Manuals / Cisco Systems / Power Tools / Router

Cisco Systems C819HG4GVK9, C819GUK9 manual Configuring Security Features, C H A P T E R

Models: C819GUK9

1 196

Download 196 pages 51.42 Kb

Page 95

Configuring Security Features

C H A P T E R 9

Configuring Security Features

This chapter provides an overview of authentication, authorization, and accounting (AAA), which is the primary Cisco framework for implementing selected security features that can be configured on the Cisco 819 Integrated Services Routers (ISRs).

This chapter contains the following sections:

•Authentication, Authorization, and Accounting, page 9-1

•Configuring AutoSecure, page 9-2

•Configuring Access Lists, page 9-2

•Configuring Cisco IOS Firewall, page 9-3

•Configuring Cisco IOS IPS, page 9-4

•URL Filtering, page 9-4

•Configuring VPN, page 9-4

Authentication, Authorization, and Accounting

AAAnetwork security services provide the primary framework through which you set up access control on your router. Authentication provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol you choose, encryption. Authorization provides the method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, Internetwork Packet Exchange (IPX), AppleTalk Remote Access (ARA), and Telnet. Accounting provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes.

AAAuses protocols such as RADIUS, TACACS+, or Kerberos to administer its security functions. If your router is acting as a network access server, AAA is the means through which you establish communication between your network access server and your RADIUS, TACACS+, or Kerberos security server.

Cisco 819 Series Integrated Services Routers Software Configuration Guide

	OL-23590-02	9-1

Image 95

Cisco Systems C819HG4GVK9 Configuring Security Features, Authentication, Authorization, and Accounting, C H A P T E R

Contents

Text Part Number OL-23590-02 September 2 Americas HeadquartersCisco Systems, Inc 170 West Tasman Drive San Jose, CA 800 553-NETS Fax 408THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS Wireless Device Overview Information Needed for ConfigurationNew Features WLAN FeaturesVerifying Configuration Configuring a Cellular InterfacePrerequisites for Configuring the 3G Wireless Interface Configuring DDRConfiguring Security Features Ignoring DCD and Monitoring DSR as Line Up/Down IndicatorConfiguration Examples Interface Enablement Configuration ExamplesConfiguring the Ethernet Switches Configure the IKE PolicyCreate a Cisco Easy VPN Remote Configuration Configure a Site-to-Site GRE TunnelConfiguration Tasks Configure the Virtual Private Dialup Network Group NumberConfiguring VLANs Configuring 802.1x AuthenticationUnderstanding Command Modes Entering Global Configuration Mode A-5Configure the IKE Policy Configure Group Policy InformationROM Monitor Commands Changing the Configuration Register Manually C-11Changing the Configuration Register Using Prompts C-11 Backup InterfaceOL-23590-02 ContentsC H A P T E R General Description, page SKU Information, page New Features, pageProduct Overview General DescriptionOL-23590-02 Figure 1-1 Cisco 819HG Integrated Services RouterFigure 1-2 Cisco 819HGW Integrated Services Router Chapter 1 Product Overview General DescriptionPlatform Features, page Security Features, page New Features3G Features 3G Features, page WLAN Features, page 4G LTE Features, pageSecurity Features WLAN FeaturesPlatform Features LEDs, page Wireless Device OverviewScanSafe ScanSafe, page TFTP support with Ethernet WAN interface, pageDescription TFTP support with Ethernet WAN interfaceLEDs Color3G LED Descriptions continued show platform led for all LEDs show controller cellular 0 for 3G LEDsColor Descriptionrouter# show controllers cellular Chapter 2 Wireless Device Overview LEDsDual-Radio Wireless Local Area NetworkWLAN Features Dual-Radio, page Images Supported, page CleanAir Technology, pageLEDs CleanAir TechnologyImages Supported Dynamic Frequency SelectionWLAN LED Descriptions WLAN LEDColor DescriptionOL-23590-02 Chapter 3 Wireless Local Area Network WLAN FeaturesC H A P T E R 4G LTE Wireless WANOL-23590-02 Chapter 4 4G LTE Wireless WANConfiguring Command-Line Access, page Basic Router ConfigurationInterface Ports, page Default Configuration, page Information Needed for Configuration, pageInterface Default ConfigurationInterface Ports RouterInformation Needed for Configuration If you are setting up IP routing 3G-ACC-OUT-LA-See Cisco 3G Lightning Arrestor 3G-ACC-OUT-LA4. exec-timeout minutes seconds Configuring Command-Line Access1. line aux console tty vty line-number 2. password password 3. loginExample CommandDETAILED STEPS PurposeExample ExampleCommand Purposehostname name Configuring Global Parametersconfigure terminal enable secret passwordConfiguring the Cellular Wireless WAN Interface, page Configuring WAN InterfacesConfiguring a Gigabit Ethernet WAN Interface Configuring a Gigabit Ethernet WAN Interface, pageEnables the Ethernet interface, changing its Configuring the Cellular Wireless WAN InterfaceCommand Enters the configuration mode for a Gigabit5-11 Prerequisites for Configuring the 3G Wireless InterfaceRestrictions for Configuring the Cellular Wireless Interface Command or Action Verifying Signal Strength and Service AvailabilityVerifying Signal Strength and Service Availability, page Configuring a GSM Modem Data Profile, pageCommand or Action Configuring a GSM Modem Data Profile5-13 Command or ActionPassword authenticationType of authentication, for example, CHAP, PAP Username provided by your service provider5-15 Activating with Over-the-Air Service Provisioningcellular cdma activate iota router # cellular 0 cdma activate otasp phonenumber6. asynchronous mode interactive 7. ip address negotiated Configuring a Cellular Interface1. configure terminal 2. interface cellular 3. encapsulation ppp 4. ppp chap hostname hostname 5. ppp chap password 0 password9. ip access-list access list number permit ip source address Configuring DDR1. configure terminal 2. interface cellular 3. dialer in-band 4. dialer idle-timeout seconds 5. dialer string stringPurpose 5-18Command or Action DETAILED STEPSExample 5-19Command or Action PurposeTunnel over Cellular Interface Configuration, page Examples for Configuring Cellular Wireless InterfacesBasic Cellular Interface Configuration Basic Cellular Interface Configuration, pageChapter 5 Basic Router Configuration Configuring WAN Interfaces Tunnel over Cellular Interface ConfigurationConfiguration for 8705 modem 5-21Command Configuring Dual SIM for Cellular NetworksSyntax 5-22Syntax Configuring Router for Image and Config Recovery Using Push Button5-23 CommandIOS Behavior Output When Button Is Not Pushed ExampleOutput When Button Is Pushed Example ROMMON Behavior3. exit Configuring a Loopback InterfaceConfiguring the Fast Ethernet LAN Interfaces Push Button in WLAN APinterface and returns to global configuration Verifying ConfigurationEnters configuration mode for the loopback Exits configuration mode for the loopbackExits router configuration mode and enters Configuring Static RoutesFor details about this command and about IOS IP Routing Protocol-Independent CommandConfiguring Enhanced Interior Gateway Routing Protocol, page Configuring Dynamic RoutesVerifying Configuration Configuring Routing Information Protocol, page3. network ip-address Configuring Routing Information Protocolrouter rip 2. version 13. end Configuring Enhanced Interior Gateway Routing Protocol1. router eigrp as-number 2. network ip-addressExample 5-31Verifying Configuration CommandOL-23590-02 5-32Chapter 5 Basic Router Configuration Configuring Dynamic Routes Configuring Cellular Dial-on-Demand Routing Backup, page Configuring Backup Data Lines and Remote ManagementConfiguring Backup Interfaces Configuring Backup Interfaces, pageSUMMARY STEPS 2. backup interface interface-type interface-number1. interface type number Command6. ip access-list access list number permit ip source address Configuring Cellular Dial-on-Demand Routing BackupConfiguring DDR Backup Using Dialer Watch 1. configure terminalExample Command or ActionDETAILED STEPS PurposeCommand or Action Configuring DDR Backup Using Floating Static RouteCellular Wireless Modem as Backup with NAT and IPsec Configuration 1. configure terminalno aaa new-model Chapter 6 Configuring Backup Data Lines and Remote ManagementConfiguring Cellular Dial-on-Demand Routing Backup OL-23590-02 Chapter 6 Configuring Backup Data Lines and Remote ManagementConfiguring Cellular Dial-on-Demand Routing Backup route-map track-primary-if permit 10 match ip address line con no modem enable line aux 0 lineexec-timeout 0 0 script dialer gsm login line vty 0 4 loginCisco 819 router 1 A6. exit 15. modem enable 16. exit1. ip name-server server-address 2. ip dhcp pool name 3. exit 4. chat-script script-name expect-send 5. interface type numberDETAILED STEPS section on page6-11 CommandDefines an extended access list that indicates Exits the interface configuration modeEnables dynamic translation of addresses on the a default gatewaymodem enable 6-13Command Chapter 6 Configuring Backup Data Lines and Remote ManagementChapter 6 Configuring Backup Data Lines and Remote Management 6-14OL-23590-02 6-15Chapter 6 Configuring Backup Data Lines and Remote Management no ip http server ip pim bidir-enableOL-23590-02 6-16Chapter 6 Configuring Backup Data Lines and Remote Management C H A P T E R Environmental and Power ManagementCisco EnergyWise Support How to Configure Serial Interfaces, page Configuration Examples, page Configuring the Serial InterfaceLegacy Protocol Transport, page Configuring Serial Interfaces, page Information About Configuring Serial Interfaces, pageProduct Number Configuring Serial InterfacesConnector Type Legacy Protocol TransportPPP Encapsulation Information About Configuring Serial InterfacesKeepalive Timer, page Frame Relay Encapsulation, page Cisco HDLC EncapsulationMultilink PPP Keepalive TimerOL-23590-02 Frame Relay EncapsulationChapter 8 Configuring the Serial Interface Information About Configuring Serial InterfacesConfiguring Low-Speed Serial Interfaces, page How to Configure Serial InterfacesConfiguring a Synchronous Serial Interface Configuring a Synchronous Serial Interface, pageSetting Transmit Delay, page 8-11 Optional Configuring Compression of HDLC Data, page 8-9 OptionalUsing the NRZI Line-Coding Format, page 8-9 Optional Inverting the Transmit Clock Signal, page 8-10 OptionalCommand Configuring PPPConfiguring Bisync Command1. nrzi-encoding Configuring Compression of HDLC DataUsing the NRZI Line-Coding Format 1. encapsulation hdlc 2. compress stac1. invert txclock 2. invert rxclock Inverting the Transmit Clock SignalEnabling the Internal Clock 1. transmit-clock-internal8-11 Setting Transmit DelayConfiguring DTR Signal Pulsing Ignoring DCD and Monitoring DSR as Line Up/Down Indicator1. ignore-dcd 1. dce-terminal-timing enableConfigures the DCE to use SCTE from the DTE Specifying the Serial Network Interface Module TimingChapter 8 Configuring the Serial Interface 1. dte-invert-txc8-13 Command or ActionUnderstanding Half-Duplex DTE and DCE State Machines, page Configuring Low-Speed Serial InterfacesUnderstanding Half-Duplex DTE and DCE State Machines Half-Duplex DTE State MachinesHalf-Duplex DTE Receive State Machine Half-Duplex DCE State Machines8-15 Half-Duplex DCE Transmit State Machine 8-16Command or Action Placing a Low-Speed Serial Interface in Constant-Carrier Mode1. no half-duplex controlled-carrier 8-171. physical-layer sync async Tuning Half-Duplex Timerssdlc cts-delay sdlc rts-timeout Changing Between Synchronous and Asynchronous Modes8-19 Configuration ExamplesInterface Enablement Configuration Examples 1. no physical-layerSynchronous or Asynchronous Mode Examples Half-Duplex Timers ExampleHalf-Duplex Timers Example, page Low-Speed Serial Interface ExamplesConfiguring AutoSecure, page Configuring Access Lists, page Configuring Security FeaturesAuthentication, Authorization, and Accounting Authentication, Authorization, and Accounting, pageaccess-list 1-99permit deny source-addr source-mask Configuring AutoSecureConfiguring Access Lists Configuration Commandsip inspect name inspection-name protocol timeout seconds Configuring Cisco IOS FirewallAccess Groups Configuration Examples, page Configuring Cisco IOS IPSConfiguring VPN Remote Access VPN, page Site-to-Site VPN, pageRemote Access VPN Library, Cisco IOS Release 12.4T Site-to-Site VPNConfigure the IKE Policy, page Configuration ExamplesConfigure a VPN over an IPSec Tunnel Configure the IKE PolicyExits IKE policy configuration mode and enters Command or ActionMD5 algorithm. The default is Secure Hash Specifies the authentication method used in the2. key name Configure Group Policy Information1. crypto isakmp client configuration group group-name default 6. ip local pool default poolname low-ip-address high-ip-address2. crypto map tag client configuration address initiate respond Apply Mode Configuration to the Crypto MapTechnologies Command Reference 1. crypto map map-name isakmp authorization list list-nameIOS Security Command Reference Enable Policy Lookup2. aaa authentication login default list-name method1 method2 details, see Securing User Services ConfigurationSee Secure Connectivity Configuration Guide Configure IPSec Transforms and ProtocolsConfigure the IPSec Crypto Method and Parameters Configures IPSec profile to apply protection onReturns to global configuration mode crypto map configuration modeSee Cisco IOS Security Command Reference for more details about this command2. crypto map map-name 3. exit Where to Go NextEnters the interface configuration mode for the Apply the Crypto Map to the Physical Interfacehostname resolution Create a Cisco Easy VPN Remote ConfigurationCreates a Cisco Easy VPN remote configuration and enters Cisco Easy VPN remote configurationPurpose Configuration Example9-16 Command or Action3. tunnel source interface-type number Configure a Site-to-Site GRE Tunnel4. tunnel destination default-gateway-ip-address 7. ip access-list standard extended access-list-nameCreates a tunnel interface and enters interface tunnel interface must be configured toExits interface configuration mode and returns to Enters ACL configuration mode for the named9-19 Returns to global configuration modeSpecifies that only GRE traffic is permitted on the outbound interfacehash md5 authentication pre-share crypto isakmp key cisco123 address 9-20Chapter 9 Configuring Security Features Configuring VPN Switch Port Numbering and Naming, page Configuring the Ethernet SwitchesSwitch Port Numbering and Naming Restrictions for the FE SwitchVLANs and VLAN Trunk Protocol, page Layer 2 Ethernet Switching, page Information About Ethernet SwitchesLayer 2 Ethernet Switching 802.1x AuthenticationStorm Control Switched Port AnalyzerOverview of SNMP MIBs IGMP SnoopingMIBs Link BRIDGE-MIB for Layer 2 Ethernet SwitchingRouterconfig#snmp-server community public RW MIBsRouterconfig#snmp-server community public RW MAC Address Notification10-5 Routerconfig#Routersnmp-server group public v2c context bridge-groupConfiguring 802.1x Authentication, page How to Configure Ethernet SwitchesConfiguring VLANs Configuring VLANs, page Configuring Layer 2 Interfaces, pageComand Configuring Layer 2 Interfacesswitchport mode dynamic desirable VLANs on the GE Port10-8 Configuring 802.1x AuthenticationConfiguring Spanning Tree Protocol Port Security Configuring MAC Table ManipulationConfiguring Cisco Discovery Protocol ManipulationConfiguring Per-Port Storm Control Configuring the Switched Port AnalyzerConfiguring IP Multicast Layer 3 Switching Configuring IGMP Snooping10-11 Configuring Fallback Bridging10-12 Managing the SwitchC H A P T E R Configuring PPP over Ethernet with NAT11-1 Configure the Fast Ethernet WAN Interfaces, page Configuration TasksConfigure the Virtual Private Dialup Network Group Number Configure the Virtual Private Dialup Network Group Number, pageDETAILED STEPS Configure the Fast Ethernet WAN Interfaces11-3 Command or ActionEnables the Fast Ethernet interface and the Configure the Dialer InterfaceEnters interface configuration mode for a Configures the PPPoE client and specifies the2. ip address negotiated 3. ip mtu bytes 5. ppp authentication protocol1 protocol2 6. dialer pool numberCommand Reference 1. interface dialer dialer-rotary-group-numberFor details about this command and additional Configure Network Address TranslationUsing a dialer group controls access to Exits the dialer 0 interface configuration11-7 3. interface type number4. ip nat inside outside 5. no shutdown 6. exit 8. ip nat inside outside 9. no shutdown 10. exitand Services by the access list 1 to be translated to one of thepermitted by access list acl1 to be translated to one Command Reference, Volume 1 of 4 AddressingWAN interface FE4 to be the outside interface Configuration ExampleEnters configuration mode for the Fast Ethernet Defines a standard access list indicating whichvpdn enable vpdn-group 1 request-dialin protocol pppoe 11-10Chapter 11 Configuring PPP over Ethernet with NAT Configuration ExampleConfiguration Example Verifying Your Configuration11-11 Chapter 11 Configuring PPP over Ethernet with NATOL-23590-02 11-12Chapter 11 Configuring PPP over Ethernet with NAT Configuration ExampleC H A P T E R Configuring a LAN with DHCP and VLANsDHCP 12-1VLANs Configure DHCPConfigure DHCP, page Configure VLANs, page 7. default-router address address2...address8Specifies up to eight default routers for a DHCP Identifies the default domain that the router uses toresolution enters DHCP pool configuration mode. The nameDHCP client Verify Your DHCP ConfigurationExits DHCP configuration mode and enters global Specifies up to eight DNS servers available to aChapter 12 Configuring a LAN with DHCP and VLANs Configuration Tasks Configure VLANs1. vlan ? 2. ISL VLAN ID 3. exit 12-52. switchport access vlan vlan-id 3. end Assign a Switch Port to a VLANServices Command Reference 1. interface switch port idAssigns a port to the VLAN Verify Your VLAN ConfigurationSpecifies the switch port that you want to assign to the VLANRouter# vlan database 12-8Chapter 12 Configuring a LAN with DHCP and VLANs Configuration Tasks Cisco 819 Integrated Services Routers Software Configuration GuideOL-23590-02 12-9Chapter 12 Configuring a LAN with DHCP and VLANs Configuration Tasks Router# show vlan-switchOL-23590-02 12-10Chapter 12 Configuring a LAN with DHCP and VLANs Configuration Tasks Cisco 819 Integrated Services Routers Software Configuration GuideC H A P T E R Configuring a VPN Using Easy VPN and an IPSec Tunnel13-1 Figure 13-1 Remote Access VPN Using IPSec Tunnel Cisco Easy VPN13-2 Configuration Tasks Configure the IKE PolicyCreate an Easy VPN Remote Configuration, page 13-3Specifies the Diffie-Hellman group to be used in The example specifies 168-bit data encryptionstandard SHA-1 The example specifies a pre-shared key6. ip local pool default poolname low-ip-address high-ip-address Configure Group Policy Information13-5 1. crypto isakmp client configuration group group-name defaultTechnologies Command Reference Apply Mode Configuration to the Crypto Map13-6 Command or ActionCommand or Action Enable Policy Lookup13-7 2. aaa authentication login default list-name method1 method2Command or Action Configure IPSec Transforms and ProtocolsConfigure the IPSec Crypto Method and Parameters 13-8See Cisco IOS Security Command Reference for 13-9Command or Action crypto map configuration mode13-10 Create an Easy VPN Remote ConfigurationApply the Crypto Map to the Physical Interface 2. group group-name key group-key 3. peer ipaddress hostname7. crypto ipsec client ezvpn name outside inside 8. exit remote configuration appliedthis command would be interface atm 6. interface type numberCommand or Action Verifying Your Easy VPN Configuration13-12 Configuration ExampleOL-23590-02 13-13Chapter 13 Configuring a VPN Using Easy VPN and an IPSec Tunnel Configuration ExampleCisco 819 Integrated Services Routers Software Configuration Guide 13-14Chapter 13 Configuring a VPN Using Easy VPN and an IPSec Tunnel Configuration ExampleEnable Secret Passwords and Enable Passwords, page A-5 Configuring the Router from a PCConfiguring the Router from a PC, page A-1 Understanding Command Modes, page A-2 Getting Help, page A-4Terminal Emulation Software Understanding Command ModesPC Operating System Mode Access Methodthe “Enable Secret Passwords and Enable Passwords” procedure onMode Getting Helprouter rip-from Access MethodEntering Global Configuration Mode Enable Secret Passwords and Enable PasswordsCommand-Line Error Messages Using CommandsAbbreviating Commands Undoing CommandsSummary Saving Configuration ChangesWhere to Go Next OL-18906-02 Appendix A Cisco IOS Software Basic Skills Where to Go NextCisco 819 Integrated Services Routers Software Configuration Guide Access Lists, page B-9 PPP Authentication Protocols, page B-3 TACACS+, page B-4Ethernet, page B-4 Dial Backup, page B-5 NAT, page B-6 Easy IP Phase 1, page B-6 Easy IP Phase 2, page B-7 QoS, page B-7Ideal Topology Routing UpdatesRouting Protocol Options ProtocolEnhanced IGRP PPP Authentication ProtocolsCHAP TACACS+Ethernet Floating Static Routes Dial BackupBackup Interface Backup Interface, page B-5 Floating Static Routes, page B-5Easy IP Phase Easy IP Phase IP Precedence, page B-8 PPP Fragmentation and Interleaving, page B-8CBWFQ, page B-8 RSVP, page B-8 Low Latency Queuing, page B-9 RSVP IP PrecedencePPP Fragmentation and Interleaving CBWFQLow Latency Queuing Access ListsOL-18906-02 B-10Appendix B Concepts Access Lists Configuration Register, page C-10 Console Download, page C-12 Entering the ROM Monitor, page C-1 ROM Monitor Commands, page C-2Command Descriptions, page C-3 Disaster Recovery with TFTP Download, page C-3Descriptions” section on page C-3 ROM Monitor Commandsexit reloadConfiguration Fundamentals and Network Management Guide Command DescriptionsDisaster Recovery with TFTP Download reset orCommand TFTP Download Command VariablesRequired Variables VariableVariable Using the TFTP Download CommandOptional Variables CommandExamples OL-18906-02 Appendix C ROM Monitor Disaster Recovery with TFTP DownloadCisco 819 Integrated Services Routers Software Configuration Guide Cisco 819 Integrated Services Routers Software Configuration Guide Appendix C ROM Monitor Disaster Recovery with TFTP DownloadOL-18906-02 Disaster Recovery with TFTP DownloadAppendix C ROM Monitor Cisco 819 Integrated Services Routers Software Configuration Guide Configuration RegisterC-10 Appendix C ROM Monitor Configuration RegisterC-11 Changing the Configuration Register ManuallyChanging the Configuration Register Using Prompts xmodem -cyrx destinationfilename Command Descriptionrecognize it, the name of the configuration file must be routerconfg Console DownloadC-13 Debug CommandsError Reporting C-14 Exiting the ROM MonitorKeyword Common Port AssignmentsA P P E N D I X D PortTable D-1 PortKeyword Description