SRX Juniper port forwarding

I'm trying to punch a hole in the Juniper to allow access to a Raspberry Pi webcam running on a DHCP IP address and port 8081. Here is what I tried:

```
set security zones security-zone trust address-book address rCam 10.203.0.42/32
set applications application CAM-DNAT protocol tcp
set applications application CAM-DNAT destination-port 8081
set security nat destination pool dnat-10_230_0_42m32 address 10.203.0.42/32
set security nat destination pool dnat-10_230_0_42m32 address port 8081
set security nat destination rule-set dst-nat from zone untrust
set security nat destination rule-set dst-nat rule rule1 match destination-address x.x.x.x
set security nat destination rule-set dst-nat rule rule1 match destination-port 8081
set security nat destination rule-set dst-nat rule rule1 then destination-nat pool dnat-10_230_0_42m32
set security policies from-zone untrust to-zone trust policy untrust-to-trust1 match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust1 match destination-address rCam
set security policies from-zone untrust to-zone trust policy untrust-to-trust1 match application CAM-DNAT
set security policies from-zone untrust to-zone trust policy untrust-to-trust1 then permit
```

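x.x.x.x is the external address of the Juniper, and 10.203.0.42 is the DHCP address of the Raspberry Pi. If I'm on the LAN, I can reach the camera's display at 10.203.0.42:8081, but from outside the LAN I can't connect to x.x.x.x:8081. In case it matters, this is CenturyLink gigabit with Juniper hardware, but I have admin access.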

Answer 1

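This configuration appears to work. The problem was that the IP address kept changing, even though it was set up as a static binding. I had to set the Pi to static as well before it would work.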
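A consistency check for this kind of forward, as an added example that is not part of the original question or answer: it reads the `set` lines from the question and confirms that the address-book entry, the NAT pool and the application port agree, then compares the rule's target with the address the host holds now. The names `parse` and `check` are hypothetical, and `host_ip` is assumed to be supplied by the operator, for example from the DHCP lease table.

```python
import re

# The question's configuration, limited to the lines this check reads.
CONFIG = """\
set security zones security-zone trust address-book address rCam 10.203.0.42/32
set applications application CAM-DNAT protocol tcp
set applications application CAM-DNAT destination-port 8081
set security nat destination pool dnat-10_230_0_42m32 address 10.203.0.42/32
set security nat destination pool dnat-10_230_0_42m32 address port 8081
set security nat destination rule-set dst-nat rule rule1 then destination-nat pool dnat-10_230_0_42m32
set security policies from-zone untrust to-zone trust policy untrust-to-trust1 match destination-address rCam
set security policies from-zone untrust to-zone trust policy untrust-to-trust1 match application CAM-DNAT
"""

# (table, pattern, field): group 1 is the object name, group 2 the value.
PATTERNS = [
    ("book", r"set security zones security-zone \S+ address-book address (\S+) (\S+)$", "prefix"),
    ("app", r"set applications application (\S+) destination-port (\S+)$", "port"),
    ("pool", r"set security nat destination pool (\S+) address port (\S+)$", "port"),
    ("pool", r"set security nat destination pool (\S+) address (\S+)$", "prefix"),
    ("policy", r"set security policies .* policy (\S+) match destination-address (\S+)$", "dst"),
    ("policy", r"set security policies .* policy (\S+) match application (\S+)$", "app"),
]

def parse(config):
    """Collect address-book entries, applications, NAT pools and policy matches."""
    st = {"book": {}, "app": {}, "pool": {}, "policy": {}}
    for line in config.splitlines():
        for kind, pat, field in PATTERNS:
            m = re.match(pat, line.strip())
            if m:
                st[kind].setdefault(m.group(1), {})[field] = m.group(2)
                break
    return st

def check(config, host_ip):
    """Return findings; the policy must name the post-NAT (internal) address."""
    st, findings = parse(config), []
    for name, pol in st["policy"].items():
        dst = st["book"].get(pol.get("dst"), {}).get("prefix")
        port = st["app"].get(pol.get("app"), {}).get("port")
        pools = [p for p in st["pool"].values() if dst and p.get("prefix") == dst]
        if not pools:
            findings.append(f"{name}: no NAT pool translates to {dst}")
        elif all(p.get("port") != port for p in pools):
            findings.append(f"{name}: pool port differs from application port {port}")
        if dst and dst.split("/")[0] != host_ip:
            findings.append(f"{name}: host now at {host_ip}, rule points at {dst}")
    return findings
```

With the question's configuration the only finding appears once the host's address moves away from 10.203.0.42, which is the failure the answer describes.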
