华为usg防火墙基本配置命令都有哪些
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了华为usg防火墙基本配置命令都有哪些相关的知识,希望对你有一定的参考价值。
步骤一.登陆缺省配置的防火墙并修改防火墙的名称防火墙和路由器一样,有一个Console接口。使用console线缆将console接口和计算机的com口连接在一块。使用windows操作系统自带的超级终端软件,即可连接到防火墙。
防火墙的缺省配置中,包括了用户名和密码。其中用户名为admin、密码Admin@123,所以登录时需要输入用户名和密码信息,输入时注意区分大小写。
修改防火墙的名称的方法与修改路由器名称的方法一致。
另外需要注意的是,由于防火墙和路由器同样使用了VRP平台操作系统,所以在命令级别、命令帮助等,与路由器上相应操作相同。
<SRG>sys
13:47:28 2014/07/04
Enter system view, return user view withCtrl+Z.
[SRG]sysname FW
13:47:32 2014/07/04
步骤二.修改防火墙的时间和时区信息
默认情况下防火墙没有定义时区,系统保存的时间和实际时间可能不符。使用时应该根据实际的情况定义时间和时区信息。实验中我们将时区定义到东八区,并定义标准时间。
<FW>clock timezone 1 add 08:00:00
13:50:57 2014/07/04
<FW>dis clock
21:51:15 2014/07/03
2014-07-03 21:51:15
Thursday
Time Zone : 1 add 08:00:00
<FW>clock datetime 13:53:442014/07/04
21:53:29 2014/07/03
<FW>dis clock
13:54:04 2014/07/04
2014-07-04 13:54:04
Friday
Time Zone : 1 add 08:00:00
步骤三。修改防火墙登录标语信息
默认情况下,在登陆防火墙,登陆成功后有如下的标语信息。
Please Press ENTER.
Login authentication
Username:admin
Password:*********
NOTICE:This is a private communicationsystem.
Unauthorized access or use may lead to prosecution.
防火墙设备以此信息警告非授权的访问。
实际使用中,管理员可以根据需要修改默认的登陆标语信息。分为登录前提示信息和登陆成功后提示信息两种。
[FW]header login information ^
14:01:21 2014/07/04
Info: The banner text supports 220characters max, including the start and the en
d character.If you want to enter more thanthis, use banner file instead.
Input banner text, and quit with thecharacter '^':
Welcome to USG5500^
[FW]header shell information ^
14:02:54 2014/07/04
Info: The banner text supports 220characters max, including the start and the en
d character.If you want to enter more thanthis, use banner file instead.
Input banner text, and quit with thecharacter '^':
Welcome to USG5500
You are logining insystem Please do not delete system config files^
配置完成后,通过推出系统。然后重新登录,可以查看是否生效。
Please Press ENTER.
Welcome to USG5500
Login authentication
Username:admin
Password:*********
Welcome to USG5500
You are logining insystem Please do not delete system config files
NOTICE:This is a private communicationsystem.
Unauthorized access or use may lead to prosecution.
注意,默认达到NOTICE信息一般都会存在,不会消失或被代替。
步骤四.修改登陆防火墙的用户名和密码
防火墙默认使用的用户名admin。密码Admin@123。可以根据我们的需求进行修改。试验中我们新建一个用户,级别为level3.用户名为user1.密码:huawei@123.需要说明的是,默认情况下console接口登陆仅允许admin登陆。所以配置console接口登陆验证方式为aaa,才能确保新建的用户生效。在配置中,需要指定该配置的用户名的使用范围,本次实验中选择termianl,表示使用于通过console口登陆验证的凭据。
[FW]aaa
14:15:43 2014/07/04
[FW-aaa]local-user user1 pass
[FW-aaa]local-user user1 password cipherhuawei@123
14:16:08 2014/07/04
[FW-aaa]local-user user1 service-typeterminal
14:16:28 2014/07/04
[FW-aaa]local-user user1 level 3
14:16:38 2014/07/04
[FW-aaa]q
14:16:43 2014/07/04
[FW]user-interface console 0
14:16:57 2014/07/04
[FW-ui-console0]authentication-mode aaa
退出系统,测试新用户名和密码是否生效。
Please Press ENTER.
Welcome to USG5500
Login authentication
Username:user1
Password:**********
Welcome to USG5500
You are logining in system Please do notdelete system config files
NOTICE:This is a private communicationsystem.
Unauthorized access or use may lead to prosecution.
<FW>
步骤五.掌握查看、保存、和删除配置的方法。
在防火墙上使用命令查看运行的配置和已经保存的配置。其中使用display current-configuration命令查看运行配置,使用displaysaved-configuration命令查看已经保存的配置。
<FW>dis current-configuration
14:27:01 2014/07/04
#
stp region-configuration
region-name f0a7e2157008
active region-configuration
#
interface GigabitEthernet0/0/0
alias GE0/MGMT
ipaddress 192.168.0.1 255.255.255.0
dhcpselect interface
dhcpserver gateway-list 192.168.0.1
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
alias NULL0
#
firewall zone local
setpriority 100
#
firewall zone trust
setpriority 85
addinterface GigabitEthernet0/0/0
#
firewall zone untrust
setpriority 5
#
firewall zone dmz
setpriority 50
#
aaa
local-user admin password cipher%$%$s$]c%^XV6(/|BaQ$[T;X"G>5%$%$
local-user admin service-type web terminaltelnet
local-user admin level 15
local-user user1 password cipher%$%$tY4Z:`xG0/G!1^C)2[48"%yp%$%$
local-user user1 service-type terminal
local-user user1 level 3
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
#
nqa-jitter tag-version 1
#
header shell information "Welcome toUSG5500
You are logining in system Please do notdelete system config files"
header login information "Welcome toUSG5500"
banner enable
#
user-interface con 0
authentication-mode aaa
user-interface vty 0 4
authentication-mode none
protocol inbound all
#
slb
#
right-manager server-group
#
sysname FW
#
l2tpdomain suffix-separator @
#
firewall packet-filter default permitinterzone local trust direction inbound
firewall packet-filter default permitinterzone local trust direction outbound
firewall packet-filter default permitinterzone local untrust direction outbound
firewall packet-filter default permitinterzone local dmz direction outbound
#
ipdf-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dnsresolve
#
firewall statistic system enable
#
pkiocsp response cache refresh interval 0
pkiocsp response cache number 0
#
undodns proxy
#
license-server domain lic.huawei.com
#
web-manager enable
#
return
保存配置,并查看以保存的配置信息。
<FW> sa
14:29:29 2014/07/04
The current configuration will be writtento the device.
Are you sure to continue?[Y/N]y
2014-07-04 14:29:31 FW %%01CFM/4/SAVE(l):When deciding whether to save configura
tion to the device, the user chose Y.
Do you want to synchronically save theconfiguration to the startup saved-configu
ration file on peer device?[Y/N]:y
Now saving the current configuration to thedevice...
Info:The current configuration was saved tothe device successfully.
<FW>dis saved-configuration
14:27:48 2014/07/04
# CLI_VERSION=V300R001
# Last configuration was changed at2014/07/04 13:56:09 from console0
#*****BEGIN****public****#
#
interface GigabitEthernet0/0/0
alias GE0/MGMT
ipaddress 192.168.0.1 255.255.255.0
dhcpselect interface
dhcpserver gateway-list 192.168.0.1
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
alias NULL0
#
firewall zone local
setpriority 100
#
firewall zone trust
setpriority 85
addinterface GigabitEthernet0/0/0
#
firewall zone untrust
setpriority 5
#
firewall zone dmz
setpriority 50
#
aaa
local-user admin password cipher%$%$s$]c%^XV6(/|BaQ$[T;X"G>5%$%$
local-user admin service-type web terminaltelnet
local-useradmin level 15
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
#
nqa-jitter tag-version 1
#
banner enable
#
user-interface con 0
authentication-mode none
user-interface vty 0 4
authentication-mode none
protocol inbound all
#
slb
#
right-manager server-group
#
sysname FW
#
l2tpdomain suffix-separator @
#
firewall packet-filter default permitinterzone local trust direction inbound
firewall packet-filter default permitinterzone local trust direction outbound
firewall packet-filter default permitinterzone local untrust direction outbound
firewall packet-filter default permitinterzone local dmz direction outbound
#
ipdf-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dnsresolve
#
firewall statistic system enable
#
pkiocsp response cache refresh interval 0
pkiocsp response cache number 0
#
undodns proxy
#
license-server domain lic.huawei.com
#
web-manager enable
#
return
#-----END----#
使用delete Flash:/vrpcfg.zip命令删除保存的配置。
步骤六.配置接口地址
配置G0/0/1:10.0.2.1/24;G0/0/0:10.0.1.1/24;G0/0/2:10.0.3.1/24.
[FW] interface g0/0/2
16:12:58 2014/07/04
[FW-GigabitEthernet0/0/2]ip add 10.0.3.1 24
16:13:21 2014/07/04
[FW-GigabitEthernet0/0/2]interface g0/0/0
16:13:32 2014/07/04
[FW-GigabitEthernet0/0/0]undo ip add
16:14:02 2014/07/04
[FW-GigabitEthernet0/0/0]ip add 10.0.1.1 24
16:14:14 2014/07/04
[FW-GigabitEthernet0/0/0]interface g0/0/1
16:14:36 2014/07/04
[FW-GigabitEthernet0/0/1]ip add 10.0.2.1 24
16:14:50 2014/07/04
[FW-GigabitEthernet0/0/1]q
16:14:52 2014/07/04
[FW]
在交换机S1上配置接口G0/0/21属于vlan1、G0/0/22属于vlan2、G0/0/23属于vlan3.vlanif接口配置IP地址10.0.1.2/24、vlanif2接口配置IP地址10.0.2.2/24、vlanif3接口配置IP地址10.0.3.2/24。
[Huawei]sysname S1
[S1]vlan batch 2 3
[S1]interface g0/0/21
[S1-GigabitEthernet0/0/21]port link-typeaccess
[S1-GigabitEthernet0/0/21]port default vlan1
[S1-GigabitEthernet0/0/21]interface g0/0/22
[S1-GigabitEthernet0/0/22]port link-typeaccess
[S1-GigabitEthernet0/0/22]port default vlan2
[S1-GigabitEthernet0/0/22]interface g0/0/23
[S1-GigabitEthernet0/0/23]port link-typeaccess
[S1-GigabitEthernet0/0/23]port default vlan3
[S1-GigabitEthernet0/0/23]interface vlanif1
[S1-Vlanif1]ip add 10.0.1.2 24
[S1-Vlanif1]interface vlanif 2
[S1-Vlanif2]ip add 10.0.2.2 24
[S1-Vlanif2]interface vlanif 3
[S1-Vlanif3]ip add 10.0.3.2 24
将G0/0/0、G0/0/1、G0/0/2添加到trust区。在测试三口的连通性(在添加到trust区以前先确认这些端口不在untrust区)
[FW]firewall zone trust
16:39:40 2014/07/04
[FW-zone-trust]add interface g0/0/2
16:40:05 2014/07/04
[FW-zone-trust]add interface g0/0/3
16:41:59 2014/07/04
[FW-zone-trust]add interface g0/0/1
[FW-zone-trust]q
[S1]ping -c 1 10.0.1.1
PING 10.0.1.1: 56 data bytes,press CTRL_C to break
Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=255 time=50 ms
---10.0.1.1 ping statistics ---
1packet(s) transmitted
1packet(s) received
0.00% packet loss
round-trip min/avg/max = 50/50/50 ms
[S1]ping -c 1 10.0.2.1
PING 10.0.2.1: 56 data bytes,press CTRL_C to break
Reply from 10.0.2.1: bytes=56 Sequence=1 ttl=255 time=50 ms
---10.0.2.1 ping statistics ---
1packet(s) transmitted
1packet(s) received
0.00% packet loss
round-trip min/avg/max = 50/50/50 ms
[S1]ping -c 1 10.0.3.1
PING 10.0.3.1: 56 data bytes,press CTRL_C to break
Reply from 10.0.3.1: bytes=56 Sequence=1 ttl=255 time=60 ms
---10.0.3.1 ping statistics ---
1packet(s) transmitted
1packet(s) received
0.00% packet loss
round-trip min/avg/max = 60/60/60 ms 参考技术A
华为usg防火墙基本配置命令:
登陆USG防火墙。
修改防火墙设备名。
对防火墙的时间、时区进行修改。
修改防火墙登陆标语信息。
修改防火墙登陆密码。
查看、保存和删除防火墙配置。
在防火墙上配置vlan、地址接口、测试基本连通性。
登陆缺省配置的防火墙并修改防火墙的名称:
防火墙和路由器一样,有一个Console接口。使用console线缆将console接口和计算机的com口连接在一块。使用windows操作系统自带的超级终端软件,即可连接到防火墙。
防火墙的缺省配置中,包括了用户名和密码。其中用户名为admin、密码Admin@123,所以登录时需要输入用户名和密码信息,输入时注意区分大小写。
修改防火墙的名称的方法与修改路由器名称的方法一致。
另外需要注意的是,由于防火墙和路由器同样使用了VRP平台操作系统,所以在命令级别、命令帮助等,与路由器上相应操作相同。
华为USG防火墙NAT配置
实验拓扑
实验环境
FW1模拟公司的出口防火墙,R1和R2模拟公司内网设备,R1在trust区域、R2在dmz区域。R3模拟运营商网络。
实验需求
对R1的loopback 0 接口做动态NAT转换
对R1的G0/0/0接口做静态PAT转换
对R2的loopback 0 接口做静态NAT转换
对R2的G0/0/0接口做静态端口映射
网络地址规划
R1 G0/0/0 IP:11.0.0.2/24
R1 loopback 0 IP:192.168.10.1/24
R2 loopback 0 IP:192.168.20.1/24
R2 G0/0/0 IP:12.0.0.2/24
R3 G0/0/0 IP:13.0.0.2/24
FW1 G0/0/0 IP:11.0.0.1/24
FW1 G0/0/1 IP:12.0.0.1/24
FW1 G0/0/2 IP:13.0.0.1/24
设备配置
--------------以下为一些基础配置---------
R1配置
[Huawei]sy R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 11.0.0.2 24
[R1-GigabitEthernet0/0/0]q
[R1]int loo 0
[R1-LoopBack0]ip add 192.168.10.1 24
[R1]ip route-static 0.0.0.0 0.0.0.0 11.0.0.1
R2配置
[Huawei]sy R2
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip add 12.0.0.2 24
[R2-GigabitEthernet0/0/0]int loo 0
[R2-LoopBack0] ip add 192.168.20.1 24
[R2]ip route-s 0.0.0.0 0.0.0.0 12.0.0.1
R3配置
[Huawei]sy R3
[R3-GigabitEthernet0/0/0]ip add 13.0.0.2 24
-----------------防火墙配置------------------------------
[SRG]int g0/0/0
[SRG-GigabitEthernet0/0/0]ip add 11.0.0.1 24
[SRG-GigabitEthernet0/0/0]int g0/0/1
[SRG-GigabitEthernet0/0/1]ip add 12.0.0.1 24
[SRG-GigabitEthernet0/0/1]int g0/0/2
[SRG-GigabitEthernet0/0/2]ip add 13.0.0.1 24
[SRG-GigabitEthernet0/0/2]q
[SRG]firewall zone trust //进入trust区域
[SRG-zone-trust]add interface g0/0/0 //将接口加入trust区域
[SRG-zone-trust]q
[SRG]firewall zone untrust
[SRG-zone-untrust]add int g0/0/2
[SRG-zone-untrust]q
[SRG]firewall zone dmz
[SRG-zone-dmz]add int g0/0/1
[SRG-zone-dmz]q
[SRG]ip route-static 192.168.20.0 24 12.0.0.2
[SRG]ip route-static 192.168.10.0 24 11.0.0.2
----------------动态NAT配置--------------------------
[SRG]nat address-group 1 200.200.200.100200.200.200.200
//创建一个NAT地址池
[SRG]nat-policy interzone trust untrust outbound
//进入trust到untrust出方向的NAT策略视图
[SRG-nat-policy-interzone-trust-untrust-outbound]policy 1 //创建一个策略
[SRG-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.10.0 0.0.0.255
//配置源IP
[SRG-nat-policy-interzone-trust-untrust-outbound-1]action source-nat
//配置动作为源IP进行NAT
[SRG-nat-policy-interzone-trust-untrust-outbound-1]address-group 1 no-pat
//关联NAT地址池,华为默认是经行地址复用的所以要no-pat
[SRG-nat-policy-interzone-trust-untrust-outbound-1]quit
[SRG-nat-policy-interzone-trust-untrust-outbound]quit
[SRG]policy interzone trust untrust outbound
//进入trust到untrust的出方向策略视图
[SRG-policy-interzone-trust-untrust-outbound]policy 1 //创建一个策略
[SRG-policy-interzone-trust-untrust-outbound-1]policy service service-set icmp
[SRG-policy-interzone-trust-untrust-outbound-1]action permit
//允许所有trust到untrust的icmp流量
在R3上做到200.200.200.0/24的路由
[R3]ip route-static 200.200.200.0 24 13.0.0.1
在R1上ping R3,并在R3上抓包验证是否转换
通过抓包发现地址经过了NAT转换,是从地址池中拿的地址
--------------------静态PAT的配置----------------------------
[SRG]nat-policy interzone trust untrust outbound
//进入trust到untrust区域的出方向的NAT策略视图
[SRG-nat-policy-interzone-trust-untrust-outbound]policy 2 // 创建一个策略
[SRG-nat-policy-interzone-trust-untrust-outbound-2]policy source 11.0.0.0 0.0.0.255
//配置源地址
[SRG-nat-policy-interzone-trust-untrust-outbound-2]action source-nat
//配置动作为源地址NAT
[SRG-nat-policy-interzone-trust-untrust-outbound-2]easy-ip GigabitEthernet 0/0/2
//配置转换要使用的端口地址为G0/0/2
R1 ping R3,并在R3上抓包验证
通过抓包发现地址经过了NAT的转换,转换用的地址FW1 G0/0/0接口
---------------------静态NAT配置-----------------------------
[SRG]nat server global 111.111.111.111 inside 192.168.20.1
//配置将内网的192.168.20.1 地址映射到111.111.111.111地址
[SRG]policy interzone dmz untrust outbound
//进入dmz到untrust的出方向策略视图
[SRG-policy-interzone-dmz-untrust-outbound]policy 1 //创建一个策略
[SRG-policy-interzone-dmz-untrust-outbound-1]policy service service-set icmp
//服务为ICMP协议
[SRG-policy-interzone-dmz-untrust-outbound-1]action permit //配置为允许所有
在R3配置到111.111.111.111/32的路由
[R3]ip route-static111.111.111.111 32 13.0.0.1
R2 ping R3,并在R3抓包验证
通过抓包发现地址经过了NAT转换
----------------------配置静态端口映射----------------------------
在R2上开启telnet功能
[R2]user-interface vty 0 4
[R2-ui-vty0-4]set authentication password cipher abc123
FW1配置
[SRG]nat server protocol tcp global interface g0/0/2 telnet inside 12.0.0.2 telnet
//配置PAT,将全局地址为接口G0/0/2的telnet(23)映射到内网的12.0.0.2的telnet上
[SRG]policy interzone dmz untrust inbound
//进入untrust到dmz的inbound方向策略视图
[SRG-policy-interzone-dmz-untrust-inbound]policy 1 //创建一个策略
[SRG-policy-interzone-dmz-untrust-inbound-1]policy service service-set telnet
//配置策略服务为telnet
[SRG-policy-interzone-dmz-untrust-inbound-1]policy destination 12.0.0.2 0
//配置目标地址为12.0.0.2
[SRG-policy-interzone-dmz-untrust-inbound-1]action permit //配置允许所有
//以上策略为允许任意源访问目标为12.0.0.2的telnet
在R3 telnetFW1的G0/0/2接口
以上是关于华为usg防火墙基本配置命令都有哪些的主要内容,如果未能解决你的问题,请参考以下文章