This section describes how to configure server mapping (NAT server).
| Parameter | Description |
|---|---|
| Name | Name of the server mapping policy. |
| Zone | If a zone is specified, users in that security zone can access the internal server through the specified public IP addresses. |
| Public IP Address | Start and end public IP addresses that define an address range. Each private address of an intranet server is mapped to exactly one public address, so the number of public addresses in the range must equal the number of intranet servers. |
| Private IP Address | Start and end private IP addresses that define an address range. If only one intranet server is mapped, the end address does not need to be specified. |
| Specify protocol | |
| Protocol | Protocol that the server uses to provide services to external users. |
| Public Port | Port number that the server exposes to external users. This parameter is available only if Protocol is set to TCP, UDP, or SCTP. |
| Private Port | Internal port number used by the server. This parameter is available only if Protocol is set to TCP, UDP, or SCTP. |
| Allow server to use public IP address for Internet access | If this option is not selected, the device generates only forward server map entries. When the server proactively accesses the Internet, the device cannot translate the server's private address to a public IP address, so the server cannot initiate connections to the Internet. If this option is selected, the device also generates return server map entries, and the server can use its public IP address to access the Internet proactively. For security reasons, enable this option only when the intranet server needs to access the Internet. |
| Configure black hole route | If this option is selected, a black-hole route to the public IP address is delivered automatically to prevent routing loops. If a dynamic routing protocol such as OSPF is configured to import static routes, the public IP address can be advertised by that protocol; packets are then forwarded back and forth between the FW and the router, causing a routing loop. If the NAT Server global address and the WAN interface address are in different networks, a black-hole route is required. If they are in the same network, a black-hole route is recommended. If the NAT Server global address is the same as the WAN interface address, no routing loop can occur, and a black-hole route cannot be configured. |
| Add Security Policy | The web UI provides an [Add Security Policy] link. Click it to open the Add Security Policy page and quickly create a security policy that permits the traffic based on the configured data flows. The Add Security Policy page also supports Switch Source and Destination and OK and Copy, so that security policies for forward and return traffic can be configured together. For details, see Configuring a Security Policy Using the Web UI. |
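The constraints in the table above (equal public and private address counts, ports only for TCP/UDP/SCTP, black-hole route required when the global address is outside the WAN subnet, return entries only for servers that need outbound access) can be checked before a policy is committed. The following Python checker is an added example, not part of this documentation or the firewall; the dictionary keys and the `wan_interface` argument are assumptions chosen for the example.

```python
import ipaddress

# Hypothetical helper (not firewall code): applies the parameter-table rules
# to a server-mapping policy expressed as a plain dict.

PORT_PROTOCOLS = {"TCP", "UDP", "SCTP"}


def address_count(start, end=None):
    """Size of an IP range; a missing end address means a single address."""
    first = ipaddress.ip_address(start)
    last = ipaddress.ip_address(end) if end else first
    if last < first:
        raise ValueError(f"end address {last} precedes start address {first}")
    return int(last) - int(first) + 1


def black_hole_advice(global_addr, wan_interface):
    """Return 'not_needed', 'recommended' or 'required' per the table's rule.
    wan_interface is the WAN interface address with prefix, e.g. '203.0.113.1/24'."""
    wan = ipaddress.ip_interface(wan_interface)
    public = ipaddress.ip_address(global_addr)
    if public == wan.ip:
        return "not_needed"      # same address: no loop, nothing to black-hole
    if public in wan.network:
        return "recommended"     # same subnet as the WAN interface
    return "required"            # different network: imported route can loop


def validate_server_mapping(policy, wan_interface):
    """Return a list of problems; an empty list means the policy is consistent."""
    problems = []
    n_pub = address_count(policy["public_start"], policy.get("public_end"))
    n_priv = address_count(policy["private_start"], policy.get("private_end"))
    if n_pub != n_priv:
        problems.append(f"{n_pub} public address(es) for {n_priv} private; counts must match")
    proto = policy.get("protocol")
    has_ports = "public_port" in policy or "private_port" in policy
    if proto in PORT_PROTOCOLS and not ("public_port" in policy and "private_port" in policy):
        problems.append(f"{proto} mapping needs both public_port and private_port")
    if proto not in PORT_PROTOCOLS and has_ports:
        problems.append("ports are only valid when protocol is TCP, UDP or SCTP")
    if black_hole_advice(policy["public_start"], wan_interface) == "required" \
            and not policy.get("black_hole_route", False):
        problems.append("public address is outside the WAN subnet: enable the black-hole route")
    if policy.get("allow_internet_access") and not policy.get("server_needs_internet", False):
        problems.append("return server-map entries enabled for a server with no outbound need")
    return problems
```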
After configuring static mapping, you can perform the following procedures to check the IP connectivity to the intranet server:
Click Diagnose in Status and click OK in the dialog box that is displayed. The FW then uses the ping command to check whether the intranet server is reachable. If Connected is displayed, the intranet server is reachable. If Not connected is displayed, the intranet server is unreachable; in this case, check whether the link between the FW and the intranet server is normal and whether the intranet server is running properly.
NAT ALG and ASPF are configured on the same interface.
When services are normal, an Internet user can access the intranet server by using its public address. On the FW, choose . Check for an entry in which the public address is used as the destination address and is mapped to the private address of the intranet server. If such an entry exists, the server mapping configuration is successful. If it does not exist, modify the configuration and try again.