对于不需要做NAT的网段(比如IPSec×××),需要先关闭这些地址的NAT(如果没有则跳过)
成都创新互联公司专业为企业提供大理州网站建设、大理州做网站、大理州网站设计、大理州网站制作等企业网站建设、网页设计与制作、大理州企业网站模板建站服务,十余年大理州做网站经验,不只是建网站,更提供有价值的思路和整体网络服务。
set security nat source rule-set trust-untrust rule no-nat match source-address 192.168.0.0/16
set security nat source rule-set trust-untrust rule no-nat match destination-address 10.10.0.0/24
set security nat source rule-set trust-untrust rule no-nat then source-nat off
对于需要上网或者所有的网段(做地址转换的网段),做source-nat
首先定义一个地址池(要转换的公网地址):
set security nat source pool natpool1 address 112.48.20.11/32 to 112.48.20.15/32
set security nat source pool natpool2 address 112.48.20.21/32 to 112.48.20.30/32
配置NAT规则匹配源、目、转换地址池
set security nat source rule-set trust-untrust from zone trust
set security nat source rule-set trust-untrust to zone untrust
//匹配特定的地址进行转换(没有特定可省略)
set security nat source rule-set trust-untrust rule nat1 match source-address 0.0.0.0/0
set security nat source rule-set trust-untrust rule nat1 match destination-address 183.253.58.253/32
set security nat source rule-set trust-untrust rule nat1 then source-nat pool natpool1
//默认所有的源、目地址进行转换
set security nat source rule-set trust-untrust rule nat2 match source-address 0.0.0.0/0
set security nat source rule-set trust-untrust rule nat2 match destination-address 0.0.0.0/0
set security nat source rule-set trust-untrust rule nat2 then source-nat pool natpool2
如果NAT地址池有多个地址,除了接口地址,那么其它地址需要做proxy-arp
set security nat proxy-arp interface ge-0/0/0.0 address 112.48.20.11/32 to 112.48.20.15/32
set security nat proxy-arp interface ge-0/0/0.0 address 112.48.20.21/32 to 112.48.20.30/32
做完这些就可以了? NO! NO! NO!防火墙域间策略不能忘
//首先定义两个地址池,并加入到地址组NET中
set security zones security-zone trust address-book address192.168.100.0 192.168.100.0/24
set security zones security-zone trust address-book address192.168.200.0 192.168.200.0/24
set security zones security-zone trust address-book address-setNET address192.168.100.0
set security zones security-zone trust address-book address-setNET address192.168.200.0
//将地址组匹配到trust到untrust的策略中,并放行
set security policies from-zone trust to-zone untrust policy1 match source-addressNET
set security policies from-zone trust to-zone untrust policy1 match destination-address any
set security policies from-zone trust to-zone untrust policy1 match application any
set security policies from-zone trust to-zone untrust policy1 then permit
到此,这192.168.100.0和192.168.200.0就可以通过NAT上网了
部分服务器需要映射到公网去,怎么做呢?那么往下看:
//首先创建要映射的服务器地址池(包括IP地址和端口)
set security nat destination pool1 address 192.168.168.168/32
set security nat destination pool1 address port 443
//创建Destination NAT规则要映射的服务器地址池(包括IP地址和端口)
set security nat destination rule-set desnat from zoneuntrust
set security nat destination rule-set desnatto zone trust
set security nat destination rule-set desnat ruleserver1 match source-address 0.0.0.0/0
//匹配访问112.48.20.2的4430端口转换到内网服务器的443端口
set security nat destination rule-set desnat ruleserver1 match destination-address 112.48.20.2/32
set security nat destination rule-set desnat ruleserver1 match destination-port4430
set security nat destination rule-set desnat ruleserver1 then destination-nat pool 1
还有必不可少的防火墙域间策略
//创建内网服务器地址组及端口
set security zones security-zone trust address-book addressserver1 192.168.168.168/32
set applications application Service_4430 term Service_4430 protocol tcp
set applications application Service_4430 term Service_4430 source-port 0-65535
set applications application Service_4430 term Service_4430 destination-port4430-4430
//创建untrust到trust的策略,目前地址匹配内网服务器地址及端口
set security policies from-zone untrust to-zone trust policy1 match source-address any
set security policies from-zone untrust to-zone trust policy1 match destination-addressserver1
set security policies from-zone untrust to-zone trust policy1 match application Service_4430
set security policies from-zone untrust to-zone trust policy1 then permit
至此,外网就可以使用http://112.48.20.2:4430/访问内网的服务器了
还有一个问题,此时内网的用户却不能使用这个公网地址访问内部的服务器,这个需要在NAT上再做一个内部的地址转换,如下:
//创建一个源地址映射的地址池(内部服务器映射的地址)
set security nat source pool sorpool4 address 112.48.20.2/32
//创建trust到trust的策略如下
set security nat source rule-set trust-trust from zone trust
set security nat source rule-set trust-trust to zone trust
set security nat source rule-set trust-trust ruleserver1 match source-address 0.0.0.0/0
set security nat source rule-set trust-trust ruleserver1 match destination-address192.168.168.168/32
set security nat source rule-set trust-trust rule server1 match destination-port443
set security nat source rule-set trust-trust rule server1 then source-nat pool sorpool4
至此,内网也可以通过公网地址访问内部服务器了!!!
如有雷同,纯属巧合,欢迎指正!