Cisco Router 850 Series Software Configuration Guide
7-9 Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide OL-5332-01
Chapter 7 Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation

Command or Action / Purpose

Step 5  crypto map map-name
        Example:
          Router(config-if)# crypto map static-map
          Router(config-if)#
        Assigns a crypto map to the tunnel.
        Note: Dynamic routing or static routes to the tunnel interface must be configured to establish connectivity between the sites. See the Cisco IOS Security Configuration Guide for details.

Step 6  exit
        Example:
          Router(config-if)# exit
          Router(config)#
        Exits interface configuration mode and returns to global configuration mode.

Step 7  ip access-list {standard | extended} access-list-name
        Example:
          Router(config)# ip access-list extended vpnstatic1
          Router(config-acl)#
        Enters ACL configuration mode for the named ACL that is used by the crypto map.

Step 8  permit protocol source source-wildcard destination destination-wildcard
        Example:
          Router(config-acl)# permit gre host 192.168.100.1 host 192.168.101.1
          Router(config-acl)#
        Specifies that only GRE traffic is permitted on the outbound interface.

Step 9  exit
        Example:
          Router(config-acl)# exit
          Router(config)#
        Returns to global configuration mode.

Configuration Example

The following configuration example shows a portion of the configuration file for the VPN using a GRE tunnel scenario described in the preceding sections.

!
aaa new-model
!
aaa authentication login rtr-remote local
aaa authorization network rtr-remote local
aaa session-id common
!
username cisco password 0 cisco
!
interface tunnel 1
 ip address 10.62.1.193 255.255.255.252
 tunnel source fastethernet 0
 tunnel destination 192.168.101.1
ip route 20.20.20.0 255.255.255.0 tunnel 1
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group rtr-remote
 key secret-password
 dns 10.50.10.1 10.60.10.1
 domain company.com
 pool dynpool
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto ipsec security-association lifetime seconds 86400
!
crypto dynamic-map dynmap 1
 set transform-set vpn1
 reverse-route
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap
crypto map dynmap isakmp authorization list rtr-remote
crypto map dynmap client configuration address respond
!
! Defines the key association and authentication for the IPSec tunnel.
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 200.1.1.1
!
!
! Defines the encryption and transform set for the IPSec tunnel.
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
!
! Associates all crypto values and the peering address for the IPSec tunnel.
crypto map to_corporate 1 ipsec-isakmp
 set peer 200.1.1.1
 set transform-set set1
 match address 105
!
!
! VLAN 1 is the internal home network.
interface vlan 1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ! Inspection examines outbound traffic.
 ip inspect firewall in
 crypto map static-map
 no cdp enable
!
! FE4 is the outside or Internet-exposed interface.
interface fastethernet 4
 ip address 210.110.101.21 255.255.255.0
 ! acl 103 permits IPSec traffic from the corp. router as well as
 ! denies Internet-initiated traffic inbound.
 ip access-group 103 in
 ip nat outside
 no cdp enable
 ! Applies the IPSec tunnel to the outside interface.
 crypto map to_corporate
!
! Utilize NAT overload in order to make the best use of the
! single address provided by the ISP.
ip nat inside source list 102 interface Ethernet1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 210.110.101.1
no ip http server
!
!
! acl 102 lists the addresses used for NAT.
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
! acl 103 defines the traffic allowed from the peer for the IPSec tunnel.
access-list 103 permit udp host 200.1.1.1 any eq isakmp
access-list 103 permit udp host 200.1.1.1 eq isakmp any
access-list 103 permit esp host 200.1.1.1 any
! Allows ICMP for debugging; this should be disabled because of its security implications.
access-list 103 permit icmp any any
! Prevents Internet-initiated traffic inbound.
access-list 103 deny ip any any
! acl 105 matches addresses for the IPSec tunnel to or from the corporate network.
access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
no cdp run
8-1 Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide OL-5332-01
Chapter 8 Configuring a Simple Firewall

The Cisco 850 and Cisco 870 series routers support network traffic filtering by means of access lists. The routers also support packet inspection and dynamic temporary access lists by means of Context-Based Access Control (CBAC).

Basic traffic filtering is limited to configured access list implementations that examine packets at the network layer or, at most, the transport layer, permitting or denying the passage of each packet through the firewall. However, the use of inspection rules in CBAC allows the creation and use of dynamic temporary access lists. These dynamic lists allow temporary openings in the configured access lists at firewall interfaces. These openings are created when traffic for a specified user session exits the internal network through the firewall. The openings allow returning traffic for the specified session (that would normally be blocked) back through the firewall.

See the Cisco IOS Security Configuration Guide, Release 12.3, for more detailed information on traffic filtering and firewalls.

Figure 8-1 shows a network deployment using PPPoE or PPPoA with NAT and a firewall.

Figure 8-1 Router with Firewall Configured

1  Multiple networked devices—Desktops, laptop PCs, switches
2  Fast Ethernet LAN interface (the inside interface for NAT)
3  PPPoE or PPPoA client and firewall implementation—Cisco 851/871 or Cisco 857/876/877/878 series access router, respectively
4  Point at which NAT occurs
5  Protected network
6  Unprotected network
7  Fast Ethernet or ATM WAN interface (the outside interface for NAT)

In the configuration example that follows, the firewall is applied to the outside WAN interface (FE4) on the Cisco 851 or Cisco 871 and protects the Fast Ethernet LAN on FE0 by filtering and inspecting all traffic entering the router on the Fast Ethernet WAN interface FE4. Note that in this example, the network traffic originating from the corporate network, network address 10.1.1.0, is considered safe traffic and is not filtered.

Configuration Tasks

Perform the following tasks to configure this network scenario:

  Configure Access Lists
  Configure Inspection Rules
  Apply Access Lists and Inspection Rules to Interfaces

A configuration example that shows the results of these configuration tasks is provided in the “Configuration Example” section on page 8-5.

Note: The procedures in this chapter assume that you have already configured basic router features as well as PPPoE or PPPoA with NAT. If you have not performed these configuration tasks, see Chapter 1, “Basic Router Configuration,” Chapter 3, “Configuring PPP over Ethernet with NAT,” and Chapter 4, “Configuring PPP over ATM with NAT,” as appropriate for your router. You may have also configured DHCP, VLANs, and secure tunnels.
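As an added illustration of the CBAC behaviour described above (this is a constructed Python model, not code from the guide or from Cisco IOS), the following keeps the static "deny Internet-initiated traffic" rule on the outside interface, records each inspected session leaving the inside interface, and admits only return traffic for a session whose temporary opening has not timed out. The protocol list, the idle timeout and the sample packets are assumptions for the demonstration.

```python
# Constructed model of CBAC dynamic openings (illustration only, not IOS code).
# As in this chapter's example, inspection is applied "in" on the inside
# interface and a static ACL that denies Internet-initiated traffic is applied
# "in" on the outside interface.

class CbacModel:
    def __init__(self, inspected_protocols, idle_timeout=3600):
        self.inspected = set(inspected_protocols)  # e.g. {"tcp", "udp"}
        self.idle_timeout = idle_timeout           # seconds before an opening closes
        self.sessions = {}                         # outbound 5-tuple -> time last seen

    def outbound(self, proto, src, sport, dst, dport, now):
        """Packet leaving the inside network. An inspected protocol creates a
        temporary opening keyed on the session; other traffic simply passes."""
        if proto in self.inspected:
            self.sessions[(proto, src, sport, dst, dport)] = now
        return "permit"

    def inbound(self, proto, src, sport, dst, dport, now):
        """Packet arriving on the outside interface. The static ACL denies it
        unless it reverses an inspected session whose opening has not expired."""
        key = (proto, dst, dport, src, sport)      # reverse of the outbound 5-tuple
        last_seen = self.sessions.get(key)
        if last_seen is None:
            return "deny"                          # Internet-initiated: static ACL wins
        if now - last_seen > self.idle_timeout:
            del self.sessions[key]                 # the opening has timed out
            return "deny"
        self.sessions[key] = now                   # refresh the opening
        return "permit"


def demo():
    """Walk a DNS lookup, an unsolicited probe and a stale web reply for 10.1.1.5."""
    fw = CbacModel(["tcp", "udp"], idle_timeout=30)
    return [
        fw.outbound("udp", "10.1.1.5", 53001, "203.0.113.53", 53, now=0),
        fw.inbound("udp", "203.0.113.53", 53, "10.1.1.5", 53001, now=1),    # DNS answer
        fw.inbound("tcp", "198.51.100.9", 4444, "10.1.1.5", 22, now=2),     # unsolicited
        fw.outbound("tcp", "10.1.1.5", 40000, "203.0.113.80", 80, now=3),
        fw.inbound("tcp", "203.0.113.80", 80, "10.1.1.5", 40000, now=40),   # idle too long
    ]

if __name__ == "__main__":
    print(demo())  # ['permit', 'permit', 'deny', 'permit', 'deny']
```

The last case shows why the guide's example admits ICMP only by a static entry: a protocol that is not inspected never gets an opening, so its replies are dropped unless the static ACL permits them.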
Configure Access Lists

Perform these steps to create access lists for use by the firewall, beginning in global configuration mode:

Command / Purpose

Step 1  access-list access-list-number {deny | permit} protocol source source-wildcard [operator [port]] destination
        Example:
          Router(config)# access-list 103 permit udp host 200.1.1.1 eq isakmp any
          Router(config)# access-list 103 deny ip any any
          Router(config)#
        Creates an access list which prevents Internet-initiated traffic from reaching the local (inside) network of the router, and which compares source and destination ports. See the Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services for details about this command.

Step 2  access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard
        Example:
          Router(config)# access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
          Router(config)#
        Creates an access list that allows network traffic to pass freely between the corporate network and the local networks through the configured VPN tunnel.

Configure Inspection Rules

Perform these steps to configure firewall inspection rules for all TCP and UDP traffic, as well as specific application protocols as defined by the security policy, beginning in global configuration mode:

Command or Action / Purpose

Step 1  ip inspect name inspection-name protocol
        Example:
          Router(config)# ip inspect name firewall tcp
          Router(config)#
        Defines an inspection rule for a particular protocol.

Step 2  ip inspect name inspection-name protocol
        Example:
          Router(config)# ip inspect name firewall rtsp
          Router(config)# ip inspect name firewall h323
          Router(config)# ip inspect name firewall netshow
          Router(config)# ip inspect name firewall ftp
          Router(config)# ip inspect name firewall sqlnet
          Router(config)#
        Repeat this command for each inspection rule that you wish to use.

Apply Access Lists and Inspection Rules to Interfaces

Perform these steps to apply the ACLs and inspection rules to the network interfaces, beginning in global configuration mode:

Command / Purpose

Step 1  interface type number
        Example:
          Router(config)# interface vlan 1
          Router(config-if)#
        Enters interface configuration mode for the inside network interface on your router.

Step 2  ip inspect inspection-name {in | out}
        Example:
          Router(config-if)# ip inspect firewall in
          Router(config-if)#
        Assigns the set of firewall inspection rules to the inside interface on the router.

Step 3  exit
        Example:
          Router(config-if)# exit
          Router(config)#
        Returns to global configuration mode.

Step 4  interface type number
        Example:
          Router(config)# interface fastethernet 4
          Router(config-if)#
        Enters interface configuration mode for the outside network interface on your router.

Step 5  ip access-group {access-list-number | access-list-name} {in | out}
        Example:
          Router(config-if)# ip access-group 103 in
          Router(config-if)#
        Assigns the defined ACLs to the outside interface on the router.

Step 6  exit
        Example:
          Router(config-if)# exit
          Router(config)#
        Returns to global configuration mode.
Configuration Example

A telecommuter is granted secure access to a corporate network, using IPSec tunneling. Security to the home network is accomplished through firewall inspection. The protocols that are allowed are all TCP, UDP, RTSP, H.323, NetShow, FTP, and SQLNet. There are no servers on the home network; therefore, no traffic is allowed that is initiated from outside. IPSec tunneling secures the connection from the home LAN to the corporate network.

Like the Internet Firewall Policy, HTTP need not be specified because Java blocking is not necessary. Specifying TCP inspection allows for single-channel protocols such as Telnet and HTTP. UDP is specified for DNS.

The following configuration example shows a portion of the configuration file for the simple firewall scenario described in the preceding sections.

!
! Firewall inspection is set up for all TCP and UDP traffic as well as
! specific application protocols as defined by the security policy.
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
ip inspect name firewall h323
ip inspect name firewall netshow
ip inspect name firewall ftp
ip inspect name firewall sqlnet
!
! This is the internal home network.
interface vlan 1
 ! Inspection examines outbound traffic.
 ip inspect firewall in
 no cdp enable
!
! FE4 is the outside or Internet-exposed interface.
interface fastethernet 4
 ! acl 103 permits IPSec traffic from the corp. router
 ! as well as denies Internet-initiated traffic inbound.
 ip access-group 103 in
 ip nat outside
 no cdp enable
!
! acl 103 defines the traffic allowed from the peer for the IPSec tunnel.
access-list 103 permit udp host 200.1.1.1 any eq isakmp
access-list 103 permit udp host 200.1.1.1 eq isakmp any
access-list 103 permit esp host 200.1.1.1 any
! Allows ICMP for debugging; this should be disabled because of its security implications.
access-list 103 permit icmp any any
! Prevents Internet-initiated traffic inbound.
access-list 103 deny ip any any
! acl 105 matches addresses for the IPSec tunnel to or from the corporate network.
access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
no cdp run
!
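To check what ACL 103 and ACL 105 (used in both the Chapter 7 and Chapter 8 configuration examples, and built in the "Configure Access Lists" steps) actually admit, here is an added Python evaluator for IOS numbered extended ACLs; it is constructed for this page and is not Cisco code. It implements the wildcard-mask comparison and first-match semantics with the implicit deny at the end; the port-name table and the packets checked in the test are assumptions.

```python
from ipaddress import IPv4Address
# The numbered extended ACLs from the configuration example above, as constructed input.
ACL_CONFIG = """\
access-list 103 permit udp host 200.1.1.1 any eq isakmp
access-list 103 permit udp host 200.1.1.1 eq isakmp any
access-list 103 permit esp host 200.1.1.1 any
access-list 103 permit icmp any any
access-list 103 deny ip any any
access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
"""
PORT_NAMES = {"isakmp": 500}  # the only port keyword used on this page

def _endpoint(tokens):
    # Consume 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard', then an optional 'eq port'.
    tok = tokens.pop(0)
    if tok == "any":
        base, wc = 0, 0xFFFFFFFF                        # every address bit is "don't care"
    elif tok == "host":
        base, wc = int(IPv4Address(tokens.pop(0))), 0    # exact address
    else:
        base, wc = int(IPv4Address(tok)), int(IPv4Address(tokens.pop(0)))
    port = None                                          # None means any port
    if tokens and tokens[0] == "eq":
        port = int(tokens[1]) if tokens[1].isdigit() else PORT_NAMES[tokens[1]]
        del tokens[:2]
    return base, wc, port

def parse_acls(text):
    # Returns {acl_number: [(action, proto, src_spec, dst_spec)]} in configured order.
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) > 4 and t[0] == "access-list":
            rest = t[4:]
            src, dst = _endpoint(rest), _endpoint(rest)
            acls.setdefault(t[1], []).append((t[2], t[3], src, dst))
    return acls

def _match(addr, port, spec):
    base, wc, want = spec
    # Bits set in the wildcard mask are ignored when comparing the address.
    return ((addr ^ base) & ~wc & 0xFFFFFFFF) == 0 and (want is None or want == port)

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    # The first configured entry that matches decides; otherwise the implicit deny applies.
    s, d = int(IPv4Address(src)), int(IPv4Address(dst))
    for action, p, s_spec, d_spec in acl:
        if p in ("ip", proto) and _match(s, sport, s_spec) and _match(d, dport, d_spec):
            return action
    return "deny"
```

Running it over the constructed packets in the test confirms the guide's own caveat: ISAKMP and ESP from the peer 200.1.1.1 pass, Internet-initiated TCP is dropped, but ICMP from anywhere is still admitted until the icmp entry is removed.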