Huawei eNSP SSL VPN epic configuration

Initially, a router served as the border device in the lab, using NAT to reach the two Layer 3 VLANIFs on sw1. Later the customer required SSL VPN on this topology, so the topology was changed: the firewall becomes the border device, the virtual machine is bridged under sw1, and the virtual machine's address must be able to communicate with the address of the firewall's external interface G1/0/2 (which protocol is used does not matter; the goal is reachability).

SSL VPN configuration begins

1. Bridge virtual machines

In the virtual machine software, go to Edit --> Virtual Network Editor and set the VM network adapter address required by the question.

Click Change Settings first; otherwise nothing can be modified.

After clicking Change Settings, two network adapters, VM0 and VM8, exist by default. Add VM2 and click OK.

Select the VM2 you just added, untick the DHCP-assigned address, set the subnet to the address segment required by the question, confirm, and restart the computer.

After the restart, open the eNSP cloud and you will find the VM2 you just created. Adding the network card there should be doable without looking it up on Baidu.

In the virtual machine, manually set the IP address to the required one. The gateway is vlanif10 on sw1.

Finally, connect the switch to the cloud.

2. Configure VLANs, Layer 3 VLANIFs and routing on the switch

Before configuring anything further, ping the firewall interface from the virtual machine. If it fails, everything that follows is in vain; continue only after it works.

3. Configure SSL

The key point: this command must be typed manually, otherwise everything else is in vain. The interface is the outbound interface, and sslvpn is the name I gave the gateway.

All subsequent configuration is done through the web interface (the steps for bridging to the firewall's web interface are omitted).

This is the command referred to above.

Don't select this option; it is a waste of time.

Enable both, then create an address segment for the users.

Create a user. After the first successful login, if the lab is shut down, the user will be gone at the next login and must be re-created.


Security policy: two types of traffic

1. Tunnel establishment: a policy from the virtual machine to the firewall's own (local) external interface address

2. Service access: a policy from the virtual machine to the intranet servers or PCs
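As an added example (not from the original post), here is a Huawei USG-style CLI fragment for the virtual gateway binding and the two security-policy rules just described. The interface G1/0/2 and the gateway name sslvpn come from the post; the zone names, the firewall external address 203.0.113.1, the client address pool 10.10.10.0/24 and the intranet 192.168.10.0/24 are assumptions, and the address pool and users themselves are created in the web UI as in the post, so they are not shown.

```text
# Added example, not the post's own configuration.
# Assumed: G1/0/2 is in zone untrust with address 203.0.113.1,
# the intranet 192.168.10.0/24 is in zone trust, and the SSL VPN
# client address pool created in the web UI is 10.10.10.0/24.

# The one command the post says must be typed by hand: bind the
# virtual gateway "sslvpn" to the outbound interface.
v-gateway sslvpn interface GigabitEthernet1/0/2 private

security-policy
 # 1. Tunnel establishment: client -> the firewall's own external
 #    address (zone local), HTTPS only. Limiting the destination to
 #    the single interface address avoids opening all of untrust->local.
 rule name sslvpn_tunnel
  source-zone untrust
  destination-zone local
  destination-address 203.0.113.1 mask 255.255.255.255
  service https
  action permit
 # 2. Service access: decapsulated client traffic, sourced from the
 #    address pool and entering from the zone of the bound interface,
 #    -> intranet. Restrict the source to the pool rather than all of untrust.
 rule name sslvpn_access
  source-zone untrust
  destination-zone trust
  source-address 10.10.10.0 mask 255.255.255.0
  destination-address 192.168.10.0 mask 255.255.255.0
  action permit
```

After a client connects, the session table (mentioned later in the post) should show sessions whose source is an address from the pool, which is a quick way to confirm the second rule is the one being hit.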

Install the Huawei SSL VPN login client on the virtual machine.

How long a login stays valid depends on whether you shut down eNSP. If you shut it down, create a new user next time and log in with that one, unless you leave the computer running for 24 hours.

If the username, IP address and port are entered correctly and the connection succeeds, the message "Debug Login Successful" appears in the lower right corner; you can also check it in the firewall status.

Enter the username and password.
</gml:gr_replace>
<gr_replace lines="63" cat="clarify" orig="This is in the firewall">
This is the firewall's online user list, which shows the information of the user logged in this time. With this, the SSL access requirement is met.

This is in the firewall online user list. You can see the login user information this time. In this way, the SSL access requirement is realized.

Allow external network users to access the intranet through SSL VPN

The mapping relationship can be seen in the firewall session table.


Source: blog.csdn.net/weixin_45650628/article/details/134151339