Cisco Secure Router 520 Series Software Configuration Guide Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS

Preface ix
  Objective ix
  Audience ix
  Organization x
  Conventions xi
  Related Documentation xvi
  Obtaining Documentation and Submitting a Service Request xvii

PART 1 Getting Started
CHAPTER 1 Basic Router Configuration 1-1
  Viewing the Default Configuration 1-2
  Information Needed for Customizing the Default Parameters 1-2
  Interface Port Labels 1-3
  Configuring Basic Parameters 1-3
    Configure Global Parameters 1-4
    Configure Fast Ethernet LAN Interfaces 1-4
    Configure WAN Interfaces

PART 2 Configuring Your Router for Ethernet and DSL Access
CHAPTER 2 Sample Network Deployments 2-1
CHAPTER 3 Configuring PPP over Ethernet with NAT 3-1
  Configure the Virtual Private Dialup Network Group Number
  Configure the Fast Ethernet WAN Interfaces
  Configure the Dialer Interface 3-5
  Configuration Example 3-8
  Verifying Your Configuration 3-8
CHAPTER 4 Configuring PPP over ATM with NAT 4-1
  Configure the Dialer Interface 4-2
  Configure the ATM WAN Interface
  Configure DSL Signaling Protocol

  Apply the Crypto Map to the Physical Interface 6-8
  Create an Easy VPN Remote Configuration 6-9
  Verifying Your Easy VPN Configuration 6-10
  Configuration Example 6-10
CHAPTER 7 Configuring VPNs Using an IPsec Tunnel and Generic Routing Encapsulation 7-1
  Configure a VPN 7-2
    Configure the IKE Policy 7-3
    Configure Group Policy Information 7-4
    Enable Policy Lookup 7-5
    Configure IPsec Transforms and Protocols 7-5
    Configure the IPsec Crypto Method and Parameters 7-6
    Apply the Crypto Map to the Physical Interface

  Guidelines for Creating Access Groups 11-3
  Configuring a CBAC Firewall 11-3
  Configuring Cisco IOS Firewall IDS 11-4
  Configuring VPNs 11-4
CHAPTER 12 Troubleshooting 12-1
  Getting Started 12-1
  Before Contacting Cisco or Your Reseller 12-1
  ADSL Troubleshooting 12-2
  ATM Troubleshooting Commands 12-2
    ping atm interface Command 12-2
    show interface Command 12-3
    show atm interface Command 12-5
    debug atm Commands 12-5
      Guidelines for Using Debug Commands
      debug atm errors Command 12-6
      debug atm

  Saving Configuration Changes A-6
  Summary A-7
  Where to Go Next A-7
APPENDIX B Concepts B-1
  ADSL B-1
  Network Protocols B-2
    IP B-2
  Routing Protocol Options B-2
    RIP B-2
  PPP Authentication Protocols B-3
    PAP B-3
    CHAP B-3
  TACACS+
  Network Interfaces B-4
    Ethernet B-4
    ATM for DSL B-4
    PVC B-5
    Dialer Interface B-5
  NAT B-5
    Easy IP (Phase 1) B-6
    Easy IP (Phase 2) B-6
  QoS B-7
    IP Precedence B-7
    PPP Fragmentation and Interleaving
    CBWFQ B-8
    RSVP B-8
    Low Latency Queuing B-8
  Access Lists

  Optional Variables C-4
  Using the TFTP Download Command C-5
  Configuration Register C-5
    Changing the Configuration Register Manually C-6
    Changing the Configuration Register Using Prompts C-6
  Console Download C-7
    Command Description C-7
    Error Reporting C-8
  Debug Commands C-8
  Exiting the ROM Monitor C-9
APPENDIX D Common Port Assignments D-1
INDEX

Cisco Secure Router 520 Series Software Configuration Guide viii OL-14210-01
Preface This preface describes the objectives, audience, organization, and conventions of this guide, and describes related documents that have additional information.
Preface Organization This guide is organized into the following chapters and appendix. Part 1: Getting Started Chapter 1, “Basic Router Configuration” Describes how to configure basic router features and interfaces. Part 2: Configuring Your Router for Ethernet and DSL Access Chapter 2, “Sample Network Deployments” Provides a road map for Part 2.
Appendix C, “ROM Monitor”: Describes the use of the ROM Monitor (ROMMON) utility.
Appendix D, “Common Port Assignments”: Describes the currently assigned Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) port numbers.

Conventions
This section describes the conventions used in this guide.
Note: Means reader take note. Notes contain helpful suggestions or references to additional information and material.
Caution: This symbol means reader be careful.
Warning: This symbol means danger; see the safety statement that follows.
Warning IMPORTANT SAFETY INSTRUCTIONS
This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. Use the statement number provided at the end of each warning to locate its translation in the translated safety warnings that accompanied this device. (The guide prints this statement in French, Spanish, and Portuguese as well.)
Preface Related Documentation The Cisco Secure Router 520 Series product is shipped with a minimal set of printed documentation. Additional product documentation is available on Cisco.com. In addition to the Cisco Secure Router 520 Series Software Configuration Guide (this document), the Cisco Secure Router 520 Series documentation set includes the following documents.
Preface Obtaining Documentation and Submitting a Service Request For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.
PA R T 1 Getting Started
CH A P T E R 1 Basic Router Configuration The Cisco Secure Router 520 Series routers are designed for small businesses with up to 50 users and teleworkers who want secure connectivity to corporate LANs and to the Internet. These routers provide advanced security features that include secure Virtual Private Network (VPN) access and comprehensive threat defense with Cisco IOS Firewall, Intrusion Prevention Solution (IPS), and URL filtering.
Chapter 1 Basic Router Configuration Viewing the Default Configuration Viewing the Default Configuration When the router first boots up, some basic configuration has already been performed. All of the LAN and WAN interfaces have been created, console and VTY ports are configured, and the inside interface for Network Address Translation has been assigned.
Chapter 1 Basic Router Configuration Interface Port Labels – Order the appropriate line from your public telephone service provider. Ensure that the ADSL signaling type is DMT (also called ANSI T1.413) or DMT Issue 2. Once you have collected the appropriate information, you can perform a full configuration on your router, beginning with the tasks in the “Configuring Basic Parameters” section.
Chapter 1 Basic Router Configuration Configuring Basic Parameters Configure Global Parameters Perform these steps to configure selected global parameters for your router: Step 1 Command Purpose configure terminal Enters global configuration mode, when using the console port.
Chapter 1 Basic Router Configuration Configuring Basic Parameters Based on the router you have, configure the WAN interface(s) by using one of the following procedures: • Configure the Fast Ethernet WAN Interface • Configure the ATM WAN Interface Configure the Fast Ethernet WAN Interface This procedure applies only to the Cisco Secure Router 520 Ethernet-to-Ethernet routers.
Chapter 1 Basic Router Configuration Configuring Basic Parameters Perform these steps to configure the ATM interface, beginning in global configuration mode: Step 1 Command Purpose interface type number Identifies and enters the configuration mode for an ATM interface. Example: Router(config)# interface atm0 Router(config-if)# Step 2 ip address ip-address mask Sets the IP address and subnet mask for the ATM interface. Example: Router(config-if)# ip address 200.200.100.1 255.255.255.
Chapter 1 Basic Router Configuration Configuring Basic Parameters Perform these steps to configure a loopback interface, beginning in global configuration mode: Step 1 Command Purpose interface type number Enters configuration mode for the loopback interface. Example: Router(config)# interface Loopback 0 Router(config-if)# Step 2 ip address ip-address mask Sets the IP address and subnet mask for the loopback interface. Example: Router(config-if)# ip address 10.108.1.1 255.255.255.
  Last clearing of "show interface" counters never
  Queuing strategy: fifo
  Output queue 0/0, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0
Chapter 1 Basic Router Configuration Configuring Basic Parameters Step 5 Command Purpose exit Exits line configuration mode, and returns to global configuration mode. Example: Router(config-line)# exit Router (config)# Step 6 line [aux | console | tty | vty] line-number Specifies a virtual terminal for remote console access. Example: Router(config)# line vty 0 4 Router(config-line)# Step 7 password password Specifies a unique password for the virtual terminal line.
Chapter 1 Basic Router Configuration Configuring Static Routes Configuring Static Routes Static routes provide fixed routing paths through the network. They are manually configured on the router. If the network topology changes, the static route must be updated with a new route. Static routes are private routes unless they are redistributed by a routing protocol. Configuring static routes on the Cisco Secure Router 520 Series router is optional.
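The forwarding decision that a static route feeds into is easy to get wrong when a default route and a more specific route overlap. The following is an added example, not code from the guide: a small Python model of the lookup the router performs, using a constructed table that mirrors the `show ip route` output in this section (a connected 10.108.1.0/24 on Loopback0 and a static default out FastEthernet0 are the assumed entries; the interface names and administrative distances are the IOS defaults, 0 for connected and 1 for static).

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Route:
    code: str                      # "C" connected, "S" static, "S*" candidate default
    prefix: ipaddress.IPv4Network
    out_iface: str
    admin_distance: int            # IOS defaults: connected 0, static 1


def make_route(code: str, cidr: str, out_iface: str, admin_distance: int = 1) -> Route:
    """Helper so routes can be built from CIDR strings without touching ipaddress."""
    return Route(code, ipaddress.ip_network(cidr), out_iface, admin_distance)


# Constructed table mirroring the `show ip route` output in this section (assumption).
ROUTES = (
    make_route("C", "10.108.1.0/24", "Loopback0", 0),
    make_route("S*", "0.0.0.0/0", "FastEthernet0", 1),
)


def lookup(dest: str, routes: Iterable[Route] = ROUTES) -> Optional[Route]:
    """Longest matching prefix wins; on equal prefix length the lower administrative
    distance wins. None means no route covers the destination, so the router would
    drop the packet (which is exactly what the default route prevents)."""
    addr = ipaddress.ip_address(dest)
    best: Optional[Route] = None
    for r in routes:
        if addr not in r.prefix:
            continue
        # Compare (prefix length, -AD) so a longer prefix, then a lower AD, ranks higher.
        if best is None or (r.prefix.prefixlen, -r.admin_distance) > (
            best.prefix.prefixlen, -best.admin_distance
        ):
            best = r
    return best


def egress(dest: str, routes: Iterable[Route] = ROUTES) -> str:
    """Interface a packet to dest leaves on, or "drop" when nothing matches."""
    r = lookup(dest, routes)
    return r.out_iface if r else "drop"


if __name__ == "__main__":
    for d in ("10.108.1.7", "203.0.113.9"):
        print(d, "->", egress(d))
```

Removing the candidate default from the table turns the second lookup into a drop, and adding a static 10.108.1.0/25 overrides the connected /24 for the lower half of that subnet only: that is the behaviour to keep in mind when a static route is added "temporarily" on a router that also runs a routing protocol.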
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets
C       10.108.1.0 is directly connected, Loopback0
S*   0.0.0.0/0 is directly connected, FastEthernet0

Configuring Dynamic Routes
In dynamic routing, the network protocol adjusts the path automatically, based on network traffic or topology.
Chapter 1 Basic Router Configuration Configuring Dynamic Routes Step 4 Command Task no auto-summary Disables automatic summarization of subnet routes into network-level routes. This allows subprefix routing information to pass across classful network boundaries. Example: Router(config-router)# no auto-summary Router(config-router)# Step 5 end Exits router configuration mode, and enters privileged EXEC mode.
PA R T 2 Configuring Your Router for Ethernet and DSL Access
CHAPTER 2 Sample Network Deployments This part of the software configuration guide presents a variety of possible Ethernet and Digital Subscriber Line (DSL)-based network configurations using the Cisco Secure Router 520 Series router. Each scenario is described with a network topology, a step-by-step procedure that is used to implement the network configuration, and a configuration example that shows the results of the configuration.
• Chapter 7, “Configuring VPNs Using an IPsec Tunnel and Generic Routing Encapsulation” • Chapter 8, “Configuring a Simple Firewall”
CH A P T E R 3 Configuring PPP over Ethernet with NAT The Cisco Secure Router 520 Ethernet-to-Ethernet routers support Point-to-Point Protocol over Ethernet (PPPoE) clients and network address translation (NAT). Multiple PCs can be connected to the LAN behind the router. Before the traffic from these PCs is sent to the PPPoE session, it can be encrypted, filtered, and so forth. Figure 3-1 shows a typical deployment scenario with a PPPoE client and NAT configured on the Cisco router.
Chapter 3 Configuring PPP over Ethernet with NAT Configure the Virtual Private Dialup Network Group Number PPPoE The PPPoE Client feature on the router provides PPPoE client support on Ethernet interfaces. A dialer interface must be used for cloning virtual access. Multiple PPPoE client sessions can be configured on an Ethernet interface, but each session must use a separate dialer interface and a separate dialer pool.
Chapter 3 Configuring PPP over Ethernet with NAT Configure the Fast Ethernet WAN Interfaces Step 3 Command or Action Purpose request-dialin Creates a request-dialin VPDN subgroup, indicating the dialing direction, and initiates the tunnel. Example: Router(config-vpdn)# request-dialin Router(config-vpdn-req-in)# Step 4 protocol {l2tp | pppoe} Specifies the type of sessions the VPDN subgroup can establish.
Chapter 3 Configuring PPP over Ethernet with NAT Configure the Dialer Interface Step 3 Command Purpose no shutdown Enables the Fast Ethernet interface and the configuration changes just made to it. Example: Router(config-if)# no shutdown Router(config-if)# Step 4 exit Example: Exits configuration mode for the Fast Ethernet interface and returns to global configuration mode.
Step 5 Command: ppp authentication {protocol1 [protocol2...]}. Purpose: Sets the PPP authentication method to Challenge Handshake Authentication Protocol (CHAP). For details about this command and additional parameters that can be set, see the Cisco IOS Security Command Reference.
Chapter 3 Configuring PPP over Ethernet with NAT Configure Network Address Translation Perform these steps to configure the outside Fast Ethernet WAN interface with dynamic NAT, beginning in global configuration mode: Step 1 Command Purpose ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} Creates pool of global IP addresses for NAT. Example: Router(config)# ip nat pool pool1 192.168.1.0 192.168.2.0 netmask 255.255.252.
Chapter 3 Configuring PPP over Ethernet with NAT Configure Network Address Translation Step 6 Command Purpose exit Exits configuration mode for the Fast Ethernet interface. Example: Router(config-if)# exit Router(config)# Step 7 interface type number Enters configuration mode for the Fast Ethernet WAN interface (FE4) to be the outside interface for NAT.
Configuration Example
The following configuration example shows a portion of the configuration file for the PPPoE scenario described in this chapter. The VLAN interface has an IP address of 192.168.1.1 with a subnet mask of 255.255.255.0. NAT is configured for inside and outside.
Note: Because the VLAN interface faces the LAN, it uses a private (RFC 1918) address; only the NAT outside interface needs a publicly routable address.
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 interface Dialer0 refcount 0
Queued Packets: 0
CH A P T E R 4 Configuring PPP over ATM with NAT The Cisco Secure Router 520 ADSL-over-POTS and Cisco Secure Router 520 ADSL-over-ISDN routers support Point-to-Point Protocol over Asynchronous Transfer Mode (PPPoA) clients and network address translation (NAT). Multiple PCs can be connected to the LAN behind the router. Before traffic from the PCs is sent to the PPPoA session, it can be encrypted, filtered, and so forth.
Chapter 4 Configuring PPP over ATM with NAT Configure the Dialer Interface In this scenario, the small business or remote user on the Fast Ethernet LAN can connect to an Internet service provider (ISP) using the following protocols on the WAN connection: • Asymmetric digital subscriber line (ADSL) over plain old telephone service (POTS) using the Cisco Secure Router 520 ADSL-over-POTS routers • ADSL over integrated services digital network (ISDN) using the Cisco Secure Router 520 ADSL-over-ISDN router
Chapter 4 Configuring PPP over ATM with NAT Configure the Dialer Interface Perform these steps to configure a dialer interface for the ATM interface on the router, starting in global configuration mode: Step 1 Command Purpose interface dialer dialer-rotary-group-number Creates a dialer interface (numbered 0–255), and enters into interface configuration mode.
Chapter 4 Configuring PPP over ATM with NAT Configure the Dialer Interface Step 8 Command Purpose exit Exits the dialer 0 interface configuration. Example: Router(config-if)# exit Router(config)# Step 9 dialer-list dialer-group protocol protocol-name {permit | deny | list access-list-number | access-group} Creates a dialer list and associates a dial group with it. Packets are then forwarded through the specified interface dialer group.
Configure the ATM WAN Interface
Perform these steps to configure the ATM interface, beginning in global configuration mode:
Step 1 Command: interface type number. Purpose: Enters interface configuration mode for the ATM interface (labeled ADSLoPOTS). Note: This interface was initially configured during basic router configuration.
Example: Router(config)# interface atm 0
Router(config-if)#
Step 2 Command: pvc vpi/vci
Chapter 4 Configuring PPP over ATM with NAT Configure DSL Signaling Protocol Step 5 Command Purpose no shutdown Enables interface and configuration changes just made to the ATM interface. Example: Router(config-if-atm-vc)# no shutdown Router(config-if)# Step 6 exit Exits configuration mode for the ATM interface. Example: Router(config-if)# exit Router(config)# Configure DSL Signaling Protocol DSL signaling must be configured on the ATM interface for connection to your ISP.
Chapter 4 Configuring PPP over ATM with NAT Configure Network Address Translation Verify the Configuration You can verify that the configuration is set the way you want by using the show dsl interface atm command from privileged EXEC mode. Configure Network Address Translation Network Address Translation (NAT) translates packets from addresses that match a standard access list, using global addresses allocated by the dialer interface.
Chapter 4 Configuring PPP over ATM with NAT Configure Network Address Translation Step 4 Command Purpose ip nat {inside | outside} Applies NAT to the Fast Ethernet LAN interface as the inside interface. Example: For details about this command and additional parameters that can be set, as well as information about enabling static translation, see the Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services.
Step 10 Command: exit. Purpose: Exits configuration mode for the ATM interface.
Example: Router(config-if)# exit
Router(config)#
Step 11 Command: access-list access-list-number {deny | permit} source [source-wildcard]. Purpose: Defines a standard access list permitting addresses that need translation. Note: All other addresses are implicitly denied.
Example: Router(config)# access-list 1 permit 192.168.1.0 0.0.0.
 ip mtu 1492
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap
!
ip classless (default)
!
ip nat pool pool1 192.168.1.0 192.168.2.0 netmask 255.255.252.0
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
ip route 10.10.25.2 0.255.255.
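Two things in the NAT fragments of this chapter and chapter 3 are easy to mistype: the `netmask` on an `ip nat pool` line must be a real subnet mask (contiguous one-bits, such as 255.255.252.0), whereas the `access-list` line that selects inside addresses takes a wildcard (its complement, such as 0.0.0.255), and a standard access list denies everything it does not explicitly permit. The following is an added example, not code from the guide or from Cisco IOS: a Python check that validates a pool line the way the router needs it and a model of standard access-list matching with the implicit deny. The pool and access-list values are the ones from the configuration example above.

```python
import ipaddress
from typing import List, Tuple

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def is_netmask(dotted: str) -> bool:
    """A netmask is a run of 1-bits followed by 0-bits (255.255.252.0).
    0.0.0.255 fails: that is a wildcard, the bitwise complement of a mask."""
    inverted = (~_to_int(dotted)) & ALL_ONES
    return (inverted & (inverted + 1)) == 0      # inverted must look like 0...01...1


def netmask_to_wildcard(dotted: str) -> str:
    """The wildcard that an access-list entry needs for the same prefix."""
    if not is_netmask(dotted):
        raise ValueError(f"{dotted} is not a netmask")
    return str(ipaddress.IPv4Address((~_to_int(dotted)) & ALL_ONES))


def nat_pool_size(start: str, end: str, netmask: str) -> int:
    """Validates `ip nat pool NAME start end netmask M`: M must be a real netmask
    and the whole start..end range must sit inside one subnet of that mask.
    Returns the number of global addresses in the pool."""
    if not is_netmask(netmask):
        raise ValueError(f"netmask {netmask} is invalid (a wildcard was probably written by mistake)")
    first, last = _to_int(start), _to_int(end)
    if first > last:
        raise ValueError("start address is above end address")
    subnet = ipaddress.ip_network(f"{start}/{netmask}", strict=False)
    if ipaddress.IPv4Address(last) not in subnet:
        raise ValueError(f"pool {start}-{end} does not fit inside {subnet}")
    return last - first + 1


def pool_line_is_valid(start: str, end: str, netmask: str) -> bool:
    try:
        nat_pool_size(start, end, netmask)
        return True
    except ValueError:
        return False


class StandardAcl:
    """Numbered standard access list: entries are tested in order, the first match
    decides, and an address that matches no entry is denied (implicit deny)."""

    def __init__(self) -> None:
        self.entries: List[Tuple[bool, int, int]] = []

    def add(self, action: str, source: str, wildcard: str = "0.0.0.0") -> "StandardAcl":
        # Mirrors `access-list N {permit|deny} source [wildcard]`; no wildcard
        # means an exact host match.
        if action not in ("permit", "deny"):
            raise ValueError(action)
        self.entries.append((action == "permit", _to_int(source), _to_int(wildcard)))
        return self

    def permits(self, ip: str) -> bool:
        addr = _to_int(ip)
        for permit, net, wildcard in self.entries:
            care = (~wildcard) & ALL_ONES     # 0-bits of the wildcard must match exactly
            if (addr & care) == (net & care):
                return permit
        return False                          # implicit deny


if __name__ == "__main__":
    print("pool1 size:", nat_pool_size("192.168.1.0", "192.168.2.0", "255.255.252.0"))
    print("0.0.0.255 as netmask valid?", pool_line_is_valid("192.168.1.0", "192.168.2.0", "0.0.0.255"))
    acl1 = StandardAcl().add("permit", "192.168.1.0", "0.0.0.255")
    print("192.168.1.77 translated?", acl1.permits("192.168.1.77"))
    print("192.168.2.1 translated?", acl1.permits("192.168.2.1"))
```

Note that the `overload` keyword on the `ip nat inside source` line makes the pool size largely irrelevant (many inside hosts share one global address through port translation), so a pool that the router rejects at configuration time is the failure you will actually see, not exhaustion.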
CH A P T E R 5 Configuring a LAN with DHCP and VLANs The Cisco Secure Router 520 Series routers support clients on both physical LANs and virtual LANs (VLANs). The routers can use the Dynamic Host Configuration Protocol (DHCP) to enable automatic assignment of IP configurations for nodes on these networks. Figure 5-1 shows a typical deployment scenario with two physical LANs connected by the router and two VLANs.
Chapter 5 Configuring a LAN with DHCP and VLANs Configure DHCP Note Whenever you change server properties, you must reload the server with the configuration data from the Network Registrar database. VLANs The Cisco Secure Router 520 Series routers support four Fast Ethernet ports on which you can configure VLANs. VLANs enable networks to be segmented and formed into logical groups of users, regardless of the user’s physical location or LAN connection.
Chapter 5 Configuring a LAN with DHCP and VLANs Configure DHCP Step 4 Command Purpose ip dhcp pool name Creates a DHCP address pool on the router and enters DHCP pool configuration mode. The name argument can be a string or an integer. Example: Router(config)# ip dhcp pool dpool1 Router(dhcp-config)# Step 5 network network-number [mask | prefix-length] Defines subnet number (IP) address for the DHCP address pool, optionally including the mask. Example: Router(dhcp-config)# network 10.10.0.0 255.
Configuration Example
The following configuration example shows a portion of the configuration file for the DHCP configuration described in this chapter.

ip dhcp excluded-address 192.168.9.0
!
ip dhcp pool dpool1
 import all
 network 10.10.0.0 255.255.255.0
 default-router 10.10.10.10
 dns-server 192.168.35.2
 domain-name cisco.com
!
ip domain name smallbiz.com
ip name-server 192.168.11.
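Two consistency checks are worth running against any `ip dhcp pool` before trusting it: the `default-router` must lie inside the pool's `network`, and an `ip dhcp excluded-address` only protects addresses that are inside some pool's network. Applied to the fragment above, both checks fail: 10.10.10.10 is not in 10.10.0.0/24, and 192.168.9.0 is not in any pool. The following is an added example, not code from the guide or from Cisco IOS: a Python model of one pool that reports those problems and hands out leases the way a server would, skipping the gateway, the excluded addresses and existing leases. Client identifiers and the corrected pool values are assumptions for the example.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional


class DhcpPool:
    """Model of one `ip dhcp pool` with its `network` and `default-router`, plus
    the router-wide `ip dhcp excluded-address` list. Constructed for this
    example; it is not IOS code."""

    def __init__(self, network: str, default_router: str, excluded: Iterable[str] = ()) -> None:
        # The IOS form "10.10.0.0 255.255.255.0" is written here as "10.10.0.0/255.255.255.0".
        self.net = ipaddress.ip_network(network, strict=True)
        self.router = ipaddress.ip_address(default_router)
        self.excluded = {ipaddress.ip_address(x) for x in excluded}
        self.leases: Dict[str, ipaddress.IPv4Address] = {}

    def problems(self) -> List[str]:
        """Misconfigurations that IOS accepts silently but clients will notice."""
        out: List[str] = []
        if self.router not in self.net:
            out.append(f"default-router {self.router} is outside {self.net}: clients get an unreachable gateway")
        for x in sorted(self.excluded):
            if x not in self.net:
                out.append(f"excluded-address {x} is outside {self.net} and has no effect on this pool")
        return out

    def allocate(self, client_id: str) -> Optional[str]:
        """Lowest free host address, skipping the gateway, excluded addresses and
        existing leases; a repeat request returns the client's existing lease.
        None means the pool is exhausted."""
        if client_id in self.leases:
            return str(self.leases[client_id])
        taken = set(self.leases.values()) | self.excluded | {self.router}
        for host in self.net.hosts():
            if host not in taken:
                self.leases[client_id] = host
                return str(host)
        return None


if __name__ == "__main__":
    # Values from the configuration example above.
    as_configured = DhcpPool("10.10.0.0/255.255.255.0", "10.10.10.10", ["192.168.9.0"])
    for p in as_configured.problems():
        print("problem:", p)
    # Assumed corrected pool: gateway inside the network and excluded from leasing.
    corrected = DhcpPool("10.10.0.0/255.255.255.0", "10.10.0.1", ["10.10.0.1", "10.10.0.2"])
    print("problems after fix:", corrected.problems())
    print("first lease:", corrected.allocate("pc-1"))
```

The exhaustion case matters on small VLAN subnets: with a /30 and the gateway taking one of the two host addresses, the second client gets nothing, which shows up as clients self-assigning 169.254.x.x addresses rather than as an error on the router.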
Message      Sent
BOOTREPLY    0
DHCPOFFER    0
DHCPACK      0
DHCPNAK      0
Router#

Configure VLANs
Perform these steps to configure VLANs on your router, beginning in privileged EXEC mode:
Step 1 Command: vlan database. Purpose: Enters VLAN configuration mode.
Example: Router# vlan database
Router(vlan)#
Step 2 Command: vlan vlan-id [media type] [name vlan-name]. Purpose: Adds VLANs, with identifiers ranging from 2 to 1001.
Chapter 5 Configuring a LAN with DHCP and VLANs Configure VLANs Assign a Switch Port to a VLAN Perform these steps to assign a switch port to a VLAN, beginning in global configuration mode: Step 1 Command Purpose interface switch port id Specifies the switch port that you want to assign to the VLAN. Example: Router(config)# interface FastEthernet 2 Router(config-if)# Step 2 switchport access vlan vlan-id Assigns a port to the VLAN.
VLAN ISL Id: 3
  Name: red-vlan
  Media Type: Ethernet
  VLAN 802.10 Id: 100003
  State: Operational
  MTU: 1500

VLAN ISL Id: 1002
  Name: fddi-default
  Media Type: FDDI
  VLAN 802.10 Id: 101002
  State: Operational
  MTU: 1500
  Bridge Type: SRB
  Translational Bridged VLAN: 1
  Translational Bridged VLAN: 1003

VLAN ISL Id: 1003
  Name: token-ring-default
  Media Type: Token Ring
  VLAN 802.
VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
2    enet  100002     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        ibm  -        0      0
1005 trnet 101005     1500  -      -      1        ibm  -        0      0
CH A P T E R 6 Configuring a VPN Using Easy VPN and an IPsec Tunnel The Cisco Secure Router 520 Series routers support the creation of Virtual Private Networks (VPNs). Cisco routers and other broadband devices provide high-performance connections to the Internet, but many applications also require the security of VPN connections which perform a high level of authentication and which encrypt the data between two particular endpoints. Two types of VPNs are supported—site-to-site and remote access.
Chapter 6 Configuring a VPN Using Easy VPN and an IPsec Tunnel 4 VPN server—Easy VPN server; for example, a Cisco Adaptive Security Appliance (ASA) Series concentrator with outside interface address 210.110.101.1 5 Corporate office with a network address of 10.1.1.1 6 IPsec tunnel Cisco Easy VPN The Cisco Easy VPN client feature eliminates much of the tedious configuration work by implementing the Cisco Unity Client protocol.
Configure the IKE Policy
Note: The procedures in this chapter assume that you have already configured basic router features as well as PPPoE or PPPoA with NAT, DHCP, and VLANs.
Step 5 Command or Action: group {1 | 2 | 5}. Purpose: Specifies the Diffie-Hellman group to be used in an IKE policy. Groups 1 and 2 (768-bit and 1024-bit MODP) are now considered too weak for new deployments; configure the strongest group that both peers support.
Example: Router(config-isakmp)# group 2
Router(config-isakmp)#
Step 6 Command or Action: lifetime seconds. Purpose: Specifies the lifetime, 60–86400 seconds, for an IKE security association (SA).
Chapter 6 Configuring a VPN Using Easy VPN and an IPsec Tunnel Apply Mode Configuration to the Crypto Map Step 4 Command or Action Purpose domain name Specifies group domain membership. Example: Router(config-isakmp-group)# domain company.com Router(config-isakmp-group)# Step 5 exit Exits IKE group policy configuration mode, and enters global configuration mode.
Chapter 6 Configuring a VPN Using Easy VPN and an IPsec Tunnel Enable Policy Lookup Enable Policy Lookup Perform these steps to enable policy lookup through AAA, beginning in global configuration mode: Step 1 Command or Action Purpose aaa new-model Enables the AAA access control model. Example: Router(config)# aaa new-model Router(config)# Step 2 aaa authentication login {default | list-name} method1 [method2...
Chapter 6 Configuring a VPN Using Easy VPN and an IPsec Tunnel Configure the IPsec Crypto Method and Parameters Perform these steps to specify the IPsec transform set and protocols, beginning in global configuration mode: Step 1 Command or Action Purpose crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4] Defines a transform set—an acceptable combination of IPsec security protocols and algorithms.
Chapter 6 Configuring a VPN Using Easy VPN and an IPsec Tunnel Apply the Crypto Map to the Physical Interface Step 3 Command or Action Purpose reverse-route Creates source proxy information for the crypto map entry. Example: See the Cisco IOS Security Command Reference for details. Router(config-crypto-map)# reverse-route Router(config-crypto-map)# Step 4 exit Returns to global configuration mode.
Chapter 6 Configuring a VPN Using Easy VPN and an IPsec Tunnel Create an Easy VPN Remote Configuration Step 2 Command or Action Purpose crypto map map-name Applies the crypto map to the interface. Example: See the Cisco IOS Security Command Reference for more detail about this command. Router(config-if)# crypto map static-map Router(config-if)# Step 3 exit Returns to global configuration mode.
Step 5 Command or Action: exit. Purpose: Returns to global configuration mode.
Example: Router(config-crypto-ezvpn)# exit
Router(config)#
Step 6 Command or Action: interface type number. Purpose: Enters the interface configuration mode for the interface to which you want the Cisco Easy VPN remote configuration applied.
Example: Router(config)# interface fastethernet 4
Router(config-if)#
Configuration Example

username Cisco password 0 Cisco
!
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2
 lifetime 480
!
crypto isakmp client configuration group rtr-remote
 key secret-password
 dns 10.50.10.1 10.60.10.1
 domain company.

Note: The `username ... password 0` form stores the password in cleartext in the configuration file, and 3DES with Diffie-Hellman group 2 are legacy IKE choices. Treat the user name, password, and group key in this example as placeholders to be replaced in a production configuration.
CH A P T E R 7 Configuring VPNs Using an IPsec Tunnel and Generic Routing Encapsulation The Cisco Secure Router 520 Series routers support the creation of virtual private networks (VPNs). Cisco routers and other broadband devices provide high-performance connections to the Internet, but many applications also require the security of VPN connections which perform a high level of authentication and which encrypt the data between two particular endpoints.
Chapter 7 Configuring VPNs Using an IPsec Tunnel and Generic Routing Encapsulation Configure a VPN GRE Tunnels GRE tunnels are typically used to establish a VPN between the Cisco router and a remote device that controls access to a private network, such as a corporate network. Traffic forwarded through the GRE tunnel is encapsulated and routed out onto the physical interface of the router.
Chapter 7 Configuring VPNs Using an IPsec Tunnel and Generic Routing Encapsulation Configure a VPN Configure the IKE Policy Perform these steps to configure the Internet Key Exchange (IKE) policy, beginning in global configuration mode: Step 1 Command or Action Purpose crypto isakmp policy priority Creates an IKE policy that is used during IKE negotiation. The priority is a number from 1 to 10000, with 1 being the highest.
Chapter 7 Configuring VPNs Using an IPsec Tunnel and Generic Routing Encapsulation

Configure Group Policy Information

Perform these steps to configure the group policy, beginning in global configuration mode:

Step 1  crypto isakmp client configuration group {group-name | default}
Purpose: Creates an IKE policy group that contains attributes to be downloaded to the remote client.

Enable Policy Lookup

Perform these steps to enable policy lookup through AAA, beginning in global configuration mode:

Step 1  aaa new-model
Purpose: Enables the AAA access control model.
Example:
    Router(config)# aaa new-model
    Router(config)#

Step 2  aaa authentication login {default | list-name} method1 [method2...

Perform these steps to specify the IPsec transform set and protocols, beginning in global configuration mode:

Step 1  crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]
Purpose: Defines a transform set, that is, an acceptable combination of IPsec security protocols and algorithms.

Step 3  reverse-route
Purpose: Creates source proxy information for the crypto map entry. See the Cisco IOS Security Command Reference for details.
Example:
    Router(config-crypto-map)# reverse-route
    Router(config-crypto-map)#

Step 4  exit
Purpose: Enters global configuration mode.

Step 2  crypto map map-name
Purpose: Applies the crypto map to the interface. See the Cisco IOS Security Command Reference for more detail about this command.
Example:
    Router(config-if)# crypto map static-map
    Router(config-if)#

Step 3  exit
Purpose: Enters global configuration mode.

Configure a GRE Tunnel

Step 5  crypto map map-name
Purpose: Assigns a crypto map to the tunnel.
Example:
    Router(config-if)# crypto map static-map
    Router(config-if)#

Step 6  exit

Note: Dynamic routing or static routes to the tunnel interface must be configured to establish connectivity between the sites. See the Cisco IOS Security Configuration Guide for details.

Configuration Example

    tunnel source fastethernet 0
    tunnel destination interface 192.168.101.1
    ip route 20.20.20.0 255.255.255.0 tunnel 1
    crypto isakmp policy 1
     encryption 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group rtr-remote
     key secret-password
     dns 10.50.10.1 10.60.10.1
     domain company.

    !
    ! Utilize NAT overload in order to make best use of the
    ! single address provided by the ISP.
    ip nat inside source list 102 interface Ethernet1 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 210.110.101.1
    no ip http server
    !
    !
    ! acl 102 associated addresses used for NAT.
    access-list 102 permit ip 10.1.1.0 0.0.0.255 any
    ! acl 103 defines traffic allowed from the peer for the IPsec tunnel.
Chapter 8 Configuring a Simple Firewall

The Cisco Secure Router 520 Series routers support network traffic filtering by means of access lists. The routers also support packet inspection and dynamic temporary access lists by means of Context-Based Access Control (CBAC). Basic traffic filtering is limited to configured access list implementations that examine packets at the network layer or, at most, the transport layer, permitting or denying the passage of each packet through the firewall.

Figure 8-1 shows a network deployment using PPPoE or PPPoA with NAT and a firewall.

Configure Access Lists

Note: The procedures in this chapter assume that you have already configured basic router features as well as PPPoE or PPPoA with NAT. If you have not performed these configuration tasks, see Chapter 1, “Basic Router Configuration,” Chapter 3, “Configuring PPP over Ethernet with NAT,” and Chapter 4, “Configuring PPP over ATM with NAT,” as appropriate for your router. You may have also configured DHCP, VLANs, and secure tunnels.

Configure Inspection Rules

Perform these steps to configure firewall inspection rules for all TCP and UDP traffic, as well as specific application protocols as defined by the security policy, beginning in global configuration mode:

Step 1  ip inspect name inspection-name protocol
Purpose: Defines an inspection rule for a particular protocol.

Step 4  interface type number
Purpose: Enters interface configuration mode for the outside network interface on your router.
Example:
    Router(config)# interface fastethernet 4
    Router(config-if)#

Step 5  ip access-group {access-list-number | access-list-name} {in | out}
Purpose: Assigns the defined ACLs to the outside interface on the router.

Configuration Example

    ip nat outside
    no cdp enable
    !
    ! acl 103 defines traffic allowed from the peer for the IPsec tunnel.
    access-list 103 permit udp host 200.1.1.1 any eq isakmp
    access-list 103 permit udp host 200.1.1.1 eq isakmp any
    access-list 103 permit esp host 200.1.1.1 any
    ! Allow ICMP for debugging but should be disabled because of security implications.
Chapter 9 Configuring a Wireless LAN Connection

The Cisco Secure Router 520 Series routers support a secure, affordable, and easy-to-use wireless LAN solution that combines mobility and flexibility with the enterprise-class features required by networking professionals. With a management system based on Cisco IOS software, the Cisco routers act as access points, and are Wi-Fi certified, IEEE 802.11a/b/g-compliant wireless LAN transceivers.

Configuration Tasks

Perform the following tasks to configure this network scenario:
• Configure the Root Radio Station
• Configure Bridging on VLANs
• Configure Radio Station Subinterfaces

A configuration example showing the results of these configuration tasks is provided in the “Configuration Example” section on page 9-6.

Configure the Root Radio Station

Step 3  encryption method algorithm key
Purpose: Specifies the encryption method, algorithm, and key used to access the wireless interface. The example uses the VLAN with the optional encryption method of data ciphers.
Example:
    Router(config-if)# encryption vlan 1 mode ciphers tkip
    Router(config-if)#

Step 4  ssid name
Purpose: Creates a Service Set ID (SSID), the public name of a wireless network.

Step 10  power [client | local] [cck [number | maximum] | ofdm [number | maximum]]
Purpose: (Optional) Specifies the radio transmitter power level. See the Cisco Access Router Wireless Configuration Guide for available power level values.

Configure Bridging on VLANs

Step 3  bridge-group number
Purpose: Assigns a bridge group to the interface.
Example:
    Router(config-if)# bridge-group 1
    Router(config-if)#

Step 4  bridge-group parameter
Purpose: Sets other bridge parameters for the bridging interface.
Example:
    Router(config-if)# bridge-group 1 spanning-disabled
    Router(config-if)#

Step 5  interface name number
Purpose: Enters configuration mode for the virtual bridge interface.

Configure Radio Station Subinterfaces

Step 3  encapsulation dot1q vlanID [native | second-dot1q]
Purpose: Specifies that IEEE 802.1Q (dot1q) encapsulation is used on the specified subinterface.
Example:
    Router(config-subif)# encapsulation dot1q 1 native
    Router(config-subif)#

Step 4  no cdp enable
Purpose: Disables the Cisco Discovery Protocol (CDP) on the wireless interface.

Configuration Example

    !
    encryption vlan 1 mode ciphers tkip
    !
    ssid cisco
       vlan 1
       authentication open
       wpa-psk ascii 0 cisco123
       authentication key-management wpa
    !
    ssid ciscowep
       vlan 2
       authentication open
    !
    ssid ciscowpa
       vlan 3
       authentication open
    !
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    rts threshold 2312
    power local cck 50
    power local ofdm 30
    channel 2462
    station-role root
    !
    interface Dot11Radio0.

     no ip address
     bridge-group 3
     bridge-group 3 spanning-disabled
    !
    interface BVI1
     ip address 10.0.1.1 255.255.255.0
    !
    interface BVI2
     ip address 10.0.2.1 255.255.255.0
    !
    interface BVI3
     ip address 10.0.3.1 255.255.255.
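The configuration example above places three very different SSIDs on one radio: a WPA-PSK network on VLAN 1 whose cipher is TKIP and whose key is entered as type 0 (cleartext), and two SSIDs that use authentication open with no key management at all. The script below is an added example, not part of the guide and not Cisco software; it parses a constructed radio configuration modelled on the example above and reports, per SSID, what a configuration review would flag: open authentication, a PSK stored in the clear, and the TKIP cipher (deprecated in favour of aes-ccm, the IOS keyword for AES-CCMP). The sample text, the finding strings and the parser are the example's own assumptions about the layout of a saved configuration.

```python
"""Audit the ssid blocks of a Cisco IOS dot11 radio configuration for weak settings."""
import re

# Constructed sample modelled on the chapter's configuration example (not a
# captured device configuration); the PSK is the guide's own sample value.
SAMPLE_CONFIG = """\
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid cisco
    vlan 1
    authentication open
    wpa-psk ascii 0 cisco123
    authentication key-management wpa
 !
 ssid ciscowep
    vlan 2
    authentication open
 !
 ssid ciscowpa
    vlan 3
    authentication open
 !
 station-role root
"""


def parse_radio(config):
    """Return (ciphers_by_vlan, ssid_blocks).

    ciphers_by_vlan maps a VLAN id to the cipher list from its
    'encryption vlan N mode ciphers ...' line; ssid_blocks maps an SSID name
    to the stripped lines inside its block.  A lone '!' ends a block.
    """
    ciphers, ssids, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        m = re.match(r"encryption vlan (\d+) mode ciphers (.+)$", line)
        if m:
            ciphers[int(m.group(1))] = m.group(2).split()
            continue
        m = re.match(r"ssid (\S+)$", line)
        if m:
            current = m.group(1)
            ssids[current] = []
            continue
        if current is not None:
            ssids[current].append(line)
    return ciphers, ssids


def audit_ssids(config):
    """Return {ssid: {"vlan": id, "findings": [...]}} for every SSID found."""
    ciphers, ssids = parse_radio(config)
    report = {}
    for name, lines in ssids.items():
        findings = []
        vlan = next((int(l.split()[1]) for l in lines if l.startswith("vlan ")), None)
        has_wpa = any(l.startswith("authentication key-management wpa") for l in lines)
        if not has_wpa:
            # 'authentication open' without key management is an unencrypted network
            findings.append("open: no WPA key management, any client can associate")
        for l in lines:
            if re.match(r"wpa-psk (ascii|hex) 0 ", l):
                findings.append("plaintext PSK (type 0): the key is readable in any configuration backup")
        if vlan in ciphers and "tkip" in ciphers[vlan]:
            findings.append(f"tkip cipher on vlan {vlan}: deprecated, use aes-ccm (WPA2)")
        report[name] = {"vlan": vlan, "findings": findings}
    return report


if __name__ == "__main__":
    for ssid, info in audit_ssids(SAMPLE_CONFIG).items():
        print(ssid, "vlan", info["vlan"], info["findings"] or ["ok"])
```

Run against the sample, the script reports the cleartext key and TKIP on the cisco SSID and flags ciscowep and ciscowpa as open networks; the same parser can be pointed at a show running-config capture of a production radio.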
Part 3 Configuring Additional Features and Troubleshooting

Chapter 10 Additional Configuration Options

This part of the software configuration guide describes additional configuration options and troubleshooting tips for the Cisco Secure Router 520 Series routers. The configuration options described in this part include:
• Chapter 11, “Configuring Security Features”
• Chapter 12, “Troubleshooting”

The descriptions contained in these chapters do not describe all of your configuration or troubleshooting needs.
Chapter 11 Configuring Security Features

This chapter gives an overview of authentication, authorization, and accounting (AAA), the primary Cisco framework for implementing selected security features that can be configured on the Cisco Secure Router 520 Series routers.

Note: Individual router models may not support every feature described throughout this guide. Features not supported by a particular router are indicated whenever possible.

For information about configuring AAA services and supported security protocols, see the following sections of the Cisco IOS Security Configuration Guide:
• Configuring Authentication
• Configuring Authorization
• Configuring Accounting
• Configuring RADIUS
• Configuring TACACS+
• Configuring Kerberos

Configuring AutoSecure

The AutoSecure feature disables common IP services that can be exploited for network attacks and enables IP

Configuring a CBAC Firewall

Access Groups

A sequence of access list definitions bound together with a common name or number is called an access group. An access group is enabled for an interface during interface configuration with the following command:

    ip access-group {access-list-number | access-list-name} {in | out}

where in | out refers to the direction of travel of the packets being filtered.

Configuring Cisco IOS Firewall IDS

Cisco IOS Firewall Intrusion Detection System (IDS) technology enhances perimeter firewall protection by taking appropriate action on packets and flows that violate the security policy or represent malicious network activity. Cisco IOS Firewall IDS identifies 59 of the most common attacks using “signatures” to detect patterns of misuse in network traffic.
Chapter 12 Troubleshooting

Use the information in this chapter to help isolate problems you might encounter or to rule out the router as the source of a problem.

ADSL Troubleshooting

If you experience trouble with the ADSL connection, verify the following:
• The ADSL line is connected and is using pins 3 and 4. For more information on the ADSL connection, see the hardware guide for your router.
• The ADSL CD LED is on. If it is not on, the router may not be connected to the DSL access multiplexer (DSLAM). For more information on the ADSL LEDs, see the hardware installation guide specific for your router.

ATM Troubleshooting Commands

This command sends end-to-end OAM F5 packets, which are echoed back by the aggregator.

show interface Command

Use the show interface command to display the status of all physical ports (Ethernet and ATM) and logical interfaces on the router. Table 12-1 describes possible command output for the show interface command.

Table 12-1 show interface Command Output Description

For ATM Interfaces
Output: ATM 0 is up, line protocol is up
Cause: The ATM line is up and operating correctly.

Output: ATM 0 is down, line protocol is down
Cause:
• The ATM interface has been disabled with the shutdown command.
or
• ATM 0.

show atm interface Command

To display ATM-specific information about an ATM interface, use the show atm interface atm 0 command from privileged EXEC mode, as shown in Example 12-3.

Example 12-3 Viewing Information About an ATM Interface

    Router# show atm interface atm 0
    Interface ATM0:
    AAL enabled: AAL5 , Maximum VCs:11, Current VCCs:0
    Maximum Transmit Channels:0
    Max.

• To disable debugging, enter the undebug all command.
• To use debug commands during a Telnet session on your router, enter the terminal monitor command.

Caution: Debugging is assigned a high priority in your router CPU process, and it can render your router unusable. For this reason, use debug commands only to troubleshoot specific problems.

    00:03:00: DSL: 1: Modem state = 0x8
    00:03:02: DSL: 2: Modem state = 0x10
    00:03:05: DSL: 3: Modem state = 0x10
    00:03:07: DSL: 4: Modem state = 0x10
    00:03:09: DSL: Received response: 0x24
    00:03:09: DSL: Showtime!
    00:03:09: DSL: Sent command 0x11
    00:03:09: DSL: Received response: 0x61
    00:03:09: DSL: Read firmware revision 0x1A04
    00:03:09: DSL: Sent command 0x31
    00:03:09: DSL: Received response: 0x12
    00:03:09: DSL: operation mode 0x0001
    00:03:09: DSL:

Example 12-7 shows sample output for the debug atm packet command.
Recovering a Lost Password

To recover a lost enable or lost enable-secret password:
1. Change the Configuration Register
2. Reset the Router
3. Reset the Password and Save Your Changes (for lost enable secret passwords only)
4. Reset the Configuration Register Value

Note: Recovering a lost password is only possible when you are connected to the router through the console port. These procedures cannot be performed through a Telnet session.

    Cisco SR520W-ADSL (MPC8272) processor (revision 0x100) with 118784K/12288K bytes of memory.
    Processor board ID FOC09171CB7
    MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
    4 FastEthernet interfaces
    1 ATM interface
    1 802.11 Radio
    128K bytes of non-volatile configuration memory.
    20480K bytes of processor board System flash (Intel Strataflash)
    Configuration register is 0x0

Step 4  Record the setting of the configuration register.

Step 7  Enter the enable command to enter enable mode. Configuration changes can be made only in enable mode:

    Router> enable

The prompt changes to the privileged EXEC prompt:

    Router#

Step 8  Enter the show startup-config command to display an enable password in the configuration file:

    Router# show startup-config

If you are recovering an enable password, do not perform the steps in the following “Reset the Password and Save Your Changes” section.

Step 3  Enter exit to exit configuration mode:

    Router(config)# exit

Note: To return to the configuration being used before you recovered the lost enable password, do not save the configuration changes before rebooting the router.

Step 4  Reboot the router, and enter the recovered password.
Part 4 Reference Information

Appendix A Cisco IOS Software Basic Skills

Understanding how to use Cisco IOS software can save you time when you are configuring your router. If you need a refresher, take a few minutes to read this appendix.

Table A-1 Terminal Emulation Software

PC Operating System: Windows 3.1
Software: Terminal (included with Windows software)

PC Operating System: Macintosh
Software: ProComm, VersaTerm (supplied separately)

You can use the terminal emulation software to change settings for the type of device that is connected to the PC, in this case a router.

Understanding Command Modes

Table A-2 Command Modes Summary

Mode: User EXEC
Access Method: Begin a session with your router.
Prompt: Router>
Exit and Entrance Method: To exit a router session, enter the logout command.
Use this mode for these tasks:
• Change terminal settings.

Mode: Privileged EXEC
Access Method: Enter the enable command from user EXEC mode.
Prompt: Router#

Mode: Global configuration
Access Method: Enter the configure command from privileged EXEC mode.

Mode: Router configuration
Access Method: Enter one of the router commands followed by the appropriate keyword, for example router rip, from global configuration mode.
Prompt: Router(config-router)#
Exit and Entrance Method:
• To exit to global configuration mode, enter the exit command.
• To exit to privileged EXEC mode, enter the end command, or press Ctrl-Z.
Use this mode to configure an IP routing protocol.

Entering Global Configuration Mode

You can use two commands to do this:
• enable secret password: a very secure, encrypted password
• enable password: a less secure, unencrypted local password

Both the enable and enable secret passwords control access to various privilege levels (0 to 15). The enable password is intended for local use and is thus unencrypted.
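The distinction above (enable secret is stored as a hash, enable password is stored unencrypted and per privilege level) is easy to check in a saved configuration. The following Python script is an added example, not part of the guide and not Cisco software; it parses the enable lines of constructed sample configurations and reports, per privilege level, whether privileged access depends on an unencrypted or reversibly encoded password. The IOS storage types it recognises are 0 (unencrypted), 7 (reversible encoding) and 5 (the salted hash that enable secret produces); the sample configurations and the hash value in them are made up for the example.

```python
"""Check how a Cisco IOS configuration protects privileged EXEC access."""
import re

# Constructed sample configurations (not from the guide); the type-5 value is
# a made-up placeholder, not a real digest.
SAMPLE_BOTH = """\
hostname Router
enable password letmein
enable secret 5 $1$EXAMPLE$placeholderhashvalue0
line con 0
"""
SAMPLE_PASSWORD_ONLY = """\
hostname Router
enable password level 5 operator
enable password 7 0822455D0A16
"""

# enable {secret | password} [level N] [0 | 5 | 7] value
ENABLE_RE = re.compile(
    r"^enable (?P<kind>secret|password)"
    r"(?: level (?P<level>\d+))?"
    r"(?: (?P<type>[057]))?"
    r" (?P<value>\S+)\s*$"
)


def parse_enable_lines(config):
    """Return {privilege_level: {"secret": type or None, "password": type or None}}.

    A missing storage type means the value was entered in the clear (type 0);
    the default privilege level for both commands is 15.
    """
    levels = {}
    for line in config.splitlines():
        m = ENABLE_RE.match(line.strip())
        if not m:
            continue
        level = int(m.group("level") or 15)
        entry = levels.setdefault(level, {"secret": None, "password": None})
        entry[m.group("kind")] = m.group("type") or "0"
    return levels


def audit_enable(config):
    """Return a list of (privilege_level, finding) tuples, lowest level first."""
    findings = []
    for level, entry in sorted(parse_enable_lines(config).items()):
        if entry["secret"] is None:
            findings.append((level, "no enable secret: privileged access relies on enable password"))
        if entry["password"] == "0":
            findings.append((level, "enable password stored unencrypted"))
        elif entry["password"] == "7":
            findings.append((level, "enable password stored with reversible type 7 encoding"))
        if entry["secret"] is not None and entry["password"] is not None:
            findings.append((level, "enable password is ignored once enable secret is set; remove it"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("both", SAMPLE_BOTH), ("password only", SAMPLE_PASSWORD_ONLY)):
        print(name)
        for level, finding in audit_enable(cfg):
            print(f"  level {level}: {finding}")
```

On the first sample the script reports that the unencrypted enable password is redundant next to the enable secret; on the second it reports that both privilege levels depend on passwords with no secret configured.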
Abbreviating Commands

You only have to enter enough characters for the router to recognize the command as unique. This example shows how to enter the show version command:

    Router# sh v

Undoing Commands

If you want to disable a feature or undo a command you entered, you can enter the keyword no before most commands; for example, no ip routing.

Saving Configuration Changes

Press Return to accept the default destination filename startup-config, or enter your desired destination filename and press Return. It might take a minute or two to save the configuration to NVRAM. After the configuration has been saved, the following message appears:

    Building configuration...
    Router#

Summary

Now that you have reviewed some Cisco IOS software basics, you can begin to configure your router.
Appendix B Concepts

This appendix contains conceptual information that may be useful to Internet service providers or network administrators when they configure Cisco routers. To review some typical network scenarios, see Chapter 2, “Sample Network Deployments.” For information on additional details or configuration topics, see Chapter 10, “Additional Configuration Options.”

Network Protocols

Network protocols enable the network to pass data from its source to a specific destination over LAN or WAN links. Routing address tables are included in the network protocols to provide the best path for moving the data through the network.

IP

The best-known Transmission Control Protocol/Internet Protocol (TCP/IP) at the internetwork layer is IP, which provides the basic packet delivery service for all TCP/IP networks.

PPP Authentication Protocols

The Point-to-Point Protocol (PPP) encapsulates network layer protocol information over point-to-point links. PPP originally emerged as an encapsulation protocol for transporting IP traffic over point-to-point links.

Note: We recommend using CHAP because it is the more secure of the two protocols.

TACACS+

Cisco Secure Router 520 Series routers support the Terminal Access Controller Access Control System Plus (TACACS+) protocol through Telnet. TACACS+ is a Cisco proprietary authentication protocol that provides remote access authentication and related network security services, such as event logging. User passwords are administered in a central database rather than in individual routers.

PVC

A PVC is a connection between remote hosts and routers. A PVC is established for each ATM end node with which the router communicates. The characteristics of the PVC that are established when it is created are set by the ATM adaptation layer (AAL) and the encapsulation type. An AAL defines the conversion of user information into cells. An AAL segments upper-layer information into cells at the transmitter and reassembles the cells at the receiver.

NAT

Translations can be static or dynamic. A static address translation establishes a one-to-one mapping between the inside network and the outside domain. Dynamic address translations are defined by describing the local addresses to be translated and the pool of addresses from which to allocate outside addresses. Allocation occurs in numeric order, and multiple pools of contiguous address blocks can be defined.

QoS

This section describes Quality of Service (QoS) parameters, including the following:
• IP Precedence
• PPP Fragmentation and Interleaving
• CBWFQ
• RSVP
• Low Latency Queuing

QoS refers to the capability of a network to provide better service to selected network traffic over various technologies, including ATM, Ethernet and IEEE 802.1 networks, and IP-routed networks that may use any or all of these underlying technologies.

In general, multilink PPP with interleaving is used in conjunction with CBWFQ and RSVP or IP Precedence to ensure voice packet delivery. Use multilink PPP with interleaving and CBWFQ to define how data is managed; use Resource Reservation Protocol (RSVP) or IP Precedence to give priority to voice packets.

CBWFQ

In general, class-based weighted fair queuing (CBWFQ) is used in conjunction with multilink PPP and interleaving and RSVP or IP Precedence to ensure voice packet delivery.

Access Lists

With basic standard and static extended access lists, you can approximate session filtering by using the established keyword with the permit command. The established keyword filters TCP packets based on whether the ACK or RST bits are set. (Set ACK or RST bits indicate that the packet is not the first in the session and the packet therefore belongs to an established session.
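The established keyword described above only looks at the flag bits of the packet in hand, which is why the text calls it an approximation of session filtering; the inspection rules of Chapter 8 (CBAC) instead keep a table of sessions seen leaving the inside interface and open temporary entries for their return traffic. The following Python model is an added example, not part of the guide and not Cisco software; it evaluates constructed packets against a static inbound ACL with established and against a minimal CBAC-style session table, applied in the inbound direction on the outside interface as ip access-group ... in would. The Packet class, the addresses and the verdict strings are the example's own.

```python
"""Static 'established' ACL matching versus a CBAC-style dynamic session table."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.1.1.0/24")  # inside network used in the guide's examples


@dataclass(frozen=True)
class Packet:
    """Minimal view of a TCP/UDP packet as the router would classify it."""
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset = field(default_factory=frozenset)


def established_acl(pkt):
    """Inbound ACL on the outside interface, equivalent to
         access-list 101 permit tcp any 10.1.1.0 0.0.0.255 established
       followed by the implicit deny.  'established' tests only whether the
       packet itself carries ACK or RST; it has no memory of earlier packets."""
    if (pkt.proto == "tcp" and ip_address(pkt.dst) in INSIDE
            and pkt.flags & {"ACK", "RST"}):
        return "permit"
    return "deny"


class CbacInspector:
    """Stateful inspection: record sessions leaving the inside interface and
    admit an inbound packet only when it reverses a recorded session."""

    def __init__(self):
        self.sessions = set()

    def inspect_outbound(self, pkt):
        # ip inspect ... in on the inside interface sees the first packet out
        if pkt.proto in ("tcp", "udp"):
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt):
        # the temporary ACL entry permits only the exact reverse 5-tuple
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if key in self.sessions else "deny"


def run_demo():
    """Return {label: (established_acl verdict, cbac verdict)} for constructed packets."""
    cbac = CbacInspector()
    # 1. An inside host opens a web session; the inspector records it.
    syn_out = Packet("tcp", "10.1.1.5", "203.0.113.10", 40000, 80, frozenset({"SYN"}))
    cbac.inspect_outbound(syn_out)
    # 2. The server's reply to that session.
    reply = Packet("tcp", "203.0.113.10", "10.1.1.5", 80, 40000, frozenset({"SYN", "ACK"}))
    # 3. An unsolicited inbound packet with ACK set that belongs to no session.
    stray = Packet("tcp", "198.51.100.7", "10.1.1.5", 4444, 22, frozenset({"ACK"}))
    # 4. A plain inbound SYN: neither approach admits it.
    probe = Packet("tcp", "198.51.100.7", "10.1.1.5", 4445, 22, frozenset({"SYN"}))
    return {
        "server reply": (established_acl(reply), cbac.inbound(reply)),
        "unsolicited ack": (established_acl(stray), cbac.inbound(stray)),
        "inbound syn": (established_acl(probe), cbac.inbound(probe)),
    }


if __name__ == "__main__":
    for label, (acl, cbac) in run_demo().items():
        print(f"{label:16} established ACL: {acl:6} CBAC: {cbac}")
```

The third case is the point of the comparison: the static ACL permits any inbound packet that merely has ACK set, while the session table denies it because no inside host started that conversation.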
Appendix C ROM Monitor

The ROM monitor firmware runs when the router is powered up or reset. The firmware helps to initialize the processor hardware and boot the operating system software. You can use the ROM monitor to perform certain configuration tasks, such as recovering a lost password or downloading software over the console port. If there is no Cisco IOS software image loaded on the router, the ROM monitor runs the router.

ROM Monitor Commands

Step 4  exit
Purpose: Exits global configuration mode.

Step 5  reload
Purpose: Reboots the router with the new configuration register value. The router remains in ROM monitor and does not boot the Cisco IOS software. As long as the configuration value is 0x0, you must manually boot the operating system from the console. See the boot command in the “Command Descriptions” section in this appendix.

After the router reboots, it is in ROM monitor mode.

Command Descriptions

Commands are case sensitive. You can halt any command by pressing the Break key on a terminal. If you are using a PC, most terminal emulation programs halt a command when you press the Ctrl and the Break keys at the same time. If you are using another type of terminal emulator or terminal emulation software, see the documentation for that product for information on how to send a Break command.

Disaster Recovery with TFTP Download

TFTP Download Command Variables

This section describes the system variables that can be set in ROM monitor mode and that are used during the TFTP download process. There are both required variables and optional variables.

Note: The commands described in this section are case sensitive and must be entered exactly as shown.

Variable: TFTP_RETRY_COUNT=retry_times
Description: Number of times the router attempts ARP and TFTP download. The default is 7.

Variable: TFTP_TIMEOUT=time
Description: Length of time, in seconds, before the download process times out. The default is 2,400 seconds (40 minutes).

Variable: TFTP_CHECKSUM=setting
Description: Whether or not the router performs a checksum test on the downloaded image:
1: Checksum test is performed.
0: No checksum test is performed.

Configuration Register

Changing the Configuration Register Manually

To change the virtual configuration register from the ROM monitor manually, enter the confreg command followed by the new value of the register in hexadecimal format, as shown in the following example:

    rommon 1 > confreg 0x2101
    You must reset or power cycle for new config to take effect
    rommon 2 >

The value is always interpreted as hexadecimal.
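The configuration register is a 16-bit value whose low four bits form the boot field (0x0 leaves the router in ROM monitor, as the reload step above and the show version output in Chapter 12 show), and whose bit 6 tells the router to boot without loading its startup configuration, which is the mechanism behind the password recovery procedure of Chapter 12 and the reason that procedure ends with resetting the register. The following Python module is an added example, not part of the guide and not Cisco software; it decodes a register value into those fields using the standard Cisco bit layout, derives the value to set before and after a recovery, and reports the two settings an operator would not want to find on a production router. The bit names and finding strings are the example's own.

```python
"""Decode and adjust a Cisco configuration register value (ROM monitor confreg)."""

# Bit meanings of the 16-bit configuration register (standard Cisco layout).
BOOT_FIELD_MASK = 0x000F            # bits 0-3: how the router boots
IGNORE_NVRAM = 0x0040               # bit 6: boot without loading the startup configuration
BREAK_DISABLED = 0x0100             # bit 8: Break key ignored once IOS is running
CONSOLE_BAUD_SHIFT = 11             # bits 11-12: console line speed
BOOT_ROM_IF_NETBOOT_FAILS = 0x2000  # bit 13: fall back to ROM software if network boot fails
DIAG_IGNORE_NVRAM = 0x8000          # bit 15: diagnostic messages, NVRAM ignored
CONSOLE_BAUD = {0: 9600, 1: 4800, 2: 1200, 3: 2400}


def describe_boot_field(boot):
    """Text for the boot field (bits 0-3)."""
    if boot == 0x0:
        return "stay in ROM monitor; the operating system must be booted manually"
    if boot == 0x1:
        return "boot the first image in flash, ignoring boot system commands"
    return "boot according to the boot system commands in the startup configuration"


def decode_confreg(value):
    """Return a dict describing a configuration register value such as 0x2102."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    boot = value & BOOT_FIELD_MASK
    return {
        "boot_field": boot,
        "boot": describe_boot_field(boot),
        "ignore_startup_config": bool(value & (IGNORE_NVRAM | DIAG_IGNORE_NVRAM)),
        "break_disabled": bool(value & BREAK_DISABLED),
        "rom_fallback": bool(value & BOOT_ROM_IF_NETBOOT_FAILS),
        "console_baud": CONSOLE_BAUD[(value >> CONSOLE_BAUD_SHIFT) & 0x3],
    }


def recovery_register(value):
    """Register to set before the reload in a password-recovery procedure:
    the current value with bit 6 set, so the router boots without its saved
    configuration and its passwords."""
    return value | IGNORE_NVRAM


def restore_register(value):
    """Register to set back once the password has been reset, so the saved
    configuration loads again on the next reload."""
    return (value & ~IGNORE_NVRAM) & 0xFFFF


def audit_register(value):
    """Findings an operator would want to see for a running router."""
    info = decode_confreg(value)
    findings = []
    if info["ignore_startup_config"]:
        findings.append("startup configuration is ignored at boot; reset the register after recovery")
    if info["boot_field"] == 0:
        findings.append("boot field 0x0: the router stops in ROM monitor on every reload")
    return findings


if __name__ == "__main__":
    for reg in (0x2102, 0x2142, 0x2101, 0x0):
        info = decode_confreg(reg)
        print(f"0x{reg:04x}: boot field 0x{info['boot_field']:x}, "
              f"ignore startup config={info['ignore_startup_config']}, "
              f"console {info['console_baud']} baud, findings={audit_register(reg)}")
```

Decoding 0x2102 (the usual production value) gives boot field 0x2 with the startup configuration loaded; recovery_register turns it into 0x2142, and restore_register returns 0x2102 for the final step of the recovery procedure.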
Console Download

You can use console download, a ROM monitor function, to download either a software image or a configuration file over the router console port. After download, the file is either saved to the mini-flash memory module or to main memory for execution (image files only). Use console download when you do not have access to a TFTP server.

Error Reporting

Because the ROM monitor console download uses the console to perform the data transfer, when an error occurs during a data transfer, error messages are only displayed on the console once the data transfer is terminated. If you have changed the baud rate from the default rate, the error message is followed by a message telling you to restore the terminal to the baud rate specified in the configuration register.

Debug Commands

    FP: 0x80005f9c, PC: 0x80008118
    FP: 0x80005fac, PC: 0x80008064
    FP: 0x80005fc4, PC: 0xfff03d70
    FP: 0x80005ffc, PC: 0x00000000
    FP: 0x00000000, PC: 0x00000000

• meminfo: Displays size in bytes, starting address, available range of main memory, the starting point and size of packet memory, and size of NVRAM; for example:

    rommon 9> meminfo
    Main memory size: 40 MB.
Appendix D Common Port Assignments

Table D-1 lists currently assigned Transmission Control Protocol (TCP) port numbers. To the extent possible, the User Datagram Protocol (UDP) uses the same numbers.

Table D-1 TCP Port Numbers (continued)

Port  Keyword    Description
75    —          Any private dial-out service
77    —          Any private RJE service
79    FINGER     Finger
95    SUPDUP     SUPDUP Protocol
101   HOSTNAME   Network interface card (NIC) hostname server
102   ISO-TSAP   ISO-Transport Service Access Point (TSAP)
103   X400       X400
104   X400-SND   X400-SND
111   SUNRPC     Sun Microsystems Remote Procedure Call
113   AUTH       Authentication service
117   UUCP-PATH  UNIX-to-UNIX Copy Prot