Enterasys Security Router X-Pedition™ User Manual page 414

Enterasys security router user's guide

Configuration Examples
Figure 16-16
Begin by setting the XSR system time via SNTP. This configuration is critical for XSRs which use
time-sensitive certificates.
XSR(config)#sntp-client server 10.120.84.3
XSR(config)#sntp-client poll-interval 60
Add four ACLs to permit IP pool, L2TP and NEM traffic:
XSR(config)#access-list 110 permit ip any 10.120.70.0 0.0.0.255
XSR(config)#access-list 120 permit udp any any eq 1701
XSR(config)#access-list 140 permit ip any 172.16.1.0 0.0.0.255
XSR(config)#access-list 150 permit ip any 192.168.111.0 0.0.0.255
Define IKE Phase I security parameters with the following two policies:
XSR(config)#crypto isakmp proposal xp-soho
XSR(config-isakmp)#hash md5
XSR(config-isakmp)#lifetime 50000
XSR(config)#crypto isakmp proposal p2p
XSR(config-isakmp)#authentication pre-share
XSR(config-isakmp)#lifetime 50000
Configure IKE policy for the remote peer:
XSR(config)#crypto isakmp peer 0.0.0.0 0.0.0.0
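
The following Python sketch is an added example, not part of the Enterasys manual: it parses the four access-list entries from the ACL step above and checks constructed sample packets against them, so the reach of each wildcard mask and of the `eq 1701` qualifier can be verified before deployment. It assumes Cisco-style wildcard-mask semantics (a 1 bit in the mask is ignored) and that `eq` after the destination refers to the destination port; the function names are hypothetical.

```python
import ipaddress

# The four entries exactly as they appear in the configuration above.
CONFIG = """\
access-list 110 permit ip any 10.120.70.0 0.0.0.255
access-list 120 permit udp any any eq 1701
access-list 140 permit ip any 172.16.1.0 0.0.0.255
access-list 150 permit ip any 192.168.111.0 0.0.0.255
"""

def _take_addr(tokens):
    """Consume 'any' or '<address> <wildcard>'; return (base, wildcard) as ints."""
    if tokens[0] == "any":
        tokens.pop(0)
        return 0, 0xFFFFFFFF
    base = int(ipaddress.IPv4Address(tokens.pop(0)))
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    return base, wild

def parse(config):
    """Return {acl_number: [(action, proto, src, dst, dst_port), ...]}."""
    acls = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        number, action, proto, rest = int(tokens[1]), tokens[2], tokens[3], tokens[4:]
        src, dst = _take_addr(rest), _take_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        acls.setdefault(number, []).append((action, proto, src, dst, port))
    return acls

def _covers(ip, base, wild):
    # Assumption: Cisco-style wildcard mask, where a 1 bit means "ignore this bit".
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)

def permits(acls, number, proto, src, dst, dport=None):
    """True if the first matching entry of the list is a permit; False if none matches."""
    for action, e_proto, e_src, e_dst, e_port in acls.get(number, []):
        if (e_proto in ("ip", proto) and _covers(src, *e_src)
                and _covers(dst, *e_dst) and e_port in (None, dport)):
            return action == "permit"
    return False

ACLS = parse(CONFIG)
if __name__ == "__main__":
    # Constructed sample packets (documentation-range sources, not from the manual).
    print(permits(ACLS, 110, "tcp", "203.0.113.5", "10.120.70.25"))
    print(permits(ACLS, 120, "udp", "198.51.100.9", "192.0.2.10", 500))
```
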
16-28 Configuring Security on the XSR
Terminate Network Extension Mode (NEM) and Client mode tunnels
Terminate remote access L2TP/IPSec tunnels
Terminate PPTP remote access tunnels
Firewall inspection on the public VPN interface (the crypto map interface)
Firewall inspection on the trusted VPN interface (the connection to the corporate network)
Enable NAT Traversal on the firewall
OSPF routing with the next hop corporate router on the trusted VPN interface
DF bit clear on the public VPN interface to handle large non-fragmentable IP frames
OSPF routing over the multi-point VPN interface for other site-to-site tunnels
Assign the first IP address of the pool to the multi-point VPN interface
XSR Firewall, VPN and OSPF Topology
[Network diagram. Labels: XSR, Client, XP PC, NEM, Internet, router, SSR, FE1, FE2. Addresses shown: 141.154.196.93, 141.154.196.106, 96.96.96.0, 96.96.96.7, 172.16.1.0, 10.120.84.0, 10.120.112.0]
