Table Of Contents
Cisco 1710 Security Router Configuration
Before You Configure Your Network
Configuring a Virtual Private Dialup Network
Configuring the Dialer Interface
Configuring the Ethernet Interfaces
Configuring Dynamic Host Configuration Protocol
Manual Binding Configuration Example
Configuring Network Address Translation
Cisco 1710 Security Router Configuration
Network Access Router Configuration
Cisco 1710 Security Router Configuration
This chapter presents basic configuration procedures for features of the Cisco 1710 Security router. For a full description of these features and their configurations, please refer to Cisco IOS Software Configuration: Cisco IOS Release 12.2.
This chapter contains the following sections:
•
Before You Configure Your Network
•
•
•
•
•
•
Before You Configure Your Network
Before you configure your network, you must do the following:
•
•
–
–
–
–
•
–
–
–
•
Configuring a Virtual Private Dialup Network
Complete the following tasks to configure a virtual private dialup network (VPDN). Start in global configuration mode.
Configuring IP Security
IP Security (IPSec) is a framework of open standards for ensuring secure private communications over IP networks. Based on standards developed by the Internet Engineering Task Force (IETF), IPSec ensures confidentiality, integrity, and authenticity of data communications across a public IP network. Cisco's realization of IPSec implements the Data Encryption Standard (DES) and triple DES (3DES).
Refer to the Cisco IOS Security Configuration Guide, Release 12.1, for more detailed information on IPSec.
Perform the following tasks to configure IPSec. Start in global configuration mode.
Disabling Hardware Encryption
The Cisco 1710 Security router is equipped with a Virtual Private Network (VPN) module that provides hardware 3DES encryption by default. It is possible to disable the VPN module and use Cisco IOS software encryption/decryption instead.
The command which disables the VPN module is as follows:
no crypto engine accelerator
The command is executed in configuration mode. An example of its use is as follows:
c1710(config)#no crypto engine acceleratorWarning! all current connections will be torn down.Do you want to continue? [yes/no]: yes.Crypto accelerator in slot 0 disabled.switching to IPsec crypto engineAfter this command is executed, it is necessary to perform the following procedures to bring up all encryption tunnels appropriately.
Step 1
Step 2
Step 3
To re-enable the VPN module, use the following command:
crypto engine accelerator
An example of its use is as follows:
c1710(config)#crypto engine acceleratorWarning! all current connections will be torn down.Do you want to continue? [yes|no]:yes.switching to crypto accelerator.The following is a useful command that shows statistical information about the VPN module:
show crypto engine accelerator statistic
An example of its use is as follows:
c1710#show crypto engine accelerator statistic C1700_EM:ds: 0x81784BA4 idb:0x81780560Statistics for Virtual Private Network (VPN) Module:0 packets in 0 packets out0 paks/sec in 0 paks/sec out0 Kbits/sec in 0 Kbits/sec outrx_no_endp: 0 rx_hi_discards: 0 fw_failure: 0invalid_sa: 0 invalid_flow: 0 cgx_errors 0fw_qs_filled: 0 fw_resource_lock:0 lotx_full_err: 0null_ip_error: 0 pad_size_error: 0 out_bound_dh_acc: 0esp_auth_fail: 0 ah_auth_failure: 0 crypto_pad_error: 0ah_prot_absent: 0 ah_seq_failure: 0 ah_spi_failure: 0esp_prot_absent:0 esp_seq_fail: 0 esp_spi_failure: 0obound_sa_acc: 0 invalid_sa: 0 out_bound_sa_flow: 0invalid_dh: 0 bad_keygroup: 0 out_of_memory: 0no_sh_secret: 0 no_skeys: 0 invalid_cmd: 0dsp_coproc_err: 0 comp_unsupported:0 pak_too_big: 0pak_mp_length_spec_fault: 0tx_lo_queue_size_max 0 cmd_unimplemented: 0159405 seconds since last clear of countersInterrupts: Notify = 0, Reflected = 0, Spurious = 0cgx_cmd_pending:0 packet_loop_max: 0 packet_loop_limit: 512This command can also be used as follows to verify that the VPN module is disabled:
c1710#show crypto engine accelerator statisticThere is no crypto accelerator.Configuring the Dialer Interface
Complete the following tasks to configure the dialer interface. Start in global configuration mode.
Configuring the Ethernet Interfaces
Configure the Ethernet interfaces by performing the following tasks. Begin in the global configuration mode.
Configuring Dynamic Host Configuration Protocol
The Dynamic Host Configuration Protocol (DHCP) is used to enable hosts (DHCP clients) on an IP network to obtain their configurations from a server (DHCP server). This reduces the work necessary to administer an IP network. The most significant configuration option the client receives from the server is its IP address.
Perform the following tasks to configure DHCP. Begin in global configuration mode.
Configuration Example
In the following example, three DHCP address pools are created: one in network 172.16.0.0, one in subnetwork 172.16.1.0, and one in subnetwork 172.16.2.0. Attributes from network 172.16.0.0, such as the domain name, DNS server, NetBIOS name server, and NetBIOS node type, are inherited in subnetworks 172.16.1.0 and 172.16.2.0. In each pool, clients are granted 30-day leases and all addresses in each subnetwork, except the excluded addresses, are available to the DHCP server for assigning to clients.
ip dhcp database ftp://user:password@172.16.4.253/router-dhcp write-delay 120ip dhcp excluded-address 172.16.1.100 172.16.1.103ip dhcp excluded-address 172.16.2.100 172.16.2.103!ip dhcp pool 0network 172.16.0.0 /16domain-name cisco.comdns-server 172.16.1.102 172.16.2.102netbios-name-server 172.16.1.103 172.16.2.103netbios-node-type h-node!ip dhcp pool 1network 172.16.1.0 /24default-router 172.16.1.100 172.16.1.101lease 30!ip dhcp pool 2network 172.16.2.0 /24default-router 172.16.2.100 172.16.2.101lease 30Manual Binding Configuration Example
The following example creates a manual binding for a client named Mars.cisco.com. The MAC address of the client is 02c7.f800.0422 and the IP address of the client is 172.16.2.254.
ip dhcp pool Marshost 172.16.2.254hardware-address 02c7.f800.0422 ieee802client-name MarsBecause attributes are inherited, the previous configuration is equivalent to the following:
ip dhcp pool Marshost 172.16.2.254 mask 255.255.255.0hardware-address 02c7.f800.0422 ieee802client-name Marsdefault-router 172.16.2.100 172.16.2.101domain-name cisco.comdns-server 172.16.1.102 172.16.2.102netbios-name-server 172.16.1.103 172.16.2.103netbios-node-type h-nodeConfiguring Network Address Translation
Network Address Translation (NAT) translates IP addresses within private "internal" networks to "legal" IP addresses for transport over public "external" networks (such as the Internet). Incoming traffic is translated back for delivery within the inside network. Thus, NAT allows an organization with unregistered "private" addresses to connect to the Internet by translating those addresses into globally registered IP addresses.
Ethernet interfaces are configured as "NAT inside" or "NAT outside" as shown in the previous section "Configuring the Ethernet Interfaces." Once the interfaces are configured, the following steps can be performed to establish the NAT configuration within the router.
Configuration Example
In this example, we want NAT to allow certain devices on the inside to originate communication with devices on the outside by translating their internal addresses to valid outside addresses or a pool of addresses. The pool in this example is defined as the range of addresses 172.16.10.1 through 172.16.10.63.
In order to accomplish this translation, we need to use dynamic NAT. With dynamic NAT, the translation table in the router is initially empty and gets populated once traffic that needs to be translated passes through the router. (This is opposed to static NAT, in which a translation is statically configured and is placed in the translation table without the need for any traffic.)
In this example, we can configure NAT to translate each inside device address to a unique valid outside address, or to translate each inside device address to the same valid outside address. The second method is known as overloading. An example of how to configure each method is given here.
To begin, configure the Fast Ethernet interface with an IP address and as a "NAT inside" interface.
interface FastEthernet 0ip address 10.10.10.1 255.255.255.0ip nat insideThen configure the Ethernet interface with an IP address and as a "NAT outside" interface.
interface Ethernet 0ip address 172.16.10.64 255.255.255.0ip nat outsideTo handle the case in which each inside address is translated to its own unique outside address, define a NAT pool named "no-overload" with a range of addresses from 172.16.10.0 to 172.16.10.63
ip nat pool no-overload 172.16.10.0 172.16.10.63 prefix 24Define access list 7 to permit packets with source addresses ranging from 10.10.10.0 through 10.10.10.31 and from 10.10.20.0 through 10.10.20.31.
access-list 7 permit 10.10.10.0 0.0.0.31access-list 7 permit 10.10.20.0 0.0.0.31Then indicate that any packet received on the inside interface, as permitted by access list 7, will have its source address translated to an address from the NAT pool "no-overload."
ip nat inside source list 7 pool no-overloadAlternatively, to handle the case where all inside addresses are translated to a single outside address, define a NAT pool named "ovrld," which has a range of a single IP address: 172.16.10.1.
ip nat pool ovrld 172.16.10.1 172.16.10.1 prefix 24Then indicate that any packet received on the inside interface, as permitted by access list 7, will have its source address translated to the address from the NAT pool "ovrld." Translations will be overloaded, which will allow multiple inside devices to be translated to the same outside IP address.
ip nat inside source list 7 pool ovrld overloadThe keyword overload used in this command allows NAT to translate multiple inside devices to the single address in the pool.
Another variation of this command is ip nat inside source list 7 interface Ethernet 0 overload, which configures NAT to overload on the address that is assigned to the Ethernet 0 interface.
Configuring Firewalls
Basic traffic filtering is limited to configured access list implementations that examine packets at the network layer, or at most, the transport layer, permitting or denying the passage of each packet through the firewall. However, the use of inspection rules in Context-based Access Control (CBAC) allows creation and use of dynamic temporary access lists. These dynamic lists allow temporary openings in the configured access lists at firewall interfaces. These openings are created when traffic for a specified user session exits the internal network through the firewall. The openings allow returning traffic for the specified session (that would normally be blocked) back through the firewall.
Refer to the Cisco IOS Security Configuration Guide, Release 12.1, for more detailed information on traffic filtering and firewalls.
Access Lists
Access lists are configured as standard or extended. A standard access list either permits or denies passage of packets from a designated source. An extended access list allows designation of both the destination and the source, and it allows designation of individual protocols to be permitted or denied passage. An access list is a series of commands with a common tag to bind them together. The tag is either a number or a name.
Standard numbered access list commands take the following form:
access-list {1-99} {permit|deny} source-addr [source-mask]
Extended numbered access list commands take the following form:
access-list {100-199} {permit|deny} protocol source-addr [source-mask] destination-addr [destination-mask]
Named access list commands take the form:
ip access-list {standard|extended} name
A standard named access list command must be followed by subcommands in this form:
deny {source|source-wildcard|any}
An extended named access list command must be followed by a subcommand in this form:
{permit|deny} protocol {source-addr[source-mask]|any} {destination-addr [destination-mask]|any}
A sequence of access list commands bound together with a common name or number is referred to as an access group. An access group is enabled for an interface during interface configuration with the command
ip access-group number|name [in|out]
where in|out refers to the direction of travel of the packets being filtered.
When a sequence of access list commands is used, three things must be kept in mind:
•
•
•
Configuration Examples
The following examples illustrate the configuration of standard numbered access lists and extended numbered access lists.
Configuring Standard Numbered Access Lists
In the following example, access list 2, a standard numbered access list, is defined to operate on the router, permitting or denying passage of packets associated with network 36.0.0.0. This network is a Class A network whose second octet specifies a subnet; that is, its subnet mask is 255.255.0.0. The third and fourth octets of a network 36.0.0.0 address specify a particular host. Using access list 2, the router would accept one address on subnet 48 and reject all others on that subnet. The last line of the list shows that the router would accept addresses on all other network 36.0.0.0 subnets.
access-list 2 permit 36.48.0.3access-list 2 deny 36.48.0.0 0.0.255.255access-list 2 permit 36.0.0.0 0.255.255.255Note that all other accesses are implicitly denied.
The following commands tie the access group to a specific interface on the router, and specify that incoming packets are to be permitted or denied passage:
interface ethernet 0ip access-group 2 inConfiguring Extended Numbered Access Lists
In the following example, access list 102, an extended numbered access list, is defined. The first command permits any incoming TCP messages with destination ports greater than 1023. The second command permits incoming TCP messages to the SMTP port of host 128.88.1.2. The third command permits incoming ICMP messages for error feedback.
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 gt 1023access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25access-list 102 permit icmp 0.0.0.0 255.255.255.255 128.88.0.0 255.255.255.255The following commands tie the access group to a specific interface on the router and specify that incoming packets are to be permitted or denied passage:
interface ethernet 0ip access-group 102 inInspection Rules
Specify which protocols to examine by using the ip inspect name command. When inspection detects that the specified protocol is passing through the firewall, a dynamic access list is created to allow the passage of return traffic. The timeout parameter specifies the length of time the dynamic access list will remain active without return traffic passing through the router. When a timeout is reached, the dynamic access list is removed, and subsequent packets (possibly even valid ones) are not permitted.
For each protocol you want to inspect, enter a line in global configuration mode using the following syntax:
ip inspect name inspection-name protocol timeout seconds
Use the same inspection-name in multiple statements to group them into one set of rules. This set of rules can be activated elsewhere in the configuration by using the ip inspect inspection-name in|out command when configuring an interface at the firewall.
Complete Sample Configuration
An example configuration is presented here, in which a Cisco 1710 Security router is a PPPoE client connected through a modem to an external network access router. The router might be located in a branch office with the network access router located at the corporate site. One alternate scenario could be that the router is in a small or medium business, and the network access router belongs to a service provider. In each case, the network access router provides a dial-in data service with secure tunnels to the business or branch office for mobile users.
This example presents a full configuration of the Cisco 1710 Security router, along with a complementary configuration of IPSec on the network access router.
In this example, both the Cisco 1710 Security router and the network access router have inside and outside interfaces. The outside interfaces have global IP addresses while the inside interfaces have local IP addresses. These addresses are as follows:
•
•
•
•
The outside interface of the router in this example is the Ethernet port, while the inside interface is the Fast Ethernet port.
Figure 2-1 illustrates the topology of this example.
Figure 2-1 Configuration Example
Cisco 1710 Security Router Configuration
The following commands configure the router so that it provides a secure connection to the network access router.
ip domain-name cisco.comip name-server 24.1.64.33ip name-server 24.1.64.34ip dhcp excluded-address 192.168.1.1 192.168.1.5!ip dhcp pool home-poolnetwork 192.168.1.0 255.255.255.0default-router 192.168.1.1domain-name cisco.comdns-server 24.1.64.34!ip inspect name fw_all ftpip inspect name fw_all http java-list 10ip inspect name fw_all rcmdip inspect name fw_all rpc program-number 100000ip inspect name fw_all smtpip inspect name fw_all tftpip inspect name fw_all realaudioip inspect name fw_all streamworksip inspect name fw_all vdoliveip inspect name fw_all cuseemeip inspect name fw_all h323ip inspect name fw_all tcpip inspect name fw_all udpip audit notify logip audit po max-events 100!vpdn enableno vpdn logging!vpdn-group 1request-dialinprotocol pppoe!crypto isakmp key 12abcjhrweit345 address 16.0.0.2!crypto isakmp policy 1authentication pre-shareencryption 3deshash shagroup 2!crypto ipsec transform-set proposal1 esp-3des esp-sha-hmac ah-sha-hmac!crypto map tag local-address Ethernet0crypto map tag 10 ipsec-isakmpset peer 16.0.0.2set security-association level per-hostset transform-set proposal1set pfs group2match address 100!interface Dialer0ip unnumbered Ethernet0no ip route-cacheencapsulation pppip mtu 1492dialer pool 1dialer-group 1ip nat outsideip inspect fw_all inip access-group 102 incrypto map tag!interface FastEthernet0ip address 192.168.1.1 255.255.255.0ip nat inside!interface Ethernet0ip address 24.19.216.150 255.255.255.0pppoe enablepppoe-client dial-pool-number 1crypto map tag!dialer-list 1 protocol ip permit!access-list 100 permit 192.168.1.0 0.255.255.255!ip nat inside source list homenet interface Ethernet0 overloadip nat outside source static 24.19.216.129 192.168.1.5!ip access-list extended homenetpermit ip 192.168.1.0 0.255.255.255 any!access-list 102 deny tcp any anyaccess-list 102 permit esp any anyaccess-list 102 permit ahp any anyaccess-list 102 permit udp any eq isakmp any eq isakmpaccess-list 102 deny udp any anyaccess-list 102 permit ip any anyaccess-list 102 permit icmp any anyNetwork Access Router Configuration
The following commands configure the network access router so that it provides a secure connection to the Cisco 1710 Security router.
crypto isakmp key 12abcjhrweit345 address 24.19.216.150!crypto isakmp policy 1authentication pre-shareencryption 3deshash shagroup 2!crypto ipsec transform-set proposal1 esp-3des esp-sha-hmac ah-sha-hmac!crypto map mymap1 local-address FastEthernet0/1crypto map tag 10 ipsec-isakmpset peer 24.19.216.150set security-association level per-hostset transform-set proposal1set pfs group2match address 100!access-list 100 permit 172.28.0.0 0.0.255.255!interface FastEthernet0/1ip address 16.0.0.2 255.0.0.0crypto map tag!interface FastEthernet0/0ip address 172.28.0.1 255.255.0.0
