The FTP server is located in the DMZ security zone, on the 10.1.1.0/24 network segment, and must be reachable by external users. The external network is located in the Untrust security zone.
Requirements:
The FTP server's internal IP address is 10.1.1.2; its publicly advertised address is 200.1.1.10, and the externally published port is the default.
No route to the public IP address needs to be configured on the FTP server.
Figure 1 Network diagram for NAT configuration in the inbound direction
[USG5300] interface GigabitEthernet 0/0/0
[USG5300-GigabitEthernet0/0/0] ip address 10.1.1.1 24
[USG5300] interface GigabitEthernet 0/0/1
[USG5300-GigabitEthernet0/0/1] ip address 200.1.1.1 24
[USG5300] firewall zone dmz
[USG5300-zone-dmz] add interface GigabitEthernet 0/0/0
[USG5300] firewall zone untrust
[USG5300-zone-untrust] add interface GigabitEthernet 0/0/1
[USG5300] nat server global 200.1.1.10 inside 10.1.1.2
[USG5300] nat address-group 1 10.1.1.5 10.1.1.50
[USG5300] policy interzone dmz untrust inbound
[USG5300-policy-interzone-dmz-untrust-inbound] policy 1
[USG5300-policy-interzone-dmz-untrust-inbound-1] policy source 200.1.1.0 0.0.0.255
[USG5300-policy-interzone-dmz-untrust-inbound-1] action permit
[USG5300] nat-policy interzone dmz untrust inbound
[USG5300-nat-policy-interzone-dmz-untrust-inbound] policy 1
[USG5300-nat-policy-interzone-dmz-untrust-inbound-1] policy source 200.1.1.0 0.0.0.255
[USG5300-nat-policy-interzone-dmz-untrust-inbound-1] action source-nat
[USG5300-nat-policy-interzone-dmz-untrust-inbound-1] address-group 1
[USG5300] firewall interzone dmz untrust
[USG5300-interzone-dmz-untrust] detect ftp
[USG5300-interzone-dmz-untrust] quit
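The following Python model is an added example, not Huawei code and not part of the original configuration guide. It simulates the three inbound steps the configuration above performs on a connection from the Untrust zone to the published FTP address: the nat server mapping (destination NAT 200.1.1.10 to 10.1.1.2), the security policy that permits only 200.1.1.0/24, and the nat-policy source-nat that rewrites the client address to a member of address-group 1 (10.1.1.5 to 10.1.1.50). The last step is what satisfies the requirement that the server needs no route to the public network, because every packet it receives appears to come from its own subnet. The round-robin pool selection, the session table and the function names are assumptions of this simulator; the FTP ASPF behaviour enabled by detect ftp (the data channel) is not modelled.

```python
import ipaddress
from dataclasses import dataclass, replace

# Values taken from the configuration on the page.
NAT_SERVER = {"200.1.1.10": "10.1.1.2"}                      # nat server global ... inside ...
ADDRESS_GROUP_1 = (ipaddress.ip_address("10.1.1.5"),          # nat address-group 1 10.1.1.5 10.1.1.50
                   ipaddress.ip_address("10.1.1.50"))
PERMITTED_SOURCE = ipaddress.ip_network("200.1.1.0/24")        # policy source 200.1.1.0 0.0.0.255
SERVER_SUBNET = ipaddress.ip_network("10.1.1.0/24")            # DMZ segment the server lives on


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int = 40000
    dport: int = 21      # default FTP control port, as required by the page


# Assumed simulator state: a round-robin cursor over the pool and a session table
# mapping the translated (server-side) 5-tuple back to the original client view.
_pool_cursor = 0
_sessions = {}


def pick_pool_address():
    """Round-robin choice from address-group 1 (assumed selection strategy)."""
    global _pool_cursor
    lo, hi = ADDRESS_GROUP_1
    size = int(hi) - int(lo) + 1
    addr = ipaddress.ip_address(int(lo) + _pool_cursor % size)
    _pool_cursor += 1
    return str(addr)


def translate_inbound(pkt):
    """Untrust -> DMZ processing. Returns the packet as the FTP server sees it,
    or None if the firewall drops it."""
    # 1. nat server: only the published address is mapped to the inside host.
    if pkt.dst not in NAT_SERVER:
        return None
    translated = replace(pkt, dst=NAT_SERVER[pkt.dst])
    # 2. security policy interzone dmz untrust inbound: permit 200.1.1.0/24 only.
    if ipaddress.ip_address(pkt.src) not in PERMITTED_SOURCE:
        return None
    # 3. nat-policy source-nat with address-group 1: hide the client behind a DMZ address.
    translated = replace(translated, src=pick_pool_address())
    # Record the session so the reply can be reverse-translated.
    key = (translated.dst, translated.dport, translated.src, translated.sport)
    _sessions[key] = pkt
    return translated


def translate_reply(reply):
    """DMZ -> Untrust processing for the server's reply: undo both translations
    using the session table. Returns None if no matching session exists."""
    key = (reply.src, reply.sport, reply.dst, reply.dport)
    original = _sessions.get(key)
    if original is None:
        return None
    # Reply goes back to the real client from the published address.
    return Packet(src=original.dst, dst=original.src,
                  sport=original.dport, dport=original.sport)


def server_needs_public_route(pkt):
    """True if the server would need a route off its own subnet to answer pkt."""
    return ipaddress.ip_address(pkt.src) not in SERVER_SUBNET


if __name__ == "__main__":
    client = Packet(src="200.1.1.77", dst="200.1.1.10")       # constructed external client
    seen_by_server = translate_inbound(client)
    print("server sees:", seen_by_server)
    print("needs public route:", server_needs_public_route(seen_by_server))
    reply = Packet(src=seen_by_server.dst, dst=seen_by_server.src,
                   sport=seen_by_server.dport, dport=seen_by_server.sport)
    print("client receives:", translate_reply(reply))
```

Running the block shows the client's packet arriving at 10.1.1.2 from an address in 10.1.1.5-10.1.1.50, the server replying within its own subnet, and the firewall restoring 200.1.1.10 as the source toward the real client. A packet from a source outside 200.1.1.0/24, or one aimed at an address with no nat server mapping, is dropped before any source translation happens.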