Enterasys Networks XSR-3150 manual Enable Network Address Translation

Page 75

VPN Sample Configuration with Network Extension Mode

Generate the master key. Refer to the following sample key:

XSR(config)#crypto key master generate

New key is 2173 4521 3764 2ff5 163b 4bdf fe92 dbc1 1232 ffe0 f8d9 3649

Apply the following ACLs to the public interface of the XSR before creating the VPN configuration. These ACLs are applied only to an XSR configured to terminate Network Extension Mode (NEM) tunnels initiated from ANG-1100s. These ACLs allow all outbound IP traffic and established inbound TCP traffic and employ well-known protocol numbers for IKE UDP (500) and ICMP to and from the public interface (if preferred).

XSR(config)#access-list 1 deny 26.26.26.0 0.0.0.255

XSR(config)#access-list 1 permit any

XSR(config)#access-list 110 permit udp any any eq 500

XSR(config)#access-list 110 permit icmp any host 26.26.26.10

XSR(config)#access-list 110 deny ip any any

XSR(config)#access-list 111 permit udp any any eq 500

XSR(config)#access-list 111 permit icmp host 26.26.26.10 any

XSR(config)#access-list 111 deny ip any any

XSR(config)#interface gigabitethernet 2

XSR(config-if<F2>)#ip access-group 110 in

XSR(config-if<F2>)#ip access-group 111 out

Enable Network Address Translation:

XSR(config-if<F2>)#ip nat source assigned overload

Create the VPN virtual subnet:

XSR(config)#ip local pool virtual_subnet 10.10.10.0 255.255.255.248

Configure AAA authentication by assigning a virtual subnet to the DEFAULT AAA group, associate it with DNS and WINs servers, and add two AAA users with passwords.

When a remote XSR tunnels into the local XSR, it will be assigned these DNS, WINS and PPTP values and be assigned dynamically to the IP pool virtual_subnet. Be aware that users not added to a specified group will automatically be assigned to the DEFAULT group and groups must be created before users can be added to them. Remember to create the same users and passwords on the remote XSRs.

XSR(ip-local-pool)#aaa group DEFAULT

XSR(aaa-group)#ip pool virtual_subnet

Configure DNS and WINS parameters:

XSR(aaa-group)#dns server primary 172.16.10.10

XSR(aaa-group)#dns server secondary 172.16.10.11

XSR(aaa-group)#wins server primary 172.16.10.10

XSR(aaa-group)#wins server secondary 172.16.10.11

XSR Getting Started Guide 3-31

Image 75

Contents Version PeditionSecurity RouterPage Enterasys Networks, Inc Minuteman Road Andover, MA Regulatory Compliance Information Industry Canada Notices Product Safety Supplement to Product Instructions Vcci Notice N826 Enterasys Networks, Inc. Firmware License Agreement Page Page Contents BRI Leased Line BRI Leased Frame Relay BRI Switched Line Index Appendix a SpecificationsXiv About This Guide Contents of the GuideBold/En negrilla FTP Getting HelpXviii System Description OverviewTypical XSR-3150 Topology Hardware FeaturesXSR-3150 IP Protocol Software FeaturesOperating System Industry-common CLISnmp and Statistics Gathering IP RoutingFrame Relay SecurityIntegrated Services Digital Network Isdn BRI/PRI Dynamic Host Configuration Protocol DhcpVirtual Private Network VPN Quality of Service QoSGRE over IPSec Dial-on-Demand/Bandwidth-on-Demand DoD/BoD Dial ServiceDial Backup Asynchronous Digital Subscriber Line AdslUnpack the XSR from the shipping box. Remove accessories Installation OverviewInstallation Overview Installation Site Suggestions IntroductionVerifying Your Shipment Removing XSR Cover Installing NIM Cards and Rack MountingXSR Fastening Rack Brackets CompactFlash Card Installation Installing a CompactFlash Memory CardFormatting the CompactFlash Card CompactFlash Card for the Adsl NIM3150 Connecting Cables11 Connecting High Speed Serial Connector 13 Connecting Adsl Connector 15 Attaching GigabitEthernet Connector 17 Attaching Ethernet LAN NIM Connector 19 Connecting Dual Internal Power Supply Cords Initializing XSR Software Software ConfigurationInitializing XSR Software Optional Configuring Remote Auto Install Configuring RAI for Frame RelayOpening a COM Console Session Remote Auto Install Attempting Forever Configuring RAI over Adsl Configuring RAI for Dhcp over LANPppoe limit max-sessions Configuring the XSR Name and User Information Setting the ClockSetting User Name, Privilege and Password Configuring the LAN Ports Configuring the WAN PortsPRI Configuration BRI Leased Line BRI ConfigurationBRI Leased Frame Relay BRI Switched LineAdsl Configuration PPPoEPPPoA IPoA Firewall Sample ConfigurationXSR Complete LAN and WAN interface configuration Setting Up RIP RoutingConfiguring Frame Relay Point to Point Networks Configure Ospf RoutingSetting Up an Snmp Community String, Traps and V3 Values Configuring Message Logging and Severity Level Connecting Remotely via the Web Viewing Your ConfigurationWeb Product Version Window Pstn LAN-PPP Services Sample ConfigurationXSRconfig-controllerT1-1/0#no shutdown Configure Quality of Service Frame Relay WAN Link with PPP Backup Sample ConfigurationConfigure Users and Passwords Configure LAN InterfaceXSRconfig-pmap-cpriority-policy#priority high 30 Configure WAN/Frame Relay PortApply QoS XSRconfig#interface serial 1/0.2 multipointConfigure the Dial Backup Connection Configure Ospf RoutingConfigure More Access Lists Configure DHCP/BOOTP RelayConfigure Snmp VPN Site-to-Site Sample Configuration Configure Access Control ListsGenerate Master Encryption Key Create a Transform Set Set Up IKE Phase I SecurityConfigure IKE Policy for Remote Peer Configure Crypto MapsConfiguring VPN at Interface Mode and Setting Up RIP Configuring Authentication AAA VPN Sample Configuration with Network Extension ModeEnable Network Address Translation Create the Isakmp IKE global peer Initialization Output XSR Rebooting CharacteristicsPower-Up Reboot Reboot TriggersPower-up Error Conditions Bootrom Monitor Mode CommandsXSR-3150 bu btXSR300012.fls Verifying btXSR300012.fls file Copy Dir DelFfc Rename RemoveFTP Bootrom Monitor Mode Commands System Specifications SpecificationsWAN Cable, CompactFlash and Accessory SpecificationsXSR Getting Started Guide A-3 COM COM Console PortMini-GBIC Fiber, Copper Port GigabitEthernet PortsCopper/Fiber-optic Ethernet NIMs Regulatory/Safety Compliance21 DTE Port Serial NIM Card PortFigure A-8 EIA-232/530 DTE Pin Assignments Figure A-9 EIA-449 DTE Pin Assignments Figure A-10 Combined V.35/EIA-232/530 DTE Pin Assignments Figure A-11 DTE Pin Assignments T1/E1/ISDN PRI T1/E1/ISDN PRI NIM Card PortsFigure A-14 Balun for E1 or PRI Connection Balun for E1 or PRI NIM CardsGrounding Shunt for E1 NIM Cards Installing Shunt/Terminal StripFigure A-17 1-Port T3/E3 NIM Card T3/E3 NIM CardTermination Shunt for the Isdn BRI-S/T NIM Card Port BRI-S/T Isdb NIM Card PortsXSR Getting Started Guide A-17 Figure A-21 Isdn BRI-U NIM Card RJ-49C ports shown Port BRI-U NIM Card PortsFigure A-23 Adsl NIM Card Port Adsl NIM Card PortFigure A-25 T1/E1 D&I NIM Card T1/E1 Drop & Insert D&I NIMLED Behavior CompactFlash Memory CardTX LED Index Index-2