2025-04-12 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Basic configuration of USG Firewall
Learning objectives
Log in to the USG firewall
Change the firewall device name
Set the firewall time and time zone
Change the firewall login banner information
Change the firewall login password
View, save, and delete firewall configurations
Configure VLANs and interface addresses, and test basic connectivity on the firewall
Topology diagram
Learning tasks
Step one. Log in to the firewall in its default configuration and change the name of the firewall
Firewalls, like routers, have a console interface. Use the console cable to connect the console interface to the computer's COM port. You can then connect to the firewall with the HyperTerminal software that comes with the Windows operating system.
The default configuration of the firewall includes a user name and password. The user name is admin and the password is Admin@123, so you must enter both when logging in. Both are case-sensitive.
The method of changing the name of the firewall is the same as changing the name of a router.
Because the firewall and the router both use the VRP operating system platform, the command levels, command help, and so on are the same as on the router.
<SRG> sys
13:47:28 2014-07-04
Enter system view, return user view with Ctrl+Z.
[SRG] sysname FW
13:47:32 2014-07-04
Step two. Modify firewall time and time zone information
By default, the firewall has no time zone defined, and the time kept by the system may not match the actual time. Define the time and time zone according to the actual situation. In this experiment we set the time zone to the East Eighth Zone and then set the standard time.
<FW> clock timezone 1 add 08:00:00
13:50:57 2014-07-04
<FW> dis clock
21:51:15 2014-07-03
2014-07-03 21:51:15
Thursday
Time Zone: 1 add 08:00:00
<FW> clock datetime 13:53:44 2014/07/04
21:53:29 2014-07-03
<FW> dis clock
13:54:04 2014-07-04
2014-07-04 13:54:04
Friday
Time Zone: 1 add 08:00:00
Step three. Modify firewall login banner information
By default, the following banner information is displayed after a successful login to the firewall.
Please Press ENTER.
Login authentication
Username:admin
Password:*
NOTICE:This is a private communication system.
Unauthorized access or use may lead to prosecution.
The firewall uses this information to warn against unauthorized access.
In practice, the administrator can modify the default login banner information as needed. There are two types: the message shown before login and the message shown after a successful login.
[FW] header login information ^
14:01:21 2014-07-04
Info: The banner text supports 220 characters max, including the start and the end character.If you want to enter more than this, use banner file instead.
Input banner text, and quit with the character '^':
Welcome to USG5500 ^
[FW] header shell information ^
14:02:54 2014-07-04
Info: The banner text supports 220 characters max, including the start and the end character.If you want to enter more than this, use banner file instead.
Input banner text, and quit with the character '^':
Welcome to USG5500
You are logining in system Please do not delete system config files ^
After the configuration is complete, log out of the system, then log in again to check that the banners take effect.
Please Press ENTER.
Welcome to USG5500
Login authentication
Username:admin
Password:*
Welcome to USG5500
You are logining in system Please do not delete system config files
NOTICE:This is a private communication system.
Unauthorized access or use may lead to prosecution.
Note that the default NOTICE message generally remains: it does not disappear and is not replaced by the custom banners.
Step four. Change the user name and password used to log in to the firewall
By default the firewall uses the user name admin and the password Admin@123. Both can be changed as needed. In this experiment we create a new user with level 3, the user name user1, and the password huawei@123. Note that by default the console interface only allows admin to log in, so set the login authentication mode of the console interface to aaa to make the newly created user effective. The configuration must also specify the service type the user applies to. In this experiment select terminal, which means the credentials are used for login verification through the console port.
[FW] aaa
14:15:43 2014-07-04
[FW-aaa] local-user user1 pass
[FW-aaa] local-user user1 password cipher huawei@123
14:16:08 2014-07-04
[FW-aaa] local-user user1 service-type terminal
14:16:28 2014-07-04
[FW-aaa] local-user user1 level 3
14:16:38 2014-07-04
[FW-aaa] q
14:16:43 2014-07-04
[FW] user-interface console 0
14:16:57 2014-07-04
[FW-ui-console0] authentication-mode aaa
Log out of the system and test whether the new user name and password are valid.
Please Press ENTER.
Welcome to USG5500
Login authentication
Username:user1
Password:*
Welcome to USG5500
You are logining in system Please do not delete system config files
NOTICE:This is a private communication system.
Unauthorized access or use may lead to prosecution.
Step five. View, save, and delete configurations
The firewall has commands for viewing both the running and the saved configuration. Use the display current-configuration command to view the running configuration and the display saved-configuration command to view the saved configuration.
<FW> dis current-configuration
14:27:01 2014-07-04
#
stp region-configuration
 region-name f0a7e2157008
 active region-configuration
#
interface GigabitEthernet0/0/0
 alias GE0/MGMT
 ip address 192.168.0.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 192.168.0.1
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
 alias NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
#
firewall zone untrust
 set priority 5
#
firewall zone dmz
 set priority 50
#
aaa
 local-user admin password cipher %$%$s$] c% ^ XV6 (/ | BaQ$ [T X "G > 5% X% $)
 local-user admin service-type web terminal telnet
 local-user admin level 15
 local-user user1 password cipher %$%$tY4Z: `xG0 / G! 1 ^ C) 2 [48 "% yp%$%$
 local-user user1 service-type terminal
 local-user user1 level 3
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
#
nqa-jitter tag-version 1
#
header shell information "Welcome to USG5500
You are logining in system Please do not delete system config files "
header login information "Welcome to USG5500"
banner enable
#
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode none
 protocol inbound all
#
slb
#
right-manager server-group
#
sysname FW
#
l2tp domain suffix-separator @
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
#
ip df-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
#
firewall statistic system enable
#
pki ocsp response cache refresh interval 0
pki ocsp response cache number 0
#
undo dns proxy
#
license-server domain lic.huawei.com
#
web-manager enable
#
return
Save the configuration and view the saved configuration information.
<FW> sa
14:29:29 2014-07-04
The current configuration will be written to the device.
Are you sure to continue? [Y/N] y
2014-07-04 14:29:31 FW% CFM/4/SAVE (l): When deciding whether to save configuration to the device, the user chose Y.
Do you want to synchronically save the configuration to the startup saved-configuration file on peer device? [Y/N]: y
Now saving the current configuration to the device...
Info:The current configuration was saved to the device successfully.
<FW> dis saved-configuration
14:27:48 2014-07-04
# CLI_VERSION=V300R001
# Last configuration was changed at 2014/07/04 13:56:09 from console0
#*****BEGIN****public****#
#
interface GigabitEthernet0/0/0
 alias GE0/MGMT
 ip address 192.168.0.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 192.168.0.1
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface NULL0
 alias NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/0
#
firewall zone untrust
 set priority 5
#
firewall zone dmz
 set priority 50
#
aaa
 local-user admin password cipher %$%$s$] c% ^ XV6 (/ | BaQ$ [T X "G > 5% X% $)
 local-user admin service-type web terminal telnet
 local-user admin level 15
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
#
nqa-jitter tag-version 1
#
banner enable
#
user-interface con 0
 authentication-mode none
user-interface vty 0 4
 authentication-mode none
 protocol inbound all
#
slb
#
right-manager server-group
#
sysname FW
#
l2tp domain suffix-separator @
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
#
ip df-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
#
firewall statistic system enable
#
pki ocsp response cache refresh interval 0
pki ocsp response cache number 0
#
undo dns proxy
#
license-server domain lic.huawei.com
#
web-manager enable
#
return
#-----END----#
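The running and saved dumps above differ, and both carry management-access settings worth reviewing. The following added example (not part of the original article and not a Huawei tool) lists sub-commands that exist only in the running configuration and flags weak login settings. It assumes the dump keeps VRP's one-space indentation under each stanza header; the sample text, the RULES policy and all function names are constructed for illustration.

```python
import re

# Constructed samples modelled on the two dumps above (password hashes omitted).
RUNNING = """\
aaa
 local-user admin service-type web terminal telnet
 local-user user1 service-type terminal
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode none
 protocol inbound all
"""
SAVED = """\
aaa
 local-user admin service-type web terminal telnet
user-interface con 0
 authentication-mode none
user-interface vty 0 4
 authentication-mode none
 protocol inbound all
"""
RULES = [  # (stanza prefix, line pattern, finding): an assumed audit policy
    ("user-interface", r"authentication-mode none$", "no login authentication"),
    ("user-interface", r"protocol inbound all$", "telnet accepted alongside ssh"),
    ("aaa", r"local-user \S+ service-type .*\btelnet\b", "account may use telnet"),
]

def flatten(config):
    """Return (stanza header, sub-command) pairs; '#' separator lines are skipped."""
    pairs, head = [], ""
    for line in config.splitlines():
        if line[:1] == " " and line.strip():
            pairs.append((head, line.strip()))
        elif line.strip() and not line.startswith("#"):
            head = line.strip()  # an unindented line opens a new stanza
    return pairs

def audit(config):
    """Return (stanza, line, finding) for every rule a sub-command matches."""
    return [(head, line, why) for head, line in flatten(config)
            for prefix, pattern, why in RULES
            if head.startswith(prefix) and re.match(pattern, line)]

def unsaved(running, saved):
    """Sub-commands only in the running config: lost on reboot until saved."""
    on_disk = set(flatten(saved))
    return [pair for pair in flatten(running) if pair not in on_disk]
```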
Use the delete flash:/vrpcfg.zip command to delete the saved configuration (in the session below the saved file is flash:/vrpcfg.cfg).
<FW> delete flash:/vrpcfg.cfg
14:31:42 2014-07-04
Be Careful! Deleting the next startup config file will lose your configuration.
Delete flash:/vrpcfg.cfg? [Y/N]: y
Deleting file flash:/vrpcfg.cfg...Done!
Step six. Configure interface addr
Configure G0/0/1 as 10.0.2.1/24, G0/0/0 as 10.0.1.1/24, and G0/0/2 as 10.0.3.1/24.
[FW] interface g0/0/2
16:12:58 2014-07-04
[FW-GigabitEthernet0/0/2] ip add 10.0.3.1 24
16:13:21 2014-07-04
[FW-GigabitEthernet0/0/2] interface g0/0/0
16:13:32 2014-07-04
[FW-GigabitEthernet0/0/0] undo ip add
16:14:02 2014-07-04
[FW-GigabitEthernet0/0/0] ip add 10.0.1.1 24
16:14:14 2014-07-04
[FW-GigabitEthernet0/0/0] interface g0/0/1
16:14:36 2014-07-04
[FW-GigabitEthernet0/0/1] ip add 10.0.2.1 24
16:14:50 2014-07-04
[FW-GigabitEthernet0/0/1] q
16:14:52 2014-07-04
[FW]
On switch S1, assign interface G0/0/21 to VLAN 1, G0/0/22 to VLAN 2, and G0/0/23 to VLAN 3. Configure the Vlanif1 interface with IP address 10.0.1.2/24, the Vlanif2 interface with IP address 10.0.2.2/24, and the Vlanif3 interface with IP address 10.0.3.2/24.
[Huawei] sysname S1
[S1] vlan batch 2 3
[S1] interface g0/0/21
[S1-GigabitEthernet0/0/21] port link-type access
[S1-GigabitEthernet0/0/21] port default vlan 1
[S1-GigabitEthernet0/0/21] interface g0/0/22
[S1-GigabitEthernet0/0/22] port link-type access
[S1-GigabitEthernet0/0/22] port default vlan 2
[S1-GigabitEthernet0/0/22] interface g0/0/23
[S1-GigabitEthernet0/0/23] port link-type access
[S1-GigabitEthernet0/0/23] port default vlan 3
[S1-GigabitEthernet0/0/23] interface vlanif1
[S1-Vlanif1] ip add 10.0.1.2 24
[S1-Vlanif1] interface vlanif 2
[S1-Vlanif2] ip add 10.0.2.2 24
[S1-Vlanif2] interface vlanif 3
[S1-Vlanif3] ip add 10.0.3.2 24
Add G0/0/0, G0/0/1, and G0/0/2 to the trust zone, then test the connectivity of the three ports (before adding a port to the untrust zone, make sure it is not in the trust zone).
[FW] firewall zone trust
16:39:40 2014-07-04
[FW-zone-trust] add interface g0/0/2
16:40:05 2014-07-04
[FW-zone-trust] add interface g0/0/3
16:41:59 2014-07-04
[FW-zone-trust] add interface g0/0/1
[FW-zone-trust] q
[S1] ping -c 1 10.0.1.1
PING 10.0.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.1.1: bytes=56 Sequence=1 ttl=255 time=50 ms
--- 10.0.1.1 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 50/50/50 ms
[S1] ping -c 1 10.0.2.1
PING 10.0.2.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.2.1: bytes=56 Sequence=1 ttl=255 time=50 ms
--- 10.0.2.1 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 50/50/50 ms
[S1] ping -c 1 10.0.3.1
PING 10.0.3.1: 56 data bytes, press CTRL_C to break
Reply from 10.0.3.1: bytes=56 Sequence=1 ttl=255 time=60 ms
--- 10.0.3.1 ping statistics ---
1 packet(s) transmitted
1 packet(s) received
0.00% packet loss
round-trip min/avg/max = 60/60/60 ms
Attachment: http://down.51cto.com/data/2364616