13-9 | Cisco Systems C819HG4GVK9, C819GUK9 specification

Chapter 13 Configuring a VPN Using Easy VPN and an IPSec Tunnel

Configuration Tasks

SUMMARY STEPS

1.crypto dynamic-mapdynamic-map-name dynamic-seq-num

2.set transform-settransform-set-name [transform-set-name2...transform-set-name6]

3.reverse-route

4.exit

5.crypto map map-nameseq-num[ipsec-isakmp] [dynamic dynamic-map-name] [discover] [profile profile-name]

DETAILED STEPS

	Command or Action	Purpose
Step 1
Step 1	crypto dynamic-map dynamic-map-name	Creates a dynamic crypto map entry and enters
	dynamic-seq-num	crypto map configuration mode.
	Example:	See Cisco IOS Security Command Reference for
	Example:	more details about this command.
	Router(config)# crypto dynamic-map dynmap 1	more details about this command.
	Router(config)# crypto dynamic-map dynmap 1
	Router(config-crypto-map)#
Step 2
Step 2	set transform-set transform-set-name	Specifies which transform sets can be used with
	[transform-set-name2...transform-set-name6]	the crypto map entry.
	Example:
	Router(config-crypto-map)# set
	transform-set vpn1
	Router(config-crypto-map)#
Step 3
Step 3	reverse-route	Creates source proxy information for the crypto
	Example:	map entry.
	Example:	See Cisco IOS Security Command Reference for
	Router(config-crypto-map)# reverse-route	See Cisco IOS Security Command Reference for
	Router(config-crypto-map)# reverse-route	details.
	Router(config-crypto-map)#	details.
	Router(config-crypto-map)#
Step 4
Step 4	exit	Returns to global configuration mode.
	Example:
	Router(config-crypto-map)# exit
	Router(config)#
Step 5
Step 5	crypto map map-nameseq-num[ipsec-isakmp]	Creates a crypto map profile.
	[dynamic dynamic-map-name] [discover]
	[profile profile-name]
	Example:
	Router(config)# crypto map static-map 1
	ipsec-isakmp dynamic dynmap
	Router(config)#

		Cisco 819 Integrated Services Routers Software Configuration Guide

	OL-23590-02			13-9
	OL-23590-02			13-9

Image 157

Cisco Systems C819HG4GVK9, C819GUK9 manual 13-9

Contents

Text Part Number OL-23590-02 September 2 Americas HeadquartersPage N T E N T S Data Account Provisioning Configuring a Cellular Interface Specifying a Synchronous Serial Interface Create a Cisco Easy VPN Remote Configuration NAT Getting Help TACACS+ OL-23590-02 General Description Product Overview 1shows the Cisco 819HG ISR 3G Features New FeaturesSKU Information Platform Features Wlan FeaturesSecurity Features ScanSafe Wireless Device Overview LEDs Tftp support with Ethernet WAN interfaceColor Description Rssi Router# show controllers cellular Wlan Features Wireless Local Area NetworkDual-Radio Images Supported CleanAir TechnologyDynamic Frequency Selection LEDs Wlan LED OL-23590-02 4G LTE Wireless WAN OL-23590-02 Basic Router Configuration Interface Ports Default ConfigurationRouter Interface Port Label Information Needed for Configuration OL-23590-02 Line aux console tty vty line-number Password password Login Configuring Command-Line Access Example Command Purpose Session login Enables password checking at the virtual terminalExits line configuration mode and returns to Privileged Exec mode Configuring Global Parameters Configuring a Gigabit Ethernet WAN Interface Configuring WAN InterfacesNo shutdown Exit Example Configuring the Cellular Wireless WAN Interface Restrictions for Configuring the Cellular Wireless Interface Prerequisites for Configuring the 3G Wireless Interface Data Account Provisioning Command or Action Purpose Signal strength, the network security, and so on Shows the radio signal strengthDetails about the command parameters Displays the cellular gps information Activation and Provisioning Process Carrier 2lists the modem data profile parametersManual Activation Cellular unit cdma activate manual mdn msid msl Cellular cdma activate iota Activating with Over-the-Air Service ProvisioningRouter # cellular 0 cdma activate otasp phonenumber Configuring a Cellular Interface Interface cellular Dialer string string Configuring DDR Enables DDR and configures the specified serial Enters global configuration modeSpecifies the number of the dialer access group to Enters the global configuration mode Specifies a default modem chat script Specifies the line configuration mode. It is alwaysExits line configuration mode Configures this line for GSM This section provides the following configuration examples Examples for Configuring Cellular Wireless Interfaces Following shows how to configure an HSPA+ modem Tunnel over Cellular Interface Configuration Command Syntax Description Configuring Dual SIM for Cellular Networks Following command forces the modem to connect to SIM1 Perform the following commands to manually switch the SIMCellular GSM SIM Locks or unlocks the SIM Output When Button Is Pushed Example Output When Button Is Not Pushed ExampleRommon Behavior IOS Behavior Configuring the Fast Ethernet LAN Interfaces Configuring a Loopback InterfacePush Button in Wlan AP Router# show interface loopback Verifying Configuration Another way to verify the loopback interface is to ping it Configuring Static Routes Verifying Configuration Configuring Dynamic RoutesExample Command Task Configuring Routing Information ProtocolRouter rip Version 1 No auto-summary End Router eigrp as-number Configuring Enhanced Interior Gateway Routing Protocol Be applied, using the IP address of the network Enters router configuration mode and enablesEigrp on the router. The autonomous-system Number identifies the route to other Eigrp routers OL-23590-02 Configuring Backup Interfaces Configuring Backup Data Lines and Remote Management819 Yes Interface for which you want to configure backup Enters interface configuration mode forAssigns an interface as the secondary or backup Be configured to back up a serial 0 interface Configuring DDR Backup Using Dialer Watch Configuring Cellular Dial-on-Demand Routing BackupConfigure terminal Dialer watch group group-number Do not use the access list permit all command to Enables dialer watch on the backup interfaceUsing the chat script command Specifies the interface Configuring DDR Backup Using Floating Static Route No aaa new-model Source-interface Dialer2 Line vty 0 4 login Scheduler max-task-time Webvpn cef end Dial Backup and Remote Management Through the Auxiliary Port Ip name-server server-address Ip dhcp pool name Exit Configure the Dhcp address pool. For Enters Dhcp pool configuration mode. The nameSample commands that you can use in Dhcp Pool configuration mode, see the Example Enters configuration mode for the line interface Exits the configure interface mode Switches the port from console to auxiliary portEnters configuration mode for the auxiliary Enables hardware signal flow control Ppp authentication pap callin PC IP address behind CPE OL-23590-02 Router# show environment Environmental and Power Management Cisco EnergyWise Support Environmental and Power Management Cisco EnergyWise Support WAN Concentration Configuring the Serial Interface Product Number Cable Type Length Connector Type Configuring Serial InterfacesLegacy Protocol Transport Cisco Hdlc Encapsulation Information About Configuring Serial InterfacesPPP Encapsulation Multilink PPP Keepalive Timer Frame Relay Encapsulation Configuring a Synchronous Serial Interface How to Configure Serial InterfacesLMI on Frame Relay Interfaces This section contains the following tasks Specifying a Synchronous Serial Interface Configures synchronous serial encapsulationSpecifying Synchronous Serial Encapsulation Configures an Sdlc interface for half-duplex mode Configuring PPPSignals Using the Nrzi Line-Coding Format Configuring Compression of Hdlc DataEncapsulation hdlc Compress stac Nrzi-encoding Enabling the Internal Clock Inverting the Transmit Clock SignalTransmit-clock-internal Invert txclock Invert rxclock Configuring DTR Signal Pulsing Setting Transmit DelayIgnoring DCD and Monitoring DSR as Line Up/Down Indicator Configures the DCE to use Scte from the DTE Dce-terminal-timing enableSpecifying the Serial Network Interface Module Timing Ignore-dcd Dte-invert-txc Specifies timing configuration to invert TXC clock Understanding Half-Duplex DTE and DCE State Machines Configuring Low-Speed Serial Interfaces Half-Duplex DCE State Machines Half-Duplex DCE Transmit State Machine No half-duplex controlled-carrier Constant-carrier modePlaces a low-speed serial interface Changing Between Synchronous and Asynchronous Modes Sdlc cts-delay Sdlc rts-timeoutPhysical-layer sync async Interface Enablement Configuration Examples Configuration ExamplesReturns the interface to its default mode, which is No physical-layer Half-Duplex Timers Example Synchronous or Asynchronous Mode ExamplesLow-Speed Serial Interface Examples Authentication, Authorization, and Accounting Configuring Security Features Configuring Access Lists Configuring AutoSecureConfiguration Commands ACL Type Access Groups Configuring Cisco IOS Firewall Configuring VPN Configuring Cisco IOS IPSURL Filtering Remote Access VPN Branch office containing multiple LANs and VLANs Site-to-Site VPNVPN client-Cisco 819 ISR Corporate office network Configure a VPN over an IPSec Tunnel Configuration ExamplesConfigure the IKE Policy Command or Action Purpose Domain name Exit Configure Group Policy Information Exits IKE group policy configuration mode Apply Mode Configuration to the Crypto MapFor details about this command and additional Specifies a local address pool for the group Enable Policy Lookup Configure the IPSec Crypto Method and Parameters Configure IPSec Transforms and ProtocolsCrypto ipsec profile profile-name See Cisco IOS Security Command Reference for Apply the Crypto Map to the Physical Interface Where to Go NextCrypto map map-name Exit Crypto ipsec client ezvpn name Create a Cisco Easy VPN Remote ConfigurationCrypto ipsec client ezvpn name outside inside Exit Configuration Example Configure a Site-to-Site GRE Tunnel Creates a tunnel interface and enters interface Returns to global configuration mode No cdp run Switch Port Numbering and Naming Configuring the Ethernet SwitchesRestrictions for the FE Switch 10-1 Information About Ethernet Switches Overview of Snmp MIBs Switched Port AnalyzerIgmp Snooping Storm Control Routerconfig#snmp-server community public RW BRIDGE-MIB for Layer 2 Ethernet SwitchingMIBs MIBs Link 10-4 10-5 MAC Address Notification Configuring VLANs How to Configure Ethernet SwitchesVLANs on the FE Ports 10-6 Switchport mode dynamic desirable Configuring Layer 2 InterfacesVLANs on the GE Port Comand Purpose Configuring Spanning Tree Protocol Configuring 802.1x Authentication10-8 Configuring Cisco Discovery Protocol Configuring MAC Table ManipulationPort Security 10-9 Configuring IP Multicast Layer 3 Switching Configuring the Switched Port AnalyzerConfiguring Igmp Snooping Configuring Per-Port Storm Control 10-11 Configuring Fallback Bridging 10-12 Managing the Switch 11-1 Configuring PPP over Ethernet with NAT Configure the Virtual Private Dialup Network Group Number Configuration TasksPPPoE 11-2 11-3 Configure the Fast Ethernet WAN Interfaces 11-4 Configure the Dialer Interface 11-5 Ip address negotiated Ip mtu bytes 11-6 Configure Network Address Translation 11-7 Ip nat inside outside No shutdown Exit 11-8 11-9 Configuration Example 11-10 11-11 Verifying Your Configuration 11-12 12-1 Configuring a LAN with Dhcp and VLANs VLANs Configure Dhcp12-2 12-3 Detailed Steps 12-4 Verify Your Dhcp Configuration Vlan ? Configure VLANs12-5 Switchport access vlan vlan-id End Assign a Switch Port to a VlanExample 12-6 12-7 Verify Your Vlan Configuration Router# vlan database 12-8 12-9 Router# show vlan-switch 12-10 13-1 Configuring a VPN Using Easy VPN and an IPSec Tunnel Remote, networked users Cisco Easy VPNVPN client-Cisco 819 ISRs VPN server-Easy VPN server 13-3 Configure the IKE Policy Lifetime seconds Exit Internet Naming Service Wins servers Configure Group Policy InformationFor the group by using the wins command 13-5 13-6 Apply Mode Configuration to the Crypto Map Login, and specifies the method used Enable Policy Lookup13-7 Configure the IPSec Crypto Method and Parameters Configure IPSec Transforms and Protocols13-8 13-9 Apply the Crypto Map to the Physical Interface Create an Easy VPN Remote Configuration13-10 13-11 Mode client network-extension network extension plus Exit Following example verifies your easy vpn connection Verifying Your Easy VPN Configuration13-12 13-13 13-14 Cisco IOS Software Basic Skills Configuring the Router from a PC PC Operating System Terminal Emulation Software Understanding Command Modes Global Enter the configure To exit to user Exec Use this mode toUser Exec Begin a session with As interface atm Getting Help Configuration mode Routing protocol AppropriateRouter Enter one of the router Router rip-from Entering Global Configuration Mode Enable Secret Passwords and Enable PasswordsYou can now make changes to your router configuration Abbreviating Commands Using CommandsUndoing Commands Command-Line Error Messages Where to Go Next Saving Configuration ChangesSummary OL-18906-02 Network Protocols Concepts Routing Protocol Options Protocol Ideal Topology Metric Routing Updates Enhanced Igrp PPP Authentication Protocols Chap Ethernet Backup Interface Dial BackupFloating Static Routes Dialer Watch Easy IP Phase QoS PPP Fragmentation and Interleaving IP Precedence Low Latency Queuing Access Lists OL-18906-02 Config-reg Resets the configuration register Configure terminal Enters global configuration modeROM Monitor Entering the ROM Monitor Exits global configuration mode ROM Monitor CommandsReload Prompt increments with each new line Disaster Recovery with Tftp Download Command DescriptionsCommand Description Variable Command Tftp Download Command VariablesRequired Variables Configures how the router displays file Using the Tftp Download CommandOptional Variables You will see an output similar to the following Examples Type Embedded AP s Appendix C ROM Monitor Appendix C ROM Monitor Configuration Register Configuration Register Changing the Configuration Register Using Prompts Changing the Configuration Register Manually Console Download Command Description Error Reporting Debug CommandsContext-Displays processor context for example Appendix C ROM Monitor Exiting the ROM Monitor Exiting the ROM Monitor Port Keyword Description Common Port Assignments ISO-Transport Service Access Point Any private RJE serviceProcedure Call Authentication service