1.使用eNSP拓扑图搭建以下拓扑图,并按如下要求规划IP地址(其中X为自己学号的后两位)
2.通过Console口登陆
(1)通过Console口登录USG防火墙
配置USG的设置名称和时间等
3.启动SSH服务
启用SSH服务创建SSH管理员账号生成本地密钥对(4)配置VTY用户界面
(5)配置SSH登陆接口
(6)在路由器上SSH登陆防火墙测试配置是否成功,测试结果截图
4.通过WEB方式登陆设备
Note:缺省情况下,设备的GE0/0/0的IP地址是192.168.0.1,并开启HTTPS管理。用户可以通过用户名admin,密码Admin@123登录。
(1)配置管理PC的IP地址为192.168.0.10/24。
(2)管理PC通过浏览器访问https://192.168.0.1:8443,输入用户名admin,密码Admin@123,检查是否可以登录设备。如果成功登录则表示配置成功,否则请检查配置。
(3)修改缺省管理员账号的密码后,单击“确定”,进入Web界面。
防火墙管理配置详细步骤
1.使用eNSP拓扑图搭建以下拓扑图,并按如下要求规划IP地址(其中X为自己学号的后两位)
2.Console口配置
(1)通过Console口登录USG防火墙
(2)配置USG的设置名称和时间等
<USG6000V1>system
[USG6000V1]sysname yinsl_USG
[yinsl_USG]quit
<yinsl_USG>clock timezone UTC add 8
<yinsl_USG>clock datetime 17:26:00 -3-9
<yinsl_USG>display clock
-03-09 17:26:07+08:00
Saturday
Time Zone(UTC) : UTC+08:00
3.启动SSH服务
a.在接口上启用SSH服务并加入Trust安全区域
[yinsl_USG]interface GigabitEthernet 1/0/0 //配置SSH登陆接口
[yinsl_USG-GigabitEthernet1/0/0]ip address 10.0.0.1 24
[yinsl_USG-GigabitEthernet1/0/0]service-manage enable
[yinsl_USG-GigabitEthernet1/0/0]service-manage ssh permit
[yinsl_USG-GigabitEthernet1/0/0]quit
[yinsl_USG]firewall zone trust
[yinsl_USG-zone-trust]add interface g 1/0/0
[yinsl_USG-zone-trust]quit
b.配置验证方式位AAA
[yinsl_USG]user-interface vty 0 4 [yinsl_USG-ui-vty0-4]authentication-mode aaa
[yinsl_USG-ui-vty0-4]user privilege level 15
[yinsl_USG-ui-vty0-4]protocol inbound ssh
[yinsl_USG-ui-vty0-4]quit
c.创建SSH管理员账号
[yinsl_USG]aaa //创建SSH管理员账号:yinsl + huawei@123
[yinsl_USG-aaa]manager-user yinsl
[yinsl_USG-aaa-manager-user-yinsl]service-type ssh
[yinsl_USG-aaa-manager-user-yinsl]password
Enter Password:
Confirm Password:
[yinsl_USG-aaa-manager-user-yinsl]quit
[FW-aaa] bind manager-user yslrole system-admin
[FW-aaa] quit
d.生产本地密钥对并启用SSH服务
[yinsl_USG]rsa local-key-pair create //生成本地密钥对
[yinsl_USG]stelnet server enable //启用SSH服务
e.配置SSH用户
[yinsl_USG]ssh user yinsl
[yinsl_USG]ssh user yinsl authentication-type password
[yinsl_USG]ssh user yinsl service-type stelnet
在路由器上SSH登陆防火墙,测试配置是否成功。测试结果截图
[Router]interface GigabitEthernet 0/0/0
[Router-GigabitEthernet0/0/0]ip address 10.0.0.10 24
[Router-GigabitEthernet0/0/0]quit
[Router]ssh client first-time enable
[Router]stelnet 10.0.0.1
Please input the username:yinsl
Trying 10.0.0.1 ...
Press CTRL+K to abort
Connected to 10.0.0.1 ...
The server is not authenticated. Continue to access it? (y/n)[n]:y
Save the server's public key? (y/n)[n]:y
The server's public key will be saved with the name 10.0.0.1. Please wait...
Enter password:
*************************************************************************
* Copyright (C) - Huawei Technologies Co., Ltd. *
* All rights reserved. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
*************************************************************************
Info: The max number of VTY users is 10, and the number
of current VTY users on line is 3.
The current login time is -03-09 20:38:42+08:00.
<yinsl_USG>sys
Enter system view, return user view with Ctrl+Z.
