2010年8月12日星期四

配置Juniper SSG 5的NAT模式

网络拓扑图如上图,ssg5 trust接口采用nat模式,映射关系如图中所指。

1、bgroup属于trust zone,ip地址10.1.1.254/24,端口模式为nat(trust zone的端口默认即为nat模式),manageable,不设另外manage ip,service options作为模板支持web ui,telnet,ssh和ping。

2、eth0/0属于untrust zone,ip地址为220.220.1.1/24,端口模式为route,manageble,不设另外manage ip,service options作为模板支持web ui,telnet,ssh和ping。

3、在端口eth0/0中设置mip。
mapped ip: 220.220.1.100
host ip: 10.1.1.100
netmask: 255.255.255.255
vrouter: trust-vr

4、在端口eth0/0设置vip
先添加virtual ip address:220.220.1.80
分别new vip service:
virtual ip: 220.220.1.80
virtual port: 80
map to service: 80
map to ip: 10.1.1.10
server auto detection: checked

virtual ip: 220.220.1.80
virtual port: 8080
map to service: 80
map to ip: 10.1.1.20
server auto detection: checked

virtual ip: 220.220.1.80
virtual port: 8800
map to service: 80
map to ip: 10.1.1.30
server auto detection: checked

可以看出mip和vip的区别,mip是一对一的ip映射,vip可以进行端口映射,ip地址的映射可以是一对多。

5、添加costom services
set service "TCP-8080" protocol tcp src-port 0-65535 dst-port 8080-8080
set service "TCP-8800" protocol tcp src-port 0-65535 dst-port 8800-8800

6、添加policy
set policy from trust to untrust any any any permit
set policy from untrust to trust "any" "MIP(220.220.1.100)" "POP3" permit log
set policy from untrust to trust "any" "VIP(220.220.1.80)" "HTTP" permit log
set policy from untrust to trust "any" "VIP(220.220.1.80)" "TCP-8080" permit log
set policy from untrust to trust "any" "VIP(220.220.1.80)" "TCP-8800" permit log

OK!

标签: ,


// 发贴者:放牛娃的春天 @ 八月 12, 2010
评论: 发表评论

订阅 博文评论 [Atom]





<< 主页

This page is powered by Blogger. Isn't yours?

订阅 博文 [Atom]