1 Network description

As shown in the figure above, the firewall is the egress security device. Outbound, it is configured with NAT so that internal users can reach the Internet; inbound, it acts as an L2TP server (LNS), so external users dial in over L2TP and then access the internal server resources.
2 Firewall L2TP configuration
sysname FW1000
acl advanced 3000 //ACL used by NAT
rule 0 permit ip
interface GigabitEthernet1/0/4 //Internet-facing interface of the firewall, NAT configured here
port link-mode route
ip address x.142.88.98 255.255.255.240
nat outbound 3000
manage https inbound
manage ping inbound
gateway x.142.88.97
ip pool aaa x.153.207.2 x.153.207.10 //L2TP VPN address pool
ip pool aaa gateway x.153.207.1
l2tp enable //enable L2TP
l2tp-group 1 mode lns //L2TP group in LNS mode
allow l2tp virtual-template 1
undo tunnel authentication
tunnel name lns
domain l2tp //L2TP domain
authentication portal local
interface Virtual-Template1 //L2TP virtual-template interface
ppp authentication-mode chap domain l2tp
ppp ipcp dns 114.114.114.114
remote address pool aaa
ip address x.153.207.1 255.255.255.0
security-zone name VPN //add the L2TP interface to a security zone
import interface Virtual-Template1
local-user renyq class network //local L2TP user
password simple 123
service-type ppp
authorization-attribute user-role network-operator
nat global-policy //NAT policy
rule name GlobalPolicyRule_3
source-zone Trust
destination-zone Untrust
source-ip subnet x.153.151.248 29
action snat easy-ip
security-policy ip //security policy (access control)
rule 7 name l2tp
action pass
logging enable
counting enable
profile 7_IPv4
source-zone Untrust
destination-zone Local
service l2tp
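Added example, not from the original page or the vendor: a small Python audit that reads a Comware-style configuration like the one above and reports what a reviewer would flag in this LNS setup, namely tunnel authentication switched off with `undo tunnel authentication`, a local user whose password is kept with `password simple` (and is short), and whether a pass rule for the l2tp service exists and has `logging enable`. The embedded sample config and the 8-character minimum are constructed assumptions.

```python
import re

SAMPLE_CONFIG = """\
l2tp-group 1 mode lns
 undo tunnel authentication
local-user renyq class network
 password simple 123
security-policy ip
 rule 7 name l2tp
  action pass
  logging enable
  service l2tp
"""  # constructed sample in the page's Comware style (indented as in a saved config)

def parse_blocks(text):
    """Group each top-level command with its indented sub-lines, stripped."""
    blocks = []
    for raw in text.splitlines():
        if raw and not raw.startswith(" "):
            blocks.append((raw.strip(), []))
        elif raw.strip() and blocks:
            blocks[-1][1].append(raw.strip())
    return blocks

def audit_l2tp(text, min_pw_len=8):
    """Return hardening findings for an LNS config; min_pw_len is an assumed policy."""
    findings = []
    for head, body in parse_blocks(text):
        if head.startswith("l2tp-group") and "undo tunnel authentication" in body:
            findings.append(f"{head}: tunnel authentication disabled")
        elif head.startswith("local-user"):
            for m in (re.match(r"password simple (\S+)", l) for l in body):
                if m:  # 'password simple' keeps the secret in cleartext in the config
                    findings.append(f"{head}: password stored in plaintext")
                if m and len(m.group(1)) < min_pw_len:
                    findings.append(f"{head}: password shorter than {min_pw_len}")
        elif head == "security-policy ip":
            rules, cur = {}, None
            for line in body:  # rules nest one level deeper than the policy
                if line.startswith("rule "):
                    cur = rules.setdefault(line, set())
                elif cur is not None:
                    cur.add(line)
            passes = [r for r, s in rules.items() if {"action pass", "service l2tp"} <= s]
            if not passes:
                findings.append("security-policy ip: no pass rule for service l2tp")
            findings += [f"{r}: l2tp pass rule without logging enable"
                         for r in passes if "logging enable" not in rules[r]]
    return findings
```

Run `audit_l2tp(SAMPLE_CONFIG)` to get the findings for the sample; feed it the text of `display current-configuration` to audit a real device.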
3 Checking the L2TP status
<FW1000>
Domain: l2tp
State: Active
Portal authentication scheme: Local
Default authentication scheme: Local
Default authorization scheme: Local
Default accounting scheme: Local
Accounting start failure action: Online
Accounting update failure action: Online
Accounting quota out action: Offline
Service type: HSI
Session time: Exclude idle time
NAS-ID: N/A
DHCPv6-follow-IPv6CP timeout: 60 seconds
Authorization attributes:
Idle cut: Disabled
Session timeout: Disabled
IGMP access limit: 4
MLD access limit: 4