XSR User’s Guide
Chapter 13 Configuration Examples
Configuring Security on the XSR
Write policies permitting RADIUS and all TCP and UDP traffic from remote
VPN networks into the corporate networks:
XSR(config)#ip firewall policy radiusauth f1a trusted radiusauth allow
XSR(config)#ip firewall policy radiusacct f1a trusted radiusacct allow
XSR(config)#ip firewall policy ANY_TCP remote trusted ANY_TCP allow bidirectional
XSR(config)#ip firewall policy ANY_UDP remote trusted ANY_UDP allow bidirectional
Allow IPSec (protocol 50) traffic from the Internet into the public VPN
interface:
XSR(config)#ip firewall filter ipsec internet vpngateway protocol-id 50 bidirectional
Allow GRE traffic from the Internet into the public VPN interface:
XSR(config)#ip firewall filter gre internet vpngateway protocol-id 47 bidirectional
Allow OSPF through the firewall (trusted VPN interface) to the next hop
corporate router:
XSR(config)#ip firewall filter ospf1 f1 ospf protocol-id 89 bidirectional
XSR(config)#ip firewall filter ospf2 ssr ospf protocol-id 89 bidirectional
XSR(config)#ip firewall filter ospf3 f1 ssr protocol-id 89 bidirectional
Permit ICMP traffic to flow from the trusted networks, through the VPN
tunnels, to the remote trusted networks, and back:
XSR(config)#ip firewall filter icmp1 trusted remote protocol-id 1 bidirectional
Allow any IP address on the Internet to send ICMP traffic to the public VPN
interface (the crypto map interface):
XSR(config)#ip firewall filter icmp2 vpngateway internet protocol-id 1 bidirectional
Load the firewall configuration:
XSR(config)#ip firewall load
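The rule set above can be reviewed offline before it is loaded. The following Python example is added here and is not part of the XSR guide or any Enterasys tooling: it parses the commands from this section (embedded as constructed input) and lists the rules that touch the internet object or allow all ports in both directions. The rule grammar is inferred only from the commands shown on this page, and the names parse, findings, RULE and IANA are hypothetical.

```python
import re
# Constructed input: the commands from this section, one rule per line.
CONFIG = """\
ip firewall policy radiusauth f1a trusted radiusauth allow
ip firewall policy radiusacct f1a trusted radiusacct allow
ip firewall policy ANY_TCP remote trusted ANY_TCP allow bidirectional
ip firewall policy ANY_UDP remote trusted ANY_UDP allow bidirectional
ip firewall filter ipsec internet vpngateway protocol-id 50 bidirectional
ip firewall filter gre internet vpngateway protocol-id 47 bidirectional
ip firewall filter ospf1 f1 ospf protocol-id 89 bidirectional
ip firewall filter ospf2 ssr ospf protocol-id 89 bidirectional
ip firewall filter ospf3 f1 ssr protocol-id 89 bidirectional
ip firewall filter icmp1 trusted remote protocol-id 1 bidirectional
ip firewall filter icmp2 vpngateway internet protocol-id 1 bidirectional
"""

IANA = {1: "ICMP", 47: "GRE", 50: "ESP", 89: "OSPF"}  # IANA protocol numbers
# Assumption: grammar inferred only from the commands shown on this page.
RULE = re.compile(
    r"^ip firewall (?P<kind>policy|filter) (?P<name>\S+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?:(?P<service>\S+) allow|protocol-id (?P<proto>\d+))(?P<bidir> bidirectional)?$"
)

def parse(text):  # one dict per rule; raises on any line outside the grammar
    rules = []
    for line in text.splitlines():
        line = re.sub(r"^\S+\(config\)#", "", line.strip())  # drop CLI prompt
        if not line:
            continue
        m = RULE.match(line)
        if m is None:
            raise ValueError(f"unrecognised rule: {line!r}")
        r = m.groupdict()
        r["bidir"] = r["bidir"] is not None
        if r["proto"]:  # filters carry a protocol number instead of a service
            r["service"] = IANA.get(int(r["proto"]), "proto-" + r["proto"])
        rules.append(r)
    return rules

def findings(rules, untrusted="internet"):  # (rule name, reason to review)
    out = []
    for r in rules:
        if untrusted in (r["src"], r["dst"]):
            out.append((r["name"], "internet-facing: " + r["service"]))
        if r["service"].startswith("ANY_") and r["bidir"]:
            out.append((r["name"], "all ports, both directions"))
    return out

if __name__ == "__main__":
    print(*findings(parse(CONFIG)), sep="\n")
```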