SSL vpn远程接入防火墙共享型配置实验

一、实验目的及拓扑

实验目的:用户采用SSL方式接入服务器,在防火墙进行相应的SSLvpn共享型配置,在防火墙后的内网中这只两台服务器对应两项业务

二、基础配置

(一)如图所示配置路由器接口地址(此处配置省略)

(二)FW1地址和区域配置需区分根系统、虚拟系统OA和虚拟系统RD

FW1vsys enable

FW1vsys name OA

FW1vsys name RD

FW1-vsys-OAassign interface g1/0/1

FW1-vsys-RDassign interface g1/0/2

3、切换到虚拟系统OA

FW1switch vsys OA

FW1-OA-GigabitEthernet1/0/1dis th

interface GigabitEthernet1/0/1

undo shutdown

ip binding vpn-instance OA

ip address 10.1.121.12 255.255.255.0

FW1-OAdis zone

vpn-instance OA local

priority is 100

interface of the zone is (0):

vpn-instance OA trust

priority is 85

interface of the zone is (1):

GigabitEthernet1/0/1

vpn-instance OA untrust

priority is 5

interface of the zone is (1):
Virtual-if1

vpn-instance OA dmz

priority is 50

interface of the zone is (0):

FW1-OA-policy-securitydis th

security-policy

rule name LOCAL_TO_ANY

source-zone local

action permit

4、切换到虚拟系统RD

FW1switch vsys RD

FW1-RDdis zone

vpn-instance RD local

priority is 100

interface of the zone is (0):

vpn-instance RD trust

priority is 85

interface of the zone is (1):
GigabitEthernet1/0/2

vpn-instance RD untrust

priority is 5

interface of the zone is (1):
Virtual-if2

vpn-instance RD dmz

priority is 50

interface of the zone is (0):

FW1-RD-policy-securitydis th

security-policy

rule name LOCAL_TO_ANY

source-zone local

action permit

5、在防火墙根系统测试两台服务器联通情况

FW1ping -vpn-instance OA 10.1.121.10

PING 10.1.121.10: 56 data bytes, press CTRL_C to break

Request time out

Reply from 10.1.121.10: bytes=56 Sequence=2 ttl=255 time=1 ms

Reply from 10.1.121.10: bytes=56 Sequence=3 ttl=255 time=1 ms

FW1ping -vpn-instance RD 10.1.122.10

PING 10.1.122.10: 56 data bytes, press CTRL_C to break

Request time out

Reply from 10.1.122.10: bytes=56 Sequence=2 ttl=255 time=1 ms

Reply from 10.1.122.10: bytes=56 Sequence=3 ttl=255 time=1 ms

三、详细配置

(一)设置共享型网关共享地址及共享域名

FW1v-gateway public-ip 155.1.121.12

FW1v-gateway public-domain www.qyw.com

FW1dis cu | in v-gate

2024-07-25 06:13:01.760
v-gateway public-ip 155.1.121.12
v-gateway public-domain www.qyw.com

v-gateway public ssl version tlsv11 tlsv12

v-gateway public ssl ciphersuit custom aes256-sha non-des-cbc3-sha aes128-sha

v-gateway ssl_gw_oa public-ip public www.qyw.com/OA

v-gateway ssl_gw_oa alias SSL_GW_OA

v-gateway ssl_gw_oa

(二)切换至虚拟防火墙OA及防火墙RD新建共享型网关并对网络扩展进行相应属性配置

1、FW1switch vsys OA

FW1-OAv-gateway SSL_GW_OA public-ip public www.qyw.com/OA

v-gateway ssl_gw_oa public-ip public www.qyw.com/OA
v-gateway ssl_gw_oa alias SSL_GW_OA

#****BEGIN***ssl_gw_oa**1****#

v-gateway ssl_gw_oa

basic

ssl timeout 5

ssl lifecycle 1440

service
network-extension enable
network-extension keep-alive enable
network-extension keep-alive interval 120
network-extension netpool 192.168.0.1 192.168.0.10 255.255.255.0

netpool 192.168.0.1 default
network-extension mode manual
network-extension manual-route 10.1.121.0 255.255.255.0

security

policy-default-action permit vt-src-ip

certification cert-anonymous cert-field user-filter subject cn group-filter su

bject cn

certification cert-anonymous filter-policy permit-all

certification cert-challenge cert-field user-filter subject cn

certification user-cert-filter key-usage any

undo public-user enable

hostchecker

cachecleaner

vpndb

group /default

role

role default

role default condition all

#****END****#

2、FW1switch vsys RD

FW1-RDv-gateway SSL_GW_RD public-ip public www.qyw.com/RD

v-gateway ssl_gw_rd public-ip public www.qyw.com/RD
v-gateway ssl_gw_rd alias SSL_GW_RD

#****BEGIN***ssl_gw_rd**1****#

v-gateway ssl_gw_rd

basic

ssl timeout 5

ssl lifecycle 1440

service
network-extension enable

network-extension keep-alive enable

network-extension keep-alive interval 120
network-extension netpool 192.168.0.11 192.168.0.20 255.255.255.0

netpool 192.168.0.11 default
network-extension mode manual
network-extension manual-route 10.1.122.0 255.255.255.0

security

policy-default-action permit vt-src-ip

certification cert-anonymous cert-field user-filter subject cn group-filter su

bject cn

certification cert-anonymous filter-policy permit-all

certification cert-challenge cert-field user-filter subject cn

certification user-cert-filter key-usage any

undo public-user enable

hostchecker

cachecleaner

vpndb

group /default

role

role default

role default condition all

#****END****#

(三)设置安全策略

在根系统上设置

FW1-policy-securitydis th

security-policy

rule name LOCAL_TO_ANY

source-zone local

action permit
rule name OUT_TO_LOCAL
source-zone untrust
destination-zone local
service protocol tcp destination-port 443
action permit

在虚拟系统OA上设置

FW1-OA-policy-securityDIS TH

security-policy

rule name LOCAL_TO_ANY

source-zone local

action permit
rule name OUT_TO_IN
source-zone untrust
destination-zone trust
source-address 192.168.0.0 mask 255.255.255.0
destination-address 10.1.121.0 mask 255.255.255.0
action permit

在虚拟系统RD上设置

FW1-RD-policy-securitydis th

2024-07-25 06:24:09.270

security-policy

rule name LOCAL_TO_ANY

source-zone local

action permit
rule name OUT_TO_IN
source-zone untrust
destination-zone trust
source-address 192.168.0.0 mask 255.255.255.0
destination-address 10.1.122.0 mask 255.255.255.0
action permit

(四)添加用户

四、结果验证

使用虚拟机登录共享型网关地址155.1.12.12

可以ping通内网

PS C:\Users\Administrator> ping 10.1.121.10

正在 Ping 10.1.121.10 具有 32 字节的数据:

来自 10.1.121.10 的回复: 字节=32 时间=6ms TTL=255

来自 10.1.121.10 的回复: 字节=32 时间=8ms TTL=255

可以ping通外网

PS C:\Users\Administrator> ping 150.1.1.1

正在 Ping 150.1.1.1 具有 32 字节的数据:

来自 150.1.1.1 的回复: 字节=32 时间=12ms TTL=255

来自 150.1.1.1 的回复: 字节=32 时间=14ms TTL=255

可以ping通直连网段

PS C:\Users\Administrator> ping 155.1.2.100

正在 Ping 155.1.2.100 具有 32 字节的数据:

来自 155.1.2.100 的回复: 字节=32 时间=9ms TTL=255

来自 155.1.2.100 的回复: 字节=32 时间=7ms TTL=255

相关推荐
Piko6143 小时前
H3C IRF2 堆叠实战:打造高可靠核心交换网络
运维·网络·笔记
茯苓gao5 小时前
嵌入式开发笔记:CANopen相关移位运算与通信协议术语详解
网络·嵌入式硬件·学习·信息与通信
万联WANFLOW5 小时前
SD-WAN 控制平面高可用怎么做?SDWAN 控制器挂了,全网会发生什么
运维·网络·分布式·架构
酱学编程6 小时前
【从零到一实现一个 AI Agent 框架 · 第四篇】04. 任务规划:拆解复杂目标 -
服务器·网络·数据库·人工智能
被克制了7 小时前
安全协议设计与分析(2)
网络安全·密码学·安全协议
风行南方7 小时前
密码学之分组密码
网络·密码学
艾莉丝努力练剑8 小时前
OpenCode AI 编程:Ubuntu 24.04 环境安装与使用指南
linux·服务器·网络·人工智能·tcp/ip·ubuntu
崇山峻岭之间8 小时前
Keil5输出hex转换为bin的设置
linux·运维·服务器
谷雪_6589 小时前
Linux 网络命名空间:从内核原理到企业级容器网络架构全景实战
linux·网络·架构
liulilittle9 小时前
KCC 拥塞控制算法缺陷修复记录(26/07/05)
网络·tcp/ip·计算机网络·c·信息与通信·tcp·通信