Cisco Router 860, 880 Series User Manual
5-29 Cisco 860 and Cisco 880 Series Integrated Services Routers Software Configuration Guide OL-xxxxx-xx Chapter 5 Configuring Backup Data Lines and Remote Management Configuring the Cellular Wireless Interface

 ip virtual-reassembly
 load-interval 30
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 backup interface Cellular0
 ip nat outside
 ip virtual-reassembly
 pvc 0/35
  pppoe-client dial-pool-number 2
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Cellular0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 dialer in-band
 dialer idle-timeout 0
 dialer string gsm
 dialer-group 1
 async mode interactive
 no ppp lcp fast-start
 ppp chap hostname [email protected]
 ppp chap password 0 B7uhestacr
 ppp ipcp dns request
 crypto map gsm1
!
interface Vlan1
 description used as default gateway address for DHCP clients
 ip address 10.4.0.254 255.255.0.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer2
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 load-interval 30
 dialer pool 2
 dialer-group 2
 ppp authentication chap callin
 ppp chap hostname [email protected]
 ppp chap password 0 cisco
 ppp ipcp dns request
 crypto map gsm1
!
ip local policy route-map track-primary-if
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer2 track 234
ip route 0.0.0.0 0.0.0.0 Cellular0 254
no ip http server
no ip http secure-server
!
!
ip nat inside source route-map nat2cell interface Cellular0 overload
ip nat inside source route-map nat2dsl interface Dialer2 overload
!
ip sla 1
 icmp-echo 209.131.36.158 source-interface Dialer2
 timeout 1000
 frequency 2
ip sla schedule 1 life forever start-time now
access-list 1 permit any
access-list 2 permit 10.4.0.0 0.0.255.255
access-list 3 permit any
access-list 101 permit ip 10.4.0.0 0.0.255.255 any
access-list 102 permit icmp any host 209.131.36.158
access-list 103 permit ip host 166.136.225.89 128.107.0.0 0.0.255.255
access-list 103 permit ip host 75.40.113.246 128.107.0.0 0.0.255.255
dialer-list 1 protocol ip list 1
dialer-list 2 protocol ip permit
!
!
!
route-map track-primary-if permit 10
 match ip address 102
 set interface Dialer2
!
route-map nat2dsl permit 10
 match ip address 101
 match interface Dialer2
!
route-map nat2cell permit 10
 match ip address 101
 match interface Cellular0
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line 3
 exec-timeout 0 0
 script dialer gsm
 login
 modem InOut
 no exec
line vty 0 4
 login
!
scheduler max-task-time 5000
!
webvpn cef
end
Configuring Cellular Wireless Interface Data Line Backup

The Cisco 881 and 888G Integrated Services Routers (ISRs) provide a Third Generation (3G) wireless interface for use over Global System for Mobile Communications (GSM) and code division multiple access (CDMA) networks. Its primary application is WAN connectivity as a backup data link for critical data applications. However, the 3G wireless interface can also function as the primary WAN connection. The interface is a 34-mm PCMCIA slot.

Prerequisites for Configuring 3G Wireless Interface

You must have wireless service from a carrier, and you must have network coverage where your router will be physically placed. For a complete list of supported carriers, see the data sheet at the following URL: http://www.cisco.com/go/3g

You must subscribe to a service plan with a wireless service provider and obtain a SIM card (GSM modem only) from the service provider.

You must check your LEDs for signal strength as described in Table 5-2.

You should be familiar with the Cisco IOS software, beginning with Cisco IOS Release 12.4(15)XZ or later for Cisco 3G Wireless support. (See the Cisco IOS documentation.)

To configure your GSM data profile, you will need the following information from your service provider:
– Username
– Password
– Access point name (APN)

To configure your CDMA data profile for manual activation, you need the following information from your service provider:
– Master Subsidy Lock (MSL) number
– Mobile Directory Number (MDN)
– Mobile Station Identifier (MSID)
– Electronic Serial Number (ESN)

Table 5-2 Front Panel LED Signal Strength Indications

LED        LED Color                     Signal Strength
3G RSSI1   Amber                         No service available and no RSSI detected
           Solid green                   High RSSI (-69 dBm or higher)
           Fast (16 Hz) blinking green   Medium RSSI (-89 to -70 dBm)
           Slow (1 Hz) blinking green    Low to medium RSSI (-99 to -90 dBm), minimum level for a reliable connection
           Off                           Low RSSI (less than -100 dBm)

1. 3G receive signal strength indication
CHAPTER 6

6-1 Book Title OL-xxxxx-xx

Configuring Security Features

This chapter provides an overview of authentication, authorization, and accounting (AAA), which is the primary Cisco framework for implementing selected security features that can be configured on the Cisco 860 and Cisco 880 series Integrated Services Routers (ISRs).

This chapter contains the following sections:
– Authentication, Authorization, and Accounting, page 6-1
– Configuring AutoSecure, page 6-2
– Configuring Access Lists, page 6-2
– Configuring Cisco IOS Firewall, page 6-3
– Configuring Cisco IOS IPS, page 6-4
– URL Filtering, page 6-4
– Cisco Adaptive Control Technology, page 6-4
– Configuring VPN, page 6-5

Authentication, Authorization, and Accounting

AAA network security services provide the primary framework through which you set up access control on your router. Authentication provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol you choose, encryption. Authorization provides the method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, Internetwork Packet Exchange (IPX), AppleTalk Remote Access (ARA), and Telnet. Accounting provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes.

AAA uses protocols such as RADIUS, TACACS+, or Kerberos to administer its security functions. If your router is acting as a network access server, AAA is the means through which you establish communication between your network access server and your RADIUS, TACACS+, or Kerberos security server.
For information about configuring AAA services and supported security protocols, see the following sections of the Cisco IOS Release 12.4T Security Configuration Guide at http://www.cisco.com/en/US/docs/ios/security/configuration/guide/12_4t/sec_12_4t_book.html:
– Configuring Authentication
– Configuring Authorization
– Configuring Accounting
– Configuring RADIUS
– Configuring TACACS+
– Configuring Kerberos

Configuring AutoSecure

The AutoSecure feature disables common IP services that can be exploited for network attacks and enables IP services and features that can aid in the defense of a network when under attack. These IP services are all disabled and enabled simultaneously with a single command, greatly simplifying security configuration on your router. For a complete description of the AutoSecure feature, see the AutoSecure feature document at http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123_1/ftatosec.htm.

Configuring Access Lists

Access lists permit or deny network traffic over an interface based on source IP address, destination IP address, or protocol. Access lists are configured as standard or extended. A standard access list either permits or denies passage of packets from a designated source. An extended access list allows designation of both the destination and the source, and it allows designation of individual protocols to be permitted or denied passage. For more complete information on creating access lists, see the “Access Control Lists: Overview and Guidelines” section of the Cisco IOS Release 12.4 Security Configuration Guide at http://www.cisco.com/en/US/docs/ios/security/configuration/guide/12_4/sec_12_4_book.html.

An access list is a series of commands with a common tag to bind them together. The tag is either a number or a name. Table 6-1 lists the commands used to configure access lists.
Table 6-1 Access List Configuration Commands

ACL Type            Configuration Commands
Numbered Standard   access-list {1-99} {permit | deny} source-addr [source-mask]
Numbered Extended   access-list {100-199} {permit | deny} protocol source-addr [source-mask] destination-addr [destination-mask]
Named Standard      ip access-list standard name
                    deny {source | source-wildcard | any}
Named Extended      ip access-list extended name
                    {permit | deny} protocol {source-addr [source-mask] | any} {destination-addr [destination-mask] | any}
To create, refine, and manage access lists, see the following sections of the “Traffic Filtering, Firewalls, and Virus Detection” part of the Cisco IOS Release 12.4T Security Configuration Guide at http://www.cisco.com/en/US/docs/ios/security/configuration/guide/12_4t/sec_12_4t_book.html:
– Creating an IP Access List and Applying It to an Interface
– Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values
– Refining an IP Access List
– Displaying and Clearing IP Access List Data Using ACL Manageability

Access Groups

An access group is a sequence of access list definitions bound together with a common name or number. An access group is enabled for an interface during interface configuration. Use the following guidelines when creating access groups.

The order of access list definitions is significant. A packet is compared against the first access list in the sequence. If there is no match (that is, if neither a permit nor a deny occurs), the packet is compared with the next access list, and so on. All parameters must match the access list before the packet is permitted or denied. There is an implicit “deny all” at the end of all sequences.

For information on configuring and managing access groups, see the “Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values” section of the Cisco IOS Release 12.4T Security Configuration Guide at http://www.cisco.com/en/US/docs/ios/security/configuration/guide/12_4t/sec_12_4t_book.html.

Configuring Cisco IOS Firewall

The Cisco IOS Firewall lets you configure a stateful firewall where packets are inspected internally and the state of network connections is monitored. A stateful firewall is superior to static access lists, because access lists can only permit or deny traffic based on individual packets, not based on streams of packets.
Also, because Cisco IOS Firewall inspects the packets, decisions to permit or deny traffic can be made by examining application layer data, which static access lists cannot examine.

To configure a Cisco IOS Firewall, specify which protocols to examine by using the following command in interface configuration mode:

ip inspect name inspection-name protocol timeout seconds

When inspection detects that the specified protocol is passing through the firewall, a dynamic access list is created to allow the passage of return traffic. The timeout parameter specifies the length of time the dynamic access list remains active without return traffic passing through the router. When the timeout value is reached, the dynamic access list is removed, and subsequent packets (possibly valid ones) are not permitted.

Use the same inspection name in multiple statements to group them into one set of rules. This set of rules can be activated elsewhere in the configuration by using the ip inspect inspection-name in | out command when you configure an interface at the firewall.

For additional information about configuring a Cisco IOS Firewall, see the “Cisco IOS Firewall Overview” section of the Cisco IOS Release 12.4 Security Configuration Guide at http://www.cisco.com/en/US/docs/ios/security/configuration/guide/12_4/sec_12_4_book.html.
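The access group evaluation rules above (first match wins, implicit deny all at the end) and the dynamic return-traffic entry that ip inspect opens and then ages out after timeout seconds, modelled as an added Python example; this is not Cisco code and not from this guide. The SAMPLE_ACL lines are constructed from the access-list 101 and 102 entries in the backup-line configuration earlier on this page, and InspectTable is a simplified model that assumes inbound packets without a dynamic entry are denied.

```python
import ipaddress
# Constructed sample: the entries of access-list 101 and 102 from the page's backup-line
# configuration, merged into one extended list so that first-match ordering is visible.
SAMPLE_ACL = [
    "access-list 101 permit ip 10.4.0.0 0.0.255.255 any",
    "access-list 101 permit icmp any host 209.131.36.158",
]

def _addr(tok):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D [WILDCARD]'."""
    first = tok.pop(0)
    if first == "any":
        return None                                   # matches every address
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    wild = tok.pop(0) if tok and tok[0].count(".") == 3 else "0.0.0.0"
    if wild == "0.0.0.0":
        return ipaddress.ip_network(first + "/32")
    # An IOS wildcard (0 bit = must match) is a host mask, which ipaddress accepts as-is;
    # a noncontiguous wildcard raises ValueError, which is the intended behaviour here.
    return ipaddress.ip_network(f"{first}/{wild}", strict=False)

def parse_ace(line):
    """Parse one numbered access-list line into (action, protocol, src_net, dst_net)."""
    tok = line.split()
    number, action, tok = int(tok[1]), tok[2], tok[3:]
    if 1 <= number <= 99:                             # standard list: source only
        return action, "ip", _addr(tok), None
    proto = tok.pop(0)                                # extended list: protocol src dst
    return action, proto, _addr(tok), _addr(tok)

def acl_decision(aces, proto, src, dst):
    """First matching entry wins; a packet matching no entry hits the implicit 'deny all'."""
    hit = lambda net, ip: net is None or ipaddress.ip_address(ip) in net
    for action, p, s, d in aces:
        if p in ("ip", proto) and hit(s, src) and hit(d, dst):
            return action
    return "deny"

class InspectTable:
    """Simplified model of 'ip inspect name NAME PROTO timeout SECS' applied outbound: a
    permitted outbound flow opens a dynamic entry that admits its return traffic until the
    entry has been idle for SECS. Inbound packets with no entry are denied (this model
    assumes a deny-all static ACL on the outside interface)."""
    def __init__(self, aces, timeout):
        self.aces, self.timeout, self.dynamic = aces, timeout, {}
    def outbound(self, proto, src, dst, now):
        verdict = acl_decision(self.aces, proto, src, dst)
        if verdict == "permit":
            self.dynamic[(proto, dst, src)] = now     # keyed on the return direction
        return verdict
    def inbound(self, proto, src, dst, now):
        key, last = (proto, src, dst), self.dynamic.get((proto, src, dst))
        if last is None or now - last > self.timeout:
            self.dynamic.pop(key, None)               # never opened, or idle timeout hit
            return "deny"
        self.dynamic[key] = now                       # return traffic refreshes the timer
        return "permit"

ACES = [parse_ace(line) for line in SAMPLE_ACL]
```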
The Cisco IOS Firewall may also be configured to provide voice security in Session Initiation Protocol (SIP) applications. SIP inspection provides basic inspect functionality (SIP packet inspection and detection of pin-hole openings), as well as protocol conformance and application security. For more information, see “Cisco IOS Firewall: SIP Enhancements: ALG and AIC” at http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_sip_alg_aic.html.

Configuring Cisco IOS IPS

Cisco IOS Intrusion Prevention System (IPS) technology is available on Cisco 880 series ISRs and enhances perimeter firewall protection by taking appropriate action on packets and flows that violate the security policy or represent malicious network activity.

Cisco IOS IPS identifies attacks using “signatures” to detect patterns of misuse in network traffic. Cisco IOS IPS acts as an in-line intrusion detection sensor, watching packets and sessions as they flow through the router, scanning each to match known IPS signatures. When Cisco IOS IPS detects suspicious activity, it responds before network security can be compromised, it logs the event, and, depending on configuration, it does one of the following:
– sends an alarm
– drops suspicious packets
– resets the connection
– denies traffic from the source IP address of the attacker for a specified amount of time
– denies traffic on the connection for which the signature was seen for a specified amount of time

For additional information about configuring Cisco IOS IPS, see the “Configuring Cisco IOS Intrusion Prevention System (IPS)” section of the Cisco IOS Release 12.4T Security Configuration Guide at http://www.cisco.com/en/US/docs/ios/security/configuration/guide/12_4t/sec_12_4t_book.html.

URL Filtering

Cisco 860 series and Cisco 880 series ISRs provide category based URL filtering.
The user provisions URL filtering on the ISR by selecting categories of websites to be permitted or blocked. An external server, maintained by a third party, is used to check for URLs in each category. Permit and deny policies are maintained on the ISR. The service is subscription based, and the URLs in each category are maintained by the third-party vendor. For additional information about configuring URL filtering, see Subscription-based Cisco IOS Content Filtering at http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_url_filtering.html.

Cisco Adaptive Control Technology

Cisco 860 series and Cisco 880 series ISRs support Cisco Adaptive Control Technology (ACT), a reliable rapid-response communication mechanism for responding to and controlling security threats on a network. ACT incorporates the Threat Information Distribution Protocol (TIDP), which provides a rapid and secure mechanism to distribute security threat information, and TIDP Based Mitigation Service (TMS), which provides a framework to rapidly and efficiently distribute threat information to devices across the network.
For additional information about configuring ACT, see Cisco Adaptive Control Technology (ACT) at http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_c_act.html.

Configuring VPN

A virtual private network (VPN) connection provides a secure connection between two networks over a public network such as the Internet. Cisco 860 and Cisco 880 series ISRs support two types of VPNs—site-to-site and remote access. Site-to-site VPNs are used to connect branch offices to corporate offices, for example. Remote access VPNs are used by remote clients to log in to a corporate network. Two examples are given in this section: remote access VPN and site-to-site VPN.

Remote Access VPN

The configuration of a remote access VPN uses Cisco Easy VPN and an IP Security (IPSec) tunnel to configure and secure the connection between the remote client and the corporate network. Figure 6-1 shows a typical deployment scenario.

Figure 6-1 Remote Access VPN Using IPSec Tunnel
1 Remote networked users
2 VPN client—Cisco 880 series access router
3 Router—Providing the corporate office network access
4 VPN server—Easy VPN server; for example, a Cisco VPN 3000 concentrator with outside interface address 210.110.101.1
5 Corporate office with a network address of 10.1.1.1
6 IPSec tunnel
The Cisco Easy VPN client feature eliminates much of the tedious configuration work by implementing the Cisco Unity Client protocol. This protocol allows most VPN parameters, such as internal IP addresses, internal subnet masks, DHCP server addresses, Windows Internet Naming Service (WINS) server addresses, and split-tunneling flags, to be defined at a VPN server, such as a Cisco VPN 3000 series concentrator that is acting as an IPSec server.

A Cisco Easy VPN server–enabled device can terminate VPN tunnels initiated by mobile and remote workers who are running Cisco Easy VPN Remote software on PCs. Cisco Easy VPN server–enabled devices allow remote routers to act as Cisco Easy VPN Remote nodes.

The Cisco Easy VPN client feature can be configured in one of two modes—client mode or network extension mode. Client mode is the default configuration and allows only devices at the client site to access resources at the central site. Resources at the client site are unavailable to the central site. Network extension mode allows users at the central site (where the VPN 3000 series concentrator is located) to access network resources on the client site.

After the IPSec server has been configured, a VPN connection can be created with minimal configuration on an IPSec client, such as a supported Cisco 880 series ISR. When the IPSec client initiates the VPN tunnel connection, the IPSec server pushes the IPSec policies to the IPSec client and creates the corresponding VPN tunnel connection.

Note: The Cisco Easy VPN client feature supports configuration of only one destination peer. If your application requires creation of multiple VPN tunnels, you must manually configure the IPSec VPN and Network Address Translation/Peer Address Translation (NAT/PAT) parameters on both the client and the server.
Cisco 860 and Cisco 880 series ISRs can also be configured to act as Cisco Easy VPN servers, letting authorized Cisco Easy VPN clients establish dynamic VPN tunnels to the connected network. For information on the configuration of Cisco Easy VPN servers, see the Easy VPN Server feature document at http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ftunity.html.

Site-to-Site VPN

The configuration of a site-to-site VPN uses IPSec and the generic routing encapsulation (GRE) protocol to secure the connection between the branch office and the corporate network. Figure 6-2 shows a typical deployment scenario.

Figure 6-2 Site-to-Site VPN Using an IPSec Tunnel and GRE
1 Branch office containing multiple LANs and VLANs
2 Fast Ethernet LAN interface—With address 192.165.0.0/16 (also the inside interface for NAT)
3 VPN client—Cisco 860 or Cisco 880 series ISR