
F1020 firewall: configuring SSL VPN causes other computers on the internal network to lose connectivity

Asked 2021-06-07
  • 0 followers
  • 1 favorite, 1376 views
Fans: 0  Following: 2

Problem description:

My public address is 222.92.222.34. I want customers to reach my internal server by dialing in with the SSL VPN client. The internal server is in VLAN 9, whose address range is 192.168.9.2-192.168.9.254. Below is my configuration; I don't know where it is wrong. After configuring it, customers cannot get in by entering the IP 222.92.222.34, and the other computers in my internal 9 segment can no longer access the internet either.

#
 version 7.1.064, Release
#
 sysname FW
#
context Admin id 1
#
ip vpn-instance nei
#
 telnet server enable
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 1
#
 security-zone intra-zone default permit
#
 nat static outbound 192.168.9.161 222.92.222.34
#
 dhcp enable
#
 dns server 61.177.7.1
 dns server 223.5.5.5
 dns server 114.114.114.114
 dns server 61.177.7.1 vpn-instance nei
 dns server 223.5.5.5 vpn-instance nei
 dns server 114.114.114.114 vpn-instance nei
 ip host 22 222.92.222.34
 ip host 223 223.5.5.5
 ip host 61 61.177.7.1
 ip host 61 61.177.7.1 vpn-instance nei
#
 password-recovery enable
#
vlan 1
#
object-group ip address MES系统服务器
 0 network host address 192.168.4.132
#
object-group ip address SSLVPN
 0 network host address 192.168.9.161
#
object-group ip address 公盘
 0 network host address 192.168.5.26
#
object-group ip address 金蝶
 0 network host address 192.168.4.132
#
object-group ip address 备份盘
 0 network host address 192.168.5.88
 10 network host address 192.168.5.125
#
object-group ip address scm系统
 0 network host address 192.168.9.161
#
object-group service 3360端口
 0 service tcp destination eq 3360
 10 service tcp
#
object-group service 4433
 0 service tcp destination eq 4433
#
object-group service 5000端口
 0 service tcp destination eq 5001
 10 service tcp destination eq 5000
#
object-group service 8001端口
 0 service tcp destination eq 8001
#
object-group service 9001端口
 0 service tcp destination eq 9001
#
object-group service 999端口
 0 service tcp destination eq 999
#
dhcp server ip-pool 61
#
interface NULL0
#
interface GigabitEthernet1/0/0
 port link-mode route
 ip address 10.0.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-mode route
#
interface GigabitEthernet1/0/2
 port link-mode route
 ip address 222.92.222.34 255.255.255.248
 nat outbound
 nat outbound 2000
 nat server protocol tcp global 222.92.222.34 80 inside 192.168.5.88 80
 nat server protocol tcp global 222.92.222.34 389 inside 192.168.5.88 389
 nat server protocol tcp global 222.92.222.34 443 inside 192.168.5.88 443
 nat server protocol tcp global 222.92.222.34 514 inside 192.168.5.88 514
 nat server protocol tcp global 222.92.222.34 636 inside 192.168.5.88 636
 nat server protocol tcp global 222.92.222.34 873 inside 192.168.5.88 873
 nat server protocol tcp global 222.92.222.34 999 inside 192.168.9.161 999
 nat server protocol tcp global 222.92.222.34 1194 inside 192.168.5.88 1194
 nat server protocol tcp global 222.92.222.34 3360 inside 192.168.5.26 3360
 nat server protocol tcp global 222.92.222.34 3361 inside 192.168.5.26 3361
 nat server protocol tcp global 222.92.222.34 4433 inside 192.168.9.161 4433
 nat server protocol tcp global 222.92.222.34 5000 inside 192.168.5.88 5000
 nat server protocol tcp global 222.92.222.34 5001 inside 192.168.5.88 5001
 nat server protocol tcp global 222.92.222.34 6281 inside 192.168.5.88 6281
 nat server protocol tcp global 222.92.222.34 6690 inside 192.168.5.88 6690
 nat server protocol tcp global 222.92.222.34 8001 inside 192.168.4.132 8001
 nat server protocol tcp global 222.92.222.34 10022 inside 192.168.5.88 10022 reversible
 nat server protocol udp global 222.92.222.34 514 inside 192.168.5.88 514
 nat server protocol udp global 222.92.222.34 3360 inside 192.168.5.88 3360
 nat server protocol udp global 222.92.222.34 3361 inside 192.168.5.88 3361
 nat server protocol tcp global current-interface 9001 inside 192.168.4.132 9001
 nat static enable
#
interface GigabitEthernet1/0/3
 port link-mode route
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/4
 port link-mode route
#
interface GigabitEthernet1/0/5
 port link-mode route
 ip address 3.3.3.1 255.255.255.0
#
interface GigabitEthernet1/0/6
 port link-mode route
#
interface GigabitEthernet1/0/7
 port link-mode route
#
interface GigabitEthernet1/0/8
 port link-mode route
#
interface GigabitEthernet1/0/9
 port link-mode route
#
interface GigabitEthernet1/0/10
 port link-mode route
#
interface GigabitEthernet1/0/11
 port link-mode route
#
interface GigabitEthernet1/0/12
 port link-mode route
#
interface GigabitEthernet1/0/13
 port link-mode route
#
interface GigabitEthernet1/0/14
 port link-mode route
#
interface GigabitEthernet1/0/15
 port link-mode route
#
interface GigabitEthernet1/0/16
 port link-mode route
 ip binding vpn-instance nei
#
interface GigabitEthernet1/0/17
 port link-mode route
 ip address 192.168.150.2 255.255.255.0
 nat hairpin enable
#
interface GigabitEthernet1/0/18
 port link-mode route
#
interface GigabitEthernet1/0/19
 port link-mode route
#
interface GigabitEthernet1/0/20
 port link-mode route
#
interface GigabitEthernet1/0/21
 port link-mode route
#
interface GigabitEthernet1/0/22
 port link-mode route
#
interface GigabitEthernet1/0/23
 port link-mode route
#
interface SSLVPN-AC1
 ip address 10.10.10.1 255.255.255.0
#
object-policy ip Local-Local
 rule 0 pass
#
object-policy ip SSLVPN-Trust
 rule 0 pass
#
object-policy ip Trust-Trust
 rule 0 pass
#
object-policy ip Trust-Untrust
 rule 0 pass
#
object-policy ip Untrust-Trust
 rule 5 pass destination-ip 公盘 service 3360端口
 rule 6 pass destination-ip 备份盘 service 5000端口
 rule 7 pass destination-ip 金蝶 service 8001端口
 rule 8 pass destination-ip scm系统 service 999端口
 rule 9 pass destination-ip MES系统服务器 service 9001端口
 rule 10 pass service 4433
 rule 11 pass source-ip SSLVPN destination-ip SSLVPN service 4433
#
object-policy ip Untrust-Untrust
 rule 0 pass
#
object-policy ip local-untrust
 rule 0 pass
#
security-zone name Local
#
security-zone name Trust
 import interface GigabitEthernet1/0/3
 import interface GigabitEthernet1/0/4
 import interface GigabitEthernet1/0/5
 import interface GigabitEthernet1/0/6
 import interface GigabitEthernet1/0/7
 import interface GigabitEthernet1/0/8
 import interface GigabitEthernet1/0/9
 import interface GigabitEthernet1/0/10
 import interface GigabitEthernet1/0/11
 import interface GigabitEthernet1/0/12
 import interface GigabitEthernet1/0/13
 import interface GigabitEthernet1/0/14
 import interface GigabitEthernet1/0/15
 import interface GigabitEthernet1/0/16
 import interface GigabitEthernet1/0/17
 import interface GigabitEthernet1/0/18
 import interface GigabitEthernet1/0/19
 import interface GigabitEthernet1/0/20
 import interface GigabitEthernet1/0/21
 import interface GigabitEthernet1/0/22
 import interface GigabitEthernet1/0/23
 import interface NULL0
#
security-zone name DMZ
#
security-zone name Untrust
 import interface GigabitEthernet1/0/1
 import interface GigabitEthernet1/0/2
#
security-zone name Management
 import interface GigabitEthernet1/0/0
#
security-zone name 111
#
security-zone name SSLVPN
 import interface SSLVPN-AC1
#
zone-pair security source Local destination Local
 object-policy apply ip Local-Local
#
zone-pair security source Local destination Trust
 packet-filter 2000
#
zone-pair security source Local destination Untrust
 object-policy apply ip local-untrust
 packet-filter 2000
#
zone-pair security source SSLVPN destination Trust
 object-policy apply ip SSLVPN-Trust
#
zone-pair security source Trust destination Local
 packet-filter 2000
#
zone-pair security source Trust destination Trust
 object-policy apply ip Trust-Trust
#
zone-pair security source Trust destination Untrust
 object-policy apply ip Trust-Untrust
 packet-filter 2000
#
zone-pair security source Untrust destination Trust
 object-policy apply ip Untrust-Trust
#
zone-pair security source Untrust destination Untrust
 object-policy apply ip Untrust-Untrust
#
 scheduler logfile size 16
#
line class aux
 user-role network-operator
#
line class console
 user-role network-admin
#
line class vty
 user-role network-operator
#
line aux 0
 user-role network-admin
#
line con 0
 user-role network-admin
#
line vty 0
 authentication-mode scheme
 user-role network-admin
 set authentication password hash $h$6$OyWPIa5eNBbnmkwV$QOnzRGb6mqvVUxk3E6M8NMuMIj0AzjFEIWK7CwX225egey4UJ39fhKrS4pqOiO/ti5pCB58YvvESChUUBlVwdw==
#
line vty 1 63
 authentication-mode scheme
 user-role network-admin
#
 ip route-static 0.0.0.0 0 222.92.222.33
 ip route-static 192.168.0.0 16 192.168.150.1
#
 ssh server enable
 ssh server acl 2222
#
acl basic 2000
 rule 0 permit
#
acl basic 2222
 rule 0 permit source 192.168.0.0 0.0.255.255
#
acl advanced 3000
 rule 0 permit ip
#
acl advanced 3999
 rule 0 permit ip destination 192.168.9.0 0.0.0.255
 rule 5 permit ip destination 192.168.10.0 0.0.0.255
#
domain system
#
 aaa session-limit ftp 16
 aaa session-limit telnet 16
 aaa session-limit ssh 16
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user admin class manage
 password hash $h$6$k/esgDteXQteQmDW$WnWQR04YU1pECr0K9RIu02WlEckA6Qx9PxD0V2z5pFKpBBUg0WOG+Ajbp4z4htMz8/bTp0ObWlbW4qHdMG7Wpg==
 service-type ssh telnet http https
 authorization-attribute user-role level-3
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
local-user liucheng class manage
 password hash $h$6$JKVw37NDJ3NzrGB4$EYBn3oyGi5kuq18YteVgYgrMdPOkFcahdUcjnA2ZB2dmc/nWQ/XihT4FoxgE2ZGiavLmjyXdc3F1WajEIVbTfw==
 access-limit 5
 service-type ftp
 service-type ssh telnet terminal http https
 authorization-attribute work-directory slot1#flash:
 authorization-attribute user-role context-admin
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
local-user tianyou01 class network
 password cipher $c$3$CgR1Rvsd/ixbdEH+1ipkjUcT4Qc5pMfvrn60ug==
 service-type sslvpn
 authorization-attribute user-role network-operator
 authorization-attribute sslvpn-policy-group SSLVPNZIYUAN
#
local-user user01 class network
 password cipher $c$3$kevYs1tbKhnt9jYC0SvAzMMIvJ2riDv7Og==
 service-type sslvpn
 authorization-attribute user-role network-operator
 authorization-attribute sslvpn-policy-group SSLVPNZIYUAN
#
 ftp server enable
#
 ip http enable
 ip https enable
#
 sslvpn ip address-pool SSLPOOL 10.10.10.2 10.10.10.254
#
sslvpn gateway SSLVPNGW
 ip address 222.92.222.34 port 4433
 service enable
#
sslvpn context SSLVPN
 gateway SSLVPNGW
 ip-tunnel interface SSLVPN-AC1
 ip-tunnel address-pool SSLPOOL mask 255.255.255.0
 ip-tunnel dns-server primary 114.114.114.114
 ip-route-list NEIWANG
  include 192.168.10.0 255.255.255.0
 policy-group SSLVPNZIYUAN
  filter ip-tunnel 3999
  ip-tunnel access-route ip-route-list NEIWANG
 service enable
#
ips policy default
#
anti-virus policy default
#
return

Network topology and description:


Best answer

Fans: 131  Following: 6

Hello, please note:

You can refer to the following SSL VPN IP access configuration example:

https://zhiliao.h3c.com/theme/details/102210

When the internal network loses internet access after the SSL VPN dial-up completes, these are the points to check; please refer to them:

1. The address pool segment used by the SSL VPN and the IP segment used by the SSL VPN virtual interface must not conflict with the internal network segments.

2. Check whether the SSL VPN policies conflict with the NAT translation policies.

3. Check further whether any change to the security policies has caused the traffic to be blocked.

 


1 answer
Fans: 179  Following: 0

Hello, it is an address conflict; the SSL VPN segment should not use an address range inside 192.168.0.0/16.

You can use 172.16.9.0/24 or 10.10.9.0/24 instead.

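As an added example (not from the post, the answers or H3C), a small Python checker for the two conflict classes the answers point at: an SSL VPN address pool or virtual-interface subnet overlapping an internal prefix, and a static NAT global address that is also the outside interface's or the SSL VPN gateway's address. It runs over a constructed excerpt of the posted configuration; the parsing rules and the `findings` function are this example's own assumptions, not a Comware feature, and the default route is deliberately left out of the excerpt.

```python
import ipaddress

# Constructed excerpt of the configuration posted in the question (only the lines the checks use).
CONFIG = """\
nat static outbound 192.168.9.161 222.92.222.34
interface GigabitEthernet1/0/2
 ip address 222.92.222.34 255.255.255.248
interface SSLVPN-AC1
 ip address 10.10.10.1 255.255.255.0
ip route-static 192.168.0.0 16 192.168.150.1
sslvpn ip address-pool SSLPOOL 10.10.10.2 10.10.10.254
sslvpn gateway SSLVPNGW
 ip address 222.92.222.34 port 4433
"""

def parse(cfg):
    ifaces, pools, statics, gateways, ctx = [], [], [], [], None
    for w in (line.split() for line in cfg.splitlines() if line.strip()):
        if w[0] == "interface":
            ctx = ("if", w[1])
        elif w[:2] == ["sslvpn", "gateway"]:
            ctx = ("gw", w[2])
        elif w[:2] == ["ip", "address"] and ctx and ctx[0] == "gw":
            gateways.append((ctx[1], w[2]))          # address the SSL VPN gateway listens on
        elif w[:2] == ["ip", "address"] and ctx:
            ifaces.append((ctx[1], ipaddress.ip_interface(f"{w[2]}/{w[3]}")))
        elif w[:2] == ["ip", "route-static"] and w[3] != "0":  # routed internal prefix, not default route
            ifaces.append(("route", ipaddress.ip_interface(f"{w[2]}/{w[3]}")))
        elif w[:3] == ["sslvpn", "ip", "address-pool"]:
            pools.append((w[3], ipaddress.ip_address(w[4]), ipaddress.ip_address(w[5])))
        elif w[:3] == ["nat", "static", "outbound"]:
            statics.append((w[3], w[4]))             # (inside local address, global address)
    return ifaces, pools, statics, gateways

def findings(cfg, ac="SSLVPN-AC1"):
    # Returns the conflicts the accepted answer says to look for, as readable strings.
    ifaces, pools, statics, gateways = parse(cfg)
    inside, out = [(n, i.network) for n, i in ifaces if n != ac], []
    # Check 1: neither the address pool nor the AC interface subnet may overlap an internal prefix.
    ranges = pools + [(n, i.network[0], i.network[-1]) for n, i in ifaces if n == ac]
    for name, lo, hi in ranges:
        out += [f"{name} {lo}-{hi} overlaps {n} {net}" for n, net in inside if lo in net or hi in net]
    # Check 2: a static NAT global address that is also an interface or SSL VPN gateway address.
    owned = [(str(i.ip), n) for n, i in ifaces if n != "route"]
    owned += [(g, f"sslvpn gateway {n}") for n, g in gateways]
    for local, glob in statics:
        who = [n for a, n in owned if a == glob]
        if who:
            out.append(f"nat static {local}->{glob} reuses address of {', '.join(who)}")
    return out
```

On the posted excerpt the pool check is clean and only the static NAT line is reported; moving the pool into 192.168.9.0/24 (the kind of range the second answer warns against) adds an overlap finding against the routed 192.168.0.0/16 prefix.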
