V7防火墙sslvpn--ip资源

V7平台防火墙sslvpn配置案例功能需求F100-A-G2作为作为SSLVPN总部，内网的出接口设备是一台nat设备，采用本地认证，外网pc通过inode拨入，实现通过ip资源的访问内网pc的远程功能，组网信息及描述配置步骤F100-A-G2上SSLVPN相关配置1创建pki域#上传本地和ca证书#配置PKI域zhou#导入CA证书2003_server.cer和本地证书2003_local.pfx[f100-A-G2]pkiimportdomainzhoupemcafilename2003_server.cerThetrustedCA'sfingerprintis:MD5fingerprint:7EFC890E3E04543F940AE5FFC79AEAD9SHA1fingerprint:AD8F99DCCBBE768E69CEC10B8C901A2751BCFBA5Isthefingerprintcorrect?(Y/N):y[f100-A-G2]pkiimportdomainzhoup12localfilename2003_local.pfxPleaseinputthepassword:Thedevicealreadyhasakeypair.Ifyouchoosetocontinue,theexistingkeypairwillbeoverwrittenifitisusedforthesamepurpose.Thelocalcertificates,ifany,willalsobeoverwritten.Continue?[Y/N]:y#导入之后生成证书2配置SSL服务器端策略ssl3创建sslvpn网关#配置SSLVPN网关qiqi的IP地址为192.168.16.233，端口号为4433，并引用SSL服务器端策略zhou4创建ssl虚拟接口SSLVPNAC#创建地址池qiqi，指定IP地址范围为4.4.4.10-4.4.4.200#创建SSLVPNAC接口1，配置接口的IP地址为4.4.4.1interfaceSSLVPN-AC1ipaddress4.4.4.1255.255.255.05配置sslvpn访问实例#配置SSLVPN访问实例qiqi引用SSLVPN网关qiqi#创建路由列表qiqi，并添加路由表项6.6.6.6/24，配置SSLVPN访问实例qiqi引用SSLVPNAC接口16配置资源组引用ip资源#创建SSLVPN策略组qiqi，并引用ip资源qiqi#开启SSLVPN访问实例qiqi#还需在命令行配置放通ip资源acladvanced3333rule0permitipsslvpncontextqiqipolicy-groupqiqifilterip-tunnel3333serviceenable7创建本地验证使用的用户名和密码#创建SSLVPN本地用户local-userqiqiclassnetworkpasswordsim123456service-typesslvpnauthorization-attributeuser-rolenetwork-adminauthorization-attributesslvpn-policy-groupqiqi8防火墙上安全策略相关配置#此实例中是把在使用的接口包括SLVPN-AC1都加入Trust区域，并且放通同域间能访问的规则9路由配置静态默认路由指向nat设备10nat设备配置NAT设备上映射SSLVPN对外的地址及端口，映射：内网的ip和端口为192.168.16.2334433映射后的公网和端口为10.88.18.23443311验证使用映射出去的ip10.88.18.34:4433测试连接成功后，看到客户端虚拟网卡已经获得由SSLvpn下发的4.4.4.10的ip，也获得去网6.6.6.0/24网断的路由SSLVPN客户端能ping通防火墙上vlan2ip6.6.66防火墙内网接口的电脑ip6.6.6.6.1也能打开内网电脑6.6.6.1的远程服务器配置关键点及注意事项1、SSLVPN-AC1接口也需要加入安全域，然后放通策略2、6.6.6.1的电脑的网关要指向防火墙，要有去网外网的路由3、老版本默认分配资源就允许访问，新版本修改为默认禁止了，所以要明确配允许策略，否则只能让客户端虚拟网卡获得ip而不能访问内网的服务acladvanced3333rule0permitipsslvpncontextqiqipolicy-groupqiqifilterip-tunnel3333serviceenable4、每次修改了sslvpn配置时都需要手工开启sslvpn实例和ssl网关，是的sslvpn重新生效5、本地认证时使用的用户名的服务类型必须得是sslvpn类型，和sslvpn中的资源进行绑定6、使用ip资源时目前只能使用inode客户端拨号使用配置命令：（web登入的命令不在这范围内）1安全域及域间策略security-zonenameTrustimportinterfaceGigabitEthernet1/0/1importinterfaceSSLVPN-AC1importinterfaceVlan-interface2importinterfaceGigabitEthernet1/0/13vlan2security-zoneintra-zonedefaultpermitacladvanced3333rule0permitipzone-pairsecuritysourceAnydestinationAnypacket-filter33332接口和路由配置interfaceVlan-interface2ipaddress6.6.6.6255.255.255.0interfaceGigabitEthernet1/0/13portlink-modebridgeportaccessvlan2interfaceGigabitEthernet1/0/1portlink-moderouteipaddress192.168.16.233255.255.255.0interfaceSSLVPN-AC1ipaddress4.4.4.1255.255.255.0iproute-static0.0.0.00192.168.16.2543SSLvpn配置验证的用户名和密码local-userqiqiclassnetworkpasswordsim123456service-typesslvpnauthorization-attributeuser-rolenetwork-adminauthorization-attributesslvpn-policy-groupqiqiPKI域（防火墙已经有本地和ca服务器证书，已经导入生成证书）pkidomainzhoupublic-keyrsageneralname1undocrlcheckenablesslvpn服务器策略sslserver-policyzhoupki-domainzhou给客户端下发ip的地址池sslvpnipaddress-poolqiqi4.4.4.104.4.4.200ssl网关sslvpngatewayqiqiipaddress192.168.16.233port4433sslserver-policyzhouserviceenablessl实例sslvpncontextqiqigatewayqiqiip-tunnelinterfaceSSLVPN-AC1ip-tunneladdress-poolqiqimask255.255.255.0ip-route-listqiqiinclude6.6.6.0255.255.255.0policy-groupqiqi（ssl资源）filterip-tunnel3333ip-tunnelaccess-routeip-route-listqiqiaaadomainsystemserviceenable