To protect the firewall's interface IP, port 22 of the firewall's internal IP is mapped to port 1021 of a separate public address, 113.106.95.x; routine administration of the firewall from the Internet then goes through port 1021 of 113.106.95.x:
set security zones security-zone trust address-book address juniper2541 192.168.254.1/32
# create the address object
set applications application juniper1021 protocol tcp
set applications application juniper1021 source-port 0-65535
set applications application juniper1021 destination-port 1021-1021
set applications application juniper1021 inactivity-timeout 1800
# the 1021 service port is built into the system, so there is no need to create a new one
set security nat destination pool 2541 address 192.168.254.1/32
set security nat destination pool 2541 address port 22
set security nat destination rule-set 1 from zone untrust
set security nat destination rule-set 1 rule 2541 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 2541 match destination-address 113.106.95.x/32
set security nat destination rule-set 1 rule 2541 match destination-port 1021
set security nat destination rule-set 1 rule 2541 then destination-nat pool 2541
# NAT
set security nat proxy-arp interface ge-0/0/0.0 address 113.106.95.x/32
# proxy ARP
set security policies from-zone untrust to-zone trust policy yc2541 match source-address any
set security policies from-zone untrust to-zone trust policy yc2541 match destination-address juniper2541
set security policies from-zone untrust to-zone trust policy yc2541 match application juniper1021
set security policies from-zone untrust to-zone trust policy yc2541 then permit
# policy
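An added audit script (not from the original page) that parses set-format commands like the ones above and flags a destination-NAT rule that publishes a management port to any source; it also flags a policy whose application names the public port, because on SRX the policy lookup runs after destination NAT and sees the translated port (22 here). The embedded sample config is constructed, with 203.0.113.10 standing in for the public address.

```python
from collections import defaultdict

MGMT_PORTS = {22: "ssh", 23: "telnet", 443: "https", 830: "netconf"}
SAMPLE_CONFIG = """  # constructed sample in the page's style; 203.0.113.10 is a placeholder
set applications application juniper1021 destination-port 1021-1021
set security nat destination pool 2541 address 192.168.254.1/32
set security nat destination pool 2541 address port 22
set security nat destination rule-set 1 rule 2541 match source-address 0.0.0.0/0
set security nat destination rule-set 1 rule 2541 match destination-address 203.0.113.10/32
set security nat destination rule-set 1 rule 2541 match destination-port 1021
set security nat destination rule-set 1 rule 2541 then destination-nat pool 2541
set security policies from-zone untrust to-zone trust policy yc2541 match application juniper1021
"""

def parse_set_config(text):
    # Collect DNAT pools and rules, custom applications and policy applications.
    pools, rules, apps, policies = defaultdict(dict), defaultdict(dict), {}, {}
    for line in text.splitlines():
        w = line.split()
        if w[:5] == ["set", "security", "nat", "destination", "pool"]:
            if w[6:8] == ["address", "port"]:
                pools[w[5]]["port"] = int(w[8])
            elif w[6:7] == ["address"]:
                pools[w[5]]["address"] = w[7]
        elif w[:5] == ["set", "security", "nat", "destination", "rule-set"] and w[6:7] == ["rule"]:
            rule = rules[(w[5], w[7])]
            if w[8:10] == ["match", "source-address"]:
                rule.setdefault("sources", []).append(w[10])
            elif w[8:10] == ["match", "destination-port"]:
                rule["public_port"] = int(w[10])
            elif w[8:10] == ["then", "destination-nat"]:
                rule["pool"] = w[11]
        elif w[:3] == ["set", "applications", "application"] and w[4:5] == ["destination-port"]:
            apps[w[3]] = int(w[5].split("-")[0])  # "1021-1021" -> 1021
        elif w[:3] == ["set", "security", "policies"] and w[9:11] == ["match", "application"]:
            policies[w[8]] = w[11]
    return pools, rules, apps, policies

def audit(text):
    # Return (rule-set, rule, finding) tuples for management ports published by DNAT.
    pools, rules, apps, policies = parse_set_config(text)
    findings = []
    for (rs, name), rule in rules.items():
        pool = pools.get(rule.get("pool"), {})
        svc = MGMT_PORTS.get(pool.get("port"))
        if not svc:
            continue  # pool does not translate to a management service
        if any(s in ("any", "0.0.0.0/0") for s in rule.get("sources", [])):
            findings.append((rs, name, f"{svc} on {pool['address']} reachable from any source"))
        for pol, app in policies.items():  # SRX policy lookup sees the translated port
            if apps.get(app) == rule.get("public_port") and apps[app] != pool["port"]:
                findings.append((rs, name, f"policy {pol} matches port {apps[app]}, but post-NAT traffic arrives on port {pool['port']}"))
    return findings
```

Running `audit(SAMPLE_CONFIG)` on the sample yields two findings: SSH reachable from any source, and a policy application that names port 1021 instead of the translated port 22.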