Manuals / Cisco Systems / Power Tools / Saw

Cisco Systems OL-6426-02 manual Configuration Example

Models: OL-6426-02

1 196

Download 196 pages 47.1 Kb

Page 94

Chapter 7 Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation

Configuration Example

BETA DRAFT - CISCO CONFIDENTIAL

Configuration Example

The following configuration example shows a portion of the configuration file for a VPN using a GRE tunnel scenario described in the preceding sections.

!

aaanew-model

!

aaa authentication login rtr-remote local aaa authorization network rtr-remote local aaa session-id common

!

username cisco password 0 cisco

!

interface tunnel 1

ip address 10.62.1.193 255.255.255.252

tunnel source fastethernet 2

tunnel destination interface 192.168.101.1

ip route 20.20.20.0 255.255.255.0 tunnel 1

crypto isakmp policy 1 encryption 3des authentication pre-share group 2

!

crypto isakmp client configuration group rtr-remote key secret-password

dns 10.50.10.1 10.60.10.1 domain company.com

pool dynpool

!

crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac

!

crypto ipsec security-association lifetime seconds 86400

!

crypto dynamic-map dynmap 1 set transform-set vpn1 reverse-route

!

crypto map static-map 1 ipsec-isakmp dynamic dynmap crypto map dynmap isakmp authorization list rtr-remote crypto map dynmap client configuration address respond

!

crypto isakmp policy 1 ! defines the key association and authentication for ipsec tunnel. hash md5

authentication pre-share

crypto isakmp key cisco123 address 200.1.1.1

!

!

crypto ipsec transform-set set1 esp-3des esp-md5-hmac ! defines encryption and transform set for the ipsec tunnel.

!

crypto map to_corporate 1 ipsec-isakmp ! associates all crypto values and peering address for the ipsec tunnel.

set peer 200.1.1.1

set transform-set set1

			match address	105
!
!!
			interface vlan	1 ! VLAN 1 is the internal home network
			Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide


	7-10			OL-6426-02
	7-10			OL-6426-02

Image 94

Cisco Systems OL-6426-02 manual Configuration Example

Contents

Cisco Systems, Inc Page N T E N T S Configuring Your Router for Ethernet and DSL Access 802.1x Authentication Configure the IPSec Crypto Method and Parameters Configuring Backup Interfaces Chap Configuration Register C-6 OL-6426-02 Preface AudienceChapter Title Description OrganizationVPN Convention Description Command ConventionsConventions BoldfaceObtaining Documentation Related DocumentsCisco.com Documentation DVD Documentation FeedbackCisco Product Security Overview Ordering DocumentationCisco Technical Support Website Reporting Security Problems in Cisco ProductsObtaining Technical Assistance An emergency, you can also reach Psirt by telephone 877 408Submitting a Service Request Definitions of Service Request SeverityObtaining Additional Publications and Information Getting Started Page Interface Port Labels Basic Router ConfigurationRouter Interface Port Label ATM WAN Shdsl Viewing the Default ConfigurationADSLoISDN USB ModemExample 1-1 Cisco 1812 Default Configuration on Startup Information Needed for Configuration Configuring Basic Parameters To configure the router, perform one or more of these tasksCommand Purpose Configure Global ParametersConfigure Fast Ethernet LAN Interfaces ExampleConfigure WAN Interfaces Configure the Fast Ethernet WAN InterfaceController dsl Configure the ATM WAN InterfaceMode atm Exit No shutdownConfiguring a Loopback Interface Configure the Wireless InterfaceConfiguration Example Password password Configuring Command-Line Access to the RouterVerifying Your Configuration Line aux console tty vty line-numberExec-timeout minutes seconds LoginEnd Privileged Exec mode Configuring Static RoutesExits router configuration mode, and enters Parameters that can be set, see the Cisco IOS IPConfiguration Example Configuring Dynamic RoutesVerifying Your Configuration Router rip Configuring RIPCommand Task Version 1Eigrp on the router. The autonomous-system Configuring Enhanced IgrpEnters router configuration mode, and enables Number identifies the route to other Eigrp routersRouterconfig# network Be applied, using the IP address of the networkSpecifies a list of networks on which Eigrp is to Configuring Your Router for Ethernet and DSL Access Page For Ethernet-Based Network Deployments Sample Network DeploymentsFor DSL-Based Network Deployments OL-6426-02 Configuring PPP over Ethernet with NAT Vpdn enable Configuration TasksCommand or Action Purpose PPPoEInitiate to ip ip-address Configure the Fast Ethernet WAN InterfacesRequest-dialin Protocol l2f l2tp pppoe anyConfigures the PPPoE client and specifies Cisco 1800 integrated services routers haveThese steps to configure one or both of them Enables the Fast Ethernet interfaceConfigure the Dialer Interface Assigns the dialer interface to a dialer group Using a dialer group controls access toExits the dialer 0 interface configuration Your routerConfigure Network Address Translation Ip nat inside outside Access-list access-list-number deny permitSource source-wildcard Configuration Example Router# show ip nat statistics Configuring PPP over ATM with NAT PPP over ATM with NATPPPoA Specifies that the IP address for the dialer Sets the PPP authentication methodAuthentication Protocol Chap Interface is obtained through PPP/IPCP IPCommand Reference, Volume 1 of 4 Routing Configure the ATM WAN Interface Configuring Adsl Configure DSL Signaling ProtocolAttribute Description Default Value Verify the Configuration Configuring ShdslDsl lom integer Dsl enable-training-log Wire Line-mode 4-wire enhanced 4-wire standardIgnore-error-duration number Configure Network Address Translation FE2-FE9 reside to be the inside interface Enables the configuration changes just made toAbout enabling static translation, see the Cisco For NATDefines a standard access list permitting addresses Static translation, see the Cisco IOS IP CommandExits configuration mode for the ATM interface Identifies the specified WAN interface as the NATATM0 Vlan Configuring a LAN with Dhcp and VLANsVLANs Configure Dhcp Dns-server address address2 ...address8 Default-router address address2 ...address8Import all Domain-name domainRouter# show ip dhcp import Verify Your Dhcp ConfigurationIp dhcp pool Vlan ? Configure VLANsVerify Your Vlan Configuration ExampleRouter# show vlan-switch VlanSwitch Port Configurations 802.1x Authentication Vlan Trunking Protocol VTPIP Multicast Switching Maximum Switched Virtual Interfaces SVIsSwitched Port Analyzer Span Layer 2 InterfacesSeparate Voice and Data Subnets Per-Port Storm ControlFallback Bridging Igmp SnoopingConfiguring a VPN Using Easy VPN and an IPSec Tunnel InternetCisco Easy VPN Configure the IKE Policy Group-name default Configure Group Policy InformationCrypto isakmp client configuration group Key nameApply Mode Configuration to the Crypto Map Ip local pool default poolnameEnable Policy Lookup Configure IPSec Transforms and ProtocolsConfigure the IPSec Crypto Method and Parameters Crypto map map-name seq-num ipsec-isakmp Apply the Crypto Map to the Physical InterfaceReverse-route Dynamic dynamic-map-name discoverCreate an Easy VPN Remote Configuration Crypto map map-nameVerifying Your Easy VPN Configuration Crypto ipsec client ezvpn name outside insideCrypto ipsec client ezvpn ezvpnclient connect auto Beta Draft Cisco Confidential Site-to-Site VPN Using an IPSec Tunnel and GRE GRE Tunnels VPNsAlso enters Internet Security Association Key Configure a VPNConfigure the IKE Policy Example uses 168-bit Data EncryptionGroup 1 2 Configure Group Policy InformationLifetime seconds Enters global configuration mode Enable Policy LookupExits IKE group policy configuration mode, Specifies group domain membershipSpecifies global lifetime values used when Configure IPSec Transforms and ProtocolsMethod used to do so Negotiating IPSec security associationsCreates source proxy information for the crypto Configure the IPSec Crypto Method and ParametersCreates a dynamic crypto map entry, and enters Map entryMap Configure a GRE TunnelApply the Crypto Map to the Physical Interface Applies the crypto map to the interfaceEnters ACL configuration mode for the named Tunnel interface must be configured toExits interface configuration mode, and returns to Access-list-name ACL that is used by the crypto mapConfiguration Example Ip nat outside no cdp enable Beta Draft Cisco Confidential Configuring a Simple Firewall Router with Firewall ConfiguredProtected network Series integrated services router, respectivelyFast Ethernet LAN interface the inside interface for NAT Unprotected networkCreates an access list which prevents Internet Configure Access ListsConfigure Inspection Rules Details about this commandAssigns the set of firewall inspection rules to Apply Access Lists and Inspection Rules to InterfacesInside interface on the router Configuring a Simple Firewall Configuration Example Beta Draft Cisco Confidential Configuring a Wireless LAN Connection 1shows a wireless network deploymentConfiguring a Wireless LAN Connection Configure the Root Radio Station Exits Ssid configuration mode, and enters Sets the permitted authentication methods for aUser attempting access to the wireless LAN Interface configuration mode for the wirelessBridge number crb irb mac-address-table Configure Bridging on VLANsStation-role repeater root Bridge-group numberEnables Ieee 802.1q encapsulation on Configure Radio Station SubinterfacesSpecified subinterface Exits subinterface configuration mode, Assigns a bridge group to the subinterfaceNo bridge-group 3 unicast-flooding Interface Vlan1 Router# show running-config Sample Configuration10-1 10-2 Ip dhcp pool vlan310-3 10-4 10-5 10-6 Additional Configuration Options 11-111-2 Configuring Additional Features and Troubleshooting Page Authentication, Authorization, and Accounting Configuring Security Features12-1 Configuration Commands Configuring AutoSecureConfiguring Access Lists ACL TypeGuidelines for Creating Access Groups Configuring a Cbac FirewallAccess Groups Ip access-group number name in outConfiguring VPNs Configuring Cisco IOS Firewall IDS12-4 Backup Interfaces Configuring Dial Backup and Remote ManagementDial Backup Feature Activation Methods 13-1Floating Static Routes Configuring Backup Interfaces13-2 Enables RIP routing Configuring Floating Static Routes13-3 Specifies the group number for the watch list Configuring Dialer WatchDialer Watch 13-4Dial Backup Type Possible? Dial Backup Method Limitations Dial Backup Feature Limitations13-5 13-6 13-7 Example 13-3 Configuring Dial Backup Using Dialer Watch 13-8Configure Isdn Settings 13-913-10 Dialer pool number Access-groupIp address negotiated Dialer-group group-numberFor your Cisco router during the ATM network downtime Configure the Aggregator and Isdn Peer Router13-12 Asynchronous Interface Configuration 13-1313-14 Line Configuration 13-1513-16 Before Contacting Cisco or Your Reseller TroubleshootingGetting Started 14-1PortFast Troubleshooting Adsl TroubleshootingShdsl Troubleshooting 14-2Show interface Command ATM Troubleshooting CommandsPing atm interface Command 14-3Output Cause Shutdown command14-4 14-5 Show atm interface CommandRouter# show atm interface atm Debug atm errors Command Debug atm CommandsGuidelines for Using Debug Commands Field Description14-7 Debug atm events CommandRouter# debug atm errors ATM errors debugging is on Router# Router# debug atm events Router#Optional ATM interface or subinterface number Debug atm packet CommandWhere the keywords are defined as follows Example 14-7shows a sample outputATM0 Software Upgrade MethodsRecovering a Lost Password 14-914-10 Change the Configuration RegisterRouter# show version Press Return. The following prompt appears Reset the RouterRouter# show startup-config Prompt changes to the privileged Exec promptReset the Configuration Register Value Reset the Password and Save Your Changes14-12 Managing Your Router with SDM 14-1314-14 Reference Information Page Cisco IOS Software Basic Skills Configuring the Router from a PCOne of the configuration topic chapters in this guide PC Operating System SoftwareUnderstanding Command Modes As interface atm ExecCtrl-Z Router Enter one of the router Configuration mode Routing protocol AppropriateGetting Help Router rip, fromEntering Global Configuration Mode Enable Secret Passwords and Enable PasswordsYou can now make changes to your router configuration Undoing Commands Using CommandsAbbreviating Commands Command-Line Error MessagesWhere to Go Next Saving Configuration ChangesSummary OL-6426-02 Concepts AdslNetwork Protocols Routing Protocol OptionsEnhanced Igrp PPP Authentication ProtocolsProtocol Ideal Topology Metric Routing Updates RIPPAP Network Interfaces EthernetBackup Interface Dial BackupDialer Interface NAT Easy IP Phase IP Precedence QoSPPP Fragmentation and Interleaving Cbwfq Low Latency QueuingAccess Lists OL-6426-02 Resets the configuration register EnableConfig-reg ROM MonitorReload ROM Monitor CommandsExits global configuration mode Descriptions section in this appendixTftp Download Command Variables Command DescriptionsDisaster Recovery with Tftp Download Command DescriptionRequired Variables Variable CommandOptional Variables TFTPCHECKSUM= setting Using the Tftp Download CommandTFTPTIMEOUT= time RetrytimesChanging the Configuration Register Using Prompts Configuration RegisterChanging the Configuration Register Manually Rommon 1 confregCommand Description Console DownloadContext-Displays processor context for example Debug CommandsError Reporting Frame-Displays an individual stack frameExiting the ROM Monitor OL-6426-02 Common Port Assignments Port Keyword DescriptionNETBIOS-SSN NETBIOS-NSNETBIOS-DGM FingerSee ATM See ARPSee AAL IN-1See CAR See ChapIN-2 Dhcp IN-3Ethernet B-5 Events, ATM, displaying Experience, user Extended access list Overview B-11See also examples GRESee NCP See LCPIN-5 See PPP See PAPSee PVC See IpcpSee NAT See RIPIN-7 See UDP Upgrading software, methods for 14-9User Datagram ProtocolIN-8