
H3CTE Security Lab Notes (H3CTE安全试验整理.docx)

Contents

1 ISP
2 Headquarters
3 branch1
4 branch2
5 LAC
6 vpdnuser
7 GREIPSecB1
7.1 Headquarters-Branch1
7.2 Branch1
8 GREIPSecB2
8.1 Headquarters-Branch2
8.2 Branch2
9 L2TP
9.1 HeadquartersL2TPLNS
9.2 LACL2TP
10 VPDN
10.1 HeadquartersVPDNLNS
10.2 LACVPDN

1 ISP

ISPdis cur
Now create configuration.
Current configuration
!
version 1.74
firewall enable
sysname ISP
!
interface Aux0
  async mode flow
  link-protocol ppp
!
interface Ethernet0
  ip address 20.0.0.1 255.255.255.0
!
interface Serial0
  link-protocol ppp
  ip address 202.0.0.1 255.255.255.252
!
interface Serial1
  clock DTECLK3
  link-protocol ppp
  ip address 202.0.0.5 255.255.255.252
!
interface Serial2
  clock DTECLK3
  link-protocol ppp
  ip address 202.0.0.9 255.255.255.252
!
interface Serial3
  link-protocol ppp
  ip address 202.0.0.13 255.255.255.252
!
return

2 Headquarters

Headquartersdis cur
Now create configuration.
Current configuration
!
version 1.74
undo login telnet
local-user ftp service-type ftp password simple ftp
local-user vpdnuser service-type ppp password simple vpdnuser
local-user win2000 service-type ppp password simple win2000
l2tp enable
ip pool 1 10.0.5.3 10.0.5.254
info-center console
firewall enable
aaa-enable
aaa authentication-scheme ppp default local
aaa authentication-scheme login default local
aaa accounting-scheme optional
sysname Headquarters
ftp-server enable
undo idle-timeout
!
ike pre-shared-key Headquartersandbranch2 remote 10.0.4.6
ike pre-shared-key Headquartersandbranch1 remote 10.0.4.2
!
acl 1 match-order auto    / NAT
  rule normal permit source 10.0.0.0 0.255.255.255
  rule normal deny source any
!
acl 101 match-order auto
  rule normal permit ip source 10.0.0.0 0.255.255.255 destination 10.0.0.0 0.255.255.255
  rule normal deny ip source any destination any
!
acl 102 match-order auto
  rule normal permit ip source 10.0.0.0 0.255.255.255 destination 10.0.0.0 0.255.255.255
  rule normal deny ip source any destination any
!
ipsec proposal ToBranch1
!
ipsec proposal ToBranch2
!
ipsec policy ToBranch1 1 isakmp
  security acl 101
  proposal ToBranch1
  tunnel remote 10.0.4.2
!
ipsec policy ToBranch2 2 isakmp
  security acl 102
  proposal ToBranch2
  tunnel remote 10.0.4.6
!
interface Aux0
  async mode flow
  link-protocol ppp
!
interface Ethernet0
  ip address 10.0.0.1 255.255.255.0
  ospf enable area 0.0.0.0
!
interface Serial0
  clock DTECLK1
  link-protocol ppp
  ip address 202.0.0.2 255.255.255.252
  nat outbound 1 interface    / NAT
!
interface Serial1
  link-protocol ppp
!
interface Tunnel1
  link-protocol tunnel
  ip address 10.0.4.1 255.255.255.252
  ospf enable area 0.0.0.0
  ospf peer 10.0.4.2
  ipsec policy ToBranch1    / apply ipsec policy
  source 202.0.0.2
  destination 202.0.0.6
!
interface Tunnel2
  link-protocol tunnel
  ip address 10.0.4.5 255.255.255.252
  ospf enable area 0.0.0.0
  ospf peer 10.0.4.6
  ipsec policy ToBranch2    / apply ipsec policy
  source 202.0.0.2
  destination 202.0.0.10
!
interface Virtual-Template1
  link-protocol ppp
  ppp authentication-mode pap
  remote address pool 1
  ip address 10.0.5.1 255.255.255.0
  undo ip fast-forwarding
!
l2tp-group 1
  allow l2tp virtual-template 1 remote vpdnlac
  mandatory-chap
  tunnel name vpdnlns
  tunnel password simple vpdnlab
!
quit
ospf enable
!
quit
!
quit
ip route-static 0.0.0.0 0.0.0.0 Serial 0 preference 60
ip route-static 10.0.7.0 255.255.255.0 10.0.5.3 preference 60
!
return

3 branch1

branch1dis cur
Now create configuration.
Current configuration
!
version 1.74
undo login con
undo login telnet
local-user ftp service-type ftp password simple ftp
tty enable
info-center console
firewall enable
sysname branch1
ftp-server enable
undo idle-timeout
!
ike pre-shared-key Headquartersandbranch1 remote 10.0.4.1
!
acl 101 match-order auto
  rule normal permit ip source 10.0.0.0 0.255.255.255 destination 10.0.0.0 0.255.255.255
  rule normal deny ip source any destination any
!
acl 102 match-order auto    / restrict mutual access between B1 and B2
  rule normal permit ip source 10.0.1.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
  rule normal permit ospf source any destination any
  rule normal permit udp source any source-port equal 500 destination any destination-port equal 500
  rule normal permit 50 source any destination any
  rule normal deny ip source any destination any
!
ipsec proposal ToHeadquarters
!
ipsec policy ToHeadquarters 1 isakmp
  security acl 101
  proposal ToHeadquarters
  tunnel remote 10.0.4.1
!
interface Aux0
  async mode flow
  link-protocol ppp
!
interface Ethernet0
  ip address 10.0.1.1 255.255.255.0
  ospf enable area 0.0.0.0
!
interface Serial0
  link-protocol ppp
  ip address 202.0.0.6 255.255.255.252
!
interface Serial1
  link-protocol ppp
!
interface Tunnel0
  link-protocol tunnel
!
interface Tunnel1
  link-protocol tunnel
  ip address 10.0.4.2 255.255.255.252
  firewall packet-filter 102 outbound    / control mutual access between B1 and B2
  ospf enable area 0.0.0.0
  ospf peer 10.0.4.1
  ipsec policy ToHeadquarters
  source 202.0.0.6
  destination 202.0.0.2
!
quit
ospf enable
!
quit
!
quit
ip route-static 0.0.0.0 0.0.0.0 Tunnel 1 preference 60
ip route-static 202.0.0.2 255.255.255.255 Serial 0 preference 60
!
return

4 branch2

branch2dis cur
Now create configuration.
Current configuration
!
version 1.74
local-user ftp service-type ftp password simple ftp
info-center console
firewall enable
sysname branch2
ftp-server enable
!
ike pre-shared-key Headquartersandbranch2 remote 10.0.4.5
!
acl 101 match-order auto
  rule normal permit ip source 10.0.0.0 0.255.255.255 destination 10.0.0.0 0.255.255.255
  rule normal deny ip source any destination any
!
ipsec proposal ToHeadquarters
!
ipsec policy ToHeadquarters 2 isakmp
  security acl 101
  proposal ToHeadquarters
  tunnel remote 10.0.4.5
!
interface Aux0
  async mode flow
  link-protocol ppp
!
interface Ethernet0
  ip address 10.0.2.1 255.255.255.0
  ospf enable area 0.0.0.0
!
interface Serial0
  link-protocol ppp
  ip address 202.0.0.10 255.255.255.252
!
interface Serial1
  link-protocol ppp
!
interface Tunnel1
  link-protocol tunnel
  ip address 10.0.4.6 255.255.255.252
  ospf enable area 0.0.0.0
  ospf peer 10.0.4.5
  ipsec policy ToHeadquarters
  source 202.0.0.10
  destination 202.0.0.2
!
quit
ospf enable
!
quit
!
quit
ip route-static 0.0.0.0 0.0.0.0 Tunnel 1 preference 60
ip route-static 202.0.0.2 255.255.255.255 Serial 0 preference 60
!
return

5 LAC

LACdis cur
Now create configuration.
Current configuration
!
version 1.74
local-user vpdnuser service-type ppp password simple vpdnuser
local-user ftp service-type ftp password simple ftp
local-user win2000 service-type ppp password simple win2000
l2tp enable
l2tp match-order domain
l2tp domain suffix-separator
info-center console
firewall enable
aaa-enable
aaa authentication-scheme ppp default local
aaa authentication-scheme login default local
aaa accounting-scheme optional
sysname LAC
ftp-server enable
undo idle-timeout
!
interface Aux0
  async mode flow
  link-protocol ppp
!
interface Ethernet0
  ip address 10.0.8.1 255.255.255.0
!
interface Serial0
  clock DTECLK1
  link-protocol ppp
  ip address 202.0.0.14 255.255.255.252
!
interface Serial1
  link-protocol ppp
  ppp authentication-mode pap    / L2TP dial-in
!
interface Serial2    / VPDN dial-in
  physical-mode async
  modem
  async mode protocol
  link-protocol ppp
  ppp authentication-mode pap    / does this interface need an address?
!
l2tp-group 1
  start l2tp ip 202.0.0.2 domain
  tunnel name vpdnlac
  tunnel password simple vpdnlab
!
quit
ip route-static 202.0.0.2 255.255.255.255 Serial 0 preference 60
!
return

6 vpdnuser

vpdnuserdis cur
Now create configuration.
Current configuration
!
version 1.44
local-user ftp service-type ftp password simple ftp
info-center console
firewall enable
sysname vpdnuser
ftp-server enable
undo idle-timeout
!
interface Ethernet0
  ip address 10.0.7.1 255.255.255.0
!
interface Serial0
  clock DTECLK1
  link-protocol ppp
  ppp chap user vpdnuser
  ppp chap password simple vpdnuser
  ppp pap local-user vpdnuser password simple vpdnuser
  ip address ppp-negotiate    / negotiated with whom?
!
interface Bri0
  link-protocol ppp
  dialer enable-circular
!
quit
ip route-static 0.0.0.0 0.0.0.0 Serial 0 preference 60
!
return

After completing the configuration above, you can use the method described in the networking requirements to verify that the network requirements have been met.

7 GREIPSecB1

7.1.1 Headquarters-Branch1

ike pre-shared-key Headquartersandbranch1 remote 10.0.4.2    / peer Tunnel IP
!
acl 101 match-order auto
  rule normal permit ip source 10.0.0.0 0.255.255.255 destination 10.0.0.0 0.255.255.255
  rule normal deny ip source any destination any
!
ipsec proposal ToBranch1
!
ipsec policy ToBranch1 1 isakmp
  security acl 101
  proposal ToBranch1
  tunnel remote 10.0.4.2
ip route-static 0.0.0.0 0.0.0.0 Serial 0 preference 60

7.1.2 Branch1

8 GREIPSecB2

8.1.1 Headquarters-Branch2

ike pre-shared-key Headquartersandbranch2 remote 10.0.4.6
ike pre-shared-key Headquartersandbranch1 remote 10.0.4.2
!
acl 1 match-order auto
  rule normal permit source 10.0.0.0 0.255.255.255
  rule normal deny source any
!
acl 101 match-order auto
  rule normal permit ip source 10.0.0.0 0.255.255.255 destination 10.0.0.0 0.255.255.255
  rule normal deny ip source any destination any
!
acl 102 match-order auto
  rule normal permit ip source 10.0.0.0 0.255.255.255 destination 10.0.0.0 0.255.255.255
  rule normal deny ip source any destination any
!
ipsec proposal ToBranch1
!
ipsec proposal
