<cdsl-FW2>dis cu
#
version 7.1.064, Release 9323P13
#
sysname cdsl-FW2
#
context Admin id 1
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
nat log enable
nat log flow-active 120
nat log flow-begin
nat log flow-end
nat log port-block-assign
#
dns server 114.114.114.114
#
password-recovery enable
#
vlan 1
#
object-group ip address 11
0 network subnet 0.0.0.0 255.255.255.0
#
object-group ip address 192.168.10.0
description
security-zone Trust
0 network subnet 192.168.10.0 255.255.255.0
#
object-group ip address 192.168.10.61
0 network host address 192.168.10.61
#
object-group ip address gongwnag
0 network host address 218.75.157.94
#
object-group ip address :218.75.130.211
0 network host address 218.75.130.211
#
object-group ip address
0 network subnet 218.75.157.88 255.255.255.248
#
object-group ip address
0 network host address 172.16.116.78
10 network host address 172.16.116.105
#
object-group service 4433
0 service tcp destination eq 4433
#
object-group service 8000
0 service tcp destination eq 8000
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
description acg
#
interface GigabitEthernet1/0/2
port link-mode route
description waiwang
ip address 111.22.113.194 255.255.255.224
ip last-hop hold
nat outbound
nat server protocol tcp global 111.22.113.194 8002 inside 192.168.10.88 8000 disable
nat server protocol tcp global 111.22.113.194 10800 inside 192.168.10.61 10800 disable
nat server protocol tcp global 111.22.113.194 23333 inside 192.168.10.233 3389 disable
nat server protocol tcp global 111.22.113.194 27080 inside 192.168.10.88 554 disable
nat server protocol tcp global 111.22.113.194 27090 inside 192.168.10.88 80 disable
nat server protocol tcp global 111.22.113.194 33333 inside 172.16.116.200 13389 disable
nat server protocol tcp global 111.22.113.194 41433 inside 193.168.10.220 1433 disable
nat server protocol tcp global 111.22.113.194 50000 inside 192.168.10.234 5000 disable
#
interface GigabitEthernet1/0/3
port link-mode route
#
interface GigabitEthernet1/0/4
port link-mode route
#
interface GigabitEthernet1/0/5
port link-mode route
#
interface GigabitEthernet1/0/6
port link-mode route
description ·-1
ip last-hop hold
nat outbound
#
interface GigabitEthernet1/0/7
port link-mode route
description ·-1
speed 1000
ip address 218.75.130.211 255.255.255.224
ip last-hop hold
nat outbound
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
interface GigabitEthernet1/0/10
port link-mode route
#
interface GigabitEthernet1/0/11
port link-mode route
description dianxin hulianwang
ip address dhcp-alloc
nat outbound
#
interface GigabitEthernet1/0/12
port link-mode route
undo dhcp select server
#
interface GigabitEthernet1/0/13
port link-mode route
#
interface GigabitEthernet1/0/14
port link-mode route
#
interface GigabitEthernet1/0/15
port link-mode route
description to
mtu 1400
ip address 218.75.157.94 255.255.255.248
dns server 59.51.78.210
ip last-hop hold
nat outbound
#
interface GigabitEthernet1/0/16
port link-mode route
#
interface GigabitEthernet1/0/17
port link-mode route
ip address 192.168.100.3 255.255.255.0
nat hairpin enable
#
interface GigabitEthernet1/0/18
port link-mode route
#
interface GigabitEthernet1/0/19
port link-mode route
#
interface GigabitEthernet1/0/20
port link-mode route
#
interface GigabitEthernet1/0/21
port link-mode route
#
interface GigabitEthernet1/0/22
port link-mode route
#
interface GigabitEthernet1/0/23
port link-mode route
#
interface SSLVPN-AC1
ip address 10.10.10.1 255.255.255.0
#
object-policy ip 1
rule 0 pass
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/17
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/2
import interface GigabitEthernet1/0/6
import interface GigabitEthernet1/0/7
import interface GigabitEthernet1/0/11
#
security-zone name Management
import interface GigabitEthernet1/0/0
#
security-zone name SSLVPN
import interface SSLVPN-AC1
#
security-zone name test
#
zone-pair security source Trust destination Local
object-policy apply ip 1
#
zone-pair security source Trust destination Untrust
object-policy apply ip 1
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
authentication-mode scheme
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 111.22.113.193 preference 70
ip route-static 0.0.0.0 0 218.75.130.193 preference 50
ip route-static 10.43.0.0 16 192.168.100.1
ip route-static 172.16.104.0 23 192.168.100.1
ip route-static 172.16.106.0 24 192.168.100.1
ip route-static 172.16.108.0 23 192.168.100.1
ip route-static 172.16.112.0 23 192.168.100.1
ip route-static 172.16.116.0 23 192.168.100.1
ip route-static 172.16.118.0 23 192.168.100.1
ip route-static 172.16.120.0 23 192.168.100.1
ip route-static 192.168.10.0 24 192.168.100.1
#
undo info-center enable
#
ssh server enable
#
acl advanced 3001
rule 0 permit ip source 192.168.10.0 0.0.0.255 destination 10.43.0.0 0.0.255.255
rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 172.16.104.0 0.0.1.255
rule 10 permit ip source 192.168.10.0 0.0.0.255 destination 172.16.108.0 0.0.1.255
rule 15 permit ip source 192.168.10.0 0.0.0.255 destination 172.16.112.0 0.0.1.255
rule 20 permit ip source 192.168.10.0 0.0.0.255 destination 172.16.116.0 0.0.1.255
rule 25 permit ip source 192.168.10.0 0.0.0.255 destination 172.16.118.0 0.0.1.255
rule 30 permit ip source 192.168.10.0 0.0.0.255 destination 172.16.120.0 0.0.1.255
#
acl advanced 3999
rule 0 permit ip destination 192.168.100.0 0.0.0.255
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$e3zZgR35rnfDlI/W$Bl7e5tVKRV5dAnhfXeak8l45drxSIWOET1CGTSFSfP1P+F5RUVYtO8O4HMfV1KI3WcBfx7+VpqveVFceoAFtPQ==
service-type ssh telnet terminal https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user cdslj class network
password cipher $c$3$HNKIlf5ZOZrsl8ejKygQcIqON2c2vI+RDAHpGVMF9G1sNw==
service-type sslvpn
authorization-attribute user-role network-operator
authorization-attribute sslvpn-policy-group SSLVPNZIYUAN
#
session aging-time state tcp-est 7200
session statistics enable
session top-statistics enable
#
ip https port 11443
ip https enable
web idle-timeout 30
webui log enable
#
blacklist logging enable
#
app-profile 0_IPv4
ips apply policy default mode protect
anti-virus apply policy default mode protect
#
app-profile 1_IPv4
ips apply policy default mode protect
anti-virus apply policy default mode protect
#
app-profile 2_IPv4
ips apply policy default mode protect
anti-virus apply policy default mode protect
#
inspect block-source parameter-profile ips_block_default_parameter
#
inspect block-source parameter-profile url_block_default_parameter
#
inspect capture parameter-profile ips_capture_default_parameter
#
inspect logging parameter-profile av_logging_default_parameter
#
inspect logging parameter-profile ips_logging_default_parameter
#
inspect logging parameter-profile url_logging_default_parameter
#
inspect redirect parameter-profile av_redirect_default_parameter
#
inspect redirect parameter-profile ips_redirect_default_parameter
#
inspect redirect parameter-profile url_redirect_default_parameter
#
sslvpn ip address-pool SSLPOOL 10.10.10.2 10.10.10.254
#
sslvpn gateway SSLVPNGW
ip address 111.22.113.194 port 4433
service enable
#
sslvpn context SSLVPN
gateway SSLVPNGW
ip-tunnel interface SSLVPN-AC1
ip-tunnel address-pool SSLPOOL mask 255.255.255.0
ip-tunnel dns-server primary 114.114.114.114
ip-route-list NEIWANG
include 172.16.100.0 255.255.255.0
include 192.168.100.0 255.255.255.0
policy-group SSLVPNZIYUAN
filter ip-tunnel acl 3999
ip-tunnel access-route ip-route-list NEIWANG
service enable
#
uapp-control
#
security-policy ip
rule 3 name
logging enable
counting enable
source-zone Trust
destination-zone Untrust
source-ip
destination-ip
destination-ip gongwnag
destination-ip 11
rule 0 name GuideSecPolicy
action pass
logging enable
counting enable
profile 0_IPv4
source-zone Trust
destination-zone Untrust
destination-zone DMZ
destination-zone local
rule 1 name 33
action pass
logging enable
counting enable
profile 1_IPv4
source-zone Untrust
destination-zone Trust
destination-zone Local
rule 2 name 11
action pass
logging enable
counting enable
profile 2_IPv4
source-zone Trust
destination-zone Trust
rule 5 name Untrst-Local
action pass
logging enable
counting enable
source-zone Untrust
destination-zone Local
service 4433
rule 10 name SSLVPN-Trust
action pass
logging enable
counting enable
source-zone SSLVPN
destination-zone Trust
#
return
<cdsl-FW2>
最佳答案
什么问题？
现在 VPN 能连接上，但不能访问目的地址。
检查下资源和路由下发的配置。例如，上面配置里 policy-group SSLVPNZIYUAN 的 filter ip-tunnel acl 3999 只放行目的 192.168.100.0/24，ip-route-list NEIWANG 也只下发了 172.16.100.0/24 和 192.168.100.0/24；若要访问的目的地址在 192.168.10.0/24 等其他网段，可能就是因此不通。
还望具体指点
还望具体指点