您好,登录后才能下订单哦!
密码登录
登录注册
点击 登录注册 即表示同意《亿速云用户服务条款》
对于不需要做NAT的网段(比如IPSec×××),需要先关闭这些地址的NAT(如果没有则跳过)
set security nat source rule-set trust-untrust rule no-nat match source-address 192.168.0.0/16
set security nat source rule-set trust-untrust rule no-nat match destination-address 10.10.0.0/24
set security nat source rule-set trust-untrust rule no-nat then source-nat off
对于需要上网或者所有的网段(做地址转换的网段),做source-nat
首先定义一个地址池(要转换的公网地址):
set security nat source pool natpool1 address 112.48.20.11/32 to 112.48.20.15/32
set security nat source pool natpool2 address 112.48.20.21/32 to 112.48.20.30/32
配置NAT规则匹配源、目、转换地址池
set security nat source rule-set trust-untrust from zone trust
set security nat source rule-set trust-untrust to zone untrust
//匹配特定的地址进行转换(没有特定可省略)
set security nat source rule-set trust-untrust rule nat1 match source-address 0.0.0.0/0
set security nat source rule-set trust-untrust rule nat1 match destination-address 183.253.58.253/32
set security nat source rule-set trust-untrust rule nat1 then source-nat pool natpool1
//默认所有的源、目地址进行转换
set security nat source rule-set trust-untrust rule nat2 match source-address 0.0.0.0/0
set security nat source rule-set trust-untrust rule nat2 match destination-address 0.0.0.0/0
set security nat source rule-set trust-untrust rule nat2 then source-nat pool natpool2
如果NAT地址池有多个地址,除了接口地址,那么其它地址需要做proxy-arp
set security nat proxy-arp interface ge-0/0/0.0 address 112.48.20.11/32 to 112.48.20.15/32
set security nat proxy-arp interface ge-0/0/0.0 address 112.48.20.21/32 to 112.48.20.30/32
做完这些就可以了? NO! NO! NO!防火墙域间策略不能忘
//首先定义两个地址池,并加入到地址组NET中
set security zones security-zone trust address-book address 192.168.100.0 192.168.100.0/24
set security zones security-zone trust address-book address 192.168.200.0 192.168.200.0/24
set security zones security-zone trust address-book address-set NET address 192.168.100.0
set security zones security-zone trust address-book address-set NET address 192.168.200.0
//将地址组匹配到trust到untrust的策略中,并放行
set security policies from-zone trust to-zone untrust policy 1 match source-address NET
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit
到此,这192.168.100.0和192.168.200.0就可以通过NAT上网了
部分服务器需要映射到公网去,怎么做呢?那么往下看:
//首先创建要映射的服务器地址池(包括IP地址和端口)
set security nat destination pool 1 address 192.168.168.168/32
set security nat destination pool 1 address port 443
//创建Destination NAT规则要映射的服务器地址池(包括IP地址和端口)
set security nat destination rule-set desnat from zone untrust
set security nat destination rule-set desnat to zone trust
set security nat destination rule-set desnat rule server1 match source-address 0.0.0.0/0
//匹配访问112.48.20.2的4430端口转换到内网服务器的443端口
set security nat destination rule-set desnat rule server1 match destination-address 112.48.20.2/32
set security nat destination rule-set desnat rule server1 match destination-port 4430
set security nat destination rule-set desnat rule server1 then destination-nat pool 1
还有必不可少的防火墙域间策略
//创建内网服务器地址组及端口
set security zones security-zone trust address-book address server1 192.168.168.168/32
set applications application Service_4430 term Service_4430 protocol tcp
set applications application Service_4430 term Service_4430 source-port 0-65535
set applications application Service_4430 term Service_4430 destination-port 4430-4430
//创建untrust到trust的策略,目前地址匹配内网服务器地址及端口
set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address server1
set security policies from-zone untrust to-zone trust policy 1 match application Service_4430
set security policies from-zone untrust to-zone trust policy 1 then permit
至此,外网就可以使用http://112.48.20.2:4430/访问内网的服务器了
还有一个问题,此时内网的用户却不能使用这个公网地址访问内部的服务器,这个需要在NAT上再做一个内部的地址转换,如下:
//创建一个源地址映射的地址池(内部服务器映射的地址)
set security nat source pool sorpool4 address 112.48.20.2/32
//创建trust到trust的策略如下
set security nat source rule-set trust-trust from zone trust
set security nat source rule-set trust-trust to zone trust
set security nat source rule-set trust-trust rule server1 match source-address 0.0.0.0/0
set security nat source rule-set trust-trust rule server1 match destination-address 192.168.168.168/32
set security nat source rule-set trust-trust rule server1 match destination-port 443
set security nat source rule-set trust-trust rule server1 then source-nat pool sorpool4
至此,内网也可以通过公网地址访问内部服务器了!!!
如有雷同,纯属巧合,欢迎指正!
免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。