Manuals / Cisco Systems / Power Tools / Router

Cisco Systems C819GUK9, C819HG4GVK9 manual 9-20, Configuring Security Features Configuring VPN

Models: C819GUK9

1 196

Download 196 pages 51.42 Kb

Page 114

hash md5

Chapter 9 Configuring Security Features

Configuring VPN

crypto map dynmap isakmp authorization list rtr-remote crypto map dynmap client configuration address respond

!

!Defines the key association and authentication for IPsec tunnel. crypto isakmp policy 1

hash md5

authentication pre-share

crypto isakmp key cisco123 address 200.1.1.1

!Defines encryption and transform set for the IPsec tunnel. crypto ipsec transform-set set1 esp-3des esp-md5-hmac

!Associates all crypto values and peering address for the IPsec tunnel. crypto map to_corporate 1 ipsec-isakmp

set peer 200.1.1.1

set transform-set set1 match address 105

!VLAN 1 is the internal home network.

interface vlan 1

ip address 10.1.1.1 255.255.255.0 ip nat inside

ip inspect firewall in ! Inspection examines outbound traffic. crypto map static-map

no cdp enable

!

!FE4 is the outside or Internet-exposed interface interface fastethernet 4

ip address 210.110.101.21 255.255.255.0

!acl 103 permits IPsec traffic from the corp. router as well as

!denies Internet-initiated traffic inbound.

ip access-group 103 in ip nat outside

no cdp enable

crypto map to_corporate ! Applies the IPsec tunnel to the outside interface.

!

!Utilize NAT overload in order to make best use of the

!single address provided by the ISP.

ip nat inside source list 102 interface Ethernet1 overload ip classless

ip route 0.0.0.0 0.0.0.0 210.110.101.1 no ip http server

!

!

!acl 102 associated addresses used for NAT. access-list 102 permit ip 10.1.1.0 0.0.0.255 any

!acl 103 defines traffic allowed from the peer for the IPsec tunnel. access-list 103 permit udp host 200.1.1.1 any eq isakmp access-list 103 permit udp host 200.1.1.1 eq isakmp any access-list 103 permit esp host 200.1.1.1 any

!Allow ICMP for debugging but should be disabled because of security implications. access-list 103 permit icmp any any

access-list 103 deny ip any any ! Prevents Internet-initiated traffic inbound.

!acl 105 matches addresses for the IPsec tunnel to or from the corporate network. access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255

no cdp run

	Cisco 819 Series Integrated Services Routers Software Configuration Guide
9-20	OL-23590-02

Image 114

Cisco Systems C819GUK9, C819HG4GVK9 manual 9-20, Configuring Security Features Configuring VPN

Contents

800 553-NETS Fax 408 Americas HeadquartersCisco Systems, Inc 170 West Tasman Drive San Jose, CA Text Part Number OL-23590-02 September 2THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS WLAN Features Information Needed for ConfigurationNew Features Wireless Device OverviewConfiguring DDR Configuring a Cellular InterfacePrerequisites for Configuring the 3G Wireless Interface Verifying ConfigurationInterface Enablement Configuration Examples Ignoring DCD and Monitoring DSR as Line Up/Down IndicatorConfiguration Examples Configuring Security FeaturesConfigure a Site-to-Site GRE Tunnel Configure the IKE PolicyCreate a Cisco Easy VPN Remote Configuration Configuring the Ethernet SwitchesConfiguring 802.1x Authentication Configure the Virtual Private Dialup Network Group NumberConfiguring VLANs Configuration TasksConfigure Group Policy Information Entering Global Configuration Mode A-5Configure the IKE Policy Understanding Command ModesBackup Interface Changing the Configuration Register Manually C-11Changing the Configuration Register Using Prompts C-11 ROM Monitor CommandsContents OL-23590-02General Description General Description, page SKU Information, page New Features, pageProduct Overview C H A P T E RChapter 1 Product Overview General Description Figure 1-1 Cisco 819HG Integrated Services RouterFigure 1-2 Cisco 819HGW Integrated Services Router OL-23590-023G Features, page WLAN Features, page 4G LTE Features, page New Features3G Features Platform Features, page Security Features, pageWLAN Features Platform FeaturesSecurity Features ScanSafe, page TFTP support with Ethernet WAN interface, page Wireless Device OverviewScanSafe LEDs, pageColor TFTP support with Ethernet WAN interfaceLEDs DescriptionDescription show platform led for all LEDs show controller cellular 0 for 3G LEDsColor 3G LED Descriptions continuedChapter 2 Wireless Device Overview LEDs router# show controllers cellularDual-Radio, page Images Supported, page CleanAir Technology, page Wireless Local Area NetworkWLAN Features Dual-RadioDynamic Frequency Selection CleanAir TechnologyImages Supported LEDsDescription WLAN LEDColor WLAN LED DescriptionsChapter 3 Wireless Local Area Network WLAN Features OL-23590-024G LTE Wireless WAN C H A P T E RChapter 4 4G LTE Wireless WAN OL-23590-02Information Needed for Configuration, page Basic Router ConfigurationInterface Ports, page Default Configuration, page Configuring Command-Line Access, pageRouter Default ConfigurationInterface Ports InterfaceInformation Needed for Configuration 3G-ACC-OUT-LA-See Cisco 3G Lightning Arrestor 3G-ACC-OUT-LA If you are setting up IP routing3. login Configuring Command-Line Access1. line aux console tty vty line-number 2. password password 4. exec-timeout minutes secondsPurpose CommandDETAILED STEPS ExamplePurpose ExampleCommand Exampleenable secret password Configuring Global Parametersconfigure terminal hostname nameConfiguring a Gigabit Ethernet WAN Interface, page Configuring WAN InterfacesConfiguring a Gigabit Ethernet WAN Interface Configuring the Cellular Wireless WAN Interface, pageEnters the configuration mode for a Gigabit Configuring the Cellular Wireless WAN InterfaceCommand Enables the Ethernet interface, changing itsPrerequisites for Configuring the 3G Wireless Interface Restrictions for Configuring the Cellular Wireless Interface5-11 Configuring a GSM Modem Data Profile, page Verifying Signal Strength and Service AvailabilityVerifying Signal Strength and Service Availability, page Command or ActionCommand or Action Configuring a GSM Modem Data Profile5-13 Command or ActionUsername provided by your service provider authenticationType of authentication, for example, CHAP, PAP Passwordrouter # cellular 0 cdma activate otasp phonenumber Activating with Over-the-Air Service Provisioningcellular cdma activate iota 5-154. ppp chap hostname hostname 5. ppp chap password 0 password Configuring a Cellular Interface1. configure terminal 2. interface cellular 3. encapsulation ppp 6. asynchronous mode interactive 7. ip address negotiated4. dialer idle-timeout seconds 5. dialer string string Configuring DDR1. configure terminal 2. interface cellular 3. dialer in-band 9. ip access-list access list number permit ip source addressDETAILED STEPS 5-18Command or Action PurposePurpose 5-19Command or Action ExampleBasic Cellular Interface Configuration, page Examples for Configuring Cellular Wireless InterfacesBasic Cellular Interface Configuration Tunnel over Cellular Interface Configuration, page5-21 Tunnel over Cellular Interface ConfigurationConfiguration for 8705 modem Chapter 5 Basic Router Configuration Configuring WAN Interfaces5-22 Configuring Dual SIM for Cellular NetworksSyntax CommandCommand Configuring Router for Image and Config Recovery Using Push Button5-23 SyntaxROMMON Behavior Output When Button Is Not Pushed ExampleOutput When Button Is Pushed Example IOS BehaviorPush Button in WLAN AP Configuring a Loopback InterfaceConfiguring the Fast Ethernet LAN Interfaces 3. exitExits configuration mode for the loopback Verifying ConfigurationEnters configuration mode for the loopback interface and returns to global configurationIOS IP Routing Protocol-Independent Command Configuring Static RoutesFor details about this command and about Exits router configuration mode and entersConfiguring Routing Information Protocol, page Configuring Dynamic RoutesVerifying Configuration Configuring Enhanced Interior Gateway Routing Protocol, page2. version 1 Configuring Routing Information Protocolrouter rip 3. network ip-address2. network ip-address Configuring Enhanced Interior Gateway Routing Protocol1. router eigrp as-number 3. endCommand 5-31Verifying Configuration Example5-32 Chapter 5 Basic Router Configuration Configuring Dynamic RoutesOL-23590-02 Configuring Backup Interfaces, page Configuring Backup Data Lines and Remote ManagementConfiguring Backup Interfaces Configuring Cellular Dial-on-Demand Routing Backup, pageCommand 2. backup interface interface-type interface-number1. interface type number SUMMARY STEPS1. configure terminal Configuring Cellular Dial-on-Demand Routing BackupConfiguring DDR Backup Using Dialer Watch 6. ip access-list access list number permit ip source addressPurpose Command or ActionDETAILED STEPS Example1. configure terminal Configuring DDR Backup Using Floating Static RouteCellular Wireless Modem as Backup with NAT and IPsec Configuration Command or ActionChapter 6 Configuring Backup Data Lines and Remote Management Configuring Cellular Dial-on-Demand Routing Backupno aaa new-model Chapter 6 Configuring Backup Data Lines and Remote Management Configuring Cellular Dial-on-Demand Routing BackupOL-23590-02 line vty 0 4 login line con no modem enable line aux 0 lineexec-timeout 0 0 script dialer gsm login route-map track-primary-if permit 10 match ip address1 A Cisco 819 router4. chat-script script-name expect-send 5. interface type number 15. modem enable 16. exit1. ip name-server server-address 2. ip dhcp pool name 3. exit 6. exitCommand section on page6-11 DETAILED STEPSa default gateway Exits the interface configuration modeEnables dynamic translation of addresses on the Defines an extended access list that indicatesChapter 6 Configuring Backup Data Lines and Remote Management 6-13Command modem enable6-14 Chapter 6 Configuring Backup Data Lines and Remote Managementno ip http server ip pim bidir-enable 6-15Chapter 6 Configuring Backup Data Lines and Remote Management OL-23590-026-16 Chapter 6 Configuring Backup Data Lines and Remote ManagementOL-23590-02 Environmental and Power Management C H A P T E RCisco EnergyWise Support Information About Configuring Serial Interfaces, page Configuring the Serial InterfaceLegacy Protocol Transport, page Configuring Serial Interfaces, page How to Configure Serial Interfaces, page Configuration Examples, pageLegacy Protocol Transport Configuring Serial InterfacesConnector Type Product NumberCisco HDLC Encapsulation Information About Configuring Serial InterfacesKeepalive Timer, page Frame Relay Encapsulation, page PPP EncapsulationKeepalive Timer Multilink PPPInformation About Configuring Serial Interfaces Frame Relay EncapsulationChapter 8 Configuring the Serial Interface OL-23590-02Configuring a Synchronous Serial Interface, page How to Configure Serial InterfacesConfiguring a Synchronous Serial Interface Configuring Low-Speed Serial Interfaces, pageInverting the Transmit Clock Signal, page 8-10 Optional Configuring Compression of HDLC Data, page 8-9 OptionalUsing the NRZI Line-Coding Format, page 8-9 Optional Setting Transmit Delay, page 8-11 OptionalCommand Configuring PPPConfiguring Bisync Command1. encapsulation hdlc 2. compress stac Configuring Compression of HDLC DataUsing the NRZI Line-Coding Format 1. nrzi-encoding1. transmit-clock-internal Inverting the Transmit Clock SignalEnabling the Internal Clock 1. invert txclock 2. invert rxclockIgnoring DCD and Monitoring DSR as Line Up/Down Indicator Setting Transmit DelayConfiguring DTR Signal Pulsing 8-11Specifying the Serial Network Interface Module Timing 1. dce-terminal-timing enableConfigures the DCE to use SCTE from the DTE 1. ignore-dcdCommand or Action 1. dte-invert-txc8-13 Chapter 8 Configuring the Serial InterfaceHalf-Duplex DTE State Machines Configuring Low-Speed Serial InterfacesUnderstanding Half-Duplex DTE and DCE State Machines Understanding Half-Duplex DTE and DCE State Machines, pageHalf-Duplex DCE State Machines 8-15Half-Duplex DTE Receive State Machine 8-16 Half-Duplex DCE Transmit State Machine8-17 Placing a Low-Speed Serial Interface in Constant-Carrier Mode1. no half-duplex controlled-carrier Command or ActionChanging Between Synchronous and Asynchronous Modes Tuning Half-Duplex Timerssdlc cts-delay sdlc rts-timeout 1. physical-layer sync async1. no physical-layer Configuration ExamplesInterface Enablement Configuration Examples 8-19Low-Speed Serial Interface Examples Half-Duplex Timers ExampleHalf-Duplex Timers Example, page Synchronous or Asynchronous Mode ExamplesAuthentication, Authorization, and Accounting, page Configuring Security FeaturesAuthentication, Authorization, and Accounting Configuring AutoSecure, page Configuring Access Lists, pageConfiguration Commands Configuring AutoSecureConfiguring Access Lists access-list 1-99permit deny source-addr source-maskConfiguring Cisco IOS Firewall Access Groupsip inspect name inspection-name protocol timeout seconds Remote Access VPN, page Site-to-Site VPN, page Configuring Cisco IOS IPSConfiguring VPN Configuration Examples, pageRemote Access VPN Site-to-Site VPN Library, Cisco IOS Release 12.4TConfigure the IKE Policy Configuration ExamplesConfigure a VPN over an IPSec Tunnel Configure the IKE Policy, pageSpecifies the authentication method used in the Command or ActionMD5 algorithm. The default is Secure Hash Exits IKE policy configuration mode and enters6. ip local pool default poolname low-ip-address high-ip-address Configure Group Policy Information1. crypto isakmp client configuration group group-name default 2. key name1. crypto map map-name isakmp authorization list list-name Apply Mode Configuration to the Crypto MapTechnologies Command Reference 2. crypto map tag client configuration address initiate responddetails, see Securing User Services Configuration Enable Policy Lookup2. aaa authentication login default list-name method1 method2 IOS Security Command ReferenceConfigures IPSec profile to apply protection on Configure IPSec Transforms and ProtocolsConfigure the IPSec Crypto Method and Parameters See Secure Connectivity Configuration Guidemore details about this command crypto map configuration modeSee Cisco IOS Security Command Reference for Returns to global configuration modeApply the Crypto Map to the Physical Interface Where to Go NextEnters the interface configuration mode for the 2. crypto map map-name 3. exitand enters Cisco Easy VPN remote configuration Create a Cisco Easy VPN Remote ConfigurationCreates a Cisco Easy VPN remote configuration hostname resolutionCommand or Action Configuration Example9-16 Purpose7. ip access-list standard extended access-list-name Configure a Site-to-Site GRE Tunnel4. tunnel destination default-gateway-ip-address 3. tunnel source interface-type numberEnters ACL configuration mode for the named tunnel interface must be configured toExits interface configuration mode and returns to Creates a tunnel interface and enters interfaceoutbound interface Returns to global configuration modeSpecifies that only GRE traffic is permitted on the 9-199-20 Chapter 9 Configuring Security Features Configuring VPNhash md5 authentication pre-share crypto isakmp key cisco123 address Restrictions for the FE Switch Configuring the Ethernet SwitchesSwitch Port Numbering and Naming Switch Port Numbering and Naming, page802.1x Authentication Information About Ethernet SwitchesLayer 2 Ethernet Switching VLANs and VLAN Trunk Protocol, page Layer 2 Ethernet Switching, pageIGMP Snooping Switched Port AnalyzerOverview of SNMP MIBs Storm ControlMIBs BRIDGE-MIB for Layer 2 Ethernet SwitchingRouterconfig#snmp-server community public RW MIBs LinkRouterconfig#Routersnmp-server group public v2c context bridge-group MAC Address Notification10-5 Routerconfig#snmp-server community public RWConfiguring VLANs, page Configuring Layer 2 Interfaces, page How to Configure Ethernet SwitchesConfiguring VLANs Configuring 802.1x Authentication, pageVLANs on the GE Port Configuring Layer 2 Interfacesswitchport mode dynamic desirable ComandConfiguring 802.1x Authentication Configuring Spanning Tree Protocol10-8 Manipulation Configuring MAC Table ManipulationConfiguring Cisco Discovery Protocol Port SecurityConfiguring IGMP Snooping Configuring the Switched Port AnalyzerConfiguring IP Multicast Layer 3 Switching Configuring Per-Port Storm ControlConfiguring Fallback Bridging 10-11Managing the Switch 10-12Configuring PPP over Ethernet with NAT 11-1C H A P T E R Configure the Virtual Private Dialup Network Group Number, page Configuration TasksConfigure the Virtual Private Dialup Network Group Number Configure the Fast Ethernet WAN Interfaces, pageCommand or Action Configure the Fast Ethernet WAN Interfaces11-3 DETAILED STEPSConfigures the PPPoE client and specifies the Configure the Dialer InterfaceEnters interface configuration mode for a Enables the Fast Ethernet interface and the1. interface dialer dialer-rotary-group-number 5. ppp authentication protocol1 protocol2 6. dialer pool numberCommand Reference 2. ip address negotiated 3. ip mtu bytesExits the dialer 0 interface configuration Configure Network Address TranslationUsing a dialer group controls access to For details about this command and additional8. ip nat inside outside 9. no shutdown 10. exit 3. interface type number4. ip nat inside outside 5. no shutdown 6. exit 11-7Command Reference, Volume 1 of 4 Addressing by the access list 1 to be translated to one of thepermitted by access list acl1 to be translated to one and ServicesDefines a standard access list indicating which Configuration ExampleEnters configuration mode for the Fast Ethernet WAN interface FE4 to be the outside interfaceConfiguration Example 11-10Chapter 11 Configuring PPP over Ethernet with NAT vpdn enable vpdn-group 1 request-dialin protocol pppoeChapter 11 Configuring PPP over Ethernet with NAT Verifying Your Configuration11-11 Configuration ExampleConfiguration Example 11-12Chapter 11 Configuring PPP over Ethernet with NAT OL-23590-0212-1 Configuring a LAN with DHCP and VLANsDHCP C H A P T E R7. default-router address address2...address8 Configure DHCPConfigure DHCP, page Configure VLANs, page VLANsenters DHCP pool configuration mode. The name Identifies the default domain that the router uses toresolution Specifies up to eight default routers for a DHCPSpecifies up to eight DNS servers available to a Verify Your DHCP ConfigurationExits DHCP configuration mode and enters global DHCP client12-5 Configure VLANs1. vlan ? 2. ISL VLAN ID 3. exit Chapter 12 Configuring a LAN with DHCP and VLANs Configuration Tasks1. interface switch port id Assign a Switch Port to a VLANServices Command Reference 2. switchport access vlan vlan-id 3. endto the VLAN Verify Your VLAN ConfigurationSpecifies the switch port that you want to assign Assigns a port to the VLANCisco 819 Integrated Services Routers Software Configuration Guide 12-8Chapter 12 Configuring a LAN with DHCP and VLANs Configuration Tasks Router# vlan databaseRouter# show vlan-switch 12-9Chapter 12 Configuring a LAN with DHCP and VLANs Configuration Tasks OL-23590-02Cisco 819 Integrated Services Routers Software Configuration Guide 12-10Chapter 12 Configuring a LAN with DHCP and VLANs Configuration Tasks OL-23590-02Configuring a VPN Using Easy VPN and an IPSec Tunnel 13-1C H A P T E R Cisco Easy VPN 13-2Figure 13-1 Remote Access VPN Using IPSec Tunnel 13-3 Configure the IKE PolicyCreate an Easy VPN Remote Configuration, page Configuration TasksThe example specifies a pre-shared key The example specifies 168-bit data encryptionstandard SHA-1 Specifies the Diffie-Hellman group to be used in1. crypto isakmp client configuration group group-name default Configure Group Policy Information13-5 6. ip local pool default poolname low-ip-address high-ip-addressCommand or Action Apply Mode Configuration to the Crypto Map13-6 Technologies Command Reference2. aaa authentication login default list-name method1 method2 Enable Policy Lookup13-7 Command or Action13-8 Configure IPSec Transforms and ProtocolsConfigure the IPSec Crypto Method and Parameters Command or Actioncrypto map configuration mode 13-9Command or Action See Cisco IOS Security Command Reference for2. group group-name key group-key 3. peer ipaddress hostname Create an Easy VPN Remote ConfigurationApply the Crypto Map to the Physical Interface 13-106. interface type number remote configuration appliedthis command would be interface atm 7. crypto ipsec client ezvpn name outside inside 8. exitConfiguration Example Verifying Your Easy VPN Configuration13-12 Command or ActionConfiguration Example 13-13Chapter 13 Configuring a VPN Using Easy VPN and an IPSec Tunnel OL-23590-02Configuration Example 13-14Chapter 13 Configuring a VPN Using Easy VPN and an IPSec Tunnel Cisco 819 Integrated Services Routers Software Configuration GuideUnderstanding Command Modes, page A-2 Getting Help, page A-4 Configuring the Router from a PCConfiguring the Router from a PC, page A-1 Enable Secret Passwords and Enable Passwords, page A-5Understanding Command Modes PC Operating SystemTerminal Emulation Software Enable Passwords” procedure on Access Methodthe “Enable Secret Passwords and ModeAccess Method Getting Helprouter rip-from ModeEnable Secret Passwords and Enable Passwords Entering Global Configuration ModeUndoing Commands Using CommandsAbbreviating Commands Command-Line Error MessagesSaving Configuration Changes Where to Go NextSummary Appendix A Cisco IOS Software Basic Skills Where to Go Next Cisco 819 Integrated Services Routers Software Configuration GuideOL-18906-02 Easy IP Phase 1, page B-6 Easy IP Phase 2, page B-7 QoS, page B-7 PPP Authentication Protocols, page B-3 TACACS+, page B-4Ethernet, page B-4 Dial Backup, page B-5 NAT, page B-6 Access Lists, page B-9Protocol Routing UpdatesRouting Protocol Options Ideal TopologyPPP Authentication Protocols Enhanced IGRPTACACS+ EthernetCHAP Backup Interface, page B-5 Floating Static Routes, page B-5 Dial BackupBackup Interface Floating Static RoutesEasy IP Phase IP Precedence, page B-8 PPP Fragmentation and Interleaving, page B-8 CBWFQ, page B-8 RSVP, page B-8 Low Latency Queuing, page B-9Easy IP Phase CBWFQ IP PrecedencePPP Fragmentation and Interleaving RSVPAccess Lists Low Latency QueuingB-10 Appendix B Concepts Access ListsOL-18906-02 Disaster Recovery with TFTP Download, page C-3 Entering the ROM Monitor, page C-1 ROM Monitor Commands, page C-2Command Descriptions, page C-3 Configuration Register, page C-10 Console Download, page C-12reload ROM Monitor Commandsexit Descriptions” section on page C-3reset or Command DescriptionsDisaster Recovery with TFTP Download Configuration Fundamentals and Network Management GuideVariable TFTP Download Command VariablesRequired Variables CommandCommand Using the TFTP Download CommandOptional Variables VariableExamples Appendix C ROM Monitor Disaster Recovery with TFTP Download Cisco 819 Integrated Services Routers Software Configuration GuideOL-18906-02 Appendix C ROM Monitor Disaster Recovery with TFTP Download Cisco 819 Integrated Services Routers Software Configuration GuideDisaster Recovery with TFTP Download Appendix C ROM MonitorOL-18906-02 Appendix C ROM Monitor Configuration Register Configuration RegisterC-10 Cisco 819 Integrated Services Routers Software Configuration GuideChanging the Configuration Register Manually Changing the Configuration Register Using PromptsC-11 Console Download Command Descriptionrecognize it, the name of the configuration file must be routerconfg xmodem -cyrx destinationfilenameDebug Commands Error ReportingC-13 Exiting the ROM Monitor C-14Port Common Port AssignmentsA P P E N D I X D KeywordDescription PortKeyword Table D-1