Manuals / Cisco Systems / Power Tools / Saw

Cisco Systems OL-6426-02 manual Ip nat outside no cdp enable

Models: OL-6426-02

1 196

Download 196 pages 47.1 Kb

Page 95

Chapter 7 Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation

Configuration Example

BETA DRAFT - CISCO CONFIDENTIAL

ip address 10.1.1.1 255.255.255.0 ip nat inside

ip inspect firewall in ! inspection examines outbound traffic crypto map static-map

no cdp enable

!

interface fastethernet 0! FE0 is the outside or internet exposed interface ip address 210.110.101.21 255.255.255.0

ip access-group 103 in ! acl 103 permits ipsec traffic from the corp. router as well as denies internet initiated traffic inbound.

ip nat outside no cdp enable

crypto map to_corporate ! applies the ipsec tunnel to the outside interface.

!

ip nat inside source list 102 interface Ethernet1 overload ! utilize nat overload in order to make best use of the single address provided by the isp.

ip classless

ip route 0.0.0.0 0.0.0.0 210.110.101.1 no ip http server

!

!

!acl 102 associated addresses used for nat. access-list 102 permit ip 10.1.1.0 0.0.0.255 any

!acl 103 defines traffic allowed from the peer for the ipsec tunnel. access-list 103 permit udp host 200.1.1.1 any eq isakmp access-list 103 permit udp host 200.1.1.1 eq isakmp any access-list 103 permit esp host 200.1.1.1 any

access-list 103 permit icmp any any ! allow icmp for debugging but should be disabled due to security implications.

access-list 103 deny ip any any ! prevents internet initiated traffic inbound.

!acl 105 matches addresses for the ipsec tunnel to/from the corporate network.

access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255 no cdp run

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

	OL-6426-02	7-11

Image 95

Cisco Systems OL-6426-02 manual Ip nat outside no cdp enable

Contents

Cisco Systems, Inc Page N T E N T S Configuring Your Router for Ethernet and DSL Access 802.1x Authentication Configure the IPSec Crypto Method and Parameters Configuring Backup Interfaces Chap Configuration Register C-6 OL-6426-02 Audience PrefaceVPN OrganizationChapter Title Description Boldface Command ConventionsConventions Convention DescriptionCisco.com Related DocumentsObtaining Documentation Ordering Documentation Documentation FeedbackCisco Product Security Overview Documentation DVDAn emergency, you can also reach Psirt by telephone 877 408 Reporting Security Problems in Cisco ProductsObtaining Technical Assistance Cisco Technical Support WebsiteDefinitions of Service Request Severity Submitting a Service RequestObtaining Additional Publications and Information Getting Started Page Router Interface Port Label Basic Router ConfigurationInterface Port Labels USB Modem Viewing the Default ConfigurationADSLoISDN ATM WAN ShdslExample 1-1 Cisco 1812 Default Configuration on Startup Information Needed for Configuration To configure the router, perform one or more of these tasks Configuring Basic ParametersExample Configure Global ParametersConfigure Fast Ethernet LAN Interfaces Command PurposeConfigure the Fast Ethernet WAN Interface Configure WAN InterfacesNo shutdown Configure the ATM WAN InterfaceMode atm Exit Controller dslConfiguration Example Configure the Wireless InterfaceConfiguring a Loopback Interface Line aux console tty vty line-number Configuring Command-Line Access to the RouterVerifying Your Configuration Password passwordEnd LoginExec-timeout minutes seconds Parameters that can be set, see the Cisco IOS IP Configuring Static RoutesExits router configuration mode, and enters Privileged Exec modeVerifying Your Configuration Configuring Dynamic RoutesConfiguration Example Version 1 Configuring RIPCommand Task Router ripNumber identifies the route to other Eigrp routers Configuring Enhanced IgrpEnters router configuration mode, and enables Eigrp on the router. The autonomous-systemSpecifies a list of networks on which Eigrp is to Be applied, using the IP address of the networkRouterconfig# network Configuring Your Router for Ethernet and DSL Access Page For DSL-Based Network Deployments Sample Network DeploymentsFor Ethernet-Based Network Deployments OL-6426-02 Configuring PPP over Ethernet with NAT PPPoE Configuration TasksCommand or Action Purpose Vpdn enableProtocol l2f l2tp pppoe any Configure the Fast Ethernet WAN InterfacesRequest-dialin Initiate to ip ip-addressEnables the Fast Ethernet interface Cisco 1800 integrated services routers haveThese steps to configure one or both of them Configures the PPPoE client and specifiesConfigure the Dialer Interface Your router Using a dialer group controls access toExits the dialer 0 interface configuration Assigns the dialer interface to a dialer groupConfigure Network Address Translation Source source-wildcard Access-list access-list-number deny permitIp nat inside outside Configuration Example Router# show ip nat statistics PPP over ATM with NAT Configuring PPP over ATM with NATPPPoA Interface is obtained through PPP/IPCP IP Sets the PPP authentication methodAuthentication Protocol Chap Specifies that the IP address for the dialerCommand Reference, Volume 1 of 4 Routing Configure the ATM WAN Interface Attribute Description Default Value Configure DSL Signaling ProtocolConfiguring Adsl Dsl lom integer Dsl enable-training-log Configuring ShdslVerify the Configuration Ignore-error-duration number Line-mode 4-wire enhanced 4-wire standardWire Configure Network Address Translation For NAT Enables the configuration changes just made toAbout enabling static translation, see the Cisco FE2-FE9 reside to be the inside interfaceIdentifies the specified WAN interface as the NAT Static translation, see the Cisco IOS IP CommandExits configuration mode for the ATM interface Defines a standard access list permitting addressesATM0 VLANs Configuring a LAN with Dhcp and VLANsVlan Configure Dhcp Domain-name domain Default-router address address2 ...address8Import all Dns-server address address2 ...address8Ip dhcp pool Verify Your Dhcp ConfigurationRouter# show ip dhcp import Example Configure VLANsVerify Your Vlan Configuration Vlan ?Vlan Router# show vlan-switchSwitch Port Configurations Vlan Trunking Protocol VTP 802.1x AuthenticationLayer 2 Interfaces Maximum Switched Virtual Interfaces SVIsSwitched Port Analyzer Span IP Multicast SwitchingIgmp Snooping Per-Port Storm ControlFallback Bridging Separate Voice and Data SubnetsInternet Configuring a VPN Using Easy VPN and an IPSec TunnelCisco Easy VPN Configure the IKE Policy Key name Configure Group Policy InformationCrypto isakmp client configuration group Group-name defaultIp local pool default poolname Apply Mode Configuration to the Crypto MapConfigure IPSec Transforms and Protocols Enable Policy LookupConfigure the IPSec Crypto Method and Parameters Dynamic dynamic-map-name discover Apply the Crypto Map to the Physical InterfaceReverse-route Crypto map map-name seq-num ipsec-isakmpCrypto map map-name Create an Easy VPN Remote ConfigurationCrypto ipsec client ezvpn name outside inside Verifying Your Easy VPN ConfigurationCrypto ipsec client ezvpn ezvpnclient connect auto Beta Draft Cisco Confidential Site-to-Site VPN Using an IPSec Tunnel and GRE VPNs GRE TunnelsExample uses 168-bit Data Encryption Configure a VPNConfigure the IKE Policy Also enters Internet Security Association KeyLifetime seconds Configure Group Policy InformationGroup 1 2 Specifies group domain membership Enable Policy LookupExits IKE group policy configuration mode, Enters global configuration modeNegotiating IPSec security associations Configure IPSec Transforms and ProtocolsMethod used to do so Specifies global lifetime values used whenMap entry Configure the IPSec Crypto Method and ParametersCreates a dynamic crypto map entry, and enters Creates source proxy information for the cryptoApplies the crypto map to the interface Configure a GRE TunnelApply the Crypto Map to the Physical Interface MapAccess-list-name ACL that is used by the crypto map Tunnel interface must be configured toExits interface configuration mode, and returns to Enters ACL configuration mode for the namedConfiguration Example Ip nat outside no cdp enable Beta Draft Cisco Confidential Router with Firewall Configured Configuring a Simple FirewallUnprotected network Series integrated services router, respectivelyFast Ethernet LAN interface the inside interface for NAT Protected networkDetails about this command Configure Access ListsConfigure Inspection Rules Creates an access list which prevents InternetInside interface on the router Apply Access Lists and Inspection Rules to InterfacesAssigns the set of firewall inspection rules to Configuring a Simple Firewall Configuration Example Beta Draft Cisco Confidential 1shows a wireless network deployment Configuring a Wireless LAN ConnectionConfiguring a Wireless LAN Connection Configure the Root Radio Station Interface configuration mode for the wireless Sets the permitted authentication methods for aUser attempting access to the wireless LAN Exits Ssid configuration mode, and entersBridge-group number Configure Bridging on VLANsStation-role repeater root Bridge number crb irb mac-address-tableSpecified subinterface Configure Radio Station SubinterfacesEnables Ieee 802.1q encapsulation on Assigns a bridge group to the subinterface Exits subinterface configuration mode,No bridge-group 3 unicast-flooding Interface Vlan1 10-1 Sample ConfigurationRouter# show running-config Ip dhcp pool vlan3 10-210-3 10-4 10-5 10-6 11-1 Additional Configuration Options11-2 Configuring Additional Features and Troubleshooting Page 12-1 Configuring Security FeaturesAuthentication, Authorization, and Accounting ACL Type Configuring AutoSecureConfiguring Access Lists Configuration CommandsIp access-group number name in out Configuring a Cbac FirewallAccess Groups Guidelines for Creating Access Groups12-4 Configuring Cisco IOS Firewall IDSConfiguring VPNs 13-1 Configuring Dial Backup and Remote ManagementDial Backup Feature Activation Methods Backup Interfaces13-2 Configuring Backup InterfacesFloating Static Routes 13-3 Configuring Floating Static RoutesEnables RIP routing 13-4 Configuring Dialer WatchDialer Watch Specifies the group number for the watch list13-5 Dial Backup Feature LimitationsDial Backup Type Possible? Dial Backup Method Limitations 13-6 13-7 13-8 Example 13-3 Configuring Dial Backup Using Dialer Watch13-9 Configure Isdn Settings13-10 Dialer-group group-number Access-groupIp address negotiated Dialer pool number13-12 Configure the Aggregator and Isdn Peer RouterFor your Cisco router during the ATM network downtime 13-13 Asynchronous Interface Configuration13-14 13-15 Line Configuration13-16 14-1 TroubleshootingGetting Started Before Contacting Cisco or Your Reseller14-2 Adsl TroubleshootingShdsl Troubleshooting PortFast Troubleshooting14-3 ATM Troubleshooting CommandsPing atm interface Command Show interface Command14-4 Shutdown commandOutput Cause Router# show atm interface atm Show atm interface Command14-5 Field Description Debug atm CommandsGuidelines for Using Debug Commands Debug atm errors CommandRouter# debug atm events Router# Debug atm events CommandRouter# debug atm errors ATM errors debugging is on Router# 14-7Example 14-7shows a sample output Debug atm packet CommandWhere the keywords are defined as follows Optional ATM interface or subinterface number14-9 Software Upgrade MethodsRecovering a Lost Password ATM0Router# show version Change the Configuration Register14-10 Prompt changes to the privileged Exec prompt Reset the RouterRouter# show startup-config Press Return. The following prompt appears14-12 Reset the Password and Save Your ChangesReset the Configuration Register Value 14-13 Managing Your Router with SDM14-14 Reference Information Page PC Operating System Software Configuring the Router from a PCOne of the configuration topic chapters in this guide Cisco IOS Software Basic SkillsUnderstanding Command Modes Ctrl-Z ExecAs interface atm Router rip, from Configuration mode Routing protocol AppropriateGetting Help Router Enter one of the routerYou can now make changes to your router configuration Enable Secret Passwords and Enable PasswordsEntering Global Configuration Mode Command-Line Error Messages Using CommandsAbbreviating Commands Undoing CommandsSummary Saving Configuration ChangesWhere to Go Next OL-6426-02 Adsl ConceptsRouting Protocol Options Network ProtocolsRIP PPP Authentication ProtocolsProtocol Ideal Topology Metric Routing Updates Enhanced IgrpPAP Ethernet Network InterfacesDialer Interface Dial BackupBackup Interface NAT Easy IP Phase PPP Fragmentation and Interleaving QoSIP Precedence Low Latency Queuing CbwfqAccess Lists OL-6426-02 ROM Monitor EnableConfig-reg Resets the configuration registerDescriptions section in this appendix ROM Monitor CommandsExits global configuration mode ReloadCommand Description Command DescriptionsDisaster Recovery with Tftp Download Tftp Download Command VariablesOptional Variables Variable CommandRequired Variables Retrytimes Using the Tftp Download CommandTFTPTIMEOUT= time TFTPCHECKSUM= settingRommon 1 confreg Configuration RegisterChanging the Configuration Register Manually Changing the Configuration Register Using PromptsConsole Download Command DescriptionFrame-Displays an individual stack frame Debug CommandsError Reporting Context-Displays processor context for exampleExiting the ROM Monitor OL-6426-02 Port Keyword Description Common Port AssignmentsFinger NETBIOS-NSNETBIOS-DGM NETBIOS-SSNIN-1 See ARPSee AAL See ATMIN-2 See ChapSee CAR IN-3 DhcpGRE Experience, user Extended access list Overview B-11See also examples Ethernet B-5 Events, ATM, displayingIN-5 See LCPSee NCP See Ipcp See PAPSee PVC See PPPIN-7 See RIPSee NAT IN-8 Upgrading software, methods for 14-9User Datagram ProtocolSee UDP