# NAT address pool 100 ("Internet-IP"): the public range 219.149.155.102-103,
# consumed by "nat outbound 2000 address-group 100" on Vlan-interface1000.
# NOTE(review): 219.149.155.102 is also the listening address of sslvpn gateway
# GW_1 in this config; confirm that sharing it with the outbound NAT pool is intended.
nat address-group 100 name Internet-IP
address 219.149.155.102 219.149.155.103
#
# VLAN 1000 is labelled as the Internet-facing segment; VLAN 1001 is labelled "To_H3c"
# and backs Vlan-interface1001, which is imported into the Trust zone.
vlan 1000
description To_Internet
#
vlan 1001
description To_H3c
#
# Address group for the firewall's own outside addresses: 100.155.123.204 is the
# primary address of Vlan-interface1000 and 219.149.155.102 is the sslvpn gateway
# address. Used as destination-ip in rules Permit_VPN and VPN-IP_To_FW.
object-group ip address Internet-IP_204
0 network host address 100.155.123.204
10 network host address 219.149.155.102
#
#
# Address group for the SSL VPN client subnet (same network as interface SSLVPN-AC1
# and the "sslvpn" address pool), bound to security zone Untrust.
object-group ip address SSLVPN-AC1
security-zone Untrust
0 network subnet 192.168.255.0 255.255.255.0
#
# Service group with a single entry: TCP destination port 65535, the port GW_1 listens on.
object-group service VPN-PORT-65535
0 service tcp destination range 65535 65535
#
interface NULL0
#
# Outside interface: primary 100.155.123.204/24, secondary 219.149.155.101/26.
# It carries two source-NAT statements: a bare "nat outbound" (no ACL, no pool) and
# "nat outbound 2000 address-group 100" for sources matched by ACL 2000.
# NOTE(review): the sslvpn gateway address 219.149.155.102 falls inside the secondary
# subnet but is not configured on any interface shown here (it appears only in NAT
# address-group 100) - confirm the device actually answers on that address.
interface Vlan-interface1000
description To_Internet
ip address 100.155.123.204 255.255.255.0
ip address 219.149.155.101 255.255.255.192 sub
nat outbound
nat outbound 2000 address-group 100
#
# Inside interface (imported into the Trust zone), 172.18.1.254/27.
interface Vlan-interface1001
description To_H3c
ip address 172.18.1.254 255.255.255.224
#
#
# Tunnel-side interface for SSL VPN clients, referenced by "ip-tunnel interface" in
# context sslvpn_1; 192.168.255.254/24 sits above the client pool 192.168.255.1-250.
interface SSLVPN-AC1
ip address 192.168.255.254 255.255.255.0
#
interface vSys-interface1
#
# Zone membership. Local and DMZ have no imported interfaces in this excerpt.
security-zone name Local
#
# Trust: the inside L3 interface plus two physical ports on VLAN 1001.
security-zone name Trust
import interface Vlan-interface1001
import interface Ten-GigabitEthernet1/2/1/4 vlan 1001
import interface Ten-GigabitEthernet1/2/1/7 vlan 1001
#
security-zone name DMZ
#
# Untrust holds both the Internet-facing interface and the SSL VPN tunnel interface.
# Ten-GigabitEthernet1/2/1/7 appears in Trust (vlan 1001) and Untrust (vlan 1000).
# NOTE(review): because authenticated VPN users and raw Internet traffic share this
# zone, rules VPN_To_Lan and VPN-IP_To_FW can only tell them apart by source address
# (192.168.255.0/24). A dedicated zone for SSLVPN-AC1 would let the policy match on
# zone instead, and is easier to audit.
security-zone name Untrust
import interface SSLVPN-AC1
import interface Vlan-interface1000
import interface Ten-GigabitEthernet1/2/1/7 vlan 1000
#
security-zone name Management
import interface M-GigabitEthernet1/0/0/0
#
# Size limit for the scheduler log file.
scheduler logfile size 16
#
# Two static default routes out of Vlan-interface1000, one next hop in each outside
# subnet (100.155.123.0/24 and 219.149.155.64/26). Neither sets a preference.
# NOTE(review): with both defaults installed, replies sourced from the sslvpn gateway
# address 219.149.155.102 could presumably leave towards 100.155.123.1 - verify the
# return path for VPN traffic.
ip route-static 0.0.0.0 0 Vlan-interface1000 100.155.123.1
ip route-static 0.0.0.0 0 Vlan-interface1000 219.149.155.65
# ACL 2000 selects the sources translated by "nat outbound 2000 address-group 100".
# The wildcard 0.255.255.255 makes this 172.0.0.0/8.
# NOTE(review): that is wider than the RFC 1918 block 172.16.0.0/12; only
# 172.18.1.224/27 is visible as an inside network here - confirm the intended range.
acl basic 2000
description To_Internet
rule 0 permit source 172.0.0.0 0.255.255.255
#
# ACL 3001 is the ip-tunnel filter of sslvpn policy-group Manager_1.
# "permit ip" matches every IP packet, so this filter places no limit on what a VPN
# user can reach through the tunnel; any restriction has to come from the security
# policy rules. Listing only the required destinations and ports here would give the
# VPN a second, independent control.
acl advanced 3001
rule 0 permit ip
# Local account for SSL VPN login only (service-type sslvpn), with role
# network-operator and bound to sslvpn policy-group Manager_1.
# NOTE(review): "password cipher" stores the password as ciphertext rather than a
# one-way hash, so it is presumably recoverable. The string below has been posted on
# a public page together with the gateway address and port - treat this password as
# exposed and change it.
# NOTE(review): only password authentication is visible in this excerpt; no second
# factor or certificate requirement is shown.
local-user Manager_1 class network
password cipher $c$3$OQR/lz0SK3g/pZsOJ0iWHIh2r3jXKMej
service-type sslvpn
authorization-attribute user-role network-operator
authorization-attribute sslvpn-policy-group Manager_1
#
# Client address pool "sslvpn": 192.168.255.1-250, handed out via context sslvpn_1.
sslvpn ip address-pool sslvpn 192.168.255.1 192.168.255.250
#
# SSL VPN gateway GW_1 listens on 219.149.155.102, TCP port 65535 (the port permitted
# by service group VPN-PORT-65535 in rule Permit_VPN).
# NOTE(review): no "ssl server-policy" line is shown under the gateway, so the
# certificate and TLS settings in use cannot be seen here; presumably the device
# default applies - confirm, and prefer an explicit policy with a trusted certificate.
sslvpn gateway GW_1
ip address 219.149.155.102 port 65535
service enable
#
#
# SSL VPN context sslvpn_1: ties gateway GW_1 to the IP-tunnel (layer-3) access
# settings and to policy-group Manager_1.
sslvpn context sslvpn_1
gateway GW_1
ip-tunnel interface SSLVPN-AC1
ip-tunnel address-pool sslvpn mask 255.255.255.0
# Clients are given public resolvers (114.114.114.114, 8.8.8.8). Neither lies inside
# the tunnelled route below, so client DNS queries presumably stay outside the tunnel.
ip-tunnel dns-server primary 114.114.114.114
ip-tunnel dns-server secondary 8.8.8.8
# Split-tunnel route list pushed to clients: 172.0.0.0/8.
# NOTE(review): this is wider than RFC 1918 172.16.0.0/12, so clients would also send
# traffic for public 172.x.x.x destinations into the tunnel - confirm the range.
ip-route-list Manager_1
include 172.0.0.0 255.0.0.0
# Policy group assigned to local-user Manager_1. Its tunnel filter is ACL 3001
# ("permit ip"), i.e. no per-user restriction at the SSL VPN layer.
policy-group Manager_1
filter ip-tunnel acl 3001
ip-tunnel access-route ip-route-list Manager_1
# Login and resource-access logging are both enabled for this context.
log user-login enable
log resource-access enable
# Connection limit of 1000 (presumably per session - confirm against the command reference).
session-connections 1000
service enable
#
# Security-policy rules. The enclosing policy header and the object groups Lan-IP and
# FW-Lan_IP are not part of this excerpt. Every rule has logging and counting enabled.
#
# Rule 0: inside hosts (Lan-IP) from Trust to Untrust, any service.
rule 0 name Lan_to_Internet
action pass
logging enable
counting enable
source-zone Trust
destination-zone Untrust
source-ip Lan-IP
# Rule 1: lets any Untrust source reach the firewall itself (Local) on the two
# addresses in Internet-IP_204, TCP port 65535 only. This is the exposure needed for
# the SSL VPN gateway.
rule 1 name Permit_VPN
action pass
logging enable
counting enable
source-zone Untrust
destination-zone Local
destination-ip Internet-IP_204
service VPN-PORT-65535
# Rule 2: VPN client subnet to Lan-IP. No service line is present, so every protocol
# and port is allowed. Together with ACL 3001 ("permit ip") this gives VPN users
# unrestricted access to Lan-IP.
# NOTE(review): the source is identified only by address within the shared Untrust
# zone; consider adding service restrictions and a dedicated zone for SSLVPN-AC1.
rule 2 name VPN_To_Lan
action pass
logging enable
counting enable
source-zone Untrust
destination-zone Trust
source-ip SSLVPN-AC1
destination-ip Lan-IP
# Rule 3: VPN client subnet to the firewall itself (FW-Lan_IP and Internet-IP_204),
# again with no service line.
# NOTE(review): this opens every service the device runs on those addresses to VPN
# users; restrict it to the management protocols actually needed.
rule 3 name VPN-IP_To_FW
action pass
logging enable
counting enable
source-zone Untrust
destination-zone Local
source-ip SSLVPN-AC1
destination-ip FW-Lan_IP
destination-ip Internet-IP_204
# Rule 20: catch-all with no match conditions. No action line is shown; presumably it
# relies on the default action being drop - confirm on the device.
rule 20 name Deny_Any_to_Any
logging enable
counting enable
#
客户端连接时报错：查询 SSL VPN 网关参数失败