Intranet users accessing internal servers through the public IP address (Huawei DNS-MAP application case)

Network topology: (diagram not reproduced)

Customer requirements:
1. Use an AR28 as the NAT device, running easy NAT, to give the intranet access to the public network.
2. The internal servers must be reachable from the Internet by domain name. The domain is registered and is resolved by public DNS servers to 61.*.*.94, the router's public address (the original text gives 61.*.*.93, which in the configuration below is the upstream next hop rather than the address the nat server entries are bound to).
3. Intranet users must be able to reach the internal servers by the same domain names, exactly as external users do.
Solution and principle:
For this requirement there is now a software version that can implement it: v3.4-0108. This version provides a way for intranet users to reach an internal server through its external domain name, dns-map. The nat dns-map command performs address translation on DNS response packets travelling from the external network into the internal network and, at the same time, replaces the IP address carried in the A-record answers in the packet payload. In other words, while the destination address in the IP header of the DNS response is translated, the domain-name-to-IP mapping inside the packet is rewritten as well. (The figure referenced here is not reproduced.)
The easy NAT and nat server configuration is the same as before; only the dns-map entries are new.
This feature supplements and modifies the existing DNS ALG. The DNS ALG processing flow is: for DNS response packets sent by the internal DNS server toward its upstream DNS server, the addresses in the response are replaced with the DNS mapping address configured by the nat server command, so an external querier only ever sees the public address.
Processing flow once dns-map is configured: for a DNS response sent by an external DNS server to an internal PC, if the domain name carried in the response is one defined with the dns-map command, the public address in the response is replaced with the private address that the nat server command maps it to. The internal PC therefore connects to the server's private address directly, and no traffic has to loop back through the outside interface. Because the rewrite alters A-record data, it only helps clients whose DNS responses actually traverse the router, and a client that validates DNSSEC signatures would reject the modified answer.
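To make the two rewrites concrete, the following added example (not code from the original page, and not Huawei's implementation) models the DNS ALG and the nat dns-map behaviour on raw DNS wire-format messages. It assumes 61.1.1.94 as a stand-in for the page's obfuscated 61.×.×.94, and it assumes that a dns-map entry is resolved to a private address by looking up the nat server entry with the same global address, protocol and port; the DNS messages it processes are constructed in the block.

```python
import socket
import struct

# Placeholder for the page's obfuscated public address 61.x.x.94 (assumption).
GLOBAL_IP = "61.1.1.94"

# nat server entries from the reference configuration, keyed as
# (global_ip, protocol, global_port) -> inside_ip.
NAT_SERVER = {
    (GLOBAL_IP, "tcp", 80): "192.168.100.10",   # www
    (GLOBAL_IP, "tcp", 25): "192.168.100.10",   # smtp
    (GLOBAL_IP, "tcp", 110): "192.168.100.10",  # pop3
    (GLOBAL_IP, "tcp", 21): "192.3.1.111",      # ftp
}

# nat dns-map entries: name -> (global_ip, global_port, protocol).
DNS_MAP = {
    "www.zjb.org.cn": (GLOBAL_IP, 80, "tcp"),
    "ftp.zjb.org.cn": (GLOBAL_IP, 21, "tcp"),
    "smtp.zjb.org.cn": (GLOBAL_IP, 25, "tcp"),
    "pop.zjb.org.cn": (GLOBAL_IP, 110, "tcp"),
}


def _read_name(msg, off):
    """Read a DNS name at msg[off], following RFC 1035 compression pointers.
    Returns (dotted_name, offset just past the name as it appears in place)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if end is not None else off)


def _rewrite_a_records(msg, translate):
    """Walk the answer section and call translate(qname, ip) for every IN A
    record; a non-None return value is spliced into the rdata. A rdata stays
    4 bytes, so the DNS message and UDP lengths do not change."""
    out = bytearray(msg)
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off, qname = 12, None
    for _ in range(qdcount):
        name, off = _read_name(msg, off)
        qname = qname or name
        off += 4                                 # QTYPE + QCLASS
    for _ in range(ancount):
        _, off = _read_name(msg, off)            # owner name, often a pointer
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            new_ip = translate(qname, socket.inet_ntoa(msg[off:off + 4]))
            if new_ip:
                out[off:off + 4] = socket.inet_aton(new_ip)
        off += rdlen
    return bytes(out)


def dns_map_inbound(msg):
    """nat dns-map: response from an external resolver toward an internal PC.
    If the question name is in DNS_MAP and the answer is the mapped global
    address, substitute the inside address of the matching nat server entry."""
    def translate(qname, ip):
        entry = DNS_MAP.get(qname)
        if entry is None or entry[0] != ip:
            return None
        g_ip, g_port, proto = entry
        return NAT_SERVER.get((g_ip, proto, g_port))
    return _rewrite_a_records(msg, translate)


def dns_alg_outbound(msg):
    """Classic DNS ALG: response leaving the internal DNS server. Any A record
    holding the inside address of a nat server entry is rewritten to its global address."""
    inside_to_global = {inside: key[0] for key, inside in NAT_SERVER.items()}
    return _rewrite_a_records(msg, lambda _qname, ip: inside_to_global.get(ip))


def build_response(qname, ip, txid=0x1234):
    """Constructed test input: a minimal DNS response with one question and one
    A answer whose owner name is a compression pointer to the question (0xC00C)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    question = qname_wire + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + answer


def answer_ips(msg):
    """Return the A-record addresses in the answer section (for inspection)."""
    ips = []
    _rewrite_a_records(msg, lambda _q, ip: ips.append(ip))
    return ips


if __name__ == "__main__":
    pc_view = dns_map_inbound(build_response("www.zjb.org.cn", GLOBAL_IP))
    print("internal PC sees", answer_ips(pc_view))   # ['192.168.100.10']
```

A name that is not in the dns-map table, or an answer whose address is not the mapped global address, passes through untouched, which is the behaviour a practitioner should check first when the feature appears not to work.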
Reference configuration (reproduced as taken from the device; note that management access is over Telnet with a VTY password stored in clear text via "simple", and that ACL 3000 rule 0 uses source 192.168.0.100 with wildcard 0.0.0.255, which matches all of 192.168.0.0/24):
#
 sysname AR28-40
#
 nat dns-map www.zjb.org.cn 61.×.×.94 80 tcp
 nat dns-map ftp.zjb.org.cn 61.×.×.94 21 tcp
 nat dns-map smtp.zjb.org.cn 61.×.×.94 25 tcp
 nat dns-map pop.zjb.org.cn 61.×.×.94 110 tcp
#
radius scheme system
#
domain system
#
local-user admin
 password cipher .]@USE=B,53Q=^Q`MAF4<1!!
 service-type telnet terminal
 level 3
 service-type ftp
#
acl number 3000
 rule 0 permit ip source 192.168.0.100 0.0.0.255
 rule 1 permit ip source 192.168.100.0 0.0.0.255
#
interface Aux0
 async mode flow
#
interface Ethernet1/0
 ip address 192.168.254.253 255.255.255.252
#
interface Ethernet1/1
 ip address 61.×.×.94 255.255.255.252
 nat outbound 3000
 nat server protocol tcp global 61.×.×.94 www inside 192.168.100.10 www
 nat server protocol tcp global 61.×.×.94 smtp inside 192.168.100.10 smtp
 nat server protocol tcp global 61.×.×.94 pop3 inside 192.168.100.10 pop3
 nat server protocol tcp global 61.×.×.94 4899 inside 192.168.100.10 4899
 nat server protocol tcp global 61.×.×.94 8080 inside 192.168.100.10 8080
 nat server protocol tcp global 61.×.×.94 ftp inside 192.3.1.111 ftp
 nat server protocol tcp global 61.×.×.94 domain inside 192.168.100.10 domain
 nat server protocol udp global 61.×.×.94 dns inside 192.168.100.10 dns
#
interface NULL0
#
 ip route-static 0.0.0.0 0.0.0.0 61.130.5.93 preference 60
 ip route-static 192.0.0.0 255.0.0.0 192.254.254.254 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
 user privilege level 3
 set authentication password simple huaweiar28
#
return
