-
Cisco 1700 Series Router Software Configuration Guide
-
Preface
-
Cisco IOS Software Skills
-
Configuring Security Features
-
Miscellaneous Features
-
Configuring Routing Among VLANs with IEEE 802.1Q Encapsulation
-
Configuring ISDN
-
Configuring a Leased Line
-
Configuring Frame Relay
-
Configuring Asynchronous Connections
-
Configuring X.25
-
Networking Concepts for the Cisco 1700 Router
-
ROM Monitor Software
-
Table Of Contents
Configuring a Virtual Private Dial-Up Network
Configuring Security Features
This chapter presents basic configuration procedures for security features in the Cisco 1700 series routers. For a full description of these features and their configurations, please refer to the Cisco IOS command references and configuration guides for Cisco IOS Release 12.2.
This chapter contains the following sections:
•
Configuring a Virtual Private Dial-Up Network
Configuring IP Security
IP Security (IPSec) is a framework of open standards for ensuring secure private communications over IP networks. Based on standards developed by the Internet Engineering Task Force (IETF), IPSec ensures confidentiality, integrity, and authenticity of data communications across a public IP network. Cisco's realization of IPSec implements the Data Encryption Standard (DES) and triple DES (3DES).
Refer to the Cisco IOS Security Configuration Guide, Release 12.2, for more detailed information on IPSec.
Perform the following tasks to configure IPSec. Start in global configuration mode.
Disabling Hardware Encryption
If your Cisco 1700 series router is equipped with an optional Virtual Private Network (VPN) module, it provides hardware 3DES encryption by default. If you wish, you can disable the VPN module and use Cisco IOS software encryption/decryption instead.
The command that disables the VPN module is as follows:
no crypto engine accelerator
The command is executed in configuration mode. The following is an example of its use:
Router(config)#no crypto engine acceleratorWarning! all current connections will be torn down.Do you want to continue? [yes/no]: yes.Crypto accelerator in slot 0 disabled.switching to IPsec crypto engineAfter this command is executed, the following procedure must be performed to bring up all encryption tunnels appropriately.
Step 1
Step 2
You may need to repeat these commands until no connections are listed.
Step 3
To reenable the VPN module, use the following command:
crypto engine accelerator
For example:
Router(config)#crypto engine acceleratorWarning! all current connections will be torn down.Do you want to continue? [yes|no]:yes.switching to crypto accelerator.The following is a useful command that shows statistical information about the VPN module:
show crypto engine accelerator statistic
For example:
Router#show crypto engine accelerator statistic C1700_EM:ds: 0x81784BA4 idb:0x81780560Statistics for Virtual Private Network (VPN) Module:0 packets in 0 packets out0 paks/sec in 0 paks/sec out0 Kbits/sec in 0 Kbits/sec outrx_no_endp: 0 rx_hi_discards: 0 fw_failure: 0invalid_sa: 0 invalid_flow: 0 cgx_errors 0fw_qs_filled: 0 fw_resource_lock:0 lotx_full_err: 0null_ip_error: 0 pad_size_error: 0 out_bound_dh_acc: 0esp_auth_fail: 0 ah_auth_failure: 0 crypto_pad_error: 0ah_prot_absent: 0 ah_seq_failure: 0 ah_spi_failure: 0esp_prot_absent:0 esp_seq_fail: 0 esp_spi_failure: 0obound_sa_acc: 0 invalid_sa: 0 out_bound_sa_flow: 0invalid_dh: 0 bad_keygroup: 0 out_of_memory: 0no_sh_secret: 0 no_skeys: 0 invalid_cmd: 0dsp_coproc_err: 0 comp_unsupported:0 pak_too_big: 0pak_mp_length_spec_fault: 0tx_lo_queue_size_max 0 cmd_unimplemented: 0159405 seconds since last clear of countersInterrupts: Notify = 0, Reflected = 0, Spurious = 0cgx_cmd_pending:0 packet_loop_max: 0 packet_loop_limit: 512The show crypto engine accelerator statistic command can also be used as follows to verify that the VPN module is disabled.
For example:
Router#show crypto engine accelerator statisticThere is no crypto accelerator.Configuring a Virtual Private Dial-Up Network
Complete the following tasks to configure a virtual private dial-up network (VPDN). Start in global configuration mode.
Configuring Firewalls
Basic traffic filtering is limited to configured access list implementations that examine packets at the network layer or, at most, the transport layer, permitting or denying the passage of each packet through the firewall. However, the use of inspection rules in Context-based Access Control (CBAC) allows the creation and use of dynamic temporary access lists. These dynamic lists allow temporary openings in the configured access lists at firewall interfaces. These openings are created when traffic for a specified user session exits the internal network through the firewall. The openings allow returning traffic for the specified session (that would normally be blocked) back through the firewall.
Refer to the Cisco IOS Security Configuration Guide, Release 12.2, for more detailed information on traffic filtering and firewalls.
Access Lists
Access lists are configured as standard or extended. A standard access list either permits or denies passage of packets from a designated source. An extended access list allows designation of both the destination and the source, and it allows designation of individual protocols to be permitted or denied passage. An access list is a series of commands with a common tag to bind them together. The tag is either a number or a name.
Standard numbered access list commands take the following form:
access-list {1-99} {permit | deny} source-addr [source-mask]
Extended numbered access list commands take the following form:
access-list {100-199} {permit | deny} protocol source-addr [source-mask] destination-addr [destination-mask]
Named access list commands take the form:
ip access-list {standard | extended} name
A standard named access list command must be followed by subcommands in this form:
deny {source | source-wildcard | any}
An extended named access list command must be followed by a subcommand in this form:
{permit | deny} protocol {source-addr[source-mask] | any} {destination-addr [destination-mask] | any}
A sequence of access list commands bound together with a common name or number is referred to as an access group. An access group is enabled for an interface during interface configuration with the command
ip access-group number|name [in | out]
where in | out refers to the direction of travel of the packets being filtered.
When a sequence of access list commands is used, three things must be kept in mind:
•
•
•
Configuration Examples
The following examples illustrate the configuration of standard numbered access lists and extended numbered access lists.
Configuring Standard Numbered Access Lists
In the following example, access list 2, a standard numbered access list, is defined to operate on the router, permitting or denying passage of packets associated with network 36.0.0.0. This network is a Class A network whose second octet specifies a subnet; that is, its subnet mask is 255.255.0.0. The third and fourth octets of a network 36.0.0.0 address specify a particular host. Using access list 2, the router would accept one address on subnet 48 and reject all others on that subnet. The last line of the list shows that the router would accept addresses on all other network 36.0.0.0 subnets.
access-list 2 permit 36.48.0.3access-list 2 deny 36.48.0.0 0.0.255.255access-list 2 permit 36.0.0.0 0.255.255.255Note that all other accesses are implicitly denied.
The following commands tie the access group to a specific interface on the router and specify that incoming packets are to be permitted or denied passage:
interface ethernet 0ip access-group 2 inConfiguring Extended Numbered Access Lists
In the following example, access list 102, an extended numbered access list, is defined. The first command permits any incoming TCP messages with destination ports greater than 1023. The second command permits incoming TCP messages to the Simple Mail Transfer Protocol (SMTP) port of host 128.88.1.2. The third command permits incoming Internet Control Message Protocol (ICMP) messages for error feedback.
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 gt 1023access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25access-list 102 permit icmp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255The following commands tie the access group to a specific interface on the router and specify that incoming packets are to be permitted or denied passage:
interface ethernet 0ip access-group 102 inInspection Rules
Specify which protocols to examine by using the ip inspect name command. When inspection detects that the specified protocol is passing through the firewall, a dynamic access list is created to allow the passage of return traffic. The timeout parameter specifies the length of time the dynamic access list will remain active without return traffic passing through the router. When a timeout is reached, the dynamic access list is removed, and subsequent packets (possibly even valid ones) are not permitted.
For each protocol you want to inspect, enter a line in global configuration mode, using the following syntax:
ip inspect name inspection-name protocol timeout seconds
Use the same inspection-name in multiple statements to group them into one set of rules. This set of rules can be activated elsewhere in the configuration by using the ip inspect inspection-name in | out command when you configure an interface at the firewall.