1. Firewall source NAT configuration
Configure the security zones and assign interfaces to them
[FW1]firewall zone trust
[FW1-zone-trust]add interface g1/0/1
[FW1]firewall zone untrust
[FW1-zone-untrust]add interface g1/0/4
[FW1]firewall zone dmz
[FW1-zone-dmz]add interface g1/0/0
Configure the inter-zone forwarding policy from trust to untrust (the security policy is what actually allows the traffic; NAT alone does not permit anything)
[FW1]security-policy
[FW1-policy-security]rule name policy_sec
[FW1-policy-security-rule-policy_sec]source-zone trust
[FW1-policy-security-rule-policy_sec]destination-zone untrust
[FW1-policy-security-rule-policy_sec]action permit
Configure the NAT address pool and its address range (public addresses used for the translated source)
[FW1]nat address-group natpool
[FW1-address-group-natpool]section 2.2.2.2 2.2.2.5
Configure the NAT policy that binds the trust-to-untrust flow to the address pool
[FW1]nat-policy
[FW1-policy-nat]rule name source_nat
[FW1-policy-nat-rule-source_nat]destination-zone untrust
[FW1-policy-nat-rule-source_nat]source-zone trust
[FW1-policy-nat-rule-source_nat]action source-nat address-group natpool
Verify by pinging PC2 from PC1
Check the NAT translation in the firewall session table (the source address of the session should be an address from natpool)
2. Configure source NAT for the NAT server (bidirectional NAT)
Configure the security policy from untrust to the DMZ, restricted to the FTP service only
[FW1]security-policy
[FW1-policy-security]rule name bidirectional_nat
[FW1-policy-security-rule-bidirectional_nat]source-zone untrust
[FW1-policy-security-rule-bidirectional_nat]destination-zone dmz
[FW1-policy-security-rule-bidirectional_nat]action permit
[FW1-policy-security-rule-bidirectional_nat]service ftp
Configure the NAT server (static mapping of the global address 40.1.1.2 FTP port to the inside server 10.1.1.100)
[FW1]nat server ftpserver protocol tcp global 40.1.1.2 ftp inside 10.1.1.100 ftp
Configure the second NAT address pool (DMZ-side addresses used as the translated client source)
[FW1]nat address-group natpool2
[FW1-address-group-natpool2]section 10.1.1.10 10.1.1.20
Enable the NAT ALG between the DMZ and untrust zones so that the server can provide FTP service externally. FTP carries IP addresses and ports inside the control channel (PORT/PASV), so the firewall must rewrite those too, not only the packet headers. This is already enabled globally by default and can be omitted.
[FW1]firewall interzone dmz untrust
[FW1-interzone-dmz-untrust]detect ftp
Configure the NAT policy between the untrust and DMZ zones, limit it to the source address range, and bind address pool 2
[FW1]nat-policy
[FW1-policy-nat]rule name bidirectional_nat
[FW1-policy-nat-rule-bidirectional_nat]destination-zone dmz
[FW1-policy-nat-rule-bidirectional_nat]source-zone untrust
[FW1-policy-nat-rule-bidirectional_nat]source-address 40.1.1.0 24
[FW1-policy-nat-rule-bidirectional_nat]action source-nat address-group natpool2
Check the NAT server mapping state
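To make the order of operations behind both sections concrete (NAT server destination translation first, then the security-policy lookup on the real DMZ address, then source translation from the bound address group, then the session entry that untranslates the reply), here is a small Python model of FW1 as configured above. It is an added example, not Huawei code or output from the lab. The trust prefix 192.168.1.0/24, the pool selection by hashing the source address, and the PAT port counter are assumptions; the zone pairs, rule services, pools and the ftpserver mapping are taken from the page. The inbound flow shows why source NAT is applied on top of the NAT server: the FTP server sees a client address from natpool2 on its own subnet, so its replies return through the firewall without the server needing a route to the untrust network.

```python
import ipaddress
from dataclasses import dataclass, replace as dc_replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# Zone membership by prefix. The page only assigns interfaces to zones, so the
# prefixes are assumptions: 10.1.1.0/24 is the DMZ (it holds 10.1.1.100 and
# natpool2), 192.168.1.0/24 is a guessed trust LAN, everything else is untrust.
ZONES = [
    ("dmz", ipaddress.ip_network("10.1.1.0/24")),
    ("trust", ipaddress.ip_network("192.168.1.0/24")),  # assumed
]


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES:
        if addr in net:
            return name
    return "untrust"


class AddressGroup:
    """One 'nat address-group' with a single 'section first last' and PAT ports."""

    def __init__(self, first: str, last: str):
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        self.addrs = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        self.next_port = {a: 1024 for a in self.addrs}

    def allocate(self, src_ip: str):
        # Simplification: pool address chosen by hashing the original source.
        # The real USG selection algorithm differs; the many-to-few mapping
        # plus a fresh port per session is what matters here.
        addr = self.addrs[int(ipaddress.ip_address(src_ip)) % len(self.addrs)]
        port = self.next_port[addr]
        self.next_port[addr] += 1
        return addr, port


class Firewall:
    """FW1 as configured on this page: zones, security-policy, nat server, nat-policy."""

    def __init__(self):
        # security-policy rules: (source-zone, destination-zone, service or None = any)
        self.security_policy = [
            ("trust", "untrust", None),       # rule policy_sec
            ("untrust", "dmz", ("tcp", 21)),  # rule bidirectional_nat, service ftp
        ]
        # nat server ftpserver: (proto, global ip, global port) -> (inside ip, inside port)
        self.nat_server = {("tcp", "40.1.1.2", 21): ("10.1.1.100", 21)}
        # nat-policy rules: (source-zone, destination-zone, source-address or None, pool)
        self.nat_policy = [
            ("trust", "untrust", None, AddressGroup("2.2.2.2", "2.2.2.5")),
            ("untrust", "dmz", ipaddress.ip_network("40.1.1.0/24"),
             AddressGroup("10.1.1.10", "10.1.1.20")),
        ]
        self.sessions = {}  # key built from the translated packet -> original packet

    def forward(self, pkt: Packet):
        """Process a first packet; return the translated packet or None if dropped."""
        orig = pkt
        # 1. NAT server (destination translation) runs before the policy lookup,
        #    so the security policy matches on the real DMZ address and zone.
        inside = self.nat_server.get((pkt.proto, pkt.dst, pkt.dport))
        if inside:
            pkt = dc_replace(pkt, dst=inside[0], dport=inside[1])
        szone, dzone = zone_of(pkt.src), zone_of(pkt.dst)
        # 2. security-policy: first match wins, the implicit default is deny.
        if not any(sz == szone and dz == dzone and (svc is None or svc == (pkt.proto, pkt.dport))
                   for sz, dz, svc in self.security_policy):
            return None
        # 3. nat-policy: source translation from the bound address group.
        out = pkt
        for sz, dz, srcnet, pool in self.nat_policy:
            if sz == szone and dz == dzone and (srcnet is None or ipaddress.ip_address(pkt.src) in srcnet):
                new_ip, new_port = pool.allocate(pkt.src)
                out = dc_replace(pkt, src=new_ip, sport=new_port)
                break
        # 4. Session entry so the reply can be untranslated on the way back.
        self.sessions[(out.proto, out.dst, out.dport, out.src, out.sport)] = orig
        return out

    def reply(self, pkt: Packet):
        """Untranslate a reply from the inside host; None if no session matches."""
        orig = self.sessions.get((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None
        return Packet(pkt.proto, orig.dst, orig.dport, orig.src, orig.sport)


if __name__ == "__main__":
    fw = Firewall()
    print(fw.forward(Packet("tcp", "192.168.1.10", 40000, "8.8.8.8", 80)))  # PC1 -> untrust via natpool
    out = fw.forward(Packet("tcp", "40.1.1.50", 50000, "40.1.1.2", 21))   # untrust client -> ftpserver
    print(out, fw.reply(Packet("tcp", "10.1.1.100", 21, out.src, out.sport)))
    print(fw.forward(Packet("tcp", "40.1.1.50", 50001, "40.1.1.2", 80)))   # no mapping, no policy: dropped
```

Two checks worth running against the model (and against the real box): a request to 40.1.1.2 on a port the NAT server does not map is dropped because, after the failed destination lookup, the packet is untrust-to-untrust and no security policy permits it; and a trust host cannot reach the DMZ server directly, since only the untrust-to-dmz FTP rule exists. Both are what the page's configuration implies, not extra rules added here.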