1. Edit the interface
Network > Interfaces (List)
Name | IP/Netmask | Zone | Type | Link
---|---|---|---|---
serial | 0.0.0.0/0 | Null | Unused | down
trust | 172.2.1.254/24 | Trust | Layer3 | up
tunnel.1 | unnumbered | Untrust | Tunnel | ready
untrust | 58.2.24.246/32 | Untrust | Layer3 | up
vlan1 | 0.0.0.0/0 | VLAN | Layer3 | down
2. Configure the untrust interface
Network > Interfaces > Edit
Field | Value
---|---
Interface Name | untrust (mac 0010.db39.9051)
As member of loopback group | none
Zone Name | Untrust
Obtain IP using PPPoE | untrust (the PPPoE setting; Status: Connected)
Static IP / IP Address / Netmask | left blank; the address comes from PPPoE and appears as 58.2.24.246/32 in the interface list
Manage IP | (mac 0010.db39.9051)
Interface Mode | NAT / Route
Management Services | Web UI, Telnet, SSH, SNMP, SSL (check boxes)
Other Services | WebAuth (IP), Traffic Bandwidth (Kbps)

This is the Internet-facing interface, so leave the management services (Web UI, Telnet, SSH, SNMP, SSL) unchecked on it unless administration from the untrust side is deliberately required; manage the device from the trust interface instead.
3. Create the VIP
Network > Interface > Edit > VIP/VIP Services
VIP

IP Address | Status
---|---
58.2.24.246 | In use

VIP Services

Virtual Port | Service (Port) | Server IP | Status
---|---|---|---
9080 | was (9080) | 172.2.1.110... | OK
This is the VIP as already configured. First add the VIP itself (the untrust address 58.2.24.246), then add a VIP Service: external port 9080, mapped to the service was (9080), forwarding to the internal host 172.2.1.110.
4. Configure the access policy
Policies (From Untrust To Global), total policy: 1

ID | Source | Destination | Service | Action
---|---|---|---|---
5 | Any | VIP::1 | ANY | (shown as an icon in the WebUI; must be Permit for the forward to work)
This is the access policy as already configured; its direction is Untrust to Global.
5. Access policy settings
Field | Setting for this forward
---|---
Name (optional) | blank
Source Address | Address Book Entry: Any (the book also holds 172.25.1.110/9080, Dial-Up VPN and XM)
Destination Address | Address Book Entry: VIP::1 (the book also holds Any and Dial-Up VPN)
Service | ANY as configured; the custom service was is listed first, ahead of the predefined services (ANY, AOL, BGP, DHCP-Relay, DNS, FTP, HTTP, HTTPS, the ICMP types, SSH, TELNET, ... X-WINDOWS)
Application | None (dropdown of application-layer gateways: FTP, RSH, PORTMAPPER, HTTP, SMTP, POP3, IMAP, DNS, TFTP, H245, Q931, RAS, REAL, SIP, SQLNETV2, TALK, VDO, XING, IGNORE)
Action | Permit (options: Permit, Deny, Tunnel)
Tunnel | VPN: None for a plain port forward (the dropdown also lists the existing VPN entry, rendered as 2XM in the capture); L2TP: None
Modify matching bidirectional VPN policy | unchecked
Logging | check box

As captured, the policy permits service ANY to VIP::1. The VIP only forwards the ports defined under VIP Services, so nothing beyond 9080 is exposed, but selecting the custom service was here instead of ANY keeps the policy tight if more VIP services are added later, and ticking Logging records every session that hits the forward.
6. Custom service definition (the service was referenced by the VIP Service above)
Objects > Services > Custom
Name | Transport Protocol and Parameters | Timeout (min) | Status
---|---|---|---
was | TCP src port: 0-65535, dst port: 9080-9080 | default [30] | In Use
Detailed configuration:
Service Name | was
---|---
Service Timeout | Use protocol default (alternatives: Never, Custom in minutes)

No. | Transport protocol | Source Port Low | Source Port High | Destination Port Low | Destination Port High | ICMP Type | ICMP Code
---|---|---|---|---|---|---|---
1 | TCP | 0 | 65535 | 9080 | 9080 | | 
2-8 | none (each row offers none / TCP / UDP / ICMP / other) | | | | | | 
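The six steps above are one procedure, so here is one added example that covers it end to end; it is not code from this page or from Juniper. It takes a ScreenOS-style `set` configuration, parses the custom service, the VIP entry and the policy, and reports the checks a reviewer would make: that the VIP's service exists, that a permit policy actually reaches the VIP object, that the policy service is not ANY when the VIP only needs was, and that the policy logs. The two embedded configs are constructed renderings of the WebUI settings shown above (PPPoE untrust interface, VIP 58.2.24.246, custom service was on TCP/9080, Untrust to Global policy); the exact CLI spelling of the VIP and policy lines is an assumption to check against the ScreenOS CLI reference for the release in use, and the parser depends only on the token order used here.

```python
"""Audit a ScreenOS-style VIP port-forward for consistency and least privilege.

Added example, not from the page or from Juniper. The configs below are
constructed; their CLI spelling is an assumption (verify against the
ScreenOS CLI reference for your release).
"""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed: the WebUI settings from steps 1-6 rendered as CLI lines.
SAMPLE_CONFIG = """\
set interface "untrust" zone "Untrust"
set interface "untrust" pppoe
set service "was" protocol tcp src-port 0-65535 dst-port 9080-9080
set interface "untrust" vip 58.2.24.246 9080 "was" 172.2.1.110
set policy id 5 from "Untrust" to "Global" "Any" "VIP::1" "ANY" permit
"""

# Constructed: the same forward, but the policy names the VIP's service and logs.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    '"VIP::1" "ANY" permit', '"VIP::1" "was" permit log')

# Subset of the predefined services seen in the dropdown above; anything
# else that a VIP references must be a custom service defined in the config.
PREDEFINED = {"ANY", "HTTP", "HTTPS", "FTP", "SSH", "TELNET", "SMTP", "DNS", "PING"}


@dataclass
class Service:
    name: str
    proto: str
    dst_low: int
    dst_high: int


@dataclass
class Vip:
    interface: str
    vip_ip: str
    port: int
    service: str
    server_ip: str


@dataclass
class Policy:
    pid: str
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    service: str
    action: str
    log: bool


def _port_range(spec: str) -> Tuple[int, int]:
    """'9080-9080' -> (9080, 9080); a bare '9080' -> (9080, 9080)."""
    low, _, high = spec.partition("-")
    return int(low), int(high or low)


def parse(config: str):
    """Pull custom services, VIP entries and policies out of 'set ...' lines."""
    services: Dict[str, Service] = {}
    vips: List[Vip] = []
    policies: List[Policy] = []
    for raw in config.splitlines():
        t = shlex.split(raw)  # handles the quoted object names
        if len(t) < 3 or t[0] != "set":
            continue
        if t[1] == "service" and "dst-port" in t:
            lo, hi = _port_range(t[t.index("dst-port") + 1])
            services[t[2]] = Service(t[2], t[t.index("protocol") + 1], lo, hi)
        elif t[1] == "interface" and "vip" in t:
            # tolerate an optional '+' token before the port number
            rest = [x for x in t[t.index("vip") + 1:] if x != "+"]
            vips.append(Vip(t[2], rest[0], int(rest[1]), rest[2], rest[3]))
        elif t[1] == "policy" and "from" in t:
            pid = t[t.index("id") + 1] if "id" in t else "?"
            i, j = t.index("from"), t.index("to")
            src, dst, svc, action = t[j + 2], t[j + 3], t[j + 4], t[j + 5]
            policies.append(Policy(pid, t[i + 1], t[j + 1], src, dst, svc,
                                   action, "log" in t[j + 6:]))
    return services, vips, policies


def audit(config: str) -> List[Tuple[str, str]]:
    """Return (level, message) findings; an empty list means nothing to fix."""
    services, vips, policies = parse(config)
    findings: List[Tuple[str, str]] = []
    vip_services = sorted({v.service for v in vips})
    for v in vips:
        svc = services.get(v.service)
        if svc is None and v.service.upper() not in PREDEFINED:
            findings.append(("ERROR", f"VIP {v.vip_ip}:{v.port} uses undefined service {v.service}"))
        elif svc and not svc.dst_low <= v.port <= svc.dst_high:
            findings.append(("INFO", f"VIP {v.vip_ip}:{v.port} port-translates to "
                                     f"{svc.name} {svc.dst_low}-{svc.dst_high} on {v.server_ip}"))
    reach = [p for p in policies if p.dst.startswith("VIP") and p.action == "permit"]
    if vips and not reach:
        findings.append(("ERROR", "no permit policy targets the VIP; the forward is unreachable"))
    for p in reach:
        if p.service.upper() == "ANY":
            findings.append(("WARN", f"policy {p.pid}: service ANY; restrict to {vip_services}"))
        if p.src.lower() == "any":
            findings.append(("NOTE", f"policy {p.pid}: source Any; expected for a public service, "
                                     "narrow it if the client set is known"))
        if not p.log:
            findings.append(("WARN", f"policy {p.pid}: logging is off; add 'log' so hits are recorded"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("as configured", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}")
        for level, msg in audit(cfg) or [("OK", "no findings")]:
            print(f"{level:5} {msg}")
```

Run as a script it prints both reports; the return value of audit() is what a test or CI job would check. A production version would read saved `get config` output from the device rather than the embedded strings, and would extend PREDEFINED to the full list the device ships with.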