I. Scenario:
The firewall to be configured sits in the server room. Configuring it on site is inconvenient, so the plan was to first make it reachable through a jump host hanging off the core switch and then do the remaining configuration remotely.
II. Topology:
The topology is as follows: the external network reaches the jump host (arrow 2) along arrow 1; then, as arrow 3 (partly covered by the logo) shows, the jump host reaches the H3C firewall that is connected to the Huawei 9306. The relevant interfaces and planned IP addresses are shown in the diagram.
The H3C SecPath F1000-S-AI software version is:
Comware Software, Version 5.20
Note: ignore the fact that all the icons in the topology are Cisco icons; the meaning is the same.
III. Configuration process:
1. Enable telnet:
<H3C>sys #enter system view;
System View: return to User View with Ctrl+Z.
[H3C]telnet server enable #enable telnet access;
2. Configure the number of access sessions and the authentication mode:
[H3C]user-interface vty 0 4 #enter VTY view;
[H3C-ui-vty0-4]authentication-mode scheme #set the authentication mode to username and password;
[H3C-ui-vty0-4]quit #leave VTY view;
3. Configure the access user:
[H3C]local-user admin #enter the user's configuration view (this also creates the user if it does not exist);
[H3C-luser-admin]dis this #show the user's current configuration, as follows;
#
local-user admin
password cipher $c$3$owgVrLye7oqSE+DeOvQyxOUxl6eRFdNX
authorization-attribute level 3
service-type telnet
service-type web
#
return
[H3C-luser-admin]password sim (your password) #set the password;
[H3C-luser-admin]authorization-attribute level 3 #set the command level the user may use;
[H3C-luser-admin]service-type telnet #set telnet as the user's login service;
[H3C-luser-admin]quit #leave the user configuration view;
4. Configure the security zone:
This is where a problem came up: adding the interface that should be allowed through produced an error. At first I thought the link simply was not up, but that was not it; the real cause is covered below.
[H3C]zone name trust #enter the security zone named trust (it is created if it does not already exist);
[H3C-zone-trust]import interface GigabitEthernet 0/0 #add the interface to be allowed;
Error: The interface has been added to another zone. #an error came back;
[H3C-zone-trust]dis this #checked the current configuration, which looked fine;
#
zone name Trust id 2
priority 85
ip virtual-reassembly
#
return
[H3C-zone-trust]quit #leave the zone view and first configure the interface that connects to the 9306;
5. Configure the management interface:
Since this is only a temporary setup, it is enough to modify the default management interface, as follows:
[H3C]interface GigabitEthernet 0/0 #enter the default management interface;
[H3C-GigabitEthernet0/0]dis this #show the current configuration;
#
interface GigabitEthernet0/0
port link-mode route
ip address 192.168.0.1 255.255.255.0
#
return
[H3C-GigabitEthernet0/0]ip address 192.168.10.31 255.255.255.0 #change the IP to the address planned for the link to the 9306;
[H3C-GigabitEthernet0/0]dis this #verify that the change took effect;
#
interface GigabitEthernet0/0
port link-mode route
ip address 192.168.10.31 255.255.255.0
#
return
[H3C-GigabitEthernet0/0]quit #leave interface view;
6. Verify that the link is up:
Checking the interface on the 9306 that connects to the firewall showed it was shut down. After undoing the shutdown, the firewall reported that the interface had come up, and pinging the management interface IP from the firewall itself succeeded.
[H3C]
%Feb 21 08:57:37:922 2017 H3C IFNET/3/LINK_UPDOWN: GigabitEthernet0/0 link status is UP.
%Feb 21 08:57:37:923 2017 H3C IFNET/5/LINEPROTO_UPDOWN: Line protocol on the interface GigabitEthernet0/0 is UP.
[H3C]ping 192.168.10.31
PING 192.168.10.31: 56 data bytes, press CTRL_C to break
Reply from 192.168.10.31: bytes=56 Sequence=0 ttl=255 time=1 ms
Reply from 192.168.10.31: bytes=56 Sequence=1 ttl=255 time=1 ms
Reply from 192.168.10.31: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 192.168.10.31: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 192.168.10.31: bytes=56 Sequence=4 ttl=255 time=1 ms
--- 192.168.10.31 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms
7. Continue the security-zone configuration and resolve the problem:
I assumed that configuring the zone and adding the allowed interface would now work, but it still returned the same error as at the start;
[H3C]zone name trust
[H3C-zone-trust]import interface GigabitEthernet 0/0
Error: The interface has been added to another zone.
Checking the configuration showed that the Management zone already had this interface imported;
[H3C]dis cur #show the complete current configuration;
zone name Management id 0
priority 100
import interface GigabitEthernet0/0
zone name Local id 1
priority 100
zone name Trust id 2
priority 85
zone name DMZ id 3
priority 50
zone name Untrust id 4
priority 5
Enter the Management zone and delete that entry;
[H3C-zone-trust]zone name Management #enter the zone;
[H3C-zone-Management]undo import interface GigabitEthernet 0/0 #remove the entry for interface 0/0;
[H3C-zone-Management]dis this #verify that the entry is gone;
#
zone name Management id 0
priority 100
ip virtual-reassembly
#
return
After removing that entry, adding the interface to the new security zone no longer produces an error.
[H3C-zone-Management]zone name trust #enter the new zone;
[H3C-zone-trust]import interface GigabitEthernet 0/0 #add the interface;
[H3C-zone-trust]quit #leave zone view;
8. Add a default route towards the 9306 and check whether the 9306 is reachable:
[H3C]ip route-static 0.0.0.0 0.0.0.0 192.168.10.254 #add the route towards the 9306;
[H3C]ping 192.168.10.254 #check reachability to the 9306: still no reply;
PING 192.168.10.254: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 192.168.10.254 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
[H3C]interzone policy default by-priority #add a default interzone policy;
[H3C]ping 192.168.10.254 #test again: still unreachable;
PING 192.168.10.254: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 192.168.10.254 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
9. Check the interconnect port configuration and solve the problem:
Checking the configuration of the interconnect port on the 9306 showed that the VLAN to be carried had not been configured on that port. After adding the VLAN to the port on the 9306, the ping went through.
[H3C]ping 192.168.10.254
PING 192.168.10.254: 56 data bytes, press CTRL_C to break
Reply from 192.168.10.254: bytes=56 Sequence=0 ttl=255 time=2 ms
Reply from 192.168.10.254: bytes=56 Sequence=1 ttl=255 time=6 ms
Reply from 192.168.10.254: bytes=56 Sequence=2 ttl=255 time=4 ms
Reply from 192.168.10.254: bytes=56 Sequence=3 ttl=255 time=3 ms
Reply from 192.168.10.254: bytes=56 Sequence=4 ttl=255 time=2 ms
--- 192.168.10.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/3/6 ms
10. Exit and save the configuration:
[H3C]quit #leave system view;
<H3C>save #save the configuration;
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash0:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait....
Configuration is saved to device successfully.
11. Verify that remote telnet access works:
Created a telnet session to the firewall in SecureCRT; it connects, and logging in with the username and password works. Configuration complete.
Summary:
I am essentially a beginner at network-device configuration, so this setup took a few detours, but fortunately the problems were found and fixed in time. What this exercise showed me is that before configuring a network device you should understand its existing configuration and have a clear picture of the architecture, so that problems can be dealt with as they come up. It also helps to confirm beforehand which commands achieve the goal; that makes the configuration go much faster.
This article is a write-up of my own configuration process; if anything is wrong, please point it out.
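Steps 4 and 7 above both hit "The interface has been added to another zone" because GigabitEthernet0/0 was still imported into the predefined Management zone. As an added example (not part of the original post), the following Python helper reads the zone section of `display current-configuration` and works out which `undo import interface` has to run, and in which zone, before the import into the target zone can succeed; the config dump embedded in it is constructed from the one shown in step 7, and the exact line layout of Comware 5 output is assumed.

```python
import re

# Constructed sample: the zone section of the 'dis cur' output shown in step 7
SAMPLE_CONFIG = """\
zone name Management id 0
 priority 100
 import interface GigabitEthernet0/0
zone name Local id 1
 priority 100
zone name Trust id 2
 priority 85
zone name DMZ id 3
 priority 50
zone name Untrust id 4
 priority 5
"""

ZONE_RE = re.compile(r"^\s*zone name (\S+) id \d+")
IMPORT_RE = re.compile(r"^\s*import interface (.+?)\s*$")

def normalize(ifname):
    # The CLI accepts 'GigabitEthernet 0/0'; the saved config stores 'GigabitEthernet0/0'
    return ifname.replace(" ", "")

def zone_members(config):
    """Map each zone name to the list of interfaces it has imported."""
    zones, current = {}, None
    for line in config.splitlines():
        m = ZONE_RE.match(line)
        if m:
            current = m.group(1)
            zones.setdefault(current, [])
            continue
        m = IMPORT_RE.match(line)
        if m and current is not None:
            zones[current].append(normalize(m.group(1)))
    return zones

def plan_import(config, zone, ifname):
    """Commands to run so that 'import interface' succeeds in the target zone.
    An interface belongs to one zone only, so the current owner (Management in
    the post) must release it first; zone names are matched case-insensitively."""
    ifname = normalize(ifname)
    owners = [z for z, ifs in zone_members(config).items() if ifname in ifs]
    if any(z.lower() == zone.lower() for z in owners):
        return []  # already in the requested zone; nothing to do
    cmds = []
    for owner in owners:
        cmds += [f"zone name {owner}", f"undo import interface {ifname}", "quit"]
    return cmds + [f"zone name {zone}", f"import interface {ifname}", "quit"]
```

Running `plan_import(SAMPLE_CONFIG, "trust", "GigabitEthernet 0/0")` yields exactly the sequence the post ended up typing in step 7: release the interface from Management, then import it into trust.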