Command or Action Purpose | Cisco Systems C819GUK9, C819HG4GVK9

Chapter 9 Configuring Security Features

Configuring VPN

DETAILED STEPS

	Command or Action	Purpose
Step 1
Step 1	crypto isakmp policy priority	Creates an IKE policy that is used during IKE
	Example:	negotiation. The priority is a number from 1 to
	Example:	10000, with 1 being the highest.
	Router(config)# crypto isakmp policy 1	Also enters the Internet Security Association Key
	Router(config-isakmp)#	Also enters the Internet Security Association Key
	Router(config-isakmp)#	and Management Protocol (ISAKMP) policy
		and Management Protocol (ISAKMP) policy
		configuration mode.
Step 2
Step 2	encryption {des 3des aes aes 192	Specifies the encryption algorithm used in the IKE
	aes 256}	policy.
	Example:	The example specifies 168-bit data encryption
	Example:	standard (DES).
	Router(config-isakmp)# encryption 3des	standard (DES).
	Router(config-isakmp)# encryption 3des
	Router(config-isakmp)#
Step 3
Step 3	hash {md5 sha}	Specifies the hash algorithm used in the IKE
	Example:	policy.
	Example:	The example specifies the Message Digest 5
	Router(config-isakmp)# hash md5	The example specifies the Message Digest 5
	Router(config-isakmp)# hash md5	(MD5) algorithm. The default is Secure Hash
	Router(config-isakmp)#	(MD5) algorithm. The default is Secure Hash
	Router(config-isakmp)#	standard (SHA-1).
		standard (SHA-1).
Step 4
Step 4	authentication {rsa-sig rsa-encr	Specifies the authentication method used in the
	pre-share}	IKE policy.
	Example:	The example specifies a pre-shared key.
	Example:
	Router(config-isakmp)# authentication
	pre-share
	Router(config-isakmp)#
Step 5
Step 5	group {1 2 5}	Specifies the Diffie-Hellman group to be used in
	Example:	an IKE policy.
	Example:
	Router(config-isakmp)# group 2
	Router(config-isakmp)#
Step 6
Step 6	lifetime seconds	Specifies the lifetime, from 60 to 86400 seconds,
	Example:	for an IKE security association (SA).
	Example:
	Router(config-isakmp)# lifetime 480
	Router(config-isakmp)#
Step 7
Step 7	exit	Exits IKE policy configuration mode and enters
	Example:	global configuration mode.
	Example:
	Router(config-isakmp)# exit
	Router(config)#

Cisco 819 Series Integrated Services Routers Software Configuration Guide

9-8	OL-23590-02

Image 102

Cisco Systems C819GUK9, C819HG4GVK9 manual Command or Action Purpose

Contents

Americas Headquarters Text Part Number OL-23590-02 September 2Page N T E N T S Data Account Provisioning Configuring a Cellular Interface Specifying a Synchronous Serial Interface Create a Cisco Easy VPN Remote Configuration NAT Getting Help TACACS+ OL-23590-02 Product Overview General Description 1shows the Cisco 819HG ISR New Features 3G FeaturesSKU Information Wlan Features Platform FeaturesSecurity Features Wireless Device Overview ScanSafe Tftp support with Ethernet WAN interface LEDsColor Description Rssi Router# show controllers cellular Wireless Local Area Network Wlan FeaturesDual-Radio Dynamic Frequency Selection CleanAir TechnologyImages Supported LEDs Wlan LED OL-23590-02 4G LTE Wireless WAN OL-23590-02 Basic Router Configuration Default Configuration Interface PortsRouter Interface Port Label Information Needed for Configuration OL-23590-02 Configuring Command-Line Access Line aux console tty vty line-number Password password Login Command Purpose Example Exits line configuration mode and returns to Enables password checking at the virtual terminalSession login Privileged Exec mode Configuring Global Parameters Configuring WAN Interfaces Configuring a Gigabit Ethernet WAN InterfaceNo shutdown Exit Configuring the Cellular Wireless WAN Interface Example Prerequisites for Configuring the 3G Wireless Interface Restrictions for Configuring the Cellular Wireless Interface Command or Action Purpose Data Account Provisioning Details about the command parameters Shows the radio signal strengthSignal strength, the network security, and so on Displays the cellular gps information Manual Activation 2lists the modem data profile parametersActivation and Provisioning Process Carrier Cellular unit cdma activate manual mdn msid msl Activating with Over-the-Air Service Provisioning Cellular cdma activate iotaRouter # cellular 0 cdma activate otasp phonenumber Configuring a Cellular Interface Configuring DDR Interface cellular Dialer string string Specifies the number of the dialer access group to Enters global configuration modeEnables DDR and configures the specified serial Enters the global configuration mode Exits line configuration mode Specifies the line configuration mode. It is alwaysSpecifies a default modem chat script Configures this line for GSM Examples for Configuring Cellular Wireless Interfaces This section provides the following configuration examples Tunnel over Cellular Interface Configuration Following shows how to configure an HSPA+ modem Configuring Dual SIM for Cellular Networks Command Syntax Description Cellular GSM SIM Perform the following commands to manually switch the SIMFollowing command forces the modem to connect to SIM1 Locks or unlocks the SIM Output When Button Is Not Pushed Example Output When Button Is Pushed ExampleRommon Behavior IOS Behavior Configuring a Loopback Interface Configuring the Fast Ethernet LAN InterfacesPush Button in Wlan AP Verifying Configuration Router# show interface loopback Configuring Static Routes Another way to verify the loopback interface is to ping it Configuring Dynamic Routes Verifying ConfigurationExample Router rip Version 1 Configuring Routing Information ProtocolCommand Task No auto-summary End Configuring Enhanced Interior Gateway Routing Protocol Router eigrp as-number Eigrp on the router. The autonomous-system Enters router configuration mode and enablesBe applied, using the IP address of the network Number identifies the route to other Eigrp routers OL-23590-02 Configuring Backup Data Lines and Remote Management Configuring Backup Interfaces819 Yes Assigns an interface as the secondary or backup Enters interface configuration mode forInterface for which you want to configure backup Be configured to back up a serial 0 interface Configure terminal Configuring Cellular Dial-on-Demand Routing BackupConfiguring DDR Backup Using Dialer Watch Dialer watch group group-number Using the chat script command Enables dialer watch on the backup interfaceDo not use the access list permit all command to Specifies the interface Configuring DDR Backup Using Floating Static Route No aaa new-model Source-interface Dialer2 Line vty 0 4 login Scheduler max-task-time Webvpn cef end Dial Backup and Remote Management Through the Auxiliary Port Ip name-server server-address Ip dhcp pool name Exit Sample commands that you can use in Dhcp Enters Dhcp pool configuration mode. The nameConfigure the Dhcp address pool. For Pool configuration mode, see the Example Enters configuration mode for the line interface Enters configuration mode for the auxiliary Switches the port from console to auxiliary portExits the configure interface mode Enables hardware signal flow control Ppp authentication pap callin PC IP address behind CPE OL-23590-02 Environmental and Power Management Router# show environment Environmental and Power Management Cisco EnergyWise Support Cisco EnergyWise Support Configuring the Serial Interface WAN Concentration Configuring Serial Interfaces Product Number Cable Type Length Connector TypeLegacy Protocol Transport Information About Configuring Serial Interfaces Cisco Hdlc EncapsulationPPP Encapsulation Keepalive Timer Multilink PPP Frame Relay Encapsulation LMI on Frame Relay Interfaces How to Configure Serial InterfacesConfiguring a Synchronous Serial Interface This section contains the following tasks Configures synchronous serial encapsulation Specifying a Synchronous Serial InterfaceSpecifying Synchronous Serial Encapsulation Configuring PPP Configures an Sdlc interface for half-duplex modeSignals Encapsulation hdlc Compress stac Configuring Compression of Hdlc DataUsing the Nrzi Line-Coding Format Nrzi-encoding Transmit-clock-internal Inverting the Transmit Clock SignalEnabling the Internal Clock Invert txclock Invert rxclock Setting Transmit Delay Configuring DTR Signal PulsingIgnoring DCD and Monitoring DSR as Line Up/Down Indicator Specifying the Serial Network Interface Module Timing Dce-terminal-timing enableConfigures the DCE to use Scte from the DTE Ignore-dcd Specifies timing configuration to invert TXC clock Dte-invert-txc Configuring Low-Speed Serial Interfaces Understanding Half-Duplex DTE and DCE State Machines Half-Duplex DCE State Machines Half-Duplex DCE Transmit State Machine Constant-carrier mode No half-duplex controlled-carrierPlaces a low-speed serial interface Sdlc cts-delay Sdlc rts-timeout Changing Between Synchronous and Asynchronous ModesPhysical-layer sync async Returns the interface to its default mode, which is Configuration ExamplesInterface Enablement Configuration Examples No physical-layer Synchronous or Asynchronous Mode Examples Half-Duplex Timers ExampleLow-Speed Serial Interface Examples Configuring Security Features Authentication, Authorization, and Accounting Configuration Commands Configuring AutoSecureConfiguring Access Lists ACL Type Configuring Cisco IOS Firewall Access Groups Configuring Cisco IOS IPS Configuring VPNURL Filtering Remote Access VPN VPN client-Cisco 819 ISR Site-to-Site VPNBranch office containing multiple LANs and VLANs Corporate office network Configuration Examples Configure a VPN over an IPSec TunnelConfigure the IKE Policy Command or Action Purpose Configure Group Policy Information Domain name Exit For details about this command and additional Apply Mode Configuration to the Crypto MapExits IKE group policy configuration mode Specifies a local address pool for the group Enable Policy Lookup Configure IPSec Transforms and Protocols Configure the IPSec Crypto Method and ParametersCrypto ipsec profile profile-name See Cisco IOS Security Command Reference for Where to Go Next Apply the Crypto Map to the Physical InterfaceCrypto map map-name Exit Create a Cisco Easy VPN Remote Configuration Crypto ipsec client ezvpn nameCrypto ipsec client ezvpn name outside inside Exit Configuration Example Configure a Site-to-Site GRE Tunnel Creates a tunnel interface and enters interface Returns to global configuration mode No cdp run Restrictions for the FE Switch Configuring the Ethernet SwitchesSwitch Port Numbering and Naming 10-1 Information About Ethernet Switches Igmp Snooping Switched Port AnalyzerOverview of Snmp MIBs Storm Control MIBs MIBs Link BRIDGE-MIB for Layer 2 Ethernet SwitchingRouterconfig#snmp-server community public RW 10-4 MAC Address Notification 10-5 VLANs on the FE Ports How to Configure Ethernet SwitchesConfiguring VLANs 10-6 VLANs on the GE Port Configuring Layer 2 InterfacesSwitchport mode dynamic desirable Comand Purpose Configuring 802.1x Authentication Configuring Spanning Tree Protocol10-8 Port Security Configuring MAC Table ManipulationConfiguring Cisco Discovery Protocol 10-9 Configuring Igmp Snooping Configuring the Switched Port AnalyzerConfiguring IP Multicast Layer 3 Switching Configuring Per-Port Storm Control Configuring Fallback Bridging 10-11 Managing the Switch 10-12 Configuring PPP over Ethernet with NAT 11-1 PPPoE Configuration TasksConfigure the Virtual Private Dialup Network Group Number 11-2 Configure the Fast Ethernet WAN Interfaces 11-3 Configure the Dialer Interface 11-4 Ip address negotiated Ip mtu bytes 11-5 Configure Network Address Translation 11-6 Ip nat inside outside No shutdown Exit 11-7 11-8 Configuration Example 11-9 11-10 Verifying Your Configuration 11-11 11-12 Configuring a LAN with Dhcp and VLANs 12-1 Configure Dhcp VLANs12-2 Detailed Steps 12-3 Verify Your Dhcp Configuration 12-4 Configure VLANs Vlan ?12-5 Example Assign a Switch Port to a VlanSwitchport access vlan vlan-id End 12-6 Verify Your Vlan Configuration 12-7 12-8 Router# vlan database Router# show vlan-switch 12-9 12-10 Configuring a VPN Using Easy VPN and an IPSec Tunnel 13-1 VPN client-Cisco 819 ISRs Cisco Easy VPNRemote, networked users VPN server-Easy VPN server Configure the IKE Policy 13-3 Lifetime seconds Exit For the group by using the wins command Configure Group Policy InformationInternet Naming Service Wins servers 13-5 Apply Mode Configuration to the Crypto Map 13-6 Enable Policy Lookup Login, and specifies the method used13-7 Configure IPSec Transforms and Protocols Configure the IPSec Crypto Method and Parameters13-8 13-9 Create an Easy VPN Remote Configuration Apply the Crypto Map to the Physical Interface13-10 Mode client network-extension network extension plus Exit 13-11 Verifying Your Easy VPN Configuration Following example verifies your easy vpn connection13-12 13-13 13-14 Configuring the Router from a PC Cisco IOS Software Basic Skills Understanding Command Modes PC Operating System Terminal Emulation Software User Exec Begin a session with To exit to user Exec Use this mode toGlobal Enter the configure As interface atm Router Enter one of the router Configuration mode Routing protocol AppropriateGetting Help Router rip-from Enable Secret Passwords and Enable Passwords Entering Global Configuration ModeYou can now make changes to your router configuration Undoing Commands Using CommandsAbbreviating Commands Command-Line Error Messages Saving Configuration Changes Where to Go NextSummary OL-18906-02 Concepts Network Protocols Protocol Ideal Topology Metric Routing Updates Routing Protocol Options PPP Authentication Protocols Enhanced Igrp Ethernet Chap Floating Static Routes Dial BackupBackup Interface Dialer Watch Easy IP Phase QoS IP Precedence PPP Fragmentation and Interleaving Access Lists Low Latency Queuing OL-18906-02 ROM Monitor Configure terminal Enters global configuration modeConfig-reg Resets the configuration register Entering the ROM Monitor Reload ROM Monitor CommandsExits global configuration mode Prompt increments with each new line Command Descriptions Disaster Recovery with Tftp DownloadCommand Description Tftp Download Command Variables Variable CommandRequired Variables Using the Tftp Download Command Configures how the router displays fileOptional Variables Examples You will see an output similar to the following Type Embedded AP s Appendix C ROM Monitor Configuration Register Appendix C ROM Monitor Configuration Register Changing the Configuration Register Manually Changing the Configuration Register Using Prompts Command Description Console Download Debug Commands Error ReportingContext-Displays processor context for example Exiting the ROM Monitor Appendix C ROM Monitor Exiting the ROM Monitor Common Port Assignments Port Keyword Description Procedure Call Any private RJE serviceISO-Transport Service Access Point Authentication service