No cdp run | Cisco Systems C819GUK9, C819HG4GVK9 guide

Chapter 9 Configuring Security Features

Configuring VPN

crypto map dynmap isakmp authorization list rtr-remote crypto map dynmap client configuration address respond

!

!Defines the key association and authentication for IPsec tunnel. crypto isakmp policy 1

hash md5

authentication pre-share

crypto isakmp key cisco123 address 200.1.1.1

!Defines encryption and transform set for the IPsec tunnel. crypto ipsec transform-set set1 esp-3des esp-md5-hmac

!Associates all crypto values and peering address for the IPsec tunnel. crypto map to_corporate 1 ipsec-isakmp

set peer 200.1.1.1

set transform-set set1 match address 105

!VLAN 1 is the internal home network.

interface vlan 1

ip address 10.1.1.1 255.255.255.0 ip nat inside

ip inspect firewall in ! Inspection examines outbound traffic. crypto map static-map

no cdp enable

!

!FE4 is the outside or Internet-exposed interface interface fastethernet 4

ip address 210.110.101.21 255.255.255.0

!acl 103 permits IPsec traffic from the corp. router as well as

!denies Internet-initiated traffic inbound.

ip access-group 103 in ip nat outside

no cdp enable

crypto map to_corporate ! Applies the IPsec tunnel to the outside interface.

!

!Utilize NAT overload in order to make best use of the

!single address provided by the ISP.

ip nat inside source list 102 interface Ethernet1 overload ip classless

ip route 0.0.0.0 0.0.0.0 210.110.101.1 no ip http server

!

!

!acl 102 associated addresses used for NAT. access-list 102 permit ip 10.1.1.0 0.0.0.255 any

!acl 103 defines traffic allowed from the peer for the IPsec tunnel. access-list 103 permit udp host 200.1.1.1 any eq isakmp access-list 103 permit udp host 200.1.1.1 eq isakmp any access-list 103 permit esp host 200.1.1.1 any

!Allow ICMP for debugging but should be disabled because of security implications. access-list 103 permit icmp any any

access-list 103 deny ip any any ! Prevents Internet-initiated traffic inbound.

!acl 105 matches addresses for the IPsec tunnel to or from the corporate network. access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255

no cdp run

	Cisco 819 Series Integrated Services Routers Software Configuration Guide
9-20	OL-23590-02

Image 114

Cisco Systems C819GUK9, C819HG4GVK9 manual No cdp run

Contents

Americas Headquarters Text Part Number OL-23590-02 September 2Page N T E N T S Data Account Provisioning Configuring a Cellular Interface Specifying a Synchronous Serial Interface Create a Cisco Easy VPN Remote Configuration NAT Getting Help TACACS+ OL-23590-02 Product Overview General Description 1shows the Cisco 819HG ISR New Features 3G FeaturesSKU Information Wlan Features Platform FeaturesSecurity Features Wireless Device Overview ScanSafe Tftp support with Ethernet WAN interface LEDsColor Description Rssi Router# show controllers cellular Wireless Local Area Network Wlan FeaturesDual-Radio Dynamic Frequency Selection CleanAir TechnologyImages Supported LEDs Wlan LED OL-23590-02 4G LTE Wireless WAN OL-23590-02 Basic Router Configuration Default Configuration Interface PortsRouter Interface Port Label Information Needed for Configuration OL-23590-02 Configuring Command-Line Access Line aux console tty vty line-number Password password Login Command Purpose Example Exits line configuration mode and returns to Enables password checking at the virtual terminalSession login Privileged Exec mode Configuring Global Parameters Configuring WAN Interfaces Configuring a Gigabit Ethernet WAN InterfaceNo shutdown Exit Configuring the Cellular Wireless WAN Interface Example Prerequisites for Configuring the 3G Wireless Interface Restrictions for Configuring the Cellular Wireless Interface Command or Action Purpose Data Account Provisioning Details about the command parameters Shows the radio signal strengthSignal strength, the network security, and so on Displays the cellular gps information Manual Activation 2lists the modem data profile parametersActivation and Provisioning Process Carrier Cellular unit cdma activate manual mdn msid msl Activating with Over-the-Air Service Provisioning Cellular cdma activate iotaRouter # cellular 0 cdma activate otasp phonenumber Configuring a Cellular Interface Configuring DDR Interface cellular Dialer string string Specifies the number of the dialer access group to Enters global configuration modeEnables DDR and configures the specified serial Enters the global configuration mode Exits line configuration mode Specifies the line configuration mode. It is alwaysSpecifies a default modem chat script Configures this line for GSM Examples for Configuring Cellular Wireless Interfaces This section provides the following configuration examples Tunnel over Cellular Interface Configuration Following shows how to configure an HSPA+ modem Configuring Dual SIM for Cellular Networks Command Syntax Description Cellular GSM SIM Perform the following commands to manually switch the SIMFollowing command forces the modem to connect to SIM1 Locks or unlocks the SIM Output When Button Is Not Pushed Example Output When Button Is Pushed ExampleRommon Behavior IOS Behavior Configuring a Loopback Interface Configuring the Fast Ethernet LAN InterfacesPush Button in Wlan AP Verifying Configuration Router# show interface loopback Configuring Static Routes Another way to verify the loopback interface is to ping it Configuring Dynamic Routes Verifying ConfigurationExample Router rip Version 1 Configuring Routing Information ProtocolCommand Task No auto-summary End Configuring Enhanced Interior Gateway Routing Protocol Router eigrp as-number Eigrp on the router. The autonomous-system Enters router configuration mode and enablesBe applied, using the IP address of the network Number identifies the route to other Eigrp routers OL-23590-02 Configuring Backup Data Lines and Remote Management Configuring Backup Interfaces819 Yes Assigns an interface as the secondary or backup Enters interface configuration mode forInterface for which you want to configure backup Be configured to back up a serial 0 interface Configure terminal Configuring Cellular Dial-on-Demand Routing BackupConfiguring DDR Backup Using Dialer Watch Dialer watch group group-number Using the chat script command Enables dialer watch on the backup interfaceDo not use the access list permit all command to Specifies the interface Configuring DDR Backup Using Floating Static Route No aaa new-model Source-interface Dialer2 Line vty 0 4 login Scheduler max-task-time Webvpn cef end Dial Backup and Remote Management Through the Auxiliary Port Ip name-server server-address Ip dhcp pool name Exit Sample commands that you can use in Dhcp Enters Dhcp pool configuration mode. The nameConfigure the Dhcp address pool. For Pool configuration mode, see the Example Enters configuration mode for the line interface Enters configuration mode for the auxiliary Switches the port from console to auxiliary portExits the configure interface mode Enables hardware signal flow control Ppp authentication pap callin PC IP address behind CPE OL-23590-02 Environmental and Power Management Router# show environment Environmental and Power Management Cisco EnergyWise Support Cisco EnergyWise Support Configuring the Serial Interface WAN Concentration Configuring Serial Interfaces Product Number Cable Type Length Connector TypeLegacy Protocol Transport Information About Configuring Serial Interfaces Cisco Hdlc EncapsulationPPP Encapsulation Keepalive Timer Multilink PPP Frame Relay Encapsulation LMI on Frame Relay Interfaces How to Configure Serial InterfacesConfiguring a Synchronous Serial Interface This section contains the following tasks Configures synchronous serial encapsulation Specifying a Synchronous Serial InterfaceSpecifying Synchronous Serial Encapsulation Configuring PPP Configures an Sdlc interface for half-duplex modeSignals Encapsulation hdlc Compress stac Configuring Compression of Hdlc DataUsing the Nrzi Line-Coding Format Nrzi-encoding Transmit-clock-internal Inverting the Transmit Clock SignalEnabling the Internal Clock Invert txclock Invert rxclock Setting Transmit Delay Configuring DTR Signal PulsingIgnoring DCD and Monitoring DSR as Line Up/Down Indicator Specifying the Serial Network Interface Module Timing Dce-terminal-timing enableConfigures the DCE to use Scte from the DTE Ignore-dcd Specifies timing configuration to invert TXC clock Dte-invert-txc Configuring Low-Speed Serial Interfaces Understanding Half-Duplex DTE and DCE State Machines Half-Duplex DCE State Machines Half-Duplex DCE Transmit State Machine Constant-carrier mode No half-duplex controlled-carrierPlaces a low-speed serial interface Sdlc cts-delay Sdlc rts-timeout Changing Between Synchronous and Asynchronous ModesPhysical-layer sync async Returns the interface to its default mode, which is Configuration ExamplesInterface Enablement Configuration Examples No physical-layer Synchronous or Asynchronous Mode Examples Half-Duplex Timers ExampleLow-Speed Serial Interface Examples Configuring Security Features Authentication, Authorization, and Accounting Configuration Commands Configuring AutoSecureConfiguring Access Lists ACL Type Configuring Cisco IOS Firewall Access Groups Configuring Cisco IOS IPS Configuring VPNURL Filtering Remote Access VPN VPN client-Cisco 819 ISR Site-to-Site VPNBranch office containing multiple LANs and VLANs Corporate office network Configuration Examples Configure a VPN over an IPSec TunnelConfigure the IKE Policy Command or Action Purpose Configure Group Policy Information Domain name Exit For details about this command and additional Apply Mode Configuration to the Crypto MapExits IKE group policy configuration mode Specifies a local address pool for the group Enable Policy Lookup Configure IPSec Transforms and Protocols Configure the IPSec Crypto Method and ParametersCrypto ipsec profile profile-name See Cisco IOS Security Command Reference for Where to Go Next Apply the Crypto Map to the Physical InterfaceCrypto map map-name Exit Create a Cisco Easy VPN Remote Configuration Crypto ipsec client ezvpn nameCrypto ipsec client ezvpn name outside inside Exit Configuration Example Configure a Site-to-Site GRE Tunnel Creates a tunnel interface and enters interface Returns to global configuration mode No cdp run Restrictions for the FE Switch Configuring the Ethernet SwitchesSwitch Port Numbering and Naming 10-1 Information About Ethernet Switches Igmp Snooping Switched Port AnalyzerOverview of Snmp MIBs Storm Control MIBs MIBs Link BRIDGE-MIB for Layer 2 Ethernet SwitchingRouterconfig#snmp-server community public RW 10-4 MAC Address Notification 10-5 VLANs on the FE Ports How to Configure Ethernet SwitchesConfiguring VLANs 10-6 VLANs on the GE Port Configuring Layer 2 InterfacesSwitchport mode dynamic desirable Comand Purpose Configuring 802.1x Authentication Configuring Spanning Tree Protocol10-8 Port Security Configuring MAC Table ManipulationConfiguring Cisco Discovery Protocol 10-9 Configuring Igmp Snooping Configuring the Switched Port AnalyzerConfiguring IP Multicast Layer 3 Switching Configuring Per-Port Storm Control Configuring Fallback Bridging 10-11 Managing the Switch 10-12 Configuring PPP over Ethernet with NAT 11-1 PPPoE Configuration TasksConfigure the Virtual Private Dialup Network Group Number 11-2 Configure the Fast Ethernet WAN Interfaces 11-3 Configure the Dialer Interface 11-4 Ip address negotiated Ip mtu bytes 11-5 Configure Network Address Translation 11-6 Ip nat inside outside No shutdown Exit 11-7 11-8 Configuration Example 11-9 11-10 Verifying Your Configuration 11-11 11-12 Configuring a LAN with Dhcp and VLANs 12-1 Configure Dhcp VLANs12-2 Detailed Steps 12-3 Verify Your Dhcp Configuration 12-4 Configure VLANs Vlan ?12-5 Example Assign a Switch Port to a VlanSwitchport access vlan vlan-id End 12-6 Verify Your Vlan Configuration 12-7 12-8 Router# vlan database Router# show vlan-switch 12-9 12-10 Configuring a VPN Using Easy VPN and an IPSec Tunnel 13-1 VPN client-Cisco 819 ISRs Cisco Easy VPNRemote, networked users VPN server-Easy VPN server Configure the IKE Policy 13-3 Lifetime seconds Exit For the group by using the wins command Configure Group Policy InformationInternet Naming Service Wins servers 13-5 Apply Mode Configuration to the Crypto Map 13-6 Enable Policy Lookup Login, and specifies the method used13-7 Configure IPSec Transforms and Protocols Configure the IPSec Crypto Method and Parameters13-8 13-9 Create an Easy VPN Remote Configuration Apply the Crypto Map to the Physical Interface13-10 Mode client network-extension network extension plus Exit 13-11 Verifying Your Easy VPN Configuration Following example verifies your easy vpn connection13-12 13-13 13-14 Configuring the Router from a PC Cisco IOS Software Basic Skills Understanding Command Modes PC Operating System Terminal Emulation Software User Exec Begin a session with To exit to user Exec Use this mode toGlobal Enter the configure As interface atm Router Enter one of the router Configuration mode Routing protocol AppropriateGetting Help Router rip-from Enable Secret Passwords and Enable Passwords Entering Global Configuration ModeYou can now make changes to your router configuration Undoing Commands Using CommandsAbbreviating Commands Command-Line Error Messages Saving Configuration Changes Where to Go NextSummary OL-18906-02 Concepts Network Protocols Protocol Ideal Topology Metric Routing Updates Routing Protocol Options PPP Authentication Protocols Enhanced Igrp Ethernet Chap Floating Static Routes Dial BackupBackup Interface Dialer Watch Easy IP Phase QoS IP Precedence PPP Fragmentation and Interleaving Access Lists Low Latency Queuing OL-18906-02 ROM Monitor Configure terminal Enters global configuration modeConfig-reg Resets the configuration register Entering the ROM Monitor Reload ROM Monitor CommandsExits global configuration mode Prompt increments with each new line Command Descriptions Disaster Recovery with Tftp DownloadCommand Description Tftp Download Command Variables Variable CommandRequired Variables Using the Tftp Download Command Configures how the router displays fileOptional Variables Examples You will see an output similar to the following Type Embedded AP s Appendix C ROM Monitor Configuration Register Appendix C ROM Monitor Configuration Register Changing the Configuration Register Manually Changing the Configuration Register Using Prompts Command Description Console Download Debug Commands Error ReportingContext-Displays processor context for example Exiting the ROM Monitor Appendix C ROM Monitor Exiting the ROM Monitor Common Port Assignments Port Keyword Description Procedure Call Any private RJE serviceISO-Transport Service Access Point Authentication service