Reverse-route | Cisco Systems OL-6426-02 manual

Chapter 6 Configuring a VPN Using Easy VPN and an IPSec Tunnel

Apply the Crypto Map to the Physical Interface

BETA DRAFT - CISCO CONFIDENTIAL

	Command or Action	Purpose
Step 3
Step 3	reverse-route	Creates source proxy information for the crypto
		map entry.
	Example:	See the Cisco IOS Security Command Reference
		See the Cisco IOS Security Command Reference
	Router(config-crypto-map)# reverse-route	for details.
	Router(config-crypto-map)#
Step 4
Step 4	exit	Returns to global configuration mode.
	Example:
	Router(config-crypto-map)# exit
	Router(config)#
Step 5
Step 5	crypto map map-nameseq-num[ipsec-isakmp]	Creates a crypto map profile.
	[dynamic dynamic-map-name] [discover]
	[profile profile-name]
	Example:
	Router(config)# crypto map static-map 1
	ipsec-isakmp dynamic dynmap
	Router(config)#

Apply the Crypto Map to the Physical Interface

The crypto maps must be applied to each interface through which IP Security (IPSec) traffic flows. Applying the crypto map to the physical interface instructs the router to evaluate all the traffic against the security associations database. With the default configurations, the router provides secure connectivity by encrypting the traffic sent between remote sites. However, the public interface still allows the rest of the traffic to pass and provides connectivity to the Internet.

Perform these steps to apply a crypto map to an interface, beginning in global configuration mode:

	Command or Action	Purpose
Step 1
Step 1	interface type number	Enters the interface configuration mode for the
		interface to which you want the crypto map
	Example:	applied.
	Router(config)# interface fastethernet 0
	Router(config-if)#

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

6-8	OL-6426-02

Image 80

Cisco Systems OL-6426-02 Apply the Crypto Map to the Physical Interface, Reverse-route, Dynamic dynamic-map-name discover

Contents

Cisco Systems, Inc Page N T E N T S Configuring Your Router for Ethernet and DSL Access 802.1x Authentication Configure the IPSec Crypto Method and Parameters Configuring Backup Interfaces Chap Configuration Register C-6 OL-6426-02 Preface Audience VPN OrganizationChapter Title Description Command Conventions ConventionsConvention Description Boldface Cisco.com Related DocumentsObtaining Documentation Documentation Feedback Cisco Product Security OverviewDocumentation DVD Ordering Documentation Reporting Security Problems in Cisco Products Obtaining Technical AssistanceCisco Technical Support Website An emergency, you can also reach Psirt by telephone 877 408 Submitting a Service Request Definitions of Service Request Severity Obtaining Additional Publications and Information Getting Started Page Router Interface Port Label Basic Router ConfigurationInterface Port Labels Viewing the Default Configuration ADSLoISDNATM WAN Shdsl USB Modem Example 1-1 Cisco 1812 Default Configuration on Startup Information Needed for Configuration Configuring Basic Parameters To configure the router, perform one or more of these tasks Configure Global Parameters Configure Fast Ethernet LAN InterfacesCommand Purpose Example Configure WAN Interfaces Configure the Fast Ethernet WAN Interface Configure the ATM WAN Interface Mode atm ExitController dsl No shutdown Configuration Example Configure the Wireless InterfaceConfiguring a Loopback Interface Configuring Command-Line Access to the Router Verifying Your ConfigurationPassword password Line aux console tty vty line-number End LoginExec-timeout minutes seconds Configuring Static Routes Exits router configuration mode, and entersPrivileged Exec mode Parameters that can be set, see the Cisco IOS IP Verifying Your Configuration Configuring Dynamic RoutesConfiguration Example Configuring RIP Command TaskRouter rip Version 1 Configuring Enhanced Igrp Enters router configuration mode, and enablesEigrp on the router. The autonomous-system Number identifies the route to other Eigrp routers Specifies a list of networks on which Eigrp is to Be applied, using the IP address of the networkRouterconfig# network Configuring Your Router for Ethernet and DSL Access Page For DSL-Based Network Deployments Sample Network DeploymentsFor Ethernet-Based Network Deployments OL-6426-02 Configuring PPP over Ethernet with NAT Configuration Tasks Command or Action PurposeVpdn enable PPPoE Configure the Fast Ethernet WAN Interfaces Request-dialinInitiate to ip ip-address Protocol l2f l2tp pppoe any Cisco 1800 integrated services routers have These steps to configure one or both of themConfigures the PPPoE client and specifies Enables the Fast Ethernet interface Configure the Dialer Interface Using a dialer group controls access to Exits the dialer 0 interface configurationAssigns the dialer interface to a dialer group Your router Configure Network Address Translation Source source-wildcard Access-list access-list-number deny permitIp nat inside outside Configuration Example Router# show ip nat statistics Configuring PPP over ATM with NAT PPP over ATM with NAT PPPoA Sets the PPP authentication method Authentication Protocol ChapSpecifies that the IP address for the dialer Interface is obtained through PPP/IPCP IP Command Reference, Volume 1 of 4 Routing Configure the ATM WAN Interface Attribute Description Default Value Configure DSL Signaling ProtocolConfiguring Adsl Dsl lom integer Dsl enable-training-log Configuring ShdslVerify the Configuration Ignore-error-duration number Line-mode 4-wire enhanced 4-wire standardWire Configure Network Address Translation Enables the configuration changes just made to About enabling static translation, see the CiscoFE2-FE9 reside to be the inside interface For NAT Static translation, see the Cisco IOS IP Command Exits configuration mode for the ATM interfaceDefines a standard access list permitting addresses Identifies the specified WAN interface as the NAT ATM0 VLANs Configuring a LAN with Dhcp and VLANsVlan Configure Dhcp Default-router address address2 ...address8 Import allDns-server address address2 ...address8 Domain-name domain Ip dhcp pool Verify Your Dhcp ConfigurationRouter# show ip dhcp import Configure VLANs Verify Your Vlan ConfigurationVlan ? Example Router# show vlan-switch Vlan Switch Port Configurations 802.1x Authentication Vlan Trunking Protocol VTP Maximum Switched Virtual Interfaces SVIs Switched Port Analyzer SpanIP Multicast Switching Layer 2 Interfaces Per-Port Storm Control Fallback BridgingSeparate Voice and Data Subnets Igmp Snooping Configuring a VPN Using Easy VPN and an IPSec Tunnel Internet Cisco Easy VPN Configure the IKE Policy Configure Group Policy Information Crypto isakmp client configuration groupGroup-name default Key name Apply Mode Configuration to the Crypto Map Ip local pool default poolname Enable Policy Lookup Configure IPSec Transforms and Protocols Configure the IPSec Crypto Method and Parameters Apply the Crypto Map to the Physical Interface Reverse-routeCrypto map map-name seq-num ipsec-isakmp Dynamic dynamic-map-name discover Create an Easy VPN Remote Configuration Crypto map map-name Verifying Your Easy VPN Configuration Crypto ipsec client ezvpn name outside inside Crypto ipsec client ezvpn ezvpnclient connect auto Beta Draft Cisco Confidential Site-to-Site VPN Using an IPSec Tunnel and GRE GRE Tunnels VPNs Configure a VPN Configure the IKE PolicyAlso enters Internet Security Association Key Example uses 168-bit Data Encryption Lifetime seconds Configure Group Policy InformationGroup 1 2 Enable Policy Lookup Exits IKE group policy configuration mode,Enters global configuration mode Specifies group domain membership Configure IPSec Transforms and Protocols Method used to do soSpecifies global lifetime values used when Negotiating IPSec security associations Configure the IPSec Crypto Method and Parameters Creates a dynamic crypto map entry, and entersCreates source proxy information for the crypto Map entry Configure a GRE Tunnel Apply the Crypto Map to the Physical InterfaceMap Applies the crypto map to the interface Tunnel interface must be configured to Exits interface configuration mode, and returns toEnters ACL configuration mode for the named Access-list-name ACL that is used by the crypto map Configuration Example Ip nat outside no cdp enable Beta Draft Cisco Confidential Configuring a Simple Firewall Router with Firewall Configured Series integrated services router, respectively Fast Ethernet LAN interface the inside interface for NATProtected network Unprotected network Configure Access Lists Configure Inspection RulesCreates an access list which prevents Internet Details about this command Inside interface on the router Apply Access Lists and Inspection Rules to InterfacesAssigns the set of firewall inspection rules to Configuring a Simple Firewall Configuration Example Beta Draft Cisco Confidential Configuring a Wireless LAN Connection 1shows a wireless network deployment Configuring a Wireless LAN Connection Configure the Root Radio Station Sets the permitted authentication methods for a User attempting access to the wireless LANExits Ssid configuration mode, and enters Interface configuration mode for the wireless Configure Bridging on VLANs Station-role repeater rootBridge number crb irb mac-address-table Bridge-group number Specified subinterface Configure Radio Station SubinterfacesEnables Ieee 802.1q encapsulation on Exits subinterface configuration mode, Assigns a bridge group to the subinterface No bridge-group 3 unicast-flooding Interface Vlan1 10-1 Sample ConfigurationRouter# show running-config 10-2 Ip dhcp pool vlan3 10-3 10-4 10-5 10-6 Additional Configuration Options 11-1 11-2 Configuring Additional Features and Troubleshooting Page 12-1 Configuring Security FeaturesAuthentication, Authorization, and Accounting Configuring AutoSecure Configuring Access ListsConfiguration Commands ACL Type Configuring a Cbac Firewall Access GroupsGuidelines for Creating Access Groups Ip access-group number name in out 12-4 Configuring Cisco IOS Firewall IDSConfiguring VPNs Configuring Dial Backup and Remote Management Dial Backup Feature Activation MethodsBackup Interfaces 13-1 13-2 Configuring Backup InterfacesFloating Static Routes 13-3 Configuring Floating Static RoutesEnables RIP routing Configuring Dialer Watch Dialer WatchSpecifies the group number for the watch list 13-4 13-5 Dial Backup Feature LimitationsDial Backup Type Possible? Dial Backup Method Limitations 13-6 13-7 Example 13-3 Configuring Dial Backup Using Dialer Watch 13-8 Configure Isdn Settings 13-9 13-10 Access-group Ip address negotiatedDialer pool number Dialer-group group-number 13-12 Configure the Aggregator and Isdn Peer RouterFor your Cisco router during the ATM network downtime Asynchronous Interface Configuration 13-13 13-14 Line Configuration 13-15 13-16 Troubleshooting Getting StartedBefore Contacting Cisco or Your Reseller 14-1 Adsl Troubleshooting Shdsl TroubleshootingPortFast Troubleshooting 14-2 ATM Troubleshooting Commands Ping atm interface CommandShow interface Command 14-3 14-4 Shutdown commandOutput Cause Router# show atm interface atm Show atm interface Command14-5 Debug atm Commands Guidelines for Using Debug CommandsDebug atm errors Command Field Description Debug atm events Command Router# debug atm errors ATM errors debugging is on Router#14-7 Router# debug atm events Router# Debug atm packet Command Where the keywords are defined as followsOptional ATM interface or subinterface number Example 14-7shows a sample output Software Upgrade Methods Recovering a Lost PasswordATM0 14-9 Router# show version Change the Configuration Register14-10 Reset the Router Router# show startup-configPress Return. The following prompt appears Prompt changes to the privileged Exec prompt 14-12 Reset the Password and Save Your ChangesReset the Configuration Register Value Managing Your Router with SDM 14-13 14-14 Reference Information Page Configuring the Router from a PC One of the configuration topic chapters in this guideCisco IOS Software Basic Skills PC Operating System Software Understanding Command Modes Ctrl-Z ExecAs interface atm Configuration mode Routing protocol Appropriate Getting HelpRouter Enter one of the router Router rip, from You can now make changes to your router configuration Enable Secret Passwords and Enable PasswordsEntering Global Configuration Mode Using Commands Abbreviating CommandsUndoing Commands Command-Line Error Messages Summary Saving Configuration ChangesWhere to Go Next OL-6426-02 Concepts Adsl Network Protocols Routing Protocol Options PPP Authentication Protocols Protocol Ideal Topology Metric Routing UpdatesEnhanced Igrp RIP PAP Network Interfaces Ethernet Dialer Interface Dial BackupBackup Interface NAT Easy IP Phase PPP Fragmentation and Interleaving QoSIP Precedence Cbwfq Low Latency Queuing Access Lists OL-6426-02 Enable Config-regResets the configuration register ROM Monitor ROM Monitor Commands Exits global configuration modeReload Descriptions section in this appendix Command Descriptions Disaster Recovery with Tftp DownloadTftp Download Command Variables Command Description Optional Variables Variable CommandRequired Variables Using the Tftp Download Command TFTPTIMEOUT= timeTFTPCHECKSUM= setting Retrytimes Configuration Register Changing the Configuration Register ManuallyChanging the Configuration Register Using Prompts Rommon 1 confreg Command Description Console Download Debug Commands Error ReportingContext-Displays processor context for example Frame-Displays an individual stack frame Exiting the ROM Monitor OL-6426-02 Common Port Assignments Port Keyword Description NETBIOS-NS NETBIOS-DGMNETBIOS-SSN Finger See ARP See AALSee ATM IN-1 IN-2 See ChapSee CAR Dhcp IN-3 Experience, user Extended access list Overview B-11 See also examplesEthernet B-5 Events, ATM, displaying GRE IN-5 See LCPSee NCP See PAP See PVCSee PPP See Ipcp IN-7 See RIPSee NAT IN-8 Upgrading software, methods for 14-9User Datagram ProtocolSee UDP