Home » Cisco Manuals » Bridges & Routers » Cisco ESW-520-48P-K9 » Manual Viewer

Cisco ESW-520-48P-K9 Software Guide - Page 93

interface, ip access-group, Step 4

View all Cisco ESW-520-48P-K9 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 93 highlights

Chapter 8 Configuring a Simple Firewall Configuration Example Step 4 Command interface type number Example: Router(config)# interface fastethernet 4 Router(config-if)# Step 5 ip access-group {access-list-number | access-list-name}{in | out} Example: Router(config-if)# ip access-group 103 in Router(config-if)# Step 6 exit Example: Router(config-if)# exit Router(config)# Purpose Enters interface configuration mode for the outside network interface on your router. Assigns the defined ACLs to the outside interface on the router. Returns to global configuration mode. Configuration Example A telecommuter is granted secure access to a corporate network, using IPsec tunneling. Security to the home network is accomplished through firewall inspection. The protocols that are allowed are all TCP, UDP, RTSP, H.323, NetShow, FTP, and SQLNet. There are no servers on the home network; therefore, no traffic is allowed that is initiated from outside. IPsec tunneling secures the connection from the home LAN to the corporate network. Like the Internet Firewall Policy, HTTP need not be specified because Java blocking is not necessary. Specifying TCP inspection allows for single-channel protocols such as Telnet and HTTP. UDP is specified for DNS. The following configuration example shows a portion of the configuration file for the simple firewall scenario described in the preceding sections. ! ! Firewall inspection is set up for all TCP and UDP traffic as well as ! specific application protocols as defined by the security policy. ip inspect name firewall tcp ip inspect name firewall udp ip inspect name firewall rtsp ip inspect name firewall h323 ip inspect name firewall netshow ip inspect name firewall ftp ip inspect name firewall sqlnet ! interface vlan 1! This is the internal home network. ip inspect firewall in ! Inspection examines outbound traffic. no cdp enable ! interface fastethernet 4! FE4 is the outside or Internet-exposed interface. ! acl 103 permits IPsec traffic from the corp. router ! as well as denies Internet-initiated traffic inbound. ip access-group 103 in OL-14210-01 Cisco Secure Router 520 Series Software Configuration Guide 8-5

Section	Page
Cisco Secure Router 520 Series Software Configuration Guide	1
Contents	3
Preface	9
Objective	9
Audience	9
Organization	10
This guide is organized into the following chapters and appendix.	10
Conventions	11
Related Documentation	16
Obtaining Documentation and Submitting a Service Request	17
Part 1	19
Getting Started	19
Basic Router Configuration	21
Viewing the Default Configuration	22
Information Needed for Customizing the Default Parameters	22
Interface Port Labels	23
Configuring Basic Parameters	23
Configure Global Parameters	24
Example:	24
Example:	24
Example:	24
Example:	24
Configure Fast Ethernet LAN Interfaces	24
Configure WAN Interfaces	24
Configure the Fast Ethernet WAN Interface	25
Example:	25
Example:	25
Example:	25
Example:	25
Configure the ATM WAN Interface	25
Example:	26
Example:	26
Example:	26
Example:	26
Configure the Wireless Interface	26
Configuring a Loopback Interface	26
Example:	27
ip address ip-address mask	27
Example:	27
Example:	27
Configuration Example	27
Verifying Your Configuration	27
Configuring Command-Line Access to the Router	28
Example:	28
Example:	28
Example:	28
Example:	28
Example:	29
Example:	29
Example:	29
Example:	29
Example:	29
Configuration Example	29
Configuring Static Routes	30
Example:	30
Example:	30
Configuration Example	30
Verifying Your Configuration	30
Configuring Dynamic Routes	31
Configuring RIP	31
Example:	31
Example:	31
Example:	31
Example:	32
Example:	32
Configuration Example	32
Verifying Your Configuration	32
Part 2	33
Configuring Your Router for Ethernet and DSL Access	33
Sample Network Deployments	35
For Ethernet-Based Network Deployments	35
For DSL-Based Network Deployments	35
Configuring PPP over Ethernet with NAT	37
PPPoE	38
NAT	38
Configuration Tasks	38
Configure the Virtual Private Dialup Network Group Number	38
Example:	38
Example:	38
Example:	39
Example:	39
Example:	39
Example:	39
Configure the Fast Ethernet WAN Interfaces	39
Example:	39
Example:	39
Example:	40
Example:	40
Configure the Dialer Interface	40
Example:	40
Example:	40
Example:	40
Example:	40
Example:	41
Example:	41
Example:	41
Example:	41
Example:	41
Example:	41
Configure Network Address Translation	41
Example:	42
Example 1:	42
Example 2:	42
Example:	42
Example:	42
Example:	42
Example:	43
Example:	43
Example:	43
Example:	43
Example:	43
Example:	43
Configuration Example	44
Verifying Your Configuration	44
Configuring PPP over ATM with NAT	47
PPPoA	48
NAT	48
Configuration Tasks	48
Configure the Dialer Interface	48
Example:	49
Example:	49
Example:	49
Example:	49
Example:	49
Example:	49
Example:	49
Example:	50
Example:	50
Example:	50
Configure the ATM WAN Interface	51
Example:	51
Example:	51
Example:	51
Example:	51
Example:	52
Example:	52
Configure DSL Signaling Protocol	52
Configuring ADSL	52
Verify the Configuration	53
Configure Network Address Translation	53
Example:	53
Example 1:	53
Example 2:	53
Example:	53
Example:	54
Example:	54
Example:	54
Example:	54
Example:	54
Example:	54
Example:	55
Example:	55
Configuration Example	55
Verifying Your Configuration	56
Configuring a LAN with DHCP and VLANs	57
DHCP	57
VLANs	58
Configuration Tasks	58
Configure DHCP	58
Example:	58
Example:	58
Example:	58
Example:	59
Example:	59
Example:	59
Example:	59
Example:	59
Example:	59
Example:	59
Configuration Example	60
Verify Your DHCP Configuration	60
Configure VLANs	61
Example:	61
Example:	61
Example:	61
Assign a Switch Port to a VLAN	62
Example:	62
Example:	62
Example:	62
Verify Your VLAN Configuration	62
Configuring a VPN Using Easy VPN and an IPsec Tunnel	65
Cisco Easy VPN	66
Configuration Tasks	66
Configure the IKE Policy	67
Example:	67
Example:	67
Example:	67
Example:	67
Example:	68
Example:	68
Example:	68
Configure Group Policy Information	68
Example:	68
Example:	68
Example:	68
Example:	69
Example:	69
Example:	69
Apply Mode Configuration to the Crypto Map	69
Example:	69
Example:	69
Enable Policy Lookup	70
Example:	70
Example:	70
Example:	70
Example:	70
Configure IPsec Transforms and Protocols	70
Example:	71
Example:	71
Configure the IPsec Crypto Method and Parameters	71
Example:	71
Example:	71
Example:	72
Example:	72
Example:	72
Apply the Crypto Map to the Physical Interface	72
Example:	72
Example:	73
Example:	73
Create an Easy VPN Remote Configuration	73
Example:	73
Example:	73
Example:	73
Example:	73
Example:	74
Example:	74
Example:	74
Example:	74
Verifying Your Easy VPN Configuration	74
Configuration Example	74
Configuring VPNs Using an IPsec Tunnel and Generic Routing Encapsulation	77
GRE Tunnels	78
VPNs	78
Configuration Tasks	78
Configure a VPN	78
Configure the IKE Policy	79
Example:	79
Example:	79
Example:	79
Example:	79
Example:	79
Example:	79
Example:	79
Configure Group Policy Information	80
Example:	80
Example:	80
Example:	80
Example:	80
Example:	80
Example:	80
Enable Policy Lookup	81
Example:	81
Example:	81
Example:	81
Example:	81
Configure IPsec Transforms and Protocols	81
Example:	82
Example:	82
Configure the IPsec Crypto Method and Parameters	82
Example:	82
Example:	82
Example:	83
Example:	83
Example:	83
Apply the Crypto Map to the Physical Interface	83
Example:	83
Example:	84
Example:	84
Configure a GRE Tunnel	84
Example:	84
Example:	84
Example:	84
Example:	84
Example:	85
Example:	85
Example:	85
Example:	85
Example:	85
Configuration Example	85
Configuring a Simple Firewall	89
Configuration Tasks	90
Configure Access Lists	91
Example:	91
Example:	91
Configure Inspection Rules	92
Example:	92
Example:	92
Apply Access Lists and Inspection Rules to Interfaces	92
Example:	92
Example:	92
Example:	92
Example:	93
Example:	93
Example:	93
Configuration Example	93
Configuring a Wireless LAN Connection	95
Configuration Tasks	96
Configure the Root Radio Station	96
Example:	96
Example:	96
Example:	97
Example:	97
Example:	97
Example:	97
Example:	97
Example:	97
Example:	97
Example:	98
Example:	98
Example:	98
Example:	98
Configure Bridging on VLANs	98
Example:	98
Example:	98
Example:	99
Example:	99
Example:	99
Example:	99
Configure Radio Station Subinterfaces	99
Example:	99
Example:	99
Example:	100
Example:	100
Example:	100
Example:	100
Configuration Example	100
Part 3	103
Configuring Additional Features and Troubleshooting	103
Additional Configuration Options	105
Configuring Security Features	107
Authentication, Authorization, and Accounting	107
Configuring AutoSecure	108
Configuring Access Lists	108
Access Groups	109
Guidelines for Creating Access Groups	109
Configuring a CBAC Firewall	109
Configuring Cisco IOS Firewall IDS	110
Configuring VPNs	110
Troubleshooting	111
Getting Started	111
Before Contacting Cisco or Your Reseller	111
ADSL Troubleshooting	112
ATM Troubleshooting Commands	112
ping atm interface Command	112
Example 12-1 Determining If a PVC Is in Use	112
show interface Command	113
Example 12-2 Viewing Status of Selected Interfaces	113
show atm interface Command	115
Example 12-3 Viewing Information About an ATM Interface	115
debug atm Commands	115
Guidelines for Using Debug Commands	115
debug atm errors Command	116
Example 12-4 Viewing ATM Errors	116
debug atm events Command	116
Example 12-5 Viewing ATM Interface Processor Events-Success	116
Example 12-6 Viewing ATM Interface Processor Events-Failure	117
debug atm packet Command	117
Example 12-7 Viewing ATM Packet Processing	118
Software Upgrade Methods	118
Recovering a Lost Password	119
Change the Configuration Register	119
Reset the Router	120
Reset the Password and Save Your Changes	121
Reset the Configuration Register Value	121
Part 4	123
Reference Information	123
A	125
Cisco IOS Software Basic Skills	125
Configuring the Router from a PC	125
Understanding Command Modes	126
Getting Help	128
Enable Secret Passwords and Enable Passwords	128
Entering Global Configuration Mode	129
Using Commands	129
Abbreviating Commands	130
Undoing Commands	130
Command-Line Error Messages	130
Saving Configuration Changes	130
Summary	131
Where to Go Next	131
B	133
Concepts	133
ADSL	133
Network Protocols	134
IP	134
Routing Protocol Options	134
RIP	134
PPP Authentication Protocols	135
PAP	135
CHAP	135
TACACS+	136
Network Interfaces	136
Ethernet	136
ATM for DSL	136
PVC	137
Dialer Interface	137
NAT	137
Easy IP (Phase 1)	138
Easy IP (Phase 2)	138
QoS	139
IP Precedence	139
PPP Fragmentation and Interleaving	139
CBWFQ	140
RSVP	140
Low Latency Queuing	140
Access Lists	141
ROM Monitor	143
Entering the ROM Monitor	143
ROM Monitor Commands	144
Command Descriptions	145
Disaster Recovery with TFTP Download	145
TFTP Download Command Variables	146
Required Variables	146
Optional Variables	146
Using the TFTP Download Command	147
Configuration Register	147
Changing the Configuration Register Manually	148
Changing the Configuration Register Using Prompts	148
Console Download	149
Command Description	149
Error Reporting	150
Debug Commands	150
Exiting the ROM Monitor	151
D	153
Common Port Assignments	153

Match case Limit results 1 per page

8-5

Cisco Secure Router 520 Series Software Configuration Guide

OL-14210-01

Chapter 8

Configuring a Simple Firewall

Configuration Example

A telecommuter is granted secure access to a corporate network, using IPsec tunneling. Security to the

home network is accomplished through firewall inspection. The protocols that are allowed are all TCP,

UDP, RTSP, H.323, NetShow, FTP, and SQLNet. There are no servers on the home network; therefore,

no traffic is allowed that is initiated from outside. IPsec tunneling secures the connection from the home

LAN to the corporate network.

Like the Internet Firewall Policy, HTTP need not be specified because Java blocking is not necessary.

Specifying TCP inspection allows for single-channel protocols such as Telnet and HTTP. UDP is

specified for DNS.

The following configuration example shows a portion of the configuration file for the simple firewall

scenario described in the preceding sections.

! Firewall inspection is set up for all TCP and UDP traffic as well as

! specific application protocols as defined by the security policy.

ip inspect name firewall tcp

ip inspect name firewall udp

ip inspect name firewall rtsp

ip inspect name firewall h323

ip inspect name firewall netshow

ip inspect name firewall ftp

ip inspect name firewall sqlnet

interface vlan 1! This is the internal home network.

ip inspect firewall in ! Inspection examines outbound traffic.

no cdp enable

interface fastethernet 4! FE4 is the outside or Internet-exposed interface.

! acl 103 permits IPsec traffic from the corp. router

! as well as denies Internet-initiated traffic inbound.

ip access-group 103 in

Step 4

interface

type number

Example:

Router(config)#

interface fastethernet 4

Router(config-if)#

Enters interface configuration mode for the

outside network interface on your router.

Step 5

ip access-group

{

access-list-number

access-list-name

}{

out

}

Example:

Router(config-if)#

ip access-group 103 in

Router(config-if)#

Assigns the defined ACLs to the outside

interface on the router.

Step 6

exit

Example:

Router(config-if)#

exit

Router(config)#

Returns to global configuration mode.

Command

Purpose