Configuration Examples | Cisco Systems C819HG4GVK9, C819GUK9

Chapter 9 Configuring Security Features

Configuring VPN

Configuration Examples

Each example configures a VPN over an IPSec tunnel, using the procedure given in the “Configure a VPN over an IPSec Tunnel” section on page 9-7. Then, the specific procedure for a remote access configuration is given, followed by the specific procedure for a site-to-site configuration.

The examples shown in this chapter apply only to the endpoint configuration on the Cisco 819 ISRs. Any VPN connection requires both endpoints to be configured properly to function. See the software configuration documentation as needed to configure VPN for other router models.

VPN configuration information must be configured on both endpoints. You must specify parameters, such as internal IP addresses, internal subnet masks, DHCP server addresses, and Network Address Translation (NAT).

Configure a VPN over an IPSec Tunnel

Perform the following tasks to configure a VPN over an IPSec tunnel:

•Configure the IKE Policy, page 9-7

•Configure Group Policy Information, page 9-9

•Apply Mode Configuration to the Crypto Map, page 9-10

•Enable Policy Lookup, page 9-11

•Configure IPSec Transforms and Protocols, page 9-12

•Configure the IPSec Crypto Method and Parameters, page 9-12

•Apply the Crypto Map to the Physical Interface, page 9-14

•Where to Go Next, page 9-14

Configure the IKE Policy

To configure the Internet Key Exchange (IKE) policy, perform these steps, beginning in global configuration mode:

SUMMARY STEPS

1.crypto isakmp policy priority

2.encryption {des 3des aes aes 192 aes 256}

3.hash {md5 sha}

4.authentication {rsa-sig rsa-encr pre-share}

5.group {1 2 5}

6.lifetime seconds

7.exit

Cisco 819 Series Integrated Services Routers Software Configuration Guide

	OL-23590-02	9-7

Image 101

Cisco Systems C819HG4GVK9, C819GUK9 Configuration Examples, Configure a VPN over an IPSec Tunnel, Configure the IKE Policy

Contents

Text Part Number OL-23590-02 September 2 Americas HeadquartersPage N T E N T S Data Account Provisioning Configuring a Cellular Interface Specifying a Synchronous Serial Interface Create a Cisco Easy VPN Remote Configuration NAT Getting Help TACACS+ OL-23590-02 General Description Product Overview 1shows the Cisco 819HG ISR SKU Information New Features3G Features Security Features Wlan FeaturesPlatform Features ScanSafe Wireless Device Overview Color Description Tftp support with Ethernet WAN interfaceLEDs Rssi Router# show controllers cellular Dual-Radio Wireless Local Area NetworkWlan Features Images Supported CleanAir TechnologyDynamic Frequency Selection LEDs Wlan LED OL-23590-02 4G LTE Wireless WAN OL-23590-02 Basic Router Configuration Router Interface Port Label Default ConfigurationInterface Ports Information Needed for Configuration OL-23590-02 Line aux console tty vty line-number Password password Login Configuring Command-Line Access Example Command Purpose Session login Enables password checking at the virtual terminalExits line configuration mode and returns to Privileged Exec mode Configuring Global Parameters No shutdown Exit Configuring WAN InterfacesConfiguring a Gigabit Ethernet WAN Interface Example Configuring the Cellular Wireless WAN Interface Restrictions for Configuring the Cellular Wireless Interface Prerequisites for Configuring the 3G Wireless Interface Data Account Provisioning Command or Action Purpose Signal strength, the network security, and so on Shows the radio signal strengthDetails about the command parameters Displays the cellular gps information Activation and Provisioning Process Carrier 2lists the modem data profile parametersManual Activation Cellular unit cdma activate manual mdn msid msl Router # cellular 0 cdma activate otasp phonenumber Activating with Over-the-Air Service ProvisioningCellular cdma activate iota Configuring a Cellular Interface Interface cellular Dialer string string Configuring DDR Enables DDR and configures the specified serial Enters global configuration modeSpecifies the number of the dialer access group to Enters the global configuration mode Specifies a default modem chat script Specifies the line configuration mode. It is alwaysExits line configuration mode Configures this line for GSM This section provides the following configuration examples Examples for Configuring Cellular Wireless Interfaces Following shows how to configure an HSPA+ modem Tunnel over Cellular Interface Configuration Command Syntax Description Configuring Dual SIM for Cellular Networks Following command forces the modem to connect to SIM1 Perform the following commands to manually switch the SIMCellular GSM SIM Locks or unlocks the SIM Rommon Behavior IOS Behavior Output When Button Is Not Pushed ExampleOutput When Button Is Pushed Example Push Button in Wlan AP Configuring a Loopback InterfaceConfiguring the Fast Ethernet LAN Interfaces Router# show interface loopback Verifying Configuration Another way to verify the loopback interface is to ping it Configuring Static Routes Example Configuring Dynamic RoutesVerifying Configuration Command Task Configuring Routing Information ProtocolRouter rip Version 1 No auto-summary End Router eigrp as-number Configuring Enhanced Interior Gateway Routing Protocol Be applied, using the IP address of the network Enters router configuration mode and enablesEigrp on the router. The autonomous-system Number identifies the route to other Eigrp routers OL-23590-02 819 Yes Configuring Backup Data Lines and Remote ManagementConfiguring Backup Interfaces Interface for which you want to configure backup Enters interface configuration mode forAssigns an interface as the secondary or backup Be configured to back up a serial 0 interface Configuring DDR Backup Using Dialer Watch Configuring Cellular Dial-on-Demand Routing BackupConfigure terminal Dialer watch group group-number Do not use the access list permit all command to Enables dialer watch on the backup interfaceUsing the chat script command Specifies the interface Configuring DDR Backup Using Floating Static Route No aaa new-model Source-interface Dialer2 Line vty 0 4 login Scheduler max-task-time Webvpn cef end Dial Backup and Remote Management Through the Auxiliary Port Ip name-server server-address Ip dhcp pool name Exit Configure the Dhcp address pool. For Enters Dhcp pool configuration mode. The nameSample commands that you can use in Dhcp Pool configuration mode, see the Example Enters configuration mode for the line interface Exits the configure interface mode Switches the port from console to auxiliary portEnters configuration mode for the auxiliary Enables hardware signal flow control Ppp authentication pap callin PC IP address behind CPE OL-23590-02 Router# show environment Environmental and Power Management Cisco EnergyWise Support Environmental and Power Management Cisco EnergyWise Support WAN Concentration Configuring the Serial Interface Legacy Protocol Transport Configuring Serial InterfacesProduct Number Cable Type Length Connector Type PPP Encapsulation Information About Configuring Serial InterfacesCisco Hdlc Encapsulation Multilink PPP Keepalive Timer Frame Relay Encapsulation Configuring a Synchronous Serial Interface How to Configure Serial InterfacesLMI on Frame Relay Interfaces This section contains the following tasks Specifying Synchronous Serial Encapsulation Configures synchronous serial encapsulationSpecifying a Synchronous Serial Interface Signals Configuring PPPConfigures an Sdlc interface for half-duplex mode Using the Nrzi Line-Coding Format Configuring Compression of Hdlc DataEncapsulation hdlc Compress stac Nrzi-encoding Enabling the Internal Clock Inverting the Transmit Clock SignalTransmit-clock-internal Invert txclock Invert rxclock Ignoring DCD and Monitoring DSR as Line Up/Down Indicator Setting Transmit DelayConfiguring DTR Signal Pulsing Configures the DCE to use Scte from the DTE Dce-terminal-timing enableSpecifying the Serial Network Interface Module Timing Ignore-dcd Dte-invert-txc Specifies timing configuration to invert TXC clock Understanding Half-Duplex DTE and DCE State Machines Configuring Low-Speed Serial Interfaces Half-Duplex DCE State Machines Half-Duplex DCE Transmit State Machine Places a low-speed serial interface Constant-carrier modeNo half-duplex controlled-carrier Physical-layer sync async Sdlc cts-delay Sdlc rts-timeoutChanging Between Synchronous and Asynchronous Modes Interface Enablement Configuration Examples Configuration ExamplesReturns the interface to its default mode, which is No physical-layer Low-Speed Serial Interface Examples Synchronous or Asynchronous Mode ExamplesHalf-Duplex Timers Example Authentication, Authorization, and Accounting Configuring Security Features Configuring Access Lists Configuring AutoSecureConfiguration Commands ACL Type Access Groups Configuring Cisco IOS Firewall URL Filtering Configuring Cisco IOS IPSConfiguring VPN Remote Access VPN Branch office containing multiple LANs and VLANs Site-to-Site VPNVPN client-Cisco 819 ISR Corporate office network Configure the IKE Policy Configuration ExamplesConfigure a VPN over an IPSec Tunnel Command or Action Purpose Domain name Exit Configure Group Policy Information Exits IKE group policy configuration mode Apply Mode Configuration to the Crypto MapFor details about this command and additional Specifies a local address pool for the group Enable Policy Lookup Crypto ipsec profile profile-name Configure IPSec Transforms and ProtocolsConfigure the IPSec Crypto Method and Parameters See Cisco IOS Security Command Reference for Crypto map map-name Exit Where to Go NextApply the Crypto Map to the Physical Interface Crypto ipsec client ezvpn name outside inside Exit Create a Cisco Easy VPN Remote ConfigurationCrypto ipsec client ezvpn name Configuration Example Configure a Site-to-Site GRE Tunnel Creates a tunnel interface and enters interface Returns to global configuration mode No cdp run Switch Port Numbering and Naming Configuring the Ethernet SwitchesRestrictions for the FE Switch 10-1 Information About Ethernet Switches Overview of Snmp MIBs Switched Port AnalyzerIgmp Snooping Storm Control Routerconfig#snmp-server community public RW BRIDGE-MIB for Layer 2 Ethernet SwitchingMIBs MIBs Link 10-4 10-5 MAC Address Notification Configuring VLANs How to Configure Ethernet SwitchesVLANs on the FE Ports 10-6 Switchport mode dynamic desirable Configuring Layer 2 InterfacesVLANs on the GE Port Comand Purpose 10-8 Configuring 802.1x AuthenticationConfiguring Spanning Tree Protocol Configuring Cisco Discovery Protocol Configuring MAC Table ManipulationPort Security 10-9 Configuring IP Multicast Layer 3 Switching Configuring the Switched Port AnalyzerConfiguring Igmp Snooping Configuring Per-Port Storm Control 10-11 Configuring Fallback Bridging 10-12 Managing the Switch 11-1 Configuring PPP over Ethernet with NAT Configure the Virtual Private Dialup Network Group Number Configuration TasksPPPoE 11-2 11-3 Configure the Fast Ethernet WAN Interfaces 11-4 Configure the Dialer Interface 11-5 Ip address negotiated Ip mtu bytes 11-6 Configure Network Address Translation 11-7 Ip nat inside outside No shutdown Exit 11-8 11-9 Configuration Example 11-10 11-11 Verifying Your Configuration 11-12 12-1 Configuring a LAN with Dhcp and VLANs 12-2 Configure DhcpVLANs 12-3 Detailed Steps 12-4 Verify Your Dhcp Configuration 12-5 Configure VLANsVlan ? Switchport access vlan vlan-id End Assign a Switch Port to a VlanExample 12-6 12-7 Verify Your Vlan Configuration Router# vlan database 12-8 12-9 Router# show vlan-switch 12-10 13-1 Configuring a VPN Using Easy VPN and an IPSec Tunnel Remote, networked users Cisco Easy VPNVPN client-Cisco 819 ISRs VPN server-Easy VPN server 13-3 Configure the IKE Policy Lifetime seconds Exit Internet Naming Service Wins servers Configure Group Policy InformationFor the group by using the wins command 13-5 13-6 Apply Mode Configuration to the Crypto Map 13-7 Enable Policy LookupLogin, and specifies the method used 13-8 Configure IPSec Transforms and ProtocolsConfigure the IPSec Crypto Method and Parameters 13-9 13-10 Create an Easy VPN Remote ConfigurationApply the Crypto Map to the Physical Interface 13-11 Mode client network-extension network extension plus Exit 13-12 Verifying Your Easy VPN ConfigurationFollowing example verifies your easy vpn connection 13-13 13-14 Cisco IOS Software Basic Skills Configuring the Router from a PC PC Operating System Terminal Emulation Software Understanding Command Modes Global Enter the configure To exit to user Exec Use this mode toUser Exec Begin a session with As interface atm Getting Help Configuration mode Routing protocol AppropriateRouter Enter one of the router Router rip-from You can now make changes to your router configuration Enable Secret Passwords and Enable PasswordsEntering Global Configuration Mode Abbreviating Commands Using CommandsUndoing Commands Command-Line Error Messages Summary Saving Configuration ChangesWhere to Go Next OL-18906-02 Network Protocols Concepts Routing Protocol Options Protocol Ideal Topology Metric Routing Updates Enhanced Igrp PPP Authentication Protocols Chap Ethernet Backup Interface Dial BackupFloating Static Routes Dialer Watch Easy IP Phase QoS PPP Fragmentation and Interleaving IP Precedence Low Latency Queuing Access Lists OL-18906-02 Config-reg Resets the configuration register Configure terminal Enters global configuration modeROM Monitor Entering the ROM Monitor Exits global configuration mode ROM Monitor CommandsReload Prompt increments with each new line Command Description Command DescriptionsDisaster Recovery with Tftp Download Required Variables Tftp Download Command VariablesVariable Command Optional Variables Using the Tftp Download CommandConfigures how the router displays file You will see an output similar to the following Examples Type Embedded AP s Appendix C ROM Monitor Appendix C ROM Monitor Configuration Register Configuration Register Changing the Configuration Register Using Prompts Changing the Configuration Register Manually Console Download Command Description Context-Displays processor context for example Debug CommandsError Reporting Appendix C ROM Monitor Exiting the ROM Monitor Exiting the ROM Monitor Port Keyword Description Common Port Assignments ISO-Transport Service Access Point Any private RJE serviceProcedure Call Authentication service