SSL vpn远程接入防火墙共享型配置实验

一、实验目的及拓扑

实验目的：用户采用SSL方式接入服务器，在防火墙进行相应的SSLvpn共享型配置，在防火墙后的内网中这只两台服务器对应两项业务

二、基础配置

（一）如图所示配置路由器接口地址（此处配置省略）

（二）FW1地址和区域配置需区分根系统、虚拟系统OA和虚拟系统RD

FW1\]vsys enable \[FW1\]vsys name OA \[FW1\]vsys name RD \[FW1-vsys-OA\]assign interface g1/0/1 \[FW1-vsys-RD\]assign interface g1/0/2 3、切换到虚拟系统OA \[FW1\]switch vsys OA \[FW1-OA-GigabitEthernet1/0/1\]dis th # interface GigabitEthernet1/0/1 undo shutdown ip binding vpn-instance OA ip address 10.1.121.12 255.255.255.0 # \[FW1-OA\]dis zone vpn-instance OA local priority is 100 interface of the zone is (0): # vpn-instance OA trust priority is 85 interface of the zone is (1): GigabitEthernet1/0/1 # vpn-instance OA untrust priority is 5 interface of the zone is (1): Virtual-if1 # vpn-instance OA dmz priority is 50 interface of the zone is (0): # \[FW1-OA-policy-security\]dis th # security-policy rule name LOCAL_TO_ANY source-zone local action permit # 4、切换到虚拟系统RD \[FW1\]switch vsys RD \[FW1-RD\]dis zone vpn-instance RD local priority is 100 interface of the zone is (0): # vpn-instance RD trust priority is 85 interface of the zone is (1): GigabitEthernet1/0/2 # vpn-instance RD untrust priority is 5 interface of the zone is (1): Virtual-if2 # vpn-instance RD dmz priority is 50 interface of the zone is (0): # \[FW1-RD-policy-security\]dis th # security-policy rule name LOCAL_TO_ANY source-zone local action permit # 5、在防火墙根系统测试两台服务器联通情况 \[FW1\]ping -vpn-instance OA 10.1.121.10 PING 10.1.121.10: 56 data bytes, press CTRL_C to break Request time out Reply from 10.1.121.10: bytes=56 Sequence=2 ttl=255 time=1 ms Reply from 10.1.121.10: bytes=56 Sequence=3 ttl=255 time=1 ms \[FW1\]ping -vpn-instance RD 10.1.122.10 PING 10.1.122.10: 56 data bytes, press CTRL_C to break Request time out Reply from 10.1.122.10: bytes=56 Sequence=2 ttl=255 time=1 ms Reply from 10.1.122.10: bytes=56 Sequence=3 ttl=255 time=1 ms 三、详细配置 （一）设置共享型网关共享地址及共享域名 \[FW1\]v-gateway public-ip 155.1.121.12 \[FW1\]v-gateway public-domain www.qyw.com \[FW1\]dis cu \| in v-gate 2024-07-25 06:13:01.760 v-gateway public-ip 155.1.121.12 v-gateway public-domain www.qyw.com v-gateway public ssl version tlsv11 tlsv12 v-gateway public ssl ciphersuit custom aes256-sha non-des-cbc3-sha aes128-sha v-gateway ssl_gw_oa public-ip public www.qyw.com/OA v-gateway ssl_gw_oa alias SSL_GW_OA v-gateway ssl_gw_oa （二）切换至虚拟防火墙OA及防火墙RD新建共享型网关并对网络扩展进行相应属性配置 1、\[FW1\]switch vsys OA \[FW1-OA\]v-gateway SSL_GW_OA public-ip public www.qyw.com/OA  # v-gateway ssl_gw_oa public-ip public www.qyw.com/OA v-gateway ssl_gw_oa alias SSL_GW_OA # #\*\*\*\*BEGIN\*\*\*ssl_gw_oa\*\*1\*\*\*\*# v-gateway ssl_gw_oa basic ssl timeout 5 ssl lifecycle 1440 service network-extension enable network-extension keep-alive enable network-extension keep-alive interval 120 network-extension netpool 192.168.0.1 192.168.0.10 255.255.255.0 netpool 192.168.0.1 default network-extension mode manual network-extension manual-route 10.1.121.0 255.255.255.0 security policy-default-action permit vt-src-ip certification cert-anonymous cert-field user-filter subject cn group-filter su bject cn certification cert-anonymous filter-policy permit-all certification cert-challenge cert-field user-filter subject cn certification user-cert-filter key-usage any undo public-user enable hostchecker cachecleaner vpndb group /default role role default role default condition all #\*\*\*\*END\*\*\*\*# 2、\[FW1\]switch vsys RD \[FW1-RD\]v-gateway SSL_GW_RD public-ip public www.qyw.com/RD  # v-gateway ssl_gw_rd public-ip public www.qyw.com/RD v-gateway ssl_gw_rd alias SSL_GW_RD # #\*\*\*\*BEGIN\*\*\*ssl_gw_rd\*\*1\*\*\*\*# v-gateway ssl_gw_rd basic ssl timeout 5 ssl lifecycle 1440 service network-extension enable network-extension keep-alive enable network-extension keep-alive interval 120 network-extension netpool 192.168.0.11 192.168.0.20 255.255.255.0 netpool 192.168.0.11 default network-extension mode manual network-extension manual-route 10.1.122.0 255.255.255.0 security policy-default-action permit vt-src-ip certification cert-anonymous cert-field user-filter subject cn group-filter su bject cn certification cert-anonymous filter-policy permit-all certification cert-challenge cert-field user-filter subject cn certification user-cert-filter key-usage any undo public-user enable hostchecker cachecleaner vpndb group /default role role default role default condition all #\*\*\*\*END\*\*\*\*# （三）设置安全策略 在根系统上设置 \[FW1-policy-security\]dis th # security-policy rule name LOCAL_TO_ANY source-zone local action permit rule name OUT_TO_LOCAL source-zone untrust destination-zone local service protocol tcp destination-port 443 action permit # 在虚拟系统OA上设置 \[FW1-OA-policy-security\]DIS TH # security-policy rule name LOCAL_TO_ANY source-zone local action permit rule name OUT_TO_IN source-zone untrust destination-zone trust source-address 192.168.0.0 mask 255.255.255.0 destination-address 10.1.121.0 mask 255.255.255.0 action permit # 在虚拟系统RD上设置 \[FW1-RD-policy-security\]dis th 2024-07-25 06:24:09.270 # security-policy rule name LOCAL_TO_ANY source-zone local action permit rule name OUT_TO_IN source-zone untrust destination-zone trust source-address 192.168.0.0 mask 255.255.255.0 destination-address 10.1.122.0 mask 255.255.255.0 action permit # （四）添加用户  四、结果验证 使用虚拟机登录共享型网关地址155.1.12.12  可以ping通内网 PS C:\\Users\\Administrator\> ping 10.1.121.10 正在 Ping 10.1.121.10 具有 32 字节的数据: 来自 10.1.121.10 的回复: 字节=32 时间=6ms TTL=255 来自 10.1.121.10 的回复: 字节=32 时间=8ms TTL=255 可以ping通外网 PS C:\\Users\\Administrator\> ping 150.1.1.1 正在 Ping 150.1.1.1 具有 32 字节的数据: 来自 150.1.1.1 的回复: 字节=32 时间=12ms TTL=255 来自 150.1.1.1 的回复: 字节=32 时间=14ms TTL=255 可以ping通直连网段 PS C:\\Users\\Administrator\> ping 155.1.2.100 正在 Ping 155.1.2.100 具有 32 字节的数据: 来自 155.1.2.100 的回复: 字节=32 时间=9ms TTL=255 来自 155.1.2.100 的回复: 字节=32 时间=7ms TTL=255