Requirement:

 The web server in the company's DMZ provides web service to both the internal and external networks. Internal and external clients must both reach it through its public IP, so that access is transparent regardless of which side the client is on.


[Figure 1: internal and external networks accessing the DMZ host through its public IP]


   Preparation:

   Firewall WAN interface IP 2.2.2.2/29, LAN interface IP 10.2.255.253/24, DMZ interface IP 10.1.100.1/24

   Web server IP 10.1.100.87/24, mapped to public IP 2.2.2.3

   Switch IP 10.2.255.254

   Internal network segment 10.2.0.0/16

The H3C firewall configuration is as follows:

acl number 2000
 rule 2 permit source 10.2.0.0 0.0.255.255
#
vlan 255
#
interface Vlan-interface255
 nat server protocol tcp global 2.2.2.3 22 inside 10.1.100.87 80
 ip address 10.2.255.253 255.255.255.0
#
interface GigabitEthernet0/2
 port link-mode route
 ip address 10.1.100.1 255.255.255.0
#
interface GigabitEthernet0/4
 port link-mode route
 description To Wan
 nat outbound static
 nat outbound 2000
 ip address 2.2.2.2 255.255.255.248
 undo dhcp select server global-pool
 ipsec policy ipsecpolicy1
#
zone name Local id 1
 priority 100
zone name Trust id 2
 priority 85
 import interface Vlan-interface255
zone name DMZ id 3
 priority 50
 import interface GigabitEthernet0/2
zone name Untrust id 4
 priority 5
 import interface GigabitEthernet0/4
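As an added illustration (not part of the original post and not H3C code), the following Python model parses the nat server and ACL lines above and answers two questions a reviewer of this config would ask: which interface actually performs the 2.2.2.3:22 to 10.1.100.87:80 translation, and which sources ACL 2000 lets through for outbound NAT. It assumes a nat server only applies on the interface it is configured under, and reads the "source 10.2.0" rule as the 10.2.0.0/16 segment named in the preparation section.

```python
import ipaddress

# Constructed copy of the relevant lines of the config on this page; assumption:
# "source 10.2.0 ..." is the 10.2.0.0/16 segment named in the requirements.
CONFIG = """
acl number 2000
 rule 2 permit source 10.2.0.0 0.0.255.255
interface Vlan-interface255
 nat server protocol tcp global 2.2.2.3 22 inside 10.1.100.87 80
interface GigabitEthernet0/4
 nat outbound 2000
"""

def parse(text):
    """Return (nat_servers, acls): nat_servers maps interface name to a list of
    (global_ip, global_port, inside_ip, inside_port); acls maps ACL number to permit rules."""
    nat_servers, acls = {}, {}
    iface = acl = None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "interface":
            iface, acl = t[1], None
        elif t[:2] == ["acl", "number"]:
            acl, iface = int(t[2]), None
        elif t[:4] == ["nat", "server", "protocol", "tcp"] and iface:
            # nat server protocol tcp global <gip> <gport> inside <iip> <iport>
            nat_servers.setdefault(iface, []).append((t[5], int(t[6]), t[8], int(t[9])))
        elif t[0] == "rule" and "permit" in t and "source" in t and acl is not None:
            i = t.index("source")
            acls.setdefault(acl, []).append((t[i + 1], t[i + 2]))
    return nat_servers, acls

def wildcard_match(ip, address, wildcard):
    """H3C-style wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) ^ int(ipaddress.IPv4Address(address))) & care == 0

def acl_permits(acls, number, src_ip):
    """True if src_ip hits a permit rule of the ACL (no matching rule -> implicit deny)."""
    return any(wildcard_match(src_ip, a, w) for a, w in acls.get(number, []))

def nat_server_lookup(nat_servers, in_iface, dst_ip, dst_port):
    """Destination translation for a TCP packet arriving on in_iface, or None."""
    for gip, gport, iip, iport in nat_servers.get(in_iface, []):
        if (gip, gport) == (dst_ip, dst_port):
            return iip, iport
    return None

NAT_SERVERS, ACLS = parse(CONFIG)
```

Running the lookups shows that, in the config as shown, a packet from an internal host to 2.2.2.3:22 arriving on Vlan-interface255 is translated to 10.1.100.87:80, while the same packet arriving on GigabitEthernet0/4 matches no nat server entry on that interface; checking this before going live is the quickest way to confirm that both the internal and the external path are really covered.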