This case applies to F1000-AK series firewalls such as the F1000-AK180 and F1000-AK170.
The user logs in to the Device securely from SSH client software (SSH2) running on a PC and is granted the user role network-admin for configuration management. The device authenticates the SSH client with the password authentication method; the client's username and password are stored locally on the device.
<H3C>system-view
#
[H3C]public-key local create rsa
The local key pair already exists.
Confirm to replace it? [Y/N]:y
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys....
Create the key pair successfully.
#
[H3C]public-key local create dsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys.....
Create the key pair successfully.
#
[H3C]ssh server enable
#
[H3C]interface GigabitEthernet1/0/4
[H3C-GigabitEthernet1/0/4]ip address 192.168.10.1 255.255.255.0
[H3C-GigabitEthernet1/0/4]quit
#
[H3C]line vty 0 63
[H3C-line-vty0-63]authentication-mode scheme
[H3C-line-vty0-63]quit
#
[H3C]local-user admin
[H3C-luser-manage-admin]service-type ssh
[H3C-luser-manage-admin]authorization-attribute user-role network-admin
# "admin" is only a lab value; this account holds the network-admin role, so use a strong password in production
[H3C-luser-manage-admin]password simple admin
[H3C-luser-manage-admin]quit
#
# Add the interface the SSH client reaches the device through (GigabitEthernet1/0/4, addressed above) to the Trust zone; an interface that belongs to no security zone cannot exchange traffic with the Local zone
[H3C]security-zone name Trust
[H3C-security-zone-Trust]import interface GigabitEthernet1/0/4
[H3C-security-zone-Trust]quit
# Create the object policy pass.
[H3C]object-policy ip pass
[H3C-object-policy-ip-pass]rule 0 pass
[H3C-object-policy-ip-pass]quit
# Create the inter-zone policy from Trust to Local and apply the pass policy.
[H3C]zone-pair security source Trust destination Local
[H3C-zone-pair-security-Trust-Local]object-policy apply ip pass
[H3C-zone-pair-security-Trust-Local]quit
# Create the inter-zone policy from Local to Trust and apply the pass policy.
[H3C]zone-pair security source Local destination Trust
[H3C-zone-pair-security-Local-Trust]object-policy apply ip pass
[H3C-zone-pair-security-Local-Trust]quit
# Allow only users on the internal 192.168.10.0/24 subnet to log in to the device.
# Configure the ACL:
[H3C]acl basic 2999
[H3C-acl-ipv4-basic-2999]rule permit source 192.168.10.0 0.0.0.255
[H3C-acl-ipv4-basic-2999]quit
# Apply it to the SSH service (a basic ACL with a single permit rule implicitly denies every other source):
[H3C]ssh server acl 2999
# Save the configuration only after testing confirms that login works.
[H3C]save force
#
# On the PC, open SecureCRT and connect to the device: click Quick Connect, select "SSH2" as the protocol, enter the device address "192.168.10.1" as the hostname, and click "Connect".
#
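As an added check that is not part of the original H3C case, the following Python script audits a Comware running-config excerpt for the settings this case relies on: the SSH server is enabled, an ACL is applied to it, every source the ACL permits lies inside the management subnet (Comware wildcard masks are inverted, and a permit rule without a source means any), the VTY lines use scheme authentication, and no local user keeps a plain-text password. The sample configuration is constructed to mirror the case above; the function and check names are this example's own.

```python
import re
import ipaddress

# Constructed excerpt of a Comware running-config, modelled on this case
SAMPLE_CONFIG = """\
ssh server enable
ssh server acl 2999
#
acl basic 2999
 rule 0 permit source 192.168.10.0 0.0.0.255
#
line vty 0 63
 authentication-mode scheme
#
local-user admin class manage
 service-type ssh
 authorization-attribute user-role network-admin
"""

def block(config, header):
    """Yield the stripped, indented lines that belong to the block starting with header."""
    inside = False
    for line in config.splitlines():
        if line.startswith(header):
            inside = True
        elif inside and not line.startswith(" "):
            inside = False
        elif inside:
            yield line.strip()

def acl_permitted_sources(config, acl_number):
    """Networks a basic IPv4 ACL permits; a permit rule with no source means 0.0.0.0/0."""
    nets = []
    for rule in block(config, f"acl basic {acl_number}"):
        m = re.match(r"rule \d+ permit(?: source (\S+) (\S+))?", rule)
        if not m:
            continue  # deny rules and other lines do not widen access
        if m.group(1) is None:
            nets.append(ipaddress.IPv4Network("0.0.0.0/0"))
            continue
        ip, wildcard = m.groups()
        wildcard = "0.0.0.0" if wildcard == "0" else wildcard  # "0" is Comware's host shorthand
        # Comware ACLs use wildcard (host) masks; invert to a netmask before parsing
        netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
        nets.append(ipaddress.IPv4Network((ip, str(ipaddress.IPv4Address(netmask))), strict=False))
    return nets

def audit_ssh_access(config, management_net="192.168.10.0/24"):
    """Check the settings this case relies on; returns {check_name: passed}."""
    allowed = ipaddress.IPv4Network(management_net)
    acl = re.search(r"^ssh server acl (\d+)$", config, re.M)
    sources = acl_permitted_sources(config, acl.group(1)) if acl else []
    return {
        "ssh_server_enabled": re.search(r"^ssh server enable$", config, re.M) is not None,
        "ssh_acl_applied": acl is not None,
        "acl_limited_to_management_net": bool(sources) and all(n.subnet_of(allowed) for n in sources),
        "vty_uses_scheme_auth": "authentication-mode scheme" in list(block(config, "line vty")),
        "no_plaintext_password": "password simple" not in config,
    }
```

Run `audit_ssh_access` over the output of `display current-configuration` to confirm that a change to the ACL or VTY lines has not silently widened who can reach the SSH service.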