Tuesday, August 23, 2016

Unetlab-SRX-LAB-1_NAT

My company's firewall happens to be a Juniper SRX, and I am preparing for the JNCIS-SEC exam, so after reading the documentation I am recording the related labs here.

NAT is one of the SRX's main functions, so I also practised every kind of NAT:

  • Source NAT (both the interface and the source-pool method)
  • Destination NAT
  • Static NAT

The environment is built with UnetLab; if you are not familiar with UnetLab, see my earlier article.

Above is the topology diagram. The basic configuration must satisfy:

* 10.10.10.1 can ping 10.10.10.10

* 100.100.100.1 can ping 100.100.100.100

* 1.1.1.2 can ping 1.1.1.1

Since this is a lab, all policies are simply set to permit.

Finish the above first, then continue with the main topic.

NAT Lab start

1.1 - Test Source NAT with interface

Task:

10.10.10.1 must be able to ping 1.1.1.2, with the source IP translated to 1.1.1.1

Source NAT configuration:
root# show security nat | display set
set security nat source rule-set lab1 from zone lab1
set security nat source rule-set lab1 to zone untrust
set security nat source rule-set lab1 rule 1 match source-address 10.10.10.0/24
set security nat source rule-set lab1 rule 1 match destination-address 1.1.1.0/24
set security nat source rule-set lab1 rule 1 then source-nat interface
Firewall policy configuration:
set security policies from-zone lab1 to-zone untrust policy lab1 match source-address any
set security policies from-zone lab1 to-zone untrust policy lab1 match destination-address any
set security policies from-zone lab1 to-zone untrust policy lab1 match application any
set security policies from-zone lab1 to-zone untrust policy lab1 then permit

Verify:

>show security flow session nat --> shows the NAT session state

>show security nat source rule all --> shows the NAT rule information

From the output above we can see that when the source is translated to the interface address, PAT (port translation) is enabled by default.

Next, change the VPC to another IP in the same subnet and see whether it is also translated when pinging 1.1.1.2.

VPC side:

vSRX side:

10.10.10.100 is also successfully translated and reaches 1.1.1.2.

1.2 - Source NAT with pool (single IP)

Switch to a source pool and verify again.

Confirm with the same commands as above.

SRX side: NAT is confirmed.

But on the VPC side the ping fails. Why?

Because nothing answers the peer's ARP requests for the configured source-pool IP range, the packets leave the SRX but the replies never come back.

Fix the configuration to a single IP and add proxy-arp on the egress interface:
set security nat source pool lab1 address 1.1.1.3/32
set security nat proxy-arp interface ge-0/0/1.0 address 1.1.1.3/32
Test again and the ping works.

VPC side:

vSRX side NAT state: 1.1.1.3 is now used as the post-NAT IP.

The root cause is ARP and routing. When a /24 prefix is used as the pool and the source is translated to 1.1.1.x, nothing answers the peer's ARP request for that address and the routing table has no entry for the post-NAT IP, so the reply packets cannot be translated back. Adding proxy-arp puts a route in the routing table so that return packets can be matched against the NAT table.
Juniper's official explanation of proxy-arp: https://kb.juniper.net/InfoCenter/index?page=content&id=KB21785&actp=search
It lists the following two situations in which proxy-arp is used:
• When addresses defined in the static NAT and source NAT pool are in the same subnet as that of the ingress interface (Source NAT and Static NAT scenario)
• When addresses in the original destination address entry in the destination NAT rules are in the same subnet as that of the ingress interface (Destination NAT scenario)
In other words, whenever the post-NAT IP is in the same subnet as the destination address, proxy-arp is required.
The changed configuration is:
set security nat source pool lab1 address 1.1.1.3/32
set security nat proxy-arp interface ge-0/0/1.0 address 1.1.1.3/32

1.3 Source NAT with pool (Prefix)

Next, verify whether NAT works when a prefix is used as the pool and proxy-arp is added.

Delete the old pool setting:

delete security nat source pool lab1 address 1.1.1.3/32

Add the 1.1.1.4/30 prefix:

set security nat source pool lab1 address 1.1.1.4/30

In theory proxy-arp should cover 1.1.1.5 and 1.1.1.6, but first leave it out and see whether NAT succeeds or fails.

The VPC cannot ping 1.1.1.2.

However, the vSRX does show NAT sessions, and all four addresses 1.1.1.4-1.1.1.7 are in use. That differs from my assumption that only 1.1.1.5 and 1.1.1.6 would be used as post-NAT IPs.

So first add 1.1.1.5 and 1.1.1.6 to proxy-arp and see:
set security nat proxy-arp interface ge-0/0/1.0 address 1.1.1.5/32 to 1.1.1.6/32
The result is intermittent.

It seems that sessions translated to 1.1.1.5 and 1.1.1.6 work, while those translated to 1.1.1.4 and 1.1.1.7 fail.

Change the range to 1.1.1.4-1.1.1.7:
set security nat proxy-arp interface ge-0/0/1.0 address 1.1.1.4/32 to 1.1.1.7/32
Test again:
VPC side: ignoring the initial timeouts, the ping works afterwards.

vSRX: both directions get replies.

Looking at the routing table, the "receive" routes are created only after proxy-arp is configured.

1.4 Destination NAT

This one is tested from the other side, the 100.100.100.x subnet.

Test scenario: 100.100.100.1 pings 1.1.1.100, and the SRX translates the destination address to 1.1.1.10.

Add the destination NAT configuration:
set security nat destination pool lab2 address 1.1.1.10/32
set security nat destination rule-set lab2 from zone lab2
set security nat destination rule-set lab2 rule lab2 match destination-address 1.1.1.100/32
set security nat destination rule-set lab2 rule lab2 then destination-nat pool lab2
set security nat proxy-arp interface ge-0/0/1.0 address 1.1.1.10/32
Add the policy too; as before, everything is permitted:
set security policies from-zone lab2 to-zone untrust policy lab2 match source-address any
set security policies from-zone lab2 to-zone untrust policy lab2 match destination-address any
set security policies from-zone lab2 to-zone untrust policy lab2 match application any
set security policies from-zone lab2 to-zone untrust policy lab2 then permit

VPC side and vSRX side state:
Pinging 1.1.1.100 works, and the NAT state on the vSRX shows the translation happening correctly.

1.5 STATIC NAT

The last commonly used NAT type.
Test scenario:
1.1.1.2 pings 10.10.10.1, which is statically translated to 10.10.10.254
1.1.1.2 pings 100.100.100.1, which is statically translated to 100.100.100.254
Configuration:
set security nat static rule-set lab3 from zone untrust
set security nat static rule-set lab3 rule 10-254 match source-address 1.1.1.2/32
set security nat static rule-set lab3 rule 10-254 match destination-address 10.10.10.1/32
set security nat static rule-set lab3 rule 10-254 then static-nat prefix 10.10.10.254/32
set security nat static rule-set lab3 rule 100-254 match source-address 1.1.1.2/32
set security nat static rule-set lab3 rule 100-254 match destination-address 100.100.100.1/32
set security nat static rule-set lab3 rule 100-254 then static-nat prefix 100.100.100.254/32

Proxy-arp

set security nat proxy-arp interface ge-0/0/0.0 address 10.10.10.254/32
set security nat proxy-arp interface ge-0/0/2.0 address 100.100.100.254/32


Policy:
set security policies from-zone untrust to-zone lab1 policy lab3 match source-address any
set security policies from-zone untrust to-zone lab1 policy lab3 match destination-address any
set security policies from-zone untrust to-zone lab1 policy lab3 match application any
set security policies from-zone untrust to-zone lab1 policy lab3 then permit
set security policies from-zone untrust to-zone lab2 policy lab3 match source-address any
set security policies from-zone untrust to-zone lab2 policy lab3 match destination-address any
set security policies from-zone untrust to-zone lab2 policy lab3 match application any
set security policies from-zone untrust to-zone lab2 policy lab3 then permit

Cisco router side
A default route must be added:
ip route 0.0.0.0 0.0.0.0 1.1.1.1

vSRX side
Translation to 10.10.10.254:

vSRX side

Translation to 100.100.100.x:

Final complete configuration:

root# show | display set | no-more
set version 12.1X47-D10.4
set system root-authentication encrypted-password "$1$H9.Z4eqq$l/CABbw5bIu78VscRK2t9."
set system services ssh
set system services web-management http interface ge-0/0/0.0
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.10/24
set interfaces ge-0/0/1 unit 0 family inet address 1.1.1.1/24
set interfaces ge-0/0/2 unit 0 family inet address 100.100.100.100/24
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source pool lab1 address 1.1.1.4/30
set security nat source rule-set lab1 from zone lab1
set security nat source rule-set lab1 to zone untrust
set security nat source rule-set lab1 rule 1 match source-address 10.10.10.0/24
set security nat source rule-set lab1 rule 1 match destination-address 1.1.1.0/24
set security nat source rule-set lab1 rule 1 then source-nat pool lab1
set security nat destination pool lab2 address 1.1.1.10/32
set security nat destination rule-set lab2 from zone lab2
set security nat destination rule-set lab2 rule lab2 match destination-address 1.1.1.100/32
set security nat destination rule-set lab2 rule lab2 then destination-nat pool lab2
set security nat static rule-set lab3 from zone untrust
set security nat static rule-set lab3 rule 10-254 match source-address 1.1.1.2/32
set security nat static rule-set lab3 rule 10-254 match destination-address 10.10.10.1/32
set security nat static rule-set lab3 rule 10-254 then static-nat prefix 10.10.10.254/32
set security nat static rule-set lab3 rule 100-254 match source-address 1.1.1.2/32
set security nat static rule-set lab3 rule 100-254 match destination-address 100.100.100.1/32
set security nat static rule-set lab3 rule 100-254 then static-nat prefix 100.100.100.254/32
set security nat proxy-arp interface ge-0/0/1.0 address 1.1.1.10/32
set security nat proxy-arp interface ge-0/0/1.0 address 1.1.1.4/32 to 1.1.1.7/32
set security nat proxy-arp interface ge-0/0/0.0 address 10.10.10.254/32
set security nat proxy-arp interface ge-0/0/2.0 address 100.100.100.254/32
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy default-deny match source-address any
set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
set security policies from-zone untrust to-zone trust policy default-deny match application any
set security policies from-zone untrust to-zone trust policy default-deny then deny
set security policies from-zone lab1 to-zone untrust policy lab1 match source-address any
set security policies from-zone lab1 to-zone untrust policy lab1 match destination-address any
set security policies from-zone lab1 to-zone untrust policy lab1 match application any
set security policies from-zone lab1 to-zone untrust policy lab1 then permit
set security policies from-zone lab2 to-zone untrust policy lab2 match source-address any
set security policies from-zone lab2 to-zone untrust policy lab2 match destination-address any
set security policies from-zone lab2 to-zone untrust policy lab2 match application any
set security policies from-zone lab2 to-zone untrust policy lab2 then permit
set security policies from-zone untrust to-zone lab1 policy lab3 match source-address any
set security policies from-zone untrust to-zone lab1 policy lab3 match destination-address any
set security policies from-zone untrust to-zone lab1 policy lab3 match application any
set security policies from-zone untrust to-zone lab1 policy lab3 then permit
set security policies from-zone untrust to-zone lab2 policy lab3 match source-address any
set security policies from-zone untrust to-zone lab2 policy lab3 match destination-address any
set security policies from-zone untrust to-zone lab2 policy lab3 match application any
set security policies from-zone untrust to-zone lab2 policy lab3 then permit
set security zones security-zone trust tcp-rst
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone lab1 interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone lab2 interfaces ge-0/0/2.0 host-inbound-traffic system-services all
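As an added example (not part of the original post or of Junos), the rule the lab arrived at turned into a config check: every source-pool, destination-pool and static-NAT address that falls in a directly connected subnet needs a proxy-arp entry on that interface, and a prefix pool hands out every address of the prefix, network and broadcast included. It parses `display set` lines; the sample is a constructed subset of the final configuration above, with proxy-arp deliberately covering only 1.1.1.5-1.1.1.6 of the /30 pool, as in section 1.3.

```python
import ipaddress
import re

# Constructed sample: a subset of the lab's final "show | display set" output,
# with proxy-arp deliberately covering only 1.1.1.5-1.1.1.6 of the /30 pool.
SAMPLE_CONFIG = """
set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.10/24
set interfaces ge-0/0/1 unit 0 family inet address 1.1.1.1/24
set security nat source pool lab1 address 1.1.1.4/30
set security nat destination pool lab2 address 1.1.1.10/32
set security nat static rule-set lab3 rule 10-254 then static-nat prefix 10.10.10.254/32
set security nat proxy-arp interface ge-0/0/1.0 address 1.1.1.10/32
set security nat proxy-arp interface ge-0/0/1.0 address 1.1.1.5/32 to 1.1.1.6/32
"""

IFACE_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
POOL_RE = re.compile(r"^set security nat (?:source|destination) pool \S+ address (\S+)$")
STATIC_RE = re.compile(r"^set security nat static .* then static-nat prefix (\S+)$")
PARP_RE = re.compile(r"^set security nat proxy-arp interface (\S+) address (\S+)(?: to (\S+))?$")

def parse_nat_config(config):
    """Collect connected interfaces, translated addresses and proxy-arp entries."""
    ifaces, nat_addrs, proxy = {}, set(), {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := IFACE_RE.match(line):
            ifaces[f"{m[1]}.{m[2]}"] = ipaddress.ip_interface(m[3])
        elif (m := POOL_RE.match(line)) or (m := STATIC_RE.match(line)):
            # A /30 pool hands out all four addresses (network and broadcast
            # included), exactly as the lab observed with 1.1.1.4/30.
            nat_addrs.update(ipaddress.ip_network(m[1]))
        elif m := PARP_RE.match(line):
            first = ipaddress.ip_interface(m[2]).ip
            last = ipaddress.ip_interface(m[3]).ip if m[3] else first
            entries = proxy.setdefault(m[1], set())
            entries.update(first + i for i in range(int(last) - int(first) + 1))
    return ifaces, nat_addrs, proxy

def missing_proxy_arp(config):
    """Translated addresses on a connected subnet with no proxy-arp on that interface."""
    ifaces, nat_addrs, proxy = parse_nat_config(config)
    gaps = []
    for addr in nat_addrs:
        for name, iface in ifaces.items():
            if addr == iface.ip or addr not in iface.network:
                continue  # the interface's own address answers ARP by itself
            if addr not in proxy.get(name, set()):
                gaps.append((str(addr), name))
    return sorted(gaps)
```

Run against the sample, it reports 1.1.1.4 and 1.1.1.7 on ge-0/0/1.0 (the addresses whose sessions failed intermittently in section 1.3) and 10.10.10.254 on ge-0/0/0.0, which the final configuration fixes with the proxy-arp lines shown above.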
