H3C 双出口,主备出口,策略路由 SSVPN配合微软AD域认证简单配置

# H3C firewalls currently ship with 100 SSL VPN licenses. The management port is GE1/0/0 (or the MGMT
# port), reached at https://192.168.0.1 with the default account admin/admin.
# NOTE(review): the default admin/admin credentials must be replaced before the device carries traffic;
# this listing does not show that step.
# The following example covers dual uplinks with policy-based routing plus primary/backup routing, and
# SSL VPN authenticating against Microsoft AD.
sysname H3C_FW
# Take time from NTP (local zone UTC+8). Correct time matters for log correlation and certificate checks.
clock timezone Beijing add 08:00:00
clock protocol ntp
# Telecom uplink 1: PAT public address (a one-address range).
nat address-group 1 name 1
address 122.227.1.1 122.227.1.1
# Mobile uplink 1: PAT address pool. The ONT (optical modem) runs in router mode, so the firewall
# translates to the private address it holds on that link.
nat address-group 2 name 2
address 192.168.1.100 192.168.1.100
# Enable NAT logging, including session start and end records, so translated flows seen upstream can
# be attributed back to an internal host during an investigation.
nat log enable
nat log flow-begin
nat log flow-end
# Enable DNS proxy with upstream resolvers.
dns proxy enable
dns server 114.114.114.114
dns server 223.5.5.5
dns server 223.6.6.6
# Three address object groups. This one matches the whole Internet ...
object-group ip address internet
0 network subnet 0.0.0.0 0.0.0.0
# ... this one matches the internal VLAN10 segment ...
object-group ip address VLAN10
0 network subnet 192.168.10.0 255.255.255.0
# ... and this one matches the internal VLAN80 segment.
object-group ip address VLAN80
0 network subnet 192.168.80.0 255.255.255.0
# Service object for the SSL VPN listener. Avoid well-known ports such as 80, 8080 or 443; a
# non-standard port reduces untargeted scanning noise but is not a security control on its own --
# the authentication and security-policy rules below are.
object-group service SSLVPN
0 service tcp destination eq 65534
# Policy-based route: traffic matching ACL vlan10 is steered to the mobile dial-up link (next hop
# 192.168.1.1) and tied to track entry 1; when the tracked link fails, the route falls back to the
# Telecom leased line.
# NOTE(review): neither an ACL named `vlan10` nor a `track 1` entry appears anywhere in this listing
# (only `acl advanced name vlan80` is defined below). Without the ACL the node may match nothing, and
# without the track entry the `track 1` keyword has nothing to follow -- confirm both exist on the box.
policy-based-route 1 permit node 1
if-match acl name vlan10
apply next-hop 192.168.1.1 direct track 1
# Health check 1: ICMP probe towards 223.5.5.5 out of the mobile link; 10 consecutive passes/fails
# before the reaction state changes.
# NOTE(review): this is an `nqa template`. On Comware a `track` entry is normally bound to an NQA
# operation (`nqa entry ...` plus `track 1 nqa entry ...`) rather than to a template -- verify that
# track 1 is actually driven by this probe.
nqa template icmp 1
destination ip 223.5.5.5
next-hop ip 192.168.1.1
out interface GigabitEthernet1/0/2
reaction trigger probe-pass 10
reaction trigger probe-fail 10
# Out-of-band management port; do not modify.
# NOTE(review): this is the interface the default admin/admin login from the header lands on -- change
# that password before the device goes live.
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 192.168.0.1 255.255.255.0
# Telecom leased line (primary uplink). Ping management is enabled on an Internet-facing interface;
# whether the device actually answers is governed by the security-policy rules for Untrust -> Local.
interface GigabitEthernet1/0/1
port link-mode route
description 电信专线
combo enable copper
undo jumboframe enable
ip address 122.227.1.1 255.255.255.252
manage ping inbound
manage ping outbound
# Mobile dial-up line (backup uplink). The ONT runs in router mode, so the firewall sits behind it
# with a private address.
interface GigabitEthernet1/0/2
port link-mode route
description 移动拨号
undo jumboframe enable
ip address 192.168.1.100 255.255.255.0
# Inside interconnect port; policy-based route 1 is applied to traffic arriving here.
# NOTE(review): HTTPS management is enabled on this interface, and security-policy rule
# trust_local_to_any below passes all Trust -> Local traffic, so every inside host can reach the
# web UI. Restrict management access to an administrative subnet (a dedicated policy rule or
# management ACL) and make sure the default credentials are gone.
interface GigabitEthernet1/0/3
port link-mode route
description 内网互联口
ip address 10.137.221.1 255.255.255.0
manage https inbound
manage https outbound
manage ping inbound
manage ping outbound
ip policy-based-route 1
# SSL VPN gateway interface; the client address pool (10.0.1.1-10.0.1.100) must be in this subnet.
interface SSLVPN-AC1
ip address 10.0.1.254 255.255.255.0
manage ping inbound
manage ping outbound
# Assign interfaces to security zones.
# Inside interface
security-zone name Trust
import interface GigabitEthernet1/0/3
# DMZ is not used in this design
security-zone name DMZ
# Both uplinks
security-zone name Untrust
import interface GigabitEthernet1/0/1
import interface GigabitEthernet1/0/2
# Out-of-band management port
# NOTE(review): no security-policy rule below names the Management zone. If management sessions from
# GE1/0/0 work, they rely on a platform default rather than an explicit rule -- verify, and prefer an
# explicit Management -> Local rule limited to the management protocols you use.
security-zone name Management
import interface GigabitEthernet1/0/0
# SSL VPN zone
security-zone name sslvpn
import interface SSLVPN-AC1
# Static routes: default routes plus return routes. The Telecom leased line is primary; the mobile
# dial-up link is backup (preference 61 is worse than the Comware static default of 60, so it is used
# only when the primary route is withdrawn). The PBR above puts VLAN10 on the backup link; all other
# traffic uses the primary.
# NOTE(review): 122.227.139.169 is not inside 122.227.1.0/30, the subnet configured on
# GigabitEthernet1/0/1 (122.227.1.1 255.255.255.252), so this next hop is not directly reachable as
# written -- probably an anonymisation artefact; confirm the real gateway address.
ip route-static 0.0.0.0 0 122.227.139.169
ip route-static 0.0.0.0 0 192.168.1.1 preference 61
# Return routes for the inside segments via 10.137.221.2 (presumably the inside L3 device on the
# 10.137.221.0/24 interconnect).
ip route-static 192.168.10.0 24 10.137.221.2
ip route-static 192.168.80.0 24 10.137.221.2
# Remote syslog host.
info-center loghost 192.168.80.253
# NTP client.
# NOTE(review): NTP version 1 is obsolete; prefer the current version (4) and, if the server supports
# it, enable NTP authentication so a spoofed reply cannot skew the clock -- and with it every log
# timestamp and certificate validity check on this box.
ntp-service enable
ntp-service unicast-peer 120.25.115.20 version 1
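# Address ACL intended to match the SSL VPN server segment 192.168.80.0/24.
# Comware ACL rules take a wildcard mask (0 bits must match, 1 bits are ignored). The original
# `255.255.0.0` therefore matched any address of the form x.x.80.0 instead of the 192.168.80.0/24
# network; `0.0.0.255` is the wildcard for a /24. Note that this ACL is not referenced anywhere else
# in this listing -- the SSL VPN context below uses an `ip-route-list` instead.
acl advanced name vlan80
rule 0 permit ip source 192.168.80.0 0.0.0.255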
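# LDAP server definition for the AD domain controller.
# NOTE(review): the bind DN is the domain Administrator account. The firewall only needs to search
# user objects, so bind with a dedicated, least-privileged read-only service account instead, and keep
# the real password out of published configs (the cipher text below is a placeholder).
# NOTE(review): no TLS setting appears here, so the bind credentials and queries presumably travel in
# cleartext to 192.168.80.80 -- confirm whether this platform/version supports LDAP over TLS and
# enable it if it does.
ldap server svpn
login-dn cn=administrator,cn=users,dc=xx,dc=com
search-base-dn dc=xx,dc=com
ip 192.168.80.80
login-password cipher xxxxxxxxxxxxxxxxxxxxxxxxxxxx
user-parameters user-name-attribute samaccountname
# The following lines must be entered on the CLI; the web UI cannot configure them.
ldap scheme svpn
authentication-server svpn
authorization-server svpn
# The following lines must be entered on the CLI; the web UI cannot configure them.
# ISP domain for SSL VPN users: LDAP for authentication and authorisation, no accounting.
domain svpn
authorization-attribute user-group svpn
authentication sslvpn ldap-scheme svpn
authorization sslvpn ldap-scheme svpn
accounting sslvpn none

# Every authenticated user lands in group svpn, which maps to an SSL VPN policy group.
# The policy group is referenced by name; the SSL VPN context below defines `policy-group vlan80`,
# so the original value `1` pointed at a group that does not exist in this configuration.
user-group svpn
authorization-attribute sslvpn-policy-group vlan80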
# Source NAT policy: traffic from VLAN10 and VLAN80 leaving via the Telecom link is translated to
# address group 1, traffic leaving via the mobile link to address group 2. Which link a flow takes is
# decided by the routing/PBR above; the NAT rule only keys on the egress interface.
# NOTE(review): rule names `SNAT` and `2` say nothing about the link; names such as `snat_telecom` /
# `snat_mobile` would make NAT logs easier to read.
nat policy
rule name SNAT
description 1
source-ip VLAN10
source-ip VLAN80
outbound-interface GigabitEthernet1/0/1
action address-group 1
rule name 2
description 2
source-ip VLAN10
source-ip VLAN80
outbound-interface GigabitEthernet1/0/2
action address-group 2
# SSL VPN client address pool; it must be in the same subnet as the SSLVPN-AC1 gateway interface
# (10.0.1.254/24 above).
sslvpn ip address-pool 1 10.0.1.1 10.0.1.100
# SSL VPN access gateway and listening port.
# NOTE(review): the gateway is bound only to the Telecom public address. With the mobile link as the
# backup default route, remote users lose VPN access whenever the Telecom link is down; a second
# gateway on the mobile link would be needed to cover that case.
# NOTE(review): no `ssl server-policy` is attached here, so the gateway presumably presents the
# device's default (self-signed) certificate. Users then cannot distinguish the real gateway from an
# impostor; deploy a certificate issued by a CA the clients trust.
sslvpn gateway 1
ip address 122.227.1.1 port 65534
service enable
# SSL VPN context: IP-tunnel (full client) access, DNS/WINS handed to clients, and a split-tunnel
# route list that sends only 192.168.80.0/24 through the tunnel.
# NOTE(review): the DNS servers pushed to clients are public resolvers, so internal AD names will not
# resolve over the tunnel unless the public resolvers know them -- confirm that is intended.
sslvpn context 1
gateway 1
ip-tunnel interface SSLVPN-AC1
ip-tunnel address-pool 1 mask 255.255.255.0
ip-tunnel dns-server primary 223.5.5.5
ip-tunnel dns-server secondary 223.6.6.6
ip-tunnel wins-server primary 192.168.80.80
ip-tunnel wins-server secondary 192.168.80.81
ip-route-list VLAN80
include 192.168.80.0 255.255.255.0
# This policy group name must match the `authorization-attribute sslvpn-policy-group` value given in
# user-group svpn, otherwise authenticated users are not assigned a policy group.
policy-group vlan80
ip-tunnel access-route ip-route-list VLAN80
# Authenticate against ISP domain svpn (LDAP) and log user logins.
aaa domain svpn
log user-login enable
session-connections 640
max-onlines 320
service enable
# Import user accounts from the AD domain into the local database on a schedule (the original note
# says hourly; the interval itself is not shown in this listing).
user-identity user-account auto-import policy 1
# Local user import policy; pulls from LDAP scheme svpn.
user-identity user-import-policy 1
ldap-scheme svpn
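# Security policy: permit Trust and Local to anywhere, permit Untrust to Local on the SSL VPN port only,
# permit the sslvpn zone to anywhere, then drop everything else.
# Rules are matched in the order they are listed, not by rule ID, so `rule 4` being last is what makes
# it the catch-all -- keep it there (check the order with `display security-policy ip` after changes).
security-policy ip
rule 5 name trust_local_to_any
action pass
logging enable
counting enable
source-zone Trust
source-zone Local
# Only the SSL VPN listener (tcp/65534) is reachable from the Internet-facing zone.
rule 6 name untrust_to_local
action pass
logging enable
counting enable
source-zone Untrust
destination-zone Local
service SSLVPN
# NOTE(review): VPN users may reach every zone, including Local (device management over HTTPS on
# GigabitEthernet1/0/3) and Untrust, even though the tunnel route list only carries 192.168.80.0/24.
# Consider adding `destination-zone Trust` / `destination-ip VLAN80` so the policy matches what the
# split tunnel actually needs.
rule 7 name sslvpn
action pass
logging enable
counting enable
source-zone sslvpn
# Catch-all deny. The original rule carried no `action` line and relied on the implicit default; the
# drop is now explicit so the intent is visible and does not depend on the platform default.
rule 4 name test
action drop
logging enable
counting enable
# Back to user view.
# NOTE(review): `return` only leaves configuration mode; it does not write the running configuration
# to startup. Issue `save` afterwards or the configuration is lost on reboot.
return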
