Topology: public-network client ----- Internet ------- F1070 ------ intranet resources (55.55.55.0/24)
On site, the client can dial into the SSL VPN successfully and also receives the pushed routes, but it cannot ping the intranet resources.
The main on-site configuration is as follows:
acl advanced 3010
rule 0 permit ip source 10.1.1.0 0.0.128.0 destination 55.55.55.0 0.0.0.255
sslvpn ip address-pool 1 10.1.1.2 10.1.1.10
sslvpn gateway ldap1
ip address 172.31.0.67 port 3000
service enable
sslvpn context ldap1
gateway ldap1
ip-tunnel interface SSLVPN-AC1
ip-tunnel address-pool 1 mask 255.255.255.0
ip-tunnel dns-server primary 114.114.114.114
ip-tunnel web-resource auto-push
ip-route-list test include 55.55.55.0 255.255.255.0
policy-group ldap1
filter ip-tunnel acl 3010
ip-tunnel access-route ip-route-list test
aaa domain ldap1
service enable
While the client was accessing the intranet, debug sslvpn error showed the following error:
<H3C>*Nov 10 22:06:50:279 2021 H3C SSLVPNK/7/SSLVPN_ERROR: IPAC: IP access not authorized. Peer address is 10.1.1.2.
Further inspection of the configuration showed that the source-address wildcard mask in authorization ACL 3010, the ACL referenced by the SSL VPN context, is not contiguous, i.e. source 10.1.1.0 0.0.128.0.
Change the wildcard mask in ACL 3010 to a contiguous one:
acl advanced 3010 rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 55.55.55.0 0.0.0.255
After the change, the public-network client can access the intranet resources once it has dialed into the SSL VPN.
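To make the root cause tangible, the following Python script (an added example, not part of the original case or any H3C tool) checks whether an ACL wildcard mask is contiguous and evaluates the ACL rule against every address in the SSL VPN address pool. It reproduces the two rules from this case exactly: with 0.0.128.0 the rule leaves no pool address 10.1.1.2 to 10.1.1.10 matched, while with 0.0.0.255 all of them are. The function names and the pool/rule values passed in are taken from the case; the helper functions themselves are assumptions of this example.

```python
import ipaddress

# Constructed from the case: the SSL VPN address pool and the two ACL 3010 variants.
POOL_START, POOL_END = "10.1.1.2", "10.1.1.10"
ACL_BEFORE = ("10.1.1.0", "0.0.128.0")   # non-contiguous wildcard (the faulty rule)
ACL_AFTER = ("10.1.1.0", "0.0.0.255")    # contiguous wildcard (the corrected rule)


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_is_contiguous(wildcard: str) -> bool:
    """A wildcard (inverse) mask is contiguous when it consists of all 0 bits
    followed by all 1 bits, i.e. its value is 2^k - 1 for some k.
    For such values w, (w & (w + 1)) is always zero."""
    w = _to_int(wildcard)
    return (w & (w + 1)) == 0


def wildcard_to_prefixlen(wildcard: str):
    """Return the equivalent prefix length for a contiguous wildcard,
    or None when the wildcard has no prefix-length equivalent."""
    if not wildcard_is_contiguous(wildcard):
        return None
    return 32 - _to_int(wildcard).bit_length()


def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """Classic ACL semantics: a bit set in the wildcard is 'don't care',
    every other bit of addr must equal the corresponding bit of base."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def pool_addresses_matched(pool_start: str, pool_end: str,
                           base: str, wildcard: str) -> list:
    """List every address of the pool that the rule 'source base wildcard' matches."""
    matched = []
    for value in range(_to_int(pool_start), _to_int(pool_end) + 1):
        addr = str(ipaddress.IPv4Address(value))
        if wildcard_matches(addr, base, wildcard):
            matched.append(addr)
    return matched


def audit_rule(base: str, wildcard: str) -> dict:
    """Summarise how a source rule behaves against the SSL VPN pool."""
    return {
        "rule": f"source {base} {wildcard}",
        "contiguous": wildcard_is_contiguous(wildcard),
        "prefixlen": wildcard_to_prefixlen(wildcard),
        "pool_matched": pool_addresses_matched(POOL_START, POOL_END, base, wildcard),
    }


if __name__ == "__main__":
    for base, wildcard in (ACL_BEFORE, ACL_AFTER):
        result = audit_rule(base, wildcard)
        print(result["rule"])
        print("  contiguous wildcard:", result["contiguous"],
              "| prefix length:", result["prefixlen"])
        print("  pool addresses matched:",
              result["pool_matched"] or "none (tunnel traffic would be denied)")
```

Running the script shows that 0.0.128.0 only frees bit 15 (the 10.1.1.0 / 10.1.129.0 pair) and therefore matches none of the pool addresses, whereas 0.0.0.255 is the /24 wildcard and matches the whole pool. The contiguity check is the one to run over any ACL that a VPN or firewall policy references, since non-contiguous wildcards are easy to mistype and rarely what was intended.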