Configuring a remote login mode for the USG6000.


Procedure for configuring a remote login for the USG6000:

Remote login through Telnet/SSH
Procedure:
1. Configure an ACL that specifies the administrator IP addresses allowed to access the device remotely. A user whose source address lies outside the range permitted by the ACL cannot log in to the device through Telnet or SSH.
system-view
[sysname] acl 2000
[sysname-acl-basic-2000] rule permit source x.x.x.x 0
[sysname-acl-basic-2000] quit
x.x.x.x is the IP address permitted to access the device remotely; the wildcard 0 matches that single host. To permit a whole subnet, specify the network address with a wildcard mask such as 0.0.0.255.

2. Configure the maximum number of VTY user interfaces, which caps the number of concurrent remote login sessions. Limiting remote sessions prevents login attempts from consuming excessive system resources and keeps remote administration manageable.
system-view
[sysname] user-interface maximum-vty 3

3. Configure login through Telnet or SSH.
Note:
Telnet transmits the administrator account and password in cleartext, so it is risky to use Telnet for login. You are advised to use SSH (STelnet) for login and to leave the Telnet server disabled unless it is required.
Telnet login: set the account and password of the administrator who logs in to the device through Telnet. Set the administrator level to 3 and the maximum number of concurrent connections for the account to 1. Restrict the source addresses of remote users by applying ACL 2000 inbound on the VTY user interfaces.
system-view
[sysname] telnet server enable
[sysname] user-interface vty 0 4
[sysname-ui-vty0-4] authentication-mode aaa
[sysname-ui-vty0-4] acl 2000 inbound
[sysname-ui-vty0-4] quit
[sysname] aaa
[sysname-aaa] manager-user admin1
[sysname-aaa-manager-user-admin1] password
Enter Password:
Confirm Password:
[sysname-aaa-manager-user-admin1] service-type telnet
[sysname-aaa-manager-user-admin1] level 3
[sysname-aaa-manager-user-admin1] access-limit 1
SSH login: set the account and password of the administrator who logs in to the device through SSH. Set the administrator level to 3 and the maximum number of concurrent connections for the account to 1. The ACL applied inbound on the VTY user interfaces in the Telnet configuration restricts SSH logins as well, because both services use the same VTY user interfaces.
system-view
[sysname] user-interface vty 0 4
[sysname-ui-vty0-4] authentication-mode aaa
[sysname-ui-vty0-4] quit
[sysname] aaa
[sysname-aaa] manager-user admin1
[sysname-aaa-manager-user-admin1] ssh authentication-type password
[sysname-aaa-manager-user-admin1] password
Enter Password:
Confirm Password:
[sysname-aaa-manager-user-admin1] service-type ssh
[sysname-aaa-manager-user-admin1] level 3
[sysname-aaa-manager-user-admin1] access-limit 1
Set the client service mode of SSH user admin1 to STelnet.
[sysname-aaa-manager-user-admin1] ssh service-type stelnet
[sysname-aaa-manager-user-admin1] quit
[sysname-aaa] quit
Enable the STelnet service on the device. Until this command is run, the SSH user cannot log in.
[sysname] stelnet server enable
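The following Python script is an added example, not part of the Huawei page, that shows why the note above recommends SSH over Telnet: it strips Telnet option negotiation from a captured session and recovers the administrator's username and password from the cleartext exchange. The session, the prompts and the credentials admin1 / Secret!23 are constructed for the example.

```python
"""Recover a Telnet login from a captured session.

Added example (not from the Huawei page) showing why Telnet is risky: the
username and password cross the network in cleartext. The session below is
constructed by hand; "admin1" / "Secret!23" are made-up credentials and the
prompts mimic a router login banner.
"""
import re

IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop Telnet option negotiation (RFC 854 IAC sequences), keep user data."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 < n and data[i + 1] == IAC:   # IAC IAC = literal 0xFF data byte
            out.append(IAC)
            i += 2
        elif i + 1 < n and data[i + 1] in (WILL, WONT, DO, DONT):
            i += 3                                # IAC <cmd> <option>
        elif i + 1 < n and data[i + 1] == SB:     # IAC SB ... IAC SE subnegotiation
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:
            i += 2                                # other two-byte commands (NOP, GA, ...)
    return bytes(out)


PROMPT_RE = re.compile(rb"(username|login|password)\s*:\s*$", re.IGNORECASE)
EOL_RE = re.compile(rb"\r\n|\r\x00|\n")


def recover_login(segments):
    """Pair server prompts with the client's next line.

    segments: ordered ("S"|"C", payload) pairs, i.e. the TCP payloads of one
    Telnet session in both directions. Returns whatever was typed in response
    to a username/login/password prompt.
    """
    found, pending, buf = {}, None, b""
    for direction, payload in segments:
        text = strip_telnet_negotiation(payload)
        if direction == "S":
            m = PROMPT_RE.search(text)
            if m:
                pending, buf = m.group(1).lower(), b""
            continue
        if pending is None:
            continue
        buf += text                                # clients often send one byte at a time
        eol = EOL_RE.search(buf)
        if eol:
            key = "password" if pending == b"password" else "username"
            found[key] = buf[:eol.start()].decode("ascii", "replace")
            pending = None
    return found


# Constructed session: server negotiates ECHO, prompts, client answers.
SESSION = [
    ("S", bytes([IAC, WILL, 1, IAC, DO, 24])),
    ("C", bytes([IAC, DO, 1, IAC, WILL, 24])),
    ("S", b"\r\nLogin authentication\r\n\r\nUsername:"),
    ("C", b"adm"),
    ("C", b"in1\r\n"),
    ("S", b"admin1\r\nPassword:"),   # server echoes the username, never the password
    ("C", b"Secret!23\r\n"),
    ("S", b"\r\n<sysname>"),
]

if __name__ == "__main__":
    print(recover_login(SESSION))
```

The same logic run over an SSH session recovers nothing, because after the key exchange every payload byte is encrypted; that is the difference the ACL and access-limit settings above do not provide on their own.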

Other related questions:
Configuring a remote login mode for the USG2000&5000
Configure a remote login mode for the USG2000&5000 as follows:
1. Log in to the device through SSH.
With this configuration, users log in to the device through SSH to configure and manage it.
Note: In hot standby networking, SSH configuration commands are not synchronized from the active device to the standby device. You must configure SSH on both devices.
Procedure:
a. Set IP addresses for interfaces.
system-view
[USG] interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1] ip address 10.1.1.1 255.255.255.0
[USG-GigabitEthernet0/0/1] quit
b. Create SSH user Client001.
Configure the VTY user interface so that only SSH is accepted.
[USG] user-interface vty 0 4
[USG-ui-vty0-4] authentication-mode aaa
[USG-ui-vty0-4] protocol inbound ssh
[USG-ui-vty0-4] quit
Create SSH user Client001 and set the authentication mode to password authentication.
[USG] ssh user client001
[USG] ssh user client001 authentication-type password
Set the password to Admin@123 for SSH user Client001.
[USG] aaa
[USG-aaa] local-user client001 password irreversible-cipher Admin@123
[USG-aaa] local-user client001 service-type ssh
[USG-aaa] quit
c. Set the service type to STelnet for SSH user Client001 and enable the STelnet service.
[USG] ssh user client001 service-type stelnet
[USG] stelnet server enable
d. Run client software that supports SSH and establish an SSH connection.
2. Log in to the device through Telnet.
With this configuration, users log in to the device through Telnet to configure and manage it.
Note: Port 23 and Telnet are enabled on the USG by default. Run the undo telnet server enable command to disable port 23 and Telnet.
Procedure:
a. Access the USG user view through the console interface.
b. Set IP addresses for interfaces. In this example the local user accesses GigabitEthernet0/0/1 of the USG through Telnet; the interface IP address is 10.10.10.10 and the subnet mask is 255.0.0.0.
system-view
[USG] interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1] ip address 10.10.10.10 255.0.0.0
[USG-GigabitEthernet0/0/1] quit
c. Configure user information. Set the authentication mode of the VTY interface to AAA, and create Telnet user user1 with password password@123 (stored in irreversible-cipher mode) at level 3.
system-view
[USG] user-interface vty 0 4
[USG-ui-vty0-4] authentication-mode aaa
[USG-ui-vty0-4] protocol inbound telnet
[USG-ui-vty0-4] quit
[USG] aaa
[USG-aaa] local-user user1 password irreversible-cipher password@123
[USG-aaa] local-user user1 service-type telnet
[USG-aaa] local-user user1 level 3
d. Run the Telnet program on a Windows PC. Choose Start > Run, and in the Run window enter telnet 10.10.10.10 (the interface IP address).
e. Click OK to connect to the USG.
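To verify that a device actually ends up in the state the USG6000 procedure above and the USG2000&5000 procedure describe, the following Python script, an added example rather than part of the page, audits running-configuration text for the controls involved: Telnet server disabled and STelnet enabled, a VTY session cap, AAA authentication and an inbound ACL on the VTY interfaces, ACL rules that do not permit any source, and a per-account access-limit. It assumes the indented display current-configuration format with # separators, and accepts both the nested manager-user style of the USG6000 and the flat local-user style of the USG2000&5000; the two sample configurations and the cipher placeholder are constructed.

```python
"""Audit a USG running configuration for the remote-login controls configured above.
Added example, not from the Huawei page. Input is assumed to be in the indented
`display current-configuration` style; both sample configurations are constructed."""
import re

USER_RE = re.compile(r"(manager-user|local-user) (\S+)(?: (.+))?$")

WEAK_CONFIG = """\
#
 telnet server enable
#
user-interface vty 0 4
 authentication-mode aaa
#
aaa
 manager-user admin1
  password cipher %^%#PLACEHOLDER%^%#
  service-type telnet
#
"""
HARDENED_CONFIG = """\
#
 stelnet server enable
 user-interface maximum-vty 3
#
acl number 2000
 rule 5 permit source 192.0.2.10 0
#
user-interface vty 0 4
 authentication-mode aaa
 acl 2000 inbound
#
aaa
 manager-user admin1
  password cipher %^%#PLACEHOLDER%^%#
  ssh authentication-type password
  service-type ssh
  level 3
  access-limit 1
  ssh service-type stelnet
#
"""

def parse_blocks(config):
    """(context, command) pairs; context is the tuple of enclosing view headers."""
    items, stack = [], []  # stack of (indent, header line)
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":  # section separator: back to system view
            stack.clear()
        elif line:
            indent = len(raw) - len(raw.lstrip(" "))
            while stack and stack[-1][0] >= indent:
                stack.pop()
            items.append((tuple(h for _, h in stack), line))
            stack.append((indent, line))
    return items

def audit_remote_login(config):
    """Findings against the hardening points; an empty list means all are present."""
    items = parse_blocks(config)
    flat = [cmd for _, cmd in items]
    f = []
    if "telnet server enable" in flat:
        f.append("telnet server enable: credentials travel in cleartext; run undo telnet server enable and use STelnet")
    if "stelnet server enable" not in flat:
        f.append("stelnet server enable missing: SSH (STelnet) login is not available")
    if not any(re.match(r"user-interface maximum-vty \d+$", c) for c in flat):
        f.append("user-interface maximum-vty not set: concurrent remote sessions are unlimited")
    vty = [cmd for ctx, cmd in items if ctx and ctx[0].startswith("user-interface vty")]
    if "authentication-mode aaa" not in vty:
        f.append("VTY interfaces do not use authentication-mode aaa")
    if any(c.startswith("protocol inbound") and "ssh" not in c for c in vty):
        f.append("VTY protocol inbound admits Telnet; set protocol inbound ssh")
    acl_ids = [m.group(1) for m in map(re.compile(r"acl (\d+) inbound$").match, vty) if m]
    if not acl_ids:
        f.append("no inbound ACL on the VTY interfaces: any source address may attempt to log in")
    for acl_id in acl_ids:
        rules = [cmd for ctx, cmd in items
                 if ctx and re.match(rf"acl (number )?{acl_id}$", ctx[0]) and cmd.startswith("rule")]
        if not rules:
            f.append(f"ACL {acl_id} is applied to the VTY interfaces but has no rules")
        for r in rules:  # a permit without a source, or with source any, admits everyone
            if re.match(r"rule( \d+)? permit", r) and ("source" not in r or "source any" in r):
                f.append(f"ACL {acl_id} permits any source: {r}")
    users = {}  # "manager-user admin1" -> its commands, nested or flat local-user style
    for ctx, cmd in items:
        m = USER_RE.match(cmd)
        if m and m.group(3):  # flat: local-user NAME service-type telnet
            users.setdefault(f"{m.group(1)} {m.group(2)}", []).append(m.group(3))
        elif ctx and USER_RE.match(ctx[-1]):  # nested: commands under manager-user NAME
            users.setdefault(ctx[-1], []).append(cmd)
    for user, cmds in users.items():
        if any(c.startswith("service-type") and "telnet" in c for c in cmds):
            f.append(f"{user}: service-type telnet; move the account to ssh")
        if not any(c.startswith("access-limit ") for c in cmds):
            f.append(f"{user}: no access-limit; concurrent logins per account are unlimited")
    return f

if __name__ == "__main__":
    print(audit_remote_login(WEAK_CONFIG), audit_remote_login(HARDENED_CONFIG))
```

Feed it the output of display current-configuration saved to a file; the hardened sample, which mirrors the end state of the USG6000 procedure, produces no findings, while the weak sample reports six.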

Method for configuring remote login to the web UI of the USG6000 series
The management interface of the firewall has the web UI login function enabled by default.

Method for configuring Telnet login to the USG6000 series
To learn how to log in to the USG6000 series through Telnet, log in to the Huawei Enterprise Service Support website, view or download the product documentation for your product model and version, and search it for the case "Configuring Telnet Login to the CLI".

Configuring Telnet login on the USG2000&5000
For details on how to configure Telnet login on the USG2000&5000, visit the Huawei enterprise website. View or download the desired product documentation by the device model and version. For example, search for "Logging in to the device through Telnet" in the product documentation.

Configuring IPSec aggressive mode on the USG6000
Configuring IPSec tunnel-based link backup on the USG6000
Tunnel-based link backup applies to a scenario where IPSec tunnels are established between multiple public network egresses at one end and a single remote end. The configuration procedure differs only slightly from the common IPSec configuration procedure. The configuration roadmap is as follows:
1. Complete basic configurations, including setting IP addresses and assigning interfaces to security zones.
2. Create a tunnel interface and assign it to a security zone.
3. Configure a route (usually a static route) to the Internet on the NGFW.
4. Create an ACL to define the data flow to be protected.
5. Configure the security policy.
6. Configure an IPSec proposal.
7. Configure an IKE proposal.
8. Configure an IKE peer.
9. Configure an IPSec policy.
10. Apply the IPSec policy.
Operation steps
Only the key configurations related to tunneling are provided here. For the other basic and policy configurations, see the complete configuration examples.
Key configuration steps on NGFW_A (the end with multiple egresses):
1. Configure a tunnel interface and add it to the untrust zone.
[NGFW_A] interface tunnel 0
[NGFW_A-tunnel0] tunnel-protocol ipsec
[NGFW_A-tunnel0] ip address 10.1.0.2 24
[NGFW_A-tunnel0] quit
[NGFW_A] firewall zone untrust
[NGFW_A-zone-untrust] add interface tunnel 0
[NGFW_A-zone-untrust] quit
2. Configure routes.
[NGFW_A] ip route-static 10.4.0.0 255.255.255.0 tunnel 0 //Route to the peer intranet through the tunnel interface.
[NGFW_A] ip route-static 4.4.4.4 32 1.1.1.254
[NGFW_A] ip route-static 4.4.4.4 32 2.2.2.254
[NGFW_A] ip route-static 4.4.4.4 32 3.3.3.254 //Equal-cost routes to the peer's public address through the three egresses; if one egress fails, the tunnel continues over the remaining routes.
3. Define the data flow to be protected.
[NGFW_A] acl 3000
[NGFW_A-acl-adv-3000] rule permit ip source 10.3.0.0 0.0.0.255 destination 10.4.0.0 0.0.0.255
[NGFW_A-acl-adv-3000] quit
4. Configure the IPSec proposal, IKE proposal and IKE peer. The IKE proposal below keeps its default parameters; check them against your organization's algorithm requirements.
[NGFW_A] ipsec proposal tran1
[NGFW_A-ipsec-proposal-tran1] encapsulation-mode tunnel
[NGFW_A-ipsec-proposal-tran1] transform esp
[NGFW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[NGFW_A-ipsec-proposal-tran1] esp encryption-algorithm aes
[NGFW_A-ipsec-proposal-tran1] quit
[NGFW_A] ike proposal 10
[NGFW_A-ike-proposal-10] quit
[NGFW_A] ike peer b
[NGFW_A-ike-peer-b] ike-proposal 10
[NGFW_A-ike-peer-b] remote-address 4.4.4.4
[NGFW_A-ike-peer-b] pre-shared-key Test!123
[NGFW_A-ike-peer-b] quit
5. Configure the IPSec policy and apply it to the tunnel interface.
[NGFW_A] ipsec policy map1 10 isakmp
[NGFW_A-ipsec-policy-isakmp-map1-10] security acl 3000
[NGFW_A-ipsec-policy-isakmp-map1-10] proposal tran1
[NGFW_A-ipsec-policy-isakmp-map1-10] ike-peer b
[NGFW_A-ipsec-policy-isakmp-map1-10] quit
[NGFW_A] interface tunnel 0
[NGFW_A-tunnel0] ipsec policy map1
[NGFW_A-tunnel0] quit
Configure NGFW_B. The ACL is the mirror image of the one on NGFW_A, the pre-shared key and proposal parameters must match, and the remote address is the tunnel interface address of NGFW_A, so NGFW_B needs a route to that address.
[NGFW_B] ip route-static 10.3.0.0 255.255.255.0 4.4.4.254
[NGFW_B] ip route-static 10.1.0.2 255.255.255.255 4.4.4.254 //Route to the tunnel interface address of NGFW_A, which is the IKE peer address seen from NGFW_B.
[NGFW_B] acl 3000
[NGFW_B-acl-adv-3000] rule permit ip source 10.4.0.0 0.0.0.255 destination 10.3.0.0 0.0.0.255
[NGFW_B-acl-adv-3000] quit
[NGFW_B] ipsec proposal tran1
[NGFW_B-ipsec-proposal-tran1] encapsulation-mode tunnel
[NGFW_B-ipsec-proposal-tran1] transform esp
[NGFW_B-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[NGFW_B-ipsec-proposal-tran1] esp encryption-algorithm aes
[NGFW_B-ipsec-proposal-tran1] quit
[NGFW_B] ike proposal 10
[NGFW_B-ike-proposal-10] quit
[NGFW_B] ike peer a
[NGFW_B-ike-peer-a] ike-proposal 10
[NGFW_B-ike-peer-a] remote-address 10.1.0.2
[NGFW_B-ike-peer-a] pre-shared-key Test!123
[NGFW_B-ike-peer-a] quit
[NGFW_B] ipsec policy map1 10 isakmp
[NGFW_B-ipsec-policy-isakmp-map1-10] security acl 3000
[NGFW_B-ipsec-policy-isakmp-map1-10] proposal tran1
[NGFW_B-ipsec-policy-isakmp-map1-10] ike-peer a
[NGFW_B-ipsec-policy-isakmp-map1-10] quit
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ipsec policy map1
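Most IPSec failures in this design are mismatches between the two ends, so the following Python script, an added example that is not part of the page, cross-checks the two transcripts above (abridged to the lines it needs): it parses the prompt-in-brackets command format, compares the pre-shared keys and IPSec proposal parameters, verifies that the security ACLs are mirror images, checks that NGFW_B's remote-address is the address of the interface NGFW_A applies its policy to (the tunnel interface, 10.1.0.2), and counts the static routes each side has to its peer. The transcripts are copied from the procedure; the script assumes device names contain no hyphen and handles one ISAKMP policy per device.

```python
"""Cross-check both ends of the IPSec link-backup tunnel configured above.
Added example, not from the Huawei page: it reads prompt-in-brackets command
transcripts (abridged from the procedure; device names assumed hyphen-free)."""
import re

PROMPT = re.compile(r"^\[(?P<dev>[^\]-]+)(?:-(?P<view>[^\]]+))?\]\s*(?P<cmd>.*?)\s*(?://.*)?$")

NGFW_A = """
[NGFW_A-tunnel0] ip address 10.1.0.2 24
[NGFW_A] ip route-static 4.4.4.4 32 1.1.1.254
[NGFW_A] ip route-static 4.4.4.4 32 2.2.2.254
[NGFW_A] ip route-static 4.4.4.4 32 3.3.3.254 //equal-cost routes to the peer via three egresses
[NGFW_A] acl 3000
[NGFW_A-acl-adv-3000] rule permit ip source 10.3.0.0 0.0.0.255 destination 10.4.0.0 0.0.0.255
[NGFW_A] ipsec proposal tran1
[NGFW_A-ipsec-proposal-tran1] encapsulation-mode tunnel
[NGFW_A-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[NGFW_A-ipsec-proposal-tran1] esp encryption-algorithm aes
[NGFW_A] ike peer b
[NGFW_A-ike-peer-b] ike-proposal 10
[NGFW_A-ike-peer-b] remote-address 4.4.4.4
[NGFW_A-ike-peer-b] pre-shared-key Test!123
[NGFW_A] ipsec policy map1 10 isakmp
[NGFW_A-ipsec-policy-isakmp-map1-10] security acl 3000
[NGFW_A-ipsec-policy-isakmp-map1-10] proposal tran1
[NGFW_A-ipsec-policy-isakmp-map1-10] ike-peer b
[NGFW_A-tunnel0] ipsec policy map1
"""
NGFW_B = """
[NGFW_B] ip route-static 10.1.0.2 255.255.255.255 4.4.4.254 //route to NGFW_A's tunnel address
[NGFW_B] acl 3000
[NGFW_B-acl-adv-3000] rule permit ip source 10.4.0.0 0.0.0.255 destination 10.3.0.0 0.0.0.255
[NGFW_B] ipsec proposal tran1
[NGFW_B-ipsec-proposal-tran1] encapsulation-mode tunnel
[NGFW_B-ipsec-proposal-tran1] esp authentication-algorithm sha2-256
[NGFW_B-ipsec-proposal-tran1] esp encryption-algorithm aes
[NGFW_B] ike peer a
[NGFW_B-ike-peer-a] ike-proposal 10
[NGFW_B-ike-peer-a] remote-address 10.1.0.2
[NGFW_B-ike-peer-a] pre-shared-key Test!123
[NGFW_B] ipsec policy map1 10 isakmp
[NGFW_B-ipsec-policy-isakmp-map1-10] security acl 3000
[NGFW_B-ipsec-policy-isakmp-map1-10] proposal tran1
[NGFW_B-ipsec-policy-isakmp-map1-10] ike-peer a
[NGFW_B-GigabitEthernet1/0/1] ipsec policy map1
"""

def parse_transcript(text):
    """Group commands by the view named in the prompt ("" = system view); drop quit."""
    views = {}
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if m and m["cmd"] and m["cmd"] != "quit":
            views.setdefault(m["view"] or "", []).append(m["cmd"])
    return views

def first(cmds, prefix):
    return next((c[len(prefix) + 1:] for c in cmds if c.startswith(prefix + " ")), None)

def side(views):
    """Collect the parameters of the ISAKMP policy configured on one device."""
    pol = views[next(v for v in views if v.startswith("ipsec-policy-"))]
    peer = views.get("ike-peer-" + first(pol, "ike-peer"), [])
    acl = views.get("acl-adv-" + first(pol, "security acl"), [])
    prop = views.get("ipsec-proposal-" + first(pol, "proposal"), [])
    name = first(views[""], "ipsec policy").split()[0]  # "map1" from "ipsec policy map1 10 isakmp"
    iface = next((v for v, c in views.items() if f"ipsec policy {name}" in c), "")
    local = first(views.get(iface, []), "ip address")  # None when the transcript omits the address
    return {
        "psk": first(peer, "pre-shared-key"),
        "remote": first(peer, "remote-address"),
        "proposal": dict(c.rsplit(" ", 1) for c in prop),
        "acl": {m.groups() for m in (re.search(r"source (\S+ \S+) destination (\S+ \S+)", r) for r in acl) if m},
        "local": local.split()[0] if local else None,
        "routes": [c.split()[2] for c in views[""] if c.startswith("ip route-static ")],
    }

def check_peers(a, b):
    """Mismatches between the two ends; an empty list means they agree."""
    out = ["pre-shared-key differs"] if a["psk"] != b["psk"] else []
    for k in ("encapsulation-mode", "esp authentication-algorithm", "esp encryption-algorithm"):
        if a["proposal"].get(k) != b["proposal"].get(k):
            out.append(f"ipsec proposal {k} differs")
    if a["acl"] != {(d, s) for s, d in b["acl"]}:  # B's rule must be the mirror image of A's
        out.append("security ACLs are not mirror images")
    for x, y, n in ((a, b, "A"), (b, a, "B")):
        if y["local"] and x["remote"] != y["local"]:
            out.append(f"{n}: remote-address {x['remote']} is not the peer's policy interface address {y['local']}")
        if x["remote"] not in x["routes"]:
            out.append(f"{n}: no static route to IKE peer {x['remote']}")
    return out

def egress_routes(s, dest):
    """Static routes to dest; more than one on NGFW_A is what provides link backup."""
    return s["routes"].count(dest)

if __name__ == "__main__":
    a, b = side(parse_transcript(NGFW_A)), side(parse_transcript(NGFW_B))
    print(check_peers(a, b) or "consistent", "egress routes on A:", egress_routes(a, "4.4.4.4"))
```

With the page's values the two ends agree and NGFW_A has three routes to 4.4.4.4; change one pre-shared key or NGFW_B's remote-address and the script names the mismatch before IKE negotiation ever fails.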
