Junos: static NAT hairpin (NAT loopback) problem

 

Requirement: a public address 211.147.75.196 is statically NATed to the internal address 10.10.8.2, and ports 443 and 80 on that address must be reachable from outside. Internal hosts must also be able to reach the server through the public address (hairpin), which is what the second rule-set and the trust-to-trust policy below provide.
CLI configuration
1. Define the required applications (ports)
set applications application f5-service protocol tcp#protocol is tcp
set applications application f5-service source-port 1-65535#source port range is 1-65535; this application is named f5-service
set applications application f5-service destination-port 80#destination port is 80; this application is named f5-service
set applications application f5-service-443 protocol tcp#protocol is tcp
set applications application f5-service-443 source-port 1-65535#source port range is 1-65535; this application is named f5-service-443
set applications application f5-service-443 destination-port 443#destination port is 443; this application is named f5-service-443
2. Define the required address
set security zones security-zone trust tcp-rst#the address lives in zone trust; tcp-rst makes this zone answer non-SYN TCP packets that match no session with a RST
set security zones security-zone trust address-book address F5-WEB 10.10.8.2/32#the address is named F5-WEB and is 10.10.8.2/32
3. Configure static NAT
Rule-set from untrust
set security nat static rule-set static-nat from zone untrust#traffic arriving from zone untrust; the rule-set is named static-nat
set security nat static rule-set static-nat rule rule10 match destination-address 211.147.75.196/32#matched destination address is 211.147.75.196/32
set security nat static rule-set static-nat rule rule10 then static-nat prefix 10.10.8.2/32#translate to 10.10.8.2/32
set security nat proxy-arp interface ge-0/0/0.0 address 211.147.75.196/32#proxy-arp entry: the interface is the Internet-facing egress port ge-0/0/0.0, the address is the public address in use
 
Rule-set from trust
set security nat static rule-set static-nat-trust from zone trust#traffic arriving from zone trust; the rule-set is named static-nat-trust
set security nat static rule-set static-nat-trust rule rule2-10 match destination-address 211.147.75.196/32#the matched destination address is still 211.147.75.196/32
set security nat static rule-set static-nat-trust rule rule2-10 then static-nat prefix 10.10.8.2/32#the address to translate to is 10.10.8.2
4. Define the policy from trust to untrust
set security policies from-zone trust to-zone untrust policy trust-untrust match source-address any#a Junos policy needs source, destination and application match terms to commit
set security policies from-zone trust to-zone untrust policy trust-untrust match destination-address any#traffic from trust to untrust is fully allowed
set security policies from-zone trust to-zone untrust policy trust-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-untrust then permit
5. Define the policy from untrust to trust
set security policies from-zone untrust to-zone trust policy F5 match source-address any#this policy is named F5; the matched source address is any
set security policies from-zone untrust to-zone trust policy F5 match destination-address F5-WEB#the matched destination address is the F5-WEB address created above

set security policies from-zone untrust to-zone trust policy F5 match application f5-service#the matched application (service port) is f5-service
set security policies from-zone untrust to-zone trust policy F5 match application f5-service-443#the matched application (service port) is f5-service-443
set security policies from-zone untrust to-zone trust policy F5 then permit#the policy action is permit
6. Define the policy from trust to trust
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any#this policy is named trust-to-trust; the source address is any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address F5-WEB#the matched destination address is the F5-WEB address created above
set security policies from-zone trust to-zone trust policy trust-to-trust match application f5-service#the matched application is the f5-service created above
set security policies from-zone trust to-zone trust policy trust-to-trust match application f5-service-443#the matched application is the f5-service-443 created above
set security policies from-zone trust to-zone trust policy trust-to-trust then permit#without an action the policy does not commit; permit only these two services to F5-WEB
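Why two static NAT rule-sets and a trust-to-trust policy are needed is easier to see by walking the SRX first-packet order of operations (ingress zone, static NAT, route lookup, policy lookup on the translated addresses). The following Python model is an added example, not Junos code and not from the original post. It assumes an internal interface named ge-0/0/1.0 in zone trust, a default route out of untrust, and models the trust-to-untrust policy as the full access its comment describes; source NAT is not configured on this page and is not modelled.

```python
"""Toy model of SRX first-packet processing for the static-NAT hairpin above.

Constructed example; it does not model source NAT, which the configuration
on this page does not use."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed topology: ge-0/0/0.0 is the untrust (Internet) interface as on the
# page; the internal interface name ge-0/0/1.0 is an assumption.
IFACE_ZONE = {"ge-0/0/0.0": "untrust", "ge-0/0/1.0": "trust"}
# Assumed routing table: the server subnet lives on trust, default route is untrust.
ROUTES = [(ip_network("10.10.8.0/24"), "trust"), (ip_network("0.0.0.0/0"), "untrust")]

# Static NAT rule-sets keyed by from-zone, mirroring the two rule-sets on the page.
STATIC_NAT_BOTH = {
    "untrust": [("211.147.75.196/32", "10.10.8.2/32")],
    "trust": [("211.147.75.196/32", "10.10.8.2/32")],
}
# The same table with the from-zone trust rule-set missing (the hairpin failure case).
STATIC_NAT_UNTRUST_ONLY = {"untrust": STATIC_NAT_BOTH["untrust"]}

APPLICATIONS = {"f5-service": ("tcp", 80), "f5-service-443": ("tcp", 443)}
ADDRESS_BOOK = {"F5-WEB": ip_network("10.10.8.2/32")}

# (from-zone, to-zone, source, destination, applications, action). The
# trust-to-untrust policy is modelled as the full access its comment describes.
POLICIES = [
    ("trust", "untrust", "any", "any", ["any"], "permit"),
    ("untrust", "trust", "any", "F5-WEB", ["f5-service", "f5-service-443"], "permit"),
    ("trust", "trust", "any", "F5-WEB", ["f5-service", "f5-service-443"], "permit"),
]


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def static_nat(from_zone, dst, nat_table):
    """Apply the static NAT rule-set attached to the ingress zone, if one exists."""
    for match, prefix in nat_table.get(from_zone, []):
        if ip_address(dst) in ip_network(match):
            return str(ip_network(prefix).network_address)  # /32 -> /32 mapping
    return dst


def egress_zone(dst):
    """Longest-prefix route lookup on the (already translated) destination."""
    candidates = [(net, zone) for net, zone in ROUTES if ip_address(dst) in net]
    return max(candidates, key=lambda c: c[0].prefixlen)[1]


def addr_matches(name, ip):
    return name == "any" or ip_address(ip) in ADDRESS_BOOK[name]


def app_matches(apps, proto, dport):
    return "any" in apps or any(APPLICATIONS[a] == (proto, dport) for a in apps)


def first_packet(pkt, nat_table=STATIC_NAT_BOTH):
    """Ingress zone -> static NAT -> route lookup -> policy lookup.
    Returns (action, translated_destination, egress_zone)."""
    from_zone = IFACE_ZONE[pkt.in_iface]
    dst = static_nat(from_zone, pkt.dst, nat_table)
    to_zone = egress_zone(dst)
    for fz, tz, src, d, apps, action in POLICIES:
        if ((fz, tz) == (from_zone, to_zone) and addr_matches(src, pkt.src)
                and addr_matches(d, dst) and app_matches(apps, pkt.proto, pkt.dport)):
            return action, dst, to_zone
    return "deny", dst, to_zone  # implicit default deny


if __name__ == "__main__":
    # Constructed sample traffic: an Internet client and an internal client,
    # both connecting to the public address.
    internet = Packet("ge-0/0/0.0", "198.51.100.7", "211.147.75.196", 443)
    internal = Packet("ge-0/0/1.0", "10.10.8.50", "211.147.75.196", 80)
    print("Internet -> VIP:443              ", first_packet(internet))
    print("Internal -> VIP:80, both rule-sets", first_packet(internal))
    print("Internal -> VIP:80, untrust only  ", first_packet(internal, STATIC_NAT_UNTRUST_ONLY))
```

Static NAT rule-sets are selected by the ingress zone, so the from-zone untrust rule-set is never consulted for an internal client. Without the trust rule-set the destination stays 211.147.75.196, the route lookup sends the session out of untrust and it never reaches 10.10.8.2. With it, the translated destination resolves to zone trust, which is why the session is trust-to-trust and needs its own policy; that policy is scoped to F5-WEB and the two applications rather than any/any, so the hairpin does not open the whole trust zone to itself.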
 
GUI configuration
1. Click Security > Applications > Add and create an application named f5-service-443 for port 443; in the same way, create one named f5-service for port 80.
 

2. Click Security > Address Book > Add and create the F5-WEB address.
 

3. NAT > Static NAT > Add. This is the critical step: you must create one static NAT rule-set from untrust and a second one from trust; the rules in both are identical.
Create the untrust NAT (select zone untrust, then add the rule below).
 

Create a second static NAT; this time select zone trust and again add the rule below.
 

 

 

4. Click Security > Policy > FW Policies > Add and create a policy from trust to untrust.
 

5. Click Security > Policy > FW Policies > Add and create a policy from untrust to trust.
 

6. Click Security > Policy > FW Policies > Add and create a policy from trust to trust.

 

 
