使用 Juniper SRX100 分配多个外部 IP

Question 1

我不同意上面的回答。

SRX 设备（如 NetScreen 设备）处理区域。您需要将一个端口放在“不信任”区域中，其余端口放在“信任”区域中。SRX 应该为此设置开箱即用。不信任区域中的端口现在可能设置为 DHCP，您需要覆盖它并执行如下操作：

set interfaces ge-0/0/0 unit 0 description ISP Link
set interfaces ge-0/0/0 unit 0 family inet address 99.10.15.173/29

现在...为了使其他 IP 地址可从同一接口使用，您需要在 NAT 配置下使用代理 arp 语句。

set security nat proxy-arp interface ge-0/0/0.0 address 99.10.15.170/32
set security nat proxy-arp interface ge-0/0/0.0 address 99.10.15.171/32

然后，您需要静态 NAT 将这些 IP 地址映射到内部主机：

set security nat static rule-set emailservers from zone untrust
set security nat static rule-set emailservers rule exchange-direct match destination-address 99.10.15.170/32
set security nat static rule-set emailservers rule exchange-direct then static-nat prefix 192.168.1.70/32
set security nat static rule-set emailservers rule proofpoint match destination-address 99.10.15.171/32
set security nat static rule-set emailservers rule proofpoint then static-nat prefix 192.168.1.74/32

然后，您必须有一个允许上述流量的政策！

set security policies from-zone untrust to-zone trust policy mailservers match source-address any
set security policies from-zone untrust to-zone trust policy mailservers match destination-address mailservers
set security policies from-zone untrust to-zone trust policy mailservers match application junos-smtp
set security policies from-zone untrust to-zone trust policy mailservers match application junos-https
set security policies from-zone untrust to-zone trust policy mailservers match application junos-http
set security policies from-zone untrust to-zone trust policy mailservers match application junos-icmp-all
set security policies from-zone untrust to-zone trust policy mailservers match application junos-imap
set security policies from-zone untrust to-zone trust policy mailservers match application junos-imaps
set security policies from-zone untrust to-zone trust policy mailservers match application junos-pop3
set security policies from-zone untrust to-zone trust policy mailservers then permit

我遗漏了一些内容：设置区域的地址簿条目等等...但总结一下：

1）设置外部接口 2）设置代理 arp 3）设置静态 NAT（或您需要的任何 nat）4）配置安全策略以允许流量。

Answer

我不同意上面的回答。

SRX 设备（如 NetScreen 设备）处理区域。您需要将一个端口放在“不信任”区域中，其余端口放在“信任”区域中。SRX 应该为此设置开箱即用。不信任区域中的端口现在可能设置为 DHCP，您需要覆盖它并执行如下操作：

set interfaces ge-0/0/0 unit 0 description ISP Link
set interfaces ge-0/0/0 unit 0 family inet address 99.10.15.173/29

现在...为了使其他 IP 地址可从同一接口使用，您需要在 NAT 配置下使用代理 arp 语句。

set security nat proxy-arp interface ge-0/0/0.0 address 99.10.15.170/32
set security nat proxy-arp interface ge-0/0/0.0 address 99.10.15.171/32

然后，您需要静态 NAT 将这些 IP 地址映射到内部主机：

set security nat static rule-set emailservers from zone untrust
set security nat static rule-set emailservers rule exchange-direct match destination-address 99.10.15.170/32
set security nat static rule-set emailservers rule exchange-direct then static-nat prefix 192.168.1.70/32
set security nat static rule-set emailservers rule proofpoint match destination-address 99.10.15.171/32
set security nat static rule-set emailservers rule proofpoint then static-nat prefix 192.168.1.74/32

然后，您必须有一个允许上述流量的政策！

set security policies from-zone untrust to-zone trust policy mailservers match source-address any
set security policies from-zone untrust to-zone trust policy mailservers match destination-address mailservers
set security policies from-zone untrust to-zone trust policy mailservers match application junos-smtp
set security policies from-zone untrust to-zone trust policy mailservers match application junos-https
set security policies from-zone untrust to-zone trust policy mailservers match application junos-http
set security policies from-zone untrust to-zone trust policy mailservers match application junos-icmp-all
set security policies from-zone untrust to-zone trust policy mailservers match application junos-imap
set security policies from-zone untrust to-zone trust policy mailservers match application junos-imaps
set security policies from-zone untrust to-zone trust policy mailservers match application junos-pop3
set security policies from-zone untrust to-zone trust policy mailservers then permit

我遗漏了一些内容：设置区域的地址簿条目等等...但总结一下：

1）设置外部接口 2）设置代理 arp 3）设置静态 NAT（或您需要的任何 nat）4）配置安全策略以允许流量。

Question 2

是的。只需让服务器位于 dmz 中，并在其接口上使用网关地址，当然，您必须创建允许策略等。

例如，服务器 1 的 IP 为 1.1.1.2/24，网关为 1.1.1.1；服务器 2 的 IP 为 1.1.1.3/24，网关为 1.1.1.1

SRX接口的IP是1.1.1.1。

祝你好运。

Answer