Cisco Systems 7401ASR Configuring IPSec

4-3

Cisco 7401ASR Installation and Configuration Guide

OL-5419-01 B0

Chapter4 Configuring the VPN Accele rat ion Module Configuration Tasks

Configuring IPSec

After you have completed IKE configuration, configure IPSec at each participating IPSec peer. This

section contains basic steps to configure IPSec and includes the tasks discussed in the following sect ions:

•Creating Crypto Access Lists, page 4-3

•Defining Transform Sets, page 4-4

•Creating Crypto Map Entries, page 4-5

•Verifying the Configuration, page 4-6

For detailed information on configuring IPSec, refer to the “Configuring IPSec Network Security”

chapter in the Security Configuration Guide publication.

Creating Crypto Access Lists

Crypto access lists define which IP traffic will be protected by encryption.

Note IKE uses UDP port 500. The IPSec Encapsulation Security Prot ocol (E SP) a nd A uthe nti cat ion He ad er

(AH) protocols use protocol numbers 50 and 51. Ens ure t h at y our int erfa ce a c cess l ist s ar e co nfigur ed

so that protocol numbers 50, 51, and UDP port 500 traffic are not blocked at interfaces used by IPSec.

In some cases you might need to add a statement to your access lists to explicitly permit this traffic.

To create crypto access lists, use the following commands in global configuration m ode:

For detailed information on configuring access lists, refer to the “Configuring IPSec Network Security”

chapter in the Security Configuration Guide publication.

Step Command Purpose

Step1 access-list access-list-number {deny |

permit} protocol source

source-wildcard destination

destination-wildcard [log]

or

ip access-list extended name

Specifies conditions to determine which IP

packets are protected.1 (Enable or disable

encryption for traffic that matches these

conditions.)

We recommend that you configure “mirror

image” crypto access lists for use by IPSec and

that you avoid using the any keyword.

1. You specify conditions using anIP access list designated by either a number or a name. The access-list command designates

a numbered extended access list; the ip access-list extended command designates a named access list.

Step2 Add permit and deny statements as

appropriate. Adds permit or deny statements to access lists.

Step3 end Exits the configuration command mode.

Contents

Main Page CONTENTS Page Page Page Page Page Preface Audience Organization Document Conventions Page xii Warning Definition xiii xiv Terms and Acronyms Page Related Documentation Obtaining Documentation Cisco.com Ordering Documentation Documentation Feedback Obtaining Technical Assistance Cisco Technical Support Website Submitting a Service Request Definitions of Service Request Severity Obtaining Additional Publications and Information Overview and Parts Installation Hardware Overview Front View LEDs Rear View System Board System Management Functions Checking the Shipping Container Contents Installation Checklist Installing the CompactFlash Disk, GBIC, and Port Adapter Installing and Removing the CompactFlash Disk Installing and Removing the Gigabit Interface Converter Page Installing and Removing a Port Adapter or Service Adapter Replacing the SDRAM DIMM Removing the Cover Removing and Installing the SDRAM DIMM Replacing the Cover Rack-Mounting, Tabletop Installation, and Cabling Preparing to Install the Cisco 7401ASR Router Tools and Parts Required Electrical Equipment Guidelines Safety Guidelines Preventing Electrostatic Discharge Damage Electrostatic Discharge Prevention Site Requirement Guidelines Installing the Router General Tabletop or Workbench Installation Rack-Mounting a Cisco 7401ASR Router Attaching the Chassis Rack-Mount and Cable-Management Bracke ts Installing Rack-Mount Brackets on the Front of the Chassis Attaching the Cable-Management Bracket Installing Rack-Mount Brackets on the Rear of the Chassis Installing the Chassis in the Rack Two-Post Rack Installation Four-Post Rack Installation Attaching a Chassis Ground Connection Page Connecting Port Adapter Cables Connecting I/O Cables Connecting Console and Auxiliary Port Cables 1 3 Connecting Native Gigabit Ethernet and Fast Ethernet/Ethernet Cables 4 5 Attaching the Fast Ethernet/Ethernet 10/100 Cables Intra-Building Lightning Protection Attaching the GBIC Interface Cables Attaching Multimode and Single-Mode Optical Fiber Cables Page Mode-Conditioning Patch Cord Description Page Attaching the Mode-Conditioning Patch Cord / / / / / / Attaching the Alarm Port Cable Using the Cable-Management Bracket Connecting Power Connecting AC-Input Power Connecting DC-Input Power Page Page Starting and Configuring Functional Overview Chassis Slot and Logical Interface Numbering Page MAC Address Online Insertion and Removal Environmental Monitoring and Reporting Functions Environmental Monitoring Reporting Functions Page 3-7 With a single 24V DC power supply installed: With a single 48V DC power supply installed: Fan Failures Checking Conditions Prior to System Startup Starting the System and Observing Initial Conditions Configuring a Cisco 7401ASR Router Performing a Basic Configuration Using AutoInstall Performing a Basic Configuration Using the Setup Facility Configuring Global Parameters Page Page Configuring the Native Gigabit Ethernet and Fast Ethernet/Ethernet Interfaces Changing the Media Type Debugging Resetting the Interface Clearing Counters Configuring Port Adapter Interfaces Configuring ATM Interfaces Configuring Fast Ethernet Interfaces Configuring Synchronous Serial Interfaces 3-19 Performing a Basic Configuration Using Global Configuration Mode Saving the Running Configuration to NVRAM Checking the Running Configuration Settings Performing Other Configuration Tasks Replacing or Recovering a Lost Password Overview of the Password Recovery Procedure Details of the Password Recovery Procedure Page Viewing Your System Configuration 3-26 Performing Complex Configurations Page Configuring the VPN Acceleration Module Overview Configuration Tasks Using the EXEC Command Interpreter Configuring IKE Configuring IPSec Creating Crypto Access Lists Defining Transform Sets Creating Crypto Map Entries Verifying the Configuration 4-7 Page Troubleshooting Troubleshooting Overview Problem Solving Using a Subsystems Approach Identifying Startup Problems Troubleshooting the Power Subsystem Troubleshooting the Cooling Subsystem Troubleshooting the I/O Subsystem Troubleshooting the Processor Subsystem Troubleshooting the Port Adapter or Service Adapter Upgrading the Boot Helper (Boot Loader) Image PXF Troubleshooting Information Page Page A Specifications System Specifications Software Requirements Processor Specifications Memory Specifications and Configurations Gigabit Ethernet GBIC Configurations and Port and Cabling Specifications GBIC Cabling and Connection Equipment GBIC-SX or WS-G5484 GBIC-LX/LH or WS-G5486 GBIC-ZX or WS-G5487 Fast Ethernet/Ethernet RJ-45 Port Pinouts 3 34 5 Console and Auxiliary Port Signals and Pinouts Alarm Port Lithium Battery Caution Page B PXF Information Using show Commands B-2 Using the show version Command B-3 Using the show c7400 Command Use the show c7400 command to obtain information about the router. Using the show pxf Commands B-4 show pxf interface show pxf feature ? Sample output for these commands follows. Using the show pxf accounting ? Command and Subcommands The following is an example of the show pxf accounting ? command with sample output: The following is an example of the show pxf accounting summary command with sample output: B-5 The following is an example of the show pxf accounting interface command with sample output: Using the show pxf crash Command The following is an example of the show pxf crash command with sample output: B-6 Using the show pxf info Command The following is an example of the show pxf info command with sample output: Using the show pxf interface Command Using the show pxf feature ? Command and Subcommands The following is an example of the feature-specific show pxf feature ? command with sample output: B-7 show pxf feature cef ? show pxf feature nat ? Router# show pxf feature nat entry Router# show pxf feature nat stat Page C Using the CompactFlash Disk Hardware and Software Requirements Tools and Parts Required Product Description Compatibility Requirements System Memory and Software Image Functions and Interactions Boot Environment Variables Sample Upgrade Process Working with a CompactFlash Disk Software Command Overview Using Software Commands Using the cd Command Using the show Command Using the pwd Command Using the dir Command Using the format Command Using the mkdir Command Using the rmdir Command Using the delete Command Enabling Booting from a CompactFlash Disk Making a CompactFlash Disk-Based Software Image the Bootable Software Image Page D Configuration Register Information Configuration Bit Meanings Bits 03 Bit 6 Bit 7 Bit 8 Bit 10 and Bit 14 Bit 11 and Bit 12 Bit 13 D-5 Displaying the Configuration Register While Running Cisco IOS Displaying the Configuration Register While Running ROM Monitor Setting the Configuration Register While Running Cisco IOS Setting the Configuration Register While Running ROM Monitor D-7 Page INDEX A B C Page D E F G H I K L M N O P R S T V W