
Juniper Junos OS User Manual

Juniper Junos OS
158 pages
In this example, you perform the following tasks:
• Create a destination NAT pool called dst-nat-pool-1 to include the IP address 192.168.2.2.
• Create a destination NAT rule set rs1, where rule r1 matches the packets received from the ge-0/0/0.0 interface with the destination IP address 1.1.1.3. For matching packets, the destination address is translated to the address in the dst-nat-pool-1 pool.
• Use an existing address book (as applicable) or create a new address book for Server-HTTP-1.
• Configure traffic from the untrust zone with a destination address of 1.1.1.3 to be translated to the private address 192.168.2.2 in the DMZ zone.
• Configure the device to respond to proxy ARP for the addresses in the IP pool.
• Create a security policy to permit HTTP traffic from the untrust zone to the DMZ zone.

NOTE: Because the destination NAT rule sets are evaluated before a security policy, the address referred to in the security policy must be the real IP address of the end host.

CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.
set security nat destination pool dst-nat-pool-1 address 192.168.2.2/32
set security nat destination rule-set rs1 from interface ge-0/0/0.0
set security nat destination rule-set rs1 rule r1 match destination-address 1.1.1.3/29
set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.3/29
set security zones security-zone DMZ address-book address Server-HTTP-1 192.168.2.2/32
set security policies from-zone untrust to-zone DMZ policy server-access match source-address any
set security policies from-zone untrust to-zone DMZ policy server-access match destination-address Server-HTTP-1
set security policies from-zone untrust to-zone DMZ policy server-access match application junos-http
set security policies from-zone untrust to-zone DMZ policy server-access then permit
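
The following check is an added example, not part of the Juniper manual. It parses the quick-configuration commands above and verifies the requirement in the NOTE that the security policy refer to the real (post-NAT) address, and it reports any NAT match prefix wider than a single host. The function names and finding strings are hypothetical, and the check assumes standard CIDR semantics for a prefix with host bits set (1.1.1.3/29 read as 1.1.1.0/29).

```python
import ipaddress
import re

# The quick-configuration commands from this page, wrapped lines joined.
CONFIG = """\
set security nat destination pool dst-nat-pool-1 address 192.168.2.2/32
set security nat destination rule-set rs1 from interface ge-0/0/0.0
set security nat destination rule-set rs1 rule r1 match destination-address 1.1.1.3/29
set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.3/29
set security zones security-zone DMZ address-book address Server-HTTP-1 192.168.2.2/32
set security policies from-zone untrust to-zone DMZ policy server-access match source-address any
set security policies from-zone untrust to-zone DMZ policy server-access match destination-address Server-HTTP-1
set security policies from-zone untrust to-zone DMZ policy server-access match application junos-http
set security policies from-zone untrust to-zone DMZ policy server-access then permit
"""

def net(text):
    # strict=False keeps a prefix with host bits set: 1.1.1.3/29 -> 1.1.1.0/29
    return ipaddress.ip_network(text, strict=False)

def audit(config):
    pools = {n: net(a) for n, a in re.findall(
        r"nat destination pool (\S+) address (\S+)", config)}
    book = {(z, n): net(a) for z, n, a in re.findall(
        r"security-zone (\S+) address-book address (\S+) (\S+)", config)}
    matches = {(s, r): net(a) for s, r, a in re.findall(
        r"rule-set (\S+) rule (\S+) match destination-address (\S+)", config)}
    targets = re.findall(
        r"rule-set (\S+) rule (\S+) then destination-nat pool (\S+)", config)
    # Policy destinations resolved via the to-zone address book ("any" stays None).
    policy_dst = {p: book.get((z, n)) for z, p, n in re.findall(
        r"to-zone (\S+) policy (\S+) match destination-address (\S+)", config)}
    findings = []
    for rule, pre_nat in matches.items():
        if pre_nat.num_addresses > 1:
            findings.append(f"{'/'.join(rule)}: match covers {pre_nat[0]}-{pre_nat[-1]}")
        # NAT runs first, so a policy written against the pre-NAT address never matches.
        findings += [f"{p}: destination is the pre-NAT address"
                     for p, dst in policy_dst.items() if dst and dst.overlaps(pre_nat)]
    for s, r, pool in targets:
        real = pools.get(pool)
        if real is None:
            findings.append(f"{s}/{r}: pool {pool} is not defined")
        elif not any(d and d.overlaps(real) for d in policy_dst.values()):
            findings.append(f"{s}/{r}: no policy permits the real address {real}")
    return findings
```

Run against the commands as printed, audit(CONFIG) returns a single finding: the /29 match on rule r1 covers 1.1.1.0-1.1.1.7, while the task list names only 1.1.1.3.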
To configure a destination NAT rule:
1. Create the destination NAT pool to include the IP address of the server (Server-HTTP-1).
[edit]
user@srx210-host# set security nat destination pool dst-nat-pool-1 address 192.168.2.2/32
2. Create a destination NAT rule set.
[edit]
user@srx210-host# set security nat destination rule-set rs1 from interface ge-0/0/0.0
Copyright © 2016, Juniper Networks, Inc.
Getting Started Guide for Branch SRX Series
