
SSL VPN is set up but cannot reach the internal network

Asked 2021-06-08

Problem description:

I have set up the SSL VPN, downloaded iNode from the official site and configured the client with the iNode management tool. The client connects successfully and is assigned an IP address, but here is the problem: none of the VLANs can be reached, and the internal network cannot be accessed either; nothing pings. My configuration is below; could the more experienced members please take another look for me?


#
version 7.1.064, Release 9313P15
#
sysname FW
#
context Admin id 1
#
ip vpn-instance nei
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
security-zone intra-zone default permit
#
dhcp enable
#
dns server 61.177.7.1
dns server 223.5.5.5
dns server 114.114.114.114
dns server 61.177.7.1 vpn-instance nei
dns server 223.5.5.5 vpn-instance nei
dns server 114.114.114.114 vpn-instance nei
ip host 22 222.92.222.34
ip host 223 223.5.5.5
ip host 61 61.177.7.1
ip host 61 61.177.7.1 vpn-instance nei
#
password-recovery enable
#
vlan 1
#
object-group ip address 系统服务器
0 network host address 192.168.4.132
#
object-group ip address 公盘
0 network host address 192.168.5.26
#
object-group ip address 金蝶
0 network host address 192.168.4.132
#
object-group ip address 备份盘
0 network host address 192.168.5.88
10 network host address 192.168.5.125
#
object-group ip address scm系统
0 network host address 192.168.9.161
#
object-group service 3360端口
0 service tcp destination eq 3360
10 service tcp
#
object-group service 4433
0 service tcp destination eq 4433
#
object-group service 5000端口
0 service tcp destination eq 5001
10 service tcp destination eq 5000
#
object-group service 8001端口
0 service tcp destination eq 8001
#
object-group service 9001端口
0 service tcp destination eq 9001
#
object-group service 999端口
0 service tcp destination eq 999
#
dhcp server ip-pool 61
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
ip address 10.0.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 222.92.222.34 255.255.255.248
nat outbound
nat outbound 2000
nat server protocol tcp global 222.92.222.34 80 inside 192.168.5.88 80
nat server protocol tcp global 222.92.222.34 389 inside 192.168.5.88 389
nat server protocol tcp global 222.92.222.34 443 inside 192.168.5.88 443
nat server protocol tcp global 222.92.222.34 514 inside 192.168.5.88 514
nat server protocol tcp global 222.92.222.34 636 inside 192.168.5.88 636
nat server protocol tcp global 222.92.222.34 873 inside 192.168.5.88 873
nat server protocol tcp global 222.92.222.34 999 inside 192.168.9.161 999
nat server protocol tcp global 222.92.222.34 1194 inside 192.168.5.88 1194
nat server protocol tcp global 222.92.222.34 3360 inside 192.168.5.26 3360
nat server protocol tcp global 222.92.222.34 3361 inside 192.168.5.26 3361
nat server protocol tcp global 222.92.222.34 5000 inside 192.168.5.88 5000
nat server protocol tcp global 222.92.222.34 5001 inside 192.168.5.88 5001
nat server protocol tcp global 222.92.222.34 6281 inside 192.168.5.88 6281
nat server protocol tcp global 222.92.222.34 6690 inside 192.168.5.88 6690
nat server protocol tcp global 222.92.222.34 8001 inside 192.168.4.132 8001
nat server protocol tcp global 222.92.222.34 10022 inside 192.168.5.88 10022 reversible
nat server protocol udp global 222.92.222.34 514 inside 192.168.5.88 514
nat server protocol udp global 222.92.222.34 3360 inside 192.168.5.88 3360
nat server protocol udp global 222.92.222.34 3361 inside 192.168.5.88 3361
nat server protocol tcp global current-interface 9001 inside 192.168.4.132 9001
nat static enable
#
interface GigabitEthernet1/0/3
port link-mode route
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/4
port link-mode route
#
interface GigabitEthernet1/0/5
port link-mode route
ip address 3.3.3.1 255.255.255.0
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
interface GigabitEthernet1/0/10
port link-mode route
#
interface GigabitEthernet1/0/11
port link-mode route
#
interface GigabitEthernet1/0/12
port link-mode route
#
interface GigabitEthernet1/0/13
port link-mode route
#
interface GigabitEthernet1/0/14
port link-mode route
#
interface GigabitEthernet1/0/15
port link-mode route
#
interface GigabitEthernet1/0/16
port link-mode route
ip binding vpn-instance nei
#
interface GigabitEthernet1/0/17
port link-mode route
ip address 192.168.150.2 255.255.255.0
nat hairpin enable
#
interface GigabitEthernet1/0/18
port link-mode route
#
interface GigabitEthernet1/0/19
port link-mode route
#
interface GigabitEthernet1/0/20
port link-mode route
#
interface GigabitEthernet1/0/21
port link-mode route
#
interface GigabitEthernet1/0/22
port link-mode route
#
interface GigabitEthernet1/0/23
port link-mode route
#
interface SSLVPN-AC1
ip address 10.10.10.1 255.255.255.0
#
object-policy ip Local-Local
rule 0 pass
#
object-policy ip SSLVPN-Local
rule 0 pass
#
object-policy ip SSLVPN-Trust
rule 0 pass
#
object-policy ip Trust-Trust
rule 0 pass
#
object-policy ip Trust-Untrust
rule 0 pass
#
object-policy ip Untrust-Local
rule 0 pass service 4433
#
object-policy ip Untrust-Trust
rule 5 pass destination-ip 公盘 service 3360端口
rule 6 pass destination-ip 备份盘 service 5000端口
rule 7 pass destination-ip 金蝶 service 8001端口
rule 8 pass destination-ip scm系统 service 999端口
rule 9 pass destination-ip 系统服务器 service 9001端口
rule 10 pass
#
object-policy ip local-untrust
rule 0 pass
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/3
import interface GigabitEthernet1/0/4
import interface GigabitEthernet1/0/5
import interface GigabitEthernet1/0/6
import interface GigabitEthernet1/0/7
import interface GigabitEthernet1/0/8
import interface GigabitEthernet1/0/9
import interface GigabitEthernet1/0/10
import interface GigabitEthernet1/0/11
import interface GigabitEthernet1/0/12
import interface GigabitEthernet1/0/13
import interface GigabitEthernet1/0/14
import interface GigabitEthernet1/0/15
import interface GigabitEthernet1/0/16
import interface GigabitEthernet1/0/17
import interface GigabitEthernet1/0/18
import interface GigabitEthernet1/0/19
import interface GigabitEthernet1/0/20
import interface GigabitEthernet1/0/21
import interface GigabitEthernet1/0/22
import interface GigabitEthernet1/0/23
import interface NULL0
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
import interface GigabitEthernet1/0/2
#
security-zone name Management
import interface GigabitEthernet1/0/0
#
security-zone name 111
#
security-zone name SSLVPN
import interface SSLVPN-AC1
#
security-zone name SSLVPNANQUANYU
#
zone-pair security source Local destination Local
object-policy apply ip Local-Local
#
zone-pair security source Local destination Trust
packet-filter 2000
#
zone-pair security source Local destination Untrust
object-policy apply ip local-untrust
packet-filter 2000
#
zone-pair security source SSLVPN destination Local
object-policy apply ip SSLVPN-Local
#
zone-pair security source SSLVPN destination Trust
object-policy apply ip SSLVPN-Trust
#
zone-pair security source Trust destination Local
packet-filter 2000
#
zone-pair security source Trust destination Trust
object-policy apply ip Trust-Trust
#
zone-pair security source Trust destination Untrust
object-policy apply ip Trust-Untrust
packet-filter 2000
#
zone-pair security source Untrust destination Local
object-policy apply ip Untrust-Local
#
zone-pair security source Untrust destination Trust
object-policy apply ip Untrust-Trust
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
user-role network-admin
#
line vty 0
authentication-mode scheme
user-role network-admin
set authentication password hash $h$6$OyWPIa5eNBbnmkwV$QOnzRGb6mqvVUxk3E6M8NMuMIj0AzjFEIWK7CwX225egey4UJ39fhKrS4pqOiO/ti5pCB58YvvESChUUBlVwdw==
#
line vty 1 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 222.92.222.33
ip route-static 192.168.0.0 16 192.168.150.1
#
info-center loghost 1.1.1.1
#
ssh server enable
ssh server acl 2222
#
acl basic 2000
rule 0 permit
#
acl basic 2222
rule 0 permit source 192.168.0.0 0.0.255.255
#
acl advanced 3600
rule 10000 permit ip
#
acl advanced 3999
rule 0 permit ip destination 10.10.10.0 0.0.0.255
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$k/esgDteXQteQmDW$WnWQR04YU1pECr0K9RIu02WlEckA6Qx9PxD0V2z5pFKpBBUg0WOG+Ajbp4z4htMz8/bTp0ObWlbW4qHdMG7Wpg==
service-type ssh telnet http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user liucheng class manage
password hash $h$6$JKVw37NDJ3NzrGB4$EYBn3oyGi5kuq18YteVgYgrMdPOkFcahdUcjnA2ZB2dmc/nWQ/XihT4FoxgE2ZGiavLmjyXdc3F1WajEIVbTfw==
access-limit 5
service-type ftp
service-type ssh telnet terminal http https
authorization-attribute work-directory slot1#flash:
authorization-attribute user-role context-admin
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user tianyou001 class network
password cipher $c$3$Hg7GC2ABvCmht0s44PSSxKllPaxd5y3MdvsgiHg=
service-type sslvpn
authorization-attribute user-role network-operator
authorization-attribute sslvpn-policy-group tianyou001
#
local-user tianyou01 class network
password cipher $c$3$U/DZ7zeRirq2ylle++syEUwVK+TGeifvuA9+/w==
service-type sslvpn
authorization-attribute user-role network-operator
authorization-attribute sslvpn-policy-group SSLVPNZIYUAN
#
ftp server enable
#
ip http enable
ip https enable
#
sslvpn ip address-pool SSLPOOL 172.168.9.2 172.168.9.15
#
sslvpn gateway SSLVPN
ip address 222.92.222.34 port 4433
service enable
#
sslvpn context SSLVPN
gateway SSLVPN
ip-tunnel interface SSLVPN-AC1
ip-tunnel address-pool SSLPOOL mask 255.255.255.0
ip-tunnel dns-server primary 114.114.114.114
ip-route-list NEIWNAG
  include 10.10.10.0 255.255.255.0
policy-group SSLVPNZIYUAN
  filter ip-tunnel 3999
  ip-tunnel access-route ip-route-list NEIWNAG
service enable
#
ips policy default
#
anti-virus policy default
#
return

Network topology and description:


Best answer


10.10.10.1 conflicts with the internal network route.


Configure the SSLVPN-AC1 interface address as 172.168.9.1.


Also, the pushed route list is wrong; judging from your routing table, what you want to reach is 192.168.0.0:

ip route-static 0.0.0.0 0 222.92.222.33

ip route-static 192.168.0.0 16 192.168.150.1


So

ip-route-list NEIWNAG

 include 10.10.10.0 255.255.255.0

this also needs to be changed to the resources that need to be accessed, and the corresponding ACL 3999 needs to be changed to match. Nothing else looks wrong.



Once that is changed, on the firewall you can run ping -a <AC1 address> <internal address>; if the ping succeeds, it is fine.


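As an added illustration of the three checks the accepted answer walks through (this is not code from the thread or from H3C), here is a small Python checker that parses a constructed excerpt of the posted configuration and flags an address pool outside the SSLVPN-AC subnet, a pushed route that points at the tunnel subnet itself instead of an inside network, and a pushed route the ip-tunnel filter ACL does not permit. The names `check_sslvpn`, `net` and `SAMPLE_CONFIG` are the example's own.

```python
"""Consistency check for an H3C SSL VPN IP tunnel (added example, not from the thread).
Parses the lines the accepted answer says must agree: SSLVPN-AC address, client
pool, pushed ip-route-list, ip route-static and the filter ACL. Sample is constructed."""
import ipaddress
import re

SAMPLE_CONFIG = """\
interface SSLVPN-AC1
 ip address 10.10.10.1 255.255.255.0
ip route-static 0.0.0.0 0 222.92.222.33
ip route-static 192.168.0.0 16 192.168.150.1
acl advanced 3999
 rule 0 permit ip destination 10.10.10.0 0.0.0.255
sslvpn ip address-pool SSLPOOL 172.168.9.2 172.168.9.15
sslvpn context SSLVPN
 ip-tunnel address-pool SSLPOOL mask 255.255.255.0
 ip-route-list NEIWNAG
  include 10.10.10.0 255.255.255.0
 policy-group SSLVPNZIYUAN
  filter ip-tunnel 3999
"""


def net(addr, mask):
    """Network from 'addr netmask', 'addr prefixlen' or 'addr wildcard' (ACL style)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check_sslvpn(config):
    """Return a list of findings; an empty list means the SSL VPN pieces agree."""
    m = re.search(r"interface SSLVPN-AC\d+\n\s*ip address (\S+) (\S+)", config)
    ac_net = net(*m.groups()) if m else None  # subnet of the IP-tunnel gateway
    m = re.search(r"sslvpn ip address-pool \S+ (\S+) (\S+)", config)
    pool = [ipaddress.ip_address(a) for a in m.groups()] if m else []
    # Inside networks the firewall can forward to; the default route proves nothing.
    routes = [net(d, p) for d, p in re.findall(r"ip route-static (\S+) (\d+) ", config)]
    # Destinations the ip-tunnel filter ACL permits (the sample has a single ACL).
    acl = [net(d, w) for d, w in re.findall(r"permit ip destination (\S+) (\S+)", config)]
    pushed = [net(d, k) for d, k in re.findall(r"^\s+include (\S+) (\S+)", config, re.M)]

    findings = []
    if ac_net and pool and not all(a in ac_net for a in pool):
        findings.append(f"pool {pool[0]}-{pool[1]} lies outside SSLVPN-AC subnet {ac_net}")
    for p in pushed:
        if p == ac_net:
            findings.append(f"pushed route {p} is the tunnel subnet, not an inside network")
        elif not any(p.subnet_of(r) for r in routes if r.prefixlen):
            findings.append(f"pushed route {p} matches no static route on the firewall")
        if not any(p.subnet_of(a) for a in acl):
            findings.append(f"pushed route {p} is not permitted by the filter ACL")
    return findings
```

Run against SAMPLE_CONFIG it reports the two mismatches the accepted answer names; after fixing the interface address and the include line but not ACL 3999, the one remaining finding is the ACL mismatch the answer also warns about.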

3 answers

Hello, you wrote

 include 10.10.10.0 255.255.255.0

but there is no route for 10.10.10.0; I only see ip route-static 192.168.0.0 16 192.168.150.1.
If the internal network is the 192.168.0.0 segment, then you need  include 192.168.0.0 255.255.0.0


Hello:

interface SSLVPN-AC1

ip address 10.10.10.1 255.255.255.0

The sslvpn interface address is 10.10.10.1, but the sslvpn address range is 172.168.9.2 172.168.9.15; I suggest making them consistent. Also, the route being pushed is for the 10.10.10.0 network; try again after changing the sslvpn interface address.


Hello, please note:

Try permitting traffic from the untrust, trust and local zones as source to the SSLVPN zone and see.

Check whether the internal devices have learned the route to the SSL VPN network segment.

