一、Source NAT
對於不需要做NAT的網段(比如IPSec×××),需要先關閉這些地址的NAT(如果沒有則跳過)
set security nat source rule-set trust-untrust rule no-nat match source-address 192.168.0.0/16
set security nat source rule-set trust-untrust rule no-nat match destination-address 10.10.0.0/24
set security nat source rule-set trust-untrust rule no-nat then source-nat off
對於需要上網或者所有的網段(做地址轉換的網段),做source-nat
首先定義一個地址池(要轉換的公網地址):
set security nat source pool natpool1 address 112.48.20.11/32 to 112.48.20.15/32
set security nat source pool natpool2 address 112.48.20.21/32 to 112.48.20.30/32
配置NAT規則匹配源、目、轉換地址池
set security nat source rule-set trust-untrust from zone trust
set security nat source rule-set trust-untrust to zone untrust
//匹配特定的地址進行轉換(沒有特定可省略)
set security nat source rule-set trust-untrust rule nat1 match source-address 0.0.0.0/0
set security nat source rule-set trust-untrust rule nat1 match destination-address 183.253.58.253/32
set security nat source rule-set trust-untrust rule nat1 then source-nat pool natpool1
//默認所有的源、目地址進行轉換
set security nat source rule-set trust-untrust rule nat2 match source-address 0.0.0.0/0
set security nat source rule-set trust-untrust rule nat2 match destination-address 0.0.0.0/0
set security nat source rule-set trust-untrust rule nat2 then source-nat pool natpool2
如果NAT地址池有多個地址,除了接口地址,那麼其它地址需要做proxy-arp
set security nat proxy-arp interface ge-0/0/0.0 address 112.48.20.11/32 to 112.48.20.15/32
set security nat proxy-arp interface ge-0/0/0.0 address 112.48.20.21/32 to 112.48.20.30/32
做完這些就可以了? NO! NO! NO!防火牆域間策略不能忘
//首先定義兩個地址池,並加入到地址組NET中
set security zones security-zone trust address-book address 192.168.100.0 192.168.100.0/24
set security zones security-zone trust address-book address 192.168.200.0 192.168.200.0/24
set security zones security-zone trust address-book address-set NET address 192.168.100.0
set security zones security-zone trust address-book address-set NET address 192.168.200.0
//將地址組匹配到trust到untrust的策略中,並放行
set security policies from-zone trust to-zone untrust policy 1 match source-address NET
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit
到此,這192.168.100.0和192.168.200.0就可以通過NAT上網了
二、Destination NAT
部分服務器需要映射到公網去,怎麼做呢?那麼往下看:
//首先創建要映射的服務器地址池(包括IP地址和端口)
set security nat destination pool 1 address 192.168.168.168/32
set security nat destination pool 1 address port 443
//創建Destination NAT規則要映射的服務器地址池(包括IP地址和端口)
set security nat destination rule-set desnat from zone untrust
set security nat destination rule-set desnat to zone trust
set security nat destination rule-set desnat rule server1 match source-address 0.0.0.0/0
//匹配訪問112.48.20.2的4430端口轉換到內網服務器的443端口
set security nat destination rule-set desnat rule server1 match destination-address 112.48.20.2/32
set security nat destination rule-set desnat rule server1 match destination-port 4430
set security nat destination rule-set desnat rule server1 then destination-nat pool 1
還有必不可少的防火牆域間策略
//創建內網服務器地址組及端口
set security zones security-zone trust address-book address server1 192.168.168.168/32
set applications application Service_4430 term Service_4430 protocol tcp
set applications application Service_4430 term Service_4430 source-port 0-65535
set applications application Service_4430 term Service_4430 destination-port 4430-4430
//創建untrust到trust的策略,目前地址匹配內網服務器地址及端口
set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address server1
set security policies from-zone untrust to-zone trust policy 1 match application Service_4430
set security policies from-zone untrust to-zone trust policy 1 then permit
至此,外網就可以使用http://112.48.20.2:4430/訪問內網的服務器了
還有一個問題,此時內網的用戶卻不能使用這個公網地址訪問內部的服務器,這個需要在NAT上再做一個內部的地址轉換,如下:
//創建一個源地址映射的地址池(內部服務器映射的地址)
set security nat source pool sorpool4 address 112.48.20.2/32
//創建trust到trust的策略如下
set security nat source rule-set trust-trust from zone trust
set security nat source rule-set trust-trust to zone trust
set security nat source rule-set trust-trust rule server1 match source-address 0.0.0.0/0
set security nat source rule-set trust-trust rule server1 match destination-address 192.168.168.168/32
set security nat source rule-set trust-trust rule server1 match destination-port 443
set security nat source rule-set trust-trust rule server1 then source-nat pool sorpool4
至此,內網也可以通過公網地址訪問內部服務器了!!!
如有雷同,純屬巧合,歡迎指正!