CN105991442A - Message forwarding method and device - Google Patents
Publication number: CN105991442A (application CN201510221087.XA)
Authority: CN (China)
Prior art keywords: message, outer net (extranet), address, port, net client
Legal status: Granted
Abstract
The present invention provides a message (packet) forwarding method and device. The method is applied on a firewall directly connected to an intranet server and includes the following steps: when a first packet sent by an intranet VPN device is received, determining the extranet client IP address in the first packet and the port on the intranet VPN device and/or on the firewall through which the first packet was transmitted; matching the determined extranet client IP address with that port to generate a matching relationship; when a second packet sent by the intranet server is received, finding in the matching relationships the port that matches the extranet client IP address in the second packet; and forwarding the second packet through the found port to the corresponding intranet VPN device. With the method and device of the embodiments, the intranet server can effectively access the extranet client.
    Description
Technical field
      The present invention relates to the field of network communication technology, and in particular to a message forwarding method and device.
    Background technology
      With the development of network communication technology, more and more companies use VPN (Virtual Private Network) technology to build an intranet that provides server resources to their staff, so that extranet clients can securely access internal company data. When the volume of extranet client access to intranet server resources is large, a single VPN device may not be able to process all of the access requests, so the intranet normally provides several VPN devices and uses an application delivery gateway to distribute the extranet clients' access requests evenly among them. The external address of all of these intranet VPN devices is the IP (Internet Protocol) address of the application delivery gateway.
      To let the intranet server manage extranet clients, the intranet server must be able to access each extranet client correctly. When the intranet server wants to access an extranet client, it must first send a packet to an intranet VPN device. On receiving this packet, the intranet VPN device re-encapsulates it so that the destination address of the re-encapsulated packet is the IP address of the extranet VPN device that serves the extranet client the intranet server wants to reach.
      However, different extranet clients may be connected through different extranet VPN devices, and not every intranet VPN device holds the IP address of the extranet VPN device corresponding to the extranet client that the intranet server wants to access. The intranet server's second packet is therefore forwarded correctly to the extranet client only if it is sent to the correct intranet VPN device, and only then is the intranet server's access to the extranet client guaranteed. In the prior art, the intranet server may thus be unable to access an extranet client effectively.
    Summary of the invention
      The present invention provides a message forwarding method and device to solve the problem that an intranet server may be unable to access an extranet client effectively.
      According to a first aspect of the embodiments of the present invention, a message forwarding method is provided. The method is applied on a firewall directly connected to an intranet server and includes:
      when a first packet sent by an intranet VPN device is received, determining the extranet client IP address in the first packet and the port on the intranet VPN device and/or on the firewall used to transmit the first packet;
      matching the determined extranet client IP address with the port to generate a matching relationship;
      when a second packet sent by the intranet server is received, finding in the matching relationship the port that matches the extranet client IP address in the second packet; and
      forwarding the second packet through the found port to the corresponding intranet VPN device, so that the intranet VPN device re-encapsulates the second packet and forwards the re-encapsulated second packet to the corresponding extranet VPN device, which then decapsulates the re-encapsulated second packet and forwards the decapsulated second packet to the corresponding extranet client.
      According to a second aspect of the embodiments of the present invention, a message forwarding device is provided. The device is applied on a firewall directly connected to an intranet server and includes:
      a determining unit, for, when a first packet sent by an intranet VPN device is received, determining the extranet client IP address in the first packet and the port on the intranet VPN device and/or on the firewall used to transmit the first packet;
      a generating unit, for matching the determined extranet client IP address with the port to generate a matching relationship;
      a searching unit, for, when a second packet sent by the intranet server is received, finding in the matching relationship the port that matches the extranet client IP address in the second packet; and
      a forwarding unit, for forwarding the second packet through the found port to the corresponding intranet VPN device, so that the intranet VPN device re-encapsulates the second packet and forwards the re-encapsulated second packet to the corresponding extranet VPN device, which then decapsulates it and forwards the decapsulated second packet to the corresponding extranet client.
      In the embodiments of the present invention, when the firewall receives a first packet sent by an intranet VPN device, it first determines the extranet client IP address in the first packet and the port on the intranet VPN device and/or on the firewall used to transmit it, and then matches the determined extranet client IP address with that port to generate a matching relationship. When the firewall later receives a second packet sent by the intranet server, it finds in this matching relationship the port that matches the extranet client IP address in the second packet and forwards the second packet through that port to the corresponding intranet VPN device. The firewall thus delivers the intranet server's second packet to the correct intranet VPN device, so the intranet server can effectively access the extranet client.
    Accompanying drawing explanation
      Fig. 1 is a schematic diagram of an application scenario in which message forwarding is realized according to an embodiment of the present invention;
      Fig. 2 is a flow chart of one embodiment of the message forwarding method of the present invention;
      Fig. 3 is a flow chart of another embodiment of the message forwarding method of the present invention;
      Fig. 4 is a hardware structure diagram of the equipment in which the message forwarding device of the present invention is located;
      Fig. 5 is a block diagram of one embodiment of the message forwarding device of the present invention.
    Detailed description of the invention
      To help those skilled in the art better understand the technical solutions in the embodiments of the present invention, and to make the above purposes, features and advantages of the embodiments clearer and easier to understand, the technical solutions in the embodiments are described in further detail below with reference to the drawings.
      Referring to Fig. 1, a schematic diagram of an application scenario in which message forwarding is realized according to an embodiment of the present invention. In Fig. 1, an extranet client may be a mobile phone, a PC (Personal Computer) or the like, and the intranet VPN devices and extranet VPN devices may be gateways, routers or the like. When an extranet client accesses the intranet server, it first sends a first packet to an extranet VPN device; the source address of this first packet is the extranet client IP address and the destination address is the intranet server IP address. On receiving the first packet, the extranet VPN device re-encapsulates it so that the source address of the re-encapsulated first packet is the IP address of the extranet VPN device and the destination address is the IP address of the application delivery gateway; the re-encapsulated first packet still carries the extranet client IP address and the intranet server IP address. The extranet VPN device then sends the re-encapsulated first packet over the extranet to the application delivery gateway. On receiving it, the application delivery gateway sends the re-encapsulated first packet to one of the intranet VPN devices according to the load of each intranet VPN device. On receiving the re-encapsulated first packet, that intranet VPN device first decapsulates it, so that the source address of the decapsulated first packet is again the extranet client IP address and the destination address is the intranet server IP address, and then sends the decapsulated first packet to the intranet server through the firewall.
      When the intranet server accesses an extranet client, it first sends a second packet through the firewall to an intranet VPN device; the source address of this second packet is the intranet server IP address and the destination address is the extranet client IP address. On receiving the second packet, the intranet VPN device first re-encapsulates it so that the source address of the re-encapsulated second packet is the IP address of the application delivery gateway (which is also the external IP address of the intranet VPN device) and the destination address is the IP address of the extranet VPN device that serves the extranet client the intranet server wants to reach; the re-encapsulated second packet still carries the extranet client IP address and the intranet server IP address. The intranet VPN device then sends the re-encapsulated second packet through the application delivery gateway to the corresponding extranet VPN device. On receiving it, the extranet VPN device first decapsulates the second packet, so that the source address of the decapsulated second packet is the intranet server IP address and the destination address is the extranet client IP address, and then sends the decapsulated second packet to the corresponding extranet client.
      Because the intranet VPN device must first re-encapsulate the second packet so that its destination address is the IP address of the extranet VPN device serving the target extranet client, but not every intranet VPN device holds the IP address of that extranet VPN device, the intranet server's second packet is forwarded correctly to the extranet client only if it is sent to the correct intranet VPN device; only then is the intranet server's access to the extranet client guaranteed.
      In the embodiments of the present invention, the firewall therefore learns, from each first packet sent by an intranet VPN device, the extranet client IP address and the port on the intranet VPN device and/or on the firewall used to transmit it, and records the two as a matching relationship. When a second packet from the intranet server arrives, the firewall looks up the port matching the extranet client IP address in the second packet and forwards the second packet through that port to the corresponding intranet VPN device. The second packet thus reaches the correct intranet VPN device, and the intranet server can effectively access the extranet client.
      Referring to Fig. 2, a flow chart of one embodiment of the message forwarding method of the present invention. This embodiment is described from the side of the firewall directly connected to the intranet server and includes the following steps:
      Step 201: when a first packet sent by an intranet VPN device is received, determine the extranet client IP address in the first packet and the port on the intranet VPN device and/or on the firewall used to transmit the first packet.
      In this embodiment, when an extranet client accesses the intranet server it first sends a first packet to an extranet VPN device. On receiving it, the extranet VPN device re-encapsulates the first packet and sends the re-encapsulated first packet to the application delivery gateway, which, according to the load of each intranet VPN device, sends the encapsulated first packet to one of the intranet VPN devices.
      On receiving the re-encapsulated first packet, the intranet VPN device first decapsulates it and then sends the decapsulated first packet to the firewall directly connected to the intranet server. Because the decapsulated first packet is identical to the first packet the extranet client sent to the extranet VPN device, and so carries the extranet client IP address and the intranet server IP address, the firewall, on receiving the decapsulated first packet, can determine the extranet client IP address in it and the port on the intranet VPN device and/or on the firewall used to transmit it. Specifically: if only the port on the intranet VPN device used to send the first packet is fixed, the firewall determines only that sending port on the intranet VPN device; if only the port on the firewall used to receive the first packet is fixed, the firewall determines only that receiving port on the firewall; and if both the sending port on the intranet VPN device and the receiving port on the firewall are fixed, the firewall determines both the sending port on the intranet VPN device and the receiving port on the firewall.
      Step 202: match the determined extranet client IP address with the port to generate a matching relationship.
      In this embodiment, the firewall may first check whether it already holds a matching relationship for the determined extranet client IP address. If it does, it further checks whether the determined port is the same as the port in that matching relationship: if so, the matching relationship is left unchanged; if not, the port in the matching relationship is updated to the determined port, which updates the matching relationship. If the firewall holds no matching relationship for the determined extranet client IP address, it matches the determined extranet client IP address with the port and generates one. As the load on the intranet VPN devices changes, the intranet VPN device that forwards the traffic between an extranet client and the intranet server may change, and with it the port on the intranet VPN device and/or on the firewall used to transmit that traffic. In addition, over time an intranet VPN device may lose the extranet VPN device IP address it holds because of instability. By updating the matching relationship, this embodiment further ensures that the firewall sends the intranet server's second packet to the correct intranet VPN device, and so further ensures the intranet server's access to the extranet client.
      In addition, the firewall may count the time elapsed until it next receives a packet containing the determined extranet client IP address (that is, a first packet sent by the extranet client to the intranet server or a second packet sent by the intranet server to the extranet client), and check whether this counted duration exceeds a preset time. If it does, the firewall removes the matching relationship for that extranet client IP address; otherwise it repeats this step. By removing the matching relationship for an extranet client IP address when no traffic between that extranet client and the intranet server has been received within the preset time, this embodiment frees space in the firewall and so improves the firewall's utilization.
      To control how long extranet clients may stay online accessing the intranet server, an administrator may configure a time threshold for each extranet client's online access to the intranet server; when an extranet client's online access duration exceeds the configured threshold, the extranet client is forced offline. In this case the firewall can set the aging time of the matching relationship accordingly and remove the matching relationship when its aging time exceeds the configured threshold.
      Specifically, after the firewall receives a first packet from an intranet VPN device and determines the extranet client IP address in it, it generates a matching relationship only when none exists for that extranet client IP address. Generating a matching relationship for an extranet client IP address therefore means that the corresponding extranet client has just come online. At that moment the firewall can start a timer and check whether the timed duration exceeds the time threshold allowed for the extranet client's online access to the intranet server; if so, it removes the matching relationship for that extranet client IP address, which frees space in the firewall and improves its utilization.
      Step 203: when a second packet sent by the intranet server is received, find in the matching relationship the port that matches the extranet client IP address in the second packet.
      In this embodiment, when the intranet server accesses an extranet client it first sends a second packet to the firewall; the source address of this second packet is the intranet server IP address and the destination address is the extranet client IP address. On receiving the second packet from the intranet server, the firewall can find in the matching relationship the port that matches the extranet client IP address in the second packet.
      Step 204: forward the second packet through the found port to the corresponding intranet VPN device, so that the intranet VPN device re-encapsulates the second packet and forwards the re-encapsulated second packet to the corresponding extranet VPN device, which then decapsulates it and forwards the decapsulated second packet to the corresponding extranet client.
      In this embodiment, because at least one side of the connection between the intranet VPN device and the firewall uses a fixed port, the firewall can forward the intranet server's second packet through the found port to the correct intranet VPN device, namely the one that holds the IP address of the extranet VPN device serving the extranet client the intranet server wants to reach.
      On receiving the intranet server's second packet, the intranet VPN device first re-encapsulates it and then sends the re-encapsulated second packet through the application delivery gateway to the corresponding extranet VPN device. On receiving the re-encapsulated second packet, the extranet VPN device first decapsulates it and then sends the decapsulated second packet to the corresponding extranet client.
      As the above embodiment shows, the firewall learns from each first packet sent by an intranet VPN device the extranet client IP address and the port on the intranet VPN device and/or on the firewall used to transmit it, and records the two as a matching relationship; when a second packet from the intranet server arrives, it looks up the port matching the extranet client IP address in the second packet and forwards the second packet through that port to the corresponding intranet VPN device. The second packet thus reaches the correct intranet VPN device, and the intranet server can effectively access the extranet client.
      Referring to Fig. 3, a flow chart of another embodiment of the message forwarding method of the present invention. This embodiment describes the message forwarding process of the embodiments of the present invention in detail through the interaction between an extranet client and the intranet server:
      Step 301: the extranet client sends a first packet to an extranet VPN device.
      Step 302: the extranet VPN device re-encapsulates the first packet, so that the source address of the re-encapsulated first packet is the IP address of the extranet VPN device and the destination address is the IP address of the application delivery gateway; the re-encapsulated first packet may include the extranet client IP address and the intranet server IP address.
      Step 303: the extranet VPN device sends the re-encapsulated first packet through the application delivery gateway to an intranet VPN device.
      Step 304: the intranet VPN device decapsulates the first packet, so that the source address of the decapsulated first packet is the extranet client IP address and the destination address is the intranet server IP address.
      Step 305: the intranet VPN device sends the decapsulated first packet to the firewall.
      Step 306: the firewall creates a session corresponding to the extranet client IP address in the first packet. The session may include five-tuple information: the extranet client IP address, the intranet server IP address, the port on the intranet VPN device used to send the first packet, the port on the firewall used to receive it, and the transport protocol.
      Step 307: the intranet server sends a second packet to the firewall.
      Step 308: the firewall determines the corresponding session according to the extranet client IP address in the second packet.
      Step 309: the firewall forwards the second packet to the corresponding intranet VPN device according to the determined session information. At this point the firewall has forwarded the intranet server's second packet to the correct intranet VPN device.
      Step 310: the intranet VPN device re-encapsulates the second packet, so that the source address of the re-encapsulated second packet is the IP address of the application delivery gateway and the destination address is the IP address of the extranet VPN device; the re-encapsulated second packet may include the extranet client IP address and the intranet server IP address.
      Step 311: the intranet VPN device sends the re-encapsulated second packet through the application delivery gateway to the corresponding extranet VPN device.
      Step 312: the extranet VPN device decapsulates the second packet, so that the source address of the decapsulated second packet is the intranet server IP address and the destination address is the extranet client IP address.
      Step 313: the extranet VPN device sends the decapsulated second packet to the corresponding extranet client.
      As this embodiment shows, the session the firewall creates in step 306 from the first packet is what lets it pick the correct intranet VPN device for the second packet in steps 308 and 309: the extranet client IP address in the second packet is looked up, the port recorded for it is used for forwarding, and the intranet server can therefore effectively access the extranet client.
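The following Python is an added example, not code from the patent or its applicant. It models the firewall-side matching table of Fig. 2 (steps 201 to 204, including the port update, idle aging and online-time threshold described under step 202) and walks through the Fig. 3 exchange end to end (steps 301 to 313) with two extranet clients and two intranet VPN devices. All addresses, port numbers, timeouts, the round-robin distribution that stands in for the application delivery gateway's load balancing, and the class and function names are constructed for illustration; the patent specifies none of them.

```python
"""Firewall-side matching table (Fig. 2, steps 201-204) and a walk-through of the
Fig. 3 exchange (steps 301-313).  Added example: addresses, port numbers, timeouts
and the round-robin stand-in for the application delivery gateway's load balancing
are constructed, not taken from the patent."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    payload: object = ""      # application data, or an encapsulated Packet


@dataclass
class Session:
    """Five-tuple of step 306 plus the timestamps the two aging rules need."""
    client_ip: str
    server_ip: str
    vpn_port: int             # sending port on the intranet VPN device
    fw_port: int              # receiving port on the firewall
    proto: str
    last_seen: float          # idle-timeout rule
    online_since: float       # max-online-time rule


class Firewall:
    """Learns extranet client IP -> ingress port from first packets and uses it to
    steer the intranet server's second packets to the right intranet VPN device."""

    def __init__(self, idle_timeout: float, max_online: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.idle_timeout, self.max_online, self.clock = idle_timeout, max_online, clock
        self.sessions: Dict[str, Session] = {}

    def learn(self, first: Packet, vpn_port: int, fw_port: int, proto: str = "tcp") -> Session:
        """Steps 201-202: create the matching relationship, or refresh its ports when
        the application delivery gateway has moved the client to another VPN device."""
        now = self.clock()
        s = self.sessions.get(first.src)
        if s is None:
            s = Session(first.src, first.dst, vpn_port, fw_port, proto, now, now)
            self.sessions[first.src] = s
        else:
            s.vpn_port, s.fw_port, s.last_seen = vpn_port, fw_port, now
        return s

    def lookup(self, second: Packet) -> Optional[int]:
        """Steps 203-204: firewall port leading to the VPN device for this client."""
        self.expire()
        s = self.sessions.get(second.dst)
        if s is None:
            return None           # no matching relationship: the firewall cannot choose
        s.last_seen = self.clock()
        return s.fw_port

    def expire(self) -> None:
        """Drop entries idle longer than idle_timeout or online longer than max_online."""
        now = self.clock()
        for ip, s in list(self.sessions.items()):
            if now - s.last_seen > self.idle_timeout or now - s.online_since > self.max_online:
                del self.sessions[ip]


class IntranetVPN:
    """Decapsulates inbound tunnels (step 304) and remembers which extranet VPN
    device each client came through, which is what step 310 needs."""

    def __init__(self, fw_port: int) -> None:
        self.fw_port, self.peers = fw_port, {}   # peers: client IP -> extranet VPN IP

    def inbound(self, outer: Packet) -> Packet:
        inner = outer.payload
        self.peers[inner.src] = outer.src
        return inner

    def outbound(self, reply: Packet, adg_ip: str) -> Optional[Packet]:
        peer = self.peers.get(reply.dst)
        return None if peer is None else Packet(adg_ip, peer, reply)


ADG_IP, SERVER_IP = "10.0.0.1", "10.0.1.10"                                 # constructed
CLIENTS = {"203.0.113.5": "198.51.100.1", "203.0.113.9": "198.51.100.2"}  # client -> its extranet VPN


def run_scenario() -> Tuple[Dict[str, Optional[str]], Dict[str, bool]]:
    """Two clients spread round-robin over two intranet VPN devices.  Returns
    (extranet VPN IP each reply reaches via the learned port, whether a firewall
    that always hands replies to the first VPN device could have delivered it)."""
    fw = Firewall(idle_timeout=60.0, max_online=3600.0)
    devices = {1: IntranetVPN(fw_port=1), 2: IntranetVPN(fw_port=2)}
    for i, (client, ext_vpn) in enumerate(CLIENTS.items()):
        tunnel = Packet(ext_vpn, ADG_IP, Packet(client, SERVER_IP, "request"))   # step 302
        dev = devices[1 + i % 2]                                                 # step 303
        fw.learn(dev.inbound(tunnel), vpn_port=100 + dev.fw_port, fw_port=dev.fw_port)  # 304-306
    via_table, naive = {}, {}
    for client in CLIENTS:
        reply = Packet(SERVER_IP, client, "response")                            # step 307
        port = fw.lookup(reply)                                                  # steps 308-309
        out = devices[port].outbound(reply, ADG_IP) if port is not None else None  # step 310
        via_table[client] = out.dst if out is not None else None
        naive[client] = devices[1].outbound(reply, ADG_IP) is not None
    return via_table, naive


if __name__ == "__main__":
    print(run_scenario())
```

Running the module shows that the replies for both clients reach the right extranet VPN device through the learned port, while a firewall that always hands replies to the first intranet VPN device cannot deliver the second client's reply, which is exactly the failure the background section describes. `expire` combines the two removal rules given under step 202: idle time since the last packet carrying the client IP, and total time since the entry was created. As in the patent, the entry is keyed only by the extranet client IP address, so this example inherits that choice.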
      Corresponding to the foregoing embodiments of the message forwarding method, the present invention also provides embodiments of a message forwarding device.
      The embodiments of the message forwarding device of the present invention can each be applied on a firewall directly connected to an intranet server. A device embodiment may be implemented in software, in hardware, or in a combination of software and hardware. Taking software implementation as an example, the device, as a logical entity, is formed by the processor of the equipment in which it resides reading the corresponding computer program instructions from non-volatile memory into RAM and running them. At the hardware level, Fig. 4 shows a hardware structure diagram of the equipment in which the message forwarding device of the present invention resides; in addition to the processor, network interface and memory shown in Fig. 4, the equipment in which the device of the embodiment resides may generally include other hardware, such as a forwarding chip responsible for processing packets. In terms of hardware structure, the equipment may also be distributed and may include multiple interface cards, so that packet processing can be extended at the hardware level.
      Referring to Fig. 5, a block diagram of one embodiment of the message forwarding device of the present invention. The device is applied on a firewall directly connected to an intranet server and includes:
      a determining unit 510, for, when a first packet sent by an intranet VPN device is received, determining the extranet client IP address in the first packet and the port on the intranet VPN device and/or on the firewall used to transmit the first packet;
      a generating unit 520, for matching the determined extranet client IP address with the port to generate a matching relationship;
      a searching unit 530, for, when a second packet sent by the intranet server is received, finding in the matching relationship the port that matches the extranet client IP address in the second packet;
      a forwarding unit 540, for forwarding the second packet through the found port to the corresponding intranet VPN device, so that the intranet VPN device re-encapsulates the second packet and forwards the re-encapsulated second packet to the corresponding extranet VPN device, which then decapsulates it and forwards the decapsulated second packet to the corresponding extranet client.
      In an optional implementation, the apparatus further includes:
      a judging unit 550, configured to, after the outer-net client IP address in the first message and the port on the intranet VPN device and/or on the firewall used to transmit the first message have been determined, judge whether a matching relationship corresponding to the determined outer-net client IP address exists on the firewall;
      an updating unit 560, configured to, if a matching relationship corresponding to the determined outer-net client IP address exists on the firewall, judge whether the determined port is identical to the port in that matching relationship, and if not, update the port in the matching relationship to the determined port;
      the generating unit 520 is specifically configured to, if no matching relationship corresponding to the determined outer-net client IP address exists on the firewall, match the determined outer-net client IP address with the port and generate a matching relationship.
      In another optional implementation, the apparatus further includes:
      a timing unit 570, configured to, after the outer-net client IP address in the first message and the port on the intranet VPN device and/or on the firewall used to transmit the first message have been determined, count the duration until a message including the determined outer-net client IP address is next received;
      a clearing unit 580, configured to judge whether the counted duration exceeds a preset time, and if so, remove the matching relationship corresponding to the determined outer-net client IP address.
      In another optional implementation,
      the timing unit 570 is configured to start timing after the determined outer-net client IP address has been matched with the port and the matching relationship generated;
      the clearing unit 580 is configured to judge whether the timed duration exceeds the time threshold for which an outer-net client is allowed to access the intranet server online, and if so, remove the matching relationship corresponding to the determined outer-net client IP address.
      In the above apparatus, the functions of the units and the processes by which their effects are achieved correspond to the steps of the above method and are not repeated here.
      Since the apparatus embodiment essentially corresponds to the method embodiment, the relevant parts may be understood by referring to the description of the method embodiment. The apparatus embodiment described above is merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present invention. Those of ordinary skill in the art can understand and implement this without creative effort.
      As can be seen from the above embodiments, when the firewall receives the first message sent by the intranet VPN device, it first determines the outer-net client IP address in that first message and the port on the intranet VPN device and/or on the firewall used to transmit it, and then matches the determined outer-net client IP address with the port to generate a matching relationship. When the firewall later receives the second message sent by the intranet server, it can find in this matching relationship the port matching the outer-net client IP address in the second message and forward the second message through that port to the corresponding intranet VPN device. In this way the firewall delivers the second message from the intranet server to the correct intranet VPN device, so that effective access by the outer-net client to the intranet server is achieved.
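The matching relationship kept on the firewall, its update when the port for a client changes (the first optional implementation above), and the two aging rules (idle time since the last message carrying the client IP, and total online time since the relationship was generated) can be modelled compactly. The following Python is an added example written for this page, not code from the patent or its applicant: the addresses, port names and timeouts are constructed, and the choice to also refresh the idle timer on a reply from the intranet server, on the grounds that such a reply is a message including the client IP address, is an assumption made here.

```python
"""Firewall-side matching table for the forwarding method above (added example, not patent code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Message:
    """Constructed, minimal view of a message as the firewall sees it."""
    src_ip: str        # outer-net client for a first message, intranet server for a second message
    dst_ip: str
    ingress_port: str  # firewall port (or intranet VPN device port) the message arrived through


@dataclass
class Match:
    """One matching relationship: client IP -> port, plus the two timers."""
    port: str
    created: float     # when the relationship was generated (online-time threshold)
    last_seen: float   # last message carrying this client IP (idle "preset time")


class MatchingTable:
    """Client IP -> port mapping on the firewall directly connected to the intranet server."""

    def __init__(self, idle_timeout: float, max_online: float) -> None:
        self.idle_timeout = idle_timeout  # preset time for the idle rule
        self.max_online = max_online      # allowed online access time threshold
        self.table: Dict[str, Match] = {}

    def on_first_message(self, msg: Message, now: float) -> str:
        """First message from an intranet VPN device: create or update the relationship.

        Returns 'created', 'updated' or 'unchanged' to describe the table change.
        """
        client_ip, port = msg.src_ip, msg.ingress_port
        entry = self.table.get(client_ip)
        if entry is None:
            self.table[client_ip] = Match(port=port, created=now, last_seen=now)
            return "created"
        entry.last_seen = now             # a message with this client IP arrived: reset idle timer
        if entry.port != port:            # client now reached through a different port/VPN device
            entry.port = port
            return "updated"
        return "unchanged"

    def on_second_message(self, msg: Message, now: float) -> Optional[str]:
        """Second message from the intranet server: find the port for the destination client IP.

        Returns the port to forward through, or None when no relationship exists.
        """
        entry = self.table.get(msg.dst_ip)
        if entry is None:
            return None
        entry.last_seen = now             # assumption: the reply also counts as a message with this IP
        return entry.port

    def age(self, now: float) -> List[str]:
        """Remove relationships whose idle time or online time exceeded its threshold."""
        expired = sorted(ip for ip, m in self.table.items()
                         if now - m.last_seen > self.idle_timeout
                         or now - m.created > self.max_online)
        for ip in expired:
            del self.table[ip]
        return expired


def run_scenario() -> list:
    """Constructed walk-through: one client, a port change, then idle aging."""
    fw = MatchingTable(idle_timeout=60.0, max_online=600.0)
    server, client = "10.0.0.10", "203.0.113.5"      # constructed addresses
    events = []
    first = Message(src_ip=client, dst_ip=server, ingress_port="vpn-a")
    events.append(fw.on_first_message(first, now=0.0))        # created
    reply = Message(src_ip=server, dst_ip=client, ingress_port="server-link")
    events.append(fw.on_second_message(reply, now=1.0))       # vpn-a
    moved = Message(src_ip=client, dst_ip=server, ingress_port="vpn-b")
    events.append(fw.on_first_message(moved, now=2.0))        # updated
    events.append(fw.on_second_message(reply, now=3.0))       # vpn-b
    events.append(fw.age(now=100.0))                          # idle 97 s > 60 s: removed
    events.append(fw.on_second_message(reply, now=101.0))     # None: no relationship left
    return events


if __name__ == "__main__":
    print(run_scenario())
```

Because the table is keyed only by the client IP, an entry is overwritten by whichever port last carried a first message for that address, so in a deployment the update path should be driven only by messages arriving on the VPN-facing ports, and the two timers should be sized so that stale relationships are cleared without dropping the reply path of an active session.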
      Those skilled in the art will readily think of other embodiments of the invention after considering the specification and practicing the invention disclosed herein. This application is intended to cover any variations, uses or adaptations of the invention that follow its general principles and include common knowledge or customary technical means in the art not disclosed herein. The specification and embodiments are to be regarded as exemplary only; the true scope and spirit of the invention are indicated by the following claims.
      It should be understood that the invention is not limited to the precise structure described above and illustrated in the accompanying drawings, and that various modifications and changes may be made without departing from its scope. The scope of the invention is limited only by the appended claims.
    Claims (8)
1. A message forwarding method, applied on a firewall directly connected to an intranet server, characterized in that it includes:
      when a first message sent by an intranet virtual private network (VPN) device is received, determining the outer-net client Internet Protocol (IP) address in the first message and the port on the intranet VPN device and/or on the firewall used to transmit the first message;
      matching the determined outer-net client IP address with the port to generate a matching relationship;
      when a second message sent by the intranet server is received, finding from the matching relationship the port corresponding to the outer-net client IP address in the second message;
      forwarding the second message through the found port to the corresponding intranet VPN device, so that the intranet VPN device re-encapsulates the second message and forwards the re-encapsulated second message to the corresponding outer-net VPN device, which then decapsulates the re-encapsulated second message and forwards the decapsulated second message to the corresponding outer-net client.
2. The method according to claim 1, characterized in that, after determining the outer-net client IP address in the first message and the port on the intranet VPN device and/or on the firewall used to transmit the first message, the method further includes:
      judging whether a matching relationship corresponding to the determined outer-net client IP address exists on the firewall;
      if a matching relationship corresponding to the determined outer-net client IP address exists on the firewall, judging whether the determined port is identical to the port in that matching relationship, and if not, updating the port in the matching relationship to the determined port;
      wherein matching the determined outer-net client IP address with the port to generate a matching relationship includes: if no matching relationship corresponding to the determined outer-net client IP address exists on the firewall, matching the determined outer-net client IP address with the port to generate a matching relationship.
3. The method according to claim 1, characterized in that, after determining the outer-net client IP address in the first message and the port on the intranet VPN device and/or on the firewall used to transmit the first message, the method further includes:
      counting the duration until a message including the determined outer-net client IP address is next received;
      judging whether the counted duration exceeds a preset time, and if so, removing the matching relationship corresponding to the determined outer-net client IP address.
4. The method according to claim 2, characterized in that, after matching the determined outer-net client IP address with the port and generating the matching relationship, the method further includes:
      starting timing;
      judging whether the timed duration exceeds the time threshold for which an outer-net client is allowed to access the intranet server online, and if so, removing the matching relationship corresponding to the determined outer-net client IP address.
5. A message forwarding apparatus, applied on a firewall directly connected to an intranet server, characterized in that it includes:
      a determining unit, configured to, when a first message sent by an intranet VPN device is received, determine the outer-net client IP address in the first message and the port on the intranet VPN device and/or on the firewall used to transmit the first message;
      a generating unit, configured to match the determined outer-net client IP address with the port and generate a matching relationship;
      a searching unit, configured to, when a second message sent by the intranet server is received, find from the matching relationship the port corresponding to the outer-net client IP address in the second message;
      a forwarding unit, configured to forward the second message through the found port to the corresponding intranet VPN device, so that the intranet VPN device re-encapsulates the second message and forwards the re-encapsulated second message to the corresponding outer-net VPN device, which then decapsulates the re-encapsulated second message and forwards the decapsulated second message to the corresponding outer-net client.
6. The apparatus according to claim 5, characterized in that it further includes:
      a judging unit, configured to, after the outer-net client IP address in the first message and the port on the intranet VPN device and/or on the firewall used to transmit the first message have been determined, judge whether a matching relationship corresponding to the determined outer-net client IP address exists on the firewall;
      an updating unit, configured to, if a matching relationship corresponding to the determined outer-net client IP address exists on the firewall, judge whether the determined port is identical to the port in that matching relationship, and if not, update the port in the matching relationship to the determined port;
      wherein the generating unit is specifically configured to, if no matching relationship corresponding to the determined outer-net client IP address exists on the firewall, match the determined outer-net client IP address with the port and generate a matching relationship.
7. The apparatus according to claim 5, characterized in that it further includes:
      a timing unit, configured to, after the outer-net client IP address in the first message and the port on the intranet VPN device and/or on the firewall used to transmit the first message have been determined, count the duration until a message including the determined outer-net client IP address is next received;
      a clearing unit, configured to judge whether the counted duration exceeds a preset time, and if so, remove the matching relationship corresponding to the determined outer-net client IP address.
8. The apparatus according to claim 6, characterized in that it further includes:
      a timing unit, configured to start timing after the determined outer-net client IP address has been matched with the port and the matching relationship generated;
      a clearing unit, configured to judge whether the timed duration exceeds the time threshold for which an outer-net client is allowed to access the intranet server online, and if so, remove the matching relationship corresponding to the determined outer-net client IP address.
    Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title | 
|---|---|---|---|
| CN201510221087.XA CN105991442B (en) | 2015-04-30 | 2015-04-30 | Message forwarding method and device | 
Publications (2)
| Publication Number | Publication Date | 
|---|---|
| CN105991442A true CN105991442A (en) | 2016-10-05 | 
| CN105991442B CN105991442B (en) | 2019-10-11 | 
Family
ID=57039585
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date | 
|---|---|---|---|
| CN201510221087.XA Active CN105991442B (en) | 2015-04-30 | 2015-04-30 | Message forwarding method and device | 
Country Status (1)
| Country | Link | 
|---|---|
| CN (1) | CN105991442B (en) | 
Events
- 2015-04-30 CN CN201510221087.XA patent/CN105991442B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title | 
|---|---|---|---|---|
| US7739497B1 (en) * | 2001-03-21 | 2010-06-15 | Verizon Corporate Services Group Inc. | Method and apparatus for anonymous IP datagram exchange using dynamic network address translation | 
| CN1697396A (en) * | 2004-05-10 | 2005-11-16 | 华为技术有限公司 | Method of Realizing Local Virtual Private Network Based on Firewall | 
| KR100683049B1 (en) * | 2005-12-15 | 2007-02-15 | 주식회사 비트텔 | How to connect office equipment in firewall using virtual private network | 
| CN101594301A (en) * | 2009-06-23 | 2009-12-02 | 杭州华三通信技术有限公司 | A message processing method and device | 
| CN101778045A (en) * | 2010-01-27 | 2010-07-14 | 成都市华为赛门铁克科技有限公司 | Message transmission method, device and network system | 
| CN102710507A (en) * | 2012-05-17 | 2012-10-03 | 杭州华三通信技术有限公司 | Method and network equipment for achieving consistency of message forwarding paths | 
Cited By (9)
| Publication number | Priority date | Publication date | Assignee | Title | 
|---|---|---|---|---|
| CN107040429A (en) * | 2017-03-13 | 2017-08-11 | 上海斐讯数据通信技术有限公司 | A kind of method of testing and system of port forwarding performance | 
| CN107547509A (en) * | 2017-06-27 | 2018-01-05 | 新华三技术有限公司 | A kind of message forwarding method and device | 
| CN107547509B (en) * | 2017-06-27 | 2020-10-13 | 新华三技术有限公司 | Message forwarding method and device | 
| CN107800603A (en) * | 2017-07-31 | 2018-03-13 | 北京上和瑞科技有限公司 | Intranet user accesses the method and storage medium of headend equipment based on VPN | 
| CN107800603B (en) * | 2017-07-31 | 2018-11-09 | 北京上和瑞科技有限公司 | Intranet user accesses the method and storage medium of headend equipment based on VPN | 
| CN112272133A (en) * | 2020-10-22 | 2021-01-26 | 珠海市魅族科技有限公司 | Network sharing method, apparatus, electronic device, and computer-readable storage medium | 
| CN112272133B (en) * | 2020-10-22 | 2024-12-17 | 珠海市魅族科技有限公司 | Network sharing method, device, electronic equipment and computer readable storage medium | 
| CN113179295A (en) * | 2021-04-02 | 2021-07-27 | 杭州迪普科技股份有限公司 | Message processing method and device | 
| CN113179295B (en) * | 2021-04-02 | 2022-11-01 | 杭州迪普科技股份有限公司 | Message processing method and device | 
Also Published As
| Publication number | Publication date | 
|---|---|
| CN105991442B (en) | 2019-10-11 | 
Similar Documents
| Publication | Publication Date | Title | 
|---|---|---|
| CN105991442A (en) | | Message forwarding method and device | 
| EP3720075B1 (en) | | Data transmission method and virtual switch | 
| US8625448B2 (en) | | Method and system for validating network traffic classification in a blade server | 
| US20210312472A1 (en) | | Method and system for prediction of smart contract violation using dynamic state space creation | 
| KR101472685B1 (en) | | Network connection gateway, a network isolation method and a computer network system using such a gateway | 
| CN105939239A (en) | | Data transmission method and device of virtual network interface card | 
| CN103618646A (en) | | Method for detecting network performance, packet loss probability and time delay and network fringe node equipment | 
| CN101834783A (en) | | Method and device for forwarding messages and network equipment | 
| CN107135167A (en) | | Data transmission method, data transmission device and server | 
| CN107332886A (en) | | Method of data synchronization, device, system, electronic equipment and readable storage medium storing program for executing | 
| CN111277602A (en) | | Network data packet identification processing method and device, electronic equipment and storage medium | 
| CN106101297B (en) | | A kind of message answer method and device | 
| US7519004B1 (en) | | Loopback testing of a network interface device from a user-space software layer | 
| CN105939267A (en) | | Out-of-band management method and device | 
| CN104301449A (en) | | Method and device for modifying IP address | 
| TWI735633B (en) | | Data transmission method, equipment, device and system | 
| CN105991627A (en) | | Data connection establishing method and device | 
| AU2015301504B2 (en) | | End point secured network | 
| CN105991348B (en) | | TCP connection method for closing and device | 
| CN104184729A (en) | | Message processing method and device | 
| CN107634971A (en) | | A kind of method and device for detecting flood attack | 
| CN105791458B (en) | | Address configuration method and device | 
| CN112751946B (en) | | Tunnel establishment method, device, equipment and computer readable storage medium | 
| CN105939396A (en) | | Message modification method and device | 
| CN105187358B (en) | | The network terminal and network terminal interconnection resources distribution method | 
Legal Events
| Date | Code | Title | Description | 
|---|---|---|---|
| | C06 | Publication | | 
| | PB01 | Publication | | 
| | C10 | Entry into substantive examination | | 
| | SE01 | Entry into force of request for substantive examination | | 
| | CB02 | Change of applicant information | | 
| | CB02 | Change of applicant information | Address after: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building; Applicant after: Hangzhou Dipu Polytron Technologies Inc; Address before: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building; Applicant before: Hangzhou Dipu Technology Co., Ltd. | 
| | GR01 | Patent grant | | 
| | GR01 | Patent grant | | 