An F1000 has SSL VPN configured; iNode can log in, connect, and obtain an address from the assigned pool, but cannot reach intranet addresses. What is the usual cause?
The relevant configuration is as follows:
version 7.1.064, Release 8560P1628
#
object-group service SSLVPN
0 service tcp destination eq 4433
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 58.222.225.90 255.255.255.252
ip last-hop hold
nat outbound counting
nat server protocol tcp global current-interface 30080 inside 192.168.220.14 30080 rule ServerRule_4 counting
manage ping inbound
ipsec apply policy IPSEC_TO_SHANGHAI
gateway 58.222.225.89
#
interface GigabitEthernet1/0/3
port link-mode route
ip address 192.168.10.1 255.255.255.0
nat hairpin enable
manage http inbound
manage http outbound
manage ping inbound
manage ping outbound
manage ssh inbound
manage ssh outbound
manage telnet inbound
manage telnet outbound
#
interface GigabitEthernet1/0/5
port link-mode route
ip address 192.168.205.1 255.255.255.0
manage http inbound
manage http outbound
manage ping inbound
manage ping outbound
manage ssh inbound
manage ssh outbound
#
interface GigabitEthernet1/0/6
port link-mode route
ip address 58.222.74.2 255.255.255.252
nat outbound counting
nat server protocol tcp global current-interface 5558 inside 192.168.121.251 5558 rule ServerRule_5 counting
nat server protocol tcp global current-interface 5580 inside 192.168.121.251 5580 rule ServerRule_6 counting
manage ping inbound
#
interface GigabitEthernet1/0/7
port link-mode route
ip address 192.168.100.1 255.255.255.0
nat hairpin enable
manage ping inbound
#
interface SSLVPN-AC1
ip address 10.10.10.1 255.255.255.0
manage ping inbound
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/1
import interface GigabitEthernet1/0/3
import interface GigabitEthernet1/0/5
import interface GigabitEthernet1/0/7
import interface GigabitEthernet1/0/8
import interface Vlan-interface10
import interface GigabitEthernet1/0/4 vlan 10
import interface GigabitEthernet1/0/9 vlan 10
import interface GigabitEthernet1/0/10 vlan 10
import interface GigabitEthernet1/0/11 vlan 10
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/2
import interface GigabitEthernet1/0/6
#
security-zone name Management
import interface GigabitEthernet1/0/0
#
security-zone name SSLVPN
import interface SSLVPN-AC1
#
scheduler logfile size 16
#
ip route-static 0.0.0.0 0 GigabitEthernet1/0/2 58.222.225.89
ip route-static 0.0.0.0 0 58.222.74.1
ip route-static 172.16.0.0 24 58.222.225.89
ip route-static 192.168.0.0 16 192.168.100.254
ip route-static 192.168.1.0 24 GigabitEthernet1/0/3 192.168.10.100
ip route-static 192.168.100.0 24 GigabitEthernet1/0/3 192.168.10.100
ip route-static 192.168.120.0 23 GigabitEthernet1/0/3 192.168.10.100
ip route-static 192.168.120.0 23 192.168.100.254
ip route-static 192.168.120.0 24 GigabitEthernet1/0/3 192.168.10.100
ip route-static 192.168.121.0 24 GigabitEthernet1/0/3 192.168.10.100
ip route-static 192.168.200.0 23 192.168.100.254
ip route-static 192.168.200.0 24 GigabitEthernet1/0/3 192.168.10.100
ip route-static 192.168.201.0 24 192.168.100.254
ip route-static 192.168.220.0 24 GigabitEthernet1/0/3 192.168.10.100
ip route-static 192.168.220.0 24 192.168.100.254
#
acl advanced 3999
rule 0 permit ip
#
acl advanced name IPsec_IPSEC_TO_SHANGHAI_IPv4_10
rule 0 permit ip source 192.168.200.0 0.0.0.255 destination 192.168.112.0 0.0.0.255
rule 1 permit ip source 192.168.121.0 0.0.0.255 destination 192.168.112.0 0.0.0.255
#
local-user sslvpn class network
password cipher $c$3$BrNcIyDXiD7I+ih6ZKFZPqIQWcQRANWdScfYHNw=
service-type sslvpn
authorization-attribute user-role network-operator
authorization-attribute sslvpn-policy-group SSLVPN资源组
#
ipsec logging negotiation enable
#
ipsec transform-set IPSEC_TO_SHANGHAI_IPv4_10
esp encryption-algorithm aes-cbc-128
esp authentication-algorithm sha1
#
ipsec policy IPSEC_TO_SHANGHAI 10 isakmp
transform-set IPSEC_TO_SHANGHAI_IPv4_10
security acl name IPsec_IPSEC_TO_SHANGHAI_IPv4_10
local-address 58.222.225.90
remote-address HUAWEI
ike-profile IPSEC_TO_SHANGHAI_IPv4_10
sa trigger-mode auto
#
apr signature auto-update
update schedule daily start-time 00:00:00 tingle 120
#
ike logging negotiation enable
#
ike profile IPSEC_TO_SHANGHAI_IPv4_10
keychain IPSEC_TO_SHANGHAI_IPv4_10
exchange-mode aggressive
local-identity fqdn H3C
match remote identity fqdn HUAWEI
match local address GigabitEthernet1/0/2
proposal 10
#
ike proposal 10
encryption-algorithm aes-cbc-128
dh group14
#
ike keychain IPSEC_TO_SHANGHAI_IPv4_10
match local address GigabitEthernet1/0/2
pre-shared-key hostname HUAWEI key cipher $c$3$sQKwdSHMoIhY7ebAYErdi4TQKuDw+pr2RTRFGIkUUA==
#
sslvpn ip address-pool SSLVPN地址池 10.10.10.2 10.10.10.100
#
sslvpn gateway SSLVPNGW
ip address 58.222.225.90 port 4433
service enable
#
sslvpn context SSL
gateway SSLVPNGW
ip-tunnel interface SSLVPN-AC1
ip-tunnel address-pool SSLVPN地址池 mask 255.255.255.0
ip-tunnel dns-server primary 114.114.114.114
ip-tunnel dns-server secondary 218.2.135.1
ip-route-list 访问内网
include 192.168.100.0 255.255.255.0
include 192.168.120.0 255.255.254.0
include 192.168.200.0 255.255.254.0
policy-group SSLVPN资源组
filter ip-tunnel acl 3999
ip-tunnel access-route ip-route-list 访问内网
force-logout max-onlines enable
service enable
#
security-policy ip
rule 11 name any-any
action pass
rule 12 name Untrust-Local
action pass
source-zone Untrust
destination-zone Local
service SSLVPN
rule 13 name SSLVPN-Trust
action pass
source-zone SSLVPN
destination-zone Trust
rule 10 name 58.222.74.2
action pass
logging enable
profile 10_IPv4
source-zone Untrust
destination-zone Local
destination-zone Trust
destination-ip-host 58.222.74.2
service-port tcp destination eq 5558
service-port tcp destination eq 5580
rule 8 name 1
action pass
service-port tcp destination eq 30080
rule 0 name local-cloud
action pass
counting enable
profile 0_IPv4
source-zone Local
destination-zone Trust
destination-zone Untrust
rule 1 name trust-untrust
action pass
counting enable
profile 1_IPv4
source-zone Trust
destination-zone Untrust
rule 2 name untrust-trust-deny
disable
counting enable
source-zone Untrust
destination-zone Trust
service GaoWei
rule 3 name untrust-trust-permit
action pass
counting enable
profile 3_IPv4
source-zone Untrust
destination-zone Trust
rule 7 name trust-trust
action pass
counting enable
profile 7_IPv4
source-zone Trust
destination-zone Trust
rule 4 name untrust-local-deny
counting enable
source-zone Untrust
destination-zone Local
rule 5 name trust-local
action pass
counting enable
profile 5_IPv4
source-zone Trust
destination-zone Local
rule 6 name any-any-deny
counting enable
#
F1000-AI SSL VPN obtains a 10.10.10.X address but cannot access the intranet: troubleshooting & remediation
1. Core causes of the fault (three key points taken from the config)
Security policy permits are fine: SSLVPN→Trust is already allowed (rule 13 source-zone SSLVPN destination-zone Trust pass)
Two routing problems: ① the intranet has no return route for 10.10.10.0/24; ② the firewall lacks a specific route for the SSL VPN segment
Intranet hosts have no return route towards 10.10.10.0 (the most common cause)
Client addresses: 10.10.10.2~100 (SSLVPN-AC1: 10.10.10.1/24, in the SSLVPN security zone)
Intranet segments to reach: 192.168.100.0/24, 192.168.120.0/23, 192.168.200.0/23
2. Step 1: add a static route for the SSL VPN segment on the firewall (required)
The firewall itself does not know the outbound interface towards 10.10.10.0; add a specific route:
```text
system-view
# point at the SSL VPN tunnel interface
ip route-static 10.10.10.0 255.255.255.0 SSLVPN-AC1
```
Save with save force.
3. Step 2: add the return route on the intranet Layer 3 device (90% of sites get stuck here)
Add a static route on the intranet core / Layer 3 switch:
```text
Destination: 10.10.10.0 255.255.255.0
Next hop: 192.168.10.1 (IP of the F1000 G1/0/3 internal port)
```
Principle: after an intranet server receives a packet from a VPN client, the reply has no route towards 10.10.10.0, so it is dropped and there is no connectivity.
4. Step 3: check the SSL VPN configuration (the current configuration is basically correct)
```text
sslvpn context SSL
ip-route-list 访问内网
include 192.168.100.0 255.255.255.0
include 192.168.120.0 255.255.254.0
include 192.168.200.0 255.255.254.0
```
Purpose of ip-route-list: the iNode client automatically installs the access routes; the client-side routes are fine and need no change.
The policy-group is bound to acl 3999, which permits everything, so permissions are fine.
5. Step 4: optional check for NAT interference (source NAT must not be applied to SSL VPN access to the intranet)
The internal port G1/0/3 has nat hairpin enable configured; add a no-NAT rule:
```text
nat address-group no-nat
section 0 10.10.10.0 10.10.10.255
acl advanced 4000
rule permit ip source 10.10.10.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
nat outbound no-nat acl 4000 interface GigabitEthernet 1/0/3
```
Effect: VPN traffic to the intranet is not translated to the firewall's internal-port address, which avoids return-path anomalies.
6. Quick troubleshooting test commands
Test from the firewall itself:
```text
ping 192.168.100.X
```
Firewall can reach the intranet → the fault is the intranet return route;
Firewall cannot ping the intranet → firewall routing / zone policy problem.
On the client, run route print in cmd and confirm the three intranet routes have been pushed automatically.
7. Minimal remediation summary
Add on the F1000: ip route-static 10.10.10.0 255.255.255.0 SSLVPN-AC1
Add the return route on the intranet core: 10.10.10.0/24 next hop 192.168.10.1
After configuring, reconnect iNode and intranet access works normally.
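As an added example (not part of the thread or the vendor's tooling), the Python below resolves which next hop the F1000 actually uses for each intranet segment in the ip-route-list, from a constructed excerpt of the static routes and interface addresses posted above; the device(s) it points at are the ones that must carry the return route to the 10.10.10.0/24 client pool. It assumes Comware's default route preferences (directly connected 0, static 60) and treats equal-cost static routes as load-shared.

```python
import ipaddress

# Constructed excerpt of the routing-relevant lines from the F1000 config posted
# in the question (only interface addresses and static routes are reproduced).
CONFIG = """
interface GigabitEthernet1/0/3
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet1/0/7
 ip address 192.168.100.1 255.255.255.0
ip route-static 0.0.0.0 0 GigabitEthernet1/0/2 58.222.225.89
ip route-static 192.168.0.0 16 192.168.100.254
ip route-static 192.168.100.0 24 GigabitEthernet1/0/3 192.168.10.100
ip route-static 192.168.120.0 23 GigabitEthernet1/0/3 192.168.10.100
ip route-static 192.168.120.0 23 192.168.100.254
ip route-static 192.168.200.0 23 192.168.100.254
ip route-static 192.168.200.0 24 GigabitEthernet1/0/3 192.168.10.100
ip route-static 192.168.201.0 24 192.168.100.254
"""
# Comware default route preferences (assumption): directly connected 0, static 60.
DIRECT_PREF, STATIC_PREF = 0, 60

def parse_routes(text):
    """Return (network, preference, next-hop description) tuples from the config."""
    routes, iface = [], None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "interface":
            iface = parts[1]
        elif parts[:2] == ["ip", "address"] and iface:
            # An interface address yields a connected route for its subnet.
            net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
            routes.append((net, DIRECT_PREF, f"direct via {iface}"))
        elif parts[:2] == ["ip", "route-static"]:
            # The mask may be a prefix length ("24") or dotted ("255.255.255.0").
            net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
            routes.append((net, STATIC_PREF, " ".join(parts[4:])))
    return routes

def lookup(routes, dst):
    """Longest prefix wins, then lowest preference; equal-cost routes are all returned."""
    ip = ipaddress.ip_address(dst)
    cands = [r for r in routes if ip in r[0]]
    longest = max(r[0].prefixlen for r in cands)
    cands = [r for r in cands if r[0].prefixlen == longest]
    best = min(r[1] for r in cands)
    return sorted(r[2] for r in cands if r[1] == best)
```

Call `lookup(parse_routes(CONFIG), "192.168.120.5")` and similar for each target segment: a result naming 192.168.10.100 means the core behind G1/0/3 needs the return route, while a result naming 192.168.100.254 means that gateway needs it as well.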