Configuration Examples

Terminate Network Extension Mode (NEM) and Client mode tunnels

Terminate remote access L2TP/IPSec tunnels

Terminate PPTP remote access tunnels

Firewall inspection on the public VPN interface (the crypto map interface)

Firewall inspection on the trusted VPN interface (the connection to the corporate network)

Enable NAT Traversal on the firewall

OSPF routing with the next hop corporate router on the trusted VPN interface

DF bit clear on the public VPN interface to handle large non-fragmentable IP frames

OSPF routing over the multi-point VPN interface for other site-to-site tunnels

Assign the first IP address of the pool to the multi-point VPN interface

Figure 16-16 XSR Firewall, VPN and OSPF Topology

[Topology figure not reproduced; labels recoverable from the image: XSR, Internet, SSR, router, Client, XP PC (NEM); networks 96.96.96.0, 10.120.84.0, 10.120.112.0, 172.16.1.0; addresses 141.154.196.93, 96.96.96.7, 141.154.196.106]
Begin by setting the XSR system time via SNTP. This configuration is critical for XSRs that use time-sensitive certificates.

XSR(config)#sntp-client server 10.120.84.3

XSR(config)#sntp-client poll-interval 60

Add four ACLs to permit IP pool, L2TP and NEM traffic:

XSR(config)#access-list 110 permit ip any 10.120.70.0 0.0.0.255

XSR(config)#access-list 120 permit udp any any eq 1701

XSR(config)#access-list 140 permit ip any 172.16.1.0 0.0.0.255

XSR(config)#access-list 150 permit ip any 192.168.111.0 0.0.0.255

Define IKE Phase I security parameters with the following two policies:

XSR(config)#crypto isakmp proposal xp-soho

XSR(config-isakmp)#hash md5

XSR(config-isakmp)#lifetime 50000

XSR(config)#crypto isakmp proposal p2p

XSR(config-isakmp)#authentication pre-share

XSR(config-isakmp)#lifetime 50000

Configure IKE policy for the remote peer:

XSR(config)#crypto isakmp peer 0.0.0.0 0.0.0.0
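To check offline what the four access lists above actually admit before they are tied to the crypto map, here is an added evaluator (not from the Enterasys manual) for the permit forms shown on this page; it assumes IOS-style wildcard masks, where a set bit means "don't care", and an implicit deny when no entry matches.

```python
import ipaddress
import re

# The four ACL entries exactly as configured on the page.
ACL_LINES = [
    "access-list 110 permit ip any 10.120.70.0 0.0.0.255",
    "access-list 120 permit udp any any eq 1701",
    "access-list 140 permit ip any 172.16.1.0 0.0.0.255",
    "access-list 150 permit ip any 192.168.111.0 0.0.0.255",
]

# Only the 'permit ip|udp <src> <dst> [eq <port>]' syntax used above is parsed.
_ADDR = r"(any|\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+)"
_RE = re.compile(
    rf"access-list (\d+) permit (ip|udp) {_ADDR} {_ADDR}(?: eq (\d+))?$"
)

def _match_addr(spec, addr):
    """Wildcard-mask match: address bits under a 1 bit of the mask are ignored."""
    if spec == "any":
        return True
    base, wild = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(addr)) & care) == \
           (int(ipaddress.IPv4Address(base)) & care)

def parse_acl(line):
    """Turn one access-list line into a dict; unsupported syntax raises."""
    m = _RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACL syntax: {line}")
    num, proto, src, dst, port = m.groups()
    return {"number": int(num), "proto": proto, "src": src, "dst": dst,
            "port": int(port) if port else None}

def permitted_by(acls, src, dst, proto, dport=None):
    """Return the ACL numbers that permit this flow; [] means implicit deny."""
    hits = []
    for acl in acls:
        if acl["proto"] != "ip" and acl["proto"] != proto:
            continue  # 'ip' covers every protocol, 'udp' only UDP
        if acl["port"] is not None and acl["port"] != dport:
            continue  # 'eq 1701' restricts the destination port
        if _match_addr(acl["src"], src) and _match_addr(acl["dst"], dst):
            hits.append(acl["number"])
    return hits

ACLS = [parse_acl(line) for line in ACL_LINES]
```

Note that entry 120 permits UDP/1701 from any source to any destination, so L2TP control traffic is admitted regardless of the pool or NEM networks the other three entries scope.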

16-28 Configuring Security on the XSR
