Remote Access VPN | Cisco Systems C819HG4GVK9, C819GUK9 guide

Chapter 9 Configuring Security Features

Configuring VPN

Remote Access VPN

The configuration of a remote access VPN uses Cisco Easy VPN and an IP Security (IPSec) tunnel to configure and secure the connection between the remote client and the corporate network. Figure 9-1shows a typical deployment scenario.

Figure 9-1 Remote Access VPN Using IPSec Tunnel

3 4

2

Internet

6

5

121782

	1

1	Remote networked users

2	VPN client—Cisco 819 access router

3	Router—Providing the corporate office network access

4	VPN server—Easy VPN server; for example, a Cisco VPN 3000 concentrator with outside
	interface address 210.110.101.1

5	Corporate office with a network address of 10.1.1.1

6	IPSec tunnel

The Cisco Easy VPN client feature eliminates much of the tedious configuration work by implementing the Cisco Unity Client protocol. This protocol allows most VPN parameters, such as internal IP addresses, internal subnet masks, DHCP server addresses, Windows Internet Naming Service (WINS) server addresses, and split-tunneling flags, to be defined at a VPN server, such as a Cisco VPN 3000 concentrator that is acting as an IPSec server.

A Cisco Easy VPN server–enabled device can terminate VPN tunnels initiated by mobile and remote workers who are running Cisco Easy VPN Remote software on PCs. Cisco Easy VPN server-enabled devices allow remote routers to act as Cisco Easy VPN Remote nodes.

The Cisco Easy VPN client feature can be configured in one of two modes—client mode or network extension mode. Client mode is the default configuration and allows only devices at the client site to access resources at the central site. Resources at the client site are unavailable to the central site.

Network extension mode allows users at the central site (where the VPN 3000 series concentrator is located) to access network resources on the client site.

Cisco 819 Series Integrated Services Routers Software Configuration Guide

	OL-23590-02	9-5

Image 99

Cisco Systems C819HG4GVK9, C819GUK9 manual Remote Access VPN

Contents

Text Part Number OL-23590-02 September 2 Americas HeadquartersPage N T E N T S Data Account Provisioning Configuring a Cellular Interface Specifying a Synchronous Serial Interface Create a Cisco Easy VPN Remote Configuration NAT Getting Help TACACS+ OL-23590-02 General Description Product Overview 1shows the Cisco 819HG ISR New Features 3G FeaturesSKU Information Wlan Features Platform FeaturesSecurity Features ScanSafe Wireless Device Overview Tftp support with Ethernet WAN interface LEDsColor Description Rssi Router# show controllers cellular Wireless Local Area Network Wlan FeaturesDual-Radio LEDs CleanAir TechnologyImages Supported Dynamic Frequency Selection Wlan LED OL-23590-02 4G LTE Wireless WAN OL-23590-02 Basic Router Configuration Default Configuration Interface PortsRouter Interface Port Label Information Needed for Configuration OL-23590-02 Line aux console tty vty line-number Password password Login Configuring Command-Line Access Example Command Purpose Privileged Exec mode Enables password checking at the virtual terminalSession login Exits line configuration mode and returns to Configuring Global Parameters Configuring WAN Interfaces Configuring a Gigabit Ethernet WAN InterfaceNo shutdown Exit Example Configuring the Cellular Wireless WAN Interface Restrictions for Configuring the Cellular Wireless Interface Prerequisites for Configuring the 3G Wireless Interface Data Account Provisioning Command or Action Purpose Displays the cellular gps information Shows the radio signal strengthSignal strength, the network security, and so on Details about the command parameters Cellular unit cdma activate manual mdn msid msl 2lists the modem data profile parametersActivation and Provisioning Process Carrier Manual Activation Activating with Over-the-Air Service Provisioning Cellular cdma activate iotaRouter # cellular 0 cdma activate otasp phonenumber Configuring a Cellular Interface Interface cellular Dialer string string Configuring DDR Enters the global configuration mode Enters global configuration modeEnables DDR and configures the specified serial Specifies the number of the dialer access group to Configures this line for GSM Specifies the line configuration mode. It is alwaysSpecifies a default modem chat script Exits line configuration mode This section provides the following configuration examples Examples for Configuring Cellular Wireless Interfaces Following shows how to configure an HSPA+ modem Tunnel over Cellular Interface Configuration Command Syntax Description Configuring Dual SIM for Cellular Networks Locks or unlocks the SIM Perform the following commands to manually switch the SIMFollowing command forces the modem to connect to SIM1 Cellular GSM SIM Output When Button Is Not Pushed Example Output When Button Is Pushed ExampleRommon Behavior IOS Behavior Configuring a Loopback Interface Configuring the Fast Ethernet LAN InterfacesPush Button in Wlan AP Router# show interface loopback Verifying Configuration Another way to verify the loopback interface is to ping it Configuring Static Routes Configuring Dynamic Routes Verifying ConfigurationExample No auto-summary End Configuring Routing Information ProtocolCommand Task Router rip Version 1 Router eigrp as-number Configuring Enhanced Interior Gateway Routing Protocol Number identifies the route to other Eigrp routers Enters router configuration mode and enablesBe applied, using the IP address of the network Eigrp on the router. The autonomous-system OL-23590-02 Configuring Backup Data Lines and Remote Management Configuring Backup Interfaces819 Yes Be configured to back up a serial 0 interface Enters interface configuration mode forInterface for which you want to configure backup Assigns an interface as the secondary or backup Dialer watch group group-number Configuring Cellular Dial-on-Demand Routing BackupConfiguring DDR Backup Using Dialer Watch Configure terminal Specifies the interface Enables dialer watch on the backup interfaceDo not use the access list permit all command to Using the chat script command Configuring DDR Backup Using Floating Static Route No aaa new-model Source-interface Dialer2 Line vty 0 4 login Scheduler max-task-time Webvpn cef end Dial Backup and Remote Management Through the Auxiliary Port Ip name-server server-address Ip dhcp pool name Exit Pool configuration mode, see the Example Enters Dhcp pool configuration mode. The nameConfigure the Dhcp address pool. For Sample commands that you can use in Dhcp Enters configuration mode for the line interface Enables hardware signal flow control Switches the port from console to auxiliary portExits the configure interface mode Enters configuration mode for the auxiliary Ppp authentication pap callin PC IP address behind CPE OL-23590-02 Router# show environment Environmental and Power Management Cisco EnergyWise Support Environmental and Power Management Cisco EnergyWise Support WAN Concentration Configuring the Serial Interface Configuring Serial Interfaces Product Number Cable Type Length Connector TypeLegacy Protocol Transport Information About Configuring Serial Interfaces Cisco Hdlc EncapsulationPPP Encapsulation Multilink PPP Keepalive Timer Frame Relay Encapsulation This section contains the following tasks How to Configure Serial InterfacesConfiguring a Synchronous Serial Interface LMI on Frame Relay Interfaces Configures synchronous serial encapsulation Specifying a Synchronous Serial InterfaceSpecifying Synchronous Serial Encapsulation Configuring PPP Configures an Sdlc interface for half-duplex modeSignals Nrzi-encoding Configuring Compression of Hdlc DataUsing the Nrzi Line-Coding Format Encapsulation hdlc Compress stac Invert txclock Invert rxclock Inverting the Transmit Clock SignalEnabling the Internal Clock Transmit-clock-internal Setting Transmit Delay Configuring DTR Signal PulsingIgnoring DCD and Monitoring DSR as Line Up/Down Indicator Ignore-dcd Dce-terminal-timing enableConfigures the DCE to use Scte from the DTE Specifying the Serial Network Interface Module Timing Dte-invert-txc Specifies timing configuration to invert TXC clock Understanding Half-Duplex DTE and DCE State Machines Configuring Low-Speed Serial Interfaces Half-Duplex DCE State Machines Half-Duplex DCE Transmit State Machine Constant-carrier mode No half-duplex controlled-carrierPlaces a low-speed serial interface Sdlc cts-delay Sdlc rts-timeout Changing Between Synchronous and Asynchronous ModesPhysical-layer sync async No physical-layer Configuration ExamplesInterface Enablement Configuration Examples Returns the interface to its default mode, which is Synchronous or Asynchronous Mode Examples Half-Duplex Timers ExampleLow-Speed Serial Interface Examples Authentication, Authorization, and Accounting Configuring Security Features ACL Type Configuring AutoSecureConfiguring Access Lists Configuration Commands Access Groups Configuring Cisco IOS Firewall Configuring Cisco IOS IPS Configuring VPNURL Filtering Remote Access VPN Corporate office network Site-to-Site VPNBranch office containing multiple LANs and VLANs VPN client-Cisco 819 ISR Configuration Examples Configure a VPN over an IPSec TunnelConfigure the IKE Policy Command or Action Purpose Domain name Exit Configure Group Policy Information Specifies a local address pool for the group Apply Mode Configuration to the Crypto MapExits IKE group policy configuration mode For details about this command and additional Enable Policy Lookup Configure IPSec Transforms and Protocols Configure the IPSec Crypto Method and ParametersCrypto ipsec profile profile-name See Cisco IOS Security Command Reference for Where to Go Next Apply the Crypto Map to the Physical InterfaceCrypto map map-name Exit Create a Cisco Easy VPN Remote Configuration Crypto ipsec client ezvpn nameCrypto ipsec client ezvpn name outside inside Exit Configuration Example Configure a Site-to-Site GRE Tunnel Creates a tunnel interface and enters interface Returns to global configuration mode No cdp run 10-1 Configuring the Ethernet SwitchesSwitch Port Numbering and Naming Restrictions for the FE Switch Information About Ethernet Switches Storm Control Switched Port AnalyzerOverview of Snmp MIBs Igmp Snooping 10-4 BRIDGE-MIB for Layer 2 Ethernet SwitchingRouterconfig#snmp-server community public RW MIBs MIBs Link 10-5 MAC Address Notification 10-6 How to Configure Ethernet SwitchesConfiguring VLANs VLANs on the FE Ports Comand Purpose Configuring Layer 2 InterfacesSwitchport mode dynamic desirable VLANs on the GE Port Configuring 802.1x Authentication Configuring Spanning Tree Protocol10-8 10-9 Configuring MAC Table ManipulationConfiguring Cisco Discovery Protocol Port Security Configuring Per-Port Storm Control Configuring the Switched Port AnalyzerConfiguring IP Multicast Layer 3 Switching Configuring Igmp Snooping 10-11 Configuring Fallback Bridging 10-12 Managing the Switch 11-1 Configuring PPP over Ethernet with NAT 11-2 Configuration TasksConfigure the Virtual Private Dialup Network Group Number PPPoE 11-3 Configure the Fast Ethernet WAN Interfaces 11-4 Configure the Dialer Interface 11-5 Ip address negotiated Ip mtu bytes 11-6 Configure Network Address Translation 11-7 Ip nat inside outside No shutdown Exit 11-8 11-9 Configuration Example 11-10 11-11 Verifying Your Configuration 11-12 12-1 Configuring a LAN with Dhcp and VLANs Configure Dhcp VLANs12-2 12-3 Detailed Steps 12-4 Verify Your Dhcp Configuration Configure VLANs Vlan ?12-5 12-6 Assign a Switch Port to a VlanSwitchport access vlan vlan-id End Example 12-7 Verify Your Vlan Configuration Router# vlan database 12-8 12-9 Router# show vlan-switch 12-10 13-1 Configuring a VPN Using Easy VPN and an IPSec Tunnel VPN server-Easy VPN server Cisco Easy VPNRemote, networked users VPN client-Cisco 819 ISRs 13-3 Configure the IKE Policy Lifetime seconds Exit 13-5 Configure Group Policy InformationInternet Naming Service Wins servers For the group by using the wins command 13-6 Apply Mode Configuration to the Crypto Map Enable Policy Lookup Login, and specifies the method used13-7 Configure IPSec Transforms and Protocols Configure the IPSec Crypto Method and Parameters13-8 13-9 Create an Easy VPN Remote Configuration Apply the Crypto Map to the Physical Interface13-10 13-11 Mode client network-extension network extension plus Exit Verifying Your Easy VPN Configuration Following example verifies your easy vpn connection13-12 13-13 13-14 Cisco IOS Software Basic Skills Configuring the Router from a PC PC Operating System Terminal Emulation Software Understanding Command Modes As interface atm To exit to user Exec Use this mode toGlobal Enter the configure User Exec Begin a session with Router rip-from Configuration mode Routing protocol AppropriateGetting Help Router Enter one of the router Enable Secret Passwords and Enable Passwords Entering Global Configuration ModeYou can now make changes to your router configuration Command-Line Error Messages Using CommandsAbbreviating Commands Undoing Commands Saving Configuration Changes Where to Go NextSummary OL-18906-02 Network Protocols Concepts Routing Protocol Options Protocol Ideal Topology Metric Routing Updates Enhanced Igrp PPP Authentication Protocols Chap Ethernet Dialer Watch Dial BackupBackup Interface Floating Static Routes Easy IP Phase QoS PPP Fragmentation and Interleaving IP Precedence Low Latency Queuing Access Lists OL-18906-02 Entering the ROM Monitor Configure terminal Enters global configuration modeConfig-reg Resets the configuration register ROM Monitor Prompt increments with each new line ROM Monitor CommandsExits global configuration mode Reload Command Descriptions Disaster Recovery with Tftp DownloadCommand Description Tftp Download Command Variables Variable CommandRequired Variables Using the Tftp Download Command Configures how the router displays fileOptional Variables You will see an output similar to the following Examples Type Embedded AP s Appendix C ROM Monitor Appendix C ROM Monitor Configuration Register Configuration Register Changing the Configuration Register Using Prompts Changing the Configuration Register Manually Console Download Command Description Debug Commands Error ReportingContext-Displays processor context for example Appendix C ROM Monitor Exiting the ROM Monitor Exiting the ROM Monitor Port Keyword Description Common Port Assignments Authentication service Any private RJE serviceISO-Transport Service Access Point Procedure Call