Preface
Static port mapping: a fixed port is opened on the NAT gateway, and traffic arriving on that port is forwarded to a specified IP address and port on the internal network. The mapping exists at all times, whether or not a connection is active.
Internal IP: 192.168.2.100/32
Internal port: 8000
External IP: 114.114.114.114/32
External port: 8000
Service port
# The protocol here is tcp; change it to udp as required
set applications application 8000-tcp protocol tcp
# Source port range 0-65535 (any source port)
set applications application 8000-tcp source-port 0-65535
# Destination port 8000; the application is named 8000-tcp
set applications application 8000-tcp destination-port 8000
# If the protocol must be udp, use the following command instead
set applications application 8000-udp protocol udp
If the internal and external ports differ, two separate service port definitions must be created.
Internal mapped port
# The internal address and port that traffic is mapped to
set security nat destination pool NAT-POOL-8000 address 192.168.2.100/32
set security nat destination pool NAT-POOL-8000 address port 8000
External mapped port
The public port does not have to be the same as the internal port; to use a different public port, create a new entry under the service port section.
# Required only when configuring the first port; it does not need to be repeated for additional ports
set security nat destination rule-set test-DES-NAT from zone untrust
# Source address 0.0.0.0/0 (any source)
set security nat destination rule-set test-DES-NAT rule test-NAT-8000 match source-address 0.0.0.0/0
# Public IP
set security nat destination rule-set test-DES-NAT rule test-NAT-8000 match destination-address 114.114.114.114/32
# Public port
set security nat destination rule-set test-DES-NAT rule test-NAT-8000 match destination-port 8000
# Reference the pool NAT-POOL-8000
set security nat destination rule-set test-DES-NAT rule test-NAT-8000 then destination-nat pool NAT-POOL-8000
Security policy for the mapping
set security policies from-zone untrust to-zone trust policy test-100-DES-NAT-PERMIT match source-address any
set security policies from-zone untrust to-zone trust policy test-100-DES-NAT-PERMIT match destination-address test_100_8000
set security policies from-zone untrust to-zone trust policy test-100-DES-NAT-PERMIT match application 8000-tcp
set security zones security-zone trust address-book address test_100_8000 192.168.2.100/32
Session logging
# The following lines only need to be configured once, even when mapping multiple ports of the same IP
set security policies from-zone untrust to-zone trust policy test-100-DES-NAT-PERMIT then permit
set security policies from-zone untrust to-zone trust policy test-100-DES-NAT-PERMIT then log session-init
set security policies from-zone untrust to-zone trust policy test-100-DES-NAT-PERMIT then log session-close
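As an added example (not part of the original post), the full set of commands needed to map a second TCP port, 8001, to the same internal host, reusing the rule set, address-book entry and policy already created above. It shows which lines are per-port and which were configured once. The names 8001-tcp, NAT-POOL-8001 and test-NAT-8001 are assumptions chosen for this example.

```junos
# Added example: second static port mapping, tcp 8001 -> 192.168.2.100:8001,
# sharing the rule set and policy of the 8000 mapping above.
# The names 8001-tcp, NAT-POOL-8001 and test-NAT-8001 are assumptions for this example.

# 1. Service port definition: one per port/protocol pair
set applications application 8001-tcp protocol tcp
set applications application 8001-tcp source-port 0-65535
set applications application 8001-tcp destination-port 8001

# 2. Destination NAT pool: the internal host and port this public port maps to
set security nat destination pool NAT-POOL-8001 address 192.168.2.100/32
set security nat destination pool NAT-POOL-8001 address port 8001

# 3. New rule inside the existing rule set; the "from zone untrust" line
#    is already present and is not repeated here
set security nat destination rule-set test-DES-NAT rule test-NAT-8001 match source-address 0.0.0.0/0
set security nat destination rule-set test-DES-NAT rule test-NAT-8001 match destination-address 114.114.114.114/32
set security nat destination rule-set test-DES-NAT rule test-NAT-8001 match destination-port 8001
set security nat destination rule-set test-DES-NAT rule test-NAT-8001 then destination-nat pool NAT-POOL-8001

# 4. Add the new application to the existing policy; the address-book entry
#    test_100_8000, "then permit" and the session-init/session-close logging
#    were configured once for the 8000 mapping and apply to this port too
set security policies from-zone untrust to-zone trust policy test-100-DES-NAT-PERMIT match application 8001-tcp
```

After `commit`, `show security nat destination rule all` lists both rules with their hit counters, and `show security flow session destination-port 8001` shows live sessions for the new port, which is the quickest way to confirm traffic is actually being translated. Because the NAT rule and the policy both match any source, every host on the internet can reach the mapped service; where the service is only needed by known clients, replace `match source-address any` in the policy with an address-book entry listing those clients so the exposure is limited to them.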