Common Firewall Security Policies
Basic commands:
| Command | Function | Notes |
|---|---|---|
| service-manage ping permit | Allow an interface to be pinged | Enter the command under the specified interface |
| web-manager security enable | Enable the web management function | |
Enable NAT (easy-ip):
[USG6000V1]nat-policy
[USG6000V1-policy-nat]rule name trust_untrust
[USG6000V1-policy-nat-rule-trust_untrust]source-zone trust
[USG6000V1-policy-nat-rule-trust_untrust]egress-interface g1/0/2
[USG6000V1-policy-nat-rule-trust_untrust]action nat easy-ip
Then permit trust-to-untrust access and configure a default route for reaching the external network.
At this point external services can be accessed normally; if the reader also wants to ping, the ICMP protocol must be permitted as well.
NAT server (server mapping):
nat server nat_statit 0 zone untrust protocol tcp global 202.1.1.1 www inside 172.16.1.2 www
Of course, untrust-to-dmz traffic must be permitted first.
Enable the Telnet service on a specific interface:
[USG6000V1]int g0/0/0
[USG6000V1-GigabitEthernet0/0/0]service-manage telnet permit
[USG6000V1-GigabitEthernet0/0/0]q
[USG6000V1]user-interface vty 0 4
[USG6000V1-ui-vty0-4]protocol inbound all
[USG6000V1-ui-vty0-4]authentication-mode password
[USG6000V1-ui-vty0-4]set authentication password cipher asdf-1234
Alternatively, AAA authentication mode can be selected.
Telnet remote management of the firewall:
Password-only login:
[USG6000V1]telnet server enable //enable the Telnet service
[USG6000V1]int g0/0/0 //select the interface used for Telnet
[USG6000V1-GigabitEthernet0/0/0]service-manage telnet permit //allow Telnet on the interface
[USG6000V1-GigabitEthernet0/0/0]q
[USG6000V1]user-interface vty 0 4 //set the number of virtual user interfaces allowed to connect
[USG6000V1-ui-vty0-4]protocol inbound all //allow all protocols, including Telnet
[USG6000V1-ui-vty0-4]authentication-mode password //password-only authentication
[USG6000V1-ui-vty0-4]set authentication password cipher abc-1234 //set the password
Username and password login:
[USG6000V1]telnet server enable
[USG6000V1]aaa
[USG6000V1-aaa]manager-user admin
[USG6000V1-aaa-manager-user-admin]service-type telnet web terminal //the admin user itself must keep web and terminal access, so they are retained; the admin user's default password is Admin@123
[USG6000V1-aaa-manager-user-admin]q
[USG6000V1-aaa]q
[USG6000V1]user-interface vty 0 4
[USG6000V1-ui-vty0-4]authentication-mode aaa //authentication mode is AAA
[USG6000V1-ui-vty0-4]protocol inbound all
[USG6000V1-ui-vty0-4]q
[USG6000V1]int g0/0/0
[USG6000V1-GigabitEthernet0/0/0]service-manage telnet permit
Alternatively, the reader can skip the admin user and create a new user instead:
Configure the login mode for the remote user
[USG6000V1]user-interface vty 0 4
[USG6000V1-ui-vty0-4]authentication-mode aaa
[USG6000V1-ui-vty0-4]protocol inbound telnet
Create the remote user
[USG6000V1]aaa
[USG6000V1-aaa]manager-user zhangsan
[USG6000V1-aaa-manager-user-zhangsan]password cipher zhangsan@123
[USG6000V1-aaa-manager-user-zhangsan]service-type telnet
[USG6000V1-aaa-manager-user-zhangsan]level 15
SSH login:
[USG6000V1]rsa local-key-pair create
The key name will be: USG6000V1_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
it will take a few minutes.
Input the bits in the modulus[default = 2048]:
Generating keys…
…+++++
…++
…++++
…++
[USG6000V1]int g0/0/0
[USG6000V1-GigabitEthernet0/0/0]service-manage ssh permit
[USG6000V1-GigabitEthernet0/0/0]q
[USG6000V1]user-interface vty 0 4
[USG6000V1-ui-vty0-4]authentication-mode aaa
[USG6000V1-ui-vty0-4]protocol inbound ssh
[USG6000V1-ui-vty0-4]q
[USG6000V1]aaa
[USG6000V1-aaa]manager-user zhangsan
[USG6000V1-aaa-manager-user-zhangsan]password cipher zhangsan@123
[USG6000V1-aaa-manager-user-zhangsan]service-type ssh
[USG6000V1-aaa-manager-user-zhangsan]level 15
[USG6000V1-aaa-manager-user-zhangsan]dis this
manager-user zhangsan
password cipher @%@%}q%xECLM@1uYQMaBB-M.R7%Ygzq1QPy::8:(0&npj~7R7(.@%@%
service-type ssh
level 15
return
[USG6000V1-aaa-manager-user-zhangsan]q
[USG6000V1-aaa]q
[USG6000V1]stelnet server enable
[USG6000V1]ssh user zhangsan
[USG6000V1]ssh user zhangsan authentication-type password
[USG6000V1]ssh user zhangsan service-type stelnet
Note: the first time the SSH client connects, the following command must be run on the client:
ssh client first-time enable //this command
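As an added example (not part of the original notes), a small Python audit that flags the weak management-plane settings this page contrasts: cleartext Telnet with a shared VTY password versus SSH with AAA per-user accounts. The two config fragments are constructed from the commands above and the rule set is my own, not a vendor tool.

```python
import re

# Constructed sample: the password-only Telnet variant shown on this page.
TELNET_PASSWORD_ONLY = """\
telnet server enable
interface GigabitEthernet0/0/0
 service-manage telnet permit
 service-manage ping permit
user-interface vty 0 4
 protocol inbound all
 authentication-mode password
 set authentication password cipher abc-1234
"""

# Constructed sample: the SSH (stelnet) variant with AAA per-user accounts.
SSH_AAA = """\
stelnet server enable
interface GigabitEthernet0/0/0
 service-manage ssh permit
user-interface vty 0 4
 protocol inbound ssh
 authentication-mode aaa
"""

# (rule id, regex matched against each stripped config line, explanation)
RULES = [
    ("TELNET_SERVER", r"^telnet server enable$",
     "Telnet server is on; management traffic and passwords travel in cleartext."),
    ("TELNET_ON_IFACE", r"^service-manage telnet permit$",
     "An interface accepts Telnet; use 'service-manage ssh permit' instead."),
    ("VTY_ALL_PROTOCOLS", r"^protocol inbound all$",
     "VTY accepts every protocol; restrict it to 'protocol inbound ssh'."),
    ("VTY_SHARED_PASSWORD", r"^authentication-mode password$",
     "VTY uses one shared password; 'authentication-mode aaa' gives per-user accounts."),
]

def audit_mgmt_plane(config: str) -> list[tuple[str, str]]:
    """Return (rule_id, explanation) for each weak management-plane setting found."""
    lines = [line.strip() for line in config.splitlines() if line.strip()]
    findings = []
    for rule_id, pattern, why in RULES:
        if any(re.match(pattern, line) for line in lines):
            findings.append((rule_id, why))
    return findings

if __name__ == "__main__":
    for name, cfg in (("telnet/password", TELNET_PASSWORD_ONLY), ("ssh/aaa", SSH_AAA)):
        print(f"{name}: {[rid for rid, _ in audit_mgmt_plane(cfg)] or 'no findings'}")
```

Feed it the relevant part of `display current-configuration` to check a real device; the `set authentication password` line is not flagged because the `cipher` keyword stores it encrypted, but the shared-password rule still catches that mode.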