As shown in the diagram, PC1 is an internal enterprise user that reaches the Internet through the firewall using NAT (address pool 1.1.1.105-1.1.1.106). Server is the enterprise FTP server, published to external users through static NAT with the public address 1.1.1.100. FW1 is the enterprise border firewall, acting both as the router and as the device protecting the enterprise. AR1 and AR2 are external routers.
PC1 is in the Trust zone, Server is in the DMZ zone, and AR1 and AR2 are in the Untrust zone.
First, create a NAT pool on the firewall so that internal users can reach external servers through NAT.
Then configure the NAT policy.
Then configure a security policy on the firewall that allows the trust zone to access the untrust zone.
Configure a default route pointing to AR1.
Finally, add a static route for the NAT pool addresses pointing to a null interface; this black-hole route prevents a routing loop.
Now for the FTP server: first configure the static mapping that publishes the server externally.
Configure a security policy on the firewall that allows the untrust zone to access the DMZ zone.
Next, configure a second NAT pool; its purpose is to provide the internal address that external users' traffic is translated to after NAT when they access the internal server.
Configure a NAT policy for it. Note that this NAT policy differs from the one used for internal-to-external NAT!!!
Finally, configure a static route for the server's public address as well, again to prevent a routing loop.
At this point the configuration is complete!!
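The black-hole routes from the last step of each phase are the easiest part of this setup to forget. The following Python script is an added example, not part of the original post: it reads saved `display current-configuration` text and lists every NAT global address (a `nat server ... global` address or an address in an address-group `section`) that has no covering `ip route-static ... NULL0` entry. It assumes that private-range pool addresses, like the dmz pool here, face inward and need no black-hole route; the embedded configuration excerpt is constructed from this lab with one route deliberately omitted.

```python
import ipaddress
import re

# Constructed excerpt of FW1's configuration from this lab, with the 1.1.1.106
# black-hole route deliberately left out so the audit has something to report.
SAMPLE_CONFIG = """\
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/2 1.1.1.2
ip route-static 1.1.1.100 255.255.255.255 NULL0
ip route-static 1.1.1.105 255.255.255.255 NULL0
nat server FTP 0 zone untrust protocol tcp global 1.1.1.100 ftp inside 10.1.2.1 ftp no-reverse
nat address-group "nat pool" 0
 mode pat
 section 0 1.1.1.105 1.1.1.106
nat address-group "dmz pool" 1
 mode pat
 section 0 10.1.2.100 10.1.2.100
"""

def nat_global_addresses(config):
    """Public addresses the firewall answers for: every 'nat server ... global'
    address plus every address in each address-group 'section' range.
    Assumption: private-range pool addresses (the dmz pool) face inward and are skipped."""
    addrs = set()
    for m in re.finditer(r"^nat server .*?\bglobal (\S+)", config, re.M):
        addrs.add(ipaddress.ip_address(m.group(1)))
    for m in re.finditer(r"^\s*section \d+ (\S+) (\S+)$", config, re.M):
        first, last = (int(ipaddress.ip_address(x)) for x in m.groups())
        addrs.update(ipaddress.ip_address(i) for i in range(first, last + 1))
    return {a for a in addrs if not a.is_private}

def blackhole_routes(config):
    """Prefixes already routed to NULL0 (static black-hole routes)."""
    nets = set()
    for m in re.finditer(r"^ip route-static (\S+) (\S+) NULL0\b", config, re.M):
        nets.add(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return nets

def missing_blackholes(config):
    """NAT global addresses with no covering NULL0 route, as sorted dotted strings."""
    nets = blackhole_routes(config)
    return sorted(str(a) for a in nat_global_addresses(config)
                  if not any(a in n for n in nets))

if __name__ == "__main__":
    for addr in missing_blackholes(SAMPLE_CONFIG):
        print(f"no black-hole route for NAT address {addr}")
```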
The configurations follow.
PC>ipconfig
IPv4 address......................: 10.1.1.1
Subnet mask.......................: 255.255.255.0
Gateway...........................: 10.1.1.254
Physical address..................: 54-89-98-6C-7F-9E

PC>ipconfig
IPv4 address......................: 10.1.2.1
Subnet mask.......................: 255.255.255.0
Gateway...........................: 10.1.2.254
Physical address..................: 54-89-98-30-75-F0
[FW1]display current-configuration
#
ip address-set FTP_Server type object
 address 0 10.1.2.0 mask 24
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.1.2.254 255.255.255.0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.1.1.254 255.255.255.0
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
 service-manage ping permit
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
 add interface GigabitEthernet1/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet1/0/2
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/0
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/2 1.1.1.2
ip route-static 1.1.1.100 255.255.255.255 NULL0
ip route-static 1.1.1.105 255.255.255.255 NULL0
ip route-static 1.1.1.106 255.255.255.255 NULL0
#
nat server FTP 0 zone untrust protocol tcp global 1.1.1.100 ftp inside 10.1.2.1 ftp no-reverse    //static mapping
#
nat address-group "nat pool" 0    //address pool for internal-to-Internet NAT
 mode pat
 section 0 1.1.1.105 1.1.1.106
#
nat address-group "dmz pool" 1    //internal address pool used when external users access the FTP server
 mode pat
 section 0 10.1.2.100 10.1.2.100
#
security-policy    //security policies
 rule name Internet
  source-zone trust
  destination-zone untrust
  action permit
 rule name Ftp
  source-zone untrust
  destination-zone dmz
  service ftp
  action permit
#
[AR1]display current-configuration
#
interface GigabitEthernet0/0/0
 ip address 1.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 12.1.1.1 255.255.255.0
#
ospf 100 router-id 11.1.1.1
 import-route direct
 area 0.0.0.0
  network 12.1.1.1 0.0.0.0
#

[AR2]display current-configuration
#
interface GigabitEthernet0/0/1
 ip address 12.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/2
#
ospf 100 router-id 22.2.2.2
 area 0.0.0.0
  network 12.1.1.2 0.0.0.0
#