Shulou Technology News & Howtos > Network Security (updated 2025-01-19)
Shulou (Shulou.com) 06/01 Report
1. Scenario:
The firewall to be configured sits in the server room, so the plan is to configure it on site first so that afterwards it can be reached remotely through a jump host hanging off the core switch.
2. Topology diagram:
The topology is as follows: the external network reaches the jump host (arrow 2) along the path marked by arrow 1, and from the jump host reaches the H3C firewall that is interconnected with the Huawei 9306 along the path marked by arrow 3 (partly covered by the logo). The relevant ports and the planned IP addresses are shown in the figure.
The H3C SecPath F1000-S-AI software version is:
Comware Software, Version 5.20
Note: the topology uses Cisco icons throughout; ignore that and just follow the diagram.
3. Configuration process:
1. Enable telnet:
<H3C> system-view # enter system view
System View: return to User View with Ctrl+Z.
[H3C] telnet server enable # enable the telnet server
Telnet carries the username and password in cleartext across every hop between the jump host and the firewall. For anything beyond this temporary debugging window, SSH is the appropriate management protocol, and the telnet server should be disabled again once it is no longer needed.
2. Configure the VTY lines and the authentication method:
[H3C] user-interface vty 0 4 # enter the view for VTY lines 0 to 4 (up to five concurrent telnet sessions)
[H3C-ui-vty0-4] authentication-mode scheme # require username/password authentication through AAA (local users in the default domain)
[H3C-ui-vty0-4] quit # leave VTY view
3. Configure the access user:
[H3C] local-user admin # enter local-user view for admin (the command also creates the user if it does not exist yet)
[H3C-luser-admin] dis this # show the user's current configuration:
#
local-user admin
 password cipher $c$3$owgVrLye7oqSE+DeOvQyxOUxl6eRFdNX
 authorization-attribute level 3
 service-type telnet
 service-type web
#
return
[H3C-luser-admin] password simple <your password> # set the password (typed in plain text; run dis this afterwards and confirm the running configuration shows it only in password cipher form)
[H3C-luser-admin] authorization-attribute level 3 # command level granted to the user (3 = manage, the highest level)
[H3C-luser-admin] service-type telnet # allow this user to log in over telnet
[H3C-luser-admin] quit # leave local-user view
4. Configure the security zone:
This step produced a problem: importing the interface into the zone failed with an error. My first guess was that the link was simply down; the real cause is covered below.
[H3C] zone name trust # enter the security zone trust (it already exists as the predefined Trust zone, id 2)
[H3C-zone-trust] import interface GigabitEthernet 0/0 # add the interface to the zone
Error: The interface has been added to another zone. # the import is rejected
[H3C-zone-trust] dis this # the zone's own configuration looks fine:
#
zone name Trust id 2
 priority 85
 ip virtual-reassembly
#
return
[H3C-zone-trust] quit # leave zone view and configure the port interconnected with the 9306 first
5. Configure the management port:
Because this is only a temporary setup, re-addressing the default management port is enough:
[H3C] interface GigabitEthernet 0/0 # enter the default management port
[H3C-GigabitEthernet0/0] dis this # show the current configuration
#
interface GigabitEthernet0/0
 port link-mode route
 ip address 192.168.0.1 255.255.255.0
#
return
[H3C-GigabitEthernet0/0] ip address 192.168.10.31 255.255.255.0 # change the address to the one planned for the 9306 interconnect
[H3C-GigabitEthernet0/0] dis this # confirm the change
#
interface GigabitEthernet0/0
 port link-mode route
 ip address 192.168.10.31 255.255.255.0
#
return
[H3C-GigabitEthernet0/0] quit # leave interface view
6. Confirm the link is up:
On the 9306, the port facing the firewall turned out to be shut down. After undo shutdown on the 9306, the firewall logs the interconnect port coming up, and a ping to the firewall's own management address succeeds. Note that pinging the firewall's own address only confirms that the interface is up and addressed; it says nothing yet about whether the 9306 can be reached across the link, which is checked in step 8.
[H3C]
%Feb 21 08:57:15 2017 H3C IFNET/3/LINK_UPDOWN: GigabitEthernet0/0 link status is UP.
%Feb 21 08:57:15 2017 H3C IFNET/5/LINEPROTO_UPDOWN: Line protocol on the interface GigabitEthernet0/0 is UP.
[H3C] ping 192.168.10.31
  PING 192.168.10.31: 56 data bytes, press CTRL_C to break
    Reply from 192.168.10.31: bytes=56 Sequence=0 ttl=255 time=1 ms
    Reply from 192.168.10.31: bytes=56 Sequence=1 ttl=255 time=1 ms
    Reply from 192.168.10.31: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 192.168.10.31: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 192.168.10.31: bytes=56 Sequence=4 ttl=255 time=1 ms
  --- 192.168.10.31 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms
7. Continue configuring the security zone; problem handling:
At this point it seemed enough to configure the security zone and import the permitted port, but the same error came back:
[H3C] zone name trust
[H3C-zone-trust] import interface GigabitEthernet 0/0
Error: The interface has been added to another zone.
Checking the full configuration shows that the port has already been imported into the predefined Management zone:
[H3C] dis cur # display the whole current configuration (only the zone section is shown here)
zone name Management id 0
 priority 100
 import interface GigabitEthernet0/0
zone name Local id 1
 priority 100
zone name Trust id 2
 priority 85
zone name DMZ id 3
 priority 50
zone name Untrust id 4
 priority 5
An interface can belong to only one security zone, so remove it from Management first:
[H3C-zone-trust] zone name Management # enter the Management zone
[H3C-zone-Management] undo import interface GigabitEthernet 0/0 # remove the port from this zone
[H3C-zone-Management] dis this # confirm the import line is gone
#
zone name Management id 0
 priority 100
 ip virtual-reassembly
#
return
With that removed, importing the port into the intended zone no longer errors:
[H3C-zone-Management] zone name trust # enter the Trust zone
[H3C-zone-trust] import interface GigabitEthernet 0/0 # add the port
[H3C-zone-trust] quit # leave zone view
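The error above is the firewall enforcing that an interface can sit in exactly one zone, and the lesson of this section (look at the existing configuration before changing it) can be scripted. The following Python is an added example written for this page, not code from the original article or from H3C: it parses the zone section of `display current-configuration` (the constructed sample reproduces the output shown above), reports which zone already owns an interface, and emits the `undo import interface` / `import interface` sequence that step 7 ends up typing by hand. The warning for a move to a lower-priority zone is this editor's addition; it reflects the default by-priority interzone policy used in step 8, which permits sessions only from a higher-priority zone into a lower-priority one. Case-insensitive zone matching mirrors `zone name trust` landing in the zone displayed as `Trust`.

```python
"""Pre-check for `import interface` on a Comware 5 SecPath firewall.

Parses the zone section of `display current-configuration` and works out
whether an interface is already owned by another zone, which is what
produces "Error: The interface has been added to another zone."
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the zone section from this page, i.e. the state in
# which GigabitEthernet0/0 still belongs to the Management zone.
SAMPLE_CONFIG = """\
#
zone name Management id 0
 priority 100
 import interface GigabitEthernet0/0
#
zone name Local id 1
 priority 100
#
zone name Trust id 2
 priority 85
 ip virtual-reassembly
#
zone name DMZ id 3
 priority 50
#
zone name Untrust id 4
 priority 5
#
return
"""

ZONE_RE = re.compile(r"^zone name (\S+)(?:\s+id\s+(\d+))?\s*$")
PRIO_RE = re.compile(r"^\s*priority\s+(\d+)\s*$")
IMPORT_RE = re.compile(r"^\s*import interface\s+(.+?)\s*$")


def normalize_ifname(name: str) -> str:
    """'GigabitEthernet 0/0' (as typed) and 'GigabitEthernet0/0' (as displayed)
    name the same port; compare them with whitespace removed."""
    return re.sub(r"\s+", "", name)


def parse_zones(config: str) -> Dict[str, dict]:
    """Map zone name -> {'priority': int or None, 'interfaces': [names]}."""
    zones: Dict[str, dict] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        m = ZONE_RE.match(line)
        if m:
            current = m.group(1)
            zones[current] = {"priority": None, "interfaces": []}
            continue
        if line.strip() == "#":      # '#' separates configuration blocks
            current = None
            continue
        if current is None:
            continue
        m = PRIO_RE.match(line)
        if m:
            zones[current]["priority"] = int(m.group(1))
            continue
        m = IMPORT_RE.match(line)
        if m:
            zones[current]["interfaces"].append(normalize_ifname(m.group(1)))
    return zones


def resolve_zone(zones: Dict[str, dict], name: str) -> Optional[str]:
    """Zone names match case-insensitively (assumption based on the page)."""
    for zname in zones:
        if zname.lower() == name.lower():
            return zname
    return None


def owner_of(zones: Dict[str, dict], ifname: str) -> Optional[str]:
    """Return the zone that already imports ifname, or None."""
    ifname = normalize_ifname(ifname)
    for zname, z in zones.items():
        if ifname in z["interfaces"]:
            return zname
    return None


def plan_import(config: str, ifname: str, target: str) -> dict:
    """Commands that place ifname into target, removing it from its current
    zone first when the firewall would otherwise reject the import.
    Also flags a move to a lower-priority zone."""
    zones = parse_zones(config)
    target_name = resolve_zone(zones, target)
    if target_name is None:
        raise ValueError(f"zone {target!r} is not defined on the device")
    ifname = normalize_ifname(ifname)
    current = owner_of(zones, ifname)
    commands: List[str] = []
    warnings: List[str] = []
    if current == target_name:          # nothing to do
        return {"commands": commands, "warnings": warnings}
    if current is not None:
        commands += [f"zone name {current}",
                     f" undo import interface {ifname}", " quit"]
        old_p = zones[current]["priority"]
        new_p = zones[target_name]["priority"]
        if old_p is not None and new_p is not None and new_p < old_p:
            warnings.append(
                f"{ifname} moves from {current} (priority {old_p}) to "
                f"{target_name} (priority {new_p}); under the by-priority "
                f"default policy, sessions it originates towards higher-priority "
                f"zones are denied unless an explicit rule permits them")
    commands += [f"zone name {target_name}",
                 f" import interface {ifname}", " quit"]
    return {"commands": commands, "warnings": warnings}


if __name__ == "__main__":
    plan = plan_import(SAMPLE_CONFIG, "GigabitEthernet 0/0", "trust")
    print("\n".join(plan["commands"]))
    for w in plan["warnings"]:
        print("WARNING:", w)
```

Feed it the real `display current-configuration` output captured over the session instead of the sample, and run it before typing any `import interface`; the command list it prints is exactly the sequence that resolves the error in step 7.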
8. Add a default route towards the 9306 and check whether the 9306 is reachable:
[H3C] ip route-static 0.0.0.0 0.0.0.0 192.168.10.254 # default route with the 9306 interconnect address as next hop
[H3C] ping 192.168.10.254 # check whether the 9306 can be reached
  PING 192.168.10.254: 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- 192.168.10.254 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
[H3C] interzone policy default by-priority # set the default interzone policy: permit from a higher-priority zone to a lower-priority one
[H3C] ping 192.168.10.254 # test again; still unreachable
  PING 192.168.10.254: 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- 192.168.10.254 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
9. Check the interconnect port configuration and fix the problem:
Checking the port interconnected with the 9306 showed that the 9306 side had not been configured to carry the interconnect VLAN. After the VLAN was added on the 9306, the check passed:
[H3C] ping 192.168.10.254
  PING 192.168.10.254: 56 data bytes, press CTRL_C to break
    Reply from 192.168.10.254: bytes=56 Sequence=0 ttl=255 time=2 ms
    Reply from 192.168.10.254: bytes=56 Sequence=1 ttl=255 time=6 ms
    Reply from 192.168.10.254: bytes=56 Sequence=2 ttl=255 time=4 ms
    Reply from 192.168.10.254: bytes=56 Sequence=3 ttl=255 time=3 ms
    Reply from 192.168.10.254: bytes=56 Sequence=4 ttl=255 time=2 ms
  --- 192.168.10.254 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/3/6 ms
10. Leave system view and save the configuration:
[H3C] quit # return to user view
<H3C> save # save the running configuration to the startup file
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash0:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait....
Configuration is saved to device successfully.
11. Confirm that remote telnet access works:
Opening a telnet session to the firewall from CRT connects, and login with the username and password succeeds. The configuration is complete.
Summary:
I am more or less a beginner at network device configuration, so this job took a few detours before the problem was found and solved. What I took away from it is that, before configuring a device, you should take stock of its existing configuration so that the structure is clear in your head and problems can be dealt with as they come up; likewise, knowing in advance which commands will confirm the intended result makes the work much more efficient.
This article is a write-up of my own configuration process; if anything in it is inaccurate, please point it out.