1. Network topology:


2. Networking requirements:

Internal users must be able to reach the internal servers (WWW, FTP, etc.) through the servers' externally mapped (public) addresses.

3. Configuration example:

<Quidway>dis cur
#
 sysname Quidway
#
 firewall packet-filter enable
 firewall packet-filter default permit
#
 undo insulate
#
 undo connection-limit enable
 connection-limit default deny
 connection-limit default amount upper-limit 50 lower-limit 20
#
 firewall statistic system enable
#
radius scheme system
#
domain system
#
acl number 2000
 rule 0 permit source 172.16.0.0 0.0.255.255
#
interface Aux0
 async mode flow
#
interface Ethernet0/0
 ip address 172.16.2.1 255.255.255.0
 nat server protocol tcp global 10.153.49.212 www inside 172.16.1.2 www
#
interface Ethernet1/0
 ip address 10.153.49.193 255.255.252.0
 nat outbound 2000
 nat server protocol tcp global 10.153.49.212 www inside 172.16.1.2 www
#
interface Ethernet1/1
#
interface Ethernet1/2
 ip address 172.16.1.1 255.255.255.0
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 add interface Ethernet0/0
 set priority 85
#
firewall zone untrust
 add interface Ethernet1/0
 set priority 5
#
firewall zone DMZ
 add interface Ethernet1/2
 set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
 ip route-static 0.0.0.0 0.0.0.0 10.153.48.1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
 authentication-mode none
#
return
<Quidway>

4. Notes:

1. The mapped address can be the address of the egress interface itself.

2. The server can also be located in the TRUST zone.

3. At present there is no way on the SecPath firewall for intranet users to reach the internal server by domain name, by the public IP address and by the private address all at the same time.
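The configuration above binds the same nat server mapping on both the trust-facing interface Ethernet0/0 and the untrust interface Ethernet1/0, which is what lets a trust-zone client reach 172.16.1.2 via 10.153.49.212. The following added example (my own code, not from the page or the vendor) parses a constructed excerpt of such a display current-configuration output and reports, for each public mapping on the untrust interface, which client-zone interfaces are missing the same mapping; the zone and interface names are the ones from the page.

```python
import re

# Constructed excerpt of the running configuration above (only the lines the check needs).
CONFIG = """\
interface Ethernet0/0
 nat server protocol tcp global 10.153.49.212 www inside 172.16.1.2 www
#
interface Ethernet1/0
 nat server protocol tcp global 10.153.49.212 www inside 172.16.1.2 www
#
firewall zone trust
 add interface Ethernet0/0
#
firewall zone untrust
 add interface Ethernet1/0
#
"""

NAT_SERVER = re.compile(r"nat server protocol (\w+) global (\S+) (\S+) inside (\S+) (\S+)")

def parse(config):
    """Return ({interface: [nat server mappings]}, {zone: [interfaces]}) from the config text."""
    nat, zones, ctx = {}, {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            ctx = ("if", line.split()[1])
            nat.setdefault(ctx[1], [])
        elif line.startswith("firewall zone "):
            ctx = ("zone", line.split()[2])
            zones.setdefault(ctx[1], [])
        elif line == "#":
            ctx = None                          # '#' closes the current view
        elif ctx and ctx[0] == "if" and (m := NAT_SERVER.match(line)):
            nat[ctx[1]].append({"proto": m[1], "global": (m[2], m[3]), "inside": (m[4], m[5])})
        elif ctx and ctx[0] == "zone" and line.startswith("add interface "):
            zones[ctx[1]].append(line.split()[2])
    return nat, zones

def hairpin_check(config, client_zone="trust"):
    """For each mapping on the untrust interface(s), list client-zone interfaces that lack the
    same 'nat server' line; an empty list means hairpin access via the public address works."""
    nat, zones = parse(config)
    public = {m["global"]: m for i in zones.get("untrust", []) for m in nat.get(i, [])}
    return {g: [i for i in zones.get(client_zone, []) if m not in nat.get(i, [])]
            for g, m in public.items()}
```

Run hairpin_check on a full display current-configuration capture; any non-empty list names an internal interface whose clients will not be able to use the public address for that mapping.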