I am having a problem setting up source NAT on an SRX300 firewall. The firewall is connected to the LC panel through a fibre cable in port 0/6. I have set a public IP on that interface and configured the DNS servers and the default gateway. In addition, I am running a DHCP server on port 0/3. The SRX has connectivity and can ping remote hosts, and connecting a device to port 0/3 gives it an IP address from the pool. A device on port 3 can ping the SRX but cannot reach the public internet, so I think something is missing from my source NAT configuration.
Here is my security nat (203.0.113.192/30 represents my public IP):
security {
    nat {
        source {
            pool src-nat-pool-1 {
                address {
                    203.0.113.192/30;
                }
            }
            rule-set rs1 {
                from zone trust;
                to zone untrust;
                rule r1 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            pool {
                                src-nat-pool-1;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy internet-access {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/2.0;
                ge-0/0/3.0;
                ge-0/0/4.0;
                ge-0/0/5.0;
                ge-0/0/6.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            screen untrust-screen;
        }
    }
}
and the relevant interface configuration is:
interfaces {
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 192.168.3.1/24;
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family inet {
                address 203.0.113.192/30;
            }
        }
    }
}
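An added consistency check, not part of the question, that parses the posted hierarchy and reports any source NAT rule-set whose "to zone" is not the zone that owns the egress interface, since such a rule-set can never match traffic leaving through that interface (the constructed sample below keeps ge-0/0/6.0 in the trust zone exactly as the zones stanza above does). The function names parse_junos, zone_of_interface and dead_source_nat_rule_sets are my own, not Junos or SRX APIs.

```python
import re
# Constructed sample (not the poster's full config): the zone and source-NAT
# hierarchy from the question, compacted onto fewer lines.
SAMPLE_CONFIG = """
security {
    nat { source {
        pool src-nat-pool-1 { address { 203.0.113.192/30; } }
        rule-set rs1 { from zone trust; to zone untrust;
            rule r1 { then { source-nat { pool { src-nat-pool-1; } } } } } } }
    zones {
        security-zone trust { interfaces { ge-0/0/3.0; ge-0/0/6.0 { host-inbound-traffic { system-services { ping; } } } } }
        security-zone untrust { screen untrust-screen; } } }
"""

def parse_junos(text):
    """Parse brace-style Junos config into nested dicts; a leaf 'x;' becomes {'x': {}}."""
    stack, words = [{}], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":                       # open a new hierarchy level
            stack[-1][" ".join(words)] = node = {}
            stack.append(node)
            words = []
        elif tok == ";":                     # terminal statement
            stack[-1][" ".join(words)] = {}
            words = []
        elif tok == "}":
            stack.pop()
        else:
            words.append(tok)
    return stack[0]

def zone_of_interface(cfg, ifname):
    """Return the security zone whose interface list contains ifname, or None."""
    for key, body in cfg["security"]["zones"].items():
        if key.startswith("security-zone ") and ifname in body.get("interfaces", {}):
            return key.split(" ", 1)[1]
    return None

def dead_source_nat_rule_sets(cfg, egress_if):
    """Rule-sets whose 'to zone' is not the zone owning egress_if; such a
    rule-set never matches traffic leaving through that interface."""
    egress_zone = zone_of_interface(cfg, egress_if)
    dead = []
    for key, body in cfg["security"]["nat"]["source"].items():
        if key.startswith("rule-set "):
            to_zones = [k.split()[-1] for k in body if k.startswith("to zone ")]
            if egress_zone not in to_zones:
                dead.append((key.split(" ", 1)[1], to_zones, egress_zone))
    return dead
```

Run it against the output of `show configuration security | display set`-free brace format (the plain `show configuration security` output) after replacing SAMPLE_CONFIG; an empty list means every source NAT rule-set has a zone pairing the egress interface can actually hit.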