3.8 Firewall static destination NAT


1. Firewall destination NAT - static 1-to-1 - A2A (address-to-address)

1) FW1: configure the inter-zone security policy
security-policy
 rule name un_2_t
  source-zone untrust
  destination-zone trust
  destination-address 192.168.1.201 32
  destination-address 192.168.1.202 32
  action permit

2) FW1: configure the NAT policy (no destination zone is needed; the address mapping is 1-to-1)
nat-policy
 rule name policy-dnat01
  source-zone untrust
  destination-address range 12.1.1.201 12.1.1.201
  action destination-nat static address-to-address address 192.168.1.201

3) FW1: configure a static default route
ip route-static 0.0.0.0 0.0.0.0 12.1.1.2

4) The public-network client accesses the private-network server
5) View the firewall session table
display firewall session table all
 http  VPN: public --> public  200.1.1.1:2052 --> 12.1.1.201:80[192.168.1.201:80]

6) FW1: configure the NAT policy (translated private address plus port)
nat-policy
 rule name policy-dnat01
  source-zone untrust
  destination-address range 12.1.1.201 12.1.1.201
  action destination-nat static address-to-address address 192.168.1.201 80

7) The public-network client accesses the private-network server
8) View the firewall session table (whatever public port the client uses, the port on the internal server in the session table stays 80)
display firewall session table all
 http  VPN: public --> public  200.1.1.1:2060 --> 12.1.1.201:90[192.168.1.201:80]

9) FW1: configure the NAT policy (statically bind the internal server 192.168.1.202)
nat-policy
 rule name policy-dnat02
  source-zone untrust
  destination-address range 12.1.1.202 12.1.1.202
  action destination-nat static address-to-address address 192.168.1.202 80

2. Firewall destination NAT - static 1-to-1 - P2P (port-to-port)

1) FW1: configure the NAT policy (no destination zone is needed)
nat-policy
 rule name policy-dnat01
  source-zone untrust
  destination-address range 12.1.1.201 12.1.1.201
  service protocol tcp destination-port 10080
  action destination-nat static port-to-port address 192.168.1.201 80

2) The public-network client accesses the private-network server
3) View the firewall session table
display firewall session table all
 http  VPN: public --> public  200.1.1.1:2065 --> 12.1.1.201:10080[192.168.1.201:80]

4) FW1: configure the NAT policy (address 1-to-1, port many-to-many)
nat-policy
 rule name policy-dnat01
  source-zone untrust
  destination-address range 12.1.1.201 12.1.1.201
  service protocol tcp destination-port 10080 to 10081
  action destination-nat static port-to-port address 192.168.1.201 80 to 81

5) After the public-network client accesses different ports of the private-network server, view the firewall session table
display firewall session table all
 tcp  VPN: public --> public  200.1.1.1:2070 --> 12.1.1.201:10081[192.168.1.201:81]
 http  VPN: public --> public  200.1.1.1:2071 --> 12.1.1.201:10080[192.168.1.201:80]

3. Firewall destination NAT - static address many-to-many

# Static many-to-many address destination NAT does not support port 1-to-1 or port many-to-many mapping
1) FW1: interface configuration
interface GigabitEthernet1/0/0
 ip address 192.168.1.254 255.255.255.0
 service-manage all permit

interface GigabitEthernet1/0/1
 ip address 12.1.1.1 255.255.255.0
 service-manage all permit

2) FW1: zone configuration
firewall zone trust
 add interface GigabitEthernet1/0/0

firewall zone untrust
 add interface GigabitEthernet1/0/1

3) FW1: configure the default route
ip route-static 0.0.0.0 0.0.0.0 12.1.1.2

4) FW1: configure the inter-zone security policy
security-policy
 rule name un_2_t
  source-zone untrust
  destination-zone trust
  destination-address 192.168.1.201 mask 255.255.255.255
  destination-address 192.168.1.202 mask 255.255.255.255
  action permit

5) FW1: create the destination NAT address group
destination-nat address-group ag21 0
 section 192.168.1.201 192.168.1.202

6) FW1: create the NAT policy
nat-policy
 rule name policy-dnat01
  source-zone untrust
  destination-address range 12.1.1.201 12.1.1.202
  action destination-nat static address-to-address address-group ag21

7) The public-network client accesses each private-network server in turn; view the session table
display firewall session table all

 http  VPN: public --> public  200.1.1.1:2056 --> 12.1.1.201:80[192.168.1.201:80]
[FW1]display firewall session table all
2023-07-29 01:56:55.240 
 Current Total Sessions : 1
 http  VPN: public --> public  200.1.1.1:2057 --> 12.1.1.202:80[192.168.1.202:80]

4. Firewall destination NAT - static 1-to-many - P2A (port-to-address)

# Different ports of one public address are bound to the same port on different private addresses
1) FW1: create the address group
destination-nat address-group ag21
 section 192.168.1.201 192.168.1.202

2) FW1: create the NAT policy
nat-policy
 rule name policy-dnat01
  source-zone untrust
  destination-address range 12.1.1.201 12.1.1.201
  service protocol tcp destination-port 10081 to 10082
  action destination-nat static port-to-address address-group ag21 80

3) The public-network client accesses the public address (ports 10081 and 10082 of 12.1.1.201); view the session table
display firewall session table all
 http  VPN: public --> public  200.1.1.1:2059 --> 12.1.1.201:10082[192.168.1.202:80]
 http  VPN: public --> public  200.1.1.1:2058 --> 12.1.1.201:10081[192.168.1.201:80]

5. Firewall destination NAT - static many-to-1 - A2P (address-to-port)

# The same port on different public addresses is mapped to different ports on the same internal address
1) FW1: create the NAT policy
nat-policy
 rule name policy-dnat01
  source-zone untrust
  destination-address range 12.1.1.201 12.1.1.202
  service protocol tcp destination-port 10080
  action destination-nat static address-to-port address 192.168.1.201 80 to 81

2) The public-network client accesses the public addresses (port 10080 on 12.1.1.201 and on 12.1.1.202); view the session table
display firewall session table all
 tcp  VPN: public --> public  200.1.1.1:2061 --> 12.1.1.202:10080[192.168.1.201:81]
 http  VPN: public --> public  200.1.1.1:2060 --> 12.1.1.201:10080[192.168.1.201:80]
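The four static mapping modes above (A2A, P2P, P2A, A2P, plus the A2A address-group case) all derive the inside address and port from the position of the packet's destination inside the configured public address range and port range. The following checker is an added example and is not part of the original page or of any Huawei tool: it models each mode as a pure function and parses `display firewall session table` lines to confirm that the firewall's `dst[inside]` translation is the one the rule predicts. It assumes that ranges map in order, first-to-first (the page shows this for two-element ranges but does not state it as a general rule); the policy dictionaries and sample session lines are constructed from section 4.

```python
import ipaddress
import re

# Matches the 'public_dst[inside_dst]' part of one session entry, e.g.
#   http  VPN: public --> public  200.1.1.1:2059 --> 12.1.1.201:10082[192.168.1.202:80]
SESSION_RE = re.compile(r"--> (\S+):(\d+)\[(\S+):(\d+)\]")

def parse_session(line):
    """Return ((dst_ip, dst_port), (inside_ip, inside_port)) from one session line, or None."""
    m = SESSION_RE.search(line)
    return ((m[1], int(m[2])), (m[3], int(m[4]))) if m else None

def ip_offset(ip, base):
    return int(ipaddress.ip_address(ip)) - int(ipaddress.ip_address(base))

def translate(policy, dst_ip, dst_port):
    """Apply one static DNAT rule; return the inside (ip, port) or None when it does not match.
    Assumption: ranges map by offset (first public address/port -> first inside address/port)."""
    lo, hi = policy["pub_range"]            # destination-address range
    ports = policy.get("pub_ports")         # service ... destination-port; None = any port
    priv = policy["priv"]                   # inside address, or the address-group members
    off_ip = ip_offset(dst_ip, lo)
    if not 0 <= off_ip <= ip_offset(hi, lo):
        return None
    if ports and not ports[0] <= dst_port <= ports[1]:
        return None
    off_port = dst_port - ports[0] if ports else 0
    mode = policy["mode"]
    if mode == "address-to-address":        # A2A: port kept unless the rule names one
        return priv[off_ip], policy.get("priv_port", dst_port)
    if mode == "port-to-port":              # P2P: one address, port range -> port range
        return priv[0], policy["priv_port"] + off_port
    if mode == "port-to-address":           # P2A: port range -> address group, fixed port
        return priv[off_port], policy["priv_port"]
    if mode == "address-to-port":           # A2P: address range -> one address, port range
        return priv[0], policy["priv_port"] + off_ip
    raise ValueError("unknown mode " + mode)

def check_sessions(policy, lines):
    """Per session line: True if the firewall's translation equals what the rule predicts."""
    return [translate(policy, *dst) == inside
            for dst, inside in filter(None, map(parse_session, lines))]

# Constructed sample: rule policy-dnat01 of section 4 (P2A) and its two session lines.
P2A = {"mode": "port-to-address", "pub_range": ("12.1.1.201", "12.1.1.201"),
       "pub_ports": (10081, 10082), "priv": ["192.168.1.201", "192.168.1.202"], "priv_port": 80}
P2A_SESSIONS = [
    "http  VPN: public --> public  200.1.1.1:2059 --> 12.1.1.201:10082[192.168.1.202:80]",
    "http  VPN: public --> public  200.1.1.1:2058 --> 12.1.1.201:10081[192.168.1.201:80]",
]
```

A `False` entry from `check_sessions` flags a session whose inside destination differs from the rule's intent, which is the quickest way to catch an address group or port range that was entered in the wrong order.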