内外网通过公网IP访问DMZ主机

需求：

 公司DMZ区域Web服务器对内外提供Web服务，要求必须内外网使用公网IP访问，这样做到内外网透明；

   准备：

   防火墙外网接口IP 2.2.2.2/29，内网接口IP 10.2.255.253/24，DMZ接口IP 10.1.100.1/24

   Web Server IP 10.1.100.87/24，映射公网IP 2.2.2.3

   交换机IP 10.2.255.254

   内网网段10.2.0.0/16

H3C防火墙配置如下

acl number 2000

 rule 2 permit source 10.2.0 0.0.255.255

#               

vlan 255

#

interface Vlan-interface255

 nat server protocol tcp global 2.2.2.3 22 inside 10.1.100.87 80

  ip address 10.2.255.253 255.255.255.0

#

interface GigabitEthernet0/2

 port link-mode route

 ip address 10.1.100.1 255.255.255.0

#

interface GigabitEthernet0/4

 port link-mode route

 description To Wan

 nat outbound static

 nat outbound 2000

 ip address 2.2.2.2 255.255.255.248

 undo dhcp select server global-pool

 ipsec policy ipsecpolicy1

#

#

zone name Local id 1

 priority 100

zone name Trust id 2

 priority 85

 import interface Vlan-interface255

zone name DMZ id 3

 priority 50

 import interface GigabitEthernet0/2

zone name Untrust id 4

 priority 5

 import interface GigabitEthernet0/4

转载于:https://blog.51cto.com/yanhuan/1878449