所需要的要求:现在有一个公网地址 211.147.75.196,做对应的静态NAT,地址是10.10.8.2,需要将该地址的443端口和80端口开放出去
CLI配置
1、定义所需要的端口
set applications application f5-service protocol tcp#设置端口类型为 tcp
set applications application f5-service source-port 1-655353#设置端口源是 1-65535,这个端口的名字叫f5-service
set applications application f5-service destination-port 80#设置目的端口是 80,这个端口的名字叫f5-servic
set applications application f5-service-443 protocol tcp#设置端口类型为 tcp
set applications application f5-service-443 source-port 1-65535#设置端口源是 1-65535,这个端口的名字叫f5-service-443
set applications application f5-service-443 destination-port 443#设置目的端口是 443,这个端口的名字叫f5-service-443
2、定义所需要的地址
set security zones security-zone trust tcp-rst#该地址所在的区域是 trust区域
set security zones security-zone trust address-book address F5-WEB 10.10.8.2/32#该地址的名字叫做 F5-WEB,地址是10.10.8.2/32
3、做静态 NAT
从 untrust的规则
set security nat static rule-set static-nat from zone untrust#来自 untrust,名字叫做static-nat
set security nat static rule-set static-nat rule rule10 match destination-address 211.147.75.196/32匹配的目地地址是 211.147.75.196/32
set security nat static rule-set static-nat rule rule10 then static-nat prefix 10.10.8.2/32#需要 nat到的地址是10.10.8.2/32
set security nat proxy-arp interface ge-0/0/0.0 address 211.147.75.196/32#做一条 pro-xy,端口选择外网出口的端口ge-0/0/0.0,地址选择要使用的公网地址
 
从 trust的规则
set security nat static rule-set static-nat-trust from zone trust#来自 untrust,名字叫做static-nat-trust
set security nat static rule-set static-nat-trust rule rule2-10 match destination-address 211.147.75.196/32#匹配的目标地址还是 211.147.75.196/32
set security nat static rule-set static-nat-trust rule rule2-10 then static-nat prefix 10.10.8.2/32#要 NAT的地址是10.10.8.2
4、定义策略,从 trust-untrust
set security policies from-zone trust to-zone untrust policy trust-untrust match destination-address any#从 trust到Untrust区域是完全访问
5、定义策略,从 untrust到trust
set security policies from-zone untrust to-zone trust policy F5 match source-address any#该策略名字叫做 F5,匹配的源地址是any
set security policies from-zone untrust to-zone trust policy F5 match destination-address F5-WEB#匹配的目标地址是刚才建立的 F5-WEB地址
 
set security policies from-zone untrust to-zone trust policy F5 match application f5-service#匹配的服务端口是 f5-service
set security policies from-zone untrust to-zone trust policy F5 match application f5-service-443#匹配的服务端口是 f5-service-443
set security policies from-zone untrust to-zone trust policy F5 then permit策略的机制是允许
6、定义从 trust到trust的策略
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any#该策略的名字是 trust-to-trust,源地址是any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address F5-WEB#匹配的目标地址是刚才建立的 F5-WEB地址
set security policies from-zone trust to-zone trust policy trust-to-trust match application f5-service#匹配的服务端口是刚才建立的 f5-service
set security policies from-zone trust to-zone trust policy trust-to-trust match application f5-service-443#匹配的服务端口是刚才建立的 f5-service-443
 
图形配置
1、点击 security-applications-Add,建立一个名字叫做f5-service-443的端口443,依次类推,建立一个名字叫做f5-service的端口80
 

2、点击 security-address book-add
 

3、 NAT-static nat-add,这里很关健,要建立一个从untrust的NAT,还要建立一个从trust的NAT,所建立的规则都是一样的
建立 untrust的NAT(选择区域为untrust,在下面添加rule
 

在次建立静态 NAT,这次区域选择从trust,继续在下面添加rule
 

 

 

4、点击 Security-policy-FW policyes-add,建立一条从trust到untrust的策略
 

5、点击 Security-policy-FW policyes-add,建立一条从untrust到trust的策略
 

6、点击 Security-policy-FW policyes-add,建立一条trust到trust的策略