Copyright © 2007 Juniper Networks, Inc. Proprietary and Confidential

Juniper Firewall Address Translation (NAT-src, NAT-dst, DIP, MIP, VIP)
ITman forum

Policy-based NAT

Figure: firewall with external interface e8 (1.1.8.1) and external host 200.100.8.5. Each row lists the addresses of the same packet on the private side and on the public side of the firewall (SA = source address, DA = destination address).

Mechanism | Private side                | Public side
NAT-src   | SA 10.1.1.5, DA 200.100.8.5 | SA 1.1.8.1, DA 200.100.8.5
NAT-dst   | 10.1.20.5:21, 200.100.8.5   | 1.1.8.100:21, 200.100.8.5
MIP       | 10.1.1.5, 200.100.8.5       | 1.1.8.2, 200.100.8.5
MIP       | 200.100.8.5, 10.1.10.5      | 200.100.8.5, 1.1.8.2
VIP       | 10.1.20.5:21, 200.100.8.5   | 200.100.8.5, 1.1.8.100:21
VIP       | 10.1.30.5:80, 200.100.8.5   | 200.100.8.5, 1.1.8.100:80

Dynamic IP (DIP)

• A specified IP or range of IP addresses used for source address translation
• Defined on the outbound interface
• The DIP range must be in the same subnet as either:
  • the interface primary IP address
  • the interface secondary IP address
  • the interface extended IP address
• Can be used by multiple policy sets

Figure: hosts A (10.0.0.5) and B (10.1.1.5) behind interface e8.
E8 primary:   1.1.8.1    DIP 4:  1.1.8.10 - 1.1.8.20
E8 secondary: 1.1.10.1   DIP 10: 1.1.10.2 - 1.1.10.254
E8 extended:  1.1.11.1   DIP 42: 1.1.11.1 - 1.1.11.254

NAT-src Examples

Figure: hosts A (10.0.0.5) and B (10.1.1.5), FTP server 10.1.20.5 and web server 10.1.30.5 on the Private side; e8: 1.1.8.1; external host 200.100.8.5 on the External side.

NAT-src:                  10.1.1.5:1099 -> 200.100.8.5  becomes  1.1.8.1:1024 -> 200.100.8.5
DIP w/ port translation:  10.1.1.5:6550 -> 200.100.8.5  becomes  1.1.8.10:1024 -> 200.100.8.5
                          10.0.0.5:4251 -> 200.100.8.5  becomes  1.1.8.10:1025 -> 200.100.8.5
DIP w/ fixed-port:        10.1.1.5:6550 -> 200.100.8.5  becomes  1.1.8.10:6550 -> 200.100.8.5
IP shift:                 10.1.1.5 -> 200.100.8.5       becomes  1.1.8.10 -> 200.100.8.5
                          10.1.1.6 -> 200.100.8.5       becomes  1.1.8.11 -> 200.100.8.5

NAT-src Configuration Procedure

1. Create DIP (if used)
   1a. Port translation on
   1b. Port translation off
   1c. Address shifting
2. Create policy

Step 1: Create DIP - WebUI

Network > Interface > Edit > DIP (click on New); enter Private start, Public start and Public end.

Step 1: Create DIP - CLI

set interface name dip 4-255 start_address [end_address]
ns208-> set interface e8 dip 5 1.1.10.2 1.1.10.254

For an extended address range:
set interface name ext ip address/mask dip 4-255 start_address [end_address]
ns208-> set interface e8 ext ip 1.1.11.1/24 dip 42 1.1.11.2 1.1.11.254

No port translation:
set interface name dip 4-255 start_address [end_address] fix-port
ns208-> set interface e8 dip 5 1.1.10.2 1.1.10.254 fix-port

Address shifting:
set interface name dip 4-255 shift-from priv-addr start_address [end_address]
ns208-> set interface e8 dip 5 shift-from 10.1.1.5 1.1.10.2 1.1.10.40

Step 2: Create Policy

set policy from zone to zone SA DA service nat src [dip id_num] permit

Without DIP:
ns208-> set policy from Private to External any any any nat src permit

With DIP:
ns208-> set policy from Private to External any any any nat src dip 5 permit

WebUI: Policies > Edit (Advanced)

Verifying DIP Configuration

ns208-> get dip
DipId   DipLow      DipHigh     Interface   Attribute
4       1.1.10.5    1.1.10.10   ethernet8   port-xlate
Port-xlated dip stickness off

WebUI: Network > Interface > DIP

Verifying NAT-src - WebUI

Policies; Reports > Policies > Traffic Log

Verifying NAT-src - CLI

ns208-> get policy id 1
id 1, name none, from zone Private to zone External
action Permit, status enabled
src Any, dst Any, serv ANY
Policies on this vpn tunnel: 0
nat src dip-id 4, serv_timeout 0 (minute)
vpn unknown vpn, policy flag 00, session backup: on
traffic shapping OFF, url filtering OFF, scheduler n/a, serv flag 00
log no, log count 0, alert no, counter no(0) rate (min/sec) 0/0
total octets 2220, counter(session/packet/octet) 0/0/0
priority 7, diffserv marking Off
tadapter: state OFF, gbw/mbw 0/-1
No Authentication
No User, User Group or Group expression set

ns208-> get session
alloc 2/max 128000, alloc failed 0
id 142/s**,vsys 0,flag 00000010/00/00,policy 1,time 1
 0(01): 10.1.10.5/50944->200.5.5.5/512,1,0010db12cea1,vlan 0,tun 0,vsd 0
10(20): 1.1.8.10/1024<-200.5.5.5/512,1,0010db21c041,vlan 0,tun 0,vsd 0
id 143/s**,vsys 0,flag 00000010/00/00,policy 1,time 1
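The verification step above pairs "get dip" with "get session" by eye. As an added example (not from the slides or from Juniper), the Python below does that check mechanically: it parses both outputs in the format shown, takes the reverse wing of each session as the translated source, and confirms that it lies inside the DIP pool named in the policy and, for a fix-port pool, keeps the original port. The sample device output is constructed here to match the slide's layout; its addresses are ours, not captured from a real firewall.

```python
import ipaddress
import re
# Constructed sample output modelled on the page's "get dip"/"get session" listings.
GET_DIP = """\
DipId  DipLow     DipHigh    Interface  Attribute
4      1.1.8.10   1.1.8.20   ethernet8  port-xlate
5      1.1.10.2   1.1.10.254 ethernet8  fix-port
"""
GET_SESSION = """\
alloc 2/max 128000, alloc failed 0
id 142/s**,vsys 0,flag 00000010/00/00,policy 1,time 1
 0(01): 10.1.1.5/6550->200.100.8.5/21,6,0010db12cea1,vlan 0,tun 0,vsd 0
10(20): 1.1.8.10/1024<-200.100.8.5/21,6,0010db21c041,vlan 0,tun 0,vsd 0
id 143/s**,vsys 0,flag 00000010/00/00,policy 1,time 1
 0(01): 10.0.0.5/4251->200.100.8.5/21,6,0010db12cea2,vlan 0,tun 0,vsd 0
10(20): 1.1.10.9/4251<-200.100.8.5/21,6,0010db21c042,vlan 0,tun 0,vsd 0
"""
DIP_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)")    # id low high if attr
WING_RE = re.compile(r"^\s*\d+\(\d+\):\s*(\S+)/(\d+)(->|<-)")  # ifnum(flags): ip/port dir
def parse_dip(text):
    """Map DIP id -> (low, high, attribute) from 'get dip' output."""
    pools = {}
    for line in text.splitlines():
        if m := DIP_RE.match(line):
            pools[int(m[1])] = (ipaddress.ip_address(m[2]),
                                ipaddress.ip_address(m[3]), m[4])
    return pools
def parse_sessions(text):
    """Group 'get session' wings per session as (ip, port, direction) tuples."""
    sessions = []
    for line in text.splitlines():
        if line.startswith("id "):
            sessions.append([])
        elif sessions and (m := WING_RE.match(line)):
            sessions[-1].append((ipaddress.ip_address(m[1]), int(m[2]), m[3]))
    return sessions
def check_nat_src(dip_text, session_text, dip_id):
    """Per session: (private src, translated src, ok). ok means the translated
    source lies inside the DIP pool and, for fix-port pools, keeps its port."""
    low, high, attr = parse_dip(dip_text)[dip_id]
    results = []
    for wings in parse_sessions(session_text):
        # wing 0 is the outbound packet; wing 1 (reverse) starts with the translated source
        (priv_ip, priv_port, _), (xlat_ip, xlat_port, _) = wings
        ok = low <= xlat_ip <= high
        if attr == "fix-port":
            ok = ok and xlat_port == priv_port
        results.append((f"{priv_ip}:{priv_port}", f"{xlat_ip}:{xlat_port}", ok))
    return results
```

Run against the real outputs of a device, a False entry means a session was translated to an address outside the pool the policy references, which is worth a look at the policy's dip-id and the interface's DIP definitions.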
Mapped IP (MIP)

• One-to-one static mapping for bi-directional communication
• No port translation
• MIPs are defined on the "public" interface
• MIPs can be defined in ANY subnet

Figure: private host 10.1.10.5 mapped to public address 1.1.1.15 (10.1.10.5 = 1.1.1.15).

MIP Configuration Procedure

1. Define MIP on the "public" interface
2. Create policy to "invoke" the MIP

Step 1: Define MIP

WebUI: Network > Interface (select the interface, click on MIP)

set int name mip publicIP host privateIP
ns208-> set int e8 mip 1.1.8.15 host 10.1.10.5

Step 2: Con