Requirement: the company headquarters deploys a Hillstone firewall as its Internet egress gateway, and an internal server network (10.1.1.0/24) provides remote-working services to staff.
To raise the security level of the information system, remote workers must reach the internal servers over SSL VPN.
Key firewall configuration:
fwa# show configuration
aaa-server "itbj.net" type local
user "ssluser1"
password "123456"
exit
user-group "inherit"
member user "ssluser1"
exit
exit
zone "untrust"
type wan
exit
zone "sslvpn"
vrouter "trust-vr"
exit
hostname "fwa"
scvpn pool "sslpool"
address 10.1.88.1 10.1.88.100 netmask 255.255.255.0
exit
tunnel scvpn "inherittimes"
ssl-protocol any
pool "sslpool"
split-tunnel-route 10.1.88.0/24
split-tunnel-route 10.1.1.0/24
aaa-server "itbj.net"
interface ethernet0/1
exit
interface ethernet0/0
zone "trust"
ip address 10.1.1.254 255.255.255.0
manage ssh
manage ping
manage snmp
exit
interface ethernet0/1
zone "untrust"
ip address 20.0.0.1 255.255.255.0
manage ping
exit
interface tunnel30
zone "sslvpn"
ip address 10.1.88.254 255.255.255.252
manage ping
tunnel scvpn "inherittimes"
reverse-route prefer
exit
ip vrouter "trust-vr"
snatrule id 1 from "10.1.1.0/24" to "Any" service "Any" eif ethernet0/1 trans-to eif-ip mode dynamicport
ip route 0.0.0.0/0 20.0.0.100
exit
rule id 1
action permit
src-zone "trust"
dst-zone "untrust"
src-addr "Any"
dst-addr "Any"
service "Any"
exit
rule id 31
action permit
src-zone "sslvpn"
dst-zone "trust"
src-addr "Any"
dst-ip 10.1.1.0/24
service "Any"
user-group "itbj.net" "inherit"
exit
End
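The following Python script is an added example, not part of the original post and not Hillstone tooling. It reads a configuration dump in the block/exit layout shown above and flags the settings a reviewer checks before exposing the SSL VPN gateway: the local test password 123456, ssl-protocol any (which lets clients negotiate legacy SSL/TLS versions), whether the server subnet is actually pushed as a split-tunnel route, and whether the sslvpn-to-trust policy is scoped by user group and destination rather than left wide open. The parser logic, finding names and weak-password list are my own assumptions; the embedded configuration is a constructed excerpt of the page's values with straight quotes.

```python
# Added example (not Hillstone code): audit a SCVPN configuration dump for the
# settings a reviewer checks before exposing the gateway. Names are assumptions.
import ipaddress
import re

# Constructed excerpt of the page's configuration (same values as the page).
SAMPLE_CONFIG = """\
aaa-server "itbj.net" type local
user "ssluser1"
password "123456"
exit
user-group "inherit"
member user "ssluser1"
exit
exit
scvpn pool "sslpool"
address 10.1.88.1 10.1.88.100 netmask 255.255.255.0
exit
tunnel scvpn "inherittimes"
ssl-protocol any
pool "sslpool"
split-tunnel-route 10.1.88.0/24
split-tunnel-route 10.1.1.0/24
aaa-server "itbj.net"
interface ethernet0/1
exit
rule id 31
src-zone "sslvpn"
dst-zone "trust"
src-addr "Any"
dst-ip 10.1.1.0/24
service "Any"
user-group "itbj.net" "inherit"
exit
"""

# Keywords that open a block closed by "exit". Inside "tunnel scvpn" the words
# "aaa-server" and "interface" are plain settings, so context decides (assumed).
TOP_LEVEL_BLOCKS = ("aaa-server", "zone", "scvpn pool", "tunnel scvpn",
                    "interface", "ip vrouter", "rule id")
AAA_BLOCKS = ("user-group", "user ")
WEAK_PASSWORDS = {"123456", "12345678", "password", "admin"}  # assumed list


def parse_blocks(text):
    """Flatten the dump into [{"header": ..., "lines": [...]}] blocks."""
    blocks, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower() == "end":
            continue
        if line == "exit":
            if stack:
                stack.pop()
            continue
        parent = stack[-1] if stack else None
        if parent is None:
            opens = line.startswith(TOP_LEVEL_BLOCKS)
        else:  # only aaa-server nests further blocks (user, user-group)
            opens = (parent["header"].startswith("aaa-server")
                     and line.startswith(AAA_BLOCKS))
        if opens:
            block = {"header": line, "lines": []}
            blocks.append(block)
            stack.append(block)
        elif parent is not None:
            parent["lines"].append(line)
    return blocks


def audit(text, server_subnet="10.1.1.0/24"):
    """Return (finding_id, detail) tuples; an empty list means nothing flagged."""
    findings = []
    server_net = ipaddress.ip_network(server_subnet)
    for b in parse_blocks(text):
        h, lines = b["header"], b["lines"]
        if h.startswith("user "):
            for l in lines:
                m = re.match(r'password\s+"?([^"\s]*)', l)
                if m and (m.group(1) in WEAK_PASSWORDS or len(m.group(1)) < 8):
                    findings.append(("WEAK_PASSWORD", f"{h}: short or well-known password"))
        elif h.startswith("tunnel scvpn"):
            if "ssl-protocol any" in lines:
                findings.append(("SSL_PROTOCOL_ANY", f"{h}: legacy SSL/TLS versions allowed"))
            routes = [ipaddress.ip_network(l.split()[1])
                      for l in lines if l.startswith("split-tunnel-route")]
            if routes and not any(server_net.subnet_of(r) for r in routes):
                findings.append(("SERVER_SUBNET_NOT_ROUTED", f"{h}: {server_subnet} not pushed to clients"))
        elif h.startswith("rule id") and 'src-zone "sslvpn"' in lines:
            if not any(l.startswith("user-group") for l in lines):
                findings.append(("RULE_NO_USER_GROUP", f"{h}: policy not tied to a user group"))
            if 'dst-addr "Any"' in lines and not any(l.startswith("dst-ip") for l in lines):
                findings.append(("RULE_DST_ANY", f"{h}: VPN users may reach any trust address"))
            if 'service "Any"' in lines:
                findings.append(("RULE_SERVICE_ANY", f"{h}: all services permitted"))
    return findings


if __name__ == "__main__":
    for fid, detail in audit(SAMPLE_CONFIG):
        print(f"{fid:24} {detail}")
```

Run against the excerpt above, the script reports the weak local password, ssl-protocol any, and service "Any" on rule 31, while the split-tunnel coverage of 10.1.1.0/24 and the user-group scoping of rule 31 pass. Pasting a real show configuration dump into audit() in place of SAMPLE_CONFIG gives the same checks over the live policy.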
Use and verification
1. Install the SCVPN client
(1) In a web browser, open https://20.0.0.1:4433 to reach the SSL VPN gateway's user login page, enter the user name and password, and click the Login button;
(2) After a successful login, click the Download button; the page redirects to the Hillstone website and the download starts automatically;
(3) When the download completes, run the SCVPN client installer.
2. Open the SCVPN client program, enter the SSL VPN gateway address (the port defaults to 4433), enter the user name and password, and click Login.
3. Test and verify
Use ping and tracert to verify connectivity and the path to the internal server at headquarters.
On the headquarters firewall, run show scvpn client inherittimes to view the login status of SSL VPN users.