The OpenNET Project / Index page

[ новости /+++ | форум | теги | ]

форумы  помощь  поиск  регистрация  майллист  вход/выход  слежка  RSS
"forwarding нескольких портов на juniper srx210"
Вариант для распечатки  
Пред. тема | След. тема 
Форум Маршрутизаторы CISCO и др. оборудование. (Другое оборудование)
Изначальное сообщение [ Отслеживать ]

"forwarding нескольких портов на juniper srx210"  +/
Сообщение от qreco (ok) on 10-Мрт-11, 09:32 
Пытаюсь настроить сабж,сделал проброс ftp, работает, как только прописываю rdp, rdp работает ftp уже нет , уже третий день бьюсь понять не могу в чем дело.
конф.
root@jgate# show
## Last changed: 2011-03-10 00:00:51 GMT+5
version 10.0R1.8;
system {
    host-name jgate;
    time-zone GMT+5;
    root-authentication {
        encrypted-password "$"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        telnet;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
            }
            propagate-settings ge-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 49;
    max-configuration-rollbacks 49;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server 195.16.42.125;
        server 93.91.6.81;
        server 194.190.16.51;
        server 130.236.254.102;
    }
}
interfaces {
    interface-range interfaces-trust {
        member ge-0/0/1;
        member fe-0/0/4;
        member fe-0/0/5;
        member fe-0/0/6;
        member fe-0/0/7;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 172.24.130.46/29;
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            family inet {
                address 10.0.0.1/24;
                address 1.1.1.1/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 127.0.0.1/32;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.0.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 172.23.0.0/16 next-hop [ 172.24.130.41 172.24.130.42 ];
        route 0.0.0.0/0 next-hop 1.1.1.2;
    }
}
security {
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool ftp-pool {
                address 192.168.0.103/32 port 21;
            }
            pool rdp-pool {
                address 192.168.0.103/32 port 3389;
            }
            pool 34567-pool {
                address 192.168.0.201/32 port 34567;
            }
            pool 36963-pool {
                address 192.168.0.201/32 port 36963;
            }
            pool test {
                address 192.168.0.103/32 port 3690;
            }
            rule-set door {
                from zone untrust;
                rule ftp {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                        destination-port 21;
                    }
                    then {
                        destination-nat pool ftp-pool;
                    }
                }
                inactive: rule rdp {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                        destination-port 3389;
                    }
                    then {
                        destination-nat pool rdp-pool;
                    }
                }
                inactive: rule 34567{
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 34567;
                    }
                    then {
                        destination-nat pool 34567-pool;
                    }
                }
                inactive: rule 36963{
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 36963;
                    }
                    then {
                        destination-nat pool 36963-pool;
                    }
                }
                inactive: rule t {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 1.1.1.1/32;
                        destination-port 3690;
                    }
                    then {
                        destination-nat pool test;
                    }
                }
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address serv103 192.168.0.103/32;
                address serv201 192.168.0.201/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            ping;
                            traceroute;
                        }
                    }
                }
                fe-0/0/3.0 {
                    host-inbound-traffic {
                        system-services {
                            ftp;
                            ping;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy untrust-trust {
                match {
                    source-address any;
                    destination-address [ serv103 serv201 ];
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}
Ответить | Правка | Cообщить модератору

Оглавление

Сообщения по теме [Сортировка по времени | RSS]


1. "forwarding нескольких портов на juniper srx210"  +/
Сообщение от KostyaK email on 11-Мрт-11, 02:28 
>            
> rule-set door {
>     from zone untrust;
>     rule ftp {
>         match {
>              source-address 0.0.0.0/0;
>              destination-address 0.0.0.0/0;
>              destination-port 21;
>         }
>            

Я не очень большой спец по Junos'у, но как-то напрягает, что source и destination указаны ВСЕ. Получается, что вход на FTP/RDP на ЛЮБОЙ адрес вашей сети должен отправляться на ОДИН сервер, т.е. связь много-к-одному. Не сносит ли от этого у SRX'a крышу?

У меня match'и прописаны отдельно для каждого внешнего IP. Примерно так:
         match {
              destination-address 85.86.87.88/32;
              destination-port 21;
         }
...
         match {
              destination-address 85.86.87.88/32;
              destination-port 3389;
         }

...
         match {
              destination-address 101.102.103.104/32;
              destination-port 3389;
         }

then'ы для правил 2 и 3 - одинаковые.

Все работает...

Ответить | Правка | ^ к родителю #0 | Наверх | Cообщить модератору

Архив | Удалить

Рекомендовать для помещения в FAQ | Индекс форумов | Темы | Пред. тема | След. тема




Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей 		Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру