您好,登錄后才能下訂單哦!
一、場景說明:
準(zhǔn)備調(diào)試的防火墻在機(jī)房,由于現(xiàn)場配置比較麻煩,所以決定先調(diào)測到可以通過核心交換下面的一臺跳板機(jī)可以訪問后在遠(yuǎn)程調(diào)試。
二、拓?fù)鋱D:
拓?fù)淙缦拢和饩W(wǎng)通過箭頭1的方向訪問到箭頭2所指向的跳板機(jī),然后如logo覆蓋的箭頭3所示在通過跳板機(jī)訪問與華為9306的互聯(lián)的H3C防火墻,相關(guān)端口、規(guī)劃IP如圖所示。
H3C SecPath F1000-S-AI版本如下:
Comware Software, Version 5.20
注:請忽略拓?fù)錁?biāo)志都是思科標(biāo)志,看懂即可。
三、配置過程:
1、開啟telnet使能:
<H3C>sys #進(jìn)入配置視圖界面;
System View: return to User View with Ctrl+Z.
[H3C]telnet server enable #開啟telnet訪問;
2、配置訪問連接數(shù)和認(rèn)證方式:
[H3C]user-interface vty 0 4 #進(jìn)入vty視圖;
[H3C-ui-vty0-4]authentication-mode scheme #配置認(rèn)證方式為用戶名、密碼訪問;
[H3C-ui-vty0-4]quit #退出VTY視圖;
3、配置訪問用戶:
[H3C]local-user admin #進(jìn)入用戶配置視圖(也可以創(chuàng)建用戶);
[H3C-luser-admin]dis this #查看用戶當(dāng)前配置,如下;
#
local-user admin
password cipher $c$3$owgVrLye7oqSE+DeOvQyxOUxl6eRFdNX
authorization-attribute level 3
service-type telnet
service-type web
#
return
[H3C-luser-admin]password sim (your password) #設(shè)置密碼;
[H3C-luser-admin]authorization-attribute level 3 #配置使用的命令級別;
[H3C-luser-admin]service-type telnet #配置用戶為telnet登錄方式;
[H3C-luser-admin]quit #退出用戶配置模式;
4、配置訪問安全域:
配置的時候這個地方出了點(diǎn)問題,就是加入允許通過的端口時提示錯誤了,開始以為是鏈路沒有啟用的問題結(jié)果不是,實(shí)際原因下面有講到。
[H3C]zone name trust #新建安全域名字為trust;
[H3C-zone-trust]import interface GigabitEthernet 0/0 #加入允許的端口;
Error: The interface has been added to another zone. #結(jié)果提示出錯了;
[H3C-zone-trust]dis this #查看了一下當(dāng)前配置沒問題;
#
zone name Trust id 2
priority 85
ip virtual-reassembly
#
return
[H3C-zone-trust]quit #退出安全域配置視圖,先去配置與9306互聯(lián)的端口;
5、配置管理端口:
因?yàn)橹皇桥R時配置使用,所以只修改默認(rèn)的管理端口即可,配置如下:
[H3C]interface GigabitEthernet 0/0 #進(jìn)入默認(rèn)管理端口;
[H3C-GigabitEthernet0/0]dis this #查看當(dāng)前配置;
#
interface GigabitEthernet0/0
port link-mode route
ip address 192.168.0.1 255.255.255.0
#
return
[H3C-GigabitEthernet0/0]ip address 192.168.10.31 255.255.255.0 #修改IP為9306互聯(lián)的IP;
[H3C-GigabitEthernet0/0]dis this #查看確認(rèn)修改成功;
#
interface GigabitEthernet0/0
port link-mode route
ip address 192.168.10.31 255.255.255.0
#
return
[H3C-GigabitEthernet0/0]quit #退出端口配置視圖;
6、確認(rèn)鏈路正常:
去9306上檢查與防火墻互聯(lián)的端口發(fā)現(xiàn)shutdown了,取消shutdown,在看防火墻的端口提示互聯(lián)的端口已經(jīng)開啟了,防火墻自己ping管理端口的IP已經(jīng)通了。
[H3C]
%Feb 21 08:57:37:922 2017 H3C IFNET/3/LINK_UPDOWN: GigabitEthernet0/0 link status is UP.
%Feb 21 08:57:37:923 2017 H3C IFNET/5/LINEPROTO_UPDOWN: Line protocol on the interface GigabitEthernet0/0 is UP.
[H3C]ping 192.168.10.31
PING 192.168.10.31: 56 data bytes, press CTRL_C to break
Reply from 192.168.10.31: bytes=56 Sequence=0 ttl=255 time=1 ms
Reply from 192.168.10.31: bytes=56 Sequence=1 ttl=255 time=1 ms
Reply from 192.168.10.31: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply from 192.168.10.31: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 192.168.10.31: bytes=56 Sequence=4 ttl=255 time=1 ms
--- 192.168.10.31 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/1 ms
7、繼續(xù)配置安全域及問題處理:
以為這個時候配置安全域,加入允許通過的端口已經(jīng)可以了,但是還是提示上面開始配置時的提示;
[H3C]zone name trust
[H3C-zone-trust]import interface GigabitEthernet 0/0
Error: The interface has been added to another zone.
檢查配置發(fā)現(xiàn)Management的安全域已經(jīng)配置了通過的端口;
[H3C]dis cur #查看當(dāng)前所有配置的命令;
zone name Management id 0
priority 100
import interface GigabitEthernet0/0
zone name Local id 1
priority 100
zone name Trust id 2
priority 85
zone name DMZ id 3
priority 50
zone name Untrust id 4
priority 5
進(jìn)入Management安全域,將配置刪掉;
[H3C-zone-trust]zone name Management #進(jìn)入到安全域;
[H3C-zone-Management]undo import interface GigabitEthernet 0/0 #刪除有關(guān)0/0端口的配置;
[H3C-zone-Management]dis this #查看確認(rèn)配置已經(jīng)刪除;
#
zone name Management id 0
priority 100
ip virtual-reassembly
#
return
刪除上面的配置后,配置新的安全域允許通過的端口不在提示錯誤了。
[H3C-zone-Management]zone name trust #進(jìn)入新建安全域;
[H3C-zone-trust]import interface GigabitEthernet 0/0 #添加配置;
[H3C-zone-trust]quit #退出安全域配置;
8、添加一條到9306的默認(rèn)路由配置,并檢查到9306是否已經(jīng)互通;
[H3C]ip route-static 0.0.0.0 0.0.0.0 192.168.10.254 #添加到0306的路由配置;
[H3C]ping 192.168.10.254 #檢查到9306還是不通;
PING 192.168.10.254: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 192.168.10.254 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
[H3C]interzone policy default by-priority #添加一條域間訪問策略;
[H3C]ping 192.168.10.254 #測試訪問還是不通;
PING 192.168.10.254: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 192.168.10.254 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
9、檢查互聯(lián)端口配置解決問題:
檢查一下與9306互聯(lián)端口的配置發(fā)現(xiàn)9306的端口沒有配置透傳的vlan,9306上給端口添加上vlan,在檢查就通了。
[H3C]ping 192.168.10.254
PING 192.168.10.254: 56 data bytes, press CTRL_C to break
Reply from 192.168.10.254: bytes=56 Sequence=0 ttl=255 time=2 ms
Reply from 192.168.10.254: bytes=56 Sequence=1 ttl=255 time=6 ms
Reply from 192.168.10.254: bytes=56 Sequence=2 ttl=255 time=4 ms
Reply from 192.168.10.254: bytes=56 Sequence=3 ttl=255 time=3 ms
Reply from 192.168.10.254: bytes=56 Sequence=4 ttl=255 time=2 ms
--- 192.168.10.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/3/6 ms
10、退出保存配置:
[H3C]quit #退出配置視圖模式;
<H3C>save #保存配置;
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash0:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait....
Configuration is saved to device successfully.
11、遠(yuǎn)程telnet訪問確認(rèn)訪問正常;
CRT創(chuàng)建一個telnet會話訪問該防火墻,已經(jīng)可以訪問,輸入用戶名、密碼后登錄也正常。確認(rèn)配置完成。
實(shí)現(xiàn)后的總結(jié):
本人對網(wǎng)絡(luò)設(shè)備配置基本處于小白狀態(tài),所以本次配置其實(shí)走了一點(diǎn)彎路好在及時發(fā)現(xiàn)問題并解決了問題。通過本次配置發(fā)現(xiàn)在配置網(wǎng)絡(luò)設(shè)備之前,對于設(shè)備現(xiàn)有的配置做一個了解,做到心中架構(gòu)清晰,配置起來才能針對問題處理。同時在配置之前確認(rèn)要實(shí)現(xiàn)的目的使用那些命令,有助于在配置過程中事半功倍。
文章為個人配置過程的整理,如有不正之處,敬請指出。
免責(zé)聲明:本站發(fā)布的內(nèi)容(圖片、視頻和文字)以原創(chuàng)、轉(zhuǎn)載和分享為主,文章觀點(diǎn)不代表本網(wǎng)站立場,如果涉及侵權(quán)請聯(lián)系站長郵箱:is@yisu.com進(jìn)行舉報,并提供相關(guān)證據(jù),一經(jīng)查實(shí),將立刻刪除涉嫌侵權(quán)內(nèi)容。