An H3C 20-20 router is connected to an H3C F100-S firewall, and I want to set up port mapping for the internal network

An H3C F100-S firewall is connected to an H3C MSR20 router with a host behind it, and the host cannot ping the external network gateway

Ping 172.10.11.1 from the router and see whether it gets through.

Setting the firewall interface to trunk? That can't be right. Doing it this way is wrong. First, if you have a static IP address, configure the external port with your static external IP address, and make the internal address the gateway for the internal network, for example 192.168.0.1/24; your PC should then use any address in the same 192.168.0 segment. Then set up an ACL that permits all IP addresses, and configure NAT address translation on the external interface so that your internal addresses are translated to the external address on the way out. Put the external interface in the untrust zone and the internal one in the trust zone. In global mode, permit all packets, and configure a static route.
Written out as a script, see this example:
Internal network------------(e0/0)-Secpath100c-(e1/0)------------internet
192.168.1.1/24 202.10.1.194/24

sys
System View: return to User View with Ctrl+Z.
[h3c]firewall packet default permit
[h3c]int e0/0
[h3c-Ethernet0/0]ip add 192.168.1.1 255.255.255.0
[h3c-Ethernet0/0]int e1/0
[h3c-Ethernet1/0]ip add 202.10.1.194 255.255.255.0
[h3c]fire zone untrust
[h3c-zone-untrust]add int e1/0
[h3c-zone-untrust]fire zone trust
[h3c-zone-trust]add int e0/0
[h3c-zone-trust]quit
[h3c]acl num 2000
[h3c-acl-basic-2000]rule per source 192.168.0.0 0.0.255.255
[h3c-acl-basic-2000]rule deny
[h3c]int e1/0
[h3c-Ethernet1/0]nat outbound 2000
[h3c]ip route-static 0.0.0.0 0.0.0.0 202.10.1.193 preference 60
If you connect to the Internet via ADSL dial-up, see this example:
Internal network------------(e0/0)-Secpath100c-(e0/1)-----ADSLMODEM-------internet
192.168.1.1/24
sys
System View: return to User View with Ctrl+Z.
[h3c]firewall packet default permit
[h3c]int e0/0
[h3c-Ethernet0/0]ip add 192.168.1.1 255.255.255.0
[h3c-Ethernet0/0]quit
[h3c]fire zone untrust
[h3c-zone-untrust]add int e0/1
[h3c-zone-untrust]fire zone trust
[h3c-zone-trust]add int e0/0
[h3c-zone-trust]quit
[h3c]acl num 2000
[h3c-acl-basic-2000]rule per source 192.168.1.0 0.0.0.255
[h3c-acl-basic-2000]rule deny
[h3c]int e0/1
[h3c-Ethernet0/1]nat outbound 2000

# Configure the Dialer interface

[h3c] dialer-rule 1 ip permit
[h3c] interface dialer 1
[h3c-Dialer1]dialer user myadsl
[h3c-Dialer1] dialer-group 1
[h3c-Dialer1] dialer bundle 1
[h3c-Dialer1] ip address ppp-negotiate
[h3c-Dialer1] ppp pap local-user huawei password cipher 123456
[h3c-Dialer1]nat outbound 2000
# Configure the PPPoE session

[h3c] interface ethernet 0/1
[h3c-Ethernet0/1] pppoe-client dial-bundle-number 1

[h3c]fire zone untrust
[h3c-zone-untrust]add int dial 1
[h3c-zone-untrust]quit

[h3c]ip route-static 0.0.0.0 0.0.0.0 dialer 1 preference 60
[h3c]quit
save
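
An added example, not part of the original answer and not an H3C tool: a small Python check that reads a pasted session like the ones above and reports the settings a reviewer would question before the firewall faces the Internet (default permit, a NAT ACL that covers more than the inside subnet, a weak PAP password). The names `audit` and `wildcard_to_network` are hypothetical, the command abbreviations are matched as typed in the sessions above, and wildcard masks are assumed to be contiguous.

```python
import ipaddress
import re

# Constructed sample: commands from the static-IP session above, prompts kept.
SAMPLE = """\
[h3c]firewall packet default permit
[h3c]int e0/0
[h3c-Ethernet0/0]ip add 192.168.1.1 255.255.255.0
[h3c-Ethernet0/0]int e1/0
[h3c-Ethernet1/0]ip add 202.10.1.194 255.255.255.0
[h3c]acl num 2000
[h3c-acl-basic-2000]rule per source 192.168.0.0 0.0.255.255
[h3c-acl-basic-2000]rule deny
[h3c]int e1/0
[h3c-Ethernet1/0]nat outbound 2000
"""

def wildcard_to_network(addr, wildcard):
    """Address + wildcard (inverse) mask -> network. Assumes a contiguous mask."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit(config):
    """Return findings for a pasted session (hypothetical helper, not an H3C tool)."""
    findings, subnets, acl_nets, acl = [], [], {}, None
    for raw in config.splitlines():
        line = re.sub(r"^\[[^\]]*\]\s*", "", raw.strip())  # drop the "[h3c-...]" prompt
        if re.match(r"fire\S*\s+packet\S*\s+default\s+permit", line):
            findings.append("default-permit: packets matching no rule are forwarded")
        elif m := re.match(r"ip add\S*\s+(\S+)\s+(\S+)$", line):
            subnets.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif m := re.match(r"acl num\S*\s+(\d+)", line):
            acl = m[1]  # following "rule" lines belong to this ACL
        elif acl and (m := re.match(r"rule per\S*\s+source\s+(\S+)\s+(\S+)", line)):
            acl_nets.setdefault(acl, []).append(wildcard_to_network(m[1], m[2]))
        elif m := re.match(r"nat outbound\s+(\d+)", line):
            # Flag permit ranges that are not inside any interface subnet seen so far.
            for net in acl_nets.get(m[1], []):
                if not any(net.subnet_of(s) for s in subnets):
                    findings.append(f"nat-acl-wide: ACL {m[1]} permits {net}, "
                                    "not inside any configured interface subnet")
        elif m := re.match(r"ppp pap local-user\s+\S+\s+password\s+\S+\s+(\S+)", line):
            if len(m[1]) < 8 or m[1].isdigit():
                findings.append("weak-ppp-password: short or digits-only PAP password")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
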

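The port mapping definitely has to be done on the router, because forwarding data is exactly what the router does;

but once a firewall is attached, you should also open the corresponding port on the firewall.
The firewall's job is filtering.

It is usually done on the firewall.

It is always done on the first device that connects you to the external network. That should be the MSR2020. The firewall hangs below the MSR2020, right?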
