Configure the NAT function on the firewall to allow the intranet servers to proactively access the Internet.
The destination address of packets from the Internet to the servers becomes the virtual IP address of the servers, 10.1.1.1 after they go through the firewall. Moreover, these packets match nat server, and the master server receives packets whose destination IP address is the virtual IP address. Therefore, the intranet can be accessed from the Internet.
When an intranet server accesses the Internet, the source IP addresses of the packets sent by the server is the physical IP address of the server, 10.1.1.2 or 10.1.1.3. These packets cannot match nat server. Therefore, the intranet servers cannot access the Internet.
For two intranet servers that implement dual-system hot backup (the source IP address of packets from the master server is the physical IP address of the master server), you can configure nat server to allow access from the Internet to the intranet and from the intranet to the Internet.