Manuals / Cisco Systems / Power Tools / Saw

Cisco Systems OL-6426-02 manual Enable Policy Lookup, Specifies group domain membership

Models: OL-6426-02

1 196

Download 196 pages 47.1 Kb

Page 89

Chapter 7 Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation

Configure a VPN

BETA DRAFT - CISCO CONFIDENTIAL

	Command or Action		Purpose
Step 4
Step 4	domain name		Specifies group domain membership.
	Example:
	Router(config-isakmp-group)# domain
	company.com
	Router(config-isakmp-group)#
Step 5
Step 5	exit		Exits IKE group policy configuration mode, and
			enters global configuration mode.
	Example:
	Router(config-isakmp-group)# exit
	Router(config)#
Step 6
Step 6	ip local pool {default poolname}		Specifies a local address pool for the group.
	[low-ip-address [high-ip-address]]		For details about this command and additional
			For details about this command and additional
	Example:		parameters that can be set, see the Cisco IOS Dial
	Example:		Technologies Command Reference.
			Technologies Command Reference.
	Router(config)# ip local pool dynpool
	30.30.30.20	30.30.30.30
	Router(config)#

Enable Policy Lookup

Perform these steps to enable policy lookup through AAA, beginning in global configuration mode:

	Command or Action	Purpose
Step 1
Step 1	aaa new-model	Enables the AAA access control model.
	Example:
	Router(config)# aaa new-model
	Router(config)#
Step 2
Step 2	aaa authentication login {default list-name}	Specifies AAA authentication of selected users at
	method1 [method2...]	login, and specifies the method used.
	Example:	This example uses a local authentication database.
	Example:	You could also use a RADIUS server for this. See
		You could also use a RADIUS server for this. See
	Router(config)# aaa authentication login	the Cisco IOS Security Configuration Guide and
	rtr-remote local	the Cisco IOS Security Command Reference for
	Router(config)#	the Cisco IOS Security Command Reference for
	Router(config)#	details.
		details.

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

	OL-6426-02	7-5

Image 89

Cisco Systems OL-6426-02 manual Enable Policy Lookup, Specifies group domain membership, Enters global configuration mode

Contents

Cisco Systems, Inc Page N T E N T S Configuring Your Router for Ethernet and DSL Access 802.1x Authentication Configure the IPSec Crypto Method and Parameters Configuring Backup Interfaces Chap Configuration Register C-6 OL-6426-02 Audience PrefaceVPN OrganizationChapter Title Description Conventions Command ConventionsConvention Description BoldfaceCisco.com Related DocumentsObtaining Documentation Cisco Product Security Overview Documentation FeedbackDocumentation DVD Ordering DocumentationObtaining Technical Assistance Reporting Security Problems in Cisco ProductsCisco Technical Support Website An emergency, you can also reach Psirt by telephone 877 408Definitions of Service Request Severity Submitting a Service RequestObtaining Additional Publications and Information Getting Started Page Router Interface Port Label Basic Router ConfigurationInterface Port Labels ADSLoISDN Viewing the Default ConfigurationATM WAN Shdsl USB ModemExample 1-1 Cisco 1812 Default Configuration on Startup Information Needed for Configuration To configure the router, perform one or more of these tasks Configuring Basic ParametersConfigure Fast Ethernet LAN Interfaces Configure Global ParametersCommand Purpose ExampleConfigure the Fast Ethernet WAN Interface Configure WAN InterfacesMode atm Exit Configure the ATM WAN InterfaceController dsl No shutdownConfiguration Example Configure the Wireless InterfaceConfiguring a Loopback Interface Verifying Your Configuration Configuring Command-Line Access to the RouterPassword password Line aux console tty vty line-numberEnd LoginExec-timeout minutes seconds Exits router configuration mode, and enters Configuring Static RoutesPrivileged Exec mode Parameters that can be set, see the Cisco IOS IPVerifying Your Configuration Configuring Dynamic RoutesConfiguration Example Command Task Configuring RIPRouter rip Version 1Enters router configuration mode, and enables Configuring Enhanced IgrpEigrp on the router. The autonomous-system Number identifies the route to other Eigrp routersSpecifies a list of networks on which Eigrp is to Be applied, using the IP address of the networkRouterconfig# network Configuring Your Router for Ethernet and DSL Access Page For DSL-Based Network Deployments Sample Network DeploymentsFor Ethernet-Based Network Deployments OL-6426-02 Configuring PPP over Ethernet with NAT Command or Action Purpose Configuration TasksVpdn enable PPPoERequest-dialin Configure the Fast Ethernet WAN InterfacesInitiate to ip ip-address Protocol l2f l2tp pppoe anyThese steps to configure one or both of them Cisco 1800 integrated services routers haveConfigures the PPPoE client and specifies Enables the Fast Ethernet interfaceConfigure the Dialer Interface Exits the dialer 0 interface configuration Using a dialer group controls access toAssigns the dialer interface to a dialer group Your routerConfigure Network Address Translation Source source-wildcard Access-list access-list-number deny permitIp nat inside outside Configuration Example Router# show ip nat statistics PPP over ATM with NAT Configuring PPP over ATM with NATPPPoA Authentication Protocol Chap Sets the PPP authentication methodSpecifies that the IP address for the dialer Interface is obtained through PPP/IPCP IPCommand Reference, Volume 1 of 4 Routing Configure the ATM WAN Interface Attribute Description Default Value Configure DSL Signaling ProtocolConfiguring Adsl Dsl lom integer Dsl enable-training-log Configuring ShdslVerify the Configuration Ignore-error-duration number Line-mode 4-wire enhanced 4-wire standardWire Configure Network Address Translation About enabling static translation, see the Cisco Enables the configuration changes just made toFE2-FE9 reside to be the inside interface For NATExits configuration mode for the ATM interface Static translation, see the Cisco IOS IP CommandDefines a standard access list permitting addresses Identifies the specified WAN interface as the NATATM0 VLANs Configuring a LAN with Dhcp and VLANsVlan Configure Dhcp Import all Default-router address address2 ...address8Dns-server address address2 ...address8 Domain-name domainIp dhcp pool Verify Your Dhcp ConfigurationRouter# show ip dhcp import Verify Your Vlan Configuration Configure VLANsVlan ? ExampleVlan Router# show vlan-switchSwitch Port Configurations Vlan Trunking Protocol VTP 802.1x AuthenticationSwitched Port Analyzer Span Maximum Switched Virtual Interfaces SVIsIP Multicast Switching Layer 2 InterfacesFallback Bridging Per-Port Storm ControlSeparate Voice and Data Subnets Igmp SnoopingInternet Configuring a VPN Using Easy VPN and an IPSec TunnelCisco Easy VPN Configure the IKE Policy Crypto isakmp client configuration group Configure Group Policy InformationGroup-name default Key nameIp local pool default poolname Apply Mode Configuration to the Crypto MapConfigure IPSec Transforms and Protocols Enable Policy LookupConfigure the IPSec Crypto Method and Parameters Reverse-route Apply the Crypto Map to the Physical InterfaceCrypto map map-name seq-num ipsec-isakmp Dynamic dynamic-map-name discoverCrypto map map-name Create an Easy VPN Remote ConfigurationCrypto ipsec client ezvpn name outside inside Verifying Your Easy VPN ConfigurationCrypto ipsec client ezvpn ezvpnclient connect auto Beta Draft Cisco Confidential Site-to-Site VPN Using an IPSec Tunnel and GRE VPNs GRE TunnelsConfigure the IKE Policy Configure a VPNAlso enters Internet Security Association Key Example uses 168-bit Data EncryptionLifetime seconds Configure Group Policy InformationGroup 1 2 Exits IKE group policy configuration mode, Enable Policy LookupEnters global configuration mode Specifies group domain membershipMethod used to do so Configure IPSec Transforms and ProtocolsSpecifies global lifetime values used when Negotiating IPSec security associationsCreates a dynamic crypto map entry, and enters Configure the IPSec Crypto Method and ParametersCreates source proxy information for the crypto Map entryApply the Crypto Map to the Physical Interface Configure a GRE TunnelMap Applies the crypto map to the interfaceExits interface configuration mode, and returns to Tunnel interface must be configured toEnters ACL configuration mode for the named Access-list-name ACL that is used by the crypto mapConfiguration Example Ip nat outside no cdp enable Beta Draft Cisco Confidential Router with Firewall Configured Configuring a Simple FirewallFast Ethernet LAN interface the inside interface for NAT Series integrated services router, respectivelyProtected network Unprotected networkConfigure Inspection Rules Configure Access ListsCreates an access list which prevents Internet Details about this commandInside interface on the router Apply Access Lists and Inspection Rules to InterfacesAssigns the set of firewall inspection rules to Configuring a Simple Firewall Configuration Example Beta Draft Cisco Confidential 1shows a wireless network deployment Configuring a Wireless LAN ConnectionConfiguring a Wireless LAN Connection Configure the Root Radio Station User attempting access to the wireless LAN Sets the permitted authentication methods for aExits Ssid configuration mode, and enters Interface configuration mode for the wirelessStation-role repeater root Configure Bridging on VLANsBridge number crb irb mac-address-table Bridge-group numberSpecified subinterface Configure Radio Station SubinterfacesEnables Ieee 802.1q encapsulation on Assigns a bridge group to the subinterface Exits subinterface configuration mode,No bridge-group 3 unicast-flooding Interface Vlan1 10-1 Sample ConfigurationRouter# show running-config Ip dhcp pool vlan3 10-210-3 10-4 10-5 10-6 11-1 Additional Configuration Options11-2 Configuring Additional Features and Troubleshooting Page 12-1 Configuring Security FeaturesAuthentication, Authorization, and Accounting Configuring Access Lists Configuring AutoSecureConfiguration Commands ACL TypeAccess Groups Configuring a Cbac FirewallGuidelines for Creating Access Groups Ip access-group number name in out12-4 Configuring Cisco IOS Firewall IDSConfiguring VPNs Dial Backup Feature Activation Methods Configuring Dial Backup and Remote ManagementBackup Interfaces 13-113-2 Configuring Backup InterfacesFloating Static Routes 13-3 Configuring Floating Static RoutesEnables RIP routing Dialer Watch Configuring Dialer WatchSpecifies the group number for the watch list 13-413-5 Dial Backup Feature LimitationsDial Backup Type Possible? Dial Backup Method Limitations 13-6 13-7 13-8 Example 13-3 Configuring Dial Backup Using Dialer Watch13-9 Configure Isdn Settings13-10 Ip address negotiated Access-groupDialer pool number Dialer-group group-number13-12 Configure the Aggregator and Isdn Peer RouterFor your Cisco router during the ATM network downtime 13-13 Asynchronous Interface Configuration13-14 13-15 Line Configuration13-16 Getting Started TroubleshootingBefore Contacting Cisco or Your Reseller 14-1Shdsl Troubleshooting Adsl TroubleshootingPortFast Troubleshooting 14-2Ping atm interface Command ATM Troubleshooting CommandsShow interface Command 14-314-4 Shutdown commandOutput Cause Router# show atm interface atm Show atm interface Command14-5 Guidelines for Using Debug Commands Debug atm CommandsDebug atm errors Command Field DescriptionRouter# debug atm errors ATM errors debugging is on Router# Debug atm events Command14-7 Router# debug atm events Router#Where the keywords are defined as follows Debug atm packet CommandOptional ATM interface or subinterface number Example 14-7shows a sample outputRecovering a Lost Password Software Upgrade MethodsATM0 14-9Router# show version Change the Configuration Register14-10 Router# show startup-config Reset the RouterPress Return. The following prompt appears Prompt changes to the privileged Exec prompt14-12 Reset the Password and Save Your ChangesReset the Configuration Register Value 14-13 Managing Your Router with SDM14-14 Reference Information Page One of the configuration topic chapters in this guide Configuring the Router from a PCCisco IOS Software Basic Skills PC Operating System SoftwareUnderstanding Command Modes Ctrl-Z ExecAs interface atm Getting Help Configuration mode Routing protocol AppropriateRouter Enter one of the router Router rip, fromYou can now make changes to your router configuration Enable Secret Passwords and Enable PasswordsEntering Global Configuration Mode Abbreviating Commands Using CommandsUndoing Commands Command-Line Error MessagesSummary Saving Configuration ChangesWhere to Go Next OL-6426-02 Adsl ConceptsRouting Protocol Options Network ProtocolsProtocol Ideal Topology Metric Routing Updates PPP Authentication ProtocolsEnhanced Igrp RIPPAP Ethernet Network InterfacesDialer Interface Dial BackupBackup Interface NAT Easy IP Phase PPP Fragmentation and Interleaving QoSIP Precedence Low Latency Queuing CbwfqAccess Lists OL-6426-02 Config-reg EnableResets the configuration register ROM MonitorExits global configuration mode ROM Monitor CommandsReload Descriptions section in this appendixDisaster Recovery with Tftp Download Command DescriptionsTftp Download Command Variables Command DescriptionOptional Variables Variable CommandRequired Variables TFTPTIMEOUT= time Using the Tftp Download CommandTFTPCHECKSUM= setting RetrytimesChanging the Configuration Register Manually Configuration RegisterChanging the Configuration Register Using Prompts Rommon 1 confregConsole Download Command DescriptionError Reporting Debug CommandsContext-Displays processor context for example Frame-Displays an individual stack frameExiting the ROM Monitor OL-6426-02 Port Keyword Description Common Port AssignmentsNETBIOS-DGM NETBIOS-NSNETBIOS-SSN FingerSee AAL See ARPSee ATM IN-1IN-2 See ChapSee CAR IN-3 DhcpSee also examples Experience, user Extended access list Overview B-11Ethernet B-5 Events, ATM, displaying GREIN-5 See LCPSee NCP See PVC See PAPSee PPP See IpcpIN-7 See RIPSee NAT IN-8 Upgrading software, methods for 14-9User Datagram ProtocolSee UDP