• 全部
  • 经验案例
  • 典型配置
  • 技术公告
  • FAQ
  • 漏洞说明
  • 全部
  • 全部
  • 大数据引擎
  • 知了引擎
产品线
搜索
取消
案例类型
发布者
是否解决
是否官方
时间
搜索引擎
匹配模式
高级搜索

f1000-ak115 sslvpn

2020-07-13提问
  • 0关注
  • 1收藏,1837浏览
粉丝:0人 关注:0人

问题描述:

连接上,但是不能访问其他在线ip段地址


配置如下

<H3C>dis cu
#
 version 7.1.064, Ess 9514P04
#
 sysname H3C
#
context Admin id 1
#
 telnet server enable
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 1
#
nat address-group 11
#
 dhcp enable
 dhcp server forbidden-ip 10.1.1.1 10.1.1.9
 dhcp server forbidden-ip 10.1.1.21 10.1.1.254
#
 password-recovery enable
#
vlan 1
#              
vlan 10
#
vlan 20
#
object-group ip address 内网审核
 0 network host address 10.1.1.101
#
object-group ip address 爬虫
 0 network range 10.1.1.200 10.1.1.210
#
object-group ip address 外网
#
object-group service 审核ssh
#
object-group service 数据库
 0 service tcp destination lt 14331
 10 service tcp destination lt 3307
 20 service tcp destination lt 3308
 30 service tcp destination lt 16380
 40 service tcp destination lt 1434
#
object-group service 应用
 0 service tcp destination lt 60002
 10 service tcp destination lt 60003
 20 service tcp destination lt 60005
 30 service tcp destination lt 60006
 40 service tcp destination lt 60007
 50 service tcp destination lt 5501
 60 service tcp destination lt 28081
 70 service tcp destination lt 22026
 80 service tcp destination lt 20001
 90 service tcp destination lt 5051
 100 service tcp destination lt 5001
 110 service tcp destination lt 40015
 120 service tcp destination lt 60008
 130 service tcp destination lt 60009
 140 service tcp destination lt 60010
 150 service tcp destination lt 51003
 160 service udp destination lt 1195
 170 service udp destination lt 11941
 180 service tcp destination lt 4431
#
object-group service 远程桌面
 0 service tcp destination lt 3390
#
dhcp server ip-pool vl10
 gateway-list 10.1.1.1
 network 10.1.1.0 mask 255.255.255.0
 dns-list 222.172.200.68 61.166.150.123
#
dhcp server ip-pool vl110
#
interface NULL0
#
interface Vlan-interface10
#
interface GigabitEthernet1/0/0
 port link-mode route
 combo enable copper
 ip address 192.168.0.1 255.255.255.0
 undo dhcp select server
#
interface GigabitEthernet1/0/1
 port link-mode route
 description GuideWan Interface
 combo enable copper
 ip address 1.1.1.66 255.255.255.252
 nat outbound 2000
 nat server protocol tcp global current-interface 5000 inside 10.1.1.100 5000
 nat server protocol tcp global current-interface 5050 inside 10.1.1.110 5050
 nat server protocol tcp global current-interface 5500 inside 10.1.1.201 5500
 nat server protocol tcp global current-interface 11011 inside 10.1.1.101 22
 nat server protocol tcp global current-interface 11022 inside 10.1.1.170 22
 nat server protocol tcp global current-interface 11023 inside 10.1.1.171 22
 nat server protocol tcp global current-interface 11433 inside 10.1.1.102 14330
 nat server protocol tcp global current-interface 11434 inside 10.1.1.120 1433
 nat server protocol tcp global current-interface 11435 inside 10.1.1.160 1433
 nat server protocol tcp global current-interface 16379 inside 10.1.1.110 16379
 nat server protocol tcp global current-interface 20000 inside 10.1.1.201 20000
 nat server protocol tcp global current-interface 21433 inside 10.1.1.210 14330
 nat server protocol tcp global current-interface 22022 inside 10.1.1.100 22
 nat server protocol tcp global current-interface 22025 inside 10.1.1.204 22
 nat server protocol tcp global current-interface 28080 inside 10.1.1.206 28080
 nat server protocol tcp global current-interface 32022 inside 10.1.1.110 22
 nat server protocol tcp global current-interface 33066 inside 10.1.1.111 3306
 nat server protocol tcp global current-interface 33077 inside 10.1.1.111 3307
 nat server protocol tcp global current-interface 33890 inside 10.1.1.150 3389
 nat server protocol tcp global current-interface 33899 inside 10.1.1.120 3389
 nat server protocol tcp global current-interface 40014 inside 10.1.1.110 40014
 nat server protocol tcp global current-interface 51001 inside 10.1.1.161 5000
 nat server protocol tcp global current-interface 51002 inside 10.1.1.101 5000
 nat server protocol tcp global current-interface 60001 inside 10.1.1.110 60001
 nat server protocol tcp global current-interface 60002 inside 10.1.1.110 60002
 nat server protocol tcp global current-interface 60003 inside 10.1.1.110 60003
 nat server protocol tcp global current-interface 60004 inside 10.1.1.110 60004
 nat server protocol tcp global current-interface 60005 inside 10.1.1.110 60005
 nat server protocol tcp global current-interface 60006 inside 10.1.1.110 60006
 nat server protocol tcp global current-interface 60007 inside 10.1.1.110 60007
 nat server protocol tcp global current-interface 60008 inside 10.1.1.110 60008
 nat server protocol tcp global current-interface 60009 inside 10.1.1.110 60009
 nat server protocol udp global current-interface 1194 inside 10.1.1.201 1194
 nat server protocol udp global current-interface 11940 inside 10.1.1.50 1194
 undo dhcp select server
#
interface GigabitEthernet1/0/2
 port link-mode route
 ip address 10.1.1.1 255.255.255.0
 dhcp server apply ip-pool vl10
#
interface GigabitEthernet1/0/3
 port link-mode route
 ip address 172.20.20.252 255.255.224.0
 undo dhcp select server
#
interface GigabitEthernet1/0/4
 port link-mode route
 undo dhcp select server
#
interface GigabitEthernet1/0/5
 port link-mode route
#
interface GigabitEthernet1/0/6
 port link-mode route
#
interface GigabitEthernet1/0/7
 port link-mode route
#
interface GigabitEthernet1/0/8
 port link-mode route
#
interface GigabitEthernet1/0/9
 port link-mode route
#
interface SSLVPN-AC1
 ip address 10.1.10.1 255.255.255.0
#
object-policy ip pass
 rule 0 pass   
#
security-zone name Local
#
security-zone name Trust
 import interface GigabitEthernet1/0/2
 import interface SSLVPN-AC1
#
security-zone name DMZ
 import interface GigabitEthernet1/0/3
#
security-zone name Untrust
 import interface GigabitEthernet1/0/1
#
security-zone name Management
 import interface GigabitEthernet1/0/0
#
 scheduler logfile size 16
#
line class aux
 user-role network-operator
#
line class console
 user-role network-admin
#
line class vty
 user-role network-operator
#
line aux 0
 user-role network-admin
#
line con 0
 authentication-mode scheme
 user-role network-admin
#
line vty 0 63
 authentication-mode scheme
 user-role network-admin
#
 ip route-static 0.0.0.0 0 GigabitEthernet1/0/1 1.1.1.65
#
 undo info-center logbuffer
#
 ssh server enable
#
acl basic 2000
 rule 0 permit
#
acl advanced 3000
 rule 0 permit ip source 0.0.0.0 255.255.255.0
#
domain system
#
 aaa session-limit ftp 16
 aaa session-limit telnet 16
 aaa session-limit ssh 16
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#              
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group sslvpn
 authorization-attribute acl 2000
 authorization-attribute vlan 10
 authorization-attribute sslvpn-policy-group zyz
 identity-member user test1
#
user-group system
 identity-member user test2
#
local-user admin class manage
 password hash $h$6$UbIhNnPevyKUwfpm$LqR3+yg1IjNct39MkOR0H0iQXLkYB3jMqM4vbAeoXOhbabIIFnjJPEGR00YiYA1Sz4LiY3FmEdru2fOLMb1shQ==
 service-type ssh telnet terminal http https
 authorization-attribute user-role level-3
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
local-user test1 class network
 password cipher $c$3$5dm1dcOjdETTNKWXO1ZWMvsASMwig1Qzpg==
 service-type lan-access
 service-type sslvpn
 authorization-attribute vlan 10
 authorization-attribute user-role network-operator
 authorization-attribute sslvpn-policy-group zyz
 identity-group sslvpn
#
local-user test2 class network
 password cipher $c$3$DquS8FsEg8s7HvaJtYTDj6X1TCY15qCf5g==
 service-type sslvpn
 group sslvpn
 authorization-attribute user-role network-operator
 identity-group system
#
pki domain sslvpndomain
 certificate request entity zs
 public-key rsa general name sslvpnrsa
 undo crl check enable
#
pki entity zs
 common-name 1.1.1.66
#
ssl server-policy sslvpncl
 pki-domain sslvpndomain
 ciphersuite rsa_des_cbc_sha rsa_rc4_128_md5 rsa_rc4_128_sha rsa_3des_ede_cbc_sha exp_rsa_rc4_md5 exp_rsa_rc2_md5 exp_rsa_des_cbc_sha dhe_rsa_aes_128_cbc_sha dhe_rsa_aes_256_cbc_sha
 client-verify optional
#
 ip http port 8899
 ip http acl 2000
 ip http enable
 ip https port 4430
 ip https enable
 webui log enable
#
inspect block-source parameter-profile ips_block_default_parameter
#
inspect block-source parameter-profile url_block_default_parameter
#
traffic-policy 
 rule name 爬虫 
  action qos profile 爬虫 
  source-address address-set 爬虫 
 profile name 爬虫
  bandwidth downstream guaranteed 5000 
  bandwidth downstream maximum 10000 
  bandwidth upstream guaranteed 500 
  bandwidth upstream maximum 1000 
  remark dscp default 
#
sslvpn ip address-pool sslvpnpool 10.1.10.10 10.1.10.254
#
sslvpn gateway sslvpngw
 ip address 1.1.1.66 port 4433
 service enable
#              
sslvpn context sslvpn
 gateway sslvpngw
 ip-tunnel interface SSLVPN-AC1
 ip-tunnel address-pool sslvpnpool mask 255.255.255.0
 ip-route-list lyb
  include 10.1.1.0 255.255.255.0
  include 10.1.10.0 255.255.255.0
 policy-group q
 policy-group zyz
  filter ip-tunnel acl 3000
  ip-tunnel access-route force-all
  ip-tunnel access-route ip-route-list lyb
 default-policy-group zyz
 service enable
#
uapp-control
#
security-policy ip
 rule 0 name GuideSecPolicy
  action pass
  counting enable
  source-zone Trust
  source-zone Local
  source-zone DMZ
  source-zone Untrust
  source-zone Management
  destination-zone Untrust
  destination-zone Local
  destination-zone Trust
  destination-zone DMZ
  destination-zone Management
 rule 1 name dmz
  action pass
  counting enable
  source-zone Trust
  source-zone DMZ
  source-zone Management
  source-zone Local
  destination-zone Trust
  destination-zone DMZ
  destination-zone Management
  destination-zone Local
 rule 2 name 审核
  action pass
  counting enable
  source-zone Untrust
  destination-zone Trust
  service ssh
 rule 3 name 数据库
  action pass
  counting enable
  source-zone Untrust
  destination-zone Trust
  service 数据库
 rule 4 name spc-cd
  action pass
  counting enable
  source-zone Untrust
  source-zone DMZ
  destination-zone Trust
  service 应用
 rule 5 name 临时
  action pass
  counting enable
  source-zone Untrust
  destination-zone Trust
  destination-zone vpn
  service 远程桌面
 rule 6 name te
  action pass
  counting enable
  source-zone Untrust
  destination-zone Local
#
return

最佳答案

粉丝:138人 关注:6人

您好,请知:

以下是SSL VPN的配置要点,请参考:

[SSL_VPN]acl advanced 3000

[SSL_VPN-acl-ipv4-adv-3000]rule 0 permit ip source any

[SSL_VPN-acl-ipv4-adv-3000]quit

 

[SSL_VPN]sslvpn ip address-pool weijianing 172.16.1.2 172.16.1.254

 

[SSL_VPN]int SSLVPN-AC 1

[SSL_VPN-SSLVPN-AC1]ip address 172.16.1.1 24

[SSL_VPN-SSLVPN-AC1]quit

 

[SSL_VPN]sslvpn gateway james

[SSL_VPN-sslvpn-gateway-james]ip address 192.168.200.200

[SSL_VPN-sslvpn-gateway-james]service enable

[SSL_VPN-sslvpn-gateway-james]quit

 

[SSL_VPN]sslvpn context james

[SSL_VPN-sslvpn-context-james]gateway james

[SSL_VPN-sslvpn-context-james]ip-tunnel address-pool weijianing mask 24

[SSL_VPN-sslvpn-context-james]ip-tunnel interface SSLVPN-AC 1

[SSL_VPN-sslvpn-context-james]ip-route-list james

[SSL_VPN-sslvpn-context-james-route-list-james]include 10.0.0.0 24

[SSL_VPN-sslvpn-context-james-route-list-james]quit

[SSL_VPN-sslvpn-context-james]policy-group ip

[SSL_VPN-sslvpn-context-james-policy-group-ip]filter ip-tunnel acl 3000

[SSL_VPN-sslvpn-context-james-policy-group-ip]ip-tunnel access-route ip-route-list james

[SSL_VPN-sslvpn-context-james-policy-group-ip]quit

[SSL_VPN-sslvpn-context-james]service enable

[SSL_VPN-sslvpn-context-james]quit


需注意下[SSL_VPN-sslvpn-context-james-route-list-james]include 10.0.0.0 24这条命令,相当于从SSL VPN网关配置路由的指向。确认已指向到位,同时内网也有路由指向到SSL VPN分配的IP地址段


以下是F1000-AK的用户手册连接,请参考:

https://www.h3c.com/cn/Service/Document_Software/Document_Center/IP_Security/FW_VPN/F1000-AK/  


以下是基于IP的SSL VPN的典型组网配置案例的连接,请参考:

https://zhiliao.h3c.com/theme/details/102210 

https://zhiliao.h3c.com/theme/details/102211 

暂无评论

0 个回答

该问题暂时没有网友解答

编辑答案

你正在编辑答案

如果你要对问题或其他回答进行点评或询问,请使用评论功能。

分享扩散:

提出建议

    +

亲~登录后才可以操作哦!

确定

亲~检测到您登陆的账号未在http://hclhub.h3c.com进行注册

注册后可访问此模块

跳转hclhub

你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作

举报

×

侵犯我的权益 >
对根叔社区有害的内容 >
辱骂、歧视、挑衅等(不友善)

侵犯我的权益

×

泄露了我的隐私 >
侵犯了我企业的权益 >
抄袭了我的内容 >
诽谤我 >
辱骂、歧视、挑衅等(不友善)
骚扰我

泄露了我的隐私

×

您好,当您发现根叔知了上有泄漏您隐私的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您认为哪些内容泄露了您的隐私?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)

侵犯了我企业的权益

×

您好,当您发现根叔知了上有关于您企业的造谣与诽谤、商业侵权等内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到 pub.zhiliao@h3c.com 邮箱,我们会在审核后尽快给您答复。
  • 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
  • 3. 是哪家企业?(营业执照,单位登记证明等证件)
  • 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

抄袭了我的内容

×

原文链接或出处

诽谤我

×

您好,当您发现根叔知了上有诽谤您的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

对根叔社区有害的内容

×

垃圾广告信息
色情、暴力、血腥等违反法律法规的内容
政治敏感
不规范转载 >
辱骂、歧视、挑衅等(不友善)
骚扰我
诱导投票

不规范转载

×

举报说明