Which H3C configuration corresponds to this configuration?
router#show run
Building configuration...
Current configuration : 6411 bytes
!
! Last configuration change at 14:52:59 UTC Thu Dec 4 2025
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable password veolia
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip domain name ***.***
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-1197494751
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1197494751
revocation-check none
rsakeypair TP-self-signed-1197494751
!
!
crypto pki certificate chain TP-self-signed-1197494751
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31313937 34393437 3531301E 170D3137 30393032 32313535
34375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31393734
39343735 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B1E8 368FF766 BCB0E015 DDF68CAB A15B7366 CC08535B 1C78594D D91AB7AF
24F27C6B F1207C80 6109053D 6359B59E 6A3FC1CA 1191D203 ACDB9011 C689CF97
E8976F27 44FB16FA F28B9E74 78A05D43 AC0A9463 3CEBF90E 697B2BC4 7359FB9B
7277AA3F 1D499815 2454F5A8 1EFA7840 5FA03962 97F3C359 D4ABF164 92A60BF9
4E3D0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14CF07F5 B6A3864B 3B2D1601 506B7067 86381A47 05301D06
03551D0E 04160414 CF07F5B6 A3864B3B 2D160150 6B706786 381A4705 300D0609
2A864886 F70D0101 05050003 818100AB 0A7065EF 47E87CC9 FDF7E16E 70CB1E73
75405E27 ABCC05CC C7209131 70F5DD23 AF40D3C4 23ACBADC 3C4F917E 10502740
B92EA03B B2345C75 BA755231 7908CECA 15C2E361 5721099B 637E594E 57322C60
42CA429C 35545013 3FC4A1CC F982F50B 8F655CC1 B09DE761 AA6D1588 48485E49
514AF28D 0C897C2C CE66BAB1 0BDB32
quit
license udi pid CISCO1941/K9 sn FGL2135934F
!
!
username admin password 0 alex@veolia100
username cisco privilege 5 password 0 #edc2wsX
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key weiliya address 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set ccnp esp-des esp-sha-hmac
mode tunnel
!
!
!
crypto dynamic-map mydynamic 10
set transform-set ccnp
match address 110
reverse-route
!
!
crypto map mymap 65000 ipsec-isakmp dynamic mydynamic
!
!
!
!
!
Hello, for reference:
# 1. Basic configuration (maps to Cisco hostname, enable password, etc.)
sysname H3C
password-recovery enable
super password simple veolia // maps to Cisco enable password veolia
# 2. Local user configuration (maps to Cisco username)
local-user admin class manage
password simple alex@veolia100
service-type ssh http telnet
authorization-attribute user-role network-admin
local-user cisco class manage
password simple #edc2wsX
service-type ssh telnet
authorization-attribute user-role level-5 // maps to Cisco privilege 5
# 3. Interface configuration (WAN port + LAN port, maps to Cisco G0/0, G0/1)
interface GigabitEthernet0/0
description WAN-INTERFACE
port link-mode route
ip address 203.0.113.10 255.255.255.248 // replace with the actual public IP
nat outbound 2000 // outbound NAT, maps to Cisco NAT overload
ipsec policy map1 65000 isakmp template dynamic1 // bind the IPsec policy to the WAN interface
undo shutdown
interface GigabitEthernet0/1
description LAN-INTERFACE
port link-mode route
ip address 192.168.1.1 255.255.255.0 // LAN subnet, change as needed
undo shutdown
# 4. IKE proposal configuration (maps to Cisco crypto isakmp policy)
ike proposal 10
encryption-algorithm aes-256 // replaces Cisco's DES with strong encryption
authentication-algorithm sha256 // replaces SHA1
dh group14 // key exchange group, maps to Cisco group 14
authentication-algorithm sha1 // optional for compatibility with old devices; prefer sha256
encryption-algorithm aes-128 // fall back if the peer does not support aes256
ike peer default-peer
pre-shared-key simple weiliya // maps to Cisco isakmp key weiliya
remote-address 0.0.0.0 0.0.0.0 // accept peers from any IP, maps to 0.0.0.0
ike-proposal 10
# 5. IPsec policy template (core of the dynamic map, maps to Cisco dynamic-map)
ipsec proposal ccnp
esp encryption-algorithm aes-256 // maps to Cisco transform-set
esp authentication-algorithm sha256
ipsec policy-template dynamic1 10
proposal ccnp
security acl 3010 // maps to Cisco ACL 110, defines the traffic to encrypt
ike-peer default-peer
pfs dh14 // enable PFS, maps to Cisco set pfs
sa duration time 3600 // IPsec SA lifetime, maps to 3600 seconds
# 6. ACL configuration (defines encrypted traffic + NAT exemption, maps to Cisco ACL 110/100)
# 6.1 Encrypted-traffic ACL (LAN traffic that needs IPsec encryption)
acl number 3010
rule permit ip source 192.168.1.0 0.0.0.255 destination any // maps to Cisco ACL 110
# 6.2 NAT exemption ACL (encrypted traffic is not NATed, critical!)
acl number 2000
rule deny ip source 192.168.1.0 0.0.0.255 destination any // do not NAT encrypted traffic
rule permit ip source any destination any // NAT all other traffic normally
# 7. Routing and security optimisation (maps to Cisco reverse-route)
ip route-static 0.0.0.0 0.0.0.0 203.0.113.1 // default route to the internet, replace with the actual gateway
ipsec reverse-route enable // enable reverse route injection, maps to Cisco reverse-route
# 8. Management security hardening (maps to Cisco line configuration)
line con 0
idle-timeout 5 0
authentication-mode scheme
line vty 0 63
idle-timeout 5 0
authentication-mode scheme
protocol inbound ssh // allow SSH only, disable Telnet
ssh server enable
undo ip http server // disable unused services
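The answer above replaces several weak settings from the posted Cisco config (DES and SHA-1 in the transform set, an ISAKMP policy that falls back to IOS defaults, type-0 plaintext passwords, a wildcard pre-shared key). The following script is an added example, not part of either post, that audits an IOS running-config for exactly those items before a migration. The sample config is constructed to mirror the structure of the posted one with every secret replaced by a placeholder; the assumed classic-IOS ISAKMP defaults (DES, SHA-1, DH group 1 when a policy does not set them) are labelled in the code.

```python
"""Audit a Cisco IOS running-config for the weak IKE/IPsec and secret-storage
settings that the H3C translation above replaces. Added example, not from the
original post. Assumption: a `crypto isakmp policy` that omits encryption, hash
or group falls back to the classic IOS defaults DES / SHA-1 / group 1."""
import re

# Constructed sample mirroring the posted config; secrets are placeholders.
SAMPLE_CONFIG = """\
version 15.4
no service password-encryption
hostname router
enable password PLACEHOLDER_ENABLE
username admin password 0 PLACEHOLDER_PW1
username cisco privilege 5 password 0 PLACEHOLDER_PW2
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key PLACEHOLDER_PSK address 0.0.0.0 no-xauth
crypto ipsec transform-set ccnp esp-des esp-sha-hmac
 mode tunnel
crypto dynamic-map mydynamic 10
 set transform-set ccnp
 match address 110
 reverse-route
crypto map mymap 65000 ipsec-isakmp dynamic mydynamic
"""

# ESP keywords that are weak or legacy (DES, 3DES, NULL, MD5, SHA-1 HMAC).
LEGACY_ESP = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac", "esp-sha-hmac"}
# Assumed classic IOS defaults for ISAKMP policy attributes not set explicitly.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1"}
WEAK_ISAKMP_VALUES = {"des", "3des", "md5", "sha", "1", "2", "5"}


def parse_blocks(text):
    """Split a running-config into (header, [indented sub-lines]) blocks,
    skipping blank lines and `!` separators."""
    blocks, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks


def audit(text):
    """Return a sorted list of (severity, finding) tuples for the config."""
    findings = []
    blocks = parse_blocks(text)
    headers = [h for h, _ in blocks]
    if "no service password-encryption" in headers:
        findings.append(("medium", "password-encryption disabled: type-0 secrets stay in clear text"))
    for line in headers:
        # enable password / username ... password 0 store the secret in clear text
        if re.match(r"(enable password|username \S+ (privilege \d+ )?password 0) ", line):
            findings.append(("high", f"plaintext secret: {line.split(' password')[0]}"))
        # one PSK for address 0.0.0.0 is shared with every peer that connects
        if re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0", line):
            note = "wildcard pre-shared key shared with any peer address"
            if line.endswith("no-xauth"):
                note += ", no XAUTH"
            findings.append(("high", note))
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            weak = sorted(set(m.group(2).split()) & LEGACY_ESP)
            if weak:
                findings.append(("high", f"transform-set {m.group(1)} uses weak algorithms: {', '.join(weak)}"))
    for header, body in blocks:
        m = re.match(r"crypto isakmp policy (\d+)", header)
        if m:
            attrs = dict(ISAKMP_DEFAULTS)  # start from the assumed defaults
            for sub in body:
                parts = sub.split()
                if parts[0] in attrs:
                    attrs[parts[0]] = parts[1]
            weak = [f"{k}={v}" for k, v in attrs.items() if v in WEAK_ISAKMP_VALUES]
            if weak:
                findings.append(("high", f"isakmp policy {m.group(1)} weak/defaulted: {', '.join(weak)}"))
    return sorted(findings)


if __name__ == "__main__":
    for severity, finding in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {finding}")
```

Run it against the output of `show run` saved to a file by replacing SAMPLE_CONFIG with the file contents; each finding corresponds to a line the H3C answer rewrote, so an empty result means the migration already covers the weak items the auditor knows about.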