Set transform-set set1 match address | Cisco Systems 520 series

Chapter 7 Configuring VPNs Using an IPsec Tunnel and Generic Routing Encapsulation

Configuration Example

tunnel source fastethernet 0

tunnel destination interface 192.168.101.1

ip route 20.20.20.0 255.255.255.0 tunnel 1

crypto isakmp policy 1 encryption 3des authentication pre-share group 2

!

crypto isakmp client configuration group rtr-remote key secret-password

dns 10.50.10.1 10.60.10.1 domain company.com

pool dynpool

!

crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac

!

crypto ipsec security-association lifetime seconds 86400

!

crypto dynamic-map dynmap 1 set transform-set vpn1 reverse-route

!

crypto map static-map 1 ipsec-isakmp dynamic dynmap crypto map dynmap isakmp authorization list rtr-remote crypto map dynmap client configuration address respond

!

!Defines the key association and authentication for IPsec tunnel. crypto isakmp policy 1

hash md5

authentication pre-share

crypto isakmp key cisco123 address 200.1.1.1

!Defines encryption and transform set for the IPsec tunnel. crypto ipsec transform-set set1 esp-3des esp-md5-hmac

!Associates all crypto values and peering address for the IPsec tunnel. crypto map to_corporate 1 ipsec-isakmp

set peer 200.1.1.1

set transform-set set1 match address 105

!VLAN 1 is the internal interface.

interface vlan 1

ip address 10.1.1.1 255.255.255.0 ip nat inside

ip inspect firewall in ! Inspection examines outbound traffic. crypto map static-map

no cdp enable

!

!FE4 is the outside or Internet-exposed interface interface fastethernet 4

ip address 210.110.101.21 255.255.255.0

!acl 103 permits IPsec traffic from the corp. router as well as

!denies Internet-initiated traffic inbound.

ip access-group 103 in

			ip nat	outside
			no cdp	enable
			crypto	map to_corporate ! Applies the IPsec tunnel to the outside interface.
			Cisco Secure Router 520 Series Software Configuration Guide
			Cisco Secure Router 520 Series Software Configuration Guide

	7-10			OL-14210-01
	7-10			OL-14210-01

Image 86

Cisco Systems 520 series manual Set transform-set set1 match address

Contents

Cisco Secure Router 520 Series Software Configuration Guide Americas HeadquartersPage N T E N T S Iii Verify the Configuration Additional Configuration Options Reference Information Rsvp Vii Using the Tftp Download Command C-5 Viii Audience PrefaceObjective Organization Part 2 Configuring Your Router for Ethernet and DSL AccessPart 3 Configuring Additional Features and Troubleshooting Part 1 Getting Started Conventions Appendix D, Common Port Assignments Aviso Instruções Importantes DE Segurança Warnung Wichtige SicherheitshinweiseAvvertenza Importanti Istruzioni Sulla Sicurezza Xii Guarde Estas Instrucciones Xiii GEM Disse Anvisninger XivPage Related Documentation Cisco Regulatory Compliance and Safety Information RoadmapCisco Secure Router 520 Series Hardware Installation Guide Xvi Obtaining Documentation and Submitting a Service Request Xvii Xviii Getting Started Page Basic Router Configuration Viewing the Default Configuration Information Needed for Customizing the Default Parameters Router Interface Port Label Configuring Basic ParametersInterface Port Labels Configure WAN Interfaces Configure Global ParametersConfigure Fast Ethernet LAN Interfaces Command Purpose Interface type number Routerconfig# interface fastethernetRouterconfig-if# ip address 255.255.255.0 No shutdown Enables the ATM 0 interface Configure the Wireless InterfaceConfiguring a Loopback Interface Exits configuration mode for the ATM interface Loopback interface Exits configuration mode for the loopbackInterface and returns to global configuration mode Router# show interface loopback Login Configuring Command-Line Access to the RouterPassword password Exec-timeoutminutes seconds End Verifying Your Configuration Configuring Static RoutesConfiguration Example Command Task Configuring Dynamic RoutesConfiguring RIP Router rip No auto-summary Configuring Your Router for Ethernet and DSL Access Page For DSL-Based Network Deployments Sample Network DeploymentsFor Ethernet-Based Network Deployments Sample Network Deployments Configuring PPP over Ethernet with NAT PPPoE session between the client and a PPPoE server Vpdn enable Configuration TasksCommand or Action Purpose PPPoE Request-dialin Configure the Fast Ethernet WAN InterfacesConfigures the PPPoE client and specifies Protocol l2tp pppoe Configure the Dialer Interface Dialer pool number Configure Network Address TranslationPpp authentication protocol1 protocol2 Dialer-group group-number Permitted by access list acl1 to be translated to one Enables dynamic translation of addresses onBy the access list 1 to be translated to one Enables the configuration changes just made to Ip nat inside outside Access-list access-list-number deny permitRouterconfig# access-list 1 permit Source source-wildcard Configuration Example Router# show ip nat statistics Id 1 access-list 1 interface Dialer0 refcount Queued Packets OL-14210-01 Configuring PPP over ATM with NAT PPP over ATM with NAT PPPoA Using a dialer group controls access to Sets the PPP authentication methodAuthentication Protocol Chap Specifies that the IP address for the dialer Command Reference, Volume 1 of 4 Routing Configure the ATM WAN Interface Attribute Description Default Value Configure DSL Signaling ProtocolConfiguring Adsl Dsl lom integer Dsl enable-training-log Pool1 Permitted by access list acl1 to be translated toOne of the addresses specified in the NAT pool Reference, Volume 1 of 4 Addressing 0.255 ATM0 Configuring a LAN with Dhcp and VLANs Dhcp Dotted-decimal domain name Configure DhcpVLANs Global configuration mode Enters Dhcp pool configuration mode. The nameExits Dhcp configuration mode, and enters Creates a Dhcp address pool on the router Ip dhcp pool Verify Your Dhcp ConfigurationRouter# show ip dhcp import Server statistics Vlan vlan-id media type name vlan-name Configure VLANsVlan database Exits interface mode and returns to privileged Assign a Switch Port to a VlanVerify Your Vlan Configuration Exec mode Router# show vlan-switch Vlan Said MTU Configuring a VPN Using Easy VPN and an IPsec Tunnel Remote Access VPN Using IPsec Tunnel Cisco Easy VPN Configure the IKE Policy Configure Group Policy Information Apply Mode Configuration to the Crypto Map Enable Policy Lookup Configure IPsec Transforms and Protocols Configure the IPsec Crypto Method and Parameters Crypto map map-name seq-num ipsec-isakmp Apply the Crypto Map to the Physical InterfaceReverse-route Dynamic dynamic-map-name discover Create an Easy VPN Remote Configuration Crypto map map-name Ezvpn ezvpnclient outside Verifying Your Easy VPN ConfigurationCrypto ipsec client ezvpn name outside inside Router# show crypto ipsec client ezvpn Crypto ipsec client ezvpn ezvpnclient connect auto OL-14210-01 Site-to-Site VPN Using an IPsec Tunnel and GRE VPNs Configure a VPNGRE Tunnels Configure the IKE Policy Domain name Configure Group Policy InformationIp local pool default poolname Low-ip-address high-ip-address Enable Policy Lookup Configure IPsec Transforms and Protocols Creates a dynamic crypto map entry, and enters Configure the IPsec Crypto Method and ParametersSpecifies global lifetime values used when Apply the Crypto Map to the Physical Interface Map Configure a GRE Tunnel 192.168.101.1 Enters ACL configuration mode for the named Tunnel interface must be configured toExits interface configuration mode, and returns to Access-list-name ACL that is used by the crypto map Set transform-set set1 match address No cdp run OL-14210-01 Configuring a Simple Firewall Fast Ethernet LAN interface the inside interface for NAT Details about this command Configure Access ListsCreates an access list which prevents Internet Creates an access list that allows network traffic Configure Inspection Rules Apply Access Lists and Inspection Rules to Interfaces Routerconfig-if# ip access-group 103 Ip nat outside no cdp enable Configuring a Wireless LAN Connection 1shows a wireless network deployment Equivalent Privacy WEP cannot use Configure the Root Radio StationFor clients Bridges for more details Sets the permitted authentication methods for a Creates a Service Set ID SSID, the publicName of a wireless network User attempting access to the wireless LAN Configure Bridging on VLANs Bridge-group parameter Configure Radio Station SubinterfacesBridge-group number Enabled, the following commands are Disables the Cisco Discovery Protocol CDPOn the wireless interface Automatically enabled, and cannot be No bridge-group 2 unicast-flooding No ip address bridge-group Configuring Additional Features and Troubleshooting Page Additional Configuration Options 10-1 10-2 11-1 Configuring Security FeaturesAuthentication, Authorization, and Accounting Configuration Commands Configuring AutoSecureConfiguring Access Lists ACL Type Ip access-groupaccess-list-number access-list-nameinout Configuring a Cbac FirewallAccess Groups Ip inspect name inspection-name protocol timeout seconds 11-4 Configuring Cisco IOS Firewall IDSConfiguring VPNs Before Contacting Cisco or Your Reseller TroubleshootingGetting Started 12-1 Ping atm interface Command Adsl TroubleshootingATM Troubleshooting Commands 12-2 Show interface Command 12-3 12-4 Shutdown commandOutput Cause Field Description Show atm interface CommandDebug atm Commands 12-5 Router# debug atm events Router# Router# debug atm errors ATM errors debugging is on Router#12-6 12-7 Example 12-6 Viewing ATM Interface Processor Events-Failure Router# debug atm packet Router# 012348ATM0O Software Upgrade Methods12-8 12-9 Recovering a Lost PasswordChange the Configuration Register Router# show version 12-10 Rommon 2 confreg Router# show startup-config Reset the Password and Save Your ChangesReset the Configuration Register Value Router# copy running-config startup-config 12-12 Reference Information Page PC Operating System Software Configuring the Router from a PCCisco IOS Software Basic Skills Understanding Command Modes As interface atm Ctrl-Z Router rip, from Enable Secret Passwords and Enable PasswordsGetting Help Entering Global Configuration Mode Using Commands Undoing Commands Saving Configuration ChangesAbbreviating Commands Command-Line Error Messages Where to Go Next Summary OL-14210-01 Concepts Adsl Network Protocols Routing Protocol Options PPP Authentication Protocols PAP ATM for DSL Network InterfacesEthernet Dialer Interface PVC Easy IP Phase PPP Fragmentation and Interleaving QoSIP Precedence Cbwfq Low Latency Queuing Access Lists OL-14210-01 ROM Monitor Configure terminal Enters global configuration modeConfig-reg Resets the configuration register Entering the ROM Monitor ROM Monitor Commands Reload Command Description Command DescriptionsDisaster Recovery with Tftp Download Tftp Download Command Variables Variable Command TFTPTIMEOUT= time Configuration RegisterUsing the Tftp Download Command Retrytimes Rommon 1 confreg Changing the Configuration Register ManuallyChanging the Configuration Register Using Prompts Xmodem -cyrxdestinationfilename Command DescriptionConsole Download Debug Commands Error Reporting Exiting the ROM Monitor Appendix C ROM Monitor Exiting the ROM Monitor OL-14210-01 Common Port Assignments Port Keyword Description Finger See AAL See ARPSee Adsl See ATM See CAR IN-2 See Dhcp IN-3 See LCP IN-4 IN-5 IN-6 See RIPSee NAT IN-7 IN-8