 5Successful sessions : 5Failed sessions : 0Number of sessions : 0