sslvpn不通網關
- 0關注
- 0收藏,574瀏覽
問題描述:
inode可以連接vpn,但是ping不通下發的網關。也ping不通需要訪問的地址。路由也沒問題啊
組網及組網描述:
display current-configuration
#
version 7.1.064, Release 8860P41
#
sysname H3C FW
#
clock timezone Beijing add 08:00:00
clock protocol none
#
context Admin id 1
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
isis 1
#
ip pool l2tp1 10.0.0.2 10.0.0.200
#
dhcp enable
#
dns server 8.8.8.8
dns server 114.114.114.114
dns server 221.131.143.69
ip host hlw.local 10.0.10.5
#
password-recovery enable
#
vlan 1
#
object-group ip address 10.0.0.0/16
security-zone Trust
0 network subnet 10.0.0.0 255.255.255.0
#
object-group ip address 192.168.0.0/16
0 network subnet 192.168.0.0 255.255.0.0
#
object-group ip address 192.168.30.0/24
0 network subnet 192.168.30.0 255.255.255.0
#
object-group ip address 173.16.1.0/24
0 network subnet 173.16.1.0 255.255.255.0
#
object-group service sslvpn
0 service tcp
#
object-group service ssvpn2
0 service tcp destination eq 4433
#
interface Virtual-Template1
ppp authentication-mode chap
remote address pool l2tp1
ip address 10.0.0.1 255.255.255.0
#
interface NULL0
#
interface GigabitEthernet1/0/0
port link-mode route
ip address 192.168.30.3 255.255.255.0
manage https inbound
manage ping inbound
manage telnet inbound
#
interface GigabitEthernet1/0/1
port link-mode route
description GuideWan Interface
ip address 36.151.98.170 255.255.255.252
dns server 221.131.143.69
ip last-hop hold
nat outbound 3888
manage http inbound
manage https inbound
manage ping inbound
gateway 36.151.98.169
#
interface GigabitEthernet1/0/2
port link-mode route
#
interface GigabitEthernet1/0/3
port link-mode route
#
interface GigabitEthernet1/0/4
port link-mode route
#
interface GigabitEthernet1/0/5
port link-mode route
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
interface GigabitEthernet1/0/10
port link-mode route
#
interface GigabitEthernet1/0/11
port link-mode route
#
interface GigabitEthernet1/0/12
port link-mode route
#
interface GigabitEthernet1/0/13
port link-mode route
#
interface GigabitEthernet1/0/14
port link-mode route
description GuideLan Interface
ip address 192.168.22.1 255.255.255.0
undo dhcp select server
#
interface GigabitEthernet1/0/15
port link-mode route
ip address dhcp-alloc
manage https inbound
manage ping inbound
#
interface GigabitEthernet1/0/16
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/17
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/18
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/19
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/20
port link-mode route
#
interface GigabitEthernet1/0/21
port link-mode route
#
interface GigabitEthernet1/0/22
port link-mode route
#
interface GigabitEthernet1/0/23
port link-mode route
#
interface GigabitEthernet1/0/24
port link-mode route
ip address 192.168.188.2 255.255.255.0
manage https inbound
manage ping inbound
manage ssh inbound
manage telnet inbound
#
interface GigabitEthernet1/0/25
port link-mode route
#
interface M-GigabitEthernet1/0/0
ip address 192.168.0.1 255.255.255.0
#
interface Ten-GigabitEthernet1/0/26
port link-mode route
#
interface Ten-GigabitEthernet1/0/27
port link-mode route
#
interface SSLVPN-AC2
ip address 172.16.254.1 255.255.255.0
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/0
import interface GigabitEthernet1/0/2
import interface GigabitEthernet1/0/14
import interface GigabitEthernet1/0/24
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
import interface Virtual-Template1
#
security-zone name Management
import interface M-GigabitEthernet1/0/0
#
security-zone name sslvpn
import interface SSLVPN-AC2
#
scheduler logfile size 16
#
line class console
authentication-mode scheme
user-role network-admin
#
line class vty
user-role network-operator
#
line con 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 GigabitEthernet1/0/1 36.151.98.169
ip route-static 10.0.0.0 16 GigabitEthernet1/0/0 192.168.30.2
ip route-static 173.16.1.0 24 GigabitEthernet1/0/24 192.168.30.2
ip route-static 192.168.0.0 16 GigabitEthernet1/0/0 192.168.30.2
#
info-center loghost secops.h3c.com port 20514
#
customlog format dpi url-filter
customlog format dpi ips
customlog format dpi anti-virus
customlog format dpi reputation
customlog host secops.h3c.com port 20514 export dpi ips anti-virus reputation
customlog timestamp localtime
#
performance-management
#
ssh server enable
#
acl advanced 3888
rule 0 permit ip
#
acl advanced 3999
rule 0 permit ip source 173.16.0.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
#
undo password-control blacklist all-line
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$WmR/twtGPDH0F92o$sOD156C6zzUoxAhFL2/8kwGGcIWVdibZNedU9uqBNqGEG7eGow4CAEZuYlVH1wPnq0vBAzXUyUzgvo/L4gX4+Q==
service-type ssh telnet terminal https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user test1 class network
password cipher $c$3$haLW3FXFv7sJzn+OxxNUEMYVTaMUeaAScw==
service-type ppp
authorization-attribute user-role network-operator
#
local-user user1 class network
password cipher $c$3$E2pdmOR2BOIuNFPXBIEdT2j6MSBKEvp70Q==
service-type sslvpn
authorization-attribute user-role network-operator
authorization-attribute sslvpn-policy-group sslvpn
#
ssl server-policy hlw
ciphersuite dhe_rsa_aes_256_cbc_sha rsa_aes_256_cbc_sha dhe_rsa_aes_128_cbc_sha rsa_aes_128_cbc_sha rsa_aes_128_cbc_sha256 rsa_aes_256_cbc_sha256 dhe_rsa_aes_128_cbc_sha256 dhe_rsa_aes_256_cbc_sha256 ecdhe_rsa_aes_128_cbc_sha256 ecdhe_rsa_aes_256_cbc_sha384 ecdhe_rsa_aes_128_gcm_sha256
ciphersuite ecdhe_rsa_aes_256_gcm_sha384 ecdhe_ecdsa_aes_128_cbc_sha256 ecdhe_ecdsa_aes_256_cbc_sha384 ecdhe_ecdsa_aes_128_gcm_sha256 ecdhe_ecdsa_aes_256_gcm_sha384 ecc_sm2_sm1_sm3 ecc_sm2_sm4_sm3 ecdhe_sm2_sm1_sm3 ecdhe_sm2_sm4_sm3 rsa_sm1_sha rsa_sm1_sm3
ciphersuite rsa_sm4_sha rsa_sm4_sm3 rsa_aes_128_gcm_sha256 rsa_aes_256_gcm_sha384 tls_aes_128_gcm_sha256 tls_aes_256_gcm_sha384 tls_chacha20_poly1305_sha256 tls_aes_128_ccm_sha256 tls_aes_128_ccm_8_sha256
certificate-chain-sending enable
version ssl3.0 disable
version tls1.0 disable
#
ipsec logging negotiation enable
#
l2tp-group 1 mode lns
allow l2tp virtual-template 1
undo tunnel authentication
#
l2tp enable
#
ike logging negotiation enable
#
ip https enable
#
blacklist global enable
#
inspect logging parameter-profile av_logging_default_parameter
#
inspect logging parameter-profile ips_logging_default_parameter
#
inspect logging parameter-profile url_logging_default_parameter
#
loadbalance isp file flash:/lbispinfo_v1.5.tp
#
sslvpn ip address-pool sslvpn72.16.254.2 172.16.254.254
#
sslvpn gateway sslvpn
ip address 36.151.98.170 port 4433
service enable
#
sslvpn context ssl
gateway sslvpn
ip-tunnel interface SSLVPN-AC2
ip-tunnel address-pool sslvpnask 255.255.255.0
ip-tunnel dns-server primary 114.114.114.114
ip-tunnel dns-server secondary 218.2.135.1
ip-route-list
include 10.0.10.0 255.255.255.0
include 10.0.100.0 255.255.255.0
include 192.168.30.0 255.255.255.0
policy-group sslvpn
filter ip-tunnel acl 3888
ip-tunnel access-route ip-route-list
force-logout max-onlines enable
service enable
#
security-policy ip
rule 7 name untrust-local
action pass
counting enable
source-zone Untrust
destination-zone Local
service ssvpn2
rule 4 name GuideSecPolicy
action pass
counting enable
source-zone Trust
source-zone Untrust
source-zone Local
destination-zone Untrust
destination-zone DMZ
destination-zone Trust
destination-zone Local
rule 6 name sslvpn-trust
action pass
logging enable
counting enable
source-zone sslvpn
destination-zone Trust
#
return
<H3C FW> %Jan 1 01:43:44:507 2025 H3C FW SSHS/6/SSHS_LOG: -COntext=1; Authentication failed for root from 60.199.135.34 port 37117 because of invalid username or wrong password .
- 2024-12-31提問
- 舉報
-
(0)
親~登錄後才可以操作哦!
確定你的郵箱還未認證,請認證郵箱或綁定手機後進行當前操作
舉報
×
侵犯我的權益
×
侵犯了我企業的權益
×
- 1. 您舉報的內容是什麼?(請在郵件中列出您舉報的內容和鏈接地址)
- 2. 您是誰?(身份證明材料,可以是身份證或護照等證件)
- 3. 是哪家企業?(營業執照,單位登記證明等證件)
- 4. 您與該企業的關係是?(您是企業法人或被授權人,需提供企業委托授權書)
抄襲了我的內容
×
原文鏈接或出處
誹謗我
×
- 1. 您舉報的內容以及侵犯了您什麼權益?(請在郵件中列出您舉報的內容、鏈接地址,並給出簡短的說明)
- 2. 您是誰?(身份證明材料,可以是身份證或護照等證件)
對根叔社區有害的內容
×
不規範轉載
×
舉報說明
暫無評論