目录
前言
一、ssh配置
1.FW1
2.core-sw1
3.core-sw2
二、python自动化配置防火墙
三、验证DNAT
四、验证DNAT
前言
视频演示请访问b站主页
白帽小丑的个人空间-白帽小丑个人主页-哔哩哔哩视频
一、ssh配置
给需要自动化管理的设备配置ssh服务端用户名和密码
1.FW1
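# Create a dedicated manager account for automation; do not reuse the account used for local login.
# Huawei@123 is a lab-only credential for this walkthrough: set a unique, strong password on any device that is reachable beyond the lab.
aaa
manager-user user1
password cipher Huawei@123
level 15
service-type ssh
quit
quit
# Accept only SSH on the VTY lines. "protocol inbound all" would also accept Telnet, which carries the level-15 credentials in cleartext; the account above is SSH-only anyway.
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
quit
stelnet server enable
ssh user user1
ssh user user1 authentication-type password
ssh user user1 service-type stelnet
# Generate the RSA host key pair. The Y and 2048 lines answer the command's prompts; the key length must be 2048.
rsa local-key-pair create
Y
2048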
2.core-sw1
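# SSH account used by the automation script. The password equals the username and is a lab-only value: replace it before the switch is reachable from anywhere outside the lab.
# The account's service type is limited to ssh; the original also enabled telnet, which exposes this level-15 login in cleartext.
aaa
local-user huawei password cipher huawei
local-user huawei service-type ssh
local-user huawei privilege level 15
quit
stelnet server enable
# Accept only SSH on the VTY lines instead of every inbound protocol.
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
quit
# Generate the RSA host key pair; the Y and 2048 lines answer the command's prompts (2048 is the key length).
rsa local-key-pair create
Y
2048
ssh user huawei authentication-type password
ssh user huawei service-type stelnet
quit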
3.core-sw2
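# SSH account used by the automation script. The password equals the username and is a lab-only value: replace it before the switch is reachable from anywhere outside the lab.
# The account's service type is limited to ssh; the original also enabled telnet, which exposes this level-15 login in cleartext.
aaa
local-user huawei password cipher huawei
local-user huawei service-type ssh
local-user huawei privilege level 15
quit
stelnet server enable
# Accept only SSH on the VTY lines instead of every inbound protocol.
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
quit
# Generate the RSA host key pair; the Y and 2048 lines answer the command's prompts (2048 is the key length).
rsa local-key-pair create
Y
2048
ssh user huawei authentication-type password
ssh user huawei service-type stelnet
quit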
二、python自动化配置防火墙
import paramiko
import getpass
import time
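# Push the SNAT/DNAT, security-policy and OSPF configuration to the firewall
# over an interactive SSH shell, then print whatever the device echoed back.
ip = "1.1.1.1"
username = input("Username: ")
password = getpass.getpass("Password: ")

# Source networks that are translated by the NAT policy and permitted by the
# matching trust -> untrust security policy (both rules use the same list).
inside_sources = [
    "source-address 172.16.0.0 16\n",
    "source-address 172.200.0.0 0.0.1.255\n",
    "source-address 172.210.2.0 0.0.1.255\n",
    "source-address 172.220.4.0 0.0.1.255\n",
    "source-address 172.230.6.0 0.0.1.255\n",
    "source-address 172.240.8.0 0.0.1.255\n",
    "source-address 172.250.10.0 0.0.1.255\n",
]

# Each inner list is sent back-to-back; the script pauses 0.2 s after every
# list so the device can keep up. Nothing waits for a prompt or checks the
# reply per command, so the printed output must be reviewed afterwards.
config_stages = [
    # ---- SNAT ----
    # Address of the outside (WAN) interface.
    [
        "system-view\n",
        "inter gi1/0/4\n",
        # NOTE(review): no mask / mask length is given here; the device will
        # probably reject this line - confirm the intended prefix.
        "ip address 132.12.12.10\n",
    ],
    # PAT address pool.
    [
        "nat address-group SNAT\n",
        "mode pat\n",
        "section 0 132.12.12.10\n",
        "route enable\n",
    ],
    # Source-NAT policy: trust -> untrust, translated to the SNAT pool.
    [
        "nat-policy\n",
        "rule name pat\n",
        "source-zone trust\n",
        "destination-zone untrust\n",
        *inside_sources,
        "action source-nat address-group SNAT\n",
    ],
    # Security policy permitting the same sources from trust to untrust.
    [
        "security-policy\n",
        "rule name NAT\n",
        "source-zone trust\n",
        "destination-zone untrust\n",
        *inside_sources,
        "action permit\n",
    ],
    # Default route, advertised into OSPF.
    [
        "ip route-static 0.0.0.0 0 132.12.12.11\n",
        "ospf 1\n",
        "default-route-advertise always\n",
        "q\n",
    ],
    # ---- DNAT ----
    # Address pool for the DMZ network (labelled "DNAT inside address pool"
    # by the author).
    [
        "ip pool dmz-pool\n",
        "network 192.168.170.0 mask 255.255.255.0 \n",
        "gateway 192.168.170.254\n",
    ],
    # Publish the DMZ web server on the public address, then allow the flow.
    # NOTE(review): HTTP runs over TCP; the UDP/80 mapping looks unnecessary
    # and widens what is reachable from untrust - confirm it is needed.
    # NOTE(review): the rule below matches on destination address only, with
    # no service restriction, so it permits every protocol and port from
    # untrust to 192.168.170.100 - consider limiting it to HTTP.
    [
        "nat server protocol udp global 132.12.12.10 80 inside 192.168.170.100 80\n",
        "nat server protocol tcp global 132.12.12.10 80 inside 192.168.170.100 80\n",
        "security-policy \n",
        "rule name allow-http-to-dmz\n",
        "source-zone untrust\n",
        "destination-zone dmz\n",
        "destination-address 192.168.170.100 32\n",
        "action permit \n",
    ],
    # Author's intent: "allow HTTP traffic through the external interface".
    # NOTE(review): service-manage controls access to the firewall's own
    # management services on this interface, not forwarded traffic, and the
    # published web server is already covered by the security policy above.
    # This opens plain-HTTP management on gi1/0/2 - confirm it is wanted.
    [
        "inter gi1/0/2\n",
        "service-manage http permit\n",
    ],
    # ---- OSPF so the monitoring zone can reach the internal devices ----
    # NOTE(review): "network 10.1.0.0 255.255.0.0" looks like a subnet mask
    # where the next network statement uses a wildcard (0.0.0.3) - confirm.
    [
        "inter gi1/0/2\n",
        "ip address 10.1.90.2 30\n",
        "quit\n",
        "ospf 1\n",
        "area 2\n",
        "network 10.1.0.0 255.255.0.0\n",
        "area 1\n",
        "network 10.1.90.0 0.0.0.3\n",
    ],
]

ssh_client = paramiko.SSHClient()
# Verify the firewall's host key instead of trusting whatever key is offered:
# this session carries a level-15 password and rewrites firewall policy, so an
# unverified peer (AutoAddPolicy) would expose both to a man-in-the-middle.
# Record the device's key in ~/.ssh/known_hosts beforehand, after comparing
# the fingerprint with the one shown on the device console.
ssh_client.load_system_host_keys()
ssh_client.set_missing_host_key_policy(paramiko.RejectPolicy())

try:
    ssh_client.connect(hostname=ip, username=username, password=password, look_for_keys=False)
    print("Successfully logged in " + ip)

    command = ssh_client.invoke_shell()
    for stage in config_stages:
        for line in stage:
            command.send(line)
        time.sleep(0.2)

    # Give the device a moment to finish, then drain everything it buffered;
    # a single recv() may return only part of the output.
    time.sleep(0.2)
    chunks = []
    while command.recv_ready():
        chunks.append(command.recv(65535))
        time.sleep(0.2)
    output = b"".join(chunks).decode("utf-8", errors="replace")
    print(output)

    # VRP reports rejected commands with "Error:" lines; surface them so a
    # half-applied firewall configuration does not go unnoticed.
    if "Error:" in output:
        print("WARNING: the device reported errors; review the output above.")
finally:
    # The original referenced ssh_client.close without calling it, so the
    # session was never closed.
    ssh_client.close()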
运行脚本