netscreen 外网访问VIP配置

1、编辑interface

Network > Interfaces (List)

	List 5102050100 per page
	List  ALL(5)Layer2(0)Layer3(3)Loopback(0)Physical(3)Tunnel(1)Unused(1)VSI(0) Interfaces	Loopback IFTunnel IFVSI IF

 

 

Name	IP/Netmask	Zone	Type	Link	Configure
serial	0.0.0.0/0	Null	Unused	down	Edit
trust	172.2.1.254/24	Trust	Layer3	up	Edit
tunnel.1	unnumbered	Untrust	Tunnel	ready	Edit
untrust	58.2.24.246/32	Untrust	Layer3	up	Edit
vlan1	0.0.0.0/0	VLAN	Layer3	down	Edit

2、配置untrust

Network > Interfaces > Edit

 

	Interface: untrust (IP/Netmask: 58.2.24.246/32)	Back To Interface List
	Properties:  Basic    MIP     DIP     VIP     Track IP     Track IP Options

 

 

 

Interface Name	untrust (mac 0010.db39.9051)
As member of loopback group	none

Zone Name	NullTrustUntrustMGTV1-TrustV1-UntrustVLAN

---

       Obtain IP using PPPoE

Noneuntrust

Create new pppoe setting

Status: Connected

       Static IP

IP Address / Netmask

 /       Manageable

Manage IP

(mac 0010.db39.9051)

---

Interface Mode

NAT Route

---

        Service Options

Management Services

Web UI	Telnet	SSH
SNMP	SSL

Other Services

Ping

Ident-reset

---

WebAuth

   IP 

---

Traffic Bandwidth

 Kbps

 

 

3、创建VIP

Network > Interface > Edit > VIP/VIP Services

Interface: untrust (IP/Netmask: 58.2.24.246/32)	Back To Interface List
	Properties:  Basic     MIP     DIP     VIP    Track IP     Track IP Options

 

 

VIP			VIP Services
IP Address	Configure		Virtual Port	Service(Port)	Server IP	Status	Configure
58.2.24.246	Edit	In use	9080	was (9080)	172.2.1.110...	OK	Edit	Remove

 

 

这是已配置好的VIP，先增加一个VIP，再增加VIP Services，外网端口9080,映射服务端口为was(9080)，映射内网主机为172.2.1.110

 

 

4、配置访问策略

 

From Untrust To Global, total policy: 1
ID	Source	Destination	Service	Action	Options	Configure			Enable	Move
5	Any	VIP::1	ANY			Edit	Clone	Remove

 

这是已配置好的访问策略policies，方向为Untrust 到Global

 

5、访问策略配置

 

Name (optional)
Source Address	New Address / Address Book Entry 172.25.1.110/9080AnyDial-Up VPNXM
Destination Address	New Address / Address Book Entry AnyDial-Up VPNVIP::1
Service	wasANYAOLBGPDHCP-RelayDNSFINGERFTPFTP-GetFTP-PutGOPHERH.323HTTPHTTPSICMP Address MaskICMP-ANYICMP Dest UnreachableICMP Fragment NeededICMP Fragment ReassemblyICMP Host UnreachableICMP-INFOICMP Parameter ProblemICMP Port UnreachableICMP Protocol UnreachICMP RedirectICMP Redirect HostICMP Redirect TOS & HostICMP Redirect TOS & NetICMP Source QuenchICMP Source Route FailICMP Time ExceededICMP-TIMESTAMPIKEIMAPInternet Locator ServiceIRCL2TPLDAPMAILNetMeetingNFSNNTPNS GlobalNS Global PRONSMNTPOSPFPC-AnywherePINGPOP3PPTPReal MediaRIPRLOGINRSHSIPSNMPSQL*Net V1SQL*Net V2SSHSUN-RPCSYSLOGTALKTCP-ANYTELNETTFTPTRACEROUTEUDP-ANYUUCPVDO LiveWAISWINFRAMEX-WINDOWS
Application	NoneFTPRSHPORTMAPPERHTTPSMTPPOP3IMAPDNSTFTPH245Q931RASREALSIPSQLNETV2TALKVDOXINGIGNORE
Action	PermitDenyTunnel
Tunnel	VPN None2XM
	Modify matching bidirectional VPN policy
	L2TP None
Logging

6、服务端口定制custom，即上面的VIP：：1

Objects > Services > Custom

 

Name	Transport Protocol and Parameters	Timeout (min)	Configure
was	TCP src port: 0-65535, dst port: 9080-9080	default[30]	Edit	In Use

 

详细配置：

Service Name

Service Timeout

Use protocol default
Never
Custom (minutes)

No.	Transport protocol	Source Port		Destination Port		ICMP
		Low	High	Low	High	Type	Code
1	none TCP UDP ICMP other
2	none TCP UDP ICMP other
3	none TCP UDP ICMP other
4	none TCP UDP ICMP other
5	none TCP UDP ICMP other
6	none TCP UDP ICMP other
7	none TCP UDP ICMP other
8	none TCP UDP ICMP other

---