
How to configure a VIP application on Juniper (comments welcome, thanks)

Author: 2024,加油

VIP 10.10.0.202  80 218.17.153.234 28000

Purpose: 10.10.0.202/24 port 8000; public address 218.17.153.234/32 port 28000

Destination NAT (VIP)

# from zone untrust: traffic arriving from the outside zone
set security nat destination rule-set untrust-trust-202 from zone untrust
set security nat destination pool source-8000 address 10.10.0.202/32
set security nat destination pool source-8000 address port 8000
set security nat destination rule-set untrust-trust-202 rule 8000 match destination-address 218.17.153.234/32
set security nat destination rule-set untrust-trust-202 rule 8000 match destination-port 28000
set security nat destination rule-set untrust-trust-202 rule 8000 then destination-nat pool source-8000

Security policy to permit the VIP traffic

set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8000 match source-address any
set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8000 match destination-address 10.10.0.202/32
set applications application tcp-8000 protocol tcp
set applications application tcp-8000 destination-port 8000
set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8000 match application tcp-8000
set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8000 then permit
set security zones security-zone Inside address-book address 10.10.0.202/32 10.10.0.202/32

Move the policy to the front

insert security policies from-zone Ten-10M-CDMA to-zone Inside policy 8000 before policy dy-vpn
commit

[edit]

lvxuede@SRX34O-A# show | display set | match 8040        (view the earlier configuration)

set security nat destination pool source-8040 address 10.10.0.205/32
set security nat destination pool source-8040 address port 8040
set security nat destination rule-set untrust-trust-8081 rule 8081 match destination-port 28040
set security nat destination rule-set untrust-trust-8081 rule 8081 then destination-nat pool source-8040
set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8040 match source-address any
set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8040 match destination-address 10.10.0.205/32
set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8040 match application tcp-8040
set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8040 then permit
set applications application tcp-8040 protocol tcp
set applications application tcp-8040 destination-port 8040

Mistake: configuration lines were missing. show | display set | match 8040

set security nat destination pool source-8000 address port 8000

set applications application tcp-8000 destination-port 8000 (uses the earlier rule-set rule 8000)
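The two omissions listed under "Mistake" can be caught before commit. The following is an added example, not part of the original post: a Python check over `show | display set` output that flags a destination NAT pool or an application that is referenced but only partly defined. The sample configuration is constructed from the commands on this page, and the function name `audit` is hypothetical.

```python
import re

# Constructed sample: the port-8000 VIP configuration from this page with the
# two lines named in the "Mistake" section left out.
SAMPLE = """\
set security nat destination pool source-8000 address 10.10.0.202/32
set security nat destination rule-set untrust-trust-202 rule 8000 match destination-address 218.17.153.234/32
set security nat destination rule-set untrust-trust-202 rule 8000 match destination-port 28000
set security nat destination rule-set untrust-trust-202 rule 8000 then destination-nat pool source-8000
set applications application tcp-8000 protocol tcp
set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8000 match application tcp-8000
set security policies from-zone Ten-10M-CDMA to-zone Inside policy 8000 then permit
"""
# The two lines the "Mistake" section lists as forgotten.
FIX = """\
set security nat destination pool source-8000 address port 8000
set applications application tcp-8000 destination-port 8000
"""

def audit(config):
    """Return sorted findings for referenced pools/applications that are only partly defined."""
    pools, apps, used_pools, used_apps = {}, {}, set(), set()
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"set security nat destination pool (\S+) address (port )?\S+", line)
        if m:
            pools.setdefault(m[1], set()).add("port" if m[2] else "address")
        m = re.match(r"set applications application (\S+) (protocol|destination-port) ", line)
        if m:
            apps.setdefault(m[1], set()).add(m[2])
        m = re.search(r" then destination-nat pool (\S+)$", line)
        if m:
            used_pools.add(m[1])
        m = re.search(r" policy \S+ match application (\S+)$", line)
        if m and m[1] != "any" and not m[1].startswith("junos-"):
            used_apps.add(m[1])  # predefined junos-* applications are skipped
    findings = []
    for kind, used, seen, needs in (
        ("pool", used_pools, pools, ("address", "port")),
        ("application", used_apps, apps, ("protocol", "destination-port")),
    ):
        for name in used:
            for need in needs:
                if need not in seen.get(name, set()):
                    findings.append(f"{kind} {name}: no {need}")
    return sorted(findings)

if __name__ == "__main__":
    print(audit(SAMPLE))        # before the fix
    print(audit(SAMPLE + FIX))  # after the fix
```

A pool with no port line leaves the destination port untranslated, and an application that sets only protocol tcp matches every TCP port, so both omissions change what the VIP actually exposes.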
