1. Network topology:

2. Networking requirements:

   Internal users must be able to reach the internal servers (WWW, FTP, etc.) through the address mapped on the external network.

3. Configuration example:

<Quidway>dis cur
#
 sysname Quidway
#
 firewall packet-filter enable
 firewall packet-filter default permit
#
 undo insulate
#
 undo connection-limit enable
 connection-limit default deny
 connection-limit default amount upper-limit 50 lower-limit 20
#
 firewall statistic system enable
#
radius scheme system
#
domain system
#
acl number 2000
 rule 0 permit source 172.16.0.0 0.0.255.255
#
interface Aux0
 async mode flow
#
interface Ethernet0/0
 ip address 172.16.2.1 255.255.255.0
 nat server protocol tcp global 10.153.49.212 www inside 172.16.1.2 www
#
interface Ethernet1/0
 ip address 10.153.49.193 255.255.252.0
 nat outbound 2000
 nat server protocol tcp global 10.153.49.212 www inside 172.16.1.2 www
#
interface Ethernet1/1
#
interface Ethernet1/2
 ip address 172.16.1.1 255.255.255.0
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 add interface Ethernet0/0
 set priority 85
#
firewall zone untrust
 add interface Ethernet1/0
 set priority 5
#
firewall zone DMZ
 add interface Ethernet1/2
 set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
ip route-static 0.0.0.0 0.0.0.0 10.153.48.1 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
 authentication-mode none
#
return
<Quidway>

4. Notes:

 1. The mapped address can be the address of the egress interface.

 2. The server can also be placed in the "TRUST" zone.

 3. At present there is no way on the SecPath firewall to let intranet users access an intranet server via the domain name, the public IP address and the private address all at the same time.
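As an added illustration (not part of the original note and not code from H3C or Huawei), the following Python model traces why the "nat server" line has to be bound on the internal interface Ethernet0/0 as well as on the external interface Ethernet1/0 for the requirement above to work. The interface subnets, the default route and the WWW mapping are taken from the configuration shown; the client addresses and ports, the per-interface lookup order and the simplified session table are assumptions, and "nat outbound 2000" is deliberately not modeled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class NatServer:
    """One 'nat server protocol tcp global G gport inside I iport' line."""
    global_ip: str
    global_port: int
    inside_ip: str
    inside_port: int


# Interface subnets derived from the 'ip address' lines in the config above.
SUBNETS = {
    "Ethernet0/0": ip_network("172.16.2.0/24"),   # zone trust (internal users)
    "Ethernet1/0": ip_network("10.153.48.0/22"),  # zone untrust (external)
    "Ethernet1/2": ip_network("172.16.1.0/24"),   # zone DMZ (server)
}
# 'ip route-static 0.0.0.0 0.0.0.0 10.153.48.1': everything else leaves via Ethernet1/0.
DEFAULT_ROUTE_IFACE = "Ethernet1/0"

WWW = NatServer("10.153.49.212", 80, "172.16.1.2", 80)

# As on the page: the mapping is bound on the internal interface too.
HAIRPIN_CONFIG = {"Ethernet0/0": [WWW], "Ethernet1/0": [WWW]}
# For comparison (assumed alternative): mapping only on the external interface.
OUTSIDE_ONLY_CONFIG = {"Ethernet1/0": [WWW]}


def iface_for(ip: str) -> str:
    """Interface whose subnet contains ip; otherwise the default-route interface."""
    addr = ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return DEFAULT_ROUTE_IFACE


class Firewall:
    """Minimal model: nat server lookup on the ingress interface plus a session
    table so that server replies get their source rewritten back to the global address."""

    def __init__(self, nat_servers):
        self.nat_servers = nat_servers
        # (client, cport, inside_ip, inside_port) -> (global_ip, global_port)
        self.sessions = {}

    def forward(self, pkt: Packet):
        """Return (packet as it leaves the firewall, egress interface)."""
        ingress = iface_for(pkt.src)
        for entry in self.nat_servers.get(ingress, []):
            if pkt.dst == entry.global_ip and pkt.dport == entry.global_port:
                key = (pkt.src, pkt.sport, entry.inside_ip, entry.inside_port)
                self.sessions[key] = (entry.global_ip, entry.global_port)
                pkt = Packet(pkt.src, pkt.sport, entry.inside_ip, entry.inside_port)
                return pkt, iface_for(pkt.dst)
        # Not a newly mapped flow: is it the server's reply to a translated session?
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions:
            global_ip, global_port = self.sessions[key]
            pkt = Packet(global_ip, global_port, pkt.dst, pkt.dport)
        return pkt, iface_for(pkt.dst)


def trace(config):
    """Run three constructed flows and report what the firewall does with each."""
    fw = Firewall(config)
    # Constructed sample flows: an internal client and an external client (TEST-NET-3).
    inside_req, inside_egress = fw.forward(Packet("172.16.2.10", 40000, "10.153.49.212", 80))
    reply, reply_egress = fw.forward(Packet("172.16.1.2", 80, "172.16.2.10", 40000))
    outside_req, outside_egress = fw.forward(Packet("203.0.113.5", 51000, "10.153.49.212", 80))
    return {
        "inside_dst": (inside_req.dst, inside_egress),
        "reply_src": (reply.src, reply_egress),
        "outside_dst": (outside_req.dst, outside_egress),
    }


if __name__ == "__main__":
    for name, cfg in (("hairpin", HAIRPIN_CONFIG), ("outside-only", OUTSIDE_ONLY_CONFIG)):
        print(name, trace(cfg))
```

With the page's configuration the internal client's request to 10.153.49.212:80 is rewritten to 172.16.1.2:80 and leaves towards the DMZ, and the server's reply has its source rewritten back to 10.153.49.212 so the client's TCP session matches the address it connected to; with the mapping only on Ethernet1/0 the same request is untouched and follows the default route out of the external interface. The reverse translation works here only because client and server sit behind different interfaces, so the reply transits the firewall.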