Manuals / Cisco Systems / Power Tools / Router

Cisco Systems C819HG4GVK9, C819GUK9 manual Remote Access VPN

Models: C819GUK9

1 196

Download 196 pages 51.42 Kb

Page 99

Remote Access VPN

Chapter 9 Configuring Security Features

Configuring VPN

Remote Access VPN

The configuration of a remote access VPN uses Cisco Easy VPN and an IP Security (IPSec) tunnel to configure and secure the connection between the remote client and the corporate network. Figure 9-1shows a typical deployment scenario.

Figure 9-1 Remote Access VPN Using IPSec Tunnel

3 4

2

Internet

6

5

121782

	1

1	Remote networked users

2	VPN client—Cisco 819 access router

3	Router—Providing the corporate office network access

4	VPN server—Easy VPN server; for example, a Cisco VPN 3000 concentrator with outside
	interface address 210.110.101.1

5	Corporate office with a network address of 10.1.1.1

6	IPSec tunnel

The Cisco Easy VPN client feature eliminates much of the tedious configuration work by implementing the Cisco Unity Client protocol. This protocol allows most VPN parameters, such as internal IP addresses, internal subnet masks, DHCP server addresses, Windows Internet Naming Service (WINS) server addresses, and split-tunneling flags, to be defined at a VPN server, such as a Cisco VPN 3000 concentrator that is acting as an IPSec server.

A Cisco Easy VPN server–enabled device can terminate VPN tunnels initiated by mobile and remote workers who are running Cisco Easy VPN Remote software on PCs. Cisco Easy VPN server-enabled devices allow remote routers to act as Cisco Easy VPN Remote nodes.

The Cisco Easy VPN client feature can be configured in one of two modes—client mode or network extension mode. Client mode is the default configuration and allows only devices at the client site to access resources at the central site. Resources at the client site are unavailable to the central site.

Network extension mode allows users at the central site (where the VPN 3000 series concentrator is located) to access network resources on the client site.

Cisco 819 Series Integrated Services Routers Software Configuration Guide

	OL-23590-02	9-5

Image 99

Cisco Systems C819HG4GVK9, C819GUK9 manual Remote Access VPN

Contents

Text Part Number OL-23590-02 September 2 Americas HeadquartersCisco Systems, Inc 170 West Tasman Drive San Jose, CA 800 553-NETS Fax 408THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS Wireless Device Overview Information Needed for ConfigurationNew Features WLAN FeaturesVerifying Configuration Configuring a Cellular InterfacePrerequisites for Configuring the 3G Wireless Interface Configuring DDRConfiguring Security Features Ignoring DCD and Monitoring DSR as Line Up/Down IndicatorConfiguration Examples Interface Enablement Configuration ExamplesConfiguring the Ethernet Switches Configure the IKE PolicyCreate a Cisco Easy VPN Remote Configuration Configure a Site-to-Site GRE TunnelConfiguration Tasks Configure the Virtual Private Dialup Network Group NumberConfiguring VLANs Configuring 802.1x AuthenticationUnderstanding Command Modes Entering Global Configuration Mode A-5Configure the IKE Policy Configure Group Policy InformationROM Monitor Commands Changing the Configuration Register Manually C-11Changing the Configuration Register Using Prompts C-11 Backup InterfaceOL-23590-02 ContentsC H A P T E R General Description, page SKU Information, page New Features, pageProduct Overview General DescriptionOL-23590-02 Figure 1-1 Cisco 819HG Integrated Services RouterFigure 1-2 Cisco 819HGW Integrated Services Router Chapter 1 Product Overview General DescriptionPlatform Features, page Security Features, page New Features3G Features 3G Features, page WLAN Features, page 4G LTE Features, pageWLAN Features Platform FeaturesSecurity Features LEDs, page Wireless Device OverviewScanSafe ScanSafe, page TFTP support with Ethernet WAN interface, pageDescription TFTP support with Ethernet WAN interfaceLEDs Color3G LED Descriptions continued show platform led for all LEDs show controller cellular 0 for 3G LEDsColor Descriptionrouter# show controllers cellular Chapter 2 Wireless Device Overview LEDsDual-Radio Wireless Local Area NetworkWLAN Features Dual-Radio, page Images Supported, page CleanAir Technology, pageLEDs CleanAir TechnologyImages Supported Dynamic Frequency SelectionWLAN LED Descriptions WLAN LEDColor DescriptionOL-23590-02 Chapter 3 Wireless Local Area Network WLAN FeaturesC H A P T E R 4G LTE Wireless WANOL-23590-02 Chapter 4 4G LTE Wireless WANConfiguring Command-Line Access, page Basic Router ConfigurationInterface Ports, page Default Configuration, page Information Needed for Configuration, pageInterface Default ConfigurationInterface Ports RouterInformation Needed for Configuration If you are setting up IP routing 3G-ACC-OUT-LA-See Cisco 3G Lightning Arrestor 3G-ACC-OUT-LA4. exec-timeout minutes seconds Configuring Command-Line Access1. line aux console tty vty line-number 2. password password 3. loginExample CommandDETAILED STEPS PurposeExample ExampleCommand Purposehostname name Configuring Global Parametersconfigure terminal enable secret passwordConfiguring the Cellular Wireless WAN Interface, page Configuring WAN InterfacesConfiguring a Gigabit Ethernet WAN Interface Configuring a Gigabit Ethernet WAN Interface, pageEnables the Ethernet interface, changing its Configuring the Cellular Wireless WAN InterfaceCommand Enters the configuration mode for a GigabitPrerequisites for Configuring the 3G Wireless Interface Restrictions for Configuring the Cellular Wireless Interface5-11 Command or Action Verifying Signal Strength and Service AvailabilityVerifying Signal Strength and Service Availability, page Configuring a GSM Modem Data Profile, pageCommand or Action Configuring a GSM Modem Data Profile5-13 Command or ActionPassword authenticationType of authentication, for example, CHAP, PAP Username provided by your service provider5-15 Activating with Over-the-Air Service Provisioningcellular cdma activate iota router # cellular 0 cdma activate otasp phonenumber6. asynchronous mode interactive 7. ip address negotiated Configuring a Cellular Interface1. configure terminal 2. interface cellular 3. encapsulation ppp 4. ppp chap hostname hostname 5. ppp chap password 0 password9. ip access-list access list number permit ip source address Configuring DDR1. configure terminal 2. interface cellular 3. dialer in-band 4. dialer idle-timeout seconds 5. dialer string stringPurpose 5-18Command or Action DETAILED STEPSExample 5-19Command or Action PurposeTunnel over Cellular Interface Configuration, page Examples for Configuring Cellular Wireless InterfacesBasic Cellular Interface Configuration Basic Cellular Interface Configuration, pageChapter 5 Basic Router Configuration Configuring WAN Interfaces Tunnel over Cellular Interface ConfigurationConfiguration for 8705 modem 5-21Command Configuring Dual SIM for Cellular NetworksSyntax 5-22Syntax Configuring Router for Image and Config Recovery Using Push Button5-23 CommandIOS Behavior Output When Button Is Not Pushed ExampleOutput When Button Is Pushed Example ROMMON Behavior3. exit Configuring a Loopback InterfaceConfiguring the Fast Ethernet LAN Interfaces Push Button in WLAN APinterface and returns to global configuration Verifying ConfigurationEnters configuration mode for the loopback Exits configuration mode for the loopbackExits router configuration mode and enters Configuring Static RoutesFor details about this command and about IOS IP Routing Protocol-Independent CommandConfiguring Enhanced Interior Gateway Routing Protocol, page Configuring Dynamic RoutesVerifying Configuration Configuring Routing Information Protocol, page3. network ip-address Configuring Routing Information Protocolrouter rip 2. version 13. end Configuring Enhanced Interior Gateway Routing Protocol1. router eigrp as-number 2. network ip-addressExample 5-31Verifying Configuration Command5-32 Chapter 5 Basic Router Configuration Configuring Dynamic RoutesOL-23590-02 Configuring Cellular Dial-on-Demand Routing Backup, page Configuring Backup Data Lines and Remote ManagementConfiguring Backup Interfaces Configuring Backup Interfaces, pageSUMMARY STEPS 2. backup interface interface-type interface-number1. interface type number Command6. ip access-list access list number permit ip source address Configuring Cellular Dial-on-Demand Routing BackupConfiguring DDR Backup Using Dialer Watch 1. configure terminalExample Command or ActionDETAILED STEPS PurposeCommand or Action Configuring DDR Backup Using Floating Static RouteCellular Wireless Modem as Backup with NAT and IPsec Configuration 1. configure terminalChapter 6 Configuring Backup Data Lines and Remote Management Configuring Cellular Dial-on-Demand Routing Backupno aaa new-model Chapter 6 Configuring Backup Data Lines and Remote Management Configuring Cellular Dial-on-Demand Routing BackupOL-23590-02 route-map track-primary-if permit 10 match ip address line con no modem enable line aux 0 lineexec-timeout 0 0 script dialer gsm login line vty 0 4 loginCisco 819 router 1 A6. exit 15. modem enable 16. exit1. ip name-server server-address 2. ip dhcp pool name 3. exit 4. chat-script script-name expect-send 5. interface type numberDETAILED STEPS section on page6-11 CommandDefines an extended access list that indicates Exits the interface configuration modeEnables dynamic translation of addresses on the a default gatewaymodem enable 6-13Command Chapter 6 Configuring Backup Data Lines and Remote ManagementChapter 6 Configuring Backup Data Lines and Remote Management 6-14OL-23590-02 6-15Chapter 6 Configuring Backup Data Lines and Remote Management no ip http server ip pim bidir-enable6-16 Chapter 6 Configuring Backup Data Lines and Remote ManagementOL-23590-02 C H A P T E R Environmental and Power ManagementCisco EnergyWise Support How to Configure Serial Interfaces, page Configuration Examples, page Configuring the Serial InterfaceLegacy Protocol Transport, page Configuring Serial Interfaces, page Information About Configuring Serial Interfaces, pageProduct Number Configuring Serial InterfacesConnector Type Legacy Protocol TransportPPP Encapsulation Information About Configuring Serial InterfacesKeepalive Timer, page Frame Relay Encapsulation, page Cisco HDLC EncapsulationMultilink PPP Keepalive TimerOL-23590-02 Frame Relay EncapsulationChapter 8 Configuring the Serial Interface Information About Configuring Serial InterfacesConfiguring Low-Speed Serial Interfaces, page How to Configure Serial InterfacesConfiguring a Synchronous Serial Interface Configuring a Synchronous Serial Interface, pageSetting Transmit Delay, page 8-11 Optional Configuring Compression of HDLC Data, page 8-9 OptionalUsing the NRZI Line-Coding Format, page 8-9 Optional Inverting the Transmit Clock Signal, page 8-10 OptionalCommand Configuring PPPConfiguring Bisync Command1. nrzi-encoding Configuring Compression of HDLC DataUsing the NRZI Line-Coding Format 1. encapsulation hdlc 2. compress stac1. invert txclock 2. invert rxclock Inverting the Transmit Clock SignalEnabling the Internal Clock 1. transmit-clock-internal8-11 Setting Transmit DelayConfiguring DTR Signal Pulsing Ignoring DCD and Monitoring DSR as Line Up/Down Indicator1. ignore-dcd 1. dce-terminal-timing enableConfigures the DCE to use SCTE from the DTE Specifying the Serial Network Interface Module TimingChapter 8 Configuring the Serial Interface 1. dte-invert-txc8-13 Command or ActionUnderstanding Half-Duplex DTE and DCE State Machines, page Configuring Low-Speed Serial InterfacesUnderstanding Half-Duplex DTE and DCE State Machines Half-Duplex DTE State MachinesHalf-Duplex DCE State Machines 8-15Half-Duplex DTE Receive State Machine Half-Duplex DCE Transmit State Machine 8-16Command or Action Placing a Low-Speed Serial Interface in Constant-Carrier Mode1. no half-duplex controlled-carrier 8-171. physical-layer sync async Tuning Half-Duplex Timerssdlc cts-delay sdlc rts-timeout Changing Between Synchronous and Asynchronous Modes8-19 Configuration ExamplesInterface Enablement Configuration Examples 1. no physical-layerSynchronous or Asynchronous Mode Examples Half-Duplex Timers ExampleHalf-Duplex Timers Example, page Low-Speed Serial Interface ExamplesConfiguring AutoSecure, page Configuring Access Lists, page Configuring Security FeaturesAuthentication, Authorization, and Accounting Authentication, Authorization, and Accounting, pageaccess-list 1-99permit deny source-addr source-mask Configuring AutoSecureConfiguring Access Lists Configuration CommandsConfiguring Cisco IOS Firewall Access Groupsip inspect name inspection-name protocol timeout seconds Configuration Examples, page Configuring Cisco IOS IPSConfiguring VPN Remote Access VPN, page Site-to-Site VPN, pageRemote Access VPN Library, Cisco IOS Release 12.4T Site-to-Site VPNConfigure the IKE Policy, page Configuration ExamplesConfigure a VPN over an IPSec Tunnel Configure the IKE PolicyExits IKE policy configuration mode and enters Command or ActionMD5 algorithm. The default is Secure Hash Specifies the authentication method used in the2. key name Configure Group Policy Information1. crypto isakmp client configuration group group-name default 6. ip local pool default poolname low-ip-address high-ip-address2. crypto map tag client configuration address initiate respond Apply Mode Configuration to the Crypto MapTechnologies Command Reference 1. crypto map map-name isakmp authorization list list-nameIOS Security Command Reference Enable Policy Lookup2. aaa authentication login default list-name method1 method2 details, see Securing User Services ConfigurationSee Secure Connectivity Configuration Guide Configure IPSec Transforms and ProtocolsConfigure the IPSec Crypto Method and Parameters Configures IPSec profile to apply protection onReturns to global configuration mode crypto map configuration modeSee Cisco IOS Security Command Reference for more details about this command2. crypto map map-name 3. exit Where to Go NextEnters the interface configuration mode for the Apply the Crypto Map to the Physical Interfacehostname resolution Create a Cisco Easy VPN Remote ConfigurationCreates a Cisco Easy VPN remote configuration and enters Cisco Easy VPN remote configurationPurpose Configuration Example9-16 Command or Action3. tunnel source interface-type number Configure a Site-to-Site GRE Tunnel4. tunnel destination default-gateway-ip-address 7. ip access-list standard extended access-list-nameCreates a tunnel interface and enters interface tunnel interface must be configured toExits interface configuration mode and returns to Enters ACL configuration mode for the named9-19 Returns to global configuration modeSpecifies that only GRE traffic is permitted on the outbound interface9-20 Chapter 9 Configuring Security Features Configuring VPNhash md5 authentication pre-share crypto isakmp key cisco123 address Switch Port Numbering and Naming, page Configuring the Ethernet SwitchesSwitch Port Numbering and Naming Restrictions for the FE SwitchVLANs and VLAN Trunk Protocol, page Layer 2 Ethernet Switching, page Information About Ethernet SwitchesLayer 2 Ethernet Switching 802.1x AuthenticationStorm Control Switched Port AnalyzerOverview of SNMP MIBs IGMP SnoopingMIBs Link BRIDGE-MIB for Layer 2 Ethernet SwitchingRouterconfig#snmp-server community public RW MIBsRouterconfig#snmp-server community public RW MAC Address Notification10-5 Routerconfig#Routersnmp-server group public v2c context bridge-groupConfiguring 802.1x Authentication, page How to Configure Ethernet SwitchesConfiguring VLANs Configuring VLANs, page Configuring Layer 2 Interfaces, pageComand Configuring Layer 2 Interfacesswitchport mode dynamic desirable VLANs on the GE PortConfiguring 802.1x Authentication Configuring Spanning Tree Protocol10-8 Port Security Configuring MAC Table ManipulationConfiguring Cisco Discovery Protocol ManipulationConfiguring Per-Port Storm Control Configuring the Switched Port AnalyzerConfiguring IP Multicast Layer 3 Switching Configuring IGMP Snooping10-11 Configuring Fallback Bridging10-12 Managing the SwitchConfiguring PPP over Ethernet with NAT 11-1C H A P T E R Configure the Fast Ethernet WAN Interfaces, page Configuration TasksConfigure the Virtual Private Dialup Network Group Number Configure the Virtual Private Dialup Network Group Number, pageDETAILED STEPS Configure the Fast Ethernet WAN Interfaces11-3 Command or ActionEnables the Fast Ethernet interface and the Configure the Dialer InterfaceEnters interface configuration mode for a Configures the PPPoE client and specifies the2. ip address negotiated 3. ip mtu bytes 5. ppp authentication protocol1 protocol2 6. dialer pool numberCommand Reference 1. interface dialer dialer-rotary-group-numberFor details about this command and additional Configure Network Address TranslationUsing a dialer group controls access to Exits the dialer 0 interface configuration11-7 3. interface type number4. ip nat inside outside 5. no shutdown 6. exit 8. ip nat inside outside 9. no shutdown 10. exitand Services by the access list 1 to be translated to one of thepermitted by access list acl1 to be translated to one Command Reference, Volume 1 of 4 AddressingWAN interface FE4 to be the outside interface Configuration ExampleEnters configuration mode for the Fast Ethernet Defines a standard access list indicating whichvpdn enable vpdn-group 1 request-dialin protocol pppoe 11-10Chapter 11 Configuring PPP over Ethernet with NAT Configuration ExampleConfiguration Example Verifying Your Configuration11-11 Chapter 11 Configuring PPP over Ethernet with NATOL-23590-02 11-12Chapter 11 Configuring PPP over Ethernet with NAT Configuration ExampleC H A P T E R Configuring a LAN with DHCP and VLANsDHCP 12-1VLANs Configure DHCPConfigure DHCP, page Configure VLANs, page 7. default-router address address2...address8Specifies up to eight default routers for a DHCP Identifies the default domain that the router uses toresolution enters DHCP pool configuration mode. The nameDHCP client Verify Your DHCP ConfigurationExits DHCP configuration mode and enters global Specifies up to eight DNS servers available to aChapter 12 Configuring a LAN with DHCP and VLANs Configuration Tasks Configure VLANs1. vlan ? 2. ISL VLAN ID 3. exit 12-52. switchport access vlan vlan-id 3. end Assign a Switch Port to a VLANServices Command Reference 1. interface switch port idAssigns a port to the VLAN Verify Your VLAN ConfigurationSpecifies the switch port that you want to assign to the VLANRouter# vlan database 12-8Chapter 12 Configuring a LAN with DHCP and VLANs Configuration Tasks Cisco 819 Integrated Services Routers Software Configuration GuideOL-23590-02 12-9Chapter 12 Configuring a LAN with DHCP and VLANs Configuration Tasks Router# show vlan-switchOL-23590-02 12-10Chapter 12 Configuring a LAN with DHCP and VLANs Configuration Tasks Cisco 819 Integrated Services Routers Software Configuration GuideConfiguring a VPN Using Easy VPN and an IPSec Tunnel 13-1C H A P T E R Cisco Easy VPN 13-2Figure 13-1 Remote Access VPN Using IPSec Tunnel Configuration Tasks Configure the IKE PolicyCreate an Easy VPN Remote Configuration, page 13-3Specifies the Diffie-Hellman group to be used in The example specifies 168-bit data encryptionstandard SHA-1 The example specifies a pre-shared key6. ip local pool default poolname low-ip-address high-ip-address Configure Group Policy Information13-5 1. crypto isakmp client configuration group group-name defaultTechnologies Command Reference Apply Mode Configuration to the Crypto Map13-6 Command or ActionCommand or Action Enable Policy Lookup13-7 2. aaa authentication login default list-name method1 method2Command or Action Configure IPSec Transforms and ProtocolsConfigure the IPSec Crypto Method and Parameters 13-8See Cisco IOS Security Command Reference for 13-9Command or Action crypto map configuration mode13-10 Create an Easy VPN Remote ConfigurationApply the Crypto Map to the Physical Interface 2. group group-name key group-key 3. peer ipaddress hostname7. crypto ipsec client ezvpn name outside inside 8. exit remote configuration appliedthis command would be interface atm 6. interface type numberCommand or Action Verifying Your Easy VPN Configuration13-12 Configuration ExampleOL-23590-02 13-13Chapter 13 Configuring a VPN Using Easy VPN and an IPSec Tunnel Configuration ExampleCisco 819 Integrated Services Routers Software Configuration Guide 13-14Chapter 13 Configuring a VPN Using Easy VPN and an IPSec Tunnel Configuration ExampleEnable Secret Passwords and Enable Passwords, page A-5 Configuring the Router from a PCConfiguring the Router from a PC, page A-1 Understanding Command Modes, page A-2 Getting Help, page A-4Understanding Command Modes PC Operating SystemTerminal Emulation Software Mode Access Methodthe “Enable Secret Passwords and Enable Passwords” procedure onMode Getting Helprouter rip-from Access MethodEntering Global Configuration Mode Enable Secret Passwords and Enable PasswordsCommand-Line Error Messages Using CommandsAbbreviating Commands Undoing CommandsSaving Configuration Changes Where to Go NextSummary Appendix A Cisco IOS Software Basic Skills Where to Go Next Cisco 819 Integrated Services Routers Software Configuration GuideOL-18906-02 Access Lists, page B-9 PPP Authentication Protocols, page B-3 TACACS+, page B-4Ethernet, page B-4 Dial Backup, page B-5 NAT, page B-6 Easy IP Phase 1, page B-6 Easy IP Phase 2, page B-7 QoS, page B-7Ideal Topology Routing UpdatesRouting Protocol Options ProtocolEnhanced IGRP PPP Authentication ProtocolsTACACS+ EthernetCHAP Floating Static Routes Dial BackupBackup Interface Backup Interface, page B-5 Floating Static Routes, page B-5Easy IP Phase IP Precedence, page B-8 PPP Fragmentation and Interleaving, page B-8 CBWFQ, page B-8 RSVP, page B-8 Low Latency Queuing, page B-9Easy IP Phase RSVP IP PrecedencePPP Fragmentation and Interleaving CBWFQLow Latency Queuing Access ListsB-10 Appendix B Concepts Access ListsOL-18906-02 Configuration Register, page C-10 Console Download, page C-12 Entering the ROM Monitor, page C-1 ROM Monitor Commands, page C-2Command Descriptions, page C-3 Disaster Recovery with TFTP Download, page C-3Descriptions” section on page C-3 ROM Monitor Commandsexit reloadConfiguration Fundamentals and Network Management Guide Command DescriptionsDisaster Recovery with TFTP Download reset orCommand TFTP Download Command VariablesRequired Variables VariableVariable Using the TFTP Download CommandOptional Variables CommandExamples Appendix C ROM Monitor Disaster Recovery with TFTP Download Cisco 819 Integrated Services Routers Software Configuration GuideOL-18906-02 Cisco 819 Integrated Services Routers Software Configuration Guide Appendix C ROM Monitor Disaster Recovery with TFTP DownloadDisaster Recovery with TFTP Download Appendix C ROM MonitorOL-18906-02 Cisco 819 Integrated Services Routers Software Configuration Guide Configuration RegisterC-10 Appendix C ROM Monitor Configuration RegisterChanging the Configuration Register Manually Changing the Configuration Register Using PromptsC-11 xmodem -cyrx destinationfilename Command Descriptionrecognize it, the name of the configuration file must be routerconfg Console DownloadDebug Commands Error ReportingC-13 C-14 Exiting the ROM MonitorKeyword Common Port AssignmentsA P P E N D I X D PortTable D-1 PortKeyword Description