目的NAT是指对报文中的目的地址和端口进行转换。
通过目的NAT技术将公网IP地址转换成私网IP地址,使公网用户可以利用私网地址访问内部Server。转换过程如图1所示。
当外网用户访问内部Server时,FW的处理过程如下:
- 当外网用户访问内网Server的报文到达FW时,FW将报文的目的IP地址由公网地址转换为私网地址。
- 当回程报文返回至FW时,FW再将报文的源地址由私网地址转换为公网地址。
根据转换后的目的地址是否固定,目的NAT分为静态目的NAT和动态目的NAT。
实验拓补图
实验步骤
1.配置IP地址和加入区域
[FW]interface GigabitEthernet 1/0/1
[FW-GigabitEthernet1/0/1]ip address 1.1.1.1 24
[FW-GigabitEthernet1/0/1]interface GigabitEthernet 1/0/0
[FW-GigabitEthernet1/0/0]ip address 10.2.0.1 24
[FW] firewall zone untrust
[FW-zone-untrust]add interface GigabitEthernet 1/0/1
[FW-zone-untrust] firewall zone dmz
[FW-zone-dmz]add interface GigabitEthernet 1/0/0
[r1]interface GigabitEthernet 0/0/1
[r1-GigabitEthernet0/0/1]ip address 1.1.1.254 24
[r1-GigabitEthernet0/0/1]interface GigabitEthernet 0/0/0
[r1-GigabitEthernet0/0/0]ip address 172.16.1.254 24
配置安全策略,允许外部网络用户访问内部服务器。
[FW] security-policy
[FW-policy-security] rule name bdqn
[FW-policy-security-rule-policy1] source-zone untrust
[FW-policy-security-rule-policy1] destination-zone dmz
[FW-policy-security-rule-policy1] destination-address 10.2.0.0 24
[FW-policy-security-rule-policy1] action permit
配置目的NAT地址池
[FW] destination-nat address-group huan
[FW-dnat-address-group-addressgroup1] section 10.2.0.7 10.2.0.7
配置NAT策略
[FW] nat-policy
[FW-policy-nat] rule name huan
[FW-policy-nat-rule-policy_nat1] source-zone untrust
[FW-policy-nat-rule-policy_nat1] destination-address 1.1.10.10 32
[FW-policy-nat-rule-policy_nat1] service protocol tcp destination-port 2000 to 2001
[FW-policy-nat-rule-policy_nat1] action destination-nat static port-to-port address-group addressgroup1 80 to 81
配置报文目的地址的黑洞路由,以防路由环路
[FW] ip route-static 1.1.10.10 255.255.255.255 NULL0
开启FTP协议的NAT ALG功能
[FW] firewall interzone dmz untrust
[FW-interzone-dmz-untrust] detect ftp
配置缺省路由
[FW] ip route-static 0.0.0.0 0.0.0.0 1.1.1.254
配置去公网的路由
[r1]ip route-static 1.1.10.10 255.255.255.255 1.1.1.1