netscreen 外网访问VIP配置

1、编辑interface

Network > Interfaces (List)

	List 5102050100 per page
	List ALL(5)Layer2(0)Layer3(3)Loopback(0)Physical(3)Tunnel(1)Unused(1)VSI(0) Interfaces	Loopback IFTunnel IFVSI IF

Name IP/Netmask Zone Type Link Configure serial 0.0.0.0/0 Null Unused down Edit trust 172.2.1.254/24 Trust Layer3 up Edit tunnel.1 unnumbered Untrust Tunnel ready Edit untrust 58.2.24.246/32 Untrust Layer3 up Edit vlan1 0.0.0.0/0 VLAN Layer3 down Edit

2、配置untrust

Network > Interfaces > Edit

	Interface:untrust(IP/Netmask:58.2.24.246/32)	Back To Interface List
	Properties:Basic MIP DIP VIP Track IP Track IP Options

Interface Name untrust (mac 0010.db39.9051) As member of loopback group none Zone Name NullTrustUntrustMGTV1-TrustV1-UntrustVLAN Obtain IP using PPPoE Noneuntrust Create new pppoe setting Status:Connected Static IP IP Address / Netmask / Manageable Manage IP (mac 0010.db39.9051) Interface Mode NAT Route Service Options Management Services Web UI Telnet SSH SNMP SSL Other Services Ping Ident-reset WebAuth IP Traffic Bandwidth Kbps

3、创建VIP

Network > Interface > Edit > VIP/VIP Services

Interface:untrust(IP/Netmask:58.2.24.246/32)	Back To Interface List
	Properties:Basic MIP DIP VIP Track IP Track IP Options

VIP VIP Services IP Address Configure Virtual Port Service(Port) Server IP Status Configure 58.2.24.246 Edit In use 9080 was (9080) 172.2.1.110... OK Edit Remove

这是已配置好的VIP，先增加一个VIP，再增加VIP Services，外网端口9080,映射服务端口为was(9080)，映射内网主机为172.2.1.110

4、配置访问策略

<!-- script language="javascript" src="acl.js" --><!-- /script -->

From Untrust To Global, total policy: 1 ID Source Destination Service Action Options Configure Enable Move 5 Any VIP::1 ANY Edit Clone Remove

这是已配置好的访问策略policies，方向为Untrust 到Global

5、访问策略配置

Name (optional) Source Address New Address / Address Book Entry 172.25.1.110/9080AnyDial-Up VPNXM Destination Address New Address / Address Book Entry AnyDial-Up VPNVIP::1 Service wasANYAOLBGPDHCP-RelayDNSFINGERFTPFTP-GetFTP-PutGOPHERH.323HTTPHTTPSICMP Address MaskICMP-ANYICMP Dest UnreachableICMP Fragment NeededICMP Fragment ReassemblyICMP Host UnreachableICMP-INFOICMP Parameter ProblemICMP Port UnreachableICMP Protocol UnreachICMP RedirectICMP Redirect HostICMP Redirect TOS & HostICMP Redirect TOS & NetICMP Source QuenchICMP Source Route FailICMP Time ExceededICMP-TIMESTAMPIKEIMAPInternet Locator ServiceIRCL2TPLDAPMAILNetMeetingNFSNNTPNS GlobalNS Global PRONSMNTPOSPFPC-AnywherePINGPOP3PPTPReal MediaRIPRLOGINRSHSIPSNMPSQL*Net V1SQL*Net V2SSHSUN-RPCSYSLOGTALKTCP-ANYTELNETTFTPTRACEROUTEUDP-ANYUUCPVDO LiveWAISWINFRAMEX-WINDOWS Application NoneFTPRSHPORTMAPPERHTTPSMTPPOP3IMAPDNSTFTPH245Q931RASREALSIPSQLNETV2TALKVDOXINGIGNORE Action PermitDenyTunnel Tunnel VPN None2XM Modify matching bidirectional VPN policy L2TP None Logging

6、服务端口定制custom，即上面的VIP：：1

Objects > Services > Custom

Name Transport Protocol and Parameters Timeout (min) Configure was TCP src port: 0-65535, dst port: 9080-9080 default[30] Edit In Use

详细配置：

Service Name
Service Timeout	Use protocol default Never Custom (minutes)
No. Transport protocol Source Port Destination Port ICMP Low High Low High Type Code 1 none TCP UDP ICMP other 2 none TCP UDP ICMP other 3 none TCP UDP ICMP other 4 none TCP UDP ICMP other 5 none TCP UDP ICMP other 6 none TCP UDP ICMP other 7 none TCP UDP ICMP other 8 none TCP UDP ICMP other