Cisco IOS VPN Configuration Guide
Index


Symbols

? command     1 - 2

A

AAA

configuring     4 - 8

servers supported     4 - 9

aaa authentication login default command     4 - 8

aaa authorization auth-proxy default command     4 - 8

aaa new-model command     4 - 8

abbreviating commands, context-sensitive help     1 - 2

accept dialin command     4 - 5, 4 - 7

access control

planning     2 - 15

undefined packets and     3 - 38

access control lists

See ACLs

access-list (encryption) command     3 - 22

access-list command     3 - 37

access-list permit host eq host command     4 - 9

access-list permit ip host command     3 - 22

IP access lists

See also crypto access lists

access lists

applying to interfaces     3 - 38

considerations     2 - 14

protecting from spoofing     2 - 15

violating     2 - 14

WFQ and     3 - 32

See also extended access lists

accounting

See AAA     4 - 8

ACLs

CBWFQ and     3 - 33

address keywords, using (note)     3 - 18

AHs

description     3 - 23

ESP and (note)     3 - 23

IP numbers     3 - 22

arrow keys, on ANSI-compatible terminals (note)     1 - 3

attaching

policy maps     3 - 31

service policies     3 - 35

authentication

See AAA

authentication command     3 - 16

authentication headers

See AHs

authentication proxies

configuring     4 - 8 to  4 - 10

description     4 - 8

verifying     4 - 11

authorization

See AAA

B

backbone routers, QoS functions     3 - 28

bandwidth command     3 - 31, 3 - 35

broadcasts

disabling directed     2 - 15

business scenarios

figure     2 - 2

See also extranet VPN scenarios

See also remote access VPN scenarios

See also site-to-site VPN scenarios

C

CA interoperability

description     3 - 14

carrier protocols (tunneling)     3 - 6

CBWFQ

configuring     3 - 33

enabling     3 - 35

verifying     3 - 36

See also WFQ

CDP, turning off     2 - 15

CEF support     2 - 14, 4 - 4

certificate revocation lists

See CRLs     2 - 6

changes, saving     1 - 8

Cisco Discovery Protocol

See CDP

Cisco Express Forwarding support

See CEF support

Cisco IOS commands

See commands     5 - 5

Cisco IOS firewall authentication proxy

See authentication proxy

Cisco IOS firewalls

See firewalls

Cisco SAFE Blueprint

network design considerations     2 - 3

Cisco Secure Policy Manager

See CSPM

Cisco Secure VPN Client

locating documentation     4 - 3

Cisco VPN and Security Management Solution

See VMS     5 - 2

Cisco VPN Device Manager     5 - 3

Cisco VPN Monitor     5 - 2

Class-Based Weighted Fair Queuing

See CBWFQ

class class-default command     3 - 35

class command     3 - 31, 3 - 35

class-map command     3 - 30, 3 - 34

class-map match-all     3 - 30

class maps

configuring     3 - 30

defining     3 - 34

verifying     3 - 30

class policies

configuring     3 - 35

clear crypto sa command     3 - 27

CLI

configuring software using     1 - 1

VDM commands     5 - 5

command-line interface

See CLI

command modes

command options     1 - 3

description     1 - 5

online help     1 - 2

summary (table)     1 - 6

commands

abbreviating     1 - 2

disabling functions     1 - 7

finding options (table)     1 - 3

configuration examples

extranet

business partner router     3 - 45 to  3 - 46

headquarters router     3 - 43 to  3 - 45

remote access

L2TP/IPSec configuration     4 - 13

PPTP/MPPE configuration     4 - 11

site-to-site

headquarters router     3 - 40 to  3 - 41

remote office router     3 - 41 to  3 - 42

configuration files

corrupted     1 - 6

saving changes     1 - 8

saving to NVRAM     1 - 8

configuration modes, using     1 - 6

configuring

AAA     4 - 8

authentication methods with IKE policies     3 - 16

authentication proxies     4 - 8 to  4 - 10

CBWFQ     3 - 33

class maps     3 - 30

class policies     3 - 35

crypto maps     3 - 24

encryption     3 - 22 to  3 - 24, 4 - 7

fair queuing     3 - 32

firewalls     3 - 36

GRE tunnels     3 - 3, 3 - 8 to  3 - 9

HTTP servers     4 - 9

IKE policies     3 - 16 to  3 - 17

IPSec     4 - 7

IPSec tunnel mode     3 - 23

L2TP     4 - 7

L2TP/IPSec     4 - 6

MPPE     4 - 6

NAT     3 - 10 to  3 - 13

NBAR     3 - 29

policy maps     3 - 31

PPTP     4 - 5

PPTP/MPPE     4 - 4

pre-shared keys     3 - 17, 3 - 21

QoS     3 - 28

virtual templates     4 - 5, 4 - 6

connectivity

testing     5 - 15

console access considerations     2 - 14

console ports

breaks on     2 - 15

configuring passwords on     2 - 14

controller isa command     4 - 6

CRLs

performance considerations     2 - 6

crypto access lists

commands (table)     3 - 22

compatibility     3 - 24

creating     3 - 22

extended access lists and     3 - 37

verifying     3 - 22

crypto dynamic-map command     3 - 25

crypto ipsec transform-set command     3 - 23

crypto isakmp enable command     3 - 16

crypto isakmp identity address command     3 - 18

crypto isakmp key address command     3 - 18

crypto isakmp key command     3 - 18, 3 - 21

crypto map command     3 - 25

crypto map entries

configuring     3 - 24

creating     3 - 25

defining IPSec processing     3 - 22

verifying     3 - 26

crypto maps

applying to interfaces     3 - 27

verifying interface associations     3 - 28

crypto map s4second command     3 - 27

CSPM

description     5 - 1

D

default commands, using     1 - 7

defining class maps     3 - 34

demilitarized zone

See DMZ network description

denial-of-service attacks, directed broadcasts and     2 - 15

dial-in sessions     4 - 5

Diffie-Hellman group identifier, specifying     3 - 16

digital certificates

authentication     3 - 17

CAs and     3 - 14

directed broadcasts

See broadcasts

DMZ network description     3 - 37

dynamic crypto map

configuring     3 - 14

creating     3 - 25

ease of configuration     3 - 24

E

edge routers, QoS functions     3 - 28

enable password command     2 - 14

enable secret command     2 - 14

encapsulating security payload

See ESP

encryption

configuring     3 - 14, 4 - 7

tunnels and     3 - 7

encryption command     3 - 16

encryption mppe command     4 - 6

error messages

ICMP Host Unreachable     3 - 38

ESP

AH and (note)     3 - 23

IP numbers and     3 - 22

performance considerations     2 - 13

exit command     4 - 5, 4 - 7

extended access lists

creating     3 - 37

description     3 - 36

verifying     3 - 38, 3 - 39

extranet VPN scenarios     3 - 5

configuring business partner routers     3 - 45

configuring headquarters routers     3 - 43 to  3 - 45

description     2 - 2

figure     3 - 4

physical elements (figure)     3 - 5

physical elements (table)     3 - 6

sample configurations

physical elements (figure)     3 - 43

F

fair-queue command     3 - 32

fair queuing

configuring     3 - 32

flow-based WFQ     3 - 32

See also CBWFQ     3 - 32

See also WFQ     3 - 32

fast switching support     2 - 14

firewalls

basic traffic filtering configurations     3 - 36

benefits     3 - 36

configuring     3 - 36

considerations     2 - 14

flow classification of packets     3 - 32

G

generic routing encapsulation

See GRE

See GRE tunnels

global configuration mode

summary     1 - 6

GRE

description     2 - 6

IPSec and     2 - 7

See also GRE tunnels     2 - 7

GRE tunnels

access servers (note)     3 - 8

Cisco routers (note)     3 - 8

configuring     3 - 3, 3 - 8

protocol     3 - 6

troubleshooting configurations     3 - 9

verifying     3 - 9

See also site-to-site VPN scenarios

group command     3 - 16

H

hash command     3 - 16

headquarters network scenarios

See also extranet VPN scenarios

See also remote access VPN scenarios

See also site-to-site VPN scenarios

hello packets

See IKE Keepalives

help

CLI     1 - 2

finding command options     1 - 3

help command     1 - 2

hostname keywords, using (note)     3 - 18, 3 - 21

Hot Standby Routing Protocol

See HSRP

HSRP

description     2 - 11

http://www.cisco.com/en/US/products/hw/routers/ps341/prod_installation_guides_list.html     xi

http://www.cisco.com/en/US/products/hw/routers/ps341/tsd_products_support_series_home.html     x

HTTP servers

configuring     4 - 9

hybrid network environments

network design considerations     2 - 4

I

ICMP filtering

fragmentation and     2 - 13

ICMP Host Unreachable messages     3 - 38

IKE

description     3 - 14

performance considerations     2 - 13

policies

verifying     3 - 19

SAs and     3 - 24

UDP port     3 - 22

IKE keepalives     2 - 11, 3 - 15

IKE keys

See pre-shared keys

IKE policies

configuration requirements     3 - 16

configuring     3 - 16 to  3 - 17

defaults, viewing     3 - 9

default values (note)     3 - 15

enabling by default     3 - 15

identifying     3 - 16

RSA signatures method requirements     3 - 16

troubleshooting     3 - 20

viewing configuration     3 - 19

viewing default configuration     3 - 9

inside global address     3 - 11

inside local address     3 - 11

inside network     3 - 10

integrated versus overlay design     2 - 4

interface command     4 - 10

interface configuration mode, summary     1 - 6

interface fastethernet command     3 - 13

interfaces

applying crypto maps     3 - 27

applying IP access lists     3 - 38

verifying crypto map associations     3 - 28

interface serial command     3 - 32

interface tunnel command     3 - 8

interface virtual-template number command     4 - 5

Internet Key Exchange

See IKE

Internet Security Association & Key Management Protocol identities

See ISAKMP identities

intrusion detection     3 - 36

IOS Commands     5 - 5

ip access-group command     3 - 38

ip access-list extended command     3 - 22

IP access lists

applying to interfaces     3 - 38

configuring security and     2 - 14

inbound     3 - 38

outbound     3 - 38

software checking of     3 - 38

undefined     3 - 38

See also extended access lists

IP addresses

NAT definitions     3 - 11

nonregistered     3 - 10

protecting internal     2 - 15

renumbering     3 - 10

static translation     3 - 11

ip auth-proxy auth-cache-time command     4 - 10

ip auth-proxy auth-proxy-banner command     4 - 10

ip auth-proxy command     4 - 10

ip auth-proxy name http command     4 - 10

IP datagrams

in IPSec tunnel mode     3 - 9

ip http access-class command     4 - 10

ip http authentication aaa command     4 - 10

ip http server command     4 - 9

ip local pool default command     4 - 5

ip mroute-cache command     4 - 5

ip nat inside command     3 - 13

ip nat inside source command     3 - 13

ip nat outside command     3 - 13

ip route command     3 - 8

IPSec

clearing SAs     3 - 27

configuring     3 - 22 to  3 - 24, 4 - 7

configuring tunnels     3 - 14

description     3 - 14

in VDM     5 - 4

IP unicast frames     3 - 7

NAT and     2 - 8

proxies     3 - 9

IPSec access lists

explicitly permitting traffic (note)     3 - 22

requirements     3 - 22

IPSec MIBs

as network management tool     5 - 3

IPSec transport mode

description     3 - 10

IPSec tunnel mode

configuring     3 - 23

GRE tunnels and (note)     4 - 7

verifying     3 - 24

IPSec tunnels

configuring     3 - 9

IP Security Protocol

See IPSec

IP unicast frames, IPSec and     3 - 7

ip unnumbered command     4 - 5

ISAKMP identities

setting     3 - 18

ISAKMP identities, setting     3 - 21

K

keys

See pre-shared keys

L

L2TP

compatibility     4 - 4

configuring     4 - 7

verifying     4 - 7

L2TP/IPSec

configuring     4 - 6

Layer 2 Tunneling Protocol

See L2TP

lifetime command     3 - 16

local name command     4 - 5, 4 - 7

loopback interfaces

emulating interfaces     2 - 14

using     3 - 25

M

maps

See specific kinds of maps (for example, class maps)

match access-group command     3 - 34

match address command     3 - 25, 3 - 26

match-all command     3 - 30

match-any command     3 - 30

match class-map command     3 - 30

match input-interface command     3 - 34

match not command     3 - 30

match protocol command     3 - 30, 3 - 34

MIBs

See IPSec MIBs

Microsoft

Windows 2000     4 - 3

Windows 95     4 - 3

Windows 98     4 - 3

Windows NT 4.0     4 - 3

Microsoft Challenge Handshake Authentication Protocol

See MS-CHAP

Microsoft Dial-Up Networking     4 - 3

Microsoft Point-to-Point Compression

See MPPC

Microsoft Point-to-Point Encryption

See MPPE

mixed device deployments

network design considerations     2 - 4

modes

See command modes

See IPSec transport modes

See IPSec tunnel modes

mode tunnel command     3 - 23

Modular QoS Command-Line Interface

See MQC

MPPC     4 - 4

MPPE

configuring     4 - 6

MS-CHAP and (note)     4 - 4

verifying     4 - 6

MQC     3 - 29

MS-CHAP

MPPE and (note)     4 - 4

N

NAT

address definitions     3 - 11

configuring     3 - 10 to  3 - 13

network design considerations and     2 - 8

source address translation process     3 - 12

static translation process     3 - 13

tunnels and     3 - 7

NBAR

attaching policy maps to interfaces     3 - 31

configuring     3 - 29 to  3 - 32

configuring class maps     3 - 30

configuring policy maps     3 - 31

verifying class map configuration     3 - 30

verifying policy map configuration     3 - 31

Network Address Translation

See NAT

network-based application recognition

See NBAR

network design considerations

Cisco SAFE Blueprint     2 - 3

fragmentation     2 - 10

GRE and     2 - 10

IKE and     2 - 10

IKE key lifetimes and     2 - 13

mixed devices deployments     2 - 4

optimizing traffic throughput     2 - 5

resiliency and     2 - 10

RRI with HSRP and     2 - 10

network management applications

description     2 - 16

network redundancy     3 - 7

network resiliency

See network redundancy

Network Time Protocol

See NTP

no bandwidth command     3 - 31

no cdp run command     2 - 15

no class-map command     3 - 30

no commands     1 - 7

no ip directed-broadcast command     2 - 15

no ip source-route command     2 - 15

no match-all command     3 - 30

no match-any command     3 - 30

no police command     3 - 31

no policy-map command     3 - 31

no proxy-arp command     2 - 15

no random-detect command     3 - 31

no service-policy command     3 - 31

no service tcp-small-servers command     2 - 15

no service udp-small-servers command     2 - 15

no set command     3 - 31

no shutdown command     3 - 8

NTP

disabling     2 - 15

ntp disable command     2 - 15

NVRAM, saving configuration to     1 - 8

O

outside

global address     3 - 11

local address     3 - 11

network     3 - 10

P

packets

flow classification     3 - 32

fragmentation     2 - 13

passenger protocols (tunneling)     3 - 6

passwords

commands for setting     2 - 14

port for configuring     2 - 14

peer default ip address pool default command     4 - 5

ping command     3 - 9

PIX Firewall

See Cisco Secure PIX Firewall

Point-to-Point Tunneling Protocol

See PPTP

police bps conform transmit exceed drop command     3 - 31

policies

See class policies

See IKE policies

See service policies

policy-map command     3 - 31, 3 - 35

policy maps

attaching to interfaces     3 - 31

configuring     3 - 31

configuring classes     3 - 35

displaying contents     3 - 36

verifying     3 - 31

ppp authentication ms-chap command     4 - 5

ppp encrypt mppe command     4 - 5

PPTP

configuration example     4 - 11 to  4 - 13

configuring     4 - 5

PPTP/MPPE

configuring     4 - 4

verifying     4 - 6

pre-shared keys

configuring     3 - 17, 3 - 21

specifying     3 - 18, 3 - 21

priority traffic

See WFQ

privileged EXEC mode, summary     1 - 6

process switching support     2 - 14

prompts, system     1 - 6

protocol l2tp command     4 - 7

protocol pptp command     4 - 5

protocols, tunneling     3 - 6

proxyacl#n command     4 - 9

Q

QoS

benefits     2 - 9 to ??

characteristics     3 - 28

configuring     3 - 28

queue-limit command     3 - 31, 3 - 35

R

RADIUS

implementing     2 - 14

random-detect command     3 - 31

Remote Access Dial-In User Service

See RADIUS

remote access VPN scenarios

physical elements (table)     4 - 3

Rivest, Shamir, and Adleman

See RSA encrypted nonces method

ROM monitor mode

description     1 - 6

summary     1 - 7

RSA encrypted nonces method     3 - 17

RSA signatures, configuration requirements for IKE     3 - 16

S

SAFE

See Cisco SAFE Blueprint     2 - 3

SAs

IKE established

creating crypto map entries     3 - 24

saving, configuration changes     1 - 8

scenarios

See intranet VPN scenarios

See remote access VPN scenarios

See site-to-site VPN scenarios

security associations

See SAs

service policies

attaching     3 - 35

service-policy command     3 - 35

service-policy input command     3 - 31

service-policy output command     3 - 31

set ip precedence command     3 - 31

set peer command     3 - 25, 3 - 26

set qos-group command     3 - 31

set security-association lifetime command     3 - 26

set transform-set command     3 - 25, 3 - 26

show access-lists command     3 - 22, 3 - 38

show class-map command     3 - 30

show crypto ipsec transform-set command     3 - 24

show crypto isakmp policy command     3 - 15, 3 - 19

show crypto map command     3 - 26

show crypto map interface command     3 - 28

show interfaces fair-queue command     3 - 33

show interfaces ip command     3 - 39

show interfaces serial command     3 - 33

show interfaces tunnel command     3 - 9

show ip auth-proxy cache command     4 - 11

show ip auth-proxy configuration command     4 - 11

show ip nat translations verbose command     3 - 13

show policy-map command     3 - 31

show policy policy-map command     3 - 36

show running-config command     4 - 11, 4 - 13

show version command     3 - 20

show vpdn session command     4 - 6

show vpdn tunnel command     4 - 6, 4 - 7

site-to-site VPN scenario

configuring     3 - 8

description     2 - 2

figure     3 - 3

physical elements     3 - 3

physical elements (table)     3 - 4

site-to-site VPN scenarios

configuration, example     3 - 39 to  3 - 42

configuring headquarters router     3 - 40 to  3 - 41

configuring remote office router     3 - 41 to  3 - 42

description     3 - 2

software and hardware compatibility     xii

source routing, disabling     2 - 15

spoofing, protecting against     2 - 15

startup configuration, saving     1 - 8

static translation

configuring     3 - 11

description     3 - 11

verifying     3 - 13

static translation

configuring     3 - 13

statistics

graphing in VDM     5 - 11

stub domain, NAT configured on     3 - 10

subinterface configuration mode, summary     1 - 7

syslog

advantages     2 - 14

T

Tab key, command completion     1 - 2

TACACS+

implementing     2 - 14

tacacs-server host command     4 - 8

tacacs-server key command     4 - 8

tail drop     3 - 35

TED

description     2 - 16

Telnet access considerations     2 - 14

template configurations, special considerations     2 - 14

Terminal Access Controller Access Control System Plus

See TACACS+

traffic priority management

See WFQ

transform sets

crypto map entries and     3 - 24

defining     3 - 23

verifying     3 - 24

transport mode

description     3 - 10

transport protocols (tunneling)     3 - 6

troubleshooting

entering ROM monitor mode at startup     1 - 6

extended access lists     3 - 39

GRE tunnels     3 - 9

IKE policy verification     3 - 20

syslog message logs for     2 - 14

tunnel destination command     3 - 8

tunnel endpoint discovery

See TED

tunneling

components     3 - 6

description     3 - 6

encryption in     3 - 7

special considerations     2 - 14

tunnel mode

description     3 - 9

tunnel mode gre ip command     3 - 8

tunnel modes

configuring     3 - 22 to  3 - 24

See also GRE tunnels

See also IPSec tunnel modes

tunnel source command     3 - 8

U

user EXEC mode, summary     1 - 6

V

VDM

benefits     5 - 5

client installation     5 - 5

configuring VPNs     5 - 8

graphing statistics     5 - 11

installing     5 - 7

overview     5 - 4

troubleshooting connectivity     5 - 15

VPN monitors     5 - 5, 5 - 11

verifying

authentication proxies     4 - 11

CBWFQ     3 - 36

class maps     3 - 30

crypto access lists     3 - 22

crypto map entries     3 - 26

crypto map interface associations     3 - 28

extended access lists     3 - 38, 3 - 39

GRE tunnel configuration     3 - 9

IKE policies     3 - 19

IPSec tunnel mode     3 - 24

L2TP     4 - 7

PPTP/MPPE     4 - 6

transform sets     3 - 24

WFQ configuration     3 - 33

Virtual Private Networks

See VPNs

virtual-template command     4 - 5, 4 - 7

virtual templates

configuring     4 - 5, 4 - 6

virtual terminal ports, protecting     2 - 15

vpdn-enable command     4 - 5, 4 - 7

vpdn-group 1 command     4 - 5, 4 - 7

VPNs

configuration assumptions     2 - 2

See also extranet VPN scenario

See also remote access VPN scenario

See also site-to-site VPN scenario

W

weighted fair queuing

See WFQ

weighted random early detection

See WRED

WFQ

configuring     3 - 32

traffic priority management     3 - 32

verifying configuration     3 - 33

Windows 2000

compatibility     4 - 4

wizards

configuring VDM     5 - 8

configuring VPNs     5 - 8

WRED

CBWFQ support and     3 - 33

See also CBWFQ     3 - 33