
Web: Example for Enabling Remote Users to Access Enterprise Telnet Servers Through Port Forwarding

Networking Requirements

As shown in Figure 1, a remote user (a network administrator) needs to access the Telnet server on the enterprise intranet from outside the enterprise network.

Remote users are authenticated locally on the firewall (user group: group1) in the authentication domain default. Authenticated users reach the intranet Telnet server through port forwarding, which is started automatically once the user logs in to the virtual gateway.

Figure 1 Networking diagram of port forwarding

Procedure

  1. Configure interfaces.
    1. Choose Network > Interface.
    2. Click the edit icon of GigabitEthernet 0/0/1 and set parameters as follows:

      Zone: untrust
      IPv4 IP address: 1.1.1.1/24

    3. Click OK.
    4. Repeat the preceding steps to set the parameters for GigabitEthernet 0/0/2.

      Zone: trust
      IPv4 IP address: 10.2.0.1/24

  2. Configure user objects and authentication.
    1. Choose Object > User > default and set parameters as follows:

      Create user user0001 in user group /default/group1, with Authentication Type set to local authentication and Password set to Password@123. Create the group /default/group1 first, so that it exists to be referenced when the user is created. Password@123 is the example credential used throughout this page; use a strong, unique password in a real deployment.

    2. Click Apply.
  3. Configure the SSL VPN gateway.
    1. Choose Network > SSL VPN > SSL VPN.
    2. Click Add and set parameters as follows:

    3. Click Next.
  4. Configure the SSL version, cipher suite, session timeout duration, and session lifecycle. You can use the default values and click Next. The configuration script at the end of this page enables TLS 1.1 and TLS 1.2 with the aes256-sha and aes128-sha cipher suites; where your client software supports it, restrict the gateway to TLS 1.2 and drop TLS 1.1.
  5. Select Port Forwarding and click Next.
  6. Configure port forwarding.
    1. Select Automatic Enabling. In Port Forwarding Resource List, click Add and configure port forwarding resources as follows.

    2. Click OK.
    3. Click Next.
  7. Configure SSL VPN role authorization/users.
    1. Click Add in List of Authorized Roles and set the role authorization parameters as follows. After the configuration is completed, click OK.

    2. Return to the Role Authorization/User configuration page, and click Finish.
  8. Configure a security policy to allow employees on the move to access Telnet servers at the Headquarters.
    1. Configure an Internet-to-FW security policy to allow employees on the move to access the SSL VPN gateway.
      1. Choose Policy > Security Policy > Security Policy.
      2. Click Add to configure security policy policy01 and set parameters as follows:

        Name: policy01
        Source Zone: untrust
        Destination Zone: local
        Destination Address/Region: 1.1.1.1/24
        Service: https
        Action: Permit

        NOTE:

        If the HTTPS port number is changed, use the new port number when creating the security policy. 1.1.1.1/24 matches the whole 1.1.1.0/24 network (the configuration script shows destination-address 1.1.1.0 mask 255.255.255.0); only the gateway address 1.1.1.1 needs to be reachable by remote users, so a single host address is the tighter choice.

      3. Click OK.
    2. Configure a FW-to-intranet security policy to allow employees on the move to access resources at the Headquarters.
      1. Choose Policy > Security Policy > Security Policy.
      2. Click Add to configure security policy policy02 and set parameters as follows:

        Name: policy02
        Source Zone: local
        Destination Zone: trust
        Destination Address/Region: 10.2.0.0/24
        Action: Permit

        NOTE:

        The only resource published through port forwarding is TCP port 23 on 10.2.0.2. The policy can therefore be narrowed to that host and the telnet service instead of permitting all traffic to 10.2.0.0/24.

      3. Click OK.

Verifying the Configuration

  1. Enter https://1.1.1.1:443 in the address bar of Internet Explorer to access the SSL VPN login page.

    Install the control as prompted upon the first login.

  2. In the login window, enter the user name and password, and then click Login.

    After the login succeeds, click Start under Port Forwarding. Then you can access the corresponding port forwarding resources.

Configuration Script

# 
aaa 
 authentication-scheme default      
 authorization-scheme default 
 domain default  
  service-type ssl-vpn        
  internet-access mode password     
  reference user current-domain     
# 
interface GigabitEthernet 0/0/1
 ip address 1.1.1.1 255.255.255.0 
# 
interface GigabitEthernet 0/0/2 
 ip address 10.2.0.1 255.255.255.0  
# 
firewall zone trust           
 set priority 85 
 add interface GigabitEthernet 0/0/2 
# 
firewall zone untrust         
 set priority 5  
 add interface GigabitEthernet 0/0/1 
# 
v-gateway gateway authentication-domain default 
# 
#****BEGIN***gateway**1****#  
v-gateway gateway 
 basic 
  ssl version tlsv11 tlsv12 
  ssl timeout 5 
  ssl lifecycle 1440 
  ssl ciphersuit custom aes256-sha aes128-sha 
 service 
  port-forwarding enable 
  port-forwarding resource Telnet-Server host-ip 10.2.0.2 23  
 security 
  policy-default-action permit vt-src-ip 
  certification cert-anonymous cert-field user-filter subject cn group-filter subject cn 
  certification cert-anonymous filter-policy permit-all 
  certification cert-challenge cert-field user-filter subject cn 
  certification user-cert-filter key-usage any 
  undo public-user enable 
 hostchecker 
 cachecleaner 
 vpndb 
  group /default 
  group /default/group1 
 role 
 role default 
  role default condition all 
 role role 
  role role condition all 
  role role port-forwarding enable 
  role role port-forwarding resource Telnet-Server 
#****END****# 
# 
security-policy 
 rule name policy01 
  source-zone untrust 
  destination-zone local 
  destination-address 1.1.1.0 mask 255.255.255.0 
  service https 
  action permit 
 rule name policy02 
  source-zone local 
  destination-zone trust 
  destination-address 10.2.0.0 mask 255.255.255.0 
  action permit 
# 
# The following configurations are saved in the database and are not displayed in the configuration file.
 user-manage user user0001 domain default
  password %$%$j@p.U.0bwNQv9nE#tf]G-+"v%$%$
  parent-group /default/group1
 v-gateway gateway
  role
   role role group /default/group1
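The following Python script is an added example and is not part of this page or of any Huawei tool. It parses the v-gateway and security-policy stanzas of a configuration script in the format shown above (embedded below as a constructed sample taken from this page's script) and checks that the two security policies fit the port-forwarding resource: the forwarded host must be covered by a local-to-trust permit rule, the untrust-to-local rule must reach the gateway address and permit only the HTTPS service (the NOTE above about a changed HTTPS port is why the service name is a parameter), and no rule may let untrust traffic straight into trust. The function names, the gateway_ip and https_service parameters, and the finding texts are this example's own.

```python
"""Consistency checks over a saved SSL VPN configuration (added example, not a Huawei tool)."""
import ipaddress
import re

# Constructed sample: the relevant stanzas of the configuration script on this page.
SAMPLE_CONFIG = """\
v-gateway gateway
 basic
  ssl version tlsv11 tlsv12
 service
  port-forwarding enable
  port-forwarding resource Telnet-Server host-ip 10.2.0.2 23
#
security-policy
 rule name policy01
  source-zone untrust
  destination-zone local
  destination-address 1.1.1.0 mask 255.255.255.0
  service https
  action permit
 rule name policy02
  source-zone local
  destination-zone trust
  destination-address 10.2.0.0 mask 255.255.255.0
  action permit
#
"""


def parse_rules(config):
    """Return one dict per 'rule name' stanza; a rule with no service line permits any service."""
    rules, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"rule name (\S+)", line)
        if m:
            current = {"name": m.group(1), "source-zone": None, "destination-zone": None,
                       "destination-address": [], "service": [], "action": None}
            rules.append(current)
            continue
        if current is None:
            continue
        if line.startswith("#"):          # '#' closes the security-policy block
            current = None
            continue
        m = re.match(r"destination-address (\S+) mask (\S+)", line)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            current["destination-address"].append(net)
            continue
        m = re.match(r"(source-zone|destination-zone|action) (\S+)", line)
        if m:
            current[m.group(1)] = m.group(2)
            continue
        m = re.match(r"service (\S+)", line)
        if m:
            current["service"].append(m.group(1))
    return rules


def parse_resources(config):
    """Return (name, host address, port) for every port-forwarding resource."""
    pat = re.compile(r"port-forwarding resource (\S+) host-ip (\S+) (\d+)")
    return [(m.group(1), ipaddress.ip_address(m.group(2)), int(m.group(3)))
            for m in pat.finditer(config)]


def permits(rule, src_zone, dst_zone, addr):
    """True if the rule is a permit from src_zone to dst_zone whose destination covers addr."""
    return (rule["action"] == "permit" and rule["source-zone"] == src_zone
            and rule["destination-zone"] == dst_zone
            and any(addr in net for net in rule["destination-address"]))


def audit(config, gateway_ip="1.1.1.1", https_service="https"):
    """Return a list of findings; an empty list means the policies fit the resources."""
    rules, findings = parse_rules(config), []
    # 1. Each forwarded host needs a local->trust permit rule (policy02 on this page).
    for name, ip, port in parse_resources(config):
        if not any(permits(r, "local", "trust", ip) for r in rules):
            findings.append(f"no local->trust permit rule covers resource {name} ({ip}:{port})")
    # 2. Remote users need exactly the portal on the gateway: untrust->local, HTTPS only.
    gw = ipaddress.ip_address(gateway_ip)
    inbound = [r for r in rules if permits(r, "untrust", "local", gw)]
    if not inbound:
        findings.append(f"no untrust->local permit rule reaches the SSL VPN gateway {gw}")
    for r in inbound:
        if r["service"] != [https_service]:
            findings.append(f"rule {r['name']} permits services {r['service'] or ['any']} "
                            f"to the firewall, expected only [{https_service}]")
    # 3. Port forwarding is meant to be the only path from remote users into trust.
    for r in rules:
        if r["action"] == "permit" and r["source-zone"] == "untrust" and r["destination-zone"] == "trust":
            findings.append(f"rule {r['name']} permits untrust traffic directly into trust")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG) or ["OK: policies cover the port-forwarding resource"]:
        print(line)
```

Run it against the saved configuration (display current-configuration output pasted into SAMPLE_CONFIG or read from a file); if the HTTPS port was changed and the service object renamed, pass the new service name as https_service.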
Copyright © Huawei Technologies Co., Ltd.