Manuals / Cisco Systems / Power Tools / Saw

Cisco Systems OL-6426-02 manual Configuring Security Features, 12-1

Models: OL-6426-02

1 196

Download 196 pages 47.1 Kb

Page 121

C H A P T E R 12

Configuring Security Features

This chapter gives an overview of authentication, authorization, and accounting (AAA), the primary Cisco framework for implementing selected security features that can be configured on the Cisco 1800 integrated services fixed-configuration routers.

Note Individual router models may not support every feature described throughout this guide. Features not supported by a particular router are indicated whenever possible.

This chapter contains the following sections:

•Authentication, Authorization, and Accounting

•Configuring AutoSecure

•Configuring Access Lists

•Configuring a CBAC Firewall

•Configuring Cisco IOS Firewall IDS

•Configuring VPNs

Each section includes a configuration example and verification steps, where available.

Authentication, Authorization, and Accounting

AAAnetwork security services provide the primary framework through which you set up access control on your router. Authentication provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol you choose, encryption. Authorization provides the method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, Internetwork Packet Exchange (IPX), AppleTalk Remote Access (ARA), and Telnet. Accounting provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes.

AAAuses protocols such as RADIUS, TACACS+, or Kerberos to administer its security functions. If your router is acting as a network access server, AAA is the means through which you establish communication between your network access server and your RADIUS, TACACS+, or Kerberos security server.

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

	OL-6426-02	12-1

Image 121

Cisco Systems OL-6426-02 manual Configuring Security Features, Authentication, Authorization, and Accounting, 12-1

Contents

Cisco Systems, Inc Page N T E N T S Configuring Your Router for Ethernet and DSL Access 802.1x Authentication Configure the IPSec Crypto Method and Parameters Configuring Backup Interfaces Chap Configuration Register C-6 OL-6426-02 Audience PrefaceChapter Title Description OrganizationVPN Conventions Command ConventionsConvention Description BoldfaceObtaining Documentation Related DocumentsCisco.com Cisco Product Security Overview Documentation FeedbackDocumentation DVD Ordering DocumentationObtaining Technical Assistance Reporting Security Problems in Cisco ProductsCisco Technical Support Website An emergency, you can also reach Psirt by telephone 877 408Definitions of Service Request Severity Submitting a Service RequestObtaining Additional Publications and Information Getting Started Page Interface Port Labels Basic Router ConfigurationRouter Interface Port Label ADSLoISDN Viewing the Default ConfigurationATM WAN Shdsl USB ModemExample 1-1 Cisco 1812 Default Configuration on Startup Information Needed for Configuration To configure the router, perform one or more of these tasks Configuring Basic ParametersConfigure Fast Ethernet LAN Interfaces Configure Global ParametersCommand Purpose ExampleConfigure the Fast Ethernet WAN Interface Configure WAN InterfacesMode atm Exit Configure the ATM WAN InterfaceController dsl No shutdownConfiguring a Loopback Interface Configure the Wireless InterfaceConfiguration Example Verifying Your Configuration Configuring Command-Line Access to the RouterPassword password Line aux console tty vty line-numberExec-timeout minutes seconds LoginEnd Exits router configuration mode, and enters Configuring Static RoutesPrivileged Exec mode Parameters that can be set, see the Cisco IOS IPConfiguration Example Configuring Dynamic RoutesVerifying Your Configuration Command Task Configuring RIPRouter rip Version 1Enters router configuration mode, and enables Configuring Enhanced IgrpEigrp on the router. The autonomous-system Number identifies the route to other Eigrp routersRouterconfig# network Be applied, using the IP address of the networkSpecifies a list of networks on which Eigrp is to Configuring Your Router for Ethernet and DSL Access Page For Ethernet-Based Network Deployments Sample Network DeploymentsFor DSL-Based Network Deployments OL-6426-02 Configuring PPP over Ethernet with NAT Command or Action Purpose Configuration TasksVpdn enable PPPoERequest-dialin Configure the Fast Ethernet WAN InterfacesInitiate to ip ip-address Protocol l2f l2tp pppoe anyThese steps to configure one or both of them Cisco 1800 integrated services routers haveConfigures the PPPoE client and specifies Enables the Fast Ethernet interfaceConfigure the Dialer Interface Exits the dialer 0 interface configuration Using a dialer group controls access toAssigns the dialer interface to a dialer group Your routerConfigure Network Address Translation Ip nat inside outside Access-list access-list-number deny permitSource source-wildcard Configuration Example Router# show ip nat statistics PPP over ATM with NAT Configuring PPP over ATM with NATPPPoA Authentication Protocol Chap Sets the PPP authentication methodSpecifies that the IP address for the dialer Interface is obtained through PPP/IPCP IPCommand Reference, Volume 1 of 4 Routing Configure the ATM WAN Interface Configuring Adsl Configure DSL Signaling ProtocolAttribute Description Default Value Verify the Configuration Configuring ShdslDsl lom integer Dsl enable-training-log Wire Line-mode 4-wire enhanced 4-wire standardIgnore-error-duration number Configure Network Address Translation About enabling static translation, see the Cisco Enables the configuration changes just made toFE2-FE9 reside to be the inside interface For NATExits configuration mode for the ATM interface Static translation, see the Cisco IOS IP CommandDefines a standard access list permitting addresses Identifies the specified WAN interface as the NATATM0 Vlan Configuring a LAN with Dhcp and VLANsVLANs Configure Dhcp Import all Default-router address address2 ...address8Dns-server address address2 ...address8 Domain-name domainRouter# show ip dhcp import Verify Your Dhcp ConfigurationIp dhcp pool Verify Your Vlan Configuration Configure VLANsVlan ? ExampleVlan Router# show vlan-switchSwitch Port Configurations Vlan Trunking Protocol VTP 802.1x AuthenticationSwitched Port Analyzer Span Maximum Switched Virtual Interfaces SVIsIP Multicast Switching Layer 2 InterfacesFallback Bridging Per-Port Storm ControlSeparate Voice and Data Subnets Igmp SnoopingInternet Configuring a VPN Using Easy VPN and an IPSec TunnelCisco Easy VPN Configure the IKE Policy Crypto isakmp client configuration group Configure Group Policy InformationGroup-name default Key nameIp local pool default poolname Apply Mode Configuration to the Crypto MapConfigure IPSec Transforms and Protocols Enable Policy LookupConfigure the IPSec Crypto Method and Parameters Reverse-route Apply the Crypto Map to the Physical InterfaceCrypto map map-name seq-num ipsec-isakmp Dynamic dynamic-map-name discoverCrypto map map-name Create an Easy VPN Remote ConfigurationCrypto ipsec client ezvpn name outside inside Verifying Your Easy VPN ConfigurationCrypto ipsec client ezvpn ezvpnclient connect auto Beta Draft Cisco Confidential Site-to-Site VPN Using an IPSec Tunnel and GRE VPNs GRE TunnelsConfigure the IKE Policy Configure a VPNAlso enters Internet Security Association Key Example uses 168-bit Data EncryptionGroup 1 2 Configure Group Policy InformationLifetime seconds Exits IKE group policy configuration mode, Enable Policy LookupEnters global configuration mode Specifies group domain membershipMethod used to do so Configure IPSec Transforms and ProtocolsSpecifies global lifetime values used when Negotiating IPSec security associationsCreates a dynamic crypto map entry, and enters Configure the IPSec Crypto Method and ParametersCreates source proxy information for the crypto Map entryApply the Crypto Map to the Physical Interface Configure a GRE TunnelMap Applies the crypto map to the interfaceExits interface configuration mode, and returns to Tunnel interface must be configured toEnters ACL configuration mode for the named Access-list-name ACL that is used by the crypto mapConfiguration Example Ip nat outside no cdp enable Beta Draft Cisco Confidential Router with Firewall Configured Configuring a Simple FirewallFast Ethernet LAN interface the inside interface for NAT Series integrated services router, respectivelyProtected network Unprotected networkConfigure Inspection Rules Configure Access ListsCreates an access list which prevents Internet Details about this commandAssigns the set of firewall inspection rules to Apply Access Lists and Inspection Rules to InterfacesInside interface on the router Configuring a Simple Firewall Configuration Example Beta Draft Cisco Confidential 1shows a wireless network deployment Configuring a Wireless LAN ConnectionConfiguring a Wireless LAN Connection Configure the Root Radio Station User attempting access to the wireless LAN Sets the permitted authentication methods for aExits Ssid configuration mode, and enters Interface configuration mode for the wirelessStation-role repeater root Configure Bridging on VLANsBridge number crb irb mac-address-table Bridge-group numberEnables Ieee 802.1q encapsulation on Configure Radio Station SubinterfacesSpecified subinterface Assigns a bridge group to the subinterface Exits subinterface configuration mode,No bridge-group 3 unicast-flooding Interface Vlan1 Router# show running-config Sample Configuration10-1 Ip dhcp pool vlan3 10-210-3 10-4 10-5 10-6 11-1 Additional Configuration Options11-2 Configuring Additional Features and Troubleshooting Page Authentication, Authorization, and Accounting Configuring Security Features12-1 Configuring Access Lists Configuring AutoSecureConfiguration Commands ACL TypeAccess Groups Configuring a Cbac FirewallGuidelines for Creating Access Groups Ip access-group number name in outConfiguring VPNs Configuring Cisco IOS Firewall IDS12-4 Dial Backup Feature Activation Methods Configuring Dial Backup and Remote ManagementBackup Interfaces 13-1Floating Static Routes Configuring Backup Interfaces13-2 Enables RIP routing Configuring Floating Static Routes13-3 Dialer Watch Configuring Dialer WatchSpecifies the group number for the watch list 13-4Dial Backup Type Possible? Dial Backup Method Limitations Dial Backup Feature Limitations13-5 13-6 13-7 13-8 Example 13-3 Configuring Dial Backup Using Dialer Watch13-9 Configure Isdn Settings13-10 Ip address negotiated Access-groupDialer pool number Dialer-group group-numberFor your Cisco router during the ATM network downtime Configure the Aggregator and Isdn Peer Router13-12 13-13 Asynchronous Interface Configuration13-14 13-15 Line Configuration13-16 Getting Started TroubleshootingBefore Contacting Cisco or Your Reseller 14-1Shdsl Troubleshooting Adsl TroubleshootingPortFast Troubleshooting 14-2Ping atm interface Command ATM Troubleshooting CommandsShow interface Command 14-3Output Cause Shutdown command14-4 14-5 Show atm interface CommandRouter# show atm interface atm Guidelines for Using Debug Commands Debug atm CommandsDebug atm errors Command Field DescriptionRouter# debug atm errors ATM errors debugging is on Router# Debug atm events Command14-7 Router# debug atm events Router#Where the keywords are defined as follows Debug atm packet CommandOptional ATM interface or subinterface number Example 14-7shows a sample outputRecovering a Lost Password Software Upgrade MethodsATM0 14-914-10 Change the Configuration RegisterRouter# show version Router# show startup-config Reset the RouterPress Return. The following prompt appears Prompt changes to the privileged Exec promptReset the Configuration Register Value Reset the Password and Save Your Changes14-12 14-13 Managing Your Router with SDM14-14 Reference Information Page One of the configuration topic chapters in this guide Configuring the Router from a PCCisco IOS Software Basic Skills PC Operating System SoftwareUnderstanding Command Modes As interface atm ExecCtrl-Z Getting Help Configuration mode Routing protocol AppropriateRouter Enter one of the router Router rip, fromEntering Global Configuration Mode Enable Secret Passwords and Enable PasswordsYou can now make changes to your router configuration Abbreviating Commands Using CommandsUndoing Commands Command-Line Error MessagesWhere to Go Next Saving Configuration ChangesSummary OL-6426-02 Adsl ConceptsRouting Protocol Options Network ProtocolsProtocol Ideal Topology Metric Routing Updates PPP Authentication ProtocolsEnhanced Igrp RIPPAP Ethernet Network InterfacesBackup Interface Dial BackupDialer Interface NAT Easy IP Phase IP Precedence QoSPPP Fragmentation and Interleaving Low Latency Queuing CbwfqAccess Lists OL-6426-02 Config-reg EnableResets the configuration register ROM MonitorExits global configuration mode ROM Monitor CommandsReload Descriptions section in this appendixDisaster Recovery with Tftp Download Command DescriptionsTftp Download Command Variables Command DescriptionRequired Variables Variable CommandOptional Variables TFTPTIMEOUT= time Using the Tftp Download CommandTFTPCHECKSUM= setting RetrytimesChanging the Configuration Register Manually Configuration RegisterChanging the Configuration Register Using Prompts Rommon 1 confregConsole Download Command DescriptionError Reporting Debug CommandsContext-Displays processor context for example Frame-Displays an individual stack frameExiting the ROM Monitor OL-6426-02 Port Keyword Description Common Port AssignmentsNETBIOS-DGM NETBIOS-NSNETBIOS-SSN FingerSee AAL See ARPSee ATM IN-1See CAR See ChapIN-2 IN-3 DhcpSee also examples Experience, user Extended access list Overview B-11Ethernet B-5 Events, ATM, displaying GRESee NCP See LCPIN-5 See PVC See PAPSee PPP See IpcpSee NAT See RIPIN-7 See UDP Upgrading software, methods for 14-9User Datagram ProtocolIN-8