Requirement scenario: access to an internal server from the external Internet
A small-office environment uses a Fortinet firewall as the egress gateway to the Internet; the internal server uses the private address 10.1.1.1 and exposes the Remote Desktop service (port 3389).
To let maintenance staff reach the internal server over Remote Desktop from the Internet, port 3389 of the internal server 10.1.1.1 must be mapped to the Internet; the mapped address is the ISP-assigned public address 20.0.0.10.
To raise the security level, the well-known port 3389 is published externally on a custom port, 8389.
The key configuration is as follows:
fwa # show
config system global
    set hostname "fwa"
end
config system interface
    edit "port1"
        set ip 10.1.1.254 255.255.255.0
        set allowaccess ping https telnet
    next
    edit "port2"
        set ip 20.0.0.1 255.255.255.0
        set allowaccess ping https snmp http telnet fgfm
    next
end
config firewall address
    edit "inuser"
        set subnet 10.1.1.0 255.255.255.0
    next
end
config firewall ippool
    edit "snat_pool"
        set startip 20.0.0.2
        set endip 20.0.0.2
    next
end
config firewall vip
    edit "rdp8389"
        set extip 20.0.0.10
        set extintf "port2"
        set portforward enable
        set mappedip 10.1.1.1
        set extport 8389
        set mappedport 3389
    next
end
config firewall policy
    edit 10
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "inuser"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "snat_pool"
    next
    edit 11
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "rdp8389"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
config router static
    edit 10
        set device "port2"
        set gateway 20.0.0.100
    next
end
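As an added illustration (not part of the original page and not a Fortinet tool), the following Python script parses the VIP and policy sections of the configuration above and reports what a reviewer would check before publishing a port forward: that the VIP restricts forwarding to a single port, that the public port differs from the well-known one, and that the inbound policy does not accept the forward from every source. The parser, the audit rules and SAMPLE_CONFIG (a copy of the page's own VIP and policy blocks) are this example's own constructs.

```python
from typing import Dict, List, Tuple

# Constructed excerpt of the page's own VIP and policy configuration, used as
# sample input for the audit below (interface, address and route sections are
# left out because the checks do not need them).
SAMPLE_CONFIG = """\
config firewall vip
    edit "rdp8389"
        set extip 20.0.0.10
        set extintf "port2"
        set portforward enable
        set mappedip 10.1.1.1
        set extport 8389
        set mappedport 3389
    next
end
config firewall policy
    edit 10
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "inuser"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "snat_pool"
    next
    edit 11
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "rdp8389"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
"""

Config = Dict[str, Dict[str, Dict[str, List[str]]]]


def parse_fortios(text: str) -> Config:
    """Parse the flat config/edit/set/next/end structure of a FortiOS CLI dump
    into {section: {entry: {key: [values]}}}. Quoted values lose their quotes."""
    sections: Config = {}
    section = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
            sections.setdefault(section, {})
        elif line.startswith("edit ") and section is not None:
            entry = line[len("edit "):].strip().strip('"')
            sections[section][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, rest = line[len("set "):].partition(" ")
            sections[section][entry][key] = [v.strip('"') for v in rest.split()]
        elif line == "next":
            entry = None
        elif line == "end":
            section = None
    return sections


def describe_forward(vip: Dict[str, List[str]]) -> str:
    """Readable view of a port-forward VIP: public ip:port -> mapped ip:port."""
    return (f"{vip['extip'][0]}:{vip['extport'][0]} -> "
            f"{vip['mappedip'][0]}:{vip['mappedport'][0]}")


def audit_vip_policies(cfg: Config) -> List[Tuple[str, str]]:
    """Findings (policy id, message) for inbound policies whose dstaddr is a VIP."""
    vips = cfg.get("firewall vip", {})
    findings: List[Tuple[str, str]] = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        for dst in pol.get("dstaddr", []):
            vip = vips.get(dst)
            if vip is None:
                continue  # ordinary address object, nothing to check here
            forwarding = vip.get("portforward", ["disable"])[0] == "enable"
            if not forwarding:
                label = f"VIP {dst} ({vip['extip'][0]})"
                findings.append((pid, f"{label} forwards every port to "
                                      f"{vip['mappedip'][0]}"))
            else:
                label = describe_forward(vip)
                if vip.get("extport") == vip.get("mappedport"):
                    findings.append((pid, f"{label} publishes the well-known "
                                          f"port {vip['mappedport'][0]} unchanged"))
            if pol.get("srcaddr") == ["all"]:
                findings.append((pid, f"{label} is reachable from any source; "
                                      "restrict srcaddr to maintenance addresses"))
    return findings


if __name__ == "__main__":
    for pid, msg in audit_vip_policies(parse_fortios(SAMPLE_CONFIG)):
        print(f"policy {pid}: {msg}")
```

Run against the page's configuration, the audit reports a single finding, for policy 11: the forward 20.0.0.10:8389 -> 10.1.1.1:3389 is accepted from srcaddr "all". Moving the public port to 8389 keeps automated scans for 3389 away, but it is not access control; narrowing srcaddr to the maintenance staff's source addresses is what actually limits exposure of the RDP service.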
Verification: from a device on the external Internet (a PC or router), test with the command telnet 20.0.0.10 8389.
On firewall fwa, use the get system session list command to view the port-mapping translation entries.
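To make the verification step repeatable, here is an added Python example (not part of the original page) that parses the output of get system session list and confirms the translation the page expects, 20.0.0.10:8389 to 10.1.1.1:3389, while also listing any session that reached the public address on a different port. SAMPLE_SESSIONS is a constructed sample in the command's column layout, not real firewall output; the Session class and the helper functions are this example's own.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the column layout of "get system session list" (not real
# firewall output): one inbound RDP session through the VIP, one outbound session
# translated by snat_pool, and one DNS query from the firewall itself.
SAMPLE_SESSIONS = """\
PROTO   EXPIRE SOURCE              SOURCE-NAT      DESTINATION      DESTINATION-NAT
tcp     3599   198.51.100.7:51234  -               20.0.0.10:8389   10.1.1.1:3389
tcp     120    10.1.1.20:50012     20.0.0.2:50012  203.0.113.9:443  -
udp     180    10.1.1.254:45000    -               20.0.0.100:53    -
"""


@dataclass
class Session:
    proto: str
    expire: int
    src: str
    snat: Optional[str]   # None when the column shows "-"
    dst: str
    dnat: Optional[str]   # None when the column shows "-"


def parse_sessions(text: str) -> List[Session]:
    """Turn the six-column session table into Session records; skips the header
    and any blank or partial line."""
    sessions: List[Session] = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) != 6:
            continue
        proto, expire, src, snat, dst, dnat = cols
        sessions.append(Session(proto, int(expire), src,
                                None if snat == "-" else snat,
                                dst, None if dnat == "-" else dnat))
    return sessions


def find_forward(sessions: List[Session], extip: str, extport: int,
                 mappedip: str, mappedport: int) -> List[Session]:
    """Sessions that hit the VIP ip:port and were translated to the mapped server;
    a non-empty result confirms the telnet test traversed the port forward."""
    return [s for s in sessions
            if s.dst == f"{extip}:{extport}" and s.dnat == f"{mappedip}:{mappedport}"]


def other_inbound(sessions: List[Session], extip: str, extport: int) -> List[Session]:
    """Sessions to the public VIP address on any port other than the published one;
    anything here means more than the intended port is being translated."""
    return [s for s in sessions
            if s.dst.rsplit(":", 1)[0] == extip and s.dst != f"{extip}:{extport}"]


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_SESSIONS)
    for s in find_forward(sessions, "20.0.0.10", 8389, "10.1.1.1", 3389):
        print(f"forward confirmed: {s.src} -> {s.dst} translated to {s.dnat}")
    for s in other_inbound(sessions, "20.0.0.10", 8389):
        print(f"unexpected inbound translation: {s.src} -> {s.dst} -> {s.dnat}")
```

With the telnet test from the page in progress, find_forward returns the inbound session whose DESTINATION is 20.0.0.10:8389 and DESTINATION-NAT is 10.1.1.1:3389; the second row shows the outbound SNAT to 20.0.0.2 from snat_pool, which is a separate translation and is not reported by either check.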