This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>
Issue DescriptionCustomer requirements is to give SSL VPN access their employ and other supplier. They would like to create a network extension different for type of user:
-
Employ need to reach internal network A e B
-
Supplier need to reach internal network B
Solution
First we need to follow this
configuration example . And we need to add some other configurations to achieve
customer’s need.
First way:
1, customer need to add a
authentication policy for the network extent IP pool.
2, for the network extension, please add
network A and B in the accessible private network segment list.
3, in the security policy, please add a
policy deny the access to network A with other supplier.
Second way
1, create the group and users in the
domain.
2, create the SSL VPN with web.
3, Binding ip pool (start with 10.1.1.1)
with group1 (for employ). And binding another pool to the group for other
supplier.
<sysname> system-view
[sysname] v-gateway abc -into the ssl
vpn gateway
[sysname-abc] service
[sysname-abc-service] network-extension netpool 10.1.1.1
10.1.1.10 255.255.255.0 -create the ip pool for group1
[sysname-abc-service] quit
[sysname-abc] vpndb
[sysname-abc-vpndb] group /default/group1
-add the group to v-gateway
[sysname-abc-vpndb] group /default/group1 network-extension
netpool 10.1.1.1 -binding the ip pool with
group
[sysname-abc-vpndb]
display group -
[sysname-abc-vpndb]
display user
[sysname-abc-vpndb]
display group /default/group1 - Displays detailed information about a user group, including
whether the user group is bound to a virtual IP address segment.
4, create a security policy
deny the ip pool ( which is binding the group with supplier ) access to network
A.
Source zone: ip pool,
destination zone: network
A. Action: deny
END
Author : t00210480
Document ID: EKB1001445570
Fault Type :
Copyright © 2019 Huawei Technologies Co., Ltd. All rights reserved.
