
Huawei Firewall - for the CSSIP track

Published: 2024-11-11 Author: 千家信息网 editor

On the new OS version the initial console username is admin and the password is Admin@123.
Connect to the console to enter the device:


* Copyright(C) 2010-2013 Huawei Technologies Co., Ltd. *
* All rights reserved *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *

User interface con0 is available

Please Press ENTER.
clock date 12:40:30 2016/02/24
system-view
12:32:52 2016/02/24
Enter system view, return user view with Ctrl+Z.
[SRG]sysn
[SRG]sysname toys
[toys]dis ip int b----------display ip interface brief
13:27:09 2016/02/24
*down: administratively down
(s): spoofing
Interface IP Address Physical Protocol Description
GigabitEthernet0/0/0 192.168.0.1 down down Huawei, SRG Seri
GigabitEthernet0/0/1 unassigned down down Huawei, SRG Seri
GigabitEthernet0/0/2 unassigned down down Huawei, SRG Seri
GigabitEthernet0/0/3 unassigned down down Huawei, SRG Seri
GigabitEthernet0/0/4 unassigned down down Huawei, SRG Seri
GigabitEthernet0/0/5 unassigned down down Huawei, SRG Seri
GigabitEthernet0/0/6 unassigned down down Huawei, SRG Seri
GigabitEthernet0/0/7 unassigned down down Huawei, SRG Seri
GigabitEthernet0/0/8 unassigned down down Huawei, SRG Seri
[toys]int Gi 0/0/1-----------interface GigabitEthernet0/0/1
13:28:28 2016/02/24
[toys-GigabitEthernet0/0/1]ip add 192.168.2.2 24----ip address 192.168.2.2 255.255.255.0
13:29:40 2016/02/24
[toys-GigabitEthernet0/0/1]des link-port-to-neiwang-------description link-port-to-neiwang
13:31:50 2016/02/24
[toys-GigabitEthernet0/0/1]q-----quit
13:32:38 2016/02/24
[toys]dis zo---------display zone
13:33:11 2016/02/24
local
priority is 100
#
trust
priority is 85
interface of the zone is (1):
GigabitEthernet0/0/0
#
untrust
priority is 5
interface of the zone is (0):
#
dmz
priority is 50
interface of the zone is (0):
#
[toys]fire zo trust-------------firewall zone trust
13:34:38 2016/02/24
[toys-zone-trust]add int gi 0/0/1-----add interface GigabitEthernet0/0/1
13:35:30 2016/02/24
[toys-zone-trust]dis fire packet-filter default all-----display firewall packet-filter default all, view the default packet-filter settings
13:36:21 2016/02/24
Firewall default packet-filter action is:

packet-filter in public:
local -> trust :
inbound : default: permit; || IPv6-acl: null
outbound : default: permit; || IPv6-acl: null
local -> untrust :
inbound : default: deny; || IPv6-acl: null
outbound : default: permit; || IPv6-acl: null
local -> dmz :
inbound : default: deny; || IPv6-acl: null
outbound : default: permit; || IPv6-acl: null
trust -> untrust :
inbound : default: deny; || IPv6-acl: null
outbound : default: deny; || IPv6-acl: null
trust -> dmz :
inbound : default: deny; || IPv6-acl: null
outbound : default: deny; || IPv6-acl: null
dmz -> untrust :
inbound : default: deny; || IPv6-acl: null
outbound : default: deny; || IPv6-acl: null

packet-filter between VFW:
[toys-zone-trust]q
13:43:02 2016/02/24
[toys]firewall packet-filter default permit interzone trust local---permit by default between trust and local; with no direction given, the default applies to both inbound and outbound
13:50:03 2016/02/24
Warning:Setting the default packet filtering to permit poses security risks. You
are advised to configure the security policy based on the actual data flows. Ar
e you sure you want to continue?[Y/N]y
[toys]q
13:57:26 2016/02/24
language-mode chinese
13:57:39 2016/02/24
Warning: The operation will change the language mode. Continue? [Y/N]: y
提示:改变到中文模式。

2018/2/5 13:57:42 toys %CMD/4/LAN_MODE(l): 当决定是否改变语言模式时,用户选择了Y。
system-view
14:02:12 2016/02/24
进入系统视图,键入Ctrl+Z退回到用户视图。
[toys]user-interface ?
INTEGER<0-363> 欲配置的第一个用户终端接口
aux 辅助用户终端接口
console 主用户终端接口
current 当前用户终端接口
maximum-vty vty用户最大数量
tty 异步用户终端接口
vty 虚拟用户终端接口

[toys]user-interface v
[toys]user-interface vty ?
INTEGER<0-4> 欲配置的第一个用户终端接口

[toys]user-interface vty 0 4
14:03:21 2016/02/24
[toys-ui-vty0-4]authentication-mode ?
aaa 利用AAA进行验证
password 利用用户终端接口的口令认证

[toys-ui-vty0-4]authentication-mode aaa
14:04:21 2016/02/24
[toys-ui-vty0-4]authentication-mode password ?
cipher 表示密码用密文显示

[toys-ui-vty0-4]authentication-mode password ci
[toys-ui-vty0-4]authentication-mode password cipher ?
STRING<8-16>/<32> 明文/密文密码字符串

[toys-ui-vty0-4]authentication-mode password cipher Toys123456
14:06:19 2016/02/24
[toys-ui-vty0-4]q
[toys]aaa
14:07:55 2016/02/24
[toys-aaa]local-user toy ?
access-limit 接入限制
acl-number 配置ACL号
ftp-directory 设置用户登陆的FTP目录
idle-cut 配置闲置切断
l2tp-ip 配置用户l2tp绑定ip
level 配置用户优先级
password 明文密码字符串
service-type 授权用户服务类型
state 设置用户的激活状态
valid-period 表示用户有效期
vpn-instance 指定一个VPN实例

[toys-aaa]local-user toy pss
[toys-aaa]local-user toy pa
[toys-aaa]local-user toy password ?
cipher 表示密码用密文显示

[toys-aaa]local-user toy password ci
[toys-aaa]local-user toy password cipher Toys123456
14:08:31 2016/02/24
[toys-aaa]local-user toy ?
access-limit 接入限制
acl-number 配置ACL号
ftp-directory 设置用户登陆的FTP目录
idle-cut 配置闲置切断
l2tp-ip 配置用户l2tp绑定ip
level 配置用户优先级
password 明文密码字符串
service-type 授权用户服务类型
state 设置用户的激活状态
valid-period 表示用户有效期
vpn-instance 指定一个VPN实例

[toys-aaa]local-user toy le
[toys-aaa]local-user toy level ?
INTEGER<0-15> 优先级值
audit 审计级别

[toys-aaa]local-user toy level 15
14:09:58 2016/02/24
[toys-aaa]q
14:11:17 2016/02/24
[toys]q
14:11:21 2016/02/24
save-------remember to save, otherwise the configuration is lost
14:15:32 2016/02/24
The current configuration will be written to the device.
Are you sure to continue?[Y/N]y
2018-02-05 14:15:33 toys %CFM/4/SAVE(l): When deciding whether to save config
uration to the device, the user chose Y.
Do you want to synchronically save the configuration to the startup saved-config
uration file on peer device?[Y/N]:y
Now saving the current configuration to the device....
Info:The current configuration was saved to the device successfully.
system-view
14:16:39 2016/02/24
Enter system view, return user view with Ctrl+Z.
[toys]web-manager ?
config-guide Indicate the keyword of the HTTPD configuration guide
enable Enable Web server
security Indicate HTTP running over SSL
timeout Specify the web timeout of the Web server
user Specify the parameter of the web user

[toys]web-manager enable------configure web management
14:19:32 2016/02/24
Web server has been enabled,please disable it first!
[toys]rsa local-key-pair ?
create Create new local public key pairs
destroy Destroy the local public key pairs

[toys]rsa local-key-pair c
[toys]rsa local-key-pair create ?

[toys]rsa local-key-pair create------set up SSH management: create the local RSA key pair
14:22:39 2016/02/24
The key name will be: toys_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 768]:
Generating keys...
..........++++++++
..........++++++++
............+++++++++
.......+++++++++

[toys]user-interface vty 0 4
14:24:21 2016/02/24
[toys-ui-vty0-4]pro
[toys-ui-vty0-4]protocol ?
inbound Incomming protocol

[toys-ui-vty0-4]protocol in
[toys-ui-vty0-4]protocol inbound ?
all All protocol
ssh SSH protocol
telnet Telnet protocol

[toys-ui-vty0-4]protocol inbound all ?

[toys-ui-vty0-4]protocol inbound all
14:24:51 2016/02/24
[toys]ssh ?
authentication-type Authentication type
client Set SSH client attribute
server Set the server attribute
user SSH user

[toys]ssh us
[toys]ssh user ?
STRING<1-64> The specified user name

[toys]ssh user toy ?
assign Set the key
authentication-type Authentication type
service-type Set service type
sftp-directory Set SFTP direcotry

[toys]ssh user toy su
[toys]ssh user toy au
[toys]ssh user toy authentication-type ?
all All authentication mode, either password or RSA
password Password authentication
password-rsa Both password and RSA authentication modes
rsa RSA authentication

[toys]ssh user toy authentication-type rsa ?

[toys]ssh user toy authentication-type rsa
14:26:29 2016/02/24
Info: Succeeded in adding a new SSH user.
[toys]q
14:27:07 2016/02/24
save
14:27:09 2016/02/24
The current configuration will be written to the device.
Are you sure to continue?[Y/N]y
2018-02-05 14:27:12 toys %CFM/4/SAVE(l): When deciding whether to save config
uration to the device, the user chose Y.
Do you want to synchronically save the configuration to the startup saved-config
uration file on peer device?[Y/N]:y
Now saving the current configuration to the device...
Info:The current configuration was saved to the device successfully.
Clear the configuration and restore factory settings
reset saved-configuration
14:28:04 2016/02/24
The action will delete the saved configuration in the device.

The configuration will be erased to reconfigure.

Are you sure?[Y/N]n

2018-02-05 14:28:09 toys %CFM/4/RST_CFG(l): When deciding whether to reset th
e saved configuration, the user chose N.
Delete the configuration file
dir ?
/all List all files
STRING<1-64> [drive][path][file name]
flash: Flash device name

dir /a
dir /all
14:28:58 2016/02/24
Directory of flash:/

0 -rw- 61 Feb 05 2018 14:27:16 private-data.txt
1 -rw- 2907 Feb 05 2018 14:27:17 vrpcfg.cfg

31248 KB total (31184 KB free)

dir ?
/all List all files
STRING<1-64> [drive][path][file name]
flash: Flash device name

dir fl
dir flash:?
flash:
dir flash:
14:29:19 2016/02/24
Directory of flash:/

0 -rw- 61 Feb 05 2018 14:27:16 private-data.txt
1 -rw- 2907 Feb 05 2018 14:27:17 vrpcfg.cfg

31248 KB total (31184 KB free)

del ?
/unreserved Delete a file permanently
STRING<1-64> [drive][path][file name]
flash: Flash device name

del fl
del flash:?
flash:
del vr
del vrpcfg.cfg ?

del vrpcfg.cfg
14:30:02 2016/02/24
Be Careful! Deleting the next startup config file will lose your configuration.

Delete flash:/vrpcfg.cfg?[Y/N]:n

2018-02-05 14:30:04 toys %VFS/4/DEL(l): When asked whether to delete the file
flash:/vrpcfg.cfg, the user entered N.
Enable FTP
system-view
14:30:55 2016/02/24
Enter system view, return user view with Ctrl+Z.
[toys]ftp server enable
14:31:10 2016/02/24
Info:Start FTP server

[toys]dhcp enable
14:36:48 2016/02/24
Info:DHCP task has already started.
[toys]int gi 0/0/1
14:37:14 2016/02/24
[toys-GigabitEthernet0/0/1]dhcp cli
[toys-GigabitEthernet0/0/1]dhcp client ?
enable DHCP Client enable
forbid DHCP Client forbid apply option
renew dhcp client renew

[toys-GigabitEthernet0/0/1]dhcp client rn
[toys-GigabitEthernet0/0/1]dhcp client en
[toys-GigabitEthernet0/0/1]dhcp client enable ?
track Specify track configuration

[toys-GigabitEthernet0/0/1]dhcp client enable
14:39:31 2016/02/24
Info: There are ip addresses in the interface , please delete them at first.
[toys]firewall zone untrust
14:47:02 2016/02/24
[toys-zone-untrust]add ?
interface Indicate the priority of the security zone
[toys-zone-untrust]add interface GigabitEthernet 0/0/2
14:47:24 2016/02/24
[toys-zone-untrust]q
14:48:05 2016/02/24
[toys]fir
[toys]firewall pa
[toys]firewall packet-filter de
[toys]firewall packet-filter default in
[toys]firewall packet-filter default int
[toys]firewall packet-filter default pe
[toys]firewall packet-filter default permit in
[toys]firewall packet-filter default permit interzone lo
[toys]firewall packet-filter default permit interzone local
[toys]firewall packet-filter default permit interzone local ?
dmz Indicate the DMZ
trust Indicate the Trust zone
untrust Indicate the Untrust zone
vpn-instance Indicate a VPN instance

[toys]firewall packet-filter default permit interzone local un
[toys]firewall packet-filter default permit interzone local untrust ?
direction Indicate the direction

[toys]firewall packet-filter default permit interzone local untrust
14:48:37 2016/02/24
Warning:Setting the default packet filtering to permit poses security risks. You
are advised to configure the security policy based on the actual data flows. Ar
e you sure you want to continue?[Y/N]y
[toys]dhcp server forbidden-ip 192.168.2.2 192.168.2.30-------DHCP
14:50:05 2016/02/24
[toys]dhcp server forbidden-ip ?
X.X.X.X Low IP address
[toys]dhcp server forbidden-ip 192.168.2.2 192.168.2.30
14:50:05 2016/02/24
[toys]dhc
[toys]dhcp se
[toys]dhcp server ip
[toys]dhcp server ip-pool ?
STRING<1-35> Global IP address pool name

[toys]dhcp server ip-pool 0
14:50:28 2016/02/24
[toys-dhcp-0]ne
[toys-dhcp-0]net
[toys-dhcp-0]netw
[toys-dhcp-0]network 192.168.2.1 m
[toys-dhcp-0]network 192.168.2.1 mask ?
INTEGER<0-32> Network mask length
X.X.X.X Network mask

[toys-dhcp-0]network 192.168.2.1 mask 255.255.255.0
14:50:56 2016/02/24
[toys-dhcp-0]gs
[toys-dhcp-0]ga
[toys-dhcp-0]gateway-list 192.168.2.1
14:51:07 2016/02/24
[toys-dhcp-0]dns
[toys-dhcp-0]dns-list 202.96.209.166 202.96.209.6
14:51:34 2016/02/24
[toys-dhcp-0]dom
[toys-dhcp-0]domain-name www.baidu.com
14:51:52 2016/02/24
[toys-dhcp-0]dh
[toys-dhcp-0]q
14:52:09 2016/02/24
[toys]interface Dialer ?
<0-1023> Dialer interface number

[toys]interface Dialer 1
14:54:03 2016/02/24
[toys-Dialer1]li
[toys-Dialer1]link-protocol ?
ppp Point-to-Point protocol

[toys-Dialer1]link-protocol ppp ?

[toys-Dialer1]link-protocol ppp
14:54:14 2016/02/24
[toys-Dialer1]ppp ?
accm Specify accm value
authentication-mode Specify PPP authentication-mode
chap Specify CHAP parameters
ipcp Specify IPCP parameters
lqc Specify the close and resume percent of link
pap Specify PAP parameters
peer Specify PPP peer
timer Specify timer

[toys-Dialer1]ppp pap
[toys-Dialer1]ppp pap ?
local-user Specify user name

[toys-Dialer1]ppp pap loc
[toys-Dialer1]ppp pap local-user toy ?
password Specify user password

[toys-Dialer1]ppp pap local-user toy pa
[toys-Dialer1]ppp pap local-user toy password ?
cipher Indicate the current password with cipher text

[toys-Dialer1]ppp pap local-user toy password ci
[toys-Dialer1]ppp pap local-user toy password cipher ?
STRING<1-16>/<32> The UNENCRYPTED/ENCRYPTED password string

[toys-Dialer1]ppp pap local-user toy password cipher Toy123456
[toys-Dialer1]ip address pp
[toys-Dialer1]ip address ppp-negotiate ?

[toys-Dialer1]ip address ppp-negotiate
14:57:20 2016/02/24
[toys-Dialer1]dialer ?
bundle Specify dialer bundle number
enable-circular Enable Circular DCC
listen-group Dialer listen group
number Dial number to next-hop
priority Specify priority for use in dialer rotary-group
queue-length Output queue during dial out
threshold Specify threshold
timer Specify timer configuration information
user Enable RS-DCC,specify the user name of remote

[toys-Dialer1]dialer us
[toys-Dialer1]dialer user ?
STRING<1-64> The user name of remote

[toys-Dialer1]dialer user toy
14:57:47 2016/02/24
[toys-Dialer1]di
[toys-Dialer1]dia
[toys-Dialer1]dialer b
[toys-Dialer1]dialer bundle ?
INTEGER<1-255> Bundle number

[toys-Dialer1]dialer bundle 1
14:58:08 2016/02/24
[toys-Dialer1]q
14:58:31 2016/02/24
[toys]display pppoe-?---------------PPPOE
pppoe-client pppoe-server
[toys]display pppoe-cl
[toys]display pppoe-client ?
session Indicate the PPPoE Client session information

[toys]display pppoe-client se
[toys]display pppoe-client session ?
packet Indicate Packet/Byte count information
summary Indicate session summary information

[toys]display pppoe-client session su
[toys]display pppoe-client session summary ?
dial-bundle-number Indicate the dialer bundle keyword

[toys]display pppoe-client session summary di
[toys]display pppoe-client session summary dial-bundle-number ?
INTEGER<1-255> Dialer bundle number

[toys]display pppoe-client session summary dial-bundle-number 1
14:59:42 2016/02/24
PPPoE Client Session:
ID Bundle Dialer Intf Client-MAC Server-MAC State
[toys]ip route-static ?
X.X.X.X Destination IP address
default-preference Preference-value for IPv4 static-routes
vpn-instance VPN-Instance route information

[toys]ip route-static 192.168.2.2 255.255.255.0 10.10.10.2------add a route
15:03:43 2016/02/24
Info: The destination address and the mask do not match.
[toys]dis ip routing-table verbose ------------------view the routing table
15:04:33 2016/02/24
Route Flags: R - relay, D - download to fib

Routing Table : Public
Destinations : 3 Routes : 3

Destination: 127.0.0.0/8
Protocol: Direct Process ID: 0
Preference: 0 Cost: 0
NextHop: 127.0.0.1 Neighbour: 0.0.0.0
State: Active NoAdv Age: 02h49m33s
Tag: 0 Priority: 0
Label: NULL QoSInfo: 0x0
EntryFlags: 0x80000018 RefPriCnt: 1
RelayNextHop: 0.0.0.0 Interface: InLoopBack0
TunnelID: 0x0 Flags: D

Destination: 127.0.0.1/32
Protocol: Direct Process ID: 0
Preference: 0 Cost: 0
NextHop: 127.0.0.1 Neighbour: 0.0.0.0
State: Active NoAdv Age: 02h49m33s
Tag: 0 Priority: 0
Label: NULL QoSInfo: 0x0
EntryFlags: 0x81000018 RefPriCnt: 1
RelayNextHop: 0.0.0.0 Interface: InLoopBack0
TunnelID: 0x0 Flags: D

Destination: 192.168.2.0/24
Protocol: Static Process ID: 0
Preference: 60 Cost: 0
NextHop: 10.10.10.2 Neighbour: 0.0.0.0
State: Inactive Adv WaitQ Age: 00h00m55s
Tag: 0 Priority: 0
Label: NULL QoSInfo: 0x0
EntryFlags: 0x312000 RefPriCnt: 2
RelayNextHop: 0.0.0.0 Interface:
TunnelID: 0x0 Flags: R
[toys]dis zone --------------view security zones
15:05:30 2016/02/24
local
priority is 100
#
trust
priority is 85
interface of the zone is (2):
GigabitEthernet0/0/0
GigabitEthernet0/0/1
#
untrust
priority is 5
interface of the zone is (1):
GigabitEthernet0/0/2
#
dmz
priority is 50
interface of the zone is (0):
#
[toys]fil
[toys]fir
[toys]firewall zon
[toys]firewall zone n
[toys]firewall zone name dm
[toys]firewall zone name dmz3----------set the security level of a security zone
15:06:24 2016/02/24
[toys-zone-dmz3]set ?
priority Indicate the priority of the security zone

[toys-zone-dmz3]set p
[toys-zone-dmz3]set priority ?
INTEGER<1-100> Specify the priority of the security zone

[toys-zone-dmz3]set priority 80
15:06:46 2016/02/24
[toys-zone-dmz3]q
15:07:36 2016/02/24
[toys]acl 2000----------------configure an ACL
15:09:07 2016/02/24
[toys-acl-basic-2000]rule ?
INTEGER<0-4294967294> Specify ID of ACL rule
deny Indicate matched packet deny
permit Indicate matched packet permit

[toys-acl-basic-2000]rule 1 ?
deny Indicate matched packet deny
permit Indicate matched packet permit

[toys-acl-basic-2000]rule 1 pe
[toys-acl-basic-2000]rule 1 permit ?
description Specify rule description
logging Indicate log matched packet
source Indicate source address
time-range Indicate a special time

[toys-acl-basic-2000]rule 1 permit so
[toys-acl-basic-2000]rule 1 permit source ?
X.X.X.X Specify the source address
address-set Indicate the address set configuration information
any Indicate any source

[toys-acl-basic-2000]rule 1 permit source 192.168.2.2 ?
0 Wildcard bits : 0.0.0.0 ( a host )
X.X.X.X Indicate wildcard of source

[toys-acl-basic-2000]rule 1 permit source 192.168.2.2 0
15:10:12 2016/02/24
[toys-acl-basic-2000]q
15:10:15 2016/02/24
[toys]dis acl all
15:10:20 2016/02/24
Total nonempty acl number is 1

Basic ACL 2000, 1 rule,not binding with vpn-instance
Acl's step is 5
rule 1 permit source 192.168.2.2 0 (0 times matched)
[toys]firewall interzone untrust t
[toys]firewall interzone untrust trust
15:12:18 2016/02/24
[toys-interzone-trust-untrust]q
15:13:30 2016/02/24
[toys]nat server global ?-----------address NAT
X.X.X.X Global IP address of server
interface Indicate the interface

[toys]nat server global 192.168.2.2 in
[toys]nat server global 192.168.2.2 inside ?
X.X.X.X Local IP address of server host

[toys]nat server global 192.168.2.2 inside 10.10.10.3
15:15:54 2016/02/24
[toys]q
save
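Added example (not from the original post): a small Python audit of a saved-configuration fragment constructed from the commands typed in this session. It flags the settings the device itself warned about (default permit between zones) plus the cleartext management services enabled along the way; the config text, zone names and user name are the page's, the check logic is mine.

```python
import re

# Constructed sample: a fragment of vrpcfg.cfg built from the commands in the
# session above (passwords are the page's sample values, not real secrets).
SAMPLE_CFG = """\
sysname toys
firewall packet-filter default permit interzone trust local
firewall packet-filter default permit interzone local untrust
ftp server enable
web-manager enable
user-interface vty 0 4
 authentication-mode password cipher Toys123456
 protocol inbound all
aaa
 local-user toy password cipher Toys123456
 local-user toy level 15
ssh user toy authentication-type rsa
"""

INTERZONE_RE = re.compile(r"firewall packet-filter default permit interzone (\S+) (\S+)")
LEVEL_RE = re.compile(r"\s*local-user (\S+) level (\d+)")


def audit_config(cfg_text):
    """Return a list of (severity, finding) tuples for weak settings."""
    findings = []
    section = None
    for raw in cfg_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        # A top-level line opens a section; indented lines belong to it.
        if not raw.startswith(" "):
            section = line
        m = INTERZONE_RE.match(line)
        if m:
            findings.append(("high", f"default permit between zones {m.group(1)} and "
                                     f"{m.group(2)}; write explicit policies instead"))
        if line == "ftp server enable":
            findings.append(("medium", "FTP server enabled: credentials and config "
                                       "files travel in clear text; prefer SFTP"))
        if section and section.startswith("user-interface vty"):
            if line.strip() in ("protocol inbound all", "protocol inbound telnet"):
                findings.append(("high", f"{section}: Telnet accepted; "
                                         "restrict to 'protocol inbound ssh'"))
            if line.strip().startswith("authentication-mode password"):
                findings.append(("medium", f"{section}: shared line password; "
                                           "prefer per-user AAA"))
        m = LEVEL_RE.match(line)
        if m and int(m.group(2)) >= 15:
            findings.append(("info", f"local user {m.group(1)} has level "
                                     f"{m.group(2)} (full privilege)"))
    return findings


if __name__ == "__main__":
    for severity, text in audit_config(SAMPLE_CFG):
        print(f"[{severity}] {text}")
```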