• 全部
  • 经验案例
  • 典型配置
  • 技术公告
  • FAQ
  • 漏洞说明
  • 全部
  • 全部
  • 大数据引擎
  • 知了引擎
产品线
搜索
取消
案例类型
发布者
是否解决
是否官方
时间
搜索引擎
匹配模式
高级搜索

SecPath F1030 SSLVPN 无法访问内网资源

2024-06-15提问
  • 0关注
  • 0收藏,443浏览
粉丝:0人 关注:0人

问题描述:

客户端VPN拨入成功,但无法访问内网资源。

VPN GW 10.91.5.254

VPN POOL 10.91.5.10 - 10.91.5.200

 

dis cu

#

 version 7.1.064, Release 9323P2302

#

 sysname x

#

 clock timezone Beijing add 08:00:00

#

context Admin id 1

#

ip vpn-instance guest

#

 telnet server enable

 telnet server port 2323

#

 irf mac-address persistent timer

 irf auto-update enable

 undo irf link-delay

 irf member 1 priority 1

#

 archive configuration location flash:/archive filename-prefix x

#

 port-mapping application DMZ-DEV????????? port 22

 port-mapping application DMZ-DEV????????? port 10101

 port-mapping application DMZ-DEV????????? port 10102

 port-mapping application DMZ-DEV????????? port 10103

 port-mapping application DMZ-DEV????????? port 10104

 port-mapping application DMZ-DEV????????? port 7800

 port-mapping application DMZ-DEV????????? port 8111

 port-mapping application DMZ-DEV????????? port 8282

 port-mapping application DMZ-DEV????????? port 8383

 port-mapping application DMZ-DEV????????? port 29094

 port-mapping application 13539 port 13539

 port-mapping application 3389 port 3389

#

track 1 nqa entry admin xagxwancu reaction 1

#

track 2 nqa entry admin szpswancu reaction 1

#

ospf 1 router-id 10.91.0.27

 import-route direct

 import-route static

 area 0.0.0.0

  network 10.91.0.27 0.0.0.0

  network 10.91.0.152 0.0.0.3

#

 dialer-group 1 rule ip permit

 dialer-group 2 rule ip permit

#

nat address-group 1

 address xx x

#

nat address-group 2

 address x x

#

 nat alg h323

 nat alg ils

 nat alg mgcp

 nat alg nbt

 nat alg rsh

 nat alg sccp

 nat alg sip

 nat alg sqlnet

 nat alg tftp

 nat alg xdmcp

#

 dhcp enable

#

 dns server 1.1.1.1

 dns server 114.114.114.114

 dns server 61.139.2.69

#

 lldp global enable

#

 password-recovery enable

#

vlan 1

#

object-group ip address 10.0.0.0

 0 network subnet 10.0.0.0 255.255.0.0

#

object-group ip address x

 security-zone CM

#

object-group ip address x

 security-zone Trust

 0 network subnet 192.168.200.0 255.255.254.0

#

object-group ip address x

 0 network subnet 10.91.20.0 255.255.254.0

#

object-group ip address DHCP

 description 192.168.200.0/23

 security-zone Trust

 0 network subnet 192.168.200.0 255.255.254.0

#

object-group ip address DMZ

 description DMZ

 security-zone DMZ

 0 network subnet 10.91.12.0 255.255.255.0

#

object-group ip address Guest

 security-zone Guest

 0 network subnet 192.168.200.0 255.255.254.0

#

object-group ip address Internal_10_172

 0 network subnet 10.0.0.0 255.0.0.0

 10 network subnet 172.16.0.0 255.240.0.0

#

object-group ip address internet

 security-zone CM

 0 network host address x

#

 

#

object-group ip address OA

 security-zone CM

 0 network subnet 10.9.12.0 255.255.255.0

#

object-group ip address sslvpngw

 security-zone Local

 0 network host address 1x

#

object-group ip address to_dmz

 20 network host address x

 30 network host address 10.91.22.81

#

object-group service TCP/UDP

 0 service tcp

 10 service udp

#

dhcp server ip-pool 100

 vpn-instance guest

 gateway-list 192.168.201.254

 network 192.168.200.0 mask 255.255.254.0

 dns-list 114.114.114.114

 expired day 0 hour 2

#

dhcp server ip-pool E113

 vpn-instance guest

 gateway-list 192.168.203.254

 network 192.168.202.0 mask 255.255.254.0

 dns-list 223.5.5.5 114.114.114.114

#

policy-based-route pbr_dmz_internet permit node 5

 if-match acl 3600

 apply next-hop 183.222.11.1

 apply continue

#

nqa entry admin szpswancu

 type icmp-echo

  destination ip x

  frequency 1000

  history-record enable

  reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

#

nqa entry admin xagxwancu

 type icmp-echo

  description sccd_to_xagx

  destination x

  frequency 1000

  reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only

#

 nqa schedule admin szpswancu start-time now lifetime forever

 nqa schedule admin xagxwancu start-time now lifetime forever

#

interface NULL0

#

interface LoopBack0

 ip address 10.91.0.27 255.255.255.255

#

interface GigabitEthernet1/0/0

 port link-mode route

 description Connect_SCCD-C#-108-E552C-63.74

 ip address 192.168.0.1 255.255.255.0

#

interface GigabitEthernet1/0/1

 port link-mode route

 dhcp server apply ip-pool 4000

#

interface GigabitEthernet1/0/2

 port link-mode route

 ip last-hop hold

#

interface GigabitEthernet1/0/3

 port link-mode route

 description Connect_internet_to_guest

 ip binding vpn-instance guest

 ip address 183.xxx 255.255.255.128

 ip last-hop hold

 nat outbound address-group 1 vpn-instance guest

#

interface GigabitEthernet1/0/4

 port link-mode route

 shutdown

#

interface GigabitEthernet1/0/5

 port link-mode route

 description Connect_SCCD_tunnel_XAGX_SCCD-IDC-A02-internet-S5130

 ip address x 255.255.255.128

 nat outbound 2501 address-group 2

 nat outbound 2500 address-group 2 disable

 nat server protocol tcp global current-interface 22 inside 10.91.12.11 22 description DMZ_S12.11_22

 nat server protocol tcp global current-interface 1521 inside 10.91.12.12 1521 description DMZ_S12.12_1521

 nat server protocol tcp global current-interface 7800 inside 10.91.12.11 7800 description DMZ_S12.11_7800

 nat server protocol tcp global current-interface 8111 inside 10.91.12.11 8111 description DMZ_S12.11_8111

 nat server protocol tcp global current-interface 8282 inside 10.91.12.11 8282 description DMZ_S12.11_8282

 nat server protocol tcp global current-interface 8383 inside 10.91.12.11 8383 description DMZ_S12.11_8383

 nat server protocol tcp global current-interface 10101 10104 inside 10.91.12.11 10101 10104 description DMZ_S12.11_10101_10104

 nat server protocol tcp global current-interface 29094 inside 10.91.12.11 29094 description DMZ_S12.11_29094

#

interface GigabitEthernet1/0/6

 port link-mode route

#

interface GigabitEthernet1/0/7

 port link-mode route

#

interface GigabitEthernet1/0/8

 port link-mode route

 description DMZ-OPC

 ip address 10.91.12.254 255.255.255.0

 ip policy-based-route pbr_dmz_internet

#

interface GigabitEthernet1/0/9

 port link-mode route

#

interface GigabitEthernet1/0/10

 port link-mode route

#

interface GigabitEthernet1/0/11

 port link-mode route

#

interface GigabitEthernet1/0/12

 port link-mode route

 description Connect_guest-to-internet

 ip binding vpn-instance guest

 ip address 192.168.201.254 255.255.254.0

#

interface GigabitEthernet1/0/13

 port link-mode route

 description x

 ip binding vpn-instance guest

#

interface GigabitEthernet1/0/13.4001

 description Connect_E113-to-internet

 ip binding vpn-instance guest

 ip address 192.168.203.254 255.255.254.0

 vlan-type dot1q vid 4001

#

interface GigabitEthernet1/0/13.4002

 description Connect_IT_Yunwei

 ip binding vpn-instance guest

 ip address 10.91.0.246 255.255.255.252

 vlan-type dot1q vid 4002

#

interface GigabitEthernet1/0/14

 port link-mode route

#

interface GigabitEthernet1/0/15

 port link-mode route

 description x

 bandwidth 30000

 ip address x 255.255.255.252

#

interface GigabitEthernet1/0/16

 port link-mode route

#

interface GigabitEthernet1/0/17

 port link-mode route

#

interface GigabitEthernet1/0/18

 port link-mode route

#

interface GigabitEthernet1/0/19

 port link-mode route

#

interface GigabitEthernet1/0/20

 port link-mode route

#

interface GigabitEthernet1/0/21

 port link-mode route

#

interface GigabitEthernet1/0/22

 port link-mode route

 description Fw_to_Croe

 ip address 10.91.0.154 255.255.255.252

 ospf network-type p2p

#

interface GigabitEthernet1/0/23

 port link-mode route

#

interface Tunnel1 mode gre

 description Connect-XAGXwancu

 mtu 1476

 bandwidth 102400

 ip address x 255.255.255.252

 tcp mss 1436

 source x

 destination x

 keepalive 10 3

#

interface Tunnel100 mode gre

 description Connect-x

 mtu 1476

 shutdown

 bandwidth 50000

 ip address x 255.255.255.252

 tcp mss 1436

 source 183.222.11.7

 destination 222.179.42.107

 keepalive 10 3

#

interface Tunnel101 mode gre

 description Connect-CU-x

 mtu 1400

 bandwidth 50000

 ip address 1x 255.255.255.252

 tcp mss 1360

 source x

 destination x

 keepalive 10 3

#

interface SSLVPN-AC1

 ip binding vpn-instance guest

 ip address 10.91.5.254 255.255.255.0

#

security-zone name Local

#

security-zone name Trust

 import interface GigabitEthernet1/0/22

#

security-zone name DMZ

 import interface GigabitEthernet1/0/8

#

security-zone name Untrust

#

security-zone name Management

 import interface GigabitEthernet1/0/0

#

security-zone name CM

 import interface GigabitEthernet1/0/5

 import interface GigabitEthernet1/0/15

 import interface Tunnel1

 import interface Tunnel100

 import interface Tunnel101

#

security-zone name Guest

 import interface GigabitEthernet1/0/12

 import interface GigabitEthernet1/0/13.4001

#

security-zone name Internet

 import interface GigabitEthernet1/0/3

#

security-zone name ITMGT

 import interface GigabitEthernet1/0/13.4002

#

security-zone name SSLVPN

 import interface SSLVPN-AC1

#

zone-pair security source Local destination Trust

 packet-filter 3000

#

zone-pair security source Local destination Untrust

 packet-filter 3000

#

zone-pair security source Trust destination Local

 packet-filter 3000

#

zone-pair security source Trust destination Untrust

 packet-filter 3000

#

zone-pair security source Untrust destination Local

 packet-filter 3000

#

zone-pair security source Untrust destination Trust

 packet-filter 3100

#

 scheduler logfile size 16

#

line class aux

 user-role network-operator

#

line class console

 authentication-mode scheme

 user-role network-admin

#

line class vty

 user-role network-operator

#

line aux 0

 user-role network-admin

#

line con 0

 user-role network-admin

#

line vty 0 5

 authentication-mode scheme

 user-role network-admin

 idle-timeout 15 0

#

line vty 6 63

 authentication-mode scheme

 user-role network-admin

#

 ip route-static 0.0.0.0 0 172.31.200.2

 ip route-static 0.0.0.0 0 172.16.62.34

 ip route-static 10.0.0.0 8 172.21.255.61 track 1 preference 200 description sccd_gre_xagx

 ip route-static 10.0.0.0 8 172.16.91.1 track 2 description sccd_otn_szps

 ip route-static 10.62.144.86 32 172.31.200.2

 ip route-static 10.62.240.1 32 172.31.200.2 preference 70

 ip route-static 10.62.240.1 32 172.16.62.34

 ip route-static 10.62.250.1 32 172.31.200.2

 ip route-static 10.91.0.0 16 10.91.0.153

 ip route-static 20.189.79.72 32 GigabitEthernet1/0/5 183.222.11.1

 ip route-static 120.25.115.20 32 GigabitEthernet1/0/5 183.222.11.1

 ip route-static 172.21.255.60 30 GigabitEthernet1/0/5 183.222.11.1

 ip route-static 192.168.100.0 24 172.21.255.61 preference 200

 ip route-static 192.168.100.0 24 172.16.91.1 track 2 description sccd_otn_szps

 ip route-static 192.168.102.0 24 172.21.255.61 preference 200

 ip route-static 192.168.102.0 24 172.16.91.1 track 2 description sccd_otn_szps

 ip route-static 221.5.140.3 32 183.222.11.1

 ip route-static 222.90.69.94 32 GigabitEthernet1/0/5 183.222.11.1

 ip route-static 222.179.42.107 32 183.222.11.1

 ip route-static vpn-instance guest 0.0.0.0 0 GigabitEthernet1/0/3 183.222.11.1

 ip route-static vpn-instance guest 10.91.20.168 32 10.91.0.245

#

 

 ssh server enable

 ssh server compatible-ssh1x enable

 ssh server port 2222

#

 time-range ??Ч 07:00 to 23:59 daily

 time-range ??Ч from 08:30 4/28/2024 to 23:43 4/28/2034

#

 

#

acl advanced 3899

 rule 0 permit ip vpn-instance guest

#

acl advanced 3999

 rule 0 permit ip vpn-instance guest counting

 rule 5 permit icmp vpn-instance guest counting

#

domain system

#

 aaa session-limit ftp 16

 aaa session-limit telnet 16

 aaa session-limit ssh 16

 domain default enable system

#

role name level-0

 description Predefined level-0 role

#

role name level-1

 description Predefined level-1 role

#

role name level-2

 description Predefined level-2 role

#

role name level-3

 description Predefined level-3 role

#

role name level-4

 description Predefined level-4 role

#

role name level-5

 description Predefined level-5 role

#

role name level-6

 description Predefined level-6 role

#

role name level-7

 description Predefined level-7 role

#

role name level-8

 description Predefined level-8 role

#

role name level-9

 description Predefined level-9 role

#

role name level-10

 description Predefined level-10 role

#

role name level-11

 description Predefined level-11 role

#

role name level-12

 description Predefined level-12 role

#

role name level-13

 description Predefined level-13 role

#

role name level-14

 description Predefined level-14 role

#

user-group system

 identity-member user lindong

 

#

local-user lindong class network

 password cipher $c$3$Zb7Pf6E9SgVYm9Iy5XeEIRfJ9LON+XrySOnQpV0=

 service-type sslvpn

 authorization-attribute acl 3999

 authorization-attribute user-role network-operator

 authorization-attribute sslvpn-policy-group vpngroup

 identity-group system

#

pki domain pkidomain

 certificate request entity certssl

 public-key rsa general name sslvpnrsa length 2048

 undo crl check enable

#

pki entity certssl

 common-name 183.222.11.50

 country it

 locality it

 organization-unit it

 organization it

 state it

#

ssl server-policy 2

 pki-domain pkidomain

#

ssl client-policy 2

 pki-domain pkidomain

 prefer-cipher dhe_rsa_aes_256_cbc_sha rsa_aes_256_cbc_sha dhe_rsa_aes_128_cbc_sha rsa_aes_128_cbc_sha rsa_3des_ede_cbc_sha exp_rsa_des_cbc_sha rsa_des_cbc_sha rsa_rc4_128_md5 rsa_rc4_128_sha exp_rsa_rc4_md5 exp_rsa_rc2_md5

 undo server-verify enable

#

 session statistics enable

 session state-machine mode loose

#

ipsec policy Dial 20 isakmp

#

ike proposal 60

 encryption-algorithm aes-cbc-128

 dh group14

 authentication-algorithm sha256

#

ike keychain vpn

#

 ip http enable

 ip https port 8081

 ip https enable

 web idle-timeout 15

 webui log enable

#

url-filter policy forbidden-url

 default-action block-source parameter-profile url_block_default_parameter

 category ???? action drop logging

 add blacklist 1 host regex beamofthemoon.*com uri regex beamofthemoon.*com

#

url-filter category ???? severity 1000

 rule 1 host text www.baidu.com uri text www.baidu.com

#

app-profile 6_IPv4

 url-filter apply policy forbidden-url

#

inspect block-source parameter-profile ips_block_default_parameter

#

inspect block-source parameter-profile url_block_default_parameter

#

 

sslvpn ip address-pool sslvpnpool 10.91.5.10 10.91.5.200

#

sslvpn gateway sslvpngw

 vpn-instance guest

 ip address 183.222.11.50 port 13539

 ssl server-policy 2

 service enable

#

sslvpn context ctxip

 vpn-instance guest

 ssl client-policy 2

 gateway sslvpngw domain wancu

 ip-tunnel interface SSLVPN-AC1

 ip-tunnel address-pool sslvpnpool mask 255.255.255.0

 ip-tunnel dns-server primary 10.3.3.6

 ip-tunnel dns-server secondary 10.46.3.6

 port-forward-item 1.1.1.1_3389

  local-port 3389 local-name 1.1.1.1 remote-server 10.91.20.168 remote-port 3389 description 1683389

 port-forward 1

  resources port-forward-item 1.1.1.1_3389

 ip-route-list dcwancu

  include 10.91.0.0 255.255.0.0

 policy-group vpngroup

  filter ip-tunnel acl 3999

  ip-tunnel access-route ip-route-list dcwancu

 default-policy-group vpngroup

 aaa domain system

 log user-login enable

 max-onlines 1

 force-logout max-onlines enable

 service enable

#

uapp-control

 policy name ?????? audit

  source-address ipv4 10.0.0.0

  source-address ipv4 wancu-guest

  destination-address ipv4 10.0.0.0

  destination-address ipv4 wancu-guest

  source-zone DMZ

  source-zone Local

  source-zone Trust

  destination-zone Untrust

  service TCP/UDP

  rule 1 any behavior any bhcontent any keyword include any action permit audit-logging

#

security-policy ip

 rule 14 name IPForbidden_2

  counting enable

  vrf guest

  source-zone Local

  source-zone Trust

  source-zone DMZ

  source-zone Untrust

  source-zone Management

  source-zone CM

  source-zone Guest

  source-zone Internet

  destination-zone Local

  destination-zone Trust

  destination-zone DMZ

  destination-zone Untrust

  destination-zone Management

  destination-zone CM

  destination-zone Guest

  destination-zone Internet

  destination-ip IPForbidden

  destination-ip IPForbidden_20240604

 rule 13 name IPForbidden

  counting enable

  source-zone Local

  source-zone Trust

  source-zone DMZ

  source-zone Untrust

  source-zone Management

  source-zone CM

  source-zone Guest

  source-zone Internet

  destination-zone Local

  destination-zone Trust

  destination-zone DMZ

  destination-zone Untrust

  destination-zone Management

  destination-zone CM

  destination-zone Guest

  destination-zone Internet

  destination-ip IPForbidden

  destination-ip IPForbidden_20240604

 rule 0 name VPN_CDHG_to_XAGX

  action pass

  counting enable

  source-zone Local

  source-zone Trust

  destination-zone CM

 rule 1 name VPN_XAGX_to_CDHG

  action pass

  counting enable

  source-zone CM

  destination-zone Local

  destination-zone Trust

 rule 2 name trust_to_Local

  action pass

  counting enable

  source-zone Trust

  source-zone Local

  destination-zone Local

  destination-zone Trust

 rule 5 name permit_guest-to-local

  action pass

  logging enable

  counting enable

  vrf guest

  source-zone guest

  source-zone Local

  destination-zone guest

  destination-zone Local

 rule 6 name permit

  action pass

  counting enable

  profile 6_IPv4

  vrf guest

  source-zone Guest

  destination-zone Internet

 rule 9 name deny_dmz_to_cm

  logging enable

  counting enable

  source-zone DMZ

  destination-zone CM

  destination-ip Internal_10_172

 rule 11 name allow_dmz_to_internet

  description need nat policy enable

  action pass

  counting enable

  source-zone DMZ

  destination-zone CM

 rule 10 name allow_cm_to_dmz

  action pass

  counting enable

  source-zone Trust

  source-zone CM

  destination-zone DMZ

  source-ip to_dmz

 rule 12 name allow_dmz_to_dmz

  action pass

  counting enable

  source-zone DMZ

  source-zone Local

  destination-zone DMZ

  destination-zone Local

 rule 15 name sslvpn_internet

  action pass

  counting enable

  vrf guest

  source-zone Internet

  destination-zone Local

  destination-ip sslvpngw

  service TCP/UDP

  service ping

  application 13539

 rule 18 name testvpn

  action pass

  counting enable

  vrf guest

  source-zone SSLVPN

  destination-zone ITMGT

  destination-zone Local

 rule 19 name testbvpn2

  action pass

  counting enable

  vrf guest

  source-zone ITMGT

  destination-zone SSLVPN

  destination-zone Local

#

ips block-source parameter-profile ips_block_default_parameter

#

return

 

组网及组网描述:

最佳答案

已采纳
粉丝:2人 关注:1人

客户端成功拨入后,客户端查看路由表是否有内网路由获取到,防火墙上可以抓包查看是否有对应转化后发给服务器的报文,并查看访问内网服务器资源是否对应有做acl限制访问

暂无评论

2 个回答
zhiliao_TBGXjc 知了小白
粉丝:0人 关注:0人

路由表有获取到



暂无评论

粉丝:146人 关注:1人

安全策略放行了吗


暂无评论

编辑答案

你正在编辑答案

如果你要对问题或其他回答进行点评或询问,请使用评论功能。

分享扩散:

提出建议

    +

亲~登录后才可以操作哦!

确定

亲~检测到您登陆的账号未在http://hclhub.h3c.com进行注册

注册后可访问此模块

跳转hclhub

你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作

举报

×

侵犯我的权益 >
对根叔社区有害的内容 >
辱骂、歧视、挑衅等(不友善)

侵犯我的权益

×

泄露了我的隐私 >
侵犯了我企业的权益 >
抄袭了我的内容 >
诽谤我 >
辱骂、歧视、挑衅等(不友善)
骚扰我

泄露了我的隐私

×

您好,当您发现根叔知了上有泄漏您隐私的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您认为哪些内容泄露了您的隐私?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)

侵犯了我企业的权益

×

您好,当您发现根叔知了上有关于您企业的造谣与诽谤、商业侵权等内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到 pub.zhiliao@h3c.com 邮箱,我们会在审核后尽快给您答复。
  • 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
  • 3. 是哪家企业?(营业执照,单位登记证明等证件)
  • 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

抄袭了我的内容

×

原文链接或出处

诽谤我

×

您好,当您发现根叔知了上有诽谤您的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

对根叔社区有害的内容

×

垃圾广告信息
色情、暴力、血腥等违反法律法规的内容
政治敏感
不规范转载 >
辱骂、歧视、挑衅等(不友善)
骚扰我
诱导投票

不规范转载

×

举报说明