Download Print this page

Cisco 520-T1 - Small Business Pro SR Secure Router Software Configuration Manual

Software guide
Hide thumbs

Advertisement

Cisco Secure Router 520 Series Software
Configuration Guide
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Customer Order Number:
Text Part Number: OL-14210-01

Advertisement

loading

  Related Manuals for Cisco 520-T1 - Small Business Pro SR Secure Router

  Summary of Contents for Cisco 520-T1 - Small Business Pro SR Secure Router

  • Page 1 Cisco Secure Router 520 Series Software Configuration Guide Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Customer Order Number: Text Part Number: OL-14210-01...
  • Page 2 OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
  • Page 3: Table Of Contents

    Configuring Command-Line Access to the Router Configuration Example Configuring Static Routes 1-10 Configuration Example 1-10 Verifying Your Configuration 1-10 Configuring Dynamic Routes 1-11 Configuring RIP 1-11 Configuration Example 1-12 Verifying Your Configuration 1-12 Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 4 C H A P T E R Configure the IKE Policy Configure Group Policy Information Apply Mode Configuration to the Crypto Map Enable Policy Lookup Configure IPsec Transforms and Protocols Configure the IPsec Crypto Method and Parameters Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 5 C H A P T E R Configuring Security Features 11-1 C H A P T E R Authentication, Authorization, and Accounting 11-1 Configuring AutoSecure 11-2 Configuring Access Lists 11-2 Access Groups 11-3 Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 6 A P P E N D I X Configuring the Router from a PC Understanding Command Modes Getting Help Enable Secret Passwords and Enable Passwords Entering Global Configuration Mode Using Commands Abbreviating Commands Undoing Commands Command-Line Error Messages Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 7 Access Lists ROM Monitor C H A P T E R Entering the ROM Monitor ROM Monitor Commands Command Descriptions Disaster Recovery with TFTP Download TFTP Download Command Variables Required Variables Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 8 Changing the Configuration Register Using Prompts Console Download Command Description Error Reporting Debug Commands Exiting the ROM Monitor Common Port Assignments A P P E N D I X N D E X Cisco Secure Router 520 Series Software Configuration Guide viii OL-14210-01...
  • Page 9: Preface

    This guide provides an overview and explains how to install and connect the wireless and nonwireless Cisco Secure Router 520 Series routers. For warranty, service, and support information, see the “Cisco One-Year Limited Hardware Warranty Terms” section in the Readme First for Cisco Secure Router 520 Series document that was shipped with your router. Audience This guide is intended for network administrators whose backgrounds vary from having little or no experience in configuring routers to having a high level of experience.
  • Page 10: Organization

    Chapter 5, “Configuring a LAN with DHCP Provides instructions on how to configure your and VLANs” Cisco router with multiple VLANs and to have it act as a DHCP server. Chapter 6, “Configuring a VPN Using Easy Provides instructions on how to configure a virtual VPN and an IPsec Tunnel”...
  • Page 11: Conventions

    Tämä varoitusmerkki merkitsee vaaraa. Tilanne voi aiheuttaa ruumiillisia vammoja. Ennen kuin käsittelet laitteistoa, huomioi sähköpiirien käsittelemiseen liittyvät riskit ja tutustu onnettomuuksien yleisiin ehkäisytapoihin. Turvallisuusvaroitusten käännökset löytyvät laitteen mukana toimitettujen käännettyjen turvallisuusvaroitusten joukosta varoitusten lopussa näkyvien lausuntonumeroiden avulla. SÄILYTÄ NÄMÄ OHJEET Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 12 Utilize o número da instrução fornecido ao final de cada aviso para localizar sua tradução nos avisos de segurança traduzidos que acompanham este dispositivo. GUARDE ESTAS INSTRUÇÕES Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 13 Använd det nummer som finns i slutet av varje varning för att hitta dess översättning i de översatta säkerhetsvarningar som medföljer denna anordning. SPARA DESSA ANVISNINGAR Cisco Secure Router 520 Series Software Configuration Guide xiii OL-14210-01...
  • Page 14 Brug erklæringsnummeret efter hver advarsel for at finde oversættelsen i de oversatte advarsler, der fulgte med denne enhed. GEM DISSE ANVISNINGER Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 15 Preface Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 16: Related Documentation

    Preface Related Documentation The Cisco Secure Router 520 Series product is shipped with a minimal set of printed documentation. Additional product documentation is available on Cisco.com. In addition to the Cisco Secure Router 520 Series Software Configuration Guide (this document), the Cisco Secure Router 520 Series documentation set includes the following documents.
  • Page 17: Obtaining Documentation And Submitting A Service Request

    Obtaining Documentation and Submitting a Service Request For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html...
  • Page 18 Preface Cisco Secure Router 520 Series Software Configuration Guide xviii OL-14210-01...
  • Page 19: Getting Started

    A R T Getting Started...
  • Page 21: Chapter 1 Basic Router Configuration

    C H A P T E R Basic Router Configuration The Cisco Secure Router 520 Series routers are designed for small businesses with up to 50 users and teleworkers who want secure connectivity to corporate LANs and to the Internet. These routers provide advanced security features that include secure Virtual Private Network (VPN) access and comprehensive threat defense with Cisco IOS Firewall, Intrusion Prevention Solution (IPS), and URL filtering.
  • Page 22: Viewing The Default Configuration

    Network Address Translation has been assigned. To view the default configuration, follow these steps: Use the default username cisco and the default password cisco to enter the privileged EXEC mode. Step 1 Use the show running-config command to view the initial configuration.
  • Page 23: Interface Port Labels

    • Configuring a Loopback Interface • Configuring Command-Line Access to the Router • A configuration example is presented with each task to show the network configuration following completion of that task. Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 24: Configure Global Parameters

    Example: Router(config)# no ip domain-lookup Router(config)# For complete information on the global parameter commands, see the Cisco IOS Release 12.3 documentation set. Configure Fast Ethernet LAN Interfaces The Fast Ethernet LAN interfaces on your router are automatically configured as part of the default VLAN and as such, they are not configured with individual addresses.
  • Page 25: Configure The Fast Ethernet Wan Interface

    Configure the ATM WAN Interface • Configure the Fast Ethernet WAN Interface This procedure applies only to the Cisco Secure Router 520 Ethernet-to-Ethernet routers. Perform these steps to configure the Fast Ethernet interface, beginning in global configuration mode: Command Purpose...
  • Page 26: Configure The Wireless Interface

    The loopback interface acts as a placeholder for the static IP address and provides default routing information. For complete information on the loopback commands, see the Cisco IOS Release 12.3 documentation set. Cisco Secure Router 520 Series Software Configuration Guide...
  • Page 27: Configuration Example

    Internet address is 200.200.100.1/24 MTU 1514 bytes, BW 8000000 Kbit, DLY 5000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation LOOPBACK, loopback not set Last input never, output never, output hang never Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 28: Configuring Command-Line Access To The Router

    Example: the interval value. Router(config-line)# exec-timeout 5 30 Router(config-line)# This example shows a timeout of 5 minutes and 30 seconds. Entering a timeout of 0 0 specifies never to time out. Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 29 EXEC mode. Example: Router(config-line)# end Router# For complete information about the command line commands, see the Cisco IOS Release 12.3 documentation set. Configuration Example The following configuration shows the command-line access commands. You do not need to input the commands marked “default.” These commands appear automatically in the configuration file generated when you use the show running-config command.
  • Page 30: Configuration Example

    EXEC mode. Example: Router(config)# end Router# For complete information on the static routing commands, see the Cisco IOS Release 12.3 documentation set. For more general information on static routing, see Appendix B, “Concepts.” Configuration Example In the following configuration example, the static route sends out all IP packets with a destination IP address of 192.168.1.0 and a subnet mask of 255.255.255.0 on the Fast Ethernet interface to another...
  • Page 31: Configuring Dynamic Routes

    Changes in dynamic routes are shared with other routers in the network. The Cisco routers can use IP routing protocols, such as Routing Information Protocol (RIP), to learn routes dynamically. You can configure either of these routing protocols on your router.
  • Page 32: Verifying Your Configuration

    EXEC mode. Example: Router(config-router)# end Router# For complete information on the dynamic routing commands, see the Cisco IOS Release 12.3 documentation set. For more general information on RIP, see Appendix B, “Concepts.” Configuration Example The following configuration example shows RIP version 2 enabled in IP network 10.0.0.0 and 192.168.1.0.
  • Page 33: Configuring Your Router For Ethernet And Dsl Access

    A R T Configuring Your Router for Ethernet and DSL Access...
  • Page 35: Chapter 2 Sample Network Deployments

    To verify that a specific feature is compatible with your router, you can use the Software Advisor tool. Note You can access this tool at www.cisco.com > Technical Support & Documentation > Tools & Resources with your Cisco username and password.
  • Page 36 Chapter 2 Sample Network Deployments Chapter 7, “Configuring VPNs Using an IPsec Tunnel and Generic Routing Encapsulation” • Chapter 8, “Configuring a Simple Firewall” • Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 37: Chapter 3 Configuring Ppp Over Ethernet With Nat

    Point at which NAT occurs Fast Ethernet WAN interface (outside interface for NAT) Cable modem or other server (for example, a Cisco 6400 server) that is connected to the Internet PPPoE session between the client and a PPPoE server Cisco Secure Router 520 Series Software Configuration Guide...
  • Page 38: Configuration Example

    NAT (represented as the dashed line at the edge of the Cisco router) signifies two addressing domains and the inside source address. The source list defines how the packet travels through the network.
  • Page 39: Configure The Fast Ethernet Wan Interfaces

    Router(config)# Configure the Fast Ethernet WAN Interfaces In this scenario, the PPPoE client (your Cisco router) communicates over a 10/100 Mbps-Ethernet interface on both the inside and the outside. Perform these steps to configure the Fast Ethernet WAN interfaces, starting in global configuration...
  • Page 40: Configure The Dialer Interface

    Ethernet is 1492 bytes. Example: Router(config-if)# ip mtu 1492 Router(config-if)# Step 4 encapsulation encapsulation-type Sets the encapsulation type to PPP for the data packets being transmitted and received. Example: Router(config-if)# encapsulation ppp Router(config-if)# Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 41: Configure Network Address Translation

    Packets are then forwarded through the access-group} specified interface dialer group. For details about this command and additional Example: parameters that can be set, see the Cisco IOS Dial Router(config)# dialer-list 1 protocol ip Technologies Command Reference. permit Router(config)#...
  • Page 42 Router(config)# ip nat inside source list parameters that can be set, as well as information acl1 pool pool1 about enabling static translation, see the Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services. Step 3 interface type number...
  • Page 43 Note Chapter 1, “Basic Router Configuration,” for information on configuring a loopback interface. For complete information on the NAT commands, see the Cisco IOS Release 12.3 documentation set. For more general information on NAT concepts, see Appendix B, “Concepts.” Cisco Secure Router 520 Series Software Configuration Guide...
  • Page 44: Configuration Example

    Total active translations: 0 (0 static, 0 dynamic; 0 extended) Outside interfaces: FastEthernet4 Inside interfaces: Vlan1 Hits: 0 Misses: 0 CEF Translated packets: 0, CEF Punted packets: 0 Expired translations: 0 Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 45 Chapter 3 Configuring PPP over Ethernet with NAT Configuration Example Dynamic mappings: -- Inside Source [Id: 1] access-list 1 interface Dialer0 refcount 0 Queued Packets: 0 Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 46 Chapter 3 Configuring PPP over Ethernet with NAT Configuration Example Cisco Secure Router 520 Series Software Configuration Guide 3-10 OL-14210-01...
  • Page 47: Chapter 4 Configuring Ppp Over Atm With Nat

    Figure 4-1 shows a typical deployment scenario with a PPPoA client and NAT configured on the Cisco router. This scenario uses a single static IP address for the ATM connection. Figure 4-1 PPP over ATM with NAT Small business with multiple networked devices—desktops, laptop PCs, switches...
  • Page 48: Configure The Dialer Interface

    ATM interface, but each session must use a separate dialer interface and a separate dialer pool. A PPPoA session is initiated on the client side by the Cisco Secure Router 520 Series router. NAT (represented as the dashed line at the edge of the Cisco router) signifies two addressing domains and the inside source address.
  • Page 49 Authentication Protocol (CHAP). Router(config-if)# ppp authentication chap For details about this command and additional Router(config-if)# parameters that can be set, see the Cisco IOS Security Command Reference. Step 6 dialer pool number Specifies the dialer pool to use to connect to a specific destination subnetwork.
  • Page 50 Packets are then forwarded through the access-group} specified interface dialer group. For details about this command and additional Example: parameters that can be set, see the Cisco IOS Dial Router(config)# dialer-list 1 protocol ip Technologies Command Reference. permit Router(config)#...
  • Page 51: Configure The Atm Wan Interface

    3. The VPI and VCI arguments cannot be simultaneously specified as zero; if one is 0, the other cannot be 0. For details about this command and additional parameters that can be set, see the Cisco IOS Wide-Area Networking Command Reference. Step 3 encapsulation {aal5auto | aal5autoppp...
  • Page 52: Configure Dsl Signaling Protocol

    DSL signaling must be configured on the ATM interface for connection to your ISP. The Cisco Secure Router 520 ADSL-over-POTS routers support ADSL signaling over POTS and the Cisco Secure Router 520 ADSL-over-ISDN routers support ADSL signaling over ISDN. To configure the DSL signaling protocol, see the “Configuring ADSL”...
  • Page 53: Verify The Configuration

    For details about this command and additional acl1 pool pool1 parameters that can be set, as well as information about enabling static translation, see the Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services. Step 3 interface type number...
  • Page 54 For details about this command and additional Router(config-if)# ip nat inside parameters that can be set, as well as information Router(config-if)# about enabling static translation, see the Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services. Step 5 no shutdown Enables the configuration changes just made to the Ethernet interface.
  • Page 55: Configuration Example

    Note Chapter 1, “Basic Router Configuration,” for information on configuring the loopback interface. For complete information on NAT commands, see the Cisco IOS Release 12.3 documentation set. For more general information on NAT concepts, see Appendix B, “Concepts.” Configuration Example The following configuration example shows a portion of the configuration file for a client in the PPPoA scenario described in this chapter.
  • Page 56: Verifying Your Configuration

    Hits: 0 Misses: 0 CEF Translated packets: 0, CEF Punted packets: 0 Expired translations: 0 Dynamic mappings: -- Inside Source [Id: 1] access-list 1 interface Dialer0 refcount 0 Queued Packets: 0 Cisco Secure Router 520 Series Software Configuration Guide 4-10 OL-14210-01...
  • Page 57: Chapter 5 Configuring A Lan With Dhcp And Vlans

    DHCP, which is described in RFC 2131, uses a client/server router for address allocation. As an administrator, you can configure your Cisco Secure Router 520 Series router to act as a DHCP server, providing IP address assignment and other TCP/IP-oriented configuration information to your workstations.
  • Page 58: Configure Dhcp

    Note Network Registrar database. VLANs The Cisco Secure Router 520 Series routers support four Fast Ethernet ports on which you can configure VLANs. VLANs enable networks to be segmented and formed into logical groups of users, regardless of the user’s physical location or LAN connection.
  • Page 59 Specifies the domain name for a DHCP client. Example: Router(dhcp-config)# domain-name cisco.com Router(dhcp-config)# Step 10 exit Exits DHCP configuration mode, and enters global configuration mode. Example: Router(dhcp-config)# exit Router(config)# Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 60: Configuration Example

    Router# show ip dhcp server statistics Memory usage 15419 Address pools Database agents Automatic bindings Manual bindings Expired bindings Malformed messages Secure arp entries Message Received BOOTREQUEST DHCPDISCOVER DHCPREQUEST DHCPDECLINE DHCPRELEASE DHCPINFORM Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 61: Configure Vlans

    VLAN 3 added: Name: red-vlan Media type: ETHERNET Router(vlan)# Step 3 exit Updates the VLAN database, propagates it throughout the administrative domain, and returns to privileged EXEC mode. Example: Router(vlan)# exit Router# Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 62: Assign A Switch Port To A Vlan

    VLAN 802.10 Id: 100001 State: Operational MTU: 1500 Translational Bridged VLAN: 1002 Translational Bridged VLAN: 1003 VLAN ISL Id: 2 Name: VLAN0002 Media Type: Ethernet VLAN 802.10 Id: 100002 State: Operational MTU: 1500 Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 63 STP Type: IBM Router# show vlan-switch VLAN Name Status Ports ---- -------------------------------- --------- ------------------------------- default active Fa0, Fa1, Fa3 VLAN0002 active 1002 fddi-default active 1003 token-ring-default active 1004 fddinet-default active 1005 trnet-default active Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 64 ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------ enet 100001 1500 1002 1003 enet 100002 1500 1002 fddi 101002 1500 1003 1003 tr 101003 1500 1005 1002 1004 fdnet 101004 1500 1005 trnet 101005 1500 Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 65: Chapter 6 Configuring A Vpn Using Easy Vpn And An Ipsec Tunnel

    The example in this chapter illustrates the configuration of a remote access VPN that uses the Cisco Easy VPN and an IPsec tunnel to configure and secure the connection between the remote client and the corporate network.
  • Page 66 After the IPsec server has been configured, a VPN connection can be created with minimal configuration on an IPsec client, such as a supported Cisco Secure Router 520 Series router. When the IPsec client initiates the VPN tunnel connection, the IPsec server pushes the IPsec policies to the IPsec client and creates the corresponding VPN tunnel connection.
  • Page 67: Configure The Ike Policy

    The examples shown in this chapter refer only to the endpoint configuration on the Note Cisco Secure Router 520 Series router. Any VPN connection requires both endpoints be configured properly to function. See the software configuration documentation as needed to configure VPN for other router models.
  • Page 68: Configure Group Policy Information

    (DNS) server for the group. Example: You may also want to specify Windows Note Router(config-isakmp-group)# dns 10.50.10.1 Internet Naming Service (WINS) servers Router(config-isakmp-group)# for the group by using the wins command. Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 69: Apply Mode Configuration To The Crypto Map

    Configures the router to reply to mode [initiate | respond] configuration requests from remote clients. Example: Router(config)# crypto map dynmap client configuration address respond Router(config)# Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 70: Enable Policy Lookup

    During IKE negotiations, the peers search in multiple transform sets for a transform that is the same at both peers. When such a transform set is found, it is selected and applied to the protected traffic as a part of both peers’ configurations. Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 71: Configure The Ipsec Crypto Method And Parameters

    Router(config)# crypto dynamic-map dynmap 1 Router(config-crypto-map)# Step 2 set transform-set transform-set-name Specifies which transform sets can be used with [transform-set-name2...transform-set-name6] the crypto map entry. Example: Router(config-crypto-map)# set transform-set vpn1 Router(config-crypto-map)# Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 72: Apply The Crypto Map To The Physical Interface

    Command or Action Purpose Step 1 interface type number Enters the interface configuration mode for the interface to which you want the crypto map applied. Example: Router(config)# interface fastethernet 4 Router(config-if)# Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 73: Create An Easy Vpn Remote Configuration

    DNS server available for 192.168.100.1 hostname resolution. Router(config-crypto-ezvpn)# Step 4 mode {client | network-extension | network Specifies the VPN mode of operation. extension plus} Example: Router(config-crypto-ezvpn)# mode client Router(config-crypto-ezvpn)# Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 74: Verifying Your Easy Vpn Configuration

    Router(config-crypto-ezvpn)# exit Router(config)# Step 6 interface type number Enters the interface configuration mode for the interface to which you want the Cisco Easy VPN remote configuration applied. Example: Router(config)# interface fastethernet 4 For routers with an ATM WAN interface, Note Router(config-if)# this command would be interface atm 0.
  • Page 75 2 key secret-password mode client peer 192.168.100.1 interface fastethernet 4 crypto ipsec client ezvpn ezvpnclient outside crypto map static-map interface vlan 1 crypto ipsec client ezvpn ezvpnclient inside Cisco Secure Router 520 Series Software Configuration Guide 6-11 OL-14210-01...
  • Page 76 Chapter 6 Configuring a VPN Using Easy VPN and an IPsec Tunnel Configuration Example Cisco Secure Router 520 Series Software Configuration Guide 6-12 OL-14210-01...
  • Page 77: Chapter 7 Configuring Vpns Using An Ipsec Tunnel And Generic Routing Encapsulation

    Configuring VPNs Using an IPsec Tunnel and Generic Routing Encapsulation The Cisco Secure Router 520 Series routers support the creation of virtual private networks (VPNs). Cisco routers and other broadband devices provide high-performance connections to the Internet, but many applications also require the security of VPN connections which perform a high level of authentication and which encrypt the data between two particular endpoints.
  • Page 78: Configure The Ike Policy

    VPN configuration information must be configured on both endpoints; for example, on your Cisco router and at the remote user, or on your Cisco router and on another router. You must specify parameters, such as internal IP addresses, internal subnet masks, DHCP server addresses, and Network Address Translation (NAT).
  • Page 79: Configure The Ike Policy

    Specifies the lifetime, 60–86400 seconds, for an IKE security association (SA). Example: Router(config-isakmp)# lifetime 480 Router(config-isakmp)# Step 7 exit Exits IKE policy configuration mode, and enters global configuration mode. Example: Router(config-isakmp)# exit Router(config)# Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 80: Configure Group Policy Information

    [low-ip-address [high-ip-address]] For details about this command and additional parameters that can be set, see the Cisco IOS Dial Example: Technologies Command Reference. Router(config)# ip local pool dynpool 30.30.30.20 30.30.30.30 Router(config)# Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 81: Enable Policy Lookup

    During IKE negotiations, the peers search in multiple transform sets for a transform that is the same at both peers. When such a transform set is found, it is selected and applied to the protected traffic as a part of both peers’ configurations. Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 82: Configure The Ipsec Crypto Method And Parameters

    Router(config)# crypto dynamic-map dynmap 1 Router(config-crypto-map)# Step 2 set transform-set transform-set-name Specifies which transform sets can be used with [transform-set-name2...transform-set-name6] the crypto map entry. Example: Router(config-crypto-map)# set transform-set vpn1 Router(config-crypto-map)# Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 83: Apply The Crypto Map To The Physical Interface

    Command or Action Purpose Step 1 interface type number Enters interface configuration mode for the interface to which you want to apply the crypto map. Example: Router(config)# interface fastethernet 4 Router(config-if)# Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 84: Configure A Gre Tunnel

    GRE tunnel. Example: Router(config-if)# tunnel source fastethernet 0 Router(config-if)# Step 4 tunnel destination default-gateway-ip-address Specifies the destination endpoint of the router for the GRE tunnel. Example: Router(config-if)# tunnel destination 192.168.101.1 Router(config-if)# Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 85: Configuration Example

    0 cisco interface tunnel 1 ip address 10.62.1.193 255.255.255.252 Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 86 ! acl 103 permits IPsec traffic from the corp. router as well as ! denies Internet-initiated traffic inbound. ip access-group 103 in ip nat outside no cdp enable crypto map to_corporate ! Applies the IPsec tunnel to the outside interface. Cisco Secure Router 520 Series Software Configuration Guide 7-10 OL-14210-01...
  • Page 87 103 deny ip any any ! Prevents Internet-initiated traffic inbound. ! acl 105 matches addresses for the IPsec tunnel to or from the corporate network. access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255 no cdp run Cisco Secure Router 520 Series Software Configuration Guide 7-11 OL-14210-01...
  • Page 88 Chapter 7 Configuring VPNs Using an IPsec Tunnel and Generic Routing Encapsulation Configuration Example Cisco Secure Router 520 Series Software Configuration Guide 7-12 OL-14210-01...
  • Page 89: Chapter 8 Configuring A Simple Firewall

    C H A P T E R Configuring a Simple Firewall The Cisco Secure Router 520 Series routers support network traffic filtering by means of access lists. The routers also support packet inspection and dynamic temporary access lists by means of Context-Based Access Control (CBAC).
  • Page 90 Router with Firewall Configured Multiple networked devices—Desktops, laptop PCs, switches Fast Ethernet LAN interface (the inside interface for NAT) PPPoE or PPPoA client and firewall implementation—Cisco Secure Router 520 Series router Point at which NAT occurs Protected network Unprotected network...
  • Page 91: Configure Access Lists

    VPN tunnel. Example: Router(config)# access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255 Router(config)# Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 92: Configure Inspection Rules

    Assigns the set of firewall inspection rules to the inside interface on the router. Example: Router(config-if)# ip inspect firewall in Router(config-if)# Step 3 exit Returns to global configuration mode. Example: Router(config-if)# exit Router(config)# Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 93: Configuration Example

    4! FE4 is the outside or Internet-exposed interface. ! acl 103 permits IPsec traffic from the corp. router ! as well as denies Internet-initiated traffic inbound. ip access-group 103 in Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 94 103 deny ip any any ! Prevents Internet-initiated traffic inbound. ! acl 105 matches addresses for the ipsec tunnel to or from the corporate network. access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255 no cdp run Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 95: Chapter 9 Configuring A Wireless Lan Connection

    VLAN 1 VLAN 2 In the configuration example that follows, a remote user is accessing the Cisco Secure Router 520 Series router using a wireless connection. Each remote user has his own VLAN. Cisco Secure Router 520 Series Software Configuration Guide...
  • Page 96: Configure The Root Radio Station

    [EAP-TLS], or Protected Extensible Authentication Protocol [PEAP]) can use the access point. This command is not supported on Note bridges. See the Cisco IOS Commands for Access Points and Bridges for more details. Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 97 [retries | threshold] (Optional) Specifies the Request to Send (RTS) threshold or the number of times to send a request before determining the wireless LAN is Example: unreachable. Router(config-if)# rts threshold 2312 Router(config-if)# Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 98: Configure Bridging On Vlans

    Enters interface configuration mode. We want to set up bridging on the VLANs, so Example: the example enters the VLAN interface Router(config)# interface vlan 1 configuration mode. Router(config-if)# Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 99: Configure Radio Station Subinterfaces

    Enters subinterface configuration mode for the root station interface. Example: Router(config)# interface dot11radio 0.1 Router(config-subif)# Step 2 description string Provides a description of the subinterface for the administrative user. Example: Router(config-subif)# description Cisco open Router(config-subif)# Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 100: Configuration Example

    The following configuration example shows a portion of the configuration file for the wireless LAN scenario described in the preceding sections. bridge irb interface Dot11Radio0 no ip address broadcast-key vlan 1 change 45 Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 101 3 block-unknown-source no bridge-group 3 source-learning no bridge-group 3 unicast-flooding interface Vlan1 no ip address bridge-group 1 bridge-group 1 spanning-disabled interface Vlan2 no ip address bridge-group 2 bridge-group 2 spanning-disabled interface Vlan3 Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 102 Configuring a Wireless LAN Connection Configuration Example no ip address bridge-group 3 bridge-group 3 spanning-disabled interface BVI1 ip address 10.0.1.1 255.255.255.0 interface BVI2 ip address 10.0.2.1 255.255.255.0 interface BVI3 ip address 10.0.3.1 255.255.255.0 Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 103: Configuring Additional Features And Troubleshooting

    A R T Configuring Additional Features and Troubleshooting...
  • Page 105: Chapter 10 Additional Configuration Options

    To verify that a specific feature is compatible with your router, you can use the Software Advisor tool. Note You can access this tool at www.cisco.com > Technical Support & Documentation > Tools & Resources with your Cisco username and password.
  • Page 106 Chapter 10 Additional Configuration Options Cisco Secure Router 520 Series Software Configuration Guide 10-2 OL-14210-01...
  • Page 107: Chapter 11 Configuring Security Features

    Configuring Security Features This chapter gives an overview of authentication, authorization, and accounting (AAA), the primary Cisco framework for implementing selected security features that can be configured on the Cisco Secure Router 520 Series routers. Individual router models may not support every feature described throughout this guide. Features not Note supported by a particular router are indicated whenever possible.
  • Page 108: Configuring Autosecure

    Standard ip access-list standard name followed by deny {source | source-wildcard | any} Extended ip access-list extended name followed by {permit | deny} protocol {source-addr[source-mask] | any}{destination-addr [destination-mask] | any} Cisco Secure Router 520 Series Software Configuration Guide 11-2 OL-14210-01...
  • Page 109: Access Groups

    For more complete information on creating access lists, see the “Access Control Lists: Overview and Guidelines” section of the Cisco IOS Release 12.3 Security Configuration Guide. Configuring a CBAC Firewall Context-Based Access Control (CBAC) lets you configure a stateful firewall where packets are inspected internally and the state of network connections is monitored.
  • Page 110: Configuring Cisco Ios Firewall Ids

    Cisco IOS Firewall IDS identifies 59 of the most common attacks using “signatures” to detect patterns of misuse in network traffic. It acts as an in-line intrusion detection sensor, watching packets and sessions as they flow through the router, scanning each to match any of the IDS signatures.
  • Page 111: Chapter 12 Troubleshooting

    Type of software and version number • Date you received the hardware • Brief description of the problem • Brief description of the steps you have taken to isolate the problem • Cisco Secure Router 520 Series Software Configuration Guide 12-1 OL-14210-01...
  • Page 112: Adsl Troubleshooting

    • The DSLAM supports discrete multi-tone (DMT) Issue 2. • The ADSL cable that you connect to the Cisco router must be 10BASE-T Category 5, unshielded twisted-pair (UTP) cable. Using regular telephone cable can introduce line errors. ATM Troubleshooting Commands Use the following commands to troubleshoot your ATM interface.
  • Page 113: Show Interface Command

    MTU 1500 bytes, BW 100000 Kbit, DLY 100000 usec, reliability 255/255. txload 1/255, rxload 1/255 Encapsulation PPP, loopback not set Keepalive set (10 sec) DTR is pulsed for 5 seconds on reset LCP Closed Cisco Secure Router 520 Series Software Configuration Guide 12-3 OL-14210-01...
  • Page 114 If you are having problems with the specified • dialer interface, this can mean it is not operating, possibly because the interface has been brought down with the shutdown command, or the ADSL cable is disconnected. Cisco Secure Router 520 Series Software Configuration Guide 12-4 OL-14210-01...
  • Page 115: Show Atm Interface Command

    ATM interface Interface number. Always 0 for the Cisco Secure Router 520 Series router. AAL enabled Type of AAL enabled. The Cisco Secure Router 520 Series routers support AAL5. Maximum VCs Maximum number of virtual connections this interface supports. Current VCCs Number of active virtual channel connections (VCCs).
  • Page 116: Debug Atm Errors Command

    00:02:57: DSL: Received response: 0x26 00:02:57: DSL: Unexpected response 0x26 00:02:57: DSL: Send ADSL_OPEN command. 00:02:57: DSL: Using subfunction 0xA 00:02:57: DSL: Using subfunction 0xA 00:02:57: DSL: Sent command 0x5 Cisco Secure Router 520 Series Software Configuration Guide 12-6 OL-14210-01...
  • Page 117: Debug Atm Packet Command

    ATM interface or subinterface number. vcd vcd-number(Optional) Number of the virtual circuit designator (VCD). vc vpi/vci numberVPI/VCI value of the ATM PVC. Cisco Secure Router 520 Series Software Configuration Guide 12-7 OL-14210-01...
  • Page 118: Software Upgrade Methods

    • Copy the new software image to flash memory over the LAN or WAN while the existing Cisco IOS software image is operating. Copy the new software image to flash memory over the LAN while the boot image (ROM monitor) •...
  • Page 119: Recovering A Lost Password

    Recovering a lost password is only possible when you are connected to the router through the console Note port. These procedures cannot be performed through a Telnet session. See the “Hot Tips” section on Cisco.com for additional information on replacing enable secret passwords. Change the Configuration Register...
  • Page 120: Reset The Router

    Chapter 12 Troubleshooting Recovering a Lost Password Cisco SR520W-ADSL (MPC8272) processor (revision 0x100) with 118784K/12288K bytes of memory. Processor board ID FOC09171CB7 MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10 4 FastEthernet interfaces 1 ATM interface 1 802.11 Radio 128K bytes of non-volatile configuration memory.
  • Page 121: Reset The Password And Save Your Changes

    Enter the configure terminal command to enter global configuration mode: Step 1 Router# configure terminal Enter the configure register command and the original configuration register value that you recorded. Step 2 Router(config)# config-reg value Cisco Secure Router 520 Series Software Configuration Guide 12-11 OL-14210-01...
  • Page 122 To return to the configuration being used before you recovered the lost enable password, do not Note save the configuration changes before rebooting the router. Reboot the router, and enter the recovered password. Step 4 Cisco Secure Router 520 Series Software Configuration Guide 12-12 OL-14210-01...
  • Page 123: Reference Information

    A R T Reference Information...
  • Page 125: Appendix

    A P P E N D I X Cisco IOS Software Basic Skills Understanding how to use Cisco IOS software can save you time when you are configuring your router. If you need a refresher, take a few minutes to read this appendix.
  • Page 126: Appendix A Cisco Io Software Basic Skill

    Cisco IOS commands. For example, you can use the interface type number command only from global configuration mode. The following Cisco IOS command modes are hierarchical. When you begin a router session, you are in user EXEC mode. User EXEC •...
  • Page 127 • To exit to privileged from global EXEC mode, enter the configuration mode. end command, or press Ctrl-Z. To enter subinterface • configuration mode, specify a subinterface with the interface command. Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 128: Getting Help

    Enable Secret Passwords and Enable Passwords By default, the router ships without password protection. Because many privileged EXEC commands are used to set operating parameters, you should password-protect these commands to prevent unauthorized use. Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 129: Entering Global Configuration Mode

    Enter the configure terminal command to enter global configuration mode: Router# configure terminal Router(config)# You can now make changes to your router configuration. Using Commands This section provides some tips about entering Cisco IOS commands at the command-line interface (CLI). Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 130: Abbreviating Commands

    RAM (NVRAM) so that they are not lost if there is a system reload or power outage. This example shows how to use this command to save your changes: Router# copy running-config startup-config Destination filename [startup-config]? Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 131: Summary

    Building configuration... Router# Summary Now that you have reviewed some Cisco IOS software basics, you can begin to configure your router. Remember: You can use the question mark (?) and arrow keys to help you enter commands. •...
  • Page 132 Appendix A Cisco IOS Software Basic Skills Where to Go Next Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 133: Appendix

    Concepts This appendix contains conceptual information that may be useful to Internet service providers or network administrators when they configure Cisco routers. To review some typical network scenarios, Chapter 2, “Sample Network Deployments.” For information on additional details or configuration topics, see Chapter 10, “Additional Configuration Options.”...
  • Page 134: Appendix B Concept

    You can also configure triggered extensions to RIP so that routing updates are sent only when the routing database is updated. For more information on triggered extensions to RIP, see the Cisco IOS Release 12.3 documentation set. Cisco Secure Router 520 Series Software Configuration Guide...
  • Page 135: Ppp Authentication Protocols

    PAP uses a two-way handshake to verify the passwords between routers. To illustrate how PAP works, imagine a network topology in which a remote office Cisco router is connected to a corporate office Cisco router. After the PPP link is established, the remote office router repeatedly sends a configured username and password until the corporate office router accepts the authentication.
  • Page 136: Tacacs

    TACACS+ also provides support for separate modular authentication, authorization, and accounting (AAA) facilities that are configured at individual routers. Network Interfaces This section describes the network interface protocols that Cisco Secure Router 520 Series routers support. The following network interface protocols are supported: Ethernet •...
  • Page 137: Pvc

    An AAL segments upper-layer information into cells at the transmitter and reassembles the cells at the receiver. Cisco routers support the AAL5 format, which provides a streamlined data transport service that functions with less overhead and affords better error detection and correction capabilities than AAL3/4.
  • Page 138: Easy Ip (Phase 1

    WAN interface IP address from a central server and to enable all remote hosts to access the Internet using this single registered IP address. Because Easy IP (Phase 1) uses existing port-level multiplexed NAT functionality within Cisco IOS software, IP addresses on the remote LAN are invisible to the Internet.
  • Page 139: Qos

    Interleaving provides the delay bounds for delay-sensitive voice packets on a slow link that is used for other best-effort traffic. Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 140: Cbwfq

    PPP to define how data is managed; RSVP or IP Precedence is used to give priority to voice packets. There are two levels of queuing: ATM queues and Cisco IOS queues. CBWFQ is applied to Cisco IOS queues. A first-in-first-out (FIFO) Cisco IOS queue is automatically created when a PVC is created. If you use CBWFQ to create classes and attach them to a PVC, a queue is created for each class.
  • Page 141: Access Lists

    ACK or RST bits are set. (Set ACK or RST bits indicate that the packet is not the first in the session and the packet therefore belongs to an established session.) This filter criterion would be part of an access list applied permanently to an interface. Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 142 Appendix B Concepts Access Lists Cisco Secure Router 520 Series Software Configuration Guide B-10 OL-14210-01...
  • Page 143: Rom Monitor

    You can use the ROM monitor to perform certain configuration tasks, such as recovering a lost password or downloading software over the console port. If there is no Cisco IOS software image loaded on the router, the ROM monitor runs the router.
  • Page 144: Rom Monitor Commands

    Reboots the router with the new configuration register value. The router remains in ROM monitor and does not boot the Cisco IOS software. As long as the configuration value is 0x0, you must manually boot the operating system from the console. See the boot command in the “Command...
  • Page 145: Command Descriptions

    Cisco IOS software, you can load new software while in ROM monitor mode. This section describes how to load a Cisco IOS software image from a remote TFTP server to the router flash memory. Use the tftpdnld command only for disaster recovery, because it erases all existing data in flash memory before downloading a new software image to the router.
  • Page 146: Tftp Download Command Variables

    2—Detailed progress is displayed during the file download process; for example: • Initializing interface. • Interface link state up. ARPing for 1.4.0.1 • ARP reply for 1.4.0.1 received. MAC address 00:00:0c:07:ac:01 • Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 147: Using The Tftp Download Command

    The virtual configuration register is in nonvolatile RAM (NVRAM) and has the same functionality as other Cisco routers. You can view or modify the virtual configuration register from either the ROM monitor or the operating system software. Within the ROM monitor, you can change the configuration register by entering the register value in hexadecimal format, or by allowing the ROM monitor to prompt you for the setting of each bit.
  • Page 148: Changing The Configuration Register Manually

    9600 boot: the ROM Monitor do you wish to change the configuration? y/n [n]: You must reset or power cycle for new config to take effect Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 149: Console Download

    Note must use the ROM monitor dnld command. If you are using a PC to download a Cisco IOS image over the router console port at 115,200 bps, ensure Note that the PC serial port is using a 16550 universal asynchronous transmitter/receiver (UART). If the PC serial port is not using a 16550 UART, we recommend using a speed of 38,400 bps or less when downloading a Cisco IOS image over the console port.
  • Page 150: Error Reporting

    Debug Commands Most ROM monitor debugging commands are functional only when Cisco IOS software has crashed or is halted. If you enter a debugging command and Cisco IOS crash information is not available, you see the following error message: “xxx: kernel context state is invalid, can not proceed.”...
  • Page 151: Exiting The Rom Monitor

    NVRAM size: 32KB Exiting the ROM Monitor You must set the configuration register to a value from 0x2 to 0xF for the router to boot a Cisco IOS image from flash memory upon startup or reloading. The following example shows how to reset the configuration register and cause the router to boot a Cisco IOS image stored in flash memory: rommon 1 >...
  • Page 152 Appendix C ROM Monitor Exiting the ROM Monitor Cisco Secure Router 520 Series Software Configuration Guide C-10 OL-14210-01...
  • Page 153: Appendix

    Time Resource Location Protocol NAMESERVER Hostname server NICNAME Who is LOGIN Login Host Protocol DOMAIN Domain name server BOOTPS Bootstrap Protocol Server BOOTPC Bootstrap Protocol Client TFTP Trivial File Transfer Protocol Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 154 UNIX remote execution (control) TCP—rlogin TCP—UNIX remote login UDP—rwho UDP—UNIX broadcast name service TCP—rsh TCP—UNIX remote shell UDP—syslog UDP—system log Printer UNIX line printer remote spooling Routing Information Protocol Timed Time server Cisco Secure Router 520 Series Software Configuration Guide OL-14210-01...
  • Page 155: I N D E X

    Cisco IOS Firewall IDS 11-4 errors, displaying 12-6 Cisco IOS queues events, displaying 12-6 class-based weighted fair queuing interface, configuring basic parameters See CBWFQ interface, configuring for PPPoA command-line access to router Cisco Secure Router 520 Series Software Configuration Guide IN-1 OL-14210-01...
  • Page 156 ROM monitor DHCP server C-2 to C-3 ROM monitor debugging C-8, C-9 dialer interface show atm interface dynamic routes 12-5 1-11, 1-12 show dsl interface atm Easy VPN Cisco Secure Router 520 Series Software Configuration Guide IN-2 OL-14210-01...
  • Page 157 12-7 debug commands, ROM monitor error reporting, ROM monitor C-8, C-9 default configuration, viewing errors, ATM, displaying 12-6 DHCP Ethernet configuring DHCP server events, ATM, displaying 12-6 Cisco Secure Router 520 Series Software Configuration Guide IN-3 OL-14210-01...
  • Page 158 6-4, 7-4 LAN with DHCP and VLANs, configuring 5-1 to 5-8 handshake defined three-way line configuration mode two-way Link Control Protocol help command See LCP help with commands Cisco Secure Router 520 Series Software Configuration Guide IN-4 OL-14210-01...
  • Page 159 RAM PPPoE See NVRAM client NVRAM, saving changes to configuration example configuring verifying your configuration prerequisites, for configuration overloading, defined privileged EXEC commands, accessing privileged EXEC mode A-2, A-3 Cisco Secure Router 520 Series Software Configuration Guide IN-5 OL-14210-01...
  • Page 160 See also console download router configuration mode transform set, configuring Routing Information Protocol translation See RIP See NAT routing protocol overview triggered extensions to RIP B-2 to ?? Cisco Secure Router 520 Series Software Configuration Guide IN-6 OL-14210-01...
  • Page 161 VLANs configuring verify configuration VPDN group number, configuring VPNs configuration example 6-10 configuration tasks 6-2, 7-2 configuring 6-1, 7-1, 11-4 WAN interface, configuring 1-4, 3-3 wireless LAN configuration example Cisco Secure Router 520 Series Software Configuration Guide IN-7 OL-14210-01...
  • Page 162 Index Cisco Secure Router 520 Series Software Configuration Guide IN-8 OL-14210-01...