路由器vpn配置

建议配置sslvpn，需要做NAT的。

参考：

一、配置SSL VPN网关

#
sslvpn gateway SSLVPNGW //创建sslvpn网关，名称为SSLVPNGW
ip address 123.124.129.194 port 4433 //SLVPN网关IP地址为防火墙出口IP，端口号修改为4433
service enable //使能sslvpn
quit
#
interface SSLVPN-AC 1 //创建SSL VPN AC接口1
ip address 10.15.248.254 255.255.255.0 //配置接口IP为10.15.248.254/24
quit
#
sslvpn ip address-pool SSLPOOL 10.15.248.1 10.15.248.253 //创建地址池，指定IP地址范围为10.15.248.1——10.15.248.253
#
acl advanced 3999 //创建SSL VPN用户访问的内网资源10.15.0.0/16网段
rule permit ip destination 10.15.0.0 0.0.255.255
quit
#

二、配置SSL VPN实例

#
sslvpn context SSLVPN //创建SSL VPN访问实例“SSLVPN”
gateway SSLVPNGW //引用SSL VPN网关“SSLVPNGW”
ip-tunnel interface SSLVPN-AC1 //引用SSL VPN接口
ip-tunnel address-pool SSLPOOL mask 255.255.255.0 //引用SSL VPN地址池，掩码
ip-tunnel dns-server primary 202.106.0.20 //设置客户端dns服务器
ip-route-list NEIWANG //创建路由列表“NEIWANG”
include 10.15.0.0 255.255.0.0 //添加路由表项10.15.0.0/24
quit
policy-group SSLVPNZIYUAN //创建SSL VPN策略组“SSLVONZIYUAN”
filter ip-tunnel acl 3999 //配置ACL限制，只有通过ACL检测的报文才可以访问IP资源
ip-tunnel access-route ip-route-list NEIWANG //引用路由列表“NEIWANG”
quit
service enable //使能sslvpn策略组
quit
#

三、新建SSL VPN用户，关联SSLVPN资源组

#
local-user user1 class network //创建SSL VPN用户，指定服务类型，关联SSL VPN资源组
password simple user1
service-type sslvpn
authorization-attribute sslvpn-policy-group SSLVPNZIYUAN
quit
#

四、将SSL VPN端口加入安全域，放通对应安全策略

#
security-zone name SSLVPN
import interface SSLVPN-AC1
quit
#
object-group service 4433
service tcp destination eq 4433
quit
#
security-policy ip
rule 5 name Untrust-Local
action pass
source-zone Untrust
destination-zone Local
service 4433
quit
rule 10 name SSLVPN-Trust
action pass
source-zone SSLVPN
destination-zone Trust
quit
#

五、保存save force

六、验证display sslvpn session verbose