F1000-AK9210 SSLvpn
- 0关注
- 0收藏,102浏览
问题描述:
SSLvpn 参照https://www.h3c.com/cn/d_202207/1653042_30005_0.htm,配置后客户端可以ping 通内网接口ip,其他内网资源访问不了。怀疑视频资源有少描述的地方导致配置不全。请帮忙看一下。
组网及组网描述:
#
version 7.1.064, Ess 9560P1602
#
sysname H3C
#
clock protocol none
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
nat log enable
nat log flow-active 120
nat log flow-begin
nat log flow-end
nat dns-map domain 183.203.213.54 protocol tcp ip 183.203.213.54 port 2280
nat log alarm
#
password-recovery enable
#
vlan 1
#
vlan 200
#
object-group ip address 公司OA服务器
security-zone DMZ
0 network host address 192.168.100.1
10 network host address 192.168.0.241
20 network host address 192.168.100.2
30 network subnet 192.168.100.0 255.255.255.0
#
object-group ip address 公司地址段
security-zone Trust
10 network group-object 公司OA服务器
20 network subnet 192.168.0.0 255.255.255.0
#
object-group ip address 内网资源
security-zone Trust
0 network subnet 192.168.0.0 255.255.255.0
#
object-group ip address 外网地址
security-zone Untrust
0 network host address 183.203.213.54
#
object-group service OA服务端口
0 service tcp destination eq 18080
10 service tcp destination eq 8999
20 service tcp destination range 30001 30002
30 service tcp destination eq 5222
40 service tcp destination eq 7070
50 service tcp destination eq 9090
60 service tcp destination eq 9081
70 service tcp destination eq 1443
80 service tcp destination eq 2280
90 service tcp source eq 3306 destination eq 3306
100 service tcp source eq 4806 destination eq 4806
110 service tcp source eq 48060 destination eq 48060
120 service tcp source eq 6381 destination eq 6381
130 service tcp source eq 8095 destination eq 8095
140 service tcp source eq 9443 destination eq 9443
#
object-group service 高危端口
0 service tcp source eq 135 destination eq 135
10 service udp source eq 135 destination eq 135
20 service tcp source range 137 139 destination range 137 139
30 service udp source range 137 139 destination range 137 139
40 service tcp source eq 445 destination eq 445
50 service udp source eq 445 destination eq 445
60 service tcp source eq 1434 destination eq 1434
70 service udp source eq 1434 destination eq 1434
#
controller Cellular1/0/0
#
controller Cellular1/0/1
#
interface NULL0
#
interface Vlan-interface200
ip address 192.168.100.254 255.255.255.0
nat hairpin enable
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 192.168.0.240 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip address 183.203.213.54 255.255.255.248
ip last-hop hold
nat outbound
nat server protocol tcp global 183.203.213.54 1443 inside 192.168.100.2 1443 rule ServerRule_9 counting
nat server protocol tcp global 183.203.213.54 2280 inside 192.168.100.23 2280 rule ServerRule_2 counting
nat server protocol tcp global 183.203.213.54 5222 inside 192.168.100.21 5222 rule ServerRule_5 counting
nat server protocol tcp global 183.203.213.54 7070 inside 192.168.100.21 7070 rule ServerRule_3 counting
nat server protocol tcp global 183.203.213.54 8099 inside 192.168.100.20 8099 rule ServerRule_8 counting
nat server protocol tcp global 183.203.213.54 8999 inside 192.168.100.21 8999 rule ServerRule_6 counting
nat server protocol tcp global 183.203.213.54 9081 inside 192.168.100.19 9081 rule ServerRule_20 counting
nat server protocol tcp global 183.203.213.54 9090 inside 192.168.100.21 9090 rule ServerRule_4 disable counting
nat server protocol tcp global 183.203.213.54 15432 inside 192.168.100.25 15432 rule ServerRule_22 counting
nat server protocol tcp global 183.203.213.54 18080 inside 192.168.100.19 18080 rule ServerRule_12 counting
nat server protocol tcp global 183.203.213.54 18082 inside 192.168.100.24 22 rule ServerRule_16 disable counting
nat server protocol tcp global 183.203.213.54 18083 inside 192.168.100.24 18083 rule ServerRule_19 counting
nat server protocol tcp global 183.203.213.54 18084 inside 192.168.100.24 1883 rule ServerRule_18 counting
nat server protocol tcp global 183.203.213.54 18085 inside 192.168.100.25 22 rule ServerRule_21 counting
nat server protocol tcp global 183.203.213.54 30001 inside 192.168.100.19 30001 rule ServerRule_14 counting
nat server protocol tcp global 183.203.213.54 30002 inside 192.168.100.19 30002 rule ServerRule_15 counting
nat server protocol tcp global current-interface 1543 inside 192.168.100.2 1443 rule ServerRule_13 disable
gateway 183.203.213.49
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 192.168.1.1 255.255.255.0
manage ping inbound
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
interface GigabitEthernet1/0/10
port link-mode route
#
interface GigabitEthernet1/0/11
port link-mode route
#
interface GigabitEthernet1/0/3
port link-mode bridge
port access vlan 200
packet-filter 3000 inbound
#
interface GigabitEthernet1/0/4
port link-mode bridge
port access vlan 200
packet-filter 3000 inbound
#
interface GigabitEthernet1/0/5
port link-mode bridge
port access vlan 200
#
interface SSLVPN-AC1
ip address 10.10.10.1 255.255.255.0
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/2
import interface Vlan-interface200
import interface GigabitEthernet1/0/3 vlan 200
import interface GigabitEthernet1/0/4 vlan 200
#
security-zone name DMZ
import interface GigabitEthernet1/0/5 vlan 200
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
import interface SSLVPN-AC1
#
security-zone name Management
import interface GigabitEthernet1/0/0
#
security-zone name LAN
import interface GigabitEthernet1/0/6
import interface GigabitEthernet1/0/7
import interface GigabitEthernet1/0/8
import interface GigabitEthernet1/0/9
import interface GigabitEthernet1/0/10
import interface GigabitEthernet1/0/11
#
security-zone name WAN
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
authentication-mode scheme
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 183.203.213.49
ip route-static 10.20.20.0 24 192.168.0.240
ip route-static 192.168.0.0 24 10.20.20.1
#
info-center loghost 127.0.0.1 port 3301 format default
info-center source CFGLOG loghost level informational
#
customlog format nat cmcc
#
performance-management
#
ssh server enable
ssh server acl 2010
#
arp ip-conflict log prompt
#
acl number 2000
rule 0 permit source 192.168.1.0 0.0.0.255
rule 5 permit source 192.168.100.1 0
rule 10 permit source 192.168.100.2 0
rule 15 permit source 192.168.100.0 0.0.0.255
#
acl basic 2010
rule 0 permit source 192.168.0.23 0
rule 1 permit source 192.168.0.24 0
rule 5 permit source 192.168.0.59 0
rule 10 permit source 192.168.0.66 0
rule 11 permit source 192.168.0.158 0
#
acl number 3000
rule 0 deny tcp destination-port eq 135
rule 5 deny tcp source-port eq 135
rule 10 deny udp destination-port eq 135
rule 15 deny udp source-port eq 135
rule 20 deny tcp destination-port eq 139
rule 25 deny tcp destination-port eq 445
rule 30 deny tcp source-port eq 139
rule 35 deny tcp source-port eq 445
rule 40 deny udp destination-port eq netbios-ssn
rule 45 deny udp destination-port eq 445
rule 50 deny udp source-port eq netbios-ssn
rule 55 deny udp source-port eq 445
#
acl advanced 3003
rule 0 permit ip
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$c7SD0jCsHnM3jb51$LS5JJxPRy1dcDPdRfrAC7Ca7smkRXKkSw/GpATsXezGjtAUWmwxuJzS1mT1juvAm4m/LEflhK1pgx0E7yyUQTg==
service-type ssh terminal https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user lijiankai class network
password cipher $c$3$L23oU5TjonGVdN3TrJtxp4aMabCORM4knSkZGA==
access-limit 10
service-type sslvpn
authorization-attribute user-role network-operator
authorization-attribute sslvpn-policy-group ResourceGroup
#
ssl renegotiation disable
ssl version ssl3.0 disable
ssl version tls1.0 disable
#
ipsec logging negotiation enable
#
ike logging negotiation enable
#
ip https port 31944
ip https acl 2010
ip https enable
#
blacklist global enable
#
app-profile 3_IPv4
ips apply policy ips mode protect
data-filter apply policy default
url-filter apply policy default
file-filter apply policy default
anti-virus apply policy av mode protect
apt apply policy default
#
inspect block-source parameter-profile ips_block_default_parameter
#
inspect block-source parameter-profile url_block_default_parameter
#
inspect capture parameter-profile ips_capture_default_parameter
#
inspect logging parameter-profile av_logging_default_parameter
#
inspect logging parameter-profile ips_logging_default_parameter
#
inspect logging parameter-profile url_logging_default_parameter
#
inspect redirect parameter-profile av_redirect_default_parameter
#
inspect redirect parameter-profile ips_redirect_default_parameter
#
inspect redirect parameter-profile url_redirect_default_parameter
#
inspect email parameter-profile mailsetting_default_parameter
undo authentication enable
#
loadbalance isp file flash:/lbispinfo_v1.5.tp
#
sslvpn ip address-pool ippool 10.10.10.10 10.10.10.254
#
sslvpn gateway SSLVPNGateway
ip address 183.203.213.54 port 2000
service enable
#
sslvpn context SSLVPNContext
gateway SSLVPNGateway
ip-tunnel interface SSLVPN-AC1
ip-tunnel address-pool ippool mask 255.255.255.0
ip-route-list rtlist
include 192.168.0.0 255.255.255.0
policy-group ResourceGroup
filter ip-tunnel acl 3003
ip-tunnel access-route ip-route-list rtlist
ip-tunnel address-pool ippool mask 255.255.255.0
force-logout max-onlines enable
service enable
#
security-policy ip
rule 3 name 外网访问公司OA服务器
action pass
logging enable
profile 3_IPv4
source-zone Untrust
destination-zone Trust
rule 5 name 内访外
action pass
logging enable
source-zone Trust
destination-zone Untrust
rule 6 name VPN安全策略
action pass
source-zone Management
destination-zone Trust
destination-zone Untrust
destination-zone Local
rule 7 name VPN安全策略2
action pass
source-zone Untrust
destination-zone Local
destination-zone Management
destination-zone Trust
rule 8 name VPN安全策略3
action pass
source-zone Trust
destination-zone Local
destination-zone Untrust
destination-zone Management
rule 9 name VPN安全策略4
action pass
source-zone Local
destination-zone Untrust
destination-zone Trust
destination-zone Management
rule 1 name 全拒绝
action pass
#
ips policy ips
status enabled disabled
#
ips logging parameter-profile ips_logging_default_parameter
#
anti-virus policy av
#
anti-virus logging parameter-profile av_logging_default_parameter
#
cloud-management server domain opstunnel-seccloud.h3c.com
#
return
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
暂无评论