Model: F100-C-G
Version: version 5.20, Release 5142P02
Requirement: after logging in over L2TP, different users must receive different privileges and reach different intranet resources
Users should be able to reach different intranet resources after connecting over L2TP
1. Pushing an ACL to the PPP user was tested and could not enforce the restriction
2. Tested and working: the user dials in with a different authentication domain to obtain a specific IP address, and a security policy then controls access to resources
domain default enable system
domain test
 authentication ppp local
 authorization ppp none
 accounting ppp none
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
 ip pool 2 172.16.1.2 172.16.1.100
domain system
 authentication ppp local
 authorization ppp none
 accounting ppp none
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
 ip pool 1 172.16.1.200
l2tp-group 1
 undo tunnel authentication
 allow l2tp virtual-template 0
interface Virtual-Template0
 ppp authentication-mode chap
 ppp ipcp dns 192.168.0.250
 remote address pool 2
 ip address 172.16.1.1 255.255.255.0
zone name test id 20
 priority 10
 import interface Virtual-Template0
object network range fuwuqi
 range 192.168.0.252 192.168.0.252
object network range putong
 range 172.16.1.2 172.16.1.100
object network range test
 range 172.16.1.200 172.16.1.200
interzone source test destination Trust
 rule 0 permit source-ip test destination-ip fuwuqi
  service any_service
  rule enable
 rule 1 permit source-ip putong destination-ip any_address
  service any_service
  rule enable
Note: if the user logs in without a domain, the default system domain is used and the fixed address 172.16.1.200 is assigned; that user can then reach only the server 192.168.0.252. If the user logs in as user@test, all resources are reachable.
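To check the design above end to end, here is an added Python model of the domain-to-pool mapping and the zone test to Trust rules; it is not device code and not from the original post. It assumes the `any_address` object matches every IPv4 address and that a username without `@` lands in the default system domain, as the note states.

```python
import ipaddress

# Constructed model of the page's configuration (added example, not device code).
# Domain -> address pool handed to the PPP user, and the address objects used by
# the interzone rules from zone test to zone Trust. Unmatched traffic is denied.
DOMAIN_POOLS = {
    "system": ("172.16.1.200", "172.16.1.200"),  # ip pool 1, the default domain
    "test": ("172.16.1.2", "172.16.1.100"),      # ip pool 2
}
OBJECTS = {
    "fuwuqi": ("192.168.0.252", "192.168.0.252"),
    "putong": ("172.16.1.2", "172.16.1.100"),
    "test": ("172.16.1.200", "172.16.1.200"),
    "any_address": ("0.0.0.0", "255.255.255.255"),  # assumption: matches all IPv4
}
RULES = [  # (rule id, source object, destination object), evaluated in order
    (0, "test", "fuwuqi"),
    (1, "putong", "any_address"),
]

def domain_for(username):
    """The text after the last '@' selects the domain; no '@' means the default system domain."""
    return username.rsplit("@", 1)[1] if "@" in username else "system"

def in_range(ip, rng):
    lo, hi = (ipaddress.ip_address(x) for x in rng)
    return lo <= ipaddress.ip_address(ip) <= hi

def matching_rule(src_ip, dst_ip):
    """Return the id of the first permit rule covering the flow, or None (implicit deny)."""
    for rule_id, src_obj, dst_obj in RULES:
        if in_range(src_ip, OBJECTS[src_obj]) and in_range(dst_ip, OBJECTS[dst_obj]):
            return rule_id
    return None

def reachable(username, dst_ip):
    """True only if every address the user's domain pool can assign is permitted to dst_ip."""
    domain = domain_for(username)
    if domain not in DOMAIN_POOLS:
        return False  # unknown domain: authentication fails, no address, no access
    lo, hi = (ipaddress.ip_address(x) for x in DOMAIN_POOLS[domain])
    ip = lo
    while ip <= hi:  # walk the whole pool so no assignable address slips past the policy
        if matching_rule(str(ip), dst_ip) is None:
            return False
        ip += 1
    return True
```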