Configuring Security Features | Cisco Systems C819HG4GVK9, C819GUK9

C H A P T E R 9

Configuring Security Features

This chapter provides an overview of authentication, authorization, and accounting (AAA), which is the primary Cisco framework for implementing selected security features that can be configured on the Cisco 819 Integrated Services Routers (ISRs).

This chapter contains the following sections:

•Authentication, Authorization, and Accounting, page 9-1

•Configuring AutoSecure, page 9-2

•Configuring Access Lists, page 9-2

•Configuring Cisco IOS Firewall, page 9-3

•Configuring Cisco IOS IPS, page 9-4

•URL Filtering, page 9-4

•Configuring VPN, page 9-4

Authentication, Authorization, and Accounting

AAAnetwork security services provide the primary framework through which you set up access control on your router. Authentication provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol you choose, encryption. Authorization provides the method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, Internetwork Packet Exchange (IPX), AppleTalk Remote Access (ARA), and Telnet. Accounting provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes.

AAAuses protocols such as RADIUS, TACACS+, or Kerberos to administer its security functions. If your router is acting as a network access server, AAA is the means through which you establish communication between your network access server and your RADIUS, TACACS+, or Kerberos security server.

Cisco 819 Series Integrated Services Routers Software Configuration Guide

	OL-23590-02	9-1

Image 95

Cisco Systems C819HG4GVK9, C819GUK9 manual Configuring Security Features, Authentication, Authorization, and Accounting

Contents

Text Part Number OL-23590-02 September 2 Americas HeadquartersPage N T E N T S Data Account Provisioning Configuring a Cellular Interface Specifying a Synchronous Serial Interface Create a Cisco Easy VPN Remote Configuration NAT Getting Help TACACS+ OL-23590-02 General Description Product Overview 1shows the Cisco 819HG ISR SKU Information New Features3G Features Security Features Wlan FeaturesPlatform Features ScanSafe Wireless Device Overview Color Description Tftp support with Ethernet WAN interfaceLEDs Rssi Router# show controllers cellular Dual-Radio Wireless Local Area NetworkWlan Features LEDs CleanAir TechnologyImages Supported Dynamic Frequency Selection Wlan LED OL-23590-02 4G LTE Wireless WAN OL-23590-02 Basic Router Configuration Router Interface Port Label Default ConfigurationInterface Ports Information Needed for Configuration OL-23590-02 Line aux console tty vty line-number Password password Login Configuring Command-Line Access Example Command Purpose Privileged Exec mode Enables password checking at the virtual terminalSession login Exits line configuration mode and returns to Configuring Global Parameters No shutdown Exit Configuring WAN InterfacesConfiguring a Gigabit Ethernet WAN Interface Example Configuring the Cellular Wireless WAN Interface Restrictions for Configuring the Cellular Wireless Interface Prerequisites for Configuring the 3G Wireless Interface Data Account Provisioning Command or Action Purpose Displays the cellular gps information Shows the radio signal strengthSignal strength, the network security, and so on Details about the command parameters Cellular unit cdma activate manual mdn msid msl 2lists the modem data profile parametersActivation and Provisioning Process Carrier Manual Activation Router # cellular 0 cdma activate otasp phonenumber Activating with Over-the-Air Service ProvisioningCellular cdma activate iota Configuring a Cellular Interface Interface cellular Dialer string string Configuring DDR Enters the global configuration mode Enters global configuration modeEnables DDR and configures the specified serial Specifies the number of the dialer access group to Configures this line for GSM Specifies the line configuration mode. It is alwaysSpecifies a default modem chat script Exits line configuration mode This section provides the following configuration examples Examples for Configuring Cellular Wireless Interfaces Following shows how to configure an HSPA+ modem Tunnel over Cellular Interface Configuration Command Syntax Description Configuring Dual SIM for Cellular Networks Locks or unlocks the SIM Perform the following commands to manually switch the SIMFollowing command forces the modem to connect to SIM1 Cellular GSM SIM Rommon Behavior IOS Behavior Output When Button Is Not Pushed ExampleOutput When Button Is Pushed Example Push Button in Wlan AP Configuring a Loopback InterfaceConfiguring the Fast Ethernet LAN Interfaces Router# show interface loopback Verifying Configuration Another way to verify the loopback interface is to ping it Configuring Static Routes Example Configuring Dynamic RoutesVerifying Configuration No auto-summary End Configuring Routing Information ProtocolCommand Task Router rip Version 1 Router eigrp as-number Configuring Enhanced Interior Gateway Routing Protocol Number identifies the route to other Eigrp routers Enters router configuration mode and enablesBe applied, using the IP address of the network Eigrp on the router. The autonomous-system OL-23590-02 819 Yes Configuring Backup Data Lines and Remote ManagementConfiguring Backup Interfaces Be configured to back up a serial 0 interface Enters interface configuration mode forInterface for which you want to configure backup Assigns an interface as the secondary or backup Dialer watch group group-number Configuring Cellular Dial-on-Demand Routing BackupConfiguring DDR Backup Using Dialer Watch Configure terminal Specifies the interface Enables dialer watch on the backup interfaceDo not use the access list permit all command to Using the chat script command Configuring DDR Backup Using Floating Static Route No aaa new-model Source-interface Dialer2 Line vty 0 4 login Scheduler max-task-time Webvpn cef end Dial Backup and Remote Management Through the Auxiliary Port Ip name-server server-address Ip dhcp pool name Exit Pool configuration mode, see the Example Enters Dhcp pool configuration mode. The nameConfigure the Dhcp address pool. For Sample commands that you can use in Dhcp Enters configuration mode for the line interface Enables hardware signal flow control Switches the port from console to auxiliary portExits the configure interface mode Enters configuration mode for the auxiliary Ppp authentication pap callin PC IP address behind CPE OL-23590-02 Router# show environment Environmental and Power Management Cisco EnergyWise Support Environmental and Power Management Cisco EnergyWise Support WAN Concentration Configuring the Serial Interface Legacy Protocol Transport Configuring Serial InterfacesProduct Number Cable Type Length Connector Type PPP Encapsulation Information About Configuring Serial InterfacesCisco Hdlc Encapsulation Multilink PPP Keepalive Timer Frame Relay Encapsulation This section contains the following tasks How to Configure Serial InterfacesConfiguring a Synchronous Serial Interface LMI on Frame Relay Interfaces Specifying Synchronous Serial Encapsulation Configures synchronous serial encapsulationSpecifying a Synchronous Serial Interface Signals Configuring PPPConfigures an Sdlc interface for half-duplex mode Nrzi-encoding Configuring Compression of Hdlc DataUsing the Nrzi Line-Coding Format Encapsulation hdlc Compress stac Invert txclock Invert rxclock Inverting the Transmit Clock SignalEnabling the Internal Clock Transmit-clock-internal Ignoring DCD and Monitoring DSR as Line Up/Down Indicator Setting Transmit DelayConfiguring DTR Signal Pulsing Ignore-dcd Dce-terminal-timing enableConfigures the DCE to use Scte from the DTE Specifying the Serial Network Interface Module Timing Dte-invert-txc Specifies timing configuration to invert TXC clock Understanding Half-Duplex DTE and DCE State Machines Configuring Low-Speed Serial Interfaces Half-Duplex DCE State Machines Half-Duplex DCE Transmit State Machine Places a low-speed serial interface Constant-carrier modeNo half-duplex controlled-carrier Physical-layer sync async Sdlc cts-delay Sdlc rts-timeoutChanging Between Synchronous and Asynchronous Modes No physical-layer Configuration ExamplesInterface Enablement Configuration Examples Returns the interface to its default mode, which is Low-Speed Serial Interface Examples Synchronous or Asynchronous Mode ExamplesHalf-Duplex Timers Example Authentication, Authorization, and Accounting Configuring Security Features ACL Type Configuring AutoSecureConfiguring Access Lists Configuration Commands Access Groups Configuring Cisco IOS Firewall URL Filtering Configuring Cisco IOS IPSConfiguring VPN Remote Access VPN Corporate office network Site-to-Site VPNBranch office containing multiple LANs and VLANs VPN client-Cisco 819 ISR Configure the IKE Policy Configuration ExamplesConfigure a VPN over an IPSec Tunnel Command or Action Purpose Domain name Exit Configure Group Policy Information Specifies a local address pool for the group Apply Mode Configuration to the Crypto MapExits IKE group policy configuration mode For details about this command and additional Enable Policy Lookup Crypto ipsec profile profile-name Configure IPSec Transforms and ProtocolsConfigure the IPSec Crypto Method and Parameters See Cisco IOS Security Command Reference for Crypto map map-name Exit Where to Go NextApply the Crypto Map to the Physical Interface Crypto ipsec client ezvpn name outside inside Exit Create a Cisco Easy VPN Remote ConfigurationCrypto ipsec client ezvpn name Configuration Example Configure a Site-to-Site GRE Tunnel Creates a tunnel interface and enters interface Returns to global configuration mode No cdp run 10-1 Configuring the Ethernet SwitchesSwitch Port Numbering and Naming Restrictions for the FE Switch Information About Ethernet Switches Storm Control Switched Port AnalyzerOverview of Snmp MIBs Igmp Snooping 10-4 BRIDGE-MIB for Layer 2 Ethernet SwitchingRouterconfig#snmp-server community public RW MIBs MIBs Link 10-5 MAC Address Notification 10-6 How to Configure Ethernet SwitchesConfiguring VLANs VLANs on the FE Ports Comand Purpose Configuring Layer 2 InterfacesSwitchport mode dynamic desirable VLANs on the GE Port 10-8 Configuring 802.1x AuthenticationConfiguring Spanning Tree Protocol 10-9 Configuring MAC Table ManipulationConfiguring Cisco Discovery Protocol Port Security Configuring Per-Port Storm Control Configuring the Switched Port AnalyzerConfiguring IP Multicast Layer 3 Switching Configuring Igmp Snooping 10-11 Configuring Fallback Bridging 10-12 Managing the Switch 11-1 Configuring PPP over Ethernet with NAT 11-2 Configuration TasksConfigure the Virtual Private Dialup Network Group Number PPPoE 11-3 Configure the Fast Ethernet WAN Interfaces 11-4 Configure the Dialer Interface 11-5 Ip address negotiated Ip mtu bytes 11-6 Configure Network Address Translation 11-7 Ip nat inside outside No shutdown Exit 11-8 11-9 Configuration Example 11-10 11-11 Verifying Your Configuration 11-12 12-1 Configuring a LAN with Dhcp and VLANs 12-2 Configure DhcpVLANs 12-3 Detailed Steps 12-4 Verify Your Dhcp Configuration 12-5 Configure VLANsVlan ? 12-6 Assign a Switch Port to a VlanSwitchport access vlan vlan-id End Example 12-7 Verify Your Vlan Configuration Router# vlan database 12-8 12-9 Router# show vlan-switch 12-10 13-1 Configuring a VPN Using Easy VPN and an IPSec Tunnel VPN server-Easy VPN server Cisco Easy VPNRemote, networked users VPN client-Cisco 819 ISRs 13-3 Configure the IKE Policy Lifetime seconds Exit 13-5 Configure Group Policy InformationInternet Naming Service Wins servers For the group by using the wins command 13-6 Apply Mode Configuration to the Crypto Map 13-7 Enable Policy LookupLogin, and specifies the method used 13-8 Configure IPSec Transforms and ProtocolsConfigure the IPSec Crypto Method and Parameters 13-9 13-10 Create an Easy VPN Remote ConfigurationApply the Crypto Map to the Physical Interface 13-11 Mode client network-extension network extension plus Exit 13-12 Verifying Your Easy VPN ConfigurationFollowing example verifies your easy vpn connection 13-13 13-14 Cisco IOS Software Basic Skills Configuring the Router from a PC PC Operating System Terminal Emulation Software Understanding Command Modes As interface atm To exit to user Exec Use this mode toGlobal Enter the configure User Exec Begin a session with Router rip-from Configuration mode Routing protocol AppropriateGetting Help Router Enter one of the router You can now make changes to your router configuration Enable Secret Passwords and Enable PasswordsEntering Global Configuration Mode Command-Line Error Messages Using CommandsAbbreviating Commands Undoing Commands Summary Saving Configuration ChangesWhere to Go Next OL-18906-02 Network Protocols Concepts Routing Protocol Options Protocol Ideal Topology Metric Routing Updates Enhanced Igrp PPP Authentication Protocols Chap Ethernet Dialer Watch Dial BackupBackup Interface Floating Static Routes Easy IP Phase QoS PPP Fragmentation and Interleaving IP Precedence Low Latency Queuing Access Lists OL-18906-02 Entering the ROM Monitor Configure terminal Enters global configuration modeConfig-reg Resets the configuration register ROM Monitor Prompt increments with each new line ROM Monitor CommandsExits global configuration mode Reload Command Description Command DescriptionsDisaster Recovery with Tftp Download Required Variables Tftp Download Command VariablesVariable Command Optional Variables Using the Tftp Download CommandConfigures how the router displays file You will see an output similar to the following Examples Type Embedded AP s Appendix C ROM Monitor Appendix C ROM Monitor Configuration Register Configuration Register Changing the Configuration Register Using Prompts Changing the Configuration Register Manually Console Download Command Description Context-Displays processor context for example Debug CommandsError Reporting Appendix C ROM Monitor Exiting the ROM Monitor Exiting the ROM Monitor Port Keyword Description Common Port Assignments Authentication service Any private RJE serviceISO-Transport Service Access Point Procedure Call