Home » Cisco Manuals » Bridges & Routers » Cisco 520-T1 » Manual Viewer

Cisco 520-T1 Software Guide - Page 107

Configuring Security Features, Authentication, and Accounting

UPC - 882658299889

Add to My Manuals
Save this manual to your list of manuals

Page 107 highlights

11 C H A P T E R Configuring Security Features This chapter gives an overview of authentication, authorization, and accounting (AAA), the primary Cisco framework for implementing selected security features that can be configured on the Cisco Secure Router 520 Series routers. Note Individual router models may not support every feature described throughout this guide. Features not supported by a particular router are indicated whenever possible. This chapter contains the following sections: • Authentication, Authorization, and Accounting • Configuring AutoSecure • Configuring Access Lists • Configuring a CBAC Firewall • Configuring Cisco IOS Firewall IDS • Configuring VPNs Each section includes a configuration example and verification steps, where available. Authentication, Authorization, and Accounting AAA network security services provide the primary framework through which you set up access control on your router. Authentication provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol you choose, encryption. Authorization provides the method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, Internetwork Packet Exchange (IPX), AppleTalk Remote Access (ARA), and Telnet. Accounting provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes. AAA uses protocols such as RADIUS, TACACS+, or Kerberos to administer its security functions. If your router is acting as a network access server, AAA is the means through which you establish communication between your network access server and your RADIUS, TACACS+, or Kerberos security server. OL-14210-01 Cisco Secure Router 520 Series Software Configuration Guide 11-1

Section	Page
Cisco Secure Router 520 Series Software Configuration Guide	1
Contents	3
Preface	9
Objective	9
Audience	9
Organization	10
This guide is organized into the following chapters and appendix.	10
Conventions	11
Related Documentation	16
Obtaining Documentation and Submitting a Service Request	17
Part 1	19
Getting Started	19
Basic Router Configuration	21
Viewing the Default Configuration	22
Information Needed for Customizing the Default Parameters	22
Interface Port Labels	23
Configuring Basic Parameters	23
Configure Global Parameters	24
Example:	24
Example:	24
Example:	24
Example:	24
Configure Fast Ethernet LAN Interfaces	24
Configure WAN Interfaces	24
Configure the Fast Ethernet WAN Interface	25
Example:	25
Example:	25
Example:	25
Example:	25
Configure the ATM WAN Interface	25
Example:	26
Example:	26
Example:	26
Example:	26
Configure the Wireless Interface	26
Configuring a Loopback Interface	26
Example:	27
ip address ip-address mask	27
Example:	27
Example:	27
Configuration Example	27
Verifying Your Configuration	27
Configuring Command-Line Access to the Router	28
Example:	28
Example:	28
Example:	28
Example:	28
Example:	29
Example:	29
Example:	29
Example:	29
Example:	29
Configuration Example	29
Configuring Static Routes	30
Example:	30
Example:	30
Configuration Example	30
Verifying Your Configuration	30
Configuring Dynamic Routes	31
Configuring RIP	31
Example:	31
Example:	31
Example:	31
Example:	32
Example:	32
Configuration Example	32
Verifying Your Configuration	32
Part 2	33
Configuring Your Router for Ethernet and DSL Access	33
Sample Network Deployments	35
For Ethernet-Based Network Deployments	35
For DSL-Based Network Deployments	35
Configuring PPP over Ethernet with NAT	37
PPPoE	38
NAT	38
Configuration Tasks	38
Configure the Virtual Private Dialup Network Group Number	38
Example:	38
Example:	38
Example:	39
Example:	39
Example:	39
Example:	39
Configure the Fast Ethernet WAN Interfaces	39
Example:	39
Example:	39
Example:	40
Example:	40
Configure the Dialer Interface	40
Example:	40
Example:	40
Example:	40
Example:	40
Example:	41
Example:	41
Example:	41
Example:	41
Example:	41
Example:	41
Configure Network Address Translation	41
Example:	42
Example 1:	42
Example 2:	42
Example:	42
Example:	42
Example:	42
Example:	43
Example:	43
Example:	43
Example:	43
Example:	43
Example:	43
Configuration Example	44
Verifying Your Configuration	44
Configuring PPP over ATM with NAT	47
PPPoA	48
NAT	48
Configuration Tasks	48
Configure the Dialer Interface	48
Example:	49
Example:	49
Example:	49
Example:	49
Example:	49
Example:	49
Example:	49
Example:	50
Example:	50
Example:	50
Configure the ATM WAN Interface	51
Example:	51
Example:	51
Example:	51
Example:	51
Example:	52
Example:	52
Configure DSL Signaling Protocol	52
Configuring ADSL	52
Verify the Configuration	53
Configure Network Address Translation	53
Example:	53
Example 1:	53
Example 2:	53
Example:	53
Example:	54
Example:	54
Example:	54
Example:	54
Example:	54
Example:	54
Example:	55
Example:	55
Configuration Example	55
Verifying Your Configuration	56
Configuring a LAN with DHCP and VLANs	57
DHCP	57
VLANs	58
Configuration Tasks	58
Configure DHCP	58
Example:	58
Example:	58
Example:	58
Example:	59
Example:	59
Example:	59
Example:	59
Example:	59
Example:	59
Example:	59
Configuration Example	60
Verify Your DHCP Configuration	60
Configure VLANs	61
Example:	61
Example:	61
Example:	61
Assign a Switch Port to a VLAN	62
Example:	62
Example:	62
Example:	62
Verify Your VLAN Configuration	62
Configuring a VPN Using Easy VPN and an IPsec Tunnel	65
Cisco Easy VPN	66
Configuration Tasks	66
Configure the IKE Policy	67
Example:	67
Example:	67
Example:	67
Example:	67
Example:	68
Example:	68
Example:	68
Configure Group Policy Information	68
Example:	68
Example:	68
Example:	68
Example:	69
Example:	69
Example:	69
Apply Mode Configuration to the Crypto Map	69
Example:	69
Example:	69
Enable Policy Lookup	70
Example:	70
Example:	70
Example:	70
Example:	70
Configure IPsec Transforms and Protocols	70
Example:	71
Example:	71
Configure the IPsec Crypto Method and Parameters	71
Example:	71
Example:	71
Example:	72
Example:	72
Example:	72
Apply the Crypto Map to the Physical Interface	72
Example:	72
Example:	73
Example:	73
Create an Easy VPN Remote Configuration	73
Example:	73
Example:	73
Example:	73
Example:	73
Example:	74
Example:	74
Example:	74
Example:	74
Verifying Your Easy VPN Configuration	74
Configuration Example	74
Configuring VPNs Using an IPsec Tunnel and Generic Routing Encapsulation	77
GRE Tunnels	78
VPNs	78
Configuration Tasks	78
Configure a VPN	78
Configure the IKE Policy	79
Example:	79
Example:	79
Example:	79
Example:	79
Example:	79
Example:	79
Example:	79
Configure Group Policy Information	80
Example:	80
Example:	80
Example:	80
Example:	80
Example:	80
Example:	80
Enable Policy Lookup	81
Example:	81
Example:	81
Example:	81
Example:	81
Configure IPsec Transforms and Protocols	81
Example:	82
Example:	82
Configure the IPsec Crypto Method and Parameters	82
Example:	82
Example:	82
Example:	83
Example:	83
Example:	83
Apply the Crypto Map to the Physical Interface	83
Example:	83
Example:	84
Example:	84
Configure a GRE Tunnel	84
Example:	84
Example:	84
Example:	84
Example:	84
Example:	85
Example:	85
Example:	85
Example:	85
Example:	85
Configuration Example	85
Configuring a Simple Firewall	89
Configuration Tasks	90
Configure Access Lists	91
Example:	91
Example:	91
Configure Inspection Rules	92
Example:	92
Example:	92
Apply Access Lists and Inspection Rules to Interfaces	92
Example:	92
Example:	92
Example:	92
Example:	93
Example:	93
Example:	93
Configuration Example	93
Configuring a Wireless LAN Connection	95
Configuration Tasks	96
Configure the Root Radio Station	96
Example:	96
Example:	96
Example:	97
Example:	97
Example:	97
Example:	97
Example:	97
Example:	97
Example:	97
Example:	98
Example:	98
Example:	98
Example:	98
Configure Bridging on VLANs	98
Example:	98
Example:	98
Example:	99
Example:	99
Example:	99
Example:	99
Configure Radio Station Subinterfaces	99
Example:	99
Example:	99
Example:	100
Example:	100
Example:	100
Example:	100
Configuration Example	100
Part 3	103
Configuring Additional Features and Troubleshooting	103
Additional Configuration Options	105
Configuring Security Features	107
Authentication, Authorization, and Accounting	107
Configuring AutoSecure	108
Configuring Access Lists	108
Access Groups	109
Guidelines for Creating Access Groups	109
Configuring a CBAC Firewall	109
Configuring Cisco IOS Firewall IDS	110
Configuring VPNs	110
Troubleshooting	111
Getting Started	111
Before Contacting Cisco or Your Reseller	111
ADSL Troubleshooting	112
ATM Troubleshooting Commands	112
ping atm interface Command	112
Example 12-1 Determining If a PVC Is in Use	112
show interface Command	113
Example 12-2 Viewing Status of Selected Interfaces	113
show atm interface Command	115
Example 12-3 Viewing Information About an ATM Interface	115
debug atm Commands	115
Guidelines for Using Debug Commands	115
debug atm errors Command	116
Example 12-4 Viewing ATM Errors	116
debug atm events Command	116
Example 12-5 Viewing ATM Interface Processor Events-Success	116
Example 12-6 Viewing ATM Interface Processor Events-Failure	117
debug atm packet Command	117
Example 12-7 Viewing ATM Packet Processing	118
Software Upgrade Methods	118
Recovering a Lost Password	119
Change the Configuration Register	119
Reset the Router	120
Reset the Password and Save Your Changes	121
Reset the Configuration Register Value	121
Part 4	123
Reference Information	123
A	125
Cisco IOS Software Basic Skills	125
Configuring the Router from a PC	125
Understanding Command Modes	126
Getting Help	128
Enable Secret Passwords and Enable Passwords	128
Entering Global Configuration Mode	129
Using Commands	129
Abbreviating Commands	130
Undoing Commands	130
Command-Line Error Messages	130
Saving Configuration Changes	130
Summary	131
Where to Go Next	131
B	133
Concepts	133
ADSL	133
Network Protocols	134
IP	134
Routing Protocol Options	134
RIP	134
PPP Authentication Protocols	135
PAP	135
CHAP	135
TACACS+	136
Network Interfaces	136
Ethernet	136
ATM for DSL	136
PVC	137
Dialer Interface	137
NAT	137
Easy IP (Phase 1)	138
Easy IP (Phase 2)	138
QoS	139
IP Precedence	139
PPP Fragmentation and Interleaving	139
CBWFQ	140
RSVP	140
Low Latency Queuing	140
Access Lists	141
ROM Monitor	143
Entering the ROM Monitor	143
ROM Monitor Commands	144
Command Descriptions	145
Disaster Recovery with TFTP Download	145
TFTP Download Command Variables	146
Required Variables	146
Optional Variables	146
Using the TFTP Download Command	147
Configuration Register	147
Changing the Configuration Register Manually	148
Changing the Configuration Register Using Prompts	148
Console Download	149
Command Description	149
Error Reporting	150
Debug Commands	150
Exiting the ROM Monitor	151
D	153
Common Port Assignments	153

Match case Limit results 1 per page

CHAPTER

11-1

Cisco Secure Router 520 Series Software Configuration Guide

OL-14210-01

Configuring Security Features

This chapter gives an overview of authentication, authorization, and accounting (AAA), the primary

Cisco framework for implementing selected security features that can be configured on the

Cisco Secure Router 520 Series routers.

Note

Individual router models may not support every feature described throughout this guide. Features not

supported by a particular router are indicated whenever possible.

This chapter contains the following sections:

•

Authentication, Authorization, and Accounting

•

Configuring AutoSecure

•

Configuring Access Lists

•

Configuring a CBAC Firewall

•

Configuring Cisco IOS Firewall IDS

•

Configuring VPNs

Each section includes a configuration example and verification steps, where available.

Authentication, Authorization, and Accounting

AAA network security services provide the primary framework through which you set up access control

on your router. Authentication provides the method of identifying users, including login and password

dialog, challenge and response, messaging support, and, depending on the security protocol you choose,

encryption. Authorization provides the method for remote access control, including one-time

authorization or authorization for each service, per-user account list and profile, user group support, and

support of IP, Internetwork Packet Exchange (IPX), AppleTalk Remote Access (ARA), and Telnet.

Accounting provides the method for collecting and sending security server information used for billing,

auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP),

number of packets, and number of bytes.

AAA uses protocols such as RADIUS, TACACS+, or Kerberos to administer its security functions. If

your router is acting as a network access server, AAA is the means through which you establish

communication between your network access server and your RADIUS, TACACS+, or Kerberos

security server.