需求:
公司DMZ区域Web服务器对内外提供Web服务,要求必须内外网使用公网IP访问,这样做到内外网透明;
准备:
防火墙外网接口IP 2.2.2.2/29,内网接口IP 10.2.255.253/24,DMZ接口IP 10.1.100.1/24
Web Server IP 10.1.100.87/24,映射公网IP 2.2.2.3
交换机IP 10.2.255.254
内网网段10.2.0.0/16
H3C防火墙配置如下
acl number 2000
rule 2 permit source 10.2.0 0.0.255.255
#
vlan 255
#
interface Vlan-interface255
nat server protocol tcp global 2.2.2.3 22 inside 10.1.100.87 80
ip address 10.2.255.253 255.255.255.0
#
interface GigabitEthernet0/2
port link-mode route
ip address 10.1.100.1 255.255.255.0
#
interface GigabitEthernet0/4
port link-mode route
description To Wan
nat outbound static
nat outbound 2000
ip address 2.2.2.2 255.255.255.248
undo dhcp select server global-pool
ipsec policy ipsecpolicy1
#
#
zone name Local id 1
priority 100
zone name Trust id 2
priority 85
import interface Vlan-interface255
zone name DMZ id 3
priority 50
import interface GigabitEthernet0/2
zone name Untrust id 4
priority 5
import interface GigabitEthernet0/4
转载于:https://blog.51cto.com/yanhuan/1878449