H3C V7防火墙配置SSL VPN IP资源典型案例

H3C V7防火墙配置SSL VPN IP资源典型案例

引用

CSDN

1.

https://m.blog.csdn.net/m0_68265458/article/details/137679758

SSL VPN（Secure Sockets Layer Virtual Private Network）是一种基于SSL协议的虚拟专用网络技术，它允许用户通过互联网安全地访问企业内部网络资源。SSL VPN具有部署简单、使用方便、安全性高等特点，广泛应用于远程办公、移动办公等场景。本文将详细介绍如何在H3C V7防火墙上配置SSL VPN，以实现对外网PC访问内网资源的支持。

1.配置需求

V7防火墙设备作为出口设备，外网PC通过inode软件拨SSLVPN，认证成功后可以访问内网192.168.10.0网段的资源。

2.组网图

3.配置步骤

3.1防火墙上网配置

H3C-防火墙外网使用固定IP地址方式上网配置方法(华三）_华三防火墙配置远程管理ip-CSDN博客

3.2配置SSL VPN网关

[FW]sslvpn gateway sslvpngw #填写外网接口地址，端口号修改为4433，使能网关  
[FW-sslvpn-gateway-sslvpngw]ip add 222.1.1.100 port 4433  
[FW-sslvpn-gateway-sslvpngw]service enable  
[FW]int SSLVPN-AC 1 #创建SSLL VPN AC接口  
[FW-SSLVPN-AC1]ip add 10.10.10.1 24  
[FW]sslvpn ip address-pool sslpool 10.10.10.2 10.10.10.254 #创建地址池  
[FW]acl ad 3999 #允许SSL VPN用户访问内网资源  
[FW-acl-ipv4-adv-3999]rule permit ip destination 192.168.10.0 0.0.0.255  

3.3配置SSL VPN实例

[FW]sslvpn context sslvpn #创建SSL VPN访问实例，引用网关、接口、地址池  
[FW-sslvpn-context-sslvpn]gateway sslvpngw  
[FW-sslvpn-context-sslvpn]ip-tunnel interface SSLVPN-AC 1  
[FW-sslvpn-context-sslvpn]ip-tunnel address-pool sslpool mask 255.255.255.0  
[FW-sslvpn-context-sslvpn]ip-tunnel dns-server primary 114.114.114.114  
[FW-sslvpn-context-sslvpn]ip-route-list neiwang #创建路由列表，添加路由表项  
[FW-sslvpn-context-sslvpn-route-list-neiwang]include 192.168.10.1 24  
[FW-sslvpn-context-sslvpn]policy-group sslvpnziyuan #创建SSL VPN策略组  
[FW-sslvpn-context-sslvpn-policy-group-sslvpnziyuan]filter ip-tunnel acl 3999  
[FW-sslvpn-context-sslvpn-policy-group-sslvpnziyuan]ip-tunnel access-route ip-ro  
ute-list neiwang #只有通过ACL检测的报文才可以访问IP资源  
[FW-sslvpn-context-sslvpn]service enable  

3.4新建SSL VPN用户，关联SSL VPN资源组

[FW]local-user user1 class network  
[FW-luser-network-user1]password simple 123456  
[FW-luser-network-user1]service-type sslvpn  
[FW-luser-network-user1]authorization-attribute sslvpn-policy-group sslvpnziyuan  

3.5将SSL VPN端口加入安全域，放通对应安全策略

[FW]security-zone name sslvpn #新建安全域，端口加入  
[FW-security-zone-sslvpn]import interface SSLVPN-AC 1  
[FW]object-group service 4433 #创建服务对象组，匹配SSL VPN端  
[FW-obj-grp-service-4433]service tcp destination eq 4433  
[FW]security-policy ip  
[FW-security-policy-ip]rule 5 name untrust-local #配置安全策略放通untrust到local域  
[FW-security-policy-ip-5-untrust-local]action pass  
[FW-security-policy-ip-5-untrust-local]source-zone untrust  
[FW-security-policy-ip-5-untrust-local]destination-zone local  
[FW-security-policy-ip-5-untrust-local]service 4433  
[FW-security-policy-ip]rule 10 name sslvpn-trust #配置安全策略放通SSL-VPN到trust  
[FW-security-policy-ip-10-sslvpn-trust]action pass  
[FW-security-policy-ip-10-sslvpn-trust]source-zone sslvpn  
[FW-security-policy-ip-10-sslvpn-trust]destination-zone trust