SecPath F1030 SSLVPN 无法访问内网资源
- 0关注
- 0收藏,262浏览
问题描述:
客户端VPN拨入成功,但无法访问内网资源。
VPN GW 10.91.5.254
VPN POOL 10.91.5.10 - 10.91.5.200
dis cu
#
version 7.1.064, Release 9323P2302
#
sysname x
#
clock timezone Beijing add 08:00:00
#
context Admin id 1
#
ip vpn-instance guest
#
telnet server enable
telnet server port 2323
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
archive configuration location flash:/archive filename-prefix x
#
port-mapping application DMZ-DEV????????? port 22
port-mapping application DMZ-DEV????????? port 10101
port-mapping application DMZ-DEV????????? port 10102
port-mapping application DMZ-DEV????????? port 10103
port-mapping application DMZ-DEV????????? port 10104
port-mapping application DMZ-DEV????????? port 7800
port-mapping application DMZ-DEV????????? port 8111
port-mapping application DMZ-DEV????????? port 8282
port-mapping application DMZ-DEV????????? port 8383
port-mapping application DMZ-DEV????????? port 29094
port-mapping application 13539 port 13539
port-mapping application 3389 port 3389
#
track 1 nqa entry admin xagxwancu reaction 1
#
track 2 nqa entry admin szpswancu reaction 1
#
ospf 1 router-id 10.91.0.27
import-route direct
import-route static
area 0.0.0.0
network 10.91.0.27 0.0.0.0
network 10.91.0.152 0.0.0.3
#
dialer-group 1 rule ip permit
dialer-group 2 rule ip permit
#
nat address-group 1
address xx x
#
nat address-group 2
address x x
#
nat alg h323
nat alg ils
nat alg mgcp
nat alg nbt
nat alg rsh
nat alg sccp
nat alg sip
nat alg sqlnet
nat alg tftp
nat alg xdmcp
#
dhcp enable
#
dns server 1.1.1.1
dns server 114.114.114.114
dns server 61.139.2.69
#
lldp global enable
#
password-recovery enable
#
vlan 1
#
object-group ip address 10.0.0.0
0 network subnet 10.0.0.0 255.255.0.0
#
object-group ip address x
security-zone CM
#
object-group ip address x
security-zone Trust
0 network subnet 192.168.200.0 255.255.254.0
#
object-group ip address x
0 network subnet 10.91.20.0 255.255.254.0
#
object-group ip address DHCP
description 192.168.200.0/23
security-zone Trust
0 network subnet 192.168.200.0 255.255.254.0
#
object-group ip address DMZ
description DMZ
security-zone DMZ
0 network subnet 10.91.12.0 255.255.255.0
#
object-group ip address Guest
security-zone Guest
0 network subnet 192.168.200.0 255.255.254.0
#
object-group ip address Internal_10_172
0 network subnet 10.0.0.0 255.0.0.0
10 network subnet 172.16.0.0 255.240.0.0
#
object-group ip address internet
security-zone CM
0 network host address x
#
#
object-group ip address OA
security-zone CM
0 network subnet 10.9.12.0 255.255.255.0
#
object-group ip address sslvpngw
security-zone Local
0 network host address 1x
#
object-group ip address to_dmz
20 network host address x
30 network host address 10.91.22.81
#
object-group service TCP/UDP
0 service tcp
10 service udp
#
dhcp server ip-pool 100
vpn-instance guest
gateway-list 192.168.201.254
network 192.168.200.0 mask 255.255.254.0
dns-list 114.114.114.114
expired day 0 hour 2
#
dhcp server ip-pool E113
vpn-instance guest
gateway-list 192.168.203.254
network 192.168.202.0 mask 255.255.254.0
dns-list 223.5.5.5 114.114.114.114
#
policy-based-route pbr_dmz_internet permit node 5
if-match acl 3600
apply next-hop 183.222.11.1
apply continue
#
nqa entry admin szpswancu
type icmp-echo
destination ip x
frequency 1000
history-record enable
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
#
nqa entry admin xagxwancu
type icmp-echo
description sccd_to_xagx
destination x
frequency 1000
reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
#
nqa schedule admin szpswancu start-time now lifetime forever
nqa schedule admin xagxwancu start-time now lifetime forever
#
interface NULL0
#
interface LoopBack0
ip address 10.91.0.27 255.255.255.255
#
interface GigabitEthernet1/0/0
port link-mode route
description Connect_SCCD-C#-108-E552C-63.74
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
dhcp server apply ip-pool 4000
#
interface GigabitEthernet1/0/2
port link-mode route
ip last-hop hold
#
interface GigabitEthernet1/0/3
port link-mode route
description Connect_internet_to_guest
ip binding vpn-instance guest
ip address 183.xxx 255.255.255.128
ip last-hop hold
nat outbound address-group 1 vpn-instance guest
#
interface GigabitEthernet1/0/4
port link-mode route
shutdown
#
interface GigabitEthernet1/0/5
port link-mode route
description Connect_SCCD_tunnel_XAGX_SCCD-IDC-A02-internet-S5130
ip address x 255.255.255.128
nat outbound 2501 address-group 2
nat outbound 2500 address-group 2 disable
nat server protocol tcp global current-interface 22 inside 10.91.12.11 22 description DMZ_S12.11_22
nat server protocol tcp global current-interface 1521 inside 10.91.12.12 1521 description DMZ_S12.12_1521
nat server protocol tcp global current-interface 7800 inside 10.91.12.11 7800 description DMZ_S12.11_7800
nat server protocol tcp global current-interface 8111 inside 10.91.12.11 8111 description DMZ_S12.11_8111
nat server protocol tcp global current-interface 8282 inside 10.91.12.11 8282 description DMZ_S12.11_8282
nat server protocol tcp global current-interface 8383 inside 10.91.12.11 8383 description DMZ_S12.11_8383
nat server protocol tcp global current-interface 10101 10104 inside 10.91.12.11 10101 10104 description DMZ_S12.11_10101_10104
nat server protocol tcp global current-interface 29094 inside 10.91.12.11 29094 description DMZ_S12.11_29094
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
description DMZ-OPC
ip address 10.91.12.254 255.255.255.0
ip policy-based-route pbr_dmz_internet
#
interface GigabitEthernet1/0/9
port link-mode route
#
interface GigabitEthernet1/0/10
port link-mode route
#
interface GigabitEthernet1/0/11
port link-mode route
#
interface GigabitEthernet1/0/12
port link-mode route
description Connect_guest-to-internet
ip binding vpn-instance guest
ip address 192.168.201.254 255.255.254.0
#
interface GigabitEthernet1/0/13
port link-mode route
description x
ip binding vpn-instance guest
#
interface GigabitEthernet1/0/13.4001
description Connect_E113-to-internet
ip binding vpn-instance guest
ip address 192.168.203.254 255.255.254.0
vlan-type dot1q vid 4001
#
interface GigabitEthernet1/0/13.4002
description Connect_IT_Yunwei
ip binding vpn-instance guest
ip address 10.91.0.246 255.255.255.252
vlan-type dot1q vid 4002
#
interface GigabitEthernet1/0/14
port link-mode route
#
interface GigabitEthernet1/0/15
port link-mode route
description x
bandwidth 30000
ip address x 255.255.255.252
#
interface GigabitEthernet1/0/16
port link-mode route
#
interface GigabitEthernet1/0/17
port link-mode route
#
interface GigabitEthernet1/0/18
port link-mode route
#
interface GigabitEthernet1/0/19
port link-mode route
#
interface GigabitEthernet1/0/20
port link-mode route
#
interface GigabitEthernet1/0/21
port link-mode route
#
interface GigabitEthernet1/0/22
port link-mode route
description Fw_to_Croe
ip address 10.91.0.154 255.255.255.252
ospf network-type p2p
#
interface GigabitEthernet1/0/23
port link-mode route
#
interface Tunnel1 mode gre
description Connect-XAGXwancu
mtu 1476
bandwidth 102400
ip address x 255.255.255.252
tcp mss 1436
source x
destination x
keepalive 10 3
#
interface Tunnel100 mode gre
description Connect-x
mtu 1476
shutdown
bandwidth 50000
ip address x 255.255.255.252
tcp mss 1436
source 183.222.11.7
destination 222.179.42.107
keepalive 10 3
#
interface Tunnel101 mode gre
description Connect-CU-x
mtu 1400
bandwidth 50000
ip address 1x 255.255.255.252
tcp mss 1360
source x
destination x
keepalive 10 3
#
interface SSLVPN-AC1
ip binding vpn-instance guest
ip address 10.91.5.254 255.255.255.0
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/22
#
security-zone name DMZ
import interface GigabitEthernet1/0/8
#
security-zone name Untrust
#
security-zone name Management
import interface GigabitEthernet1/0/0
#
security-zone name CM
import interface GigabitEthernet1/0/5
import interface GigabitEthernet1/0/15
import interface Tunnel1
import interface Tunnel100
import interface Tunnel101
#
security-zone name Guest
import interface GigabitEthernet1/0/12
import interface GigabitEthernet1/0/13.4001
#
security-zone name Internet
import interface GigabitEthernet1/0/3
#
security-zone name ITMGT
import interface GigabitEthernet1/0/13.4002
#
security-zone name SSLVPN
import interface SSLVPN-AC1
#
zone-pair security source Local destination Trust
packet-filter 3000
#
zone-pair security source Local destination Untrust
packet-filter 3000
#
zone-pair security source Trust destination Local
packet-filter 3000
#
zone-pair security source Trust destination Untrust
packet-filter 3000
#
zone-pair security source Untrust destination Local
packet-filter 3000
#
zone-pair security source Untrust destination Trust
packet-filter 3100
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
authentication-mode scheme
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
user-role network-admin
#
line vty 0 5
authentication-mode scheme
user-role network-admin
idle-timeout 15 0
#
line vty 6 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 172.31.200.2
ip route-static 0.0.0.0 0 172.16.62.34
ip route-static 10.0.0.0 8 172.21.255.61 track 1 preference 200 description sccd_gre_xagx
ip route-static 10.0.0.0 8 172.16.91.1 track 2 description sccd_otn_szps
ip route-static 10.62.144.86 32 172.31.200.2
ip route-static 10.62.240.1 32 172.31.200.2 preference 70
ip route-static 10.62.240.1 32 172.16.62.34
ip route-static 10.62.250.1 32 172.31.200.2
ip route-static 10.91.0.0 16 10.91.0.153
ip route-static 20.189.79.72 32 GigabitEthernet1/0/5 183.222.11.1
ip route-static 120.25.115.20 32 GigabitEthernet1/0/5 183.222.11.1
ip route-static 172.21.255.60 30 GigabitEthernet1/0/5 183.222.11.1
ip route-static 192.168.100.0 24 172.21.255.61 preference 200
ip route-static 192.168.100.0 24 172.16.91.1 track 2 description sccd_otn_szps
ip route-static 192.168.102.0 24 172.21.255.61 preference 200
ip route-static 192.168.102.0 24 172.16.91.1 track 2 description sccd_otn_szps
ip route-static 221.5.140.3 32 183.222.11.1
ip route-static 222.90.69.94 32 GigabitEthernet1/0/5 183.222.11.1
ip route-static 222.179.42.107 32 183.222.11.1
ip route-static vpn-instance guest 0.0.0.0 0 GigabitEthernet1/0/3 183.222.11.1
ip route-static vpn-instance guest 10.91.20.168 32 10.91.0.245
#
ssh server enable
ssh server compatible-ssh1x enable
ssh server port 2222
#
time-range ??Ч 07:00 to 23:59 daily
time-range ??Ч from 08:30 4/28/2024 to 23:43 4/28/2034
#
#
acl advanced 3899
rule 0 permit ip vpn-instance guest
#
acl advanced 3999
rule 0 permit ip vpn-instance guest counting
rule 5 permit icmp vpn-instance guest counting
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
identity-member user lindong
#
local-user lindong class network
password cipher $c$3$Zb7Pf6E9SgVYm9Iy5XeEIRfJ9LON+XrySOnQpV0=
service-type sslvpn
authorization-attribute acl 3999
authorization-attribute user-role network-operator
authorization-attribute sslvpn-policy-group vpngroup
identity-group system
#
pki domain pkidomain
certificate request entity certssl
public-key rsa general name sslvpnrsa length 2048
undo crl check enable
#
pki entity certssl
common-name 183.222.11.50
country it
locality it
organization-unit it
organization it
state it
#
ssl server-policy 2
pki-domain pkidomain
#
ssl client-policy 2
pki-domain pkidomain
prefer-cipher dhe_rsa_aes_256_cbc_sha rsa_aes_256_cbc_sha dhe_rsa_aes_128_cbc_sha rsa_aes_128_cbc_sha rsa_3des_ede_cbc_sha exp_rsa_des_cbc_sha rsa_des_cbc_sha rsa_rc4_128_md5 rsa_rc4_128_sha exp_rsa_rc4_md5 exp_rsa_rc2_md5
undo server-verify enable
#
session statistics enable
session state-machine mode loose
#
ipsec policy Dial 20 isakmp
#
ike proposal 60
encryption-algorithm aes-cbc-128
dh group14
authentication-algorithm sha256
#
ike keychain vpn
#
ip http enable
ip https port 8081
ip https enable
web idle-timeout 15
webui log enable
#
url-filter policy forbidden-url
default-action block-source parameter-profile url_block_default_parameter
category ???? action drop logging
add blacklist 1 host regex beamofthemoon.*com uri regex beamofthemoon.*com
#
url-filter category ???? severity 1000
rule 1 host text www.baidu.com uri text www.baidu.com
#
app-profile 6_IPv4
url-filter apply policy forbidden-url
#
inspect block-source parameter-profile ips_block_default_parameter
#
inspect block-source parameter-profile url_block_default_parameter
#
sslvpn ip address-pool sslvpnpool 10.91.5.10 10.91.5.200
#
sslvpn gateway sslvpngw
vpn-instance guest
ip address 183.222.11.50 port 13539
ssl server-policy 2
service enable
#
sslvpn context ctxip
vpn-instance guest
ssl client-policy 2
gateway sslvpngw domain wancu
ip-tunnel interface SSLVPN-AC1
ip-tunnel address-pool sslvpnpool mask 255.255.255.0
ip-tunnel dns-server primary 10.3.3.6
ip-tunnel dns-server secondary 10.46.3.6
port-forward-item 1.1.1.1_3389
local-port 3389 local-name 1.1.1.1 remote-server 10.91.20.168 remote-port 3389 description 1683389
port-forward 1
resources port-forward-item 1.1.1.1_3389
ip-route-list dcwancu
include 10.91.0.0 255.255.0.0
policy-group vpngroup
filter ip-tunnel acl 3999
ip-tunnel access-route ip-route-list dcwancu
default-policy-group vpngroup
aaa domain system
log user-login enable
max-onlines 1
force-logout max-onlines enable
service enable
#
uapp-control
policy name ?????? audit
source-address ipv4 10.0.0.0
source-address ipv4 wancu-guest
destination-address ipv4 10.0.0.0
destination-address ipv4 wancu-guest
source-zone DMZ
source-zone Local
source-zone Trust
destination-zone Untrust
service TCP/UDP
rule 1 any behavior any bhcontent any keyword include any action permit audit-logging
#
security-policy ip
rule 14 name IPForbidden_2
counting enable
vrf guest
source-zone Local
source-zone Trust
source-zone DMZ
source-zone Untrust
source-zone Management
source-zone CM
source-zone Guest
source-zone Internet
destination-zone Local
destination-zone Trust
destination-zone DMZ
destination-zone Untrust
destination-zone Management
destination-zone CM
destination-zone Guest
destination-zone Internet
destination-ip IPForbidden
destination-ip IPForbidden_20240604
rule 13 name IPForbidden
counting enable
source-zone Local
source-zone Trust
source-zone DMZ
source-zone Untrust
source-zone Management
source-zone CM
source-zone Guest
source-zone Internet
destination-zone Local
destination-zone Trust
destination-zone DMZ
destination-zone Untrust
destination-zone Management
destination-zone CM
destination-zone Guest
destination-zone Internet
destination-ip IPForbidden
destination-ip IPForbidden_20240604
rule 0 name VPN_CDHG_to_XAGX
action pass
counting enable
source-zone Local
source-zone Trust
destination-zone CM
rule 1 name VPN_XAGX_to_CDHG
action pass
counting enable
source-zone CM
destination-zone Local
destination-zone Trust
rule 2 name trust_to_Local
action pass
counting enable
source-zone Trust
source-zone Local
destination-zone Local
destination-zone Trust
rule 5 name permit_guest-to-local
action pass
logging enable
counting enable
vrf guest
source-zone guest
source-zone Local
destination-zone guest
destination-zone Local
rule 6 name permit
action pass
counting enable
profile 6_IPv4
vrf guest
source-zone Guest
destination-zone Internet
rule 9 name deny_dmz_to_cm
logging enable
counting enable
source-zone DMZ
destination-zone CM
destination-ip Internal_10_172
rule 11 name allow_dmz_to_internet
description need nat policy enable
action pass
counting enable
source-zone DMZ
destination-zone CM
rule 10 name allow_cm_to_dmz
action pass
counting enable
source-zone Trust
source-zone CM
destination-zone DMZ
source-ip to_dmz
rule 12 name allow_dmz_to_dmz
action pass
counting enable
source-zone DMZ
source-zone Local
destination-zone DMZ
destination-zone Local
rule 15 name sslvpn_internet
action pass
counting enable
vrf guest
source-zone Internet
destination-zone Local
destination-ip sslvpngw
service TCP/UDP
service ping
application 13539
rule 18 name testvpn
action pass
counting enable
vrf guest
source-zone SSLVPN
destination-zone ITMGT
destination-zone Local
rule 19 name testbvpn2
action pass
counting enable
vrf guest
source-zone ITMGT
destination-zone SSLVPN
destination-zone Local
#
ips block-source parameter-profile ips_block_default_parameter
#
return
组网及组网描述:
最佳答案
编辑答案
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
暂无评论