What are the basic configuration commands of a Huawei USG firewall?


Compiled by cha138.com, this article introduces the basic configuration commands of Huawei USG firewalls.

Step 1. Log in to a firewall with the default configuration and change the firewall's name
Like a router, the firewall has a Console port. Connect the console port to the computer's COM port with a console cable, then use the HyperTerminal program that ships with Windows to connect to the firewall.
The firewall's default configuration includes a username and password: the username is admin and the password is Admin@123, so both must be entered at login; note that they are case-sensitive.
The firewall's name is changed the same way a router's name is changed.
Also note that because the firewall and the router both run the VRP operating system, command levels, command help and so on are the same as the corresponding operations on a router.
<SRG>sys
13:47:28 2014/07/04
Enter system view, return user view with Ctrl+Z.
[SRG]sysname FW
13:47:32 2014/07/04
Step 2. Change the firewall's time and time zone
By default the firewall has no time zone defined, so the time it keeps may not match the real time. Define the time and time zone according to the actual situation. In this lab we set the time zone to UTC+8 (East 8) and set the standard time.
<FW>clock timezone 1 add 08:00:00
13:50:57 2014/07/04
<FW>dis clock
21:51:15 2014/07/03
2014-07-03 21:51:15
Thursday
Time Zone : 1 add 08:00:00
<FW>clock datetime 13:53:44 2014/07/04
21:53:29 2014/07/03
<FW>dis clock
13:54:04 2014/07/04
2014-07-04 13:54:04
Friday
Time Zone : 1 add 08:00:00
Step 3. Change the firewall login banner
By default, the following banner is shown when logging in to the firewall and after a successful login.
Please Press ENTER.

Login authentication

Username:admin
Password:*********
NOTICE:This is a private communication system.
Unauthorized access or use may lead to prosecution.
The firewall uses this message to warn against unauthorized access.
In practice, the administrator can change the default login banner as needed. There are two kinds: the message shown before login and the message shown after a successful login.
[FW]header login information ^
14:01:21 2014/07/04
Info: The banner text supports 220 characters max, including the start and the end character. If you want to enter more than this, use banner file instead.
Input banner text, and quit with the character '^':
Welcome to USG5500^
[FW]header shell information ^
14:02:54 2014/07/04
Info: The banner text supports 220 characters max, including the start and the end character. If you want to enter more than this, use banner file instead.
Input banner text, and quit with the character '^':
Welcome to USG5500
You are logining in system Please do not delete system config files^
After the configuration is complete, log out of the system and log in again to check whether it has taken effect.
Please Press ENTER.

Welcome to USG5500

Login authentication

Username:admin
Password:*********
Welcome to USG5500
You are logining in system Please do not delete system config files
NOTICE:This is a private communication system.
Unauthorized access or use may lead to prosecution.
Note that the default NOTICE message is generally always present; it does not disappear and is not replaced.
Step 4. Change the username and password used to log in to the firewall
The firewall's default username is admin and the password is Admin@123; these can be changed as required. In this lab we create a new user at level 3 with username user1 and password huawei@123. Note that by default only admin may log in through the console port, so the console port's authentication mode must be set to aaa for the new user to take effect. The configuration must also specify the scope in which the username may be used; in this lab we choose terminal, meaning the credentials apply to logins authenticated through the console port.
[FW]aaa
14:15:43 2014/07/04
[FW-aaa]local-user user1 pass
[FW-aaa]local-user user1 password cipher huawei@123
14:16:08 2014/07/04
[FW-aaa]local-user user1 service-type terminal
14:16:28 2014/07/04
[FW-aaa]local-user user1 level 3
14:16:38 2014/07/04
[FW-aaa]q
14:16:43 2014/07/04
[FW]user-interface console 0
14:16:57 2014/07/04
[FW-ui-console0]authentication-mode aaa
Log out of the system and test whether the new username and password work.
Please Press ENTER.

Welcome to USG5500

Login authentication

Username:user1
Password:**********
Welcome to USG5500
You are logining in system Please do not delete system config files
NOTICE:This is a private communication system.
Unauthorized access or use may lead to prosecution.
<FW>
Step 5. Learn how to view, save and delete the configuration
Use commands on the firewall to view the running configuration and the saved configuration: display current-configuration shows the running configuration and display saved-configuration shows the saved configuration.
<FW>dis current-configuration
14:27:01 2014/07/04
#
stp region-configuration
region-name f0a7e2157008
active region-configuration
#
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 192.168.0.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 192.168.0.1
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
alias NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
#
firewall zone untrust
set priority 5
#
firewall zone dmz
set priority 50
#
aaa
local-user admin password cipher %$%$s$]c%^XV6(/|BaQ$[T;X"G>5%$%$
local-user admin service-type web terminal telnet
local-user admin level 15
local-user user1 password cipher %$%$tY4Z:`xG0/G!1^C)2[48"%yp%$%$
local-user user1 service-type terminal
local-user user1 level 3
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
#
nqa-jitter tag-version 1
#
header shell information "Welcome to USG5500
You are logining in system Please do not delete system config files"
header login information "Welcome to USG5500"
banner enable
#
user-interface con 0
authentication-mode aaa
user-interface vty 0 4
authentication-mode none
protocol inbound all
#
slb
#
right-manager server-group
#
sysname FW
#
l2tp domain suffix-separator @
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
#
ip df-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
#
firewall statistic system enable
#
pki ocsp response cache refresh interval 0
pki ocsp response cache number 0
#
undo dns proxy
#
license-server domain lic.huawei.com
#
web-manager enable
#
return
Save the configuration and then view the saved configuration.
<FW> sa
14:29:29 2014/07/04
The current configuration will be written to the device.
Are you sure to continue?[Y/N]y
2014-07-04 14:29:31 FW %%01CFM/4/SAVE(l):When deciding whether to save configuration to the device, the user chose Y.
Do you want to synchronically save the configuration to the startup saved-configuration file on peer device?[Y/N]:y
Now saving the current configuration to the device...
Info:The current configuration was saved to the device successfully.

<FW>dis saved-configuration
14:27:48 2014/07/04
# CLI_VERSION=V300R001
# Last configuration was changed at 2014/07/04 13:56:09 from console0
#*****BEGIN****public****#
#
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 192.168.0.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 192.168.0.1
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
alias NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
#
firewall zone untrust
set priority 5
#
firewall zone dmz
set priority 50
#
aaa
local-user admin password cipher %$%$s$]c%^XV6(/|BaQ$[T;X"G>5%$%$
local-user admin service-type web terminal telnet
local-user admin level 15
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
#
nqa-jitter tag-version 1
#
banner enable
#
user-interface con 0
authentication-mode none
user-interface vty 0 4
authentication-mode none
protocol inbound all
#
slb
#
right-manager server-group
#
sysname FW
#
l2tp domain suffix-separator @
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
#
ip df-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
#
firewall statistic system enable
#
pki ocsp response cache refresh interval 0
pki ocsp response cache number 0
#
undo dns proxy
#
license-server domain lic.huawei.com
#
web-manager enable
#
return
#-----END----#
Use the delete Flash:/vrpcfg.zip command to delete the saved configuration.
Step 6. Configure interface addresses
Configure G0/0/1: 10.0.2.1/24; G0/0/0: 10.0.1.1/24; G0/0/2: 10.0.3.1/24.
[FW] interface g0/0/2
16:12:58 2014/07/04
[FW-GigabitEthernet0/0/2]ip add 10.0.3.1 24
16:13:21 2014/07/04
[FW-GigabitEthernet0/0/2]interface g0/0/0
16:13:32 2014/07/04
[FW-GigabitEthernet0/0/0]undo ip add
16:14:02 2014/07/04
[FW-GigabitEthernet0/0/0]ip add 10.0.1.1 24
16:14:14 2014/07/04
[FW-GigabitEthernet0/0/0]interface g0/0/1
16:14:36 2014/07/04
[FW-GigabitEthernet0/0/1]ip add 10.0.2.1 24
16:14:50 2014/07/04
[FW-GigabitEthernet0/0/1]q
16:14:52 2014/07/04
[FW]
On switch S1, assign interface G0/0/21 to vlan 1, G0/0/22 to vlan 2 and G0/0/23 to vlan 3. Configure IP address 10.0.1.2/24 on interface vlanif1, 10.0.2.2/24 on vlanif2 and 10.0.3.2/24 on vlanif3.
[Huawei]sysname S1
[S1]vlan batch 2 3
[S1]interface g0/0/21
[S1-GigabitEthernet0/0/21]port link-type access
[S1-GigabitEthernet0/0/21]port default vlan 1
[S1-GigabitEthernet0/0/21]interface g0/0/22
[S1-GigabitEthernet0/0/22]port link-type access
[S1-GigabitEthernet0/0/22]port default vlan 2
[S1-GigabitEthernet0/0/22]interface g0/0/23
[S1-GigabitEthernet0/0/23]port link-type access
[S1-GigabitEthernet0/0/23]port default vlan 3
[S1-GigabitEthernet0/0/23]interface vlanif1
[S1-Vlanif1]ip add 10.0.1.2 24
[S1-Vlanif1]interface vlanif 2
[S1-Vlanif2]ip add 10.0.2.2 24
[S1-Vlanif2]interface vlanif 3
[S1-Vlanif3]ip add 10.0.3.2 24
Add G0/0/0, G0/0/1 and G0/0/2 to the trust zone, then test the connectivity of the three ports (before adding them to the trust zone, first confirm that these ports are not in the untrust zone).
[FW]firewall zone trust
16:39:40 2014/07/04
[FW-zone-trust]add interface g0/0/2
16:40:05 2014/07/04
[FW-zone-trust]add interface g0/0/3
16:41:59 2014/07/04
[FW-zone-trust]add interface g0/0/1
[FW-zone-trust]q
[S1]ping -c 1 10.0.1.1
PING 10.0.1.1: 56 data bytes,press CTRL_C to break
Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=255 time=50 ms
--- 10.0.1.1 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 50/50/50 ms
[S1]ping -c 1 10.0.2.1
PING 10.0.2.1: 56 data bytes,press CTRL_C to break
Reply from 10.0.2.1: bytes=56 Sequence=1 ttl=255 time=50 ms
--- 10.0.2.1 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 50/50/50 ms
[S1]ping -c 1 10.0.3.1
PING 10.0.3.1: 56 data bytes,press CTRL_C to break
Reply from 10.0.3.1: bytes=56 Sequence=1 ttl=255 time=60 ms
--- 10.0.3.1 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 60/60/60 ms
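The saved configuration dumped in step 5 contains the management-plane settings a reviewer should notice: the VTY lines keep "authentication-mode none" together with "protocol inbound all", the admin user's service-type includes telnet, and the interzone packet filters default to permit. The following Python script is an added example and not part of the original answer: it parses a VRP-style configuration dump into its "#"-delimited blocks and reports those settings. Both sample configurations are constructed from the dump on this page; the ciphertext is a placeholder, and the "protocol inbound ssh" and "service-type ssh" keywords in the hardened sample are the VRP keywords this example assumes.

```python
"""Audit a Huawei VRP/USG configuration dump for weak management-plane settings.

Added example, not code from the original post. It splits the text printed by
`display saved-configuration` into its '#'-delimited blocks and flags the
settings visible in the post's own dump. Sample configs are constructed.
"""
import re

# Constructed sample modelled on the saved configuration in the post (placeholder ciphertext).
WEAK_CONFIG = """\
#
 aaa
 local-user admin password cipher <PLACEHOLDER-CIPHERTEXT>
 local-user admin service-type web terminal telnet
 local-user admin level 15
#
user-interface con 0
 authentication-mode none
user-interface vty 0 4
 authentication-mode none
 protocol inbound all
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
#
web-manager enable
#
return
"""

# Constructed hardened counterpart: AAA on every line, SSH only, no default-permit rules.
HARDENED_CONFIG = """\
#
 aaa
 local-user admin password cipher <PLACEHOLDER-CIPHERTEXT>
 local-user admin service-type web terminal ssh
 local-user admin level 15
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
"""


def parse_blocks(text):
    """Split a VRP configuration into '#'-delimited blocks of stripped lines.

    Indentation is ignored on purpose: copy-pasted dumps (like the one in the post) lose it.
    """
    blocks, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line and line != "return":
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def user_interface_settings(blocks):
    """Map each 'user-interface X' line (e.g. 'vty 0 4') to the sub-commands under it."""
    settings = {}
    for block in blocks:
        name = None                       # reset at every block boundary
        for line in block:
            m = re.match(r"user-interface\s+(.+)$", line)
            if m:
                name = m.group(1).strip()
                settings.setdefault(name, [])
            elif name is not None:
                settings[name].append(line)
    return settings


def audit(text):
    """Return a list of (severity, message) findings for a configuration dump."""
    blocks = parse_blocks(text)
    findings = []
    for name, cmds in user_interface_settings(blocks).items():
        if "authentication-mode none" in cmds:
            findings.append(("high", f"user-interface {name}: authentication-mode none "
                                     "(login without credentials; use authentication-mode aaa)"))
        if "protocol inbound all" in cmds:
            findings.append(("medium", f"user-interface {name}: protocol inbound all "
                                       "(telnet accepted; restrict to protocol inbound ssh)"))
    for block in blocks:
        for line in block:
            m = re.match(r"local-user\s+(\S+)\s+service-type\s+(.+)$", line)
            if m and "telnet" in m.group(2).split():
                findings.append(("medium", f"local-user {m.group(1)}: service-type includes telnet "
                                           "(cleartext management protocol)"))
            if line.startswith("firewall packet-filter default permit"):
                findings.append(("low", f"default-permit rule present: {line}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(WEAK_CONFIG):
        print(f"[{severity}] {message}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Run it against a real dump by reading the file and passing its text to audit(); the weak sample yields six findings and the hardened sample none, which is the comparison to aim for before enabling remote management on a USG.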
Reference answer A

Basic configuration commands of Huawei USG firewalls:

    Log in to the USG firewall.

    Change the firewall device name.

    Change the firewall's time and time zone.

    Change the firewall login banner.

    Change the firewall login password.

    View, save and delete the firewall configuration.

    Configure VLANs and interface addresses on the firewall and test basic connectivity.

Log in to a firewall with the default configuration and change the firewall's name:

    Like a router, the firewall has a Console port. Connect the console port to the computer's COM port with a console cable, then use the HyperTerminal program that ships with Windows to connect to the firewall.

    The firewall's default configuration includes a username and password: the username is admin and the password is Admin@123, so both must be entered at login; note that they are case-sensitive.

    The firewall's name is changed the same way a router's name is changed.

    Also note that because the firewall and the router both run the VRP operating system, command levels, command help and so on are the same as the corresponding operations on a router.

Huawei USG firewall NAT configuration

Experiment topology

(topology figure not included in the page)

Experiment environment

FW1 simulates the company's egress firewall; R1 and R2 simulate internal devices, with R1 in the trust zone and R2 in the dmz zone. R3 simulates the ISP network.

Experiment requirements

Dynamic NAT for the R1 loopback 0 interface

Static PAT for the R1 G0/0/0 interface

Static NAT for the R2 loopback 0 interface

Static port mapping for the R2 G0/0/0 interface


Network address plan

R1 G0/0/0 IP 11.0.0.2/24

R1 loopback 0 IP 192.168.10.1/24

R2 loopback 0 IP 192.168.20.1/24

R2 G0/0/0 IP 12.0.0.2/24

R3 G0/0/0 IP 13.0.0.2/24

FW1 G0/0/0 IP 11.0.0.1/24

FW1 G0/0/1 IP 12.0.0.1/24

FW1 G0/0/2 IP 13.0.0.1/24


Device configuration

-------------- Basic configuration ---------

R1 configuration

[Huawei]sy R1

[R1]int g0/0/0

[R1-GigabitEthernet0/0/0]ip add 11.0.0.2 24

[R1-GigabitEthernet0/0/0]q

[R1]int loo 0

[R1-LoopBack0]ip add 192.168.10.1 24

[R1]ip route-static 0.0.0.0 0.0.0.0 11.0.0.1

 

R2 configuration

[Huawei]sy R2

[R2]int g0/0/0

[R2-GigabitEthernet0/0/0]ip add 12.0.0.2 24

[R2-GigabitEthernet0/0/0]int loo 0

[R2-LoopBack0] ip add 192.168.20.1 24

[R2]ip route-s 0.0.0.0 0.0.0.0 12.0.0.1

 

R3 configuration

[Huawei]sy R3

[R3-GigabitEthernet0/0/0]ip add 13.0.0.2 24


----------------- Firewall configuration ------------------------------

 

[SRG]int g0/0/0

[SRG-GigabitEthernet0/0/0]ip add 11.0.0.1 24

[SRG-GigabitEthernet0/0/0]int g0/0/1

[SRG-GigabitEthernet0/0/1]ip add 12.0.0.1 24

[SRG-GigabitEthernet0/0/1]int g0/0/2

[SRG-GigabitEthernet0/0/2]ip add 13.0.0.1 24

[SRG-GigabitEthernet0/0/2]q

[SRG]firewall zone trust             //enter the trust zone

[SRG-zone-trust]add interface g0/0/0    //add the interface to the trust zone

[SRG-zone-trust]q

[SRG]firewall zone untrust

[SRG-zone-untrust]add int g0/0/2

[SRG-zone-untrust]q

[SRG]firewall zone dmz

[SRG-zone-dmz]add int g0/0/1

[SRG-zone-dmz]q

[SRG]ip route-static 192.168.20.0 24 12.0.0.2

[SRG]ip route-static 192.168.10.0 24 11.0.0.2

---------------- Dynamic NAT configuration --------------------------

[SRG]nat address-group 1 200.200.200.100 200.200.200.200

//create a NAT address pool

[SRG]nat-policy interzone trust untrust outbound

//enter the NAT policy view for the trust-to-untrust outbound direction

[SRG-nat-policy-interzone-trust-untrust-outbound]policy 1   //create a policy

[SRG-nat-policy-interzone-trust-untrust-outbound-1]policy source 192.168.10.0 0.0.0.255

//configure the source IP

[SRG-nat-policy-interzone-trust-untrust-outbound-1]action source-nat

//set the action to source NAT

[SRG-nat-policy-interzone-trust-untrust-outbound-1]address-group 1 no-pat

//bind the NAT address pool; Huawei performs address reuse (PAT) by default, so no-pat is required

[SRG-nat-policy-interzone-trust-untrust-outbound-1]quit

[SRG-nat-policy-interzone-trust-untrust-outbound]quit

[SRG]policy interzone trust untrust outbound

//enter the trust-to-untrust outbound security policy view

[SRG-policy-interzone-trust-untrust-outbound]policy 1       //create a policy

[SRG-policy-interzone-trust-untrust-outbound-1]policy service service-set icmp

[SRG-policy-interzone-trust-untrust-outbound-1]action permit

//permit all trust-to-untrust ICMP traffic

Configure a route to 200.200.200.0/24 on R3

[R3]ip route-static 200.200.200.0 24 13.0.0.1

Ping R3 from R1 and capture packets on R3 to verify the translation

The capture shows that the address was translated by NAT, using an address taken from the address pool


-------------------- Static PAT configuration ----------------------------

[SRG]nat-policy interzone trust untrust outbound

//enter the NAT policy view for the trust-to-untrust outbound direction

[SRG-nat-policy-interzone-trust-untrust-outbound]policy 2      // create a policy

[SRG-nat-policy-interzone-trust-untrust-outbound-2]policy source 11.0.0.0 0.0.0.255

//configure the source address

[SRG-nat-policy-interzone-trust-untrust-outbound-2]action source-nat

//set the action to source NAT

[SRG-nat-policy-interzone-trust-untrust-outbound-2]easy-ip GigabitEthernet 0/0/2

//use the address of interface G0/0/2 for the translation

Ping R3 from R1 and capture packets on R3 to verify

The capture shows that the address was translated by NAT; the address used is FW1's G0/0/0 interface


--------------------- Static NAT configuration -----------------------------

[SRG]nat server global 111.111.111.111 inside 192.168.20.1

//map the internal address 192.168.20.1 to the address 111.111.111.111

[SRG]policy interzone dmz untrust outbound

//enter the dmz-to-untrust outbound security policy view

[SRG-policy-interzone-dmz-untrust-outbound]policy 1   //create a policy

[SRG-policy-interzone-dmz-untrust-outbound-1]policy service service-set icmp

//the service is the ICMP protocol

[SRG-policy-interzone-dmz-untrust-outbound-1]action permit   //set the action to permit

Configure a route to 111.111.111.111/32 on R3

[R3]ip route-static 111.111.111.111 32 13.0.0.1

Ping R3 from R2 and capture packets on R3 to verify

The capture shows that the address was translated by NAT


---------------------- Static port mapping configuration ----------------------------

Enable telnet on R2

[R2]user-interface vty 0 4

[R2-ui-vty0-4]set authentication password cipher abc123

FW1 configuration

[SRG]nat server protocol tcp global interface g0/0/2 telnet inside 12.0.0.2 telnet

//configure PAT: map the global address (interface G0/0/2, telnet/23) to telnet on the internal host 12.0.0.2

[SRG]policy interzone dmz untrust inbound

//enter the untrust-to-dmz inbound security policy view

[SRG-policy-interzone-dmz-untrust-inbound]policy 1    //create a policy

[SRG-policy-interzone-dmz-untrust-inbound-1]policy service service-set telnet

//set the policy service to telnet

[SRG-policy-interzone-dmz-untrust-inbound-1]policy destination 12.0.0.2 0

//set the destination address to 12.0.0.2

[SRG-policy-interzone-dmz-untrust-inbound-1]action permit      //set the action to permit

//the policy above allows any source to reach telnet on destination 12.0.0.2

Telnet from R3 to FW1's G0/0/2 interface


