Huawei firewall eNSP + VMware virtual machine connectivity lab: NAT server
阿新 • Published: 2019-01-06
The VMware virtual intranet host is Windows Server 2008 R2; the external network host runs Windows XP.
Goal: the external network reaches the internal web service through an external (global) address. The internal subnet is 192.168.1.0/24 and the server address is 192.168.1.2/24.
Topology diagram
The server and the client are both connected to FW1.
Server NIC settings in VMware
Client NIC settings in VMware
1. Configure the interface IP addresses and add the interfaces to their security zones
2. First disable the default security policy by setting the default action to permit
security-policy
default action permit
3. Configure the NAT server mapping
nat server web protocol tcp global 1.1.1.1 8080 inside 192.168.1.2 www
4. Verification
The internal server can be accessed normally from the client.
View the firewall session information:
[FW1]display firewall session table verbose
 Current Total Sessions : 3
  tcp  VPN: public --> public  ID: c487f69eaaf823062a55c209793
  Zone: untrust --> dmz  TTL: 00:20:00  Left: 00:19:57
  Interface: GigabitEthernet1/0/0  NextHop: 192.168.1.2  MAC: 000c-2924-9304
  <--packets: 2 bytes: 284 --> packets: 4 bytes: 455
  1.1.1.2:1255 --> 1.1.1.1:8080[192.168.1.2:80]  PolicyName: default
5. Add a security policy from untrust to dmz and restore the firewall's default security policy
security-policy
rule name untrust2dmz
source-zone untrust
destination-zone dmz
destination-address 192.168.1.2 32
service protocol tcp destination-port 80
action permit
6. View the session table
[FW1]dis firewall session table verbose
 Current Total Sessions : 2
  netbios-name  VPN: public --> public  ID: c487f69eab02210aab55c209286
  Zone: dmz --> dmz  TTL: 00:02:00  Left: 00:01:59
  Interface: GigabitEthernet1/0/0  NextHop: 192.168.1.255  MAC: 0000-0000-0000
  <--packets: 0 bytes: 0 --> packets: 953 bytes: 74,334
  192.168.1.2:137 --> 192.168.1.255:137  PolicyName: ---
  tcp  VPN: public --> public  ID: c487f69eaaf85f0fc8f5c209b41
  Zone: untrust --> dmz  TTL: 00:20:00  Left: 00:19:57
  Interface: GigabitEthernet1/0/0  NextHop: 192.168.1.2  MAC: 000c-2924-9304
  <--packets: 1 bytes: 48 --> packets: 2 bytes: 88
  1.1.1.2:1264 --> 1.1.1.1:8080[192.168.1.2:80]  PolicyName: untrust2dmz  // matches this policy
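As an added example (not part of the original post or of the Huawei firewall software), a small Python parser for the `display firewall session table verbose` output shown in steps 4 and 6: it extracts each session's zones, the NAT server translation in square brackets and the PolicyName, and flags interzone sessions that were admitted only by the default action, which is how you confirm that the untrust2dmz rule, not the step 2 permit-all default, is carrying the web traffic. The sample text is constructed from the lab output above; the function and field names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample mirroring FW1's output after step 5 (NetBIOS broadcast + NAT web session).
SAMPLE_OUTPUT = """\
[FW1]dis firewall session table verbose
 Current Total Sessions : 2
  netbios-name  VPN: public --> public  ID: c487f69eab02210aab55c209286
  Zone: dmz --> dmz  TTL: 00:02:00  Left: 00:01:59
  Interface: GigabitEthernet1/0/0  NextHop: 192.168.1.255  MAC: 0000-0000-0000
  <--packets: 0 bytes: 0 --> packets: 953 bytes: 74,334
  192.168.1.2:137 --> 192.168.1.255:137  PolicyName: ---
  tcp  VPN: public --> public  ID: c487f69eaaf85f0fc8f5c209b41
  Zone: untrust --> dmz  TTL: 00:20:00  Left: 00:19:57
  Interface: GigabitEthernet1/0/0  NextHop: 192.168.1.2  MAC: 000c-2924-9304
  <--packets: 1 bytes: 48 --> packets: 2 bytes: 88
  1.1.1.2:1264 --> 1.1.1.1:8080[192.168.1.2:80]  PolicyName: untrust2dmz
"""

@dataclass
class Session:
    proto: str
    src_zone: str
    dst_zone: str
    src: str                    # client ip:port
    dst: str                    # global (pre-NAT) ip:port the client connected to
    nat_inside: Optional[str]   # inside ip:port from the [...] NAT server translation
    policy: str                 # PolicyName that permitted the session

ADDR = r"(\d+\.\d+\.\d+\.\d+:\d+)"
PROTO_RE = re.compile(r"^(\S+)\s+VPN:")                  # first line of a session block
ZONE_RE = re.compile(r"Zone:\s*(\S+)\s*-->\s*(\S+)")
FLOW_RE = re.compile(ADDR + r"\s*-->\s*" + ADDR + r"(?:\[" + ADDR + r"\])?\s+PolicyName:\s*(\S+)")

def parse_sessions(text: str) -> List[Session]:
    sessions, proto, zones = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PROTO_RE.match(line):
            proto = m.group(1)
        elif m := ZONE_RE.search(line):
            zones = (m.group(1), m.group(2))
        elif (m := FLOW_RE.search(line)) and proto and zones:
            # flow line closes the block; groups = src, dst, nat_inside (or None), policy
            sessions.append(Session(proto, *zones, *m.groups()))
            proto, zones = None, None
    return sessions

def sessions_on_default_policy(sessions: List[Session]) -> List[Session]:
    # Interzone sessions permitted only by "default action permit" (the step 2 state)
    return [s for s in sessions if s.src_zone != s.dst_zone and s.policy == "default"]
```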