
Cisco Router 860, 880 Series User Manual

    5-29
    Cisco 860 and Cisco 880 Series Integrated Services Routers Software Configuration Guide
    OL-xxxxx-xx
    Chapter 5      Configuring Backup Data Lines and Remote Management
      Configuring the Cellular Wireless Interface
     ip virtual-reassembly
     load-interval 30
     no atm ilmi-keepalive
    !
    interface ATM0.1 point-to-point
     backup interface Cellular0
     ip nat outside
     ip virtual-reassembly
     pvc 0/35
      pppoe-client dial-pool-number 2
     !
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Cellular0
     ip address negotiated
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     no ip mroute-cache
     dialer in-band
     dialer idle-timeout 0
     dialer string gsm
     dialer-group 1
     async mode interactive
     no ppp lcp fast-start
     ppp chap hostname [email protected]
     ppp chap password 0 B7uhestacr
     ppp ipcp dns request
     crypto map gsm1
    !
    interface Vlan1
     description used as default gateway address for DHCP clients
     ip address 10.4.0.254 255.255.0.0
     ip nat inside
     ip virtual-reassembly
    !
    interface Dialer2
     ip address negotiated
     ip mtu 1492
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     load-interval 30
     dialer pool 2
     dialer-group 2
     ppp authentication chap callin
     ppp chap hostname [email protected]
     ppp chap password 0 cisco
     ppp ipcp dns request
     crypto map gsm1
    !
    ip local policy route-map track-primary-if
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer2 track 234
    ip route 0.0.0.0 0.0.0.0 Cellular0 254
    no ip http server
    no ip http secure-server
    !
    !
    ip nat inside source route-map nat2cell interface Cellular0 overload
    ip nat inside source route-map nat2dsl interface Dialer2 overload
    !
    ip sla 1
     icmp-echo 209.131.36.158 source-interface Dialer2
     timeout 1000
     frequency 2
    ip sla schedule 1 life forever start-time now
    access-list 1 permit any
    access-list 2 permit 10.4.0.0 0.0.255.255
    access-list 3 permit any
    access-list 101 permit ip 10.4.0.0 0.0.255.255 any
    access-list 102 permit icmp any host 209.131.36.158
    access-list 103 permit ip host 166.136.225.89 128.107.0.0 0.0.255.255
    access-list 103 permit ip host 75.40.113.246 128.107.0.0 0.0.255.255
    dialer-list 1 protocol ip list 1
    dialer-list 2 protocol ip permit
    !
    !
    route-map track-primary-if permit 10
     match ip address 102
     set interface Dialer2
    !
    route-map nat2dsl permit 10
     match ip address 101
     match interface Dialer2
    !
    route-map nat2cell permit 10
     match ip address 101
     match interface Cellular0
    !
    !
    control-plane
    !
    !
    line con 0
     no modem enable
    line aux 0
    line 3
     exec-timeout 0 0
     script dialer gsm
     login
     modem InOut
     no exec
    line vty 0 4
     login
    !
    scheduler max-task-time 5000
    !
    webvpn cef
    end
    Configuring Cellular Wireless Interface Data Line Backup
    The Cisco 881 and 888G Integrated Services Routers (ISRs) provide a Third Generation (3G) wireless 
    interface for use over Global System for Mobile Communications (GSM) and code division multiple 
    access (CDMA) networks. Its primary application is WAN connectivity as a backup data link for critical 
    data applications. However, the 3G wireless interface can also function as the primary WAN connection. 
    The interface is a 34-mm PCMCIA slot.
    Prerequisites for Configuring 3G Wireless Interface
    • You must have wireless service from a carrier, and you must have network coverage where your
      router will be physically placed. For a complete list of supported carriers, see the data sheet at the
      following URL:
      http://www.cisco.com/go/3g
    • You must subscribe to a service plan with a wireless service provider and obtain a SIM card (GSM
      modem only) from the service provider.
    • You must check your LEDs for signal strength as described in Table 5-2.
    • You should be familiar with the Cisco IOS software, beginning with Cisco IOS Release 12.4(15)XZ
      or later for Cisco 3G Wireless support. (See the Cisco IOS documentation.)
    • To configure your GSM data profile, you will need the following information from your service
      provider:
      – Username
      – Password
      – Access point name (APN)
    • To configure your CDMA data profile for manual activation, you need the following information
      from your service provider:
      – Master Subsidy Lock (MSL) number
      – Mobile Directory Number (MDN)
      – Mobile Station Identifier (MSID)
      – Electronic Serial Number (ESN)
    Table 5-2   Front Panel LED Signal Strength Indications

    LED        LED Color                     Signal Strength
    3G RSSI    Amber                         No service available and no RSSI detected
               Solid green                   High RSSI (-69 dBm or higher)
               Fast (16 Hz) blinking green   Medium RSSI (-89 to -70 dBm)
               Slow (1 Hz) blinking green    Low to medium RSSI (-99 to -90 dBm), minimum level for a
                                             reliable connection
               Off                           Low RSSI (less than -100 dBm)

    3G RSSI: 3G receive signal strength indication
    Chapter 6
    Configuring Security Features
    This chapter provides an overview of authentication, authorization, and accounting (AAA), which is the
    primary Cisco framework for implementing selected security features that can be configured on the
    Cisco 860 and Cisco 880 series Integrated Services Routers (ISRs).
    This chapter contains the following sections:
    • Authentication, Authorization, and Accounting, page 6-1
    • Configuring AutoSecure, page 6-2
    • Configuring Access Lists, page 6-2
    • Configuring Cisco IOS Firewall, page 6-3
    • Configuring Cisco IOS IPS, page 6-4
    • URL Filtering, page 6-4
    • Cisco Adaptive Control Technology, page 6-4
    • Configuring VPN, page 6-5
    Authentication, Authorization, and Accounting
    AAA network security services provide the primary framework through which you set up access control 
    on your router. Authentication provides the method of identifying users, including login and password 
    dialog, challenge and response, messaging support, and, depending on the security protocol you choose, 
    encryption. Authorization provides the method for remote access control, including one-time 
    authorization or authorization for each service, per-user account list and profile, user group support, and 
    support of IP, Internetwork Packet Exchange (IPX), AppleTalk Remote Access (ARA), and Telnet. 
    Accounting provides the method for collecting and sending security server information used for billing, 
    auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), 
    number of packets, and number of bytes.
    AAA uses protocols such as RADIUS, TACACS+, or Kerberos to administer its security functions. If 
    your router is acting as a network access server, AAA is the means through which you establish 
    communication between your network access server and your RADIUS, TACACS+, or Kerberos security 
    server. 
    						
    							 
    For information about configuring AAA services and supported security protocols, see the following
    sections of the Cisco IOS Release 12.4T Security Configuration Guide at
    http://www.cisco.com/en/US/docs/ios/security/configuration/guide/12_4t/sec_12_4t_book.html:
    • Configuring Authentication
    • Configuring Authorization
    • Configuring Accounting
    • Configuring RADIUS
    • Configuring TACACS+
    • Configuring Kerberos
    Configuring AutoSecure
    The AutoSecure feature disables common IP services that can be exploited for network attacks and
    enables IP services and features that can aid in the defense of a network when under attack. These IP
    services are all disabled and enabled simultaneously with a single command, greatly simplifying security
    configuration on your router. For a complete description of the AutoSecure feature, see the AutoSecure
    feature document at
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123_1/ftatosec.htm.
    Configuring Access Lists
    Access lists permit or deny network traffic over an interface based on source IP address, destination IP 
    address, or protocol. Access lists are configured as standard or extended. A standard access list either 
    permits or denies passage of packets from a designated source. An extended access list allows 
    designation of both the destination and the source, and it allows designation of individual protocols to 
    be permitted or denied passage. 
    For more complete information on creating access lists, see the “Access Control Lists: Overview and 
    Guidelines” section of the Cisco IOS Release 12.4 Security Configuration Guide at 
    http://www.cisco.com/en/US/docs/ios/security/configuration/guide/12_4/sec_12_4_book.html.
    An access list is a series of commands with a common tag to bind them together. The tag is either a 
    number or a name. 
    Table 6-1 lists the commands used to configure access lists.

    Table 6-1   Access List Configuration Commands

    ACL Type             Configuration Commands
    Numbered, standard   access-list {1-99} {permit | deny} source-addr [source-mask]
    Numbered, extended   access-list {100-199} {permit | deny} protocol source-addr [source-mask]
                         destination-addr [destination-mask]
    Named, standard      ip access-list standard name deny {source | source-wildcard | any}
    Named, extended      ip access-list extended name {permit | deny} protocol
                         {source-addr [source-mask] | any} {destination-addr [destination-mask] | any}
    						
    							 
    To create, refine, and manage access lists, see the following sections of the “Traffic Filtering, Firewalls,
    and Virus Detection” part of the Cisco IOS Release 12.4T Security Configuration Guide at
    http://www.cisco.com/en/US/docs/ios/security/configuration/guide/12_4t/sec_12_4t_book.html:
    • Creating an IP Access List and Applying It to an Interface
    • Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values
    • Refining an IP Access List
    • Displaying and Clearing IP Access List Data Using ACL Manageability
    Access Groups
    An access group is a sequence of access list definitions bound together with a common name or number.
    An access group is enabled for an interface during interface configuration. Use the following guidelines
    when creating access groups.
    • The order of access list definitions is significant. A packet is compared against the first access list
      in the sequence. If there is no match (that is, if neither a permit nor a deny occurs), the packet is
      compared with the next access list, and so on.
    • All parameters must match the access list before the packet is permitted or denied.
    • There is an implicit “deny all” at the end of all sequences.
    For information on configuring and managing access groups, see the “Creating an IP Access List to
    Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values” section of the Cisco IOS Release
    12.4T Security Configuration Guide at
    http://www.cisco.com/en/US/docs/ios/security/configuration/guide/12_4t/sec_12_4t_book.html.
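The following is an added example, not code from the Cisco guide: a small Python model of the numbered access lists in Table 6-1 that applies the three access-group rules above (first match wins, all fields must match, implicit deny at the end) and additionally reports entries that an earlier, broader entry shadows, which is the usual way a misordered deny silently stops working. The sample policy and addresses are constructed.

```python
# Added example, not code from the Cisco guide: a model of Cisco IOS numbered access lists in the
# Table 6-1 syntax, applying the Access Groups rules (first match wins, implicit "deny all" at the end).
import ipaddress
from collections import namedtuple

Ace = namedtuple("Ace", "action proto src dst")   # src/dst are (base, wildcard) 32-bit ints
ANY = (0, 0xFFFFFFFF)                              # all-ones wildcard matches every address
MASK = 0xFFFFFFFF

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(t, i):
    """Parse one address term at t[i]: any | host A | A wildcard | A (standard-ACL host)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    if i + 1 < len(t) and t[i + 1][0].isdigit():
        return (_ip(t[i]), _ip(t[i + 1])), i + 2
    return (_ip(t[i]), 0), i + 1

def parse_acl(text):
    """Parse 'access-list N ...' lines into Ace entries, keeping their order."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        if 1 <= int(t[1]) <= 99:               # standard: {permit|deny} source [wildcard]
            src, _ = _addr(t, 3)
            aces.append(Ace(t[2], "ip", src, ANY))
        else:                                   # extended: {permit|deny} protocol src dst
            src, i = _addr(t, 4)
            dst, _ = _addr(t, i)
            aces.append(Ace(t[2], t[3], src, dst))
    return aces

def _match(term, ip):
    base, wc = term                             # a set wildcard bit means "don't care"
    return (_ip(ip) & ~wc & MASK) == (base & ~wc & MASK)

def evaluate(aces, proto, src_ip, dst_ip):
    """First matching entry decides: (action, index). No match is the implicit deny (index None)."""
    for i, a in enumerate(aces):
        if a.proto in ("ip", proto) and _match(a.src, src_ip) and _match(a.dst, dst_ip):
            return a.action, i
    return "deny", None

def _covers(outer, inner):
    """True if term `outer` matches every address that term `inner` matches."""
    (ob, ow), (ib, iw) = outer, inner
    return (ow | iw) == ow and (ob & ~ow & MASK) == (ib & ~ow & MASK)

def shadowed(aces):
    """Indexes of entries that can never match because an earlier entry covers them."""
    return [j for j, a in enumerate(aces)
            if any(e.proto in ("ip", a.proto) and _covers(e.src, a.src) and _covers(e.dst, a.dst)
                   for e in aces[:j])]

# Constructed sample policy: the host-specific deny must precede the network-wide permit.
ORDERED = """
access-list 110 deny   ip host 10.4.1.99 any
access-list 110 permit ip 10.4.0.0 0.0.255.255 any
"""
REVERSED = "\n".join(reversed(ORDERED.strip().splitlines()))

if __name__ == "__main__":
    print(evaluate(parse_acl(ORDERED), "tcp", "10.4.1.99", "198.51.100.7"))    # ('deny', 0)
    print(evaluate(parse_acl(REVERSED), "tcp", "10.4.1.99", "198.51.100.7"))   # ('permit', 0)
```

With the entries reversed, `shadowed(parse_acl(REVERSED))` returns `[1]`: the deny can never be reached, which is exactly the ordering problem the first guideline warns about.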
    Configuring Cisco IOS Firewall
    The Cisco IOS Firewall lets you configure a stateful firewall where packets are inspected internally and
    the state of network connections is monitored. A stateful firewall is superior to static access lists, because
    access lists can only permit or deny traffic based on individual packets, not based on streams of packets.
    Also, because Cisco IOS Firewall inspects the packets, decisions to permit or deny traffic can be made
    by examining application layer data, which static access lists cannot examine.
    To configure a Cisco IOS Firewall, specify which protocols to examine by using the following command 
    in interface configuration mode:
    ip inspect name inspection-name protocol timeout seconds
    When inspection detects that the specified protocol is passing through the firewall, a dynamic access list 
    is created to allow the passage of return traffic. The timeout parameter specifies the length of time the 
    dynamic access list remains active without return traffic passing through the router. When the timeout 
    value is reached, the dynamic access list is removed, and subsequent packets (possibly valid ones) are 
    not permitted.
    Use the same inspection name in multiple statements to group them into one set of rules. This set of rules 
    can be activated elsewhere in the configuration by using the ip inspect inspection-name in | out 
    command when you configure an interface at the firewall.
    For additional information about configuring a Cisco IOS Firewall, see the “Cisco IOS Firewall 
    Overview” section of the Cisco IOS Release 12.4 Security Configuration Guide at 
    http://www.cisco.com/en/US/docs/ios/security/configuration/guide/12_4/sec_12_4_book.html. 
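The following is an added example, not code from the Cisco guide, that models the dynamic access list behaviour described above: an outbound flow of an inspected protocol opens a return-traffic entry, return traffic keeps the entry alive, and once the idle timeout elapses the entry is removed and later (possibly valid) return packets are denied. The class names, the inspection set and the timeline are constructed for illustration.

```python
# Added example, not code from the Cisco guide: a model of how 'ip inspect name <name> <protocol>
# timeout <seconds>' opens a dynamic return-traffic entry that expires after idle `timeout` seconds.
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")

class InspectSet:
    """One named inspection rule set: protocol -> idle timeout, as built by repeating
    'ip inspect name <name> <protocol> timeout <seconds>' with the same name."""
    def __init__(self, name):
        self.name = name
        self.rules = {}

    def add(self, protocol, timeout):
        self.rules[protocol] = timeout
        return self

class StatefulFirewall:
    """Inspection applied at the inside interface: outbound packets of inspected protocols
    create dynamic entries; inbound packets pass only when they match a live entry."""
    def __init__(self, inspect_set):
        self.inspect = inspect_set
        self.dynamic = {}            # expected return 5-tuple -> absolute expiry time

    def _expire(self, now):
        self.dynamic = {k: t for k, t in self.dynamic.items() if t > now}

    def outbound(self, pkt, now):
        """Inside -> outside. An inspected protocol registers the reply tuple with its timeout."""
        self._expire(now)
        timeout = self.inspect.rules.get(pkt.proto)
        if timeout is not None:
            reply = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            self.dynamic[reply] = now + timeout
        return "permit"

    def inbound(self, pkt, now):
        """Outside -> inside. Permit only return traffic of a live entry and reset its idle timer."""
        self._expire(now)
        if pkt in self.dynamic:
            self.dynamic[pkt] = now + self.inspect.rules[pkt.proto]
            return "permit"
        return "deny"                # static inbound policy: nothing else gets through

def scenario():
    """Constructed timeline for one TCP session under 'ip inspect name fw tcp timeout 30'."""
    fw = StatefulFirewall(InspectSet("fw").add("tcp", 30))
    req = Packet("tcp", "10.4.0.10", 51000, "198.51.100.7", 443)
    rep = Packet("tcp", "198.51.100.7", 443, "10.4.0.10", 51000)
    stray = Packet("tcp", "192.0.2.66", 4444, "10.4.0.10", 51000)
    return [
        fw.inbound(stray, 0),        # no entry for this tuple -> deny
        fw.outbound(req, 0),         # opens the return entry, valid until t=30
        fw.inbound(rep, 20),         # live entry -> permit; idle timer now runs to t=50
        fw.inbound(rep, 45),         # still live -> permit; timer runs to t=75
        fw.inbound(rep, 80),         # idle longer than 30 s -> entry removed -> deny
    ]

if __name__ == "__main__":
    print(scenario())                # ['deny', 'permit', 'permit', 'permit', 'deny']
```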
    						
    							 
    The Cisco IOS Firewall may also be configured to provide voice security in Session Initiation Protocol
    (SIP) applications. SIP inspection provides basic inspect functionality (SIP packet inspection and
    detection of pin-hole openings), as well as protocol conformance and application security. For more
    information, see “Cisco IOS Firewall: SIP Enhancements: ALG and AIC” at
    http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_sip_alg_aic.html.
    Configuring Cisco IOS IPS
    Cisco IOS Intrusion Prevention System (IPS) technology is available on Cisco 880 series ISRs and
    enhances perimeter firewall protection by taking appropriate action on packets and flows that violate the
    security policy or represent malicious network activity.
    Cisco IOS IPS identifies attacks using “signatures” to detect patterns of misuse in network traffic.
    Cisco IOS IPS acts as an in-line intrusion detection sensor, watching packets and sessions as they flow
    through the router, scanning each to match known IPS signatures. When Cisco IOS IPS detects
    suspicious activity, it responds before network security can be compromised, it logs the event, and,
    depending on configuration, it does one of the following:
    • sends an alarm
    • drops suspicious packets
    • resets the connection
    • denies traffic from the source IP address of the attacker for a specified amount of time
    • denies traffic on the connection for which the signature was seen for a specified amount of time
    For additional information about configuring Cisco IOS IPS, see the “Configuring Cisco IOS Intrusion
    Prevention System (IPS)” section of the Cisco IOS Release 12.4T Security Configuration Guide at
    http://www.cisco.com/en/US/docs/ios/security/configuration/guide/12_4t/sec_12_4t_book.html.
    URL Filtering
    Cisco 860 series and Cisco 880 series ISRs provide category-based URL filtering. The user provisions
    URL filtering on the ISR by selecting categories of websites to be permitted or blocked. An external
    server, maintained by a third party, is used to check which category a requested URL belongs to. Permit
    and deny policies are maintained on the ISR. The service is subscription based, and the URLs in each
    category are maintained by the third-party vendor.
    For additional information about configuring URL filtering, see Subscription-based Cisco IOS Content
    Filtering at http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_url_filtering.html.
    Cisco Adaptive Control Technology
    Cisco 860 series and Cisco 880 series ISRs support Cisco Adaptive Control Technology (ACT), a
    reliable rapid-response communication mechanism for responding to and controlling security threats on
    a network. ACT incorporates the Threat Information Distribution Protocol (TIDP), which provides a
    rapid and secure mechanism to distribute security threat information, and TIDP Based Mitigation
    Service (TMS), which provides a framework to rapidly and efficiently distribute threat information to
    devices across the network.
    						
    							 
    For additional information about configuring ACT, see Cisco Adaptive Control Technology (ACT) at 
    http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_c_act.html.
    Configuring VPN
    A virtual private network (VPN) connection provides a secure connection between two networks over a 
    public network such as the Internet. Cisco 860 and Cisco 880 series ISRs support two types of 
    VPNs—site-to-site and remote access. Site-to-site VPNs are used to connect branch offices to corporate 
    offices, for example. Remote access VPNs are used by remote clients to log in to a corporate network. 
    Two examples are given in this section: remote access VPN and site-to-site VPN.
    Remote Access VPN
    The configuration of a remote access VPN uses Cisco Easy VPN and an IP Security (IPSec) tunnel to
    configure and secure the connection between the remote client and the corporate network. Figure 6-1
    shows a typical deployment scenario.
    Figure 6-1   Remote Access VPN Using IPSec Tunnel
    1  Remote networked users
    2  VPN client—Cisco 880 series access router
    3  Router—Providing the corporate office network access
    4  VPN server—Easy VPN server; for example, a Cisco VPN 3000 concentrator with outside
       interface address 210.110.101.1
    5  Corporate office with a network address of 10.1.1.1
    6  IPSec tunnel
    [Figure 6-1: diagram with callouts 1 to 6 connected across the Internet; image not reproduced]
    						
    							 
    The Cisco Easy VPN client feature eliminates much of the tedious configuration work by implementing
    the Cisco Unity Client protocol. This protocol allows most VPN parameters, such as internal IP
    addresses, internal subnet masks, DHCP server addresses, Windows Internet Naming Service (WINS)
    server addresses, and split-tunneling flags, to be defined at a VPN server, such as a Cisco VPN 3000
    series concentrator that is acting as an IPSec server.
    A Cisco Easy VPN server–enabled device can terminate VPN tunnels initiated by mobile and remote
    workers who are running Cisco Easy VPN Remote software on PCs. Cisco Easy VPN server–enabled
    devices allow remote routers to act as Cisco Easy VPN Remote nodes.
    The Cisco Easy VPN client feature can be configured in one of two modes—client mode or network
    extension mode. Client mode is the default configuration and allows only devices at the client site to
    access resources at the central site. Resources at the client site are unavailable to the central site.
    Network extension mode allows users at the central site (where the VPN 3000 series concentrator is
    located) to access network resources on the client site.
    After the IPSec server has been configured, a VPN connection can be created with minimal configuration
    on an IPSec client, such as a supported Cisco 880 series ISR. When the IPSec client initiates the VPN
    tunnel connection, the IPSec server pushes the IPSec policies to the IPSec client and creates the
    corresponding VPN tunnel connection.
    Note: The Cisco Easy VPN client feature supports configuration of only one destination peer. If your
    application requires creation of multiple VPN tunnels, you must manually configure the IPSec VPN and
    Network Address Translation/Peer Address Translation (NAT/PAT) parameters on both the client and the
    server.
    Cisco 860 and Cisco 880 series ISRs can also be configured to act as Cisco Easy VPN servers, letting
    authorized Cisco Easy VPN clients establish dynamic VPN tunnels to the connected network. For
    information on the configuration of Cisco Easy VPN servers, see the Easy VPN Server feature document
    at http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ftunity.html.
    Site-to-Site VPN
    The configuration of a site-to-site VPN uses IPSec and the generic routing encapsulation (GRE) protocol
    to secure the connection between the branch office and the corporate network. Figure 6-2 shows a typical
    deployment scenario.
    Figure 6-2   Site-to-Site VPN Using an IPSec Tunnel and GRE
    1  Branch office containing multiple LANs and VLANs
    2  Fast Ethernet LAN interface—With address 192.165.0.0/16 (also the inside interface for NAT)
    3  VPN client—Cisco 860 or Cisco 880 series ISR
    [Figure 6-2: diagram with callouts 1 to 9 connected across the Internet; image not reproduced, and
    the legend entries 4 to 9 are not on this page]
    						