I. Lab objective and topology
Lab objective: users access the servers over SSL; the firewall is given the corresponding SSL VPN shared-gateway configuration, and two servers on the intranet behind the firewall are set up, one for each of two business services.
II. Basic configuration
(1) Configure the router interface addresses as shown in the topology (configuration omitted here)
(2) FW1 address and zone configuration must distinguish the root system, virtual system OA and virtual system RD
1. Enable the virtual system function and create virtual systems OA and RD
[FW1]vsys enable
[FW1]vsys name OA
[FW1]vsys name RD
2. Assign an interface to each virtual system
[FW1-vsys-OA]assign interface g1/0/1
[FW1-vsys-RD]assign interface g1/0/2
3. Switch to virtual system OA
[FW1]switch vsys OA
[FW1-OA-GigabitEthernet1/0/1]dis th
interface GigabitEthernet1/0/1
undo shutdown
ip binding vpn-instance OA
ip address 10.1.121.12 255.255.255.0
[FW1-OA]dis zone
vpn-instance OA local
priority is 100
interface of the zone is (0):
vpn-instance OA trust
priority is 85
interface of the zone is (1):
GigabitEthernet1/0/1
vpn-instance OA untrust
priority is 5
interface of the zone is (1):
Virtual-if1
vpn-instance OA dmz
priority is 50
interface of the zone is (0):
[FW1-OA-policy-security]dis th
security-policy
rule name LOCAL_TO_ANY
source-zone local
action permit
4. Switch to virtual system RD
[FW1]switch vsys RD
[FW1-RD]dis zone
vpn-instance RD local
priority is 100
interface of the zone is (0):
vpn-instance RD trust
priority is 85
interface of the zone is (1):
GigabitEthernet1/0/2
vpn-instance RD untrust
priority is 5
interface of the zone is (1):
Virtual-if2
vpn-instance RD dmz
priority is 50
interface of the zone is (0):
[FW1-RD-policy-security]dis th
security-policy
rule name LOCAL_TO_ANY
source-zone local
action permit
5. Test connectivity to the two servers from the firewall root system
[FW1]ping -vpn-instance OA 10.1.121.10
PING 10.1.121.10: 56 data bytes, press CTRL_C to break
Request time out
Reply from 10.1.121.10: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 10.1.121.10: bytes=56 Sequence=3 ttl=255 time=1 ms
[FW1]ping -vpn-instance RD 10.1.122.10
PING 10.1.122.10: 56 data bytes, press CTRL_C to break
Request time out
Reply from 10.1.122.10: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 10.1.122.10: bytes=56 Sequence=3 ttl=255 time=1 ms
III. Detailed configuration
(1) Set the shared gateway's shared address and shared domain name
[FW1]v-gateway public-ip 155.1.121.12
[FW1]v-gateway public-domain www.qyw.com
[FW1]dis cu | in v-gate
2024-07-25 06:13:01.760
v-gateway public-ip 155.1.121.12
v-gateway public-domain www.qyw.com
v-gateway public ssl version tlsv11 tlsv12
v-gateway public ssl ciphersuit custom aes256-sha non-des-cbc3-sha aes128-sha
v-gateway ssl_gw_oa public-ip public www.qyw.com/OA
v-gateway ssl_gw_oa alias SSL_GW_OA
v-gateway ssl_gw_oa
(2) Switch to virtual firewall OA and virtual firewall RD, create a shared gateway in each and configure the network-extension attributes
1. Virtual system OA
[FW1]switch vsys OA
[FW1-OA]v-gateway SSL_GW_OA public-ip public www.qyw.com/OA
v-gateway ssl_gw_oa public-ip public www.qyw.com/OA
v-gateway ssl_gw_oa alias SSL_GW_OA
#****BEGIN***ssl_gw_oa**1****#
v-gateway ssl_gw_oa
basic
ssl timeout 5
ssl lifecycle 1440
service
network-extension enable
network-extension keep-alive enable
network-extension keep-alive interval 120
network-extension netpool 192.168.0.1 192.168.0.10 255.255.255.0
netpool 192.168.0.1 default
network-extension mode manual
network-extension manual-route 10.1.121.0 255.255.255.0
security
policy-default-action permit vt-src-ip
certification cert-anonymous cert-field user-filter subject cn group-filter subject cn
certification cert-anonymous filter-policy permit-all
certification cert-challenge cert-field user-filter subject cn
certification user-cert-filter key-usage any
undo public-user enable
hostchecker
cachecleaner
vpndb
group /default
role
role default
role default condition all
#****END****#
2. Virtual system RD
[FW1]switch vsys RD
[FW1-RD]v-gateway SSL_GW_RD public-ip public www.qyw.com/RD
v-gateway ssl_gw_rd public-ip public www.qyw.com/RD
v-gateway ssl_gw_rd alias SSL_GW_RD
#****BEGIN***ssl_gw_rd**1****#
v-gateway ssl_gw_rd
basic
ssl timeout 5
ssl lifecycle 1440
service
network-extension enable
network-extension keep-alive enable
network-extension keep-alive interval 120
network-extension netpool 192.168.0.11 192.168.0.20 255.255.255.0
netpool 192.168.0.11 default
network-extension mode manual
network-extension manual-route 10.1.122.0 255.255.255.0
security
policy-default-action permit vt-src-ip
certification cert-anonymous cert-field user-filter subject cn group-filter subject cn
certification cert-anonymous filter-policy permit-all
certification cert-challenge cert-field user-filter subject cn
certification user-cert-filter key-usage any
undo public-user enable
hostchecker
cachecleaner
vpndb
group /default
role
role default
role default condition all
#****END****#
(3) Configure security policies
On the root system:
[FW1-policy-security]dis th
security-policy
rule name LOCAL_TO_ANY
source-zone local
action permit
rule name OUT_TO_LOCAL
source-zone untrust
destination-zone local
service protocol tcp destination-port 443
action permit
On virtual system OA:
[FW1-OA-policy-security]dis th
security-policy
rule name LOCAL_TO_ANY
source-zone local
action permit
rule name OUT_TO_IN
source-zone untrust
destination-zone trust
source-address 192.168.0.0 mask 255.255.255.0
destination-address 10.1.121.0 mask 255.255.255.0
action permit
On virtual system RD:
[FW1-RD-policy-security]dis th
2024-07-25 06:24:09.270
security-policy
rule name LOCAL_TO_ANY
source-zone local
action permit
rule name OUT_TO_IN
source-zone untrust
destination-zone trust
source-address 192.168.0.0 mask 255.255.255.0
destination-address 10.1.122.0 mask 255.255.255.0
action permit
(4) Add users
IV. Result verification
Log in to the shared gateway address 155.1.12.12 from a virtual machine.
The intranet can be pinged:
PS C:\Users\Administrator> ping 10.1.121.10
正在 Ping 10.1.121.10 具有 32 字节的数据:
来自 10.1.121.10 的回复: 字节=32 时间=6ms TTL=255
来自 10.1.121.10 的回复: 字节=32 时间=8ms TTL=255
The external network can be pinged:
PS C:\Users\Administrator> ping 150.1.1.1
正在 Ping 150.1.1.1 具有 32 字节的数据:
来自 150.1.1.1 的回复: 字节=32 时间=12ms TTL=255
来自 150.1.1.1 的回复: 字节=32 时间=14ms TTL=255
The directly connected segment can be pinged:
PS C:\Users\Administrator> ping 155.1.2.100
正在 Ping 155.1.2.100 具有 32 字节的数据:
来自 155.1.2.100 的回复: 字节=32 时间=9ms TTL=255
来自 155.1.2.100 的回复: 字节=32 时间=7ms TTL=255