{"id":24553,"date":"2025-07-03T11:48:11","date_gmt":"2025-07-03T04:48:11","guid":{"rendered":"https:\/\/vacif.com\/?p=24251"},"modified":"2025-08-08T15:37:59","modified_gmt":"2025-08-08T08:37:59","slug":"huong-dan-cau-hinh-nat-dich-vu-iis-web-server-https-co-chung-chi-ca-chay-trong-lab-ao-eve-ra-internet-thong-qua-firewall-sophos","status":"publish","type":"post","link":"https:\/\/vacif.com\/en\/huong-dan-cau-hinh-nat-dich-vu-iis-web-server-https-co-chung-chi-ca-chay-trong-lab-ao-eve-ra-internet-thong-qua-firewall-sophos\/","title":{"rendered":"H\u01b0\u1edbng D\u1eabn C\u1ea5u H\u00ecnh NAT D\u1ecbch V\u1ee5 IIS Web Server HTTPS (C\u00f3 Ch\u1ee9ng Ch\u1ec9 CA) Ch\u1ea1y Trong Lab \u1ea2o Eve Ra Internet Th\u00f4ng Qua Firewall Sophos"},"content":{"rendered":"\n

I – T\u1ed5ng quan<\/span><\/h2><\/div><\/div><\/div>\n\n\n\n

M\u1ee5c ti\u00eau c\u1ee7a b\u00e0i lab l\u00e0 c\u1ea5u h\u00ecnh NAT (Network Address Translation) <\/strong>tr\u00ean Sophos Firewall<\/strong> \u0111\u1ec3 cho ph\u00e9p m\u00e1y ch\u1ee7 web (Web Server) trong m\u00f4i tr\u01b0\u1eddng \u1ea3o EVE-NG<\/strong> c\u00f3 th\u1ec3 cung c\u1ea5p d\u1ecbch v\u1ee5 HTTPS c\u00f3 ch\u1ee9ng ch\u1ec9 CA ra Internet<\/strong>. Qua \u0111\u00f3, ng\u01b0\u1eddi d\u00f9ng b\u00ean ngo\u00e0i c\u00f3 th\u1ec3 truy c\u1eadp trang web n\u1ed9i b\u1ed9 qua \u0111\u1ecba ch\u1ec9 IP c\u00f4ng c\u1ed9ng c\u1ee7a firewall.<\/p>\n\n\n\n

II – T\u00ecnh hu\u1ed1ng c\u1ea5u h\u00ecnh<\/span><\/h2><\/div><\/div><\/div>\n\n\n\n
    \n
  • Web Server n\u1eb1m trong m\u1ea1ng n\u1ed9i b\u1ed9 (LAN) c\u1ee7a m\u00f4 h\u00ecnh EVE-NG, ch\u1ec9 c\u00f3 IP n\u1ed9i b\u1ed9 (Private IP).<\/li>\n\n\n\n
  • Sophos Firewall \u0111\u01b0\u1ee3c c\u1ea5u h\u00ecnh l\u00e0m gateway gi\u1eefa m\u1ea1ng n\u1ed9i b\u1ed9 v\u00e0 Internet.<\/li>\n\n\n\n
  • C\u1ea7n c\u1ea5u h\u00ecnh NAT \u0111\u1ec3 \u00e1nh x\u1ea1 (map) c\u1ed5ng HTTP (80) v\u00e0 HTTPS (443) t\u1eeb IP c\u00f4ng c\u1ed9ng tr\u00ean Sophos v\u00e0 router \u0111\u1ebfn \u0111\u1ecba ch\u1ec9 IP n\u1ed9i b\u1ed9 c\u1ee7a Web Server.<\/li>\n<\/ul>\n\n\n\n

    III – M\u00f4 h\u00ecnh<\/span><\/h2><\/div><\/div><\/div>\n\n\n
    \n
    \"\"<\/figure>\n<\/div>\n\n\n

    IV- H\u01b0\u1edbng d\u1eabn c\u1ea5u h\u00ecnh<\/span><\/h2><\/div><\/div><\/div>\n\n\n\n

    B\u01b0\u1edbc 1: C\u1ea5u h\u00ecnh Web Server<\/strong><\/span><\/h2><\/div><\/div><\/div>\n\n\n\n
      \n
    • C\u00e0i \u0111\u1eb7t d\u1ecbch v\u1ee5 HTTP\/HTTPS (Apache, Nginx\u2026).<\/li>\n\n\n\n
    • \u0110\u1ea3m b\u1ea3o Web Server c\u00f3 IP t\u0129nh v\u00e0 d\u1ecbch v\u1ee5 web ho\u1ea1t \u0111\u1ed9ng b\u00ecnh th\u01b0\u1eddng trong n\u1ed9i b\u1ed9.<\/li>\n<\/ul>\n\n\n
      \n
      \"\"<\/figure>\n<\/div>\n\n\n

      B\u01b0\u1edbc 2: C\u1ea5u h\u00ecnh giao di\u1ec7n Sophos<\/strong><\/span><\/h2><\/div><\/div><\/div>\n\n\n\n
        \n
      • V\u00e0o m\u1ee5c Rules and policies -> Add firewall rule.<\/li>\n<\/ul>\n\n\n
        \n
        \"\"<\/figure>\n<\/div>\n\n\n
          \n
        • \u1ede m\u1ee5c Source zones: <\/strong>Ch\u1ecdn WAN -> Source networks and devices: <\/strong>Ch\u1ecdn Any<\/strong><\/li>\n\n\n\n
        • Destination zones:<\/strong> Ch\u1ecdn LAN -> Destination networks: <\/strong>ch\u1ecdn IP<\/strong> c\u1ee7a router EVE<\/strong> -> Services:<\/strong> Ch\u1ecdn d\u1ecbch v\u1ee5 HTTP<\/strong> v\u00e0 HTTPS<\/strong><\/li>\n<\/ul>\n\n\n
          \n
          \"\"<\/figure>\n<\/div>\n\n\n

          B\u01b0\u1edbc 3: C\u1ea5u h\u00ecnh DNAT tr\u00ean Sophos Firewall<\/strong><\/strong><\/span><\/h2><\/div><\/div><\/div>\n\n\n\n
            \n
          • V\u00e0o Rules and Policies -> NAT Rules -> Add NAT rule<\/strong><\/li>\n\n\n\n
          • Original source: <\/strong>ch\u1ecdn Any<\/strong><\/li>\n\n\n\n
          • Original destination<\/strong>: Ch\u1ecdn port wan<\/strong><\/li>\n\n\n\n
          • Original service: <\/strong>Ch\u1ecdn d\u1ecbch v\u1ee5 HTTPS<\/strong><\/li>\n\n\n\n
          • Translated source (SNAT):<\/strong> Ch\u1ecdn Original<\/strong><\/li>\n\n\n\n
          • Translated destination (DNAT):<\/strong> Ch\u1ecdn IP c\u1ee7a route eve<\/strong> (10.10.10.23)<\/strong><\/li>\n\n\n\n
          • Translated service(PAT):<\/strong> Ch\u1ecdn d\u1ecbch v\u1ee5 HTTPS(443)<\/strong><\/li>\n\n\n\n
          • Inbound interface: <\/strong>Ch\u1ecdn Network l\u00e0 c\u1ed5ng wan<\/strong><\/li>\n\n\n\n
          • Outbound interface:<\/strong> Ch\u1ecdn any<\/strong><\/li>\n<\/ul>\n\n\n
            \n
            \"\"<\/figure>\n<\/div>\n\n
            \n
            \"\"<\/figure>\n<\/div>\n\n\n

            B\u01b0\u1edbc 4: C\u1ea5u h\u00ecnh tr\u00ean Modem Router<\/strong><\/strong><\/strong><\/span><\/h2><\/div><\/div><\/div>\n\n\n\n
              \n
            • \u0110\u0103ng nh\u1eadp v\u00e0o modem -> Internet -> Security -> Port Forwarding -> Create New Item<\/strong><\/li>\n\n\n\n
            • Name:<\/strong> \u0110\u1eb7t t\u00ean rule<\/li>\n\n\n\n
            • Protocol: <\/strong>ch\u1ecdn TCP<\/strong><\/li>\n\n\n\n
            • WAN connection: Auto<\/strong><\/li>\n\n\n\n
            • LAN Host:<\/strong> Ch\u1ecdn IP Wan t\u0129nh<\/strong> c\u1ea5p cho firewall<\/li>\n\n\n\n
            • WAN Port: 443<\/strong><\/li>\n\n\n\n
            • LAN Host Port: 443<\/strong><\/li>\n<\/ul>\n\n\n
              \n
              \"\"<\/figure>\n<\/div>\n\n
              \n
              \"\"<\/figure>\n<\/div>\n\n\n

              B\u01b0\u1edbc 5: Ki\u1ec3m tra<\/strong><\/strong><\/strong><\/strong><\/span><\/h2><\/div><\/div><\/div>\n\n\n\n
                \n
              • T\u1eeb m\u00e1y b\u00ean ngo\u00e0i ho\u1eb7c host th\u1eadt, truy c\u1eadp IP c\u00f4ng c\u1ed9ng c\u1ee7a firewall tr\u00ean tr\u00ecnh duy\u1ec7t.<\/li>\n\n\n\n
              • N\u1ebfu c\u1ea5u h\u00ecnh \u0111\u00fang, s\u1ebd truy c\u1eadp \u0111\u01b0\u1ee3c Web Server n\u1ed9i b\u1ed9 qua NAT.<\/li>\n<\/ul>\n\n\n
                \n
                \"\"<\/figure>\n<\/div>","protected":false},"excerpt":{"rendered":"

                M\u1ee5c ti\u00eau c\u1ee7a b\u00e0i lab l\u00e0 c\u1ea5u h\u00ecnh NAT (Network Address Translation) tr\u00ean Sophos Firewall \u0111\u1ec3 cho ph\u00e9p m\u00e1y ch\u1ee7 web (Web Server) trong m\u00f4i tr\u01b0\u1eddng \u1ea3o EVE-NG c\u00f3 th\u1ec3 cung c\u1ea5p d\u1ecbch v\u1ee5 HTTPS c\u00f3 ch\u1ee9ng ch\u1ec9 CA ra Internet. Qua \u0111\u00f3, ng\u01b0\u1eddi d\u00f9ng b\u00ean ngo\u00e0i c\u00f3 th\u1ec3 truy c\u1eadp trang web n\u1ed9i b\u1ed9 […]<\/p>\n","protected":false},"author":2,"featured_media":24293,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_eb_attr":"","ocean_post_layout":"","ocean_both_sidebars_style":"","ocean_both_sidebars_content_width":0,"ocean_both_sidebars_sidebars_width":0,"ocean_sidebar":"","ocean_second_sidebar":"","ocean_disable_margins":"enable","ocean_add_body_class":"","ocean_shortcode_before_top_bar":"","ocean_shortcode_after_top_bar":"","ocean_shortcode_before_header":"","ocean_shortcode_after_header":"","ocean_has_shortcode":"","ocean_shortcode_after_title":"","ocean_shortcode_before_footer_widgets":"","ocean_shortcode_after_footer_widgets":"","ocean_shortcode_before_footer_bottom":"","ocean_shortcode_after_footer_bottom":"","ocean_display_top_bar":"default","ocean_display_header":"default","ocean_header_style":"","ocean_center_header_left_menu":"","ocean_custom_header_template":"","ocean_custom_logo":0,"ocean_custom_retina_logo":0,"ocean_custom_logo_max_width":0,"ocean_custom_logo_tablet_max_width":0,"ocean_custom_logo_mobile_max_width":0,"ocean_custom_logo_max_height":0,"ocean_custom_logo_tablet_max_height":0,"ocean_custom_logo_mobile_max_height":0,"ocean_header_custom_menu":"","ocean_menu_typo_font_family":"","ocean_menu_typo_font_subset":"","ocean_menu_typo_font_size":0,"ocean_menu_typo_font_size_tablet":0,"ocean_menu_typo_font_size_mobile":0,"ocean_menu_typo_font_size_unit":"px","ocean_menu_typo_font_weight":"","ocean_menu_typo_font_weight_tablet":"","ocean_menu_typo_font_weight_mobile":"","ocean_menu_typo_transform":"","ocean_menu_typo_transform_tablet":"","ocean_menu_typo_transform_mobile":"","ocean_menu_typo_line_height":0,"ocean_menu_typo_line_height_tablet":0,"ocean_menu_typo_line_height_mobile":0,"ocean_menu_typo_line_height_unit":"","ocean_menu_typo_spacing":0,"ocean_menu_typo_spacing_tablet":0,"ocean_menu_typo_spacing_mobile":0,"ocean_menu_typo_spacing_unit":"","ocean_menu_link_color":"","ocean_menu_link_color_hover":"","ocean_menu_link_color_active":"","ocean_menu_link_background":"","ocean_menu_link_hover_background":"","ocean_menu_link_active_background":"","ocean_menu_social_links_bg":"","ocean_menu_social_hover_links_bg":"","ocean_menu_social_links_color":"","ocean_menu_social_hover_links_color":"","ocean_disable_title":"default","ocean_disable_heading":"default","ocean_post_title":"","ocean_post_subheading":"","ocean_post_title_style":"","ocean_post_title_background_color":"","ocean_post_title_background":0,"ocean_post_title_bg_image_position":"","ocean_post_title_bg_image_attachment":"","ocean_post_title_bg_image_repeat":"","ocean_post_title_bg_image_size":"","ocean_post_title_height":0,"ocean_post_title_bg_overlay":0.5,"ocean_post_title_bg_overlay_color":"","ocean_disable_breadcrumbs":"default","ocean_breadcrumbs_color":"","ocean_breadcrumbs_separator_color":"","ocean_breadcrumbs_links_color":"","ocean_breadcrumbs_links_hover_color":"","ocean_display_footer_widgets":"default","ocean_display_footer_bottom":"default","ocean_custom_footer_template":"","ocean_post_oembed":"","ocean_post_self_hosted_media":"","ocean_post_video_embed":"","ocean_link_format":"","ocean_link_format_target":"self","ocean_quote_format":"","ocean_quote_format_link":"post","ocean_gallery_link_images":"on","ocean_gallery_id":[],"footnotes":""},"categories":[617,70,618],"tags":[334],"class_list":["post-24553","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-case-study-thuc-te","category-firewall","category-huong-dan","tag-sophos-firewall","entry","has-media"],"_links":{"self":[{"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/posts\/24553","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/comments?post=24553"}],"version-history":[{"count":1,"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/posts\/24553\/revisions"}],"predecessor-version":[{"id":25574,"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/posts\/24553\/revisions\/25574"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/media\/24293"}],"wp:attachment":[{"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/media?parent=24553"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/categories?post=24553"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/tags?post=24553"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}