labunix's blog

labunix's Lab Unix

Trying ssh port forwarding with NAPT on the IX2015.

■Trying ssh port forwarding with NAPT on the IX2015.
 The ssh target is the management IP of the SRX100H.

 I tried out the IX2015.
 http://labunix.hateblo.jp/entry/20160310/1457620532

■First, enable icmp.

ip access-list management permit icmp src any dest any

Router(config)# show ip access-list management
IPv4 access list management - 3 entries, 23 hits, 113 refs
Codes: p - Permit, d - Deny
p  172.16.16.88/32 > any
     tcp, sport any, dport any, tos any, 0 hits
p  172.16.16.88/32 > any
     udp, sport any, dport any, tos any, 1 hits
p  any > any
     icmp, tos any, 22 hits

Router(config)# ping 172.16.16.88 count 1
PING 172.16.16.254 > 172.16.16.88 56 data bytes
64 bytes from 172.16.16.88: icmp_seq=0. time=0.268 ms

--- 172.16.16.88 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip (ms)  min/avg/max = 0.268/0.268/0.268

■Configure in the Fa0/1.0 -> Fa0/0.0 direction.
 Normally it would be the other way around, but never mind.

Router(config)# show ip address 
Interface FastEthernet0/0.0 is up, line protocol is up
  Internet address is 10.26.7.2/8
  Broadcast address is 255.255.255.255
  Address determined by config
Interface FastEthernet0/1.0 is up, line protocol is up
  Internet address is 172.16.16.254/24
  Broadcast address is 255.255.255.255
  Address determined by config
Interface Null0.0 is up, line protocol is up
  Interface is unnumbered.

■For the NAPT configuration, refer to the manual.

 Configuration examples collection
 http://jpn.nec.com/univerge/ix/Manual/

ip route default 172.16.16.88
ip ufs-cache enable
interface FastEthernet0/1.0
  ip napt enable
  ip napt service ssh 10.26.7.3 none tcp 22
exit
write memory

■Checking the routing

# show ip route 
IP Routing Table - 3 entries, 2044 frees
Codes: C - Connected, S - Static, R - RIP, O - OSPF, IA - OSPF inter area
       E1 - OSPF external type 1, E2 - OSPF external type 2, B - BGP
       * - Candidate default, s - Summary
Timers: Age
S*   0.0.0.0/0 [1/1] is directly connected, FastEthernet0/1.0, 0:57:51
                     via 172.16.16.88, FastEthernet0/1.0, 0:57:51
C    10.0.0.0/8 [0/1] is directly connected, FastEthernet0/0.0, 1:17:14
     172.16.0.0/16 is subnetted, 1 subnets
C      172.16.16.0/24 [0/1] is directly connected, FastEthernet0/1.0, 1:23:23

■Checking the UFS cache

# show ip ufs-cache 
IPv4 UFS Cache - 0 entries, 4096 frees, 74 flybys, 0 overflows
Codes: * - L3 cache, f - Filter, n - NAT/NAPT, s - IPsec, v - SIP Filter,
       q - QoS

■Checking the NAPT translation table

# show ip napt translation 
Interface: FastEthernet0/1.0
NAPT Cache - 4 entry, 4092 free, 6 peak, 6 create, 0 overflow
Codes: A - ALG, S - Static, Service
  Prot Inside Address:Port   Outside Address:Port  Dest Address:Port     Time
S tcp  10.26.7.3:22          172.16.16.254:22      172.16.16.88:53797    396   
S tcp  10.26.7.3:22          172.16.16.254:22      172.16.16.88:53804    429   
S tcp  10.26.7.3:22          172.16.16.254:22      172.16.16.88:53805    429   
S tcp  10.26.7.3:22          172.16.16.254:22      172.16.16.88:53807    502   

# show ip napt statistics
...
NAPT Service - 1 entries
Prot Address:Port          Service Port   OutPkt    InPkt
tcp  10.26.7.3:22          22                 53       82
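
An added example, not part of the original post: a Python audit of the "show ip napt translation" output above that reports which static service mappings expose a management port and which peers reached it from outside an allow-list. The function names, the allow-list (172.16.16.88/32, the host permitted in the management access list) and the third sample row (peer 172.16.16.77) are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import namedtuple

Entry = namedtuple("Entry", "code proto inside outside peer timer")

# One table row: optional code (A/S), protocol, three addr:port pairs, timer.
ROW = re.compile(
    r"^(?P<code>[AS])?\s*(?P<proto>tcp|udp|icmp)\s+(?P<inside>\S+:\d+)\s+"
    r"(?P<outside>\S+:\d+)\s+(?P<peer>\S+:\d+)\s+(?P<timer>\d+)\s*$"
)

def split_hp(s):
    host, port = s.rsplit(":", 1)
    return ipaddress.ip_address(host), int(port)

def parse_napt_table(text):
    """Parse translation rows; banner and header lines do not match ROW."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            entries.append(Entry(m["code"] or "", m["proto"], split_hp(m["inside"]),
                                 split_hp(m["outside"]), split_hp(m["peer"]),
                                 int(m["timer"])))
    return entries

def audit(entries, allowed_peers, mgmt_ports=(22, 23, 80, 443)):
    """Return (static mappings exposing a management port, sessions from peers off the allow-list)."""
    nets = [ipaddress.ip_network(n) for n in allowed_peers]
    exposed, violations = set(), []
    for e in entries:
        if e.code == "S" and e.inside[1] in mgmt_ports:
            exposed.add((e.outside, e.inside))
            if not any(e.peer[0] in n for n in nets):
                violations.append(e)
    return exposed, violations

# Constructed sample: two rows from the output above plus one invented peer (.77).
SAMPLE = """\
  Prot Inside Address:Port   Outside Address:Port  Dest Address:Port     Time
S tcp  10.26.7.3:22          172.16.16.254:22      172.16.16.88:53797    396
S tcp  10.26.7.3:22          172.16.16.254:22      172.16.16.88:53804    429
S tcp  10.26.7.3:22          172.16.16.254:22      172.16.16.77:40112    12
"""

if __name__ == "__main__":
    print(audit(parse_napt_table(SAMPLE), ["172.16.16.88/32"]))
```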

■Configure ssh on the SRX.

configure
set system login user labunix class super-user
set system login user labunix authentication plain-text-password
commit and-quit

configure
set interfaces vlan unit 0 family inet address 10.26.7.3/24
set routing-options static route 0.0.0.0/0 next-hop 10.26.7.2
commit and-quit

> show configuration | display set | match "vlan|routing"
set system services web-management http interface vlan.0
set system services web-management https interface vlan.0
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces vlan unit 0 family inet address 10.26.7.3/24
set routing-options static route 0.0.0.0/0 next-hop 10.26.7.2
set security zones security-zone trust interfaces vlan.0
set security zones security-zone vlan-trust host-inbound-traffic system-services all
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0

$ ssh 172.16.16.254
Warning: Permanently added '172.16.16.254' (ECDSA) to the list of known hosts.
Password:
--- JUNOS 12.1X46-D40.2 built 2015-09-26 02:25:28 UTC

labunix> 

labunix> exit 

Connection to 172.16.16.254 closed.
labunix@ibm-amddebian:~$ ssh 172.16.16.254
Password:
--- JUNOS 12.1X46-D40.2 built 2015-09-26 02:25:28 UTC
labunix> show interfaces vlan.0 terse 
Interface               Admin Link Proto    Local                 Remote
vlan.0                  up    up   inet     10.26.7.3/24