Introduction and configuration of Huawei Firewall Management

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Blog outline:

I. Introduction of several management methods of Huawei firewall equipment
II. Configuration of various management methods
1. Manage through Telnet
2. Manage through web
3. Manage through SSH

I. Introduction of several management methods of Huawei firewall equipment

Since the configuration and management of firewall equipment involves the concept of AAA, here is first a brief introduction to AAA.

AAA is composed of three parts: Authentication, Authorization and Accounting. It is a server-side framework that handles user access requests; its main purpose is to control users' access to network servers and to provide services to users who have access rights. Specifically:

Authentication: verify which users may access the network server.

Authorization: which services and permissions are available to users who have passed authentication.

Accounting: how to audit users who are using network resources.

An AAA server usually works together with network access control, gateway servers, databases and user information directories. A user who wants to reach network resources must first be authenticated before any access is granted. Authentication verifies the legitimacy of the user's identity; once authentication is complete, the user can be authorized to access network resources, and the user's use of those resources can then be accounted for and audited.

The AAA authentication methods of network devices fall into two categories: local authentication and remote authentication. Local authentication creates and verifies the user name and password on the device itself, while remote authentication is completed through the AAA server provided by the vendor, which requires the device to be associated with that AAA server.

Huawei firewalls support both local and remote authentication; all of the following configurations use local authentication.

The common management methods of Huawei firewalls are:

Manage through Console: out-of-band management that does not consume bandwidth. It is suitable for the first configuration of a new device. During that first configuration, one or more of the following management methods is set up, so that next time the device can be reached directly over a remote connection instead of the Console.

Manage through Telnet: in-band management with simple configuration, low security and low resource consumption, mainly suitable for scenarios with low security requirements and limited device performance. Because all data is transmitted in clear text during configuration, it should only be used inside the intranet.

Manage through web: in-band management with a graphical interface, suitable for novices configuring devices (who should still become familiar with how it works).

Manage through SSH: in-band management with a more complex configuration and higher resource usage, but with very high security; it is mainly suitable for scenarios with high security requirements, such as remotely managing corporate network equipment over the Internet.

II. Configuration of various management methods

For Console management, just connect the console cable and open a terminal emulator on the client. The specific steps can be found by searching Baidu and are not written here.

1. Manage the configuration through Telnet

There is nothing special about this network environment. Here I use eNSP to add a firewall and connect it to a host; the host is mainly there to verify the result. To verify the effect in eNSP, you need to import the firewall system image into the simulator. I use the USG6000 firewall here, and you can download the firewall system file I provided.

The firewall is configured as follows:

On the USG6000, the interface with the lowest default number (usually G0/0/0) already carries some related configuration and an IP address for remote management, so many configuration steps could be omitted. In order to write down the required configuration completely, I do not use the G0/0/0 interface but another, unconfigured interface.

As follows:

Start the configuration:

sys
[USG6000V1] int g1/0/0
[USG6000V1-GigabitEthernet1/0/0] ip add 192.168.1.254 24
[USG6000V1-GigabitEthernet1/0/0] quit
[USG6000V1] telnet server enable
[USG6000V1] int g1/0/0
[USG6000V1-GigabitEthernet1/0/0] service-manage enable
[USG6000V1-GigabitEthernet1/0/0] service-manage telnet permit
[USG6000V1-GigabitEthernet1/0/0] quit
[USG6000V1] firewall zone trust
[USG6000V1-zone-trust] add int g1/0/0
[USG6000V1-zone-trust] quit
[USG6000V1] security-policy
[USG6000V1-policy-security] rule name allow_telnet
[USG6000V1-policy-security-rule-allow_telnet] source-zone trust
[USG6000V1-policy-security-rule-allow_telnet] destination-zone local
[USG6000V1-policy-security-rule-allow_telnet] action permit
[USG6000V1-policy-security-rule-allow_telnet] quit
[USG6000V1-policy-security] quit
[USG6000V1] user-interface vty 0 4
[USG6000V1-ui-vty0-4] authentication-mode aaa
[USG6000V1-ui-vty0-4] protocol inbound telnet
[USG6000V1-ui-vty0-4] quit
[USG6000V1] aaa
[USG6000V1-aaa] manager-user lv
[USG6000V1-aaa-manager-user-lv] password
Enter Password:
Confirm Password:
[USG6000V1-aaa-manager-user-lv] service-type telnet
[USG6000V1-aaa-manager-user-lv] level 3
[USG6000V1-aaa-manager-user-lv] quit
[USG6000V1-aaa] quit

After the above configuration, you can use a terminal emulator such as Xshell to connect to the firewall with the telnet command, as follows:

[C:\~]$ telnet 192.168.1.254
Connecting to 192.168.1.254:23...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Warning: Telnet is not a secure protocol, and it is recommended to use Stelnet.
Login authentication
Username:lv
Password:
The password needs to be changed. Change now? [Y/N]: y
Please enter old password:
Please enter new password:
Please confirm new password:

With regard to the management level, as mentioned in the previous blog post, "0" is the visit level and nothing can be done; "1" is the monitoring level and can view the relevant configuration; "2" is the configuration level and some parameters can be configured; "3-15" are the management levels with maximum permissions.

2. Configure web login to the firewall

Note: the following configuration is done on a brand-new firewall with no configuration by default; the Telnet configuration above has been removed.

Start the configuration:

sys
[USG6000V1] int g1/0/0
[USG6000V1-GigabitEthernet1/0/0] ip add 192.168.1.254 24
[USG6000V1-GigabitEthernet1/0/0] service-manage enable
[USG6000V1-GigabitEthernet1/0/0] service-manage https permit
[USG6000V1-GigabitEthernet1/0/0] service-manage http permit
[USG6000V1-GigabitEthernet1/0/0] quit
[USG6000V1] firewall zone trust
[USG6000V1-zone-trust] add int g1/0/0
[USG6000V1-zone-trust] quit
[USG6000V1] security-policy
[USG6000V1-policy-security] rule name allow_web
[USG6000V1-policy-security-rule-allow_web] source-zone trust
[USG6000V1-policy-security-rule-allow_web] destination-zone local
[USG6000V1-policy-security-rule-allow_web] action permit
[USG6000V1-policy-security-rule-allow_web] quit
[USG6000V1-policy-security] quit
[USG6000V1] web-manager security enable
[USG6000V1] aaa
[USG6000V1-aaa] manager-user jian
[USG6000V1-aaa-manager-user-jian] password
Enter Password:
Confirm Password:
[USG6000V1-aaa-manager-user-jian] level 3
[USG6000V1-aaa-manager-user-jian] quit
[USG6000V1-aaa] quit

After the above configuration, you can test web access from the client. The firewall opens HTTPS on port 8443 by default, so use https://192.168.1.254:8443 for access (Google Chrome is recommended; if the page does not load, which may be due to the eNSP simulator, refresh it a few more times):

According to the prompt, enter the corresponding password and change the password (the user must change the password when logging in for the first time):

After changing the new password, log in with the user name and the new password:

After logging in, you can see the following administrative interface (refresh it several times if it does not load):

Configuring the web mode to manage the device is now complete.

3. Configure SSH login to the device

Compared with Telnet, SSH is far more secure, so logging in to the device with Telnet is generally not recommended; log in through SSH instead. The SSH login configuration follows (note: all previous configuration on the firewall has been cleared, so the configuration starts again from scratch):

Start the configuration:

sys
[USG6000V1] int g1/0/0
[USG6000V1-GigabitEthernet1/0/0] ip add 192.168.1.254 24
[USG6000V1-GigabitEthernet1/0/0] service-manage enable
[USG6000V1-GigabitEthernet1/0/0] service-manage ssh permit
[USG6000V1-GigabitEthernet1/0/0] quit
[USG6000V1] firewall zone trust
[USG6000V1-zone-trust] add int g1/0/0
[USG6000V1-zone-trust] quit
[USG6000V1] security-policy
[USG6000V1-policy-security] rule name allow_ssh
[USG6000V1-policy-security-rule-allow_ssh] source-zone trust
[USG6000V1-policy-security-rule-allow_ssh] destination-zone local
[USG6000V1-policy-security-rule-allow_ssh] action permit
[USG6000V1-policy-security-rule-allow_ssh] quit
[USG6000V1-policy-security] quit
[USG6000V1] rsa local-key-pair create
The key name will be: USG6000V1_Host
The range of public key size is (512-2048).
NOTES: If the key modulus is greater than 512, it will take a few minutes.
Input the bits in the modulus [default = 2048]:
Generating keys...
.+....++....++++.++
[USG6000V1] user-interface vty 0 4
[USG6000V1-ui-vty0-4] authentication-mode aaa
[USG6000V1-ui-vty0-4] protocol inbound ssh
[USG6000V1-ui-vty0-4] quit
[USG6000V1] ssh user zhao
[USG6000V1] ssh user zhao authentication-type password
[USG6000V1] ssh user zhao service-type stelnet
[USG6000V1] aaa
[USG6000V1-aaa] manager-user zhao
[USG6000V1-aaa-manager-user-zhao] password
Enter Password:
Confirm Password:
[USG6000V1-aaa-manager-user-zhao] service-type ssh
[USG6000V1-aaa-manager-user-zhao] level 3
[USG6000V1-aaa-manager-user-zhao] quit
[USG6000V1-aaa] quit
[USG6000V1] stelnet server enable

Now that the configuration is complete, you can connect with Xshell.

Execute the command "ssh 192.168.1.254" to connect; the remaining steps are shown in the screenshots and are not explained further.
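The three configurations above differ mainly in which management service is permitted on the interface, which zone that interface sits in, and what the VTY lines accept. The following audit script is an added example, not part of the original post or Huawei's tooling: it reads a config in "display current-configuration" style (the sample is constructed here) and reports management services that are cleartext (Telnet, HTTP) or reachable from a zone other than trust, plus VTY lines that still accept Telnet.

```python
CLEARTEXT = {"telnet", "http"}  # management services whose logins cross the wire unencrypted
# Constructed sample in "display current-configuration" style; not taken from the page.
SAMPLE_CONFIG = """\
#
 telnet server enable
#
interface GigabitEthernet1/0/0
 service-manage telnet permit
 service-manage ssh permit
#
interface GigabitEthernet1/0/1
 service-manage http permit
#
firewall zone trust
 add interface GigabitEthernet1/0/0
#
firewall zone untrust
 add interface GigabitEthernet1/0/1
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound all
#
"""

def audit(config):
    """Return findings for management services that are cleartext or reachable outside zone trust."""
    findings, permits, zone_of, ctx = [], {}, {}, ""
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            ctx = ""                      # a '#' line closes the current block
        elif not raw.startswith(" "):
            ctx = line                    # block header, e.g. "interface GigabitEthernet1/0/0"
        elif line == "telnet server enable":
            findings.append("global: Telnet server enabled (cleartext); use stelnet instead")
        elif ctx.startswith("interface ") and line.startswith("service-manage ") and line.endswith(" permit"):
            permits.setdefault(ctx.split()[1], []).append(line.split()[1])
        elif ctx.startswith("firewall zone ") and line.startswith("add interface "):
            zone_of[line.split()[2]] = ctx.split()[2]
        elif ctx.startswith("user-interface vty") and line in ("protocol inbound all", "protocol inbound telnet"):
            findings.append(f"{ctx}: {line} still accepts Telnet; set 'protocol inbound ssh'")
    for iface, services in permits.items():   # judge each interface by the zone it was added to
        zone = zone_of.get(iface, "<no zone>")
        for svc in services:
            if svc in CLEARTEXT:
                findings.append(f"{iface}: {svc} management permitted (cleartext)")
            if zone != "trust":
                findings.append(f"{iface}: {svc} management reachable from zone {zone}")
    return findings
```

Run `audit()` on the output of `display current-configuration` saved from a real device; an empty list means only encrypted management on trust-zone interfaces was found.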

Written at the end:

In fact, after reading carefully, it should not be hard to see that the configuration of each management method is not complicated, and much of it is the same across methods (I basically copied the notes of the first two methods and made some changes, so please don't mind the repetition; I think it is more convenient for some novices to refer to this document.)
