一、ssh配置

给需要自动化管理的设备配置ssh服务端用户名和密码

1.FW1

#注意不要使用本地登录的用户

aaa     
manager-user user1
password cipher Huawei@123
level 15     
service-type ssh     
quit     
quit     


user-interface vty 0 4
 authentication-mode aaa
 protocol inbound all
quit

stelnet server enable   
ssh user user1
ssh user user1 authentication-type password
ssh user user1 service-type stelnet

#注意长度为2048
rsa local-key-pair create
Y
2048

2.core-sw1

aaa     

local-user huawei password cipher huawei

local-user huawei service-type ssh telnet

local-user huawei privilege level 15

quit

stelnet server enable

user-interface vty 0 4
authentication-mode aaa
protocol inbound all

quit

rsa local-key-pair create  
Y
2048

ssh user huawei authentication-type password  

ssh user huawei service-type stelnet
quit

3.core-sw2

aaa     

local-user huawei password cipher huawei

local-user huawei service-type ssh telnet

local-user huawei privilege level 15

quit

stelnet server enable

user-interface vty 0 4
authentication-mode aaa
protocol inbound all

quit

rsa local-key-pair create  
Y
2048

ssh user huawei authentication-type password  

ssh user huawei service-type stelnet
quit

二、python自动化配置防火墙

import paramiko
import getpass
import time

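ip = "1.1.1.1"

username = input("Username: ")
password = getpass.getpass("Password: ")

# Seconds to wait after each group of CLI lines so the device can process
# them before the next group arrives (same value the original script used).
PAUSE = 0.2


def send_block(channel, lines, pause=PAUSE):
    """Send each CLI line to the interactive shell, then wait ``pause`` seconds.

    Args:
        channel: the paramiko Channel returned by ``invoke_shell()``.
        lines: CLI commands without a trailing newline; one is appended per line.
        pause: delay after the whole group so the device keeps up.
    """
    for line in lines:
        channel.send(line + "\n")
    time.sleep(pause)


def drain(channel, first_wait=PAUSE, chunk=65535):
    """Return everything the device has echoed so far, decoded as UTF-8.

    Reads while data is pending instead of doing a single ``recv``, so error
    lines the device printed for later commands are not left unread.
    Undecodable bytes are replaced rather than aborting the script.
    """
    time.sleep(first_wait)
    parts = []
    while channel.recv_ready():
        parts.append(channel.recv(chunk))
    return b"".join(parts).decode("utf-8", errors="replace")


ssh_client = paramiko.SSHClient()

# Host-key handling: keys already recorded in the user's known_hosts file are
# verified first (a mismatch raises BadHostKeyException). AutoAddPolicy then
# silently trusts any host NOT listed there, so the very first connection is
# not protected against a spoofed device receiving these credentials.
# Record the device key in known_hosts and switch to paramiko.RejectPolicy()
# once it is known.
ssh_client.load_system_host_keys()
ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh_client.connect(hostname=ip, username=username, password=password, look_for_keys=False)

try:
    print("Successfully logged in " + ip)

    command = ssh_client.invoke_shell()

    # Outside (WAN) interface address.
    # NOTE(review): no mask is given here while the other "ip address" line
    # below carries one - confirm the device accepts this form.
    send_block(command, [
        "system-view",
        "inter gi1/0/4",
        "ip address 132.12.12.10",
    ])

    # PAT address pool used for source NAT.
    send_block(command, [
        "nat address-group SNAT",
        "mode pat",
        "section 0 132.12.12.10",
        "route enable",
    ])

    # Source NAT policy: trust -> untrust, internal ranges mapped to the pool.
    send_block(command, [
        "nat-policy",
        "rule name pat",
        "source-zone trust",
        "destination-zone untrust",
        "source-address 172.16.0.0 16",
        "source-address 172.200.0.0 0.0.1.255",
        "source-address 172.210.2.0 0.0.1.255",
        "source-address 172.220.4.0 0.0.1.255",
        "source-address 172.230.6.0 0.0.1.255",
        "source-address 172.240.8.0 0.0.1.255",
        "source-address 172.250.10.0 0.0.1.255",
        "action source-nat address-group SNAT",
    ])

    # Security policy permitting the same trust -> untrust traffic
    # (the original comment mislabelled this block as the NAT policy).
    send_block(command, [
        "security-policy",
        "rule name NAT",
        "source-zone trust",
        "destination-zone untrust",
        "source-address 172.16.0.0 16",
        "source-address 172.200.0.0 0.0.1.255",
        "source-address 172.210.2.0 0.0.1.255",
        "source-address 172.220.4.0 0.0.1.255",
        "source-address 172.230.6.0 0.0.1.255",
        "source-address 172.240.8.0 0.0.1.255",
        "source-address 172.250.10.0 0.0.1.255",
        "action permit",
    ])

    # Default route towards the upstream gateway, advertised into OSPF.
    send_block(command, [
        "ip route-static 0.0.0.0 0 132.12.12.11",
        "ospf 1",
        "default-route-advertise always",
        "q",
    ])

    # ----------------------------------------------------------------------------------------------------

    # Internal (DMZ) address pool.
    send_block(command, [
        "ip pool dmz-pool",
        "network 192.168.170.0 mask 255.255.255.0 ",
        "gateway 192.168.170.254",
    ])

    # Destination NAT (port forwarding) to the DMZ host, plus the security
    # policy that allows the forwarded traffic in from untrust.
    # NOTE(review): the udp/80 mapping is unusual for an HTTP service -
    # confirm it is intended; every published mapping widens exposure of the
    # DMZ host.
    send_block(command, [
        "nat server protocol udp global 132.12.12.10 80 inside 192.168.170.100 80",
        "nat server protocol tcp global 132.12.12.10 80 inside 192.168.170.100 80",
        "security-policy ",
        "rule name allow-http-to-dmz",
        "source-zone untrust",
        "destination-zone dmz",
        "destination-address 192.168.170.100 32",
        "action permit ",
    ])

    # NOTE(review): "service-manage http permit" appears to control management
    # access to the firewall itself on this interface, not forwarded user
    # traffic (the DNAT rule above already covers that). Enabling it on the
    # outside interface exposes the device's own web management to untrust -
    # confirm this is intended before running the script.
    send_block(command, [
        "inter gi1/0/4",
        "service-manage http permit",
    ])

    # ----------------------------------------------------------
    # OSPF towards the monitoring area so it can reach internal devices.
    send_block(command, [
        "inter gi1/0/2",
        "ip address 10.1.90.2 30",
        "quit",
        "ospf 1",
        "area 2",
        "network 10.1.0.0 255.255.0.0",
        "area 1",
        "network 10.1.90.0 0.0.0.3",
    ], pause=2 * PAUSE)

    # Print the device's echo so any "Error:" responses to the commands above
    # are visible to the operator.
    print(drain(command))
finally:
    # The original script referenced ssh_client.close without calling it,
    # so the session was never closed explicitly.
    ssh_client.close()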

运行脚本

1f08a124d8984ad2be5ef562de1973db.png

三、验证DNAT

6529a3e2d1e54930b494855fd504bde2.png
9fc998785ea345a7b391ffc7a233380d.png