sslvpn访问不了
- 0关注
- 0收藏,282浏览
问题描述:
dis cu
#
version 7.1.064, Ess 8560P1619
#
sysname SWPARK
#
clock timezone Beijing add 08:00:00
clock protocol ntp
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
ip pool l2tp1 172.16.90.10 172.16.90.254
#
dhcp enable
#
dns proxy enable
dns server 61.132.163.68
dns server 202.102.213.68
ip host ***.*** 192.168.200.30
ip host ***.*** 192.168.200.100
ip host ***.*** 192.168.66.56
ip host ***.*** 192.168.200.30
dns snooping log enable
dns snooping enable
#
password-recovery enable
#
vlan 1
#
vlan 10
#
vlan 20
description dev
#
vlan 90
#
object-group ip address appserver
0 network range 192.168.200.10 192.168.200.99
10 network host address 192.168.66.56
#
object-group ip address intranet
0 network subnet 192.168.0.0 255.255.0.0
#
object-group ip address l2tpaddr
0 network subnet 172.16.90.0 255.255.255.0
#
object-group service appport
0 service tcp destination range 8000 30000
#
dhcp server ip-pool vlan20dhcppool
gateway-list 192.168.66.1
network 192.168.66.0 mask 255.255.255.0
address range 192.168.66.100 192.168.66.254
dns-list 61.132.163.68 202.102.213.68
#
dhcp server ip-pool vlandhcppool
gateway-list 192.168.200.1
network 192.168.200.0 mask 255.255.255.0
address range 192.168.200.100 192.168.200.254
dns-list 61.132.163.68 202.102.213.68
#
interface Virtual-Template1
ppp authentication-mode chap
remote address pool l2tp1
ip address 172.16.90.1 255.255.255.0
#
interface NULL0
#
interface Vlan-interface10
ip address 192.168.200.1 255.255.255.0
#
interface Vlan-interface20
ip address 192.168.66.1 255.255.255.0
#
interface Vlan-interface90
ip address 192.168.90.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-mode route
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
description WAN
ip address 183.162.252.90 255.255.255.0
nat outbound 3888
nat server protocol tcp global 183.162.252.90 8090 inside 192.168.66.56 8090 rule scrm_1 description scrm_1
nat server protocol tcp global 183.162.252.90 8143 inside 192.168.200.50 8443 rule ▒▒վHTTPS description ▒▒վ▒˿▒
nat server protocol tcp global 183.162.252.90 8180 inside 192.168.200.50 8080 rule Web description ▒▒վ▒˿▒
nat server protocol tcp global 183.162.252.90 8800 inside 192.168.200.30 8800 rule ServerRule_3 description train big data
nat server protocol tcp global 183.162.252.90 9008 inside 192.168.200.10 9008 rule ServerRule_4 description crm web server
nat server protocol tcp global 183.162.252.90 9009 inside 192.168.200.10 9009 rule ServerRule_5 description crm api server
nat server protocol tcp global 183.162.252.90 9800 inside 192.168.200.30 9800 rule appserver description train web server
nat server protocol tcp global 183.163.252.90 18000 inside 192.168.90.10 18000 rule ServerRule_32 description dmz▒▒▒▒▒▒▒▒▒
manage ping inbound
manage ping outbound
ipsec apply policy swpark
gateway 183.162.252.1
#
interface GigabitEthernet1/0/2
port link-mode bridge
port access vlan 10
#
interface GigabitEthernet1/0/3
port link-mode bridge
port access vlan 10
#
interface GigabitEthernet1/0/4
port link-mode bridge
port access vlan 10
#
interface GigabitEthernet1/0/5
port link-mode bridge
port access vlan 10
#
interface GigabitEthernet1/0/6
port link-mode bridge
port access vlan 10
#
interface GigabitEthernet1/0/7
port link-mode bridge
port access vlan 10
#
interface GigabitEthernet1/0/8
port link-mode bridge
port access vlan 10
#
interface GigabitEthernet1/0/9
port link-mode bridge
port access vlan 20
#
interface GigabitEthernet1/0/10
port link-mode bridge
port access vlan 10
#
interface GigabitEthernet1/0/11
port link-mode bridge
port access vlan 10
#
interface SSLVPN-AC1
ip address 19.46.10.1 255.255.255.0
#
security-zone name Local
#
security-zone name Trust
import interface Vlan-interface10
import interface Vlan-interface20
import interface GigabitEthernet1/0/2 vlan 10
import interface GigabitEthernet1/0/4 vlan 10
import interface GigabitEthernet1/0/5 vlan 10
import interface GigabitEthernet1/0/6 vlan 10
import interface GigabitEthernet1/0/7 vlan 10
import interface GigabitEthernet1/0/8 vlan 10
import interface GigabitEthernet1/0/9 vlan 20
import interface GigabitEthernet1/0/10 vlan 10
import interface GigabitEthernet1/0/11 vlan 10
#
security-zone name DMZ
import interface Vlan-interface90
import interface GigabitEthernet1/0/3 vlan 90
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
import interface SSLVPN-AC1
#
security-zone name Management
import interface GigabitEthernet1/0/0
#
security-zone name vpn
import interface Virtual-Template1
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
authentication-mode scheme
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
info-center loghost 127.0.0.1 port 3301 format default
info-center loghost locate-info with-sn
info-center source CFGLOG loghost level informational
#
customlog format dpi url-filter
customlog format dpi ips
customlog format dpi anti-virus
customlog format dpi reputation
customlog format dns
customlog timestamp localtime
customlog with-sn
#
snmp-agent
snmp-agent local-engineid 800063A280F4E9755896AA00000001
snmp-agent sys-info location Hefei software Park
snmp-agent sys-info version v3
#
performance-management
#
ssh server enable
#
arp ip-conflict log prompt
#
ntp-service enable
ntp-service source GigabitEthernet1/0/1
ntp-service unicast-peer 120.25.115.20 version 1
#
acl advanced 3001
rule 0 permit ip source 19.46.10.0 0.0.0.255 destination 192.168.200.0 0.0.0.255
#
acl advanced 3888
rule 0 deny ip source 192.168.200.0 0.0.0.255 destination 192.168.0.0 0.0.127.255
rule 5 permit ip
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
role name USER
description only_read
rule 1 permit read web-menu m_monitor/m_atklog/m_blacklistlog
rule 2 permit read web-menu m_monitor/m_atklog/m_singleatk
rule 3 permit read web-menu m_monitor/m_atklog/m_scanatk
rule 4 permit read web-menu m_monitor/m_atklog/m_floodatk
rule 5 permit read web-menu m_monitor/m_atklog/m_threatlog
rule 6 permit read web-menu m_monitor/m_atklog/m_urllog
rule 7 permit read web-menu m_monitor/m_atklog/m_filefilterlog
rule 8 permit read web-menu m_monitor/m_atklog/m_zonepairlog
rule 9 permit read web-menu m_monitor/m_auditlogs/m_auditimchatlog
rule 10 permit read web-menu m_monitor/m_auditlogs/m_auditcommunitylog
rule 11 permit read web-menu m_monitor/m_auditlogs/m_auditsearchenginelog
rule 12 permit read web-menu m_monitor/m_auditlogs/m_auditmaillog
rule 13 permit read web-menu m_monitor/m_auditlogs/m_auditfiletransferlog
rule 14 permit read web-menu m_monitor/m_auditlogs/m_auditrelaxstocklog
rule 15 permit read web-menu m_monitor/m_auditlogs/m_auditotherapplog
rule 16 permit read web-menu m_monitor/m_monitorlog/m_trafficlog
rule 17 permit read web-menu m_monitor/m_rank/m_trafficrank
rule 18 permit read web-menu m_monitor/m_rank/m_threadrank
rule 19 permit read web-menu m_monitor/m_rank/m_urlfilterrank
rule 20 permit read web-menu m_monitor/m_rank/m_ffilterrank
rule 21 permit read web-menu m_monitor/m_rank/m_securityaudit
rule 22 permit read web-menu m_monitor/m_rank/m_lb_linkreport
rule 23 permit read web-menu m_monitor/m_rank/m_lb_dnsproxyreport
rule 24 permit read web-menu m_monitor/m_trend/m_traffictrend
rule 25 permit read web-menu m_monitor/m_trend/m_threadtrend
rule 26 permit read web-menu m_monitor/m_trend/m_urlfiltertrend
rule 27 permit read web-menu m_monitor/m_trend/m_ffiltertrend
rule 28 permit read web-menu m_monitor/m_report
rule 29 permit read web-menu m_monitor/m_session
rule 30 permit read web-menu m_monitor/m_lbsessioninfo
rule 31 permit read web-menu m_monitor/m_userinfocenter
rule 32 permit read web-menu m_monitor/m_lb_dnscaches
rule 33 permit read web-menu m_monitor/m_online/m_ipv4user
rule 34 permit read web-menu m_monitor/m_online/m_ipv6user
rule 35 permit read web-menu m_policy/m_firewall/m_secpolicy
rule 36 permit read web-menu m_policy/m_firewall/m_redundancyrules
rule 37 permit read web-menu m_policy/m_firewall/m_targetpolicy
rule 38 permit read web-menu m_policy/m_firewall/m_appoptimited
rule 39 permit read web-menu m_policy/m_attackdefense/m_atkpolicy
rule 40 permit read web-menu m_policy/m_attackdefense/m_clientverifyprotectip
rule 41 permit read web-menu m_policy/m_attackdefense/m_blacklistmanual
rule 42 permit read web-menu m_policy/m_attackdefense/m_whitelistmanual
rule 43 permit read web-menu m_policy/m_attackdefense/m_clientverifyzone
rule 44 permit read web-menu m_policy/m_attackdefense/m_connlimitpolicies
rule 45 permit read web-menu m_policy/m_attackdefense/m_urpf
rule 46 permit read web-menu m_policy/m_attackdefense/m_iplimit
rule 47 permit read web-menu m_policy/m_threatintelligence/m_ipreputation
rule 48 permit read web-menu m_policy/m_nat/m_natglobalpolicy
rule 49 permit read web-menu m_policy/m_nat/m_natoutboundconfig
rule 50 permit read web-menu m_policy/m_nat/m_natserverconfig
rule 51 permit read web-menu m_policy/m_nat/m_natstaticchange
rule 52 permit read web-menu m_policy/m_nat/m_natoutbound444config
rule 53 permit read web-menu m_policy/m_nat/m_natoutboundstatic444config
rule 54 permit read web-menu m_policy/m_nat/m_natsettings
rule 55 permit read web-menu m_policy/m_nat66/m_nat66transprefix
rule 56 permit read web-menu m_policy/m_aft/m_aftaddrgrp
rule 57 permit read web-menu m_policy/m_aft/m_aftnat64
rule 58 permit read web-menu m_policy/m_aft/m_aftoutbound
rule 59 permit read web-menu m_policy/m_aft/m_aftset
rule 60 permit read web-menu m_policy/m_appaudit/m_auditpolicy
rule 61 permit read web-menu m_policy/m_appaudit/m_keywordgroups
rule 62 permit read web-menu m_policy/m_bandwidthmanagement/m_bandwidthpolicy
rule 63 permit read web-menu m_policy/m_bandwidthmanagement/m_bandwidthchannel
rule 64 permit read web-menu m_policy/m_bandwidthmanagement/m_interfacebandwidth
rule 65 permit read web-menu m_policy/m_loadbalance/m_lb_globalconfig
rule 66 permit read web-menu m_policy/m_loadbalance/m_lb_link
rule 67 permit read web-menu m_policy/m_netshare/m_netsharepolicy
rule 68 permit read web-menu m_policy/m_netshare/m_netsharestatus
rule 69 permit read web-menu m_policy/m_scd
rule 70 permit read web-menu m_policy/m_proxymanagement/m_proxypolicy
rule 71 permit read web-menu m_policy/m_proxymanagement/m_whitelisthostname
rule 72 permit read web-menu m_policy/m_proxymanagement/m_sslcertificate
rule 73 permit read web-menu m_resource/m_healthmonitor
rule 74 permit read web-menu m_resource/m_user/m_usercontrol
rule 75 permit read web-menu m_resource/m_user/m_authentication
rule 76 permit read web-menu m_resource/m_user/m_access
rule 77 permit read web-menu m_resource/m_dpi/m_ipscfg
rule 78 permit read web-menu m_resource/m_dpi/m_antiviruscfg
rule 79 permit read web-menu m_resource/m_dpi/m_dfltcfg
rule 80 permit read web-menu m_resource/m_dpi/m_ufltcfg
rule 81 permit read web-menu m_resource/m_dpi/m_ffltcfg
rule 82 permit read web-menu m_resource/m_dpi/m_apprecognition
rule 83 permit read web-menu m_resource/m_dpi/m_securityaction
rule 84 permit read web-menu m_resource/m_dpi/m_dpicfg
rule 85 permit read web-menu m_resource/m_objectgroup/m_ipv4objectgroup
rule 86 permit read web-menu m_resource/m_objectgroup/m_ipv6objectgroup
rule 87 permit read web-menu m_resource/m_objectgroup/m_macobjectgroup
rule 88 permit read web-menu m_resource/m_objectgroup/m_serviceobjectgroup
rule 89 permit read web-menu m_resource/m_objectgroup/m_timerange
rule 90 permit read web-menu m_resource/m_acl/m_ipv4acl
rule 91 permit read web-menu m_resource/m_acl/m_ipv6acl
rule 92 permit read web-menu m_resource/m_acl/m_macacl
rule 93 permit read web-menu m_resource/m_ssl/m_sslserver
rule 94 permit read web-menu m_resource/m_ssl/m_sslclient
rule 95 permit read web-menu m_resource/m_ssl/m_ssladvancesettiing
rule 96 permit read web-menu m_resource/m_publickey/m_publickeylocal
rule 97 permit read web-menu m_resource/m_publickey/m_publickeypeer
rule 98 permit read web-menu m_resource/m_pki_cert/m_pki
rule 99 permit read web-menu m_resource/m_pki_cert/m_certificatepolicy
rule 100 permit read web-menu m_resource/m_pki_cert/m_certificatesubject
rule 101 permit read web-menu m_network/m_vrf
rule 102 permit read web-menu m_network/m_if/m_interface
rule 103 permit read web-menu m_network/m_if/m_inlineall
rule 104 permit read web-menu m_network/m_if/m_collaborations
rule 105 permit read web-menu m_network/m_seczone
rule 106 permit read web-menu m_network/m_link/m_vlan
rule 107 permit read web-menu m_network/m_link/m_mac_sum
rule 108 permit read web-menu m_network/m_dns_sum/m_dnshosts
rule 109 permit read web-menu m_network/m_dns_sum/m_dns
rule 110 permit read web-menu m_network/m_dns_sum/m_ddns
rule 111 permit read web-menu m_network/m_dns_sum/m_dnsadvance
rule 112 permit read web-menu m_network/m_arp
rule 113 permit read web-menu m_network/m_nd
rule 114 permit read web-menu m_network/m_vpn/m_gre
rule 115 permit read web-menu m_network/m_vpn/m_ipsec
rule 116 permit read web-menu m_network/m_vpn/m_advpn
rule 117 permit read web-menu m_network/m_vpn/m_l2tp
rule 118 permit read web-menu m_network/m_sslvpn/m_sslvpn_context
rule 119 permit read web-menu m_network/m_sslvpn/m_sslvpn_gateway
rule 120 permit read web-menu m_network/m_sslvpn/m_sslvpn_ipv4addrpool
rule 121 permit read web-menu m_network/m_sslvpn/m_sslvpn_acif
rule 122 permit read web-menu m_network/m_sslvpn/m_sslvpn_globalconfig
rule 123 permit read web-menu m_network/m_sslvpn/m_sslvpn_tempmanagement
rule 124 permit read web-menu m_network/m_sslvpn/m_sslvpn_statistics
rule 125 permit read web-menu m_network/m_routing/m_routingtable
rule 126 permit read web-menu m_network/m_routing/m_staticrouting
rule 127 permit read web-menu m_network/m_routing/m_policyrouting
rule 128 permit read web-menu m_network/m_routing/m_ospf
rule 129 permit read web-menu m_network/m_routing/m_bgp
rule 130 permit read web-menu m_network/m_routing/m_rip
rule 131 permit read web-menu m_network/m_dhcp/m_dhcpservice
rule 132 permit read web-menu m_network/m_dhcp/m_dhcppool
rule 133 permit read web-menu m_network/m_ipservice/m_http
rule 134 permit read web-menu m_network/m_ipservice/m_ssh
rule 135 permit read web-menu m_network/m_ipservice/m_ntp
rule 136 permit read web-menu m_network/m_ipservice/m_ftp
rule 137 permit read web-menu m_network/m_ipservice/m_telnet
rule 138 permit read web-menu m_network/m_secaccess/m_macauth
rule 139 permit read web-menu m_network/m_secaccess/m_ipauth
rule 140 permit read web-menu m_device/m_diagnosis/m_ping
rule 141 permit read web-menu m_device/m_diagnosis/m_tracert
#
user-group l2tp_user
identity-member user hjvpn
#
user-group system
#
local-user admin class manage
password hash $h$6$2zvG5s1NWlVie8NF$GGTBs8y27eJL7hWdIx9F3KUXCgwyunDiReVzYK+moHpUkKBUwno8cFluNbe4CzniyrpdT52qLEGZ+2EKt0XIAw==
service-type ssh telnet terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user guest class manage
password hash $h$6$msJbFfCQP0VgeSDr$Rp9rUn4VTpWJx6xC4WoiMWS21a1TEjAiJ9oIdlvnUw/vn+vfMnK00F7BsRxrfSo/MFP24TytoRFhrAvzHXsXSw==
service-type http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user user class manage
password hash $h$6$AflEmVHxFvIU+r7/$5tSzDJVGn8vX0sO9J5hI2yMSCHt8CEl1CVVBqZ+cocLV2SGjCwBZ/JvKKKgL+DrTqtl2BFPs0g04PEG0CwNNrw==
service-type telnet http https
authorization-attribute work-directory slot1#flash:
authorization-attribute user-role USER
#
local-user hjvpn class network
password cipher $c$3$PZU/Uziu7ihs2DE4wE1A7hESqe2FET82MiR1b4YChQ==
service-type ppp
group l2tp_user
authorization-attribute user-role network-operator
identity-group l2tp_user
#
local-user test class network
password cipher $c$3$G5NjTM3P6/qyE1vPauY/J50uOANXkskCuw==
service-type sslvpn
authorization-attribute user-role network-operator
authorization-attribute sslvpn-policy-group 1
#
ssl renegotiation disable
ssl version ssl3.0 disable
ssl version tls1.0 disable
#
ipsec logging negotiation enable
#
ipsec transform-set swpark_IPv4_10
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec policy-template swpark 10
transform-set swpark_IPv4_10
local-address 183.162.252.90
ike-profile swpark_IPv4_10
#
ipsec policy swpark 10 isakmp template swpark
#
l2tp-group 1 mode lns
allow l2tp virtual-template 1
undo tunnel authentication
#
l2tp enable
#
apr signature auto-update
update schedule daily start-time 02:00:00 tingle 120
#
ike logging negotiation enable
#
ike profile swpark_IPv4_10
keychain swpark_IPv4_10
dpd interval 60 retry 17 periodic
exchange-mode aggressive
local-identity fqdn ***.***
match remote identity address 0.0.0.0 0.0.0.0
match remote identity fqdn ***.***
match remote identity fqdn ***.***
match remote identity fqdn ***.***
match remote identity fqdn ***.***
match remote identity fqdn ***.***
match local address GigabitEthernet1/0/1
proposal 1
#
ike proposal 1
authentication-algorithm md5
#
ike keychain swpark_IPv4_10
match local address GigabitEthernet1/0/1
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$c1nLLa7M9luIAtIjIxdXsNVT4DDxQ3YhGg==
#
netconf soap http enable
netconf soap https enable
restful http enable
restful https enable
#
ip http port 1080
ip https port 1443
ip http enable
ip https enable
#
blacklist global enable
#
url-filter policy url
cloud-query enable
https-filter enable
default-action permit logging
category Pre-3C action permit logging
category Pre-Abortion action permit logging
category Pre-AdultPlace action permit logging
category Pre-AdultSuppliers action permit logging
category Pre-Advertisement action permit logging
category Pre-Airplanes action permit logging
category Pre-Alcohol action permit logging
category Pre-Anime action permit logging
category Pre-Arts action permit logging
category Pre-Automobiles action permit logging
category Pre-Bank action permit logging
category Pre-BooksDownload action permit logging
category Pre-Botnet action permit logging
category Pre-Business action permit logging
category Pre-CharityAndPublicInterest action permit logging
category Pre-ChildAbuse action permit logging
category Pre-Clothes action permit logging
category Pre-Community action permit logging
category Pre-CriminalActivity action permit logging
category Pre-Cult action permit logging
category Pre-Discrimination action permit logging
category Pre-Divining action permit logging
category Pre-DomainAndIDCServices action permit logging
category Pre-Drugs action permit logging
category Pre-EcologyAndDevelopmentAndEnergy action permit logging
category Pre-EducationInformation action permit logging
category Pre-Email action permit logging
category Pre-EmigrationAndGoingAbroad action permit logging
category Pre-Entertainment action permit logging
category Pre-EnvironmentalProtection action permit logging
category Pre-ExpressageAndLogistics action permit logging
category Pre-FilmAndMusicDownload action permit logging
category Pre-Food action permit logging
category Pre-Forum action permit logging
category Pre-Gamble action permit logging
category Pre-Game action permit logging
category Pre-GeneralWebsite action permit logging
category Pre-GovernmentalDepartments action permit logging
category Pre-Greetingcards action permit logging
category Pre-GuideAndTravelNotes action permit logging
category Pre-Hacking action permit logging
category Pre-HealthCare action permit logging
category Pre-HigherEducation action permit logging
category Pre-HistoryAndCulture action permit logging
category Pre-Hobby action permit logging
category Pre-Homosexual action permit logging
category Pre-HouseholdDecoration action permit logging
category Pre-Housekeeping action permit logging
category Pre-HttpProxy action permit logging
category Pre-HumanRightsAndDemocracyIssue action permit logging
category Pre-IllegalSoftware action permit logging
category Pre-IndustryAndAgriculture action permit logging
category Pre-InformationSecurity action permit logging
category Pre-Insurance action permit logging
category Pre-Jewelry action permit logging
category Pre-Job action permit logging
category Pre-Laws action permit logging
category Pre-LearningResources action permit logging
category Pre-Lingerie action permit logging
category Pre-Literature action permit logging
category Pre-LiveShow action permit logging
category Pre-Lottery action permit logging
category Pre-Make-upAndCosmetics action permit logging
category Pre-MaliciousURL action permit logging
category Pre-ManageFinances action permit logging
category Pre-MarriageAndDating action permit logging
category Pre-MaterialAndFurniture action permit logging
category Pre-MedicalCare action permit logging
category Pre-Medicine action permit logging
category Pre-MentalHealth action permit logging
category Pre-MicroBlog action permit logging
category Pre-Military action permit logging
category Pre-MotorcyclesAndBicycles action permit logging
category Pre-Move action permit logging
category Pre-Music action permit logging
category Pre-NavigationWebsite action permit logging
category Pre-NetLoan action permit logging
category Pre-NetworkCommunication action permit logging
category Pre-News action permit logging
category Pre-Nudity action permit logging
category Pre-OnlineBroadcast action permit logging
category Pre-OnlineChat action permit logging
category Pre-OnlineMusic action permit logging
category Pre-OnlinePayment action permit logging
category Pre-OnlineShopping action permit logging
category Pre-OnlineStorage action permit logging
category Pre-OnlineVideo action permit logging
category Pre-OrdinaryPlace action permit logging
category Pre-Other action permit logging
category Pre-OtherAdult action permit logging
category Pre-OtherDownload action permit logging
category Pre-OtherFashion action permit logging
category Pre-OtherFinance action permit logging
category Pre-OthersLife action permit logging
category Pre-P2PApp action permit logging
category Pre-ParkedDomain action permit logging
category Pre-PersonalSites action permit logging
category Pre-PetAndAnimal action permit logging
category Pre-Phishing action permit logging
category Pre-PictureDownload action permit logging
category Pre-PictureShare action permit logging
category Pre-Politics action permit logging
category Pre-Pornography action permit logging
category Pre-PregnancyAndParenting action permit logging
category Pre-PreSchoolEducation action permit logging
category Pre-PrimaryAndMiddleEducation action permit logging
category Pre-PropertyDeveloper action permit logging
category Pre-RealEstateInformation action permit logging
category Pre-Religion action permit logging
category Pre-SchoolCheating action permit logging
category Pre-ScientificResearch action permit logging
category Pre-SearchEngineAndPortal action permit logging
category Pre-Service action permit logging
category Pre-SexualHealth action permit logging
category Pre-Ships action permit logging
category Pre-ShoppingGuide action permit logging
category Pre-SocialIssue action permit logging
category Pre-SoftwareDownload action permit logging
category Pre-SoftwareTechnologies action permit logging
category Pre-SoftwareUpdate action permit logging
category Pre-Spam action permit logging
category Pre-SpecialFieldOrganization action permit logging
category Pre-SpecialIndustries action permit logging
category Pre-Sports action permit logging
category Pre-Suicide action permit logging
category Pre-Tattoos action permit logging
category Pre-TeenagersAndChildren action permit logging
category Pre-Ticket action permit logging
category Pre-TicketAndHotel action permit logging
category Pre-Tobacco action permit logging
category Pre-Toys action permit logging
category Pre-TrainingInstitutions action permit logging
category Pre-TranslationBypass action permit logging
category Pre-TravelGuide action permit logging
category Pre-VehicleRent action permit logging
category Pre-VideoConference action permit logging
category Pre-Violence action permit logging
category Pre-VOIP action permit logging
category Pre-Vulgar action permit logging
category Pre-Weapons action permit logging
url-reputation enable
#
url-filter signature auto-update
update schedule daily start-time 02:00:00 tingle 120
#
ips signature auto-update
update schedule daily start-time 02:00:00 tingle 120
#
app-profile 0_IPv4
ips apply policy ips mode protect
anti-virus apply policy av mode protect
#
inspect logging parameter-profile av_logging_default_parameter
undo log syslog
#
inspect logging parameter-profile ips_logging_default_parameter
undo log syslog
log language chinese
#
inspect logging parameter-profile url_logging_default_parameter
#
inspect email parameter-profile mailsetting_default_parameter
undo authentication enable
#
sslvpn ip address-pool sslvpn-pool 19.46.10.2 19.46.10.254
#
sslvpn gateway wangguan
ip address 183.162.252.90 port 1205
service enable
#
sslvpn context sslvpn
gateway wangguan
ip-tunnel interface SSLVPN-AC1
ip-tunnel address-pool sslvpn-pool mask 255.255.255.0
ip-route-list luyou
include 192.168.200.0 255.255.255.0
policy-group 1
filter ip-tunnel acl 3001
ip-tunnel access-route ip-route-list luyou
ip-tunnel address-pool sslvpn-pool mask 255.255.255.0
force-logout max-onlines enable
service enable
#
ip-reputation
global enable
#
security-policy ip
rule 4 name IPsec_swpark_10_20230616143103_IN
parent-group vpn
action pass
destination-zone Local
service ike
service nat-t-ipsec
service ipsec-ah
service ipsec-esp
rule 5 name l2tp
parent-group vpn
description l2tp
action pass
source-zone vpn
destination-zone Local
destination-zone Trust
source-ip l2tpaddr
destination-ip intranet
rule 6 name l2tpdial
parent-group vpn
action pass
source-zone Untrust
destination-zone Local
service l2tp
rule 0 name Security_policy_0
action pass
profile 0_IPv4
source-zone Local
source-zone Untrust
destination-zone Local
destination-zone Trust
source-ip-host 125.124.219.163
rule 3 name appserver
parent-group haojing
action pass
destination-zone Trust
destination-ip appserver
service appport
rule 2 name internet
parent-group haojing
action pass
source-zone Local
source-zone Trust
rule 8 name Intranet
parent-group haojing
action pass
source-ip intranet
destination-ip intranet
rule 7 name test
action pass
disable
group name vpn from IPsec_swpark_10_20230616143103_IN to l2tpdial
group name haojing from appserver to Intranet
#
dac log-collect service dpi reputation enable
#
ips policy ips
severity-level medium high critical
#
ips logging parameter-profile ips_logging_default_parameter
#
anti-virus policy av
inspect smtp action block
inspect pop3 action block
cloud-query enable
#
anti-virus signature auto-update
update schedule daily start-time 02:00:00 tingle 120
#
anti-virus logging parameter-profile av_logging_default_parameter
#
url-reputation signature auto-update
update schedule daily start-time 02:00:00 tingle 120
#
domain-reputation
global enable
#
domain-reputation signature auto-update
update schedule daily start-time 02:00:00 tingle 120
#
ip-reputation signature auto-update
update schedule daily start-time 02:00:00 tingle 120
#
cloud-management server domain ***.***
#
return
组网及组网描述:
- 2025-08-01提问
- 举报
-
(0)
先进入你拨号成功的客户单
cmd中输入
Route print
看下访问你sslvpn资源段的路由是否已经生效
如果生效了就不是配置问题,去找对应资源服务器去,可能是他们没有写具体的回程路由
- 2025-08-01回答
- 评论(0)
- 举报
-
(0)
拨号有没有成功,有没有获取到地址?
- 2025-08-01回答
- 评论(1)
- 举报
-
(0)
SSL VPN连接后无法访问内部资源,以下是排查要点,请参考: 1、检查SSL VPN网关是否有将SSL VPN网段在路由内向内网发布。 2、检查SSL VPN的资源控制策略是否做了限制。 3、检查内部网络是否有去往SSL VPN网关的路由。
SSL VPN连接后无法访问内部资源,以下是排查要点,请参考: 1、检查SSL VPN网关是否有将SSL VPN网段在路由内向内网发布。 2、检查SSL VPN的资源控制策略是否做了限制。 3、检查内部网络是否有去往SSL VPN网关的路由。
编辑答案
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明