I have an L2TP server on my LAN that I want to reach from the WAN, with a Juniper SRX between the two networks. I had some success following this post: https://forums.juniper.net/t5/SRX-Services-Gateway/Destination-NAT-Port-Forwarding-Passthrough-for-VPN/td-p/264271
However, while this lets me connect to the PPTP server on port 1723, I cannot reach L2TP from outside the local network. These are the relevant parts of my configuration, where 111.111.111.111 is the public address of the interface in the untrust zone:
Destination NAT:
destination {
    pool pptp-pool {
        address 192.168.2.48/32 port 1723;
    }
    pool p500 {
        address 192.168.2.48/32 port 500;
    }
    pool p4500 {
        address 192.168.2.48/32 port 4500;
    }
    pool p1701 {
        address 192.168.2.48/32 port 1701;
    }
    rule-set l2tp-vpn {
        from interface ge-0/0/6.0;
        rule r500 {
            match {
                destination-address 111.111.111.111/32;
                destination-port {
                    500;
                }
            }
            then {
                destination-nat {
                    pool {
                        p500;
                    }
                }
            }
        }
        rule r1701 {
            match {
                destination-address 111.111.111.111/32;
                destination-port {
                    1701;
                }
            }
            then {
                destination-nat {
                    pool {
                        p1701;
                    }
                }
            }
        }
        rule 4500 {
            match {
                destination-address 111.111.111.111/32;
                destination-port {
                    4500;
                }
            }
            then {
                destination-nat {
                    pool {
                        p4500;
                    }
                }
            }
        }
        rule r1723 {
            match {
                destination-address 111.111.111.111/32;
                destination-port {
                    1723;
                }
            }
            then {
                destination-nat {
                    pool {
                        pptp-pool;
                    }
                }
            }
        }
    }
}
Security policies:
    from-zone untrust to-zone trust {
        policy vpn-access {
            match {
                source-address any;
                destination-address pd-nas;
                application any;
            }
            then {
                permit;
            }
        }
        policy untrust-to-trust {
            match {
                source-address any;
                destination-address any;
                application any;
                source-identity any;
            }
            then {
                deny;
            }
        }
    }
}
Address book from the trust zone:
security-zone trust {
    address-book {
        address pd-nas 192.168.2.48/32;
    }
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
}
Why does this setup only work for the PPTP service? Do I need some additional configuration to enable forwarding to the L2TP server?
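An added example, not from the poster or from Juniper: a small Python script that parses the Junos brace syntax used above and cross-checks the three stanzas against each other, which is the first thing to verify before looking at the protocol itself. It builds a map of destination-NAT rule to pool to address:port, flags a rule whose matched port differs from its pool's port or whose pool is undefined, and checks that the pool address is reachable through a permit policy via the zone address book. The sample configuration is constructed from the post but trimmed to a single pool and rule; `parse_junos`, `forwarding_map` and `audit` are names chosen for this example.

```python
# Constructed sample (not the poster's exact file): one destination-NAT
# pool and rule, the permit policy and the trust address book, as posted.
SAMPLE = """
destination {
    pool p4500 {
        address 192.168.2.48/32 port 4500;
    }
    rule-set l2tp-vpn {
        rule r4500 {
            match {
                destination-address 111.111.111.111/32;
                destination-port {
                    4500;
                }
            }
            then {
                destination-nat {
                    pool {
                        p4500;
                    }
                }
            }
        }
    }
}
policies {
    from-zone untrust to-zone trust {
        policy vpn-access {
            match {
                source-address any;
                destination-address pd-nas;
                application any;
            }
            then {
                permit;
            }
        }
    }
}
security-zone trust {
    address-book {
        address pd-nas 192.168.2.48/32;
    }
}
"""


def parse_junos(text):
    """Junos curly-brace syntax -> nested dicts; '...;' statements land in the enclosing node's '_leaves'."""
    root = {}
    stack = [root]
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            # open a child node named by the statement before the brace
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line.endswith(";"):
            stack[-1].setdefault("_leaves", []).append(line[:-1].strip())
        else:
            raise ValueError(f"unparsable line: {line!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def forwarding_map(cfg):
    """{rule name: (matched port, pool name, pool address, pool port)} for every destination-NAT rule."""
    dst = cfg["destination"]
    pools = {}
    for key, node in dst.items():
        if key.startswith("pool "):
            addr, _, port = node["_leaves"][0].split()[1:]  # "address A port P"
            pools[key.split()[1]] = (addr, int(port))
    out = {}
    for key, rs in dst.items():
        if key.startswith("rule-set "):
            for rkey, rule in rs.items():
                if rkey.startswith("rule "):
                    port = int(rule["match"]["destination-port"]["_leaves"][0])
                    pool = rule["then"]["destination-nat"]["pool"]["_leaves"][0]
                    out[rkey.split()[1]] = (port, pool) + pools.get(pool, (None, None))
    return out


def audit(cfg):
    """Findings: port mismatch, undefined pool, or a pool address no permit policy reaches."""
    book = {}  # address-book name -> prefix, across all zones
    for key, node in cfg.items():
        if key.startswith("security-zone "):
            for leaf in node.get("address-book", {}).get("_leaves", []):
                book[leaf.split()[1]] = leaf.split()[2]
    reachable = set()  # prefixes (or "any") named by a permit policy
    for pair in cfg.get("policies", {}).values():
        for pol in pair.values():
            if isinstance(pol, dict) and "permit" in pol["then"]["_leaves"]:
                for leaf in pol["match"]["_leaves"]:
                    if leaf.startswith("destination-address "):
                        reachable.add(book.get(leaf.split()[1], leaf.split()[1]))
    findings = []
    for rule, (port, pool, addr, pport) in forwarding_map(cfg).items():
        if pport is None:
            findings.append(f"{rule}: pool {pool} is not defined")
        elif port != pport:
            findings.append(f"{rule}: matches {port} but pool {pool} forwards to {pport}")
        if addr and addr not in reachable and "any" not in reachable:
            findings.append(f"{rule}: no permit policy covers {addr}")
    return findings
```

On the posted stanzas the rules, pools and the `vpn-access` policy are mutually consistent, so `audit(parse_junos(SAMPLE))` returns no findings; editing a pool port or replacing `permit` with `deny` in the sample produces a finding, which is the kind of slip this check is meant to catch before the question moves on to how the VPN protocol itself behaves through NAT.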