![Figure 1 - 3.8 Firewall static destination NAT - 大赛人网](https://www.dsrw.com/wp-content/uploads/2023/09/图片91.png)
1. Firewall destination NAT, static one-to-one, A2A (address-to-address)
1) Configure the inter-zone security policy on FW1
```
security-policy
rule name un_2_t
source-zone untrust
destination-zone trust
destination-address 192.168.1.201 32
destination-address 192.168.1.202 32
action permit
```
2) Configure the NAT policy on FW1 (no destination zone is needed; addresses map one-to-one)
```
nat-policy
rule name policy-dnat01
source-zone untrust
destination-address range 12.1.1.201 12.1.1.201
action destination-nat static address-to-address address 192.168.1.201
```
3) Configure a static default route on FW1
```
ip route-static 0.0.0.0 0.0.0.0 12.1.1.2
```
4) The public-network client accesses the private-network server
![Figure 2 - 3.8 Firewall static destination NAT - 大赛人网](https://www.dsrw.com/wp-content/uploads/2023/09/图片92-1024x508.png)
5) Check the firewall session table
```
display firewall session table all
http VPN: public --> public 200.1.1.1:2052 --> 12.1.1.201:80[192.168.1.201:80]
```
6) Configure the NAT policy on FW1 (translated private address plus port)
```
nat-policy
rule name policy-dnat01
source-zone untrust
destination-address range 12.1.1.201 12.1.1.201
action destination-nat static address-to-address address 192.168.1.201 80
```
7) The public-network client accesses the private-network server
![Figure 3 - 3.8 Firewall static destination NAT - 大赛人网](https://www.dsrw.com/wp-content/uploads/2023/09/图片93-1024x508.png)
8) Check the firewall session table (the translated port toward the internal server stays 80 regardless of the port the client addressed)
```
display firewall session table all
http VPN: public --> public 200.1.1.1:2060 --> 12.1.1.201:90[192.168.1.201:80]
```
9) Configure a NAT policy on the firewall (statically bind the internal server 192.168.1.202)
```
nat-policy
rule name policy-dnat02
source-zone untrust
destination-address range 12.1.1.202 12.1.1.202
action destination-nat static address-to-address address 192.168.1.202 80
```
2. Firewall destination NAT, static one-to-one, P2P (port-to-port)
1) Configure the NAT policy on FW1 (no destination zone is needed)
```
nat-policy
rule name policy-dnat01
source-zone untrust
destination-address range 12.1.1.201 12.1.1.201
service protocol tcp destination-port 10080
action destination-nat static port-to-port address 192.168.1.201 80
```
2) The public-network client accesses the private-network server
![Figure 4 - 3.8 Firewall static destination NAT - 大赛人网](https://www.dsrw.com/wp-content/uploads/2023/09/图片94-1024x520.png)
3) Check the firewall session table
```
display firewall session table all
http VPN: public --> public 200.1.1.1:2065 --> 12.1.1.201:10080[192.168.1.201:80]
```
4) Configure the NAT policy on FW1 (addresses one-to-one, ports many-to-many)
```
nat-policy
rule name policy-dnat01
source-zone untrust
destination-address range 12.1.1.201 12.1.1.201
service protocol tcp destination-port 10080 to 10081
action destination-nat static port-to-port address 192.168.1.201 80 to 81
```
5) The public-network client accesses different ports of the private-network server; then check the firewall session table
```
display firewall session table all
tcp VPN: public --> public 200.1.1.1:2070 --> 12.1.1.201:10081[192.168.1.201:81]
http VPN: public --> public 200.1.1.1:2071 --> 12.1.1.201:10080[192.168.1.201:80]
```
3. Firewall destination NAT, static address many-to-many
# Static address many-to-many destination NAT does not support port one-to-one or port many-to-many
1) FW1 interface configuration
```
interface GigabitEthernet1/0/0
ip address 192.168.1.254 255.255.255.0
service-manage all permit
interface GigabitEthernet1/0/1
ip address 12.1.1.1 255.255.255.0
service-manage all permit
```
2) FW1 zone configuration
```
firewall zone trust
add interface GigabitEthernet1/0/0
firewall zone untrust
add interface GigabitEthernet1/0/1
```
3) Configure the default route on FW1
```
ip route-static 0.0.0.0 0.0.0.0 12.1.1.2
```
4) Configure the inter-zone security policy on FW1
```
security-policy
rule name un_2_t
source-zone untrust
destination-zone trust
destination-address 192.168.1.201 mask 255.255.255.255
destination-address 192.168.1.202 mask 255.255.255.255
action permit
```
5) Create the destination NAT address group on FW1
```
destination-nat address-group ag21 0
section 192.168.1.201 192.168.1.202
```
6) Create the NAT policy on FW1
```
nat-policy
rule name policy-dnat01
source-zone untrust
destination-address range 12.1.1.201 12.1.1.202
action destination-nat static address-to-address address-group ag21
```
7) The public-network client accesses each private-network server in turn; check the session table
```
display firewall session table all
http VPN: public --> public 200.1.1.1:2056 --> 12.1.1.201:80[192.168.1.201:80]
[FW1]display firewall session table all
2023-07-29 01:56:55.240
Current Total Sessions : 1
http VPN: public --> public 200.1.1.1:2057 --> 12.1.1.202:80[192.168.1.202:80]
```
4. Firewall destination NAT, static one-to-many, P2A (port-to-address)
# Different ports of one public address are bound to the same port on different private addresses
1) Create the address group on FW1
```
destination-nat address-group ag21
section 192.168.1.201 192.168.1.202
```
2) Create the NAT policy on FW1
```
nat-policy
rule name policy-dnat01
source-zone untrust
destination-address range 12.1.1.201 12.1.1.201
service protocol tcp destination-port 10081 to 10082
action destination-nat static port-to-address address-group ag21 80
```
3) The public-network client accesses the public address (ports 10081 and 10082 on 12.1.1.201); check the session table
```
display firewall session table all
http VPN: public --> public 200.1.1.1:2059 --> 12.1.1.201:10082[192.168.1.202:80]
http VPN: public --> public 200.1.1.1:2058 --> 12.1.1.201:10081[192.168.1.201:80]
```
5. Firewall destination NAT, static many-to-one, A2P (address-to-port)
# The same port on different public addresses maps to different ports on the same internal address
1) Create the NAT policy on FW1
```
nat-policy
rule name policy-dnat01
source-zone untrust
destination-address range 12.1.1.201 12.1.1.202
service protocol tcp destination-port 10080
action destination-nat static address-to-port address 192.168.1.201 80 to 81
```
2) The public-network client accesses the public addresses (port 10080 on 12.1.1.201 and on 12.1.1.202); check the session table
```
display firewall session table all
tcp VPN: public --> public 200.1.1.1:2061 --> 12.1.1.202:10080[192.168.1.201:81]
http VPN: public --> public 200.1.1.1:2060 --> 12.1.1.201:10080[192.168.1.201:80]
```
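As an added example (not part of the original post), a small Python audit that parses the `display firewall session table all` output shown throughout this page and checks each observed translation against the static mappings the rules in sections 4 (P2A) and 5 (A2P) are meant to produce. The session lines are constructed from those two sections plus one deliberately unexpected translation, and the regex assumes the line layout shown above.

```python
import re
from typing import Dict, List, NamedTuple, Tuple
# One line of "display firewall session table all" on a Huawei USG looks like
# "http VPN: public --> public 200.1.1.1:2052 --> 12.1.1.201:80[192.168.1.201:80]";
# the bracketed ip:port is the destination after DNAT, i.e. the internal server.
SESSION_RE = re.compile(
    r"^(?P<proto>\w+)\s+VPN:\s*\S+\s*-->\s*\S+\s+(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s*-->\s*(?P<pub>[\d.]+):(?P<pport>\d+)\[(?P<priv>[\d.]+):(?P<prport>\d+)\]$")
class DnatSession(NamedTuple):
    proto: str
    client: str       # public-side source ip:port
    public_dst: str   # destination before translation (what the client addressed)
    private_dst: str  # destination after translation (internal server ip:port)

def parse_session_table(text: str) -> List[DnatSession]:
    """Keep only sessions that carry a DNAT translation; prompts, timestamps
    and the 'Current Total Sessions' header do not match and are skipped."""
    out = []
    for m in filter(None, (SESSION_RE.match(ln.strip()) for ln in text.splitlines())):
        out.append(DnatSession(m["proto"], f"{m['src']}:{m['sport']}",
                               f"{m['pub']}:{m['pport']}", f"{m['priv']}:{m['prport']}"))
    return out

def audit_dnat(sessions: List[DnatSession], expected: Dict[str, str]
               ) -> Tuple[List[DnatSession], List[DnatSession]]:
    """Split sessions into (as intended, unexpected). `expected` maps a public
    'ip:port' to the private 'ip:port' the static DNAT rules are meant to yield."""
    ok, bad = [], []
    for s in sessions:
        (ok if expected.get(s.public_dst) == s.private_dst else bad).append(s)
    return ok, bad

# Constructed sample: the P2A and A2P session lines from sections 4 and 5 above,
# plus one constructed session whose translation no rule on this page intends.
SAMPLE = """\
[FW1]display firewall session table all
Current Total Sessions : 4
http VPN: public --> public 200.1.1.1:2059 --> 12.1.1.201:10082[192.168.1.202:80]
http VPN: public --> public 200.1.1.1:2058 --> 12.1.1.201:10081[192.168.1.201:80]
tcp VPN: public --> public 200.1.1.1:2061 --> 12.1.1.202:10080[192.168.1.201:81]
tcp VPN: public --> public 200.1.1.1:2099 --> 12.1.1.202:10081[192.168.1.202:80]
"""
EXPECTED = {  # intended static mappings: section 4 (P2A) and section 5 (A2P)
    "12.1.1.201:10081": "192.168.1.201:80", "12.1.1.201:10082": "192.168.1.202:80",
    "12.1.1.201:10080": "192.168.1.201:80", "12.1.1.202:10080": "192.168.1.201:81",
}
if __name__ == "__main__":
    for s in audit_dnat(parse_session_table(SAMPLE), EXPECTED)[1]:
        print(f"UNEXPECTED: {s.client} -> {s.public_dst} translated to {s.private_dst}")
```

Feeding the real command output into `parse_session_table` and the intended mappings from the running `nat-policy` into `audit_dnat` turns the session table into a quick check that no public address/port is being translated to an internal host or port the policy was not meant to expose.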