Firewall bidirectional NAT: server deployed at layer 2, providing services without a configured gateway

Environment: Server1 is the server providing FTP and HTTP services to the outside, AR1 is the public-network device, and Client1 is a public-network user accessing the services provided by Server1.
Bidirectional NAT is deployed on the firewall so that the server only needs a basic address, with no gateway configured, to provide services externally. I am not sure what use this has in a production network.

Firewall configuration:

!Software Version V500R005C10SPC300
#
sysname FW
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 100.0.0.1 255.255.255.252
 service-manage ping permit
#
interface GigabitEthernet1/0/6
 undo shutdown
 ip address 192.168.10.254 255.255.255.0
 service-manage ping permit
#
firewall interzone trust untrust
 detect ftp
#
firewall detect ftp
#
nat address-group SNAT_Server 0  // address pool for the source NAT; an unused address in the server subnet is used here
 mode pat
 section 0 192.168.10.100 192.168.10.100
#
#
security-policy
 rule name Trust_Untrust
  source-zone trust
  destination-zone untrust
  action permit
 rule name Untrust_Trust_Server
  source-zone untrust
  destination-zone trust
  destination-address 192.168.10.1 mask 255.255.255.255
  action permit
#
nat-policy
 rule name Server_DNAT&SNAT
  source-zone untrust
  destination-address 100.0.0.1 mask 255.255.255.255
  service ftp
  service http
  action source-nat address-group SNAT_Server
  action destination-nat address 192.168.10.1
#
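To make the traffic flow concrete, here is a small Python model (added here; it is not from the original post or from Huawei) of the Server_DNAT&SNAT rule: it translates an inbound request, checks that the server's reply target lies in the server's own /24, and then reverses both translations from the session table. The client address 203.0.113.10 and the PAT port range are constructed values.

```python
import ipaddress
from dataclasses import dataclass

# Addresses taken from the firewall configuration above.
PUBLIC_IF = "100.0.0.1"        # GigabitEthernet1/0/0, the address the nat-policy matches
SERVER_REAL = "192.168.10.1"   # Server1: address and mask only, no gateway
SNAT_POOL = "192.168.10.100"   # nat address-group SNAT_Server, inside the server's subnet
SERVER_SUBNET = ipaddress.ip_network("192.168.10.0/24")
NAT_SERVICES = {21, 80}        # service ftp / service http

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class BidirectionalNat:
    """Models rule Server_DNAT&SNAT: destination NAT to Server1 plus PAT source NAT."""
    def __init__(self):
        self.sessions = {}      # PAT port -> (original client address, client port)
        self.next_port = 10000  # constructed starting port for the PAT pool

    def inbound(self, pkt):
        """Untrust -> trust. Returns the translated packet, or None if the rule does not match."""
        if pkt.dst != PUBLIC_IF or pkt.dport not in NAT_SERVICES:
            return None
        port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[port] = (pkt.src, pkt.sport)
        return Packet(SNAT_POOL, port, SERVER_REAL, pkt.dport)

    def outbound(self, reply):
        """Server reply -> firewall undoes both translations using its session table."""
        client, client_port = self.sessions[reply.dport]
        return Packet(PUBLIC_IF, reply.sport, client, client_port)

def server_needs_gateway(reply_dst):
    """Without a default route Server1 can only reach hosts inside its own subnet."""
    return ipaddress.ip_address(reply_dst) not in SERVER_SUBNET

def trace(client_ip, client_port, dport):
    """Walk one request/reply through the firewall; returns (to_server, reply, to_client)."""
    nat = BidirectionalNat()
    to_server = nat.inbound(Packet(client_ip, client_port, PUBLIC_IF, dport))
    if to_server is None:       # e.g. SSH: not in the nat-policy, so left untranslated
        return None
    assert not server_needs_gateway(to_server.src)   # reply target is on-link for Server1
    reply = Packet(SERVER_REAL, dport, to_server.src, to_server.sport)
    return to_server, reply, nat.outbound(reply)
```

Because every client is rewritten to 192.168.10.100 before it reaches Server1, the server's own access logs no longer record real client addresses; the firewall session table becomes the only record of that mapping, which matters during an incident investigation.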
Packet capture results

I also don't know whether anyone uses this scenario in a production network; I came across it by chance in HedEx.
