Inside Outside | Enterasys Networks X-PeditionTM manual

Configuring NAT Examples

	Figure 5-15 Static NAT within Interface

Inside	Outside

Request

After Translation

SA: 10.1.1.1

DA: 164.17.2.1

DA: 172.20.2.1

SA: 201.2.2.1

10.1.1.1

Internal

External

interface

interface

XSR

F2

After Translation

10.1.1.2

DA: 172.20.2.1

SA: 201.2.2.1

NAT Table

Inside local

Inside global

Request

IP Address

IP Address

SA: 10.1.1.2

10.1.1.1

203.2.2.1

DA: 164.17.2.1

10.1.1.2

201.2.2.1

164.17.2.2

Internet

Reply DA: 203.2.2.1 SA: 172.20.2.1 172.20.2.1

As shown in Figure 5-15, packets from the PC at 10.1.1.1 are statically NATted to the PC at

203.2.2.1but through neither of the pools. This occurs because static NAT takes precedence over other NAT forms. Also, this static NAT would be used only when packets from PC 10.1.1.1 exit the F2 interface. On any other interface the translation would not occur, unless the same mapping is configured. Static NAT within an interface procedes as follows:

1.The user at 10.1.1.1 opens a connection to host 172.20.2.1.

2.When the XSR receives the first packet from 10.1.1.1, the static NAT table for the interface is checked and a mapping found. That mapping is used to translate the source IP address to 203.2.2.1.

3.The packet goes out as being transmitted from 203.2.2.1 to destination 172.20.2.1.

4.When a reply packet is received by the XSR, static mappings are again checked resulting in the translation of the destination IP address from 203.2.2.1 to 10.1.1.1.

Enter the following commands to configure static NAT at interface F2:

XSR(config)#access-list 101 permit ip any 172.20.0.0 0.0.255.255

+Configures the ACL for the destination on the 172.20.0.0 network

XSR(config)#access-list 102 permit ip any 164.17.0.0 0.0.255.255

+Configures the ACL for the destination on the 164.17.0.0 network

XSR(config)#ip local pool NatPool 200.2.2.0/24

XSR(ip-local-pool)#exit

XSR(config)#ip local pool NatPool1 201.2.2.0/24

XSR(ip-local-pool)#exit

+Create two IP local pools with the specified inside global IP addresses

XSR(config)#ip nat pool NatPool

XSR(config)#ip nat pool NatPool1

+Assigns the above pools to NAT

XSR(config)#interface F2

XSR(config-if<F2>)#ip nat source list 101 pool NatPool

XSR(config-if<F2>)#ip nat source list 102 pool NatPool1

XSR User’s Guide 5-43

Image 145

Enterasys Networks X-PeditionTM manual Inside Outside, Static NAT within Interface

Contents

Version PeditionSecurity RouterPage Enterasys Networks, Inc Minuteman Road Andover, MA Federal Communications Commission FCC Notice Regulatory Compliance Information Industry Canada Notices Product SafetyTTE Directive Declaration Class a ITE Notice Clase A. Aviso de ITE Compatibilidad Electromágnetica EMC Electromagnetic Compatibility EMCElektro- magnetische Kompatibilität EMC Vcci Notice USA Declaration of Conformity Approved Enterasys Networks, Inc Firmware License Agreement Viii Page Page Contents Configuring an Interface Displaying Interface Attributes Configuring IP Configuring T1/E1 & T3/E3 InterfacesManaging LAN/WAN Interfaces How Triggered-on-Demand RIP Works Configuration Considerations Configuring the Border Gateway Protocol Route Reflectors Confederations Configuring PIM-SM and Igmp Configuring PPP Configuring Dialer Services Configuring Frame Relay 10-13 Configuring Quality of Service Configuring Integrated Services Digital Network Configuring Adsl Configuring the Virtual Private Network Configuring Dhcp Configuring Security on the XSR Appendix B XSR Snmp Proprietary and Associated Standard MIBs DOS Attacks Blocked Counters DOS Attacks Blocked Table Preface Contents of the Guide Following conventions are used in this guide Conventions Used in This Guide Bold/En negrilla FTP Getting Help Overview Overview XSR User’s Guide Overview Connecting via the Console Port on XSR Series Utilizing the Command Line Interface Connecting a Serial Interface to a Modem Using the Console Port to Remotely Control the XSR Connecting via SSH Connecting via TelnetTerminal Commands Synchronizing the Clock Accessing the Initial Prompt RAI Features and Requirements Remote Auto InstallManaging the Session Utilizing the Command Line Interface How RAI Components Work RAI Requirements on the XSRFrame Relay Remote Router Reverse DNS Client Bootp ClientTftp Client Frame Relay Central Site Dhcp over LAN RAI over Ethernet PPP RAI over a Dial-in Line PPP RAI over a Leased LinePPP RAI over Adsl CLI Editing Rules CLI Shortcuts Command Description Setting CLI Configuration Modes Refer to -1for a graphic example of configuration modes CLI Configuration Modes Function Access Method Prompt Exiting From the Current Mode Global Configuration ModeUser Exec Mode Privileged Exec Mode Observing Command Syntax and Conventions Mode ExamplesFollowing example Describing Ports and Interfaces CLI Command LimitsSupported Physical Interfaces Supported Virtual Interfaces Setting Port Configuration Mode Setting Interface Type and NumberingNumbering XSR Slots, Cards, and Ports Supported Ports T1 Example Configuration ExamplesT1-PRI Isdn Example Dialer Example Following interfaces are added BRI-Dialer Idsn Example Adding Table Entries Entering Commands that Control TablesFollowing sub-interfaces are added You may type Deleting Table Entries Managing XSR InterfacesModifying Table Entries Displaying Table Entries Following command enables an interface Configuring an InterfaceEnabling an Interface Disabling an Interface Logging Commands Performing Fault ManagementManaging Message Logs Capturing Fault Report Data Fault Report Commands Managing the System Configuration Using the Real-Time ClockRTC Commands RTC/Network Clock Options Using the Default Button XSR 1800/1200 Series Only Resetting the Configuration to Factory Default Bulk Configuration Management Configuration Save OptionsUsing File System Commands Downloading the Configuration Creating Alternate Configuration Files Uploading the Configuration/Crash ReportFull-config Backup Pre-upgrade Procedures BootRom Upgrade ChoicesManaging the Software Image Creating Alternate Software Image Files Using the Bootrom Update Utility Using TFTP, transfer updateBootrom.fls from the network Local Bootrom Upgrade XSR1800 bU bootromuncmp.fls Loading Software Images Using EOS Fallback to Upgrade the Image Configuring EOS Fallback via Snmp Configuring EOS Fallback on the CLI Configuration Change Hashing Software Image CommandsDownloading with Fips Security Set the operation to imageSetSelected Displaying System Status and Statistics Memory ManagementCreating Resources Network Management through Snmp Shaping Trap Traffic Snmp InformsStatistics Network Monitoring via Service Level Agreement Agent Alarm Management TrapsMeasuring Performance Metrics Via CLI Create an OwnerVia Snmp Create a Measurement to Ping Via CLI Schedule a measurement Via CLI Following command schedules a measurement immediately Using the SLA Agent in Snmp Full Configuration Backup/RestoreEnterasys Configuration Management MIB Cabletron CTdownload MIB Appending CLI Commands to Configuration Files via Snmp Software Image Download using NetSightSnmp Download with Auto-Reboot Option CLI Translator NetSight Atlas Router Services Manager Accessing the XSR Through the WebFirmware Upgrade Procedures Network Management Tools Using the CLI for Downloads Fault ReportingUsing Snmp for Downloads Auto-discovery XSR supports the following LAN interface features LAN FeaturesOverview of LAN Interfaces MIB Statistics Configuring the LAN XSR supports the following WAN interface features WAN FeaturesOverview of WAN Interfaces Configuring the WAN Following example configures the XSR to dial-out async Configuring the WAN Managing LAN/WAN Interfaces T1/E1 Mode FeaturesOverview T1/E1 Functionality E3 Mode T3 Mode T3/E3 Subsystem Configuration T1/E1 Subsystem Configuration D&I NIM does not support channelized mode nor PRI Drop and Insert FeaturesT1 Drop & Insert One-to-One DS0 Bypassing Enter the no shutdown command to enable the line Configuring Channelized T1/E1 InterfacesSpecify the clock source for the controller Specify the controllers framing type Enable the Controller line Configuring Un-channelized T3/E3 InterfacesOptionally, if you prefer to configure internal clocking Enable the Serial line T1/E1 & T3/E3 Physical Layer Troubleshooting Troubleshooting T1/E1 & T3/E3 Links XSRconfig#controller t1 1/0 XSRconfig-controllerT1-1/0# Receive Alarm Indication Signal AIS Blue Alarm T1/E1 & T3/E3 Alarm AnalysisRestart the controller Transmit Remote Alarm Indication RAI Yellow Alarm Receive Remote Alarm Indication RAI Yellow AlarmTransmit Sending Remote Alarm Red Alarm Transmit Alarm Indication Signal AIS Blue Alarm XSR T1/E1 & T3/E3 Error Events Analysis Controller Slip Seconds Counter Increasing Framing Loss Seconds Increasing Configuring the D&I NIMLine Code Violations Increasing Page General IP Features Configuring IP Secondary IP Telnet RIP Troubleshooting Tools Ping Traceroute IP Routing ARP and Proxy ARP BOOTP/DHCP RelayProxy DNS Directed Broadcast BroadcastLocal Broadcast Telnet TCP IP Interface Trivial File Transfer Protocol TftpSecondary IP Interface & Secondary IP Icmp & Secondary IP ARP & Secondary IP Ospf & Secondary IP Routing Table Manager & Secondary IPRIP & Secondary IP Unnumbered Interface & Secondary IP Maximum Transmission Unit MTU IP Routing ProtocolsPing Traceroute RIPv1 How Triggered-on-Demand RIP Works Triggered-on-Demand RIP IP Routing Protocols Ospf Ospf Database Overflow LSA Type 3 and 5 Summarization Following is a high priority Overflow Entered log report Ospf Passive InterfacesFollowing is a high priority Overflow Exited log report Null Interface Ospf TroubleshootingRoute Preference Vlan Routing Static Routes 802.1Q Vlan Tag Forwarding VLAN, PPPoE over Vlan IP Routing Table Vlan Processing Over the XSR’s Ethernet Interfaces Vlan Ethernet to Fast/GigabitEthernet Topology Vlan Processing VLAN-enabled Ethernet to WAN Interfaces Policy Based Routing Accessing the Global Routing Policy TableQoS with Vlan Set Clauses Match ClausesPBR Cache Classless Inter-Domain Routing Cidr Default NetworkRouter ID Real Time Protocol RTP Header Compression Network Address Translation Features Virtual Router Redundancy Protocol XSR1 XSR2 Vrrp Definitions Different States of a Vrrp Router How the Vrrp Works Authentication Vrrp FeaturesMultiple Virtual IP Addresses per VR Multiple VRs Per Router ARP Process on a Vrrp Router Load BalancingHost ARP Proxy ARP Interface Monitoring Icmp Ping Watch Group Monitoring Equal-Cost Multi-Path Ecmp Configuration Considerations Central XSR Configuring RIP Examples Configuring RIP Examples Configuring Ospf Example Configuring Unnumbered IP Serial Interface Example Configuring Static Translation Configuring NAT ExamplesBasic One-to-One Static NAT Configuring Dynamic Pool Translation Dynamic Pool ConfigurationRegister the global NAT pool Enable an interface F1, for example Configuring NaptNetwork Address and Port Translation Bind the interface and optional ACL to the NAT pool 14 Multiple NAT Pools within Interface Multiple NAT Pools within an Interface Static NAT within an Interface 15 Static NAT within Interface Inside Outside Enter the following commands to enable NAT Port Forwarding Configuring Policy Based Routing ExampleNAT Port Forwarding Router XSRa Configuring Vrrp ExampleRouter XSRb Following example configures a Vlan interface for PPPoE Configuring Vlan ExamplesFor a QoS with Vlan example, refer to QoS with Vlan on Configuring the Border Gateway Protocol Open Describing BGP Messages Defining BGP Path Attributes UpdateKeepalive Notification Origin AS Path Local Preference Next Hop Local Preference Applied to Direct Egress Traffic from AS Atomic Aggregate Weight Multi-Exit Discriminator Aggregator Aspath Communities Community Application of Community Attribute BGP Routing Policy BGP Path Selection Process Filter Lists Access Control ListsCommunity Lists Route Maps Regular Expression Characters Regular ExpressionsRegular Expression Examples Creating a Peer Group Peer GroupsAssigning Peer Group Options Display all routes with any AS path Resetting BGP Connections Initial BGP ConfigurationFor an example, refer to Configuring BGP Neighbors on Adding BGP Neighbors Address Aggregation SynchronizationRoute Flap Dampening Route Refresh Capability AdvertisementRecommendations for Route Flap Dampening 10 Fully Meshed BGP Scaling BGP 11 Route Reflector Applied to Minimize Ibgp Mesh Route Reflectors Confederations 12 Use of Confederations to Reduce Ibgp Mesh Sub AS-302 Displaying System and Network Statistics Configuring BGP Route Maps BGP Path Filtering by Neighbor Example Configuring BGP Neighbors BGP Aggregate Route Examples Configuring BGP Confederations TCP MD5 Authentication for BGP Example Configuring BGP Peer GroupsIbgp Peer Group Example This section details Ibgp and an Ebgp peer group examples BGP Community with Route Maps Examples Ebgp Peer Group Example XSRconfig#router bgp XSRconfig-router#network 1.0.0.0 mask Configuring BGP Peer Groups Differences with Industry-Standard Approach Configuring PIM-SM and Igmp Defining Multicast Group Addressing IP Multicast Overview Comparing Multicast Distribution Trees Outlining Igmp Versions Forwarding Multicast Traffic Describing the XSR’s IP Multicast Features Sending and Receiving Queries and Reports Group Membership ActionsSending a Query Interoperating with Older Igmp Versions Behavior of Group Members Among Older Version Group Members Describing the XSR’s PIM-SM v2 FeaturesBehavior of Multicast Routers Among Older Version Queriers Phase 2 Building Shortest Path Tree Between Sender & RP Phase 1 Building a Shared Tree Phase 2 Topology Shortest Path Tree Between Sender and RP Neighbor Discovery and DR Election PIM Register Message Bootstrap & Rendezvous PointPIM Join/Prune Message Assert Processing PIM SM over Frame Relay Source-Specific Multicast PIM Configuration Examples PIM Configuration Examples Configuring PIM-SM and Igmp PPP Features Configuring PPP Network Control Protocol NCP Link Control Protocol LCP Password Authentication Protocol PAP AuthenticationChallenge Handshake Authentication Protocol Chap Microsoft Challenge Handshake Protocol MS-CHAP Multilink PPP Mlppp Link Quality Monitoring LQM Multi-Class Mlppp Multilink Header Option Format Multilink Head Format Negotiation Fragment Interleaving Over the Link IP Control Protocol Ipcp Events and AlarmsMulti-Class Option Negotiation Multi-Class Receiving Packet IP Address Assignment PPP Bandwidth Allocation/Control Protocols BAP/BAPC Configuring a Synchronous Serial Interface Configuring PPP with a Dialed Backup LineEnter the media-type for the interface default RS232 Enter encapsulation ppp to enable PPP encapsulation Configuring the Dialer Interface Configuring a Dialed Backup LineConfiguring the Physical Interface for the Dialer Interface Enter no shutdown to enable this interface Configure interface dialer 1 to use dial pool Configuring the Interface as the Backup Dialer Interface Multilink Example Configuring Mlppp on a Multilink/Dialer interfaceDialer Example Dual XSRs One Router Using DoD with Call Request Configuring BAPXSR1 Configuration Configure the Dialer 1 interface with a dialer pool XSR2 ConfigurationConfigure the dialer list and ACL for DoD Dual XSRs BAP Using Call/Callback Request Configuring BAP Configuring BAP Configuring PPP DLCIs Virtual Circuits DCEs DTEs Multi-Protocol Encapsulation Frame Relay Features Dynamic Resolution Using Inverse ARP Address ResolutionControlling Congestion in Frame Relay Networks Rate Enforcement CIR Generic Traffic Shaping Forward Explicit Congestion Notification Fecn Discard Eligibility DE BitBackward Explicit Congestion Notification Becn Controlling Congestion in Frame Relay Networks Sub-interfaces Link Management Information LMI FRF.12 Fragmentation User Configuration CommandsEnd-to-End Fragmentation Map-Class Configuration Reports and AlarmsShow Running Configuration Clear Statistics Minneapolis Houston Memphis Interconnecting via Frame Relay Network Multi-point to Point-to-Point Example Configuring Frame Relay Configuring Frame Relay Configuring Frame Relay Configuring Frame Relay Dial Services Features Overview of Dial Services Asynchronous and Synchronous Support AT Commands on Asynchronous Ports25bis over Synchronous Interfaces Typical Use for Dial Services Time of Day featureEthernet Backup DTR Dialing for Synchronous Interfaces Dialer Profiles Implementing Dial Services Dialer Strings Dialer InterfaceDialer Pool Addressing Dialer Resources Isdn Callback Configuring Encapsulation Logical View of Dialer Profiles Sample Dialer Topology Dialer Profile of Destination 416 Dialer Profile of Destination 987 Creating and Configuring the Dialer Interface Configuring the Map Class Sample Dialer ConfigurationConfiguring the Physical Interface for the Dialer Interface Configure a backup link for dial purposes with priority Point-to-Point with Matched Calling/Called Numbers Configuring Isdn CallbackPoint-to-Point with Different Calling/Called Numbers Point-to-Multipoint with One Neighbor Sequence of Backup Events Overview of Dial BackupDial Backup Features Backup Link Failure Example Link Failure Backup Example Configure backup serial port for dialing purposes Configuring Interface as the Backup Dialer Interface Configure interface dialer 2 to use dial pool Sample ConfigurationDialer Overview of Dial on Demand/Bandwidth on Demand Dialer Watch Dialer Interface Spoofing Dialer Watch Topology Dialer Watch Behavior Caveat Answering Incoming Isdn Calls Following command maps ACL 101 to dialer group Node a Calling Node ConfigurationIncoming Call Mapping Example Node D Calling Node Configuration Node B Called Node Configuration Following command maps ACL 1061 to dialer group Configuring DoD/BoD 11 Dial on Demand Topology PPP Point-to-Multipoint Configuration Node a Configuration PPP Multipoint-to-Multipoint Configuration Node B Configuration PPP Point-to-Point ConfigurationsFollowing command maps ACL 105 to dialer group Dial-in Routing for Dial on Demand Example Following commands configure dialer interfaceDial-out Routing for Dial on Demand Example 13 PPP Point-to-Multipoint Topology PPP Point-to-Multipoint Configurations Dial-in Router Example Dial-out Router Example Following command sets remote user authentication Mlppp Point-to-Multipoint Configuration 14 Mlppp Point-to-Point Topology Mlppp Point-to-Point Configurations Mlppp Point-to-Multipoint Configurations 15 Mlppp Point-to-Multipoint Topology Mlppp Multipoint-to-Multipoint Configuration Bandwidth-on-Demand Switched PPP Multilink Configuration Following command maps ACL 106 to dialer group Node C Called Node Configuration Backup Using Isdn Backup ConfigurationNode a Backed-up Node Configuration XSRconfig#username toronto privilege 0 password cleartext z Following command configures Serial sub-interface 2/00 Configuration for Backup with Mlppp BundleFollowing command configures Serial sub-interface 2/01 Following commands configure Serial sub-interface 2/00 Configuration for Ethernet Failover Configuration for Frame Relay Encapsulation Backup Configuration Configuring Dialer Services Leased line Isdn configuration examples T1 PRI E1 PRI Isdn Features PRI Features BRI FeaturesUnderstanding Isdn Primary Rate Interface Basic Rate InterfaceChannels Channel Isdn Equipment Configurations Channel Signaling and Carrier NetworksChannel Standards Security Bandwidth Optimization Isdn Trace Call MonitoringTrace Decoding Q921 Decoding Reference Parameters Q931 Decoding Status + Next line 04 Bearer capability Terminal Endpoint Identifier TEI Management Procedures Isdn ConfigurationDecoded IEs BRI NI-1, DMS100 & 5ESS Spid Registration BRI Switched Configuration Model Switched BRI Configuration Model PRI Configuration Model PRI Configuration Model Interface BRI 0/1/21 Leased-Line Configuration Model Following example configures a PRI connection on a T1 card More Configuration ExamplesFollowing example configures a PRI connection on an E1 card Following example configures a switched line BRI connection Isdn ITU Standard Q.931 Call Status Cause Codes Following example configures a leased-line BRI connectionBRI Leased Line BRI Leased PPP Call Status Cause Codes Code Cause Incoming calls barred Configuring Quality of Service Traffic Classification Mechanisms Providing QoS Describing the Policy Map Describing the Class Map Describing Class-Based Weight Fair Queuing Queuing and Services Configuring Priority Queues Configuring CbwfqMeasuring Bandwidth Utilization Describing Priority Queues Describing Traffic Policing Configuring Traffic PolicingAssign the class frost to the priority queue Class-based Traffic Shaping Traffic Shaping per Policy-Map Traffic Shaping and Queue Limit Differences Between Traffic Policing and Traffic Shaping Describing Queue Size Control Drop Tail Congestion Control & AvoidanceDescribing Random Early Detection RED Drop Probability Calculation Describing Weighted Random Early Detection VPN Configuration per Interface Configuring QoS with Mlppp Multi-Class Suggestions for Using QoS on the XSRQoS and Link Fragmentation and Interleaving LFI QoS with Vlan Configuring QoS with FRF.12 Vlan Packet with Priority Routed out a Serial Interface Describing Vlan QoS Packet Flow LAN/QoS Serial Scenario QoS with Vlan Configuration Process QoS on VPN QoS on Input Configuring QoS on a Physical Interface QoS over VPN FeaturesConfiguring QoS on a Virtual Tunnel Interface QoS on a Virtual Interface Example Configure the output policy map Ser classes RTP1 and FTP1 Configure the input policy map Vpn classes RTP and FTP Configure the IKE policy foo for pre-share keys Configure ACLsConfigure the IPSec SA Route QoS and VPN Interaction AH Hmac ESP+3DES Configuring the Shaper on the VPN Interface Simple QoS on Physical Interface Policy QoS Policy Configuration ExamplesCreate the policy map QoS for Frame Relay Policy Apply the configuration to the interface QoS with Mlppp Multi-Class Policy QoS with FRF.12 Policy Input and Output QoS Policy QoS with Vlan Policy Input QoS on Ingress to the Diffserv Domain Policy QoS Policy Configuration Examples Configuring Adsl PPP over ATM PDU Encapsulation Choices PPP over Ethernet over ATM Routed PPPoA Network Diagram Routed IP over ATM PPPoE Network Diagram Adsl Hardware Adsl LimitationsNIM Card ATM Support Adsl Data FramingAdsl on the Motherboard DSP Firmware Class of Service Access Concentrator RestrictionsDslam Compatibility OAM Cells Inverse ARP Configuration ExamplesQoS PPPoE Following optional commands configure NAT Following optional commands configure two default routesPPPoA IPoA Enter the following commands to configure a IPoA topology VPN Overview Internet Security Issues How a Virtual Private Network Works Ensuring VPN Security with IPSec/IKE/GRE Transport Mode Processing GRE over IPSec Tunnel Mode Processing Defining VPN Encryption Describing Public-Key Infrastructure PKIDigital Signatures Machine Certificates for the XSR Certificates Certificate Chains CA Hierarchies Certificate Chain Example RA Mode Enroll Password Pending ModeDF Bit Functionality CRL Retrieval VPN Applications Site-to-Central-Site Networks Site-to-Site NetworksNAT Traversal Internet Client Mode Network Extension Mode NEM Remote Access Networks Ospf Commands Using Ospf Over a VPN NetworkConfiguring Ospf Over Site-to-Central Site in Client Mode Server ClientServer Client Internet Server Configuring Ospf with Fail Over RedundancyClient Interfaces Fast/GigabitEthernet 1 and VPN Limitations XSR VPN FeaturesInterfaces Fast/GigabitEthernet 1, VPN 1 and VPN Napt Master Encryption Key Generation VPN Configuration Overview Configuring ACLs ACL Configuration Rules SA lifetimes Selecting Policies IKE/IPSec Transform-Sets Security Policy Considerations Configuring Policy Creating Crypto Maps Configuring Crypto Maps User-Name Authentication, Authorization and Accounting Configuration Configuring AAA AAA Commands PKI Configuration Options PKI Certificate Enrollment Example Configuring PKI CA-AUTHENTICATED XSRconfig#ip domain acme.com Interface VPN Options VPN Interface Sub-Commands Configuring a Simple VPN Site-to-Site ApplicationFollowing sub-commands are available at VPN Interface mode XSRconfig#crypto isakmp proposal Test XSRconfig-crypto-m#description external interface Configuring the VPN Using EZ-IPSec XSRconfig#interface vpn 1 point-to-point EZ-IPSec Configuration XSR with VPN Central Gateway Configure the following four IPSec SAs Configure IKE policy for the remote peerAdd ACLs to permit IP and UDP traffic Add a default route to the next hop Internet gateway Configure and enable the FastEthernet 1 interface Clear the DF bit globally Create a group for NEM and Client mode users Tunnel a XSR-3250 VPN GRE Site-to-Site Tunnel GRE Tunnel for Ospf XSRconfig-isakmp-peer#proposal shared Tunnel B XSR-1805 VPN GRE Site-to-Site Tunnel Enable Ospf on the trusted and VPN interfaces Enable Ospf on the trusted and VPN interfaces XSR/Cisco Site-to-Site Example Cisco Configuration XSR Configuration Scenario 1 Gateway-to-Gateway with Pre-Shared Secrets Interoperability Profile for the XSR Configure a default route Configure the Gateway a external LAN network AWConfigure IKE Phase 1 policy Interoperability Profile for the XSR 14 Gateway-to Gateway with Certificates Topology Scenario 2 Gateway-to-Gateway with Certificates XSR#clock timezone -7 State CA-AUTHENTICATED Overview of Dhcp Configuring Dhcp Dhcp Server Standards How Dhcp Works Assigned Network Configuration Values to Clients Options Dhcp ServicesPersistent Storage of Network Parameters for Clients Temporary or Permanent Network Address Allocation Provisioning Differentiated Network Values by Client Class Bootp Legacy SupportNested Scopes IP Pool Subsets Pool subnet Manual Bindings Scope Caveat Router Option Dhcp Client ServicesParameter Request List Option Dhcp Client Interaction Interaction with Remote Auto Install RAI Dhcp Client Timeouts Dhcp CLI Commands Configuration Steps Dhcp Set Up OverviewConfiguring Dhcp Address Pools Configuring Dhcp Network Configuration Parameters Enable the Dhcp Server Configure Dhcp Network ParametersOptional Set Up a Dhcp Nested Scope Optional Configure a Dhcp Manual Binding Pool with Hybrid Servers Example Dhcp Server Configuration ExamplesManual Binding Example Manual Binding with Class Example Dhcp Option Examples Bootp Client Support Example Access Control Lists Configuring Security on the XSR First alarms logged will display as follows ACL Violations Alarm ExamplePacket Filtering LANd Attack Fraggle Attack Smurf AttackIP Packet with Multicast/Broadcast Source Address Spoofed Address Check Spurious State Transition General Security PrecautionsLarge Icmp Packets Ping of Death Attack AAA Services Connecting Remotely via SSH or Telnet with AAA Service PuTTY Exit Option PuTTY Alert Message Reasons for Installing a Firewall Firewall Feature Set Overview ACL and Packet Filter Firewalls Types of Firewalls ALG and Proxy Firewalls Stateful Inspection Firewalls XSR Firewall Feature Set FunctionalityStateful Firewall Inspection SFI Filtering non-TCP/UDP Packets Application Level Gateway Application Level Commands Importing URL Lists from an Ascii File On Board URL FilteringWriting URL List Entries Enabling URL Filtering in Firewall Policy Configuring URL Redirection Denial of Service DoS Attack Protection Alarms Alarm Logging 12 Authentication Process Authentication Firewall and NAT Dynamic ReconfigurationFirewall and VPN ACLs and Firewall Firewall CLI Commands Firewall CLI Commands 13 Sample Telnet Screen Firewall Limitations Steps to Configure the Firewall Pre-configuring the Firewall XSR with Firewall Log only critical events Complete LAN and WAN interface configuration 15 XSR Firewall with PPPoE DSL and Dhcp XSR with Firewall, PPPoE and Dhcp XSR with Firewall and VPN Configure the Dhcp pool, DNS server and related settings Add four ACLs to permit IP pool, L2TP and NEM traffic XP PC NEM Configure the following IPSec SAs XSRconfig#ip local pool test 10.120.70.0 Define the public VPN interface crypto map Define the Internet as all possible IP addressesDefine three trusted networks in the enterprise Define the local pool network used for tunnel IP addresses Define service for L2TP tunnels Define service for IsakmpDefine service for Radius authentication Define service for Radius accounting Load the firewall configuration Firewall Configuration for VrrpConfigure Radius network objects Configuring Simple Security RPC Policy Configuration Configuration Examples Configuring Security on the XSR Recommended System Limits Alarms/Events, System Limits Standard Ascii Table Snmp views Table A-5 Alarm Behavior System Alarms and Events Driv ETH1 ETH0 Table A-6 High Severity Alarms/Events Table A-7 Medium Severity Alarms/Events Sntp PPP MS-CHAP authentication failed while Shutdown command Portchannel Corrected the problem by resetting itself Table A-9 Firewall and NAT Alarms Firewall and NAT Alarms and Reports NAT TCP reset, NAT port %d, %IPP2 UDP Detected UDP Flood attack %IPP2 Deny Icmp unsupported packet %IP2ICMP UDP Request Entry pool is empty Space Standard Ascii Character Table Standard Ascii Character Table EtsysSrvcLvlMetricTable Service Level Reporting MIB TablesVPN MIB Tables on page B-12 EtsysSrvcLvlHistoryTable EtsysSrvcLvlOwnerTable EtsysSrvcLvlNetMeasureTable Field Example CLI command Rtr schedule aliased to EtsysSrvcLvlAggrMeasureTable General Variables Table BGP v4 MIB TablesBGP v4 Peer Table BgpPeerAdminStatus Bgp4PathAttrIpAddrPrefix BGP-4 Received Path Attribute Table BGP-4 Traps Global Interface Operations Firewall MIB Tables Policy Rule Table Totals Counters Monitoring ObjectsPolicy Rule True Table Session Totals Counters Authenticated Addresses Table Authenticated Address CountersIP Session Counters IP Session Table DOS Attacks Blocked Counters VPN MIB TablesDOS Attacks Blocked Table EtsysVpnIkePeerProposals Table EtsysVpnIkePeer Table EtsysVpnIpsecPolicy Table EtsysVpnIkeProposal TableEtsysVpnIntfPolicy Table EtsysVpnIpsecPolProposals Table EtsysVpnIpsecPolicyRule Table EtsysVpnIpsecPropTransforms Table EtsysVpnIpsecProposal TableEtsysVpnAhTransform Table EtsysVpnIpcompTransform Table EtsysVpnEspTransform Table Host Resources MIB Objects IpCidrRouteTable for Static Routes Field Description ConfigMgmtOperations Enterasys Configuration Management MIB Field Description EtsysConfigChangeNonVolatile Group Enterasys Configuration Change MIB Enterasys Snmp Persistence MIB Field Description EtsysSyslogClient Group Enterasys Syslog Client MIB Table B-46 Enterasys Syslog Client MIB Compliance Statements