Firewall: letting intranet users reach internal servers through the public domain name or public IP
I. Networking requirements:
Internal users must be able to reach the internal servers (WWW, FTP, etc.) through the domain names provided by the ISP. Assume the domain names of the internal WWW and FTP servers are, respectively: , ftp.fuwu.com
II. Configuration example:
dis cur
#
sysname Quidway
#
firewall packet-filter enable
firewall packet-filter default permit
#
undo insulate
#
undo connection-limit enable
connection-limit default deny
connection-limit default amount upper-limit 50 lower-limit 20
#
nat dns-map 10.153.49.212 80 tcp
nat dns-map ftp.fuwu.com 10.153.49.212 21 tcp
#
firewall statistic system enable
#
radius scheme system
#
domain system
#
acl number 2000
rule 0 permit source 172.16.0.0 0.0.255.255
#
interface Aux0
async mode flow
#
interface Ethernet0/0
ip address 172.16.2.1 255.255.255.0
#
interface Ethernet1/0
ip address 10.153.49.193 255.255.252.0
nat outbound 2000
nat server protocol tcp global 10.153.49.212 www inside 172.16.1.2 www
#
interface Ethernet1/1
#
interface Ethernet1/2
ip address 172.16.1.1 255.255.255.0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/0
set priority 85
#
firewall zone untrust
add interface Ethernet1/0
set priority 5
#
firewall zone DMZ
add interface Ethernet1/2
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
ip route-static 0.0.0.0 0.0.0.0 10.153.48.1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode none
#
return
III. Notes:
1. Once the server is accessed by domain name, the public IP address can no longer be used to reach that server.
2. A real domain name must exist on the public network (this domain is assigned by the ISP; public users can reach the internal server through it).
3. At present the SecPath firewall has no way to let intranet users reach the internal server through the domain name, the public IP and the private address all at the same time.
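As an added illustration (not from the page and not H3C/Huawei code), the following Python model shows what the `nat dns-map` entries do together with `nat server`: when the ISP's resolver answers an inside client's query for a mapped domain with the global address, the firewall's DNS ALG rewrites the A record to the inside address published for that global address, port and protocol, so the client connects straight to 172.16.1.2 instead of hairpinning through the public IP. The lookup rule (match on global address, port and protocol), the sample DNS reply and the optional extra nat server entry for port 21 are constructed assumptions.

```python
import struct

# Tables transcribed from the page's config; only the www service is published.
DNS_MAP = {"ftp.fuwu.com": ("10.153.49.212", 21, "tcp")}      # nat dns-map
NAT_SERVER = {("10.153.49.212", 80, "tcp"): "172.16.1.2"}     # nat server

def _ip(s):  # dotted quad -> 4 bytes
    return bytes(int(x) for x in s.split("."))

def _read_name(msg, off):
    """Decode a DNS name starting at off; follows a compression pointer."""
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [_read_name(msg, ptr)[0]]), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode())
        off += n

def build_a_reply(name, addr, ttl=60):
    """Constructed sample: one-question, one-A-record DNS response."""
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\0"
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    q = qname + struct.pack("!HH", 1, 1)                       # type A, class IN
    a = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + _ip(addr)
    return hdr + q + a

def rewrite_reply(msg, dns_map=DNS_MAP, nat_server=NAT_SERVER):
    """Model of the DNS ALG (assumption): returns (new_msg, [(name, global, inside)])."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):                    # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    out, changes = bytearray(msg), []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4 and name in dns_map:
            glob, port, proto = dns_map[name]
            inside = nat_server.get((glob, port, proto))   # needs a matching nat server
            if inside and msg[off:off + 4] == _ip(glob):
                out[off:off + 4] = _ip(inside)             # hand the client the inside address
                changes.append((name, glob, inside))
        off += rdlen
    return bytes(out), changes
```

With the page's tables a reply for ftp.fuwu.com passes through unchanged, because the config publishes no nat server entry for port 21; supplying a nat_server table that also maps ("10.153.49.212", 21, "tcp") to 172.16.1.2 makes the A record get rewritten.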