Cisco Router 850 Series Software Configuration Guide
Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide OL-5332-01

Chapter 10 Sample Configuration

crypto isakmp client configuration group rtr-remote
 key secret-password
 dns 10.50.10.1 10.60.10.1
 domain company.com
 pool dynpool
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto ipsec security-association lifetime seconds 86400
!
crypto dynamic-map dynmap 1
 set transform-set vpn1
 reverse-route
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap
crypto map dynmap isakmp authorization list rtr-remote
crypto map dynmap client configuration address respond
crypto ipsec client ezvpn ezvpnclient
 connect auto
 group 2 key secret-password
 mode client
 peer 192.168.100.1
!
interface Dot11Radio0
 no ip address
 !
 broadcast-key vlan 1 change 45
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid cisco
    vlan 1
    authentication open
    authentication network-eap eap_methods
    authentication key-management wpa optional
 !
 ssid ciscowep
    vlan 2
    authentication open
 !
 ssid ciscowpa
    vlan 3
    authentication open
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 rts threshold 2312
 power local cck 50
 power local ofdm 30
 channel 2462
 station-role root
!
interface Dot11Radio0.1
 description Cisco Open
 encapsulation dot1Q 1 native
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 spanning-disabled
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 spanning-disabled
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast (default)
 ip nat inside
 crypto ipsec client ezvpn ezvpnclient inside
 ip inspect firewall in
 no cdp enable
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan2
 no ip address
 bridge-group 2
 bridge-group 2 spanning-disabled
!
interface Vlan3
 no ip address
 bridge-group 3
 bridge-group 3 spanning-disabled
!
interface BVI1
 ip address 10.0.1.1 255.255.255.0
!
interface BVI2
 ip address 10.0.2.1 255.255.255.0
!
interface BVI3
 ip address 10.0.3.1 255.255.255.0
!
ip classless
!
ip http server
no ip http secure-server
!
radius-server local
 nas 10.0.1.1 key 0 cisco123
 group rad_eap
 !
 user jsomeone nthash 7 0529575803696F2C492143375828267C7A760E1113734624452725707C010B065B
 user AMER\jsomeone nthash 7 0224550C29232E041C6A5D3C5633305D5D560C09027966167137233026580E0B0D
!
radius-server host 10.0.1.1 auth-port 1812 acct-port 1813 key cisco123
!
control-plane
!
bridge 1 route ip
bridge 2 route ip
bridge 3 route ip
!
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
ip inspect name firewall h323
ip inspect name firewall netshow
ip inspect name firewall ftp
ip inspect name firewall sqlnet
!
access-list 103 permit udp host 200.1.1.1 any eq isakmp
access-list 103 permit udp host 200.1.1.1 eq isakmp any
access-list 103 permit esp host 200.1.1.1 any
access-list 103 permit icmp any any
access-list 103 deny ip any any
access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
no cdp run
!
line con 0
 password cisco123
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 password cisco123
 transport preferred all
 transport input all
 transport output all
!
PART 3 Configuring Additional Features and Troubleshooting
Chapter 11 Additional Configuration Options

This part of the software configuration guide describes additional configuration options and troubleshooting tips for the Cisco 850 series routers (Cisco 851 and Cisco 857) and Cisco 870 series routers (Cisco 871, Cisco 876, Cisco 877, and Cisco 878). The configuration options described in this part include:

Chapter 12, “Configuring Security Features”
Chapter 13, “Configuring Dial Backup and Remote Management”
Chapter 14, “Troubleshooting”

The descriptions contained in these chapters do not describe all of your configuration or troubleshooting needs. See the appropriate Cisco IOS configuration guides and command references for additional details.

Note: To verify that a specific feature is compatible with your router, you can use the Software Advisor tool. You can access this tool at www.cisco.com > Technical Support & Documentation > Tools & Resources with your Cisco username and password.
Chapter 12 Configuring Security Features

This chapter gives an overview of authentication, authorization, and accounting (AAA), the primary Cisco framework for implementing selected security features that can be configured on the Cisco 850 and Cisco 870 series access routers.

Note: Individual router models may not support every feature described throughout this guide. Features not supported by a particular router are indicated whenever possible.

This chapter contains the following sections:

Authentication, Authorization, and Accounting
Configuring AutoSecure
Configuring Access Lists
Configuring a CBAC Firewall
Configuring Cisco IOS Firewall IDS
Configuring VPNs

Each section includes a configuration example and verification steps, where available.

Authentication, Authorization, and Accounting

AAA network security services provide the primary framework through which you set up access control on your router. Authentication provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol you choose, encryption. Authorization provides the method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, Internetwork Packet Exchange (IPX), AppleTalk Remote Access (ARA), and Telnet. Accounting provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes. AAA uses protocols such as RADIUS, TACACS+, or Kerberos to administer its security functions. If your router is acting as a network access server, AAA is the means through which you establish communication between your network access server and your RADIUS, TACACS+, or Kerberos security server.
For information about configuring AAA services and supported security protocols, see the following sections of the Cisco IOS Security Configuration Guide:

Configuring Authentication
Configuring Authorization
Configuring Accounting
Configuring RADIUS
Configuring TACACS+
Configuring Kerberos

Configuring AutoSecure

The AutoSecure feature disables common IP services that can be exploited for network attacks and enables IP services and features that can aid in the defense of a network when under attack. These IP services are all disabled and enabled simultaneously with a single command, greatly simplifying security configuration on your router. For a complete description of the AutoSecure feature, see the AutoSecure feature document.

Configuring Access Lists

Access lists (ACLs) permit or deny network traffic over an interface based on source IP address, destination IP address, or protocol. Access lists are configured as standard or extended. A standard access list either permits or denies passage of packets from a designated source. An extended access list allows designation of both the destination and the source, and it allows designation of individual protocols to be permitted or denied passage. An access list is a series of commands with a common tag to bind them together. The tag is either a number or a name. Table 12-1 lists the commands used to configure access lists.
Table 12-1 Access List Configuration Commands

ACL Type             Configuration Commands
Numbered Standard    access-list {1-99} {permit | deny} source-addr [source-mask]
Numbered Extended    access-list {100-199} {permit | deny} protocol source-addr [source-mask] destination-addr [destination-mask]
Named Standard       ip access-list standard name, followed by deny {source | source-wildcard | any}
Named Extended       ip access-list extended name, followed by {permit | deny} protocol {source-addr [source-mask] | any} {destination-addr [destination-mask] | any}
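The following Python script is an added example and is not code from the guide or from Cisco. It parses the numbered standard and extended access-list syntax of Table 12-1 and evaluates packets against the result the way the router does: entries are checked in configuration order, the first match decides, and every list ends with an implicit deny. The access-list 103 and 105 lines are copied from the Chapter 10 sample configuration; the standard list 10, the packets and the port-name table are constructed for the demonstration, and the helper names are this example's own.

```python
"""Evaluator for the numbered access-list syntax of Table 12-1.

Added example, not code from the guide or from Cisco. It parses numbered
standard (1-99) and extended (100-199) access-list lines and evaluates
packets the way IOS does: entries are checked in order, the first match
wins, and every list ends with an implicit "deny ip any any". Wildcard
masks are inverse masks: a 1 bit means "ignore this bit".
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_BITS = 0xFFFFFFFF
ANY = (0, ALL_BITS)            # address 0 with an all-ones wildcard matches everything

# Port keywords that may follow "eq" (assumed subset; isakmp is UDP/500).
PORT_NAMES = {"isakmp": 500, "domain": 53, "www": 80, "telnet": 23, "ftp": 21}

# Constructed input: ACL 103 and 105 are copied from the Chapter 10 sample
# configuration; ACL 10 is a constructed standard list to exercise the 1-99 path.
SAMPLE_ACL_TEXT = """
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 103 permit udp host 200.1.1.1 any eq isakmp
access-list 103 permit udp host 200.1.1.1 eq isakmp any
access-list 103 permit esp host 200.1.1.1 any
access-list 103 permit icmp any any
access-list 103 deny ip any any
access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
"""


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    protocol: str                # "ip" matches every protocol
    src: Tuple[int, int]         # (address, wildcard) as 32-bit ints
    dst: Tuple[int, int]
    src_port: Optional[int]
    dst_port: Optional[int]


def _parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    if i + 1 < len(tokens) and tokens[i + 1].count(".") == 3:
        return (addr, int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2
    return (addr, 0), i + 1      # a bare address with no wildcard is a host match


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq <port>' starting at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_acl(text: str, number: int) -> List[Entry]:
    """Collect the entries of one numbered list, in configuration order."""
    entries: List[Entry] = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or int(t[1]) != number:
            continue
        if number <= 99:             # standard list: action and source only
            src, _ = _parse_addr(t, 3)
            entries.append(Entry(t[2], "ip", src, ANY, None, None))
            continue
        src, i = _parse_addr(t, 4)   # extended list: action, protocol, src, dst
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        entries.append(Entry(t[2], t[3], src, dst, sport, dport))
    return entries


def _addr_match(spec: Tuple[int, int], ip: str) -> bool:
    addr, wildcard = spec
    care = ~wildcard & ALL_BITS      # bits that must be equal
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def evaluate(entries, proto, src_ip, dst_ip, src_port=None, dst_port=None) -> str:
    """Return 'permit' or 'deny' for one packet: first match wins, implicit deny last."""
    for e in entries:
        if e.protocol != "ip" and e.protocol != proto:
            continue
        if not (_addr_match(e.src, src_ip) and _addr_match(e.dst, dst_ip)):
            continue
        if e.src_port is not None and e.src_port != src_port:
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action
    return "deny"                    # implicit deny ip any any


if __name__ == "__main__":
    acl103 = parse_acl(SAMPLE_ACL_TEXT, 103)
    acl105 = parse_acl(SAMPLE_ACL_TEXT, 105)
    # Constructed packets: the VPN peer's IKE and ESP traffic passes, the rest is denied.
    print(evaluate(acl103, "udp", "200.1.1.1", "10.0.1.1", 500, 500))      # permit
    print(evaluate(acl103, "esp", "200.1.1.1", "10.0.1.1"))                # permit
    print(evaluate(acl103, "tcp", "200.1.1.1", "10.0.1.1", 40000, 23))     # deny
    print(evaluate(acl105, "tcp", "10.1.1.77", "192.168.44.9", 1025, 80))  # permit
    print(evaluate(acl105, "tcp", "10.1.2.77", "192.168.44.9", 1025, 80))  # deny
```

Two points the table alone does not show come out when the script runs. The wildcard in `access-list 105 permit ip 10.1.1.0 0.0.0.255 ...` is an inverse mask, so 10.1.1.77 matches and 10.1.2.77 does not; and a list with no explicit final entry, such as ACL 105, still denies everything it does not permit. ACL 103 ends with an explicit `deny ip any any`, which behaves the same as the implicit one but lets the router count the packets it drops.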