全局nat里面可以做映射吗，不是在接口下做

2.13.3  外网用户通过外网地址访问内网服务器配置举例

1. 组网需求

某公司内部对外提供Web、FTP和SMTP服务，而且提供两台Web服务器。公司内部网址为10.110.0.0/16。其中，内部FTP服务器地址为10.110.10.3/16，内部Web服务器1的IP地址为10.110.10.1/16，内部Web服务器2的IP地址为10.110.10.2/16，内部SMTP服务器IP地址为10.110.10.4/16。公司拥有202.38.1.1至202.38.1.3三个公网IP地址。需要实现如下功能：

·     外部的主机可以访问内部的服务器。

·     选用202.38.1.1作为公司对外提供服务的IP地址，Web服务器2对外采用8080端口。

2. 组网图

图2-5 外网用户通过外网地址访问内网服务器配置组网图

‌

3. 配置步骤

(1)     配置接口IP地址

# 根据组网图中规划的信息，配置各接口的IP地址，具体配置步骤如下。

<Device> system-view

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] ip address 10.110.10.10 16

[Device-GigabitEthernet1/0/1] quit

请参考以上步骤配置其他接口的IP地址，具体配置步骤略。

(2)     将接口加入安全域

# 请根据组网图中规划的信息，将接口加入对应的安全域，具体配置步骤如下。

[Device] security-zone name trust

[Device-security-zone-Trust] import interface gigabitethernet 1/0/1

[Device-security-zone-Trust] quit

[Device] security-zone name untrust

[Device-security-zone-Untrust] import interface gigabitethernet 1/0/2

[Device-security-zone-Untrust] quit

(3)     配置安全策略

# 配置名称为untrust-trust的安全策略，保证Untrust安全域中的Host可以访问Trust安全域中的Server，具体配置步骤如下。

[Device] security-policy ip

[Device-security-policy-ip] rule name untrust-trust

[Device-security-policy-ip-1-untrust-trust] source-zone untrust

[Device-security-policy-ip-1-untrust-trust] destination-zone trust

[Device-security-policy-ip-1-untrust-trust] destination-ip-host 10.110.10.1

[Device-security-policy-ip-1-untrust-trust] destination-ip-host 10.110.10.2

[Device-security-policy-ip-1-untrust-trust] destination-ip-host 10.110.10.3

[Device-security-policy-ip-1-untrust-trust] destination-ip-host 10.110.10.4

[Device-security-policy-ip-1-untrust-trust] action pass

[Device-security-policy-ip-1-untrust-trust] quit

[Device-security-policy-ip] quit

(4)     配置NAT功能

# 配置服务对象组，提供FTP、Web和SMTP服务。

[Device] object-group service service1

[Device-obj-grp-service-service1] service tcp destination eq 21

[Device-obj-grp-service-service1] quit

[Device] object-group service service2

[Device-obj-grp-service-service2] service tcp destination eq 80

[Device-obj-grp-service-service2] quit

[Device] object-group service service3

[Device-obj-grp-service-service3] service tcp destination eq 8080

[Device-obj-grp-service-service3] quit

[Device] object-group service service4

[Device-obj-grp-service-service4] service tcp destination eq 25

[Device-obj-grp-service-service4] quit

# 配置全局NAT规则，允许外网主机访问内网服务器。

[Device] nat global-policy

[Device-nat-global-policy] rule name rule1

[Device-nat-global-policy-rule-rule1] destination-ip host 202.38.1.1

[Device-nat-global-policy-rule-rule1] source-zone untrust

[Device-nat-global-policy-rule-rule1] service service1

[Device-nat-global-policy-rule-rule1] action dnat ip-address 10.110.10.3 local-port 21

[Device-nat-global-policy-rule-rule1] quit

[Device-nat-global-policy] rule name rule2

[Device-nat-global-policy-rule-rule2] destination-ip host 202.38.1.1

[Device-nat-global-policy-rule-rule2] source-zone untrust

[Device-nat-global-policy-rule-rule2] service service2

[Device-nat-global-policy-rule-rule2] action dnat ip-address 10.110.10.1 local-port 80

[Device-nat-global-policy-rule-rule2] quit

[Device-nat-global-policy] rule name rule3

[Device-nat-global-policy-rule-rule3] destination-ip host 202.38.1.1

[Device-nat-global-policy-rule-rule3] source-zone untrust

[Device-nat-global-policy-rule-rule3] service service3

[Device-nat-global-policy-rule-rule3] action dnat ip-address 10.110.10.2 local-port 80

[Device-nat-global-policy-rule-rule3] quit

[Device-nat-global-policy] rule name rule4

[Device-nat-global-policy-rule-rule4] destination-ip host 202.38.1.1

[Device-nat-global-policy-rule-rule4] source-zone untrust

[Device-nat-global-policy-rule-rule4] service service4

[Device-nat-global-policy-rule-rule4] action dnat ip-address 10.110.10.4 local-port 25

[Device-nat-global-policy-rule-rule4] quit

[Device-nat-global-policy] quit