我一直在努力解决这个问题,但我仍然无法解决这个问题。 我有192.168.1.151 PC,它有554和9001 TCP / UDP打开。 但我需要公开访问。 在我的juniper srx210我也有这个以下configuration。 但我不明白它不工作。
version 10.0R3.10; system { root-authentication { encrypted-password "secret-password-goes-in-here"; ## SECRET-DATA } name-server { 208.67.222.222; 208.67.220.220; } services { ssh { root-login allow; } telnet; web-management { http { interface vlan.0; } https { system-generated-certificate; interface vlan.0; } } dhcp { router { 192.168.1.1; } pool 192.168.1.0/24 { address-range low 192.168.1.2 high 192.168.1.254; } propagate-settings ge-0/0/0.0; } } syslog { archive size 100k files 3; user * { any emergency; } file messages { any critical; authorization info; } file interactive-commands { interactive-commands error; } } max-configurations-on-flash 5; max-configuration-rollbacks 5; license { autoupdate { url https://ae1.juniper.net/junos/key_retrieval; } } } interfaces { interface-range interfaces-trust { member ge-0/0/1; member fe-0/0/2; member fe-0/0/3; member fe-0/0/4; member fe-0/0/5; member fe-0/0/6; member fe-0/0/7; unit 0 { family ethernet-switching { vlan { members vlan-trust; } } } } ge-0/0/0 { mac 0a:00:xx:00:00:00; unit 0 { family inet { dhcp; } } } vlan { unit 0 { family inet { address 192.168.1.1/24; } } } } security { nat { source { rule-set trust-to-untrust { from zone trust; to zone untrust; rule source-nat-rule { match { source-address 0.0.0.0/0; } then { source-nat { interface; } } } } } destination { pool pool1 { address 192.168.1.151/32; } pool pool2 { address 192.168.1.41/32; } pool pool3 { address 192.168.1.1/32; } pool pool4 { address 192.168.1.125/32; } rule-set ruleset1 { from zone untrust; rule rule1 { match { destination-address 0.0.0.0/0; destination-port 554; } then { destination-nat pool pool1; } } rule rule2 { match { destination-address 0.0.0.0/0; destination-port 49152; } then { destination-nat pool pool1; } } rule rule3 { match { destination-address 0.0.0.0/0; destination-port 49500; } then { destination-nat pool pool1; } } rule rule6 { match { destination-address 0.0.0.0/0; } then { destination-nat pool pool4; } } rule rule5 { match { destination-address 0.0.0.0/0; destination-port 22; } then { destination-nat pool pool3; } } rule rule4 { match { destination-address 0.0.0.0/0; destination-port 9001; } then { destination-nat pool pool1; } } } } } screen { ids-option untrust-screen { icmp { ping-death; } ip { source-route-option; tear-drop; } tcp { syn-flood { alarm-threshold 1024; attack-threshold 200; source-threshold 1024; destination-threshold 2048; timeout 20; } land; } } } zones { security-zone trust { address-book { address mydmz 192.168.1.125/32; } host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { vlan.0; } } security-zone untrust { screen untrust-screen; interfaces { ge-0/0/0.0 { host-inbound-traffic { system-services { dhcp; tftp; ping; telnet; } } } } } } policies { from-zone trust to-zone untrust { policy trust-to-untrust { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone untrust to-zone trust { policy server-access { match { source-address any; destination-address mydmz; application any; } then { permit; } } } } alg { sip { disable; inactive-media-timeout 90; maximum-call-duration 3000; retain-hold-resource; application-screen { unknown-message { permit-nat-applied; permit-routed; } } } } } vlans { vlan-trust { vlan-id 3; l3-interface vlan.0; } } 你的DNAT看起来很好,但是你也没有创build防火墙策略来允许stream量。 您应该编辑信任区域的地址簿,并为其内部的主机添加条目,然后创build一个与这些目标和应用程序匹配的策略从区域的不信任区域信任。 有可以引用的内置应用程序,或者您可以创build自己的应用程序,但是在configuration的顶部是自己的部分,而不是在安全节的下面。 这里是一个策略的例子,为了达到这个级别,我input了“编辑安全策略从区域到不区分的区域信任”。 然后input下面。
policy exchange { match { source-address any; destination-address [ exchange1 exchange2 ]; application [ junos-https junos-smtp junos-http junos-imap junos-ping junos-imaps junos-pop3 ]; } then { permit; count; }