场景说明:防火墙作为企业网关,外网PC通过SSL VPN访问公司内部资源
防火墙配置:

建议创建组来区分具体权限,这样管理方便。
这里我修改了虚拟网关的端口为1443,客户端通过地址:1443的方式访问SSL网关。关于证书认证方式:华为叫做证书米明和证书挑战。
证书匿名:只认证证书的正确性即可访问VPN
证书挑战:认证证书的正确性的时候又需要进行用户名和口令的认证
设置资源管理方式,这里设置的是访问某个子网的全量资源,也就是网络扩展方式,对应其他VPN的NC方式。
这里授权给用户组即可,组内用户自动会被赋予该组的权限
防火墙配置CLI:
#
sysname FW
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.110.50 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 100.0.0.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/4
undo shutdown
ip address 192.168.100.1 255.255.255.252
service-manage ping permit
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/4
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
#
firewall zone dmz
set priority 50
#
api
#
ip route-static 192.168.10.0 255.255.255.0 192.168.100.2
ip route-static 192.168.20.0 255.255.255.0 192.168.100.2
#
v-gateway public ssl version tlsv11 tlsv12
v-gateway public ssl ciphersuit custom aes256-sha non-des-cbc3-sha aes128-sha
v-gateway ssl_gateway interface GigabitEthernet1/0/0 port 1443 private
v-gateway ssl_gateway alias SSL_Gateway
#
#
user-interface con 0
authentication-mode password
set authentication password cipher $1c$uMM_BG!%M:$Q+N<0jBRb0!o)C)'@Hj6ASlG%9-a7&9Q"cK!~ig&$
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user-interface vty 16 20
#
pki realm default
#
sa
#
location
#
multi-linkif
mode proportion-of-weight
#
#****BEGIN***ssl_gateway**1****#
v-gateway ssl_gateway //创建虚拟网关
basic
ssl version tlsv11 tlsv12
ssl timeout 10
ssl lifecycle 1440
ssl ciphersuit custom aes256-sha non-des-cbc3-sha aes128-sha
service
port-forwarding enable
port-forwarding auto-start enable
port-forwarding resource VC host-ip 192.168.10.1 443
port-forwarding resource VC-5480 host-ip 192.168.10.1 5480
network-extension enable
network-extension keep-alive enable
network-extension keep-alive interval 120
network-extension netpool 10.0.0.1 10.0.0.253 255.255.255.0
netpool 10.0.0.1 default
network-extension mode manual
network-extension manual-route 192.168.20.0 255.255.255.0
network-extension manual-route 192.168.10.0 255.255.255.0
security
policy-default-action permit vt-src-ip
certification cert-anonymous cert-field user-filter subject cn group-filter subject cn
certification cert-anonymous filter-policy permit-all
certification cert-challenge cert-field user-filter subject cn
certification user-cert-filter key-usage any
undo public-user enable
hostchecker
cachecleaner
role
role default
role default condition all
role default network-extension enable
role default port-forwarding enable
#****END****#
#
right-manager server-group
#
security-policy
rule name Untrust_Local_SSL-VPN //设置SSL-VPN访问虚拟网关的策略
source-zone untrust
destination-zone local
destination-address 100.0.0.1 mask 255.255.255.255
service TCP_1443
action permit
rule name Untrust_Trust_SSL-VPN //设置SSL-VPN客户端访问内网资源的策略,源地址为虚拟地址
source-zone untrust
destination-zone trust
source-address 10.0.0.0 mask 255.255.255.0
destination-address 192.168.10.0 mask 255.255.255.0
destination-address 192.168.20.0 mask 255.255.255.0
action permit
#
return
#
sysname FW
#
interface GigabitEthernet0/0/0
undo shutdown
ip binding vpn-instance default
ip address 192.168.110.50 255.255.255.0
service-manage http permit
service-manage https permit
service-manage ping permit
#
interface GigabitEthernet1/0/0
undo shutdown
ip address 100.0.0.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/4
undo shutdown
ip address 192.168.100.1 255.255.255.252
service-manage ping permit
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet1/0/4
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
#
firewall zone dmz
set priority 50
#
api
#
ip route-static 192.168.10.0 255.255.255.0 192.168.100.2
ip route-static 192.168.20.0 255.255.255.0 192.168.100.2
#
v-gateway public ssl version tlsv11 tlsv12
v-gateway public ssl ciphersuit custom aes256-sha non-des-cbc3-sha aes128-sha
v-gateway ssl_gateway interface GigabitEthernet1/0/0 port 1443 private
v-gateway ssl_gateway alias SSL_Gateway
#
#
user-interface con 0
authentication-mode password
set authentication password cipher $1c$uMM_BG!%M:$Q+N<0jBRb0!o)C)'@Hj6ASlG%9-a7&9Q"cK!~ig&$
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
user-interface vty 16 20
#
pki realm default
#
sa
#
location
#
multi-linkif
mode proportion-of-weight
#
#****BEGIN***ssl_gateway**1****#
v-gateway ssl_gateway //创建虚拟网关
basic
ssl version tlsv11 tlsv12
ssl timeout 10
ssl lifecycle 1440
ssl ciphersuit custom aes256-sha non-des-cbc3-sha aes128-sha
service
port-forwarding enable
port-forwarding auto-start enable
port-forwarding resource VC host-ip 192.168.10.1 443
port-forwarding resource VC-5480 host-ip 192.168.10.1 5480
network-extension enable
network-extension keep-alive enable
network-extension keep-alive interval 120
network-extension netpool 10.0.0.1 10.0.0.253 255.255.255.0
netpool 10.0.0.1 default
network-extension mode manual
network-extension manual-route 192.168.20.0 255.255.255.0
network-extension manual-route 192.168.10.0 255.255.255.0
security
policy-default-action permit vt-src-ip
certification cert-anonymous cert-field user-filter subject cn group-filter subject cn
certification cert-anonymous filter-policy permit-all
certification cert-challenge cert-field user-filter subject cn
certification user-cert-filter key-usage any
undo public-user enable
hostchecker
cachecleaner
role
role default
role default condition all
role default network-extension enable
role default port-forwarding enable
#****END****#
#
right-manager server-group
#
security-policy
rule name Untrust_Local_SSL-VPN //设置SSL-VPN访问虚拟网关的策略
source-zone untrust
destination-zone local
destination-address 100.0.0.1 mask 255.255.255.255
service TCP_1443
action permit
rule name Untrust_Trust_SSL-VPN //设置SSL-VPN客户端访问内网资源的策略,源地址为虚拟地址
source-zone untrust
destination-zone trust
source-address 10.0.0.0 mask 255.255.255.0
destination-address 192.168.10.0 mask 255.255.255.0
destination-address 192.168.20.0 mask 255.255.255.0
action permit
#
return
# sysname FW # interface GigabitEthernet0/0/0 undo shutdown ip binding vpn-instance default ip address 192.168.110.50 255.255.255.0 service-manage http permit service-manage https permit service-manage ping permit # interface GigabitEthernet1/0/0 undo shutdown ip address 100.0.0.1 255.255.255.0 service-manage ping permit # interface GigabitEthernet1/0/4 undo shutdown ip address 192.168.100.1 255.255.255.252 service-manage ping permit # firewall zone trust set priority 85 add interface GigabitEthernet0/0/0 add interface GigabitEthernet1/0/4 # firewall zone untrust set priority 5 add interface GigabitEthernet1/0/0 # firewall zone dmz set priority 50 # api # ip route-static 192.168.10.0 255.255.255.0 192.168.100.2 ip route-static 192.168.20.0 255.255.255.0 192.168.100.2 # v-gateway public ssl version tlsv11 tlsv12 v-gateway public ssl ciphersuit custom aes256-sha non-des-cbc3-sha aes128-sha v-gateway ssl_gateway interface GigabitEthernet1/0/0 port 1443 private v-gateway ssl_gateway alias SSL_Gateway # # user-interface con 0 authentication-mode password set authentication password cipher $1c$uMM_BG!%M:$Q+N<0jBRb0!o)C)'@Hj6ASlG%9-a7&9Q"cK!~ig&$ user-interface vty 0 4 authentication-mode aaa protocol inbound ssh user-interface vty 16 20 # pki realm default # sa # location # multi-linkif mode proportion-of-weight # #****BEGIN***ssl_gateway**1****# v-gateway ssl_gateway //创建虚拟网关 basic ssl version tlsv11 tlsv12 ssl timeout 10 ssl lifecycle 1440 ssl ciphersuit custom aes256-sha non-des-cbc3-sha aes128-sha service port-forwarding enable port-forwarding auto-start enable port-forwarding resource VC host-ip 192.168.10.1 443 port-forwarding resource VC-5480 host-ip 192.168.10.1 5480 network-extension enable network-extension keep-alive enable network-extension keep-alive interval 120 network-extension netpool 10.0.0.1 10.0.0.253 255.255.255.0 netpool 10.0.0.1 default network-extension mode manual network-extension manual-route 192.168.20.0 255.255.255.0 network-extension manual-route 192.168.10.0 255.255.255.0 security policy-default-action permit vt-src-ip certification cert-anonymous cert-field user-filter subject cn group-filter subject cn certification cert-anonymous filter-policy permit-all certification cert-challenge cert-field user-filter subject cn certification user-cert-filter key-usage any undo public-user enable hostchecker cachecleaner role role default role default condition all role default network-extension enable role default port-forwarding enable #****END****# # right-manager server-group # security-policy rule name Untrust_Local_SSL-VPN //设置SSL-VPN访问虚拟网关的策略 source-zone untrust destination-zone local destination-address 100.0.0.1 mask 255.255.255.255 service TCP_1443 action permit rule name Untrust_Trust_SSL-VPN //设置SSL-VPN客户端访问内网资源的策略,源地址为虚拟地址 source-zone untrust destination-zone trust source-address 10.0.0.0 mask 255.255.255.0 destination-address 192.168.10.0 mask 255.255.255.0 destination-address 192.168.20.0 mask 255.255.255.0 action permit # return
实验结果:

