Cisco VPN Config Guide - CG
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public
domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn,
and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the
Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering the Internet
Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise,
the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX,
Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView Plus, TeleRouter, The Fastest Way to Increase Your Internet Quotient,
and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (0502R)
Cisco IOS Enterprise VPN Configuration Guide
Copyright 1999-2005, Cisco Systems, Inc.
All rights reserved.
CONTENTS
Preface ix
  Purpose ix
  Audience
  Organization
  Related Documentation xi
Chapter 1
  Getting Help 1-2
  Finding Command Options 1-3
Chapter 2
  Assumptions
Chapter 3 Site-to-Site and Extranet VPN Business Scenarios
  Scenario Descriptions 3-2
    Site-to-Site Scenario 3-2
    Extranet Scenario 3-4
  Step 1 Configuring the Tunnel 3-6
    Configuring a GRE Tunnel 3-7
      Configuring the Tunnel Interface, Source, and Destination 3-8
      Verifying the Tunnel Interface, Source, and Destination 3-9
    Configuring an IPSec Tunnel 3-9
  Step 2 Configuring Network Address Translation 3-10
    Configuring Static Inside Source Address Translation 3-13
    Verifying Static Inside Source Address Translation 3-13
  Step 3 Configuring Encryption and IPSec 3-14
Chapter 4 Remote Access VPN Business Scenarios
  Configuring a Cisco IOS VPN Gateway for Use with Cisco Secure VPN Client Software
  Configuring a Cisco IOS VPN Gateway for Use with Microsoft Dial-Up Networking
    Configuring PPTP/MPPE 4-4
      Configuring a Virtual Template for Dial-In Sessions 4-5
      Configuring PPTP 4-5
      Configuring MPPE 4-6
      Verifying PPTP/MPPE 4-6
    Configuring L2TP/IPSec 4-6
      Configuring a Virtual Template for Dial-In Sessions 4-6
      Configuring L2TP 4-7
      Verifying L2TP 4-7
      Configuring Encryption and IPSec 4-7
    Configuring Cisco IOS Firewall Authentication Proxy 4-8
      Configuring Authentication, Authorization, and Accounting
      Configuring the HTTP Server 4-9
      Configuring the Authentication Proxy 4-10
      Verifying the Authentication Proxy 4-11
    Comprehensive Configuration Examples
      PPTP/MPPE Configuration 4-11
      L2TP/IPSec Configuration 4-13
Chapter 5
  VPN Network Management Tools
    Cisco Secure Policy Manager
  Related Documents 5-15
INDEX
Cisco IOS VPN Configuration Guide
OL-8336-01
Preface
This preface describes the purpose, objectives, audience, organization, and conventions of the Cisco IOS
VPN Configuration Guide and includes the following sections:
Purpose, page ix
Audience, page x
Organization, page x
Note
In this Guide, the term Cisco 7200 series router implies that an Integrated Service Adaptor (ISA) or a
VAM (VAM, VAM2, or VAM2+) is installed in the Cisco 7200 series router.
Purpose
This software configuration guide explains the basic considerations and tasks necessary to configure
IP-based, multiservice site-to-site, and remote access Virtual Private Networks (VPNs) on your Cisco
7200 series router. VPNs integrate security and quality of service (QoS) through network technologies
such as Generic Routing Encapsulation (GRE) and IP Security Protocol (IPSec) tunneling, and
high-speed encryption to ensure private transactions over public data networks. This guide does not
cover every available feature; it is not intended to be a comprehensive VPN configuration guide. Instead,
this guide simply explains the basic tasks necessary to configure site-to-site and remote access VPNs on
your Cisco 7200 series router.
Note
Use this guide after you install, power up, and initially configure your Cisco 7200 series
router for network connectivity. Refer to the Installation and Configuration Guide at
http://www.cisco.com/en/US/products/hw/routers/ps341/tsd_products_support_series_home.html
for instructions on how to install, power up, and initially configure your Cisco
7200 series router.
Audience
This software configuration guide is intended primarily for the following audiences:
System administrators who are responsible for installing and configuring internetworking
equipment, who are familiar with the fundamentals of Cisco 7200 series router-based
internetworking, and who are familiar with Cisco IOS software and Cisco products
System administrators who are familiar with the fundamentals of Cisco 7200 series router-based
internetworking and who are responsible for installing and configuring internetworking equipment,
but who might not be familiar with the specifics of Cisco products or the routing protocols supported
by Cisco products
Organization
The major sections of this guide follow:
Chapter | Title | Description
Related Documentation
Your Cisco 7200 series router and the Cisco IOS software running on it contain extensive features and
functionality, which are documented in the following resources:
For Cisco 7200 series router hardware installation and initial software configuration information,
refer to the following publications located at
http://www.cisco.com/en/US/products/hw/routers/ps341/tsd_products_support_series_home.html:
The Quick Start Guide for your Cisco 7200 series router
The Installation and Configuration Guide for your Cisco 7200 series router
For international agency compliance, safety, and statutory information for Cisco 7200 series router,
refer to the Regulatory Compliance and Safety Information publication for your Cisco 7200 series
router at
http://www.cisco.com/en/US/products/hw/routers/ps341/products_regulatory_approvals_and_compliance09186a00800a94d7.html.
For information on installing and replacing field-replaceable units (FRUs), refer to the Installing
field-replaceable units publication for your Cisco 7200 series router at
http://www.cisco.com/en/US/products/hw/routers/ps341/prod_installation_guides_list.html.
For information on installing and replacing the integrated service module (ISM), refer to the
integrated service adapter and integrated service module installation and configuration publication
for your Cisco 7200 series router at
http://www.cisco.com/en/US/products/hw/switches/ps708/prod_module_install_config_guide09186a0080145522.html.
For information on installing and replacing your VPN Acceleration Module (VAM), refer to the
VAM installation and configuration publication for your Cisco 7200 series router at
http://www.cisco.com/en/US/products/hw/routers/ps341/products_installation_and_configuration_guides_list.html.
For information on the port adapter installed in the Cisco 7200 series router, refer to the individual
installation and configuration guides for each port adapter at
http://www.cisco.com/en/US/products/hw/modules/ps2033/tsd_products_support_series_home.html.
For configuration information and support, refer to the modular configuration and modular
command reference publications at
http://www.cisco.com/en/US/products/hw/modules/tsd_products_support_category_home.html.
Note
To determine the minimum Cisco IOS software requirements for your Cisco 7200 series router,
Cisco maintains the Software Advisor tool on Cisco.com. This tool does not verify whether modules
within a system are compatible, but it does provide the minimum IOS requirements for individual
hardware modules or components. Registered Cisco Direct users can access the Software Advisor
at: http://tools.cisco.com/Support/Fusion/FusionHome.do.
For detailed information on hardware, software configuration, troubleshooting, and other topics
related to IP security and VPN, refer to
http://www.cisco.com/en/US/products/hw/vpndevc/tsd_products_support_category_home.html.
For information on interfaces and Cisco IOS network design, implementation, configuration,
verification, troubleshooting, operation, and maintenance, refer to
http://www.cisco.com/en/US/products/sw/iosswrel/tsd_products_support_category_home.html.
If you're a registered Cisco Direct Customer, you can access the tools index at
http://www.cisco.com/en/US/products/prod_tools_index.html.
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several
ways to obtain technical assistance and other technical resources. These sections explain how to obtain
technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/techsupport
You can access the Cisco website at this URL:
http://www.cisco.com
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Ordering Documentation
Beginning June 30, 2005, registered Cisco.com users may order Cisco documentation at the Product
Documentation Store in the Cisco Marketplace at this URL:
http://www.cisco.com/go/marketplace/
Nonregistered Cisco.com users can order technical documentation from 8:00 a.m. to 5:00 p.m.
(0800 to 1700) PDT by calling 1 866 463-3487 in the United States and Canada, or elsewhere by
calling 011 408 519-5055. You can also order documentation by e-mail at
tech-doc-store-mkpl@external.cisco.com or by fax at 1 408 519-5001 in the United States and Canada,
or elsewhere at 011 408 519-5001.
Documentation Feedback
You can rate and provide feedback about Cisco technical documents by completing the online feedback
form that appears with the technical documents on Cisco.com.
You can send comments about Cisco documentation to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your
document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
A current list of security advisories and notices for Cisco products is available at this URL:
http://www.cisco.com/go/psirt
If you prefer to see advisories and notices as they are updated in real time, you can access a Product
Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL:
http://www.cisco.com/en/US/products/products_psirt_rss_feed.html
Emergencies: security-alert@cisco.com
Nonemergencies: psirt@cisco.com
Telephone: 1 877 228-7302 or 1 408 525-6532
An emergency is either a condition in which a system is under active attack or a condition for which
a severe and urgent security vulnerability should be reported. All other conditions are considered
nonemergencies.
Tip
We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive
information that you send to Cisco. PSIRT can work from encrypted information that is compatible with
PGP versions 2.x through 8.x.
Never use a revoked or an expired encryption key. The correct public key to use in your correspondence
with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page
at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
The link on this page has the current PGP key ID in use.
Obtaining Technical Assistance
Note
Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting
a web or phone request for service. You can access the CPI tool from the Cisco Technical Support &
Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose
Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco
Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by
product ID or model name; by tree view; or for certain products, by copying and pasting show command
output. Search results show an illustration of your product with the serial number label location
highlighted. Locate the serial number label on your product and record the information before placing a
service call.
Severity 1 (S1): Your network is down, or there is a critical impact to your business operations. You
and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2): Operation of an existing network is severely degraded, or significant aspects of your
business operation are negatively affected by inadequate performance of Cisco products. You and Cisco
will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3): Operational performance of your network is impaired, but most business operations
remain functional. You and Cisco will commit resources during normal business hours to restore service
to satisfactory levels.
Severity 4 (S4): You require information or assistance with Cisco product capabilities, installation, or
configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo
merchandise. Visit Cisco Marketplace, the company store, at this URL:
http://www.cisco.com/go/marketplace/
Cisco Press publishes a wide range of general networking, training and certification titles. Both new
and experienced users will benefit from these publications. For current Cisco Press titles and other
information, go to Cisco Press at this URL:
http://www.ciscopress.com
Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and
networking investments. Each quarter, Packet delivers coverage of the latest industry trends,
technology breakthroughs, and Cisco products and solutions, as well as network deployment and
troubleshooting tips, configuration examples, customer case studies, certification and training
information, and links to scores of in-depth online resources. You can access Packet magazine at
this URL:
http://www.cisco.com/packet
iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies
learn how they can use technology to increase revenue, streamline their business, and expand
services. The publication identifies the challenges facing these companies and the technologies to
help solve them, using real-world case studies and business strategies to help readers make sound
technology investment decisions. You can access iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
or view the digital edition at this URL:
http://ciscoiq.texterity.com/ciscoiq/sample/
Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering
professionals involved in designing, developing, and operating public and private internets and
intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
Networking products offered by Cisco Systems, as well as customer support services, can be
obtained at this URL:
http://www.cisco.com/en/US/products/index.html
World-class networking training is available from Cisco. You can view current offerings at
this URL:
http://www.cisco.com/en/US/learning/index.html
CHAPTER 1
For an overview of Cisco IOS software configuration, refer to the Configuration Fundamentals
Configuration Guide. See Related Documentation section on page xi for additional information.
Conventions
Command descriptions use the following conventions: boldface font, italic font, [ ], {x | y | z},
[x | y | z], string, screen font, boldface screen font, italic screen font, < >, [ ], and !, #.
A pointer highlights an important line of text in an example.
Note
Means reader take note. Notes contain helpful suggestions or references to material not
covered in the publication.
Getting Help
Entering a question mark (?) at the system prompt displays a list of commands available for each
command mode. You can also get a list of any command's associated keywords and arguments with the
context-sensitive help feature.
To get help specific to a command mode, a command, a keyword, or an argument, use one of the
following commands:
help
abbreviated-command-entry?
abbreviated-command-entry<Tab>
command ?
command keyword ?
Press Ctrl-P or the up arrow key to recall commands in the history buffer, beginning with the most recent
command. Repeat the key sequence to recall successively older commands. Press Ctrl-N or the down
arrow key to return to more recent commands in the history buffer after recalling commands with Ctrl-P
or the up arrow key. Repeat the key sequence to recall successively more recent commands.
The arrow keys function only on ANSI-compatible terminals such as VT100s.
Table 1-1 Finding Command Options (example: controller t1 1)
Command:
Router> enable
Password: <password>
Router#
Command:
Router(config)# controller t1 ?
<0-3> Controller unit number
Router(config)# controller t1 1
Router(config-controller)#
Comment: Enter a ? to display what you must enter next on the command line.
In this example, you must enter a controller unit number from 0 to 3.
You have entered controller configuration mode when the prompt
changes to Router(config-controller)#.
Command:
Router(config-controller)# ?
Controller configuration commands:
cablelength    Specify the cable length for a DS1 link
cas-group      Configure the specified timeslots for CAS (Channel Associate Signals)
channel-group  Specify the timeslots to channel-group mapping for an interface
clock          Specify the clock source for a DS1 link
default        Set a command to its defaults
description    Controller specific description
ds0            ds0 commands
exit           Exit from controller configuration mode
fdl            Specify the FDL standard for a DS1 data link
framing        Specify the type of Framing on a DS1 link
help           Description of the interactive help system
linecode       Specify the line encoding method for a DS1 link
loopback       Put the entire T1 line into loopback
no             Negate a command or set its defaults
pri-group      Configure the specified timeslots for PRI
shutdown       Shut down a DS1 link (send Blue Alarm)
Router(config-controller)#
Comment: Enter the command that you want to configure for the controller. In
this example, the cas-group command is used.
Command:
Router(config-controller)# cas-group ?
<0-23> Channel number
Router(config-controller)# cas-group
Comment: Enter a ? to display what you must enter next on the command line.
In this example, you must enter a channel number from 0 to 23.
When the system redisplays the command, it indicates that you must
enter more keywords to complete the command.
Command:
Router(config-controller)# cas-group 1 ?
timeslots List of timeslots in the cas-group
Router(config-controller)# cas-group 1
Comment: After you enter the channel number, enter a ? to display what you
must enter next on the command line. In this example, you must enter
the timeslots keyword.
When the system redisplays the command, it indicates that you must
enter more keywords to complete the command.
Command:
Router(config-controller)# cas-group 1 timeslots ?
<1-24> List of timeslots which comprise the cas-group
Router(config-controller)# cas-group 1 timeslots
Comment: After you enter the timeslots keyword, enter a ? to display what you
must enter next on the command line. In this example, you must enter
a list of timeslots from 1 to 24.
You can specify timeslot ranges (for example, 1-24), individual
timeslots separated by commas (for example 1, 3, 5), or a
combination of the two (for example 1-3, 8, 17-24). The 16th time
slot is not specified in the command line, because it is reserved for
transmitting the channel signaling.
When the system redisplays the command, it indicates that you must
enter more keywords to complete the command.
Command:
Router(config-controller)# cas-group 1 timeslots 1-24 ?
service  Specify the type of service
type     Specify the type of signaling
Router(config-controller)# cas-group 1 timeslots 1-24
Comment: After you enter the timeslot ranges, enter a ? to display what you must
enter next on the command line. In this example, you must enter the
service or type keyword.
When the system redisplays the command, it indicates that you must
enter more keywords to complete the command.
Command:
Router(config-controller)# cas-group 1 timeslots 1-24 type ?
e&m-fgb              E & M Type II FGB
e&m-fgd              E & M Type II FGD
e&m-immediate-start  E & M Immediate Start
fxs-ground-start     FXS Ground Start
fxs-loop-start       FXS Loop Start
sas-ground-start     SAS Ground Start
sas-loop-start       SAS Loop Start
Router(config-controller)# cas-group 1 timeslots 1-24 type
Comment: In this example, the type keyword is entered. After you enter the type
keyword, enter a ? to display what you must enter next on the
command line. In this example, you must enter one of the signaling
types.
When the system redisplays the command, it indicates that you must
enter more keywords to complete the command.
Command:
Router(config-controller)# cas-group 1 timeslots 1-24 type e&m-fgb ?
dtmf     DTMF tone signaling
mf       MF tone signaling
service  Specify the type of service
<cr>
Router(config-controller)# cas-group 1 timeslots 1-24 type e&m-fgb
Comment: In this example, the e&m-fgb keyword is entered. After you enter the
e&m-fgb keyword, enter a ? to display what you must enter next on
the command line. In this example, you can enter the dtmf, mf, or
service keyword to indicate the type of channel-associated signaling
available for the e&m-fgb signaling type.
When the system redisplays the command, it indicates that you can
enter more keywords or press <cr> to complete the command.
Command:
Router(config-controller)# cas-group 1 timeslots 1-24 type e&m-fgb dtmf ?
dnis     DNIS addr info provisioned
service  Specify the type of service
<cr>
Router(config-controller)# cas-group 1 timeslots 1-24 type e&m-fgb dtmf
Comment: In this example, the dtmf keyword is entered. After you enter the
dtmf keyword, enter a ? to display what you must enter next on the
command line. In this example, you can enter the dnis or service
keyword to indicate the options available for dtmf tone signaling.
When the system redisplays the command, it indicates that you can
enter more keywords or press <cr> to complete the command.
Command:
Router(config-controller)# cas-group 1 timeslots 1-24 type e&m-fgb dtmf
Router(config-controller)#
Using configuration modes, you can make changes to the running configuration. If you later save the
configuration, these commands are stored across router reboots. To get to the various configuration
modes, you must start at global configuration mode. From global configuration mode, you can enter
interface configuration mode, subinterface configuration mode, and a variety of protocol-specific modes.
ROM monitor mode is a separate mode used when the router cannot boot properly. If your router or
access server does not find a valid system image when it is booting, or if its configuration file is
corrupted at startup, the system might enter ROM monitor mode.
Table 1-2 Command Modes
Mode: User EXEC
Access Method: Log in.
Prompt: Router>
Mode: Privileged EXEC
Prompt: Router#
Mode: Global configuration
Access Method: From privileged EXEC mode, use the configure terminal privileged EXEC command.
Prompt: Router(config)#
Mode: Interface configuration
Access Method: From global configuration mode, enter by specifying an interface with an interface command.
Prompt: Router(config-if)#
Mode: Subinterface configuration
Mode: ROM monitor
Access Method: From privileged EXEC mode, use the reload EXEC command. Press the Break key during the first 60 seconds while the system is booting.
Prompt: >
For more information about command modes, refer to the Using the Command Line Interface chapter
of the Configuration Fundamentals Configuration Guide.
It might take a minute or two to save the configuration. After the configuration has been saved, the
following output appears:
[OK]
Router#
On most platforms, this step saves the configuration to nonvolatile random-access memory (NVRAM).
On Class A Flash memory file systems, such as Cisco 7100 series routers, this step saves the
configuration to the location specified by the CONFIG_FILE environment variable. The CONFIG_FILE
variable defaults to NVRAM.
CHAPTER 2
Note
In this Guide, the term Cisco 7200 series router implies that an Integrated Service Adaptor (ISA) or a
VAM (VAM, VAM2, or VAM2+) is installed in the Cisco 7200 series router.
Note
For detailed information on configuring network access server (NAS)-initiated access VPNs using the
Layer 2 Forwarding (L2F) tunneling protocol, refer to the Access VPN Solutions Using Tunneling
Technology publication.
In each scenario, a tunnel is constructed, encryption is applied on the tunnel, and different traffic types
(for example, IP, User Datagram Protocol [UDP], and Transmission Control Protocol [TCP]) are either
permitted or denied access to the tunnel. This controls the level of access the remote office and business
partner have to the corporate intranet and secures the data exchanged between the sites.
Figure 2-1 Business Scenarios
[Figure: the corporate headquarters connected across the Internet to a business partner, a remote
office, and a remote user; labels: IPSec tunnel, GRE tunnel, Secure tunnel]
The site-to-site VPN business scenario, explained in Chapter 3, Site-to-Site and Extranet VPN Business
Scenarios, links the corporate headquarters to a remote office using connections across the Internet.
Users in the remote office are able to access resources as if they were part of the private corporate
intranet.
The extranet VPN business scenario, explained in Chapter 3, Site-to-Site and Extranet VPN Business
Scenarios, builds on the site-to-site VPN scenario by linking the same corporate headquarters to a
business partner using connections across the Internet; however, the business partner is given limited
access to the headquarters network: the business partner can access only the headquarters public server.
The remote access VPN business scenario, explained in Chapter 4, Remote Access VPN Business
Scenarios, provides a remote user access to the corporate headquarters network through a secure IPSec,
PPTP, or L2TP tunnel that is initiated by the remote user running VPN client software on a PC. In this
scenario, the user can access the corporate network remotely.
Note
This guide does not explain how to configure your router for use with the Cisco Secure
VPN Client. For detailed information on client-initiated VPNs using
Cisco Secure VPN Client software, refer to the Cisco Secure VPN Client Solutions Guide
publication. If you are a registered Cisco user, you can access the Access VPNs and IP
Security Protocol Tunneling Technology publication.
Assumptions
This guide assumes the following:
You are configuring a service provider transparent VPN, whereby the tunnel endpoints are outside
of the service provider network (on the headquarters and remote site routers).
You are configuring your VPN based on IP, a routing mechanism, cryptography, and tunneling
technologies, such as IPSec and GRE.
Note
The scenarios in this guide do not explain how to configure certification authority (CA)
interoperability on your Cisco 7200 series router. For detailed configuration information on
CA interoperability, refer to the Configuring Certification Authority Interoperability
chapter in the Cisco IOS Security Configuration Guide.
You have identified the Cisco IOS firewall features that you plan to configure on your Cisco 7200
series router. When considering IOS firewall features, you may find it useful to review the
Network Traffic Considerations section on page 2-5. The business scenarios in this guide explain
how to configure extended access lists, which are sequential collections of permit and deny
conditions that apply to an IP address.
Note
For advanced firewall configuration information, refer to the Traffic Filtering and
Firewalls section of the Cisco IOS Security Configuration Guide.
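As an added example (not code from this guide), the following Python script evaluates an IOS-style extended access list with the sequential first-match semantics described above, including the implicit deny that ends every IOS access list, and reports entries that an earlier, broader entry shadows. It is the check to run when an access list is meant to keep a traffic type out of the tunnel, as in the scenarios above. The access-list lines, addresses and packets are constructed for the illustration; the parser handles only the common any, host, address-with-wildcard and eq-port forms.

```python
"""Added example, not code from the Cisco guide: an evaluator for the
first-match semantics of IOS-style extended access lists, which the guide
describes as sequential collections of permit and deny conditions used to
decide which traffic types may enter the tunnel. The ACL lines, addresses and
packets below are constructed for the illustration; the parser handles the
'any', 'host A.B.C.D', 'A.B.C.D WILDCARD' and 'eq PORT' forms."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass
class Ace:
    """One access control entry, i.e. one access-list line."""
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol; otherwise tcp, udp, gre, ...
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # destination port when the line ends in "eq N"


def _parse_addr(t: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at t[i]."""
    if t[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return IPv4Network(t[i + 1] + "/32"), i + 2
    # An IOS wildcard mask is the bitwise inverse of a subnet mask (0.0.0.255 -> /24).
    netmask = IPv4Address(~int(IPv4Address(t[i + 1])) & 0xFFFFFFFF)
    return IPv4Network((t[i], str(netmask)), strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse lines such as 'access-list 101 permit tcp any host 10.1.1.5 eq 80'."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue                      # blank lines and anything that is not an ACE
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i + 1 < len(t) and t[i] == "eq" else None
        aces.append(Ace(t[2], t[3], src, dst, dport))
    return aces


def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, line number of the entry that decided). The first match
    wins; a packet matching nothing hits the implicit 'deny ip any any' that
    ends every IOS access list, reported here with line number None."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for n, ace in enumerate(aces, 1):
        if (ace.proto in ("ip", proto) and s in ace.src and d in ace.dst
                and (ace.dport is None or ace.dport == dport)):
            return ace.action, n
    return "deny", None


def shadowed_entries(aces: List[Ace]) -> List[int]:
    """Line numbers of entries that can never match because an earlier, broader
    entry already covers every packet they describe (a shadowed deny is a
    policy that silently does nothing)."""
    shadowed = []
    for n, later in enumerate(aces, 1):
        for earlier in aces[:n - 1]:
            if (earlier.proto in ("ip", later.proto)
                    and (earlier.dport is None or earlier.dport == later.dport)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)):
                shadowed.append(n)
                break
    return shadowed


# Constructed sample: web access to one public server, UDP from a remote LAN
# denied, GRE tunnel endpoints permitted, and a remote office subnet permitted
# into the headquarters subnet for all IP traffic.
SAMPLE_ACL = """
access-list 101 permit tcp any host 10.1.1.5 eq 80
access-list 101 deny udp 192.168.1.0 0.0.0.255 any
access-list 101 permit gre host 172.17.2.4 host 172.17.2.5
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
"""

# Constructed sample of an ordering mistake: the broad permit shadows the deny.
MISORDERED_ACL = """
access-list 102 permit ip any any
access-list 102 deny udp 192.168.1.0 0.0.0.255 any
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for pkt in (("tcp", "192.168.1.10", "10.1.1.5", 80), ("udp", "192.168.1.10", "10.1.1.5", 53),
                ("udp", "10.2.2.7", "10.1.1.9", 53), ("tcp", "203.0.113.9", "10.1.1.5", 443)):
        print(pkt, "->", evaluate(acl, *pkt))
    print("shadowed lines in ACL 102:", shadowed_entries(parse_acl(MISORDERED_ACL)))
```

The evaluator returns the line number that decided each packet, which is the detail worth logging when an access list does not behave as expected; the shadowing check only catches an entry that is fully covered by a single earlier entry, not one that several earlier entries cover together.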
Scalability
Performance
Secure Management
Security
Quality of Service
Routing
Extranet Considerations
The primary advantage of an overlay design in the headend configuration is that the separation of tasks
optimizes network performance. Each device may be dedicated to one or two tasks, rather than all three,
in a heavy traffic environment. For example, ACLs (Access Control Lists) require a fair amount of CPU
utilization. Therefore, performing ACL tasks on a device other than the Cisco 7200 series router allows
the Cisco 7200 series router more power to support network traffic.
Quality of Service
Cisco recommends using GRE tunnels with IPSec in tunnel mode to improve the flow of network traffic.
IPSec in tunnel mode can be used as a tunneling protocol itself for unicast traffic, but not for multicast
traffic. Multicast IPSec traffic requires a GRE tunnel, and that IPSec be used in either transport or tunnel
mode. Cisco recommends using IPSec in tunnel mode for the best network traffic performance.
Changing these values increases the level of security; at the same time, however, it increases the
processor overhead. The default behavior for SA rekeying is to base the new key in part on the old key
to save processing resources. Perfect forward secrecy (PFS) generates a new key based on new seed
material by carrying out a Diffie-Hellman (DH) exponentiation every time a new quick-mode (QM) SA
needs new key generation. Again, this option increases the level of security but at the same time
increases processor overhead. Cisco does not recommend changing the SA lifetimes or enabling PFS
unless the sensitivity of the data mandates it. If you choose to change these values, make sure you include
this variable when determining the network design. The strength of the Diffie-Hellman exponentiation
is configurable; Groups 1 (768 bits), 2 (1024 bits), and 5 (1536 bits) are supported. Group 2 is
recommended.
IPSec Considerations
IPSec provides numerous security features. The following have configurable values for the administrator
to define their behavior: data encryption, device authentication and credentials, data integrity, address
hiding, and SA key aging. The IPSec standard requires the use of either data integrity or data encryption;
using both is optional. Cisco highly recommends using both encryption and integrity. Cisco recommends
the use of Triple DES (3DES), rather than DES, as it provides stronger encryption. Data integrity comes
in two types: 128-bit strength Message Digest 5 (MD5)-HMAC or 160-bit strength Secure Hash Algorithm
(SHA)-HMAC. Because the bit strength of SHA is greater, it is considered more secure. Cisco
recommends the use of SHA because the increased security outweighs the slight increase in processor
overhead (in fact, SHA is sometimes faster than MD5 in certain hardware implementations).
Both IPSec phases offer the ability to change the lifetime of the SA. You might consider changing the
lifetime from the default when the sensitivity of the tunneled data mandates replacing the encryption
keys and reauthenticating each device on a more aggressive basis. Keep in mind that the shorter the SA
lifetime, the greater the impact on network traffic (see the IKE Key Lifetimes section on page 2-13).
The use of strong encryption algorithms in non-US countries is sometimes regulated by local import and
usage laws. These strong encryption algorithms cannot be exported to some countries or some
customers. For more information about the exportation of encryption algorithms, please see your sales
representative.
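The following configuration is an added example, not taken from this guide, showing how the choices discussed above map onto Cisco IOS commands on the headquarters router: 3DES with SHA-HMAC in the transform set, Diffie-Hellman group 2 in the ISAKMP policy, the default IKE and IPSec SA lifetimes written out explicitly, and PFS left as a commented-out option. The peer address 172.24.2.5 and the WAN address 172.17.2.4 are taken from the site-to-site scenario in Chapter 3; the policy number, the names HQ-3DES-SHA and HQ-VPN, the access list number and the PLACEHOLDER pre-shared key are assumptions.

```cisco
! Added example (not from this guide): hq-sanjose IKE/IPSec parameter choices.
! Peer 172.24.2.5 and WAN address 172.17.2.4 come from the site-to-site scenario;
! the policy number, names, ACL number and the PLACEHOLDER key are assumed.
!
! IKE (phase 1) policy: 3DES, SHA-HMAC, pre-shared keys, Diffie-Hellman group 2
! (1024 bits). lifetime 86400 s is the 24-hour IOS default, written out here.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key PLACEHOLDER-PSK address 172.24.2.5
!
! IPSec (phase 2) transform set: both encryption and integrity, as recommended.
crypto ipsec transform-set HQ-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
! IPSec SA lifetime: 3600 s is the one-hour default. Shortening it rekeys more
! often at the cost of CPU; leave it unless the data sensitivity requires it.
crypto ipsec security-association lifetime seconds 3600
!
! Crypto map entry: peer, transform set and the traffic to protect.
crypto map HQ-VPN 10 ipsec-isakmp
 set peer 172.24.2.5
 set transform-set HQ-3DES-SHA
 match address 101
! Optional PFS: a fresh DH (group 2) exchange on every quick-mode rekey.
! Add it inside the crypto map entry only if the data sensitivity mandates it:
!  set pfs group2
!
! Protect the GRE tunnel packets exchanged between the two WAN addresses.
access-list 101 permit gre host 172.17.2.4 host 172.24.2.5
!
interface Serial1/0
 crypto map HQ-VPN
```

With this configuration the IKE SA is renegotiated once a day and the IPSec SAs once an hour, the defaults the text describes; PFS stays off, so a quick-mode rekey derives new keys from the existing IKE keying material rather than a new exponentiation.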
Point-to-Point Protocol (PPP), and Frame Relay. IPSec also works with the GRE and IPinIP
Layer 3, L2F, and L2TP tunneling protocols; however, multipoint tunnels are not supported.
IPSec and Internet Key Exchange (IKE) must be configured on the router and a crypto map must
be assigned to all interfaces that require encryption services of your Cisco 7200 series router.
When using tunnel mode, IPSec can be applied to unicast IP datagrams only. Because the IPSec
Working Group has not yet addressed the issue of group key distribution, IPSec does not
currently work with multicasts or broadcast IP datagrams. When using IPSec with GRE or
L2TP, this restriction does not apply.
If you use NAT, you should configure static NAT as redundant so that IPSec works properly. Preferably,
NAT should occur before the router performs IPSec encapsulation; in other words, IPSec should be
working with global addresses. The following section discusses NAT in further detail.
Quality of Service
The goal of quality of service (QoS) is to provide more efficient and predictable network service by
providing dedicated bandwidth, controlled jitter and latency, and improved loss characteristics. QoS
achieves these goals by providing tools for managing network congestion, shaping network traffic, using
expensive wide-area links more efficiently, and setting traffic policies across the network. QoS
prioritizes voice, data, and web traffic to ensure that mission-critical applications get the service they
require. Benefits to be derived from QoS include the following:
Control over resources: You have control over which resources (bandwidth, equipment, wide-area
facilities, and so on) are being used. As an example, you can limit the bandwidth consumed over a
backbone link by FTP transfers or give priority to an important database access.
More efficient use of network resources: Using Cisco's network analysis management and
accounting tools, you will know what your network is being used for and that you are servicing the
most important traffic to your business.
Tailored services: The control and visibility provided by QoS enables Internet service providers to
offer carefully tailored grades of service to their customers.
Foundation for a fully integrated network in the future: Implementing Cisco QoS technologies in
your network now is a good first step toward the fully integrated multimedia network needed in the
near future. For example, you can implement weighted fair queuing today and get its immediate
benefit of increasing service predictability and IP Precedence signaling for traffic differentiation.
You reap additional benefits in the future, because weighted fair queuing is Resource Reservation
Protocol (RSVP) enabled, thereby allowing you to take advantage of dynamically signaled QoS
from the inevitable coming wave of RSVP-enabled applications.
See the Related Documentation section on page xi for information on finding additional information
on Cisco IOS QoS benefits, features, and application examples.
While the benefits of NIDS are compelling, NIDS significantly decreases network throughput, because
it inspects every single packet. In a headend environment, consider using alternatives to NIDS. For
example, in an overlay network environment (see the Integrated versus Overlay Design section on
page 2-4), the decrease in performance associated with NIDS can be mitigated by designating a device
other than the Cisco 7200 series router, such as the Cisco Intrusion Detection System (CIDS), to perform
NIDS functions.
Split Tunneling
Split tunneling occurs when a remote VPN user or site is allowed to access a public network (the Internet) at
the same time that they access the private VPN network without placing the public network traffic inside the
tunnel first. If split tunneling were disabled, the remote VPN user or site would need to pass all traffic through
the VPN headend where it could be decrypted and inspected before being sent out to the public network.
Therefore, enabling split tunneling can increase the traffic throughput of your VPN, but poses a security risk
if the remote user does not have a personal firewall. Despite the benefit of sending less traffic through the
Cisco 7200 series router, Cisco does not recommend enabling split tunneling unless the remote user has
sufficient firewall protection.
Network Resiliency
Network resiliency, or redundancy, enables remote sites to locate another tunneling peer if the primary
headend peer is unreachable, or if there is a permanent loss of IP connectivity between peers. Consider
network resiliency in both the network configuration and in the decision to use GRE tunnels, IPSec
tunnels, or tunnels which utilize IPSec inside GRE. Resiliency can be achieved by properly utilizing and
configuring GRE tunnels, IKE keepalives, and Hot Standby Routing Protocol (HSRP) with Reverse
Route Injection (RRI).
This section contains the following topics:
Headend Failover
GRE
IKE Keepalives
Headend Failover
Headend failover ensures that network traffic will be routed through a backup Cisco 7200 series router if the
primary Cisco 7200 series router should fail. GRE and IKE keepalives are the two primary means of attaining
headend failover in Cisco IOS VPNs.
GRE
For VPN resilience, the remote site should be configured with two GRE tunnels, one to the primary
headend Cisco 7200 series router, and the other to the backup headend Cisco 7200 series router. If the
GRE tunnels are secured with IPSec, each tunnel has its own IKE SA and a pair of IPSec SAs. Since
GRE can carry multicast and broadcast traffic, it is possible and very desirable to configure a routing
protocol for these virtual links. Once a routing protocol is configured, the failover mechanism comes
automatically. The hello/keepalive packets, such as IKE keepalives, sent by the routing protocol over the
GRE tunnels provide a mechanism to detect the loss of connectivity. In other words, if the primary GRE
tunnel is lost, the remote site will detect this event by the loss of the routing protocol hello packets.
Once virtual-link loss is detected, the routing protocol will choose the next best route; the backup GRE
tunnel will be chosen. Hence, the second part of VPN resilience is obtained by the automatic behavior
of the routing protocol. Since the backup GRE tunnel is already up and secured, the failover time is
determined by the hello packet mechanism and the convergence time of the routing protocol.
Aside from providing a failover mechanism, GRE tunnels provide the ability to encrypt multicast and
broadcast packets and non-IP protocols with IPSec. They also provide enhanced performance and
scalability for site-to-site VPN services. Since GRE tunnels are unique interfaces, they can each be
assigned their own crypto maps. When the headend router needs to send a packet on the VPN, it first
makes a routing decision to send it out an interface and then does a search of the SPI table to find the
corresponding SA. With GRE tunnels, the router must make a routing decision across a multitude of
GRE interfaces. Once the GRE tunnel is chosen, there are only a few SAs to choose from.
GRE tunnels can encapsulate clear text traffic, which enables the passage of routing updates to peer
routers. Passage of routing updates provides reachability information between peers. It also enables
detection of a secondary peer in the case of a loss of reachability for the primary peer. IPSec can be
applied to the GRE tunnel packet to provide encryption for transport security.
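As an added example, not from this guide, the following shows the remote office router configured the way the GRE discussion above describes: two GRE tunnels, one to each headend, a routing protocol (EIGRP) running across both so that the loss of hellos on the primary tunnel moves traffic to the backup, and one crypto map entry per tunnel so that each tunnel gets its own IKE SA and IPSec SA pair. The addresses 172.17.2.4 (primary headend), 172.24.2.5 (this router's Serial1/0) and 10.1.4.0/24 are from Table 3-1 in Chapter 3; the backup headend address 172.17.2.9, the /30 tunnel subnets under 172.16.100.0, EIGRP autonomous system 100, the names, access list numbers and PLACEHOLDER keys are assumptions.

```cisco
! Added example (not from this guide): remote office router with two GRE tunnels
! and EIGRP across both. 172.17.2.4, 172.24.2.5 and 10.1.4.0/24 are from Table 3-1;
! 172.17.2.9, the /30 tunnel subnets, AS 100, names, ACL numbers and keys are assumed.
interface Tunnel0
 description GRE to primary headend hq-sanjose
 ip address 172.16.100.2 255.255.255.252
 tunnel source Serial1/0
 tunnel destination 172.17.2.4
! Explicit hello/hold timers so that peer-loss detection is a known 15 s
! rather than whatever the tunnel interface defaults give.
 ip hello-interval eigrp 100 5
 ip hold-time eigrp 100 15
interface Tunnel1
 description GRE to backup headend
 ip address 172.16.100.6 255.255.255.252
 tunnel source Serial1/0
 tunnel destination 172.17.2.9
 ip hello-interval eigrp 100 5
 ip hold-time eigrp 100 15
! Higher delay makes EIGRP prefer Tunnel0 while both tunnels are up.
 delay 60000
!
! Both tunnels carry EIGRP hellos and routes; when Tunnel0's hold time expires
! the prefixes learned over Tunnel1 become best and traffic moves automatically.
router eigrp 100
 network 10.1.4.0 0.0.0.255
 network 172.16.100.0 0.0.0.255
 no auto-summary
!
! Each tunnel is protected separately: one crypto map entry per peer, each
! matching only that tunnel's GRE packets.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 172.17.2.4
crypto isakmp key PLACEHOLDER-PSK address 172.17.2.9
crypto ipsec transform-set RO-3DES-SHA esp-3des esp-sha-hmac
crypto map RO-VPN 10 ipsec-isakmp
 set peer 172.17.2.4
 set transform-set RO-3DES-SHA
 match address 101
crypto map RO-VPN 20 ipsec-isakmp
 set peer 172.17.2.9
 set transform-set RO-3DES-SHA
 match address 102
access-list 101 permit gre host 172.24.2.5 host 172.17.2.4
access-list 102 permit gre host 172.24.2.5 host 172.17.2.9
interface Serial1/0
 crypto map RO-VPN
```

Because the backup tunnel is already up and its SAs already negotiated, failover time here is the EIGRP hold time plus convergence, not an IKE negotiation; the same design can be checked on the router with show ip eigrp neighbors and show crypto ipsec sa.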
IKE Keepalives
IKE keepalives, or hello packets, are a component of IPSec that tracks reachability of peers by sending
hello packets between peers. In the case of loss of reachability to a peer, a tunnel is established with a
predefined backup or secondary peer.
During the typical life of the IKE Security Association (SA), as defined by the RFCs, packets are only
exchanged over this SA when an IPSec quick mode (QM) negotiation is required at the expiration of the
IPSec SAs. For a Cisco IOS device, the default lifetime of an IKE SA is 24 hours and that of an IPSec
SA is one hour. There is no standards-based mechanism for either type of SA to detect the loss of a peer,
except when the QM negotiation fails. These facts imply that for IOS defaults, an IPSec termination
point could be forwarding data into a black hole for as long as one hour before the protocol detects a loss
of connectivity.
By implementing a keepalive feature over the IKE SA in Cisco IOS software, Cisco has provided
network designers with a simple and non-intrusive mechanism for detecting loss of connectivity between
two IPSec peers. The keepalive packets are sent every 10 seconds by default. Once three packets are
missed, an IPSec termination point concludes that it has lost connectivity with its peer.
To reestablish connectivity, the IPSec termination point must have at least two IPSec peer addresses in
its crypto map statement. The IPSec termination point will send out a main mode (MM) request to
initiate the MM and quick mode (QM) negotiations with the second peer in its list. This type of
functionality is available in all IOS devices that support the IPSec feature set.
IKE keepalives are suggested for use with devices that do not support GRE.
VPN Reverse Route Injection (RRI) is a new IOS feature that resolves the duplicate tunnel problem by
injecting a static route for advertisement on the network. It is based on which device currently holds the
IPSec session for a specific peer. Advertising this route ensures return IPSec traffic associated with the
specific session will be routed through the device that has the active IPSec session.
The primary benefits of RRI are that it enables the routing of IPSec traffic to a specific VPN headend
device in environments with multiple (redundant) VPN headend devices, and ensures predictable
failover time of remote sessions between headend devices when using IKE keepalives.
HSRP complements the new RRI feature in attaining network resiliency. Using HSRP, a set of routers
work in concert to present the illusion of a single virtual router with a virtual IP address that is linked to
real IP addresses. The hosts on the network recognize the virtual router and IP address as the only router
and IP address. The set of routers that comprises the virtual router is known as an HSRP group, or a
standby group. A single router elected from the group is responsible for forwarding the packets that hosts
send to the virtual router. This router is known as the active router. Another router is elected as the
standby router. In the event that the active router fails, the standby router assumes the packet forwarding
duties of the active router. Although an arbitrary number of routers may run HSRP, only the active router
forwards the packets sent to the virtual router.
To minimize network traffic, only the active and the standby routers send periodic HSRP messages once
the protocol has completed the election process. If the active router fails, the standby router takes over
as the active router. If the standby router fails or becomes the active router, another router is elected as
the standby router. RRI then informs peers of the active router, ensuring that peers use the active tunnel
that HSRP has established.
While HSRP and RRI can be used in conjunction with each other for maximum network resiliency, they
can also be used separately.
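The following is an added example, not from this guide, putting the IKE keepalive, RRI and HSRP mechanisms described above into an IPSec-only (no GRE) design: the remote site lists two headend peers in one crypto map entry and detects a dead peer through IKE keepalives, each headend runs RRI so that return traffic is drawn to whichever headend holds the active session, and an optional HSRP pair is shown for the case where both headends share an outside Ethernet segment. The addresses 172.17.2.4 (primary headend), 172.24.2.5 (remote site) and the networks 10.1.3.0/24 and 10.1.4.0/24 come from the scenarios in Chapter 3; the backup headend address 172.17.2.9, the HSRP segment 192.0.2.0/24, EIGRP autonomous system 100, the names, access list numbers and PLACEHOLDER keys are assumptions.

```cisco
! Added example (not from this guide): IPSec-only failover with IKE keepalives,
! two peers at the remote site, RRI at the headend and an optional HSRP pair.
! 172.17.2.4, 172.24.2.5, 10.1.3.0/24 and 10.1.4.0/24 are from Chapter 3;
! 172.17.2.9, 192.0.2.0/24, AS 100, names, ACL numbers and keys are assumed.
!
! ---- Remote site router ----
! Keepalives every 10 s; after 3 misses (about 30 s) the peer is declared dead
! instead of waiting up to the 1-hour IPSec SA lifetime for a failed rekey.
crypto isakmp keepalive 10 3
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 172.17.2.4
crypto isakmp key PLACEHOLDER-PSK address 172.17.2.9
crypto ipsec transform-set RO-3DES-SHA esp-3des esp-sha-hmac
! Two peers in one entry: when the first is declared dead, the router starts
! main mode and quick mode with the second peer in the list.
crypto map RO-VPN 10 ipsec-isakmp
 set peer 172.17.2.4
 set peer 172.17.2.9
 set transform-set RO-3DES-SHA
 match address 101
access-list 101 permit ip 10.1.4.0 0.0.0.255 10.1.3.0 0.0.0.255
interface Serial1/0
 crypto map RO-VPN
!
! ---- Each headend router (primary shown; the backup differs only in addresses) ----
crypto isakmp keepalive 10 3
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 172.24.2.5
crypto ipsec transform-set HQ-3DES-SHA esp-3des esp-sha-hmac
! reverse-route (RRI): while this headend holds the IPSec SA for 10.1.4.0/24 it
! installs a static route to that prefix; redistribution advertises it inside,
! so return traffic reaches the headend with the active session, not the idle one.
crypto map HQ-VPN 10 ipsec-isakmp
 set peer 172.24.2.5
 set transform-set HQ-3DES-SHA
 match address 101
 reverse-route
access-list 101 permit ip 10.1.3.0 0.0.0.255 10.1.4.0 0.0.0.255
interface Serial1/0
 crypto map HQ-VPN
router eigrp 100
 network 10.1.3.0 0.0.0.255
 redistribute static
 default-metric 10000 100 255 1 1500
!
! ---- Optional: HSRP pair on a shared outside Ethernet instead of two WAN addresses ----
! Remote peers then use the virtual address 192.0.2.1; binding the crypto map to
! the standby group makes the active HSRP router the one that owns the IPSec sessions.
interface FastEthernet1/0
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 name HQ-HSRP
 crypto map HQ-VPN redundancy HQ-HSRP
```

The keepalive interval and retry count bound how long the remote site forwards into a black hole (about 30 s with these values), and RRI bounds how long the headquarters side does so, because the injected route disappears together with the SA on the failed headend and reappears on the one that accepts the new session.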
Fragmentation
Avoid fragmentation at all costs. Packet reassembly is resource intensive from a CPU and memory
allocation perspective, and decreases network performance. Allowing fragmented packets into your
network also creates security concerns. Fragmented IPSec packets require reassembly before the packets
can undergo integrity validation and decryption.
Fragmentation can typically be avoided, as it usually occurs when an encapsulated packet, sent over a
tunnel, is too large to fit on the smallest link on the tunnel path. As long as filtering does not block the
Internet Control Message Protocol (ICMP) messages, path maximum transmission unit discovery
(PMTUD) will determine the maximum MTU that a host can use to send a packet through the tunnel
without causing fragmentation.
To allow PMTUD in your network, do not filter ICMP message Type 3, Code 4. If ICMP filtering occurs
and is out of your administrative control, you will have to either manually set the MTU lower on the VPN
termination device and allow PMTUD locally, or clear the Don't Fragment (DF) bit and force
fragmentation. In this scenario, packets generated by hosts that do not support PMTUD, and have not set
the DF bit in the IP header, will undergo fragmentation before IPSec encapsulation. Packets generated
by hosts that do support PMTUD will use it locally to match the statically configured MTU on the tunnel.
If you manually set the MTU on the tunnel, you must set it low enough to allow packets to pass through
the smallest link on the path. Otherwise, the packets that are too large to fit will be dropped, and if ICMP
filtering is in place, no feedback will be provided.
Remember that multiple layers of encapsulation will add layers of overhead to the packet. For example,
GRE and ESP tunneling protocols are used together frequently. In this scenario, GRE adds 24 bytes of
overhead to the packet before it undergoes encapsulation again by ESP. ESP, when using 3DES and SHA,
then adds 56 bytes of additional overhead. Use of ESP and GRE to support PMTUD reduces the
likelihood of fragmentation.
Depending on the VPN termination device, the manner in which you should set the MTU on the tunnel
varies. Options include changing the MTU through the tunnel interface (routers), the TCP maximum
segment size (firewalls), policy routing (routers), clear/set/copy DF bit (routers), OS application level
(VPN clients), and physical/logical interfaces (any VPN device).
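As an added example, not from this guide, here is how the MTU-related options listed above look on the headquarters router's tunnel interface, with the arithmetic carried through using the overhead figures the text gives (24 bytes for GRE, 56 bytes for ESP with 3DES and SHA) and an assumed 1500-byte physical path MTU. The interface name and the resulting values 1400 and 1360 are assumptions; the DF-bit fallback is shown commented out because the text recommends it only when ICMP filtering is outside your control.

```cisco
! Added example (not from this guide): fragmentation avoidance on the hq-sanjose
! GRE-over-IPSec tunnel. GRE 24 bytes and ESP (3DES/SHA) 56 bytes are the figures
! from the text; a 1500-byte physical path MTU and the interface name are assumed.
interface Tunnel0
! 1500 - 24 (outer IP + GRE) - 56 (ESP) = 1420 usable bytes; 1400 leaves margin
! for ESP block padding, so encrypted packets fit the path without fragmenting.
 ip mtu 1400
! Clamp the TCP MSS in SYN segments crossing the tunnel: 1400 - 20 (IP) - 20 (TCP)
! = 1360, so hosts never build segments that would exceed the tunnel MTU.
 ip tcp adjust-mss 1360
! Let the tunnel copy the DF bit to the outer header and act on ICMP Type 3
! Code 4 from the path (PMTUD on the tunnel itself).
 tunnel path-mtu-discovery
!
! Fallback only when ICMP Type 3 Code 4 is filtered upstream and outside your
! control: clear DF before IPSec so oversized packets fragment before encryption
! (the peer then pays the reassembly cost). Prefer the MTU/MSS settings above.
! crypto ipsec df-bit clear
```

If you manually set the tunnel MTU this way, confirm it with a DF-bit ping of the full size across the tunnel (ping with the df-bit and size keywords) so that you see the drop yourself rather than discovering it through a silent black hole when ICMP is filtered.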
IKE Keepalives
IKE keepalive settings can aid in optimizing VPN performance. By Cisco IOS default, keepalives are
sent in 10 second intervals. A longer interval between keepalives reduces CPU usage, thereby increasing
network performance. There is, however, a trade-off. The longer the interval, the longer it will take to
detect a loss of connectivity. This risk can be mitigated by implementing RRI and/or HSRP. Refer to the
Network Resiliency section on page 2-10, for a discussion of RRI and HSRP failover mechanisms.
Syslog: Set up a syslog host, such as a CiscoWorks Essentials Workstation, and configure all the
routers in the network to use the syslog host. By logging all syslog messages from the routers, you
can determine when significant events, like configuration changes, occurred.
Access lists: Use access list numbers and names consistently to help manage and troubleshoot
configurations.
Template configurations: Use a configuration template when deploying many routers that require
consistent configurations.
and Cisco Express Forwarding (CEF) of the IPSec tunneling protocol is supported on Cisco
7200 series router in Cisco IOS Release 12.0(4)XE or a later 12.1E software release, or Cisco
IOS Release 12.0(6)T or a later 12.0 T software release.
Be careful not to violate access control lists. You can configure a tunnel with a source and
over a multipoint real link. A tunnel might appear to be a one-hop, point-to-point link and have
the lowest-cost path, but may actually cost more.
Firewall: Observe the following when configuring Cisco IOS firewall features (when configuring
your Cisco 7200 series router as a firewall):
When setting passwords for privileged access to the firewall, use the enable secret command
rather than the enable password command, which does not have as strong an encryption
algorithm.
Configure a password on the console port. In authentication, authorization, and accounting
(AAA) environments, use the same authentication for the console as for elsewhere. In a
non-AAA environment, at a minimum, configure the login and password password commands.
Think about access control before you connect a console port to the network in any way,
including attaching a modem to the port. Be aware that a break on the console port might render
total control of the firewall, even with access control configured, to a hacker.
Apply access lists and password protection to all virtual terminal ports. Use access lists to limit
Network Time Protocol [NTP]) that you do not plan to use. Cisco Discovery Protocol (CDP)
and NTP are on by default, and you should turn these off if you do not need them.
To turn off CDP, enter the no cdp run global configuration command. To turn off NTP, enter
the ntp disable interface configuration command on each interface not using NTP.
If you must run NTP, configure NTP only on required interfaces, and configure NTP to listen
only to certain peers.
Any enabled service could present a potential security risk. A determined, hostile party might
be able to find creative ways to misuse the enabled services to access the firewall or the network.
For local services that are enabled, protect against misuse. Protect by configuring the services
to communicate only with specific peers, and protect by configuring access lists to deny packets
for the services at specific interfaces.
Protect against spoofing: protect the networks on both sides of the firewall from being spoofed
from the other side. You could protect against spoofing by configuring input access lists at all
interfaces to pass only traffic from expected source addresses and to deny all other traffic.
You should also disable source routing. For IP, enter the no ip source-route global
configuration command. If you disable source routing at all routers, it helps prevent spoofing.
You should also disable minor services. For IP, enter the no service tcp-small-servers and no
service udp-small-servers global configuration commands.
Prevent the firewall from being used as a relay by configuring access lists on any asynchronous
Telnet ports.
Normally, you should disable directed broadcasts for all applicable protocols on your firewall
and on all your other routers. For IP, use the no ip directed-broadcast command. Rarely, some
IP networks do require directed broadcasts; if this is the case, do not disable directed broadcasts.
Directed broadcasts can be misused to multiply the power of denial-of-service attacks, because
every denial-of-service packet sent is broadcast to every host on a subnet. Furthermore, some
hosts have other intrinsic security risks present when handling broadcasts.
Configure the no proxy-arp command to prevent internal addresses from being revealed. (This
is important to do if you do not already have NAT configured to prevent internal addresses from
being revealed).
Whenever possible, keep the firewall in a secured (locked) room.
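The following is an added example, not from this guide, that collects the firewall recommendations above into one hardening baseline for a Cisco 7200 used as an IOS firewall, including an anti-spoofing access list on the WAN side that admits only the IKE, ESP and GRE traffic of the site-to-site VPN peer. The VPN addresses 172.17.2.4 and 172.24.2.5 and the inside network 10.1.3.0/24 come from Chapter 3; the interface names, the NTP peer 10.1.3.6, the access list numbers and every PLACEHOLDER value are assumptions. Note that the interface form of the proxy ARP command is no ip proxy-arp.

```cisco
! Added example (not from this guide): hardening baseline for a Cisco 7200 used
! as an IOS firewall. 172.17.2.4, 172.24.2.5 and 10.1.3.0/24 are from Chapter 3;
! interface names, the NTP peer, ACL numbers and PLACEHOLDER values are assumed.
!
! Privileged access: enable secret (hashed) instead of enable password.
enable secret PLACEHOLDER-ENABLE-SECRET
! Global services to switch off.
no cdp run
no ip source-route
no service tcp-small-servers
no service udp-small-servers
!
! Management lines: console password; vty and aux limited to inside hosts,
! and the aux port not usable as a relay.
access-list 10 permit 10.1.3.0 0.0.0.255
line console 0
 login
 password PLACEHOLDER-CONSOLE-PASSWORD
 exec-timeout 5 0
line aux 0
 login
 password PLACEHOLDER-AUX-PASSWORD
 access-class 10 in
 transport output none
line vty 0 4
 access-class 10 in
 login
 password PLACEHOLDER-VTY-PASSWORD
 exec-timeout 5 0
!
! NTP only where needed: sync from one inside peer, answer only that peer,
! and disable NTP on the outside interface.
ntp server 10.1.3.6
access-list 20 permit host 10.1.3.6
ntp access-group peer 20
!
! Outside interface: drop packets claiming inside or loopback sources (spoofing),
! then admit only the VPN peer's IKE, ESP and GRE; the implicit deny drops the rest.
access-list 110 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 110 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 110 permit udp host 172.24.2.5 host 172.17.2.4 eq isakmp
access-list 110 permit esp host 172.24.2.5 host 172.17.2.4
access-list 110 permit gre host 172.24.2.5 host 172.17.2.4
! Inside interface: accept only packets sourced from the inside network.
access-list 120 permit ip 10.1.3.0 0.0.0.255 any
interface Serial1/0
 ip access-group 110 in
 ntp disable
 no ip directed-broadcast
 no ip proxy-arp
interface FastEthernet0/0
 ip access-group 120 in
 no ip directed-broadcast
 no ip proxy-arp
```

The log keyword on the two spoofing denies gives the syslog host mentioned earlier a record of every packet that arrived on the WAN claiming an inside address, which is the kind of event worth alerting on.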
To access the documentation for the applications discussed in this section on Cisco.com, refer to the
following URL:
http://www.cisco.com/en/US/products/sw/netmgtsw/index.html
Chapter 3
Note
In this Guide, the term Cisco 7200 series router implies that an Integrated Service Adaptor (ISA) or a
VAM (VAM, VAM2, or VAM2+) is installed in the Cisco 7200 series router.
This chapter describes basic features and configurations used in a site-to-site VPN scenario. Some
Cisco IOS security software features not described in this document can be used to increase performance
and scalability of your VPN. For up-to-date Cisco IOS security software features documentation, refer
to the Cisco IOS Security Configuration Guide and the Cisco IOS Security Command Reference
publications for your Cisco IOS Release. For information on how to access the publications, see
the Related Documentation section on page xi.
This chapter includes the following sections:
Note
Throughout this chapter, there are numerous configuration examples and sample configuration outputs
that include unusable IP addresses. Be sure to use your own IP addresses when configuring your Cisco
7200 series router.
Scenario Descriptions
This section includes the following topics:
Creating Extended Access Lists Using Access List Numbers, page 3-37
Site-to-Site Scenario
Figure 3-1 shows a headquarters network providing a remote office access to the corporate intranet. In
this scenario, the headquarters and remote office are connected through a secure GRE tunnel that is
established over an IP infrastructure (the Internet). Employees in the remote office are able to access
internal, private web pages and perform various IP-based network tasks.
Note
Although the site-to-site VPN scenario in this chapter is configured with GRE tunneling, a site-to-site
VPN can also be configured with IPSec only tunneling.
Figure 3-1 (figure reduced to its labels): the headquarters gateway (hq-sanjose), with the corporate intranet behind it, connects over a serial line to the Internet, which connects over a serial line to the remote office network.
Figure 3-2 shows the physical elements of the scenario. The Internet provides the core interconnecting
fabric between the headquarters and remote office routers. Both the headquarters and remote office are
using a Cisco IOS VPN gateway (a Cisco 7200 series with an Integrated Service Adaptor (ISA) or VAM
(VAM, VAM2, or VAM2+), a Cisco 2600 series router, or a Cisco 3600 series router).
Note
VPN Acceleration Module (VAM) information for your Cisco 7200 series router can be found at
http://www.cisco.com/en/US/products/hw/routers/ps341/products_installation_and_configuration_guides_list.html.
The GRE tunnel is configured on the first serial interface in chassis slot 1 (serial 1/0) of the headquarters
and remote office routers. Fast Ethernet interface 0/0 of the headquarters router is connected to a
corporate server and Fast Ethernet interface 0/1 is connected to a web server. Fast Ethernet interface 0/0
of the remote office router is connected to a PC client.
Figure 3-2 (physical elements of the site-to-site scenario; figure reduced to its labels):
Headquarters gateway (hq-sanjose): Fast Ethernet 0/0 10.1.3.3/24 to the private corporate server 10.1.3.6/24; Fast Ethernet 0/1 10.1.6.4/24 to the public web server 10.1.6.5/24; Serial 1/0 172.17.2.4/24 to the Internet; Tunnel interface 0 172.17.3.3/24.
Remote office gateway: Serial 1/0 172.24.2.5/24 to the Internet; Tunnel interface 1 172.24.3.6/24; Fast Ethernet 0/0 10.1.4.2/24 to PC A 10.1.4.3/24.
The configuration steps in the following sections are for the headquarters router, unless noted otherwise.
Comprehensive configuration examples for both the headquarters and remote office routers are provided
in the Comprehensive Configuration Examples section on page 3-39.
Table 3-1 Physical Elements (site-to-site scenario)

Headquarters Network
| Site | Hardware | WAN IP Address | Ethernet IP Address |
| --- | --- | --- | --- |
| hq-sanjose | Serial interface 1/0 | 172.17.2.4 255.255.255.0 | |
| | Fast Ethernet interface 0/0 | | 10.1.3.3 255.255.255.0 |
| Corporate server | | | 10.1.3.6 |
| Web server | | | 10.1.6.5 |

Remote Office Network
| Site | Hardware | WAN IP Address | Ethernet IP Address |
| --- | --- | --- | --- |
| ro-rtp | Serial interface 1/0 | 172.24.2.5 255.255.255.0 | |
| | Tunnel interface 1 | 172.24.3.6 255.255.255.0 | |
| | Fast Ethernet interface 0/0 | | 10.1.4.2 255.255.255.0 |
| PC A | | | 10.1.4.3 |
Extranet Scenario
The extranet scenario introduced in Figure 3-3 builds on the site-to-site scenario by providing a business
partner access to the same headquarters network. In the extranet scenario, the headquarters and business
partner are connected through a secure IPSec tunnel and the business partner is given access only to the
headquarters public server to perform various IP-based network tasks, such as placing and managing
product orders.
Figure 3-3 Extranet VPN Business Scenario (figure reduced to its labels): the headquarters gateway (hq-sanjose), with the corporate intranet behind it, reaches the remote office network through a GRE tunnel over the Internet (serial lines at each end) and reaches the business partner network through an IPSec tunnel over the Internet (serial lines at each end) terminated on the business partner gateway (bus-ptnr).
Figure 3-4 shows the physical elements of the scenario. As in the site-to-site business scenario, the
Internet provides the core interconnecting fabric between the headquarters and business partner routers.
Like the headquarters office, the business partner is also using a Cisco IOS VPN gateway (a Cisco 7200
series with an Integrated Service Adaptor (ISA) or VAM (VAM, VAM2, or VAM2+), a Cisco 2600 series
router, or a Cisco 3600 series router).
Note
VPN Acceleration Module (VAM) information for your Cisco 7200 series router can be found at
http://www.cisco.com/en/US/products/hw/routers/ps341/products_installation_and_configuration_guides_list.html.
The IPSec tunnel between the two sites is configured on the second serial interface in chassis slot 2
(serial 2/0) of the headquarters router and the first serial interface in chassis slot 1 (serial 1/0) of the
business partner router. Fast Ethernet interface 0/0 of the headquarters router is still connected to a
private corporate server and Fast Ethernet interface 0/1 is connected to a public server. Fast Ethernet
interface 0/0 of the business partner router is connected to a PC client.
Figure 3-4 (physical elements of the extranet scenario; figure reduced to its labels):
Headquarters gateway (hq-sanjose): Fast Ethernet 0/0 10.1.3.3/24 to the private corporate server 10.1.3.6/24; Fast Ethernet 0/1 10.1.6.4/24 to the public web server 10.1.6.5/24; Serial 2/0 172.16.2.2/24 to the Internet; GRE tunnel toward the remote office (PC A); IPSec tunnel across the Internet toward the business partner.
Business partner gateway (bus-ptnr): Serial 1/0 172.23.2.7/24 to the Internet; Fast Ethernet 0/0 10.1.5.2/24 to PC B 10.1.5.3/24.
The configuration steps in the following sections are for the headquarters router, unless noted otherwise.
Comprehensive configuration examples for both the headquarters and business partner routers are
provided in the Comprehensive Configuration Examples section on page 3-39.
Physical Elements (extranet scenario)

Headquarters Network
| Site | Hardware | WAN IP Address | Ethernet IP Address |
| --- | --- | --- | --- |
| hq-sanjose | Serial interface 2/0 | 172.16.2.2 255.255.255.0 | |
| | Fast Ethernet interface 0/0 | | 10.1.3.3 255.255.255.0 |
| | Fast Ethernet interface 0/1 | | 10.1.6.4 255.255.255.0 |
| Corporate server | | | 10.1.3.6 |
| Web server | | | 10.1.6.5 (1) |

Business Partner Network
| Site | Hardware | WAN IP Address | Ethernet IP Address |
| --- | --- | --- | --- |
| bus-ptnr | Serial interface 1/0 | 172.23.2.7 255.255.255.0 | |
| | Fast Ethernet interface 0/0 | | 10.1.5.2 255.255.255.0 |
| PC B | | | 10.1.5.3 |

1. The inside local IP address of the headquarters network public server (10.1.6.5) is translated to inside global IP address 10.2.2.2 in the Step 2 (Configuring Network Address Translation) section on page 3-10.
Passenger protocol, which is the protocol you are encapsulating (AppleTalk, Banyan VINES,
Connectionless Network Service [CLNS], DECnet, IP, or Internetwork Packet Exchange [IPX]).
Carrier protocol, such as the generic routing encapsulation (GRE) protocol or IPSec protocol.
Transport protocol, such as IP, which is the protocol used to carry the encapsulated protocol.
Tunnel packet (figure reduced to its labels): a normal packet (802.3, 802.2, payload) compared with a GRE tunnel packet (Ethernet, IP, GRE, payload), in which the payload is the passenger protocol, GRE is the encapsulation protocol, and IP is the transport protocol.
This section contains basic steps to configure a GRE tunnel and includes the following tasks:
Note
The following procedure assumes the tunnel interface, source, and destination on the remote office
router are configured with the values listed in Table 3-1.
Command
Purpose
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
hq-sanjose(config-if)# exit
hq-sanjose(config)# ip route 10.1.4.0 255.255.255.0 tunnel 0
1. This command changes the state of the tunnel interface from administratively down to up.
Note
When configuring GRE, you must have only Cisco routers or access servers at both ends of the tunnel
connection.
Enter the show interfaces tunnel 0 EXEC command to view the tunnel interface status, configured
IP addresses, and encapsulation type. Both the interface and the interface line protocol should be
up.
ski03_7206#show interfaces tunnel 1
Tunnel1 is up, line protocol is up
Hardware is Tunnel
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 1101:1::1, destination 1501:1::1
Tunnel protocol/transport IPSEC/IPV6
Tunnel TTL 255
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "tunpro")
Last input 00:08:23, output 00:04:28, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 3
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
39 packets input, 22734 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
57 packets output, 30130 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
Try pinging the tunnel interface of the remote office router (this example uses the IP address of
tunnel interface 1 [172.24.3.6]):
hq-sanjose(config)# ping 172.24.3.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.24.3.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
Tip
If you have trouble, make sure you are using the correct IP address and that you enabled the tunnel
interface with the no shutdown command.
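As an added example, not from this guide, the following writes out the complete GRE tunnel configuration that the procedure above builds on hq-sanjose, together with the mirror-image configuration on the remote office router, using the addresses in Table 3-1 and Figure 3-2 (tunnel 0 172.17.3.3/24 on hq-sanjose, tunnel 1 172.24.3.6/24 on ro-rtp, serial 1/0 as the tunnel source on both, and the peer's serial address as the destination). The static routes for the remote LAN and the peer's tunnel subnet are assumptions, as is the route for 10.1.6.0/24.

```cisco
! Added example (not from this guide): the GRE tunnel from Table 3-1 / Figure 3-2,
! hq-sanjose side first, then the remote office (ro-rtp) side. Routes are assumed.
!
! hq-sanjose: tunnel 0 toward the remote office
hq-sanjose(config)# interface tunnel 0
hq-sanjose(config-if)# ip address 172.17.3.3 255.255.255.0
hq-sanjose(config-if)# tunnel source serial 1/0
hq-sanjose(config-if)# tunnel destination 172.24.2.5
hq-sanjose(config-if)# no shutdown
hq-sanjose(config-if)# exit
! Reach the remote office LAN through the tunnel
hq-sanjose(config)# ip route 10.1.4.0 255.255.255.0 tunnel 0
! The guide's figures put the two tunnel ends in different /24s (172.17.3.3 and
! 172.24.3.6), so a route to the peer's tunnel subnet is needed for the ping in
! the text to succeed; a fresh design would give both ends one subnet.
hq-sanjose(config)# ip route 172.24.3.0 255.255.255.0 tunnel 0
!
! ro-rtp: tunnel 1 toward headquarters (mirror image)
ro-rtp(config)# interface tunnel 1
ro-rtp(config-if)# ip address 172.24.3.6 255.255.255.0
ro-rtp(config-if)# tunnel source serial 1/0
ro-rtp(config-if)# tunnel destination 172.17.2.4
ro-rtp(config-if)# no shutdown
ro-rtp(config-if)# exit
! Corporate server LAN, web server LAN (assumed reachable through the tunnel)
! and the headquarters tunnel subnet
ro-rtp(config)# ip route 10.1.3.0 255.255.255.0 tunnel 1
ro-rtp(config)# ip route 10.1.6.0 255.255.255.0 tunnel 1
ro-rtp(config)# ip route 172.17.3.0 255.255.255.0 tunnel 1
!
! Verify from hq-sanjose: interface and line protocol up, then ping the peer
hq-sanjose# show interfaces tunnel 0
hq-sanjose# ping 172.24.3.6
```

A GRE tunnel interface shows line protocol up as soon as a route to the tunnel destination exists, not when the peer is reachable, so the ping is the meaningful check; if it fails while the interface is up, look at the tunnel destination and source addresses first, then at any filtering of IP protocol 47 (GRE) on the path.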
mode protects against traffic analysis; with tunnel mode, an attacker can only determine the tunnel
endpoints and not the true source and destination of the packets passing through the tunnel, even if they
are the same as the tunnel endpoints.
Note
IPSec tunnel mode configuration instructions are described in detail in the Configuring IPSec and IPSec
Tunnel Mode section on page 3-22.
In IPSec transport mode, only the IP payload is encrypted, and the original IP headers are left intact.
(See Figure 3-6.) This mode has the advantage of adding only a few bytes to each packet. It also allows
devices on the public network to see the final source and destination of the packet. With this capability,
you can enable special processing in the intermediate network based on the information in the IP header.
However, the Layer 4 header will be encrypted, limiting the examination of the packet. Unfortunately,
by passing the IP header in the clear, transport mode allows an attacker to perform some traffic analysis.
(See the Defining Transform Sets and Configuring IPSec Tunnel Mode section on page 3-23 for an
IPSec transport mode configuration example.)
Figure 3-6 IPSec Tunnel Mode and Transport Mode (figure: in tunnel mode the original IP header and
data are encrypted and carried behind a new IP header and IPSec header; in transport mode the original
IP header is kept in the clear, followed by the IPSec header and the encrypted data)
NAT is used if you have conflicting private address spaces in the extranet scenario. If you have no
conflicting private address spaces, proceed to the "Step 3: Configuring Encryption and IPSec" section
on page 3-14.
Network Address Translation (NAT) enables private IP internetworks with addresses that are not
globally unique to connect to the Internet by translating those addresses into globally routable address
space. NAT is configured on the router at the border of a stub domain (referred to as the inside network)
and a public network such as the Internet (referred to as the outside network). NAT translates the internal
local addresses to globally unique IP addresses before sending packets to the outside network. NAT also
allows a more graceful renumbering strategy for organizations that are changing service providers or
voluntarily renumbering into classless interdomain routing (CIDR) blocks.
This section only explains how to configure static translation to translate internal local IP addresses into
globally unique IP addresses before sending packets to an outside network, and includes the following
tasks:
Static translation establishes a one-to-one mapping between your internal local address and an inside
global address. Static translation is useful when a host on the inside must be accessible by a fixed address
from the outside.
Note
Inside local address: The IP address that is assigned to a host on the inside network. The address
is probably not a legitimate IP address assigned by the Network Information Center (NIC) or service
provider.
Inside global address: A legitimate IP address (assigned by the NIC or service provider) that
represents one or more inside local IP addresses to the outside world.
Outside local address: The IP address of an outside host as it appears to the inside network. Not
necessarily a legitimate address, it was allocated from address space routable on the inside.
Outside global address: The IP address assigned to a host on the outside network by the host
owner. The address was allocated from a globally routable address or network space.
Figure 3-7 illustrates a router that is translating a source address inside a network to a source address
outside the network.
Figure 3-7 NAT Inside Source Translation (figure: inside Host 10.1.1.1 sends a packet with SA 10.1.1.1
through the router's inside interface; on the outside interface the router rewrites the SA to 10.2.2.2 and
forwards the packet across the Internet to Host B 10.6.7.3; the reply with DA 10.2.2.2 is translated back
to DA 10.1.1.1; callouts 1 through 5 mark the stages of the exchange)
NAT table:
Inside local IP address    Inside global IP address
10.1.1.1                   10.2.2.2
10.1.1.2                   10.2.2.3
The following process describes inside source address translation, as shown in Figure 3-7:
1. The first packet that the router receives from Host 10.1.1.1 causes the router to check its NAT table.
If a static translation entry was configured, the router goes to Step 3.
2. If no translation entry exists, the router determines that source address (SA) 10.1.1.1 must be
translated dynamically, selects a legal, global address from the dynamic address pool, and creates a
translation entry. This type of entry is called a simple entry.
3. The router replaces the inside local source address of Host 10.1.1.1 with the translation entry global
address, and forwards the packet.
4. Host B receives the packet and responds to Host 10.1.1.1 by using the inside global IP destination
address (DA) 10.2.2.2.
5. When the router receives the packet with the inside global IP address, it performs a NAT table
lookup by using the inside global address as a key. It then translates the address to the inside local
address of Host 10.1.1.1 and forwards the packet to Host 10.1.1.1.
6. Host 10.1.1.1 receives the packet and continues the conversation. The router performs Steps 2
through 5 for each packet.
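The six-step exchange above, as an added Python model that is not code from this guide: a router object holds the static NAT table from Figure 3-7 plus a small dynamic pool, translates the outbound packet, reverse-translates the reply by its inside global address, creates a simple entry for a host that has no static mapping, and drops an inbound packet whose destination has no translation. The pool addresses 10.2.2.10 and 10.2.2.11 and the host 10.1.1.7 are constructed values.

```python
"""Inside source address translation, modelled on the six-step process
described for Figure 3-7. Added example; not code from the Cisco guide."""


class NatRouter:
    """Minimal model of a NAT border router.

    static: inside local -> inside global mappings, as configured with
            `ip nat inside source static <local> <global>`.
    pool:   inside global addresses available for dynamic translation
            (constructed for this example).
    """

    def __init__(self, static, pool):
        self.table = dict(static)                        # inside local -> inside global
        self.by_global = {g: l for l, g in self.table.items()}
        self.free_pool = list(pool)

    def _lookup_or_allocate(self, inside_local):
        # Step 1: consult the NAT table; a configured static entry is used as-is.
        if inside_local in self.table:
            return self.table[inside_local]
        # Step 2: no entry exists, so take a global address from the dynamic
        # pool and record a "simple entry" for this host.
        if not self.free_pool:
            raise RuntimeError("dynamic NAT pool exhausted")
        inside_global = self.free_pool.pop(0)
        self.table[inside_local] = inside_global
        self.by_global[inside_global] = inside_local
        return inside_global

    def inside_to_outside(self, packet):
        """Step 3: rewrite the source address of a packet leaving the inside."""
        return {**packet, "sa": self._lookup_or_allocate(packet["sa"])}

    def outside_to_inside(self, packet):
        """Step 5: look the inside global destination up as the key and rewrite
        it to the inside local address. Returns None (dropped) if no entry exists."""
        inside_local = self.by_global.get(packet["da"])
        if inside_local is None:
            return None
        return {**packet, "da": inside_local}

    def translations(self):
        """What `show ip nat translations` would list: (inside local, inside global)."""
        return sorted(self.table.items())


def run_conversation():
    """Walk the Figure 3-7 exchange between Host 10.1.1.1 and Host B (10.6.7.3)."""
    router = NatRouter(static={"10.1.1.1": "10.2.2.2", "10.1.1.2": "10.2.2.3"},
                       pool=["10.2.2.10", "10.2.2.11"])
    outbound = router.inside_to_outside({"sa": "10.1.1.1", "da": "10.6.7.3"})   # Steps 1 and 3
    reply = router.outside_to_inside({"sa": "10.6.7.3", "da": outbound["sa"]})  # Steps 4 and 5
    dynamic = router.inside_to_outside({"sa": "10.1.1.7", "da": "10.6.7.3"})    # Step 2: simple entry
    again = router.inside_to_outside({"sa": "10.1.1.7", "da": "10.6.7.3"})      # reuses that entry
    stray = router.outside_to_inside({"sa": "10.6.7.3", "da": "10.2.2.99"})     # no entry: dropped
    return {"outbound": outbound, "reply": reply, "dynamic": dynamic,
            "again": again, "stray": stray, "table": router.translations()}


if __name__ == "__main__":
    for name, value in run_conversation().items():
        print(f"{name}: {value}")
```

The inbound drop is the point a defender cares about: a packet arriving from the outside for an inside global address with no table entry has nothing to be translated to and is discarded rather than forwarded.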
Steps 1 through 5: command and purpose columns not recovered.
Step 6: hq-sanjose(config-if)# exit
hq-sanjose(config)#
The previous steps are the minimum you must configure for static inside source address translation. You
could configure multiple inside and outside interfaces.
Enter the show ip nat translations verbose EXEC command to see the global and local address
translations and to confirm static translation is configured.
Enter the show running-config EXEC command to see the inside and outside interfaces, global and
local address translations, and to confirm static translation is configured (display text has been
omitted from the following sample output for clarity).
Note
You can configure a static crypto map, create a dynamic crypto map, or add a dynamic crypto map into
a static crypto map. Refer to the Configuring Crypto Maps section on page 3-24.
Optionally, you can configure CA interoperability. This guide does not explain how to configure CA
interoperability on your Cisco 7200 series router. Refer to the IP Security and Encryption part of the
Security Configuration Guide and the Cisco IOS Security Command Reference publication for detailed
information on configuring CA interoperability. See the Related Documentation section on page xi for
additional information on how to access these publications.
Note
This section only contains basic configuration information for enabling encryption and IPSec tunneling
services. Refer to the IP Security and Encryption part of the Cisco IOS Security Configuration
Guide and the Security Command Reference publications for detailed configuration information on
IPSec, IKE, and CA. See Related Documentation section on page xi for information on how to access
these publications.
Refer to the Integrated Service Adapter and Integrated Service Module Installation and Configuration
publication for detailed configuration information on the ISM.
Note
The default policy and the default values for configured policies do not show up in the configuration
when you issue a show running-config EXEC command. Instead, to see the default policy and any
default values within configured policies, use the show crypto isakmp policy EXEC command.
This section contains basic steps to configure IKE policies and includes the following tasks:
Steps 1 through 4: command and purpose columns not recovered.
Step 5: hq-sanjose(config-isakmp)# authentication pre-share
Step 6: hq-sanjose(config-isakmp)# group 1
Step 7: not recovered.
Step 8: hq-sanjose(config-isakmp)# exit
hq-sanjose(config)#
The certificates are used by each peer to securely exchange public keys. (RSA signatures require
that each peer has the remote peer's public signature key.) When both peers have valid certificates,
they will automatically exchange public keys with each other as part of any IKE negotiation in which
RSA signatures are used.
(The peers' public keys are exchanged during the RSA-signatures-based IKE negotiations.)
To make this happen, specify two policies: a higher-priority policy with RSA encrypted nonces,
and a lower-priority policy with RSA signatures. When IKE negotiations occur, RSA signatures
will be used the first time because the peers do not yet have each other's public keys. Then,
future IKE negotiations will be able to use RSA-encrypted nonces because the public keys will
have been exchanged.
Of course, this alternative requires that you have CA support configured.
If RSA encryption is configured and signature mode is negotiated, the peer will request both signature
and encryption keys. Basically, the router will request as many keys as the configuration will support. If
RSA encryption is not configured, it will just request a signature key.
Set each peer's ISAKMP identity. Each peer's identity should be set to either its host name or its IP
address. By default, a peer's identity is set to its IP address.
Step 2
Specify the shared keys at each peer. Note that a given pre-shared key is shared between two peers. At
a given peer, you could specify the same key to share with multiple remote peers; however, a more secure
approach is to specify different keys to share between different pairs of peers.
Note
The following procedure is based on the Site-to-Site Scenario section on page 3-2. However, the same
configuration commands can be used in an extranet scenario.
To specify pre-shared keys at a peer, complete the following steps in global configuration mode:
Note
Set an ISAKMP identity whenever you specify pre-shared keys. The address keyword is typically used
when there is only one interface (and therefore only one IP address) that will be used by the peer for IKE
negotiations, and the IP address is known. Use the hostname keyword if there is more than one interface
on the peer that might be used for IKE negotiations, or if the interface IP address is unknown (such as
with dynamically-assigned IP addresses).
Configuring the Cisco 7200 Series Router for Digital Certificate Interoperability
To configure your Cisco 7200 series router to use digital certificates as the authentication method, use
the following steps, beginning in global configuration mode. This configuration assumes the use of the
IOS default ISAKMP policy, which uses DES, SHA, RSA signatures, Diffie-Hellman group 1, and a
lifetime of 86,400 seconds. Cisco recommends using 3DES. Refer to the Creating IKE Policies section
on page 3-16 for an ISAKMP configuration example which specifies 3DES as the encryption method.
Note
This example only configures the head-end Cisco 7200 series router. Additionally, each peer must be
enrolled with a CA. This configuration example does not configure the CA. CA configuration
instructions should be obtained from your CA vendor.
Steps 1 through 7: command and purpose columns not recovered.
Step 8: hq-sanjose(ca-identity)# exit
Enter the show crypto isakmp policy EXEC command to see the default policy and any default
values within configured policies.
Note
Although the above output shows no volume limit for the lifetime, you can currently only configure a
time lifetime (such as 86400 seconds); volume limit lifetimes are not configurable.
Tip
If you have trouble, use the show version command to ensure your Cisco 7200 series router is running
a Cisco IOS software image that supports crypto.
ski03_7206#show version
Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-JK9O3S-M), Version 12.3(3), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Mon 28-Jul-03 15:45 by dchih
Image text-base: 0x60008954, data-base: 0x6219E000
ROM: System Bootstrap, Version 12.1(20000710:044039) [nlaw-121E_npeb 117], DEVELOPMENT SOFTWARE
BOOTLDR: 7200 Software (C7200-KBOOT-M), Version 12.1(8a)E, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
m5-7206 uptime is 0 minutes
System returned to ROM by reload at 22:20:24 UTC Wed Aug 13 2003
System image file is "tftp://17.8.16.70/images/c7200-jk9o3s-mz.123-3"
Last reload reason: Reload command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
cisco 7206VXR (NPE400) processor (revision A) with 229376K/32768K bytes of memory.
Processor board ID 21281666
R7000 CPU at 350Mhz, Implementation 39, Rev 3.2, 256KB L2, 4096KB L3 Cache
6 slot VXR midplane, Version 2.1
Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
PCI bus mb0_mb1 has 640 bandwidth points
PCI bus mb2 has 270 bandwidth points
WARNING: PCI bus mb0_mb1 Exceeds 600 bandwidth points
4 Ethernet/IEEE 802.3 interface(s)
2 FastEthernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
1 ATM network interface(s)
1 Integrated service adapter(s)
125K bytes of non-volatile configuration memory.
125440K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
8192K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x0
Set each peer's Internet Security Association and Key Management Protocol (ISAKMP) identity. Each
peer's identity should be set to either its host name or its IP address. By default, a peer's identity is set
to its IP address. In this scenario, you only need to complete this task at the business partner router.
Step 2
Specify the shared keys at each peer. Note that a given pre-shared key is shared between two peers. At
a given peer, you could specify the same key to share with multiple remote peers; however, a more secure
approach is to specify different keys to share between different pairs of peers.
Note
The following procedure is based on the Extranet Scenario section on page 3-4.
To configure a different pre-shared key for use between the headquarters router and the business partner
router, complete the following steps in global configuration mode:
Note
Set an ISAKMP identity whenever you specify pre-shared keys. The address keyword is typically used
when there is only one interface (and therefore only one IP address) that will be used by the peer for IKE
negotiations, and the IP address is known. Use the hostname keyword if there is more than one interface
on the peer that might be used for IKE negotiations, or if the interface IP address is unknown (such as
with dynamically-assigned IP addresses).
Note
IKE uses User Datagram Protocol (UDP) port 500. The IPSec encapsulating security payload (ESP) and
authentication header (AH) protocols use IP protocol numbers 50 and 51. Ensure that your access lists
are configured so that IP protocols 50 and 51 and UDP port 500 traffic are not blocked at interfaces used
by IPSec. In some cases, you might need to add a statement to your access lists to explicitly permit this
traffic. Crypto access lists use the same format as standard access lists. However, in a crypto access list
the permit command instructs the router to encrypt data, and the deny command instructs the router
to allow unencrypted data.
1. You specify conditions using an IP access list designated by either a number or a name. The access-list command designates a numbered extended access
list; the ip access-list extended command designates a named access list.
Enter the show access-lists 111 EXEC command to see the access list attributes.
Tip
If you have trouble, make sure you are specifying the correct access list number.
Steps 1 and 2: command and purpose columns not recovered.
Step 3: hq-sanjose(cfg-crypto-trans)# exit
hq-sanjose(config)#
1. AH = authentication header. This header, when added to an IP datagram, ensures the integrity and authenticity of the data, including the
invariant fields in the outer IP header. It does not provide confidentiality protection. AH uses a keyed-hash function rather than digital
signatures.
2. ESP = encapsulating security payload. This header, when added to an IP datagram, protects the confidentiality, integrity, and authenticity of
the data. If ESP is used to validate data integrity, it does not include the invariant fields in the IP header.
Note
AH and ESP can be used independently or together, although for most applications just one of them is
sufficient. For both of these protocols, IPSec does not define the specific security algorithms to use, but
rather, provides an open framework for implementing industry-standard algorithms.
Enter the show crypto ipsec transform-set EXEC command to see the type of transform set
configured on the router.
The crypto map entries must contain compatible crypto access lists (for example, mirror image
access lists). In the case where the responding peer is using dynamic crypto maps, the entries in the
local crypto access list must be permitted by the peer's crypto access list.
The crypto map entries must each identify the other peer (unless the responding peer is using
dynamic crypto maps).
The crypto map entries must have at least one transform set in common.
When IKE is used to establish SAs, the IPSec peers can negotiate the settings they will use for the new
SAs. This means that you can specify lists (such as lists of acceptable transforms) within the crypto map
entry.
After you have completed configuring IPSec at each participating IPSec peer, configure crypto map
entries and apply the crypto maps to interfaces.
The task of configuring IPSec at each peer can be eased by using dynamic crypto maps. By
configuring the head-end Cisco 7200 series router with a dynamic map and the peers with static maps,
a peer is permitted to establish an IPSec security association even though the router does not have
a crypto map entry specifically configured to meet all of that remote peer's requirements.
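Two checks that follow from the note on IKE, ESP and AH traffic (page 3-22) and from the crypto map compatibility rules above, as an added Python example that is not code from this guide: it parses numbered extended access-list lines, verifies that the crypto access lists of two peers are mirror images of each other, and probes an interface access list with the packets IPSec needs inbound (UDP port 500, IP protocol 50, IP protocol 51). Access list 111 and the peer addresses come from the extranet scenario; the access list 120 entries and the widened partner entry are constructed. Only the host, any and wildcard-mask address forms and the eq port operator are modelled.

```python
"""Access-list checks relevant to IPSec: mirror-image crypto access lists
and an interface access list that must pass IKE/ESP/AH. Added example;
not code from the Cisco guide."""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Ace:
    """One entry of a numbered extended IP access list."""
    action: str           # "permit" or "deny"
    proto: str            # ip, tcp, udp, gre, esp, ahp
    src: IPv4Network
    dst: IPv4Network
    sport: Optional[int]  # only the "eq N" operator is modelled
    dport: Optional[int]


def _parse_addr(tokens):
    """Consume an address spec: 'any', 'host A', or 'A wildcard-mask'."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask has 1 bits for "don't care"; invert it to a netmask.
    netmask = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    prefix = bin(netmask).count("1")
    return ip_network(f"{addr}/{prefix}", strict=False), tokens[2:]


def _parse_port(tokens):
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_access_lists(config_text):
    """Return {number: [Ace, ...]} from 'access-list N permit|deny ...' lines."""
    acls = {}
    pattern = re.compile(r"\s*access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(.*)")
    for line in config_text.splitlines():
        m = pattern.match(line)
        if not m:
            continue
        number, action, proto, rest = m.groups()
        tokens = rest.split()
        src, tokens = _parse_addr(tokens)
        sport, tokens = _parse_port(tokens)
        dst, tokens = _parse_addr(tokens)
        dport, tokens = _parse_port(tokens)
        acls.setdefault(int(number), []).append(Ace(action, proto, src, dst, sport, dport))
    return acls


def matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False
    if ip_address(pkt["src"]) not in ace.src or ip_address(pkt["dst"]) not in ace.dst:
        return False
    if ace.sport is not None and ace.sport != pkt.get("sport"):
        return False
    if ace.dport is not None and ace.dport != pkt.get("dport"):
        return False
    return True


def evaluate(aces, pkt):
    """First matching entry decides; every access list ends with an implicit deny."""
    for ace in aces:
        if matches(ace, pkt):
            return ace.action
    return "deny"


def mirror(ace):
    return Ace(ace.action, ace.proto, ace.dst, ace.src, ace.dport, ace.sport)


def is_mirror_image(local_aces, remote_aces):
    """Crypto access lists: each traffic selector one peer protects must be
    exactly the reverse of one the other peer protects."""
    return {mirror(a) for a in local_aces if a.action == "permit"} == \
           {a for a in remote_aces if a.action == "permit"}


def ipsec_traffic_allowed(aces, local_peer, remote_peer):
    """Probe an interface access list with the inbound packets IPSec needs."""
    probes = {
        "ike": {"proto": "udp", "src": remote_peer, "dst": local_peer, "sport": 500, "dport": 500},
        "esp": {"proto": "esp", "src": remote_peer, "dst": local_peer},
        "ahp": {"proto": "ahp", "src": remote_peer, "dst": local_peer},
    }
    return {name: evaluate(aces, p) == "permit" for name, p in probes.items()}


# Constructed fragments using the extranet scenario addresses (access list 120 is invented).
HQ_CONFIG = """
access-list 111 permit ip host 10.2.2.2 host 10.1.5.3
access-list 120 permit udp host 172.23.2.7 host 172.16.2.2 eq 500
access-list 120 permit esp host 172.23.2.7 host 172.16.2.2
access-list 120 deny ip any any
"""
PARTNER_CONFIG = "access-list 111 permit ip host 10.1.5.3 host 10.2.2.2\n"
PARTNER_TOO_WIDE = "access-list 111 permit ip 10.1.5.0 0.0.0.255 host 10.2.2.2\n"
```

With the constructed access list 120, IKE and ESP pass but AH does not: the list has no entry for IP protocol 51, so the implicit deny at the end applies. That is the case the note warns about, where an explicit permit statement must be added if AH transforms are in use.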
This section contains basic steps to configure crypto maps and includes the following tasks:
Steps 1 through 5: command and purpose columns not recovered.
Step 6: hq-sanjose(config-crypto-map)# exit
hq-sanjose(config)#
To create dynamic crypto map entries that will use IKE to establish the SAs, complete the following
steps, starting in global configuration mode:
Steps 1 through 4: command and purpose columns not recovered.
Step 5: hq-sanjose(config-crypto-map)# set security-association lifetime seconds seconds
and/or
hq-sanjose(config-crypto-map)# set security-association lifetime kilobytes kilobytes
Step 6: hq-sanjose(config-crypto-map)# exit
hq-sanjose(config)#
Enter the show crypto map EXEC command to see the crypto map entries configured on the router.
In the following example, peer 172.23.2.7 is the IP address of the remote IPSec peer. Extended IP
access list 111 lists the access list associated with the crypto map. Current peer indicates the
current IPSec peer. Security-association lifetime indicates the lifetime of the SA.
PFS N indicates that IPSec will not negotiate perfect forward secrecy when establishing new SAs
for this crypto map. Transform sets indicates the name of the transform set that can be used with
the crypto map.
Tip
If you have trouble, make sure you are using the correct IP addresses.
Steps 1, 2, and 4: command and purpose columns not recovered.
Step 3: hq-sanjose(config-if)# exit
hq-sanjose(config)#
Enter the show crypto map interface serial 2/0 EXEC command to see the crypto maps applied to
a specific interface.
You configure QoS features throughout a network to provide for end-to-end QoS delivery. The following
three components are necessary to deliver QoS across a heterogeneous network:
QoS within a single network element, which includes queuing, scheduling, and traffic shaping
features.
QoS signaling techniques for coordinating QoS from end-to-end between network elements.
QoS policing and management functions to control and administer end-to-end traffic across a
network.
Not all QoS techniques are appropriate for all network routers. Because edge routers and backbone
routers in a network do not necessarily perform the same operations, the QoS tasks they perform might
differ as well.
In general, edge routers perform the following QoS functions:
Bandwidth management
Congestion management
Congestion avoidance
Cisco IOS QoS service models, features, and sample configurations are explained in detail in the Quality
of Service Solutions Configuration Guide and the Quality of Service Solutions Command Reference.
Refer to these two publications as you plan and implement a QoS strategy for your VPN, because there
are various QoS service models and features that you can implement on your VPN. See Related
Documentation section on page xi for information on how to access these publications.
This section contains basic steps to configure QoS weighted fair queuing (WFQ), which applies priority
(or weights) to identified traffic on the GRE tunnel you configured in the "Step 1: Configuring the
Tunnel" section on page 3-6. This section also contains basic steps to configure Network-Based
Application Recognition (NBAR), which is a classification engine that recognizes a wide variety of
applications, including web-based and other protocols that use dynamic TCP/UDP port assignments.
This section includes the following topics:
Note
You must enable Cisco Express Forwarding (CEF) before you configure NBAR. For more information
on CEF, refer to the Cisco IOS Release 12.0 configuration guide titled Cisco IOS Switching Services
Configuration Guide.
1. When neither match-all nor match-any is specified, the default is match-all. Use the no class-map command to disable the class map. Use
the no match-all and no match-any commands to disable these commands within the class map. Use the match not command to configure
a match that evaluates to true if the packet does not match the specified protocol.
Step 1: Router(config)# policy-map policy-name
Steps 2 through 6: command and purpose columns not recovered.
Step 7: Router(config-pmap-c)# random-detect
Step 8: not recovered.
Use the no policy-map command to deconfigure the policy map. Use the no bandwidth, no police,
no set, and no random-detect commands to disable these commands within the policy map.
Use the no service-policy [input | output] policy-map-name command to detach a policy map from an
interface.
Step 1: command and purpose columns not recovered.
Step 2: hq-sanjose(config-if)# fair-queue
Step 3: hq-sanjose(config-if)# exit
hq-sanjose(config)#
Enter the show interfaces serial 1/0 fair-queue EXEC command to see information on the interface
that is configured for WFQ.
Enter the show interfaces serial 1/0 EXEC command to verify the queuing for the interface is WFQ.
Note
Although CBWFQ supports the use of WRED, this guide does not include WRED configuration
procedures. For more information on using WRED with CBWFQ, refer to the Cisco IOS Release 12.2
Configuration Guide Master Index.
If a default class is configured, all unclassified traffic is treated as belonging to the default class. If no
default class is configured, then by default the traffic that does not match any of the configured classes
is flow classified and given best-effort treatment. Once a packet is classified, all of the standard
mechanisms that can be used to differentiate service among the classes apply.
Flow classification is standard WFQ treatment. That is, packets with the same source IP address,
destination IP address, source Transmission Control Protocol (TCP) or User Datagram Protocol (UDP)
port, or destination TCP or UDP port are classified as belonging to the same flow. WFQ allocates an
equal share of bandwidth to each flow. Flow-based WFQ is also called fair queueing because all flows
are equally weighted.
For CBWFQ, which extends the standard WFQ, the weight specified for the class becomes the weight
of each packet that meets the match criteria of the class. Packets that arrive at the output interface are
classified according to the match criteria filters you define, then each one is assigned the appropriate
weight.
The weight for a packet belonging to a specific class is derived from the bandwidth you assigned to the
class when you configured it; in this sense the weight for a class is user-configurable.
After a packet's weight is assigned, the packet is enqueued in the appropriate class queue. CBWFQ uses
the weights assigned to the queued packets to ensure that the class queue is serviced fairly.
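The flow classification, the class-map matching semantics (match-all, match-any and match not, as in the footnote on page 3-30) and the bandwidth-derived class weights described above, as an added Python scheduling model that is not code from this guide: each packet is given a virtual finish time from its length and its queue's weight, and the packet with the smallest finish time is sent next, so every backlogged queue receives bandwidth in proportion to its weight. The packet addresses and ports are constructed; the class bandwidths of 64 and 192 kbps and the virtual-time update rule (finish time of the last packet sent) are assumptions of this model, not a description of IOS internals.

```python
"""Flow-based WFQ and class-based WFQ (CBWFQ) scheduling model.
Added example; not code from the Cisco guide."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    length: int  # bytes


def flow_key(p):
    """Standard WFQ flow classification: same source and destination address
    and same source and destination port means the same flow."""
    return (p.src, p.dst, p.sport, p.dport)


class ClassMap:
    """Models `class-map match-all|match-any NAME` and its match statements.
    Each predicate is (negated, fn); negated=True models `match not`."""

    def __init__(self, name, predicates, mode="match-all"):
        self.name, self.predicates, self.mode = name, predicates, mode

    def matches(self, p):
        results = [fn(p) != negated for negated, fn in self.predicates]
        return all(results) if self.mode == "match-all" else any(results)


class FairScheduler:
    """Weighted fair queueing by virtual finish time.

    A packet of L bytes entering a queue with weight w gets finish time
    F = max(V, F_last[queue]) + L / w, where V is the virtual time (here the
    finish time of the last packet sent; an assumption of this model). The
    head packet with the smallest F is sent next, so each backlogged queue
    gets a share proportional to its weight. Equal weights per flow is plain
    WFQ; weights taken from the configured class bandwidth is CBWFQ.
    """

    def __init__(self):
        self.queues = defaultdict(deque)
        self.last_finish = defaultdict(float)
        self.vtime = 0.0

    def enqueue(self, key, pkt, weight):
        start = max(self.vtime, self.last_finish[key])
        finish = start + pkt.length / weight
        self.last_finish[key] = finish
        self.queues[key].append((finish, pkt))

    def dequeue(self):
        backlogged = [k for k, q in self.queues.items() if q]
        if not backlogged:
            return None
        key = min(backlogged, key=lambda k: self.queues[k][0][0])
        finish, pkt = self.queues[key].popleft()
        self.vtime = max(self.vtime, finish)
        return key, pkt


def served_bytes(scheduler, n):
    """Send up to n packets and return the bytes transmitted per queue key."""
    out = defaultdict(int)
    for _ in range(n):
        item = scheduler.dequeue()
        if item is None:
            break
        key, pkt = item
        out[key] += pkt.length
    return dict(out)


def wfq(packets, n):
    """Flow-based WFQ: one queue per flow, all flows weighted equally."""
    s = FairScheduler()
    for p in packets:
        s.enqueue(flow_key(p), p, weight=1.0)
    return served_bytes(s, n)


def cbwfq(classes, default_bandwidth_kbps, packets, n):
    """CBWFQ: the first matching class wins and its configured bandwidth is the
    queue weight; traffic that matches no class goes to class-default."""
    s = FairScheduler()
    for p in packets:
        for cmap, bandwidth_kbps in classes:
            if cmap.matches(p):
                s.enqueue(cmap.name, p, weight=bandwidth_kbps)
                break
        else:
            s.enqueue("class-default", p, weight=default_bandwidth_kbps)
    return served_bytes(s, n)


# Constructed sample traffic: a UDP flow and an HTTP flow, 100 packets of 1000 bytes each.
UDP_FLOW = [Packet("10.1.4.3", "10.1.3.6", "udp", 40000, 9000, 1000) for _ in range(100)]
WEB_FLOW = [Packet("10.1.4.3", "10.1.6.5", "tcp", 40001, 80, 1000) for _ in range(100)]
MIXED = [p for pair in zip(UDP_FLOW, WEB_FLOW) for p in pair]

UDP_CLASS = ClassMap("udp-traffic", [(False, lambda p: p.proto == "udp")])
WEB_CLASS = ClassMap("web-traffic", [(False, lambda p: p.dport == 80)], mode="match-any")
NOT_UDP = ClassMap("not-udp", [(True, lambda p: p.proto == "udp")])  # `match not` example
```

With both queues permanently backlogged, plain WFQ splits the first 40 transmissions evenly between the two flows, while CBWFQ with bandwidths of 64 and 192 kbps serves them 1:3, which is the weight-from-bandwidth behaviour the text describes.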
The following tasks are required to configure CBWFQ:
Note
Attaching a service policy to an interface disables WFQ on that interface if WFQ is configured for the
interface. For this reason, you should ensure that WFQ is not enabled on such an interface. For additional
information on WFQ, see the "Configuring Weighted Fair Queueing" chapter of the Cisco IOS Release
12.0 Quality of Service Solutions Configuration Guide.
Steps 1 and 2: command and purpose columns not recovered.
Step 3: hq-sanjose(config-pmap-c)# bandwidth bandwidth-kbps
Step 4: hq-sanjose(config-pmap-c)# queue-limit number-of-packets
Step 5: not recovered.
Step 6: hq-sanjose(config-pmap-c)# bandwidth bandwidth-kbps
Step 7: hq-sanjose(config-pmap-c)# queue-limit number-of-packets
Note
When CBWFQ is enabled, all classes configured as part of the service policy map are installed in the
fair queueing system.
Note
The Cisco Secure PIX Firewall can be used as an alternative to Cisco IOS firewall features. For detailed
information on the Cisco Secure PIX Firewall, refer to the Cisco Secure PIX Firewall documentation.
Note
Although Cisco 7200 series routers support intrusion detection features, intrusion detection
configuration procedures are not explained in this guide. For detailed information on intrusion detection,
refer to the Intrusion Detection Planning Guide.
You can use Cisco IOS firewall features to configure your Cisco IOS router as:
A firewall between your company network and your company partners' networks
At a minimum, you must configure basic traffic filtering to provide a basic firewall. You can configure
your Cisco 7200 series router to function as a firewall by using the following Cisco IOS security features:
TCP intercept
Event logging
Refer to the Traffic Filtering and Firewalls part of the Cisco IOS Security Configuration Guide and
the Cisco IOS Security Command Reference for advanced firewall configuration information. For
information on how to access these documents, see Related Documentation section on page xi.
This section explains how to configure an extended access list, which is a sequential collection of permit
and deny conditions that apply to an IP address.
This section includes the following topics:
Note
The extended access list configuration explained in this section is different from the crypto access list
configuration explained in the Creating Crypto Access Lists section on page 3-22. Crypto access lists
are used to define which IP traffic is or is not protected by crypto, while an extended access list is used
to determine which IP traffic to forward or block at an interface.
The simplest connectivity to the Internet is to use a single device to provide the connectivity and firewall
function to the Internet. With everything in a single device, it is easy to handle address translation and
termination of the VPN tunnels. Complexity arises when you need to add extra Cisco 7200 series routers
to the network. This normally leads people into building a network where the corporate network touches
the Internet through a network called the DMZ, or demilitarized zone.
Step 1: Define access list 102 and configure the access list to deny all TCP traffic.
Steps 1 through 3: command and purpose columns not recovered.
Step 4: hq-sanjose(config-if)# exit
hq-sanjose(config)#
For inbound access lists, after receiving a packet, the Cisco IOS software checks the source address of
the packet against the access list. If the access list permits the address, the software continues to process
the packet. If the access list rejects the address, the software discards the packet and returns an ICMP
Host Unreachable message.
For outbound access lists, after receiving and routing a packet to a controlled interface, the software
checks the destination address of the packet against the access list. If the access list permits the address,
the software transmits the packet. If the access list rejects the address, the software discards the packet
and returns an ICMP Host Unreachable message.
When you apply an access list that has not yet been defined to an interface, the software acts as if the
access list has not been applied to the interface and will accept all packets. Be aware of this behavior if
you rely on undefined access lists as a means of security in your network.
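A check for the undefined-access-list behaviour described above, as an added Python example that is not code from this guide: it reads the ip access-group statements under each interface and the access-list definitions from a running configuration and reports every interface whose applied list does not exist, since the software then accepts all packets on it. The sample configuration is constructed from the site-to-site addresses; access list 150 is deliberately left undefined.

```python
"""Audit a running configuration for access groups that reference an access
list which is never defined (IOS then accepts all packets on that interface).
Added example; not code from the Cisco guide."""
import re


def parse_access_groups(config_text):
    """Return (defined, applied): the set of defined access-list numbers or
    names, and a list of (interface, direction, list) from `ip access-group`."""
    defined = set()
    applied = []
    interface = None
    for line in config_text.splitlines():
        if not line.startswith(" "):
            interface = None                      # left the interface sub-mode
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            interface = m.group(1)
            continue
        m = re.match(r"access-list\s+(\d+)\s", line)  # numbered list entry
        if m:
            defined.add(m.group(1))
            continue
        m = re.match(r"ip access-list\s+(?:standard|extended)\s+(\S+)", line)  # named list
        if m:
            defined.add(m.group(1))
            continue
        m = re.match(r"\s+ip access-group\s+(\S+)\s+(in|out)\b", line)
        if m and interface:
            applied.append((interface, m.group(2), m.group(1)))
    return defined, applied


def undefined_access_groups(config_text):
    """Interfaces filtering with a list that does not exist (effectively permit-all)."""
    defined, applied = parse_access_groups(config_text)
    return [(intf, direction, acl) for intf, direction, acl in applied if acl not in defined]


def access_groups_on(config_text, interface):
    """What `show ip interface <interface>` reports as the inbound/outbound lists."""
    _, applied = parse_access_groups(config_text)
    return {direction: acl for intf, direction, acl in applied if intf == interface}


# Constructed running-config fragment; access list 150 is never defined.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 10.1.3.3 255.255.255.0
 ip access-group 102 in
!
interface Serial1/0
 ip address 172.17.2.4 255.255.255.0
 ip access-group 102 in
 ip access-group 150 out
!
access-list 101 permit gre host 172.17.2.4 host 172.24.2.5
access-list 102 deny tcp any any
access-list 102 permit ip any any
!
end
"""

if __name__ == "__main__":
    for intf, direction, acl in undefined_access_groups(SAMPLE_CONFIG):
        print(f"{intf} {direction}: access list {acl} is applied but not defined (permits all)")
```

Run this against the output of show running-config after applying access lists; any line it prints is an interface that looks filtered in the configuration but is not.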
Enter the show ip interface serial 1/0 EXEC command to confirm the access list is applied correctly
(inbound and outbound) on the interface.
Tip
If you have trouble, ensure that you specified the correct interface when you applied the access list.
Site-to-Site Scenario
The following sample configuration is based on the physical elements shown in Figure 3-8:
Figure 3-8 Site-to-Site Scenario Physical Elements (figure: headquarters gateway hq-sanjose with
Fast Ethernet 0/0 10.1.3.3/24, Fast Ethernet 0/1 10.1.6.4/24, Serial 1/0 172.17.2.4/24, and Tunnel
interface 0 172.17.3.3/24, with the private corporate server 10.1.3.6/24 and the public web server
10.1.6.5/24 behind it; across the Internet, the remote office router with Serial 1/0 172.24.2.5/24, Tunnel
interface 1 172.24.3.6/24, and Fast Ethernet 0/0 10.1.4.2/24, with PC A at 10.1.4.3/24)
cablelength 10
dsu bandwidth 44210
clock source internal
no cdp enable
crypto map s1first
!
ip route 10.1.4.0 255.255.255.0 Tunnel0
!
access-list 101 permit gre host 172.17.2.4 host 172.24.2.5
!
line con 0
transport input none
line aux 0
line vty 0 4
login
!
end
no ip directed-broadcast
no keepalive
full-duplex
no cdp enable
!
interface Serial1/0
ip address 172.24.2.5 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
no keepalive
fair-queue 64 256 0
framing c-bit
cablelength 10
dsu bandwidth 44210
clock source internal
no cdp enable
crypto map s1first
!
ip route 10.1.3.0 255.255.255.0 Tunnel1
ip route 10.1.6.0 255.255.255.0 Tunnel1
!
access-list 101 permit gre host 172.24.2.5 host 172.17.2.4
!
line con 0
transport input none
line aux 0
line vty 0 4
login
!
end
Extranet Scenario
The following sample configuration is based on the physical elements shown in Figure 3-9:
Figure 3-9 Extranet Scenario Physical Elements (figure: headquarters gateway hq-sanjose with
Fast Ethernet 0/0 10.1.3.3/24, Fast Ethernet 0/1 10.1.6.4/24, and Serial 2/0 172.16.2.2/24, with the
private corporate server 10.1.3.6/24 and the public web server 10.1.6.5/24 behind it and a GRE tunnel
over the Internet to the site-to-site peer (PC A); across the Internet, reached over an IPSec tunnel, the
business partner gateway bus-ptnr with Serial 1/0 172.23.2.7/24 and Fast Ethernet 0/0 10.1.5.2/24, with
PC B at 10.1.5.3/24)
cablelength 10
dsu bandwidth 44210
clock source internal
no cdp enable
crypto map s4second
!
router bgp 10
network 10.2.2.2 mask 255.255.255.0
network 172.16.2.0 mask 255.255.255.0
!
ip route 10.1.4.0 255.255.255.0 Tunnel0
!
ip nat inside source static 10.1.6.5 10.2.2.2
!
access-list 101 permit gre host 172.17.2.4 host 172.24.2.5
access-list 111 permit ip host 10.2.2.2 host 10.1.5.3
!
line con 0
transport input none
line aux 0
line vty 0 4
login
!
end
full-duplex
no cdp enable
!
interface Serial1/0
ip address 172.23.2.7 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
no keepalive
fair-queue 64 256 0
framing c-bit
cablelength 10
dsu bandwidth 44210
clock source internal
no cdp enable
crypto map s4second
!
router bgp 10
network 10.1.5.0 mask 255.255.255.0
network 172.16.2.0 mask 255.255.255.0
!
access-list 111 permit ip host 10.1.5.3 host 10.2.2.2
!
line con 0
transport input none
line aux 0
line vty 0 4
login
!
end
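The crypto access lists on the two gateways must be mirror images of each other: the entry on bus-ptnr that permits 10.1.5.3 to 10.2.2.2 is the reverse of the entry on hq-sanjose that permits 10.2.2.2 to 10.1.5.3, and the same holds for the GRE entries. When they are not mirrored, IKE quick mode fails on the proxy identities and the tunnel never comes up. The following Python script is an added example, not part of this guide or of any Cisco tool; it parses the access-list lines copied from the sample configurations in this chapter (ACL 101 for GRE, ACL 111 for the extranet host pair) and reports entries whose mirror is missing. It only understands the host/host form used on this page; BROKEN_PEER_CONFIG is a constructed misconfiguration for the negative case.

```python
import re
from dataclasses import dataclass

# Crypto ACL lines copied from the sample configurations in this chapter:
# ACL 101 protects the GRE tunnel, ACL 111 the extranet host pair.
HQ_CONFIG = """
access-list 101 permit gre host 172.17.2.4 host 172.24.2.5
access-list 111 permit ip host 10.2.2.2 host 10.1.5.3
"""
PEER_CONFIG = """
access-list 101 permit gre host 172.24.2.5 host 172.17.2.4
access-list 111 permit ip host 10.1.5.3 host 10.2.2.2
"""
# Constructed misconfiguration (not from the guide): the partner protects
# traffic from the wrong host, so the IPsec proxy identities will not agree.
BROKEN_PEER_CONFIG = """
access-list 101 permit gre host 172.24.2.5 host 172.17.2.4
access-list 111 permit ip host 10.1.5.4 host 10.2.2.2
"""

# Only the "permit <proto> host A host B" form used on this page is parsed.
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\d+)\s+permit\s+(?P<proto>\w+)\s+"
    r"host\s+(?P<src>[\d.]+)\s+host\s+(?P<dst>[\d.]+)\s*$"
)


@dataclass(frozen=True)
class Ace:
    acl: str
    proto: str
    src: str
    dst: str

    def flow(self):
        """The protected flow, independent of the ACL number."""
        return (self.proto, self.src, self.dst)

    def mirror_flow(self):
        """The flow the remote peer must permit for this entry to match."""
        return (self.proto, self.dst, self.src)


def parse_aces(config):
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            aces.append(Ace(**m.groupdict()))
    return aces


def mirror_mismatches(local_config, remote_config):
    """Entries on each side whose mirror image is missing on the other side.

    Both lists empty means the crypto ACLs are mirror images, which IPsec
    needs for the SA proxy identities proposed by the two peers to agree."""
    local = parse_aces(local_config)
    remote = parse_aces(remote_config)
    remote_flows = {a.flow() for a in remote}
    local_flows = {a.flow() for a in local}
    return {
        "local_without_mirror": [a for a in local if a.mirror_flow() not in remote_flows],
        "remote_without_mirror": [a for a in remote if a.mirror_flow() not in local_flows],
    }


if __name__ == "__main__":
    for name, peer in (("bus-ptnr", PEER_CONFIG), ("bus-ptnr (broken)", BROKEN_PEER_CONFIG)):
        result = mirror_mismatches(HQ_CONFIG, peer)
        print(name, "OK" if not any(result.values()) else result)
```

Run it against the two show running-config outputs of a real pair of peers before bringing the tunnel up; an entry reported under either key is the one to correct.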
Chapter 4
Note
In this Guide, the term Cisco 7200 series router implies that an Integrated Service Adaptor (ISA) or a
VAM (VAM, VAM2, or VAM2+) is installed in the Cisco 7200 series router.
This chapter describes basic features and configurations used in a remote access VPN scenario. Some
Cisco IOS security software features not described in this document can be used to increase performance
and scalability of your VPN. For up-to-date Cisco IOS security software features documentation, refer
to the Cisco IOS Security Configuration Guide and the Cisco IOS Security Command Reference for your
Cisco IOS Release. To access these documents, see Related Documentation section on page xi.
This chapter includes the following sections:
Configuring a Cisco IOS VPN Gateway for Use with Cisco Secure VPN Client Software, page 4-3
Configuring a Cisco IOS VPN Gateway for Use with Microsoft Dial-Up Networking, page 4-3
Note
Throughout this chapter, there are numerous configuration examples and sample configuration outputs
that include unusable IP addresses. Be sure to use your own IP addresses when configuring your Cisco
7200 series router.
Scenario Description
Figure 4-1 shows a headquarters network providing a remote user access to the corporate intranet. In this
scenario, the headquarters and remote user are connected through a secure tunnel that is established over
an IP infrastructure (the Internet). The remote user is able to access internal, private web pages and
perform various IP-based network tasks.
Figure 4-1 Remote access VPN business scenario: the headquarters gateway (hq-sanjose) and the remote user each connect over a serial line to the Internet, and a secure tunnel across the Internet gives the remote user access to the corporate intranet.
Figure 4-2 shows the physical elements of the scenario. The Internet provides the core interconnecting
fabric between the headquarters and the remote user. The headquarters is using a Cisco IOS VPN gateway
(a Cisco 7200 series router with an Integrated Service Adaptor (ISA) or VAM, a Cisco 2600 series router, or a
Cisco 3600 series router), and the remote user is running VPN client software on a PC.
The tunnel is configured on the first serial interface in chassis slot 1 (serial 1/0) of the headquarters
router. Fast Ethernet interface 0/0 of the headquarters router is connected to a corporate
server and Fast Ethernet interface 0/1 is connected to a web server.
Figure 4-2 Remote access VPN scenario physical elements: the headquarters gateway (hq-sanjose) has Fast Ethernet 0/0 at 10.1.3.3/24 (private corporate server, 10.1.3.6/24), Fast Ethernet 0/1 at 10.1.6.4/24 (public web server, 10.1.6.5/24) and Serial 1/0 at 172.17.2.4/24 facing the Internet; a secure tunnel across the Internet connects the remote user to the gateway.
The configuration steps in the following sections are for the headquarters router. Comprehensive
configuration examples for the headquarters router are provided in the Comprehensive Configuration
Examples section on page 4-11. Table 4-1 lists the physical elements of the scenario.
Table 4-1 Physical Elements

Headquarters Network
  Site: hq-sanjose
  WAN IP address: Serial interface 1/0: 172.17.2.4 255.255.255.0
  Ethernet IP addresses: Fast Ethernet interface 0/0: 10.1.3.3 255.255.255.0;
    Fast Ethernet interface 0/1: 10.1.6.4 255.255.255.0
  Corporate server: 10.1.3.6
  Web server: 10.1.6.5

Remote User
  Hardware: PC running VPN client software
  WAN IP address: Dynamically assigned
Configuring a Cisco IOS VPN Gateway for Use with Microsoft Dial-Up Networking
Note
PPTP/MPPE is built into Windows DUN 1.2 and above. However, 128-bit encryption and stateless
(historyless) MPPE are only supported in Windows DUN 1.3 or later versions. PPTP/MPPE only supports
Cisco Express Forwarding (CEF) and process switching. Regular fast switching is not supported.
Alternatively, a remote user with client software bundled into Microsoft Windows 2000 can use Layer 2
Tunneling Protocol (L2TP) with IPSec to access the corporate headquarters network through a secure
tunnel.
Because L2TP is a standard protocol, enterprises can enjoy a wide range of service offerings available
from multiple vendors. L2TP implementation is a solution that provides a flexible, scalable remote
network access environment without compromising corporate security or endangering mission-critical
applications.
Configuring PPTP/MPPE
Verifying PPTP/MPPE
Configuring L2TP/IPSec
Configuring PPTP/MPPE
PPTP is a network protocol that enables the secure transfer of data from a remote client to a private
enterprise server by creating a VPN across TCP/IP-based data networks. PPTP supports on-demand,
multiprotocol, virtual private networking over public networks, such as the Internet.
MPPE is an encryption technology developed by Microsoft to encrypt point-to-point links. These PPP
connections can be over a dialup line or over a VPN tunnel. MPPE works as a subfeature of Microsoft
Point-to-Point Compression (MPPC).
MPPE uses the RC4 algorithm with either 40- or 128-bit keys. All keys are derived from the cleartext
authentication password of the user, so the encryption is only as strong as that password and the
MS-CHAP exchange that protects it; use 128-bit keys wherever the client supports them. RC4 is a stream
cipher; therefore, the encrypted and decrypted frames are the same size as the original frame. The Cisco
implementation of MPPE is fully interoperable with that of Microsoft and uses all available options,
including historyless mode. Historyless mode can increase throughput in high-loss environments such as VPNs.
Note
The VAM, available on Cisco 7200 series routers, does not support MPPE.
Note
Windows clients must use Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
authentication for MPPE to work. If you are performing mutual authentication with MS-CHAP and
MPPE, both sides of the tunnel must use the same password.
This section contains basic steps to configure PPTP/MPPE and includes the following tasks:
Configuring PPTP
Configuring MPPE
Command    Purpose
Step 1
Step 2    hq-sanjose(config-if)# ip unnumbered interface-type number
Step 3
Step 4
Step 5
Step 6    hq-sanjose(config-if)# ip mroute-cache
Step 7
1. Stateful MPPE encryption changes the key every 255 packets. Stateless (historyless) MPPE encryption generates a new key for every packet.
Stateless MPPE is only supported in recent versions of Dial-Up Networking (DUN 1.3).
Configuring PPTP
To configure a Cisco 7200 series router to accept tunneled PPP connections from a client, use the
following commands beginning in global configuration mode:
Command    Purpose
Step 1    hq-sanjose(config)# vpdn enable
Step 2    hq-sanjose(config)# vpdn-group 1
Step 3    hq-sanjose(config-vpdn)# accept-dialin
Step 4    hq-sanjose(config-vpdn-acc-in)# protocol pptp
Step 5    hq-sanjose(config-vpdn-acc-in)# virtual-template template-number
Step 6    hq-sanjose(config-vpdn-acc-in)# exit
          hq-sanjose(config-vpdn)# local name localname
Configuring MPPE
Note
The VPN Acceleration Module (VAM) card does not support MPPE.
To configure MPPE on your Cisco 7200 series router (with an ISA), use the following commands
beginning in global configuration mode:
Command    Purpose
Step 1    hq-sanjose(config)# controller isa slot/port
Step 2    hq-sanjose(config-controller)# encryption mppe
Verifying PPTP/MPPE
After you complete a connection, enter the show vpdn tunnel command or the show vpdn session
command to verify your PPTP and MPPE configuration. The following example contains typical output:
hq-sanjose# show vpdn tunnel
PPTP Tunnel Information (Total tunnels=1 sessions=1)
LocID RemID Remote Name     State   Remote Address   Port  Sessions
22    22    172.16.230.29   estabd  172.16.230.29    1374  1
Configuring L2TP/IPSec
L2TP is an extension of the Point-to-Point Protocol (PPP) and is often a fundamental building block for
VPNs. L2TP merges the best features of two other tunneling protocols: Layer 2 Forwarding (L2F) from
Cisco Systems and PPTP from Microsoft. L2TP is an Internet Engineering Task Force (IETF) standard
(RFC 2661).
Note
For information on IPSec, see the Step 3Configuring Encryption and IPSec section on page 3-13.
This section contains basic steps to configure L2TP/IPSec and includes the following tasks:
Configuring L2TP
Note
When configuring a virtual template for use with L2TP/IPSec, do not enable MPPE.
Configuring L2TP
To configure a Cisco 7200 series router to accept tunneled L2TP connections from a client, use the
following commands beginning in global configuration mode:
Command    Purpose
Step 1    hq-sanjose(config)# vpdn enable
Step 2    hq-sanjose(config)# vpdn-group 1
Step 3    hq-sanjose(config-vpdn)# accept-dialin
Step 4    hq-sanjose(config-vpdn-acc-in)# protocol l2tp
Step 5    hq-sanjose(config-vpdn-acc-in)# virtual-template template-number
Step 6    hq-sanjose(config-vpdn-acc-in)# exit
          hq-sanjose(config-vpdn)# local name localname
Verifying L2TP
Enter the show vpdn tunnel command to verify your L2TP configuration.
hq-sanjose# show vpdn tunnel
L2TP Tunnel and Session Information (Total tunnels=5 sessions=5)
LocID RemID Remote Name   State   Remote Address   Port   Sessions
10    8     7206b         est     10.0.0.1         1701   1
Username   State
las        est
Defining Transform Sets and Configuring IPSec Tunnel Mode, page 3-22
Note
When using IPSec with L2TP, do not configure IPSec tunnel mode.
Note
Although the configuration instructions in the listed sections refer to the Extranet Scenario section on
page 3-4, the same configuration instructions apply to the remote access scenario described in the
Scenario Description section on page 4-2.
Command    Purpose
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6    hq-sanjose(config)# access-list access-list-number permit tcp host source eq tacacs host destination
In addition to configuring AAA on the firewall router, the authentication proxy requires a per-user access
profile configuration on the AAA server. To support the authentication proxy, configure the AAA
authorization service auth-proxy on the AAA server as outlined here:
Define a separate section of authorization for auth-proxy to specify the downloadable user profiles.
This does not interfere with other types of service, such as EXEC. The following example shows a
user profile on a TACACS server:
default authorization = permit
key = cisco
user = newuser1 {
    login = cleartext cisco
    service = auth-proxy
    {
        priv-lvl=15
        proxyacl#1="permit tcp any any eq 26"
        proxyacl#2="permit icmp any host 60.0.0.2"
        proxyacl#3="permit tcp any any eq ftp"
        proxyacl#4="permit tcp any any eq ftp-data"
        proxyacl#5="permit tcp any any eq smtp"
        proxyacl#6="permit tcp any any eq telnet"
    }
}
The only supported attribute in the AAA server user configuration is proxyacl#n. Use the
proxyacl#n attribute when configuring the access lists in the profile. The attribute proxyacl#n is for
both RADIUS and TACACS+ attribute-value (AV) pairs.
The access lists in the user profile on the AAA server must have permit only access commands.
Set the source address to any in each of the user profile access list entries. The source address in the
access lists is replaced with the source address of the host making the authentication proxy request
when the user profile is downloaded to the firewall.
The supported AAA servers are CiscoSecure ACS 2.1.x for Windows NT (where x is a number 0 to
12) and CiscoSecure ACS 2.3 for Windows NT, CiscoSecure ACS 2.2.4 for UNIX and CiscoSecure
ACS 2.3 for UNIX, TACACS+ server (vF4.02.alpha), Ascend RADIUS server - radius-980618
(required avpair patch), and Livingston RADIUS server (v1.16).
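The two profile rules above (permit-only entries, and a source of any that the firewall replaces with the requesting host) are easy to get wrong on the AAA server, where nothing checks them until a user fails to get access. The following Python script is an added example, not part of this guide or of CiscoSecure ACS; it parses proxyacl#n attributes in the TACACS+ profile syntax shown above, reports entries that break either rule, and performs the source substitution so you can see the dynamic ACL the router would build for a given client. BAD_PROFILE is constructed for the negative case; the client address is taken from the show ip auth-proxy cache example later in this chapter.

```python
import re

# Profile lines copied from the TACACS+ example above.
PROFILE = """
proxyacl#1="permit tcp any any eq 26"
proxyacl#2="permit icmp any host 60.0.0.2"
proxyacl#3="permit tcp any any eq ftp"
proxyacl#4="permit tcp any any eq ftp-data"
proxyacl#5="permit tcp any any eq smtp"
proxyacl#6="permit tcp any any eq telnet"
"""

# Constructed profile that breaks both rules (not from the guide).
BAD_PROFILE = """
proxyacl#1="deny tcp any any eq 23"
proxyacl#2="permit tcp host 10.1.1.5 any eq 80"
proxyacl#3="permit tcp any any eq 80"
"""

ENTRY_RE = re.compile(r'^proxyacl#(?P<n>\d+)="(?P<ace>[^"]*)"$')


def parse_profile(text):
    """Return [(n, ace_text)] for every proxyacl#n attribute in the profile."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((int(m.group("n")), m.group("ace")))
    return entries


def validate_entry(ace):
    """List the rule violations in one entry (empty list means it is acceptable)."""
    tokens = ace.split()
    if len(tokens) < 3:
        return ["entry must be '<permit> <protocol> <source> ...'"]
    problems = []
    if tokens[0] != "permit":
        problems.append("only permit entries are allowed")
    if tokens[2] != "any":
        problems.append("source must be 'any'; the firewall substitutes the client address")
    return problems


def validate_profile(text):
    """Map each proxyacl#n number to its list of problems."""
    return {n: validate_entry(ace) for n, ace in parse_profile(text)}


def expand_for_host(text, client_ip):
    """The dynamic ACL entries the firewall installs once client_ip authenticates:
    'any' in the source position becomes 'host <client_ip>'."""
    expanded = []
    for _, ace in parse_profile(text):
        if validate_entry(ace):
            continue  # skip entries that break the profile rules
        tokens = ace.split()
        tokens[2:3] = ["host", client_ip]
        expanded.append(" ".join(tokens))
    return expanded


if __name__ == "__main__":
    for n, problems in validate_profile(BAD_PROFILE).items():
        print(f"proxyacl#{n}:", problems or "ok")
    print("\n".join(expand_for_host(PROFILE, "192.168.25.215")))
```

The expanded list is also a useful review artifact: it shows exactly which destinations an authenticated host gains, which is what the per-user profile is meant to limit.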
Command    Purpose
Step 1    hq-sanjose(config)# ip http server
Step 2    hq-sanjose(config)# ip http authentication aaa
Step 3    hq-sanjose(config)# ip http access-class access-list-number
Command    Purpose
Step 1    hq-sanjose(config)# ip auth-proxy auth-cache-time min
Step 2    hq-sanjose(config)# ip auth-proxy auth-proxy-banner
Step 3    hq-sanjose(config)# ip auth-proxy name auth-proxy-name http
Step 4    hq-sanjose(config)# interface type number
Step 5    hq-sanjose(config-if)# ip auth-proxy auth-proxy-name
To verify that the authentication proxy is successfully configured on the router, ask a user to initiate an
HTTP connection through the router. The user must have authentication and authorization configured at
the AAA server. If the user authentication is successful, the firewall completes the HTTP connection for
the user. If the authentication is unsuccessful, check the access list and the AAA server configurations.
Display the user authentication entries using the show ip auth-proxy cache command in privileged EXEC
mode. The authentication proxy cache lists the host IP address, the source port number, the timeout value for
the authentication proxy, and the state of the connection. If the authentication proxy state is HTTP_ESTAB,
the user authentication was successful.
router# show ip auth-proxy cache
Authentication Proxy Cache
Client IP 192.168.25.215 Port 57882, timeout 1, state HTTP_ESTAB
Wait for one minute, which is the timeout value for this named rule, and ask the user to try the connection
again. After one minute, the user connection is denied because the authentication proxy has removed the user
authentication entry and any associated dynamic ACLs. The user is presented with a new authentication login
page and must log in again to gain access through the firewall.
PPTP/MPPE Configuration
hq-sanjose# show running-config
Current configuration
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname mp12
!
no logging console guaranteed
enable password lab
!
username tester41 password 0 lab41
!
ip subnet-zero
no ip domain-lookup
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
local name cisco_pns
!
memory check-interval 1
!
controller ISA 5/0
encryption mppe
!
process-max-time 200
!
interface FastEthernet0/0
ip address 10.1.3.3 255.255.255.0
no ip directed-broadcast
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.6.4 255.255.255.0
no ip directed-broadcast
duplex auto
speed auto
!
interface Serial1/0
no ip address
no ip directed-broadcast
shutdown
framing c-bit
cablelength 10
dsu bandwidth 44210
!
interface Serial1/1
no ip address
no ip directed-broadcast
shutdown
framing c-bit
cablelength 10
dsu bandwidth 44210
!
interface FastEthernet4/0
no ip address
no ip directed-broadcast
shutdown
duplex half
!
interface Virtual-Template1
ip unnumbered FastEthernet0/0
no ip directed-broadcast
ip mroute-cache
no keepalive
ppp encrypt mppe 40
ppp authentication ms-chap
!
ip classless
ip route 172.29.1.129 255.255.255.255 1.1.1.1
ip route 172.29.63.9 255.255.255.255 1.1.1.1
no ip http server
!
line con 0
exec-timeout 0 0
transport input none
line aux 0
line vty 0 4
login
!
aaa new-model
aaa authentication login default tacacs+ radius
!Set up the aaa new model to use the authentication proxy.
aaa authorization auth-proxy default tacacs+ radius
!Define the AAA servers used by the router
tacacs-server host 172.31.54.143
tacacs-server key cisco
radius-server host 172.31.54.143
radius-server key cisco
!
! Enable the HTTP server on the router:
ip http server
! Set the HTTP server authentication method to AAA:
ip http authentication aaa
!Define standard access list 61 to deny any host.
access-list 61 deny any
! Use ACL 61 to deny connections from any host to the HTTP server.
ip http access-class 61
!
!set the global authentication proxy timeout value.
ip auth-proxy auth-cache-time 60
!Apply a name to the authentication proxy configuration rule.
ip auth-proxy name HQ_users http
!
! Apply the authentication proxy rule at an interface.
interface e0
ip address 10.1.1.210 255.255.255.0
ip auth-proxy HQ_users
!
end
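The sample configuration above is a lab configuration: passwords are stored in cleartext (no service password-encryption, enable password, username ... password 0), MPPE negotiates 40-bit keys, authentication is MS-CHAP version 1, the console never times out and the vty lines accept any transport. The following Python script is an added example, not part of this guide or of any Cisco tool; it splits a running-config into global and per-section commands and reports those settings. SAMPLE_CONFIG is abridged from the configuration above; HARDENED_CONFIG is a constructed counterpart showing the corrected settings (enable secret, username ... secret, 128-bit MPPE, MS-CHAP v2, exec-timeout, transport input ssh), and its hash strings are placeholders, not real hashes. The finding codes are the script's own.

```python
import re

# Abridged from the PPTP/MPPE sample configuration above.
SAMPLE_CONFIG = """
no service password-encryption
!
enable password lab
!
username tester41 password 0 lab41
!
interface Virtual-Template1
ip unnumbered FastEthernet0/0
ppp encrypt mppe 40
ppp authentication ms-chap
!
line con 0
exec-timeout 0 0
transport input none
line vty 0 4
login
!
ip http server
ip http access-class 61
!
end
"""

# Constructed hardened counterpart (not from the guide); hashes are placeholders.
HARDENED_CONFIG = """
service password-encryption
enable secret 5 $1$PLAC$EHOLDERhashvalue
username tester41 secret 5 $1$PLAC$EHOLDERhashvalue
!
interface Virtual-Template1
ppp encrypt mppe 128 required
ppp authentication ms-chap-v2
!
line con 0
exec-timeout 10 0
transport input none
line vty 0 4
exec-timeout 10 0
login local
transport input ssh
!
end
"""

SECTION_START = ("interface ", "line ", "vpdn-group ", "controller ", "router ")


def sections(config):
    """Split a running-config into (header, body) blocks; header is '' for
    global commands. A block ends at '!' or at the next section header."""
    header, body = "", []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "end":
            continue
        if line == "!" or line.startswith(SECTION_START):
            if header or body:
                yield header, body
            header, body = ("" if line == "!" else line), []
        else:
            body.append(line)
    if header or body:
        yield header, body


def audit(config):
    """Return (code, section, offending line) for each weak setting found."""
    findings, global_lines = [], []
    for header, body in sections(config):
        if not header:
            global_lines.extend(body)
        for line in body:
            if not header and line == "no service password-encryption":
                findings.append(("cleartext-config", "global", line))
            elif not header and line.startswith("enable password "):
                findings.append(("enable-password", "global", line))
            elif not header and re.match(r"^username \S+ password (?:0 )?\S+$", line):
                findings.append(("cleartext-username", "global", line))
            elif header.lower().startswith("interface virtual-template"):
                m = re.match(r"^ppp encrypt mppe (\S+)", line)
                if m and m.group(1) in ("40", "auto"):  # 40-bit RC4, or may negotiate it
                    findings.append(("mppe-40", header, line))
                if line.startswith("ppp authentication") and "ms-chap" in line.split():
                    findings.append(("ms-chap-v1", header, line))  # prefer ms-chap-v2
            elif header.startswith("line") and line == "exec-timeout 0 0":
                findings.append(("no-exec-timeout", header, line))
        if header.startswith("line vty") and not any(l.startswith("transport input") for l in body):
            findings.append(("vty-transport", header, "login"))  # every transport accepted
    if "ip http server" in global_lines and not any(l.startswith("ip http access-class") for l in global_lines):
        findings.append(("http-unrestricted", "global", "ip http server"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

The HTTP check is deliberately satisfied by the sample, which does restrict the server with ip http access-class 61; it fires only when ip http server is enabled with no access class at all.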
L2TP/IPSec Configuration
hq-sanjose# show running-config
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname LNS
!
enable password ww
!
username LNS password 0 tunnelpass
username test@cisco.com password 0 cisco
ip subnet-zero
!
vpdn enable
!
vpdn-group 1
Chapter 5
Note
The term Cisco 7200 series router in this Guide implies that an Integrated Service Adaptor (ISA) or a
VAM (VAM, VAM2, or VAM2+) is installed in the Cisco 7200 series router.
The following modules are included in the Cisco VPN/Security Management Solution. Together, these
modules provide essential VPN and security management capabilities:
Cisco Secure Policy Manager Lite (CSPM-Lite): Provides policies for defining VPN policies on
Cisco 7200 series routers and PIX Firewalls. CSPM also defines security policies on Cisco PIX
Firewalls, and reporting and notifying of intrusions when Cisco Intrusion Detection Sensors
technology is deployed.
Cisco VPN Monitor: A web-based management tool that allows network administrators to collect,
store, and report information on L2TP, PPTP remote access, and IPSec-based site-to-site VPNs
configured on the Cisco 7200 series routers, Cisco 3600 series routers, Cisco 2600 series routers,
Cisco 1700 series routers, Cisco 800 series routers, and Cisco VPN 3000 Concentrator Series.
Multiple devices can be viewed from an easy-to-use dashboard configured on a web browser. After
the dashboard is configured, Cisco VPN Monitor continuously collects data from the devices it
manages over a rolling seven-day window. Operational status, performance, and security
information can be viewed at a glance, providing status information on IPsec VPN implementations.
Note
The Cisco VPN Monitor does not support PIX Firewalls. For information on monitoring PIX Firewalls,
see the PIX Firewall System Management documentation.
CiscoView: Provides administrators with browser access to real-time device status, and operational
and configuration functions. CiscoView is the most widely used Cisco graphical device management
application and is now web-based.
CiscoWorks2000 Management Server (CD-One): Provides the common database, web, and
desktop services used to integrate with other Cisco and third-party tools.
Note
The traps are not supported in the current version of the MIB. They only pertain to the Cisco IOS-specific
IPSec MIB.
The IPSec MIB feature is used in conjunction with an SNMP agent that is based on Version 1 of the
SNMP protocol. The SNMP agent implements the IPSec MIB subsystem, which implements the MIBs
referred to in the "Supported Standards, MIBs, and RFCs" section of this feature module. By allowing
the user to adjust tunnel tables and enable IPSec trap notifications, the IPSec MIB feature provides
enhancements to the SNMP agent process. Because SNMPv1 authenticates requests with a cleartext
community string and does not encrypt them, restrict the agent to known management stations (apply an
access list on the snmp-server community command) and use a read-only community unless writes are required.
See IPSec SNMP Support for more information on the IPSec MIB.
VDM Overview
Related Documents
VDM Overview
VDM enables network administrators to manage and configure site-to-site VPNs on a single IOS VPN
device from a web browser, and view the effects of their changes in real time. VDM implements a
wizard-based GUI to simplify the process of configuring site-to-site VPNs using the IPSec protocol.
VDM software is installed directly on Cisco VPN devices. It is designed for use and compatibility with
other device manager products.
Figure 5-1
Using a browser, you can log into a Cisco device and use VDM to efficiently configure VPNs on it. You
can set particular tunneling, encryption, and other VPN options, which can then be applied to the
interfaces facing peer devices. Use VDM to conveniently troubleshoot specific problems and perform
configuration updates and changes.
Benefits
This section contains information about the following benefits of using VDM:
Configuration Wizards
Monitoring Functions
Convenient Navigation
No Client Installation
Configuration Wizards
Browser-based VDM wizards help you perform ordinarily complex setup operations including:
Step-by-step instructional panes for simplified VPN configuration, such as peer-to-peer setup.
Tunneling and encryption support using transform sets, key lifetimes, IKE policies, security
association (SA) lifetime, authentication policies, error reports, and performance monitoring.
Monitoring Functions
Monitored data in graphs and charts contains basic device information, a VPN report card, top-ten lists,
and detailed views of user-specified tunnels that monitor duration, errors, and throughput.
Convenient Navigation
The following navigation methods ensure that you can conveniently identify your current location within
each wizard:
A step-by-step tasks list in each wizards left frame contains a highlighted bar which moves down
the list as you progress through that wizard.
No Client Installation
VDM is distributed in the following two components:
Figure 5-2 shows the type of VPN that VDM can configure:
Figure 5-2 A VDM-enabled router on the LAN, managed from a web browser, with its VPN peers reached across the Internet.
Order the device with VDM installed (if the device is ordered new).
Install a Cisco IOS version that VDM supports and upload the VDM client to the device Flash
memory.
VDM supports crypto-enabled IOS images. See VPN Device Manager - Release and Installation Notes
for further information on obtaining the correct Cisco IOS image.
To simplify its use, VDM starts as a GUI into a web-browser home page that is run from the managed
device (VPN device on which VDM is installed) at connection time. VDM is a Java application that uses
continuous XML data exchange to update the appropriate part of the VDM GUI.
The VDM GUI contains step-by-step configuration wizards for common VPN setups, interfaces, and
policies and protocols, including:
IPSec tunnels
Note
VDM does not work with RSA-encrypted nonces. (Nonces are random numbers or keys that are
generated once and not reused.)
Wizard    Description
Certificates: Starts the Certificates wizard, which allows you to enroll the device with a
certificate authority and use digital certificates for authenticating peers.
Connections: Starts the Connections wizard, which creates VPN protected connections for
selected traffic between selected local and remote hosts and subnets.
IKE: Starts the IKE wizard, which allows you to create IKE policies that determine how
IKE establishes SAs with peers.
Peer Keys: Starts the Peer Keys wizard, which assigns and edits pre-shared keys, used to
authenticate peers.
Transforms
VLANs: Starts the VLANs wizard, which allows you to create access and interface VLANs
on the device.
Tunneling and encryption support using transform sets, key lifetimes, IKE policies, SA lifetime,
authentication policies, error reports, and performance monitoring.
The wizard navigation buttons within the VDM Configure menu allow for flexible multi-directional
navigation. The wizard configuration action buttons within the same menu allow you to create or modify
your VPN settings conveniently.
Figure 5-3 shows the Connections page for the VDM Connections wizard. This wizard allows you to
add, edit, or remove VPN connections. The Select a Connection list displays existing connections.
The Connection Description list provides the following details about the selected connection:
IP addresses of peers
Protocols
Transforms
The interface VLAN that acts as the inside interface to an IPSec VPN Acceleration Services Module
(only on devices that contain this module)
Figure 5-3
Figure 5-4 shows the Certificates page for the VDM Certificates wizard. This wizard allows you to
enroll a certificate identity with the Certificate Authority (CA) by using the Certificate Enrollment
wizard, as well as add, edit, and remove existing certificate identities.
The Select a Certificate Identity list displays existing certificate identities. The Certificate Identity
Description list provides the following details about the selected certificate identity, such as:
Enrolled URL
Retry specifics
Figure 5-4
Figure 5-5 shows the IKE Overview page for the VDM IKE wizard. This wizard allows you to add, edit,
or remove IKE policies.
The Select a Policy list displays existing user-configured policies, as well as one global and one default
IKE policy. The Policy Description list provides the following details about the policy selected:
Authentication method
SA specifics
Figure 5-5
Figure 5-6 shows the VDM Charts page with the CPU Utilization chart selected. You can generate many
charts from this page based on your charting object and charting object attribute selections.
The left list displays all objects with attributes that can be charted, such as CPU, IKE, IPSec, and a
variety of interfaces. The right list displays all object attributes associated with a selected object.
You must first select an object attribute to generate a chart. For example, under the IPSec object, you
have a choice of the following three different object attributes:
Tunnels
Total throughput
Available object attributes vary according to the selected object. For example, chartable object attributes
for the Interface object include the following:
Dropped packets
Octets
Errors
You can customize charts to display both historical and real-time data from periods as short as 10
minutes to as much as 5 days.
Figure 5-6
Figure 5-7 shows the VDM Report Card page, which displays information about the following activity
on the device:
Total throughput
Replayed Packets
Figure 5-7
Figure 5-8 shows the VDM Top-Ten Lists page, which displays details about IKE and IPSec tunnels by
duration, errors, and traffic volume. You can select any of these reports from the drop-down list.
A top-ten list is a list of 10 tunnels on the device that rank highest when measured by particular criteria.
For example, you can view a list of the 10 IKE tunnels on the device that have the highest traffic volume.
Each top-ten list displays information about the following:
Monitored tunnels
Peers
SA details
Figure 5-8
Related Documents
Further information on VDM can be found in the following related documents:
For additional information, see the Cisco VPN Device Manager (VDM).
3 - 28
3 - 33
3 - 39
3 - 33
3-9
16
3-
SAFE
See Cisco SAFE Blueprint
SAs
3 - 13
3 - 36
4 - 11, 4 - 13
3 - 20
4 - 11
3 - 31
4 - 11
3 - 17
3 - 15, 3 - 19
1-7
3 - 24
3 - 26
summary
3 - 25, 3 - 26
3 - 31
description
3 - 26
4-6
4 - 6, 4 - 7
IKE established
creating crypto map entries
saving, configuration changes
3 - 24
1-8
configuring
3-8
description
2-2
figure
3-3
Cisco IOS VPN Configuration Guide
OL-8336-01
IN-9
Index
physical elements
See TACACS+
3-3
3-4
See WFQ
transform sets
3 - 39 to 3 - 42
3 - 40 to 3 - 41
defining
3 - 41 to 3 - 42
3 - 23
verifying
3-2
3 - 24
transport mode
xii
description
2 - 15
2 - 15
1-8
3 - 10
3-6
troubleshooting
entering ROM monitor mode at startup
static translation
configuring
3 - 11
description
3 - 11
GRE tunnels
verifiying
3 - 24
3 - 39
3-9
3 - 20
static translation
2 - 14
configuring
3 - 13
3 - 13
static translation
configuring
1-6
3-8
3 - 13
tunneling
Statistics
graphing in VDM
components
5 - 11
description
3 - 10
encryption in
1-7
syslog
3-6
3-6
3-7
special considerations
advantages
2 - 14
tunnel mode
2 - 14
description
3-9
3-8
tunnel modes
configuring
1-2
TACACS+
implementing
2 - 14
4-8
4-8
tail drop
3 - 35
3-8
TED
description
3 - 22 to 3 - 24
2 - 16
1-6
2 - 14
2 - 14
IN-10
OL-8336-01
Index
VDM
benefits
See WFQ
5-5
client installation
5-5
See WRED
configuring VPNs
5-8
graphing statistics
5 - 11
WFQ
installing
5-7
configuring
overview
5-4
troubleshooting connectivity
VPN monitors
verifying configuration
5 - 15
compatibility
verifying
CBWFQ
3 - 30
3 - 22
3 - 26
5-8
configuring VPNs
5-8
3 - 33
3 - 33
3-9
3 - 19
configuring VDM
3 - 38, 3 - 39
4-4
WRED
3 - 33
wizards
4 - 11
3 - 36
class maps
3 - 32
Windows 2000
5 - 5, 5 - 11
authentication proxies
3 - 32
3 - 24
4-7
PPTP/MPPE
4-6
transform sets
3 - 24
WFQ configuration
3 - 33
4 - 5, 4 - 7
virtual templates
configuring
4 - 5, 4 - 6
2 - 15
4 - 5, 4 - 7
4 - 5, 4 - 7
VPNs
configuration assumptions
2-2
IN-11