Manuals / Cisco Systems / Power Tools / Router

Cisco Systems C819GUK9, C819HG4GVK9 manual Site-to-Site VPN, Library, Cisco IOS Release 12.4T

Models: C819GUK9

1 196

Download 196 pages 51.42 Kb

Page 100

Site-to-Site VPN

Chapter 9 Configuring Security Features

Configuring VPN

After the IPSec server has been configured, a VPN connection can be created with minimal configuration on an IPSec client, such as a supported Cisco 819 ISR. When the IPSec client initiates the VPN tunnel connection, the IPSec server pushes the IPSec policies to the IPSec client and creates the corresponding VPN tunnel connection.

Note The Cisco Easy VPN client feature supports configuration of only one destination peer. If your application requires the creation of multiple VPN tunnels, you must manually configure the IPSec VPN and Network Address Translation/Peer Address Translation (NAT/PAT) parameters on both the client and the server.

Cisco 819 ISRs can be also configured to act as Cisco Easy VPN servers, letting authorized

Cisco Easy VPN clients establish dynamic VPN tunnels to the connected network. For information on the configuration of Cisco Easy VPN servers, see the Easy VPN Server feature document.

Site-to-Site VPN

The configuration of a site-to-site VPN uses IPSec and the generic routing encapsulation (GRE) protocol to secure the connection between the branch office and the corporate network. Figure 9-2shows a typical deployment scenario.

Figure 9-2 Site-to-Site VPN Using an IPSec Tunnel and GRE

8

	3		6
2	4	5	7

Internet

1

9

121783

1	Branch office containing multiple LANs and VLANs

2	Fast Ethernet LAN interface—With address 192.165.0.0/16 (also the inside interface for NAT)

3	VPN client—Cisco 819 ISR

4	Fast Ethernet —With address 200.1.1.1 (also the outside interface for NAT)

5	LAN interface—Connects to the Internet; with outside interface address of 210.110.101.1

6	VPN client—Another router, which controls access to the corporate network

7	LAN interface—Connects to the corporate network, with inside interface address of 10.1.1.1

8	Corporate office network

9	IPSec tunnel with GRE

For more information about IPSec and GRE configuration, see Secure Connectivity Configuration Guide

Library, Cisco IOS Release 12.4T.

Cisco 819 Series Integrated Services Routers Software Configuration Guide

9-6	OL-23590-02

Image 100

Cisco Systems C819GUK9, C819HG4GVK9 manual Site-to-Site VPN, Library, Cisco IOS Release 12.4T

Contents

Americas Headquarters Cisco Systems, Inc 170 West Tasman Drive San Jose, CA800 553-NETS Fax 408 Text Part Number OL-23590-02 September 2THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS Information Needed for Configuration New FeaturesWLAN Features Wireless Device OverviewConfiguring a Cellular Interface Prerequisites for Configuring the 3G Wireless InterfaceConfiguring DDR Verifying ConfigurationIgnoring DCD and Monitoring DSR as Line Up/Down Indicator Configuration ExamplesInterface Enablement Configuration Examples Configuring Security FeaturesConfigure the IKE Policy Create a Cisco Easy VPN Remote ConfigurationConfigure a Site-to-Site GRE Tunnel Configuring the Ethernet SwitchesConfigure the Virtual Private Dialup Network Group Number Configuring VLANsConfiguring 802.1x Authentication Configuration TasksEntering Global Configuration Mode A-5 Configure the IKE PolicyConfigure Group Policy Information Understanding Command ModesChanging the Configuration Register Manually C-11 Changing the Configuration Register Using Prompts C-11Backup Interface ROM Monitor CommandsContents OL-23590-02General Description, page SKU Information, page New Features, page Product OverviewGeneral Description C H A P T E RFigure 1-1 Cisco 819HG Integrated Services Router Figure 1-2 Cisco 819HGW Integrated Services RouterChapter 1 Product Overview General Description OL-23590-02New Features 3G Features3G Features, page WLAN Features, page 4G LTE Features, page Platform Features, page Security Features, pagePlatform Features WLAN FeaturesSecurity Features Wireless Device Overview ScanSafeScanSafe, page TFTP support with Ethernet WAN interface, page LEDs, pageTFTP support with Ethernet WAN interface LEDsColor Descriptionshow platform led for all LEDs show controller cellular 0 for 3G LEDs ColorDescription 3G LED Descriptions continuedChapter 2 Wireless Device Overview LEDs router# show controllers cellularWireless Local Area Network WLAN FeaturesDual-Radio, page Images Supported, page CleanAir Technology, page Dual-RadioCleanAir Technology Images SupportedDynamic Frequency Selection LEDsWLAN LED ColorDescription WLAN LED DescriptionsChapter 3 Wireless Local Area Network WLAN Features OL-23590-024G LTE Wireless WAN C H A P T E RChapter 4 4G LTE Wireless WAN OL-23590-02Basic Router Configuration Interface Ports, page Default Configuration, pageInformation Needed for Configuration, page Configuring Command-Line Access, pageDefault Configuration Interface PortsRouter InterfaceInformation Needed for Configuration 3G-ACC-OUT-LA-See Cisco 3G Lightning Arrestor 3G-ACC-OUT-LA If you are setting up IP routingConfiguring Command-Line Access 1. line aux console tty vty line-number 2. password password3. login 4. exec-timeout minutes secondsCommand DETAILED STEPSPurpose ExampleExample CommandPurpose ExampleConfiguring Global Parameters configure terminalenable secret password hostname nameConfiguring WAN Interfaces Configuring a Gigabit Ethernet WAN InterfaceConfiguring a Gigabit Ethernet WAN Interface, page Configuring the Cellular Wireless WAN Interface, pageConfiguring the Cellular Wireless WAN Interface CommandEnters the configuration mode for a Gigabit Enables the Ethernet interface, changing itsRestrictions for Configuring the Cellular Wireless Interface Prerequisites for Configuring the 3G Wireless Interface5-11 Verifying Signal Strength and Service Availability Verifying Signal Strength and Service Availability, pageConfiguring a GSM Modem Data Profile, page Command or ActionConfiguring a GSM Modem Data Profile 5-13Command or Action Command or Actionauthentication Type of authentication, for example, CHAP, PAPUsername provided by your service provider PasswordActivating with Over-the-Air Service Provisioning cellular cdma activate iotarouter # cellular 0 cdma activate otasp phonenumber 5-15Configuring a Cellular Interface 1. configure terminal 2. interface cellular 3. encapsulation ppp4. ppp chap hostname hostname 5. ppp chap password 0 password 6. asynchronous mode interactive 7. ip address negotiatedConfiguring DDR 1. configure terminal 2. interface cellular 3. dialer in-band4. dialer idle-timeout seconds 5. dialer string string 9. ip access-list access list number permit ip source address5-18 Command or ActionDETAILED STEPS Purpose5-19 Command or ActionPurpose ExampleExamples for Configuring Cellular Wireless Interfaces Basic Cellular Interface ConfigurationBasic Cellular Interface Configuration, page Tunnel over Cellular Interface Configuration, pageTunnel over Cellular Interface Configuration Configuration for 8705 modem5-21 Chapter 5 Basic Router Configuration Configuring WAN InterfacesConfiguring Dual SIM for Cellular Networks Syntax5-22 CommandConfiguring Router for Image and Config Recovery Using Push Button 5-23Command SyntaxOutput When Button Is Not Pushed Example Output When Button Is Pushed ExampleROMMON Behavior IOS BehaviorConfiguring a Loopback Interface Configuring the Fast Ethernet LAN InterfacesPush Button in WLAN AP 3. exitVerifying Configuration Enters configuration mode for the loopbackExits configuration mode for the loopback interface and returns to global configurationConfiguring Static Routes For details about this command and aboutIOS IP Routing Protocol-Independent Command Exits router configuration mode and entersConfiguring Dynamic Routes Verifying ConfigurationConfiguring Routing Information Protocol, page Configuring Enhanced Interior Gateway Routing Protocol, pageConfiguring Routing Information Protocol router rip2. version 1 3. network ip-addressConfiguring Enhanced Interior Gateway Routing Protocol 1. router eigrp as-number2. network ip-address 3. end5-31 Verifying ConfigurationCommand ExampleChapter 5 Basic Router Configuration Configuring Dynamic Routes 5-32OL-23590-02 Configuring Backup Data Lines and Remote Management Configuring Backup InterfacesConfiguring Backup Interfaces, page Configuring Cellular Dial-on-Demand Routing Backup, page2. backup interface interface-type interface-number 1. interface type numberCommand SUMMARY STEPSConfiguring Cellular Dial-on-Demand Routing Backup Configuring DDR Backup Using Dialer Watch1. configure terminal 6. ip access-list access list number permit ip source addressCommand or Action DETAILED STEPSPurpose ExampleConfiguring DDR Backup Using Floating Static Route Cellular Wireless Modem as Backup with NAT and IPsec Configuration1. configure terminal Command or ActionConfiguring Cellular Dial-on-Demand Routing Backup Chapter 6 Configuring Backup Data Lines and Remote Managementno aaa new-model Configuring Cellular Dial-on-Demand Routing Backup Chapter 6 Configuring Backup Data Lines and Remote ManagementOL-23590-02 line con no modem enable line aux 0 line exec-timeout 0 0 script dialer gsm loginline vty 0 4 login route-map track-primary-if permit 10 match ip address1 A Cisco 819 router15. modem enable 16. exit 1. ip name-server server-address 2. ip dhcp pool name 3. exit4. chat-script script-name expect-send 5. interface type number 6. exitsection on page 6-11Command DETAILED STEPSExits the interface configuration mode Enables dynamic translation of addresses on thea default gateway Defines an extended access list that indicates6-13 CommandChapter 6 Configuring Backup Data Lines and Remote Management modem enable6-14 Chapter 6 Configuring Backup Data Lines and Remote Management6-15 Chapter 6 Configuring Backup Data Lines and Remote Managementno ip http server ip pim bidir-enable OL-23590-02Chapter 6 Configuring Backup Data Lines and Remote Management 6-16OL-23590-02 Environmental and Power Management C H A P T E RCisco EnergyWise Support Configuring the Serial Interface Legacy Protocol Transport, page Configuring Serial Interfaces, pageInformation About Configuring Serial Interfaces, page How to Configure Serial Interfaces, page Configuration Examples, pageConfiguring Serial Interfaces Connector TypeLegacy Protocol Transport Product NumberInformation About Configuring Serial Interfaces Keepalive Timer, page Frame Relay Encapsulation, pageCisco HDLC Encapsulation PPP EncapsulationKeepalive Timer Multilink PPPFrame Relay Encapsulation Chapter 8 Configuring the Serial InterfaceInformation About Configuring Serial Interfaces OL-23590-02How to Configure Serial Interfaces Configuring a Synchronous Serial InterfaceConfiguring a Synchronous Serial Interface, page Configuring Low-Speed Serial Interfaces, pageConfiguring Compression of HDLC Data, page 8-9 Optional Using the NRZI Line-Coding Format, page 8-9 OptionalInverting the Transmit Clock Signal, page 8-10 Optional Setting Transmit Delay, page 8-11 OptionalConfiguring PPP Configuring BisyncCommand CommandConfiguring Compression of HDLC Data Using the NRZI Line-Coding Format1. encapsulation hdlc 2. compress stac 1. nrzi-encodingInverting the Transmit Clock Signal Enabling the Internal Clock1. transmit-clock-internal 1. invert txclock 2. invert rxclockSetting Transmit Delay Configuring DTR Signal PulsingIgnoring DCD and Monitoring DSR as Line Up/Down Indicator 8-111. dce-terminal-timing enable Configures the DCE to use SCTE from the DTESpecifying the Serial Network Interface Module Timing 1. ignore-dcd1. dte-invert-txc 8-13Command or Action Chapter 8 Configuring the Serial InterfaceConfiguring Low-Speed Serial Interfaces Understanding Half-Duplex DTE and DCE State MachinesHalf-Duplex DTE State Machines Understanding Half-Duplex DTE and DCE State Machines, page8-15 Half-Duplex DCE State MachinesHalf-Duplex DTE Receive State Machine 8-16 Half-Duplex DCE Transmit State MachinePlacing a Low-Speed Serial Interface in Constant-Carrier Mode 1. no half-duplex controlled-carrier8-17 Command or ActionTuning Half-Duplex Timers sdlc cts-delay sdlc rts-timeoutChanging Between Synchronous and Asynchronous Modes 1. physical-layer sync asyncConfiguration Examples Interface Enablement Configuration Examples1. no physical-layer 8-19Half-Duplex Timers Example Half-Duplex Timers Example, pageLow-Speed Serial Interface Examples Synchronous or Asynchronous Mode ExamplesConfiguring Security Features Authentication, Authorization, and AccountingAuthentication, Authorization, and Accounting, page Configuring AutoSecure, page Configuring Access Lists, pageConfiguring AutoSecure Configuring Access ListsConfiguration Commands access-list 1-99permit deny source-addr source-maskAccess Groups Configuring Cisco IOS Firewallip inspect name inspection-name protocol timeout seconds Configuring Cisco IOS IPS Configuring VPNRemote Access VPN, page Site-to-Site VPN, page Configuration Examples, pageRemote Access VPN Site-to-Site VPN Library, Cisco IOS Release 12.4TConfiguration Examples Configure a VPN over an IPSec TunnelConfigure the IKE Policy Configure the IKE Policy, pageCommand or Action MD5 algorithm. The default is Secure HashSpecifies the authentication method used in the Exits IKE policy configuration mode and entersConfigure Group Policy Information 1. crypto isakmp client configuration group group-name default6. ip local pool default poolname low-ip-address high-ip-address 2. key nameApply Mode Configuration to the Crypto Map Technologies Command Reference1. crypto map map-name isakmp authorization list list-name 2. crypto map tag client configuration address initiate respondEnable Policy Lookup 2. aaa authentication login default list-name method1 method2details, see Securing User Services Configuration IOS Security Command ReferenceConfigure IPSec Transforms and Protocols Configure the IPSec Crypto Method and ParametersConfigures IPSec profile to apply protection on See Secure Connectivity Configuration Guidecrypto map configuration mode See Cisco IOS Security Command Reference formore details about this command Returns to global configuration modeWhere to Go Next Enters the interface configuration mode for theApply the Crypto Map to the Physical Interface 2. crypto map map-name 3. exitCreate a Cisco Easy VPN Remote Configuration Creates a Cisco Easy VPN remote configurationand enters Cisco Easy VPN remote configuration hostname resolutionConfiguration Example 9-16Command or Action PurposeConfigure a Site-to-Site GRE Tunnel 4. tunnel destination default-gateway-ip-address7. ip access-list standard extended access-list-name 3. tunnel source interface-type numbertunnel interface must be configured to Exits interface configuration mode and returns toEnters ACL configuration mode for the named Creates a tunnel interface and enters interfaceReturns to global configuration mode Specifies that only GRE traffic is permitted on theoutbound interface 9-19Chapter 9 Configuring Security Features Configuring VPN 9-20hash md5 authentication pre-share crypto isakmp key cisco123 address Configuring the Ethernet Switches Switch Port Numbering and NamingRestrictions for the FE Switch Switch Port Numbering and Naming, pageInformation About Ethernet Switches Layer 2 Ethernet Switching802.1x Authentication VLANs and VLAN Trunk Protocol, page Layer 2 Ethernet Switching, pageSwitched Port Analyzer Overview of SNMP MIBsIGMP Snooping Storm ControlBRIDGE-MIB for Layer 2 Ethernet Switching Routerconfig#snmp-server community public RWMIBs MIBs LinkMAC Address Notification 10-5Routerconfig#Routersnmp-server group public v2c context bridge-group Routerconfig#snmp-server community public RWHow to Configure Ethernet Switches Configuring VLANsConfiguring VLANs, page Configuring Layer 2 Interfaces, page Configuring 802.1x Authentication, pageConfiguring Layer 2 Interfaces switchport mode dynamic desirableVLANs on the GE Port ComandConfiguring Spanning Tree Protocol Configuring 802.1x Authentication10-8 Configuring MAC Table Manipulation Configuring Cisco Discovery ProtocolManipulation Port SecurityConfiguring the Switched Port Analyzer Configuring IP Multicast Layer 3 SwitchingConfiguring IGMP Snooping Configuring Per-Port Storm ControlConfiguring Fallback Bridging 10-11Managing the Switch 10-1211-1 Configuring PPP over Ethernet with NATC H A P T E R Configuration Tasks Configure the Virtual Private Dialup Network Group NumberConfigure the Virtual Private Dialup Network Group Number, page Configure the Fast Ethernet WAN Interfaces, pageConfigure the Fast Ethernet WAN Interfaces 11-3Command or Action DETAILED STEPSConfigure the Dialer Interface Enters interface configuration mode for aConfigures the PPPoE client and specifies the Enables the Fast Ethernet interface and the5. ppp authentication protocol1 protocol2 6. dialer pool number Command Reference1. interface dialer dialer-rotary-group-number 2. ip address negotiated 3. ip mtu bytesConfigure Network Address Translation Using a dialer group controls access toExits the dialer 0 interface configuration For details about this command and additional3. interface type number 4. ip nat inside outside 5. no shutdown 6. exit8. ip nat inside outside 9. no shutdown 10. exit 11-7by the access list 1 to be translated to one of the permitted by access list acl1 to be translated to oneCommand Reference, Volume 1 of 4 Addressing and ServicesConfiguration Example Enters configuration mode for the Fast EthernetDefines a standard access list indicating which WAN interface FE4 to be the outside interface11-10 Chapter 11 Configuring PPP over Ethernet with NATConfiguration Example vpdn enable vpdn-group 1 request-dialin protocol pppoeVerifying Your Configuration 11-11Chapter 11 Configuring PPP over Ethernet with NAT Configuration Example11-12 Chapter 11 Configuring PPP over Ethernet with NATConfiguration Example OL-23590-02Configuring a LAN with DHCP and VLANs DHCP12-1 C H A P T E RConfigure DHCP Configure DHCP, page Configure VLANs, page7. default-router address address2...address8 VLANsIdentifies the default domain that the router uses to resolutionenters DHCP pool configuration mode. The name Specifies up to eight default routers for a DHCPVerify Your DHCP Configuration Exits DHCP configuration mode and enters globalSpecifies up to eight DNS servers available to a DHCP clientConfigure VLANs 1. vlan ? 2. ISL VLAN ID 3. exit12-5 Chapter 12 Configuring a LAN with DHCP and VLANs Configuration TasksAssign a Switch Port to a VLAN Services Command Reference1. interface switch port id 2. switchport access vlan vlan-id 3. endVerify Your VLAN Configuration Specifies the switch port that you want to assignto the VLAN Assigns a port to the VLAN12-8 Chapter 12 Configuring a LAN with DHCP and VLANs Configuration TasksCisco 819 Integrated Services Routers Software Configuration Guide Router# vlan database12-9 Chapter 12 Configuring a LAN with DHCP and VLANs Configuration TasksRouter# show vlan-switch OL-23590-0212-10 Chapter 12 Configuring a LAN with DHCP and VLANs Configuration TasksCisco 819 Integrated Services Routers Software Configuration Guide OL-23590-0213-1 Configuring a VPN Using Easy VPN and an IPSec TunnelC H A P T E R 13-2 Cisco Easy VPNFigure 13-1 Remote Access VPN Using IPSec Tunnel Configure the IKE Policy Create an Easy VPN Remote Configuration, page13-3 Configuration TasksThe example specifies 168-bit data encryption standard SHA-1The example specifies a pre-shared key Specifies the Diffie-Hellman group to be used inConfigure Group Policy Information 13-51. crypto isakmp client configuration group group-name default 6. ip local pool default poolname low-ip-address high-ip-addressApply Mode Configuration to the Crypto Map 13-6Command or Action Technologies Command ReferenceEnable Policy Lookup 13-72. aaa authentication login default list-name method1 method2 Command or ActionConfigure IPSec Transforms and Protocols Configure the IPSec Crypto Method and Parameters13-8 Command or Action13-9 Command or Actioncrypto map configuration mode See Cisco IOS Security Command Reference forCreate an Easy VPN Remote Configuration Apply the Crypto Map to the Physical Interface2. group group-name key group-key 3. peer ipaddress hostname 13-10remote configuration applied this command would be interface atm6. interface type number 7. crypto ipsec client ezvpn name outside inside 8. exitVerifying Your Easy VPN Configuration 13-12Configuration Example Command or Action13-13 Chapter 13 Configuring a VPN Using Easy VPN and an IPSec TunnelConfiguration Example OL-23590-0213-14 Chapter 13 Configuring a VPN Using Easy VPN and an IPSec TunnelConfiguration Example Cisco 819 Integrated Services Routers Software Configuration GuideConfiguring the Router from a PC Configuring the Router from a PC, page A-1Understanding Command Modes, page A-2 Getting Help, page A-4 Enable Secret Passwords and Enable Passwords, page A-5PC Operating System Understanding Command ModesTerminal Emulation Software Access Method the “Enable Secret Passwords andEnable Passwords” procedure on ModeGetting Help router rip-fromAccess Method ModeEnable Secret Passwords and Enable Passwords Entering Global Configuration ModeUsing Commands Abbreviating CommandsUndoing Commands Command-Line Error MessagesWhere to Go Next Saving Configuration ChangesSummary Cisco 819 Integrated Services Routers Software Configuration Guide Appendix A Cisco IOS Software Basic Skills Where to Go NextOL-18906-02 PPP Authentication Protocols, page B-3 TACACS+, page B-4 Ethernet, page B-4 Dial Backup, page B-5 NAT, page B-6Easy IP Phase 1, page B-6 Easy IP Phase 2, page B-7 QoS, page B-7 Access Lists, page B-9Routing Updates Routing Protocol OptionsProtocol Ideal TopologyPPP Authentication Protocols Enhanced IGRPEthernet TACACS+CHAP Dial Backup Backup InterfaceBackup Interface, page B-5 Floating Static Routes, page B-5 Floating Static RoutesEasy IP Phase CBWFQ, page B-8 RSVP, page B-8 Low Latency Queuing, page B-9 IP Precedence, page B-8 PPP Fragmentation and Interleaving, page B-8Easy IP Phase IP Precedence PPP Fragmentation and InterleavingCBWFQ RSVPAccess Lists Low Latency QueuingAppendix B Concepts Access Lists B-10OL-18906-02 Entering the ROM Monitor, page C-1 ROM Monitor Commands, page C-2 Command Descriptions, page C-3Disaster Recovery with TFTP Download, page C-3 Configuration Register, page C-10 Console Download, page C-12ROM Monitor Commands exitreload Descriptions” section on page C-3Command Descriptions Disaster Recovery with TFTP Downloadreset or Configuration Fundamentals and Network Management GuideTFTP Download Command Variables Required VariablesVariable CommandUsing the TFTP Download Command Optional VariablesCommand VariableExamples Cisco 819 Integrated Services Routers Software Configuration Guide Appendix C ROM Monitor Disaster Recovery with TFTP DownloadOL-18906-02 Appendix C ROM Monitor Disaster Recovery with TFTP Download Cisco 819 Integrated Services Routers Software Configuration GuideAppendix C ROM Monitor Disaster Recovery with TFTP DownloadOL-18906-02 Configuration Register C-10Appendix C ROM Monitor Configuration Register Cisco 819 Integrated Services Routers Software Configuration GuideChanging the Configuration Register Using Prompts Changing the Configuration Register ManuallyC-11 Command Description recognize it, the name of the configuration file must be routerconfgConsole Download xmodem -cyrx destinationfilenameError Reporting Debug CommandsC-13 Exiting the ROM Monitor C-14Common Port Assignments A P P E N D I X DPort KeywordPort KeywordDescription Table D-1