Huawei firewall: suitable for the CSSIP track

Published: 2020-06-29 14:29:46  Source: web  Views: 2735  Author: 抽煙的土豆  Column: Security technology

On the new OS version the initial console login is username admin, password Admin@123. Change it at first login: a default credential printed in every guide is the first thing anyone who reaches the console or a management port will try.
Connect through the console port to reach the device:


* Copyright(C) 2010-2013 Huawei Technologies Co., Ltd. *
* All rights reserved *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *

User interface con0 is available

Please Press ENTER.
<SRG>clock date 12:40:30 2016/02/24
<SRG>system-view
12:32:52 2016/02/24
Enter system view, return user view with Ctrl+Z.
[SRG]sysname toys
[toys]dis ip int b----------display ip interface brief
13:27:09 2016/02/24
*down: administratively down
(s): spoofing
Interface             IP Address    Physical  Protocol  Description
GigabitEthernet0/0/0  192.168.0.1   down      down      Huawei, SRG Seri
GigabitEthernet0/0/1  unassigned    down      down      Huawei, SRG Seri
GigabitEthernet0/0/2  unassigned    down      down      Huawei, SRG Seri
GigabitEthernet0/0/3  unassigned    down      down      Huawei, SRG Seri
GigabitEthernet0/0/4  unassigned    down      down      Huawei, SRG Seri
GigabitEthernet0/0/5  unassigned    down      down      Huawei, SRG Seri
GigabitEthernet0/0/6  unassigned    down      down      Huawei, SRG Seri
GigabitEthernet0/0/7  unassigned    down      down      Huawei, SRG Seri
GigabitEthernet0/0/8  unassigned    down      down      Huawei, SRG Seri
[toys]int Gi 0/0/1-----------interface GigabitEthernet0/0/1
13:28:28 2016/02/24
[toys-GigabitEthernet0/0/1]ip add 192.168.2.2 24----ip address 192.168.2.2 255.255.255.0
13:29:40 2016/02/24
[toys-GigabitEthernet0/0/1]des link-port-to-neiwang-------description link-port-to-neiwang
13:31:50 2016/02/24
[toys-GigabitEthernet0/0/1]q-----quit
13:32:38 2016/02/24
[toys]dis zo---------display zone
13:33:11 2016/02/24
local
priority is 100
#
trust
priority is 85
interface of the zone is (1):
GigabitEthernet0/0/0
#
untrust
priority is 5
interface of the zone is (0):
#
dmz
priority is 50
interface of the zone is (0):
#
[toys]fire zo trust-------------firewall zone trust
13:34:38 2016/02/24
[toys-zone-trust]add int gi 0/0/1-----add interface GigabitEthernet0/0/1
13:35:30 2016/02/24
[toys-zone-trust]dis fire packet-filter default all-----display firewall packet-filter default all (show the default packet-filter action for every interzone)
13:36:21 2016/02/24
Firewall default packet-filter action is:

packet-filter in public:
local -> trust :
inbound : default: permit; || IPv6-acl: null
outbound : default: permit; || IPv6-acl: null
local -> untrust :
inbound : default: deny; || IPv6-acl: null
outbound : default: permit; || IPv6-acl: null
local -> dmz :
inbound : default: deny; || IPv6-acl: null
outbound : default: permit; || IPv6-acl: null
trust -> untrust :
inbound : default: deny; || IPv6-acl: null
outbound : default: deny; || IPv6-acl: null
trust -> dmz :
inbound : default: deny; || IPv6-acl: null
outbound : default: deny; || IPv6-acl: null
dmz -> untrust :
inbound : default: deny; || IPv6-acl: null
outbound : default: deny; || IPv6-acl: null

packet-filter between VFW:
[toys-zone-trust]q
13:43:02 2016/02/24
[toys]firewall packet-filter default permit interzone trust local---set the default action to permit for the trust/local interzone; with no direction given, the default is both directions (inbound and outbound). The warning that follows is worth heeding: a default permit covers every flow between the two zones, so write policies for the flows actually needed instead.
13:50:03 2016/02/24
Warning:Setting the default packet filtering to permit poses security risks. You
are advised to configure the security policy based on the actual data flows. Ar
e you sure you want to continue?[Y/N]y
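As an added example (not part of the original post), the Python below models what these default-permit commands change. It parses the `display firewall packet-filter default all` text shown above (copied from the page), applies the platform rule that a flow from the lower-priority zone to the higher-priority zone is "inbound" and the reverse is "outbound", and evaluates flows before and after a direction-less `permit`. Zone priorities are those printed by `display zone` above; the zone names and output format are the page's, everything else (function names, the modelling itself) is the example's own.

```python
"""Huawei SRG/USG default interzone filter: which direction is a flow?

Added example, not from the original post.  Parses the output of
`display firewall packet-filter default all` (copied from the page) and
applies the direction rule: lower-priority zone -> higher-priority zone
is "inbound", the reverse is "outbound".
"""
import re
from typing import Dict, Optional, Tuple

# Priorities exactly as `display zone` listed them on the page.
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}

# Copied from the `display firewall packet-filter default all` output above.
DEFAULT_FILTER_OUTPUT = """\
Firewall default packet-filter action is:

packet-filter in public:
local -> trust :
inbound : default: permit; || IPv6-acl: null
outbound : default: permit; || IPv6-acl: null
local -> untrust :
inbound : default: deny; || IPv6-acl: null
outbound : default: permit; || IPv6-acl: null
local -> dmz :
inbound : default: deny; || IPv6-acl: null
outbound : default: permit; || IPv6-acl: null
trust -> untrust :
inbound : default: deny; || IPv6-acl: null
outbound : default: deny; || IPv6-acl: null
trust -> dmz :
inbound : default: deny; || IPv6-acl: null
outbound : default: deny; || IPv6-acl: null
dmz -> untrust :
inbound : default: deny; || IPv6-acl: null
outbound : default: deny; || IPv6-acl: null
"""

# (zoneA, zoneB) as the device prints the pair -> {"inbound": action, "outbound": action}
Policy = Dict[Tuple[str, str], Dict[str, str]]

PAIR_RE = re.compile(r"^(\w+) -> (\w+) :$")
DIR_RE = re.compile(r"^(inbound|outbound) : default: (permit|deny);")


def parse_default_filter(text: str) -> Policy:
    """Turn the display output into a {(zoneA, zoneB): {direction: action}} table."""
    policy: Policy = {}
    current: Optional[Tuple[str, str]] = None
    for line in text.splitlines():
        line = line.strip()
        pair = PAIR_RE.match(line)
        if pair:
            current = (pair.group(1), pair.group(2))
            policy[current] = {}
            continue
        rule = DIR_RE.match(line)
        if rule and current is not None:
            policy[current][rule.group(1)] = rule.group(2)
    return policy


def interzone_key(policy: Policy, a: str, b: str) -> Tuple[str, str]:
    """The device prints each pair once; accept either zone order."""
    if (a, b) in policy:
        return (a, b)
    if (b, a) in policy:
        return (b, a)
    raise KeyError(f"no interzone between {a} and {b}")


def direction(src: str, dst: str) -> str:
    """Low-priority -> high-priority is 'inbound'; the reverse is 'outbound'."""
    if ZONE_PRIORITY[src] == ZONE_PRIORITY[dst]:
        raise ValueError("zones of one interzone must have distinct priorities")
    return "inbound" if ZONE_PRIORITY[src] < ZONE_PRIORITY[dst] else "outbound"


def default_action(policy: Policy, src: str, dst: str) -> str:
    """Default action for a flow from zone `src` to zone `dst`."""
    return policy[interzone_key(policy, src, dst)][direction(src, dst)]


def set_default(policy: Policy, a: str, b: str, action: str,
                dir_: Optional[str] = None) -> None:
    """Model `firewall packet-filter default <action> interzone A B [direction D]`.
    Without `direction`, the device applies the action to both directions."""
    key = interzone_key(policy, a, b)
    for d in ([dir_] if dir_ else ["inbound", "outbound"]):
        policy[key][d] = action


if __name__ == "__main__":
    pol = parse_default_filter(DEFAULT_FILTER_OUTPUT)
    # Internet -> firewall management is untrust -> local: inbound, denied by default.
    print("untrust -> local:", default_action(pol, "untrust", "local"))
    # The direction-less `permit interzone local untrust` opens both directions.
    set_default(pol, "local", "untrust", "permit")
    print("after default permit:", default_action(pol, "untrust", "local"))
    # `direction outbound` would have opened local -> untrust only.
    set_default(pol, "local", "untrust", "deny")
    set_default(pol, "local", "untrust", "permit", "outbound")
    print("with direction outbound:", default_action(pol, "untrust", "local"))
```

The model makes the page's point concrete: a direction-less default permit on local/untrust does not just let the firewall reach the Internet, it also lets the Internet reach the firewall's own services.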
[toys]q
13:57:26 2016/02/24
<toys>language-mode chinese
13:57:39 2016/02/24
Warning: The operation will change the language mode. Continue? [Y/N]: y
Note: switched to Chinese mode.
<toys>
2018/2/5 13:57:42 toys %%01CMD/4/LAN_MODE(l): When deciding whether to change the language mode, the user chose Y.
<toys>system-view
14:02:12 2016/02/24
Enter system view, return user view with Ctrl+Z.
[toys]user-interface ?
INTEGER<0-363> First user interface to configure
aux Auxiliary user interface
console Primary (console) user interface
current Current user interface
maximum-vty Maximum number of VTY users
tty Asynchronous user interface
vty Virtual user interface

[toys]user-interface vty ?
INTEGER<0-4> First user interface to configure

[toys]user-interface vty 0 4
14:03:21 2016/02/24
[toys-ui-vty0-4]authentication-mode ?
aaa Authenticate through AAA
password Authenticate with the user-interface password

[toys-ui-vty0-4]authentication-mode aaa
14:04:21 2016/02/24
[toys-ui-vty0-4]authentication-mode password ?
cipher Display the password as ciphertext

[toys-ui-vty0-4]authentication-mode password cipher ?
STRING<8-16>/<32> Plaintext/ciphertext password string

[toys-ui-vty0-4]authentication-mode password cipher Toys123456-----this replaces the `authentication-mode aaa` set a moment ago; only the last mode stays in effect, so the VTY ends up in password mode. The SSH user created below is checked through AAA, so for SSH logins keep `authentication-mode aaa` here.
14:06:19 2016/02/24
[toys-ui-vty0-4]q
[toys]aaa
14:07:55 2016/02/24
[toys-aaa]local-user toy ?
access-limit Access limit
acl-number Configure the ACL number
ftp-directory Set the user's FTP login directory
idle-cut Configure idle cut-off
l2tp-ip Configure the L2TP IP bound to the user
level Configure the user privilege level
password Plaintext password string
service-type Service types the user is authorised for
state Set the user's active state
valid-period Validity period of the user
vpn-instance Specify a VPN instance

[toys-aaa]local-user toy password ?
cipher Display the password as ciphertext

[toys-aaa]local-user toy password cipher Toys123456
14:08:31 2016/02/24
[toys-aaa]local-user toy level ?
INTEGER<0-15> Privilege level value
audit Audit level

[toys-aaa]local-user toy level 15-----level 15 is the highest privilege; give each management account the lowest level that does its job
14:09:58 2016/02/24
[toys-aaa]q
14:11:17 2016/02/24
[toys]q
14:11:21 2016/02/24
<toys>save-------remember to save, otherwise the configuration is lost on the next reboot
14:15:32 2016/02/24
The current configuration will be written to the device.
Are you sure to continue?[Y/N]y
2018-02-05 14:15:33 toys %%01CFM/4/SAVE(l): When deciding whether to save config
uration to the device, the user chose Y.
Do you want to synchronically save the configuration to the startup saved-config
uration file on peer device?[Y/N]:y
Now saving the current configuration to the device....
Info:The current configuration was saved to the device successfully.
<toys>system-view
14:16:39 2016/02/24
Enter system view, return user view with Ctrl+Z.
[toys]web-manager ?
config-guide Indicate the keyword of the HTTPD configuration guide
enable Enable Web server
security Indicate HTTP running over SSL
timeout Specify the web timeout of the Web server
user Specify the parameter of the web user

[toys]web-manager enable------enable web management (the reply shows it was already on). The `security` keyword listed above runs the web UI over SSL; prefer that to plain HTTP.
14:19:32 2016/02/24
Web server has been enabled,please disable it first!
[toys]rsa local-key-pair ?
create Create new local public key pairs
destroy Destroy the local public key pairs

[toys]rsa local-key-pair create ?
<cr>

[toys]rsa local-key-pair create------set up SSH management: create the local RSA host key pair
14:22:39 2016/02/24
The key name will be: toys_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 768]:-----pressing Enter accepts 768 bits here; a 768-bit RSA modulus is within reach of factoring, so type 2048, the largest size this OS offers
Generating keys...
..........++++++++
..........++++++++
............+++++++++
.......+++++++++

[toys]user-interface vty 0 4
14:24:21 2016/02/24
[toys-ui-vty0-4]protocol ?
inbound Incomming protocol

[toys-ui-vty0-4]protocol inbound ?
all All protocol
ssh SSH protocol
telnet Telnet protocol

[toys-ui-vty0-4]protocol inbound all ?
<cr>

[toys-ui-vty0-4]protocol inbound all-----`all` also leaves Telnet open, which carries the password in cleartext; once SSH logins work, use `protocol inbound ssh`
14:24:51 2016/02/24
[toys]ssh ?
authentication-type Authentication type
client Set SSH client attribute
server Set the server attribute
user SSH user

[toys]ssh user ?
STRING<1-64> The specified user name

[toys]ssh user toy ?
assign Set the key
authentication-type Authentication type
service-type Set service type
sftp-directory Set SFTP direcotry
<cr>

[toys]ssh user toy authentication-type ?
all All authentication mode, either password or RSA
password Password authentication
password-rsa Both password and RSA authentication modes
rsa RSA authentication

[toys]ssh user toy authentication-type rsa ?
<cr>

[toys]ssh user toy authentication-type rsa-----RSA authentication needs the client's public key bound to this user (the `assign` keyword shown above: `ssh user toy assign rsa-key <keyname>`); without that, and with the VTY still in password mode, this user cannot log in over SSH yet
14:26:29 2016/02/24
Info: Succeeded in adding a new SSH user.
[toys]q
14:27:07 2016/02/24
<toys>save
14:27:09 2016/02/24
The current configuration will be written to the device.
Are you sure to continue?[Y/N]y
2018-02-05 14:27:12 toys %%01CFM/4/SAVE(l): When deciding whether to save config
uration to the device, the user chose Y.
Do you want to synchronically save the configuration to the startup saved-config
uration file on peer device?[Y/N]:y
Now saving the current configuration to the device...
Info:The current configuration was saved to the device successfully.
Clear the configuration and restore factory defaults (answered N below, so nothing is erased)
<toys>reset saved-configuration
14:28:04 2016/02/24
The action will delete the saved configuration in the device.

The configuration will be erased to reconfigure.

Are you sure?[Y/N]n
<toys>
2018-02-05 14:28:09 toys %%01CFM/4/RST_CFG(l): When deciding whether to reset th
e saved configuration, the user chose N.
Delete the saved configuration file (vrpcfg.cfg)
<toys>dir ?
/all List all files
STRING<1-64> [drive][path][file name]
flash: Flash device name
<cr>

<toys>dir /all
14:28:58 2016/02/24
Directory of flash:/

0 -rw- 61 Feb 05 2018 14:27:16 private-data.txt
1 -rw- 2907 Feb 05 2018 14:27:17 vrpcfg.cfg

31248 KB total (31184 KB free)

<toys>dir flash:
14:29:19 2016/02/24
Directory of flash:/

0 -rw- 61 Feb 05 2018 14:27:16 private-data.txt
1 -rw- 2907 Feb 05 2018 14:27:17 vrpcfg.cfg

31248 KB total (31184 KB free)

<toys>del ?
/unreserved Delete a file permanently
STRING<1-64> [drive][path][file name]
flash: Flash device name

<toys>del vrpcfg.cfg ?
<cr>

<toys>del vrpcfg.cfg
14:30:02 2016/02/24
Be Careful! Deleting the next startup config file will lose your configuration.

Delete flash:/vrpcfg.cfg?[Y/N]:n
<toys>
2018-02-05 14:30:04 toys %%01VFS/4/DEL(l): When asked whether to delete the file
flash:/vrpcfg.cfg, the user entered N.
Enable FTP-----FTP sends credentials and files in cleartext; since SSH is being set up, prefer SFTP (note the `sftp-directory` option under `ssh user toy ?` above)
<toys>system-view
14:30:55 2016/02/24
Enter system view, return user view with Ctrl+Z.
[toys]ftp server enable
14:31:10 2016/02/24
Info:Start FTP server

[toys]dhcp enable
14:36:48 2016/02/24
Info:DHCP task has already started.
[toys]int gi 0/0/1
14:37:14 2016/02/24
[toys-GigabitEthernet0/0/1]dhcp client ?
enable DHCP Client enable
forbid DHCP Client forbid apply option
renew dhcp client renew

[toys-GigabitEthernet0/0/1]dhcp client enable ?
track Specify track configuration
<cr>

[toys-GigabitEthernet0/0/1]dhcp client enable
14:39:31 2016/02/24
Info: There are ip addresses in the interface , please delete them at first.-----the interface still has the static address 192.168.2.2/24 set earlier; remove it with `undo ip address` before making the interface a DHCP client
[toys]firewall zone untrust
14:47:02 2016/02/24
[toys-zone-untrust]add ?
interface Indicate the priority of the security zone
[toys-zone-untrust]add interface GigabitEthernet 0/0/2
14:47:24 2016/02/24
[toys-zone-untrust]q
14:48:05 2016/02/24
[toys]firewall packet-filter default permit interzone local ?
dmz Indicate the DMZ
trust Indicate the Trust zone
untrust Indicate the Untrust zone
vpn-instance Indicate a VPN instance

[toys]firewall packet-filter default permit interzone local untrust ?
direction Indicate the direction
<cr>

[toys]firewall packet-filter default permit interzone local untrust-----no direction given, so both directions are permitted: this also lets anything on the untrust side reach the firewall's own management services enabled above (Telnet, FTP, web). At most use `direction outbound` here, and an explicit policy for anything else.
14:48:37 2016/02/24
Warning:Setting the default packet filtering to permit poses security risks. You
are advised to configure the security policy based on the actual data flows. Ar
e you sure you want to continue?[Y/N]y
[toys]dhcp server forbidden-ip ?
X.X.X.X Low IP address

[toys]dhcp server forbidden-ip 192.168.2.2 192.168.2.30-------DHCP: keep 192.168.2.2 (the firewall's own address) through .30 out of the pool
14:50:05 2016/02/24
[toys]dhcp server ip-pool ?
STRING<1-35> Global IP address pool name

[toys]dhcp server ip-pool 0
14:50:28 2016/02/24
[toys-dhcp-0]network 192.168.2.1 mask ?
INTEGER<0-32> Network mask length
X.X.X.X Network mask

[toys-dhcp-0]network 192.168.2.1 mask 255.255.255.0
14:50:56 2016/02/24
[toys-dhcp-0]gateway-list 192.168.2.1-----check this against the topology: the firewall's own address on this segment is 192.168.2.2, so clients only get a working gateway if 192.168.2.1 is really present on the wire
14:51:07 2016/02/24
[toys-dhcp-0]dns-list 202.96.209.166 202.96.209.6
14:51:34 2016/02/24
[toys-dhcp-0]domain-name www.baidu.com-----this is the DNS suffix handed to clients, not a server; a host name like this is only a placeholder
14:51:52 2016/02/24
[toys-dhcp-0]q
14:52:09 2016/02/24
[toys]interface Dialer ?
<0-1023> Dialer interface number

[toys]interface Dialer 1
14:54:03 2016/02/24
[toys-Dialer1]link-protocol ?
ppp Point-to-Point protocol

[toys-Dialer1]link-protocol ppp ?
<cr>

[toys-Dialer1]link-protocol ppp
14:54:14 2016/02/24
[toys-Dialer1]ppp ?
accm Specify accm value
authentication-mode Specify PPP authentication-mode
chap Specify CHAP parameters
ipcp Specify IPCP parameters
lqc Specify the close and resume percent of link
pap Specify PAP parameters
peer Specify PPP peer
timer Specify timer

[toys-Dialer1]ppp pap ?
local-user Specify user name

[toys-Dialer1]ppp pap local-user toy ?
password Specify user password

[toys-Dialer1]ppp pap local-user toy password ?
cipher Indicate the current password with cipher text

[toys-Dialer1]ppp pap local-user toy password cipher ?
STRING<1-16>/<32> The UNENCRYPTED/ENCRYPTED password string

[toys-Dialer1]ppp pap local-user toy password cipher Toy123456-----PAP sends the PPPoE password to the provider in cleartext; if the provider supports it, use the `chap` option listed above instead
[toys-Dialer1]ip address ppp-negotiate ?
<cr>

[toys-Dialer1]ip address ppp-negotiate
14:57:20 2016/02/24
[toys-Dialer1]dialer ?
bundle Specify dialer bundle number
enable-circular Enable Circular DCC
listen-group Dialer listen group
number Dial number to next-hop
priority Specify priority for use in dialer rotary-group
queue-length Output queue during dial out
threshold Specify threshold
timer Specify timer configuration information
user Enable RS-DCC,specify the user name of remote

[toys-Dialer1]dialer user ?
STRING<1-64> The user name of remote

[toys-Dialer1]dialer user toy
14:57:47 2016/02/24
[toys-Dialer1]dialer bundle ?
INTEGER<1-255> Bundle number

[toys-Dialer1]dialer bundle 1
14:58:08 2016/02/24
[toys-Dialer1]q
14:58:31 2016/02/24
[toys]display pppoe-?---------------PPPoE
pppoe-client pppoe-server
[toys]display pppoe-client ?
session Indicate the PPPoE Client session information

[toys]display pppoe-client session ?
packet Indicate Packet/Byte count information
summary Indicate session summary information

[toys]display pppoe-client session summary ?
dial-bundle-number Indicate the dialer bundle keyword
<cr>

[toys]display pppoe-client session summary dial-bundle-number ?
INTEGER<1-255> Dialer bundle number

[toys]display pppoe-client session summary dial-bundle-number 1-----the table comes back empty: no physical interface has been bound to bundle 1 (`pppoe-client dial-bundle-number 1` in the WAN interface view), so no session can come up
14:59:42 2016/02/24
PPPoE Client Session:
ID Bundle Dialer Intf Client-MAC Server-MAC State
[toys]ip route-static ?
X.X.X.X Destination IP address
default-preference Preference-value for IPv4 static-routes
vpn-instance VPN-instance route information

[toys]ip route-static 192.168.2.2 255.255.255.0 10.10.10.2------add a static route; 192.168.2.2 is a host address, not the network address for a /24, so the device normalises it to 192.168.2.0/24 and warns
15:03:43 2016/02/24
Info: The destination address and the mask do not match.
[toys]dis ip routing-table verbose ------------------view the routing table; the static route shows State: Inactive because nothing here reaches the next hop 10.10.10.2 (only the loopback routes exist and GigabitEthernet0/0/1 is still down)
15:04:33 2016/02/24
Route Flags: R - relay, D - download to fib

Routing Table : Public
Destinations : 3 Routes : 3

Destination: 127.0.0.0/8
Protocol: Direct Process ID: 0
Preference: 0 Cost: 0
NextHop: 127.0.0.1 Neighbour: 0.0.0.0
State: Active NoAdv Age: 02h49m33s
Tag: 0 Priority: 0
Label: NULL QoSInfo: 0x0
EntryFlags: 0x80000018 RefPriCnt: 1
RelayNextHop: 0.0.0.0 Interface: InLoopBack0
TunnelID: 0x0 Flags: D

Destination: 127.0.0.1/32
Protocol: Direct Process ID: 0
Preference: 0 Cost: 0
NextHop: 127.0.0.1 Neighbour: 0.0.0.0
State: Active NoAdv Age: 02h49m33s
Tag: 0 Priority: 0
Label: NULL QoSInfo: 0x0
EntryFlags: 0x81000018 RefPriCnt: 1
RelayNextHop: 0.0.0.0 Interface: InLoopBack0
TunnelID: 0x0 Flags: D

Destination: 192.168.2.0/24
Protocol: Static Process ID: 0
Preference: 60 Cost: 0
NextHop: 10.10.10.2 Neighbour: 0.0.0.0
State: Inactive Adv WaitQ Age: 00h00m55s
Tag: 0 Priority: 0
Label: NULL QoSInfo: 0x0
EntryFlags: 0x312000 RefPriCnt: 2
RelayNextHop: 0.0.0.0 Interface:
TunnelID: 0x0 Flags: R
[toys]dis zone --------------display zone (view the security zones)
15:05:30 2016/02/24
local
priority is 100
#
trust
priority is 85
interface of the zone is (2):
GigabitEthernet0/0/0
GigabitEthernet0/0/1
#
untrust
priority is 5
interface of the zone is (1):
GigabitEthernet0/0/2
#
dmz
priority is 50
interface of the zone is (0):
#
[toys]firewall zone name dmz3----------create a zone and set its security level (priority); priorities must be unique across zones, and they decide whether a flow counts as inbound or outbound
15:06:24 2016/02/24
[toys-zone-dmz3]set ?
priority Indicate the priority of the security zone

[toys-zone-dmz3]set priority ?
INTEGER<1-100> Specify the priority of the security zone

[toys-zone-dmz3]set priority 80
15:06:46 2016/02/24
[toys-zone-dmz3]q
15:07:36 2016/02/24
[toys]acl 2000----------------configure an ACL (2000-2999 are basic ACLs, which match on source address only)
15:09:07 2016/02/24
[toys-acl-basic-2000]rule ?
INTEGER<0-4294967294> Specify ID of ACL rule
deny Indicate matched packet deny
permit Indicate matched packet permit

[toys-acl-basic-2000]rule 1 ?
deny Indicate matched packet deny
permit Indicate matched packet permit

[toys-acl-basic-2000]rule 1 permit ?
description Specify rule description
logging Indicate log matched packet
source Indicate source address
time-range Indicate a special time
<cr>

[toys-acl-basic-2000]rule 1 permit source ?
X.X.X.X Specify the source address
address-set Indicate the address set configuration information
any Indicate any source

[toys-acl-basic-2000]rule 1 permit source 192.168.2.2 ?
0 Wildcard bits : 0.0.0.0 ( a host )
X.X.X.X Indicate wildcard of source

[toys-acl-basic-2000]rule 1 permit source 192.168.2.2 0-----the trailing 0 is the wildcard 0.0.0.0: every bit must match, so this rule is the single host 192.168.2.2
15:10:12 2016/02/24
[toys-acl-basic-2000]q
15:10:15 2016/02/24
[toys]dis acl all
15:10:20 2016/02/24
Total nonempty acl number is 1

Basic ACL 2000, 1 rule,not binding with vpn-instance
Acl's step is 5
rule 1 permit source 192.168.2.2 0 (0 times matched)
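Added example, not from the original post: the wildcard in `rule 1 permit source 192.168.2.2 0` and the mask in the earlier `ip route-static 192.168.2.2 255.255.255.0 ...` are easy to confuse. The Python below implements both semantics: wildcard matching as a basic ACL evaluates it (0 bits must match, 1 bits are ignored, first matching rule by id wins) and the network normalisation that produced the "destination address and the mask do not match" message. The addresses are the page's; the helper names are the example's own.

```python
"""Wildcards in Huawei basic ACLs, and what the static-route warning means.

Added example, not from the original post.  `rule 1 permit source
192.168.2.2 0` uses a wildcard (0 bits must match, 1 bits are ignored),
the inverse of a netmask; `ip route-static 192.168.2.2 255.255.255.0 ...`
is accepted but installed as 192.168.2.0/24, hence the device's warning.
"""
import ipaddress
from typing import List, Optional, Tuple

# A basic-ACL rule as typed on the page: (rule id, action, source base, wildcard).
Rule = Tuple[int, str, str, str]


def _to_int(dotted: str) -> int:
    """Dotted quad to int; the CLI accepts a bare `0` meaning wildcard 0.0.0.0."""
    return int(ipaddress.IPv4Address("0.0.0.0" if dotted == "0" else dotted))


def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """True if `addr` matches `base` under a Huawei-style wildcard mask."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF  # bits that must be equal
    return (_to_int(addr) & care) == (_to_int(base) & care)


def netmask_to_wildcard(netmask: str) -> str:
    """255.255.255.0 -> 0.0.0.255, the form an ACL rule expects."""
    return str(ipaddress.IPv4Address(~_to_int(netmask) & 0xFFFFFFFF))


def basic_acl_action(rules: List[Rule], src: str) -> Optional[str]:
    """First-match evaluation of a basic ACL in rule-id order.  None means no
    rule matched, in which case the interzone's default packet-filter decides."""
    for _, action, base, wildcard in sorted(rules):
        if wildcard_matches(src, base, wildcard):
            return action
    return None


def route_prefix(dest: str, mask: str) -> Tuple[str, bool]:
    """The prefix the device installs for `ip route-static dest mask`, and whether
    `dest` already was the network address (False is the case that warns)."""
    net = ipaddress.IPv4Network((dest, mask), strict=False)
    return str(net), str(net.network_address) == dest


if __name__ == "__main__":
    acl_2000: List[Rule] = [(1, "permit", "192.168.2.2", "0")]
    print(basic_acl_action(acl_2000, "192.168.2.2"))        # permit
    print(basic_acl_action(acl_2000, "192.168.2.3"))        # None
    print(netmask_to_wildcard("255.255.255.0"))             # 0.0.0.255
    print(route_prefix("192.168.2.2", "255.255.255.0"))     # ('192.168.2.0/24', False)
```

A common slip is writing a netmask where the ACL wants a wildcard: `source 192.168.2.0 255.255.255.0` would ignore the first three octets and match almost everything, which is the opposite of the intent.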
[toys]firewall interzone untrust trust
15:12:18 2016/02/24
[toys-interzone-trust-untrust]q-----the interzone view is left without binding the ACL; ACL 2000 only takes effect once it is applied here with a direction (`packet-filter 2000 inbound` or `outbound`), and until then its "0 times matched" counter stays at 0
15:13:30 2016/02/24
[toys]nat server global ?-----------NAT server (static mapping of a global address to an inside host)
X.X.X.X Global IP address of server
interface Indicate the interface

[toys]nat server global 192.168.2.2 inside ?
X.X.X.X Local IP address of server host

[toys]nat server global 192.168.2.2 inside 10.10.10.3-----caution: 192.168.2.2 is already GigabitEthernet0/0/1's own address. The global address should be one reachable from the untrust side that no interface uses, or use the `interface` form listed above.
15:15:54 2016/02/24
[toys]q
<toys>save
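To close, an added example (not from the original post or from Huawei) that audits the management-plane choices made in this session. It parses a VRP-style configuration and flags: Telnet admitted by `protocol inbound all`, a VTY left in `authentication-mode password` while SSH users exist, an RSA-type SSH user with no client key bound, the FTP server, PAP on the dialer, a default permit that involves untrust, and the web manager running without SSL. SAMPLE_CONFIG is constructed from the commands typed above, with passwords as typed rather than as the device would store them; the `web-manager security enable` and `ssh user <name> assign rsa-key <key>` forms are assumed from the `security` and `assign` keywords in the help output above. The 768-bit RSA modulus accepted earlier is not part of the saved configuration and so is not checked here.

```python
"""Audit a Huawei VRP-style firewall configuration for the weak
management-plane settings made during the session above.

Added example, not from the original post or from Huawei.  SAMPLE_CONFIG is
constructed from the commands typed on the page.  The `web-manager security
enable` and `ssh user <name> assign rsa-key <key>` forms are assumed from the
`security` and `assign` keywords in the page's help output.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_CONFIG = """\
#
 ftp server enable
#
 web-manager enable
#
 firewall packet-filter default permit interzone local untrust
#
interface Dialer1
 link-protocol ppp
 ppp pap local-user toy password cipher Toy123456
#
aaa
 local-user toy password cipher Toys123456
 local-user toy level 15
#
user-interface vty 0 4
 authentication-mode password cipher Toys123456
 protocol inbound all
#
ssh user toy authentication-type rsa
#
return
"""

Sections = Dict[str, List[str]]
Finding = Tuple[str, str]  # (section, message)


def parse_sections(config: str) -> Sections:
    """Group indented lines under the unindented header above them.  Unindented
    lines, and indented lines with no header in their `#` block, are system-view
    commands and are collected under 'system'."""
    sections: Sections = {"system": []}
    header: Optional[str] = None
    for raw in config.splitlines():
        text = raw.strip()
        if text in ("#", "return", ""):
            header = None
            continue
        if raw.startswith(" ") and header is not None:
            sections[header].append(text)
        elif raw.startswith(" "):
            sections["system"].append(text)
        else:
            header = text
            sections.setdefault(header, [])
            sections["system"].append(text)
    return sections


def audit(sections: Sections) -> List[Finding]:
    """One finding per weak setting; an empty list means nothing was flagged."""
    findings: List[Finding] = []
    system = sections["system"]

    ssh_users, rsa_users, keyed_users = set(), set(), set()
    for cmd in system:
        m = re.match(r"ssh user (\S+)(?: (.*))?$", cmd)
        if not m:
            continue
        user, rest = m.group(1), m.group(2) or ""
        ssh_users.add(user)
        if rest.startswith("authentication-type ") and rest.split()[-1] in ("rsa", "password-rsa", "all"):
            rsa_users.add(user)
        if rest.startswith("assign rsa-key "):
            keyed_users.add(user)
    for user in sorted(rsa_users - keyed_users):
        findings.append(("system", f"ssh user {user}: RSA authentication but no client key bound (ssh user {user} assign rsa-key ...)"))

    for header, cmds in sections.items():
        if header.startswith("user-interface vty"):
            for cmd in cmds:
                if re.fullmatch(r"protocol inbound (all|telnet)", cmd):
                    findings.append((header, f"'{cmd}' admits cleartext Telnet; use 'protocol inbound ssh'"))
                if cmd.startswith("authentication-mode password") and ssh_users:
                    findings.append((header, "password mode on the VTY while SSH users exist; SSH logins are checked through AAA, so use 'authentication-mode aaa'"))
        if header.startswith("interface ") and any(c.startswith("ppp pap ") for c in cmds):
            findings.append((header, "PAP sends the PPP password in cleartext; prefer CHAP"))

    for cmd in system:
        if cmd == "ftp server enable":
            findings.append(("system", "FTP server enabled: credentials and files in cleartext; use SFTP over the SSH server"))
        m = re.match(r"firewall packet-filter default permit interzone (\w+) (\w+)(.*)$", cmd)
        if m and "untrust" in (m.group(1), m.group(2)):
            scope = "" if "direction" in m.group(3) else " in both directions"
            findings.append(("system", f"default permit{scope} on interzone {m.group(1)}/{m.group(2)}; write explicit policy for the real flows instead"))
    if "web-manager enable" in system and "web-manager security enable" not in system:
        findings.append(("system", "web-manager over plain HTTP; add 'web-manager security enable'"))
    return findings


if __name__ == "__main__":
    for section, message in audit(parse_sections(SAMPLE_CONFIG)):
        print(f"[{section}] {message}")
```

Run against SAMPLE_CONFIG it reports seven findings; after the changes each message names (SSH only on the VTY, AAA mode, a bound client key, SFTP instead of FTP, CHAP, no default permit towards untrust, web manager over SSL) it reports none. On a real device, feed it the output of `display current-configuration` instead.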
