H3C SecPath F100 Series Firewall Configuration Tutorial
H3C SecPath F100-C Firewall Installation Manual (V1.03)
H3C SecPath F100-C Firewall Installation Manual. Hangzhou H3C Technologies Co., Ltd. Document version: T1-08044M-20070430-C-1.03. Notice: Copyright © 2006-2007 Hangzhou H3C Technologies Co., Ltd. and its licensors. All rights reserved.
No part of this manual may be excerpted, reproduced or distributed in any form by any organization or individual without the written permission of the company.
H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision, HUASAN and 华三 are trademarks of Hangzhou H3C Technologies Co., Ltd.
Trademarks, product identifiers and trade names of other companies appearing in this manual are the property of their respective owners.
Unless otherwise agreed, this manual is provided as a usage guide only; the statements, information and recommendations in it do not constitute any express or implied warranty.
To obtain the latest manual, please log in to .
Technical support
User support email: customer_service@
Technical support hotline: 800-810-0504 (landline) / 400-810-0504 (mobile or landline)
Website:
Preface
Related manuals:
H3C SecPath Series Security Products Operation Manual: introduces the features, working principles, configuration and operation of the H3C SecPath series security gateways/firewalls.
H3C SecPath Series Security Products Command Manual: describes the configuration and operation commands of the H3C SecPath series security gateways/firewalls, including command name, complete command line, parameters, view, usage guidelines and examples.
H3C SecPath Series Security Products Web Configuration Manual: guides users in configuring H3C SecPath series firewalls through the web interface.
About this book. The chapters of this manual are as follows: Chapter 1, Product Introduction, introduces the features and applications of the H3C SecPath F100-C firewall.
H3C firewall configuration explained
Transparent mode and access control on the H3C SecPath F100-A-G2 firewall.
Note: security zones take effect only through security policies.
URL filtering and all other access-control policies must also be enforced in the security policy.
Security policy rules are searched one by one in order: a matching rule is applied; if a rule does not match, the next one is tried; if no rule has matched by the end of the list, the packet is dropped.
The configuration steps are as follows. Step 1: connect to the firewall and enable the web interface. The commands are:
sys
security-zone name Trust
import interface GigabitEthernet1/0/0
import interface GigabitEthernet1/0/1
interface GigabitEthernet1/0/0
port link-mode route
ip address 100.0.0.1 255.255.255.0
acl advanced 3333
rule 0 permit ip
zone-pair security source Trust destination local
packet-filter 3333
zone-pair security source local destination Trust
packet-filter 3333
local-user admin class manage
password hash admin
service-type telnet terminal http https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
ip http enable
ip https enable
Details: assign the interfaces to security zones, for example make G1/0/2 and G1/0/3 Layer 2 interfaces and add them to the Trust zone.
[Screenshot of the security policy list in the web interface: rules between the Trust, Untrust and local zones with source and destination "any", each enabled.]
Step 2: in the web interface, change the interfaces to Layer 2 mode, then add the Layer 2 interfaces to the Trust security zone.
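The first-match, default-drop policy search described above, modelled as an added example (this is not H3C code). The Rule/Packet layout, the zone names and the sample rules are assumptions made for the example; the shadowing check is the audit a practitioner would run before applying a rule list, since a specific deny placed after a permit-all rule like "rule 0 permit ip" can never fire.

```python
"""Model of the SecPath security-policy search: rules are checked in order,
the first match decides, and a packet matching no rule is dropped.  Added
illustration, not H3C code; the Rule/Packet layout, the zone names and the
sample rules are assumptions for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    src_zone: str            # e.g. "Trust"
    dst_zone: str            # e.g. "Untrust", or "local" for the firewall itself
    src: str                 # CIDR prefix or "any"
    dst: str                 # CIDR prefix or "any"
    proto: str               # "ip" (any protocol), "tcp", "udp" or "icmp"
    dst_port: Optional[int]  # None matches any destination port
    action: str              # "permit" or "deny"


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: Optional[int] = None


def _addr_matches(pattern: str, addr: str) -> bool:
    return pattern == "any" or ip_address(addr) in ip_network(pattern, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.src_zone == pkt.src_zone
            and rule.dst_zone == pkt.dst_zone
            and _addr_matches(rule.src, pkt.src_ip)
            and _addr_matches(rule.dst, pkt.dst_ip)
            and rule.proto in ("ip", pkt.proto)
            and rule.dst_port in (None, pkt.dst_port))


def evaluate(policy: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the rule that matched).  No match means the
    implicit drop at the end of the policy, reported as ('deny', None)."""
    for index, rule in enumerate(policy):
        if rule_matches(rule, pkt):
            return rule.action, index
    return "deny", None


def _covers(broad: str, narrow: str) -> bool:
    """True if every address matched by `narrow` is also matched by `broad`."""
    if broad == "any":
        return True
    if narrow == "any":
        return False
    return ip_network(narrow, strict=False).subnet_of(ip_network(broad, strict=False))


def shadowed_rules(policy: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule for the same
    zone pair already matches everything they would match.  With first-match
    search, a deny placed after a broader permit is silently ineffective."""
    shadowed = []
    for j, later in enumerate(policy):
        for earlier in policy[:j]:
            if (earlier.src_zone == later.src_zone
                    and earlier.dst_zone == later.dst_zone
                    and _covers(earlier.src, later.src)
                    and _covers(earlier.dst, later.dst)
                    and earlier.proto in ("ip", later.proto)
                    and earlier.dst_port in (None, later.dst_port)):
                shadowed.append(j)
                break
    return shadowed


# Constructed policy.  Rule 0 mirrors the page's "acl advanced 3333 rule 0
# permit ip" applied between Trust and local; rules 1-2 are invented to show
# an ordering mistake: the host-specific deny sits after a permit-all.
POLICY = [
    Rule("Trust", "local", "any", "any", "ip", None, "permit"),
    Rule("Trust", "Untrust", "any", "any", "ip", None, "permit"),
    Rule("Trust", "Untrust", "192.168.1.50/32", "any", "ip", None, "deny"),
]

# The same rules with the specific deny moved ahead of the broad permit.
FIXED_POLICY = [POLICY[0], POLICY[2], POLICY[1]]


if __name__ == "__main__":
    web = Packet("Trust", "Untrust", "192.168.1.50", "203.0.113.10", "tcp", 443)
    inbound = Packet("Untrust", "Trust", "203.0.113.10", "192.168.1.50", "tcp", 22)
    print(evaluate(POLICY, web))          # ('permit', 1): the deny never fires
    print(evaluate(FIXED_POLICY, web))    # ('deny', 1)
    print(evaluate(POLICY, inbound))      # ('deny', None): no rule, implicit drop
    print(shadowed_rules(POLICY))         # [2]
    print(shadowed_rules(FIXED_POLICY))   # []
```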
Setting up web access on H3C SecPath F100 series firewalls
Recently one of the group's subsidiary hotels returned an H3C SecPath F100-S firewall. While refreshing my own knowledge I will bring you a few tutorials; comments and criticism are welcome.
Today's topic is how to access and configure the firewall through the web interface.
Unlike earlier H3C products, the SecPath F100 series adds a much friendlier web configuration interface: users can reach the firewall over the web and set parameters graphically, which greatly lowers the barrier to configuring the firewall and lets users get started faster.
Let's look at how to configure the SecPath F100-S through the web; note that web access is disabled by default.
Step 1: establish a connection to the firewall. We configure over the console: plug the RJ45 end of the console cable supplied with the firewall into the firewall's "console" port and the other end into the computer's serial port.
Start "HyperTerminal" on the computer, accept the defaults (9600/8/none/1/none) and click OK.
Step 2: power on the firewall; the whole boot process is shown in the HyperTerminal window.
Press Enter to reach the firewall's command-line configuration mode.
Step 3: enter "system-view" to reach the advanced management view, and first inspect the firewall's default configuration.
Step 4: begin configuring. Start the firewall's HTTP service; it is enabled by default, so no action is usually needed.
Command: undo ip http shutdown
Create the corresponding user on the firewall, grant it the telnet service, and set the management level to the highest, level 3:
local-user admin (create user admin)
password simple admin (set the password to admin in plain text)
service-type telnet (a user may log in to the HTTP server only if it has the telnet service type; users of different levels see different configurable options in the web interface)
level 3 (set the privilege level to the highest, level 3)
Assign an IP address to the interface that will provide web access. We configure the eth0/0 interface with 192.168.1.1 255.255.255.0; this is the address typed into the browser's address bar when logging in over the web. Then add the interface to the trust zone and set the firewall's default policy to permit traffic:
firewall zone trust
add interface Ethernet 0/0
quit
firewall packet-filter default permit
Step 5: set the computer's IP address to the same subnet as the firewall's login address, then enter http://192.168.1.1 in the browser to reach the firewall's web management login page.
H3C SecPath F100 Series Firewall Configuration Tutorial
Initial configuration:
<H3C> system-view
Enable the firewall function:
[H3C] firewall packet-filter enable
[H3C] firewall packet-filter default permit
Assign interfaces to zones:
[H3C] firewall zone untrust
[H3C-zone-untrust] add interface GigabitEthernet0/0
[H3C] firewall zone trust
[H3C-zone-trust] add interface GigabitEthernet0/1
Working mode: firewall mode transparent (transparent mode); firewall mode route (route mode)
HTTP server: enable with undo ip http shutdown; disable with ip http shutdown
Add a web user:
[H3C] local-user admin
[H3C-luser-admin] password simple admin
[H3C-luser-admin] service-type telnet
[H3C-luser-admin] level 3
Enable attack defense: firewall defend all (enables all defenses)
Switch to Chinese: language-mode chinese
Set the firewall name: sysname sysname
Configure the firewall system IP address: firewall system-ip system-ip-address [ address-mask ]
Set the time: clock datetime time date
Set the time zone: clock timezone time-zone-name { add | minus } time
Remove the time zone setting: undo clock timezone
Configure the password for switching user level: super password [ level user-level ] { simple | cipher } password
Remove that password: undo super password [ level user-level ]
By default, if no level is specified, the password set is the one for switching to level 3.
H3C SecPath F100-C-SI Firewall Web Configuration Guide-5PW100-Security Configuration
Contents
1 Access control: 1.1 Overview; 1.2 Configuring access control; 1.3 Typical access control configuration example
2 Website filtering: 2.1 Overview; 2.2 Typical website filtering configuration example
3 MAC address filtering: 3.1 Overview; 3.2 Configuring MAC address filtering (3.2.1 Configuring the filter type; 3.2.2 Configuring the MAC addresses to filter); 3.3 Typical MAC address filtering configuration example
4 Attack defense: 4.1 Overview (4.1.1 Blacklist; 4.1.2 Intrusion detection); 4.2 Configuring the blacklist (4.2.1 Configuration overview; 4.2.2 Enabling blacklist filtering; 4.2.3 Manually adding blacklist entries; 4.2.4 Viewing the blacklist); 4.3 Configuring intrusion detection; 4.4 Typical attack defense configuration example
5 Application control: 5.1 Overview; 5.2 Configuring application control (5.2.1 Configuration overview; 5.2.2 Loading applications; 5.2.3 Configuring custom applications; 5.2.4 Enabling application control); 5.3 Typical application control configuration example
1 Access control
1.1 Overview: Access control restricts the access of LAN computers to the Internet by denying packets that match specified conditions, namely a time range, the IP addresses of LAN computers, a port range and the packet's protocol type.
F100 firewall PPPoE configuration example
Connecting a LAN to the Internet through an ADSL modem
1. Network requirements: Computers on the LAN access the Internet through SecPathA, which connects to the DSLAM through an ADSL modem in always-on mode.
The ADSL account user name is adsluser and the password is 123456.
SecPathB acts as the PPPoE server, connects to the DSLAM through interface Eth2/0/0, and provides RADIUS authentication and accounting.
PPPoE client is enabled on SecPathA so that hosts on the LAN can access the Internet without installing PPPoE client software.
2. Network diagram: Figure 3-3 Connecting a LAN to the Internet through ADSL
3. Configuration steps
(1) Configure SecPathA
# Configure the Dialer interface.
[H3C] dialer-rule 1 ip permit
[H3C] interface dialer 1
[H3C-Dialer1] dialer user secpathb
[H3C-Dialer1] dialer-group 1
[H3C-Dialer1] dialer bundle 1
[H3C-Dialer1] ip address ppp-negotiate
[H3C-Dialer1] ppp pap local-user adsluser password cipher 123456
# Configure the PPPoE session.
[H3C] interface ethernet 2/0/0
[H3C-Ethernet2/0/0] pppoe-client dial-bundle-number 1
# Configure the LAN interface and the default route.
[H3C] interface ethernet 0/0/0
[H3C-Ethernet0/0/0] ip address 192.168.1.1 255.255.255.0
[H3C-Ethernet0/0/0] quit
[H3C] ip route-static 0.0.0.0 0 dialer 1
If the computers on the LAN use private addresses, NAT (Network Address Translation) must also be configured on the firewall.
H3C SecPath F100 Series Firewall 01-Getting Started Configuration Guide-Basic Configuration
• Configure static NAT:
nat static local-ip [ vpn-instance local-name ] global-ip [ vpn-instance global-name ]
• Apply the configuration on the interface:
nat outbound static
nat outbound [ acl-number ] [ address-group group-number [ vpn-instance vpn-instance-name ] [ no-pat ] ] [ track vrrp virtual-router-id ]
Contents
1 Basic configuration: 1.1 Overview; 1.2 Basic device configuration through the web interface; 1.3 Basic device configuration through the command line; 1.4 Service configuration notes
H3C SecPath F100-C-EI Firewall Manual
Contents
Chapter 1 Product Introduction: 1.1 Overview; 1.2 Appearance (1.2.1 Front panel; 1.2.2 Rear panel); 1.3 Specifications; 1.4 LEDs; 1.5 Fixed interfaces (1.5.1 Console port; 1.5.2 Ethernet ports)
Chapter 2 Preparing for Installation: 2.1 Site requirements (2.1.1 Temperature/humidity; 2.1.2 Cleanliness; 2.1.3 ESD protection; 2.1.4 Electromagnetic environment; 2.1.5 Lightning protection; 2.1.6 Checking the installation bench; 2.1.7 Cabinet installation requirements); 2.2 Safety precautions (2.2.1 Safety signs; 2.2.2 General safety recommendations; 2.2.3 Electrical safety); 2.3 Installation tools, meters and equipment
Chapter 3 Installing the Firewall: 3.1 Installation flow; 3.2 Installing the firewall in position (3.2.1 On a workbench; 3.2.2 In a cabinet); 3.3 Connecting the protective ground; 3.4 Connecting the power cord; 3.5 Connecting interface cables (3.5.1 Console cable; 3.5.2 Ethernet cable); 3.6 Post-installation check
Chapter 4 Starting and Configuring the Firewall: 4.1 Setting up the configuration environment (4.1.1 Connecting the firewall to the configuration terminal; 4.1.2 Setting terminal parameters); 4.2 Powering on (4.2.1 Pre-power-on check; 4.2.2 Powering on; 4.2.3 Post-power-on checks/operations); 4.3 Boot process; 4.4 Basic approach to firewall configuration; 4.5 Command line interface (4.5.1 Characteristics; 4.5.2 The interface)
Chapter 5 Software Maintenance: 5.1 Boot menu (5.1.1 Firewall Boot menu; 5.1.2 Boot ROM submenu); 5.2 Upgrading the application and Boot ROM through XModem (5.2.1 Application; 5.2.2 Boot ROM; 5.2.3 Boot ROM extended segment); 5.3 Upgrading the application through TFTP; 5.4 Uploading/downloading programs and files through FTP; 5.5 Maintaining applications and configuration files (5.5.1 Listing files; 5.5.2 Deleting files); 5.6 Backing up and restoring the Boot ROM extended segment (5.6.1 Backing up to FLASH; 5.6.2 Restoring from FLASH); 5.7 Handling lost passwords (5.7.1 Lost user password; 5.7.2 Lost Boot ROM password)
Chapter 6 Installation Troubleshooting: 6.1 Power system problems; 6.2 Configuration system problems
Chapter 1 Product Introduction
1.1 Overview: The H3C SecPath F100-C-EI firewall (hereinafter F100-C-EI) is a new-generation professional firewall developed by H3C for home and small office (Small Office Home Office, SOHO) use.
H3C_SecPath_F100 Series Firewall_Installation Guide-6PW102-Appendix
Supported rates and negotiation modes:
• Ethernet_II
• Ethernet_SNAP
• 10Mbps autosensing: half/full duplex auto-negotiation
• 100Mbps autosensing: half/full duplex auto-negotiation
• 1000Mbps autosensing: full duplex auto-negotiation
MDI (Media Dependent Interface) is the medium-dependent interface of Ethernet; the Ethernet ports on most network cards are of this type. The other type is the crossover medium-dependent interface, abbreviated MDIX, commonly used on hubs and LAN switches.
Weight (fully equipped):
• F100-M-G/F100-A-G: 5.5kg
• F100-E-G: 5.9kg
A.2 Memory specifications
Table A-2 Memory specifications
Item: Description
Flash: 32MB
DDR2 SDRAM (memory type and capacity):
• F100-C-G/F100-S-G: 512MB
• F100-M-G/F100-A-G/F100-E-G: 1GB
A.7 Expansion slot specifications
Table A-7 Expansion slot specifications
Item: Description
Expansion slots and supported interface modules:
• F100-C-G/F100-S-G: 1 slot, supports the 2GE interface module
• F100-M-G/F100-A-G: 1 slot, supports the NSQ1GT2UA0 and NSQ1GP4U0 interface modules
• F100-E-G: 2 slots, support the NSQ1GT2UA0 and NSQ1GP4U0 interface modules
Appendix B LEDs
B.1 LED description
H3C F100 firewall configuration example
Requirements: inside network 192.168.88.1, outside network 192.168.33.1; enable DHCP; LAN computers reach the Internet through address translation. Below are the hardware and software versions of my H3C F100:
H3C Comware Software
Comware software, Version 3.40, Release 5102P02
Copyright (c) 2004-2009 Hangzhou H3C Technologies Co., Ltd. All rights reserved.
Without the owner's prior written consent, no decompiling nor reverse-engineering shall be allowed.
H3C SecPath F100-C-EI uptime is 0 week, 0 day, 0 hour, 7 minutes
CPU type: Mips IDT RC32365 150MHz
64M bytes SDRAM Memory
8M bytes Flash Memory
Pcb Version: 2.0
Logic Version: 1.0
BootROM Version: 1.17
[SLOT 0] 5FE (Hardware)2.0, (Driver)2.0, (Cpld)1.0
[SLOT 1] 1SE (Hardware)1.0, (Driver)1.0, (Cpld)1.0
1. Enable packet filtering on the firewall:
firewall packet-filter enable
firewall packet-filter default permit
2. Add the interfaces to the trust zone (inside) and the untrust zone (outside):
firewall zone trust
add interface Ethernet0/0
firewall zone untrust
add interface Ethernet0/4
3. Configure the inside interface address:
interface Ethernet0/0
ip address 192.168.88.1 255.255.255.0
4. Configure the outside interface address and add the default route:
interface Ethernet0/4
ip address 192.168.33.99 255.255.255.0
ip route-static 0.0.0.0 0.0.0.0 192.168.33.1
5. Configure the DHCP address pool and enable DHCP:
dhcp enable
dhcp server ip-pool pool1
network 192.168.88.0 mask 255.255.255.0
gateway-list 192.168.88.1
dns-list 222.85.85.85
6. Configure the ACL for the inside network:
acl number 2001
rule 0 permit source 192.168.88.0 0.0.0.255
7. Configure the NAT address pool:
nat address-group 1 192.168.33.99 192.168.33.99
8. Enable address translation on the outside interface:
interface Ethernet0/4
nat outbound 2001 address-group 1 no-pat
Notes from configuring an H3C SecPath f100-c firewall
Someone asked me to go and set up their Internet access, for free mind you; I am a nice person and happy to help.
I thought it would be a small four-port router, three minutes and done. I was wrong: when I got there it was a big firewall that had to be initially configured over the console port, and every command had gone clean out of my head.
I slunk back to look up the material, phoned an expert, and the clouds parted.
It turned out to be simple; the only problem was that I don't use this often and hadn't studied it well enough.
With first-hand configuration material in hand I went back in good spirits; confidence is the foundation of getting things done.
I gave them a fine lesson; the onlookers stared wide-eyed and said they couldn't understand the English.
They told me to hurry up and not hold up their work.
Alas, nobody understood it, so I could only admire my own work.
Below I share with everyone the complete configuration for ADSL dial-up shared Internet access on the f100, together with the network connection diagram in Figure 1. Much of it is well worth referring to, especially for beginner network enthusiasts; let's learn and improve together.
If you have any better suggestions or comments, please reply in the thread and I will analyse and handle them carefully.
I will also set an example by recording the important events of each day, as a reference for everyone who loves networking and loves learning.
Learning never ends.
H3C SecPath F100-E 防火墙 安装手册
Contents
Chapter 1 Product Introduction
  1.1 Overview
  1.2 Hardware Features (1.2.1 Appearance; 1.2.2 System Description; 1.2.3 LED Meanings; 1.2.4 Fixed Interface Attributes; 1.2.5 MIM Multifunction Interface Modules)
Chapter 2 Preparing for Installation
  2.1 Site Requirements (2.1.1 Temperature/Humidity; 2.1.2 Cleanliness; 2.1.3 ESD Protection; 2.1.4 Electromagnetic Environment; 2.1.5 Lightning Protection; 2.1.6 Checking the Mounting Surface)
  2.2 Safety Precautions
  2.3 Checking the Firewall and Its Accessories
  2.4 Installation Tools, Meters and Equipment
Chapter 3 Installing the Firewall
  3.1 Installation Flow
  3.2 Installing at the Designated Location (3.2.1 On a Workbench; 3.2.2 In a Cabinet)
  3.3 Installing Generic Interface Modules
  3.4 Connecting the Protective Ground Wire
  3.5 Connecting to the Configuration Terminal
  3.6 Connecting to the Ethernet Port
  3.7 Connecting the Power Cord
  3.8 Post-installation Checks
Chapter 4 Starting and Configuring the Firewall
  4.1 Startup (4.1.1 Setting Up the Configuration Environment; 4.1.2 Powering On; 4.1.3 Startup Process)
  4.2 Configuration Basics (4.2.1 Basic Configuration Steps; 4.2.2 Features of the Command Line Interface)
Chapter 5 Firewall Software Maintenance
  5.1 Boot Menu
  5.2 Upgrading the Application and Boot ROM via XModem
  5.3 Backing Up and Restoring the Boot ROM Extended Segment
  5.4 Upgrading the Application via TFTP
  5.5 Uploading/Downloading Programs and Files via FTP
  5.6 Changing the Boot ROM Password
  5.7 Handling a Lost Password
Chapter 6 Firewall Hardware Maintenance
  6.1 Preparing Tools
  6.2 Opening the Chassis Cover
  6.3 Replacing the DDR SDRAM (6.3.1 Location of the Memory Module on the Main Board; 6.3.2 Removing the Memory Module; 6.3.3 Installing the Memory Module)
  6.4 Closing the Chassis Cover
  6.5 Replacing MIM Multifunction Interface Modules
Chapter 7 Installation Troubleshooting
  7.1 Power System Problems
  7.2 Configuration System Problems
  7.3 Application Software Upgrade Problems
Chapter 8 MIM Multifunction Interface Modules
  8.1 Types of MIM Modules
  8.2 Installing and Removing MIM Modules
  8.3 MIM Module Troubleshooting
  8.4 1FE/2FE/4FE Interface Modules (8.4.1 Overview; 8.4.2 Module Appearance; 8.4.3 Interface Attributes; 8.4.4 Panel and Interface LEDs; 8.4.5 Interface Cables; 8.4.6 Connecting the Interface Cables)
  8.5 1GBE/2GBE Modules (8.5.1 Overview; 8.5.2 Appearance; 8.5.3 Interface Attributes; 8.5.4 Interface LEDs; 8.5.5 Interface Cables; 8.5.6 Connecting the Cables)
  8.6 1GEF/2GEF Modules (8.6.1 Overview; 8.6.2 Appearance; 8.6.3 Interface Attributes; 8.6.4 Interface LEDs; 8.6.5 Interface Fibers; 8.6.6 Connecting the Optical Cables)
  8.7 SSL Module (8.7.1 Overview; 8.7.2 Appearance; 8.7.3 Attributes; 8.7.4 Run LEDs; 8.7.5 Troubleshooting)
List of Figures: Figure 1-1 H3C SecPath F100-S firewall front panel; Figure 1-2 F100-S rear panel; Figure 1-3 H3C SecPath F100-E firewall front panel; Figure 1-4 F100-E rear panel; Figure 3-1 Firewall installation flow; Figure 3-2 F100-E cabinet installation; Figure 3-3 Protective ground terminal; Figure 3-4 Console cable; Figure 3-5 Ethernet cable; Figure 3-6 Power socket area of the dual-AC-power firewall; Figure 4-1 Local configuration through the Console port; Figure 4-2 New connection; Figure 4-3 Local connection port settings; Figure 4-4 Serial port parameters; Figure 5-1 [Send File] dialog; Figure 5-2 File sending screen; Figure 5-3 Local FTP upload/download setup; Figure 5-4 Remote FTP upload/download setup; Figure 6-1 Opening the chassis cover; Figure 6-2 Memory module maintenance flow; Figure 6-3 Memory module location on the main board; Figure 6-4 Removing/installing the memory module; Figure 6-5 Closing the chassis cover; Figures 8-1 and 8-2 MIM module installation (1 and 2); Figures 8-3 to 8-5 1FE/2FE/4FE module appearance; Figures 8-6 to 8-8 1FE/2FE/4FE module panels; Figure 8-9 Ethernet cable; Figure 8-10 Category 5 twisted-pair cable; Figures 8-11 and 8-12 1GBE/2GBE module appearance; Figures 8-13 and 8-14 1GBE/2GBE module panels; Figure 8-15 Ethernet cable; Figure 8-16 Category 5 twisted-pair cable; Figures 8-17 and 8-18 1GEF/2GEF module appearance; Figures 8-19 and 8-20 1GEF/2GEF module panels; Figure 8-21 SSL module appearance; Figure 8-22 SSL module panel.
List of Tables: Table 1-1 F100-S system description; Table 1-2 F100-E system description; Tables 1-3 and 1-4 Front panel LED meanings; Table 1-5 Console port attributes; Table 1-6 Backup port attributes; Table 1-7 Ethernet electrical interface attributes; Table 2-1 Equipment room temperature/humidity requirements; Table 2-2 Equipment room dust limits; Table 2-3 Equipment room harmful gas limits; Table 3-1 F100-S dimensions; Table 3-2 F100-E dimensions; Table 6-1 Firewall memory configuration; Table 8-1 1FE/2FE/4FE module interface attributes; Table 8-2 1FE/2FE/4FE module LED meanings; Table 8-3 Standard (straight-through) cable pinout; Table 8-4 Crossover cable pinout; Table 8-5 1GBE module interface attributes; Table 8-6 1GBE module LED meanings; Table 8-7 1GEF/2GEF module interface attributes; Table 8-8 1GEF module LED meanings; Table 8-9 SSL module attributes; Table 8-10 SSL module LED meanings.
Chapter 1 Product Introduction
1.1 Overview
The H3C SecPath series firewalls (hereinafter "the firewall") are a new generation of professional firewall devices developed for enterprise users; they can serve both as the egress firewall of a small or medium enterprise and as the internal firewall of a large or medium enterprise.
H3C SecPath Firewall Device User Manual v1.0
H3C Device User Manual: H3C SecPath F100-C Firewall Installation Manual
1. Device overview
The H3C SecPath F100-C / SecPath 10F firewall (plastic enclosure) provides four 10/100M auto-sensing FE LAN ports and one 10M half-duplex WAN Ethernet port.
Front panel (figure callouts):
1 Ethernet port LED LAN3; 2 Ethernet port LED LAN2; 3 Ethernet port LED LAN1; 4 Ethernet port LED LAN0; 5 WAN port LED (WAN); 6 System run LED (SYS); 7 Power LED (PWR)
Rear panel of the H3C SecPath F100-C / SecPath 10F (plastic enclosure):
1 Power switch; 2 Power input socket; 3 Console port (CONSOLE); 4 Ethernet port 0 (LAN0); 5 Ethernet port 1 (LAN1); 6 Ethernet port 2 (LAN2); 7 Ethernet port 3 (LAN3); 8 Ground terminal; 9 WAN port (WAN)
Appearance of the H3C SecPath F100-C II (metal enclosure), front panel:
1 Ethernet port LED (yellow); 2 Ethernet port LED (green); 3 System run LED (SYS); 4 Power LED (PWR); 5 Console port (CONSOLE); 6 Ethernet port (WAN); 7 Ethernet port (LAN3); 8 Ethernet port (LAN2); 9 Ethernet port (LAN1); 10 Ethernet port (LAN0)
Rear panel: 1 AC power input socket; 2 Ground terminal
2. Logging in to the device
Using HyperTerminal: as shown in the figure, connect one end of the configuration cable (the console cable) to the firewall's console port, and the DB9 end to the PC's serial port.
Setting the configuration terminal parameters
Step 1: Open the configuration terminal and create a new connection.
Step 2: Set the terminal parameters.
After confirming, press <Enter>; the screen shows the following (if no login authentication is configured):
<h3c>
This prompt indicates that the firewall has entered user view and can now be configured.
IV. H3C SecPath F100-C Firewall Configuration Manual
Below is the configuration content for the H3C F100-C / SecPath 10F (first-generation product, plastic enclosure):
1. Configuration overview
● Save/delete the existing configuration
● Configure interfaces
● Configure the DHCP server
● Configure BIMS management
● Configure static routes
● Configure SSH access
● Configure users and passwords
● Configure virtual terminal lines
● View and check the configuration
● Configuration test
● Rollback
2. Saving the configuration
To ensure the smooth implementation of the insurance group's site-to-site VPN migration, the device's existing configuration must first be backed up:
✧ Log in to the device with HyperTerminal
✧ Back up the current configuration:
<h3c> copy config.cfg config.bak    / back up the current configuration
Copy flash:/config.cfg to flash:/config.bak?[Y/N]:y
...
%Copy file flash:/config.cfg to flash:/config.bak...Done.
Check that the backup file is present in flash:
<h3c> dir
Directory of flash:/
(*) -rw- 1561 Apr 02 2000 00:17:55 config.cfg
-rw- 1561 Apr 01 2000 23:56:36 config.bak
(*) -with main attribute (b) -with backup attribute (*b) -with both main and backup attribute
Note: "h3c" here is the device name and does not need to be changed; write down the name of the device you are configuring, since every device has a different name. <h3c> indicates user view; [h3c] indicates system (configuration) view.
3. Deleting the existing configuration
In this migration the original ADSL line is moved to the China Telecom CN2 network, so the old configuration must be deleted first:
✧ Delete the existing configuration
✧ Log in to the device with HyperTerminal and run the following commands in order:
<h3c> reset saved-configuration    / delete the existing configuration
The saved configuration will be erased.Are you sure?[Y/N]y
Configuration in flash memory is being cleared.Please wait ......
reset saved-configuration successfully.
<h3c> reboot    / restart the device
Start to check configuration with next startup configuration file, please wait.........DONE!
This command will reboot the device. Current configuration may be lost in next startup if you continue. Continue? [Y/N]:y
4. Loading the new configuration
After deleting the old configuration, run the following commands in order.
Configure interface E1/0 as the branch office's intranet gateway:
<h3c> system-view    / enter system view
[h3c] interface Ethernet1/0    / enter the E1/0 interface view
[h3c-Ethernet1/0] ip address x.x.x.x x.x.x.x    / configure the E1/0 address (the intranet gateway address)
[h3c-Ethernet1/0] quit    / return to the previous view
Configure the firewall as the DHCP server of the branch office:
[h3c] dhcp server ip-pool 1    / create a global DHCP address pool, or enter the DHCP pool view
[h3c-dhcp-pool-1] network x.x.x.x mask 255.255.255.240    / configure the range of dynamically assigned IP addresses (the intranet subnet)
[h3c-dhcp-pool-1] gateway-list x.x.x.x    / configure the egress gateway for DHCP clients (the intranet gateway)
[h3c-dhcp-pool-1] dns-list 10.11.111.9 10.11.111.10 10.37.111.8    / configure the DNS server addresses for DHCP clients
[h3c-dhcp-pool-1] nbns-list 10.11.111.9 10.11.111.10 10.37.111.8    / configure the NetBIOS server addresses for DHCP clients
[h3c-dhcp-pool-1] quit    / return to the previous view
[h3c] dhcp server forbidden-ip x.x.x.x    / exclude an address in the pool from automatic assignment (the intranet gateway)
Configure BIMS (Branch Intelligent Management System) support on the firewall:
[h3c] bims enable    / enable BIMS on the device
[h3c-bims] bims device-id <device-name>    / configure the device's unique identifier (use the current device name)
[h3c-bims] bims ip address 10.16.111.156 port 80    / configure the IP address and port of the BIMS center
[h3c-bims] bims source ip-address 10.255.x.x    / source address carried in packets the device sends to BIMS (the intranet gateway)
[h3c-bims] bims interval 10    / interval, in minutes, at which the device contacts the BIMS center
[h3c-bims] bims boot request    / contact the BIMS center when the device finishes booting
[h3c-bims] bims sharekey simple 123    / shared key between the BIMS device side and the BIMS center
Configure interface E2/0 as the branch office's external CE port:
[h3c] int Ethernet 2/0    / enter the E2/0 interface view
[h3c-Ethernet2/0] ip address x.x.x.x x.x.x.x    / configure the CE (WAN port) address
[h3c-Ethernet2/0] quit    / return to the previous view
Configure static routes:
[h3c] ip route-static 10.0.0.0 255.0.0.0 x.x.x.x x.x.x.x    / route to 10.0.0.0/8; the next hop x.x.x.x is the PE address
[h3c] ip route-static 172.16.0.0 255.255.0.0 x.x.x.x x.x.x.x    / route to 172.16.0.0/16, same next hop
[h3c] ip route-static 61.129.61.0 255.255.255.192 x.x.x.x x.x.x.x    / route to 61.129.61.0/26, same next hop
Configure SSH access:
[h3c] local-user pingan    / create the local user pingan and enter its view
New local user added.
[h3c-luser-pingan] service-type ssh    / service types the user may use
[h3c-luser-pingan] password cipher pingan    / configure the user's password
[h3c-luser-pingan] quit    / return to the previous view
[h3c] rsa local-pair creat    / generate the local RSA key pair; note that some H3C models only accept rsa local-key-pair creat
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512, It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:    / (press Enter) length of the local RSA key pair
Generating keys….....++++++
[h3c] ssh user pingan authentication-type password    / configure the authentication method for the SSH user
[h3c] user-interface vty 0 4    / enter the VTY 0 4 user-interface view
[h3c-ui-vty0-4] authentication-mode scheme    / set the authentication mode of these user interfaces
[h3c-ui-vty0-4] protocol inbound ssh    / set the protocols supported on these user interfaces
[h3c-ui-vty0-4] quit    / return to the previous view
[h3c] super password cipher pingan    / configure the password for switching user level
[h3c] snmp-agent    / SNMP network management configuration (7 lines in total)
[h3c] snmp-agent local-engineid 000007DB7FD19
[h3c] snmp-agent community read Ragga0ck3rd0M
[h3c] snmp-agent community write Raggawall0p3R
[h3c] snmp-agent sys-info version all
[h3c] snmp-agent target-host trap address udp-domain 61.129.61.50 params securityname Ragga0ck3rd0M v2c
[h3c] snmp-agent trap source Ethernet2/0
View the software version running on the device:
[H3C] display version    / display the version information of the device
H3C Comware Software
Comware software, Version 3.40, Release 1608P04
Copyright (c) 2004-2007 Hangzhou H3C Technologies Co., Ltd. All rights reserved.
Without the owner's prior written consent, no decompiling nor reverse-engineering shall be allowed.
H3C SecPath F100-C uptime is 0 week, 0 day, 1 hour, 39 minutes
CPU type: PowerPC 859DSL 80MHz
64M bytes SDRAM Memory
8M bytes Flash Memory
0K bytes NvRAM Memory
Pcb Version:5.0
Logic Version:1.0
BootROM Version:2.06
[SLOT 1] 1FE (Hardware)5.0, (Driver)1.0, (Cpld)1.0
[SLOT 2] 1ETH (Hardware)5.0, (Driver)1.0, (Cpld)1.0
Check the current interface status, i.e. the negotiated speed and duplex mode of the WAN port and whether negotiation with the protocol converter is normal:
[h3c] display interface e2/0
Below is the configuration content for the H3C F100-C II (second-generation product, metal enclosure):
1. Configuration overview
● Save/delete the existing configuration
● Configure interfaces and the bridge group
● Configure the DHCP server
● Configure BIMS management
● Configure static routes
● Configure SSH access
● Configure users and passwords
● Configure virtual terminal lines
● View the configuration
● Configuration test
● Rollback
2. New configuration for the H3C SecPath F100-C II firewall
Configure the bridge group:
<h3c> system-view    / enter system view
[h3c] bridge enable    / enable the bridging function
[h3c] bridge 1 enable    / enable the bridge-group function and create bridge group 1
[h3c] interface Ethernet0/0    / enter the E0/0 interface view
[h3c-Ethernet0/0] bridge-set 1    / add the port to bridge group 1
[h3c-Ethernet0/0] quit    / return to the previous view
[h3c] interface Ethernet0/1    / enter the E0/1 interface view
[h3c-Ethernet0/1] bridge-set 1    / add the port to bridge group 1
[h3c-Ethernet0/1] quit    / return to the previous view
[h3c] interface Ethernet0/2    / enter the E0/2 interface view
[h3c-Ethernet0/2] bridge-set 1    / add the port to bridge group 1
[h3c-Ethernet0/2] quit    / return to the previous view
[h3c] interface Ethernet0/3    / enter the E0/3 interface view
[h3c-Ethernet0/3] bridge-set 1    / add the port to bridge group 1
[h3c-Ethernet0/3] quit    / return to the previous view
[h3c] interface bridge-template 1    / create the bridge-template virtual interface that connects the bridge group to the network
[h3c-bridge-template 1] ip address x.x.x.x x.x.x.x    / configure the IP address of interface bridge-template 1 (the intranet gateway)
[h3c-bridge-template 1] quit    / return to the previous view
Configure the DHCP server, BIMS support, static routes, SSH access, the super password and SNMP exactly as in the F100-C configuration above (the commands are identical), with two differences: the external CE port is E0/4, and the SNMP trap source is that interface:
[h3c] int Ethernet 0/4    / enter the E0/4 interface view
[h3c-Ethernet0/4] ip address x.x.x.x x.x.x.x    / configure the CE (WAN port) address
[h3c-Ethernet0/4] quit    / return to the previous view
[h3c] snmp-agent trap source Ethernet0/4
View the software version running on the device:
[H3C] display version    / display the version information of the device
H3C Comware Software
Comware software, Version 3.40, Release 5102P02
Copyright (c) 2004-2009 Hangzhou H3C Technologies Co., Ltd. All rights reserved.
Without the owner's prior written consent, no decompiling nor reverse-engineering shall be allowed.
H3C SecPath F100-C uptime is 0 week, 0 day, 3 hours, 58 minutes
CPU type: Mips IDT RC32365 150MHz
64M bytes SDRAM Memory
8M bytes Flash Memory
Pcb Version:2.0
Logic Version:1.0
BootROM Version:1.17
[SLOT 0] 5FE (Hardware)2.0, (Driver)2.0, (Cpld)1.0
[SLOT 1] 1SE (Hardware)1.0, (Driver)1.0, (Cpld)1.0
Save the configuration:
<h3c> save    / save the device configuration
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[config.cfg](To leave the existing filename unchanged, press the enter key):    (press Enter)
V. H3C SecPath F100-C Firewall Test Manual
1. Device cabling diagram
After the configuration is complete, keep at least one LAN PC connected as shown in the device cabling diagram (one diagram each for the H3C SecPath F100-C plastic-enclosure model and the H3C SecPath F100-C II metal-enclosure model).
2. Checking WAN line and CN2 line connectivity
1) After cabling as shown above, log in to the device through HyperTerminal and run:
<h3c> ping x.x.x.x    / (x.x.x.x is the local China Telecom PE address)
<h3c> ping -a x.x.x.x 10.16.111.156    / (x.x.x.x after -a is the ICMP source address, i.e. the branch office's intranet gateway)
Check whether both addresses can be pinged. If <h3c> ping -a x.x.x.x 10.16.111.156 fails, log in to the device to check the configuration, and test line connectivity as follows:
2) Connect a PC directly to the telecom line;
3) Configure that PC with the branch office's CE address, without a gateway;
4) Use the PC's ping command (Start > Run, type cmd, then ping the China Telecom PE address of the branch's location) and check whether the ping succeeds.
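As an added, defender-side example (not code from this page or from H3C), the following Python script scans a Comware-style configuration dump of the kind listed above for settings worth reviewing: secrets stored with the simple keyword, passwords equal to the user name (as with the pingan and admin accounts on this page), SNMPv1/v2c community strings, v2c trap targets, the telnet service type, and a permit-by-default packet filter. The sample configuration is constructed from the page's own listings and placeholder values; the parsing of indented sub-commands under local-user is this example's assumption about the dump format.

```python
"""Audit a Comware-style (H3C SecPath) configuration dump for risky settings.

Added example for this page; not H3C code. The sample below is constructed
from the listings on the page (placeholder user names, keys and communities).
"""
import re

# Constructed sample configuration mirroring the page's listings.
SAMPLE_CONFIG = """\
local-user pingan
 service-type ssh
 password cipher pingan
local-user admin
 password simple admin
 service-type telnet
 level 3
bims sharekey simple 123
super password cipher pingan
snmp-agent
snmp-agent community read Ragga0ck3rd0M
snmp-agent community write Raggawall0p3R
snmp-agent target-host trap address udp-domain 61.129.61.50 params securityname Ragga0ck3rd0M v2c
user-interface vty 0 4
 authentication-mode scheme
 protocol inbound ssh
firewall packet-filter default permit
"""


def parse_config(text):
    """Split a config dump into (context, command) pairs.

    Indented lines belong to the last unindented line (their context), which
    is how Comware nests 'password'/'service-type' under 'local-user'
    (assumption of this example about the dump layout).
    """
    entries, context = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            entries.append((context, raw.strip()))
        else:
            context = raw.strip()
            entries.append((None, context))
    return entries


def audit_config(text):
    """Return [(severity, message), ...] for settings a reviewer should question."""
    findings = []
    for context, cmd in parse_config(text):
        words = cmd.split()
        in_user = bool(context) and context.startswith("local-user ")
        # The 'simple' keyword stores the secret in clear text in the config.
        if re.match(r"(password|super password|bims sharekey) simple ", cmd):
            findings.append(("high", f"cleartext secret in '{cmd}'"))
        # A password equal to the user name is weak whether stored simple or cipher.
        if in_user and words[0] == "password":
            user = context.split(None, 1)[1]
            if words[-1] == user:
                findings.append(("high", f"user '{user}' has password equal to user name"))
        if in_user and cmd == "service-type telnet":
            findings.append(("medium", f"{context}: telnet service type (cleartext protocol)"))
        if words[:2] == ["snmp-agent", "community"]:
            findings.append(("high", f"SNMPv1/v2c community string with {words[2]} access"))
        if words[:2] == ["snmp-agent", "target-host"] and "v2c" in words:
            findings.append(("medium", "SNMP traps sent with v2c (unauthenticated, unencrypted)"))
        if cmd == "firewall packet-filter default permit":
            findings.append(("medium", "packet filter default action is permit"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 6, 'medium': 3} for the sample."""
    counts = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the output of display current-configuration saved to a file, the script gives a quick list of what to change before such a device is exposed on a WAN link; it only inspects text and never connects to the device.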
H3C SecPath F100 Series Firewall, 01 Getting Started Configuration Guide: Basic Configuration
Configuring the interface IP address (fields on the interface IP address configuration page):
IP address acquisition:
• Static address: an IP address and network mask are assigned to the interface
• DHCP: the interface obtains its IP address automatically through DHCP
• Keep existing configuration: the interface's existing IP address configuration is left unchanged
Changing the IP address of the interface through which you are currently connected will interrupt the connection to the device; proceed with care.
IP address / network mask: when the acquisition mode is "Static address", set the interface's IP address and network mask.
(10) On the interface IP address configuration page, click <Next> to enter the NAT configuration page shown in the figure below. Figure 1-5 5/6: Basic configuration wizard (NAT configuration)
Fields on the NAT configuration page:
Internal server: when the internal server is enabled, set the legal IP address and service port the server exposes for external access (external IP address:port) and the server's IP address and service port on the internal LAN (internal IP address:port). Configuring the internal server function may interrupt the connection to the device (for example, when the external IP address is set to the local host's IP address or to the IP address of the current access interface); proceed with care.
Telnet service: set whether to enable the Telnet service on the device. By default, the Telnet service is disabled.
(12) On the NAT configuration page, click <Next> to enter the page shown in the figure below. Figure 1-6 6/6: Basic configuration wizard
(13) Set whether, when the configuration is submitted, the device's current configuration is also saved to the next-startup configuration files (the .cfg and .xml files), and confirm that the configured parameters are correct; to modify them, click <Back> to return to the earlier pages.
Operation: Configure ACL-based NAT Server
Command: nat server protocol pro-type global acl-number inside local-address [ local-port ] [ vpn-instance local-name ]
This command is executed in interface view.
H3C SecPath F100 Series Firewall Configuration Tutorial
Initial configuration
<H3C> system-view
Enable the firewall function:
[H3C] firewall packet-filter enable
[H3C] firewall packet-filter default permit
Assign ports to security zones:
[H3C] firewall zone untrust
[H3C-zone-untrust] add interface GigabitEthernet0/0
[H3C] firewall zone trust
[H3C-zone-trust] add interface GigabitEthernet0/1
Working mode:
firewall mode transparent    transparent mode
firewall mode route    route mode
HTTP server:
undo ip http shutdown    enable the HTTP server
ip http shutdown    disable the HTTP server
Add a Web user:
[H3C] local-user admin
[H3C-luser-admin] password simple admin
[H3C-luser-admin] service-type telnet
[H3C-luser-admin] level 3
Enable attack defense:
firewall defend all    enable all defenses
Switch to Chinese mode: language-mode chinese
Set the firewall's name: sysname sysname
Configure the firewall system IP address: firewall system-ip system-ip-address [ address-mask ]
Set the standard time: clock datetime time date
Set the time zone: clock timezone time-zone-name { add | minus } time
Cancel the time zone setting: undo clock timezone
Configure the password for switching user level: super password [ level user-level ] { simple | cipher } password
Remove the configured password: undo super password [ level user-level ]
By default, if no level is specified, the password set is the one for switching to level 3.
Switch user level: super [ level ]
Reboot the firewall immediately: reboot
Enable the information center: info-center enable
Disable the information center: undo info-center enable
Enable the FTP server: ftp server enable
Display the configuration file to be loaded at next startup: display saved-configuration [ by-linenum ]
Display the configuration files used for this startup and the next startup: display startup
Display the configuration of the current view: display this
Display the firewall's current running configuration: display current-configuration [ interface interface-type [ interface-number ] | configuration [ isp | zone | interzone | radius-template | system | user-interface ] ] [ by-linenum ] [ | { begin | include | exclude } string ]
Save the current configuration: save [ file-name | safely ]
Delete the next-startup configuration file saved in Flash: reset saved-configuration
Configure the firewall to work in transparent mode: firewall mode transparent
(From the H3C SecPath Series Security Products Operation Manual (Security), Chapter 8, Transparent Firewall, operation commands)
Configure the firewall to work in route mode: firewall mode route
Restore the firewall's default working mode: undo firewall mode
By default, the firewall works in route mode.
Enable automatic ARP entry learning: firewall arp-learning enable
Disable automatic ARP entry learning: undo firewall arp-learning enable
By default, when the firewall works in transparent mode, automatic ARP entry learning is enabled.
VLAN ID transparent transmission commands:
Enable VLAN ID transparent transmission on an interface: bridge vlanid-transparent-transmit enable
Disable VLAN ID transparent transmission on an interface: undo bridge vlanid-transparent-transmit enable
By default, VLAN ID transparent transmission is disabled on interfaces.
Enable ARP flood attack defense: firewall defend arp-flood [ max-rate rate-number ]
Disable ARP flood attack defense: undo firewall defend arp-flood [ max-rate ]
By default, ARP flood attack defense is disabled.
The maximum ARP packet rate ranges from 1 to 1,000,000 packets per second; the default is 100.
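To make the max-rate parameter above concrete, here is an added Python model (example code written for this page, not H3C's implementation) that applies a per-second ARP rate limit to constructed packet arrival times; the per-second bucketing, and dropping the packets that exceed the limit within a second, are this example's assumptions about how such a defense behaves, and the 1 to 1,000,000 range and default of 100 are taken from the text.

```python
"""Model of an ARP-flood rate limit in the style of 'firewall defend arp-flood max-rate'.

Added example for this page, not H3C code. Counting per one-second bucket and
dropping the excess within the bucket is this example's assumption.
"""
from collections import Counter

# Constructed arrival times (seconds) of ARP packets seen on one interface:
# a normal trickle during seconds 0 and 1, then a burst of 150 in second 2.
SAMPLE_ARRIVALS = [0.1, 0.4, 0.9, 1.2, 1.7] + [2.0 + i / 200 for i in range(150)]


def arp_flood_filter(arrivals, max_rate=100):
    """Apply a per-second ARP packet limit.

    max_rate follows the documented range (1..1,000,000, default 100).
    Returns (accepted, dropped, offending_seconds), where offending_seconds
    lists the one-second buckets in which the limit was exceeded.
    """
    if not 1 <= max_rate <= 1_000_000:
        raise ValueError("max-rate must be between 1 and 1,000,000")
    seen = Counter()          # packets counted so far per second bucket
    accepted = dropped = 0
    offending = set()
    for t in sorted(arrivals):
        bucket = int(t)
        seen[bucket] += 1
        if seen[bucket] > max_rate:   # beyond the limit for this second: drop
            dropped += 1
            offending.add(bucket)
        else:
            accepted += 1
    return accepted, dropped, sorted(offending)


if __name__ == "__main__":
    acc, drp, secs = arp_flood_filter(SAMPLE_ARRIVALS)
    print(f"accepted={acc} dropped={drp} flood seconds={secs}")
```

With the default of 100, the burst second keeps its first 100 packets and sheds the remaining 50, while the quiet seconds are untouched; lowering max-rate below the normal ARP volume of the segment would instead start dropping legitimate traffic, which is why the value should be set from observed baseline rates.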
SecPath series security products support logging in to the system over HTTP and configuring and managing the system through the Web management interface.
Before logging in to the system through the Web interface, the HTTP server function must be enabled.
Perform the following configuration in system view.
(From the H3C SecPath Series Security Products Operation Manual (Basic Configuration), Chapter 4, System Maintenance and Management)
Enable/disable the HTTP server:
Enable the HTTP server: undo ip http shutdown
Disable the HTTP server: ip http shutdown
By default, the HTTP server is enabled.
A login user is allowed to log in to the HTTP server only if the user has the Telnet service type (service-type telnet), and users of different levels see different configurable items in the Web interface.
Configuring HTTP server access restrictions: the HTTP server can be configured so that only users with specific IP addresses may log in to it to configure and manage the device.
Perform the following configuration in system view.
Table 4-18 Configuring HTTP server access restrictions
Configure an HTTP server access restriction: ip http acl acl-number
Remove the HTTP server access restriction: undo ip http acl
By default, no HTTP server access restriction is configured.
Only the IP addresses permitted in the ACL can access the HTTP server.
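To show what the access restriction above decides for a given client, here is an added Python example (not from the H3C manual) that evaluates Comware-style basic ACL rules against a client address. It assumes rules are matched in the order listed and that a client matching no rule is refused, consistent with the statement that only ACL-permitted addresses can reach the HTTP server. The ACL number, rule ids and addresses are constructed; the first ACL is deliberately mis-ordered to show why a specific deny must precede a broader permit.

```python
"""Evaluate a Comware-style basic ACL as applied by 'ip http acl'.

Added example for this page, not H3C code. Assumptions: rules are tried in
the order listed (config match order) and no match means the client is refused.
"""
import ipaddress

# Constructed ACL: the broad permit comes first, so the deny below it never fires.
MISORDERED_ACL = """\
acl number 2000
 rule 0 permit source 192.168.0.0 0.0.0.255
 rule 5 deny source 192.168.0.100 0
 rule 10 permit source 10.1.1.1 0
"""

# Constructed ACL with the specific deny placed before the broad permit.
CORRECTED_ACL = """\
acl number 2000
 rule 0 deny source 192.168.0.100 0
 rule 5 permit source 192.168.0.0 0.0.0.255
 rule 10 permit source 10.1.1.1 0
"""

ALL_ONES = 0xFFFFFFFF


def _to_int(token):
    """Accept dotted-quad ('0.0.0.255') or a bare '0' as Comware prints it."""
    return int(ipaddress.IPv4Address(token)) if "." in token else int(token)


def parse_acl(text):
    """Parse 'rule <id> permit|deny [source <addr> <wildcard> | source any]' lines.

    Returns a list of (rule_id, action, base, wildcard) in listed order.
    In a wildcard mask, set bits are 'don't care' bits.
    """
    rules = []
    for line in text.splitlines():
        words = line.split()
        if not words or words[0] != "rule":
            continue
        rule_id, action, rest = int(words[1]), words[2], words[3:]
        if rest[:1] == ["source"] and rest[1:2] != ["any"]:
            base, wildcard = _to_int(rest[1]), _to_int(rest[2])
        else:                       # 'source any' or no source clause
            base, wildcard = 0, ALL_ONES
        rules.append((rule_id, action, base, wildcard))
    return rules


def evaluate(rules, client_ip):
    """Return (action, rule_id) of the first matching rule, or ('deny', None)."""
    ip = int(ipaddress.IPv4Address(client_ip))
    for rule_id, action, base, wildcard in rules:
        care = ~wildcard & ALL_ONES
        if (ip & care) == (base & care):
            return action, rule_id
    return "deny", None


def check_hosts(acl_text, hosts):
    """Map each host to the decision the ACL yields for it."""
    rules = parse_acl(acl_text)
    return {host: evaluate(rules, host)[0] for host in hosts}


if __name__ == "__main__":
    hosts = ["192.168.0.7", "192.168.0.100", "10.1.1.1", "172.16.5.5"]
    print("mis-ordered:", check_hosts(MISORDERED_ACL, hosts))
    print("corrected:  ", check_hosts(CORRECTED_ACL, hosts))
```

The mis-ordered ACL lets 192.168.0.100 through under rule 0 even though rule 5 names it; after placing the deny first, that host is refused while the rest of the subnet and 10.1.1.1 keep their access, and any address outside both stays refused by the implicit deny.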
Table 3-10 Displaying system status information
Display system version information: display version
Display detailed software version information: vrbd
Display the system clock: display clock
Display terminal users: display users [ all ]
Display the startup configuration: display saved-configuration
Display the current configuration: display current-configuration
Display the debugging switch status: display debugging [ interface interface-type interface-number ] [ module-name ]
Display the running configuration of the current view: display this
Display technical support information: display diagnostic-information
Display the clipboard contents: display clipboard
(From the H3C SecPath Series Security Products Operation Manual (Basic Configuration), Chapter 3, Basic Comware Configuration)
Display current system memory usage: display memory [ limit ]
Display CPU usage statistics: display cpu-usage [ configuration | number [ offset ] [ verbose ] [ from-device ] ]
Set the CPU usage statistics period: cpu-usage cycle { 5sec | 1min | 5min | 72min }
Display CPU usage history graphically: display cpu-usage history [ task task-id ]
Prepare a card in a slot for removal: remove slot slot-id
Cancel the removal preparation: undo remove slot slot-id
Display device and card information (any view): display device [ slot-id ]
Configuring Web login to the firewall
1. Configure the firewall to permit packets by default.
<H3C> system-view
[H3C] firewall packet-filter default permit
2. Configure an IP address for the firewall's Ethernet interface (GigabitEthernet0/0 in this example) and add the interface to a security zone.
[H3C] interface GigabitEthernet0/0
[H3C-GigabitEthernet0/0] ip address 192.168.0.1 255.255.255.0
[H3C-GigabitEthernet0/0] quit
[H3C] firewall zone trust
[H3C-zone-trust] add interface GigabitEthernet0/0
3. Configure an IP address for the PC.
Assume the PC's IP address is 192.168.0.2.
4. Verify network connectivity with the ping command.
<H3C> ping 192.168.0.2
The ping succeeds.
5. Add a login user.
For a user to log in over the Web and have permission to manage the firewall, a login account must be created for the user and granted privileges.
For example, create an administrator account with user name and password both admin, account type telnet, and privilege level 3.
[H3C] local-user admin
[H3C-luser-admin] password simple admin
[H3C-luser-admin] service-type telnet
[H3C-luser-admin] level 3
Start a browser on the PC (IE 5.0 or later is recommended), enter the IP address "192.168.0.1" in the address bar and press Enter to reach the firewall's Web login page; log in with the admin account created above and click <Login>.
Users can choose the interface language from the "Language" drop-down list.
Networking application: internal hosts access the corresponding internal servers, distinguished by domain name
1) Configure Easy IP (no address pool; translation uses the interface address directly): nat outbound acl-number
2) DNS MAP: nat dns-map domain-name global-addr global-port [ tcp | udp ]
Example: # Configure FTP and WWW internal servers on interface Ethernet0/0/0.