Cisco Systems Router 1800 Series User Manual

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide
OL-6426-02

Chapter 11  Additional Configuration Options
This part of the software configuration guide describes additional configuration options and troubleshooting tips for the Cisco 1800 series integrated services fixed-configuration routers (Cisco 1801, Cisco 1802, Cisco 1803, Cisco 1811, and Cisco 1812).

The configuration options described in this part include:

- Chapter 12, "Configuring Security Features"
- Chapter 13, "Configuring Dial Backup and Remote Management"
- Chapter 14, "Troubleshooting"

The descriptions contained in these chapters do not cover all of your configuration or troubleshooting needs. See the appropriate Cisco IOS configuration guides and command references for additional details.

Note: To verify that a specific feature is compatible with your router, you can use the Software Advisor tool. You can access this tool at www.cisco.com > Technical Support & Documentation > Tools & Resources with your Cisco username and password.
    						
    							 
Chapter 12  Configuring Security Features
This chapter gives an overview of authentication, authorization, and accounting (AAA), the primary Cisco framework for implementing selected security features that can be configured on the Cisco 1800 integrated services fixed-configuration routers.

Note: Individual router models may not support every feature described throughout this guide. Features not supported by a particular router are indicated whenever possible.

This chapter contains the following sections:

- Authentication, Authorization, and Accounting
- Configuring AutoSecure
- Configuring Access Lists
- Configuring a CBAC Firewall
- Configuring Cisco IOS Firewall IDS
- Configuring VPNs

Each section includes a configuration example and verification steps, where available.

Authentication, Authorization, and Accounting

AAA network security services provide the primary framework through which you set up access control on your router. Authentication identifies users, through a login and password dialog, challenge and response, messaging support, and, depending on the security protocol you choose, encryption. Authorization controls what an authenticated user may do, including one-time authorization or authorization for each service, per-user account lists and profiles, user group support, and support of IP, Internetwork Packet Exchange (IPX), AppleTalk Remote Access (ARA), and Telnet. Accounting collects and sends to the security server the information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes.

AAA uses protocols such as RADIUS, TACACS+, or Kerberos to administer its security functions. If your router is acting as a network access server, AAA is the means through which you establish communication between your network access server and your RADIUS, TACACS+, or Kerberos security server.
    						
    							
     
For information about configuring AAA services and supported security protocols, see the following sections of the Cisco IOS Security Configuration Guide:

- Configuring Authentication
- Configuring Authorization
- Configuring Accounting
- Configuring RADIUS
- Configuring TACACS+
- Configuring Kerberos
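As an added example, not taken from the original guide, the following is a minimal AAA configuration on the router itself: TACACS+ for login, EXEC and command authorization, and accounting, with a local account as fallback so that an unreachable TACACS+ server does not lock administrators out. The server address 192.168.10.5, the shared key, the username and the domain name are placeholders; the console line is deliberately kept on local authentication.

```cisco
! Added example, not part of the original guide. Server address, key,
! username and domain name are placeholders; replace them before use.
aaa new-model
!
! Local fallback account. 'secret' stores a hash, 'password' would store
! a reversible type-7 string.
username admin privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
!
! Cisco IOS 12.3 syntax for the TACACS+ server and its shared key.
tacacs-server host 192.168.10.5 key REPLACE-WITH-SHARED-KEY
!
! Authentication: TACACS+ first, local only when no server answers
! (an explicit reject from the server is NOT retried against 'local').
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local
!
! Authorization: the server decides the EXEC privilege level and which
! level-15 commands run; 'if-authenticated' lets an already-authenticated
! user continue if the server becomes unreachable mid-session.
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
!
! Accounting: record every EXEC session and every level-15 command.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Management over SSH only. The 'default' method lists above apply to the
! vty lines automatically.
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 4
 transport input ssh
!
! Console stays on local authentication so a TACACS+ outage, or a typo in
! the method lists, cannot lock you out of the box.
line con 0
 login authentication CONSOLE
```

Keep the session you configured this from open, verify with show tacacs and test aaa group tacacs+ admin <password> legacy, and only then confirm that a fresh SSH login succeeds; the order of methods in each list is the only thing standing between you and a locked router.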
Configuring AutoSecure

The AutoSecure feature disables common IP services that can be exploited for network attacks and enables IP services and features that can aid in the defense of a network when under attack. These IP services are all disabled and enabled simultaneously with a single command (auto secure), greatly simplifying security configuration on your router. Review the configuration AutoSecure generates (show auto secure config) before saving it: among other things it turns on AAA and disables services such as CDP and the HTTP server that other parts of your configuration may depend on. For a complete description of the AutoSecure feature, see the "AutoSecure" feature document.
Configuring Access Lists

Access lists (ACLs) permit or deny network traffic over an interface based on source IP address, destination IP address, or protocol. Access lists are configured as standard or extended. A standard access list either permits or denies passage of packets from a designated source. An extended access list allows designation of both the destination and the source, and it allows designation of individual protocols to be permitted or denied passage. An access list is a series of commands with a common tag to bind them together. The tag is either a number or a name. Table 12-1 lists the commands used to configure access lists.

The source-mask and destination-mask arguments in these commands are wildcard (inverse) masks, not subnet masks: a 0 bit must match, a 1 bit is ignored, so the /24 network 192.168.1.0 is written 192.168.1.0 0.0.0.255.

Table 12-1  Access List Configuration Commands

ACL Type            Configuration Commands
Numbered standard   access-list {1-99} {permit | deny} source-addr [source-mask]
Numbered extended   access-list {100-199} {permit | deny} protocol source-addr [source-mask] destination-addr [destination-mask]
Named standard      ip access-list standard name, followed by {permit | deny} {source [source-wildcard] | any}
Named extended      ip access-list extended name, followed by {permit | deny} protocol {source-addr [source-mask] | any} {destination-addr [destination-mask] | any}
    						
    							 
Access Groups

An access list (a sequence of access list entries bound together with a common name or number) is applied to an interface as an access group. An access group is enabled for an interface during interface configuration with the following command:

ip access-group {number | name} {in | out}

where in | out refers to the direction of travel of the packets being filtered, relative to the router: in filters packets arriving on the interface, out filters packets leaving it.

Guidelines for Creating Access Groups

Use the following guidelines when creating access groups.

- The order of access list entries is significant. A packet is compared against the first entry in the sequence. If there is no match (that is, if neither a permit nor a deny occurs), the packet is compared with the next entry, and so on. The first matching entry decides, and later entries are not consulted.
- All parameters of an entry must match before the packet is permitted or denied by that entry.
- There is an implicit "deny all" at the end of every access list, so a list containing only deny entries blocks all traffic in that direction on the interface.

For more complete information on creating access lists, see the "Access Control Lists: Overview and Guidelines" section of the Cisco IOS Release 12.3 Security Configuration Guide.
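As an added example that is not part of the original guide, the following ingress filter for an Internet-facing interface applies the guidelines above: a named extended access list that drops spoofed and private-range sources before any permit entry, makes the implicit deny explicit so that refused traffic is logged, and is bound inbound with ip access-group. FastEthernet0 as the outside interface (203.0.113.1/24), 192.168.1.0/24 as a routed inside network without NAT, and 203.0.113.50 as the management host are all assumptions for the example.

```cisco
! Added example, not part of the original guide. Interface, addresses and
! the management host are assumptions. Masks are wildcard masks:
! 0 bit = must match, 1 bit = ignored.
!
ip access-list extended OUTSIDE-IN
 remark --- Anti-spoofing first: our inside range never arrives from outside
 deny   ip 192.168.1.0 0.0.0.255 any log
 remark --- RFC 1918 and loopback sources have no business on an Internet link
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 remark --- Order matters: first match wins, so these permits sit below the
 remark --- deny entries; placed above them they would also pass spoofed packets
 permit tcp host 203.0.113.50 host 203.0.113.1 eq 22
 permit icmp any host 203.0.113.1 echo-reply
 permit icmp any host 203.0.113.1 unreachable
 permit icmp any host 203.0.113.1 time-exceeded
 remark --- Pre-stateful workaround for inside-initiated TCP: matches any
 remark --- segment with ACK or RST set, which an attacker can set as well.
 remark --- CBAC (next section) replaces this with real session tracking.
 permit tcp any 192.168.1.0 0.0.0.255 established
 remark --- Make the implicit deny explicit so refused traffic is logged
 deny   ip any any log
!
! Bind the list inbound on the outside interface (an access group).
interface FastEthernet0
 description outside
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
```

show ip access-lists OUTSIDE-IN prints a match counter per entry, which is the quickest way to spot an entry shadowed by one above it (its counter never moves); entries with the log keyword produce %SEC-6-IPACCESSLOG* messages that can be forwarded to a syslog server. A line added to an existing named list is appended at the end, after deny ip any any, so it never matches; insert it with a sequence number or rebuild the list.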
Configuring a CBAC Firewall

Context-Based Access Control (CBAC) lets you configure a stateful firewall where packets are inspected internally and the state of network connections is monitored. This is superior to static access lists, because access lists can only permit or deny traffic based on individual packets, not streams of packets. Also, because CBAC inspects the packets, decisions to permit or deny traffic can be made by examining application layer data, something static access lists cannot do.

To configure a CBAC firewall, specify which protocols to examine by using the following command in global configuration mode:

ip inspect name inspection-name protocol [timeout seconds]

When inspection detects that the specified protocol is passing through the firewall, a dynamic access list entry is created to allow the passage of the return traffic for that session. The timeout parameter specifies the length of time the dynamic entry remains active without return traffic passing through the router. When the timeout value is reached, the dynamic entry is removed, and subsequent packets (possibly valid ones) are not permitted until a new session is opened from the inspected side.

Use the same inspection name in multiple statements to group them into one set of rules. This set of rules is activated on an interface, in interface configuration mode, with the ip inspect inspection-name {in | out} command. CBAC only opens return paths: it still needs a static access list on the untrusted interface that denies inbound traffic by default, otherwise the dynamic entries have nothing to open.

See Chapter 8, "Configuring a Simple Firewall," for a sample configuration. For additional information about configuring a CBAC firewall, see the "Configuring Context-Based Access Control" section of the Cisco IOS Release 12.3 Security Configuration Guide.
    						
    							 
Configuring Cisco IOS Firewall IDS

Cisco IOS Firewall Intrusion Detection System (IDS) technology enhances perimeter firewall protection by taking appropriate action on packets and flows that violate the security policy or represent malicious network activity.

Cisco IOS Firewall IDS identifies 59 of the most common attacks using "signatures" to detect patterns of misuse in network traffic. It acts as an in-line intrusion detection sensor, watching packets and sessions as they flow through the router, scanning each to match any of the IDS signatures. When it detects suspicious activity, it responds before network security can be compromised, logs the event, and, depending on configuration, sends an alarm, drops suspicious packets, or resets the TCP connection. Because detection is purely signature based, traffic that matches none of those signatures passes unnoticed; treat the IDS as a complement to the CBAC firewall and access lists, not a replacement for them.

For additional information about configuring Cisco IOS Firewall IDS, see the "Configuring Cisco IOS Firewall Intrusion Detection System" section of the Cisco IOS Release 12.3 Security Configuration Guide.
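As an added example serving both the CBAC section and this IDS section (it is not from the original guide or its Chapter 8 sample), the following is a two-interface perimeter: CBAC applied inbound on the inside interface opens return paths through a default-deny access list on the outside interface, and an IOS Firewall IDS audit rule on the outside interface alarms on informational signatures and drops and resets on attack signatures. The interface names, the addresses, the management host 203.0.113.50 and the syslog server 192.0.2.10 are assumptions.

```cisco
! Added example, not part of the original guide. Interfaces, addresses,
! management host and syslog server are assumptions.
! Inside = FastEthernet1 (192.168.1.0/24), outside = FastEthernet0 (203.0.113.1).
!
! 1. Inspection rule set: protocols whose return traffic CBAC will open.
!    The timeouts are per-session idle limits in seconds.
ip inspect name FW tcp timeout 3600
ip inspect name FW udp timeout 30
ip inspect name FW http
ip inspect name FW ftp
ip inspect name FW icmp
!
! Log every session CBAC opens and closes.
ip inspect audit-trail
!
! 2. Static list on the outside interface: default deny inbound. Only the
!    entries CBAC adds dynamically, plus SSH from the management host, pass.
ip access-list extended OUTSIDE-IN
 permit tcp host 203.0.113.50 host 203.0.113.1 eq 22
 deny   ip any any log
!
! 3. IOS Firewall IDS audit rule: alarm on informational signatures,
!    alarm + drop + TCP reset on attack signatures. Alarms go to syslog.
ip audit notify log
ip audit name IDS info action alarm
ip audit name IDS attack action alarm drop reset
!
logging 192.0.2.10
logging trap informational
!
! 4. Bind everything. Inspection is applied "in" on the inside interface,
!    i.e. to sessions as they leave the trusted network; the deny list and
!    the IDS rule face the untrusted side.
interface FastEthernet1
 description inside
 ip address 192.168.1.1 255.255.255.0
 ip inspect FW in
!
interface FastEthernet0
 description outside
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip audit IDS in
```

show ip inspect sessions lists the dynamic entries currently open, show ip inspect config and show ip audit configuration confirm the rules, and the match counters of the deny entry in OUTSIDE-IN show what is being refused. Anything the inside must accept unsolicited (a VPN peer, for instance) has to be added to OUTSIDE-IN explicitly; CBAC will not open it.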
Configuring VPNs

A virtual private network (VPN) connection provides a secure connection between two networks over a public network such as the Internet. Cisco 1800 series fixed-configuration access routers support site-to-site VPNs using IP security (IPSec) tunnels and generic routing encapsulation (GRE). Permanent VPN connections between two peers, or dynamic VPNs using EZVPN or DMVPN, which create and tear down VPN connections as needed, can be configured. Chapter 6, "Configuring a VPN Using Easy VPN and an IPSec Tunnel," and Chapter 7, "Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation," show examples of how to configure your router with these features. For more information about IPSec and GRE configuration, see the "Configuring IPSec Network Security" chapter of the Cisco IOS Release 12.3 Security Configuration Guide.

For information about additional VPN configurations supported by Cisco 1800 series fixed-configuration access routers, see the following feature documents:

- "VPN Access Control Using 802.1X Authentication": 802.1X authentication allows enterprise employees to access their enterprise networks from home while allowing other household members to access only the Internet.
- "EZVPN Server": Cisco 1800 series fixed-configuration routers can be configured to act as EZVPN servers, letting authorized EZVPN clients establish dynamic VPN tunnels to the connected network.
- "Dynamic Multipoint VPN (DMVPN)": The DMVPN feature creates VPN tunnels between multiple routers in a multipoint configuration as needed, simplifying the configuration and eliminating the need for permanent, point-to-point VPN tunnels.
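As an added example, not taken from Chapter 6 or 7 of the guide, the following is a minimal permanent site-to-site IPSec tunnel between two routers. The peer 203.0.113.2, the local outside address 203.0.113.1, the two LANs 192.168.1.0/24 and 192.168.2.0/24 and the pre-shared key are placeholders. The cipher choices are deliberate: the IOS default ISAKMP policy uses 56-bit DES and Diffie-Hellman group 1, which are far too weak; AES-256, SHA and group 14 need an image that supports them (older 12.3 images can use group 5 instead).

```cisco
! Added example, not part of the original guide. Peer, addresses, LANs
! and the pre-shared key are placeholders.
!
! Phase 1 (ISAKMP): strongest suite the image offers. DES, MD5 and DH
! group 1/2 are the weak legacy options; avoid them. Use group 5 on images
! that do not accept group 14.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
!
! Pre-shared key bound to exactly one peer address, never to 0.0.0.0.
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 203.0.113.2
!
! Phase 2 (IPsec): AES-256 with SHA-1 HMAC, tunnel mode.
crypto ipsec transform-set STRONG esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Which traffic is protected: LAN to LAN only. Anything else leaves in clear.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map SITE2SITE 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set STRONG
 set pfs group14
 match address VPN-TRAFFIC
!
interface FastEthernet0
 description outside
 ip address 203.0.113.1 255.255.255.0
 crypto map SITE2SITE
!
! The remote LAN must be routed out of the interface carrying the crypto
! map, otherwise the map never sees the traffic.
ip route 192.168.2.0 255.255.255.0 203.0.113.2
```

If an inbound access list is applied on FastEthernet0 (as in the CBAC example), it must permit udp port 500 and esp from 203.0.113.2, or Phase 1 never completes. Verify with show crypto isakmp sa (state QM_IDLE) and show crypto ipsec sa (encrypt and decrypt counters increasing) after sending traffic from one LAN to the other. The peer needs the mirror-image configuration: same policy, same transform set, and VPN-TRAFFIC with source and destination swapped.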
    						
Chapter 13  Configuring Dial Backup and Remote Management
The Cisco 1800 integrated services fixed-configuration routers support dial-in (for remote management) and dial-out (for dial backup) capabilities. By allowing you to configure a backup modem line connection, the Cisco 1800 integrated services fixed-configuration routers provide protection against WAN downtime. Dial backup is inactive by default, and must be configured to be active. A dial-in port is a path into the router that bypasses the WAN, so require PPP authentication (CHAP) or AAA on it before enabling dial-in.

Dial backup and remote management functions are configured through the ISDN S/T port of the Cisco 1812, Cisco 1801, Cisco 1802, and Cisco 1803 routers. These functions are configured through the V.92 modem port of the Cisco 1811 router.

This chapter contains the following topics:

- Dial Backup Feature Activation Methods
- Dial Backup Feature Limitations
- Configuring Dial Backup and Remote Management Through the ISDN S/T Port
- Configuring Dial Backup and Remote Management Through a V.92 Modem

Dial Backup Feature Activation Methods

Three methods are available to activate the dial backup feature:

- Backup Interfaces
- Floating Static Routes
- Dialer Watch

Backup Interfaces

When the router receives an indication that the primary line is down, a backup interface is brought up. You can configure the backup interface to go down once the primary connection has been restored for a specified period.

This is accomplished using dial-on-demand routing (DDR). When this is configured, a backup call is triggered by specified traffic.
    						
    							
     
Note: Even if the backup interface comes out of standby mode (is brought up), the router does not trigger the backup call unless it receives the specified traffic for that backup interface.
Configuring Backup Interfaces

Perform these steps to configure your router with a backup interface, beginning in global configuration mode:

Step 1  interface type number
        Example:
        Router(config)# interface atm 0
        Router(config-if)#
        Enters interface configuration mode for the interface for which you want to configure backup. This can be a serial interface, ISDN interface, or asynchronous interface. The example shows the configuration of a backup interface for an ATM WAN connection.

Step 2  backup interface interface-type interface-number
        Example:
        Router(config-if)# backup interface bri 0
        Router(config-if)#
        Assigns an interface as the secondary, or backup, interface. This can be a serial interface or asynchronous interface. For example, a serial 1 interface could be configured to back up a serial 0 interface. The example shows a Basic Rate Interface configured as the backup interface for the ATM 0 interface.

Step 3  exit
        Example:
        Router(config-if)# exit
        Router(config)#
        Returns to global configuration mode.
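As an added example that is not part of the original guide, the following is the complete DDR configuration that the three steps above sit inside: the backup delay that stops a flapping primary from thrashing the ISDN call, the BRI interface that dials only when interesting traffic needs to leave, and the CHAP credentials. ATM0 as the primary (its PVC and addressing are not shown), BRI0 as the backup, the basic-net3 switch type, the dial string 5551234 and the peer name hq-router are assumptions.

```cisco
! Added example, not part of the original guide. ATM0 PVC/addressing are
! omitted; switch type, dial string, peer name and CHAP secret are
! placeholders.
!
! Primary WAN: the backup command lives on the primary interface.
interface ATM0
 description primary DSL link
 backup interface BRI0
 ! Wait 10 s of primary-down before dialing; keep the call up for 60 s
 ! after the primary returns so a flapping line does not thrash the call.
 backup delay 10 60
!
! The ISDN switch type must be set before BRI0 can leave standby.
isdn switch-type basic-net3
!
! Backup interface: stays in standby until ATM0 goes down, and even then
! only dials when "interesting" traffic (dialer-list 1) needs to leave.
interface BRI0
 description ISDN dial backup
 ip address negotiated
 encapsulation ppp
 dialer string 5551234
 dialer idle-timeout 300
 dialer-group 1
 ppp authentication chap
 no cdp enable
!
! Interesting traffic: any IP places the call. Narrow this with an ACL if
! routing-protocol chatter alone must not dial.
dialer-list 1 protocol ip permit
!
! CHAP needs the cleartext secret, so 'secret' cannot be used here;
! service password-encryption at least keeps it out of plain view.
service password-encryption
username hq-router password REPLACE-WITH-CHAP-SECRET
!
! Default routes: primary via ATM0, a floating default via BRI0 that is
! usable only while BRI0 is up.
ip route 0.0.0.0 0.0.0.0 ATM0
ip route 0.0.0.0 0.0.0.0 BRI0 250
```

show backup shows which interface is standing by for which primary; show dialer shows the call state and the packet that triggered it; show isdn status confirms the switch type negotiated with the provider (Layer 2 ACTIVE), which is the usual reason a backup call never happens.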
Floating Static Routes

Floating static routes provide alternative routes for traffic. A floating static route is a static route given an administrative distance higher than that of the primary route, so it stays out of the routing table until the primary route is withdrawn. Floating static routes are not activated unless a DDR backup call has been triggered by specified traffic for a backup interface.

Floating static routes are independent of line protocol status. This is an important consideration for Frame Relay circuits because the line protocol may not go down if the data-link connection identifier (DLCI) is inactive. Floating static routes are also encapsulation independent.

Note: When static routes are configured, the primary interface protocol must go down in order to activate the floating static route.
    						
    							
     
Configuring Floating Static Routes

Static and dynamic routes are the two components of floating static routes. Perform these steps to configure the static and dynamic routes on your router, beginning in global configuration mode:

Step 1  ip route prefix mask {ip-address | interface-type interface-number [ip-address]}
        Example:
        Router(config)# ip route 0.0.0.0 0.0.0.0 22.0.0.2
        Router(config)#
        Assigns the primary static route. A static route without an explicit distance gets the default administrative distance of 1.

Step 2  ip route prefix mask {ip-address | interface-type interface-number [ip-address]} [distance]
        Example:
        Router(config)# ip route 0.0.0.0 0.0.0.0 192.168.2.2 150
        Router(config)#
        Assigns the floating static route for the backup interface with a higher administrative distance (150 here) than the primary route, so it is installed only when the primary route is withdrawn. 192.168.2.2 is the peer IP address of the backup interface.

Step 3  router rip
        Example:
        Router(config)# router rip
        Router(config)#
        Enables RIP routing.

Step 4  network ip-address
        Example:
        Router(config)# network 22.0.0.0
        Router(config)#
        Defines the primary interface network. 22.0.0.0 is the network value of the primary interface.

Note: When dynamic routing is activated, the floating static route depends upon routing protocol convergence times.
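As an added example that is not part of the original guide, the following shows the dynamic variant the Note refers to: the primary default route is learned by RIP (administrative distance 120) and the floating static default (distance 150) takes over only when the RIP route has aged out. The addresses follow the steps above (22.0.0.0/8 on the primary link, 192.168.2.2 as the backup peer); the interface names, dial string and RIP timer values are assumptions.

```cisco
! Added example, not part of the original guide. Interface names, dial
! string and timer values are assumptions.
!
! Primary: the default route arrives by RIP from the upstream router
! (distance 120) and leaves the routing table when updates stop, after
! the RIP invalid and flush timers expire.
interface Serial0
 description primary link to peer 22.0.0.2
 ip address 22.0.0.1 255.0.0.0
!
router rip
 version 2
 network 22.0.0.0
 ! No RIP over the dial line: it would count as interesting traffic and
 ! keep the call up forever.
 passive-interface BRI0
 ! Shorter convergence: 10 s updates, invalid after 30 s, flushed after
 ! 60 s. The defaults (30/180/180/240) delay failover by minutes.
 timers basic 10 30 30 60
!
! Backup: same prefix, distance 150 > 120, so it "floats" below the RIP
! default and is installed only once the RIP route is gone. An idle DDR
! interface shows up/up (spoofing), so its connected route exists and the
! floating route can be installed without a call being up.
ip route 0.0.0.0 0.0.0.0 192.168.2.2 150
!
! The route alone dials nothing: the first interesting packet routed to
! BRI0 places the call. RIP itself is excluded from "interesting".
access-list 101 deny   udp any any eq rip
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
interface BRI0
 ip address 192.168.2.1 255.255.255.0
 encapsulation ppp
 dialer string 5551234
 dialer idle-timeout 300
 dialer-group 1
```

show ip route lists S* 0.0.0.0/0 [150/0] via 192.168.2.2 only after the R* 0.0.0.0/0 [120/...] entry has aged out. Contrast this with Step 1's static primary: a static default via 22.0.0.2 stays installed as long as the line protocol of Serial0 is up, which is why the Note above says the primary interface protocol must go down for a static primary.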
    						
    							 
Dialer Watch

The dialer watch method monitors the routing table for a watched route and places the backup call when that route disappears. It only supports routes learned by the Enhanced Interior Gateway Routing Protocol (EIGRP) dynamic routing protocol.

Configuring Dialer Watch

Perform these steps to configure a dialer watch on your router, beginning in global configuration mode:

Step 1  interface type number
        Example:
        Router(config)# interface dialer 2
        Router(config-if)#
        Enters configuration mode for the dial backup interface.

Step 2  dialer watch-group group-number
        Example:
        Router(config-if)# dialer watch-group 2
        Router(config-if)#
        Specifies the group number for the watch list. The routes to watch are defined with the global dialer watch-list group-number ip ip-address mask command.

Step 3  exit
        Example:
        Router(config-if)# exit
        Router(config)#
        Returns to global configuration mode.

Step 4  ip route prefix mask {ip-address | interface-type interface-number [ip-address]} [distance]
        Example:
        Router(config)# ip route 0.0.0.0 0.0.0.0 22.0.0.2
        Router(config)#
        Assigns the primary route. 22.0.0.2 is the peer IP address of the primary interface.
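As an added example that is not part of the original guide, the following is a complete dialer watch configuration around the four steps above, using a dialer profile (Dialer2 backed by BRI0) so the watch group sits on a logical interface. The network numbers follow the steps (22.0.0.0/8 across the primary link); the EIGRP autonomous system 100, the watched prefix 10.1.0.0/16 at the central site, the dial string and the switch type are assumptions.

```cisco
! Added example, not part of the original guide. AS number, watched
! prefix, dial string and switch type are assumptions.
!
! Primary link runs EIGRP. The watched route must be one EIGRP learns over
! that link, so that losing it means the link or the peer is gone.
interface Serial0
 ip address 22.0.0.1 255.0.0.0
!
router eigrp 100
 network 22.0.0.0
 network 192.168.2.0
 no auto-summary
!
! Watch list 2: dial if 10.1.0.0/16 (learned via EIGRP) leaves the routing
! table. The mask is a normal subnet mask, not a wildcard, and must match
! the route exactly.
dialer watch-list 2 ip 10.1.0.0 255.255.0.0
! Do not evaluate the watch list for the first 15 s after boot, so the
! call is not placed before EIGRP has converged.
dialer watch-list 2 delay route-check initial 15
!
! Dialer profile: the logical interface that owns the call.
interface Dialer2
 ip address 192.168.2.1 255.255.255.0
 encapsulation ppp
 dialer pool 1
 dialer string 5551234
 dialer-group 1
 dialer watch-group 2
 ! Keep the call up 60 s after the watched route returns before hanging up.
 dialer watch-disable 60
 ppp authentication chap
!
! Physical ISDN interface contributed to the pool.
isdn switch-type basic-net3
interface BRI0
 no ip address
 encapsulation ppp
 dialer pool-member 1
!
! Dialer watch dials without waiting for interesting traffic, but a
! dialer-group is still required on the dialer interface.
dialer-list 1 protocol ip permit
!
! Primary default route toward the peer, as in Step 4 above.
ip route 0.0.0.0 0.0.0.0 22.0.0.2
```

show dialer on Dialer2 reports the reason for the last call (a watched-route loss shows up as "Dialing cause: dialer watch"), and debug dialer shows each route check as it happens. Watch a route that only exists while the primary link works; watching the primary static default of Step 4 would never trigger, because a static route is not withdrawn by a dead peer unless the interface itself goes down.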
    						