hvostat: Jeeslaya (Default)
[personal profile] hvostat
Задача:
Есть сеть за NAT 192.168.0.1/24.
Внешний IP у её роутера 1.1.1.1.
На роутере настроен DST NAT 1.1.1.1:80 => 192.168.0.2:80
"Cнаружи" все работает, но если пользователь захочет из самой сети зайти на 1.1.1.1:80, то получит экологически чистый кукиш с маслом вместо вебсайта.

Решение:
Воспользоваться технологией NAT loopback / hairpin NAT.

В Juniper SRX настраивается следующим образом:

set security nat source rule-set hairpin from zone default
set security nat source rule-set hairpin to zone default
set security nat source rule-set hairpin rule hairpin-source match source-address 192.168.0.1/24
set security nat source rule-set hairpin rule hairpin-source then source-nat interface

set security nat destination pool server address 192.168.0.2/32
set security nat destination rule-set hairpin from zone default
set security nat destination rule-set hairpin rule hairpin-destination match destination-address 1.1.1.1/32
set security nat destination rule-set hairpin rule hairpin-destination then destination-nat pool server

set security policies from-zone default to-zone default policy INTRA-default match source-address any
set security policies from-zone default to-zone default policy INTRA-default match destination-address any
set security policies from-zone default to-zone default policy INTRA-default match application any
set security policies from-zone default to-zone default policy INTRA-default then permit

__
From:
Anonymous( )Anonymous This account has disabled anonymous posting.
OpenID( )OpenID You can comment on this post while signed in with an account from many other sites, once you have confirmed your email address. Sign in using OpenID.
User
Account name:
Password:
If you don't have an account you can create one now.
Subject:
HTML doesn't work in the subject.

Message:

 
Notice: This account is set to log the IP addresses of everyone who comments.
Links will be displayed as unclickable URLs to help prevent spam.

Profile

hvostat: Jeeslaya (Default)
hvostat

June 2017

S M T W T F S
    123
45678910
11121314151617
181920212223 24
252627282930 

Style Credit

Expand Cut Tags

No cut tags
Page generated 21 September 2017 17:50
Powered by Dreamwidth Studios