Basic commands:
Command                        Function                          Note
service-manage ping permit     allow ping into an interface      entered under the specified interface view
web-manager security enable    enable web management

Enable NAT (easy-ip):
[USG6000V1]nat-policy
[USG6000V1-policy-nat]rule name trust_untrust
[USG6000V1-policy-nat-rule-trust_untrust]source-zone trust
[USG6000V1-policy-nat-rule-trust_untrust]egress-interface g1/0/2
[USG6000V1-policy-nat-rule-trust_untrust]action nat easy-ip

Then permit access from trust to untrust and configure the default route towards the Internet. External services can now be reached normally; if you also want to ping out, the ICMP protocol must be permitted as well.
NAT server (server mapping):
nat server nat_statit 0 zone untrust protocol tcp global 202.1.1.1 www inside 172.16.1.2 www

Of course, traffic from untrust to the dmz must be permitted first.

Enable the Telnet service on a specific interface:
[USG6000V1]int g0/0/0
[USG6000V1-GigabitEthernet0/0/0]service-manage telnet permit
[USG6000V1-GigabitEthernet0/0/0]q
[USG6000V1]user-interface vty 0 4
[USG6000V1-ui-vty0-4]protocol inbound all
[USG6000V1-ui-vty0-4]authentication-mode password
[USG6000V1-ui-vty0-4]set authentication password cipher asdf-1234

AAA authentication mode can be chosen instead.
Telnet remote management of the firewall:
Password-only login:
[USG6000V1]telnet server enable                                   //enable the telnet service
[USG6000V1]int g0/0/0                                             //select the telnet interface
[USG6000V1-GigabitEthernet0/0/0]service-manage telnet permit      //enable telnet on the interface
[USG6000V1-GigabitEthernet0/0/0]q
[USG6000V1]user-interface vty 0 4                                 //set the number of virtual interfaces allowed for access
[USG6000V1-ui-vty0-4]protocol inbound all                         //allow all protocols, including telnet
[USG6000V1-ui-vty0-4]authentication-mode password                 //password-only authentication
[USG6000V1-ui-vty0-4]set authentication password cipher abc-1234  //set the password
Username and password login:
[USG6000V1]telnet server enable
[USG6000V1]aaa
[USG6000V1-aaa]manager-user admin
[USG6000V1-aaa-manager-user-admin]service-type telnet web terminal  //the admin user itself needs web and terminal, so keep them; the default password of admin is Admin@123
[USG6000V1-aaa-manager-user-admin]q
[USG6000V1-aaa]q
[USG6000V1]user-interface vty 0 4
[USG6000V1-ui-vty0-4]authentication-mode aaa  //authentication mode is AAA
[USG6000V1-ui-vty0-4]protocol inbound all
[USG6000V1-ui-vty0-4]q
[USG6000V1]int g0/0/0
[USG6000V1-GigabitEthernet0/0/0]service-manage telnet permit
Alternatively, instead of using the admin user, you can create a user of your own:
Create the remote login method:
[USG6000V1]user-interface vty 0 4
[USG6000V1-ui-vty0-4]authentication-mode aaa
[USG6000V1-ui-vty0-4]protocol inbound telnet

Create the remote user:
[USG6000V1]aaa
[USG6000V1-aaa]manager-user zhangsan
[USG6000V1-aaa-manager-user-zhangsan]password cipher zhangsan@123
[USG6000V1-aaa-manager-user-zhangsan]service-type telnet
[USG6000V1-aaa-manager-user-zhangsan]level 15
Logging in with SSH:
[USG6000V1]rsa local-key-pair create
The key name will be: USG6000V1_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512, it will take a few minutes.
Input the bits in the modulus[default = 2048]:
Generating keys…
…+++++
…++
…++++
…++
[USG6000V1]int g0/0/0
[USG6000V1-GigabitEthernet0/0/0]service-manage ssh permit
[USG6000V1-GigabitEthernet0/0/0]q
[USG6000V1]user-interface vty 0 4
[USG6000V1-ui-vty0-4]authentication-mode aaa
[USG6000V1-ui-vty0-4]protocol inbound ssh
[USG6000V1-ui-vty0-4]q
[USG6000V1]aaa
[USG6000V1-aaa]manager-user zhangsan
[USG6000V1-aaa-manager-user-zhangsan]password cipher zhangsan@123
[USG6000V1-aaa-manager-user-zhangsan]service-type ssh
[USG6000V1-aaa-manager-user-zhangsan]level 15
[USG6000V1-aaa-manager-user-zhangsan]dis this
manager-user zhangsan
 password cipher @%@%}q%xECLM@1uYQMaBB-M.R7%Ygzq1QPy::8:(0&npj~7R7(.@%@%
 service-type ssh
 level 15
return
[USG6000V1-aaa-manager-user-zhangsan]q
[USG6000V1-aaa]q
[USG6000V1]stelnet server enable
[USG6000V1]ssh user zhangsan
[USG6000V1]ssh user zhangsan authentication-type password
[USG6000V1]ssh user zhangsan service-type stelnet

Note: when the SSH client logs in for the first time, this command must be run on it:
ssh client first-time enable
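As an added example (not from this page or from Huawei), a small Python audit script that reads a USG-style configuration and flags the management-plane settings the Telnet sections above introduce (telnet server enable, service-manage telnet permit, protocol inbound all, password-only vty authentication), while the SSH-only settings from the last section pass clean. The two sample configurations and the convention that indented lines belong to the preceding interface/vty view are constructed assumptions.

```python
# Constructed sample modelled on the Telnet and SSH commands on this page; indentation marks
# lines inside an interface or vty view, as in a USG 'display current-configuration' listing.
WEAK_CONFIG = """\
telnet server enable
stelnet server enable
interface GigabitEthernet0/0/0
 service-manage telnet permit
 service-manage ssh permit
user-interface vty 0 4
 authentication-mode password
 protocol inbound all
"""

# The same management plane with only the SSH settings from the page's last section.
HARDENED_CONFIG = """\
stelnet server enable
interface GigabitEthernet0/0/0
 service-manage ssh permit
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
"""

def audit_management_plane(config: str) -> list:
    """Return one finding per weak remote-management setting found in a USG-style config."""
    findings = []
    context = None  # name of the interface, or 'vty', whose view we are currently inside
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):  # top-level command: leaves whatever view we were in
            context = None
            if line == "telnet server enable":
                findings.append("global: telnet server enable (cleartext management protocol)")
            elif line.startswith("interface "):
                context = line.split()[1]
            elif line.startswith("user-interface vty"):
                context = "vty"
            continue
        if context == "vty":
            if line == "protocol inbound all":
                findings.append("vty: protocol inbound all (restrict to 'protocol inbound ssh')")
            elif line == "authentication-mode password":
                findings.append("vty: authentication-mode password (shared secret; prefer authentication-mode aaa)")
        elif context and line == "service-manage telnet permit":
            findings.append(f"{context}: service-manage telnet permit")
    return findings
```

Running audit_management_plane(WEAK_CONFIG) yields four findings, one per weak line; the hardened configuration yields none.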