Picked it up on Xianyu (闲鱼) for around 200-300. The dedicated-line setup originally required a security appliance to be installed, apparently about 1000 per unit; a lot of them were bought and never deployed, and these are the ones that leaked out onto the market.

Connection: optical modem - firewall doing the PPPoE dial-up - end devices
It ends up roughly like this

The licences (anti-virus, intrusion detection and so on) are still good for over two more years, very nice.

Policies
Rule 1: internal to external, for Internet access
Rule 2: external access to the SSL VPN
Rule 3: after connecting over SSL VPN, access to internal resources (NAS, virtual machines and other internal services)
Rule 4: deny all other connections

Here is the config:
<CX-FHQ>dis cu
#
version 7.1.064, Release 8460P1619
#
sysname CX-FHQ
#
clock timezone Beijing add 08:00:00
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
dialer-group 1 rule ip permit
#
dhcp enable
#
password-recovery enable
#
vlan 1
#
vlan 10
#
object-group ip address Internet
security-zone Trust
0 network host address 10.1.1.1
#
dhcp server ip-pool vlan10
gateway-list 10.1.1.254
network 10.1.1.0 mask 255.255.255.0
dns-list 223.5.5.5 114.114.114.114
static-bind ip-address 10.1.1.1 mask 255.255.255.0 hardware-address MAC地址 description ROUTE 固定IP给路由器
static-bind ip-address 10.1.1.253 mask 255.255.255.0 hardware-address MAC地址 description NAS 固定IP给NAS
#
controller Cellular1/0/0
#
controller Cellular1/0/1
#
interface Dialer0
mtu 1492
ppp chap password si 拨号密码
ppp chap user 拨号账号
ppp ipcp dns admit-any
ppp ipcp dns request
ppp pap local-user 拨号账号 password si 拨号密码
dialer bundle enable
dialer-group 1
dialer timer idle 0
dialer timer autodial 5
ip address ppp-negotiate
nat server protocol tcp global current-interface 6443 inside 10.1.1.254 6443 rule ServerRule_7 映射SSLVPN端口
#
interface NULL0
#
interface Vlan-interface10
ip address 10.1.1.254 255.255.255.0
dhcp server apply ip-pool vlan10
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/2
port link-mode route
#
interface GigabitEthernet1/0/3
port link-mode route
#
interface GigabitEthernet1/0/4
port link-mode route
description Internet
pppoe-client dial-bundle-number 0
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
interface GigabitEthernet1/0/10
port link-mode route
#
interface GigabitEthernet1/0/11
port link-mode route
#
interface GigabitEthernet1/0/5
port link-mode bridge
description ROUTE
port access vlan 10
#
interface SSLVPN-AC10
ip address 10.100.1.254 255.255.255.0
#
security-zone name Local
#
security-zone name Trust
import interface Vlan-interface10
#
security-zone name DMZ
#
security-zone name Untrust
import interface Dialer0
import interface GigabitEthernet1/0/4
#
security-zone name Management
#
security-zone name SSLVPN
import interface SSLVPN-AC10
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-operator
#
line con 0
user-role network-admin
#
line vty 0 4
authentication-mode scheme
user-role network-operator
protocol inbound ssh
#
line vty 5 63
user-role network-operator
#
ip route-static 0.0.0.0 0 Dialer0
#
info-center loghost 127.0.0.1 port 3301 format default
info-center source CFGLOG loghost level informational
#
performance-management
#
ssh server enable
#
ntp-service enable
ntp-service unicast-server time1.cloud.tencent.com
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user 管理员账户 class manage
password si 管理员密码
service-type ssh terminal http https
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user SSLVPN用户名 class network
password si 密码
service-type sslvpn
authorization-attribute vlan 10
authorization-attribute user-role network-operator
authorization-attribute sslvpn-policy-group NW-SERVER
#
ssl renegotiation disable
ssl version ssl3.0 disable
ssl version tls1.0 disable
#
nat global-policy
rule name GlobalPolicyRule_1
description GuideNat
source-zone Trust
destination-zone Untrust
action snat easy-ip
#
apr signature auto-update
update schedule weekly sun start-time 02:20:00 tingle 120
#
ip http enable
ip https enable
#
blacklist global enable
#
url-filter signature auto-update
update schedule weekly sun start-time 02:30:00 tingle 120
#
ips signature auto-update
update schedule weekly sun start-time 02:00:00 tingle 120
#
app-profile 2_IPv4
ips apply policy default mode protect
data-filter apply policy default
url-filter apply policy default
file-filter apply policy default
anti-virus apply policy default mode protect
apt apply policy default
#
app-profile 3_IPv4
ips apply policy default mode protect
data-filter apply policy default
url-filter apply policy default
file-filter apply policy default
anti-virus apply policy default mode protect
apt apply policy default
#
app-profile 4_IPv4
ips apply policy default mode protect
data-filter apply policy default
url-filter apply policy default
file-filter apply policy default
anti-virus apply policy default mode protect
apt apply policy default
#
inspect logging parameter-profile av_logging_default_parameter
#
inspect logging parameter-profile ips_logging_default_parameter
#
inspect logging parameter-profile url_logging_default_parameter
#
inspect email parameter-profile mailsetting_default_parameter
undo authentication enable
#
traffic-policy
rule 1 name GuideAVCPolicy
action qos profile guideavcprofile1
source-zone Trust
destination-zone DMZ
destination-zone Untrust
profile name guideavcprofile1
bandwidth downstream guaranteed 1000000
bandwidth downstream maximum 1000000
#
sslvpn ip address-pool SLLVPN_IP 10.100.1.1 10.100.1.253 SSLVPN接入地址池
#
sslvpn gateway SSL_GATWAY
ip address 0.0.0.0 port 6443
service enable
#
sslvpn context NW
gateway SSL_GATWAY
ip-tunnel interface SSLVPN-AC10
ip-tunnel address-pool SLLVPN_IP mask 255.255.255.0
ip-tunnel dns-server primary 223.5.5.5
ip-tunnel dns-server secondary 114.114.114.114
login-message chinese 残浔-SSL VPN
login-message english Welcome to CANXUN SSL VPN
title chinese 残浔-SSL VPN
title english CANXUN-SSL VPN
notify-message login-page chinese 禁止爆破!
ip-route-list NW-SERVER
include 10.1.1.0 255.255.255.0
policy-group NW-SERVER
ip-tunnel access-route 10.1.1.0 255.255.255.0
session-connections 0
force-logout max-onlines enable
service enable
#
security-policy ip
rule 2 name To-Internet
action pass
profile 2_IPv4
source-zone Local
source-zone Trust
source-zone SSLVPN
destination-zone Untrust
rule 3 name To-NW
action pass
profile 3_IPv4
source-zone Untrust
destination-zone Local
destination-zone Trust
service-port tcp destination eq SSLVPN接入端口
rule 4 name Local
action pass
profile 4_IPv4
source-zone Trust
source-zone Local
source-zone SSLVPN
destination-zone Local
destination-zone Trust
destination-zone SSLVPN
rule 0 name Deny-ALL
#
ips logging parameter-profile ips_logging_default_parameter
#
anti-virus signature auto-update
update schedule weekly sun start-time 02:10:00 tingle 120
#
anti-virus logging parameter-profile av_logging_default_parameter
#
url-reputation signature auto-update
update schedule weekly sun start-time 02:40:00 tingle 120
#
domain-reputation signature auto-update
update schedule weekly sun start-time 02:50:00 tingle 120
#
ip-reputation signature auto-update
update schedule weekly sun start-time 03:00:00 tingle 120
#
return
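To check that the four rules in the post do what the summary says, here is an added Python example (written for this page, not the firewall's own code or anything from the original post). It parses an excerpt of the post's security-policy block and evaluates sample flows against it. Assumptions: the placeholder "SSLVPN接入端口" is taken to be 6443, the port used by the post's "nat server" and "sslvpn gateway" lines; rules are matched in the order they appear in the display (rule 2, 3, 4, then 0); and a rule with no explicit action, such as rule 0 Deny-ALL, drops, as does traffic matching no rule at all.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the post's "security-policy ip" block.
# ASSUMPTION: the placeholder "SSLVPN接入端口" is replaced by 6443, the port
# the post's "nat server" and "sslvpn gateway" lines use.
POLICY_TEXT = """\
security-policy ip
 rule 2 name To-Internet
  action pass
  profile 2_IPv4
  source-zone Local
  source-zone Trust
  source-zone SSLVPN
  destination-zone Untrust
 rule 3 name To-NW
  action pass
  profile 3_IPv4
  source-zone Untrust
  destination-zone Local
  destination-zone Trust
  service-port tcp destination eq 6443
 rule 4 name Local
  action pass
  profile 4_IPv4
  source-zone Trust
  source-zone Local
  source-zone SSLVPN
  destination-zone Local
  destination-zone Trust
  destination-zone SSLVPN
 rule 0 name Deny-ALL
"""


@dataclass
class Rule:
    rid: int
    name: str
    action: str = "drop"  # ASSUMPTION: a rule with no explicit action drops
    src_zones: set = field(default_factory=set)   # empty set = any zone
    dst_zones: set = field(default_factory=set)   # empty set = any zone
    services: list = field(default_factory=list)  # (proto, dport); empty = any


def parse_policy(text):
    """Parse a security-policy block into Rule objects in display order."""
    rules, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"rule (\d+) name (\S+)$", line)
        if m:
            cur = Rule(int(m.group(1)), m.group(2))
            rules.append(cur)
            continue
        if cur is None or not line:
            continue
        parts = line.split()
        if parts[0] == "action":
            cur.action = parts[1]
        elif parts[0] == "source-zone":
            cur.src_zones.add(parts[1])
        elif parts[0] == "destination-zone":
            cur.dst_zones.add(parts[1])
        elif parts[0] == "service-port":
            m2 = re.match(r"service-port (\S+) destination eq (\d+)$", line)
            if m2:
                cur.services.append((m2.group(1), int(m2.group(2))))
    return rules


def evaluate(rules, src_zone, dst_zone, proto, dport):
    """Return (action, rule name) for a flow; first matching rule wins."""
    for r in rules:
        if r.src_zones and src_zone not in r.src_zones:
            continue
        if r.dst_zones and dst_zone not in r.dst_zones:
            continue
        if r.services and (proto, dport) not in r.services:
            continue
        return r.action, r.name
    return "drop", "<no-match>"  # ASSUMPTION: unmatched traffic is dropped


def inbound_pass_rules(rules, outside_zone="Untrust"):
    """Defender's check: which rules let traffic from the outside zone in?"""
    return [r.name for r in rules
            if r.action == "pass" and (not r.src_zones or outside_zone in r.src_zones)]


def ends_with_catch_all_drop(rules):
    """Defender's check: is the last rule a zone-agnostic, service-agnostic drop?"""
    last = rules[-1]
    return last.action == "drop" and not last.src_zones and not last.dst_zones and not last.services


if __name__ == "__main__":
    rules = parse_policy(POLICY_TEXT)
    for flow in [("Trust", "Untrust", "udp", 53), ("Untrust", "Local", "tcp", 6443),
                 ("Untrust", "Trust", "tcp", 445), ("SSLVPN", "Trust", "tcp", 5000)]:
        print(flow, "->", evaluate(rules, *flow))
    print("inbound pass rules:", inbound_pass_rules(rules))
    print("catch-all drop at end:", ends_with_catch_all_drop(rules))
```

Running it shows that only rule To-NW admits traffic from Untrust, and only on tcp/6443 (also towards Trust, which matches the NAT server mapping to 10.1.1.254); anything else from the outside, such as tcp/445 to Trust, falls through to Deny-ALL. The two check functions are the kind of thing worth re-running after every policy edit on a box like this.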
Envious of those whose home is big enough to fit a rack.
@oheng Haven't bought a rack yet ==