Enterasys Security Router User's Guide

Configuration Examples
16-28 Configuring Security on the XSR
Terminate Network Extension Mode (NEM) and Client mode tunnels
Terminate remote access L2TP/IPSec tunnels
Terminate PPTP remote access tunnels
Firewall inspection on the public VPN interface (the crypto map interface)
Firewall inspection on the trusted VPN interface (the connection to the corporate network)
Enable NAT Traversal on the firewall
OSPF routing with the next hop corporate router on the trusted VPN interface
DF bit clear on the public VPN interface to handle large non-fragmentable IP frames
OSPF routing over the multi-point VPN interface for other site-to-site tunnels
Assign the first IP address of the pool to the multi-point VPN interface
Figure 16-16 XSR Firewall, VPN and OSPF Topology
Begin by setting the XSR system time via SNTP. This step is critical for XSRs that use time-sensitive certificates.
XSR(config)#sntp-client server 10.120.84.3
XSR(config)#sntp-client poll-interval 60
Add four ACLs to permit IP pool, L2TP and NEM traffic:
XSR(config)#access-list 110 permit ip any 10.120.70.0 0.0.0.255
XSR(config)#access-list 120 permit udp any any eq 1701
XSR(config)#access-list 140 permit ip any 172.16.1.0 0.0.0.255
XSR(config)#access-list 150 permit ip any 192.168.111.0 0.0.0.255
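To confirm which of these four ACLs admit a given flow before they are bound to crypto maps or firewall policy, the following added Python model of XSR-style wildcard-mask matching can be run against the lines above. It is example code, not from the guide or from Enterasys, and it assumes that `eq` names the destination port and that an `ip` entry matches every protocol.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample: the four ACL lines from the configuration above, prompt included.
ACL_LINES = [
    "XSR(config)#access-list 110 permit ip any 10.120.70.0 0.0.0.255",
    "XSR(config)#access-list 120 permit udp any any eq 1701",
    "XSR(config)#access-list 140 permit ip any 172.16.1.0 0.0.0.255",
    "XSR(config)#access-list 150 permit ip any 192.168.111.0 0.0.0.255",
]

ACL_RE = re.compile(
    r"access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>ip|udp|tcp)\s+"
    r"(?P<src>any|\S+\s+\S+)\s+(?P<dst>any|\S+\s+\S+)(?:\s+eq\s+(?P<port>\d+))?$"
)

AddrSpec = Optional[Tuple[int, int]]  # (network, wildcard) as ints; None means "any"

def _parse_addr(field: str) -> AddrSpec:
    if field == "any":
        return None
    net, wildcard = field.split()
    return int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wildcard))

def parse_acl(line: str) -> dict:
    """Parse one access-list line; a leading 'XSR(config)#' prompt is tolerated."""
    m = ACL_RE.match(line.strip().split("#", 1)[-1].strip())
    if not m:
        raise ValueError(f"unrecognised ACL line: {line!r}")
    return {"num": int(m["num"]), "action": m["action"], "proto": m["proto"],
            "src": _parse_addr(m["src"]), "dst": _parse_addr(m["dst"]),
            "port": int(m["port"]) if m["port"] else None}

def _addr_matches(spec: AddrSpec, addr: str) -> bool:
    if spec is None:
        return True
    net, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)

def acl_permits(entry: dict, src: str, dst: str, proto: str, dport: Optional[int] = None) -> bool:
    """True if this entry permits the flow (assumption: 'ip' covers every protocol)."""
    if entry["proto"] != "ip" and entry["proto"] != proto:
        return False
    if entry["port"] is not None and entry["port"] != dport:
        return False
    return (entry["action"] == "permit" and _addr_matches(entry["src"], src)
            and _addr_matches(entry["dst"], dst))

def matching_acls(src: str, dst: str, proto: str, dport: Optional[int] = None) -> List[int]:
    """Numbers of the ACLs above that permit the flow, e.g. [110] for traffic into the pool."""
    entries = [parse_acl(l) for l in ACL_LINES]
    return [e["num"] for e in entries if acl_permits(e, src, dst, proto, dport)]
```

Note that L2TP control traffic to 192.168.111.0/24 matches both 120 and 150, which is the kind of overlap worth knowing about when deciding which ACL each crypto map or firewall policy should reference.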
Define IKE Phase I security parameters with the following two policies:
XSR(config)#crypto isakmp proposal xp-soho
XSR(config-isakmp)#hash md5
XSR(config-isakmp)#lifetime 50000
XSR(config)#crypto isakmp proposal p2p
XSR(config-isakmp)#authentication pre-share
XSR(config-isakmp)#lifetime 50000
Configure IKE policy for the remote peer:
XSR(config)#crypto isakmp peer 0.0.0.0 0.0.0.0
[Figure 16-16 diagram labels: XSR with interfaces FE1 and FE2, Internet router, SSR, XP PC client, NEM XSR; networks 172.16.1.0, 96.96.96.0, 10.120.84.0 and 10.120.112.0; addresses 141.154.196.93, 141.154.196.106 and 96.96.96.7. The SSR chassis module and power-supply markings are not reproduced.]