Using the topology diagram below as an example, this post walks through a simple configuration of the Huawei USG6000V firewall.
On the USG6000V, G0/0/0 is the management port. G1/0/0 is placed in the untrust zone with IP 10.10.10.1/24.
G1/0/4 is placed in the trust zone with IP 10.10.40.1/24.
R2 simulates a PC on the external network, IP 10.10.10.2/24. vIOS simulates the internal network's router, IP 10.10.40.2/24.
Requirements: the trust zone can reach the external network, and R2 can manage the vIOS device remotely over telnet.
1. Initial configuration of the USG6000V firewall
First log in through the console, configure an IP address on the management interface G0/0/0, and enable the management services:
The default password is: admin
<USG6000V2>sys
<USG6000V2>system-view
Enter system view, return user view with Ctrl+Z.
[USG6000V2]int ?
Dialer Dialer interface
Eth-Trunk Ethernet-Trunk interface
GigabitEthernet GigabitEthernet interface
LoopBack LoopBack interface
NULL NULL interface
Nve Nve interface
Tunnel Tunnel interface
Vbdif Vbdif interface
Virtual-Template Virtual-Template interface
Virtual-if Virtual interface
Vlanif Vlan interface
[USG6000V2]int g0/0/0
[USG6000V2-GigabitEthernet0/0/0]ip add ?
X.X.X.X IP address
bootp-alloc IP address allocated by BOOTP
dhcp-alloc IP address allocated by DHCP
[USG6000V2-GigabitEthernet0/0/0]ip add 192.168.1.113 255.255.255.0
[USG6000V2-GigabitEthernet0/0/0]service-manage all
2. Log in to the web UI and configure the security zones
Default username: admin, password: Admin@123
3. Configure PAT (source NAT)
3.1 Configure the source-NAT address pool
3.2 Configure source address translation (PAT)
4. Configure a server mapping that publishes port 23 of vIOS for access from the external network
Explanation of the security zones
5. Configure the security policies
5.1 Policy for internal-to-external access
5.2 Policy for telnet from the external network to the internal network
6. Configure R2 and vIOS
6.1 R2 configuration
!
interface Ethernet0/0
 ip address 10.10.10.2 255.255.255.0
 duplex auto
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.10.10.1
!
6.2 vIOS telnet service configuration
! On version 15.9, remote vty access requires the command "transport input telnet"
version 15.9
hostname vLOs
!
! password for entering privileged mode from user mode
enable password cisco
!
no ip domain lookup
!
interface GigabitEthernet0/0
 ip address 10.10.40.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.10.40.1
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 ! line password
 password cisco
 ! authenticate with the line password
 login
 ! this command is mandatory on version 15.9
 transport input telnet
Alternatively, the vty lines can authenticate against a local username and password, as follows:
username cisco password cisco
enable password cisco
line vty 0 4
 login local
 ! this command is mandatory on version 15.9
 transport input telnet
7. Testing
7.1 Connectivity tests
Connectivity from R2 and vIOS to the firewall:
R2#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
vLOs#ping 10.10.40.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.40.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Can vIOS ping R2, i.e. can the internal network reach the external network?
vLOs#ping 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/4 ms
Firewall policy hit status when vIOS can ping R2
Can R2 manage vIOS remotely?
R2#telnet 10.10.10.80
Trying 10.10.10.80 ... Open
vLOs>ena
Password:
vLOs#
Telnet to vIOS succeeded.
Check the policy status on the firewall:
The policy for telnet from the external network to the internal network shows one hit. Look at the details:
The session can also be seen in the session table:
[USG6000V2]display firewall session table
2023-03-29 09:23:57.400 +08:00
Telnet VPN: public --> public 10.10.10.2:48636 --> 10.10.10.80:23[10.10.40.2:23]
8. Telnet remote management is insecure; change it to SSH
Configuration on vIOS:
!
hostname vLOs
!
no ip domain lookup
! SSH requires a domain name to be configured
ip domain name cisco.com
!
! username and password for login: authenticated locally, with privilege level 15
username cisco privilege 15 password 0 cisco
!
interface GigabitEthernet0/0
 ip address 10.10.40.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.10.40.1
ip ssh version 2
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 ! authenticate against the local user database
 login local
 ! allow SSH logins only
 transport input ssh
vLOs(config)#crypto key generate rsa
A modulus length of 1024 bits must be selected for SSH version 2 to be supported.
The firewall security policy also has to be changed as follows:
The server mapping also has to be changed to TCP 22.
Test whether access works:
R2#ssh -l cisco -v 2 10.10.10.80
*
Password:
vLOs#
Access succeeded.
Firewall session table:
[USG6000V2]display firewall session table
2023-03-29 10:10:11.550 +08:00
SSH VPN: public --> public 10.10.10.2:13809 --> 10.10.10.80:22[10.10.40.2:22]
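As an added example (not part of the original post), a small Python audit of the `display firewall session table` output shown in sections 7 and 8: it parses each session line, flags cleartext management protocols such as telnet, and checks that server-mapped sessions land on the intended inside host. The expected mapping (10.10.10.80:22 to 10.10.40.2:22) and the third sample line with a wrong mapping are assumptions constructed for the demonstration.

```python
import re

# One line of the USG's "display firewall session table", e.g.
# "Telnet VPN: public --> public 10.10.10.2:48636 --> 10.10.10.80:23[10.10.40.2:23]".
# The bracketed part is the inside address:port that the server mapping translated to.
SESSION_RE = re.compile(
    r"^(?P<proto>\S+)\s+VPN:\s*\S+\s*-->\s*\S+\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*-->\s*(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:\[(?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\])?$"
)

CLEARTEXT_MGMT_PORTS = {23: "telnet", 80: "http"}  # credentials travel in cleartext


def parse_session(line):
    """Parse one session-table line into a dict; timestamps and other output give None."""
    m = SESSION_RE.match(line.strip())
    if not m:
        return None
    s = m.groupdict()
    for key in ("sport", "dport", "nat_port"):
        s[key] = int(s[key]) if s[key] is not None else None
    return s


def audit_sessions(table, server_map):
    """Flag cleartext management sessions, and server-mapped sessions whose inside
    target differs from server_map ({(global_ip, global_port): (inside_ip, inside_port)})."""
    findings = []
    for line in table.splitlines():
        s = parse_session(line)
        if s is None:
            continue
        if s["dport"] in CLEARTEXT_MGMT_PORTS:
            findings.append(f"cleartext {CLEARTEXT_MGMT_PORTS[s['dport']]}: "
                            f"{s['src']} -> {s['dst']}:{s['dport']}")
        expected = server_map.get((s["dst"], s["dport"]))
        if expected and (s["nat_ip"], s["nat_port"]) != expected:
            findings.append(f"unexpected mapping: {s['dst']}:{s['dport']} "
                            f"-> {s['nat_ip']}:{s['nat_port']}")
    return findings


# The two session lines shown on this page plus one constructed line with a wrong mapping.
SAMPLE_TABLE = """2023-03-29 09:23:57.400 +08:00
Telnet VPN: public --> public 10.10.10.2:48636 --> 10.10.10.80:23[10.10.40.2:23]
SSH VPN: public --> public 10.10.10.2:13809 --> 10.10.10.80:22[10.10.40.2:22]
SSH VPN: public --> public 10.10.10.2:13810 --> 10.10.10.80:22[10.10.40.9:22]"""

# Assumed expected server mapping after section 8: global 10.10.10.80:22 -> inside 10.10.40.2:22.
SERVER_MAP = {("10.10.10.80", 22): ("10.10.40.2", 22)}
```

Running `audit_sessions(SAMPLE_TABLE, SERVER_MAP)` reports the telnet session from section 7 and the constructed mis-mapped SSH session, while the correct SSH session from section 8 produces no finding.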