Saturday , April 20 2024
Home / Security (page 2)

Security

NAT server on Huawei USG5500

The last article dealt with outbound NAT. Let’s focus today on NAT server. NAT server enables private network servers to provide services for external networks with public IP addresses. In this lab, our enterprise provides FTP services for external users.

We can use the topology from the last post:

In our case AR router works as FTP server:

Read More »

outbound NAT on Huawei USG5500

What does it mean outbound NAT?

Outbound NAT translates the source IP addresses of packets sent from a high-priority security zone to a low-priority one.

I allowed myself to post a flowchart of configuring intranet users to access extranet through NAT (from Huawei documentation):

It easily lets us to choose a suitable way of configuring outbound NAT. In this lab I will try to do a review of these methods.

Read More »

https—>webUI—>Huawei Secospace USG6300

As a graphical user interface is useless in case of routers and switches, it looks useful when configuring a firewall. Of course it is my point of view. I do not go into what is better for you. I like using CLI but, sometimes, it is worth to simplify your daily routine. The first step is to configure HTTPS access to webUI of USG6300. This is what we will focus today.

Well known topology from the last post:

Topology_USG_access

Configure IP address of firewall’s interface and add it to trust zone:

[USG6300]interface GigabitEthernet 0/0/7
[USG6300-GigabitEthernet0/0/7]ip address 172.16.1.1 24

[USG6300]firewall zone trust
[USG6300-zone-trust]add interface GigabitEthernet 0/0/7

Read More »

VTY access to Secospace USG6300

A new box for fun 🙂

Thanks to my colleagues I have opportunity to test Huawei Secospace USG6300.

A rental period is not long, so let’s start from the beginning.

Telnet and SSH

Topology_USG_access

Configure IP address of firewall’s interface and assign it to trust zone:

[USG6300]interface GigabitEthernet 0/0/7
[USG6300-GigabitEthernet0/0/7]ip address 172.16.1.1 24

[USG6300]firewall zone trust
[USG6300-zone-trust]add interface GigabitEthernet 0/0/7

Read More »

HWTACACS configuration on Huawei device

Let’s look at a typical configuration of HWTACACS server on Huawei device:

#
hwtacacs-server template labnario
 hwtacacs-server authentication 172.16.10.1
 hwtacacs-server authorization 172.16.10.1
 hwtacacs-server accounting 172.16.10.1
 hwtacacs-server source-ip 172.16.10.10
 hwtacacs-server shared-key cipher %$%$;XioR#N`7=~][vLDTr2S(2.#%$%$
 undo hwtacacs-server user-name domain-included
#
aaa 
 authentication-scheme hwtacacs
  authentication-mode hwtacacs local
 authorization-scheme hwtacacs
  authorization-mode hwtacacs local
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
 domain default_admin  
  authentication-scheme hwtacacs 
  accounting-scheme hwtacacs
  authorization-scheme hwtacacs
  hwtacacs-server labnario
 local-user labnario password cipher %$%$'3N&Y#>c>Ibb;f:!o4mW(7#h%$%$
 local-user labnario privilege level 15
 local-user labnario service-type telnet terminal ssh ftp
#
user-interface vty 0 4
 authentication-mode aaa

Read More »