示例图
一.实验目的
1.配置公网用户通过NAPT和NAT Server访问内部服务器
二.注意事项
1.NAT Server功能要配置正确
2.由于提供FTP服务,要开启NAT ALG功能(FTP在控制通道的报文载荷中协商数据通道的地址和端口,需要ALG对其进行转换并放行数据连接,对应下文配置中的detect ftp)
三.简单配置
FW1
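# NOTE: lines of the form "# text" are reviewer annotations for the reader, not
# device output; a bare "#" is the section separator of the original listing.
sysname FW1
#
# Public-facing interface; added to zone untrust below.
interface GigabitEthernet1/0/1
 ip address 1.1.1.1 255.255.255.0
#
# Server-facing interface; added to zone dmz below.
interface GigabitEthernet1/0/2
 ip address 10.2.0.1 255.255.255.0
#
firewall zone local
 set priority 100
#
# No interface is added to trust in this listing.
firewall zone trust
 set priority 85
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/2
#
# FTP inspection between dmz and untrust. This is what lets the data channel
# through without a wide port range being permitted in the security policy.
firewall interzone dmz untrust
 detect ftp
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
#
firewall detect ftp
#
# Published services on the shared public address 1.1.1.10.
# HTTP: public port 8080 -> 10.2.0.2 port www.
# FTP: the original listing gave no port on either side of this mapping, unlike
# policy_HTTP. If accepted in that form it would publish every TCP port of
# 10.2.0.3, so the mapping is pinned to the ftp control port here and the data
# channel is left to "detect ftp".
# unr-route: presumably installs a route for the global address to avoid
# forwarding loops; confirm against the platform documentation.
nat server policy_HTTP protocol tcp global 1.1.1.10 8080 inside 10.2.0.2 www unr-route
nat server policy_ftp protocol tcp global 1.1.1.10 ftp inside 10.2.0.3 ftp unr-route
#
# Source-NAT pool (PAT) used for inbound sessions by policy_nat1 below.
nat address-group addressgroup1 0
 mode pat
 route enable
 section 0 10.2.0.10 10.2.0.15
#
# Least privilege: the original rule permitted every service from untrust to
# the whole of 10.2.0.0/24. AR1's default route points at this firewall, so
# packets addressed directly to any DMZ host would reach it and match that rule.
# The rule is narrowed to the two published servers and the two published
# services, the same match that policy_nat1 already uses.
security-policy
 rule name policy1
  source-zone untrust
  destination-zone dmz
  destination-address range 10.2.0.2 10.2.0.3
  service ftp
  service http
  action permit
#
# Inbound source NAT: client addresses are rewritten to 10.2.0.10-10.2.0.15
# before reaching the servers. The servers' own logs will therefore show pool
# addresses, not the real client IP, so keep the firewall's session/NAT logs to
# attribute requests during an investigation.
nat-policy
 rule name policy_nat1
  source-zone untrust
  destination-zone dmz
  destination-address range 10.2.0.2 10.2.0.3
  service ftp
  service http
  action source-nat address-group addressgroup1
#
return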
AR1
# NOTE: lines of the form "# text" are reviewer annotations for the reader, not
# device output; a bare "#" is the section separator of the original listing.
sysname AR1
#
# Link towards FW1's outside interface; FW1's default route uses 1.1.1.254 as next hop.
interface GigabitEthernet0/0/0
 ip address 1.1.1.254 255.255.255.0
#
# Second segment, 2.2.2.0/24. Presumably where the lab's public-side client
# sits; the page does not show it.
interface GigabitEthernet0/0/1
 ip address 2.2.2.1 255.255.255.0
#
# Default route via FW1: AR1 hands every destination it has no more specific
# route for to the firewall, including 10.2.0.0/24 itself. FW1's security policy
# is therefore the control that limits which DMZ hosts and services are reachable.
ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
#
return