CN105991442B - Message forwarding method and device - Google Patents
Message forwarding method and device
- Publication number: CN105991442B (CN201510221087.XA)
- Authority: CN (China)
- Prior art keywords: message, outer net, address, intranet, port
- Legal status: Active
- Landscapes: Data Exchanges In Wide-Area Networks
Abstract
The present invention provides a message forwarding method and device. The method is applied on a firewall directly connected to an intranet server and includes: when a first message sent by an intranet VPN device is received, determining the external network client IP address in the first message and the port used to transmit the first message on the intranet VPN device and/or on the firewall; matching the determined external network client IP address with the port to generate a matching relationship; when a second message sent by the intranet server is received, looking up in the matching relationship the port corresponding to the external network client IP address in the second message; and forwarding the second message through the found port to the corresponding intranet VPN device. Embodiments of the present invention enable the intranet server to access external network clients effectively.
Description
Technical field
The present invention relates to the field of network communication technology, and in particular to a message forwarding method and device.
Background
With the development of network communication technology, more and more companies use VPN (Virtual Private Network) technology to build an intranet that provides server resources to company employees, thereby giving external network clients secure access to the company's internal data. When external network clients generate too many access requests for server resources in the intranet, a single intranet VPN device may be unable to process all of them. The intranet therefore usually provides multiple VPN devices and uses an application delivery gateway to distribute the external network clients' access requests evenly across these VPN devices. The external address of the multiple intranet VPN devices can be the IP (Internet Protocol) address of the application delivery gateway.
To allow the intranet server to manage external network clients, the intranet server must be able to access each external network client correctly. When requesting access to an external network client, the intranet server first sends a message to an intranet VPN device. After receiving the message, the intranet VPN device re-encapsulates it so that the destination address of the re-encapsulated message is the IP address of the external network VPN device corresponding to the external network client the intranet server is requesting to access.
However, each external network client may be connected to a different external network VPN device, and not every VPN device provided in the intranet holds the IP address of the external network VPN device corresponding to the external network client the intranet server is requesting to access. Only when the intranet server sends the second message to the correct intranet VPN device can the second message be forwarded correctly to the external network client, ensuring the intranet server's access to that client.
It can be seen that, in the prior art, the intranet server may be unable to access external network clients effectively.
Summary of the invention
The present invention provides a message forwarding method and device to solve the problem that an intranet server cannot effectively access external network clients.
According to a first aspect of the embodiments of the present invention, a message forwarding method is provided. The method is applied on a firewall directly connected to an intranet server and comprises:
when a first message sent by an intranet VPN device is received, determining the external network client IP address in the first message and the port used to transmit the first message on the intranet VPN device and/or on the firewall;
matching the determined external network client IP address with the port to generate a matching relationship;
when a second message sent by the intranet server is received, looking up in the matching relationship the port corresponding to the external network client IP address in the second message;
forwarding the second message through the found port to the corresponding intranet VPN device, so that the intranet VPN device re-encapsulates the second message and forwards the re-encapsulated second message to the corresponding external network VPN device, and the external network VPN device decapsulates the re-encapsulated second message and forwards the decapsulated second message to the corresponding external network client.
According to a second aspect of the embodiments of the present invention, a message forwarding apparatus is provided. The apparatus is applied on a firewall directly connected to an intranet server and comprises:
a determination unit, configured to determine, when a first message sent by an intranet VPN device is received, the external network client IP address in the first message and the port used to transmit the first message on the intranet VPN device and/or on the firewall;
a generation unit, configured to match the determined external network client IP address with the port to generate a matching relationship;
a lookup unit, configured to look up in the matching relationship, when a second message sent by the intranet server is received, the port corresponding to the external network client IP address in the second message;
a forwarding unit, configured to forward the second message through the found port to the corresponding intranet VPN device, so that the intranet VPN device re-encapsulates the second message and forwards the re-encapsulated second message to the corresponding external network VPN device, and the external network VPN device decapsulates the re-encapsulated second message and forwards the decapsulated second message to the corresponding external network client.
In the embodiments of the present invention, when the firewall receives a first message sent by an intranet VPN device, it first determines the external network client IP address in the first message and the port used to transmit the first message on the intranet VPN device and/or on the firewall, and then matches the determined external network client IP address with the port to generate a matching relationship. After receiving a second message sent by the intranet server, the firewall can then look up in the matching relationship the port corresponding to the external network client IP address in the second message and forward the second message through the found port to the corresponding intranet VPN device. In this way the intranet server can send the second message to the correct intranet VPN device through the firewall, which enables the intranet server to access external network clients effectively.
Brief description of the drawings
Fig. 1 is a schematic diagram of an application scenario in which message forwarding is implemented using an embodiment of the present invention;
Fig. 2 is a flowchart of one embodiment of the message forwarding method of the present invention;
Fig. 3 is a flowchart of another embodiment of the message forwarding method of the present invention;
Fig. 4 is a hardware structure diagram of the device on which the message forwarding apparatus of the present invention resides;
Fig. 5 is a block diagram of one embodiment of the message forwarding apparatus of the present invention.
Detailed description of the embodiments
To help those skilled in the art better understand the technical solutions in the embodiments of the present invention, and to make the above objects, features and advantages of the embodiments clearer, the technical solutions in the embodiments are described in further detail below with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of an application scenario in which message forwarding is implemented using an embodiment of the present invention. In Fig. 1, the external network client may be a mobile phone, a PC (Personal Computer) or the like, and the intranet VPN devices and external network VPN devices may be gateways, routers and the like. When accessing the intranet server, the external network client first sends a first message to the external network VPN device; the source address of the first message is the external network client IP address and the destination address is the intranet server IP address. After receiving the first message, the external network VPN device re-encapsulates it so that the source address of the re-encapsulated first message is the IP address of the external network VPN device and the destination address is the IP address of the application delivery gateway; the re-encapsulated first message may also contain the external network client IP address and the intranet server IP address. The re-encapsulated first message is then sent over the external network to the application delivery gateway. After receiving the re-encapsulated first message, the application delivery gateway sends it to one of the intranet VPN devices according to the load on each intranet VPN device. After receiving the re-encapsulated first message, the intranet VPN device decapsulates it so that the source address of the decapsulated first message is the external network client IP address and the destination address is the intranet server IP address, and then sends the decapsulated first message to the intranet server through the firewall.
When accessing an external network client, the intranet server first sends a second message through the firewall to an intranet VPN device; the source address of the second message is the intranet server IP address and the destination address is the external network client IP address. After receiving the second message, the intranet VPN device re-encapsulates it so that the source address of the re-encapsulated second message is the IP address of the application delivery gateway (that is, the IP address of the intranet VPN device) and the destination address is the IP address of the external network VPN device corresponding to the external network client the intranet server is requesting to access; the re-encapsulated second message may also contain the external network client IP address and the intranet server IP address. The re-encapsulated second message is then sent through the application delivery gateway to the corresponding external network VPN device. After receiving the second message, the external network VPN device decapsulates it so that the source address of the decapsulated second message is the intranet server IP address and the destination address is the external network client IP address, and then sends the decapsulated second message to the corresponding external network client.
After receiving the second message, the intranet VPN device must first re-encapsulate it so that the destination address of the re-encapsulated second message is the IP address of the external network VPN device corresponding to the external network client the intranet server is requesting to access. However, usually not every VPN device provided by the intranet holds the IP address of that external network VPN device. Only when the intranet server sends the second message to the correct intranet VPN device can the second message be forwarded correctly to the external network client, ensuring the intranet server's access to that client.
In the embodiments of the present invention, when the firewall receives a first message sent by an intranet VPN device, it first determines the external network client IP address in the first message and the port used to transmit the first message on the intranet VPN device and/or on the firewall, and then matches the determined external network client IP address with the port to generate a matching relationship. After receiving a second message sent by the intranet server, the firewall can then look up in the matching relationship the port corresponding to the external network client IP address in the second message and forward the second message through the found port to the corresponding intranet VPN device. In this way the intranet server can send the second message to the correct intranet VPN device through the firewall, which enables the intranet server to access external network clients effectively.
Fig. 2 is a flowchart of one embodiment of the message forwarding method of the present invention. The embodiment is described from the side of the firewall directly connected to the intranet server and includes the following steps:
Step 201: when a first message sent by an intranet VPN device is received, determine the external network client IP address in the first message and the port used to transmit the first message on the intranet VPN device and/or on the firewall.
In this embodiment, when accessing the intranet server, the external network client first sends a first message to the external network VPN device. After receiving the first message, the external network VPN device re-encapsulates it and sends the re-encapsulated first message to the application delivery gateway. After receiving the re-encapsulated first message, the application delivery gateway sends it to one of the intranet VPN devices according to the load on each intranet VPN device.
After receiving the re-encapsulated first message, the intranet VPN device first decapsulates it and then sends the decapsulated first message to the firewall directly connected to the intranet server. The decapsulated first message is identical to the first message the external network client sent to the external network VPN device and contains the external network client IP address and the intranet server IP address. After receiving the decapsulated first message, the firewall can therefore determine the IP address of the external network client in the first message and the port used to transmit the first message on the intranet VPN device and/or on the firewall. When only the port used to send the first message on the intranet VPN device is fixed, the firewall may determine only that port on the intranet VPN device. When only the port used to receive the first message on the firewall is fixed, the firewall may determine only that port on the firewall. When the ports used to transmit the first message on both the intranet VPN device and the firewall are fixed, the firewall may determine both the port used to send the first message on the intranet VPN device and the port used to receive the first message on the firewall.
Step 202: match the determined external network client IP address with the port to generate a matching relationship.
In this embodiment, the firewall first checks whether a matching relationship corresponding to the determined external network client IP address already exists locally. If one exists, the firewall further checks whether the determined port is the same as the port in the matching relationship: if it is, the matching relationship is not updated; otherwise, the port in the matching relationship is updated to the determined port. If no matching relationship corresponding to the determined external network client IP address exists in the firewall, the firewall matches the determined external network client IP address with the port to generate a matching relationship. As the load on the intranet VPN devices changes, the intranet VPN device that forwards the messages exchanged between an external network client and the intranet server may change, which can change the port used to transmit those messages on the intranet VPN device and/or the firewall. In addition, over time an intranet VPN device may lose the external network VPN device IP address it has stored because of unstable performance. By updating the matching relationship, this embodiment therefore further ensures that the intranet server sends the second message to the correct intranet VPN device through the firewall, and thus further ensures the intranet server's access to external network clients.
In addition, the firewall may measure the time elapsed until it next receives a message containing the determined external network client IP address (that is, a first message sent by the external network client to the intranet server or a second message sent by the intranet server to the external network client) and check whether the measured duration exceeds a preset time. If it does, the matching relationship corresponding to the determined external network client IP address is cleared; otherwise, this step is repeated. By clearing the matching relationship corresponding to an external network client IP address when no messages between that client and the intranet server have been received within the preset time, this embodiment frees space in the firewall and improves the firewall's utilization efficiency.
To control how long external network clients stay online when accessing the intranet server, an administrator can configure a time threshold for how long each external network client is allowed to access the intranet server online; when an external network client has been online longer than the configured time threshold, it is forced offline. In this case, the firewall can set an aging time for the matching relationship, and when the aging time of the matching relationship exceeds the configured time threshold, the matching relationship is cleared.
Specifically, after the firewall receives a first message sent by an intranet VPN device and determines the external network client IP address in it, it matches the determined external network client IP address with the port and generates a matching relationship only if no matching relationship corresponding to that IP address exists in the firewall. The moment a matching relationship is generated for the determined external network client IP address is therefore the moment the corresponding external network client has just come online. At that point the firewall can start a timer and check whether the timed duration exceeds the time threshold for which the external network client is allowed to access the intranet server online. If it does, the matching relationship corresponding to the determined external network client IP address is cleared, which frees space in the firewall and improves the firewall's utilization efficiency.
Step 203: when a second message sent by the intranet server is received, look up in the matching relationship the port corresponding to the external network client IP address in the second message.
In this embodiment, when accessing an external network client, the intranet server first sends a second message to the firewall; the source address of the second message is the intranet server IP address and the destination address is the external network client IP address. After receiving the second message sent by the intranet server, the firewall can look up in the matching relationship the port corresponding to the external network client IP address in the second message.
Step 204: forward the second message through the found port to the corresponding intranet VPN device, so that the intranet VPN device re-encapsulates the second message and forwards the re-encapsulated second message to the corresponding external network VPN device, and the external network VPN device decapsulates the re-encapsulated second message and forwards the decapsulated second message to the corresponding external network client.
In this embodiment, at least one side of the link between the intranet VPN device and the firewall uses a fixed port for the connection, so the firewall can use the found port to forward the second message sent by the intranet server to the correct intranet VPN device, that is, the intranet VPN device that holds the IP address of the external network VPN device corresponding to the external network client the intranet server is requesting to access.
After receiving the second message sent by the intranet server, the intranet VPN device first re-encapsulates it and then sends the re-encapsulated second message through the application delivery gateway to the corresponding external network VPN device. After receiving the re-encapsulated second message, the external network VPN device first decapsulates it and then sends the decapsulated second message to the corresponding external network client.
As the above embodiment shows, when the firewall receives a first message sent by an intranet VPN device, it first determines the external network client IP address in the first message and the port used to transmit the first message on the intranet VPN device and/or on the firewall, and then matches the determined external network client IP address with the port to generate a matching relationship. After receiving a second message sent by the intranet server, the firewall can then look up in the matching relationship the port corresponding to the external network client IP address in the second message and forward the second message through the found port to the corresponding intranet VPN device. In this way the intranet server can send the second message to the correct intranet VPN device through the firewall, which enables the intranet server to access external network clients effectively.
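The matching-relationship handling of steps 201 to 204, with both clearing rules applied to one table, as an added Python example that is not part of the patent text. It assumes the recorded port is the firewall-side receiving port; the class and function names, port labels, addresses and timer values are constructed for illustration, and returning None when no valid matching relationship exists is an assumption, since the text does not say what the firewall does in that case.

```python
"""Firewall-side matching table: external client IP -> port toward an intranet VPN device."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Optional


@dataclass
class Match:
    port: str         # firewall port on which the first message arrived (assumed fixed link)
    created: float    # when the relationship was generated, i.e. the client came online
    last_seen: float  # latest message in either direction carrying this client IP


class MatchTable:
    def __init__(self, idle_timeout: float, online_limit: float):
        self.idle_timeout = idle_timeout  # "preset time" between messages
        self.online_limit = online_limit  # administrator's online-time threshold
        self.entries: Dict[str, Match] = {}

    def _live(self, client_ip: str, now: float) -> Optional[Match]:
        """Return the entry if still valid; clear it if either timer has run out."""
        m = self.entries.get(client_ip)
        if m is None:
            return None
        idle_expired = now - m.last_seen > self.idle_timeout
        online_expired = now - m.created > self.online_limit
        if idle_expired or online_expired:
            del self.entries[client_ip]
            return None
        return m

    def learn(self, src_ip: str, in_port: str, now: float) -> str:
        """Steps 201-202: a decapsulated first message arrives from an intranet VPN device."""
        client_ip = str(ip_address(src_ip))  # raises ValueError on a malformed address
        m = self._live(client_ip, now)
        if m is None:
            self.entries[client_ip] = Match(in_port, created=now, last_seen=now)
            return "created"
        m.last_seen = now
        if m.port == in_port:
            return "unchanged"
        m.port = in_port  # the load balancer moved the client to another VPN device
        return "updated"

    def egress_port(self, dst_ip: str, now: float) -> Optional[str]:
        """Steps 203-204: second message from the intranet server, keyed on its destination."""
        m = self._live(str(ip_address(dst_ip)), now)
        if m is None:
            return None  # assumption: the caller decides how to treat a miss
        m.last_seen = now
        return m.port


# Constructed event trace: (time in seconds, message kind, client IP, arrival port).
EVENTS = [
    (0, "first", "203.0.113.10", "ge0/1"),    # client comes online via VPN device 1
    (10, "second", "203.0.113.10", None),     # server replies, goes out ge0/1
    (20, "first", "203.0.113.10", "ge0/2"),   # same client now arrives via VPN device 2
    (30, "second", "203.0.113.10", None),     # reply follows the updated port
    (40, "second", "203.0.113.99", None),     # no relationship for this client
    (95, "second", "203.0.113.10", None),     # 65 s idle exceeds the 60 s preset time
    (100, "first", "203.0.113.10", "ge0/1"),  # relationship is generated again
]


def replay(events, idle_timeout: float = 60.0, online_limit: float = 300.0):
    """Feed the trace through a fresh table and collect each decision."""
    table = MatchTable(idle_timeout, online_limit)
    results = []
    for now, kind, ip, port in events:
        if kind == "first":
            results.append(table.learn(ip, port, now))
        else:
            results.append(table.egress_port(ip, now))
    return results


if __name__ == "__main__":
    for event, result in zip(EVENTS, replay(EVENTS)):
        print(event, "->", result)
```

The online-time rule is measured from `created`, which a port update does not reset, so a client that keeps exchanging messages is still cleared once the threshold passes.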
Fig. 3 is a flowchart of another embodiment of the message forwarding method of the present invention. This embodiment describes the message forwarding process in detail through the interaction between an external network client and the intranet server:
Step 301: the external network client sends a first message to the external network VPN device.
Step 302: the external network VPN device re-encapsulates the first message so that the source address of the re-encapsulated first message is the IP address of the external network VPN device and the destination address is the IP address of the application delivery gateway; the re-encapsulated first message may contain the external network client IP address and the intranet server IP address.
Step 303: the external network VPN device sends the re-encapsulated first message through the application delivery gateway to an intranet VPN device.
Step 304: the intranet VPN device decapsulates the first message so that the source address of the decapsulated first message is the external network client IP address and the destination address is the intranet server IP address.
Step 305: the intranet VPN device sends the decapsulated first message to the firewall.
Step 306: the firewall creates a session corresponding to the external network client IP address in the first message. The session may contain five-tuple information, namely the external network client IP address, the intranet server IP address, the port on the intranet VPN device used to send the first message, the port on the firewall used to receive the message, and the transport protocol.
Step 307: the intranet server sends a second message to the firewall.
Step 308: the firewall determines the corresponding session according to the external network client IP address in the second message.
Step 309: the firewall forwards the second message to the corresponding intranet VPN device according to the information in the determined session. In this way the intranet server forwards the second message to the correct intranet VPN device through the firewall.
Step 310: the intranet VPN device re-encapsulates the second message so that the source address of the re-encapsulated second message is the IP address of the application delivery gateway and the destination address is the IP address of the external network VPN device; the re-encapsulated second message may contain the external network client IP address and the intranet server IP address.
Step 311: the intranet VPN device sends the re-encapsulated second message through the application delivery gateway to the corresponding external network VPN device.
Step 312: the external network VPN device decapsulates the second message so that the source address of the decapsulated second message is the intranet server IP address and the destination address is the external network client IP address.
Step 313: the external network VPN device sends the decapsulated second message to the corresponding external network client.
As the above embodiment shows, when the firewall receives a first message sent by an intranet VPN device, it first determines the external network client IP address in the first message and the port used to transmit the first message on the intranet VPN device and/or on the firewall, and then matches the determined external network client IP address with the port to generate a matching relationship. After receiving a second message sent by the intranet server, the firewall can then look up in the matching relationship the port corresponding to the external network client IP address in the second message and forward the second message through the found port to the corresponding intranet VPN device. In this way the intranet server can send the second message to the correct intranet VPN device through the firewall, which enables the intranet server to access external network clients effectively.
Corresponding to the foregoing embodiments of the message forwarding method, the present invention also provides embodiments of a message forwarding apparatus.
The embodiments of the message forwarding apparatus of the present invention can be applied on a firewall directly connected to an intranet server. The apparatus embodiments can be implemented in software, or in hardware or a combination of software and hardware. Taking a software implementation as an example, the apparatus in the logical sense is formed when the processor of the device on which it resides reads the corresponding computer program instructions from non-volatile memory into memory and runs them. At the hardware level, Fig. 4 shows a hardware structure diagram of the device on which the message forwarding apparatus of the present invention resides. In addition to the processor, network interface and memory shown in Fig. 4, the device on which the apparatus resides may usually include other hardware, such as a forwarding chip responsible for processing messages. In terms of hardware structure, the device may also be a distributed device and may include multiple interface cards so that message processing can be extended at the hardware level.
Fig. 5 is a block diagram of one embodiment of the message forwarding apparatus of the present invention. The apparatus is applied on a firewall directly connected to an intranet server and includes:
a determination unit 510, configured to determine, when a first message sent by an intranet VPN device is received, the external network client IP address in the first message and the port used to transmit the first message on the intranet VPN device and/or on the firewall;
a generation unit 520, configured to match the determined external network client IP address with the port to generate a matching relationship;
a lookup unit 530, configured to look up in the matching relationship, when a second message sent by the intranet server is received, the port corresponding to the external network client IP address in the second message;
a forwarding unit 540, configured to forward the second message through the found port to the corresponding intranet VPN device, so that the intranet VPN device re-encapsulates the second message and forwards the re-encapsulated second message to the corresponding external network VPN device, and the external network VPN device decapsulates the re-encapsulated second message and forwards the decapsulated second message to the corresponding external network client.
In an optional implementation, the apparatus further includes:
a judging unit 550, configured to determine, after the external network client IP address in the first message and the port used to transmit the first message on the intranet VPN device and/or on the firewall have been determined, whether a matching relationship corresponding to the determined external network client IP address exists in the firewall;
an updating unit 560, configured to determine, if a matching relationship corresponding to the determined external network client IP address exists in the firewall, whether the determined port is the same as the port in the matching relationship and, if it is not, update the port in the matching relationship to the determined port;
the generation unit 520 being specifically configured to match the determined external network client IP address with the port to generate a matching relationship if no matching relationship corresponding to the determined external network client IP address exists in the firewall.
In another optional implementation, the apparatus further includes:
a timing unit 570, configured to measure, after the external network client IP address in the first message and the port used to transmit the first message on the intranet VPN device and/or on the firewall have been determined, the time elapsed until a message containing the determined external network client IP address is next received;
a clearing unit 580, configured to determine whether the measured duration exceeds a preset time and, if so, clear the matching relationship corresponding to the determined external network client IP address.
In another optional implementation:
the timing unit 570 is configured to start a timer after the determined external network client IP address is matched with the port and the matching relationship is generated;
the clearing unit 580 is configured to determine whether the timed duration exceeds the time threshold for which the external network client is allowed to access the intranet server online and, if so, clear the matching relationship corresponding to the determined external network client IP address.
For the implementation of the functions and roles of the units in the above apparatus, see the implementation of the corresponding steps in the above method; details are not repeated here.
Since the device embodiment essentially corresponds to the method embodiment, refer to the description of the method embodiment for the relevant parts. The device embodiments described above are merely illustrative: units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present invention. Those of ordinary skill in the art can understand and implement it without creative effort.
As can be seen from the above embodiments, when the firewall receives a first message sent by an intranet VPN device, it first determines the external network client IP address in the first message and the port used to transmit the first message on the intranet VPN device and/or on the firewall, and then matches the determined external network client IP address with the port to generate a matching relationship. After receiving a second message sent by the intranet server, the firewall can then find in the matching relationship the port corresponding to the external network client IP address in the second message and forward the second message through that port to the corresponding intranet VPN device. The intranet server can thus send the second message through the firewall to the correct intranet VPN device, so that the external network client can effectively access the intranet server.
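The matching-relationship table summarised above, written out as an added sketch (not code from the patent). It goes slightly beyond any single embodiment by combining the port-update rule with both clearing timers of units 570 and 580. The class and port names, the sample addresses, refreshing the idle timer only on messages from VPN devices, and returning None for an unknown client are assumptions.

```python
import time
from dataclasses import dataclass


@dataclass
class Entry:
    port: str          # firewall port facing the intranet VPN device
    created: float     # when the matching relationship was generated
    last_seen: float   # last message from a VPN device for this client IP


class MatchTable:
    """Client IP -> port table kept by the firewall (names are hypothetical)."""

    def __init__(self, idle_timeout, max_session, clock=time.monotonic):
        self.idle_timeout = idle_timeout   # the "preset time"
        self.max_session = max_session     # allowed online-access time threshold
        self.clock = clock
        self.entries = {}

    def _expire(self, client_ip, now):
        e = self.entries.get(client_ip)
        if e and (now - e.last_seen > self.idle_timeout
                  or now - e.created > self.max_session):
            del self.entries[client_ip]    # remove the stale matching relationship

    def learn(self, client_ip, port):
        """First message (from an intranet VPN device): create or update."""
        now = self.clock()
        self._expire(client_ip, now)
        e = self.entries.get(client_ip)
        if e is None:
            self.entries[client_ip] = Entry(port, now, now)
            return "created"
        e.last_seen = now
        if e.port != port:                 # client now arrives via another port
            e.port = port
            return "updated"
        return "refreshed"

    def lookup(self, client_ip):
        """Second message (from the intranet server): egress port or None."""
        self._expire(client_ip, self.clock())
        e = self.entries.get(client_ip)
        return e.port if e else None       # None: caller drops, never guesses


if __name__ == "__main__":
    t = MatchTable(idle_timeout=30, max_session=3600)
    print(t.learn("203.0.113.10", "ge0/1"))   # constructed address and port name
    print(t.lookup("203.0.113.10"))
    print(t.lookup("198.51.100.7"))           # never learned
```

Expiring entries on both an idle and an absolute timer keeps return traffic from being forwarded toward a VPN device that no longer serves that client address.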
Other embodiments of the invention will readily occur to those skilled in the art after considering the specification and practicing the invention disclosed here. This application is intended to cover any variations, uses, or adaptations of the invention that follow its general principles and include common knowledge or customary technical means in the art not disclosed herein. The description and embodiments are to be regarded as exemplary only, with the true scope and spirit of the invention indicated by the following claims.
It should be understood that the invention is not limited to the precise structure described above and shown in the accompanying drawings, and that various modifications and changes may be made without departing from its scope. The scope of the invention is limited only by the appended claims.
Claims (8)
1. A message forwarding method, applied on a firewall directly connected to an intranet server, characterized by comprising:
when a first message sent by an intranet virtual private network (VPN) device is received, determining the external network client Internet Protocol (IP) address in the first message and the port used to transmit the first message on the intranet VPN device and/or on the firewall;
matching the determined external network client IP address with the port to generate a matching relationship;
when a second message sent by the intranet server is received, finding in the matching relationship the port corresponding to the external network client IP address in the second message;
forwarding the second message through the found port to the corresponding intranet VPN device, so that the intranet VPN device re-encapsulates the second message and forwards the re-encapsulated second message to the corresponding external network VPN device, which then decapsulates the re-encapsulated second message and forwards the decapsulated second message to the corresponding external network client.
2. The method according to claim 1, characterized in that, after determining the external network client IP address in the first message and the port used to transmit the first message on the intranet VPN device and/or on the firewall, the method further comprises:
judging whether a matching relationship corresponding to the determined external network client IP address exists in the firewall;
if a matching relationship corresponding to the determined external network client IP address exists in the firewall, judging whether the determined port is the same as the port in the matching relationship and, if not, updating the port in the matching relationship to the determined port;
wherein matching the determined external network client IP address with the port to generate a matching relationship comprises: if no matching relationship corresponding to the determined external network client IP address exists in the firewall, matching the determined external network client IP address with the port to generate the matching relationship.
3. The method according to claim 1, characterized in that, after determining the external network client IP address in the first message and the port used to transmit the first message on the intranet VPN device and/or on the firewall, the method further comprises:
measuring the time that elapses until the next message including the determined external network client IP address is received;
judging whether the measured duration exceeds a preset time and, if so, removing the matching relationship corresponding to the determined external network client IP address.
4. The method according to claim 2, characterized in that, after matching the determined external network client IP address with the port to generate the matching relationship, the method further comprises:
starting timing;
judging whether the timed duration exceeds the time threshold for which an external network client is allowed online access to the intranet server and, if so, removing the matching relationship corresponding to the determined external network client IP address.
5. A message forwarding device, applied on a firewall directly connected to an intranet server, characterized by comprising:
a determination unit, configured to, when a first message sent by an intranet VPN device is received, determine the external network client IP address in the first message and the port used to transmit the first message on the intranet VPN device and/or on the firewall;
a generation unit, configured to match the determined external network client IP address with the port to generate a matching relationship;
a lookup unit, configured to, when a second message sent by the intranet server is received, find in the matching relationship the port corresponding to the external network client IP address in the second message;
a forwarding unit, configured to forward the second message through the found port to the corresponding intranet VPN device, so that the intranet VPN device re-encapsulates the second message and forwards the re-encapsulated second message to the corresponding external network VPN device, which then decapsulates the re-encapsulated second message and forwards the decapsulated second message to the corresponding external network client.
6. The device according to claim 5, characterized in that the device further comprises:
a judging unit, configured to, after the external network client IP address in the first message and the port used to transmit the first message on the intranet VPN device and/or on the firewall have been determined, judge whether a matching relationship corresponding to the determined external network client IP address exists in the firewall;
an updating unit, configured to, if a matching relationship corresponding to the determined external network client IP address exists in the firewall, judge whether the determined port is the same as the port in the matching relationship and, if not, update the port in the matching relationship to the determined port;
wherein the generation unit is specifically configured to, if no matching relationship corresponding to the determined external network client IP address exists in the firewall, match the determined external network client IP address with the port to generate the matching relationship.
7. The device according to claim 5, characterized in that the device further comprises:
a timing unit, configured to, after the external network client IP address in the first message and the port used to transmit the first message on the intranet VPN device and/or on the firewall have been determined, measure the time that elapses until the next message including the determined external network client IP address is received;
a clearing unit, configured to judge whether the measured duration exceeds a preset time and, if so, to remove the matching relationship corresponding to the determined external network client IP address.
8. The device according to claim 6, characterized in that the device further comprises:
a timing unit, configured to start timing after the determined external network client IP address has been matched with the port and the matching relationship has been generated;
a clearing unit, configured to judge whether the timed duration exceeds the time threshold for which an external network client is allowed online access to the intranet server and, if so, to remove the matching relationship corresponding to the determined external network client IP address.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510221087.XA CN105991442B (en) | 2015-04-30 | 2015-04-30 | Message forwarding method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105991442A (en) | 2016-10-05 |
CN105991442B (en) | 2019-10-11 |
Family
ID=57039585
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510221087.XA Active CN105991442B (en) | 2015-04-30 | 2015-04-30 | Message forwarding method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105991442B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN105991442A (en) | 2016-10-05 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
CB02 | Change of applicant information | ||
CB02 | Change of applicant information |
Address after: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building Applicant after: Hangzhou Dipu Polytron Technologies Inc Address before: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building Applicant before: Hangzhou Dipu Technology Co., Ltd. |
|
GR01 | Patent grant | ||
GR01 | Patent grant |