The VMware virtual internal host is Windows Server 2008 R2; the external host runs Windows XP.
Goal: an external host reaches the internal web service through the external (public) address. The internal subnet is 192.168.1.0/24 and the server address is 192.168.1.2/24.
Topology
The server and the client are both connected to FW1.
Server NIC settings in VMware
Client NIC settings in VMware
1. Configure the interface IP addresses and add the interfaces to their security zones.
2. First relax the default security policy so that no rule blocks the test traffic (default action set to permit):
security-policy
default action permit
3. Configure the NAT server policy (external 1.1.1.1:8080 mapped to internal 192.168.1.2, port www/80):
nat server web protocol tcp global 1.1.1.1 8080 inside 192.168.1.2 www
4. Verification
The internal server can be reached normally from the client.
Check the firewall session table:
[FW1]display firewall session table verbose
Current Total Sessions : 3
tcp VPN: public --> public ID: c487f69eaaf823062a55c209793
Zone: untrust --> dmz TTL: 00:20:00 Left: 00:19:57
Interface: GigabitEthernet1/0/0 NextHop: 192.168.1.2 MAC: 000c-2924-9304
<--packets: 2 bytes: 284 --> packets: 4 bytes: 455
1.1.1.2:1255 --> 1.1.1.1:8080[192.168.1.2:80] PolicyName: default
5. Add an untrust-to-dmz security policy that permits only TCP/80 to the server, then restore the firewall's default security policy:
security-policy
rule name untrust2dmz
source-zone untrust
destination-zone dmz
destination-address 192.168.1.2 32
service protocol tcp destination-port 80
action permit
6. Check the session table again:
[FW1]dis firewall session table verbose
Current Total Sessions : 2
netbios-name VPN: public --> public ID: c487f69eab02210aab55c209286
Zone: dmz --> dmz TTL: 00:02:00 Left: 00:01:59
Interface: GigabitEthernet1/0/0 NextHop: 192.168.1.255 MAC: 0000-0000-0000
<--packets: 0 bytes: 0 --> packets: 953 bytes: 74,334
192.168.1.2:137 --> 192.168.1.255:137 PolicyName: ---
tcp VPN: public --> public ID: c487f69eaaf85f0fc8f5c209b41
Zone: untrust --> dmz TTL: 00:20:00 Left: 00:19:57
Interface: GigabitEthernet1/0/0 NextHop: 192.168.1.2 MAC: 000c-2924-9304
<--packets: 1 bytes: 48 --> packets: 2 bytes: 88
1.1.1.2:1264 --> 1.1.1.1:8080[192.168.1.2:80] PolicyName: untrust2dmz // the session now matches this rule
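The check in step 6 (is the NAT'd session really matched by untrust2dmz rather than by the permit-all default left over from step 2?) can be automated over the verbose session table. The script below is an added example, not part of the original post; the sample output is constructed from the two tables above, and the field names and the helper functions are my own.

```python
import re

# Constructed sample modelled on the two "display firewall session table verbose"
# outputs above: one session still matched by "default", one by untrust2dmz.
SAMPLE_OUTPUT = """\
Current Total Sessions : 2
 tcp VPN: public --> public ID: c487f69eaaf823062a55c209793
 Zone: untrust --> dmz TTL: 00:20:00 Left: 00:19:57
 Interface: GigabitEthernet1/0/0 NextHop: 192.168.1.2 MAC: 000c-2924-9304
 <--packets: 2 bytes: 284 --> packets: 4 bytes: 455
 1.1.1.2:1255 --> 1.1.1.1:8080[192.168.1.2:80] PolicyName: default
 tcp VPN: public --> public ID: c487f69eaaf85f0fc8f5c209b41
 Zone: untrust --> dmz TTL: 00:20:00 Left: 00:19:57
 Interface: GigabitEthernet1/0/0 NextHop: 192.168.1.2 MAC: 000c-2924-9304
 <--packets: 1 bytes: 48 --> packets: 2 bytes: 88
 1.1.1.2:1264 --> 1.1.1.1:8080[192.168.1.2:80] PolicyName: untrust2dmz
"""

PROTO_RE = re.compile(r"^(\S+) VPN: \S+ --> \S+ ID: (\S+)$")
ZONE_RE = re.compile(r"^Zone: (\S+) --> (\S+)")
FLOW_RE = re.compile(r"^(\S+):(\d+) --> (\S+):(\d+)(?:\[(\S+):(\d+)\])? PolicyName: (\S+)$")

def parse_sessions(text):
    """One dict per session block; NAT fields are None when no [inside:port] is shown."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PROTO_RE.match(line):       # first line of a session block
            cur = {"proto": m.group(1), "id": m.group(2)}
            sessions.append(cur)
        elif cur is None:
            continue
        elif m := ZONE_RE.match(line):
            cur["src_zone"], cur["dst_zone"] = m.group(1), m.group(2)
        elif m := FLOW_RE.match(line):
            cur["src"], cur["dst"], cur["dst_port"] = m.group(1), m.group(3), int(m.group(4))
            cur["nat_dst"] = m.group(5)
            cur["nat_port"] = int(m.group(6)) if m.group(6) else None
            cur["policy"] = m.group(7)
    return sessions

def off_policy_sessions(sessions, expected, src_zone="untrust", dst_zone="dmz"):
    """IDs of src_zone->dst_zone sessions matched by anything other than `expected`,
    e.g. the permit-all default rule left over from step 2."""
    return [s["id"] for s in sessions
            if s.get("src_zone") == src_zone and s.get("dst_zone") == dst_zone
            and s.get("policy") != expected]
```

Run it against the real output of the display command after step 5; any ID it returns is a session that the dedicated rule did not catch.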