本帖最后由 Jeff. 于 2012-7-10 14:54 编辑
解决方案:
问题描述:
在实现Destination NAT的时候,如果需要从内网访问映射后的公网地址,默认会有一些问题,在内网可以ping 通映射地址,但是不能访问服务;
问题分析:
[edit security]
set zones security-zone trust address-book address server-2 192.168.1.200/32
[edit security policies from-zone untrust to-zone trust]
set policy server-access match source-address any destination-address server-2 application any
set policy server-access then permit
[edit security nat destination]
set pool dst-nat-pool-2 address 192.168.1.200 port 8000
set rule-set rs1 from zone untrust
set rule-set rs1 rule r2 match destination-address 1.1.1.101
set rule-set rs1 rule r2 match destination-port 80
set rule-set rs1 rule r2 then destination-nat pool dst-nat-pool-2
[edit security nat]
set proxy-arp interface ge-0/0/2.0 address 1.1.1.101
一般的我们如上配置完设备后,外网用户便可以访问映射地址了,但是如果内网用户访问会有问题,不能通过1.1.1.101访问服务;
原因是内部地址访问1.1.1.101的时候,防火墙不做地址转换,将内网地址路由给目的服务器,服务器会看到这个地址,回包的时候直接把数据包回给这个内网地址,TCP形成一个半连接,故服务不能访问。
解决办法:
来自信任区域的访问也做一次destination nat,需要添加以下命令;
[edit security nat destination]
set rule-set rs1 from zone trust
set rule-set rs1 rule r2 match destination-address 1.1.1.101
set rule-set rs1 rule r2 match destination-port 80
set rule-set rs1 rule r2 then destination-nat pool dst-nat-pool-2
希望能解决你的问题。
|