The network admin ran off and the network went down: resetting the password and reconfiguring a Huawei firewall

Author: IT Madman Logs

Near the end of the year, a company's network admin walked out without even waiting for his year-end bonus, and the network went down with him. That is some grudge.

The company uses a Huawei USG5000 series unified security gateway, a Secoway USG5120BSR. It was produced back then by the Huawei-Symantec joint venture and provides firewall, intrusion prevention, anti-virus, anti-spam, URL filtering and other security functions: a full range of network protection meant to keep the network running smoothly.

Back then, anyone who could afford this box was also willing to spend the money. It kept the outside threats out, but in the end it was an insider who brought it down; evidently internal management needs tightening too.

These days a company without a network is half shut down, and the customer had presumably been waiting a long time, so no more chatter, straight to work: connect the console cable, find a pen and hold down the Reset button. About 30 seconds later all the lights go off and then back on, the fans spin up with the sound of a "helicopter taking off", and the laptop screen shows the device booting.

When "Press Ctrl+B to Enter Main Menu..." appears, press Ctrl+B right away. A "Password:" prompt follows; don't panic, this is not the administrator password. What it wants is the BootROM password, O&m15213, after which you land in the BootROM menu.

Now enter 6, that is, select <6> Reset Factory Configuration to restore the factory settings. Note that we choose this because the customer wants everything reconfigured from scratch; if you only need to reset the administrator password, press Ctrl+Z at this point instead to enter the hidden menu, and enter the number corresponding to "Recover Console Password".

The prompt warns that this action will discard the current configuration; select "Yes" to continue, i.e. enter 1.

Nothing more to say here: enter 1 and boot the system.

From past experience, once you are back in the system you must change the password immediately, otherwise after a login timeout or a restart you get to do the whole thing again!

Set the laptop NIC to IP address 192.168.0.2, subnet mask 255.255.255.0, then connect the network cable to the firewall's G0/0/0 port (the default management port), open a browser and go to https://192.168.1.1:8443

Username: admin, password: Admin@123. Note that on some versions the default password is Admin@huawei, and on others admin@huawei.com; try a few, one of them will fit.

Look at this interface: the same familiar flavour, the same familiar recipe. Let's get going in the web UI.

1. Configure the intranet interface: set G0/0/1 as the intranet port with IP address 192.168.10.1;

2. Configure the Internet interface: set G0/0/3 as the Internet port, with the static IP address provided by the ISP;

Pay attention to which security zone each interface is placed in; the names say it all: the intranet port naturally goes in the Trust zone and the Internet port in the Untrust zone.

3. Create a new security policy, Trust2Untrust: source security zone Trust, destination security zone Untrust, action permit. The meaning is obvious: traffic from the intranet to the Internet is allowed. Note that the Untrust2Trust security policy should be set to deny, so that the Internet cannot reach the intranet without restriction.

4. Configure NAT so that intranet users can reach the Internet: source security zone Trust, destination security zone Untrust, source address 192.168.10.0/24, action NAT, translate the source address to the outbound interface IP address.

5. And of course don't forget the default route, otherwise there is still no Internet access; the next-hop address here is the gateway address given by the ISP.

At this point Internet access is restored. Switch the laptop back to obtaining an IP address automatically and plug it into the core switch, a Huawei S5700-28P. Not bad, its configuration seems intact: the laptop gets an IP normally and can reach the Internet.

First let the customer know the network is back, then carry on: publishing the intranet servers. Below I use publishing a Windows Server Remote Desktop as the example:

1. Create a new virtual server. For the external address just select the Internet interface; for the internal address enter the server's IP; check "port translation" and choose protocol "TCP". For security, the external port should be a custom port, not the service's default port; the internal port is the port actually in use, here Remote Desktop, so 3389.

2. Create a matching security policy, otherwise the Internet still cannot reach this server, because we set Untrust2Trust to deny earlier.

Once done, make sure this policy sits above the deny policy (policies are matched from the top down, first match wins), otherwise it never takes effect.

Other servers and ports that need to be mapped to the Internet are done the same way, one after another, but every mapping must have its own matching security policy.
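To see why the Untrust2Trust deny in step 3 and the rule ordering in the server-publishing steps matter, here is an added Python model (not from the post and not Huawei's code) of a top-down, first-match policy lookup combined with the virtual-server mapping. The server address 192.168.10.50, the external port 53389 and the rule names are assumed values, and the model assumes the destination is translated before the Untrust-to-Trust policy is matched.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample values, not from the post: the published server and its ports.
SERVER_IP = "192.168.10.50"   # intranet Remote Desktop host (assumed address)
EXTERNAL_PORT = 53389         # custom external port, as the post recommends
INTERNAL_PORT = 3389          # the service's real port
# Virtual server (destination NAT) table: (proto, external port) -> (server, port).
VIRTUAL_SERVERS = {("tcp", EXTERNAL_PORT): (SERVER_IP, INTERNAL_PORT)}

@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    dst_net: str            # CIDR; "0.0.0.0/0" means any address
    dst_port: "int | None"  # None means any port
    action: str             # "permit" or "deny"

    def matches(self, src_zone, dst_zone, dst_ip, dst_port):
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and ip_address(dst_ip) in ip_network(self.dst_net)
                and self.dst_port in (None, dst_port))

def evaluate(rules, src_zone, dst_zone, dst_ip, dst_port):
    """Top-down, first-match lookup; unmatched traffic hits the implicit deny."""
    for r in rules:
        if r.matches(src_zone, dst_zone, dst_ip, dst_port):
            return r.action, r.name
    return "deny", "default"

def inbound(rules, proto, ext_port):
    """Internet -> published server: translate the destination first, then match the
    Untrust->Trust policy on the server's private address and real port (assumed order)."""
    target = VIRTUAL_SERVERS.get((proto, ext_port))
    return evaluate(rules, "Untrust", "Trust", *target) if target else ("deny", "no virtual server")

def shadowed(rules):
    """Rules that can never match: an earlier rule on the same zone pair already
    covers all their addresses and ports (the post's 'invalid policy' case)."""
    return [r.name for i, r in enumerate(rules) if any(
        (e.src_zone, e.dst_zone) == (r.src_zone, r.dst_zone)
        and ip_network(r.dst_net).subnet_of(ip_network(e.dst_net))
        and e.dst_port in (None, r.dst_port) for e in rules[:i])]

TRUST2UNTRUST = Rule("Trust2Untrust", "Trust", "Untrust", "0.0.0.0/0", None, "permit")
UNTRUST2TRUST = Rule("Untrust2Trust", "Untrust", "Trust", "0.0.0.0/0", None, "deny")
PUBLISH_RDP = Rule("Publish-RDP", "Untrust", "Trust", SERVER_IP + "/32", INTERNAL_PORT, "permit")
CORRECT_ORDER = [TRUST2UNTRUST, PUBLISH_RDP, UNTRUST2TRUST]  # publish rule above the deny
WRONG_ORDER = [TRUST2UNTRUST, UNTRUST2TRUST, PUBLISH_RDP]    # below the deny: never reached
```

Running `shadowed(WRONG_ORDER)` reports the publish rule as unreachable, and `inbound(WRONG_ORDER, "tcp", 53389)` shows the connection stopped by the blanket deny, which is exactly the misconfiguration the post warns about.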

After all configuration is done, remember to "Save", otherwise everything is lost the moment the device restarts.

My routine is to save the configuration and then export the configuration file to my computer; the day something goes wrong, just import it and save yourself a lot of trouble. Export a copy every time you change the configuration too; trust me, the more configuration files you have, the easier it is to deal with whatever comes up.

The author is a network engineer specialising in computer networks who has run his own business for many years and hopes to share his experience. If you find this useful, please follow, like and share; if you agree or disagree, comments are welcome. A discussion "circle" has recently been opened, and interested friends are welcome to join and learn together.
