防火墙l2tp使用本地用户配置案例
一 组网说明

如上图,防火墙作为出口安全设备,对外配置NAT实现内网用户访问互联网,对内提供l2tp服务器拨入,允许外部用户拨入l2tp后再访问内网服务器资源
二 防火墙L2TP配置
sysname FW1000
#
acl advanced 3000 //配置nat acl
rule 0 permit ip
#
interface GigabitEthernet1/0/4 //防火墙连接互联网接口配置NAT
port link-mode route
ip address x.142.88.98 255.255.255.240
nat outbound 3000
manage https inbound
manage ping inbound
gateway x.142.88.97
#
ip pool aaa x.153.207.2 x.153.207.10 //配置l2tp vpn地址池
ip pool aaa gateway x.153.207.1
#
l2tp enable //使能l2tp
#
l2tp-group 1 mode lns //配置l2tp group
allow l2tp virtual-template 1
undo tunnel authentication
tunnel name lns
#
domain l2tp//配置l2tp domain
authentication portal local
#
interface Virtual-Template1 //配置l2tp VT接口
ppp authentication-mode chap domain l2tp
ppp ipcp dns 114.114.114.114
remote address pool aaa
ip address x.153.207.1 255.255.255.0
#
security-zone name VPN //配置l2tp接口加入到安全域
import interface Virtual-Template1
#
local-user renyq class network //配置l2tp本地用户
password simple 123
service-type ppp
authorization-attribute user-role network-operator
#
nat global-policy //配置nat策略
rule name GlobalPolicyRule_3
source-zone Trust
destination-zone Untrust
source-ip subnet x.153.151.248 29
action snat easy-ip
#
security-policy ip//配置访问控制策略
rule 7 name l2tp
action pass
logging enable
counting enable
profile 7_IPv4
source-zone Untrust
destination-zone Local
service l2tp
#
三 L2TP状态查看
<FW1000>
Domain: l2tp
State: Active
Portal authentication scheme: Local
Default authentication scheme: Local
Default authorization scheme: Local
Default accounting scheme: Local
Accounting start failure action: Online
Accounting update failure action: Online
Accounting quota out action: Offline
Service type: HSI
Session time: Exclude idle time
NAS-ID: N/A
DHCPv6-follow-IPv6CP timeout: 60 seconds
Authorization attributes:
Idle cut: Disabled
Session timeout: Disabled
IGMP access limit: 4
MLD access limit: 4
openEuler 是由开放原子开源基金会孵化的全场景开源操作系统项目,面向数字基础设施四大核心场景(服务器、云计算、边缘计算、嵌入式),全面支持 ARM、x86、RISC-V、loongArch、PowerPC、SW-64 等多样性计算架构
更多推荐


所有评论(0)