netscreen 外网访问VIP配置

1、编辑interface

Network > Interfaces (List)

	List 5102050100 per page
	List  ALL(5)Layer2(0)Layer3(3)Loopback(0)Physical(3)Tunnel(1)Unused(1)VSI(0) Interfaces	Loopback IFTunnel IFVSI IF

 

 

Name IP/Netmask Zone Type Link Configure serial 0.0.0.0/0 Null Unused down Edit   trust 172.2.1.254/24 Trust Layer3 up Edit   tunnel.1 unnumbered Untrust Tunnel ready Edit   untrust 58.2.24.246/32 Untrust Layer3 up Edit   vlan1 0.0.0.0/0 VLAN Layer3 down Edit

2、配置untrust

Network > Interfaces > Edit

 

	Interface: untrust (IP/Netmask: 58.2.24.246/32)	Back To Interface List
	Properties:  Basic    MIP     DIP     VIP     Track IP     Track IP Options

 

 

 

Interface Name untrust (mac 0010.db39.9051) As member of loopback group none Zone Name NullTrustUntrustMGTV1-TrustV1-UntrustVLAN        Obtain IP using PPPoE Noneuntrust Create new pppoe setting     Status: Connected        Static IP IP Address / Netmask  /       Manageable Manage IP (mac 0010.db39.9051) Interface Mode NAT Route         Service Options   Management Services  Web UI  Telnet  SSH  SNMP  SSL  Other Services  Ping  Ident-reset     WebAuth    IP  Traffic Bandwidth  Kbps

 

 

3、创建VIP

Network > Interface > Edit > VIP/VIP Services

Interface: untrust (IP/Netmask: 58.2.24.246/32)	Back To Interface List
	Properties:  Basic     MIP     DIP     VIP    Track IP     Track IP Options

 

 

VIP VIP Services IP Address Configure Virtual Port Service(Port) Server IP Status Configure 58.2.24.246 Edit In use 9080 was (9080) 172.2.1.110... OK Edit Remove

 

 

这是已配置好的VIP，先增加一个VIP，再增加VIP Services，外网端口9080,映射服务端口为was(9080)，映射内网主机为172.2.1.110

 

 

4、配置访问策略

 

From Untrust To Global, total policy: 1 ID Source Destination Service Action Options Configure Enable Move 5 Any VIP::1 ANY Edit Clone Remove

 

这是已配置好的访问策略policies，方向为Untrust 到Global

 

5、访问策略配置

 

Name (optional) Source Address New Address / Address Book Entry 172.25.1.110/9080AnyDial-Up VPNXM Destination Address New Address / Address Book Entry AnyDial-Up VPNVIP::1 Service wasANYAOLBGPDHCP-RelayDNSFINGERFTPFTP-GetFTP-PutGOPHERH.323HTTPHTTPSICMP Address MaskICMP-ANYICMP Dest UnreachableICMP Fragment NeededICMP Fragment ReassemblyICMP Host UnreachableICMP-INFOICMP Parameter ProblemICMP Port UnreachableICMP Protocol UnreachICMP RedirectICMP Redirect HostICMP Redirect TOS & HostICMP Redirect TOS & NetICMP Source QuenchICMP Source Route FailICMP Time ExceededICMP-TIMESTAMPIKEIMAPInternet Locator ServiceIRCL2TPLDAPMAILNetMeetingNFSNNTPNS GlobalNS Global PRONSMNTPOSPFPC-AnywherePINGPOP3PPTPReal MediaRIPRLOGINRSHSIPSNMPSQL*Net V1SQL*Net V2SSHSUN-RPCSYSLOGTALKTCP-ANYTELNETTFTPTRACEROUTEUDP-ANYUUCPVDO LiveWAISWINFRAMEX-WINDOWS Application NoneFTPRSHPORTMAPPERHTTPSMTPPOP3IMAPDNSTFTPH245Q931RASREALSIPSQLNETV2TALKVDOXINGIGNORE Action PermitDenyTunnel   Tunnel  VPN None2XM         Modify matching bidirectional VPN policy   L2TP None   Logging

6、服务端口定制custom，即上面的VIP：：1

Objects > Services > Custom

 

Name Transport Protocol and Parameters Timeout (min) Configure was TCP src port: 0-65535, dst port: 9080-9080 default[30] Edit In Use

 

详细配置：

Service Name
Service Timeout	Use protocol default Never Custom (minutes)
No. Transport protocol Source Port Destination Port ICMP Low High Low High Type Code 1 none TCP UDP ICMP other 2 none TCP UDP ICMP other 3 none TCP UDP ICMP other 4 none TCP UDP ICMP other 5 none TCP UDP ICMP other 6 none TCP UDP ICMP other 7 none TCP UDP ICMP other 8 none TCP UDP ICMP other