{"id":356,"date":"2014-07-16T11:04:43","date_gmt":"2014-07-16T07:04:43","guid":{"rendered":"http:\/\/www.vassiliev.me\/?p=356"},"modified":"2019-05-11T08:14:26","modified_gmt":"2019-05-11T04:14:26","slug":"%d0%bd%d0%b0%d1%81%d1%82%d1%80%d0%be%d0%b9%d0%ba%d0%b0-%d0%bf%d1%80%d0%be%d0%b1%d1%80%d0%be%d1%81%d0%b0-%d0%bf%d0%be%d1%80%d1%82%d0%be%d0%b2-%d0%b4%d0%bb%d1%8f-%d0%b2%d0%bd%d1%83%d1%82","status":"publish","type":"post","link":"https:\/\/www.vassiliev.me\/?p=356","title":{"rendered":"\u041d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0430 \u00ab\u043f\u0440\u043e\u0431\u0440\u043e\u0441\u0430\u00bb \u043f\u043e\u0440\u0442\u043e\u0432 \u0434\u043b\u044f \u0432\u043d\u0443\u0442\u0440\u0435\u043d\u043d\u0435\u0433\u043e \u0441\u0435\u0440\u0432\u0435\u0440\u0430."},"content":{"rendered":"

\u0418\u0442\u0430\u043a, \u0438\u043c\u0435\u0435\u043c \u043f\u043e\u0447\u0442\u043e\u0432\u044b\u0439 \u0438 Web \u0441\u0435\u0440\u0432\u0435\u0440 \u0437\u0430 «\u0440\u043e\u0443\u0442\u0435\u0440\u043e\u043c». \u041d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u043e \u043d\u0430\u043b\u0430\u0434\u0438\u0442\u044c \u0435\u0433\u043e \u0440\u0430\u0431\u043e\u0442\u0443 \u0437\u0430 NAT.
\n\u0421\u0435\u0440\u0432\u0435\u0440 \u043f\u043e\u0434\u043a\u043b\u044e\u0447\u0435\u043d \u0432 \u043f\u043e\u0440\u0442 fe-0\/0\/7 ,\u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u044f\u0432\u043b\u044f\u0435\u0442\u0441\u044f \u0447\u043b\u0435\u043d\u043e\u043c  vlan.1 (\u0437\u043e\u043d\u0430 DMZ)<\/p>\n

\"\"<\/a><\/p>\n

\u0414\u043b\u044f \u043d\u0430\u0447\u0430\u043b\u0430 \u0441\u0434\u0435\u043b\u0430\u0435\u043c «\u043f\u0440\u043e\u0431\u0440\u043e\u0441» \u043f\u043e\u0440\u0442\u043e\u0432 \u00ab\u0441\u043d\u0430\u0440\u0443\u0436\u0438\u00bb, \u043f\u0440\u0438 \u044d\u0442\u043e\u043c \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c \u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u043d\u044b\u0435 \u043d\u043e\u043c\u0435\u0440\u0430 \u043f\u043e\u0440\u0442\u043e\u0432 (\u0442.\u0435. \u0442\u0440\u0430\u043d\u0441\u043b\u044f\u0446\u0438\u044f \u043f\u043e\u0440\u0442 \u0432 \u043f\u043e\u0440\u0442).<\/p>\n

\u0421\u043f\u0435\u0440\u0432\u0430 \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u043e \u0441\u043e\u0437\u0434\u0430\u0442\u044c \u0430\u0434\u0440\u0435\u0441\u043d\u0443\u044e \u0437\u0430\u043f\u0438\u0441\u044c (pool)<\/strong><\/p>\n

set security nat destination pool HTTP address 192.168.1.200\/32
\nset security nat destination pool HTTP address port 80
\nset security nat destination pool HTTPS address 192.168.1.200\/32
\nset security nat destination pool HTTPS address port 443
\nset security nat destination pool SMTP address 192.168.1.200\/32
\nset security nat destination pool SMTP address port 25
\nset security nat destination pool POP3S address 192.168.1.200\/32
\nset security nat destination pool POP3S address port 995
\nset security nat destination pool POP3 address 192.168.1.200\/32
\nset security nat destination pool POP3 address port 110
\nset security nat destination pool IMAP address 192.168.1.200\/32
\nset security nat destination pool IMAP address port 143
\nset security nat destination pool IMAPS address 192.168.1.200\/32
\nset security nat destination pool IMAPS address port 993
\nset security nat destination pool NTP address 192.168.1.200\/32
\nset security nat destination pool NTP address port 123
\nset security nat destination pool SMTPs address 192.168.1.200\/32
\nset security nat destination pool SMTPs address port 465
\nset security nat destination pool SMTPS address 192.168.1.200\/32
\nset security nat destination pool SMTPS address port 587<\/p>\n

\u0414\u0430\u043b\u0435\u0435<\/strong> \u0441\u043e\u0437\u0434\u0430\u0435\u043c<\/strong> rule-set, \u0442<\/strong>.\u0435<\/strong>. \u0441\u0432\u043e\u0434<\/strong> \u043f\u0440\u0430\u0432\u0438\u043b<\/strong> Destination NAT:<\/strong><\/p>\n

set security nat destination rule-set dst-nat from interface fe-0\/0\/0.0<\/span> # \u043d\u0443 \u0438\u043b\u0438 from zone untrust<\/span>
\nset security nat destination rule-set dst-nat rule HTTP match destination-address 1.1.1.200\/32
\nset security nat destination rule-set dst-nat rule HTTP match destination-port 80
\nset security nat destination rule-set dst-nat rule HTTP then destination-nat pool HTTP
\nset security nat destination rule-set dst-nat rule HTTPs match destination-address 1.1.1.200\/32
\nset security nat destination rule-set dst-nat rule HTTPs match destination-port 443
\nset security nat destination rule-set dst-nat rule HTTPs then destination-nat pool HTTPS
\nset security nat destination rule-set dst-nat rule SMTP match destination-address 1.1.1.200\/32
\nset security nat destination rule-set dst-nat rule SMTP match destination-port 25
\nset security nat destination rule-set dst-nat rule SMTP then destination-nat pool SMTP
\nset security nat destination rule-set dst-nat rule POP3S match destination-address 1.1.1.200\/32
\nset security nat destination rule-set dst-nat rule POP3S match destination-port 995
\nset security nat destination rule-set dst-nat rule POP3S then destination-nat pool POP3S
\nset security nat destination rule-set dst-nat rule POP3 match destination-address 1.1.1.200\/32
\nset security nat destination rule-set dst-nat rule POP3 match destination-port 110
\nset security nat destination rule-set dst-nat rule POP3 then destination-nat pool POP3
\nset security nat destination rule-set dst-nat rule IMAP match destination-address 1.1.1.200\/32
\nset security nat destination rule-set dst-nat rule IMAP match destination-port 143
\nset security nat destination rule-set dst-nat rule IMAP then destination-nat pool IMAP
\nset security nat destination rule-set dst-nat rule IMAPS match destination-address 1.1.1.200\/32
\nset security nat destination rule-set dst-nat rule IMAPS match destination-port 993
\nset security nat destination rule-set dst-nat rule IMAPS then destination-nat pool IMAPS
\nset security nat destination rule-set dst-nat rule NTP match destination-address 1.1.1.200\/32
\nset security nat destination rule-set dst-nat rule NTP match destination-port 123
\nset security nat destination rule-set dst-nat rule NTP then destination-nat pool NTP
\nset security nat destination rule-set dst-nat rule SMTPs match destination-address 1.1.1.200\/32
\nset security nat destination rule-set dst-nat rule SMTPs match destination-port 465
\nset security nat destination rule-set dst-nat rule SMTPs then destination-nat pool SMTPs
\nset security nat destination rule-set dst-nat rule SMTPS match destination-address 1.1.1.200\/32
\nset security nat destination rule-set dst-nat rule SMTPS match destination-port 587
\nset security nat destination rule-set dst-nat rule SMTPS then destination-nat pool SMTPS<\/p>\n

\u0421\u043e\u0437\u0434\u0430\u0435\u043c NAT \u0434\u043b\u044f \u0441\u0435\u0440\u0432\u0435\u0440\u0430<\/strong><\/p>\n

set security nat source rule-set DMZ-to-untrust from zone DMZ
\nset security nat source rule-set DMZ-to-untrust to zone untrust
\nset security nat source rule-set DMZ-to-untrust rule SNAT-DMZ-untrust match source-address 192.168.1.0\/24
\nset security nat source rule-set DMZ-to-untrust rule SNAT-DMZ-untrust match destination-address 0.0.0.0\/0
\nset security nat source rule-set DMZ-to-untrust rule SNAT-DMZ-untrust then source-nat interface<\/p>\n

\u0421\u043e\u0437\u0434\u0430\u0435\u043c \u043f\u043e\u043b\u0438\u0442\u0438\u043a\u0443 \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u0441\u0435\u0440\u0432\u0435\u0440\u0443.<\/strong><\/p>\n

set security address-book global address DMZ-Server 192.168.1.200\/32
\n<\/strong><\/p>\n

set security policies from-zone untrust to-zone DMZ policy untrust-to-DMZ match source-address any
\nset security policies from-zone untrust to-zone DMZ policy untrust-to-DMZ match destination-address DMZ-Server
\nset security policies from-zone untrust to-zone DMZ policy untrust-to-DMZ match application any
\nset security policies from-zone untrust to-zone DMZ policy untrust-to-DMZ then permit<\/p>\n

set security policies from-zone DMZ to-zone untrust policy DMZ-to-untrust match source-address any
\nset security policies from-zone DMZ to-zone untrust policy DMZ-to-untrust match destination-address any
\nset security policies from-zone DMZ to-zone untrust policy DMZ-to-untrust match application any
\nset security policies from-zone DMZ to-zone untrust policy DMZ-to-untrust then permit<\/p>\n

set security zones security-zone DMZ description «DMZ zone»
\nset security zones security-zone DMZ host-inbound-traffic system-services all
\nset security zones security-zone DMZ host-inbound-traffic protocols all
\nset security zones security-zone DMZ interfaces vlan.1<\/p>\n

 <\/p>\n

\u0421\u043e\u0431\u0441\u0442\u0432\u0435\u043d\u043d\u043e \u043d\u0430 \u044d\u0442\u043e\u043c \u043d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0430 \u0437\u0430\u043a\u043e\u043d\u0447\u0435\u043d\u0430. \u0416\u043c\u0435\u043c <\/strong>commit <\/strong>\u0438 \u043d\u0430\u0441\u043b\u0430\u0436\u0434\u0430\u0435\u043c\u0441\u044f \ud83d\ude42<\/strong><\/p>\n

\n

\u0412\u0442\u043e\u0440\u043e\u0439 \u0432\u0430\u0440\u0438\u0430\u043d\u0442 (\u0443\u043f\u0440\u043e\u0449\u0435\u043d\u043d\u044b\u0439) «\u043f\u0440\u043e\u0431\u0440\u043e\u0441\u0430» \u043f\u043e\u0440\u0442\u043e\u0432 \u043d\u0430 \u0441\u0435\u0440\u0432\u0435\u0440 \u0432 trust \u0437\u043e\u043d\u0435.  \u0414\u043e\u043f\u0443\u0441\u0442\u0438\u043c \u0443 \u043d\u0430\u0441 \u043e\u0434\u0438\u043d VLAN \u0441 \u043f\u043e\u0440\u0442\u0430 fe-0\/0\/1 \u0438 \u0434\u043e fe-0\/0\/7, \u043f\u0440\u0438 \u044d\u0442\u043e\u043c \u043f\u043e\u0440\u0442 WAN — fe-0\/0\/0 (\u043a\u0430\u043a \u043d\u0430 \u0440\u0438\u0441\u0443\u043d\u043a\u0435)<\/p>\n

\u041d\u0443\u0436\u043d\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0438\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u043e\u0441\u0442\u044c \u0441\u0435\u0440\u0432\u0435\u0440\u0430 \u0438\u0437\u0432\u043d\u0435 \u043f\u043e \u0434\u0432\u0443\u043c \u043f\u043e\u0440\u0442\u0430\u043c 80 \u0438 443.<\/p>\n

set security nat destination pool HTTP address 192.168.1.200\/32
\nset security nat destination pool HTTP address port 80
\nset security nat destination pool HTTPS address 192.168.1.200\/32
\nset security nat destination pool HTTPS address port 443<\/p>\n

set security nat destination rule-set dst-nat from zone untrust
\nset security nat destination rule-set dst-nat rule HTTP match destination-address 1.1.1.200\/32
\nset security nat destination rule-set dst-nat rule HTTP match destination-port 80
\nset security nat destination rule-set dst-nat rule HTTP then destination-nat pool HTTP
\nset security nat destination rule-set dst-nat rule HTTPs match destination-address 1.1.1.200\/32
\nset security nat destination rule-set dst-nat rule HTTPs match destination-port 443
\nset security nat destination rule-set dst-nat rule HTTPs then destination-nat pool HTTPS<\/p>\n

set security zones security-zone trust address-book address server 192.168.1.200\/32<\/p>\n

set security policies from-zone untrust to-zone trust policy untrust-to-trust2 match source-address any
\nset security policies from-zone untrust to-zone trust policy untrust-to-trust2 match destination-address server
\nset security policies from-zone untrust to-zone trust policy untrust-to-trust2 match application https
\nset security policies from-zone untrust to-zone trust policy untrust-to-trust2 match application http
\nset security policies from-zone untrust to-zone trust policy untrust-to-trust2 then permit<\/p>\n

set applications application http protocol tcp
\nset applications application http destination-port 80
\nset applications application https protocol tcp
\nset applications application https destination-port 443<\/p>\n

\u0412\u0441\u0435, «\u043f\u0440\u043e\u0431\u0440\u043e\u0441» \u0440\u0430\u0431\u043e\u0442\u0430\u0435\u0442.<\/p>\n","protected":false},"excerpt":{"rendered":"

\u0418\u0442\u0430\u043a, \u0438\u043c\u0435\u0435\u043c \u043f\u043e\u0447\u0442\u043e\u0432\u044b\u0439 \u0438 Web \u0441\u0435\u0440\u0432\u0435\u0440 \u0437\u0430 «\u0440\u043e\u0443\u0442\u0435\u0440\u043e\u043c». \u041d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u043e \u043d\u0430\u043b\u0430\u0434\u0438\u0442\u044c \u0435\u0433\u043e \u0440\u0430\u0431\u043e\u0442\u0443 \u0437\u0430 NAT. \u0421\u0435\u0440\u0432\u0435\u0440 \u043f\u043e\u0434\u043a\u043b\u044e\u0447\u0435\u043d \u0432 \u043f\u043e\u0440\u0442 fe-0\/0\/7 ,\u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u044f\u0432\u043b\u044f\u0435\u0442\u0441\u044f \u0447\u043b\u0435\u043d\u043e\u043c  vlan.1 (\u0437\u043e\u043d\u0430 DMZ) \u0414\u043b\u044f \u043d\u0430\u0447\u0430\u043b\u0430 \u0441\u0434\u0435\u043b\u0430\u0435\u043c «\u043f\u0440\u043e\u0431\u0440\u043e\u0441» \u043f\u043e\u0440\u0442\u043e\u0432 \u00ab\u0441\u043d\u0430\u0440\u0443\u0436\u0438\u00bb, \u043f\u0440\u0438 \u044d\u0442\u043e\u043c \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c \u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u043d\u044b\u0435 \u043d\u043e\u043c\u0435\u0440\u0430 \u043f\u043e\u0440\u0442\u043e\u0432 (\u0442.\u0435. \u0442\u0440\u0430\u043d\u0441\u043b\u044f\u0446\u0438\u044f \u043f\u043e\u0440\u0442 \u0432 \u043f\u043e\u0440\u0442). \u0421\u043f\u0435\u0440\u0432\u0430 \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u043e \u0441\u043e\u0437\u0434\u0430\u0442\u044c \u0430\u0434\u0440\u0435\u0441\u043d\u0443\u044e \u0437\u0430\u043f\u0438\u0441\u044c (pool) set security nat destination pool HTTP address […]<\/p>\n","protected":false},"author":1,"featured_media":882,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-356","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-juniper-srx"],"_links":{"self":[{"href":"https:\/\/www.vassiliev.me\/index.php?rest_route=\/wp\/v2\/posts\/356","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.vassiliev.me\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.vassiliev.me\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.vassiliev.me\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.vassiliev.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=356"}],"version-history":[{"count":14,"href":"https:\/\/www.vassiliev.me\/index.php?rest_route=\/wp\/v2\/posts\/356\/revisions"}],"predecessor-version":[{"id":926,"href":"https:\/\/www.vassiliev.me\/index.php?rest_route=\/wp\/v2\/posts\/356\/revisions\/926"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.vassiliev.me\/index.php?rest_route=\/wp\/v2\/media\/882"}],"wp:attachment":[{"href":"https:\/\/www.vassiliev.me\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=356"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.vassiliev.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=356"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.vassiliev.me\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=356"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}