Uploaded by: b****7  Document ID: 9429226  Upload date: 2023-02-04  Format: DOCX  Pages: 21  Size: 95.33KB
H3CTE Security Lab Notes

Contents

1 ISP

2 Headquarters

3 branch1

4 branch2

5 LAC

6 vpdnuser

7 GRE+IPSec-B1

7.1.1 Headquarters-Branch1

7.1.2 Branch1

8 GRE+IPSec-B2

8.1.1 Headquarters-Branch2

8.1.2 Branch2

9 L2TP

9.1.1 Headquarters-L2TP-LNS

9.1.2 LAC-L2TP

10 VPDN

10.1.1 Headquarters-VPDN-LNS

10.1.2 LAC-VPDN

 

1 ISP

[ISP]dis cur
Now create configuration...
Current configuration
!
version 1.74
firewall enable
sysname ISP
!
interface Aux0
 async mode flow
 link-protocol ppp
!
interface Ethernet0
 ip address 20.0.0.1 255.255.255.0
!
interface Serial0
 link-protocol ppp
 ip address 202.0.0.1 255.255.255.252
!
interface Serial1
 clock DTECLK3
 link-protocol ppp
 ip address 202.0.0.5 255.255.255.252
!
interface Serial2
 clock DTECLK3
 link-protocol ppp
 ip address 202.0.0.9 255.255.255.252
!
interface Serial3
 link-protocol ppp
 ip address 202.0.0.13 255.255.255.252
!
return

 

2 Headquarters

[Headquarters]dis cur
Now create configuration...
Current configuration
!
version 1.74
undo login telnet
local-user ftp service-type ftp password simple ftp
local-user vpdnuser@ service-type ppp password simple vpdnuser
local-user win2000@ service-type ppp password simple win2000
l2tp enable
ip pool 1 10.0.5.3 10.0.5.254
info-center console
firewall enable
aaa-enable
aaa authentication-scheme ppp default local
aaa authentication-scheme login default local
aaa accounting-scheme optional
sysname Headquarters
ftp-server enable
undo idle-timeout
!
ike pre-shared-key Headquartersandbranch2 remote 10.0.4.6
ike pre-shared-key Headquartersandbranch1 remote 10.0.4.2
!
acl 1 match-order auto //NAT
 rule normal permit source 10.0.0.0 0.255.255.255
 rule normal deny source any
!
acl 101 match-order auto
 rule normal permit ip source 10.0.0.0 0.255.255.255 destination 10.0.0.0 0.255.255.255
 rule normal deny ip source any destination any
!
acl 102 match-order auto
 rule normal permit ip source 10.0.0.0 0.255.255.255 destination 10.0.0.0 0.255.255.255
 rule normal deny ip source any destination any
!
ipsec proposal ToBranch1
!
ipsec proposal ToBranch2
!
ipsec policy ToBranch1 1 isakmp
 security acl 101
 proposal ToBranch1
 tunnel remote 10.0.4.2
!
ipsec policy ToBranch2 2 isakmp
 security acl 102
 proposal ToBranch2
 tunnel remote 10.0.4.6
!
interface Aux0
 async mode flow
 link-protocol ppp
!
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0
 ospf enable area 0.0.0.0
!
interface Serial0
 clock DTECLK1
 link-protocol ppp
 ip address 202.0.0.2 255.255.255.252
 nat outbound 1 interface //NAT
!
interface Serial1
 link-protocol ppp
!
interface Tunnel1
 link-protocol tunnel
 ip address 10.0.4.1 255.255.255.252
 ospf enable area 0.0.0.0
 ospf peer 10.0.4.2
 ipsec policy ToBranch1 //apply the IPsec policy
 source 202.0.0.2
 destination 202.0.0.6
!
interface Tunnel2
 link-protocol tunnel
 ip address 10.0.4.5 255.255.255.252
 ospf enable area 0.0.0.0
 ospf peer 10.0.4.6
 ipsec policy ToBranch2 //apply the IPsec policy
 source 202.0.0.2
 destination 202.0.0.10
!
interface Virtual-Template1
 link-protocol ppp
 ppp authentication-mode pap
 remote address pool 1
 ip address 10.0.5.1 255.255.255.0
 undo ip fast-forwarding
!
l2tp-group 1
 allow l2tp virtual-template 1 remote vpdnlac
 mandatory-chap
 tunnel name vpdnlns
 tunnel password simple vpdnlab
!
quit
ospf enable
!
quit
!
quit
ip route-static 0.0.0.0 0.0.0.0 Serial0 preference 60
ip route-static 10.0.7.0 255.255.255.0 10.0.5.3 preference 60
!
return

 

3 branch1

[branch1]dis cur
Now create configuration...
Current configuration
!
version 1.74
undo login con
undo login telnet
local-user ftp service-type ftp password simple ftp
tty enable
info-center console
firewall enable
sysname branch1
ftp-server enable
undo idle-timeout
!
ike pre-shared-key Headquartersandbranch1 remote 10.0.4.1
!
acl 101 match-order auto
 rule normal permit ip source 10.0.0.0 0.255.255.255 destination 10.0.0.0 0.255.255.255
 rule normal deny ip source any destination any
!
acl 102 match-order auto //restrict mutual access between B1 and B2
 rule normal permit ip source 10.0.1.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
 rule normal permit ospf source any destination any
 rule normal permit udp source any source-port equal 500 destination any destination-port equal 500
 rule normal permit 50 source any destination any
 rule normal deny ip source any destination any
!
ipsec proposal ToHeadquarters
!
ipsec policy ToHeadquarters 1 isakmp
 security acl 101
 proposal ToHeadquarters
 tunnel remote 10.0.4.1
!
interface Aux0
 async mode flow
 link-protocol ppp
!
interface Ethernet0
 ip address 10.0.1.1 255.255.255.0
 ospf enable area 0.0.0.0
!
interface Serial0
 link-protocol ppp
 ip address 202.0.0.6 255.255.255.252
!
interface Serial1
 link-protocol ppp
!
interface Tunnel0
 link-protocol tunnel
!
interface Tunnel1
 link-protocol tunnel
 ip address 10.0.4.2 255.255.255.252
 firewall packet-filter 102 outbound //control mutual access between B1 and B2
 ospf enable area 0.0.0.0
 ospf peer 10.0.4.1
 ipsec policy ToHeadquarters
 source 202.0.0.6
 destination 202.0.0.2
!
quit
ospf enable
!
quit
!
quit
ip route-static 0.0.0.0 0.0.0.0 Tunnel1 preference 60
ip route-static 202.0.0.2 255.255.255.255 Serial0 preference 60
!
return
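
The following Python example is added here and is not part of the original lab notes. It evaluates branch1's ACL 102 (the packet filter applied outbound on Tunnel1) with wildcard-mask matching, to show which flows the "restrict B1/B2 access" rule set lets through. It assumes first-match evaluation with the deny rule evaluated last; the packet tuples used to query it are constructed samples.

```python
import ipaddress

# ACL 102 from the branch1 configuration, transcribed as
# (action, protocol, (src, src_wildcard), (dst, dst_wildcard), port).
# "any" is modelled as 0.0.0.0 with wildcard 255.255.255.255.
ANY = ("0.0.0.0", "255.255.255.255")
ACL_102 = [
    ("permit", "ip",   ("10.0.1.0", "0.0.0.255"), ("10.0.0.0", "0.0.0.255"), None),
    ("permit", "ospf", ANY, ANY, None),
    ("permit", "udp",  ANY, ANY, 500),   # IKE: source and destination port 500
    ("permit", "esp",  ANY, ANY, None),  # "permit 50": IP protocol 50 is ESP
    ("deny",   "ip",   ANY, ANY, None),
]


def wildcard_match(addr, base, wildcard):
    """Wildcard bits set to 1 are ignored; bits set to 0 must equal the base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """Return the action of the first matching rule (assumed evaluation order)."""
    for action, rproto, (sb, sw), (db, dw), port in acl:
        # An "ip" rule covers every protocol; other rules match one protocol.
        if rproto != "ip" and rproto != proto:
            continue
        # The UDP rule requires both ports to equal 500.
        if port is not None and (sport != port or dport != port):
            continue
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"  # assumption for this example; ACL 102 always hits its last rule


if __name__ == "__main__":
    # Constructed sample flows: branch1 LAN to HQ LAN, then to branch2 LAN.
    print(evaluate(ACL_102, "tcp", "10.0.1.10", "10.0.0.20"))
    print(evaluate(ACL_102, "tcp", "10.0.1.10", "10.0.2.20"))
```
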

 

4 branch2

[branch2]dis cur
Now create configuration...
Current configuration
!
version 1.74
local-user ftp service-type ftp password simple ftp
info-center console
firewall enable
sysname branch2
ftp-server enable
!
ike pre-shared-key Headquartersandbranch2 remote 10.0.4.5
!
acl 101 match-order auto
 rule normal permit ip source 10.0.0.0 0.255.255.255 destination 10.0.0.0 0.255.255.255
 rule normal deny ip source any destination any
!
ipsec proposal ToHeadquarters
!
ipsec policy ToHeadquarters 2 isakmp
 security acl 101
 proposal ToHeadquarters
 tunnel remote 10.0.4.5
!
interface Aux0
 async mode flow
 link-protocol ppp
!
interface Ethernet0
 ip address 10.0.2.1 255.255.255.0
 ospf enable area 0.0.0.0
!
interface Serial0
 link-protocol ppp
 ip address 202.0.0.10 255.255.255.252
!
interface Serial1
 link-protocol ppp
!
interface Tunnel1
 link-protocol tunnel
 ip address 10.0.4.6 255.255.255.252
 ospf enable area 0.0.0.0
 ospf peer 10.0.4.5
 ipsec policy ToHeadquarters
 source 202.0.0.10
 destination 202.0.0.2
!
quit
ospf enable
!
quit
!
quit
ip route-static 0.0.0.0 0.0.0.0 Tunnel1 preference 60
ip route-static 202.0.0.2 255.255.255.255 Serial0 preference 60
!
return

 

5 LAC

[LAC]dis cur
Now create configuration...
Current configuration
!
version 1.74
local-user vpdnuser@ service-type ppp password simple vpdnuser
local-user ftp service-type ftp password simple ftp
local-user win2000@ service-type ppp password simple win2000
l2tp enable
l2tp match-order domain
l2tp domain suffix-separator @
info-center console
firewall enable
aaa-enable
aaa authentication-scheme ppp default local
aaa authentication-scheme login default local
aaa accounting-scheme optional
sysname LAC
ftp-server enable
undo idle-timeout
!
interface Aux0
 async mode flow
 link-protocol ppp
!
interface Ethernet0
 ip address 10.0.8.1 255.255.255.0
!
interface Serial0
 clock DTECLK1
 link-protocol ppp
 ip address 202.0.0.14 255.255.255.252
!
interface Serial1
 link-protocol ppp
 ppp authentication-mode pap //L2TP dial-up
!
interface Serial2 //VPDN dial-up
 physical-mode async
 modem
 async mode protocol
 link-protocol ppp
 ppp authentication-mode pap
 //Does this interface need an address?
!
l2tp-group 1
 start l2tp ip 202.0.0.2 domain
 tunnel name vpdnlac
 tunnel password simple vpdnlab
!
quit
ip route-static 202.0.0.2 255.255.255.255 Serial0 preference 60
!
return

 

6 vpdnuser

[vpdnuser]dis cur
Now create configuration...
Current configuration
!
version 1.44
local-user ftp service-type ftp password simple ftp
info-center console
firewall enable
sysname vpdnuser
ftp-server enable
undo idle-timeout
!
interface Ethernet0
 ip address 10.0.7.1 255.255.255.0
!
interface Serial0
 clock DTECLK1
 link-protocol ppp
 ppp chap user vpdnuser@
 ppp chap password simple vpdnuser
 ppp pap local-user vpdnuser@ password simple vpdnuser
 ip address ppp-negotiate //Negotiate with whom?
!
interface Bri0
 link-protocol ppp
 dialer enable-circular
!
quit
ip route-static 0.0.0.0 0.0.0.0 Serial0 preference 60
!
return

After completing the configuration above, you can use the method introduced in the networking requirements description to verify whether the network requirements have been met.

 

7 GRE+IPSec-B1

7.1.1 Headquarters-Branch1

ike pre-shared-key Headquartersandbranch1 remote 10.0.4.2
//peer Tunnel IP
!
acl 101 match-order auto
 rule normal permit ip source 10.0.0.0 0.255.255.255 destination 10.0.0.0 0.255.255.255
 rule normal deny ip source any destination any
!
ipsec proposal ToBranch1
!
ipsec policy ToBranch1 1 isakmp
 security acl 101
 proposal ToBranch1
 tunnel remote 10.0.4.2
ip route-static 0.0.0.0 0.0.0.0 Serial0 preference 60

7.1.2 Branch1

 

8 GRE+IPSec-B2

8.1.1 Headquarters-Branch2

ike pre-shared-key Headquartersandbranch2 remote 10.0.4.6
ike pre-shared-key Headquartersandbranch1 remote 10.0.4.2
!
acl 1 match-order auto
 rule normal permit source 10.0.0.0 0.255.255.255
 rule normal deny source any
!
acl 101 match-order auto
 rule normal permit ip source 10.0.0.0 0.255.255.255 destination 10.0.0.0 0.255.255.255
 rule normal deny ip source any destination any
!
acl 102 match-order auto
 rule normal permit ip source 10.0.0.0 0.255.255.255 destination 10.0.0.0 0.255.255.255
 rule normal deny ip source any destination any
!
ipsec proposal ToBranch1
!
ipsec proposal
