The user requires that extranet users can access only the www port of the intranet PC (192.168.0.1). The following configuration is applied:
nat server protocol tcp global 184.108.40.206 www inside 192.168.0.1 www
acl number 3000
rule 0 permit tcp destination 192.168.0.1 0 destination-port eq www
rule 1 deny ip
firewall interzone trust untrust
packet-filter 3000 inbound
The test result shows that extranet users can access any port of the intranet PC.
Check the configuration. The configuration is correct.
Normally, address mapping is performed on the device, so to restrict access you would write the private address (the address after mapping) directly in the ACL. Checking the ACL shows that the rule is not matched. After the address in the ACL rule is changed to the public address used before NAT, the problem is solved.
Possible causes considered:
1. The configuration is incorrect.
2. The intranet server is faulty.
3. The version is incorrect.
On USG2200 V1R1, the device first matches the ACL and then performs NAT. If the ACL names the private address (the address after NAT), the packet still carries the public destination address when the ACL is evaluated, so the rule never matches and the ACL does not take effect. Change the address in the ACL rule to the public address.
In USG2200 V1R2 and later versions this order is changed: the device first performs NAT and then matches the ACL. On these versions the ACL takes effect only when it restricts the private address after NAT.
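The two processing orders described above (ACL before NAT on V1R1, NAT before ACL on V1R2 and later) decide which address the interzone ACL must name. The following is an added example, not code from the page or from Huawei: a small Python model of a packet passing through destination NAT and an ACL in either order, using the page's addresses and ACL 3000. It assumes a port-level nat server mapping (as the page's command specifies), Huawei wildcard-mask semantics for the "0" mask, and that an ACL with no matching rule denies the packet (the page's ACL ends in deny ip, so the assumption is harmless here).

```python
# Added example (not from the page or Huawei): a small model of the two processing
# orders the page describes, to show which address an interzone ACL must name.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "184.108.40.206"   # global address in the page's nat server line
PRIVATE_IP = "192.168.0.1"     # inside address of the intranet PC
WWW = 80                       # "www" in the page's commands


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "ip" (any protocol)
    dst: Optional[str] = None        # destination address, None = any
    wildcard: str = "0"              # Huawei wildcard mask; "0" is shorthand for 0.0.0.0 (exact host)
    dst_port: Optional[int] = None   # "destination-port eq N", None = any


# The page's ACL 3000 written twice: once naming the private (post-NAT) address,
# once naming the public (pre-NAT) address.
ACL_PRIVATE: List[Rule] = [Rule("permit", "tcp", PRIVATE_IP, "0", WWW), Rule("deny", "ip")]
ACL_PUBLIC: List[Rule] = [Rule("permit", "tcp", PUBLIC_IP, "0", WWW), Rule("deny", "ip")]

# "nat server protocol tcp global 184.108.40.206 www inside 192.168.0.1 www":
# modelled as a port-level static mapping keyed by (proto, global address, global port).
NatTable = Dict[Tuple[str, str, int], Tuple[str, int]]
NAT_SERVER: NatTable = {("tcp", PUBLIC_IP, WWW): (PRIVATE_IP, WWW)}


def _addr_matches(rule: Rule, ip: str) -> bool:
    """Compare ip with rule.dst under a wildcard mask (1 bits are 'don't care')."""
    if rule.dst is None:
        return True
    wc = "0.0.0.0" if rule.wildcard == "0" else rule.wildcard
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wc))
    return (int(ipaddress.IPv4Address(rule.dst)) & care) == (int(ipaddress.IPv4Address(ip)) & care)


def acl_decision(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins. Assumption: no match means deny (the page's ACL ends in deny ip)."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not _addr_matches(r, pkt.dst_ip):
            continue
        if r.dst_port is not None and r.dst_port != pkt.dst_port:
            continue
        return r.action
    return "deny"


def nat_server(pkt: Packet, table: NatTable) -> Packet:
    """Destination NAT: rewrite only packets whose (proto, dst, port) has a mapping."""
    hit = table.get((pkt.proto, pkt.dst_ip, pkt.dst_port))
    return Packet(pkt.proto, hit[0], hit[1]) if hit else pkt


def process(pkt: Packet, rules: List[Rule], table: NatTable, order: str) -> str:
    """order is 'acl_then_nat' (the page's V1R1 behaviour) or 'nat_then_acl' (V1R2 and later)."""
    if order == "acl_then_nat":
        if acl_decision(rules, pkt) == "deny":
            return "dropped"
        pkt = nat_server(pkt, table)
    elif order == "nat_then_acl":
        pkt = nat_server(pkt, table)
        if acl_decision(rules, pkt) == "deny":
            return "dropped"
    else:
        raise ValueError(f"unknown order {order!r}")
    return f"forwarded to {pkt.dst_ip}:{pkt.dst_port}"


def matrix() -> Dict[Tuple[str, str, int], str]:
    """Outcome of an extranet packet to the public address under every order/ACL combination."""
    out: Dict[Tuple[str, str, int], str] = {}
    for order in ("acl_then_nat", "nat_then_acl"):
        for name, acl in (("acl_private", ACL_PRIVATE), ("acl_public", ACL_PUBLIC)):
            for port in (WWW, 22):   # www plus one unmapped port, chosen for the demonstration
                out[(order, name, port)] = process(Packet("tcp", PUBLIC_IP, port), acl, NAT_SERVER, order)
    return out


if __name__ == "__main__":
    for key, result in matrix().items():
        print(f"{key[0]:13} {key[1]:12} port {key[2]:<3} -> {result}")
```

Running the model shows the point the page makes: under acl_then_nat the permit rule only ever fires when it names the public address, and under nat_then_acl only when it names the private address; in the mismatched combinations the intended www traffic never matches the permit rule, so the ACL does not do what was intended. When checking a device, confirm which order its version uses before deciding which address the interzone ACL should reference.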