Network topology:

 
Customer requirements:

1. Use the AR28 as the NAT device, with Easy NAT providing internal-network access to the public network.
2. The internal servers must be reachable from the external network by domain name; the domain names are already registered and are correctly resolved by public DNS servers to 61.*.*.93.
3. Internal users must also be able to reach the internal servers by domain name, in the same way external users do.
Solution and principle:

For this customer requirement we finally have a software version that can implement it: v3.4-0108. This version provides a way for internal users to reach internal servers through the external domain name: DNS map. The nat dns-map command performs network address translation on DNS reply packets sent from the external network to the internal network and, at the same time, replaces the IP address carried in the A-record answers in the packet payload. In other words, while the destination address in the IP header of the DNS response is translated, the domain-name-to-IP mapping inside the packet content is rewritten as well. As shown in the figure below:
 
The Easy NAT and nat server configuration is the same as the original Easy NAT and nat server configuration.
This feature is implemented as a supplement to, and modification of, the existing DNS ALG. DNS ALG module processing flow: in DNS reply packets sent by the internal DNS server to its upstream DNS server, the address in the original DNS reply is replaced with the DNS mapping address configured in the nat server command.
Processing flow after dns-map is configured: for DNS reply packets sent from an external DNS server to an internal PC, if the packet contains a domain name defined with the dns-map command, the public address in the packet is replaced with the private address mapped by the nat server command.
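The rewrite described above, as an added example that is not the router's code: it parses a constructed DNS response, and for A answers whose name is in the dns-map table and whose address is a nat server global address, it substitutes the inside address. The tables mirror the page's configuration; "61.0.0.94" is a placeholder for the redacted 61.x.x.94 address, and build_response() is a helper that constructs the sample reply.

```python
import struct
import socket

# Tables mirroring the page's config (example only; "61.0.0.94" stands in for the redacted 61.x.x.94).
DNS_MAP = {"www.zjb.org.cn", "ftp.zjb.org.cn", "smtp.zjb.org.cn", "pop.zjb.org.cn"}
NAT_SERVER = {"61.0.0.94": "192.168.100.10"}   # nat server global -> inside

def read_name(msg, off):
    """Decode a DNS name (handles compression pointers); return (name, offset after the name)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                # 2-byte compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def rewrite_response(msg):
    """Return a copy of a DNS response with A answers for dns-map names translated global -> inside."""
    out = bytearray(msg)
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):                     # skip the question section
        _, off = read_name(msg, off)
        off += 4                                 # QTYPE + QCLASS
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4 and name in DNS_MAP:
            inside = NAT_SERVER.get(socket.inet_ntoa(msg[off:off + 4]))
            if inside:                           # only rewrite the mapped global address
                out[off:off + 4] = socket.inet_aton(inside)
        off += rdlen
    return bytes(out)

def build_response(name, addr):
    """Constructed sample reply: one question plus one A answer using a 0xC00C pointer to the question name."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(addr)
    return header + qname + struct.pack("!HH", 1, 1) + answer
```

Only the answer's RDATA changes; the header, question and TTL are left intact, so a response for a name not in DNS_MAP, or for an address with no nat server mapping, passes through unmodified.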
Reference configuration
#
 sysname AR28-40
#
 nat dns-map www.zjb.org.cn 61.×.×.94 80 tcp
 nat dns-map ftp.zjb.org.cn 61.×.×.94 21 tcp
 nat dns-map smtp.zjb.org.cn 61.×.×.94 25 tcp
 nat dns-map pop.zjb.org.cn 61.×.×.94 110 tcp
#
radius scheme system
#
domain system
#
local-user admin
 password cipher .]@USE=B,53Q=^Q`MAF4<1!!
 service-type telnet terminal
 level 3
 service-type ftp
#
acl number 3000
 rule 0 permit ip source 192.168.0.100 0.0.0.255
 rule 1 permit ip source 192.168.100.0 0.0.0.255
#
interface Aux0
 async mode flow
#
interface Ethernet1/0
 ip address 192.168.254.253 255.255.255.252
#
interface Ethernet1/1
 ip address 61.×.×.94 255.255.255.252
 nat outbound 3000
 nat server protocol tcp global 61.×.×.94 www inside 192.168.100.10 www
 nat server protocol tcp global 61.×.×.94 smtp inside 192.168.100.10 smtp
 nat server protocol tcp global 61.×.×.94 pop3 inside 192.168.100.10 pop3
 nat server protocol tcp global 61.×.×.94 4899 inside 192.168.100.10 4899
 nat server protocol tcp global 61.×.×.94 8080 inside 192.168.100.10 8080
 nat server protocol tcp global 61.×.×.94 ftp inside 192.3.1.111 ftp
 nat server protocol tcp global 61.×.×.94 domain inside 192.168.100.10 domain
 nat server protocol udp global 61.×.×.94 dns inside 192.168.100.10 dns
#
interface NULL0
#
 ip route-static 0.0.0.0 0.0.0.0 61.130.5.93 preference 60
 ip route-static 192.0.0.0 255.0.0.0 192.254.254.254 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
 user privilege level 3
 set authentication password simple huaweiar28
#
return