问
f1000-ak115 sslvpn
2020-07-13提问
- 0关注
- 1收藏,1087浏览
问题描述:
连接上,但是不能访问其他在线ip段地址
配置如下
<H3C>dis cu
#
version 7.1.064, Ess 9514P04
#
sysname H3C
#
context Admin id 1
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
nat address-group 11
#
dhcp enable
dhcp server forbidden-ip 10.1.1.1 10.1.1.9
dhcp server forbidden-ip 10.1.1.21 10.1.1.254
#
password-recovery enable
#
vlan 1
#
vlan 10
#
vlan 20
#
object-group ip address 内网审核
0 network host address 10.1.1.101
#
object-group ip address 爬虫
0 network range 10.1.1.200 10.1.1.210
#
object-group ip address 外网
#
object-group service 审核ssh
#
object-group service 数据库
0 service tcp destination lt 14331
10 service tcp destination lt 3307
20 service tcp destination lt 3308
30 service tcp destination lt 16380
40 service tcp destination lt 1434
#
object-group service 应用
0 service tcp destination lt 60002
10 service tcp destination lt 60003
20 service tcp destination lt 60005
30 service tcp destination lt 60006
40 service tcp destination lt 60007
50 service tcp destination lt 5501
60 service tcp destination lt 28081
70 service tcp destination lt 22026
80 service tcp destination lt 20001
90 service tcp destination lt 5051
100 service tcp destination lt 5001
110 service tcp destination lt 40015
120 service tcp destination lt 60008
130 service tcp destination lt 60009
140 service tcp destination lt 60010
150 service tcp destination lt 51003
160 service udp destination lt 1195
170 service udp destination lt 11941
180 service tcp destination lt 4431
#
object-group service 远程桌面
0 service tcp destination lt 3390
#
dhcp server ip-pool vl10
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
dns-list 222.172.200.68 61.166.150.123
#
dhcp server ip-pool vl110
#
interface NULL0
#
interface Vlan-interface10
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 192.168.0.1 255.255.255.0
undo dhcp select server
#
interface GigabitEthernet1/0/1
port link-mode route
description GuideWan Interface
combo enable copper
ip address 1.1.1.66 255.255.255.252
nat outbound 2000
nat server protocol tcp global current-interface 5000 inside 10.1.1.100 5000
nat server protocol tcp global current-interface 5050 inside 10.1.1.110 5050
nat server protocol tcp global current-interface 5500 inside 10.1.1.201 5500
nat server protocol tcp global current-interface 11011 inside 10.1.1.101 22
nat server protocol tcp global current-interface 11022 inside 10.1.1.170 22
nat server protocol tcp global current-interface 11023 inside 10.1.1.171 22
nat server protocol tcp global current-interface 11433 inside 10.1.1.102 14330
nat server protocol tcp global current-interface 11434 inside 10.1.1.120 1433
nat server protocol tcp global current-interface 11435 inside 10.1.1.160 1433
nat server protocol tcp global current-interface 16379 inside 10.1.1.110 16379
nat server protocol tcp global current-interface 20000 inside 10.1.1.201 20000
nat server protocol tcp global current-interface 21433 inside 10.1.1.210 14330
nat server protocol tcp global current-interface 22022 inside 10.1.1.100 22
nat server protocol tcp global current-interface 22025 inside 10.1.1.204 22
nat server protocol tcp global current-interface 28080 inside 10.1.1.206 28080
nat server protocol tcp global current-interface 32022 inside 10.1.1.110 22
nat server protocol tcp global current-interface 33066 inside 10.1.1.111 3306
nat server protocol tcp global current-interface 33077 inside 10.1.1.111 3307
nat server protocol tcp global current-interface 33890 inside 10.1.1.150 3389
nat server protocol tcp global current-interface 33899 inside 10.1.1.120 3389
nat server protocol tcp global current-interface 40014 inside 10.1.1.110 40014
nat server protocol tcp global current-interface 51001 inside 10.1.1.161 5000
nat server protocol tcp global current-interface 51002 inside 10.1.1.101 5000
nat server protocol tcp global current-interface 60001 inside 10.1.1.110 60001
nat server protocol tcp global current-interface 60002 inside 10.1.1.110 60002
nat server protocol tcp global current-interface 60003 inside 10.1.1.110 60003
nat server protocol tcp global current-interface 60004 inside 10.1.1.110 60004
nat server protocol tcp global current-interface 60005 inside 10.1.1.110 60005
nat server protocol tcp global current-interface 60006 inside 10.1.1.110 60006
nat server protocol tcp global current-interface 60007 inside 10.1.1.110 60007
nat server protocol tcp global current-interface 60008 inside 10.1.1.110 60008
nat server protocol tcp global current-interface 60009 inside 10.1.1.110 60009
nat server protocol udp global current-interface 1194 inside 10.1.1.201 1194
nat server protocol udp global current-interface 11940 inside 10.1.1.50 1194
undo dhcp select server
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 10.1.1.1 255.255.255.0
dhcp server apply ip-pool vl10
#
interface GigabitEthernet1/0/3
port link-mode route
ip address 172.20.20.252 255.255.224.0
undo dhcp select server
#
interface GigabitEthernet1/0/4
port link-mode route
undo dhcp select server
#
interface GigabitEthernet1/0/5
port link-mode route
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
interface SSLVPN-AC1
ip address 10.1.10.1 255.255.255.0
#
object-policy ip pass
rule 0 pass
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/2
import interface SSLVPN-AC1
#
security-zone name DMZ
import interface GigabitEthernet1/0/3
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
#
security-zone name Management
import interface GigabitEthernet1/0/0
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
authentication-mode scheme
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 GigabitEthernet1/0/1 1.1.1.65
#
undo info-center logbuffer
#
ssh server enable
#
acl basic 2000
rule 0 permit
#
acl advanced 3000
rule 0 permit ip source 0.0.0.0 255.255.255.0
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group sslvpn
authorization-attribute acl 2000
authorization-attribute vlan 10
authorization-attribute sslvpn-policy-group zyz
identity-member user test1
#
user-group system
identity-member user test2
#
local-user admin class manage
password hash $h$6$UbIhNnPevyKUwfpm$LqR3+yg1IjNct39MkOR0H0iQXLkYB3jMqM4vbAeoXOhbabIIFnjJPEGR00YiYA1Sz4LiY3FmEdru2fOLMb1shQ==
service-type ssh telnet terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user test1 class network
password cipher $c$3$5dm1dcOjdETTNKWXO1ZWMvsASMwig1Qzpg==
service-type lan-access
service-type sslvpn
authorization-attribute vlan 10
authorization-attribute user-role network-operator
authorization-attribute sslvpn-policy-group zyz
identity-group sslvpn
#
local-user test2 class network
password cipher $c$3$DquS8FsEg8s7HvaJtYTDj6X1TCY15qCf5g==
service-type sslvpn
group sslvpn
authorization-attribute user-role network-operator
identity-group system
#
pki domain sslvpndomain
certificate request entity zs
public-key rsa general name sslvpnrsa
undo crl check enable
#
pki entity zs
common-name 1.1.1.66
#
ssl server-policy sslvpncl
pki-domain sslvpndomain
ciphersuite rsa_des_cbc_sha rsa_rc4_128_md5 rsa_rc4_128_sha rsa_3des_ede_cbc_sha exp_rsa_rc4_md5 exp_rsa_rc2_md5 exp_rsa_des_cbc_sha dhe_rsa_aes_128_cbc_sha dhe_rsa_aes_256_cbc_sha
client-verify optional
#
ip http port 8899
ip http acl 2000
ip http enable
ip https port 4430
ip https enable
webui log enable
#
inspect block-source parameter-profile ips_block_default_parameter
#
inspect block-source parameter-profile url_block_default_parameter
#
traffic-policy
rule name 爬虫
action qos profile 爬虫
source-address address-set 爬虫
profile name 爬虫
bandwidth downstream guaranteed 5000
bandwidth downstream maximum 10000
bandwidth upstream guaranteed 500
bandwidth upstream maximum 1000
remark dscp default
#
sslvpn ip address-pool sslvpnpool 10.1.10.10 10.1.10.254
#
sslvpn gateway sslvpngw
ip address 1.1.1.66 port 4433
service enable
#
sslvpn context sslvpn
gateway sslvpngw
ip-tunnel interface SSLVPN-AC1
ip-tunnel address-pool sslvpnpool mask 255.255.255.0
ip-route-list lyb
include 10.1.1.0 255.255.255.0
include 10.1.10.0 255.255.255.0
policy-group q
policy-group zyz
filter ip-tunnel acl 3000
ip-tunnel access-route force-all
ip-tunnel access-route ip-route-list lyb
default-policy-group zyz
service enable
#
uapp-control
#
security-policy ip
rule 0 name GuideSecPolicy
action pass
counting enable
source-zone Trust
source-zone Local
source-zone DMZ
source-zone Untrust
source-zone Management
destination-zone Untrust
destination-zone Local
destination-zone Trust
destination-zone DMZ
destination-zone Management
rule 1 name dmz
action pass
counting enable
source-zone Trust
source-zone DMZ
source-zone Management
source-zone Local
destination-zone Trust
destination-zone DMZ
destination-zone Management
destination-zone Local
rule 2 name 审核
action pass
counting enable
source-zone Untrust
destination-zone Trust
service ssh
rule 3 name 数据库
action pass
counting enable
source-zone Untrust
destination-zone Trust
service 数据库
rule 4 name spc-cd
action pass
counting enable
source-zone Untrust
source-zone DMZ
destination-zone Trust
service 应用
rule 5 name 临时
action pass
counting enable
source-zone Untrust
destination-zone Trust
destination-zone vpn
service 远程桌面
rule 6 name te
action pass
counting enable
source-zone Untrust
destination-zone Local
#
return
- 2020-07-13提问
- 举报
-
(0)
最佳答案
您好,请知:
以下是SSL VPN的配置要点,请参考:
[SSL_VPN]acl advanced 3000
[SSL_VPN-acl-ipv4-adv-3000]rule 0 permit ip source any
[SSL_VPN-acl-ipv4-adv-3000]quit
[SSL_VPN]sslvpn ip address-pool weijianing 172.16.1.2 172.16.1.254
[SSL_VPN]int SSLVPN-AC 1
[SSL_VPN-SSLVPN-AC1]ip address 172.16.1.1 24
[SSL_VPN-SSLVPN-AC1]quit
[SSL_VPN]sslvpn gateway james
[SSL_VPN-sslvpn-gateway-james]ip address 192.168.200.200
[SSL_VPN-sslvpn-gateway-james]service enable
[SSL_VPN-sslvpn-gateway-james]quit
[SSL_VPN]sslvpn context james
[SSL_VPN-sslvpn-context-james]gateway james
[SSL_VPN-sslvpn-context-james]ip-tunnel address-pool weijianing mask 24
[SSL_VPN-sslvpn-context-james]ip-tunnel interface SSLVPN-AC 1
[SSL_VPN-sslvpn-context-james]ip-route-list james
[SSL_VPN-sslvpn-context-james-route-list-james]include 10.0.0.0 24
[SSL_VPN-sslvpn-context-james-route-list-james]quit
[SSL_VPN-sslvpn-context-james]policy-group ip
[SSL_VPN-sslvpn-context-james-policy-group-ip]filter ip-tunnel acl 3000
[SSL_VPN-sslvpn-context-james-policy-group-ip]ip-tunnel access-route ip-route-list james
[SSL_VPN-sslvpn-context-james-policy-group-ip]quit
[SSL_VPN-sslvpn-context-james]service enable
[SSL_VPN-sslvpn-context-james]quit
需注意下[SSL_VPN-sslvpn-context-james-route-list-james]include 10.0.0.0 24这条命令,相当于从SSL VPN网关配置路由的指向。确认已指向到位,同时内网也有路由指向到SSL VPN分配的IP地址段
以下是F1000-AK的用户手册连接,请参考:
https://www.h3c.com/cn/Service/Document_Software/Document_Center/IP_Security/FW_VPN/F1000-AK/
以下是基于IP的SSL VPN的典型组网配置案例的连接,请参考:
- 2020-07-13回答
- 评论(0)
- 举报
-
(0)
➤
✖
亲~登录后才可以操作哦!
确定
✖
✖
你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
✖
举报
×
侵犯我的权益
>
对根叔社区有害的内容
>
辱骂、歧视、挑衅等(不友善)
侵犯我的权益
×
侵犯了我企业的权益
>
抄袭了我的内容
>
诽谤我
>
辱骂、歧视、挑衅等(不友善)
骚扰我
侵犯了我企业的权益
×
您好,当您发现根叔知了上有关于您企业的造谣与诽谤、商业侵权等内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到 pub.zhiliao@h3c.com 邮箱,我们会在审核后尽快给您答复。
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。
抄袭了我的内容
×
原文链接或出处
诽谤我
×
您好,当您发现根叔知了上有诽谤您的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱,我们会尽快处理。
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。
对根叔社区有害的内容
×
垃圾广告信息
色情、暴力、血腥等违反法律法规的内容
政治敏感
不规范转载
>
辱骂、歧视、挑衅等(不友善)
骚扰我
诱导投票
不规范转载
×
举报说明
暂无评论