1.配置需求
V7防火墙设备作为出口设备,外网PC通过inode软件拨SSLVPN,认证成功后可以访问内网192.168.10.0网段的资源。
2.组网图
3.配置步骤
3.1防火墙上网配置
3.2配置SSL VPN网关
[FW]sslvpn gateway sslvpngw #填写外网接口地址,端口号修改为4433,使能网关
[FW-sslvpn-gateway-sslvpngw]ip add 222.1.1.100 port 4433
[FW-sslvpn-gateway-sslvpngw]service enable
[FW]int SSLVPN-AC 1 #创建SSLL VPN AC接口[FW-SSLVPN-AC1]ip add 10.10.10.1 24
[FW]sslvpn ip address-pool sslpool 10.10.10.2 10.10.10.254 #创建地址池
[FW]acl ad 3999 #允许SSL VPN用户访问内网资源
[FW-acl-ipv4-adv-3999]rule permit ip destination 192.168.10.0 0.0.0.255
3.3配置SSL VPN实例
[FW]sslvpn context sslvpn #创建SSL VPN访问实例,引用网关、接口、地址池
[FW-sslvpn-context-sslvpn]gateway sslvpngw
[FW-sslvpn-context-sslvpn]ip-tunnel interface SSLVPN-AC 1
[FW-sslvpn-context-sslvpn]ip-tunnel address-pool sslpool mask 255.255.255.0
[FW-sslvpn-context-sslvpn]ip-tunnel dns-server primary 114.114.114.114
[FW-sslvpn-context-sslvpn]ip-route-list neiwang #创建路由列表,添加路由表项
[FW-sslvpn-context-sslvpn-route-list-neiwang]include 192.168.10.1 24
[FW-sslvpn-context-sslvpn]policy-group sslvpnziyuan #创建SSL VPN策略组
[FW-sslvpn-context-sslvpn-policy-group-sslvpnziyuan]filter ip-tunnel acl 3999
[FW-sslvpn-context-sslvpn-policy-group-sslvpnziyuan]ip-tunnel access-route ip-ro
ute-list neiwang #只有通过ACL检测的报文才可以访问IP资源
[FW-sslvpn-context-sslvpn]service enable
3.4新建SSL VPN用户,关联SSL VPN资源组
[FW]local-user user1 class network
[FW-luser-network-user1]password simple 123456
[FW-luser-network-user1]service-type sslvpn
[FW-luser-network-user1]authorization-attribute sslvpn-policy-group sslvpnziyuan
3.5将SSL VPN端口加入安全域,放通对应安全策略
[FW]security-zone name sslvpn #新建安全域,端口加入
[FW-security-zone-sslvpn]import interface SSLVPN-AC 1
[FW]object-group service 4433 #创建服务对象组,匹配SSL VPN端
[FW-obj-grp-service-4433]service tcp destination eq 4433
[FW]security-policy ip
[FW-security-policy-ip]rule 5 name untrust-local #配置安全策略放通untrust到local域
[FW-security-policy-ip-5-untrust-local]action pass
[FW-security-policy-ip-5-untrust-local]source-zone untrust
[FW-security-policy-ip-5-untrust-local]destination-zone local
[FW-security-policy-ip-5-untrust-local]service 4433
[FW-security-policy-ip]rule 10 name sslvpn-trust #配置安全策略放通SSL-VPN到trust
[FW-security-policy-ip-10-sslvpn-trust]action pass
[FW-security-policy-ip-10-sslvpn-trust]source-zone sslvpn
[FW-security-policy-ip-10-sslvpn-trust]destination-zone trust