Topology
### Topology 1
   Global                            Local
(Internet)---------------[FW]---------------(PC)
          |<------------->|  |<------------->|
             10.0.0.0/24        192.168.0.0/24
### Topology 2
   Global                            Local
                                        |--------.100(PC)
(Internet).100-------------.1[SRX].1----|
                                        |--------.200(PC)
          |<----------------->|   |<--------------------->|
               10.0.0.0/24              192.168.0.0/24
### Topology 3
   Global                            Local
                                        |--------.100(PC)
(Internet).100-------------.1[SRX].1----|--------.200(PC)
                                        |--------.250(PC)
          |<----------------->|   |<--------------------->|
               10.0.0.0/24              192.168.0.0/24
Lab setup
- Devices
    - FW: SRX (also acts as DHCP server)
    - PC: Cisco router used as a host
    - Internet: Cisco router used as a host
- SRX
    - Interfaces
        - ge-0/0/0: Internet side (Untrust)
        - ge-0/0/1: Local side (Trust)
    - IP
        - ge-0/0/0: 10.0.0.1
        - ge-0/0/1: 192.168.0.1
- Addressing
    - WAN: 10.0.0.0/24
    - LAN: 192.168.0.0/24
- NAT
    - Type: Source NAT
        - Interface Based
            - Translation IP: WAN IP [10.0.0.1]
        - Pool Based
            - Translation IP: pool [10.0.0.10-20]
        - Pool Based (No PAT)
            - Translation IP (default): pool [10.0.0.10-11]
            - Translation IP (overflow): WAN IP [10.0.0.1]
    - Options
        - No PAT: no port translation; the source port (ICMP ID) is kept, so each internal host consumes one pool address
        - Overflow: when the pool has no free address, fall back to the interface IP (NAPT)
Baseline configuration
Internet (Cisco router)
interface GigabitEthernet0/0
 ip address 10.0.0.100 255.255.255.0
PC (Cisco router)
interface GigabitEthernet0/0
 ip address 192.168.0.100 255.255.255.0
The extra Local hosts .200 and .250 used in the pool-based tests are configured the same way; all addresses follow the topology diagrams and the session output below.
FW
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.1/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.0.1/24
ge-0/0/0 and ge-0/0/1 must also be placed in their zones (Untrust/Trust) and a policy permitting Trust-to-Untrust traffic must exist; the session output below shows that policy as default-permit. NAT is only applied to sessions the security policy allows.
NAT verification commands
show security flow session :active sessions; the Out wing shows the translated source address and port
show security nat source summary :configured source NAT rule-sets and pools
show security nat source rule all :per-rule translation hit counters (confirms which rule a session matched)
show security nat source pool all :per-pool address usage
show security nat source persistent-nat-table all :persistent NAT bindings (only populated when persistent-nat is configured, which is not the case in this lab)
Interface Based (NAPT)
Traffic
   Global                            Local
(Internet).100-------------.1[SRX].1--------------.100(PC)
          |<----------------->|   |<------------------>|
               10.0.0.0/24              192.168.0.0/24
Full configuration
set security nat source rule-set NAT_SRC-IF from interface ge-0/0/1.0
set security nat source rule-set NAT_SRC-IF to interface ge-0/0/0.0
set security nat source rule-set NAT_SRC-IF rule NAT-RULE_SOURCE-IF match source-address 192.168.0.0/24
set security nat source rule-set NAT_SRC-IF rule NAT-RULE_SOURCE-IF match application junos-icmp-ping
set security nat source rule-set NAT_SRC-IF rule NAT-RULE_SOURCE-IF then source-nat interface
Configuration details
A rule-set identifies its from/to context by zone, by interface or by routing-instance (one kind per rule-set); this lab uses interfaces.
set security nat source rule-set [NAME] from zone [ZONE] :NAT "from" context specified by zone
set security nat source rule-set [NAME] to zone [ZONE] :NAT "to" context specified by zone
set security nat source rule-set [NAME] from interface [IF] :NAT "from" context specified by interface
set security nat source rule-set [NAME] to interface [IF] :NAT "to" context specified by interface
set security nat source rule-set [NAME] rule [NAME] match [OPTION] [PARAMETER] :match condition (option and parameter) for the traffic to be translated
set security nat source rule-set [NAME] rule [NAME] match source-address [SUBNET] :add a source-address match condition
set security nat source rule-set [NAME] rule [NAME] match application [APP] :add an application match condition. The rule above matches only junos-icmp-ping, so any other traffic from 192.168.0.0/24 is not translated and, if the security policy permits it, leaves ge-0/0/0 with its private source address; drop the application match or list every required application before using this outside the lab
set security nat source rule-set [NAME] rule [NAME] then source-nat interface :source NAT to the egress interface's own IP (always NAPT: the source port / ICMP ID is translated)
Traffic
Reading the output: the In wing is the original direction; the Out wing is the reverse direction, so its destination (10.0.0.1/29986) is the source address and ICMP ID that the Internet host sees. The ICMP ID changed from 7302 to 29986, i.e. the interface NAT is NAPT.
root# run show security flow session
Session ID: 7350, Policy name: default-permit/5, Timeout: 2, Valid
In: 192.168.0.100/7302 --> 10.0.0.100/10;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 100
Out: 10.0.0.100/10 --> 10.0.0.1/29986;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 100
Pool Based
Traffic
   Global                            Local
                                        |--------.100(PC)
(Internet).100-------------.1[SRX].1----|
                                        |--------.200(PC)
          |<----------------->|   |<--------------------->|
               10.0.0.0/24              192.168.0.0/24
Full configuration
set security nat source rule-set NAT_SRC-POOL-NAT from interface ge-0/0/1.0
set security nat source rule-set NAT_SRC-POOL-NAT to interface ge-0/0/0.0
set security nat source pool NAT-POOL_SRC-POOL-NAT address 10.0.0.10/32 to 10.0.0.20/32
set security nat source rule-set NAT_SRC-POOL-NAT rule NAT-RULE_SRC-POOL-NAT match source-address 192.168.0.0/24
set security nat source rule-set NAT_SRC-POOL-NAT rule NAT-RULE_SRC-POOL-NAT then source-nat pool NAT-POOL_SRC-POOL-NAT
set security nat proxy-arp interface ge-0/0/0.0 address 10.0.0.10/32 to 10.0.0.20/32
Configuration details
set security nat source rule-set [NAME] from interface [IF] :NAT "from" context specified by interface
set security nat source rule-set [NAME] to interface [IF] :NAT "to" context specified by interface
set security nat source pool [NAME] address [Low-IP] to [High-IP] :create the source NAT address pool (port translation is on by default, so this is NAPT using pool addresses)
set security nat source rule-set [NAME] rule [NAME] match source-address [SUBNET] :add a source-address match condition
set security nat source rule-set [NAME] rule [NAME] then source-nat pool [NAME] :source NAT to an address taken from the pool
set security nat proxy-arp interface [I/F] address [Low-IP] to [High-IP] :have the SRX answer ARP for the pool addresses on the interface. The pool addresses lie in the ge-0/0/0 subnet but are not assigned to any interface, so without proxy ARP the upstream router cannot resolve them and return traffic never reaches the SRX (the outbound session appears to work, replies silently vanish)
Traffic
Reading the output: .100 was mapped to 10.0.0.15 and .200 to 10.0.0.14 (addresses are allocated from the pool, not in order), and the ICMP IDs were translated as well (0 -> 25829, 0 -> 2132) because port translation is on by default for a pool.
root# run show security flow session
Session ID: 28, Policy name: default-permit/5, Timeout: 2, Valid
In: 192.168.0.100/0 --> 10.0.0.100/3;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 100
Out: 10.0.0.100/3 --> 10.0.0.15/25829;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 100
Session ID: 27, Policy name: default-permit/5, Timeout: 2, Valid
In: 192.168.0.200/0 --> 10.0.0.100/3;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 100
Out: 10.0.0.100/3 --> 10.0.0.14/2132;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 100
Pool Based [No PAT]
Traffic
   Global                            Local
                                        |--------.100(PC)
(Internet).100-------------.1[SRX].1----|--------.200(PC)
                                        |--------.250(PC)
          |<----------------->|   |<--------------------->|
               10.0.0.0/24              192.168.0.0/24
Full configuration
set security nat source rule-set NAT_SRC-POOL-NAT from interface ge-0/0/1.0
set security nat source rule-set NAT_SRC-POOL-NAT to interface ge-0/0/0.0
set security nat source pool NAT-POOL_SRC-POOL-NAT address 10.0.0.10/32 to 10.0.0.11/32
set security nat source pool NAT-POOL_SRC-POOL-NAT port no-translation
set security nat source pool NAT-POOL_SRC-POOL-NAT overflow-pool interface
set security nat source rule-set NAT_SRC-POOL-NAT rule NAT-RULE_SRC-POOL-NAT match source-address 192.168.0.0/24
set security nat source rule-set NAT_SRC-POOL-NAT rule NAT-RULE_SRC-POOL-NAT then source-nat pool NAT-POOL_SRC-POOL-NAT
set security nat proxy-arp interface ge-0/0/0.0 address 10.0.0.10/32 to 10.0.0.20/32
Configuration details
set security nat source rule-set [NAME] from interface [IF] :NAT "from" context specified by interface
set security nat source rule-set [NAME] to interface [IF] :NAT "to" context specified by interface
set security nat source pool [NAME] address [Low-IP] to [High-IP] :create the source NAT address pool
set security nat source pool [NAME] port no-translation :disable port translation; the source port / ICMP ID is kept and each internal host consumes one pool address, so the pool size caps the number of hosts that can be translated at once
set security nat source pool [NAME] overflow-pool interface :when the pool has no free address, fall back to NAPT on the interface IP (the keyword sits directly under the pool, as in the configuration above; without it the extra hosts' sessions are dropped)
set security nat source rule-set [NAME] rule [NAME] match source-address [SUBNET] :add a source-address match condition
set security nat source rule-set [NAME] rule [NAME] then source-nat pool [NAME] :source NAT to an address taken from the pool
set security nat proxy-arp interface [I/F] address [Low-IP] to [High-IP] :have the SRX answer ARP for the pool addresses on the interface. The range should match the pool; the configuration above still carries 10.0.0.10-20 over from the previous section, so the SRX also answers ARP for .12-.20 although only .10-.11 are in the pool. Trim it to the pool range
Traffic
root# run show security flow session
### ↓ pool addresses, no PAT: the ICMP ID is preserved (180 -> 180, 64 -> 64) and each host gets its own pool address
Session ID: 10818, Policy name: default-permit/5, Timeout: 2, Valid
In: 192.168.0.100/180 --> 10.0.0.100/14;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 100
Out: 10.0.0.100/14 --> 10.0.0.10/180;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 100
Session ID: 10819, Policy name: default-permit/5, Timeout: 2, Valid
In: 192.168.0.200/64 --> 10.0.0.100/10;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 100
Out: 10.0.0.100/10 --> 10.0.0.11/64;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 100
### ↓ pool overflow to the interface (NAPT): the third host .250 finds no free pool address and is translated to 10.0.0.1 with a new ICMP ID (1 -> 17704)
Session ID: 10881, Policy name: default-permit/5, Timeout: 2, Valid
In: 192.168.0.250/1 --> 10.0.0.100/3;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 100
Out: 10.0.0.100/3 --> 10.0.0.1/17704;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 100
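As an added example (not part of this lab note, and not Juniper code), the check a practitioner would run over the three session outputs above: a small Python script that parses `show security flow session` text, reads the translated source from the Out wing, and classifies each session as pool / interface / untranslated and whether the source port (ICMP ID) was preserved. That is how to confirm that a no-PAT pool really keeps the ID, that overflow went to the interface IP, and that nothing slipped past the NAT rule. The pool range and interface IP are assumptions passed in by the caller; the sample text is constructed from the no-PAT session output above plus one made-up TCP session that missed the NAT rule.

```python
"""Classify source-NAT behaviour from Junos SRX 'show security flow session' output.

Added example, not code from the lab note. Pool range and interface IP are
assumptions supplied by the caller; SAMPLE is constructed from the lab's
no-PAT session output plus one made-up TCP session that missed the NAT rule.
"""
import ipaddress
import re
from dataclasses import dataclass

SAMPLE = """\
Session ID: 10818, Policy name: default-permit/5, Timeout: 2, Valid
  In: 192.168.0.100/180 --> 10.0.0.100/14;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 100
  Out: 10.0.0.100/14 --> 10.0.0.10/180;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 100
Session ID: 10819, Policy name: default-permit/5, Timeout: 2, Valid
  In: 192.168.0.200/64 --> 10.0.0.100/10;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 100
  Out: 10.0.0.100/10 --> 10.0.0.11/64;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 100
Session ID: 10881, Policy name: default-permit/5, Timeout: 2, Valid
  In: 192.168.0.250/1 --> 10.0.0.100/3;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 100
  Out: 10.0.0.100/3 --> 10.0.0.1/17704;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 100
Session ID: 10990, Policy name: default-permit/5, Timeout: 1800, Valid
  In: 192.168.0.100/51000 --> 10.0.0.100/22;tcp, If: ge-0/0/1.0, Pkts: 3, Bytes: 200
  Out: 10.0.0.100/22 --> 192.168.0.100/51000;tcp, If: ge-0/0/0.0, Pkts: 2, Bytes: 150
"""

SESSION_RE = re.compile(
    r"^Session ID: (\d+), Policy name: (\S+), Timeout: (\d+), (\S+)$", re.M)
WING_RE = re.compile(
    r"^\s*(In|Out): ([\d.]+)/(\d+) --> ([\d.]+)/(\d+);(\w+), "
    r"If: (\S+), Pkts: (\d+), Bytes: (\d+)$", re.M)


@dataclass
class Session:
    session_id: int
    policy: str
    proto: str
    orig_src: str     # In wing source: the internal host
    orig_sport: int   # its source port (ICMP ID for icmp)
    xlat_src: str     # Out wing destination: the address the outside host sees
    xlat_sport: int   # the port / ICMP ID the outside host sees


def parse_sessions(text):
    """Pair each 'Session ID' header with its In and Out wings."""
    sessions = []
    for block in re.split(r"(?m)^(?=Session ID: )", text):
        hdr = SESSION_RE.match(block)
        wings = {w.group(1): w.groups() for w in WING_RE.finditer(block)}
        if not hdr or "In" not in wings or "Out" not in wings:
            continue  # header without both wings: nothing to judge
        i, o = wings["In"], wings["Out"]
        sessions.append(Session(
            session_id=int(hdr.group(1)), policy=hdr.group(2), proto=i[5],
            orig_src=i[1], orig_sport=int(i[2]),
            xlat_src=o[3], xlat_sport=int(o[4])))
    return sessions


def classify(s, pool_low, pool_high, iface_ip):
    """Return (address_kind, port_kind) for the session's source translation.

    address_kind: 'pool', 'interface', 'untranslated' (NAT rule not matched,
    private source leaked) or 'unexpected'; port_kind: 'preserved'/'translated'.
    """
    xlat = ipaddress.ip_address(s.xlat_src)
    if xlat == ipaddress.ip_address(s.orig_src):
        return "untranslated", "preserved"
    if xlat == ipaddress.ip_address(iface_ip):
        kind = "interface"
    elif ipaddress.ip_address(pool_low) <= xlat <= ipaddress.ip_address(pool_high):
        kind = "pool"
    else:
        kind = "unexpected"
    return kind, ("preserved" if s.xlat_sport == s.orig_sport else "translated")


def audit(text, pool_low, pool_high, iface_ip, no_pat_pool=False):
    """List (session_id, finding) for leaked private sources, translations
    outside pool/interface and, for a no-PAT pool, pool sessions whose port changed."""
    findings = []
    for s in parse_sessions(text):
        kind, port = classify(s, pool_low, pool_high, iface_ip)
        if kind == "untranslated":
            findings.append((s.session_id, f"{s.proto} from {s.orig_src} left untranslated"))
        elif kind == "unexpected":
            findings.append((s.session_id, f"translated to {s.xlat_src}, outside pool and interface"))
        elif no_pat_pool and kind == "pool" and port == "translated":
            findings.append((s.session_id, f"pool address {s.xlat_src} used but port changed"))
    return findings


if __name__ == "__main__":
    POOL_LOW, POOL_HIGH, IFACE = "10.0.0.10", "10.0.0.11", "10.0.0.1"  # lab values
    for s in parse_sessions(SAMPLE):
        print(s.session_id, s.proto, f"{s.orig_src}/{s.orig_sport}", "->",
              f"{s.xlat_src}/{s.xlat_sport}", classify(s, POOL_LOW, POOL_HIGH, IFACE))
    print(audit(SAMPLE, POOL_LOW, POOL_HIGH, IFACE, no_pat_pool=True))
```

Run it against a pasted `show security flow session` capture with the real pool range and interface IP; any `untranslated` finding means a session matched the security policy but not the NAT rule (the interface-based section above, which matches only junos-icmp-ping, would produce exactly that for non-ICMP traffic).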