As shown in figure, a USG is deployed in the export of an enterprise, whose internal user belongs to the Trust region and connects the USG through the interface GE0/0/2. The FTP server belongs to the DMZ area, provides FTP server for external and internal network, through the interface GE0/0/1 connects the USG. The interface GE0/0/3 of USG connects with Internet, which belongs to the Untrust area.
Firewall starts NAT function. The relevant configuration is as follows:
[sysname-interzone-trust-untrust] nat outbound 2000 address-group 1
[sysname] nat server global 18.104.22.168 inside 192.168.2.2
Among them, the 22.214.171.124 is the public network IP address of FTP server.
After the configuration has been completed, the users in Trust region can’t access to the private network address 192.168.2.2 of FTP server, can only access to its public network address 126.96.36.199.