
Huawei firewall eNSP + VMware virtual machine connectivity lab: NAT server

The VMware virtual host on the internal network runs Windows Server 2008 R2; the host on the external network runs Windows XP.

Goal: hosts on the external network reach the internal web service through an external address. The internal network segment is 192.168.1.0/24 and the server address is 192.168.1.2/24.

Topology diagram

The server and the client are both connected to FW1.

VMware server NIC settings

VMware client NIC settings


1. Configure the interface IP addresses and add the interfaces to their security zones.

2. First switch off the default security policy (set its default action to permit):

security-policy
 default action permit

3. Configure the NAT server policy:

nat server web  protocol tcp global 1.1.1.1 8080 inside 192.168.1.2 www

4. Verify

The client can access the internal server normally.

View the firewall session information:

[FW1]display firewall session table verbose 
 Current Total Sessions : 3
 tcp  VPN: public --> public  ID: c487f69eaaf823062a55c209793
 Zone: untrust --> dmz  TTL: 00:20:00  Left: 00:19:57
 Interface: GigabitEthernet1/0/0  NextHop: 192.168.1.2  MAC: 000c-2924-9304
 <--packets: 2 bytes: 284 --> packets: 4 bytes: 455
 1.1.1.2:1255 --> 1.1.1.1:8080[192.168.1.2:80] PolicyName: default

5. Add a security policy from untrust to dmz and restore the firewall's default security policy:

security-policy
 rule name untrust2dmz
  source-zone untrust
  destination-zone dmz
  destination-address 192.168.1.2 32
  service protocol tcp destination-port 80
  action permit

6. View the session table:

[FW1]dis firewall session table verbose 
 Current Total Sessions : 2
 netbios-name  VPN: public --> public  ID: c487f69eab02210aab55c209286
 Zone: dmz --> dmz  TTL: 00:02:00  Left: 00:01:59
 Interface: GigabitEthernet1/0/0  NextHop: 192.168.1.255  MAC: 0000-0000-0000
 <--packets: 0 bytes: 0 --> packets: 953 bytes: 74,334
 192.168.1.2:137 --> 192.168.1.255:137 PolicyName: ---

 tcp  VPN: public --> public  ID: c487f69eaaf85f0fc8f5c209b41
 Zone: untrust --> dmz  TTL: 00:20:00  Left: 00:19:57
 Interface: GigabitEthernet1/0/0  NextHop: 192.168.1.2  MAC: 000c-2924-9304
 <--packets: 1 bytes: 48 --> packets: 2 bytes: 88
 1.1.1.2:1264 --> 1.1.1.1:8080[192.168.1.2:80] PolicyName: untrust2dmz   // matches this policy
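The two session tables in steps 4 and 6 are what tell you whether the lab actually ended in a safe state: the NAT server mapping must translate 1.1.1.1:8080 to 192.168.1.2:80, and the session must be permitted by the named rule untrust2dmz rather than by the catch-all default action that step 2 set to permit. The following Python script is an added example, not part of the original post or of any Huawei tooling; it parses the `display firewall session table verbose` output shown above (copied into the script as sample input) and flags sessions to the published service that are still relying on the default policy. The regular expressions are written against the output format as it appears on this page and are an assumption for other firmware versions.

```python
"""Parse Huawei USG 'display firewall session table verbose' output and audit
NAT-server sessions.  Added example: the sample text is copied from the lab
page, the parsing/audit logic is the editor's own (not Huawei's)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Step 4 output: default policy temporarily set to permit (copied from the page)
SAMPLE_STEP4 = """\
 Current Total Sessions : 3
 tcp  VPN: public --> public  ID: c487f69eaaf823062a55c209793
 Zone: untrust --> dmz  TTL: 00:20:00  Left: 00:19:57
 Interface: GigabitEthernet1/0/0  NextHop: 192.168.1.2  MAC: 000c-2924-9304
 <--packets: 2 bytes: 284 --> packets: 4 bytes: 455
 1.1.1.2:1255 --> 1.1.1.1:8080[192.168.1.2:80] PolicyName: default
"""

# Step 6 output: named rule in place, default policy restored (copied from the page)
SAMPLE_STEP6 = """\
 Current Total Sessions : 2
 netbios-name  VPN: public --> public  ID: c487f69eab02210aab55c209286
 Zone: dmz --> dmz  TTL: 00:02:00  Left: 00:01:59
 Interface: GigabitEthernet1/0/0  NextHop: 192.168.1.255  MAC: 0000-0000-0000
 <--packets: 0 bytes: 0 --> packets: 953 bytes: 74,334
 192.168.1.2:137 --> 192.168.1.255:137 PolicyName: ---

 tcp  VPN: public --> public  ID: c487f69eaaf85f0fc8f5c209b41
 Zone: untrust --> dmz  TTL: 00:20:00  Left: 00:19:57
 Interface: GigabitEthernet1/0/0  NextHop: 192.168.1.2  MAC: 000c-2924-9304
 <--packets: 1 bytes: 48 --> packets: 2 bytes: 88
 1.1.1.2:1264 --> 1.1.1.1:8080[192.168.1.2:80] PolicyName: untrust2dmz
"""


@dataclass
class Session:
    proto: str
    src_zone: str
    dst_zone: str
    src: str                 # client ip:port
    dst: str                 # destination ip:port as seen before NAT
    nat_dst: Optional[str]   # ip:port after NAT server translation, if shown
    policy: str              # PolicyName column ("default", "---", or a rule name)


# Regexes match the line shapes visible in the sample output (assumption for
# other VRP releases).
COUNT_RE = re.compile(r"Current Total Sessions\s*:\s*(\d+)")
HEADER_RE = re.compile(r"^\s*(\S+)\s+VPN:")           # "tcp  VPN: public --> public ..."
ZONE_RE = re.compile(r"Zone:\s*(\S+)\s*-->\s*(\S+)")  # "Zone: untrust --> dmz ..."
FLOW_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+:\d+)\s*-->\s*(\d+\.\d+\.\d+\.\d+:\d+)"
    r"(?:\[(\d+\.\d+\.\d+\.\d+:\d+)\])?\s+PolicyName:\s*(\S+)"
)


def declared_count(text: str) -> Optional[int]:
    """Session count the firewall itself reports, for a consistency check."""
    m = COUNT_RE.search(text)
    return int(m.group(1)) if m else None


def parse_sessions(text: str) -> List[Session]:
    """Collect one Session per entry; an entry spans the header, Zone and flow lines."""
    sessions: List[Session] = []
    cur: dict = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"proto": m.group(1)}
            continue
        m = ZONE_RE.search(line)
        if m and cur:
            cur["src_zone"], cur["dst_zone"] = m.groups()
            continue
        m = FLOW_RE.search(line)
        if m and cur:
            src, dst, nat_dst, policy = m.groups()
            sessions.append(Session(cur["proto"], cur.get("src_zone", "?"),
                                    cur.get("dst_zone", "?"), src, dst, nat_dst, policy))
            cur = {}
    return sessions


def audit_nat_server(sessions: List[Session], global_addr: str,
                     inside_addr: str, rule_name: str) -> List[str]:
    """Findings for sessions to the published service: the NAT mapping must
    land on the inside server, and the permit must come from the named rule,
    not from the 'default' action (which would mean step 2 was never reverted)."""
    findings = []
    for s in sessions:
        if s.dst != global_addr:
            continue
        if s.nat_dst != inside_addr:
            findings.append(f"{s.src} -> {s.dst}: unexpected NAT target {s.nat_dst}")
        if s.policy != rule_name:
            findings.append(f"{s.src} -> {s.dst}: permitted by '{s.policy}', expected '{rule_name}'")
    return findings


if __name__ == "__main__":
    for label, text in (("step 4", SAMPLE_STEP4), ("step 6", SAMPLE_STEP6)):
        sessions = parse_sessions(text)
        print(f"{label}: parsed {len(sessions)} of {declared_count(text)} declared sessions")
        for f in audit_nat_server(sessions, "1.1.1.1:8080", "192.168.1.2:80", "untrust2dmz"):
            print("  FINDING:", f)
```

Run against the step 4 table the script reports one finding (the session is permitted by `default`); against the step 6 table it reports none, and the dmz-to-dmz NetBIOS broadcast with PolicyName `---` is parsed but ignored because it never touches the published address.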