SSL VPN remote-access firewall shared-gateway configuration lab

1. Lab objective and topology

Lab objective: users access the servers over SSL; the corresponding SSL VPN shared-type gateway configuration is done on the firewall, and two servers are set up in the intranet behind the firewall, one for each of two services.

2. Basic configuration

(1) Configure the router interface addresses as shown in the figure (configuration omitted here)

(2) FW1 address and zone configuration must distinguish the root system, virtual system OA and virtual system RD

[FW1]vsys enable

[FW1]vsys name OA

[FW1]vsys name RD

[FW1-vsys-OA]assign interface g1/0/1

[FW1-vsys-RD]assign interface g1/0/2

3. Switch to virtual system OA

[FW1]switch vsys OA

[FW1-OA-GigabitEthernet1/0/1]dis th

interface GigabitEthernet1/0/1

undo shutdown

ip binding vpn-instance OA

ip address 10.1.121.12 255.255.255.0

[FW1-OA]dis zone

vpn-instance OA local

priority is 100

interface of the zone is (0):

vpn-instance OA trust

priority is 85

interface of the zone is (1):

GigabitEthernet1/0/1

vpn-instance OA untrust

priority is 5

interface of the zone is (1):
Virtual-if1

vpn-instance OA dmz

priority is 50

interface of the zone is (0):

[FW1-OA-policy-security]dis th

security-policy

rule name LOCAL_TO_ANY

source-zone local

action permit

4. Switch to virtual system RD

[FW1]switch vsys RD

[FW1-RD]dis zone

vpn-instance RD local

priority is 100

interface of the zone is (0):

vpn-instance RD trust

priority is 85

interface of the zone is (1):
GigabitEthernet1/0/2

vpn-instance RD untrust

priority is 5

interface of the zone is (1):
Virtual-if2

vpn-instance RD dmz

priority is 50

interface of the zone is (0):

[FW1-RD-policy-security]dis th

security-policy

rule name LOCAL_TO_ANY

source-zone local

action permit

5. Test connectivity to the two servers from the firewall root system

[FW1]ping -vpn-instance OA 10.1.121.10

PING 10.1.121.10: 56 data bytes, press CTRL_C to break

Request time out

Reply from 10.1.121.10: bytes=56 Sequence=2 ttl=255 time=1 ms

Reply from 10.1.121.10: bytes=56 Sequence=3 ttl=255 time=1 ms

[FW1]ping -vpn-instance RD 10.1.122.10

PING 10.1.122.10: 56 data bytes, press CTRL_C to break

Request time out

Reply from 10.1.122.10: bytes=56 Sequence=2 ttl=255 time=1 ms

Reply from 10.1.122.10: bytes=56 Sequence=3 ttl=255 time=1 ms

3. Detailed configuration

(1) Set the shared gateway's shared address and shared domain name

[FW1]v-gateway public-ip 155.1.121.12

[FW1]v-gateway public-domain www.qyw.com

[FW1]dis cu | in v-gate

2024-07-25 06:13:01.760
v-gateway public-ip 155.1.121.12
v-gateway public-domain www.qyw.com

v-gateway public ssl version tlsv11 tlsv12

v-gateway public ssl ciphersuit custom aes256-sha non-des-cbc3-sha aes128-sha

v-gateway ssl_gw_oa public-ip public www.qyw.com/OA

v-gateway ssl_gw_oa alias SSL_GW_OA

v-gateway ssl_gw_oa

(2) Switch to virtual firewall OA and virtual firewall RD, create a shared-type gateway in each and configure the corresponding network-extension attributes

1. [FW1]switch vsys OA

[FW1-OA]v-gateway SSL_GW_OA public-ip public www.qyw.com/OA

v-gateway ssl_gw_oa public-ip public www.qyw.com/OA
v-gateway ssl_gw_oa alias SSL_GW_OA

#****BEGIN***ssl_gw_oa**1****#

v-gateway ssl_gw_oa

basic

ssl timeout 5

ssl lifecycle 1440

service
network-extension enable
network-extension keep-alive enable
network-extension keep-alive interval 120
network-extension netpool 192.168.0.1 192.168.0.10 255.255.255.0

netpool 192.168.0.1 default
network-extension mode manual
network-extension manual-route 10.1.121.0 255.255.255.0

security

policy-default-action permit vt-src-ip

certification cert-anonymous cert-field user-filter subject cn group-filter subject cn

certification cert-anonymous filter-policy permit-all

certification cert-challenge cert-field user-filter subject cn

certification user-cert-filter key-usage any

undo public-user enable

hostchecker

cachecleaner

vpndb

group /default

role

role default

role default condition all

#****END****#

2. [FW1]switch vsys RD

[FW1-RD]v-gateway SSL_GW_RD public-ip public www.qyw.com/RD

v-gateway ssl_gw_rd public-ip public www.qyw.com/RD
v-gateway ssl_gw_rd alias SSL_GW_RD

#****BEGIN***ssl_gw_rd**1****#

v-gateway ssl_gw_rd

basic

ssl timeout 5

ssl lifecycle 1440

service
network-extension enable

network-extension keep-alive enable

network-extension keep-alive interval 120
network-extension netpool 192.168.0.11 192.168.0.20 255.255.255.0

netpool 192.168.0.11 default
network-extension mode manual
network-extension manual-route 10.1.122.0 255.255.255.0

security

policy-default-action permit vt-src-ip

certification cert-anonymous cert-field user-filter subject cn group-filter subject cn

certification cert-anonymous filter-policy permit-all

certification cert-challenge cert-field user-filter subject cn

certification user-cert-filter key-usage any

undo public-user enable

hostchecker

cachecleaner

vpndb

group /default

role

role default

role default condition all

#****END****#
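A defender reviewing the two gateway blocks above will want to check the global SSL settings (TLS 1.1 and the 3DES suite `non-des-cbc3-sha` are enabled) and make sure the OA and RD netpools never overlap, since each vsys hands out client addresses independently. The following audit script is an added example, not part of the lab or of Huawei's tooling; the sample configuration it parses is constructed from the lines shown in this section, and the BEGIN/END block markers are assumed to follow the format the page displays.

```python
import ipaddress
import re

# Constructed sample: global SSL lines and the two v-gateway blocks as shown in the lab
SAMPLE_CONFIG = """
v-gateway public ssl version tlsv11 tlsv12
v-gateway public ssl ciphersuit custom aes256-sha non-des-cbc3-sha aes128-sha
#****BEGIN***ssl_gw_oa**1****#
 network-extension netpool 192.168.0.1 192.168.0.10 255.255.255.0
#****END****#
#****BEGIN***ssl_gw_rd**1****#
 network-extension netpool 192.168.0.11 192.168.0.20 255.255.255.0
#****END****#
"""

WEAK_TLS = {"tlsv10", "tlsv11"}                    # anything below TLS 1.2
WEAK_CIPHER_MARKERS = ("des-cbc3", "rc4", "md5")   # 3DES / RC4 / MD5-based suites

def parse_config(text):
    """Collect global SSL settings and each v-gateway's netpool (as an int range)."""
    cfg = {"tls": [], "ciphers": [], "pools": {}}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"v-gateway public ssl version (.+)", line):
            cfg["tls"] = m.group(1).split()
        elif m := re.match(r"v-gateway public ssl ciphersuit custom (.+)", line):
            cfg["ciphers"] = m.group(1).split()
        elif m := re.match(r"#\*+BEGIN\*+(\w+)\*+\d+\*+#", line):
            current = m.group(1)              # enter a per-gateway block
        elif re.match(r"#\*+END\*+#", line):
            current = None
        elif (m := re.match(r"network-extension netpool (\S+) (\S+) \S+", line)) and current:
            cfg["pools"][current] = tuple(int(ipaddress.ip_address(g)) for g in m.groups())
    return cfg

def audit(cfg):
    """Return (severity, message) findings: legacy TLS, weak suites, overlapping pools."""
    findings = [("medium", f"legacy TLS version enabled: {v}") for v in cfg["tls"] if v in WEAK_TLS]
    findings += [("medium", f"weak cipher suite enabled: {c}") for c in cfg["ciphers"]
                 if any(mk in c for mk in WEAK_CIPHER_MARKERS)]
    pools = list(cfg["pools"].items())
    for i, (ga, (a0, a1)) in enumerate(pools):
        for gb, (b0, b1) in pools[i + 1:]:
            if a0 <= b1 and b0 <= a1:         # ranges overlap: two vsys could hand out the same client IP
                findings.append(("high", f"netpool overlap between {ga} and {gb}"))
    return findings

if __name__ == "__main__":
    print(*audit(parse_config(SAMPLE_CONFIG)), sep="\n")
```

On the lab's values the pools do not overlap, so only the TLS 1.1 and 3DES findings fire; the overlap check reports high severity if one vsys's pool is later widened into the other's range.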

(3) Configure security policies

Configured on the root system

[FW1-policy-security]dis th

security-policy

rule name LOCAL_TO_ANY

source-zone local

action permit
rule name OUT_TO_LOCAL
source-zone untrust
destination-zone local
service protocol tcp destination-port 443
action permit

Configured on virtual system OA

[FW1-OA-policy-security]DIS TH

security-policy

rule name LOCAL_TO_ANY

source-zone local

action permit
rule name OUT_TO_IN
source-zone untrust
destination-zone trust
source-address 192.168.0.0 mask 255.255.255.0
destination-address 10.1.121.0 mask 255.255.255.0
action permit

Configured on virtual system RD

[FW1-RD-policy-security]dis th

2024-07-25 06:24:09.270

security-policy

rule name LOCAL_TO_ANY

source-zone local

action permit
rule name OUT_TO_IN
source-zone untrust
destination-zone trust
source-address 192.168.0.0 mask 255.255.255.0
destination-address 10.1.122.0 mask 255.255.255.0
action permit

(4) Add users

4. Result verification

Log in to the shared gateway address 155.1.12.12 from a virtual machine

The intranet is reachable by ping

PS C:\Users\Administrator> ping 10.1.121.10

正在 Ping 10.1.121.10 具有 32 字节的数据:

来自 10.1.121.10 的回复: 字节=32 时间=6ms TTL=255

来自 10.1.121.10 的回复: 字节=32 时间=8ms TTL=255

The external network is reachable by ping

PS C:\Users\Administrator> ping 150.1.1.1

正在 Ping 150.1.1.1 具有 32 字节的数据:

来自 150.1.1.1 的回复: 字节=32 时间=12ms TTL=255

来自 150.1.1.1 的回复: 字节=32 时间=14ms TTL=255

The directly connected segment is reachable by ping

PS C:\Users\Administrator> ping 155.1.2.100

正在 Ping 155.1.2.100 具有 32 字节的数据:

来自 155.1.2.100 的回复: 字节=32 时间=9ms TTL=255

来自 155.1.2.100 的回复: 字节=32 时间=7ms TTL=255
