IT BLOG(KR)

안녕하세요.

오늘은 Juniper SRX Traffic Flow에 대해서 알아보겠습니다.

각 벤더마다 아키텍처가 다를수 있습니다.

이부분이 정책하게 이해해야지 설정값을 설정값을 잘 만들수 있습니다.

예를 들어서 SNAT, DNAT, Static NAT, 라우팅 테이블이 중에서

DNAT가 먼저 적용되고 변경된 Destination IP주소로 라우팅을 검색해서 라우팅을 하는지.

아니면 라우팅이 먼저 적용된다음에 DNAT가 적용 되는지.

순서에 따라서 설정값이 많이 달라집니다.

그래서 아래처럼 방화벽 Traffic Flow를 이해하는것이 중요 합니다.

주니퍼 방화벽 공식 홈페이지 URL주소 입니다.

https://www.juniper.net/documentation/us/en/software/junos/flow-packet-processing/topics/topic-map/security-srx-devices-processing-overview.html

Traffic Processing on SRX Series Firewalls Overview | Junos OS | Juniper Networks

Junos OS for security devices integrates network security and routing capabilities of Juniper Networks. Packets that enter and exit a device undergo both packet-based and flow-based processing. Understanding the Default Processing Behavior for IPv4 Traffic

www.juniper.net

시간이 되시면 위에 공식 홈페이지에 글을 끝까지 읽어보시길 바랍니다.

지금까지 [2025][Juniper SRX #31] Traffic Flow 글을 읽어주셔서 감사합니다.

저작자표시

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2025][Juniper SRX #30] IDP Signature Update (0)	2025.02.16
[2025][Juniper SRX #29] Firmware Upgrade - CLI (0)	2025.02.16
[2025][Juniper SRX #28] Destination Nat - DNAT (0)	2025.02.16
[2025][Juniper SRX #27] Destination Nat - Port Forwarding (0)	2025.02.16
[2025][Juniper SRX #27] Static NAT - One to One NAT (0)	2025.02.14

안녕하세요.

오늘은 Juniper IPS Signature Update하는 방법에 대해서 알아보겠습니다.

1. Juniper SRX License Check

root> show system license
License usage:
                                 Licensed     Licensed    Licensed
                                  Feature      Feature     Feature
  Feature name                       used    installed      needed    Expiry
  idp-sig                               0            1           0    2030-01-26 00:00:00 UTC
  remote-access-ipsec-vpn-client        0            2           0    permanent
  remote-access-juniper-std             0            2           0    permanent

Licenses installed:

  License identifier: JUNOS422937473
  License version: 4
  Valid for device: CW4024AX0159
  Customer ID: KDDI ASIA PACIFIC PTE. LTD.
  Features:
    idp-sig          - IDP Signature
      date-based, 2024-12-27 00:00:00 UTC - 2030-01-26 00:00:00 UTC

root>

2. Juniper IDP Signature check.

root> show security idp security-package-version
  Attack database version:N/A(N/A)
  Detector version :N/A
  Policy template version :N/A
  Rollback Attack database version :N/A(N/A)
  Rollback Detector version : N/A

3. Juniper SRX IDP package Download- 외부에 통신 확인.

root> ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=118 time=46.391 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=118 time=33.274 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=118 time=20.448 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=118 time=19.188 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=118 time=18.793 ms
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 18.793/27.619/46.391/10.815 ms

root> request security idp security-package download
Will be processed in async mode. Check the status using the status checking CLI

root>

root> request security idp security-package download status
Done;Successfully downloaded from(https://signatures.juniper.net/cgi-bin/index.cgi).
Version info:3786(Thu Feb 27 14:04:10 2025 UTC, Detector=23.6.160240709)

root>

4. Juniper SRX IDP Package Install

root> request security idp security-package install
Will be processed in async mode. Check the status using the status checking CLI

root> request security idp security-package install status
In progress:Installing AI ...

root>

약 5분 뒤에 request security idp security-package install status 확인 합니다.

root> request security idp security-package install status
Done;Attack DB update : successful - [UpdateNumber=3786,ExportDate=Thu Feb 27 14:04:10 2025 UTC,Detector=23.6.160240709]
     Updating control-plane with new detector : successful
     Updating data-plane with new attack or detector : not performed
      due to no active policy configured.

5. check version

root> show security idp security-package-version
  Attack database version:3786(Thu Feb 27 14:04:10 2025 UTC)
  Detector version :23.6.160240709
  Policy template version :N/A
  Rollback Attack database version :()
  Rollback Detector version : N/A

root>

지금까지 [2025][Juniper SRX #30] IDP Signature Update 글을 읽어주셔서 감사합니다.

저작자표시

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2025][Juniper SRX #31] Traffic Flow (0)	2025.02.18
[2025][Juniper SRX #29] Firmware Upgrade - CLI (0)	2025.02.16
[2025][Juniper SRX #28] Destination Nat - DNAT (0)	2025.02.16
[2025][Juniper SRX #27] Destination Nat - Port Forwarding (0)	2025.02.16
[2025][Juniper SRX #27] Static NAT - One to One NAT (0)	2025.02.14

안녕하세요.

오늘은 Juniper SRX Firmware Upgrade를 해보겠습니다.

Juniper SRX는 보통 CLI에서 많이 사용 합니다.

1. Juniper 기본 설정값을 확인 합니다.

root> show configuration | display set | no-more
set version 21.4R3-S3.4
set system root-authentication encrypted-password "$6$Kt3WFIik$0vN75BKuEZDkbTiLXUiAaTbrdkZ2EQCMo0u/G2D.nI3yQFDnN2sRwSwMra/BrVBfXg2lnWtzltwnPZkIWY2Zi."
set system services ssh
set system services netconf ssh
set system services dhcp-local-server group jdhcp-group interface irb.0
set system services web-management https system-generated-certificate
set system name-server 8.8.8.8
set system name-server 8.8.4.4
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file interactive-commands interactive-commands any
set system syslog file messages any notice
set system syslog file messages authorization info
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system phone-home server https://redirect.juniper.net
set system phone-home rfc-compliant
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies pre-id-default-policy then log session-close
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces irb.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/7.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/7.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces dl0.0 host-inbound-traffic system-services tftp
set interfaces ge-0/0/0 unit 0 family inet dhcp vendor-id Juniper-srx320
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/7 unit 0 family inet dhcp vendor-id Juniper-srx320
set interfaces cl-1/0/0 dialer-options pool 1 priority 100
set interfaces dl0 unit 0 family inet negotiate-address
set interfaces dl0 unit 0 family inet6 negotiate-address
set interfaces dl0 unit 0 dialer-options pool 1
set interfaces dl0 unit 0 dialer-options dial-string 1234
set interfaces dl0 unit 0 dialer-options always-on
set interfaces irb unit 0 family inet address 192.168.1.1/24
set access address-assignment pool junosDHCPPool family inet network 192.168.1.0/24
set access address-assignment pool junosDHCPPool family inet range junosRange low 192.168.1.2
set access address-assignment pool junosDHCPPool family inet range junosRange high 192.168.1.254
set access address-assignment pool junosDHCPPool family inet dhcp-attributes router 192.168.1.1
set access address-assignment pool junosDHCPPool family inet dhcp-attributes propagate-settings ge-0/0/0.0
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface irb.0
set protocols l2-learning global-mode switching
set protocols rstp interface all

root>

root> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  idp-sig                               0            1           0    2030-01-26 00:00:00 UTC
  remote-access-ipsec-vpn-client        0            2           0    permanent
  remote-access-juniper-std             0            2           0    permanent

Licenses installed:
  License identifier: JUNOS422937473
  License version: 4
  Valid for device: CW4024AX0159
  Customer ID: KDDI ASIA PACIFIC PTE. LTD.
  Features:
    idp-sig          - IDP Signature
      date-based, 2024-12-27 00:00:00 UTC - 2030-01-26 00:00:00 UTC

root>

root> show version
Model: srx320
Junos: 21.4R3-S3.4
JUNOS Software Release [21.4R3-S3.4]

2. UTP 케이블을 노트북과 Juniper SRX Ge-0/0/3에 연결합니다.

그리고 노트북에 192.168.1.2 255.255.255.0 설정하고

Ping 192.168.1.1

C:\Users\admin>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=2ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64

Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 2ms, Average = 1ms

C:\Users\admin>

C:\Users\admin>

3. ftp enable 합니다.

root# set system services ftp

[edit]
root# show system services
ftp;
ssh;
netconf {
    ssh;
}
dhcp-local-server {
    group jdhcp-group {
        interface irb.0;
    }
}
web-management {
    https {
        system-generated-certificate;
    }
}

[edit]
root# commit
commit complete

[edit]
root#

또는 GUI에서 아래와 같이 확인 가능 합니다.

라이센스 정보 확인 합니다.

현재 SRX320 Firmware Version 확인

Currnet Version: 21.4R3-S3.4

Target Version: 23.4R2-S3

Firmware Upgrade Path

https://supportportal.juniper.net/s/article/Junos-upgrade-paths-for-SRX-platforms?language=en_US

CEC Juniper Community

supportportal.juniper.net

Upgrade table

To make it easy to lookup for each Junos release for SRX from which earlier releases it is supported to directly upgrade to it, please see the below table.

Before performing the upgrade, please make sure to check the Notes section below for possible caveats and limitations which may apply.

Target Junos releaseDirect upgrade supported from

24.4(*2)	24.2, 23.4, 23.2
24.2	23.4, 23.2, 22.4
23.4	23.2, 22.4, 22.3
23.2	22.4, 22.3, 22.2
22.4	22.3, 22.2, 22.1, 21.4
22.3	22.2, 22.1, 21.4
22.2	22.1, 21.4, 21.3, 21.2
22.1	21.4, 21.3, 21.2
21.4	21.3, 21.2, 21.1, 20.4
21.3	21.2, 21.1, 20.4
21.2	21.1, 20.4, 20.3, 20.2
21.1	20.4, 20.3, 20.2
20.4	20.3, 20.2, 20.1, 19.4
20.3	20.2, 20.1, 19.4
20.2	20.1, 19.4, 19.3, 19.2
20.1	19.4, 19.3, 19.2
19.4	19.3, 19.2, 19.1, 18.4, 15.1X49
19.3	19.2, 19.1, 18.4
19.2	19.1, 18.4, 18.3, 18.2
19.1	18.4, 18.3, 18.2
18.4	18.3, 18.2, 18.1, 17.4, 15.1X49
18.3	18.2, 18.1, 17.4
18.2	18.1, 17.4, 17.3
18.1	17.4, 17.3
17.4	17.3, 15.1X49
17.3	15.1X49
15.1X49	12.3X48

위에 정보를 확인한 결과

To upgrade your SRX device from Junos 21.4R3 to 23.4R2-S3
Path: 21.4R3 --> 22.4R3 --> 23.4R2-S3

Juniper 홈페이지에 접속해서 Firmware를 다운로드 합니다.

https://support.juniper.net/support/downloads/?p=srx320

Downloads

Help us improve your experience. Let us know what you think. Do you have time for a two-minute survey?

support.juniper.net

22.4R3.25 - Checksums 정보

MD5 : 22c2f625180aabe85f252f89c3f212d3
SHA1 : 6e5b2d2ef96227b1db95d265ba899854bd1b6c24
SHA256 : 12d7f2b8245c3f6610f34380a57a642d831aba83f6008b6929d3987737f93bf7
SHA512 : 024fd745d0d3e53daee5713e11aab9029ca9f9979d9b677be8e45f93446e7c2d0b228535291acdec9b3007d51f396ddd407786921cbd99be070212359edebfda

23.4R2.13 - Checksums 정보

MD5 : 18085ebeec8305f538226bd690b18954
SHA1 : 9eaa6ba139907f30863e8a53f9641ad206078d5e
SHA256 : 0728b9bf9c1576661b325a12d0fac7b5c3c2dd29dce184b9bcefca5ca4d973f8
SHA512 : 29d7c7676ca0bd8d8813f6ac2205eaf834ff0e7998ae7ff078f609630131c0136c105128707508e76e9b566ade07230af41256e6fcb0380b3977ea9a52bfdb06

Firmware업르게이드 하기전에 모든 Firmware Version를 다운로드 받았습니다.

winscp를 실행 합니다.

접속이 완료 되면 경로를 아래와 같이 합니다.

첫번째 이미지를 업로드 합니다.

파일이 업로드가 완료 되면 아래와 같이 명령어를 입력해서 확인 합니다.

root> file list /cf/var/tmp

/cf/var/tmp:
appidd_cust_app_trace
appidd_trace_debug
bcast.bdisp.log
bcast.disp.log
bcast.rstdisp.log
bcast.undisp.log
cleanup-pkgs.log
ebmq_authd_vty
eedebug_bin_file
install/
junos-srxsme-22.4R3.25.tgz
kmdchk.log
krt_rpf_filter.txt
mmcq_authd
mmcq_bbeStatsdGetCollector
mmcq_mmdb_rep_mmcq
mmcq_sdb_bbe_mmcq
nsd_restart
pfe-limit
pfe_debug_commands
phone-home/
pics/
policy_status
rtsdb/
sd-upgrade/
sec-download/
vi.recover/

root>

Firmware MD5 checksum 확인

root> file checksum md5 /cf/var/tmp/junos-srxsme-22.4R3.25.tgz MD5 (/cf/var/tmp/junos-srxsme-22.4R3.25.tgz) = 22c2f625180aabe85f252f89c3f212d3

root>

1차로 21.4R3-S3.4 -> 22.4R3.25 업그레이드

아래처럼 입력 하고 업그레이드가 완료 될때가지 기다립니다.

root> request system software add /cf/var/tmp/junos-srxsme-22.4R3.25.tgz no-validate reboot
Formatting alternate root (/dev/da0s2a)...
/dev/da0s2a: 596.0MB (1220680 sectors) block size 16384, fragment size 2048
using 4 cylinder groups of 149.02MB, 9537 blks, 19200 inodes.
super-block backups (for fsck -b #) at:
32, 305216, 610400, 915584
saving package file in /var/sw/pkg ...
Installing package '/altroot/cf/packages/install-tmp/junos-22.4R3.25' ...
Verified junos-boot-srxsme-22.4R3.25.tgz signed by PackageProductionECP256_2024 method ECDSA256+SHA256
Verified junos-srxsme-22.4R3.25-domestic signed by PackageProductionECP256_2024 method ECDSA256+SHA256
Verified manifest signed by PackageProductionECP256_2024 method ECDSA256+SHA256
JUNOS 22.4R3.25 will become active at next reboot
Saving state for rollback ...
Rebooting ...
shutdown: [pid 6825]
Shutdown NOW!

*** FINAL System shutdown message from root@ ***

System going down IMMEDIATELY

부팅 과정 생략

Amnesiac (ttyu0)

login:

부팅이 완료 되면 로그인 합니다.

root> show version
Model: srx320
Junos: 22.4R3.25
JUNOS Software Release [22.4R3.25]

root> show system license
License usage:
                                 Licenses     Licenses    Licenses
                                  Feature      Feature     Feature
  Feature name                       used    installed      needed  Expiry
  idp-sig                               0            1           0    2030-01                          -26 00:00:00 UTC
  remote-access-ipsec-vpn-client        0            2           0    permane                          nt
  remote-access-juniper-std             0            2           0    permane                          nt

Licenses installed:
  License identifier:
  License version: 4
  Valid for device:
  Customer ID:
  Features:
    idp-sig          - IDP Signature
      date-based, 2024-12-27 00:00:00 UTC - 2030-01-26 00:00:00 UTC

root>

1차로 21.4R3-S3.4 -> 22.4R3.25 업그레이드 완료 되었습니다.

2차로 22.4R3.25 -> 23.4R2.13 업그레이드를 하겠습니다.

우선 파일을 srx에 업로드 합니다.

root> file list /cf/var/tmp

/cf/var/tmp:
appidd_cust_app_trace
appidd_trace_debug
bcast.bdisp.log
bcast.disp.log
bcast.rstdisp.log
bcast.undisp.log
cleanup-pkgs.log
dyn_filterd_trace_debug
ebmq_authd_vty
eedebug_bin_file
install/
junos-srxsme-22.4R3.25.tgz
junos-srxsme-23.4R2.13.tgz
kmdchk.log
krt_rpf_filter.txt
mmcq_authd
mmcq_bbeStatsdGetCollector
mmcq_mmdb_rep_mmcq
mmcq_sdb_bbe_mmcq
nsd_restart
pfe-limit
pfe_debug_commands
phone-home/
pics/
policy_status
rtsdb/
sd-upgrade/
sec-download/
vi.recover/

MD5 Check

root> file checksum md5 /cf/var/tmp/junos-srxsme-23.4R2.13.tgz
MD5 (/cf/var/tmp/junos-srxsme-23.4R2.13.tgz) = 18085ebeec8305f538226bd690b18954

Firmware Upgrade and check version

root> request system software add /cf/var/tmp/junos-srxsme-23.4R2.13.tgz no-validate reboot

부팅 과정 생략

root> show version
Model: srx320
Junos: 23.4R2.13
JUNOS Software Release [23.4R2.13]

root> show system license
License usage:
                                 Licensed     Licensed    Licensed
                                  Feature      Feature     Feature
  Feature name                       used    installed      needed    Expiry
  idp-sig                               0            1           0    2030-01-26 00:00:00 UTC
  remote-access-ipsec-vpn-client        0            2           0    permanent
  remote-access-juniper-std             0            2           0    permanent

Licenses installed:

  License identifier:
  License version: 4
  Valid for device:
  Customer ID:
  Features:
    idp-sig          - IDP Signature
      date-based, 2024-12-27 00:00:00 UTC - 2030-01-26 00:00:00 UTC

root>

지금까지 [2025][Juniper SRX #29] Firmware Upgrade - CLI 글을 읽어주셔서 감사합니다.

저작자표시

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2025][Juniper SRX #31] Traffic Flow (0)	2025.02.18
[2025][Juniper SRX #30] IDP Signature Update (0)	2025.02.16
[2025][Juniper SRX #28] Destination Nat - DNAT (0)	2025.02.16
[2025][Juniper SRX #27] Destination Nat - Port Forwarding (0)	2025.02.16
[2025][Juniper SRX #27] Static NAT - One to One NAT (0)	2025.02.14

안녕하세요.

오늘은 Juniper SRX DNAT에 대해서 알아보겠습니다.

User01 - 외부로 통신할때 SNAT 192.168.10.83으로 변환 됩니다.

User02 - 외부로 통신할때 SNAT 192.168.10.83으로 변환 됩니다.

untrust 192.168.10.85 으로 접속하면 20.1.1.1 으로 통신가능하게 DNAT를 설정하겠습니다.

1.SRX01 기본설정 입니다.

1-1 SRX 디폴트로 설정되어진 설정값을 삭제 합니다.

FreeBSD/amd64 (Amnesiac) (ttyu0)

login: root

--- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil
root@:~ # cli
root>

root>

root>

root> configure
Entering configuration mode

[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit

1-2 Interface 설정

set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

1-3 Interface를 Zone에 할당하기. 그리고 system-services all로 설정

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic protocols all
set security zones security-zone dmz interfaces ge-0/0/2.0

1-4 SRX에서 방화벽 정책 설정

set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit

set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any
set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit

set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit

2. HTTP SERVER 설정 - 저는 cisco router를 http enable 해서 http server로 사용하겠습니다

conf t
int g0/0
ip add 20.1.1.1 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 20.1.1.254
ip http server

R1#show
*Feb 14 05:15:18.099: %SYS-5-CONFIG_I: Configured from console by consoleip int brie
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         20.1.1.1        YES manual up                    up
GigabitEthernet0/1         unassigned      YES unset  administratively down down
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
R1#
R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 20.1.1.254 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 20.1.1.254
      20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.1.1.0/24 is directly connected, GigabitEthernet0/0
L        20.1.1.1/32 is directly connected, GigabitEthernet0/0

R1#ping 20.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#

3. User01/ USer02 설정

USER01> ip 10.1.1.1/24 10.1.1.254
Checking for duplicate address...
VPCS : 10.1.1.1 255.255.255.0 gateway 10.1.1.254

USER01 > save
Saving startup configuration to startup.vpc
. done

USER01 >
USER01 > ping 10.1.1.254

84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms
84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms
84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms
84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms
^C
USER01 >

USER02> ip 10.1.1.2/24 10.1.1.254
Checking for duplicate address...
VPCS : 10.1.1.2 255.255.255.0 gateway 10.1.1.254

USER02 > save
Saving startup configuration to startup.vpc
. done

USER02 >
USER02 > ping 10.1.1.254

84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms
84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms
84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms
84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms
^C
USER02 >

PC에서 ping 8.8.8.8 시도

USER01> ping 8.8.8.8

8.8.8.8 icmp_seq=1 timeout
8.8.8.8 icmp_seq=2 timeout
8.8.8.8 icmp_seq=3 timeout
8.8.8.8 icmp_seq=4 timeout

USER02> ping 8.8.8.8

8.8.8.8 icmp_seq=1 timeout
8.8.8.8 icmp_seq=2 timeout
8.8.8.8 icmp_seq=3 timeout
8.8.8.8 icmp_seq=4 timeout

SRX에서 Source NAT (SNAT)가 설정 안되어져 있어서 통신이 불가능 합니다.

SRX에서 SNAT 설정

set security nat source pool source_nat address 192.168.10.84/32
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat pool source_nat

PC에서 다시 확인

USER01> ping 8.8.8.8

84 bytes from 8.8.8.8 icmp_seq=1 ttl=56 time=10.328 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=5.192 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=5.557 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=5.158 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=4.425 ms

USER02> ping 8.8.8.8

84 bytes from 8.8.8.8 icmp_seq=1 ttl=56 time=10.328 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=5.192 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=5.557 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=5.158 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=4.425 ms

방화벽에서 Session 확인하기

root> show security flow session
Session ID: 54102, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.1/54387 --> 8.8.8.8/12;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/12 --> 192.168.10.83/31714;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 54103, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.2/54643 --> 8.8.8.8/8;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/8 --> 192.168.10.83/11101;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 54104, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.1/54643 --> 8.8.8.8/13;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/13 --> 192.168.10.83/8139;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 54105, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.2/54899 --> 8.8.8.8/9;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/9 --> 192.168.10.83/3136;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 54106, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 4, Valid
  In: 10.1.1.1/54899 --> 8.8.8.8/14;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/14 --> 192.168.10.83/13674;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,
Total sessions: 5

제 PC에서도 PING를 시도 합니다.

Probing 192.168.10.85:80/tcp - No response - time=2001.746ms
Probing 192.168.10.85:80/tcp - No response - time=2003.928ms
Probing 192.168.10.85:80/tcp - No response - time=2013.536ms
Probing 192.168.10.85:80/tcp - No response - time=2006.107ms
Probing 192.168.10.85:80/tcp - No response - time=2006.452ms
Probing 192.168.10.85:80/tcp - No response - time=2005.353ms
Probing 192.168.10.85:80/tcp - No response - time=2012.393ms
Probing 192.168.10.85:80/tcp - No response - time=2012.957ms
Probing 192.168.10.85:80/tcp - No response - time=2008.528ms
Probing 192.168.10.85:80/tcp - No response - time=2011.220ms
Probing 192.168.10.85:80/tcp - No response - time=2008.000ms
Probing 192.168.10.85:80/tcp - No response - time=2008.216ms
Probing 192.168.10.85:80/tcp - No response - time=2004.983ms
Probing 192.168.10.85:80/tcp - No response - time=2000.407ms
Probing 192.168.10.85:80/tcp - No response - time=2005.790ms

우선 외부 untrust에서 dmz로 통신하기 위해서 방화벽 정책을 설정 합니다.

set security zones security-zone dmz address-book address dmz_server_01 20.1.1.1/32

set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match source-address any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match destination-address dmz_server_01
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match application any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server then permit

SRX에서 Proxy로 IP POOL에 사용하는 IP 주소를 설정 해야지 Ge-0/0/0가 ARP에 대해서 응답합니다.

set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.86

DESTINATION NAT 설정

set security nat destination pool web_server address 20.1.1.1/32

set security nat destination rule-set to_web_server from zone untrust
set security nat destination rule-set to_web_server rule web_server_incoming match destination-address 192.168.10.86/32
set security nat destination rule-set to_web_server rule web_server_incoming then destination-nat pool web_server

PC에서 통신을 확인 합니다.

정상적으로 통신 가능 합니다.

Probing 192.168.10.86:80/tcp - Port is open - time=23.372ms
Probing 192.168.10.86:80/tcp - Port is open - time=18.897ms
Probing 192.168.10.86:80/tcp - Port is open - time=14.309ms
Probing 192.168.10.86:80/tcp - Port is open - time=18.139ms
Probing 192.168.10.86:80/tcp - Port is open - time=23.166ms
Probing 192.168.10.86:80/tcp - Port is open - time=19.464ms
Probing 192.168.10.86:80/tcp - Port is open - time=18.645ms
Probing 192.168.10.86:80/tcp - Port is open - time=27.360ms
Probing 192.168.10.86:80/tcp - Port is open - time=19.947ms
Probing 192.168.10.86:80/tcp - Port is open - time=20.782ms

위와 같이 192.168.10.85 포트 80 또는 8000으로 20.1.1.1 80으로 통신 가능 합니다.

Interface 확인

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.10.83/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     10.1.1.254/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     20.1.1.254/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

Routing 확인

root> show route

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:13:56
                    >  to 192.168.10.253 via ge-0/0/0.0
10.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/1.0
10.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/1.0
20.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/2.0
20.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/2.0
192.168.10.0/24    *[Direct/0] 00:13:56
                    >  via ge-0/0/0.0
192.168.10.83/32   *[Local/0] 00:13:56
                       Local via ge-0/0/0.0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:30:41
                       MultiRecv

root>

Security Zone 확인

root> show security zones terse
Zone                        Type
dmz                         Security
trust                       Security
untrust                     Security
junos-host                  Security

root> show security zones

Security zone: dmz
  Zone ID: 10
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/2.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: trust
  Zone ID: 7
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/1.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: untrust
  Zone ID: 8
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: junos-host
  Zone ID: 2
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

방화벽 정책 확인

root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: trust, To zone: dmz
  Policy: trust_to_untrust, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: dmz, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: untrust, To zone: dmz
  Policy: untrust_to_dmz_web_server, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: dmz_server_01
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit

root>

방화벽 Hit Count 확인

root> show security policies hit-count
Logical system: root-logical-system
Index   From zone        To zone           Name           Policy count  Action
1       trust            untrust           trust_to_untrust 1942        Permit
2       trust            dmz               trust_to_untrust 0           Permit
3       untrust          dmz               untrust_to_dmz_web_server 844 Permit
4       dmz              untrust           trust_to_untrust 2010        Permit

Number of policy: 4

root>

방화벽 설정값

root> show configuration | display set | no-more
set version 21.3R1.9
set security nat source pool source_nat address 192.168.10.84/32
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface
set security nat destination pool port_foward_server address 20.1.1.1/32
set security nat destination pool port_foward_server address port 80
set security nat destination pool web_server address 20.1.1.1/32
set security nat destination rule-set to_web_server from zone untrust
set security nat destination rule-set to_web_server rule port_forwarding match destination-address 192.168.10.85/32
set security nat destination rule-set to_web_server rule port_forwarding match destination-port 80
set security nat destination rule-set to_web_server rule port_forwarding match destination-port 8000
set security nat destination rule-set to_web_server rule port_forwarding then destination-nat pool port_foward_server
set security nat destination rule-set to_web_server rule web_server_incoming match destination-address 192.168.10.86/32
set security nat destination rule-set to_web_server rule web_server_incoming then destination-nat pool web_server
set security nat static rule-set static_nat_01 from zone untrust
set security nat static rule-set static_nat_01 rule auth_server match destination-address 192.168.10.84/32
set security nat static rule-set static_nat_01 rule auth_server then static-nat prefix 20.1.1.1/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.84/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.85/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.86/32
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any
set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match source-address any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match destination-address dmz_server_01
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match application any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz address-book address dmz_server_01 20.1.1.1/32
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic protocols all
set security zones security-zone dmz interfaces ge-0/0/2.0
set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

root>

지금까지 [2025][Juniper SRX #27] Destination Nat - DNAT 글을 읽어주셔서 감사합니다.

저작자표시

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2025][Juniper SRX #30] IDP Signature Update (0)	2025.02.16
[2025][Juniper SRX #29] Firmware Upgrade - CLI (0)	2025.02.16
[2025][Juniper SRX #27] Destination Nat - Port Forwarding (0)	2025.02.16
[2025][Juniper SRX #27] Static NAT - One to One NAT (0)	2025.02.14
[2025][Juniper SRX #26] Source Nat - SNAT - IP Pool (0)	2025.02.14

안녕하세요.

오늘은 Juniper SRX Destination Nat - Port Forwarding 에 대해서 알아보겠습니다.

User01 - 외부로 통신할때 SNAT 192.168.10.83으로 변환 됩니다.

User02 - 외부로 통신할때 SNAT 192.168.10.83으로 변환 됩니다.

untrust 192.168.10.85:80 으로 접속하면 20.1.1.1:80으로 통신가능하게 DNAT를 설정하겠습니다.

1.SRX01 기본설정 입니다.

1-1 SRX 디폴트로 설정되어진 설정값을 삭제 합니다.

FreeBSD/amd64 (Amnesiac) (ttyu0)

login: root

--- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil
root@:~ # cli
root>

root>

root>

root> configure
Entering configuration mode

[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit

1-2 Interface 설정

set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

1-3 Interface를 Zone에 할당하기. 그리고 system-services all로 설정

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic protocols all
set security zones security-zone dmz interfaces ge-0/0/2.0

1-4 SRX에서 방화벽 정책 설정

set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit

set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any
set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit

set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit

2. HTTP SERVER 설정 - 저는 cisco router를 http enable 해서 http server로 사용하겠습니다

conf t
int g0/0
ip add 20.1.1.1 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 20.1.1.254
ip http server

R1#show
*Feb 14 05:15:18.099: %SYS-5-CONFIG_I: Configured from console by consoleip int brie
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         20.1.1.1        YES manual up                    up
GigabitEthernet0/1         unassigned      YES unset  administratively down down
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
R1#
R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 20.1.1.254 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 20.1.1.254
      20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.1.1.0/24 is directly connected, GigabitEthernet0/0
L        20.1.1.1/32 is directly connected, GigabitEthernet0/0

R1#ping 20.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#

3. User01/ USer02 설정

USER01> ip 10.1.1.1/24 10.1.1.254
Checking for duplicate address...
VPCS : 10.1.1.1 255.255.255.0 gateway 10.1.1.254

USER01 > save
Saving startup configuration to startup.vpc
. done

USER01 >
USER01 > ping 10.1.1.254

84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms
84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms
84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms
84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms
^C
USER01 >

USER02> ip 10.1.1.2/24 10.1.1.254
Checking for duplicate address...
VPCS : 10.1.1.2 255.255.255.0 gateway 10.1.1.254

USER02 > save
Saving startup configuration to startup.vpc
. done

USER02 >
USER02 > ping 10.1.1.254

84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms
84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms
84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms
84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms
^C
USER02 >

PC에서 ping 8.8.8.8 시도

USER01> ping 8.8.8.8

8.8.8.8 icmp_seq=1 timeout
8.8.8.8 icmp_seq=2 timeout
8.8.8.8 icmp_seq=3 timeout
8.8.8.8 icmp_seq=4 timeout

USER02> ping 8.8.8.8

8.8.8.8 icmp_seq=1 timeout
8.8.8.8 icmp_seq=2 timeout
8.8.8.8 icmp_seq=3 timeout
8.8.8.8 icmp_seq=4 timeout

SRX에서 Source NAT (SNAT)가 설정 안되어져 있어서 통신이 불가능 합니다.

SRX에서 SNAT 설정

set security nat source pool source_nat address 192.168.10.84/32
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat pool source_nat

PC에서 다시 확인

USER01> ping 8.8.8.8

84 bytes from 8.8.8.8 icmp_seq=1 ttl=56 time=10.328 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=5.192 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=5.557 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=5.158 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=4.425 ms

USER02> ping 8.8.8.8

84 bytes from 8.8.8.8 icmp_seq=1 ttl=56 time=10.328 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=5.192 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=5.557 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=5.158 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=4.425 ms

방화벽에서 Session 확인하기

root> show security flow session
Session ID: 54102, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.1/54387 --> 8.8.8.8/12;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/12 --> 192.168.10.83/31714;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 54103, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.2/54643 --> 8.8.8.8/8;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/8 --> 192.168.10.83/11101;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 54104, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.1/54643 --> 8.8.8.8/13;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/13 --> 192.168.10.83/8139;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 54105, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.2/54899 --> 8.8.8.8/9;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/9 --> 192.168.10.83/3136;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 54106, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 4, Valid
  In: 10.1.1.1/54899 --> 8.8.8.8/14;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/14 --> 192.168.10.83/13674;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,
Total sessions: 5

제 PC에서도 PING를 시도 합니다.

Probing 192.168.10.85:80/tcp - No response - time=2001.746ms
Probing 192.168.10.85:80/tcp - No response - time=2003.928ms
Probing 192.168.10.85:80/tcp - No response - time=2013.536ms
Probing 192.168.10.85:80/tcp - No response - time=2006.107ms
Probing 192.168.10.85:80/tcp - No response - time=2006.452ms
Probing 192.168.10.85:80/tcp - No response - time=2005.353ms
Probing 192.168.10.85:80/tcp - No response - time=2012.393ms
Probing 192.168.10.85:80/tcp - No response - time=2012.957ms
Probing 192.168.10.85:80/tcp - No response - time=2008.528ms
Probing 192.168.10.85:80/tcp - No response - time=2011.220ms
Probing 192.168.10.85:80/tcp - No response - time=2008.000ms
Probing 192.168.10.85:80/tcp - No response - time=2008.216ms
Probing 192.168.10.85:80/tcp - No response - time=2004.983ms
Probing 192.168.10.85:80/tcp - No response - time=2000.407ms
Probing 192.168.10.85:80/tcp - No response - time=2005.790ms

우선 외부 untrust에서 dmz로 통신하기 위해서 방화벽 정책을 설정 합니다.

set security zones security-zone dmz address-book address dmz_server_01 20.1.1.1/32

set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match source-address any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match destination-address dmz_server_01
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match application any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server then permit

SRX에서 Proxy로 IP POOL에 사용하는 IP 주소를 설정 해야지 Ge-0/0/0가 ARP에 대해서 응답합니다.

set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.85

DESTINATION NAT 설정

set security nat destination pool port_foward_server address 20.1.1.1/32
set security nat destination pool port_foward_server address port 80

set security nat destination rule-set to_web_server from zone untrust
set security nat destination rule-set to_web_server rule port_forwarding match destination-address 192.168.10.85/32
set security nat destination rule-set to_web_server rule port_forwarding match destination-port 80
set security nat destination rule-set to_web_server rule port_forwarding then destination-nat pool port_foward_server

PC에서 통신을 확인 합니다.

정상적으로 통신 가능 합니다.

C:\Users\USER>tcping -t 192.168.10.85 80

** Pinging continuously. Press control-c to stop **

Probing 192.168.10.85:80/tcp - Port is open - time=65.904ms
Probing 192.168.10.85:80/tcp - Port is open - time=15.969ms
Control-C

만약에 192.168.10.85:8000 -> 20.1.1.1:80으로 통신 하고 싶다면 아래와 같이 설정 합니다.

set security nat destination rule-set to_web_server01 rule port_forwarding match destination-port 8000

내 PC에서 통신 시도

C:\Users\USER>tcping -t 192.168.10.85 8000

** Pinging continuously. Press control-c to stop **

Probing 192.168.10.85:8000/tcp - Port is open - time=14.496ms
Probing 192.168.10.85:8000/tcp - Port is open - time=17.589ms
Probing 192.168.10.85:8000/tcp - Port is open - time=13.039ms
Probing 192.168.10.85:8000/tcp - Port is open - time=15.563ms
Probing 192.168.10.85:8000/tcp - Port is open - time=15.389ms
Probing 192.168.10.85:8000/tcp - Port is open - time=13.528ms
Probing 192.168.10.85:8000/tcp - Port is open - time=11.238ms
Probing 192.168.10.85:8000/tcp - Port is open - time=14.091ms

C:\Users\USER>tcping -t 192.168.10.85 80

** Pinging continuously. Press control-c to stop **

Probing 192.168.10.85:80/tcp - Port is open - time=55.989ms
Probing 192.168.10.85:80/tcp - Port is open - time=54.255ms
Probing 192.168.10.85:80/tcp - Port is open - time=19.360ms

위와 같이 192.168.10.85 포트 80 또는 8000으로 20.1.1.1 80으로 통신 가능 합니다.

root> show security nat destination summary
Total pools: 1
Pool name            Address                           Routing        Port  Total
                     Range                             Instance             Address
port_foward_server   20.1.1.1       - 20.1.1.1                        80    1

Total rules: 1
Rule name            Rule set       From                               Action
port_forwarding      to_web_server  untrust                            port_foward_server

root>

root> show security nat destination rule all
Total destination-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 1/0
Destination NAT rule: port_forwarding        Rule-set: to_web_server
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : untrust
    Destination addresses    : 192.168.10.85   - 192.168.10.85
    Destination port         : 80              - 80
                               8000            - 8000
  Action                     : port_foward_server
  Translation hits           : 106
    Successful sessions      : 106
  Number of sessions         : 0

root>

Interface 확인

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.10.83/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     10.1.1.254/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     20.1.1.254/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

Routing 확인

root> show route

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:13:56
                    >  to 192.168.10.253 via ge-0/0/0.0
10.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/1.0
10.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/1.0
20.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/2.0
20.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/2.0
192.168.10.0/24    *[Direct/0] 00:13:56
                    >  via ge-0/0/0.0
192.168.10.83/32   *[Local/0] 00:13:56
                       Local via ge-0/0/0.0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:30:41
                       MultiRecv

root>

Security Zone 확인

root> show security zones terse
Zone                        Type
dmz                         Security
trust                       Security
untrust                     Security
junos-host                  Security

root> show security zones

Security zone: dmz
  Zone ID: 10
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/2.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: trust
  Zone ID: 7
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/1.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: untrust
  Zone ID: 8
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: junos-host
  Zone ID: 2
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

방화벽 정책 확인

root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: trust, To zone: dmz
  Policy: trust_to_untrust, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: dmz, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: untrust, To zone: dmz
  Policy: untrust_to_dmz_web_server, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: dmz_server_01
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit

root>

방화벽 Hit Count 확인

root> show security policies hit-count
Logical system: root-logical-system
Index   From zone        To zone           Name           Policy count  Action
1       trust            untrust           trust_to_untrust 1942        Permit
2       trust            dmz               trust_to_untrust 0           Permit
3       untrust          dmz               untrust_to_dmz_web_server 844 Permit
4       dmz              untrust           trust_to_untrust 2010        Permit

Number of policy: 4

root>

방화벽 설정값

root> show configuration | display set | no-more
set version 21.3R1.9
set security nat source pool source_nat address 192.168.10.84/32
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface
set security nat destination pool port_foward_server address 20.1.1.1/32
set security nat destination pool port_foward_server address port 80
set security nat destination rule-set to_web_server from zone untrust
set security nat destination rule-set to_web_server rule port_forwarding match destination-address 192.168.10.85/32
set security nat destination rule-set to_web_server rule port_forwarding match destination-port 80
set security nat destination rule-set to_web_server rule port_forwarding match destination-port 8000
set security nat destination rule-set to_web_server rule port_forwarding then destination-nat pool port_foward_server
set security nat static rule-set static_nat_01 from zone untrust
set security nat static rule-set static_nat_01 rule auth_server match destination-address 192.168.10.84/32
set security nat static rule-set static_nat_01 rule auth_server then static-nat prefix 20.1.1.1/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.84/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.85/32
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any
set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match source-address any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match destination-address dmz_server_01
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match application any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz address-book address dmz_server_01 20.1.1.1/32
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic protocols all
set security zones security-zone dmz interfaces ge-0/0/2.0
set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

root>

지금까지 [2025][Juniper SRX #27] Destination Nat - Port Forwarding 글을 읽어주셔서 감사합니다.

저작자표시

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2025][Juniper SRX #29] Firmware Upgrade - CLI (0)	2025.02.16
[2025][Juniper SRX #28] Destination Nat - DNAT (0)	2025.02.16
[2025][Juniper SRX #27] Static NAT - One to One NAT (0)	2025.02.14
[2025][Juniper SRX #26] Source Nat - SNAT - IP Pool (0)	2025.02.14
[2025][Juniper SRX #24] site to site vpn - S2S VPN - OSPF (0)	2025.02.07

안녕하세요.

오늘은 PNETLab에서 Cisco Catalyst 8000v를 설치해보겠습니다.

PNETLab VMware를 실행 합니다.

설치 방법은 아래 글을 참고 부탁드립니다.

https://itblog-kr.tistory.com/122

[PNETLab][#1]- Installation on VMware workstation

안녕하세요. EVE-NG Community 무료 버전을 사용하고 있는데, SDWAN 테스트 할때 Jitter, Delay등등을 테스트 하기 위해서는 EVE-NG PRO로 업그레이드 해야 합니다. 그래서 이번에 PNETLab를 설치 하고 안

itblog-kr.tistory.com

1. Putty를 통해서 PNETLab에 접속 합니다.

IP주소는 위에 참고해서 접속 합니다.

2. ishare2 search cpsg검색합니다.

ishare로는 검색이 되지 않습니다.

ishare2를 설치 해야 합니다.

아래 글을 참고 부탁드립니다.

https://itblog-kr.tistory.com/123

[PNETLab][#2]- ishare command

안녕하세요. 오늘은 PNETLab에 ishare command에 대해서 알아보겠습니다.EVE-NG는 시뮬레이션 이미지를 직접 다운로드 받아서 EVE-NG에 업로드 해야합니다.하지만 PNETLab는 자체적으로 시뮬레이션 이미

itblog-kr.tistory.com

root@pnetlab:~# ishare2 search 8000v
┌────────────────────────────────────────────────────────────────┐
│ MOTD from the ishare2 team:                                    │
│ Changelog:                                                     │
│ - Fixed bug when doing integrity checks againts qemu images.   │
│                                                                │
│ Telegram: https://t.me/NetLabHub │
│ Donate: https://buymeacoffee.com/sudoalex │
│ GitHub: https://github.com/ishare2-org/ishare2-cli │
└────────────────────────────────────────────────────────────────┘
=============================
    Available QEMU images
=============================
ID   NAME                     SIZE
--   ----                     ----
151  c8000v-17.06.03          1.5 GiB
152  c8000v-17.07.01a         1.5 GiB
153  c8000v-17.08.01          1.5 GiB
154  c8000v-17.10.01a         1.5 GiB
155  c8000v-17.11.01a         1.5 GiB
172  cat8000v-17-09-01a       1.7 GiB
173  cat8000v-17-13-01a       1.9 GiB
180  catalyst8000v-17.04.01   1.3 GiB
181  catalyst8000v-17.04.01a  1.3 GiB
182  catalyst8000v-17.04.01b  1.3 GiB
183  catalyst8000v-17.05.01a  1.4 GiB
184  catalyst8000v-17.06.01a  1.5 GiB
185  catalyst8000v-17.06.02   1.5 GiB

13 QEMU images found for the term: "8000v"

============================
    Available IOL images
============================
ID  NAME  SIZE
--  ----  ----

No IOL images found for the term: "8000v"

=================================
    Available DYNAMIPS images
=================================
ID  NAME  SIZE
--  ----  ----

No DYNAMIPS images found for the term: "8000v"

root@pnetlab:~# ^C

3. Cisco Catalyst 8000v 설치

root@pnetlab:~# ishare2 pull qemu 183
[!] IMAGE INFO
- Image Name       : catalyst8000v-17.05.01a
- Image Size       : 1.4 GiB
- Image Type       : QEMU
- Image ID         : 183
- Image path       : /opt/unetlab/addons/qemu/catalyst8000v-17.05.01a
- Using host       : https://drive.labhub.eu.org
[!] DOWNLOADING IMAGE
/opt/unetlab/addons/qemu/catalyst8000v-17.05.01 100%[=====================================================================================================>]   1.38G  8.54MB/s    in 3m 26s
[+] DOWNLOAD COMPLETED!
[-] Extracting: catalyst8000v-17.05.01a.tgz file...
[+] Extracted: /opt/unetlab/addons/qemu/catalyst8000v-17.05.01a. Image ready to use.
[-] Fixing permissions...

[+] Fix permissions command has been executed correctly
root@pnetlab:~#

3. https://192.168.40.254 접속합니다.

4. 아래 정보를 입력하고 Add버튼을 클릭 합니다. 아무 이름이나 입력 후 Savve 버튼을 클릭 합니다.

5. 오른쪽 마우스를 클릭 후 Node를 클릭 합니다.

6. CheckPoint Security Gateay VE 선택합니다.

7. Save버튼을 클릭 합니다.

8. click 라우터

License Type: Perpetual
Next reload license Level:

Addon License Level:
Addon License Type: Subscription
Next reload addon license Level:

The current throughput level is 10000 kbps

Smart Licensing Status: Registration Not Applicable/Not Applicable

cisco C8000V (VXE) processor (revision VXE) with 2032007K/3075K bytes of memory.
Processor board ID 9DJL2EOPCI1
Router operating mode: Autonomous
4 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
3965344K bytes of physical memory.
5234688K bytes of virtual hard disk at bootflash:.

Configuration register is 0x2102

Router>  show inven
Router>  show inventory
NAME: "Chassis", DESCR: "Cisco Catalyst 8000V Edge Chassis"
PID: C8000V            , VID: V00  , SN: 9DJL2EOPCI1

NAME: "module R0", DESCR: "Cisco Catalyst 8000V Edge Route Processor"
PID: C8000V            , VID: V00  , SN: JAB1303001C

NAME: "module F0", DESCR: "Cisco Catalyst 8000V Edge Embedded Services Processor"
PID: C8000V            , VID:      , SN:

Router>

지금까지 [PNETLab][#9]- Cisco Catalyst 8000v install 글을 읽어주셔서 감사합니다.

저작자표시

'PNETlab' 카테고리의 다른 글

[PNETLab][#10]- PNETLab Upgrade (0)	2025.02.18
[PNETLab][#8]-CheckPoint Firewall Install (0)	2025.02.13
[PNETLab][#7]-Aruba Mobility Controller Install (0)	2025.02.13
[PNETLab][#6]-Aruba CX Switch Install (0)	2025.02.13
[PNETLab][#5]-Aruba ClearPass Install (0)	2025.02.10

안녕하세요.

오늘은 [2025][Juniper SRX #27] Static NAT - One to One NAT 설정해보겠습니다.

User01 - 10.1.1.1 Ge-0/0/0 192.168.10.83를 통해서 SNAT하고

User02 - 10.1.1.2 Ge-0/0/0 192.168.10.83를 통해서 SNAT하고
HTTP SERVER - 20.1.1.1에 static nat를 설정 하겠습니다.

외부에서 DMZ Server에 통신할때 192.168.10.84 -> 20.1.1.1 변경됩니다.

HTTP Server 20.1.1.1 외부로 통신할때 192.168.10.84로 변경 됩니다.

1.SRX01 기본설정 입니다.

1-1 SRX 디폴트로 설정되어진 설정값을 삭제 합니다.

FreeBSD/amd64 (Amnesiac) (ttyu0)

login: root

--- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil
root@:~ # cli
root>

root>

root>

root> configure
Entering configuration mode

[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit

1-2 Interface 설정

set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

1-3 Interface를 Zone에 할당하기. 그리고 system-services all로 설정

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic protocols all
set security zones security-zone dmz interfaces ge-0/0/2.0

1-4 SRX에서 방화벽 정책 설정

set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit

set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any
set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit

set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit

2. HTTP SERVER 설정 - 저는 cisco router를 http enable 해서 http server로 사용하겠습니다

conf t
int g0/0
ip add 20.1.1.1 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 20.1.1.254
ip http server

R1#show
*Feb 14 05:15:18.099: %SYS-5-CONFIG_I: Configured from console by consoleip int brie
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         20.1.1.1        YES manual up                    up
GigabitEthernet0/1         unassigned      YES unset  administratively down down
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
R1#
R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 20.1.1.254 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 20.1.1.254
      20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.1.1.0/24 is directly connected, GigabitEthernet0/0
L        20.1.1.1/32 is directly connected, GigabitEthernet0/0

R1#ping 20.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#

3. User01/ USer02 설정

USER01> ip 10.1.1.1/24 10.1.1.254
Checking for duplicate address...
VPCS : 10.1.1.1 255.255.255.0 gateway 10.1.1.254

USER01 > save
Saving startup configuration to startup.vpc
. done

USER01 >
USER01 > ping 10.1.1.254

84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms
84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms
84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms
84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms
^C
USER01 >

USER02> ip 10.1.1.2/24 10.1.1.254
Checking for duplicate address...
VPCS : 10.1.1.2 255.255.255.0 gateway 10.1.1.254

USER02 > save
Saving startup configuration to startup.vpc
. done

USER02 >
USER02 > ping 10.1.1.254

84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms
84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms
84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms
84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms
^C
USER02 >

PC에서 ping 8.8.8.8 시도

USER01> ping 8.8.8.8

8.8.8.8 icmp_seq=1 timeout
8.8.8.8 icmp_seq=2 timeout
8.8.8.8 icmp_seq=3 timeout
8.8.8.8 icmp_seq=4 timeout

USER02> ping 8.8.8.8

8.8.8.8 icmp_seq=1 timeout
8.8.8.8 icmp_seq=2 timeout
8.8.8.8 icmp_seq=3 timeout
8.8.8.8 icmp_seq=4 timeout

SRX에서 Source NAT (SNAT)가 설정 안되어져 있어서 통신이 불가능 합니다.

SRX에서 SNAT 설정

set security nat source pool source_nat address 192.168.10.84/32
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat pool source_nat

PC에서 다시 확인

USER01> ping 8.8.8.8

84 bytes from 8.8.8.8 icmp_seq=1 ttl=56 time=10.328 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=5.192 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=5.557 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=5.158 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=4.425 ms

USER02> ping 8.8.8.8

84 bytes from 8.8.8.8 icmp_seq=1 ttl=56 time=10.328 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=5.192 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=5.557 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=5.158 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=4.425 ms

방화벽에서 Session 확인하기

root> show security flow session
Session ID: 54102, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.1/54387 --> 8.8.8.8/12;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/12 --> 192.168.10.83/31714;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 54103, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.2/54643 --> 8.8.8.8/8;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/8 --> 192.168.10.83/11101;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 54104, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.1/54643 --> 8.8.8.8/13;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/13 --> 192.168.10.83/8139;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 54105, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.2/54899 --> 8.8.8.8/9;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/9 --> 192.168.10.83/3136;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 54106, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 4, Valid
  In: 10.1.1.1/54899 --> 8.8.8.8/14;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/14 --> 192.168.10.83/13674;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,
Total sessions: 5

DMZ에 20.1.1.1 서버에서 외부로 PING를 시도 합니다.

R1#ping 20.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/7 ms
R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#

제 PC에서도 PING를 시도 합니다.

C:\Users\USER>ping 192.168.10.84

Ping 192.168.10.84 32바이트 데이터 사용:
요청 시간이 만료되었습니다.
요청 시간이 만료되었습니다.
요청 시간이 만료되었습니다.
요청 시간이 만료되었습니다.

192.168.10.84에 대한 Ping 통계:
패킷: 보냄 = 4, 받음 = 0, 손실 = 4 (100% 손실),

One to One NAT ( Static NAT)를 사용 해서 192.168.10.84 <---> 20.1.1.1로 설정합니다.

서버는 외부 통신할때 Source IP 20.1.1.1 -> 192.168.10.84 변경됩니다.

외부에서 DMZ서버랑 통신 할때 Destination IP 192.168.10.84 -> 20.1.1.1 변경 됩니다.

우선 외부 untrust에서 dmz로 통신하기 위해서 방화벽 정책을 설정 합니다.

set security zones security-zone dmz address-book address dmz_server_01 20.1.1.1/32

set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match source-address any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match destination-address dmz_server_01
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match application any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server then permit

그 이유는 SRX에서 Proxy로 IP POOL에 사용하는 IP 주소를 설정 해야지 Ge-0/0/0가 ARP에 대해서 응답합니다.

set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.84

Static NAT 설정

set security nat static rule-set static_nat_01 from zone untrust
set security nat static rule-set static_nat_01 rule auth_server match destination-address 192.168.10.84/32
set security nat static rule-set static_nat_01 rule auth_server then static-nat prefix 20.1.1.1/32

WEB SERVER에서 외부로 PING

R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/6 ms
R1#

내 PC에서 통신 시도

C:\Users\USER>ping 192.168.10.84

Ping 192.168.10.84 32바이트 데이터 사용:
192.168.10.84의 응답: 바이트=32 시간=40ms TTL=253
192.168.10.84의 응답: 바이트=32 시간=163ms TTL=253
192.168.10.84의 응답: 바이트=32 시간=17ms TTL=253
192.168.10.84의 응답: 바이트=32 시간=11ms TTL=253

192.168.10.84에 대한 Ping 통계:
패킷: 보냄 = 4, 받음 = 4, 손실 = 0 (0% 손실),
왕복 시간(밀리초):
최소 = 11ms, 최대 = 163ms, 평균 = 57ms

C:\Users\USER>

내 피시에서 https://192.168.10.84 접속하면 아래처럼 페이지가 열립니다.

SRX session 확인

아래처럼 20.1.1.1은 192.168.10.84로 변환하여 통신하고 있는것을 확인 가능 합니다.

root> show security flow session
Session ID: 57417, Policy name: trust_to_untrust/6, State: Stand-alone, Timeout: 2, Valid
  In: 20.1.1.1/8 --> 8.8.8.8/0;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 100,
  Out: 8.8.8.8/0 --> 192.168.10.84/8;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 100,

Session ID: 57418, Policy name: trust_to_untrust/6, State: Stand-alone, Timeout: 2, Valid
  In: 20.1.1.1/8 --> 8.8.8.8/1;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 100,
  Out: 8.8.8.8/1 --> 192.168.10.84/8;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 100,

제 PC에서 192.168.10.84 통신 했을때, 20.1.1.1로 변경되는것을 확인 가능 합니다.

root> show security flow session
Session ID: 58466, Policy name: untrust_to_dmz_web_server/7, State: Stand-alone, Timeout: 2, Valid
  In: 172.16.10.20/3 --> 192.168.10.84/11434;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60,
  Out: 20.1.1.1/11434 --> 172.16.10.20/3;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 60,

Session ID: 58467, Policy name: untrust_to_dmz_web_server/7, State: Stand-alone, Timeout: 2, Valid
  In: 172.16.10.20/3 --> 192.168.10.84/11436;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60,
  Out: 20.1.1.1/11436 --> 172.16.10.20/3;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 60,

Session ID: 58468, Policy name: untrust_to_dmz_web_server/7, State: Stand-alone, Timeout: 4, Valid
  In: 172.16.10.20/3 --> 192.168.10.84/11438;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60,
  Out: 20.1.1.1/11438 --> 172.16.10.20/3;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 1, Bytes: 60,
Total sessions: 3

root> show security nat static rule all
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0
Static NAT rule: auth_server            Rule-set: static_nat_01
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : untrust
  Destination addresses      : 192.168.10.84
  Host addresses             : 20.1.1.1
  Netmask                    : 32
  Host routing-instance      : N/A
  Translation hits           : 2083
    Successful sessions      : 2083
  Number of sessions         : 4

root>

Interface 확인

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.10.83/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     10.1.1.254/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     20.1.1.254/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

Routing 확인

root> show route

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:13:56
                    >  to 192.168.10.253 via ge-0/0/0.0
10.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/1.0
10.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/1.0
20.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/2.0
20.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/2.0
192.168.10.0/24    *[Direct/0] 00:13:56
                    >  via ge-0/0/0.0
192.168.10.83/32   *[Local/0] 00:13:56
                       Local via ge-0/0/0.0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:30:41
                       MultiRecv

root>

Security Zone 확인

root> show security zones terse
Zone                        Type
dmz                         Security
trust                       Security
untrust                     Security
junos-host                  Security

root> show security zones

Security zone: dmz
  Zone ID: 10
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/2.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: trust
  Zone ID: 7
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/1.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: untrust
  Zone ID: 8
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: junos-host
  Zone ID: 2
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

방화벽 정책 확인

root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: trust, To zone: dmz
  Policy: trust_to_untrust, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: dmz, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: untrust, To zone: dmz
  Policy: untrust_to_dmz_web_server, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: dmz_server_01
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit

root>

방화벽 Hit Count 확인

root> show security policies hit-count
Logical system: root-logical-system
Index   From zone        To zone           Name           Policy count  Action
1       trust            untrust           trust_to_untrust 1942        Permit
2       trust            dmz               trust_to_untrust 0           Permit
3       untrust          dmz               untrust_to_dmz_web_server 196 Permit
4       dmz              untrust           trust_to_untrust 2010        Permit

Number of policy: 4

root>

방화벽 NAT 확인

root> show security nat source summary
Total port number usage for port translation pool: 64512
Maximum port number for port translation pool: 50331648
Total pools: 1
Pool                 Address                  Routing              PAT  Total
Name                 Range                    Instance                  Address
source_nat           192.168.10.84-192.168.10.84 default           yes  1

Total rules: 1
Rule name          Rule set       From              To                   Action
PAT-INTERFACE      SOURCE-NAT     trust             untrust              interface
                               ^
syntax error, expecting <command>.
root> show security nat source rule all
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0
source NAT rule: PAT-INTERFACE          Rule-set: SOURCE-NAT
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : trust
  To zone                    : untrust
  Match
    Source addresses         : 10.1.1.0        - 10.1.1.255
    Destination addresses    : 0.0.0.0         - 255.255.255.255
  Action                        : interface
    Persistent NAT type         : N/A
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout          : 0
    Max session number          : 0
  Translation hits           : 1942
    Successful sessions      : 1942
  Number of sessions         : 0

root> show security nat static rule all
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/0
Static NAT rule: auth_server            Rule-set: static_nat_01
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : untrust
  Destination addresses      : 192.168.10.84
  Host addresses             : 20.1.1.1
  Netmask                    : 32
  Host routing-instance      : N/A
  Translation hits           : 2302
    Successful sessions      : 2302
  Number of sessions         : 5

root>

방화벽 설정값

root> show configuration | display set | no-more
set version 21.3R1.9
set security nat source pool source_nat address 192.168.10.84/32
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface
set security nat static rule-set static_nat_01 from zone untrust
set security nat static rule-set static_nat_01 rule auth_server match destination-address 192.168.10.84/32
set security nat static rule-set static_nat_01 rule auth_server then static-nat prefix 20.1.1.1/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.84/32
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any
set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match source-address any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match destination-address dmz_server_01
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server match application any
set security policies from-zone untrust to-zone dmz policy untrust_to_dmz_web_server then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz address-book address dmz_server_01 20.1.1.1/32
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic protocols all
set security zones security-zone dmz interfaces ge-0/0/2.0
set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

root>

지금까지 [2025][Juniper SRX #26] Source Nat - SNAT - IP Pool 글을 읽어주셔서 감사합니다.

저작자표시

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2025][Juniper SRX #28] Destination Nat - DNAT (0)	2025.02.16
[2025][Juniper SRX #27] Destination Nat - Port Forwarding (0)	2025.02.16
[2025][Juniper SRX #26] Source Nat - SNAT - IP Pool (0)	2025.02.14
[2025][Juniper SRX #24] site to site vpn - S2S VPN - OSPF (0)	2025.02.07
[2025][Juniper SRX #23] site to site vpn - S2S VPN - static route (0)	2025.02.07

안녕하세요.

오늘은 Juniper SRX에서 Source NAT를 IP Pool에 대해서 설정해보겠습니다.

토폴로지는 아래와 같습니다.

Ge-0/0/0 192.168.10.83 IP를 사용하지 않고, 192.168.10.84 IP를 통해서 Trust / DMZ Traffic를 SNAT하겠습니다.

1.SRX01 기본설정 입니다.

1-1 SRX 디폴트로 설정되어진 설정값을 삭제 합니다.

FreeBSD/amd64 (Amnesiac) (ttyu0)

login: root

--- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil
root@:~ # cli
root>

root>

root>

root> configure
Entering configuration mode

[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit

1-2 Interface 설정

set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

1-3 Interface를 Zone에 할당하기. 그리고 system-services all로 설정

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic protocols all
set security zones security-zone dmz interfaces ge-0/0/2.0

1-4 SRX에서 방화벽 정책 설정

set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit

set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any
set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit

set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit

2. HTTP SERVER 설정 - 저는 cisco router를 http enable 해서 http server로 사용하겠습니다

conf t
int g0/0
ip add 20.1.1.1 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 20.1.1.254
ip http server

R1#show
*Feb 14 05:15:18.099: %SYS-5-CONFIG_I: Configured from console by consoleip int brie
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         20.1.1.1        YES manual up                    up
GigabitEthernet0/1         unassigned      YES unset  administratively down down
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
R1#
R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 20.1.1.254 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 20.1.1.254
      20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.1.1.0/24 is directly connected, GigabitEthernet0/0
L        20.1.1.1/32 is directly connected, GigabitEthernet0/0

R1#ping 20.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#

3. PC 설정

VPCS> ip 10.1.1.1/24 10.1.1.254
Checking for duplicate address...
VPCS : 10.1.1.1 255.255.255.0 gateway 10.1.1.254

VPCS> save
Saving startup configuration to startup.vpc
. done

VPCS>
VPCS> ping 10.1.1.254

84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms
84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms
84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms
84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms
^C
VPCS>

PC에서 ping 8.8.8.8 시도

VPCS> ping 8.8.8.8

8.8.8.8 icmp_seq=1 timeout
8.8.8.8 icmp_seq=2 timeout
8.8.8.8 icmp_seq=3 timeout
8.8.8.8 icmp_seq=4 timeout

SRX에서 Source NAT (SNAT)가 설정 안되어져 있어서 통신이 불가능 합니다.

SRX에서 SNAT 설정

set security nat source pool source_nat address 192.168.10.84/32
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat pool source_nat

PC에서 다시 확인

VPCS> ping 8.8.8.8

8.8.8.8 icmp_seq=621 timeout
8.8.8.8 icmp_seq=622 timeout
8.8.8.8 icmp_seq=623 timeout
8.8.8.8 icmp_seq=624 timeout
8.8.8.8 icmp_seq=625 timeout
8.8.8.8 icmp_seq=626 timeout
8.8.8.8 icmp_seq=627 timeout
8.8.8.8 icmp_seq=628 timeout
8.8.8.8 icmp_seq=629 timeout
8.8.8.8 icmp_seq=630 timeout
8.8.8.8 icmp_seq=631 timeout
8.8.8.8 icmp_seq=632 timeout
VPCS>

그 이유는 SRX에서 Proxy로 IP POOL에 사용하는 IP 주소를 설정 해야지 Ge-0/0/0가 ARP에 대해서 응답합니다.

set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.84

PC에서 다시 8.8.8.8 PING

VPCS> ping 8.8.8.8 -c 1000

8.8.8.8 icmp_seq=1 timeout
84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=2.049 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=1.954 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=2.603 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=2.052 ms
84 bytes from 8.8.8.8 icmp_seq=6 ttl=56 time=2.130 ms
84 bytes from 8.8.8.8 icmp_seq=7 ttl=56 time=2.229 ms
84 bytes from 8.8.8.8 icmp_seq=8 ttl=56 time=2.078 ms
84 bytes from 8.8.8.8 icmp_seq=9 ttl=56 time=2.150 ms
84 bytes from 8.8.8.8 icmp_seq=10 ttl=56 time=2.061 ms
84 bytes from 8.8.8.8 icmp_seq=11 ttl=56 time=2.151 ms
84 bytes from 8.8.8.8 icmp_seq=12 ttl=56 time=2.173 ms
84 bytes from 8.8.8.8 icmp_seq=13 ttl=56 time=2.450 ms
84 bytes from 8.8.8.8 icmp_seq=14 ttl=56 time=2.411 ms
84 bytes from 8.8.8.8 icmp_seq=15 ttl=56 time=2.296 ms
84 bytes from 8.8.8.8 icmp_seq=16 ttl=56 time=2.049 ms
84 bytes from 8.8.8.8 icmp_seq=17 ttl=56 time=2.047 ms
84 bytes from 8.8.8.8 icmp_seq=18 ttl=56 time=2.101 ms

SRX session 확인

root> show security flow session
Session ID: 3402, Policy name: self-traffic-policy/1, State: Stand-alone, Timeout: 2, Valid
  In: 172.16.10.20/1 --> 192.168.10.83/2368;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60,
  Out: 192.168.10.83/2368 --> 172.16.10.20/1;icmp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 60,

Session ID: 3403, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.1/37592 --> 8.8.8.8/64;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/64 --> 192.168.10.84/20216;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 3405, Policy name: self-traffic-policy/1, State: Stand-alone, Timeout: 2, Valid
  In: 172.16.10.20/1 --> 192.168.10.83/2369;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60,
  Out: 192.168.10.83/2369 --> 172.16.10.20/1;icmp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 60,

Session ID: 3406, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 2, Valid
  In: 10.1.1.1/37848 --> 8.8.8.8/65;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/65 --> 192.168.10.84/30540;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 3408, Policy name: self-traffic-policy/1, State: Stand-alone, Timeout: 4, Valid
  In: 172.16.10.20/1 --> 192.168.10.83/2370;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60,
  Out: 192.168.10.83/2370 --> 172.16.10.20/1;icmp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 60,

Session ID: 3409, Policy name: trust_to_untrust/4, State: Stand-alone, Timeout: 4, Valid
  In: 10.1.1.1/38104 --> 8.8.8.8/66;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/66 --> 192.168.10.84/22474;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84,

Session ID: 3411, Policy name: self-traffic-policy/1, State: Stand-alone, Timeout: 4, Valid
  In: 172.16.10.20/1 --> 192.168.10.83/2371;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60,
  Out: 192.168.10.83/2371 --> 172.16.10.20/1;icmp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 60,
Total sessions: 7

root>

HTTP Server에서 Ping 8.8.8.8 시도

SRX DMZ SNAT 설정이 없어서 실패

R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#

SRX에서 DMZ를 위해서 SNAT설정

set security nat source rule-set SOURCE-NAT from zone dmz
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 20.1.1.0/24

HTTP Server에서 Ping 시도

R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/6 ms
R1#

SRX에서 기본적인 부분 확인 Command

Interface 확인

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.10.83/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     10.1.1.254/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     20.1.1.254/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

Routing 확인

root> show route

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:13:56
                    >  to 192.168.10.253 via ge-0/0/0.0
10.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/1.0
10.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/1.0
20.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/2.0
20.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/2.0
192.168.10.0/24    *[Direct/0] 00:13:56
                    >  via ge-0/0/0.0
192.168.10.83/32   *[Local/0] 00:13:56
                       Local via ge-0/0/0.0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:30:41
                       MultiRecv

root>

Security Zone 확인

root> show security zones terse
Zone                        Type
dmz                         Security
trust                       Security
untrust                     Security
junos-host                  Security

root> show security zones

Security zone: dmz
  Zone ID: 10
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/2.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: trust
  Zone ID: 7
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/1.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: untrust
  Zone ID: 8
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: junos-host
  Zone ID: 2
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

방화벽 정책 확인

root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: trust, To zone: dmz
  Policy: trust_to_untrust, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: dmz, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit

방화벽 Hit Count 확인

root> show security policies hit-count
Logical system: root-logical-system
Index   From zone        To zone           Name           Policy count  Action
1       trust            untrust           trust_to_untrust 15          Permit
2       trust            dmz               trust_to_untrust 0           Permit
3       dmz              untrust           trust_to_untrust 10          Permit

Number of policy: 3

root>

방화벽 NAT 확인

root> show security nat source summary
Total pools: 0

Total rules: 1
Rule name          Rule set       From              To                   Action
PAT-INTERFACE      SOURCE-NAT     dmz               untrust              interface
PAT-INTERFACE                     trust

root> show security nat source rule all
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 3/0
source NAT rule: PAT-INTERFACE          Rule-set: SOURCE-NAT
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : dmz
                             : trust
  To zone                    : untrust
  Match
    Source addresses         : 10.1.1.0        - 10.1.1.255
                               20.1.1.0        - 20.1.1.255
    Destination addresses    : 0.0.0.0         - 255.255.255.255
  Action                        : interface
    Persistent NAT type         : N/A
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout          : 0
    Max session number          : 0
  Translation hits           : 10
    Successful sessions      : 10
  Number of sessions         : 0

방화벽 설정값

root> show configuration | display set | no-more
set version 21.3R1.9
set system root-authentication encrypted-password "$6$foWa5m5j$QTNzAZvC.AJNs4b9yJq/18Qp038uo2x6rPM/imUQn/M3hFIJsz5FxlOXdwq6iS2UG12O3SIpFdTzZBYi4wmkY1"
set security nat source pool source_nat address 192.168.10.84/32
set security nat source rule-set SOURCE-NAT from zone dmz
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 20.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat pool source_nat
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.10.84/32
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any
set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic protocols all
set security zones security-zone dmz interfaces ge-0/0/2.0
set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

root>

지금까지 [2025][Juniper SRX #26] Source Nat - SNAT - IP Pool 글을 읽어주셔서 감사합니다.

저작자표시

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2025][Juniper SRX #27] Destination Nat - Port Forwarding (0)	2025.02.16
[2025][Juniper SRX #27] Static NAT - One to One NAT (0)	2025.02.14
[2025][Juniper SRX #24] site to site vpn - S2S VPN - OSPF (0)	2025.02.07
[2025][Juniper SRX #23] site to site vpn - S2S VPN - static route (0)	2025.02.07
[2025][Juniper SRX #22] site to site vpn - S2S VPN - 기본 설정 (0)	2025.02.07

안녕하세요.

오늘은 Juniper SRX에서 Source NAT에 대해서 설정해보겠습니다.

토폴로지는 아래와 같습니다.

1.SRX01 기본설정 입니다.

1-1 SRX 디폴트로 설정되어진 설정값을 삭제 합니다.

FreeBSD/amd64 (Amnesiac) (ttyu0)

login: root

--- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil
root@:~ # cli
root>

root>

root>

root> configure
Entering configuration mode

[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit

1-2 Interface 설정

set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

1-3 Interface를 Zone에 할당하기. 그리고 system-services all로 설정

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic protocols all
set security zones security-zone dmz interfaces ge-0/0/2.0

1-4 SRX에서 방화벽 정책 설정

set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit

set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any
set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit

set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit

2. HTTP SERVER 설정 - 저는 cisco router를 http enable 해서 http server로 사용하겠습니다

conf t
int g0/0
ip add 20.1.1.1 255.255.255.0
no sh
ip route 0.0.0.0 0.0.0.0 20.1.1.254
ip http server

R1#show
*Feb 14 05:15:18.099: %SYS-5-CONFIG_I: Configured from console by consoleip int brie
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         20.1.1.1        YES manual up                    up
GigabitEthernet0/1         unassigned      YES unset  administratively down down
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
R1#
R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 20.1.1.254 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 20.1.1.254
      20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.1.1.0/24 is directly connected, GigabitEthernet0/0
L        20.1.1.1/32 is directly connected, GigabitEthernet0/0

R1#ping 20.1.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#

3. PC 설정

VPCS> ip 10.1.1.1/24 10.1.1.254
Checking for duplicate address...
VPCS : 10.1.1.1 255.255.255.0 gateway 10.1.1.254

VPCS> save
Saving startup configuration to startup.vpc
. done

VPCS>
VPCS> ping 10.1.1.254

84 bytes from 10.1.1.254 icmp_seq=1 ttl=64 time=0.418 ms
84 bytes from 10.1.1.254 icmp_seq=2 ttl=64 time=0.573 ms
84 bytes from 10.1.1.254 icmp_seq=3 ttl=64 time=0.539 ms
84 bytes from 10.1.1.254 icmp_seq=4 ttl=64 time=0.567 ms
^C
VPCS>

PC에서 ping 8.8.8.8 시도

VPCS> ping 8.8.8.8

8.8.8.8 icmp_seq=1 timeout
8.8.8.8 icmp_seq=2 timeout
8.8.8.8 icmp_seq=3 timeout
8.8.8.8 icmp_seq=4 timeout

SRX에서 Source NAT (SNAT)가 설정 안되어져 있어서 통신이 불가능 합니다.

SRX에서 SNAT 설정

set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface

PC에서 다시 확인

VPCS> ping 8.8.8.8

84 bytes from 8.8.8.8 icmp_seq=1 ttl=56 time=23.166 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=2.255 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=1.980 ms
84 bytes from 8.8.8.8 icmp_seq=4 ttl=56 time=2.337 ms
84 bytes from 8.8.8.8 icmp_seq=5 ttl=56 time=2.088 ms
^C
VPCS>

HTTP Server에서 Ping 8.8.8.8 시도

SRX DMZ SNAT 설정이 없어서 실패

R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#

SRX에서 DMZ를 위해서 SNAT설정

set security nat source rule-set SOURCE-NAT from zone dmz
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 20.1.1.0/24

HTTP Server에서 Ping 시도

R1#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/6 ms
R1#

SRX에서 기본적인 부분 확인 Command

Interface 확인

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.10.83/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     10.1.1.254/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     20.1.1.254/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

Routing 확인

root> show route

inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:13:56
                    >  to 192.168.10.253 via ge-0/0/0.0
10.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/1.0
10.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/1.0
20.1.1.0/24        *[Direct/0] 00:13:56
                    >  via ge-0/0/2.0
20.1.1.254/32      *[Local/0] 00:13:56
                       Local via ge-0/0/2.0
192.168.10.0/24    *[Direct/0] 00:13:56
                    >  via ge-0/0/0.0
192.168.10.83/32   *[Local/0] 00:13:56
                       Local via ge-0/0/0.0

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:30:41
                       MultiRecv

root>

Security Zone 확인

root> show security zones terse
Zone                        Type
dmz                         Security
trust                       Security
untrust                     Security
junos-host                  Security

root> show security zones

Security zone: dmz
  Zone ID: 10
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/2.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: trust
  Zone ID: 7
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/1.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: untrust
  Zone ID: 8
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

Security zone: junos-host
  Zone ID: 2
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:
  Advanced-connection-tracking timeout: 1800
  Unidirectional-session-refreshing: No

방화벽 정책 확인

root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: trust, To zone: dmz
  Policy: trust_to_untrust, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
From zone: dmz, To zone: untrust
  Policy: trust_to_untrust, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit

방화벽 Hit Count 확인

root> show security policies hit-count
Logical system: root-logical-system
Index   From zone        To zone           Name           Policy count  Action
1       trust            untrust           trust_to_untrust 15          Permit
2       trust            dmz               trust_to_untrust 0           Permit
3       dmz              untrust           trust_to_untrust 10          Permit

Number of policy: 3

root>

방화벽 NAT 확인

root> show security nat source summary
Total pools: 0

Total rules: 1
Rule name          Rule set       From              To                   Action
PAT-INTERFACE      SOURCE-NAT     dmz               untrust              interface
PAT-INTERFACE                     trust

root> show security nat source rule all
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 3/0
source NAT rule: PAT-INTERFACE          Rule-set: SOURCE-NAT
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : dmz
                             : trust
  To zone                    : untrust
  Match
    Source addresses         : 10.1.1.0        - 10.1.1.255
                               20.1.1.0        - 20.1.1.255
    Destination addresses    : 0.0.0.0         - 255.255.255.255
  Action                        : interface
    Persistent NAT type         : N/A
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout          : 0
    Max session number          : 0
  Translation hits           : 10
    Successful sessions      : 10
  Number of sessions         : 0

방화벽 설정값

root> show configuration | display set | no-more
set version 21.3R1.9
set security nat source rule-set SOURCE-NAT from zone dmz
set security nat source rule-set SOURCE-NAT from zone trust
set security nat source rule-set SOURCE-NAT to zone untrust
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 10.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match source-address 20.1.1.0/24
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set SOURCE-NAT rule PAT-INTERFACE then source-nat interface
set security policies from-zone trust to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust_to_untrust match application any
set security policies from-zone trust to-zone untrust policy trust_to_untrust then permit
set security policies from-zone trust to-zone dmz policy trust_to_untrust match source-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match destination-address any
set security policies from-zone trust to-zone dmz policy trust_to_untrust match application any
set security policies from-zone trust to-zone dmz policy trust_to_untrust then permit
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match source-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match destination-address any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust match application any
set security policies from-zone dmz to-zone untrust policy trust_to_untrust then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz host-inbound-traffic protocols all
set security zones security-zone dmz interfaces ge-0/0/2.0
set interfaces ge-0/0/0 unit 0 family inet address 192.168.10.83/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.254/24
set protocols lldp interface all
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

root>

지금까지 [2025][Juniper SRX #25] Source Nat - SNAT 글을 읽어주셔서 감사합니다.

저작자표시

안녕하세요.

오늘은 PNETLab에서 CheckPoint Firewall를 설치해보겠습니다.

PNETLab VMware를 실행 합니다.

설치 방법은 아래 글을 참고 부탁드립니다.

https://itblog-kr.tistory.com/122

[PNETLab][#1]- Installation on VMware workstation

안녕하세요. EVE-NG Community 무료 버전을 사용하고 있는데, SDWAN 테스트 할때 Jitter, Delay등등을 테스트 하기 위해서는 EVE-NG PRO로 업그레이드 해야 합니다. 그래서 이번에 PNETLab를 설치 하고 안

itblog-kr.tistory.com

1. Putty를 통해서 PNETLab에 접속 합니다.

IP주소는 위에 참고해서 접속 합니다.

2. ishare2 search cpsg검색합니다.

ishare로는 검색이 되지 않습니다.

ishare2를 설치 해야 합니다.

아래 글을 참고 부탁드립니다.

https://itblog-kr.tistory.com/123

[PNETLab][#2]- ishare command

안녕하세요. 오늘은 PNETLab에 ishare command에 대해서 알아보겠습니다.EVE-NG는 시뮬레이션 이미지를 직접 다운로드 받아서 EVE-NG에 업로드 해야합니다.하지만 PNETLab는 자체적으로 시뮬레이션 이미

itblog-kr.tistory.com

root@pnetlab:~# ishare2 search cpsg
=============================
    Available QEMU images
=============================
ID   NAME                      SIZE
--   ----                      ----
201  cpsg-R77-20 (checkpoint)  4.0 GiB
202  cpsg-R80-20M1_T14         3.9 GiB
203  cpsg-R80-40               7.4 GiB
204  cpsg-R81                  5.5 GiB
205  cpsg-R81.10               8.1 GiB
206  cpsg-R81.10               5.7 GiB
207  cpsg-R81.20-Licensed      4.9 GiB
208  cpsg2-R81.20-Licensed     4.7 GiB

8 QEMU images found for the term: "cpsg"

============================
    Available IOL images
============================
ID  NAME  SIZE
--  ----  ----

No IOL images found for the term: "cpsg"

=================================
    Available DYNAMIPS images
=================================
ID  NAME  SIZE
--  ----  ----

No DYNAMIPS images found for the term: "cpsg"

root@pnetlab:~#

3. CheckPoint Firewall 설치

root@pnetlab:~# ishare2 pull qemu 202
[!] IMAGE INFO
- Image Name       : cpsg-R80-20M1_T14
- Image Size       : 3.9 GiB
- Image Type       : QEMU
- Image ID         : 202
- Image path       : /opt/unetlab/addons/qemu/cpsg-R80-20M1_T14
- Using host       : https://drive.labhub.eu.org
[!] DOWNLOADING IMAGE
/opt/unetlab/addons 100%[===================>]   3.92G  6.78MB/s    in 14m 17s
[+] DOWNLOAD COMPLETED!
[-] Fixing permissions...

[+] Fix permissions command has been executed correctly
root@pnetlab:~#

3. https://192.168.40.250 접속 하고 아래 버튼을 클릭 합니다.

4. 아래 정보를 입력하고 Add버튼을 클릭 합니다. CheckPoint Test 그리고 Savve 버튼을 클릭 합니다.

5. 오른쪽 마우스를 클릭 후 Node를 클릭 합니다.

6. CheckPoint Security Gateay VE 선택합니다.

7. Save버튼을 클릭 합니다.

8. Network를 클릭 합니다.

9. save버튼을 클릭 합니다.

10. 아래처럼 연결하고 start버튼을 클릭 합니다.

11. 아이콘을 더블클릭 하면 아래처럼 putty 또는 CRT가 실행 됩니다.

저작자표시

'PNETlab' 카테고리의 다른 글

[PNETLab][#10]- PNETLab Upgrade (0)	2025.02.18
[PNETLab][#9]- Cisco Catalyst 8000v install (0)	2025.02.15
[PNETLab][#7]-Aruba Mobility Controller Install (0)	2025.02.13
[PNETLab][#6]-Aruba CX Switch Install (0)	2025.02.13
[PNETLab][#5]-Aruba ClearPass Install (0)	2025.02.10

내 블로그 - 관리자 홈 전환	`Q` `Q`
새 글 쓰기	`W` `W`

글 수정 (권한 있는 경우)	`E` `E`
댓글 영역으로 이동	`C` `C`

이 페이지의 URL 복사	`S` `S`
맨 위로 이동	`T` `T`
티스토리 홈 이동	`H` `H`
단축키 안내	`Shift` + `/` `⇧` + `/`

IT BLOG(KR)

전체 글

[2025][Juniper SRX #31] Traffic Flow

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2025][Juniper SRX #30] IDP Signature Update

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2025][Juniper SRX #29] Firmware Upgrade - CLI

Upgrade table

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2025][Juniper SRX #28] Destination Nat - DNAT

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2025][Juniper SRX #27] Destination Nat - Port Forwarding

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[PNETLab][#9]- Cisco Catalyst 8000v install

'PNETlab' 카테고리의 다른 글

[2025][Juniper SRX #27] Static NAT - One to One NAT

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2025][Juniper SRX #26] Source Nat - SNAT - IP Pool

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2025][Juniper SRX #25] Source Nat - SNAT

[PNETLab][#8]-CheckPoint Firewall Install

'PNETlab' 카테고리의 다른 글

+ Recent posts

티스토리툴바

단축키

내 블로그

블로그 게시글

모든 영역