Enterasys Security Router User's Guide

Configuration Examples
16-32 Configuring Security on the XSR
Define service to support IPSec NAT traversal (Release 7.0 or later):
XSR(config)#ip firewall service ietfNatT eq 4500 gt 1023 udp
Define service for ISAKMP:
XSR(config)#ip firewall service ike eq 500 gt 499 udp
Define service for L2TP tunnels:
XSR(config)#ip firewall service l2tp eq 1701 eq 1701 udp
Define service for RADIUS authentication:
XSR(config)#ip firewall service radiusauth gt 1023 eq 1645 udp
Define service for RADIUS accounting:
XSR(config)#ip firewall service radiusacct gt 1023 eq 1646 udp
Write policies allowing traffic through the public VPN interface (crypto map), including enabling NAT Traversal:
XSR(config)#ip firewall policy nattraversal internet vpngateway nattraversal allow bidirectional
XSR(config)#ip firewall policy PPTP internet vpngateway PPTP allow bidirectional
XSR(config)#ip firewall policy ike internet vpngateway ike allow bidirectional
XSR(config)#ip firewall policy l2tp internet vpngateway l2tp allow bidirectional
XSR(config)#ip firewall policy ietfNatT internet vpngateway ietfNatT allow bidirectional
Allow HTTP and LDAP CRL retrieval out of the public VPN interface:
XSR(config)#ip firewall policy pki vpngateway internet HTTP allow
XSR(config)#ip firewall policy ldap vpngateway internet LDAP allow
Write policies permitting RADIUS and all TCP and UDP traffic from remote VPN networks into the corporate networks:
XSR(config)#ip firewall policy radiusauth f1a trusted radiusauth allow
XSR(config)#ip firewall policy radiusacct f1a trusted radiusacct allow
XSR(config)#ip firewall policy ANY_TCP remote trusted ANY_TCP allow bidirectional
XSR(config)#ip firewall policy ANY_UDP remote trusted ANY_UDP allow bidirectional
Allow IPSec (protocol 50) traffic from the Internet into the public VPN interface:
XSR(config)#ip firewall filter ipsec internet vpngateway protocol-id 50 bidirectional
Allow GRE traffic from the Internet into the public VPN interface:
XSR(config)#ip firewall filter gre internet vpngateway protocol-id 47 bidirectional
Allow OSPF through the firewall (trusted VPN interface) to the next hop corporate router:
XSR(config)#ip firewall filter ospf1 f1 ospf protocol-id 89 bidirectional
XSR(config)#ip firewall filter ospf2 ssr ospf protocol-id 89 bidirectional
XSR(config)#ip firewall filter ospf3 f1 ssr protocol-id 89 bidirectional
Permit ICMP traffic to flow from the trusted networks, through the VPN tunnels, to the remote trusted networks, and back:
XSR(config)#ip firewall filter icmp1 trusted remote protocol-id 1 bidirectional
Allow any IP address on the Internet to send ICMP traffic to the public VPN interface (the crypto map interface):
XSR(config)#ip firewall filter icmp2 vpngateway internet protocol-id 1 bi
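To check what a rule set like the one above actually permits before committing it to the router, the following Python script (an added example, not Enterasys code or XSR software) parses `ip firewall service`, `policy` and `filter` commands into a rule table and reports which rule, if any, would admit a new session between two named networks. It embeds the service, VPN, RADIUS, ESP/GRE and `icmp1` commands from this page (the PPTP, LDAP and OSPF lines are left out). Because the guide does not state these on this page, the script assumes that a service's first op/value pair tests the initiating packet's source port and the second its destination port, that `ANY_TCP` and `ANY_UDP` are predefined any-port services, that `bidirectional` lets a session be initiated from either network, and that unmatched traffic is denied; the predefined `HTTP` service and the earlier `nattraversal` service are not modelled and are reported as undefined rather than guessed at.

```python
"""Parse XSR-style 'ip firewall service / policy / filter' lines and report which
rule, if any, would admit a new session.  Added example, not Enterasys code."""
import re
from dataclasses import dataclass
from typing import Optional

# ASSUMPTION: a service's first op/value tests the initiating packet's source port, the second its destination port.
SERVICE_RE = re.compile(r"^ip firewall service (\S+) (eq|gt) (\d+) (eq|gt) (\d+) (tcp|udp)$")
POLICY_RE = re.compile(r"^ip firewall policy (\S+) (\S+) (\S+) (\S+) allow( bidirectional)?$")
FILTER_RE = re.compile(r"^ip firewall filter (\S+) (\S+) (\S+) protocol-id (\d+)( bidirectional)?$")
PROTO_NUM = {"tcp": 6, "udp": 17}

def port_ok(test, port):
    """test is ('eq', n), ('gt', n) or ('any', 0); returns True if port satisfies it."""
    op, n = test
    return op == "any" or (port == n if op == "eq" else port > n)

@dataclass(frozen=True)
class Service:
    name: str
    src: tuple        # port test on the initiating packet's source port
    dst: tuple        # port test on its destination port
    proto: int        # IP protocol number

@dataclass(frozen=True)
class Rule:
    name: str
    src_net: str
    dst_net: str
    proto: int                  # IP protocol number (6, 17, 50, 47, 1, ...)
    service: Optional[Service]  # None for 'filter' rules, which match on protocol only
    bidirectional: bool

# ASSUMPTION: ANY_TCP / ANY_UDP are predefined any-port services on the XSR.
BUILTIN_SERVICES = {
    "ANY_TCP": Service("ANY_TCP", ("any", 0), ("any", 0), 6),
    "ANY_UDP": Service("ANY_UDP", ("any", 0), ("any", 0), 17),
}

# Commands taken from this page (PPTP, LDAP and OSPF lines omitted), wrapped lines rejoined.
SAMPLE_CONFIG = """
XSR(config)#ip firewall service ietfNatT eq 4500 gt 1023 udp
XSR(config)#ip firewall service ike eq 500 gt 499 udp
XSR(config)#ip firewall service l2tp eq 1701 eq 1701 udp
XSR(config)#ip firewall service radiusauth gt 1023 eq 1645 udp
XSR(config)#ip firewall service radiusacct gt 1023 eq 1646 udp
XSR(config)#ip firewall policy nattraversal internet vpngateway nattraversal allow bidirectional
XSR(config)#ip firewall policy ike internet vpngateway ike allow bidirectional
XSR(config)#ip firewall policy l2tp internet vpngateway l2tp allow bidirectional
XSR(config)#ip firewall policy ietfNatT internet vpngateway ietfNatT allow bidirectional
XSR(config)#ip firewall policy pki vpngateway internet HTTP allow
XSR(config)#ip firewall policy radiusauth f1a trusted radiusauth allow
XSR(config)#ip firewall policy radiusacct f1a trusted radiusacct allow
XSR(config)#ip firewall policy ANY_TCP remote trusted ANY_TCP allow bidirectional
XSR(config)#ip firewall policy ANY_UDP remote trusted ANY_UDP allow bidirectional
XSR(config)#ip firewall filter ipsec internet vpngateway protocol-id 50 bidirectional
XSR(config)#ip firewall filter gre internet vpngateway protocol-id 47 bidirectional
XSR(config)#ip firewall filter icmp1 trusted remote protocol-id 1 bidirectional
"""

def parse(config: str):
    """Return (services, rules, undefined-service-names); rules naming an undefined service are skipped."""
    services, rules, undefined = dict(BUILTIN_SERVICES), [], set()
    for raw in config.splitlines():
        line = raw.strip().split("#", 1)[-1]          # drop the 'XSR(config)#' prompt
        if m := SERVICE_RE.match(line):
            name, sop, sval, dop, dval, proto = m.groups()
            services[name] = Service(name, (sop, int(sval)), (dop, int(dval)), PROTO_NUM[proto])
        elif m := POLICY_RE.match(line):
            name, src, dst, svc, bidir = m.groups()
            if svc not in services:                   # predefined on the box (HTTP) or defined off-page
                undefined.add(svc)
                continue
            rules.append(Rule(name, src, dst, services[svc].proto, services[svc], bool(bidir)))
        elif m := FILTER_RE.match(line):
            name, src, dst, proto, bidir = m.groups()
            rules.append(Rule(name, src, dst, int(proto), None, bool(bidir)))
    return services, rules, undefined

def permitting_rule(rules, src_net, dst_net, proto, sport=0, dport=0) -> Optional[str]:
    """Name of the first rule letting a NEW session from src_net to dst_net start, else None.
    ASSUMPTION: implicit deny.  Replies to an already established session belong to the
    firewall's state table and are deliberately not modelled here."""
    for r in rules:
        if r.proto != proto:
            continue
        forward = (r.src_net, r.dst_net) == (src_net, dst_net)
        reverse = r.bidirectional and (r.src_net, r.dst_net) == (dst_net, src_net)
        if not (forward or reverse):
            continue
        if r.service and not (port_ok(r.service.src, sport) and port_ok(r.service.dst, dport)):
            continue
        return r.name
    return None

if __name__ == "__main__":
    _, rules, undefined = parse(SAMPLE_CONFIG)
    print("undefined services:", sorted(undefined))
    print("RADIUS request f1a->trusted:", permitting_rule(rules, "f1a", "trusted", 17, 40000, 1645))
    print("RADIUS server opening to f1a:", permitting_rule(rules, "trusted", "f1a", 17, 1645, 40000))
    print("ESP from Internet:", permitting_rule(rules, "internet", "vpngateway", 50))
```

The evaluator models session initiation only, which is what the `bidirectional` keyword governs: a RADIUS request from f1a to the trusted network matches `radiusauth`, while a session opened by the server side in the other direction matches nothing, since that policy is one-way and `ANY_UDP` is scoped to remote/trusted. Replies to an established session are handled by the firewall's state table, so a `None` result for that reverse flow is the expected, tighter outcome, not a misconfiguration. Policies that name a service the script does not know are listed as undefined so that a missing `ip firewall service` line is noticed rather than silently matched.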