Manuals / Cisco Systems / Power Tools / Saw

Cisco Systems OL-6426-02 manual Fast Ethernet LAN interface the inside interface for NAT

Models: OL-6426-02

1 196

Download 196 pages 47.1 Kb

Page 98

			Chapter 8 Configuring a Simple Firewall
			BETA DRAFT - CISCO CONFIDENTIAL
			BETA DRAFT - CISCO CONFIDENTIAL

1			Multiple networked devices—Desktops, laptop PCs, switches

2			Fast Ethernet LAN interface (the inside interface for NAT)

3			PPPoE or PPPoA client and firewall implementation—Cisco 1811/1812 or Cisco 1801/1802/1803
			series integrated services router, respectively

4			Point at which NAT occurs

5			Protected network

6			Unprotected network

7			Fast Ethernet or ATM WAN interface (the outside interface for NAT)

In the configuration example that follows, the firewall is applied to the outside WAN interface (FE0) on the Cisco 1811 or Cisco 1812 and protects the Fast Ethernet LAN on FE2 by filtering and inspecting all traffic entering the router on the Fast Ethernet WAN interface FE1. Note that in this example, the network traffic originating from the corporate network, network address 10.1.1.0, is considered safe traffic and is not filtered.

Configuration Tasks

Perform the following tasks to configure this network scenario:

•Configure Access Lists

•Configure Inspection Rules

•Apply Access Lists and Inspection Rules to Interfaces

An example showing the results of these configuration tasks is shown in the section “Configuration Example.”

Note The procedures in this chapter assume that you have already configured basic router features as well as PPPoE or PPPoA with NAT. If you have not performed these configurations tasks, see Chapter 1, “Basic Router Configuration,” Chapter 3, “Configuring PPP over Ethernet with NAT,” and Chapter 4, “Configuring PPP over ATM with NAT,” as appropriate for your router. You may have also configured DHCP, VLANs, and secure tunnels.

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

8-2	OL-6426-02

Image 98

Cisco Systems OL-6426-02 Fast Ethernet LAN interface the inside interface for NAT, Protected network, Unprotected network

Contents

Cisco Systems, Inc Page N T E N T S Configuring Your Router for Ethernet and DSL Access 802.1x Authentication Configure the IPSec Crypto Method and Parameters Configuring Backup Interfaces Chap Configuration Register C-6 OL-6426-02 Preface AudienceVPN OrganizationChapter Title Description Convention Description Command ConventionsConventions BoldfaceCisco.com Related DocumentsObtaining Documentation Documentation DVD Documentation FeedbackCisco Product Security Overview Ordering DocumentationCisco Technical Support Website Reporting Security Problems in Cisco ProductsObtaining Technical Assistance An emergency, you can also reach Psirt by telephone 877 408Submitting a Service Request Definitions of Service Request SeverityObtaining Additional Publications and Information Getting Started Page Router Interface Port Label Basic Router ConfigurationInterface Port Labels ATM WAN Shdsl Viewing the Default ConfigurationADSLoISDN USB ModemExample 1-1 Cisco 1812 Default Configuration on Startup Information Needed for Configuration Configuring Basic Parameters To configure the router, perform one or more of these tasksCommand Purpose Configure Global ParametersConfigure Fast Ethernet LAN Interfaces ExampleConfigure WAN Interfaces Configure the Fast Ethernet WAN InterfaceController dsl Configure the ATM WAN InterfaceMode atm Exit No shutdownConfiguration Example Configure the Wireless InterfaceConfiguring a Loopback Interface Password password Configuring Command-Line Access to the RouterVerifying Your Configuration Line aux console tty vty line-numberEnd LoginExec-timeout minutes seconds Privileged Exec mode Configuring Static RoutesExits router configuration mode, and enters Parameters that can be set, see the Cisco IOS IPVerifying Your Configuration Configuring Dynamic RoutesConfiguration Example Router rip Configuring RIPCommand Task Version 1Eigrp on the router. The autonomous-system Configuring Enhanced IgrpEnters router configuration mode, and enables Number identifies the route to other Eigrp routersSpecifies a list of networks on which Eigrp is to Be applied, using the IP address of the networkRouterconfig# network Configuring Your Router for Ethernet and DSL Access Page For DSL-Based Network Deployments Sample Network DeploymentsFor Ethernet-Based Network Deployments OL-6426-02 Configuring PPP over Ethernet with NAT Vpdn enable Configuration TasksCommand or Action Purpose PPPoEInitiate to ip ip-address Configure the Fast Ethernet WAN InterfacesRequest-dialin Protocol l2f l2tp pppoe anyConfigures the PPPoE client and specifies Cisco 1800 integrated services routers haveThese steps to configure one or both of them Enables the Fast Ethernet interfaceConfigure the Dialer Interface Assigns the dialer interface to a dialer group Using a dialer group controls access toExits the dialer 0 interface configuration Your routerConfigure Network Address Translation Source source-wildcard Access-list access-list-number deny permitIp nat inside outside Configuration Example Router# show ip nat statistics Configuring PPP over ATM with NAT PPP over ATM with NATPPPoA Specifies that the IP address for the dialer Sets the PPP authentication methodAuthentication Protocol Chap Interface is obtained through PPP/IPCP IPCommand Reference, Volume 1 of 4 Routing Configure the ATM WAN Interface Attribute Description Default Value Configure DSL Signaling ProtocolConfiguring Adsl Dsl lom integer Dsl enable-training-log Configuring ShdslVerify the Configuration Ignore-error-duration number Line-mode 4-wire enhanced 4-wire standardWire Configure Network Address Translation FE2-FE9 reside to be the inside interface Enables the configuration changes just made toAbout enabling static translation, see the Cisco For NATDefines a standard access list permitting addresses Static translation, see the Cisco IOS IP CommandExits configuration mode for the ATM interface Identifies the specified WAN interface as the NATATM0 VLANs Configuring a LAN with Dhcp and VLANsVlan Configure Dhcp Dns-server address address2 ...address8 Default-router address address2 ...address8Import all Domain-name domainIp dhcp pool Verify Your Dhcp ConfigurationRouter# show ip dhcp import Vlan ? Configure VLANsVerify Your Vlan Configuration ExampleRouter# show vlan-switch VlanSwitch Port Configurations 802.1x Authentication Vlan Trunking Protocol VTPIP Multicast Switching Maximum Switched Virtual Interfaces SVIsSwitched Port Analyzer Span Layer 2 InterfacesSeparate Voice and Data Subnets Per-Port Storm ControlFallback Bridging Igmp SnoopingConfiguring a VPN Using Easy VPN and an IPSec Tunnel InternetCisco Easy VPN Configure the IKE Policy Group-name default Configure Group Policy InformationCrypto isakmp client configuration group Key nameApply Mode Configuration to the Crypto Map Ip local pool default poolnameEnable Policy Lookup Configure IPSec Transforms and ProtocolsConfigure the IPSec Crypto Method and Parameters Crypto map map-name seq-num ipsec-isakmp Apply the Crypto Map to the Physical InterfaceReverse-route Dynamic dynamic-map-name discoverCreate an Easy VPN Remote Configuration Crypto map map-nameVerifying Your Easy VPN Configuration Crypto ipsec client ezvpn name outside insideCrypto ipsec client ezvpn ezvpnclient connect auto Beta Draft Cisco Confidential Site-to-Site VPN Using an IPSec Tunnel and GRE GRE Tunnels VPNsAlso enters Internet Security Association Key Configure a VPNConfigure the IKE Policy Example uses 168-bit Data EncryptionLifetime seconds Configure Group Policy InformationGroup 1 2 Enters global configuration mode Enable Policy LookupExits IKE group policy configuration mode, Specifies group domain membershipSpecifies global lifetime values used when Configure IPSec Transforms and ProtocolsMethod used to do so Negotiating IPSec security associationsCreates source proxy information for the crypto Configure the IPSec Crypto Method and ParametersCreates a dynamic crypto map entry, and enters Map entryMap Configure a GRE TunnelApply the Crypto Map to the Physical Interface Applies the crypto map to the interfaceEnters ACL configuration mode for the named Tunnel interface must be configured toExits interface configuration mode, and returns to Access-list-name ACL that is used by the crypto mapConfiguration Example Ip nat outside no cdp enable Beta Draft Cisco Confidential Configuring a Simple Firewall Router with Firewall ConfiguredProtected network Series integrated services router, respectivelyFast Ethernet LAN interface the inside interface for NAT Unprotected networkCreates an access list which prevents Internet Configure Access ListsConfigure Inspection Rules Details about this commandInside interface on the router Apply Access Lists and Inspection Rules to InterfacesAssigns the set of firewall inspection rules to Configuring a Simple Firewall Configuration Example Beta Draft Cisco Confidential Configuring a Wireless LAN Connection 1shows a wireless network deploymentConfiguring a Wireless LAN Connection Configure the Root Radio Station Exits Ssid configuration mode, and enters Sets the permitted authentication methods for aUser attempting access to the wireless LAN Interface configuration mode for the wirelessBridge number crb irb mac-address-table Configure Bridging on VLANsStation-role repeater root Bridge-group numberSpecified subinterface Configure Radio Station SubinterfacesEnables Ieee 802.1q encapsulation on Exits subinterface configuration mode, Assigns a bridge group to the subinterfaceNo bridge-group 3 unicast-flooding Interface Vlan1 10-1 Sample ConfigurationRouter# show running-config 10-2 Ip dhcp pool vlan310-3 10-4 10-5 10-6 Additional Configuration Options 11-111-2 Configuring Additional Features and Troubleshooting Page 12-1 Configuring Security FeaturesAuthentication, Authorization, and Accounting Configuration Commands Configuring AutoSecureConfiguring Access Lists ACL TypeGuidelines for Creating Access Groups Configuring a Cbac FirewallAccess Groups Ip access-group number name in out12-4 Configuring Cisco IOS Firewall IDSConfiguring VPNs Backup Interfaces Configuring Dial Backup and Remote ManagementDial Backup Feature Activation Methods 13-113-2 Configuring Backup InterfacesFloating Static Routes 13-3 Configuring Floating Static RoutesEnables RIP routing Specifies the group number for the watch list Configuring Dialer WatchDialer Watch 13-413-5 Dial Backup Feature LimitationsDial Backup Type Possible? Dial Backup Method Limitations 13-6 13-7 Example 13-3 Configuring Dial Backup Using Dialer Watch 13-8Configure Isdn Settings 13-913-10 Dialer pool number Access-groupIp address negotiated Dialer-group group-number13-12 Configure the Aggregator and Isdn Peer RouterFor your Cisco router during the ATM network downtime Asynchronous Interface Configuration 13-1313-14 Line Configuration 13-1513-16 Before Contacting Cisco or Your Reseller TroubleshootingGetting Started 14-1PortFast Troubleshooting Adsl TroubleshootingShdsl Troubleshooting 14-2Show interface Command ATM Troubleshooting CommandsPing atm interface Command 14-314-4 Shutdown commandOutput Cause Router# show atm interface atm Show atm interface Command14-5 Debug atm errors Command Debug atm CommandsGuidelines for Using Debug Commands Field Description14-7 Debug atm events CommandRouter# debug atm errors ATM errors debugging is on Router# Router# debug atm events Router#Optional ATM interface or subinterface number Debug atm packet CommandWhere the keywords are defined as follows Example 14-7shows a sample outputATM0 Software Upgrade MethodsRecovering a Lost Password 14-9Router# show version Change the Configuration Register14-10 Press Return. The following prompt appears Reset the RouterRouter# show startup-config Prompt changes to the privileged Exec prompt14-12 Reset the Password and Save Your ChangesReset the Configuration Register Value Managing Your Router with SDM 14-1314-14 Reference Information Page Cisco IOS Software Basic Skills Configuring the Router from a PCOne of the configuration topic chapters in this guide PC Operating System SoftwareUnderstanding Command Modes Ctrl-Z ExecAs interface atm Router Enter one of the router Configuration mode Routing protocol AppropriateGetting Help Router rip, fromYou can now make changes to your router configuration Enable Secret Passwords and Enable PasswordsEntering Global Configuration Mode Undoing Commands Using CommandsAbbreviating Commands Command-Line Error MessagesSummary Saving Configuration ChangesWhere to Go Next OL-6426-02 Concepts AdslNetwork Protocols Routing Protocol OptionsEnhanced Igrp PPP Authentication ProtocolsProtocol Ideal Topology Metric Routing Updates RIPPAP Network Interfaces EthernetDialer Interface Dial BackupBackup Interface NAT Easy IP Phase PPP Fragmentation and Interleaving QoSIP Precedence Cbwfq Low Latency QueuingAccess Lists OL-6426-02 Resets the configuration register EnableConfig-reg ROM MonitorReload ROM Monitor CommandsExits global configuration mode Descriptions section in this appendixTftp Download Command Variables Command DescriptionsDisaster Recovery with Tftp Download Command DescriptionOptional Variables Variable CommandRequired Variables TFTPCHECKSUM= setting Using the Tftp Download CommandTFTPTIMEOUT= time RetrytimesChanging the Configuration Register Using Prompts Configuration RegisterChanging the Configuration Register Manually Rommon 1 confregCommand Description Console DownloadContext-Displays processor context for example Debug CommandsError Reporting Frame-Displays an individual stack frameExiting the ROM Monitor OL-6426-02 Common Port Assignments Port Keyword DescriptionNETBIOS-SSN NETBIOS-NSNETBIOS-DGM FingerSee ATM See ARPSee AAL IN-1IN-2 See ChapSee CAR Dhcp IN-3Ethernet B-5 Events, ATM, displaying Experience, user Extended access list Overview B-11See also examples GREIN-5 See LCPSee NCP See PPP See PAPSee PVC See IpcpIN-7 See RIPSee NAT IN-8 Upgrading software, methods for 14-9User Datagram ProtocolSee UDP