Environment: Server1 is the server offering FTP and HTTP to the outside, AR1 represents the public network, and Client1 is a public-network user accessing Server1's services.
Bidirectional NAT is deployed on the firewall so that the server only needs a basic IP address, with no default gateway, to serve external clients. The firewall rewrites the destination of an inbound connection to the server's real address and the source to 192.168.10.100, an unused address on the server's own subnet, so every reply the server sends goes to a directly connected address and never needs a route. Note that the security policy Untrust_Trust_Server references the private address 192.168.10.1 rather than the public 100.0.0.1, because the firewall applies destination NAT before the security-policy lookup. To verify: on the firewall, `display firewall session table verbose` should show both the source and destination translation for a client connection; on the server, the ARP entry for 192.168.10.100 must resolve to the MAC of the firewall's GigabitEthernet1/0/6, otherwise replies have nowhere to go. Although I don't know what use it has in a production network.
Firewall configuration:
!Software Version V500R005C10SPC300
#
 sysname FW
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 100.0.0.1 255.255.255.252
 service-manage ping permit
#
interface GigabitEthernet1/0/6
 undo shutdown
 ip address 192.168.10.254 255.255.255.0
 service-manage ping permit
#
firewall interzone trust untrust
 detect ftp
#
firewall detect ftp
#
nat address-group SNAT_Server 0      // source NAT address pool: a single unused address on the server's LAN
 mode pat
 section 0 192.168.10.100 192.168.10.100
#
security-policy
 rule name Trust_Untrust
  source-zone trust
  destination-zone untrust
  action permit
 rule name Untrust_Trust_Server
  source-zone untrust
  destination-zone trust
  destination-address 192.168.10.1 mask 255.255.255.255
  action permit
#
nat-policy
 rule name Server_DNAT&SNAT
  source-zone untrust
  destination-address 100.0.0.1 mask 255.255.255.255
  service ftp
  service http
  action source-nat address-group SNAT_Server
  action destination-nat address 192.168.10.1
#
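To make the translation in the nat-policy rule above concrete, here is an added example (not part of the original post and not Huawei's code) that models the firewall's session table for one client connection in both directions. It shows why the server needs no gateway: the reply destination is 192.168.10.100 on its own subnet, whereas with destination NAT alone the server would have to reply to the public client address. The client address 203.0.113.10, the port numbers and the simplification that PAT keeps the original source port are assumptions.

```python
"""Session-table model of the bidirectional NAT rule Server_DNAT&SNAT.

Added example, not from the original post or from Huawei. The client address,
ports and the "PAT keeps the source port" simplification are assumptions.
"""
from dataclasses import dataclass

PUBLIC_IP = "100.0.0.1"        # firewall GE1/0/0, the address the client connects to
SERVER_IP = "192.168.10.1"     # Server1, configured with no default gateway
SNAT_IP = "192.168.10.100"     # nat address-group SNAT_Server: unused address on the server LAN
SERVER_SUBNET = "192.168.10."  # the only subnet Server1 can reach without a gateway
NAT_SERVICES = {21, 80}        # "service ftp" / "service http" in the nat-policy rule


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class BidirectionalNat:
    """Forward direction applies DNAT then SNAT; the reverse direction undoes both."""

    def __init__(self):
        # key: 4-tuple of the server's reply -> the client's original packet
        self.sessions = {}

    def untrust_to_trust(self, pkt):
        """Translate a packet arriving from the untrust zone, or None if the rule does not match."""
        if pkt.dst_ip != PUBLIC_IP or pkt.dst_port not in NAT_SERVICES:
            return None  # not FTP/HTTP to 100.0.0.1: no NAT, and the security policy drops it
        # Assumption: PAT keeps the client's source port (a real firewall may rewrite it).
        translated = Packet(SNAT_IP, pkt.src_port, SERVER_IP, pkt.dst_port)
        reply_key = (translated.dst_ip, translated.dst_port, translated.src_ip, translated.src_port)
        self.sessions[reply_key] = pkt
        return translated

    def trust_to_untrust(self, pkt):
        """Reverse-translate a server reply via the session table; None if no session exists."""
        original = self.sessions.get((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        if original is None:
            return None
        return Packet(original.dst_ip, original.dst_port, original.src_ip, original.src_port)


def dnat_only(pkt):
    """What the server would see with destination NAT only: the client's real source address."""
    if pkt.dst_ip != PUBLIC_IP or pkt.dst_port not in NAT_SERVICES:
        return None
    return Packet(pkt.src_ip, pkt.src_port, SERVER_IP, pkt.dst_port)


def server_can_reply_without_gateway(reply):
    """Server1 can only deliver a reply whose destination is on its directly connected subnet."""
    return reply.dst_ip.startswith(SERVER_SUBNET)


def reply_to(pkt):
    """The server's reply to a received packet: swap endpoints."""
    return Packet(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)


if __name__ == "__main__":
    nat = BidirectionalNat()
    client = Packet("203.0.113.10", 40000, PUBLIC_IP, 80)   # constructed sample connection
    inbound = nat.untrust_to_trust(client)
    print("server sees:", inbound, "reply deliverable:",
          server_can_reply_without_gateway(reply_to(inbound)))
    print("DNAT only, reply deliverable:",
          server_can_reply_without_gateway(reply_to(dnat_only(client))))
    print("client gets:", nat.trust_to_untrust(reply_to(inbound)))
```

The `sessions` dictionary plays the role of the entries that `display firewall session table verbose` shows on the real device: one entry keyed by the server-side 4-tuple, which is what lets the firewall map the reply back to the public address and the original client.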
I also don't know whether anyone uses this scenario on a production network; I came across it by chance in HedEx.