ACL Configuration Rules; Configuring ACLs - Enterasys Security Router X-Pedition User Manual

Enterasys security router user's guide

Enter crypto key master generate in Global configuration mode.
Caution: The master encryption key is stored in hardware, not Flash, and you cannot read the
key - only overwrite the old key by writing a new one. To ensure router security, it is critical not to
compromise the key. There are situations where you may want to keep the key, for example, to
save the user database off-line in order to later download it to the XSR. In order to encrypt the
user database, you need the same master key, indicating the key designation with the master
key specify command. Be aware that if the XSR is inoperable and you press the Default button
(on the XSR 1800 Series only), the master key is erased and you must generate a new one.

ACL Configuration Rules

Consider a few general rules when configuring ACLs on the XSR:
Typically, two ACL sets are written, one to filter IPSec/IKE traffic (defined in crypto maps),
and a simple set to filter non-IPSec traffic.
When crypto maps and ACLs are configured on the same interface, the XSR gives precedence
to the crypto map, which is always consulted before the ACL for both inbound and outbound
traffic. If IPSec encrypts or decrypts packets by virtue of a crypto map configuration, then the
ACL is ignored.
ACLs entered independently are uni-directional but are used in a bi-directional fashion when
later associated with a crypto map through the match address <acl #> command. For more
information on the command, refer to the CLI Reference Guide.
A total of 500 ACL entries are permitted by the XSR with 64 MBytes of RAM installed (99 ACL
limit for IKE/IPSec).

Configuring ACLs

Three simple ACL examples illustrating various CLI options are detailed below. Other crypto map
ACLs, defined in greater detail, are configured later in this chapter.
The first ACL example is fairly restrictive. It configures ACL 101 to permit IKE (UDP port 500),
GRE, and TCP traffic on any internal host to pass to host 192.168.2.17 (denying all other traffic)
and ACL 102 to permit the same type of traffic on that host to connect to any address (denying all
other traffic).
The commands on FastEthernet port 2 set ACL 101 to filter inbound traffic, and ACL 102 to filter
outbound traffic. Some commands are abbreviated.
XSR(config)#access-list 101 permit udp any host 192.168.2.17 eq 500
XSR(config)#access-list 101 permit gre any host 192.168.2.17
XSR(config)#access-list 101 permit tcp any host 192.168.2.17 established
XSR(config)#access-list 101 deny ip any any
XSR(config)#access-list 102 permit udp host 192.168.2.17 any eq 500
XSR(config)#access-list 102 permit gre host 192.168.2.17 any
XSR(config)#access-list 102 permit tcp host 192.168.2.17 any eq 80
XSR(config)#access-list 102 permit ip host 192.168.2.17 any
XSR(config)#access-list 102 deny ip any any
XSR(config)#interface FastEthernet2
XSR(config-if<F2>)#no shutdown
XSR(config-if<F2>)#ip access-group 101 in
XSR(config-if<F2>)#ip access-group 102 out
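To make the rules above concrete, here is an added illustration (not Enterasys code and not part of the original manual): a small Python evaluator that parses the ACL 101 and ACL 102 lines exactly as shown and applies them to constructed packets. It assumes the usual first-match semantics for extended access lists, that a packet matching no entry is denied (both ACLs above end with an explicit deny anyway), and that the established keyword matches a TCP segment with ACK or RST set; the XSR_CONFIG, Packet and filter_on_interface names are this example's own. filter_on_interface models the precedence rule from the section above: a crypto map bound to the same interface is consulted first, and when IPSec handles the packet the ACL is not consulted at all.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the access-list lines from the example above; the prompt is stripped.
XSR_CONFIG = """
XSR(config)#access-list 101 permit udp any host 192.168.2.17 eq 500
XSR(config)#access-list 101 permit gre any host 192.168.2.17
XSR(config)#access-list 101 permit tcp any host 192.168.2.17 established
XSR(config)#access-list 101 deny ip any any
XSR(config)#access-list 102 permit udp host 192.168.2.17 any eq 500
XSR(config)#access-list 102 permit gre host 192.168.2.17 any
XSR(config)#access-list 102 permit tcp host 192.168.2.17 any eq 80
XSR(config)#access-list 102 permit ip host 192.168.2.17 any
XSR(config)#access-list 102 deny ip any any
"""

@dataclass
class Ace:
    """One access-control entry, i.e. one access-list line."""
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol; otherwise "udp", "tcp", "gre", ...
    src: str               # "any" or a host address
    dst: str               # "any" or a host address
    dport: Optional[int]   # 'eq <port>' written after the destination
    established: bool      # 'established' keyword (TCP only)

@dataclass
class Packet:
    """Constructed packet summary with only the fields the ACE syntax above can test."""
    proto: str
    src: str
    dst: str
    dport: int = 0
    ack: bool = False
    rst: bool = False

def parse_ace(line: str) -> tuple[int, Ace]:
    """Parse 'access-list <n> <permit|deny> <proto> <src> <dst> [eq <port>] [established]'."""
    tok = line.replace("XSR(config)#", "").split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    number, action, proto = int(tok[1]), tok[2], tok[3]
    i = 4
    def endpoint() -> str:        # only the 'any' and 'host A.B.C.D' forms used on this page
        nonlocal i
        if tok[i] == "any":
            i += 1
            return "any"
        if tok[i] == "host":
            i += 2
            return tok[i - 1]
        raise ValueError(f"unsupported endpoint syntax: {tok[i]}")
    src, dst = endpoint(), endpoint()
    dport, established = None, False
    while i < len(tok):
        if tok[i] == "eq":
            dport, i = int(tok[i + 1]), i + 2
        elif tok[i] == "established":
            established, i = True, i + 1
        else:
            raise ValueError(f"unsupported keyword: {tok[i]}")
    return number, Ace(action, proto, src, dst, dport, established)

def build_acls(config: str) -> dict[int, list[Ace]]:
    """Group entries by ACL number, keeping the order in which they were entered."""
    acls: dict[int, list[Ace]] = {}
    for line in config.strip().splitlines():
        if "access-list" in line:
            number, ace = parse_ace(line)
            acls.setdefault(number, []).append(ace)
    return acls

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.src != "any" and ace.src != pkt.src:
        return False
    if ace.dst != "any" and ace.dst != pkt.dst:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    # Assumption: 'established' matches a TCP segment with ACK or RST set.
    if ace.established and not (pkt.ack or pkt.rst):
        return False
    return True

def evaluate(acl: list[Ace], pkt: Packet) -> str:
    """First matching entry wins; a packet matching no entry is denied (assumption)."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

def filter_on_interface(acl: list[Ace], pkt: Packet, ipsec_handles: bool) -> str:
    """Precedence rule from the section above: the crypto map is consulted before the
    ACL, and when IPSec encrypts or decrypts the packet the ACL is ignored."""
    return "ipsec" if ipsec_handles else evaluate(acl, pkt)

if __name__ == "__main__":
    acls = build_acls(XSR_CONFIG)
    for p in (Packet("udp", "10.1.1.5", "192.168.2.17", dport=500),
              Packet("tcp", "10.1.1.5", "192.168.2.17", dport=22),            # SYN only
              Packet("tcp", "10.1.1.5", "192.168.2.17", dport=22, ack=True)):
        print("ACL 101 in :", p, "->", evaluate(acls[101], p))
    for p in (Packet("tcp", "192.168.2.17", "203.0.113.9", dport=443),
              Packet("tcp", "192.168.2.20", "203.0.113.9", dport=80)):
        print("ACL 102 out:", p, "->", evaluate(acls[102], p))
```

Run as written, it shows two things worth checking before binding these lists with ip access-group: the established entry in ACL 101 lets through a TCP segment with ACK set but not a bare connection attempt to 192.168.2.17, and the permit ip host 192.168.2.17 any entry in ACL 102 allows any IP protocol from that host outbound, which makes the three protocol-specific entries before it redundant under first-match evaluation.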
VPN Configuration Overview
XSR User's Guide 14-21