The firewall's SSL VPN dials in normally, but the client cannot reach intranet resources. The PC shows the pushed route table, yet it can only ping the gateway 192.168.123.254 and cannot ping any address in the 5.24.1.0 segment. From the firewall side I can only ping 192.168.123.254, not 192.168.123.1. How exactly do I get access to the intranet resources? The PC's own firewall is already turned off.
interface Route-Aggregation1.403
description FOR-SSLVPN
ip address 116.148.180.126 255.255.255.252
vlan-type dot1q vid 403
#
interface M-GigabitEthernet0/0/0
ip binding vpn-instance CDN_MGMN
ip address 5.24.1.4 255.255.255.128
#
#
security-zone name Trust
import interface Route-Aggregation1.402
#
security-zone name DMZ
#
security-zone name Untrust
import interface Route-Aggregation1.401
import interface Route-Aggregation1.403
import interface SSLVPN-AC1
#
security-zone name Management
import interface M-GigabitEthernet0/0/0
import interface M-GigabitEthernet0/0/1
#
#
line vty 0 63
authentication-mode scheme
user-role network-admin
user-role network-operator
idle-timeout 60 0
#
line vty 64 1023
user-role network-operator
#
ip route-static 0.0.0.0 0 Route-Aggregation1.401 172.16.1.1
ip route-static 116.148.180.0 24 Route-Aggregation1.402 172.16.2.1
ip route-static vpn-instance CDN_MGMN 0.0.0.0 0 5.24.1.1
ipv6 route-static :: 0 Route-Aggregation1.401 FEC0::64
ipv6 route-static 2408:8640:24FF:13:: 64 Route-Aggregation1.402 FEC0::66
#
#
sslvpn ip address-pool SSLVPN-POOL 192.168.123.1 192.168.123.10
#
sslvpn gateway ssl_gatway
ip address 116.148.180.126 port 6443
service enable
#
sslvpn context sslvpn
gateway ssl_gatway domain domainip
ip-tunnel interface SSLVPN-AC1
ip-tunnel address-pool SSLVPN-POOL mask 255.255.255.0
ip-tunnel dns-server primary 114.114.114.114
ip-tunnel dns-server secondary 8.8.8.8
web-access ip-client auto-activate
ip-route-list rlist
include 5.24.1.0 255.255.255.128
include 116.148.180.0 255.255.255.128
policy-group nbcdn-any
ip-tunnel access-route ip-route-list rlist
ip-tunnel address-pool SSLVPN-POOL mask 255.255.255.0
verify-code enable
log user-login enable
log resource-access enable
force-logout max-onlines enable
service enable
#
security-policy ip
rule 0 name ANY-Local
action pass
destination-zone Local
rule 1 name Local-ANY
action pass
source-zone Local
Best answer
Routing issue: the line ip route-static vpn-instance CDN_MGMN 0.0.0.0 0 5.24.1.1 should point at the 5.24.1.1 gateway, but there is no explicit route for the 5.24.1.0 segment.

VPN tunnel configuration: in the sslvpn context sslvpn section there is an ip-tunnel address-pool SSLVPN-POOL mask 255.255.255.0 line, which specifies the VPN client IP pool, but I do not see a specific route configured for the SSL VPN tunnel. This may mean VPN clients obtain an IP address while their traffic is not routed correctly through the VPN tunnel to the target segment.

Security policy issue: the security-policy rules do not explicitly permit SSL VPN traffic. For example, rule 1 name Local-ANY only allows traffic whose source is the "Local" zone; there is no policy for SSL VPN client traffic. Please confirm the firewall has a rule for SSL VPN traffic.

Network access route in the SSL VPN configuration: in the sslvpn context sslvpn section you defined include 5.24.1.0 255.255.255.128, which means VPN clients should go through this rule when accessing the 5.24.1.0 segment, but if the route or the access control is not in effect, access may fail.
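The rule the best answer says is missing, written out here as an added example in H3C Comware security-policy syntax; it is not from the original post or from H3C documentation, and the rule number, rule name and the decision to scope it to the client pool and the 5.24.1.0/25 segment are assumptions. In the posted configuration SSLVPN-AC1 is imported into the Untrust zone and M-GigabitEthernet0/0/0 (5.24.1.4/25) into the Management zone, so client traffic from the 192.168.123.0/24 pool toward 5.24.1.0/25 is an Untrust-to-Management flow, which the existing ANY-Local and Local-ANY rules never match:

```text
# Added example, not from the original post: scoped permit for SSL VPN clients
# reaching the management segment. Assumed values: rule number 10, rule name,
# and the subnet filters (taken from SSLVPN-POOL and the rlist include line).
security-policy ip
 rule 10 name SSLVPN-to-MGMT
  action pass
  source-zone Untrust
  destination-zone Management
  source-ip-subnet 192.168.123.0 255.255.255.0
  destination-ip-subnet 5.24.1.0 255.255.255.128
  description Permit SSL VPN pool to CDN management segment only
```

The rule is deliberately limited to the pool subnet and the single destination segment rather than permit-any, so that the hit counters on this rule (and the log resource-access enable line already in the context) show exactly which VPN traffic is being passed. One check worth making alongside it: M-GigabitEthernet0/0/0 is bound to vpn-instance CDN_MGMN while SSLVPN-AC1 is not, so a zone policy alone does not carry pool traffic across that instance boundary; confirm the routing between the public instance and CDN_MGMN in both directions before concluding the policy is at fault.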
Try opening the security policy up completely and see.
Going straight to permit any again?
A chassis firewall needs traffic steering. The simplest approach is to configure NAT on the firewall's intranet-facing interface so that the SSL client addresses are translated to intranet addresses.