XSR User's Guide
Chapter 11: Configuring the Virtual Private Network
VPN Configuration Overview
XSR(config)#interface FastEthernet2
XSR(config-if<F2>)#no shutdown
XSR(config-if<F2>)#ip access-group 101 in
XSR(config-if<F2>)#ip access-group 102 out
XSR(config-if<F2>)#ip address 141.154.196.87 255.255.255.192
If the XSR is configured as a VPN gateway, its external interface (FastEthernet 2 in this example) can be made more restrictive so that only the VPN protocols are allowed through and all other traffic is barred. The inbound list (100) admits ESP, AH and IKE (UDP port 500) addressed to the gateway's own address, and the outbound list (101) admits the same protocols sourced from it; because every access list ends with an implicit deny, nothing else is passed in either direction. If peers sit behind NAT and NAT traversal is in use, IKE and the ESP payloads are also carried over UDP port 4500, and that port must be permitted in both lists as well.
XSR(config)#access-list 100 permit esp any host 192.168.57.7
XSR(config)#access-list 100 permit ah any host 192.168.57.7
XSR(config)#access-list 100 permit udp any eq 500 host 192.168.57.7 eq 500
XSR(config)#access-list 101 permit esp host 192.168.57.7 any
XSR(config)#access-list 101 permit ah host 192.168.57.7 any
XSR(config)#access-list 101 permit udp host 192.168.57.7 eq 500 any eq 500
XSR(config)#interface FastEthernet2
XSR(config-if<F2>)#no shutdown
XSR(config-if<F2>)#ip access-group 100 in
XSR(config-if<F2>)#ip access-group 101 out
The following ACL example is fairly open: it configures the XSR as a VPN concentrator while still allowing internal users access to the Internet. ACLs 101 and 102 are applied to the external interface, FastEthernet 2, with 101 filtering inbound and 102 filtering outbound traffic. ACLs must be applied to the external interface of the XSR before the VPN configuration is created. These ACLs are only appropriate for an XSR that terminates VPN tunnels and is also used for Internet access.
Inbound, ACL 101 admits IKE (UDP 500), GRE and TCP 1723 for PPTP, UDP 1701 for L2TP, TCP 389 for LDAP, and any traffic sourced from the XSR's own public address. The entry with the established keyword admits only TCP segments with the ACK or RST flag set, which is the reply half of connections that internal users opened outbound; it is a flag check, not stateful inspection. Unsolicited inbound connection attempts match none of the permits and fall through to the final deny. Note that L2TP runs over UDP, not TCP, port 1701. If IPsec tunnels also terminate on this interface, ESP (and AH, if used) must be permitted inbound as in the preceding gateway example, since neither protocol is listed here.
XSR(config)#access-list 101 permit udp any any eq 500
XSR(config)#access-list 101 permit gre any any
XSR(config)#access-list 101 permit tcp any any established
XSR(config)#access-list 101 permit tcp any any eq 1723
XSR(config)#access-list 101 permit udp any any eq 1701
XSR(config)#access-list 101 permit tcp any any eq 389
XSR(config)#access-list 101 permit ip host <public interface address> any
XSR(config)#access-list 101 deny ip any any
XSR(config)#access-list 102 permit udp any any eq 500
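As an added example that is not part of this guide or of the XSR software, the following Python script models how a numbered access list of the kind shown above is evaluated, covering both the restrictive VPN-gateway lists (100 and 101) and the open VPN-concentrator list (101): entries are tried in order, the first match decides, and a packet that matches no entry is dropped by the implicit deny. It parses the access-list lines from this page and runs constructed packets through them. The remote peer 203.0.113.5, the internal host 10.1.1.20, the web server 198.51.100.9 and all function names are assumptions for the illustration. Two consequences worth checking are made visible: IKE over UDP 4500 (NAT traversal) is not admitted by the restrictive ACL 100, and ESP is not admitted by the open ACL 101.

```python
# Added example for this page's ACLs (not XSR or Enterasys code): parse the numbered
# access-list syntax used above and run constructed packets through it first-match-wins.
from collections import namedtuple

PROTO = {"ip": None, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}  # "ip" = any

# A packet as the ACL sees it; 'established' = TCP segment with ACK or RST set (reply traffic).
Packet = namedtuple("Packet", "proto src dst sport dport established", defaults=(None, None, False))
# One access-list entry; None in a field means "any".
Entry = namedtuple("Entry", "action proto src sport dst dport established")


def _addr(t, i):
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    raise ValueError(f"unsupported address form: {t[i]}")


def _port(t, i):
    return (int(t[i + 1]), i + 2) if i < len(t) and t[i] == "eq" else (None, i)


def parse_entry(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]'."""
    t = line.split("#", 1)[-1].split()  # drop an 'XSR(config)#' prompt if present
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list entry: {line}")
    src, i = _addr(t, 4)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    established = i < len(t) and t[i] == "established"
    return int(t[1]), Entry(t[2], PROTO[t[3]], src, sport, dst, dport, established)


def build_acl(lines, number):
    return [e for n, e in map(parse_entry, lines) if n == number]


def matches(e, p):
    return ((e.proto is None or e.proto == p.proto)
            and (e.src is None or e.src == p.src) and (e.dst is None or e.dst == p.dst)
            and (e.sport is None or e.sport == p.sport) and (e.dport is None or e.dport == p.dport)
            and (not e.established or p.established))


def evaluate(acl, p):
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    return next((e.action for e in acl if matches(e, p)), "deny")


GW = "192.168.57.7"   # gateway address used on this page
PEER = "203.0.113.5"  # assumed remote IPsec/L2TP peer
INSIDE = "10.1.1.20"  # assumed internal user behind the concentrator
WEB = "198.51.100.9"  # assumed Internet web server the internal user connects to

# Inbound ACL 100 of the restrictive VPN-gateway example on this page.
RESTRICTIVE_IN = build_acl([
    f"XSR(config)#access-list 100 permit esp any host {GW}",
    f"XSR(config)#access-list 100 permit ah any host {GW}",
    f"XSR(config)#access-list 100 permit udp any eq 500 host {GW} eq 500",
], 100)

# Inbound ACL 101 of the open VPN-concentrator example (L2TP runs over UDP 1701).
OPEN_IN = build_acl([
    "access-list 101 permit udp any any eq 500",
    "access-list 101 permit gre any any",
    "access-list 101 permit tcp any any established",
    "access-list 101 permit tcp any any eq 1723",
    "access-list 101 permit udp any any eq 1701",
    "access-list 101 permit tcp any any eq 389",
    f"access-list 101 permit ip host {GW} any",
    "access-list 101 deny ip any any",
], 101)


def gateway_decisions():
    """Restrictive inbound ACL: only ESP, AH and IKE addressed to the gateway pass."""
    return {
        "esp": evaluate(RESTRICTIVE_IN, Packet(50, PEER, GW)),
        "ike": evaluate(RESTRICTIVE_IN, Packet(17, PEER, GW, 500, 500)),
        "ike_nat_t": evaluate(RESTRICTIVE_IN, Packet(17, PEER, GW, 4500, 4500)),  # UDP 4500 not listed
        "ssh": evaluate(RESTRICTIVE_IN, Packet(6, PEER, GW, 40000, 22)),
    }


def concentrator_decisions():
    """Open inbound ACL: VPN control traffic and TCP replies pass; new inbound TCP and ESP do not."""
    return {
        "l2tp": evaluate(OPEN_IN, Packet(17, PEER, GW, 1701, 1701)),
        "pptp": evaluate(OPEN_IN, Packet(6, PEER, GW, 40000, 1723)),
        "web_reply": evaluate(OPEN_IN, Packet(6, WEB, INSIDE, 443, 51000, True)),
        "web_syn": evaluate(OPEN_IN, Packet(6, WEB, INSIDE, 51000, 443)),
        "esp": evaluate(OPEN_IN, Packet(50, PEER, GW)),  # ESP is not permitted by ACL 101
    }


if __name__ == "__main__":
    print("gateway ACL 100:", gateway_decisions())
    print("concentrator ACL 101:", concentrator_decisions())
```

Running the script prints both decision tables. The two deny results for ike_nat_t and esp are the ones to act on before deploying either list: add UDP 4500 to the gateway lists if any peer is behind NAT, and add ESP (and AH if used) to the concentrator list if IPsec tunnels terminate on the interface.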