Huawei firewall (suited to the CSSIP track)

Reader submission | 253 | 2022-10-11

On the new OS version the initial console login is username admin, password Admin@123 (change it at first login). Connect through the console port to reach the device. The box echoes its clock after every command; those timestamps are left out of the transcript below.

    Copyright(C) 2010-2013 Huawei Technologies Co., Ltd.
    * All rights reserved *
    * Without the owner's prior written consent, no decompiling or reverse-engineering shall be allowed. *

    User interface con0 is available

    Please Press ENTER.

Set the clock, enter system view and give the box a hostname:

    <SRG> clock date 12:40:30 2016/02/24
    <SRG> system-view
    Enter system view, return user view with Ctrl+Z.
    [SRG] sysname toys

List the interfaces (display ip interface brief):

    [toys] display ip interface brief
    *down: administratively down
    (s): spoofing
    Interface             IP Address   Physical  Protocol  Description
    GigabitEthernet0/0/0  192.168.0.1  down      down      Huawei, SRG Seri
    GigabitEthernet0/0/1  unassigned   down      down      Huawei, SRG Seri
    GigabitEthernet0/0/2  unassigned   down      down      Huawei, SRG Seri
    GigabitEthernet0/0/3  unassigned   down      down      Huawei, SRG Seri
    GigabitEthernet0/0/4  unassigned   down      down      Huawei, SRG Seri
    GigabitEthernet0/0/5  unassigned   down      down      Huawei, SRG Seri
    GigabitEthernet0/0/6  unassigned   down      down      Huawei, SRG Seri
    GigabitEthernet0/0/7  unassigned   down      down      Huawei, SRG Seri
    GigabitEthernet0/0/8  unassigned   down      down      Huawei, SRG Seri

Address the inside interface, look at the security zones, and add the interface to the trust zone:

    [toys] interface GigabitEthernet0/0/1
    [toys-GigabitEthernet0/0/1] ip address 192.168.2.2 255.255.255.0
    [toys-GigabitEthernet0/0/1] description link-port-to-neiwang
    [toys-GigabitEthernet0/0/1] quit
    [toys] display zone
    local
     priority is 100
    #
    trust
     priority is 85
     interface of the zone is (1):
        GigabitEthernet0/0/0
    #
    untrust
     priority is 5
     interface of the zone is (0):
    #
    dmz
     priority is 50
     interface of the zone is (0):
    #
    [toys] firewall zone trust
    [toys-zone-trust] add interface GigabitEthernet0/0/1

Check the default packet-filter action between zones (display firewall packet-filter default all):

    [toys-zone-trust] display firewall packet-filter default all
    Firewall default packet-filter action is:

    packet-filter in public:
     local -> trust   : inbound  : default: permit; || IPv6-acl: null
                        outbound : default: permit; || IPv6-acl: null
     local -> untrust : inbound  : default: deny;   || IPv6-acl: null
                        outbound : default: permit; || IPv6-acl: null
     local -> dmz     : inbound  : default: deny;   || IPv6-acl: null
                        outbound : default: permit; || IPv6-acl: null
     trust -> untrust : inbound  : default: deny;   || IPv6-acl: null
                        outbound : default: deny;   || IPv6-acl: null
     trust -> dmz     : inbound  : default: deny;   || IPv6-acl: null
                        outbound : default: deny;   || IPv6-acl: null
     dmz -> untrust   : inbound  : default: deny;   || IPv6-acl: null
                        outbound : default: deny;   || IPv6-acl: null

The higher-priority zone of each pair is listed first; inbound is traffic from the lower-priority zone into the higher-priority one, outbound the reverse. Out of the box, only trust may reach the firewall's own local zone, local may initiate to every zone, and no transit traffic between trust, dmz and untrust is allowed.

    packet-filter between VFW:

Open the default policy between trust and local. With no direction keyword the command applies to both inbound and outbound, and the device warns about it. Looking at the table above, trust <-> local was already permitted in both directions, so this particular command changes nothing; the same command aimed at untrust would expose the management plane, which is why the warning asks for a policy based on real flows instead.

    [toys-zone-trust] quit
    [toys] firewall packet-filter default permit interzone trust local
    Warning:Setting the default packet filtering to permit poses security risks. You are advised to configure the security policy based on the actual data flows. Are you sure you want to continue?[Y/N] y
    [toys] quit

Switch the CLI to Chinese (the help text from here on was printed in Chinese and is translated):

    <toys> language-mode chinese
    Warning: The operation will change the language mode. Continue? [Y/N]: y
    Info: Changed to Chinese mode.
    2018/2/5 13:57:42 toys %%01CMD/4/LAN_MODE(l): When deciding whether to change the language mode, the user chose Y.
    <toys> system-view
    Enter system view, return user view with Ctrl+Z.
    [toys] user-interface ?
      INTEGER<0-363>  First user terminal interface to configure
      aux             Auxiliary user terminal interface
      console         Primary (console) user terminal interface
      current         Current user terminal interface
      maximum-vty     Maximum number of VTY users
      tty             Asynchronous user terminal interface
      vty             Virtual user terminal interface
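The default-policy table and the permit command above are easy to misread, so here is an added example (not code from the original post or from Huawei) that parses the display firewall packet-filter default all output, translates each pair and direction into a source and destination zone using the priorities display zone reported (local 100, trust 85, dmz 50, untrust 5), and models what a firewall packet-filter default permit interzone command opens with and without a direction keyword. SAMPLE_OUTPUT is the page's own display re-wrapped one direction per line; the inbound/outbound convention (inbound enters the higher-priority zone) is assumed from the zone model.

```python
"""Parse `display firewall packet-filter default all` output from a Huawei
USG/SRG firewall and work out which zone-to-zone flows the defaults permit.
Added example, not code from the original post or from Huawei. SAMPLE_OUTPUT
is the display shown on the page, re-wrapped one direction per line; the zone
priorities are the ones `display zone` reported there. Assumed convention:
"inbound" is traffic from the lower-priority zone of a pair into the
higher-priority one, "outbound" the reverse."""
import re
from typing import Dict, List, Optional, Tuple

ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}

SAMPLE_OUTPUT = """\
Firewall default packet-filter action is:
packet-filter in public:
 local -> trust   : inbound  : default: permit; || IPv6-acl: null
                    outbound : default: permit; || IPv6-acl: null
 local -> untrust : inbound  : default: deny;   || IPv6-acl: null
                    outbound : default: permit; || IPv6-acl: null
 local -> dmz     : inbound  : default: deny;   || IPv6-acl: null
                    outbound : default: permit; || IPv6-acl: null
 trust -> untrust : inbound  : default: deny;   || IPv6-acl: null
                    outbound : default: deny;   || IPv6-acl: null
 trust -> dmz     : inbound  : default: deny;   || IPv6-acl: null
                    outbound : default: deny;   || IPv6-acl: null
 dmz -> untrust   : inbound  : default: deny;   || IPv6-acl: null
                    outbound : default: deny;   || IPv6-acl: null
packet-filter between VFW:
"""

PAIR_RE = re.compile(r"^\s*(\w+)\s*->\s*(\w+)\s*:")
DIR_RE = re.compile(r"(inbound|outbound)\s*:\s*default:\s*(permit|deny)")

Pair = Tuple[str, str]                    # (higher-priority zone, lower-priority zone)
Policy = Dict[Tuple[str, str, str], str]  # (high, low, direction) -> "permit" | "deny"
Flow = Tuple[str, str]                    # (source zone, destination zone)


def ordered_pair(zone_a: str, zone_b: str) -> Pair:
    """Put the higher-priority zone first, the way the device lists pairs."""
    high, low = sorted((zone_a, zone_b), key=lambda z: -ZONE_PRIORITY[z])
    return high, low


def parse_default_policy(text: str) -> Policy:
    """Build the default-action table. Continuation lines name no pair, so
    the last pair seen is carried as context."""
    policy: Policy = {}
    pair: Optional[Pair] = None
    for line in text.splitlines():
        m = PAIR_RE.match(line)
        if m:
            pair = ordered_pair(m.group(1), m.group(2))
        d = DIR_RE.search(line)
        if d and pair:
            policy[(pair[0], pair[1], d.group(1))] = d.group(2)
    return policy


def flow(high: str, low: str, direction: str) -> Flow:
    """inbound enters the higher-priority zone, outbound leaves it."""
    return (low, high) if direction == "inbound" else (high, low)


def permitted_flows(policy: Policy) -> List[Flow]:
    return sorted(flow(h, l, d) for (h, l, d), act in policy.items() if act == "permit")


def inbound_permits(policy: Policy) -> List[Flow]:
    """Defaults that let traffic into a more trusted zone. trust -> local is
    the factory one (admin access to the box); anything else should be a
    real security policy, not a default."""
    return [f for f in permitted_flows(policy) if ZONE_PRIORITY[f[0]] < ZONE_PRIORITY[f[1]]]


def apply_default_permit(policy: Policy, zone_a: str, zone_b: str,
                         direction: Optional[str] = None) -> Policy:
    """Model `firewall packet-filter default permit interzone A B [direction D]`.
    Without a direction keyword the device sets both directions."""
    high, low = ordered_pair(zone_a, zone_b)
    new = dict(policy)
    for d in ([direction] if direction else ["inbound", "outbound"]):
        new[(high, low, d)] = "permit"
    return new


def newly_permitted(before: Policy, after: Policy) -> List[Flow]:
    """Flows a change opened that were not already open."""
    return sorted(set(permitted_flows(after)) - set(permitted_flows(before)))


if __name__ == "__main__":
    factory = parse_default_policy(SAMPLE_OUTPUT)
    step1 = apply_default_permit(factory, "trust", "local")   # as typed on the page
    step2 = apply_default_permit(step1, "local", "untrust")   # typed later on the page
    print("factory permits:", permitted_flows(factory))
    print("opened by 'permit interzone trust local':", newly_permitted(factory, step1))
    print("opened by 'permit interzone local untrust':", newly_permitted(step1, step2))
    print("inbound permits now:", inbound_permits(step2))
```

Run against the page's own display, the first permit command opens nothing (trust <-> local was already permit both ways), while the later permit interzone local untrust opens untrust -> local, i.e. the firewall's management services from the untrusted side.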

    [toys] user-interface vty ?
      INTEGER<0-4>  First user terminal interface to configure
    [toys] user-interface vty 0 4
    [toys-ui-vty0-4] authentication-mode ?
      aaa       Authenticate through AAA
      password  Authenticate with the user-interface line password
    [toys-ui-vty0-4] authentication-mode aaa
    [toys-ui-vty0-4] authentication-mode password ?
      cipher  Store the password as ciphertext
    [toys-ui-vty0-4] authentication-mode password cipher ?
      STRING<8-16>/<32>  Plaintext/ciphertext password string
    [toys-ui-vty0-4] authentication-mode password cipher Toys123456
    [toys-ui-vty0-4] quit

authentication-mode holds one value per user interface: the password line entered last replaces the aaa line entered just before it, so VTY logins end up checked against the shared line password rather than against the per-user account created next. Pick aaa (one account per admin) and leave it.

Create a local user in the AAA view and give it the top privilege level:

    [toys] aaa
    [toys-aaa] local-user toy ?
      access-limit   Access limit
      acl-number     ACL number
      ftp-directory  FTP directory for the user's logins
      idle-cut       Idle cut
      l2tp-ip        IP address bound to the user for L2TP
      level          User privilege level
      password       Plaintext password string
      service-type   Authorized service types for the user
      state          Activation state of the user
      valid-period   Validity period of the user
      vpn-instance   VPN instance
    [toys-aaa] local-user toy password ?
      cipher  Store the password as ciphertext
    [toys-aaa] local-user toy password cipher Toys123456
    [toys-aaa] local-user toy level ?
      INTEGER<0-15>  Privilege level
      audit          Audit level
    [toys-aaa] local-user toy level 15
    [toys-aaa] quit
    [toys] quit

Save, or the whole configuration is lost at the next reboot:

    <toys> save
    The current configuration will be written to the device.
    Are you sure to continue?[Y/N] y
    2018-02-05 14:15:33 toys %%01CFM/4/SAVE(l): When deciding whether to save configuration to the device, the user chose Y.
    Do you want to synchronically save the configuration to the startup saved-configuration file on peer device?[Y/N]: y
    Now saving the current configuration to the device....
    Info:The current configuration was saved to the device successfully.

Web management. The help lists a security keyword that runs the web server over SSL; the transcript enables the server without it, i.e. over plain HTTP.

    <toys> system-view
    Enter system view, return user view with Ctrl+Z.
    [toys] web-manager ?
      config-guide  Keyword of the HTTPD configuration guide
      enable        Enable Web server
      security      Run HTTP over SSL
      timeout       Web server timeout
      user          Parameters of the web user

    [toys] web-manager enable
    Web server has been enabled,please disable it first!

The message means the web server was already on. Next, SSH management: generate the local RSA host key pair. The transcript accepts the default 768-bit modulus by pressing Enter; that size is far too small today, type 2048 at the prompt instead.

    [toys] rsa local-key-pair ?
      create   Create new local public key pairs
      destroy  Destroy the local public key pairs
    [toys] rsa local-key-pair create
    The key name will be: toys_Host
    The range of public key size is (512 ~ 2048).
    NOTES: If the key modulus is greater than 512, It will take a few minutes.
    Input the bits in the modulus[default = 768]:
    Generating keys.............++++++++..........++++++++............+++++++++.......+++++++++

Allow SSH on the VTY lines. The transcript picks all, which also leaves Telnet (cleartext) open; protocol inbound ssh is the setting to use.

    [toys] user-interface vty 0 4
    [toys-ui-vty0-4] protocol ?
      inbound  Incoming protocol
    [toys-ui-vty0-4] protocol inbound ?
      all     All protocols
      ssh     SSH protocol
      telnet  Telnet protocol
    [toys-ui-vty0-4] protocol inbound all

Create the SSH user and choose RSA (public key) authentication:

    [toys] ssh ?
      authentication-type  Authentication type
      client               Set SSH client attributes
      server               Set the server attributes
      user                 SSH user
    [toys] ssh user ?
      STRING<1-64>  The specified user name
    [toys] ssh user toy ?
      assign               Set the key
      authentication-type  Authentication type
      service-type         Set service type
      sftp-directory       Set SFTP directory
    [toys] ssh user toy authentication-type ?
      all           All authentication modes, either password or RSA
      password      Password authentication
      password-rsa  Both password and RSA authentication
      rsa           RSA authentication
    [toys] ssh user toy authentication-type rsa
    Info: Succeeded in adding a new SSH user.
    [toys] quit

Two things still block an SSH login at this point: the VTY lines were left in password mode, whereas SSH users are authenticated through AAA, and the client's public key has not been imported and bound to the user with the assign keyword listed in the help above. Save again:

    <toys> save
    The current configuration will be written to the device.
    Are you sure to continue?[Y/N] y
    2018-02-05 14:27:12 toys %%01CFM/4/SAVE(l): When deciding whether to save configuration to the device, the user chose Y.
    Do you want to synchronically save the configuration to the startup saved-configuration file on peer device?[Y/N]: y
    Now saving the current configuration to the device...
    Info:The current configuration was saved to the device successfully.

Clearing the configuration (factory reset). The prompt was answered with n here, so nothing was erased:

    <toys> reset saved-configuration
    The action will delete the saved configuration in the device.

    The configuration will be erased to reconfigure.
    Are you sure?[Y/N] n
    2018-02-05 14:28:09 toys %%01CFM/4/RST_CFG(l): When deciding whether to reset the saved configuration, the user chose N.

Deleting the configuration file instead. List the flash contents first:

    <toys> dir ?
      /all          List all files
      STRING<1-64>  [drive][path][file name]
      flash:        Flash device name
    <toys> dir /all
    Directory of flash:/

      0  -rw-        61  Feb 05 2018 14:27:16   private-data.txt
      1  -rw-      2907  Feb 05 2018 14:27:17   vrpcfg.cfg

    31248 KB total (31184 KB free)

    <toys> dir flash:
    (same listing as above)

vrpcfg.cfg is the next-startup configuration file, so deleting it has the same effect as the reset above. Again answered with n:

    <toys> del ?
      /unreserved   Delete a file permanently
      STRING<1-64>  [drive][path][file name]
      flash:        Flash device name
    <toys> del vrpcfg.cfg
    Be Careful! Deleting the next startup config file will lose your configuration.
    Delete flash:/vrpcfg.cfg?[Y/N]: n
    2018-02-05 14:30:04 toys %%01VFS/4/DEL(l): When asked whether to delete the file flash:/vrpcfg.cfg, the user entered N.

Enable the FTP server. FTP carries credentials and files in cleartext; SFTP over the SSH service (the sftp-directory and service-type options in the ssh user help) is the safer way to move files on and off the box.

    <toys> system-view
    Enter system view, return user view with Ctrl+Z.
    [toys] ftp server enable
    Info:Start FTP server

DHCP. The DHCP task is already running; turning the inside interface into a DHCP client fails because it already carries a static address:

    [toys] dhcp enable
    Info:DHCP task has already started.
    [toys] interface GigabitEthernet0/0/1
    [toys-GigabitEthernet0/0/1] dhcp client ?
      enable  DHCP Client enable
      forbid  DHCP Client forbid apply option
      renew   DHCP client renew
    [toys-GigabitEthernet0/0/1] dhcp client enable ?
      track  Specify track configuration
    [toys-GigabitEthernet0/0/1] dhcp client enable
    Info: There are ip addresses in the interface , please delete them at first.

Put GigabitEthernet0/0/2 in the untrust zone and open the default policy between local and untrust. This is the case the warning exists for: with no direction keyword the command permits both directions, so the firewall's own management services (SSH, web, FTP) become reachable from the untrusted side by default.

    [toys] firewall zone untrust
    [toys-zone-untrust] add ?
      interface  Indicate the priority of the security zone
    [toys-zone-untrust] add interface GigabitEthernet 0/0/2
    [toys-zone-untrust] quit
    [toys] firewall packet-filter default permit interzone local ?
      dmz           Indicate the DMZ
      trust         Indicate the Trust zone
      untrust       Indicate the Untrust zone
      vpn-instance  Indicate a VPN instance
    [toys] firewall packet-filter default permit interzone local untrust ?
      direction  Indicate the direction
    [toys] firewall packet-filter default permit interzone local untrust
    Warning:Setting the default packet filtering to permit poses security risks. You are advised to configure the security policy based on the actual data flows. Are you sure you want to continue?[Y/N] y

DHCP server: exclude the firewall's own range from the pool, then define the pool. The gateway handed out, 192.168.2.1, is not the address configured on GigabitEthernet0/0/1 earlier (192.168.2.2); unless something else on the segment holds 192.168.2.1, clients receive an unreachable default gateway.

    [toys] dhcp server forbidden-ip ?
      X.X.X.X  Low IP address
    [toys] dhcp server forbidden-ip 192.168.2.2 192.168.2.30
    [toys] dhcp server ip-pool ?
      STRING<1-35>  Global IP address pool name
    [toys] dhcp server ip-pool 0
    [toys-dhcp-0] network 192.168.2.1 mask ?
      INTEGER<0-32>  Network mask length
      X.X.X.X        Network mask
    [toys-dhcp-0] network 192.168.2.1 mask 255.255.255.0
    [toys-dhcp-0] gateway-list 192.168.2.1
    [toys-dhcp-0] dns-list 202.96.209.166 202.96.209.6
    [toys-dhcp-0] domain-name baidu.com
    [toys-dhcp-0] quit

PPPoE dial-up on a Dialer interface:

    [toys] interface Dialer ?
      <0-1023>  Dialer interface number

    [toys] interface Dialer 1
    [toys-Dialer1] link-protocol ?
      ppp  Point-to-Point protocol
    [toys-Dialer1] link-protocol ppp
    [toys-Dialer1] ppp ?
      accm                 Specify accm value
      authentication-mode  Specify PPP authentication-mode
      chap                 Specify CHAP parameters
      ipcp                 Specify IPCP parameters
      lqc                  Specify the close and resume percent of link
      pap                  Specify PAP parameters
      peer                 Specify PPP peer
      timer                Specify timer
    [toys-Dialer1] ppp pap ?
      local-user  Specify user name
    [toys-Dialer1] ppp pap local-user toy ?
      password  Specify user password
    [toys-Dialer1] ppp pap local-user toy password ?
      cipher  Indicate the current password with cipher text
    [toys-Dialer1] ppp pap local-user toy password cipher ?
      STRING<1-16>/<32>  The UNENCRYPTED/ENCRYPTED password string
    [toys-Dialer1] ppp pap local-user toy password cipher Toy123456
    [toys-Dialer1] ip address ppp-negotiate
    [toys-Dialer1] dialer ?
      bundle           Specify dialer bundle number
      enable-circular  Enable Circular DCC
      listen-group     Dialer listen group
      number           Dial number to next-hop
      priority         Specify priority for use in dialer rotary-group
      queue-length     Output queue during dial out
      threshold        Specify threshold
      timer            Specify timer configuration information
      user             Enable RS-DCC, specify the user name of remote
    [toys-Dialer1] dialer user ?
      STRING<1-64>  The user name of remote
    [toys-Dialer1] dialer user toy
    [toys-Dialer1] dialer bundle ?
      INTEGER<1-255>  Bundle number
    [toys-Dialer1] dialer bundle 1
    [toys-Dialer1] quit

PAP sends the account password to the access concentrator in the clear; the ppp help lists chap, which is the one to use whenever the provider supports it. Check the PPPoE client session:

    [toys] display pppoe-?
      pppoe-client  pppoe-server
    [toys] display pppoe-client ?
      session  Indicate the PPPoE Client session information
    [toys] display pppoe-client session ?
      packet   Indicate Packet/Byte count information
      summary  Indicate session summary information
    [toys] display pppoe-client session summary ?
      dial-bundle-number  Indicate the dialer bundle keyword
    [toys] display pppoe-client session summary dial-bundle-number ?
      INTEGER<1-255>  Dialer bundle number
    [toys] display pppoe-client session summary dial-bundle-number 1
    PPPoE Client Session:
    ID  Bundle  Dialer  Intf  Client-MAC  Server-MAC  State

The table is empty: nothing in the transcript binds dialer bundle 1 to a physical interface, so no PPPoE session exists.

Static route. The destination was entered as a host address with a /24 mask; the device complains but installs the route for the network 192.168.2.0/24 anyway. It stays Inactive with the relay flag R and no outgoing interface, because nothing on the box has a route to the next hop 10.10.10.2:

    [toys] ip route-static ?
      X.X.X.X             Destination IP address
      default-preference  Preference-value for IPv4 static-routes
      vpn-instance        VPN-Instance route information
    [toys] ip route-static 192.168.2.2 255.255.255.0 10.10.10.2
    Info: The destination address and the mask do not match.
    [toys] display ip routing-table verbose
    Route Flags: R - relay, D - download to fib

    Routing Table : Public
    Destinations : 3        Routes : 3

    Destination: 127.0.0.0/8
    Protocol: Direct        Process ID: 0
    Preference: 0           Cost: 0
    NextHop: 127.0.0.1      Neighbour: 0.0.0.0
    State: Active NoAdv     Age: 02h39m33s
    Tag: 0                  Priority: 0
    Label: NULL             QoSInfo: 0x0
    EntryFlags: 0x80000018  RefPriCnt: 1
    RelayNextHop: 0.0.0.0   Interface: InLoopBack0
    TunnelID: 0x0           Flags: D

    Destination: 127.0.0.1/32
    Protocol: Direct        Process ID: 0
    Preference: 0           Cost: 0
    NextHop: 127.0.0.1      Neighbour: 0.0.0.0
    State: Active NoAdv     Age: 02h39m33s
    Tag: 0                  Priority: 0
    Label: NULL             QoSInfo: 0x0
    EntryFlags: 0x81000018  RefPriCnt: 1
    RelayNextHop: 0.0.0.0   Interface: InLoopBack0
    TunnelID: 0x0           Flags: D

    Destination: 192.168.2.0/24
    Protocol: Static        Process ID: 0
    Preference: 60          Cost: 0
    NextHop: 10.10.10.2     Neighbour: 0.0.0.0
    State: Inactive Adv WaitQ   Age: 00h00m55s
    Tag: 0                  Priority: 0
    Label: NULL             QoSInfo: 0x0
    EntryFlags: 0x312000    RefPriCnt: 2
    RelayNextHop: 0.0.0.0   Interface:
    TunnelID: 0x0           Flags: R

The zones now (display zone):

    [toys] display zone
    local
     priority is 100
    #
    trust
     priority is 85
     interface of the zone is (2):
        GigabitEthernet0/0/0
        GigabitEthernet0/0/1
    #
    untrust
     priority is 5
     interface of the zone is (1):
        GigabitEthernet0/0/2
    #
    dmz
     priority is 50
     interface of the zone is (0):
    #

Create a custom zone and set its priority (1-100; a higher value is more trusted, and the priority decides which side of a zone pair counts as inbound):

    [toys] firewall zone name dmz3
    [toys-zone-dmz3] set ?
      priority  Indicate the priority of the security zone

    [toys-zone-dmz3] set priority ?
      INTEGER<1-100>  Specify the priority of the security zone
    [toys-zone-dmz3] set priority 80
    [toys-zone-dmz3] quit

A basic ACL matching a single host (wildcard 0):

    [toys] acl 2000
    [toys-acl-basic-2000] rule ?
      INTEGER<0-4294967294>  Specify ID of ACL rule
      deny                   Indicate matched packet deny
      permit                 Indicate matched packet permit
    [toys-acl-basic-2000] rule 1 permit ?
      description  Specify rule description
      logging      Indicate log matched packet
      source       Indicate source address
      time-range   Indicate a special time
    [toys-acl-basic-2000] rule 1 permit source ?
      X.X.X.X      Specify the source address
      address-set  Indicate the address set configuration information
      any          Indicate any source
    [toys-acl-basic-2000] rule 1 permit source 192.168.2.2 ?
      0        Wildcard bits : 0.0.0.0 ( a host )
      X.X.X.X  Indicate wildcard of source
    [toys-acl-basic-2000] rule 1 permit source 192.168.2.2 0
    [toys-acl-basic-2000] quit
    [toys] display acl all
    Total nonempty acl number is 1

    Basic ACL 2000, 1 rule, not binding with vpn-instance
    Acl's step is 5
     rule 1 permit source 192.168.2.2 0 (0 times matched)

The ACL filters nothing by itself. The interzone view entered next is where it would be applied to traffic between untrust and trust, but the transcript leaves that view without any statement:

    [toys] firewall interzone untrust trust
    [toys-interzone-trust-untrust] quit

NAT server (a static mapping from a global address to an inside host). 192.168.2.2, the global address chosen here, is the address already configured on GigabitEthernet0/0/1 in the trust zone, so this mapping collides with the firewall's own interface; the global address has to be one the outside world routes to the untrust interface.

    [toys] nat server global ?
      X.X.X.X    Global IP address of server
      interface  Indicate the interface
    [toys] nat server global 192.168.2.2 inside ?
      X.X.X.X  Local IP address of server host
    [toys] nat server global 192.168.2.2 inside 10.10.10.3
    [toys] quit
    <toys> save
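Taken together, the session leaves several management-plane settings that an auditor would flag. The following added example (not code from the original post or from Huawei) runs those checks over a configuration excerpt. SAMPLE_CONFIG is a constructed excerpt built from the commands typed on this page, written in the one-command-per-line, #-separated layout of a VRP configuration file; the remediation hints quote keywords that appear in the page's own help output (protocol inbound ssh, the security option of web-manager, ssh user ... assign). The severities and the config-file layout are the example's own assumptions.

```python
"""Audit a Huawei VRP (USG/SRG) configuration excerpt for the management-plane
weaknesses seen in the transcript. Added example, not code from the original
post or from Huawei. SAMPLE_CONFIG is a constructed excerpt built from the
commands typed on the page; the only grammar assumed is the one-command-per-
line layout of a VRP config with indented sub-commands and `#` separators."""
import ipaddress
import re
from typing import List, Tuple

SAMPLE_CONFIG = """\
sysname toys
#
firewall packet-filter default permit interzone trust local
firewall packet-filter default permit interzone local untrust
#
interface GigabitEthernet0/0/1
 ip address 192.168.2.2 255.255.255.0
 description link-port-to-neiwang
#
ftp server enable
web-manager enable
#
ip route-static 192.168.2.2 255.255.255.0 10.10.10.2
#
aaa
 local-user toy password cipher Toys123456
 local-user toy level 15
#
user-interface vty 0 4
 authentication-mode password cipher Toys123456
 protocol inbound all
#
ssh user toy authentication-type rsa
#
nat server global 192.168.2.2 inside 10.10.10.3
"""

Finding = Tuple[str, str]  # (severity, message)
SEVERITIES = ["info", "low", "medium", "high"]


def audit(config: str) -> List[Finding]:
    """Return (severity, message) findings for one configuration text."""
    findings: List[Finding] = []
    # Facts needed by checks that may appear earlier in the file than the lines they depend on.
    iface_ips = set(re.findall(r"^ +ip address (\S+) \S+", config, re.M))
    ssh_users_with_key = set(re.findall(r"^ssh user (\S+) assign ", config, re.M))
    ctx = ""  # enclosing top-level command: interface ..., aaa, user-interface ...
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw.startswith(" ") and line != "#":
            ctx = line
        in_vty = ctx.startswith("user-interface")
        if in_vty and re.fullmatch(r"protocol inbound (all|telnet)", line):
            findings.append(("high", f"{ctx}: Telnet accepted ('{line}'); use 'protocol inbound ssh'"))
        if in_vty and line.startswith("authentication-mode password"):
            findings.append(("medium", f"{ctx}: line password instead of AAA; this overrides any "
                                       "earlier 'authentication-mode aaa', and SSH logins need aaa"))
        if line.startswith("firewall packet-filter default permit interzone"):
            zones = " <-> ".join(sorted(line.split()[5:7]))
            note = "" if "direction" in line else " (no direction given: both directions)"
            findings.append(("high" if "untrust" in zones else "medium",
                             f"default policy permit for {zones}{note}"))
        if line == "ftp server enable":
            findings.append(("medium", "FTP server enabled (cleartext); prefer SFTP over the SSH service"))
        if line == "web-manager enable" and "web-manager security" not in config:
            findings.append(("medium", "web-manager enabled over plain HTTP; use its 'security' (SSL) option"))
        m = re.fullmatch(r"local-user (\S+) level 15", line)
        if ctx == "aaa" and m:
            findings.append(("info", f"local user '{m.group(1)}' holds privilege level 15"))
        m = re.fullmatch(r"ip route-static (\S+) (\S+) (\S+)", line)
        if m:
            try:
                ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=True)
            except ValueError:  # host bits set: the warning the device printed
                net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
                findings.append(("low", f"static route {m.group(1)} {m.group(2)}: host bits set, "
                                        f"the device installs it as {net}"))
        m = re.fullmatch(r"ssh user (\S+) authentication-type (rsa|password-rsa|all)", line)
        if m and m.group(1) not in ssh_users_with_key:
            findings.append(("medium", f"ssh user '{m.group(1)}' allows RSA auth but no public key "
                                       f"is bound with 'ssh user {m.group(1)} assign ...'"))
        m = re.fullmatch(r"nat server global (\S+) inside (\S+)", line)
        if m and m.group(1) in iface_ips:
            findings.append(("high", f"nat server global {m.group(1)} reuses an address "
                                     "already configured on an interface"))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Highest severity present, or 'none' for a clean config."""
    return max((s for s, _ in findings), key=SEVERITIES.index, default="none")


if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_CONFIG):
        print(f"[{sev:6}] {msg}")
```

On the page's commands this reports three high findings (Telnet on the VTY lines, the local <-> untrust default permit, and the NAT global address that is also the trust interface's address); replacing protocol inbound all with protocol inbound ssh, removing the local/untrust permit and choosing a different global address brings the worst severity down to medium.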

