Home » Cisco Manuals » Bridges & Routers » Cisco CISCO876-SEC-I-K9 » Manual Viewer

Cisco CISCO876-SEC-I-K9 Configuration Guide - Page 118

Configuring Cisco IOS Firewall IDS, Configuring VPNs

UPC - 882658021800

View all Cisco CISCO876-SEC-I-K9 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 118 highlights

Configuring Cisco IOS Firewall IDS Chapter 12 Configuring Security Features Configuring Cisco IOS Firewall IDS Cisco IOS Firewall Intrusion Detection System (IDS) technology enhances perimeter firewall protection by taking appropriate action on packets and flows that violate the security policy or represent malicious network activity. Cisco IOS Firewall IDS identifies 59 of the most common attacks using "signatures" to detect patterns of misuse in network traffic. It acts as an in-line intrusion detection sensor, watching packets and sessions as they flow through the router, scanning each to match any of the IDS signatures. When it detects suspicious activity, it responds before network security can be compromised, logs the event, and, depending on configuration, sends an alarm, drops suspicious packets, or resets the TCP connection. For additional information about configuring Cisco IOS Firewall IDS, see the "Configuring Cisco IOS Firewall Intrusion Detection System" section of the Cisco IOS Release 12.3 Security Configuration Guide. Configuring VPNs A virtual private network (VPN) connection provides a secure connection between two networks over a public network such as the Internet. Cisco 850 and Cisco 870 series access routers support site-to-site VPNs using IP security (IPSec) tunnels and generic routing encapsulation (GRE). Permanent VPN connections between two peers, or dynamic VPNs using EZVPN or DMVPN which create and tear down VPN connections as needed, can be configured. Chapter 6, "Configuring a VPN Using Easy VPN and an IPSec Tunnel," and Chapter 7, "Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation," show examples of how to configure your router with these features. For more information about IPSec and GRE configuration, see the "Configuring IPSec Network Security" chapter of the Cisco IOS Release 12.3 Security Configuration Guide. For information about additional VPN configurations supported by Cisco 850 and Cisco 870 series access routers, see the following feature documents: • EZVPN Server-Cisco 870 series routers can be configured to act as EZVPN servers, letting authorized EZVPN clients establish dynamic VPN tunnels to the connected network. • Dynamic Multipoint VPN (DMVPN)-The DMVPN feature creates VPN tunnels between multiple routers in a multipoint configuration as needed, simplifying the configuration and eliminating the need for permanent, point-to-point VPN tunnels. 12-4 Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide OL-5332-01

Section	Page
Contents	3
Audience	11
Organization	12
Conventions	13
Notes, Cautions, and Timesavers	13
Command Conventions	13
Related Documents	14
Obtaining Documentation and Submitting a Service Request	14
Part 1	15
Getting Started	15
Basic Router Configuration	17
Interface Port Labels	17
Viewing the Default Configuration	18
Information Needed for Configuration	20
Configuring Basic Parameters	21
Configure Global Parameters	21
Configure Fast Ethernet LAN Interfaces	22
Configure WAN Interfaces	22
Configure the Fast Ethernet WAN Interface	22
Configure the ATM WAN Interface	23
Configure the Wireless Interface	23
Configuring a Loopback Interface	24
Configuration Example	24
Verifying Your Configuration	25
Configuring Command-Line Access to the Router	25
Configuration Example	27
Configuring Static Routes	27
Configuration Example	28
Verifying Your Configuration	28
Configuring Dynamic Routes	28
Configuring RIP	29
Configuration Example	30
Verifying Your Configuration	30
Configuring Enhanced IGRP	30
Configuration Example	31
Verifying Your Configuration	31
Part 2	33
Configuring Your Router for Ethernet and DSL Access	33
Sample Network Deployments	35
Configuring PPP over Ethernet with NAT	37
Configure the Virtual Private Dialup Network Group Number	38
Configure the Fast Ethernet WAN Interfaces	39
Configure the Dialer Interface	40
Configure Network Address Translation	42
Configuration Example	44
Verifying Your Configuration	45
Configuring PPP over ATM with NAT	47
Configure the Dialer Interface	49
Configure the ATM WAN Interface	51
Configure DSL Signaling Protocol	52
Configuring ADSL	52
Verify the Configuration	53
Configuring SHDSL	53
Verify the Configuration	54
Configure Network Address Translation	55
Configuration Example	57
Verifying Your Configuration	58
Configuring a LAN with DHCP and VLANs	59
Configure DHCP	60
Configuration Example	62
Verify Your DHCP Configuration	62
Configure VLANs	63
Assign a Switch Port to a VLAN	64
Verify Your VLAN Configuration	64
Configuring a VPN Using Easy VPN and an IPSec Tunnel	67
Configure the IKE Policy	70
Configure Group Policy Information	71
Apply Mode Configuration to the Crypto Map	72
Enable Policy Lookup	72
Configure IPSec Transforms and Protocols	73
Configure the IPSec Crypto Method and Parameters	74
Apply the Crypto Map to the Physical Interface	75
Create an Easy VPN Remote Configuration	76
Verifying Your Easy VPN Configuration	77
Configuration Example	77
Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation	79
Configure a VPN	80
Configure the IKE Policy	81
Configure Group Policy Information	82
Enable Policy Lookup	83
Configure IPSec Transforms and Protocols	83
Configure the IPSec Crypto Method and Parameters	84
Apply the Crypto Map to the Physical Interface	85
Configure a GRE Tunnel	86
Configuration Example	87
Configuring a Simple Firewall	91
Configure Access Lists	93
Configure Inspection Rules	93
Apply Access Lists and Inspection Rules to Interfaces	94
Configuration Example	95
Configuring a Wireless LAN Connection	97
Configure the Root Radio Station	98
Configure Bridging on VLANs	100
Configure Radio Station Subinterfaces	102
Configuration Example	103
Sample Configuration	105
Part 3	111
Configuring Additional Features and Troubleshooting	111
Additional Configuration Options	113
Configuring Security Features	115
Authentication, Authorization, and Accounting	115
Configuring AutoSecure	116
Configuring Access Lists	116
Access Groups	117
Guidelines for Creating Access Groups	117
Configuring a CBAC Firewall	117
Configuring Cisco IOS Firewall IDS	118
Configuring VPNs	118
Configuring Dial Backup and Remote Management	119
Dial Backup Feature Activation Methods	119
Backup Interfaces	120
Configuring Backup Interfaces	120
Floating Static Routes	120
Configuring Floating Static Routes	121
Dialer Watch	122
Configuring Dialer Watch	122
Dial Backup Feature Limitations	123
Configuration Example	124
Configuring Dial Backup and Remote Management Through the Console or Auxiliary Port	127
Configuration Tasks	128
Configuration Example	131
Configuring Dial Backup and Remote Management Through the ISDN S/T Port	134
Configuration Tasks	135
Configure ISDN Settings	135
Configure the Aggregator and ISDN Peer Router	138
Troubleshooting	141
Getting Started	141
Before Contacting Cisco or Your Reseller	141
ADSL Troubleshooting	142
SHDSL Troubleshooting	142
ATM Troubleshooting Commands	142
ping atm interface Command	143
show interface Command	143
show atm interface Command	145
debug atm Commands	146
Guidelines for Using Debug Commands	146
debug atm errors Command	146
debug atm events Command	147
debug atm packet Command	148
Software Upgrade Methods	149
Recovering a Lost Password	149
Change the Configuration Register	150
Reset the Router	151
Reset the Password and Save Your Changes	152
Reset the Configuration Register Value	152
Managing Your Router with SDM	153
Part 4	155
Reference Information	155
Cisco IOS Software Basic Skills	157
Configuring the Router from a PC	157
Understanding Command Modes	158
Getting Help	160
Enable Secret Passwords and Enable Passwords	161
Entering Global Configuration Mode	161
Using Commands	162
Abbreviating Commands	162
Undoing Commands	162
Command-Line Error Messages	162
Saving Configuration Changes	163
Summary	163
Where to Go Next	163
Concepts	165
ADSL	165
SHDSL	166
Network Protocols	166
IP	166
Routing Protocol Options	166
RIP	167
Enhanced IGRP	167
PPP Authentication Protocols	167
PAP	168
CHAP	168
TACACS+	169
Network Interfaces	169
Ethernet	169
ATM for DSL	169
PVC	170
Dialer Interface	170
Dial Backup	170
Backup Interface	170
Floating Static Routes	171
Dialer Watch	171
NAT	171
Easy IP (Phase 1)	172
Easy IP (Phase 2)	172
QoS	173
IP Precedence	173
PPP Fragmentation and Interleaving	173
CBWFQ	174
RSVP	174
Low Latency Queuing	174
Access Lists	175
ROM Monitor	177
Entering the ROM Monitor	177
ROM Monitor Commands	178
Command Descriptions	179
Disaster Recovery with TFTP Download	179
TFTP Download Command Variables	180
Required Variables	180
Optional Variables	181
Using the TFTP Download Command	181
Configuration Register	182
Changing the Configuration Register Manually	182
Changing the Configuration Register Using Prompts	182
Console Download	183
Command Description	184
Error Reporting	184
Debug Commands	184
Exiting the ROM Monitor	186

Match case Limit results 1 per page

12-4

Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide

OL-5332-01

Chapter 12

Configuring Security Features

Configuring Cisco IOS Firewall IDS

Cisco IOS Firewall Intrusion Detection System (IDS) technology enhances perimeter firewall protection

by taking appropriate action on packets and flows that violate the security policy or represent malicious

network activity.

Cisco IOS Firewall IDS identifies 59 of the most common attacks using “signatures” to detect patterns

of misuse in network traffic. It acts as an in-line intrusion detection sensor, watching packets and

sessions as they flow through the router, scanning each to match any of the IDS signatures. When it

detects suspicious activity, it responds before network security can be compromised, logs the event, and,

depending on configuration, sends an alarm, drops suspicious packets, or resets the TCP connection.

For additional information about configuring Cisco IOS Firewall IDS, see the “

Configuring Cisco IOS

Firewall Intrusion Detection System

” section of the

Cisco IOS Release 12.3 Security Configuration

Guide

Configuring VPNs

A virtual private network (VPN) connection provides a secure connection between two networks over a

public network such as the Internet. Cisco 850 and Cisco 870 series access routers support site-to-site

VPNs using IP security (IPSec) tunnels and generic routing encapsulation (GRE). Permanent VPN

connections between two peers, or dynamic VPNs using EZVPN or DMVPN which create and tear down

VPN connections as needed, can be configured.

Chapter 6, “Configuring a VPN Using Easy VPN and

an IPSec Tunnel,”

and

Chapter 7, “Configuring VPNs Using an IPSec Tunnel and Generic Routing

Encapsulation,”

show examples of how to configure your router with these features. For more

information about IPSec and GRE configuration, see the “

Configuring IPSec Network Security

” chapter

of the

Cisco IOS Release 12.3 Security Configuration Guide

For information about additional VPN configurations supported by Cisco 850 and Cisco 870 series

access routers, see the following feature documents:

•

EZVPN Server

—Cisco 870 series routers can be configured to act as EZVPN servers, letting

authorized EZVPN clients establish dynamic VPN tunnels to the connected network.

•

Dynamic Multipoint VPN (DMVPN)

—The DMVPN feature creates VPN tunnels between multiple

routers in a multipoint configuration as needed, simplifying the configuration and eliminating the

need for permanent, point-to-point VPN tunnels.