I. Networking Requirements
A group company has two subsidiaries, both of which use Wall 1600 next-generation firewalls (NGFW for short). An SSL VPN tunnel is set up between them using certificates with RSA signature authentication, so that the two sites' LANs can reach each other. The 1600SC1 at subsidiary A is attached to the existing network in bypass mode, while the 1600SC2 at subsidiary B acts as the egress gateway for its whole network. The detailed topology and IP address plan are shown in the figure below.
II. Network Topology
1600SC1 – uses port GE4: 192.168.3.2
1600SC2 – internal port GE3: 192.168.6.1, external port GE1: 172.18.10.108
III. Configuration Points
Before configuring the SSL gateway function, first make sure that both sites' networks already have working Internet access; in this case the configuration was done after basic Internet access had been set up at both ends.
A brief note on generating the CA root certificate and the local device certificate for each firewall: the NGFW includes a small CA management centre that can issue a CA root certificate and user (device) certificates for itself and for other NGFW devices. In this case one of the 1600SC units (labelled 1600SC1) issues the certificates both for itself and for the other 1600SC (labelled 1600SC2).
The basic configuration steps are as follows:
1. Configure basic Internet access on the EG1000C
a. Configure the internal interface
b. Configure the external interface
c. Configure NAT
d. Configure the default route and static routes
e. Configure the port mapping needed by the SSL VPN (a site-to-site SSL VPN uses TCP port 40443)
2. Configure the S3750 switch
a. Create the VLANs
b. Assign the ports to their VLANs
c. Give each VLAN its gateway IP address
d. Configure the default route and static routes
Configure the route to subsidiary B's internal network, with the IP of 1600SC1's GE4 port as the next hop
3. Log in to the CA centre on 1600SC1 and generate the CA root certificate and the user certificates for 1600SC1 and 1600SC2
a. Under "Resource Management > CA Centre > Root CA Configuration", export the CA root certificate from 1600SC1 (choose the PEM format)
b. Under "Resource Management > CA Centre > User Certificate Management", generate user certificates for 1600SC1 and 1600SC2
Generate the certificate request, then issue the certificate and download it to the local machine
c. On each of the two devices open "VPN > Local Certificate" and import the CA root certificate and that device's user certificate generated above, so the SSL VPN can use them (the CA root certificate and user certificates generated above can also be used for IPsec VPN)
Import the CA root certificate and user certificate on 1600SC1
Import the CA root certificate and user certificate on 1600SC2
4. Configure SSL on 1600SC1 (bypass mode)
a. Edit the SSL gateway
Authentication method: RSA signature; Algorithm: all
b. Configure the security policy (it is recommended to move the SSL-related security policy ahead of the other policies so that tunnel traffic is not matched by the wrong rule)
Choose the type "SITE TO SITE" and tick both "Forward access" and "Reverse access"
Because in bypass mode all traffic entering and leaving 1600SC1 passes through the same interface, the source interface and the destination interface of the security policy are the same interface.
5. Configure SSL on 1600SC2 (egress routing mode)
a. Edit the SSL gateway
Authentication method: RSA signature; Algorithm: all
b. Configure the security policy (it is recommended to move the SSL-related security policy ahead of the other policies so that tunnel traffic is not matched by the wrong rule)
Choose the type "SITE TO SITE" and tick both "Forward access" and "Reverse access"
IV. Procedure
1. Configure basic Internet access on the EG1000C
a. Configure the internal interface
interface GigabitEthernet 0/3
ip nat inside
ip address 192.168.2.2 255.255.255.0
b. Configure the external interface
interface GigabitEthernet 0/4
ip nat outside
ip address 192.168.33.228 255.255.255.0
c. Configure NAT
ip access-list standard 1
10 permit any
ip nat pool nat_pool prefix-length 24
address 192.168.33.228 192.168.33.228 match interface GigabitEthernet 0/4
d. Configure the default route and static routes
ip route 0.0.0.0 0.0.0.0 GigabitEthernet 0/4 192.168.33.1 // default route
ip route 192.168.1.0 255.255.255.0 192.168.2.3 // return route toward the internal network
e. Configure the port mapping needed by the SSL VPN (a site-to-site SSL VPN uses TCP port 40443)
ip nat inside source static tcp 192.168.3.2 40443 192.168.33.228 40443 // TCP 40443 is the tunnel negotiation port of the site-to-site SSL VPN
2. Configure the S3750 switch
a. Create the VLANs
vlan 3
vlan 10
b. Assign the ports to their VLANs
int gi0/7
switchport access vlan 10
int gi0/14
switchport access vlan 3
c. Give each VLAN its gateway IP address
int vlan 3
ip address 192.168.3.1 255.255.255.0
int vlan 10
ip address 192.168.1.1 255.255.255.0
d. Configure the default route and static routes
ip route 0.0.0.0 0.0.0.0 192.168.2.2 // default route for Internet access
ip route 192.168.6.0 255.255.255.0 192.168.3.2 // route to subsidiary B's internal network; the next hop is the IP of 1600SC1's GE4 interface
3. Log in to the CA centre on 1600SC1 and generate the CA root certificate and the user certificates for 1600SC1 and 1600SC2
a. Under "Resource Management > CA Centre > Root CA Configuration", export the CA root certificate from 1600SC1 and save it in a folder on the local PC
b. Under "Resource Management > CA Centre > User Certificate Management", generate the CA root certificate and user certificates for 1600SC1 and 1600SC2
Generate a certificate request for 1600SC1 and one for 1600SC2
Issue the certificate
Likewise, perform the same operation for 1600SC2
Finally, download the certificates of 1600SC1 and 1600SC2 to the local machine; it is recommended to keep them in the same folder as the CA root certificate
In the end the folder contains the following three files
c. On each of the two devices open "VPN > Local Certificate" and import the CA root certificate and that device's user certificate generated above, so the SSL VPN can use them (the CA root certificate and user certificates generated above can also be used for IPsec VPN)
The following imports the CA root certificate on 1600SC1 (if a CA root certificate already exists, the old one must be deleted before the new one can be imported)
The following imports the local certificate on 1600SC1
Similarly, import the CA root certificate and the local user certificate on 1600SC2; this is not repeated here
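Step 3 relies on the NGFW's built-in CA centre and ends with three files: the root certificate and one device certificate per firewall. The shell script below is an added example (it is not from the original article or from Ruijie) that reproduces the same result with OpenSSL on an administrator's workstation, and adds the check worth doing before the import in step 3c: each device certificate must verify against the very root that will be imported on both firewalls, and a certificate issued by a different root (for example one left over from an earlier setup, which is why the old root has to be deleted first) fails that check. The working directory, the CA common names and the file names ca.pem, 1600SC1.pem and 1600SC2.pem are assumptions.

```shell
#!/bin/sh
# Added example: reproduces step 3 (root CA + one certificate per firewall) with
# OpenSSL instead of the NGFW's built-in CA centre. Assumed names: the working
# directory, the CA common names and the files ca.pem, 1600SC1.pem, 1600SC2.pem.
WORK="${WORK:-$(mktemp -d)}"

# make_ca <name> <common name>: self-signed root. <name>.key stays on the CA host;
# <name>.pem (PEM, as in step 3a) is the file imported on both firewalls.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}

# make_device_cert <device> <ca name>: certificate request (step 3b "generate the
# request"), then signing by the named root (step 3b "issue the certificate").
make_device_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1 &&
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 365 -sha256 -out "$WORK/$1.pem" >/dev/null 2>&1
}

# verify_chain <device> <ca name>: prints "ok" when the device certificate chains
# to that root and "fail" otherwise. This is the pre-import check: each firewall
# validates the peer's certificate against its imported root, so a certificate
# that does not chain to it cannot authenticate the tunnel.
verify_chain() {
  if openssl verify -CAfile "$WORK/$2.pem" "$WORK/$1.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# root_fingerprint <ca name>: SHA-256 fingerprint of the root, to compare on both
# firewalls after import so that a stale root from an earlier setup is noticed.
root_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$WORK/$1.pem" | cut -d= -f2
}

demo() {
  make_ca ca "NGFW-Lab-Root-CA"
  make_device_cert 1600SC1 ca
  make_device_cert 1600SC2 ca
  echo "root fingerprint: $(root_fingerprint ca)"
  echo "1600SC1 against ca: $(verify_chain 1600SC1 ca)"
  echo "1600SC2 against ca: $(verify_chain 1600SC2 ca)"
  # Failure mode: a certificate issued by a different root does not verify.
  make_ca stale-ca "Old-Root-CA"
  make_device_cert 1600SC2-old stale-ca
  echo "1600SC2-old against ca: $(verify_chain 1600SC2-old ca)"
  ls "$WORK"/*.pem
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh script.sh demo`; the `ls` at the end lists the same three PEM files step 3 produces (plus the deliberately stale ones), and the last `verify_chain` line shows the "fail" that a wrong root produces before any tunnel negotiation is attempted.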
———————————————————————————————————————-
4. Configure 1600SC1 (bypass mode)
a. Configure the interface IP and the default gateway
b. Edit the SSL gateway
Peer gateway address: the external interface IP address of 1600SC2
Choose "RSA signature" as the authentication method and "all" as the algorithm (any other single algorithm can be chosen instead, as long as both sides use the same one)
c. Configure the security policy
Local subnet: 1600SC1's internal subnet
Peer subnet: 1600SC2's internal subnet
Choose "SITE TO SITE" and tick both "Forward access" and "Reverse access"
Check the policy just created: a policy is disabled by default, so "Enable" must be ticked for the configuration to take effect, and remember to move it ahead of the other rules; otherwise the policy does not take effect
5. Configure 1600SC2 (egress routing mode)
a. Configure basic Internet access, first making sure that internal users can reach the Internet normally
Only the interface IP settings are shown here; for the remaining settings refer to "Routing-mode Internet access configuration > Single-link Internet access configuration > Static address environment"
b. Edit the SSL gateway
Peer gateway address: the external interface IP address of 1600SC1
Choose "RSA signature" as the authentication method and "all" as the algorithm (any other single algorithm can be chosen instead, as long as both sides use the same one)
c. Configure the security policy
Local subnet: 1600SC2's internal subnet
Peer subnet: 1600SC1's internal subnet
Choose "SITE TO SITE" and tick both "Forward access" and "Reverse access"
After configuring the security policy above, remember to move it ahead of the other rules and to tick "Enable"; otherwise the policy does not take effect
V. Verification
1. From 1600SC1's internal network, ping a user host on 1600SC2's internal network to trigger negotiation of the SSL VPN tunnel
Confirm on NGFW_A whether the SSL VPN negotiated successfully
2. As a further test, from 1600SC2's internal network ping a user host on 1600SC1's internal network
Confirm on NGFW_B whether the SSL VPN negotiated successfully
Original link: https://www.ruijie.com.cn/fw/wt/17382/