The diagram above shows the company's network topology; the UTM product in the diagram is a Dell SonicWALL TZ 215. The company wants the web service on the host 192.168.1.253 to be reachable from the internet, which a NAT mapping provides. The steps are as follows:
Create an address object (Address Object)
⑴、Select Network->Address Objects
⑵、Click the Add button and add a private LAN address for the server:
Name: Webster Private
Zone Assignment: LAN
Type: Host
IP Address: 192.168.1.151
⑶、Click OK to finish adding the address object
Create a service object (Service Object)
⑴、Select Network->Services
⑵、Click the Add button and add a port for the server:
Name: HTTP 8000
Protocol: TCP(6)
Port Range: 8000 - 8000
Sub Type: None
⑶、Click the Add button to finish the configuration
Note: the system has built-in service objects for common ports such as FTP, HTTP, HTTPS, SSH and Telnet, so these do not need to be created.
Create a NAT policy (NAT Policy)
⑴、Select Network->NAT Policies
⑵、Click the Add button and configure the policy as follows:
Original Source: Any
Translated Source: Original
Original Destination: WAN Primary IP
Translated Destination: Webster Private
Original Service: HTTP 8000
Translated Service: Original
Inbound Interface: X1
Outbound Interface: Any
⑶、Click the Add button to finish the configuration
Change the firewall's HTTP/HTTPS/SSH management ports
The firewall uses ports 80 and 443 for its web management interface, so if you intend to forward ports 80/443 you must change the system's management ports to avoid a conflict.
⑴、Select System->Administration
⑵、Change the HTTP Port and HTTPS Port under Web Management Settings
Create a loopback NAT policy (Loopback)
If hosts in another internal zone should reach the server through the public IP address 1.1.1.1, add a Loopback Policy:
Original Source: Firewalled Subnets
Translated Source: WAN Primary IP
Original Destination: WAN Primary IP
Translated Destination: Webster Private
Original Service: HTTP 8000
Translated Service: Original
Inbound Interface: X0
Outbound Interface: Any
Comment: Loopback policy
Create an access rule (Access Rule)
⑴、Select Firewall->Access Rules
⑵、In the View style area, select the WAN-to-LAN access rules
⑶、Click the Add button and create an access rule:
Action: Allow
From Zone: WAN
To Zone: LAN
Service: HTTP 8000
Source: Any
Destination: ALL X1 Management IP
Users Allowed: All
Schedule: Always on
√ Enable Logging
√ Allow Fragmented Packets
⑷、Click OK to finish the configuration
After these six steps, a request to http://121.8.135.226:8000 is forwarded by the SonicWALL to port 8000 on 192.168.1.253. Likewise, to forward requests to port 8080 on the internal host, enter HTTP 8080 as the Translated Service when configuring the NAT policy:
Original Service: HTTP 8000
Translated Service: HTTP 8080
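The following Python model is added here as an illustration; it is not part of the original post and not SonicOS code. It walks packets through the post's two NAT policies (the inbound port forward on X1 and the loopback policy on X0) and the WAN-to-LAN access rule, and also covers the 8000-to-8080 Translated Service variant from the last step, so one block serves both the loopback section and the closing step. It takes the post's values (the "Webster Private" object as 192.168.1.151, which is what the address object step specifies, and 121.8.135.226 as the WAN Primary IP) and uses constructed client addresses. The zone defaults (LAN-to-LAN allowed, traffic arriving from the WAN dropped unless a rule allows it) and the fact that the access rule is matched against the pre-NAT public destination, which is why the post points the rule at the X1 management IP, are modelling assumptions, not statements from the post.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed values standing in for the objects named in the post.
WAN_PRIMARY_IP = "121.8.135.226"    # X1 (WAN) address from the post's final step
WEBSTER_PRIVATE = "192.168.1.151"   # the "Webster Private" address object
LAN_PREFIX = "192.168.1."           # stands in for the "Firewalled Subnets" object
ZONE_OF_IFACE = {"X1": "WAN", "X0": "LAN"}   # interface-to-zone mapping (assumed)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int      # TCP only; every service in the post is TCP
    in_iface: str      # "X1" for WAN arrivals, "X0" for LAN arrivals


@dataclass(frozen=True)
class NatPolicy:
    original_source: str                # "Any" or "Firewalled Subnets"
    translated_source: str              # "Original" or "WAN Primary IP"
    original_service: int               # port of the Original Service object
    translated_service: Optional[int]   # None means "Original"
    inbound_interface: str
    comment: str = ""


@dataclass(frozen=True)
class AccessRule:
    from_zone: str
    to_zone: str
    service_port: int   # matched against the pre-NAT destination port
    destination: str    # matched against the pre-NAT destination IP
    action: str         # "Allow" or "Deny"


def _source_matches(selector: str, ip: str) -> bool:
    if selector == "Any":
        return True
    if selector == "Firewalled Subnets":
        return ip.startswith(LAN_PREFIX)
    raise ValueError(f"unknown source object {selector!r}")


def apply_nat(pkt: Packet, policies: List[NatPolicy]) -> Tuple[Packet, Optional[NatPolicy]]:
    """Apply the first matching policy; both policies in the post translate the
    destination to Webster Private. Returns the packet unchanged if none matches."""
    for pol in policies:
        if pol.inbound_interface != pkt.in_iface:
            continue
        if pkt.dst_ip != WAN_PRIMARY_IP or pkt.dst_port != pol.original_service:
            continue
        if not _source_matches(pol.original_source, pkt.src_ip):
            continue
        new_src = WAN_PRIMARY_IP if pol.translated_source == "WAN Primary IP" else pkt.src_ip
        new_port = pkt.dst_port if pol.translated_service is None else pol.translated_service
        return Packet(new_src, WEBSTER_PRIVATE, new_port, pkt.in_iface), pol
    return pkt, None


def access_allowed(original: Packet, translated: Packet, rules: List[AccessRule]) -> bool:
    """Zone check on the pre-NAT packet. Assumed defaults: LAN->LAN is allowed,
    anything arriving from the WAN is dropped unless a rule allows it."""
    from_zone = ZONE_OF_IFACE[original.in_iface]
    to_zone = "LAN" if translated.dst_ip.startswith(LAN_PREFIX) else "WAN"
    for rule in rules:
        if ((rule.from_zone, rule.to_zone) == (from_zone, to_zone)
                and rule.service_port == original.dst_port
                and rule.destination == original.dst_ip):
            return rule.action == "Allow"
    return from_zone == to_zone == "LAN"


def forward(pkt: Packet, policies: List[NatPolicy],
            rules: List[AccessRule]) -> Optional[Tuple[str, str, int]]:
    """(src_ip, dst_ip, dst_port) as seen by the server, or None if the firewall drops it."""
    translated, _ = apply_nat(pkt, policies)
    if not access_allowed(pkt, translated, rules):
        return None
    return translated.src_ip, translated.dst_ip, translated.dst_port


# The two NAT policies and the access rule from the post.
POLICIES = [
    NatPolicy("Any", "Original", 8000, None, "X1", "inbound port forward"),
    NatPolicy("Firewalled Subnets", "WAN Primary IP", 8000, None, "X0", "Loopback policy"),
]
RULES = [AccessRule("WAN", "LAN", 8000, WAN_PRIMARY_IP, "Allow")]

# Variant from the post's last step: public port 8000, server listening on 8080.
POLICIES_8080 = [NatPolicy("Any", "Original", 8000, 8080, "X1")]

if __name__ == "__main__":
    internet = Packet("203.0.113.5", WAN_PRIMARY_IP, 8000, "X1")   # constructed client
    lan_host = Packet("192.168.1.20", WAN_PRIMARY_IP, 8000, "X0")  # constructed LAN host
    print(forward(internet, POLICIES, RULES))   # ('203.0.113.5', '192.168.1.151', 8000)
    print(forward(lan_host, POLICIES, RULES))   # ('121.8.135.226', '192.168.1.151', 8000)
    print(forward(Packet("203.0.113.5", WAN_PRIMARY_IP, 8080, "X1"), POLICIES, RULES))  # None
    print(forward(internet, POLICIES_8080, RULES))  # ('203.0.113.5', '192.168.1.151', 8080)
```

The loopback case shows why the post sets Translated Source to WAN Primary IP: the server sees the request as coming from the firewall, so its reply goes back through the firewall instead of directly to the LAN client, which would otherwise break the connection. The third case shows that a port with no NAT policy and no rule is simply dropped, and that the access rule alone (port 8000) does not open port 8080.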
Source: oschina
Link: https://my.oschina.net/u/937910/blog/195185