2010年10月11日星期一
基于Juniper SSG520和SSG5的两端NAT的LAN to LAN实验
实验拓扑如下图:
要求:
1、ssg5后的主机192.168.1.100可以访问ssg520后的主机192.168.1.100,两台主机均在NAT后,如图所示。
2、ssg520后的主机192.168.2.100可以访问ssg5后的主机192.168.2.100,两台主机均在NAT后,如图所示。
配置步骤:
SSG520:
1、添加三层区段zone_test1、zone_test2
set zone id 100 "zone_test1"
set zone id 101 "zone_test2"
2、设置接口基本信息
set interface "ethernet0/0" zone "zone_test1"
set interface ethernet0/0 ip 192.168.1.1/24
set interface ethernet0/0 route
set interface ethernet0/0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage ssh
set interface ethernet0/0 manage telnet
set interface ethernet0/0 manage snmp
set interface ethernet0/0 manage ssl
set interface ethernet0/0 manage web
set interface "ethernet0/1" zone "zone_test2"
set interface ethernet0/1 ip 192.168.2.1/24
set interface ethernet0/1 route
set interface ethernet0/1 ip manageable
set interface ethernet0/1 manage ping
set interface ethernet0/1 manage ssh
set interface ethernet0/1 manage telnet
set interface ethernet0/1 manage snmp
set interface ethernet0/1 manage ssl
set interface ethernet0/1 manage web
set interface "ethernet0/2" zone "Untrust"
set interface ethernet0/2 ip 10.0.1.1/24
set interface ethernet0/2 route
set interface ethernet0/2 ip manageable
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage snmp
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
3、在非信任端口上设置MIP
set interface "ethernet0/2" mip 10.0.1.100 host 192.168.1.100 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/2" mip 10.0.1.200 host 192.168.2.100 netmask 255.255.255.255 vr "trust-vr"
4、设置地址,为policy做准备
set address "Untrust" "10.0.1.0" 10.0.1.0 255.255.255.0
set address "Untrust" "10.0.2.0" 10.0.2.0 255.255.255.0
set address "zone_test1" "192.168.1.0" 192.168.1.0 255.255.255.0
set address "zone_test2" "192.168.2.0" 192.168.2.0 255.255.255.0
set address "zone_test1" "192.168.1.100/32" 192.168.1.100 255.255.255.255
5、设置规则
set policy id 1 from "zone_test2" to "Untrust" "192.168.2.0" "10.0.1.0" "PING" permit
set policy id 1
exit
set policy id 2 from "zone_test2" to "Untrust" "192.168.2.0" "10.0.2.0" "ANY" permit
set policy id 2
exit
set policy id 3 from "Untrust" to "zone_test1" "10.0.2.0" "MIP(10.0.1.100)" "ANY" permit
set policy id 3
exit
6、设置必要的路由。
set route 10.0.2.0/24 interface ethernet0/2 gateway 10.0.1.254
SSG5:
set address "Untrust" "10.0.2.0" 10.0.2.0 255.255.255.0
set address "zone_test1" "192.168.1.0" 192.168.1.0 255.255.255.0
set address "zone_test2" "192.168.2.0" 192.168.2.0 255.255.255.0
set address "zone_test2" "192.168.2.100/32" 192.168.2.100 255.255.255.255
set policy id 1 from "zone_test1" to "Untrust" "192.168.1.0" "10.0.2.0" "PING" permit
set policy id 1
exit
set policy id 2 from "zone_test1" to "Untrust" "192.168.1.0" "10.0.1.0" "ANY" permit
set policy id 2
exit
set policy id 3 from "Untrust" to "zone_test2" "10.0.1.0" "MIP(10.0.2.200)" "ANY" permit
set policy id 3
exit
3750上
vlan 11:
gateway: 10.0.1.254
端口:gi1/0/1
vlan 12:
gateway: 10.0.2.254
端口:gi1/0/2
打通vlan之间路由:
ip routing
添加静态路由:
ip route 192.168.1.0 255.255.255.0 10.0.2.1
这样ssg5后的不在mip后的主机192.168.1.101就可以ping通3750。
ok!
要求:
1、ssg5后的主机192.168.1.100可以访问ssg520后的主机192.168.1.100,两台主机均在NAT后,如图所示。
2、ssg520后的主机192.168.2.100可以访问ssg5后的主机192.168.2.100,两台主机均在NAT后,如图所示。
配置步骤:
SSG520:
1、添加三层区段zone_test1、zone_test2
set zone id 100 "zone_test1"
set zone id 101 "zone_test2"
2、设置接口基本信息（注意：下面在 Untrust 接口 ethernet0/2 上也开启了 telnet、web、snmp 等明文管理服务，这仅适用于实验环境；生产环境中应只在内部接口上开启管理服务，并优先使用 ssh/ssl）
set interface "ethernet0/0" zone "zone_test1"
set interface ethernet0/0 ip 192.168.1.1/24
set interface ethernet0/0 route
set interface ethernet0/0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage ssh
set interface ethernet0/0 manage telnet
set interface ethernet0/0 manage snmp
set interface ethernet0/0 manage ssl
set interface ethernet0/0 manage web
set interface "ethernet0/1" zone "zone_test2"
set interface ethernet0/1 ip 192.168.2.1/24
set interface ethernet0/1 route
set interface ethernet0/1 ip manageable
set interface ethernet0/1 manage ping
set interface ethernet0/1 manage ssh
set interface ethernet0/1 manage telnet
set interface ethernet0/1 manage snmp
set interface ethernet0/1 manage ssl
set interface ethernet0/1 manage web
set interface "ethernet0/2" zone "Untrust"
set interface ethernet0/2 ip 10.0.1.1/24
set interface ethernet0/2 route
set interface ethernet0/2 ip manageable
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage telnet
set interface ethernet0/2 manage snmp
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
3、在非信任端口上设置MIP
set interface "ethernet0/2" mip 10.0.1.100 host 192.168.1.100 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/2" mip 10.0.1.200 host 192.168.2.100 netmask 255.255.255.255 vr "trust-vr"
4、设置地址,为policy做准备
set address "Untrust" "10.0.1.0" 10.0.1.0 255.255.255.0
set address "Untrust" "10.0.2.0" 10.0.2.0 255.255.255.0
set address "zone_test1" "192.168.1.0" 192.168.1.0 255.255.255.0
set address "zone_test2" "192.168.2.0" 192.168.2.0 255.255.255.0
set address "zone_test1" "192.168.1.100/32" 192.168.1.100 255.255.255.255
5、设置规则（实验中策略 2、3 放行的服务为 ANY；生产环境应按实际需要收紧为具体服务）
set policy id 1 from "zone_test2" to "Untrust" "192.168.2.0" "10.0.1.0" "PING" permit
set policy id 1
exit
set policy id 2 from "zone_test2" to "Untrust" "192.168.2.0" "10.0.2.0" "ANY" permit
set policy id 2
exit
set policy id 3 from "Untrust" to "zone_test1" "10.0.2.0" "MIP(10.0.1.100)" "ANY" permit
set policy id 3
exit
6、设置必要的路由。
set route 10.0.2.0/24 interface ethernet0/2 gateway 10.0.1.254
SSG5:
1、添加三层区段zone_test1、zone_test2
set zone id 100 "zone_test1"
set zone id 101 "zone_test2"
2、设置接口基本信息（注意：下面在 Untrust 接口 ethernet0/0 上也开启了 telnet、web、snmp 等明文管理服务，这仅适用于实验环境；生产环境中应只在内部接口上开启管理服务，并优先使用 ssh/ssl）
set interface "ethernet0/0" zone "Untrust"
set interface ethernet0/0 ip 10.0.2.1/24
set interface ethernet0/0 route
set interface ethernet0/0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage ssh
set interface ethernet0/0 manage telnet
set interface ethernet0/0 manage snmp
set interface ethernet0/0 manage ssl
set interface ethernet0/0 manage web
set interface "ethernet0/6" zone "zone_test1"
set interface ethernet0/6 ip 192.168.1.1/24
set interface ethernet0/6 route
set interface ethernet0/6 ip manageable
set interface ethernet0/6 manage ping
set interface ethernet0/6 manage ssh
set interface ethernet0/6 manage telnet
set interface ethernet0/6 manage snmp
set interface ethernet0/6 manage ssl
set interface ethernet0/6 manage web
set interface "ethernet0/5" zone "zone_test2"
set interface ethernet0/5 ip 192.168.2.1/24
set interface ethernet0/5 route
set interface ethernet0/5 ip manageable
set interface ethernet0/5 manage ping
set interface ethernet0/5 manage ssh
set interface ethernet0/5 manage telnet
set interface ethernet0/5 manage snmp
set interface ethernet0/5 manage ssl
set interface ethernet0/5 manage web
3、在非信任端口上设置MIP
set interface "ethernet0/0" mip 10.0.2.100 host 192.168.1.100 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/0" mip 10.0.2.200 host 192.168.2.100 netmask 255.255.255.255 vr "trust-vr"
4、设置地址,为policy做准备
set address "Untrust" "10.0.1.0" 10.0.1.0 255.255.255.0
set address "Untrust" "10.0.2.0" 10.0.2.0 255.255.255.0
set address "zone_test1" "192.168.1.0" 192.168.1.0 255.255.255.0
set address "zone_test2" "192.168.2.0" 192.168.2.0 255.255.255.0
set address "zone_test2" "192.168.2.100/32" 192.168.2.100 255.255.255.255
5、设置规则（实验中策略 2、3 放行的服务为 ANY；生产环境应按实际需要收紧为具体服务）
set policy id 1 from "zone_test1" to "Untrust" "192.168.1.0" "10.0.2.0" "PING" permit
set policy id 1
exit
set policy id 2 from "zone_test1" to "Untrust" "192.168.1.0" "10.0.1.0" "ANY" permit
set policy id 2
exit
set policy id 3 from "Untrust" to "zone_test2" "10.0.1.0" "MIP(10.0.2.200)" "ANY" permit
set policy id 3
exit
6、设置必要的路由。
set route 10.0.1.0/24 interface ethernet0/0 gateway 10.0.2.254
3750上
vlan 11:
gateway: 10.0.1.254
端口:gi1/0/1
vlan 12:
gateway: 10.0.2.254
端口:gi1/0/2
打通vlan之间路由:
ip routing
添加静态路由:
ip route 192.168.1.0 255.255.255.0 10.0.2.1
这样ssg5后的不在mip后的主机192.168.1.101就可以ping通3750。
ok!