H3C F1000-S firewall basic configuration and Telnet login

Source: Internet
Author: User

I. Scenario description:

The firewall in the equipment room needs to be debugged. Configuring it on site is inconvenient, so the plan is to first make it reachable through the jump host (springboard machine) that sits behind the core switch, and then do the remaining debugging remotely.


II. Topology diagram:

Topology: traffic from the external network enters along arrow 1 and reaches the jump host pointed to by arrow 2; from the jump host, over the link marked by arrow 3, it reaches the Huawei 9306 core switch and the H3C firewall connected to it. The ports involved and the planned IP addresses are shown in the diagram.

The H3C SecPath F1000-S-AI software version is:

Comware Software, Version 5.20

Note: the topology uses a Cisco icon for the devices; please ignore that.

(Topology diagram image.)


III. Configuration process:

1. Enable the Telnet server:

<H3C>system-view                  # enter system view
System View: return to User View with Ctrl+Z.
[H3C]telnet server enable         # enable Telnet access

Telnet carries the username and password in cleartext. That is tolerable here only because the access is temporary and goes through the jump host; once the firewall is reachable, management should move to SSH (stelnet) and Telnet should be switched off.


2. Configure the VTY lines (number of concurrent sessions) and the authentication method:

[H3C]user-interface vty 0 4                 # enter VTY view; lines 0-4 allow five concurrent sessions
[H3C-ui-vty0-4]authentication-mode scheme   # require a username and password (AAA scheme)
[H3C-ui-vty0-4]quit                         # leave VTY view


3. Configure the access user:

[H3C]local-user admin                  # enter local user view (the user is created if it does not exist)
[H3C-luser-admin]dis this              # show this user's current configuration:
#
local-user admin
 password cipher $c$3$OWGVRLYE7OQSE+DEOVQYXOUXL6ERFDNX
 authorization-attribute level 3
 service-type telnet
 service-type web
#
return

[H3C-luser-admin]password simple <your password>   # set the password
[H3C-luser-admin]authorization-attribute level 3   # command level the user may run (3 = manage level)
[H3C-luser-admin]service-type telnet               # allow this user to log in via Telnet
[H3C-luser-admin]quit                              # leave local user view
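Steps 1 to 3 as written open a cleartext Telnet service to every address that can reach the management interface. The block below is an added example, not part of the original post, showing the same user and VTY setup in a hardened form for a Comware V5 SecPath: management sessions are limited to the jump host by a basic ACL, idle sessions time out, and SSH (stelnet) is enabled so that Telnet can be switched off once an SSH login has been verified. The jump host address 192.168.10.100 and the placeholder password are assumptions; the user name and VTY range are those of the post. The commands not shown on the page (acl, idle-timeout, protocol inbound, public-key local create, ssh server enable, ssh user, local-user password-display-mode) are standard Comware V5 commands.

```text
# Added example (not from the original post). Comware V5 SecPath, system view.
# Assumption: the jump host used for remote debugging is 192.168.10.100.
system-view

# Basic ACL: only the jump host may open a management session.
# The explicit deny makes the outcome independent of the platform default
# for packets that match no rule.
acl number 2000
 rule 0 permit source 192.168.10.100 0
 rule 5 deny
quit

# Host key pair for SSH; the device prompts for the modulus length (use 2048).
public-key local create rsa
ssh server enable

# VTY lines: AAA login, source restriction, idle timeout, SSH only.
# Keep "protocol inbound all" until an SSH login has been tested; switching
# to "ssh" first would cut off the Telnet session you are working from.
user-interface vty 0 4
 authentication-mode scheme
 acl 2000 inbound
 idle-timeout 10 0
 protocol inbound ssh
quit

# Show local-user passwords only in hashed form, even when set with "simple".
local-user password-display-mode cipher-force
local-user admin
 password simple <your password>
 authorization-attribute level 3
 service-type ssh
 undo service-type telnet
quit

# Map the SSH login for this local user to password authentication.
ssh user admin service-type stelnet authentication-type password

# Once an SSH login from the jump host succeeds, retire Telnet entirely.
undo telnet server enable
```

The order matters: generate the key and enable the SSH server before restricting the VTY protocol, and apply the ACL only from a session that will still match it (or from the console), otherwise the lockout is immediate.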


4. Configure the security zone:

There was a problem at this point: adding the interface to the zone produced an error. At first I suspected the link was not enabled, but that was not the reason; the actual cause is described below in step 7.

[H3C]zone name Trust                                     # enter the zone named Trust (created if it does not exist)
[H3C-zone-trust]import interface GigabitEthernet 0/0     # add the interface to the zone
Error: The interface has been added to another zone.      # rejected
[H3C-zone-trust]dis this                                  # the zone's own configuration looks fine:
#
zone name Trust id 2
 priority 85
 ip virtual-reassembly
#
return
[H3C-zone-trust]quit                                      # leave zone view; first configure the port that interconnects with the 9306


5. Configure the management interface:

Because this is only a temporary configuration, only the default management interface is modified:

[H3C]interface GigabitEthernet 0/0              # enter the default management interface
[H3C-GigabitEthernet0/0]dis this                # show its current configuration:
#
interface GigabitEthernet0/0
 port link-mode route
 ip address 192.168.0.1 255.255.255.0
#
return

[H3C-GigabitEthernet0/0]ip address 192.168.10.31 255.255.255.0   # change the address to the one planned for the 9306 interconnect
[H3C-GigabitEthernet0/0]dis this                                 # confirm the change:
#
interface GigabitEthernet0/0
 port link-mode route
 ip address 192.168.10.31 255.255.255.0
#
return
[H3C-GigabitEthernet0/0]quit                                     # leave interface view


6. Confirm the link is up:

On the 9306, the port facing the firewall was found to be shut down. After undo shutdown on the 9306, the firewall logs the interconnect port coming up, and the firewall can ping its own management address. (Pinging the firewall's own interface address only exercises the local IP stack; whether the 9306 itself answers is tested in step 8.)

[H3C]
%Feb 08:57:37:922 H3C IFNET/3/LINK_UPDOWN: GigabitEthernet0/0 link status is up.
%Feb 08:57:37:923 H3C IFNET/5/LINEPROTO_UPDOWN: Line protocol on the interface GigabitEthernet0/0 is up.

[H3C]ping 192.168.10.31
  PING 192.168.10.31: 56 data bytes, press CTRL_C to break
    Reply from 192.168.10.31: bytes=56 Sequence=0 ttl=255 time=1 ms
    Reply from 192.168.10.31: bytes=56 Sequence=1 ttl=255 time=1 ms
    Reply from 192.168.10.31: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 192.168.10.31: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 192.168.10.31: bytes=56 Sequence=4 ttl=255 time=1 ms

  --- 192.168.10.31 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms


7. Continue configuring the security zone and handle the problem:

With the interface up, adding it to the zone should have worked, but the same error as at the start appeared:

[H3C]zone name Trust
[H3C-zone-trust]import interface GigabitEthernet 0/0
Error: The interface has been added to another zone.

Checking the running configuration showed that the interface had already been placed in the Management zone:

[H3C]dis cur                         # show the whole running configuration (only the zone section is reproduced here)
zone name Management id 0
 priority 100
 import interface GigabitEthernet0/0
zone name Local id 1
 priority 100
zone name Trust id 2
 priority 85
zone name DMZ id 3
 priority 50
zone name Untrust id 4
 priority 5

An interface can belong to only one zone at a time, so enter the Management zone and remove it there first:

[H3C-zone-trust]zone name Management                              # enter the Management zone
[H3C-zone-management]undo import interface GigabitEthernet 0/0    # remove GigabitEthernet0/0 from it
[H3C-zone-management]dis this                                     # confirm the interface is gone:
#
zone name Management id 0
 priority 100
 ip virtual-reassembly
#
return

With that removed, the interface can be imported into the Trust zone without error:

[H3C-zone-management]zone name Trust                      # enter the Trust zone
[H3C-zone-trust]import interface GigabitEthernet 0/0      # add the interface
[H3C-zone-trust]quit                                      # leave zone view


8. Add a default route towards the 9306 and check whether the 9306 is reachable:

[H3C]ip route-static 0.0.0.0 0.0.0.0 192.168.10.254    # default route via the 9306
[H3C]ping 192.168.10.254                                # the 9306 still does not answer:
  PING 192.168.10.254: 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 192.168.10.254 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

[H3C]interzone policy default by-priority    # default interzone policy: permit traffic from higher-priority zones to lower-priority zones
[H3C]ping 192.168.10.254                     # still no reply:
  PING 192.168.10.254: 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 192.168.10.254 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

Note that interzone policy default by-priority opens all traffic from every higher-priority zone to every lower-priority one (Local and Management at 100, down through Trust 85, DMZ 50 and Untrust 5). It is convenient during bring-up but too broad to leave in place on a production firewall, where explicit interzone rules are preferable.


9. Check the interconnect port configuration and resolve the problem:

Checking the 9306 side showed that its interconnect port had not been added to the VLAN. After adding the port to the VLAN on the 9306, the ping goes through:

[H3C]ping 192.168.10.254
  PING 192.168.10.254: 56 data bytes, press CTRL_C to break
    Reply from 192.168.10.254: bytes=56 Sequence=0 ttl=255 time=2 ms
    Reply from 192.168.10.254: bytes=56 Sequence=1 ttl=255 time=6 ms
    Reply from 192.168.10.254: bytes=56 Sequence=2 ttl=255 time=4 ms
    Reply from 192.168.10.254: bytes=56 Sequence=3 ttl=255 time=3 ms
    Reply from 192.168.10.254: bytes=56 Sequence=4 ttl=255 time=2 ms

  --- 192.168.10.254 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/3/6 ms
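Steps 4 to 9 are one procedure: put the interface in the right zone, address it, route towards the 9306 and verify. The block below is an added example, not the original post's own transcript, that collects those commands in the order that avoids the zone error and adds the display commands a practitioner would run before and after (display zone, display ip routing-table and display ip interface brief are standard Comware V5 commands that the page does not show). Addresses and zone names are those of the post; the 9306 side (its port's VLAN membership and the unshut of the port) is assumed to be done already.

```text
# Added example (not the original post's transcript). Comware V5 SecPath, system view.
system-view

# Before importing an interface, find out which zone already owns it: an
# interface is a member of exactly one zone, and on this box GigabitEthernet0/0
# starts out in Management.
display zone

# Move the interface: remove it from its current zone first, then import it.
zone name Management
 undo import interface GigabitEthernet 0/0
quit
zone name Trust
 import interface GigabitEthernet 0/0
quit

# Interconnect address and default route towards the 9306 (addresses from the post).
interface GigabitEthernet 0/0
 ip address 192.168.10.31 255.255.255.0
quit
ip route-static 0.0.0.0 0.0.0.0 192.168.10.254

# by-priority permits any higher-priority zone to reach any lower-priority zone
# (Local/Management 100 > Trust 85 > DMZ 50 > Untrust 5). Adequate for bring-up;
# on a production unit replace it with explicit interzone rules.
interzone policy default by-priority

# Verify: zone membership, the route, interface state, then the peer itself.
display zone
display ip routing-table
display ip interface brief
ping 192.168.10.254
```

If the final ping still times out after the route and zone membership check out, the fault is on the far side of the link (as it was here, with the 9306 port missing from the VLAN), not in the firewall's policy.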


10. Exit and save the configuration:

[H3C]quit            # back to user view
<H3C>save            # save the running configuration
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash0:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait....
Configuration is saved to device successfully.


11. Confirm remote Telnet access works:

A Telnet session to the firewall created in CRT connects, and login succeeds after entering the username and password. This confirms the configuration is complete.

(Screenshot of the Telnet login session.)


Summary after implementation:

  I am basically a beginner at network device configuration, so this configuration took a few detours before the problems were found and solved. The lesson from it: before configuring a network device, understand its existing configuration so that the structure is clear in your head, and know in advance which commands will verify that the configuration has achieved its purpose.

This article is a write-up of my own configuration process; if there are any shortcomings, please point them out.

This article is from the "Rong book" blog; please keep this source link: http://rongshu.blog.51cto.com/681368/1900182
