■Trying ssh port forwarding through NAPT on the IX2015.
ssh goes to the management IP of the SRX100H.
Earlier post: I tried out the IX2015.
http://labunix.hateblo.jp/entry/20160310/1457620532
■First, enable icmp.
ip access-list management permit icmp src any dest any
Router(config)# show ip access-list management
IPv4 access list management - 3 entries, 23 hits, 113 refs
Codes: p - Permit, d - Deny
p 172.16.16.88/32 > any
tcp, sport any, dport any, tos any, 0 hits
p 172.16.16.88/32 > any
udp, sport any, dport any, tos any, 1 hits
p any > any
icmp, tos any, 22 hits
Router(config)# ping 172.16.16.88 count 1
PING 172.16.16.254 > 172.16.16.88 56 data bytes
64 bytes from 172.16.16.88: icmp_seq=0. time=0.268 ms
--- 172.16.16.88 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip (ms) min/avg/max = 0.268/0.268/0.268
■Configured in the Fa0/1.0 -> Fa0/0.0 direction.
Normally it would be the other way round, but never mind.
Router(config)# show ip address
Interface FastEthernet0/0.0 is up, line protocol is up
Internet address is 10.26.7.2/8
Broadcast address is 255.255.255.255
Address determined by config
Interface FastEthernet0/1.0 is up, line protocol is up
Internet address is 172.16.16.254/24
Broadcast address is 255.255.255.255
Address determined by config
Interface Null0.0 is up, line protocol is up
Interface is unnumbered.
■The NAPT configuration follows the manual.
Configuration examples
http://jpn.nec.com/univerge/ix/Manual/
ip route default 172.16.16.88
ip ufs-cache enable
interface FastEthernet0/1.0
ip napt enable
ip napt service ssh 10.26.7.3 none tcp 22
exit
write memory
■Checking the routing
IP Routing Table - 3 entries, 2044 frees
Codes: C - Connected, S - Static, R - RIP, O - OSPF, IA - OSPF inter area
E1 - OSPF external type 1, E2 - OSPF external type 2, B - BGP
* - Candidate default, s - Summary
Timers: Age
S* 0.0.0.0/0 [1/1] is directly connected, FastEthernet0/1.0, 0:57:51
via 172.16.16.88, FastEthernet0/1.0, 0:57:51
C 10.0.0.0/8 [0/1] is directly connected, FastEthernet0/0.0, 1:17:14
172.16.0.0/16 is subnetted, 1 subnets
C 172.16.16.0/24 [0/1] is directly connected, FastEthernet0/1.0, 1:23:23
■Checking the UFS cache
IPv4 UFS Cache - 0 entries, 4096 frees, 74 flybys, 0 overflows
Codes: * - L3 cache, f - Filter, n - NAT/NAPT, s - IPsec, v - SIP Filter,
q - QoS
■Checking the NAPT translation table
Interface: FastEthernet0/1.0
NAPT Cache - 4 entry, 4092 free, 6 peak, 6 create, 0 overflow
Codes: A - ALG, S - Static, Service
Prot Inside Address:Port Outside Address:Port Dest Address:Port Time
S tcp 10.26.7.3:22 172.16.16.254:22 172.16.16.88:53797 396
S tcp 10.26.7.3:22 172.16.16.254:22 172.16.16.88:53804 429
S tcp 10.26.7.3:22 172.16.16.254:22 172.16.16.88:53805 429
S tcp 10.26.7.3:22 172.16.16.254:22 172.16.16.88:53807 502
...
NAPT Service - 1 entries
Prot Address:Port Service Port OutPkt InPkt
tcp 10.26.7.3:22 22 53 82
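As an added example (not from the post, and not NEC's or Juniper's code), a small Python check over the NAPT cache and service tables shown above: it parses the rows, lists any published inside address/port that is not on an allowlist, and counts which peers have used the static ssh entry. The sample text is constructed from the output in the post, with one extra dynamic row added; the whitespace-separated column layout shown above is assumed.

```python
import re
from collections import Counter

# Constructed sample, modelled on the "show ip napt translation" output in the post;
# the third cache row (a dynamic, non-static entry) is added to exercise the parser.
SAMPLE = """\
Interface: FastEthernet0/1.0
NAPT Cache - 4 entry, 4092 free, 6 peak, 6 create, 0 overflow
Codes: A - ALG, S - Static, Service
Prot Inside Address:Port Outside Address:Port Dest Address:Port Time
S tcp 10.26.7.3:22 172.16.16.254:22 172.16.16.88:53797 396
S tcp 10.26.7.3:22 172.16.16.254:22 172.16.16.88:53804 429
  tcp 10.26.7.3:44321 172.16.16.254:60001 172.16.16.88:443 60
NAPT Service - 1 entries
Prot Address:Port Service Port OutPkt InPkt
tcp 10.26.7.3:22 22 53 82
"""

# One translation-cache row: optional code letters, protocol, three addr:port columns, age.
CACHE_RE = re.compile(
    r"^\s*([AS]*)\s*(tcp|udp|icmp)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)\s*$")
# One "NAPT Service" row: protocol, inside addr:port, published port, packet counters.
SERVICE_RE = re.compile(r"^\s*(tcp|udp)\s+(\S+):(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_services(output):
    """Static service entries as {(proto, inside_ip, inside_port): published_port}."""
    services = {}
    for line in output.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            services[(m[1], m[2], int(m[3]))] = int(m[4])
    return services

def parse_cache(output):
    """Every translation row as a dict; 'static' is True for rows flagged S."""
    entries = []
    for line in output.splitlines():
        m = CACHE_RE.match(line)
        if m:
            entries.append({"static": "S" in m[1], "proto": m[2],
                            "inside": (m[3], int(m[4])), "outside": (m[5], int(m[6])),
                            "peer": (m[7], int(m[8])), "age": int(m[9])})
    return entries

def audit(output, allowed):
    """Report published services not in `allowed` and which peers hit the static entries."""
    unexpected = sorted(k for k in parse_services(output) if k not in allowed)
    peers = Counter(e["peer"][0] for e in parse_cache(output) if e["static"])
    return {"unexpected": unexpected, "peers": dict(peers)}
```

Run `audit(SAMPLE, {("tcp", "10.26.7.3", 22)})` against fresh `show ip napt translation` output to confirm that only the intended ssh entry is published and to see which hosts have connected through it.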
■Configure ssh on the SRX.
configure
set system login user labunix class super-user
set system login user labunix authentication plain-text-password
commit and-quit
configure
set interfaces vlan unit 0 family inet address 10.26.7.3/24
set routing-options static route 0.0.0.0/0 next-hop 10.26.7.2
commit and-quit
> show configuration | display set | match "vlan|routing"
set system services web-management http interface vlan.0
set system services web-management https interface vlan.0
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces vlan unit 0 family inet address 10.26.7.3/24
set routing-options static route 0.0.0.0/0 next-hop 10.26.7.2
set security zones security-zone trust interfaces vlan.0
set security zones security-zone vlan-trust host-inbound-traffic system-services all
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
$ ssh 172.16.16.254
Warning: Permanently added '172.16.16.254' (ECDSA) to the list of known hosts.
Password:
--- JUNOS 12.1X46-D40.2 built 2015-09-26 02:25:28 UTC
labunix>
labunix> exit
Connection to 172.16.16.254 closed.
labunix@ibm-amddebian:~$ ssh 172.16.16.254
Password:
--- JUNOS 12.1X46-D40.2 built 2015-09-26 02:25:28 UTC
labunix> show interfaces vlan.0 terse
Interface Admin Link Proto Local Remote
vlan.0 up up inet 10.26.7.3/24