Cisco 7100 Series VPN Configuration Guide

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
Preface This preface describes the purpose, objectives, audience, organization, and conventions of the Cisco 7100 Series VPN Configuration Guide.
Audience The intranet and extranet business scenarios introduced in this guide include specific tasks and configuration examples. The examples are the recommended methods for configuring the specified tasks. Although they are typically the easiest or the most straightforward method, they are not the only methods of configuring the tasks. If you know of another configuration method not presented in this guide, you can use it.
Organization

The major sections of this guide are as follows:

Chapter 1, Using Cisco IOS Software: Provides helpful tips for understanding and configuring Cisco IOS software using the command-line interface (CLI).
Chapter 2, Before You Begin: Provides an overview of the business scenarios covered in this guide, items you should consider before configuring a VPN on your Cisco 7100 series router, and the assumptions this guide makes.
Related Documentation

Your Cisco 7100 series router and the Cisco IOS software running on it contain extensive features and functionality, which are documented in the following resources:
• For Cisco 7100 series hardware installation and initial software configuration information, refer to the following publications:
  — Cisco 7100 Series VPN Router Quick Start Guide
  — Cisco 7100 Series VPN Router Installation and Configuration Guide
• For international agency compliance, safety, an
  — For information on setting up quality of service (QoS), refer to the Quality of Service Solutions Configuration Guide and Quality of Service Solutions Command Reference publications.
  — For information on encryption, refer to the Security Configuration Guide and the Security Command Reference publications.
  — For information on interfaces, refer to the Cisco IOS Interface Configuration Guide and the Cisco IOS Interface Command Reference publications.
Conventions

Command descriptions use the following conventions:

boldface font: Commands and keywords are in boldface.
italic font: Arguments for which you supply values are in italics.
[ ]: Elements in square brackets are optional.
{x | y | z}: Alternative keywords are grouped in braces and separated by vertical bars.
[x | y | z]: Optional alternative keywords are grouped in brackets and separated by vertical bars.
string: A nonquoted set of characters.
Caution: This symbol means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Cisco Connection Online

Cisco Connection Online (CCO) is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional information and services.
Documentation CD-ROM

Note: If you are a network administrator and need personal technical assistance with a Cisco product that is under warranty or covered by a maintenance contract, contact Cisco's Technical Assistance Center (TAC) at 800 553-2447, 408 526-7209, or tac@cisco.com. To obtain general information about Cisco Systems, Cisco products, or upgrades, contact 800 553-6387, 408 526-7208, or cs-rep@cisco.com.
Chapter 1: Using Cisco IOS Software

This chapter provides helpful tips for understanding and configuring Cisco IOS software using the command-line interface (CLI) and contains the following sections:
• Getting Help
• Understanding Command Modes
• Using the no and default Forms of Commands
• Saving Configuration Changes

For an overview of Cisco IOS software configuration, refer to the Configuration Fundamentals Configuration Guide.
Getting Help

Entering a question mark (?) at the system prompt displays a list of commands available for each command mode. You can also get a list of any command's associated keywords and arguments with the context-sensitive help feature. To get help specific to a command mode, a command, a keyword, or an argument, use one of the following commands:

help: Obtain a brief description of the help system in any command mode.
Finding Command Options

This section provides an example of how to display syntax for a command. The syntax can consist of optional or required keywords. To display keywords for a command, enter a question mark (?) at the configuration prompt, or after entering part of a command followed by a space. The Cisco IOS software displays a list of keywords available along with a brief description of the keywords.
Table 1-1 How to Find Command Options (continued)

Command:
  Router(config)# controller t1 ?
    <0-3>  Controller unit number
  Router(config)# controller t1 1
  Router(config-controller)#
Comment: Enter controller configuration mode by specifying the T1 controller that you want to configure using the controller t1 global configuration command. Enter a ? to display what you must enter next on the command line. In this example, you must enter a controller unit number from 0 to 3.

Command:
  Router(config-controller)# cas-group ?
    <0-23>  Channel number
  Router(config-controller)# cas-group
Comment: Enter the command that you want to configure for the controller. In this example, the cas-group command is used. Enter a ? to display what you must enter next on the command line. In this example, you must enter a channel number from 0 to 23.

Command:
  Router(config-controller)# cas-group 1 timeslots ?
    <1-24>  List of timeslots which comprise the cas-group
  Router(config-controller)# cas-group 1 timeslots
Comment: After you enter the timeslots keyword, enter a ? to display what you must enter next on the command line. In this example, you must enter a list of timeslots from 1 to 24.

Command:
  Router(config-controller)# cas-group 1 timeslots 1-24 type ?
    e&m-fgb              E & M Type II FGB
    e&m-fgd              E & M Type II FGD
    e&m-immediate-start  E & M Immediate Start
    fxs-ground-start     FXS Ground Start
    fxs-loop-start       FXS Loop Start
    sas-ground-start     SAS Ground Start
    sas-loop-start       SAS Loop Start
  Router(config-controller)# cas-group 1 timeslots 1-24 type
Comment: In this example, the type keyword is entered.

Command:
  Router(config-controller)# cas-group 1 timeslots 1-24 type e&m-fgb dtmf ?
    dnis     DNIS addr info provisioned
    service  Specify the type of service
  Router(config-controller)# cas-group 1 timeslots 1-24 type e&m-fgb dtmf
Comment: In this example, the dtmf keyword is entered. After you enter the dtmf keyword, enter a ? to display what you must enter next on the command line.
Summary of Main Command Modes

The configuration modes allow you to make changes to the running configuration. If you later save the configuration, these commands are stored across router reboots. To get to the various configuration modes, you must start at global configuration mode. From global configuration mode, you can enter interface configuration mode, subinterface configuration mode, and a variety of protocol-specific modes.
Table 1-2 Summary of Main Command Modes (continued)

Interface configuration
  Access method: From global configuration mode, enter by specifying an interface with an interface command.
  Prompt: Router(config-if)#
  Exit method: To exit to global configuration mode, use the exit command.
Subinterface configuration
  Access method: From interface configuration mode, specify a subinterface with an interface command.
ROM monitor
Using the no and default Forms of Commands

Almost every configuration command also has a no form. In general, use the no form to disable a function. Use the command without the keyword no to reenable a disabled function or to enable a function that is disabled by default. For example, IP routing is enabled by default. To disable IP routing, specify the no ip routing command and specify ip routing to reenable it.
Chapter 2: Before You Begin

This chapter provides an overview of the business scenarios covered in this guide, items you should consider before attempting to configure a Virtual Private Network (VPN) on your Cisco 7100 series router, and the assumptions this guide makes.
Overview of Business Scenarios

In each scenario, a tunnel is constructed, encryption is applied on the tunnel, and different traffic types (for example, IP, User Datagram Protocol [UDP], and Transmission Control Protocol [TCP]) are either permitted or denied access to the tunnel. This controls the level of access the remote office and business partner have to the corporate intranet, and secures the data exchanged between the sites.
Considerations

The following are considerations to observe when configuring a VPN on your Cisco 7100 series router:
• Syslog: Set up a syslog host, such as a CiscoWorks Essentials Workstation, and configure all the routers in the network to use the syslog host. Logging all syslog messages from the routers allows you to determine when significant events, like configuration changes, occurred.
  — Be careful not to violate access control lists. A tunnel can be configured with a source and destination that your firewall routers do not restrict, so the traffic carried inside the tunnel bypasses the filtering those routers apply to it. Filter the tunnel endpoints, and the decapsulated traffic, deliberately.
  — Routing protocols that make their decisions based solely on hop count will often prefer a tunnel over a multipoint real link. A tunnel might appear to be a one-hop, point-to-point link and have the lowest-cost path, but may actually cost more.
  — Think about access control before you connect a console port to the network in any way, including attaching a modem to the port. Be aware that a break on the console port might give total control of the firewall (through the password recovery procedure), even with access control configured.
  — Apply access lists and password protection to all virtual terminal ports. Use access lists to limit who can Telnet into your router.
  — Normally, you should disable directed broadcasts for all applicable protocols on your firewall and on all your other routers. For IP, use the no ip directed-broadcast command. Rarely, some IP networks do require directed broadcasts; if this is the case, do not disable directed broadcasts. Directed broadcasts can be misused to multiply the power of denial-of-service attacks, because every denial-of-service packet sent is broadcast to every host on a subnet.
Assumptions

This guide assumes the following:
• You have successfully installed, powered on, and initially configured your Cisco 7100 series router for network connectivity based on the procedures explained in the Cisco 7100 Series VPN Router Installation and Configuration Guide.
• You are configuring a service provider transparent VPN, whereby the tunnel endpoints are outside of the service provider network (on the headquarters and remote site routers).
  On CCO, follow this path: Service and Support: Technical Documents: Documentation Home Page: Cisco Product Documentation: Network Management
  On the Documentation CD-ROM, follow this path: Documentation CD Home Page: Cisco Product Documentation: Network Management
• You have identified the Cisco IOS Firewall features that you plan to configure on your Cisco 7100 series router.
Chapter 3: Intranet VPN Business Scenario

This chapter explains the basic tasks for configuring an IP-based, intranet Virtual Private Network (VPN) on a Cisco 7100 series router using generic routing encapsulation (GRE) as the tunneling protocol. Only basic security, Cisco IOS weighted fair queuing (WFQ), and extended access lists for basic traffic filtering are configured.
Scenario Description

Figure 3-1 shows a headquarters network providing a remote office access to the corporate intranet. In this scenario, the headquarters and remote office are connected through a secure GRE tunnel that is established over an IP infrastructure (the Internet). Employees in the remote office are able to access internal, private web pages and perform various IP-based network tasks.
Figure 3-2 Intranet VPN Scenario Physical Elements (figure; elements shown: headquarters router hq-sanjose with Tunnel interface 0 172.17.3.3/24, Fast Ethernet 0/0 10.1.3.3/24, Fast Ethernet 0/1 10.1.6.4/24 and Serial 1/0 172.17.2.4/24; remote office router ro-rtp with Tunnel interface 1 172.17.3.6/24, Fast Ethernet 0/0 10.1.4.2/24 and Serial 1/0 172.17.2.5/24; a GRE tunnel between the two routers across the Internet; private corporate server 10.1.3.6/24; public Web server 10.1.6.5/24; PC A 10.1.4.)
Table 3-1 Physical Elements

Headquarters network:
  hq-sanjose
    WAN IP address: Serial interface 1/0: 172.17.2.4 255.255.255.0
    Tunnel interface 0: 172.17.3.3 255.255.255.0
    Ethernet IP address: Fast Ethernet interface 0/0: 10.1.3.3 255.255.255.0
Remote office network:
  ro-rtp
    WAN IP address: Serial interface 1/0: 172.17.2.5 255.255.255.0
    Ethernet IP address: Fast Ethernet interface 0/0: 10.1.4.2 255.255.255.0
    Tunnel interface 1: 172.17.3.
Figure 3-3 IP Tunneling Terminology and Concepts (figure: a normal packet is 802.3 | 802.2 | payload; a tunnel packet is IP | GRE | payload, where the original Ethernet packet is the passenger protocol, GRE is the encapsulation protocol, and IP is the transport protocol)

GRE is capable of handling the transportation of multiprotocol and IP multicast traffic between two sites which only have IP unicast connectivity. The importance of using tunnels in a VPN environment is based on the fact that IPSec encryption only works on IP unicast packets: by first wrapping multiprotocol or multicast traffic in a GRE packet addressed between the two routers, you turn it into IP unicast traffic that IPSec can protect.
Configuring the Tunnel Interface, Source, and Destination

To configure a GRE tunnel between the headquarters and remote office routers, you must configure a tunnel interface, source, and destination on the headquarters and remote office routers. To do this, complete the following steps starting in global configuration mode.
Step 5:
  hq-sanjose(config)# interface tunnel 0
  hq-sanjose(config-if)# no shutdown
  %LINK-3-UPDOWN: Interface Tunnel0, changed state to up
Bring up the tunnel interface.

Step 6:
  hq-sanjose(config-if)# exit
  hq-sanjose(config)# ip route 10.1.4.0 255.255.255.0 tunnel 0
Exit back to global configuration mode and configure a static route so that traffic destined for the remote office's network (10.1.4.0/24) is sent through the tunnel.
  Queueing strategy: fifo
  Output queue 0/0, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     29 packets output, 2348 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
Step 2—Configuring Quality of Service

You configure QoS features throughout a network to provide for end-to-end QoS delivery. The following three components are necessary to deliver QoS across a heterogeneous network:
• QoS within a single network element, which includes queuing, scheduling, and traffic shaping features.
• QoS signaling techniques for coordinating QoS from end-to-end between network elements.
Configuring Weighted Fair Queuing

WFQ provides traffic priority management that automatically sorts among individual traffic streams without requiring that you first define access lists. WFQ can also manage duplex data streams such as those between pairs of applications, and simplex data streams such as voice or video. There are two categories of WFQ sessions: high bandwidth and low bandwidth.
Verifying Weighted Fair Queuing

To verify the configuration:
• Enter the show interfaces serial 1/0 fair-queue EXEC command to see information on the interface that is configured for WFQ.
  hq-sanjose# show interfaces serial 1/0 fair-queue
  Serial1/0 queue size 0
    packets output 35, drops 0
  WFQ: global queue limit 401, local queue limit 200
• Enter the show interfaces serial 1/0 EXEC command to verify the queuing for the interface is WFQ.
Step 3—Configuring Encryption

IPSec is a framework of open standards, developed by the Internet Engineering Task Force (IETF), that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer; it uses IKE to handle negotiation of protocols and algorithms based on local policy, and to generate the encryption and authentication keys to be used by IPSec.
Note: This section only contains basic configuration information for enabling encryption services on the GRE tunnel configured in the "Step 1—Configuring the Tunnel" section on page 3-4. Refer to the "IP Security and Encryption" part of the Security Configuration Guide and the Security Command Reference publications for detailed configuration information on IPSec, IKE, and CA.
Creating Policies

To create an IKE policy, complete the following steps starting in global configuration mode:

Step 1:
  hq-sanjose(config)# crypto isakmp policy 1
Enter config-isakmp command mode and identify the policy to create. (Each policy is uniquely identified by the priority number you assign; the lower the number, the higher the priority during negotiation.) This example configures policy 1.
Additional Configuration Required for IKE Policies

Depending on which authentication method you specify in your IKE policies, you need to complete an additional companion configuration before IKE and IPSec can successfully use the IKE policies.
• Preshared keys authentication method: If you specify preshared keys as the authentication method in a policy, you must configure these preshared keys as described in the following section, "Configuring Preshared Keys."

If RSA encryption is configured and signature mode is negotiated, the peer will request both signature and encryption keys. Basically, the router will request as many keys as the configuration will support.
Step 2:
  hq-sanjose(config)# crypto isakmp key 12345 address 172.17.2.5
At the local peer: Specify the shared key the headquarters router will use with the remote office router. This example configures the shared key 12345 to be used with the remote peer 172.17.2.5 (serial interface 1/0 on the remote office router). The key 12345 is only a placeholder for the example; in a production configuration use a long, random preshared key, and configure the same key on both peers.
Verifying IKE Policies

To verify the configuration:
• Enter the show crypto isakmp policy EXEC command to see the default policy and any default values within configured policies.
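What show crypto isakmp policy does, in code: every parameter you did not set in a crypto isakmp policy block takes a default, and a peer only accepts your policy if it has one with the same encryption, hash, authentication method and Diffie-Hellman group (the shorter of the two lifetimes is then used). The following is an added example for this guide, not Cisco code. It parses running-config style policy blocks (sub-commands indented one space, as IOS prints them), fills in the defaults, emulates the policy match between hq-sanjose and ro-rtp, and flags parameters a reviewer would object to today. The default values are an assumption taken from the Cisco IOS 12.0 security documentation; confirm them on your image with show crypto isakmp policy. Policy 5 in the sample is hypothetical and not from this guide.

```python
"""IKE policy defaults, peer matching and weak-parameter review.

Added example for this guide, not Cisco code.
"""
import re

# Assumption: default parameters of a Cisco IOS 12.0 IKE policy (Security Configuration
# Guide of that release). Confirm with `show crypto isakmp policy` on the running image.
IKE_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": 86400}
# Parameters a reviewer would flag today: single DES, MD5, 768-bit DH group 1.
WEAK = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}


def parse_isakmp_config(config: str):
    """Return ({priority: policy_with_defaults_filled}, {peer_address: preshared_key})."""
    policies, keys, current = {}, {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:      # sub-command of the open policy
            parts = raw.split()
            if parts[0] in ("encryption", "hash", "authentication", "group"):
                policies[current][parts[0]] = parts[1]
            elif parts[0] == "lifetime":
                policies[current]["lifetime"] = int(parts[1])
            continue
        current = None
        m = re.match(r"crypto isakmp policy (\d+)\s*$", raw)
        if m:
            current = int(m.group(1))
            policies[current] = dict(IKE_DEFAULTS)          # unspecified parameters keep the defaults
            continue
        m = re.match(r"crypto isakmp key (\S+) address (\S+)", raw)
        if m:
            keys[m.group(2)] = m.group(1)
    return policies, keys


def weak_parameters(policy: dict) -> list:
    return sorted(f"{name}={policy[name]}" for name, bad in WEAK.items() if policy[name] in bad)


def negotiate(local: dict, remote: dict):
    """Emulate IKE policy matching: policies are offered lowest number first; the first
    one the other side holds an identical entry for (same encryption, hash, authentication
    and group) is used, with the shorter lifetime. Returns (local_prio, remote_prio, policy)."""
    for lp in sorted(local):
        for rp in sorted(remote):
            l, r = local[lp], remote[rp]
            if all(l[k] == r[k] for k in ("encryption", "hash", "authentication", "group")):
                agreed = dict(l)
                agreed["lifetime"] = min(l["lifetime"], r["lifetime"])
                return lp, rp, agreed
    return None


def missing_preshared_key(policies: dict, keys: dict, peer: str) -> bool:
    """True when a policy relies on pre-share but no `crypto isakmp key` exists for the peer."""
    uses_psk = any(p["authentication"] == "pre-share" for p in policies.values())
    return uses_psk and peer not in keys


# Constructed sample: the guide's policy 1 (pre-share, lifetime 84600, all else defaulted)
# plus a hypothetical stronger policy 5 on the headquarters router only.
HQ_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 lifetime 84600
crypto isakmp policy 5
 encryption 3des
 authentication pre-share
 group 2
crypto isakmp key 12345 address 172.17.2.5
"""
RO_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 lifetime 84600
crypto isakmp key 12345 address 172.17.2.4
"""


def review(local_config: str, remote_config: str, remote_peer: str) -> dict:
    local, local_keys = parse_isakmp_config(local_config)
    remote, _ = parse_isakmp_config(remote_config)
    result = negotiate(local, remote)
    return {"match": result,
            "weak": weak_parameters(result[2]) if result else None,
            "key_missing": missing_preshared_key(local, local_keys, remote_peer)}


if __name__ == "__main__":
    print(review(HQ_CONFIG, RO_CONFIG, "172.17.2.5"))
```

With the guide's configuration the two routers agree on policy 1, which is flagged for encryption=des and group=1 because those defaults were never overridden; the stronger policy 5 is never selected because the remote office has nothing compatible and policy 1 is tried first.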
  Bridging software.
  X.25 software, Version 3.0.0.
  SuperLAT software copyright 1990 by Meridian Technology Corp).
  TN3270 Emulation software.
  3 FastEthernet/IEEE 802.3 interface(s)
  2 Serial network interface(s)
  125K bytes of non-volatile configuration memory.
  40960K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
  8192K bytes of Flash internal SIMM (Sector size 256K).
Setting Global Lifetimes for IPSec Security Associations

You can change the global lifetime values which are used when negotiating new IPSec SAs. (These global lifetime values can be overridden for a particular crypto map entry.) These lifetimes only apply to security associations established using IKE. Manually established security associations do not expire. There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime; the SA expires when either one is reached.
Creating Crypto Access Lists

Crypto access lists are used to define which IP traffic will be protected by crypto and which traffic will not be protected by crypto. (These access lists are not the same as regular access lists, which determine what traffic to forward or block at an interface.) For example, you can create access lists to protect all IP traffic between the headquarters router and remote office router or Telnet traffic between the headquarters router and remote office router.
Defining Transform Sets

A transform set represents a certain combination of security protocols and algorithms. During the IPSec SA negotiation, the peers agree to use a particular transform set for protecting a particular data flow. You can specify multiple transform sets, and then specify one or more of these transform sets in a crypto map entry.
Step 2:
  hq-sanjose(cfg-crypto-trans)# mode transport
Change the mode associated with the transform set. The mode setting is only applicable to traffic whose source and destination addresses are the IPSec peer addresses; it is ignored for all other traffic. (All other traffic is in tunnel mode only.) This example configures transport mode for the transform set proposal1.

Step 3:
  hq-sanjose(cfg-crypto-trans)# exit
  hq-sanjose(config)#
Exit back to global configuration mode.
Note: In IPSec transport mode, only the IP payload is encrypted, and the original IP headers are left intact. (See Figure 3-4.) This mode has the advantage of adding only a few bytes to each packet. It also allows devices on the public network to see the final source and destination of the packet. This capability allows you to enable special processing (for example, QoS) in the intermediate network based on the information in the IP header.
Figure 3-4 IPSec in Tunnel and Transport Modes (figure: in tunnel mode the original IP HDR and data are encrypted and preceded by a new IP HDR and an IPSec HDR; in transport mode the original IP HDR stays in the clear, followed by the IPSec HDR and the encrypted data)

Verifying Transform Sets

To verify the configuration:
• Enter the show crypto ipsec transform-set EXEC command to see the type of transform set configured on the router.
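The GRE packet of Figure 3-3 and the two IPSec modes of Figure 3-4, worked at the byte level. This is an added example for this guide, not Cisco code: it builds the tunnel packet that ro-rtp sends to hq-sanjose for the scenario addresses, decapsulates it, applies the rule that mode transport only governs packets whose own source and destination are the IPSec peer addresses, and lays out the ESP-protected packet in both modes so the overhead of each can be compared. The encryption itself, the ESP trailer and the ICV are omitted, so the protected region is left readable; 10.1.4.10 is an assumed host on the remote office LAN, and the SPI is an arbitrary value.

```python
"""GRE encapsulation and IPSec transport versus tunnel mode as byte layouts.

Added example for this guide, not Cisco code. No encryption is performed.
"""
import ipaddress
import struct

IP_PROTO_GRE = 47
IP_PROTO_ESP = 50
GRE_PROTO_IPV4 = 0x0800
ESP_HEADER_LEN = 8          # SPI (4 bytes) + sequence number (4 bytes)

HQ_SERIAL = "172.17.2.4"    # hq-sanjose Serial1/0: tunnel endpoint and IPSec peer
RO_SERIAL = "172.17.2.5"    # ro-rtp Serial1/0: tunnel endpoint and IPSec peer


def ip_checksum(header: bytes) -> int:
    """RFC 791 ones-complement checksum; returns 0 over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_ipv4(packet: bytes) -> dict:
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ihl": ihl, "total_len": total_len,
            "checksum_ok": ip_checksum(packet[:ihl]) == 0}


def gre_encapsulate(passenger: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel packet: outer IP (protocol 47) | 4-byte GRE header | passenger packet."""
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4)   # no C/K/S flags, version 0, passenger is IPv4
    return ipv4_header(tunnel_src, tunnel_dst, IP_PROTO_GRE, len(gre) + len(passenger)) + gre + passenger


def gre_decapsulate(packet: bytes) -> bytes:
    """Strip the outer IP and GRE headers; rejects optional GRE fields this example does not model."""
    outer = parse_ipv4(packet)
    if outer["proto"] != IP_PROTO_GRE or not outer["checksum_ok"]:
        raise ValueError("not a well-formed GRE-over-IPv4 packet")
    off = outer["ihl"]
    flags, proto = struct.unpack("!HH", packet[off:off + 4])
    if flags & 0xF000 or proto != GRE_PROTO_IPV4:
        raise ValueError("GRE checksum/key/sequence options or non-IPv4 passenger not handled")
    return packet[off + 4:outer["total_len"]]


def effective_ipsec_mode(configured_mode: str, packet: bytes, peers) -> str:
    """`mode transport` applies only when the packet's own addresses are the IPSec peer
    addresses (true for the GRE packets here); everything else is protected in tunnel mode."""
    hdr = parse_ipv4(packet)
    return configured_mode if {hdr["src"], hdr["dst"]} == set(peers) else "tunnel"


def esp_layout(packet: bytes, mode: str, local_peer: str, remote_peer: str,
               spi: int = 0x1001, seq: int = 1) -> bytes:
    """Byte layout after ESP, without the encryption, ESP trailer or ICV.

    transport: original IP HDR (protocol now 50) | ESP HDR | [original payload, encrypted]
    tunnel:    new IP HDR peer->peer (protocol 50) | ESP HDR | [whole original packet, encrypted]
    """
    hdr = parse_ipv4(packet)
    esp = struct.pack("!II", spi, seq)
    if mode == "transport":
        payload = packet[hdr["ihl"]:hdr["total_len"]]
        return ipv4_header(hdr["src"], hdr["dst"], IP_PROTO_ESP, len(esp) + len(payload)) + esp + payload
    if mode == "tunnel":
        return ipv4_header(local_peer, remote_peer, IP_PROTO_ESP, len(esp) + len(packet)) + esp + packet
    raise ValueError(f"unknown IPSec mode {mode!r}")


def build_scenario_packet() -> dict:
    """A PC on the remote office LAN (assumed address 10.1.4.10) reaching the private
    corporate server 10.1.3.6 through the GRE tunnel from ro-rtp to hq-sanjose."""
    passenger = ipv4_header("10.1.4.10", "10.1.3.6", 6, 12) + b"payload-data"   # constructed
    gre = gre_encapsulate(passenger, RO_SERIAL, HQ_SERIAL)
    mode = effective_ipsec_mode("transport", gre, {HQ_SERIAL, RO_SERIAL})
    return {"passenger": passenger, "gre": gre, "mode": mode,
            "protected": esp_layout(gre, mode, RO_SERIAL, HQ_SERIAL),
            "tunnel_mode_alternative": esp_layout(gre, "tunnel", RO_SERIAL, HQ_SERIAL)}


if __name__ == "__main__":
    r = build_scenario_packet()
    print(r["mode"], len(r["gre"]), len(r["protected"]), len(r["tunnel_mode_alternative"]))
```

Because the GRE packet already carries the peer addresses, transport mode costs only the 8-byte ESP header here, while tunnel mode would prepend another 20-byte IP header for no gain; the passenger packet from 10.1.4.10, sent on its own, would fall back to tunnel mode regardless of the transform set's mode setting.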
Configuring Crypto Maps

Crypto map entries created for IPSec pull together the various parts used to set up IPSec SAs, including:
• Which traffic should be protected by IPSec (per a crypto access list).
• What IPSec security should be applied to this traffic (selecting from a list of one or more transform sets).
• Whether SAs are manually established or are established via IKE.
• The granularity of the flow to be protected by a set of SAs.
When two peers try to establish a SA, they must each have at least one crypto map entry that is compatible with one of the other peer's crypto map entries. For two crypto map entries to be compatible, they must at least meet the following criteria:
• The crypto map entries must contain compatible crypto access lists (for example, mirror image access lists).
Creating Crypto Map Entries

To create a crypto map entry that will use IKE to establish the SAs, complete the following steps starting in global configuration mode:

Step 1:
  hq-sanjose(config)# crypto map s1first local-address serial 1/0
Create the crypto map and specify a local address (physical interface) to be used for the IPSec traffic.
Step 5:
  hq-sanjose(config-crypto-map)# set transform-set proposal1
Specify which transform sets are allowed for this crypto map entry. List multiple transform sets in order of priority (highest priority first). This example specifies transform set proposal1, which was configured in the "Defining Transform Sets" section on page 3-22.

Step 6:
  hq-sanjose(config-crypto-map)# exit
  hq-sanjose(config)#
Exit back to global configuration mode.
Tips: If you have trouble, make sure you are using the correct IP addresses.

Applying Crypto Maps to Interfaces

You need to apply a crypto map set to each interface through which IPSec traffic will flow. Applying the crypto map set to an interface instructs the router to evaluate all the interface's traffic against the crypto map set and to use the specified policy during connection or SA negotiation on behalf of traffic to be protected by crypto.
Step 7:
  hq-sanjose# clear crypto sa
In privileged EXEC mode, clear the existing IPSec SAs so that any changes are used immediately. (Manually established SAs are reestablished immediately.)

Note: Using the clear crypto sa command without parameters clears out the full SA database, which clears out active security sessions. You may also specify the peer, map, or entry keywords to clear out only a subset of the SA database.
Verifying Crypto Map Interface Associations

To verify the configuration:
• Enter the show crypto map interface serial 1/0 EXEC command to see the crypto maps applied to the interface.
  hq-sanjose# show crypto map interface serial 1/0
  Crypto Map "s1first" 1 ipsec-isakmp
          Peer = 172.17.2.5
          Extended IP access list 101
              access-list 101 permit gre host 172.17.2.4 host 172.17.2.5
          Current peer:172.17.2.
Step 4—Configuring Cisco IOS Firewall Features

You can use Cisco IOS Firewall features to configure your Cisco IOS router as:
• An Internet firewall or part of an Internet firewall
• A firewall between groups in your internal network
• A firewall providing secure connections to or from branch offices
• A firewall between your company's network and your company's partners' networks

Cisco IOS Firewall features provide the following benefits:
• Protects internal networks from intrusion
• Monitors traf
Refer to the "Traffic Filtering and Firewalls" part of the Security Configuration Guide and the Security Command Reference for advanced firewall configuration information.
Creating Extended Access Lists Using Access List Numbers

To create an extended access list that denies and permits certain types of traffic, complete the following steps starting in global configuration mode:

Step 1:
  hq-sanjose(config)# access-list 102 deny tcp any any
Define access list 102 and configure the access list to deny all TCP traffic.
Applying Access Lists to Interfaces

After you create an access list, you can apply it to one or more interfaces. Access lists can be applied on either outbound or inbound interfaces.
Verifying Extended Access Lists Are Applied Correctly

To verify the configuration:
• Enter the show ip interface serial 1/0 EXEC command to confirm the access list is applied correctly (inbound and outbound) on the interface.
  hq-sanjose# show ip interface serial 1/0
  Serial1/0 is up, line protocol is up
    Internet address is 172.17.2.4
    Broadcast address is 255.255.255.255
    Address determined by setup command
    Peer address is 172.17.2.
Comprehensive Configuration Examples

Headquarters Router Configuration

!
hostname hq-sanjose
!
boot system flash bootflash:
boot bootldr bootflash:c7100-boot-mz.120-1.1.T
boot config slot0:hq-sanjose-cfg-small
no logging buffered
!
crypto isakmp policy 1
 authentication pre-share
 lifetime 84600
crypto isakmp key 12345 address 172.17.2.5
!
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
 mode transport
!
!
crypto map s1first local-address Serial1/0
crypto map s1first 1 ipsec-isakmp
 set peer 172.17.2.

interface Serial1/0
 ip address 172.17.2.4 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 no keepalive
 fair-queue 64 256 0
 framing c-bit
 cablelength 10
 dsu bandwidth 44210
 clock source internal
 no cdp enable
 crypto map s1first
!
ip route 10.1.4.0 255.255.255.0 Tunnel0
!
access-list 101 permit gre host 172.17.2.4 host 172.17.2.
Remote Office Router Configuration

ro-rtp# show running-config
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ro-rtp
!
boot system flash bootflash:
boot bootldr bootflash:c7100-boot-mz.120-1.1.T
boot config slot0:ro-rtp-cfg-small
no logging buffered
!
crypto isakmp policy 1
 authentication pre-share
 lifetime 84600
crypto isakmp key 12345 address 172.

interface FastEthernet0/0
 ip address 10.1.4.2 255.255.255.0
 no ip directed-broadcast
 no keepalive
 full-duplex
 no cdp enable
!
interface Serial1/0
 ip address 172.17.2.5 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 no keepalive
 fair-queue 64 256 0
 framing c-bit
 cablelength 10
 dsu bandwidth 44210
 clock source internal
 no cdp enable
 crypto map s1first
!
ip route 10.1.3.0 255.255.255.0 Tunnel1
ip route 10.1.6.0 255.255.255.
Chapter 4: Extranet VPN Business Scenario

This chapter explains the basic tasks for configuring an IP-based, extranet Virtual Private Network (VPN) on a Cisco 7100 series router using IP Security Protocol (IPSec) as the tunneling protocol. Only Network Address Translation (NAT), basic security, Cisco IOS weighted fair queuing (WFQ), and extended access lists for basic traffic filtering are configured.
Scenario Description

The extranet scenario introduced in Figure 4-1 builds on the intranet scenario introduced in Chapter 3, "Intranet VPN Business Scenario," by providing a business partner access to the same headquarters network.
The IPSec tunnel between the two sites is configured on the second serial interface in chassis slot 2 (serial 2/0) of the headquarters router and the first serial interface in chassis slot 1 (serial 1/0) of the business partner router. Fast Ethernet interface 0/0 of the headquarters router is still connected to a private corporate server and Fast Ethernet interface 0/1 is connected to a public Web server.
Table 4-1 lists the scenario's physical elements.

Table 4-1 Physical Elements

Headquarters network:
  hq-sanjose
    WAN IP address: Serial interface 2/0: 172.16.2.2 255.255.255.0
    Ethernet IP address: Fast Ethernet interface 0/0: 10.1.3.3 255.255.255.0
Business partner network:
  bus-ptnr
    WAN IP address: Serial interface 1/0: 172.16.2.7 255.255.255.0
    Ethernet IP address: Fast Ethernet interface 0/0: 10.1.5.2 255.255.255.
2. Verifying Static Inside Source Address Translation

Static translation establishes a one-to-one mapping between an inside local address and an inside global address. Static translation is useful when a host on the inside must be reachable at a fixed address from the outside.
Figure 4-3 NAT Inside Source Translation (figure: inside host 10.1.1.1 sends a packet with source address 10.1.1.1 toward Host B 10.6.7.3 through the router's inside interface; the router rewrites the source to 10.2.2.2 before forwarding it out the outside interface to the Internet; the reply, addressed to 10.2.2.2, is rewritten to destination 10.1.1.1 and delivered inside)

NAT table:
  Inside local IP address   Inside global IP address
  10.1.1.2                  10.2.2.3
  10.1.1.1                  10.2.2.2

The following process describes inside source address translation, as shown in Figure 4-3:
1. The user at Host 10.1.1.1 opens a connection to Host B.
5. When the router receives the packet with the inside global IP address, it performs a NAT table lookup by using the inside global address as a key. It then translates the address to the inside local address of Host 10.1.1.1 and forwards the packet to Host 10.1.1.1.
6. Host 10.1.1.1 receives the packet and continues the conversation. The router performs Steps 2 through 5 for each packet.
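The six-step exchange above, worked as an added example for this guide (not Cisco code). It models the NAT table of Figure 4-3 as one-to-one static inside source entries, rewrites the source address of packets leaving the inside interface and the destination of replies arriving on the outside interface, and runs two request/reply pairs to show that the table is consulted for every packet. Packets are plain dicts, and the addresses are the figure's (inside hosts 10.1.1.1 and 10.1.1.2, inside globals 10.2.2.2 and 10.2.2.3, Host B 10.6.7.3); the handling of addresses with no entry is the point to note for a firewall, since a static-only configuration translates exactly the hosts you list and nothing else.

```python
"""Static inside source translation and the NAT table of Figure 4-3.

Added example for this guide, not Cisco code.
"""
import ipaddress


class StaticNat:
    """One-to-one inside-source mappings, as created by
    `ip nat inside source static <inside-local> <inside-global>`."""

    def __init__(self):
        self._local_to_global = {}
        self._global_to_local = {}

    def add_static(self, inside_local: str, inside_global: str) -> None:
        ipaddress.IPv4Address(inside_local)     # raises on a malformed address
        ipaddress.IPv4Address(inside_global)
        if inside_local in self._local_to_global or inside_global in self._global_to_local:
            raise ValueError("static translation must be one-to-one; address already mapped")
        self._local_to_global[inside_local] = inside_global
        self._global_to_local[inside_global] = inside_local

    def inside_to_outside(self, pkt: dict) -> dict:
        """Packet leaving via the outside interface: the inside local source is the
        lookup key and is rewritten to the inside global address (steps 2 and 3).
        A source with no entry is forwarded unchanged, private address and all."""
        out = dict(pkt)
        out["src"] = self._local_to_global.get(pkt["src"], pkt["src"])
        out["translated"] = out["src"] != pkt["src"]
        return out

    def outside_to_inside(self, pkt: dict) -> dict:
        """Packet arriving on the outside interface: the inside global destination is
        the lookup key and is rewritten to the inside local address (steps 4 and 5).
        A destination with no entry is left alone; nothing inside is reachable through it."""
        out = dict(pkt)
        out["dst"] = self._global_to_local.get(pkt["dst"], pkt["dst"])
        out["translated"] = out["dst"] != pkt["dst"]
        return out

    def translations(self) -> list:
        """Rows in the shape `show ip nat translations` prints for static entries."""
        return [{"pro": "---", "inside_global": g, "inside_local": l,
                 "outside_local": "---", "outside_global": "---"}
                for l, g in sorted(self._local_to_global.items())]


def conversation(nat: StaticNat, inside_host: str, outside_host: str, packets: int = 2) -> list:
    """Steps 1 to 6 for `packets` request/reply pairs; returns (as sent outside, as delivered inside)."""
    trace = []
    for _ in range(packets):
        request = {"src": inside_host, "dst": outside_host}       # step 1: host opens a connection
        on_wire = nat.inside_to_outside(request)                  # steps 2, 3: source rewritten
        reply = {"src": outside_host, "dst": on_wire["src"]}      # step 4: Host B answers the global address
        delivered = nat.outside_to_inside(reply)                  # step 5: destination rewritten back
        trace.append((on_wire, delivered))                        # step 6: inside host receives the reply
    return trace


def build_figure_4_3() -> StaticNat:
    nat = StaticNat()
    nat.add_static("10.1.1.1", "10.2.2.2")
    nat.add_static("10.1.1.2", "10.2.2.3")
    return nat


if __name__ == "__main__":
    table = build_figure_4_3()
    for sent, received in conversation(table, "10.1.1.1", "10.6.7.3"):
        print("out:", sent, "| in:", received)
```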
Verifying Static Inside Source Address Translation
To verify the configuration:
• Enter the show ip nat translations verbose EXEC command to see the global and local address translations and to confirm static translation is configured.
hq-sanjose# show ip nat translations verbose
Pro Inside global      Inside local       Outside local      Outside global
--- 10.2.2.2           10.1.6.
Step 2—Configuring Encryption and an IPSec Tunnel
For the ISM in slot 5 of Cisco 7100 series routers to provide encryption and IPSec tunneling services, you must complete the following steps:
1 Configuring a Different Shared Key
Note The headquarters router and business partner router configured in this chapter use the same Internet Key Exchange (IKE) policy and priority number—policy 1—that was configured in the “Configuring IKE Policies” section on pa
Configuring a Different Shared Key
Because preshared keys were specified as the authentication method for policy 1 (the policy that will also be used on the business partner router) in the “Configuring IKE Policies” section on page 3-13, complete the following tasks at the headquarters router as well as at the business partner router:
1 Set each peer’s Internet Security Association and Key Management Protocol (ISAKMP) identity.
Configuring IPSec and IPSec Tunnel Mode
Step 3
Command: bus-ptnr(config)# crypto isakmp key 67890 address 172.17.2.4
Purpose: At the remote peer: Specify the shared key to be used with the local peer. This is the same key you just specified at the local peer. This example configures the shared key 67890 to be used with the local peer 172.16.2.2 (serial interface 2/0 on the headquarters router).
Note Set an ISAKMP identity whenever you specify preshared keys.
5 Defining Transform Sets and Configuring IPSec Tunnel Mode
6 Verifying Transform Sets and IPSec Tunnel Mode
Note IKE uses User Datagram Protocol (UDP) port 500. The IPSec encapsulating security payload (ESP) and authentication header (AH) protocols use IP protocol numbers 50 and 51. Ensure that your access lists are configured so that IP protocol 50, IP protocol 51, and UDP port 500 traffic is not blocked at interfaces used by IPSec.
Verifying Crypto Access Lists
To verify the configuration:
• Enter the show access-lists 111 EXEC command to see the access list’s attributes.
hq-sanjose# show access-lists 111
Extended IP access list 111
    permit ip host 10.2.2.2 host 10.1.5.3
Tips If you have trouble, make sure you are specifying the correct access list number.
Step 2
Command: hq-sanjose(cfg-crypto-trans)# mode tunnel
Purpose: Change the mode associated with the transform set. The mode setting is only applicable to traffic whose source and destination addresses are the IPSec peer addresses; it is ignored for all other traffic. (All other traffic is in tunnel mode only.) This example configures tunnel mode for the transform set proposal4, which creates an IPSec tunnel between the IPSec peer addresses.
Note In IPSec tunnel mode, the entire original IP datagram is encrypted and becomes the payload of a new IP packet. This mode allows a network device, such as a router, to act as an IPSec proxy; that is, the router performs encryption on behalf of the hosts. The source’s router encrypts packets and forwards them along the IPSec tunnel. The destination’s router decrypts the original IP datagram and forwards it on to the destination system.
Figure 4-4 IPSec in Tunnel and Transport Modes
[Figure: the original packet is IP HDR | Data. In tunnel mode it becomes New IP HDR | IPSec HDR | IP HDR | Data, with the original IP HDR and Data encrypted. In transport mode it becomes IP HDR | IPSec HDR | Data, with only Data encrypted.]

Verifying Transform Sets and IPSec Tunnel Mode
To verify the configuration:
• Enter the show crypto ipsec transform-set EXEC command to see the type of transform set configured on the router.
Configuring Crypto Maps
For IPSec to succeed between two IPSec peers, both peers’ crypto map entries must contain compatible configuration statements. When two peers try to establish a security association (SA), they must each have at least one crypto map entry that is compatible with one of the other peer’s crypto map entries.
Creating Crypto Map Entries
To create crypto map entries that will use IKE to establish the SAs, complete the following steps starting in global configuration mode:
Step 1
Command: hq-sanjose(config)# crypto map s4second local-address serial 2/0
Purpose: Create the crypto map and specify a local address (physical interface) to be used for the IPSec traffic.
Step 5
Command: hq-sanjose(config-crypto-map)# set transform-set proposal4
Purpose: Specify which transform sets are allowed for this crypto map entry. List multiple transform sets in order of priority (highest priority first). This example specifies transform set proposal4, which was configured in the “Defining Transform Sets and Configuring IPSec Tunnel Mode” section on page 4-13.
Tips If you have trouble, make sure you are using the correct IP addresses.

Applying Crypto Maps to Interfaces
You need to apply a crypto map set to each interface through which IPSec traffic will flow. Applying the crypto map set to an interface instructs the router to evaluate all the interface’s traffic against the crypto map set and to use the specified policy during connection or SA negotiation on behalf of traffic to be protected by crypto.
For redundancy, you could apply the same crypto map set to more than one interface. The default behavior is as follows:
• Each interface will have its own piece of the SA database.
• The IP address of the local interface will be used as the local address for IPSec traffic originating from or destined to that interface.
If you apply the same crypto map set to multiple interfaces for redundancy purposes, you need to specify an identifying interface.
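A compatibility check of the kind this section calls for, added here as example code (not the guide’s own): it compares the two routers’ crypto map entries for peer addresses that point at each other, a transform set in common, and mirror-image crypto access lists. The headquarters addresses and both ACL 111 entries come from this chapter; the business partner’s set peer address and the transforms inside proposal4 are assumptions.

```python
# Added example, not from the Cisco guide: cross-check two peers' crypto map
# entries for the compatibility the text requires. Peer addresses and crypto
# ACL 111 are the chapter's; the transforms inside proposal4 are assumed.
from dataclasses import dataclass

@dataclass
class CryptoMapEntry:
    name: str
    local: str         # address of the interface named by local-address
    peer: str          # set peer
    transforms: dict   # transform-set name -> tuple of transforms
    acl: list          # crypto ACL permits as (src_host, dst_host)

def check_compatibility(a, b):
    """Return the mismatches that would keep a and b from negotiating an SA;
    an empty list means the two entries are compatible."""
    problems = []
    if a.peer != b.local or b.peer != a.local:
        problems.append(f"{a.name} peer {a.peer}/local {a.local} and {b.name} "
                        f"peer {b.peer}/local {b.local} do not point at each other")
    # IKE compares transform contents, not transform-set names
    if not set(a.transforms.values()) & set(b.transforms.values()):
        problems.append("no transform set in common")
    # Crypto ACLs must be mirror images: each permit on one side has to appear
    # on the other side with source and destination swapped
    for side, mine, theirs in ((a.name, a.acl, b.acl), (b.name, b.acl, a.acl)):
        for src, dst in mine:
            if (dst, src) not in theirs:
                problems.append(f"{side} permits {src}->{dst} but the other "
                                f"peer has no mirror permit {dst}->{src}")
    return problems

PROPOSAL4 = ("esp-des", "esp-md5-hmac")   # assumed contents of proposal4
HQ = CryptoMapEntry("hq-sanjose s4second", "172.16.2.2", "172.16.2.7",
                    {"proposal4": PROPOSAL4}, [("10.2.2.2", "10.1.5.3")])
PARTNER = CryptoMapEntry("bus-ptnr s4second", "172.16.2.7", "172.16.2.2",
                         {"proposal4": PROPOSAL4}, [("10.1.5.3", "10.2.2.2")])

def demo():
    """Compare the chapter's pair, then a constructed misconfiguration whose
    partner ACL names the server's inside local address instead of 10.2.2.2."""
    wrong = CryptoMapEntry("bus-ptnr s4second", "172.16.2.7", "172.16.2.2",
                           {"proposal4": PROPOSAL4}, [("10.1.5.3", "10.1.6.5")])
    return check_compatibility(HQ, PARTNER), check_compatibility(HQ, wrong)

if __name__ == "__main__":
    good, bad = demo()
    print("compatible" if not good else good)
    print("\n".join(bad))
```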
Step 3—Configuring Quality of Service
Cisco IOS QoS service models, features, and sample configurations are explained in detail in the Quality of Service Solutions Configuration Guide and the Quality of Service Solutions Command Reference. Refer to these two publications as you plan and implement a QoS strategy for your VPN, because there are various QoS service models and features that you can implement on your VPN.
Verifying Weighted Fair Queuing
To verify the configuration:
• Enter the show interfaces serial 2/0 fair-queue EXEC command to see information on the interface that is configured for WFQ.
hq-sanjose# show interfaces serial 2/0 fair-queue
Serial2/0 queue size 0
  packets output 35, drops 0
  WFQ: global queue limit 401, local queue limit 200
• Enter the show interfaces serial 2/0 EXEC command to verify the queuing for the interface is WFQ.
Step 4—Configuring Cisco IOS Firewall Features
Refer to the “Traffic Filtering and Firewalls” part of the Security Configuration Guide and the Security Command Reference for advanced firewall configuration information.
Verifying Extended Access Lists
To verify the configuration:
• Enter the show access-lists 112 EXEC command to display the contents of the access list.
hq-sanjose# show access-list 112
Extended IP access list 112
    deny tcp any any
    deny udp any any
    permit ip host 10.2.2.2 host 10.1.5.3

Applying Access Lists to Interfaces
After you create an access list, you can apply it to one or more interfaces.
For inbound access lists, after receiving a packet, the Cisco IOS software checks the source address of the packet against the access list. If the access list permits the address, the software continues to process the packet. If the access list rejects the address, the software discards the packet and returns an “ICMP Host Unreachable” message.
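Added example code, not from the guide, covering both the Step 1 NAT process (Figure 4-3) and the access-list evaluation described here: it applies the headquarters router’s static translation and then evaluates crypto ACL 111 and firewall ACL 112 the way IOS does, first match wins with an implicit deny at the end. The access-list and ip nat lines are the ones shown in this chapter; every packet is constructed.

```python
# Added example, not from the Cisco guide: the chapter's extended access lists
# evaluated as Cisco IOS does (first matching entry wins, implicit deny last),
# applied after the headquarters router's static NAT. Packets are constructed.
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst")       # proto: "tcp", "icmp" ...
Entry = namedtuple("Entry", "action proto src dst")  # src/dst: "any" or a host

def parse_acls(config_lines):
    """Group 'access-list N permit|deny PROTO SRC DST' lines by list number
    ('any' and 'host A.B.C.D' address forms only, as used in this chapter)."""
    acls = {}
    for line in config_lines:
        tok = line.split()
        addrs, i = [], 4
        while i < len(tok):
            addrs.append("any" if tok[i] == "any" else tok[i + 1])
            i += 1 if tok[i] == "any" else 2
        acls.setdefault(tok[1], []).append(Entry(tok[2], tok[3], *addrs))
    return acls

def evaluate(entries, pkt):
    """Return 'permit' or 'deny'; a packet that matches no entry is denied."""
    for e in entries:
        if e.proto in ("ip", pkt.proto) and e.src in ("any", pkt.src) and e.dst in ("any", pkt.dst):
            return e.action
    return "deny"

# ip nat inside source static 10.1.6.5 10.2.2.2  (inside local -> inside global)
STATIC_NAT = {"10.1.6.5": "10.2.2.2"}

def nat_outbound(pkt):
    """Inside-to-outside: rewrite the source. IOS translates before it checks
    the crypto map, so crypto ACL 111 must name the global address 10.2.2.2."""
    return Packet(pkt.proto, STATIC_NAT.get(pkt.src, pkt.src), pkt.dst)

def nat_inbound(pkt):
    """Outside-to-inside: key the table by inside global address (Figure 4-3 step 5)."""
    local = {g: l for l, g in STATIC_NAT.items()}
    return Packet(pkt.proto, pkt.src, local.get(pkt.dst, pkt.dst))

ACLS = parse_acls([
    "access-list 111 permit ip host 10.2.2.2 host 10.1.5.3",
    "access-list 112 deny tcp any any",
    "access-list 112 deny udp any any",
    "access-list 112 permit ip host 10.2.2.2 host 10.1.5.3",
])

if __name__ == "__main__":
    web = nat_outbound(Packet("tcp", "10.1.6.5", "10.1.5.3"))  # constructed
    print(web.src, evaluate(ACLS["111"], web), evaluate(ACLS["112"], web))
```

Because the two deny entries in list 112 come first, TCP and UDP between 10.2.2.2 and 10.1.5.3 are denied and only other IP protocols between those hosts reach the permit entry.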
Comprehensive Configuration Examples
Following are comprehensive sample configurations for the headquarters router and remote business partner router.

Headquarters Router Configuration
hq-sanjose# show running-config
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname hq-sanjose
!
boot system flash bootflash:
boot bootldr bootflash:c7100-boot-mz.120-1.1.
 set peer 172.16.2.7
 set transform-set proposal4
 match address 111
!
interface Tunnel0
 bandwidth 180
 ip address 172.17.3.3 255.255.255.0
 no ip directed-broadcast
 tunnel source 172.17.2.4
 tunnel destination 172.17.2.5
 crypto map s1first
!
interface FastEthernet0/0
 ip address 10.1.3.3 255.255.255.0
 no ip directed-broadcast
 no keepalive
 full-duplex
 no cdp enable
!
interface FastEthernet0/1
 ip address 10.1.6.4 255.255.255.
 no keepalive
 fair-queue 64 256 0
 framing c-bit
 cablelength 10
 dsu bandwidth 44210
 clock source internal
 no cdp enable
 crypto map s4second
!
router bgp 10
 network 10.2.2.2 mask 255.255.255.0
 network 172.16.2.0 mask 255.255.255.0
!
ip route 10.1.4.0 255.255.255.0 Tunnel0
!
ip nat inside source static 10.1.6.5 10.2.2.2
!
access-list 101 permit gre host 172.17.2.4 host 172.17.2.
Business Partner Router Configuration
bus-ptnr# show running-config
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname bus-ptnr
!
boot system flash bootflash:
boot bootldr bootflash:c7100-boot-mz.120-1.1.
 fair-queue 64 256 0
 framing c-bit
 cablelength 10
 dsu bandwidth 44210
 clock source internal
 no cdp enable
 crypto map s4second
!
router bgp 10
 network 10.1.5.0 mask 255.255.255.0
 network 172.16.2.0 mask 255.255.255.0
!
access-list 111 permit ip host 10.1.5.3 host 10.2.2.2
access-list 112 deny tcp any any
access-list 112 deny udp any any
access-list 112 permit ip host 10.1.5.3 host 10.2.2.