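Requirement: 172.16.1.10 is the internal mail server and is mapped to the external address 192.168.1.237.
The configuration is as follows.
/***Static NAT configuration***/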
set security nat static rule-set SUTOT from zone untrust
set security nat static rule-set SUTOT rule U237-SRV10 match destination-address 192.168.1.237/32
set security nat static rule-set SUTOT rule U237-SRV10 then static-nat prefix 172.16.1.10/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.1.237/32
/***SRV10 address configuration***/
set security zones security-zone trust address-book address SRV10 172.16.1.10/32
/***Policy configuration***/
set security policies from-zone untrust to-zone trust policy U237-SRV10 match source-address any
set security policies from-zone untrust to-zone trust policy U237-SRV10 match destination-address SRV10
set security policies from-zone untrust to-zone trust policy U237-SRV10 match application any
set security policies from-zone untrust to-zone trust policy U237-SRV10 then permit
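Note: If testing shows no connectivity, check the configuration for errors. If there are none, you can delete the proxy-arp configuration and assign the IP directly to the interface for testing. Once that test succeeds, remove the address from the interface and configure it under proxy-arp again, as shown in the figure below.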
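
The "check the configuration" step in the note can be done mechanically. The following Python script is an added example, not part of the original page: it cross-checks each static NAT rule against the proxy-arp entry, the address book and the security policy, and also reports a policy that permits any source and any application to the mapped server. The function name `audit` and the finding texts are hypothetical, and the parser assumes only the `set` statement forms used on this page.

```python
import re
from collections import defaultdict
# The page's configuration in "set" format, with the wrapped lines rejoined.
CONFIG = """\
set security nat static rule-set SUTOT from zone untrust
set security nat static rule-set SUTOT rule U237-SRV10 match destination-address 192.168.1.237/32
set security nat static rule-set SUTOT rule U237-SRV10 then static-nat prefix 172.16.1.10/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.1.237/32
set security zones security-zone trust address-book address SRV10 172.16.1.10/32
set security policies from-zone untrust to-zone trust policy U237-SRV10 match source-address any
set security policies from-zone untrust to-zone trust policy U237-SRV10 match destination-address SRV10
set security policies from-zone untrust to-zone trust policy U237-SRV10 match application any
set security policies from-zone untrust to-zone trust policy U237-SRV10 then permit
"""
NAT, POL = r"set security nat static rule-set (\S+) ", r"set security policies from-zone (\S+) to-zone \S+ policy (\S+) "

def audit(config):
    """Cross-check static NAT rules against proxy-arp, address book and policies."""
    zone, rules, arp, book, findings = {}, defaultdict(dict), set(), {}, []
    pols = defaultdict(lambda: defaultdict(set))  # (from-zone, policy) -> field -> values
    for line in config.splitlines():
        s = " ".join(line.split())
        if m := re.fullmatch(NAT + r"from zone (\S+)", s):
            zone[m[1]] = m[2]
        elif m := re.fullmatch(NAT + r"rule (\S+) match destination-address (\S+)", s):
            rules[m[1], m[2]]["public"] = m[3]
        elif m := re.fullmatch(NAT + r"rule (\S+) then static-nat prefix (\S+)", s):
            rules[m[1], m[2]]["private"] = m[3]
        elif m := re.fullmatch(r"set security nat proxy-arp interface \S+ address (\S+)", s):
            arp.add(m[1])
        elif m := re.fullmatch(r"set security zones security-zone \S+ address-book address (\S+) (\S+)", s):
            book[m[2]] = m[1]  # prefix -> address-book name
        elif m := re.fullmatch(POL + r"(?:match (\S+) (\S+)|then (permit))", s):
            pols[m[1], m[2]][m[3] or "action"].add(m[4] or m[5])
    for (rule_set, name), r in rules.items():
        if r.get("public") not in arp:
            findings.append(f"{name}: no proxy-arp entry for {r.get('public')}")
        # Destination is translated before policy lookup, so the policy must match the private address.
        addr = book.get(r.get("private"))
        hits = [p for (fz, _), p in pols.items() if fz == zone.get(rule_set)
                and addr in p["destination-address"] and "permit" in p["action"]]
        if not hits:
            findings.append(f"{name}: no permit policy reaches {r.get('private')}")
        elif any("any" in p["source-address"] and "any" in p["application"] for p in hits):
            findings.append(f"{name}: permits any source and any application")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(CONFIG)))
```

A missing proxy-arp entry is reported as a finding to review rather than an error, since the note above also allows the address to sit directly on the interface.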