Cisco 520 Series Software Configuration Manual Download Page 90 | Manualshive

Page: 90 / 162

background image

8-2

Cisco Secure Router 520 Series Software Configuration Guide

OL-14210-01

Chapter 8 Configuring a Simple Firewall

Figure 8-1

shows a network deployment using PPPoE or PPPoA with NAT and a firewall.

Figure 8-1

Router with Firewall Configured

In the configuration example that follows, the firewall is applied to the outside WAN interface (FE4) and
protects the Fast Ethernet LAN on FE0 by filtering and inspecting all traffic entering the router on the
Fast Ethernet WAN interface FE4. Note that in this example, the network traffic originating from the
corporate network, network address 10.1.1.0, is considered safe traffic and is not filtered.

Configuration Tasks

Perform the following tasks to configure this network scenario:

•

Configure Access Lists

•

Configure Inspection Rules

•

Apply Access Lists and Inspection Rules to Interfaces

A configuration example that shows the results of these configuration tasks is provided in the

“Configuration Example” section on page 8-5

.

1

Multiple networked devices—Desktops, laptop PCs, switches

2

Fast Ethernet LAN interface (the inside interface for NAT)

3

PPPoE or PPPoA client and firewall implementation—Cisco Secure Router 520 Series router

4

Point at which NAT occurs

5

Protected network

6

Unprotected network

7

Fast Ethernet or ATM WAN interface (the outside interface for NAT)

121781

2

3

7

5

6

1

4

«
...
88
89
90
91
92
...
»

Summary of Contents for 520 Series

Page 1: ...s Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 Cisco Secure Router 520 Series Software Configuration Guide Customer Order Number Text Part Number OL 14210 01 ...

Page 2: ...NSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES CCDE CCENT Cisco Eos Cisco Lumin Cisco StadiumVision the Cisco logo DCE and Welcome to the Human Network are trademarks Changing the Way We Work Live Play and ...

Page 3: ...ls 1 3 Configuring Basic Parameters 1 3 Configure Global Parameters 1 4 Configure Fast Ethernet LAN Interfaces 1 4 Configure WAN Interfaces 1 4 Configure the Fast Ethernet WAN Interface 1 5 Configure the ATM WAN Interface 1 5 Configure the Wireless Interface 1 6 Configuring a Loopback Interface 1 6 Configuration Example 1 7 Verifying Your Configuration 1 7 Configuring Command Line Access to the Ro...

Page 4: ...terface 4 2 Configure the ATM WAN Interface 4 5 Configure DSL Signaling Protocol 4 6 Configuring ADSL 4 6 Verify the Configuration 4 7 Configure Network Address Translation 4 7 Configuration Example 4 9 Verifying Your Configuration 4 10 C H A P T E R 5 Configuring a LAN with DHCP and VLANs 5 1 Configure DHCP 5 2 Configuration Example 5 4 Verify Your DHCP Configuration 5 4 Configure VLANs 5 5 Assig...

Page 5: ... Map to the Physical Interface 7 7 Configure a GRE Tunnel 7 8 Configuration Example 7 9 C H A P T E R 8 Configuring a Simple Firewall 8 1 Configure Access Lists 8 3 Configure Inspection Rules 8 4 Apply Access Lists and Inspection Rules to Interfaces 8 4 Configuration Example 8 5 C H A P T E R 9 Configuring a Wireless LAN Connection 9 1 Configure the Root Radio Station 9 2 Configure Bridging on VLA...

Page 6: ...Guidelines for Using Debug Commands 12 5 debug atm errors Command 12 6 debug atm events Command 12 6 debug atm packet Command 12 7 Software Upgrade Methods 12 8 Recovering a Lost Password 12 9 Change the Configuration Register 12 9 Reset the Router 12 10 Reset the Password and Save Your Changes 12 11 Reset the Configuration Register Value 12 11 P A R T 4 Reference Information A P P E N D I X A Cis...

Page 7: ...PAP B 3 CHAP B 3 TACACS B 4 Network Interfaces B 4 Ethernet B 4 ATM for DSL B 4 PVC B 5 Dialer Interface B 5 NAT B 5 Easy IP Phase 1 B 6 Easy IP Phase 2 B 6 QoS B 7 IP Precedence B 7 PPP Fragmentation and Interleaving B 7 CBWFQ B 8 RSVP B 8 Low Latency Queuing B 8 Access Lists B 9 C H A P T E R C ROM Monitor C 1 Entering the ROM Monitor C 1 ROM Monitor Commands C 2 Command Descriptions C 3 Disaste...

Page 8: ...FTP Download Command C 5 Configuration Register C 5 Changing the Configuration Register Manually C 6 Changing the Configuration Register Using Prompts C 6 Console Download C 7 Command Description C 7 Error Reporting C 8 Debug Commands C 8 Exiting the ROM Monitor C 9 A P P E N D I X D Common Port Assignments D 1 I N D E X ...

Page 9: ...Documentation and Submitting a Service Request page xvii Objective This guide provides an overview and explains how to install and connect the wireless and nonwireless Cisco Secure Router 520 Series routers For warranty service and support information see the Cisco One Year Limited Hardware Warranty Terms section in the Readme First for Cisco Secure Router 520 Series document that was shipped with...

Page 10: ... network VPN with a secure IP tunnel using the Cisco Easy VPN Chapter 7 Configuring VPNs Using an IPsec Tunnel and Generic Routing Encapsulation Provides instructions on how to configure a VPN with a secure IP tunnel and generic routing encapsulation GRE Chapter 8 Configuring a Simple Firewall Provides instructions on how to configure a basic firewall on your Cisco router Chapter 9 Configuring a W...

Page 11: ...he end of each warning to locate its translation in the translated safety warnings that accompanied this device Statement 1071 SAVE THESE INSTRUCTIONS Waarschuwing BELANGRIJKE VEILIGHEIDSINSTRUCTIES Dit waarschuwingssymbool betekent gevaar U verkeert in een situatie die lichamelijk letsel kan veroorzaken Voordat u aan enige apparatuur gaat werken dient u zich bewust te zijn van de bij elektrische ...

Page 12: ... Questo simbolo di avvertenza indica un pericolo La situazione potrebbe causare infortuni alle persone Prima di intervenire su qualsiasi apparecchiatura occorre essere al corrente dei pericoli relativi ai circuiti elettrici e conoscere le procedure standard per la prevenzione di incidenti Utilizzare il numero di istruzione presente alla fine di ciascuna avvertenza per individuare le traduzioni del...

Page 13: ...rará el número que le ayudará a encontrar el texto traducido en el apartado de traducciones que acompaña a este dispositivo GUARDE ESTAS INSTRUCCIONES Varning VIKTIGA SÄKERHETSANVISNINGAR Denna varningssignal signalerar fara Du befinner dig i en situation som kan leda till personskada Innan du utför arbete på någon utrustning måste du vara medveten om farorna med elkretsar och känna till vanliga f...

Page 14: ...laração fornecido ao final de cada aviso para localizar sua tradução nos avisos de segurança traduzidos que acompanham o dispositivo GUARDE ESTAS INSTRUÇÕES Advarsel VIGTIGE SIKKERHEDSANVISNINGER Dette advarselssymbol betyder fare Du befinder dig i en situation med risiko for legemesbeskadigelse Før du begynder arbejde på udstyr skal du være opmærksom på de involverede risici der er ved elektriske...

Page 15: ...xv Cisco Secure Router 520 Series Software Configuration Guide OL 14210 01 Preface ...

Page 16: ...uments The following documentation is shipped with the product For warranty service and support information see the Readme First for Cisco Secure Router 520 Series document Cisco Regulatory Compliance and Safety Information Roadmap The following Cisco Secure Router 520 Series product documentation is available on Cisco com Cisco Secure Router 520 Series Hardware Installation Guide http www cisco c...

Page 17: ...n see the monthly What s New in Cisco Product Documentation which also lists all new and revised Cisco technical documentation at http www cisco com en US docs general whatsnew whatsnew html Subscribe to the What s New in Cisco Product Documentation as a Really Simple Syndication RSS feed and set content to be delivered directly to your desktop using a reader application The RSS feeds are a free s...

Page 18: ...xviii Cisco Secure Router 520 Series Software Configuration Guide OL 14210 01 Preface ...

Page 19: ...P A R T 1 Getting Started ...

Page 20: ......

Page 21: ...ion with the Cisco Configuration Assistant Cisco Smart Assist Cisco Monitor Manager and Cisco Monitor Director This chapter provides procedures for configuring the basic parameters of your Cisco router including global parameter settings routing protocols interfaces and command line access using the CLI It also describes the default configuration at startup Note Individual router routers may not s...

Page 22: ...PP password to access your Internet service provider ISP account DNS server IP address and default gateways If you are setting up a connection to a corporate network you and the network administrator must generate and share the following information for the WAN interfaces of the routers PPP authentication type CHAP or PAP PPP client name to access the router PPP password to access the router If yo...

Page 23: ...m one or more of these tasks Configure Global Parameters Configure Fast Ethernet LAN Interfaces Configure WAN Interfaces Configuring a Loopback Interface Configuring Command Line Access to the Router A configuration example is presented with each task to show the network configuration following completion of that task Table 1 1 Supported Interfaces and Associated Port Labels by Router Router Inter...

Page 24: ... Secure Router 520 Ethernet to Ethernet routers have one Fast Ethernet interface for WAN connection The Cisco Secure Router 520 ADSL over POTS and Cisco Secure Router 520 ADSL over ISDN routers have one ATM interface for WAN connection Command Purpose Step 1 configure terminal Example Router enable Router configure terminal Router config Enters global configuration mode when using the console port...

Page 25: ...nly to the Cisco Secure Router 520 ADSL over POTS and Cisco Secure Router 520 ADSL over ISDN routers Command Purpose Step 1 interface type number Example Router config interface fastethernet 4 Router config if Enters the configuration mode for a Fast Ethernet WAN interface on the router Step 2 ip address ip address mask Example Router config if ip address 192 1 12 2 255 255 255 0 Router config if ...

Page 26: ...rface acts as a placeholder for the static IP address and provides default routing information For complete information on the loopback commands see the Cisco IOS Release 12 3 documentation set Command Purpose Step 1 interface type number Example Router config interface atm0 Router config if Identifies and enters the configuration mode for an ATM interface Step 2 ip address ip address mask Example...

Page 27: ...roadcast ip nat outside Verifying Your Configuration To verify that you have properly configured the loopback interface enter the show interface loopback command You should see verification output similar to the following example Router show interface loopback 0 Loopback0 is up line protocol is up Hardware is Loopback Internet address is 200 200 100 1 24 MTU 1514 bytes BW 8000000 Kbit DLY 5000 use...

Page 28: ...nd trip min avg max 1 2 4 ms Configuring Command Line Access to the Router Perform these steps to configure parameters to control access to the router beginning in global configuration mode Command Purpose Step 1 line aux console tty vty line number Example Router config line console 0 Router config line Enters line configuration mode and specifies the type of line This example specifies a console...

Page 29: ...ansport input none default stopbits 1 default line vty 0 4 password secret login Step 5 exit Example Router config line exit Router config Exits line configuration mode and returns to global configuration mode Step 6 line aux console tty vty line number Example Router config line vty 0 4 Router config line Specifies a virtual terminal for remote console access Step 7 password password Example Rout...

Page 30: ...nother device with an IP address of 10 10 10 2 Specifically the packets are sent to the configured PVC You do not need to enter the commands marked default These commands appear automatically in the configuration file generated when you use the show running config command ip classless default ip route 192 168 1 0 255 255 255 0 10 10 10 2 Verifying Your Configuration To verify that you have properl...

Page 31: ... use IP routing protocols such as Routing Information Protocol RIP to learn routes dynamically You can configure either of these routing protocols on your router Configuring RIP Perform these steps to configure the RIP routing protocol on the router beginning in global configuration mode Command Task Step 1 router rip Example Router configure terminal Router config router rip Router config router ...

Page 32: ...nd and look for RIP routes signified by R You should see verification output like the example shown below Router show ip route Codes C connected S static R RIP M mobile B BGP D EIGRP EX EIGRP external i IS IS su IS IS summary L1 IS IS level 1 L2 IS IS level 2 ia IS IS inter area candidate default U per user static route o ODR P periodic downloaded static route Gateway of last resort is not set 10 ...

Page 33: ...P A R T 2 Configuring Your Router for Ethernet and DSL Access ...

Page 34: ......

Page 35: ...arios do not address all of the possible network needs instead they provide models on which you can pattern your network You can choose not to use features presented in the examples or you can add or substitute features that better suit your needs Note To verify that a specific feature is compatible with your router you can use the Software Advisor tool You can access this tool at www cisco com Te...

Page 36: ...Router 520 Series Software Configuration Guide OL 14210 01 Chapter 2 Sample Network Deployments Chapter 7 Configuring VPNs Using an IPsec Tunnel and Generic Routing Encapsulation Chapter 8 Configuring a Simple Firewall ...

Page 37: ...ncrypted filtered and so forth Figure 3 1 shows a typical deployment scenario with a PPPoE client and NAT configured on the Cisco router Figure 3 1 PPP over Ethernet with NAT 1 Multiple networked devices Desktops laptop PCs switches 2 Fast Ethernet LAN interface inside interface for NAT 3 PPPoE client Cisco Secure Router 520 Ethernet to Ethernet router 4 Point at which NAT occurs 5 Fast Ethernet W...

Page 38: ... NAT represented as the dashed line at the edge of the Cisco router signifies two addressing domains and the inside source address The source list defines how the packet travels through the network Configuration Tasks Perform the following tasks to configure this network scenario Configure the Virtual Private Dialup Network Group Number Configure the Fast Ethernet WAN Interfaces Configure the Dial...

Page 39: ...iates the tunnel Step 4 protocol l2tp pppoe Example Router config vpdn req in protocol pppoe Router config vpdn req in Specifies the type of sessions the VPDN subgroup can establish Step 5 exit Example Router config vpdn req in exit Router config vpdn Exits request dialin VPDN group configuration Step 6 exit Example Router config vpdn exit Router config Exits VPDN configuration returning to global...

Page 40: ...et interface and the configuration changes just made to it Step 4 exit Example Router config if exit Router config Exits configuration mode for the Fast Ethernet interface and returns to global configuration mode Command Purpose Command Purpose Step 1 interface dialer dialer rotary group number Example Router config interface dialer 0 Router config if Creates a dialer interface numbered 0 to 255 a...

Page 41: ...er config if Specifies the dialer pool to use to connect to a specific destination subnetwork Step 7 dialer group group number Example Router config if dialer group 1 Router config if Assigns the dialer interface to a dialer group 1 10 Tip Using a dialer group controls access to your router Step 8 exit Example Router config if exit Router config Exits the dialer 0 interface configuration Step 9 di...

Page 42: ...d to one of the addresses specified in the dialer interface 0 The second example shows the addresses permitted by access list acl1 to be translated to one of the addresses specified in the NAT pool pool1 For details about this command and additional parameters that can be set as well as information about enabling static translation see the Cisco IOS IP Command Reference Volume 1 of 4 Addressing an...

Page 43: ...Fast Ethernet WAN interface FE4 to be the outside interface for NAT Step 8 ip nat inside outside Example Router config if ip nat outside Router config if Identifies the specified WAN interface as the NAT outside interface For details about this command and additional parameters that can be set as well as information about enabling static translation see the Cisco IOS IP Command Reference Volume 1 ...

Page 44: ... 1 ip address 192 168 1 1 255 255 255 0 no ip directed broadcast default ip nat inside interface FastEthernet 4 ip address 192 1 12 2 255 255 255 0 no ip directed broadcast default ip nat outside interface dialer 1 ip address negotiated ppp authentication chap dialer pool 1 dialer group 1 dialer list 1 protocol ip permit ip nat inside source list 1 interface dialer 0 overload ip classless default ...

Page 45: ...ter 520 Series Software Configuration Guide OL 14210 01 Chapter 3 Configuring PPP over Ethernet with NAT Configuration Example Dynamic mappings Inside Source Id 1 access list 1 interface Dialer0 refcount 0 Queued Packets 0 ...

Page 46: ...3 10 Cisco Secure Router 520 Series Software Configuration Guide OL 14210 01 Chapter 3 Configuring PPP over Ethernet with NAT Configuration Example ...

Page 47: ...work solution with simplified address handling and straight user verification as with a dial network Figure 4 1 shows a typical deployment scenario with a PPPoA client and NAT configured on the Cisco router This scenario uses a single static IP address for the ATM connection Figure 4 1 PPP over ATM with NAT 1 Small business with multiple networked devices desktops laptop PCs switches 2 Fast Ethern...

Page 48: ...ltiple PPPoA client sessions can be configured on an ATM interface but each session must use a separate dialer interface and a separate dialer pool A PPPoA session is initiated on the client side by the Cisco Secure Router 520 Series router NAT NAT represented as the dashed line at the edge of the Cisco router signifies two addressing domains and the inside source address The source list defines h...

Page 49: ...e of the IP maximum transmission unit MTU The default minimum is 128 bytes The maximum for ATM is 1492 bytes Step 4 encapsulation encapsulation type Example Router config if encapsulation ppp Router config if Sets the encapsulation type to PPP for the data packets being transmitted and received Step 5 ppp authentication protocol1 protocol2 Example Router config if ppp authentication chap Router co...

Page 50: ...ist 1 protocol ip permit Router config Creates a dialer list and associates a dial group with it Packets are then forwarded through the specified interface dialer group For details about this command and additional parameters that can be set see the Cisco IOS Dial Technologies Command Reference Step 10 ip route prefix mask interface type interface number Example Router config ip route 10 10 25 0 2...

Page 51: ...ncapsulation is defined by default Use the encapsulation command to change this as shown in Step 3 The VPI and VCI arguments cannot be simultaneously specified as zero if one is 0 the other cannot be 0 For details about this command and additional parameters that can be set see the Cisco IOS Wide Area Networking Command Reference Step 3 encapsulation aal5auto aal5autoppp virtual template number gr...

Page 52: ... operating mode from the ATM interface configuration mode dsl lom integer dsl enable training log See the Cisco IOS Wide Area Networking Command Reference for details of these commands Step 5 no shutdown Example Router config if atm vc no shutdown Router config if Enables interface and configuration changes just made to the ATM interface Step 6 exit Example Router config if exit Router config Exit...

Page 53: ...ngth Example Router config ip nat pool pool1 192 168 1 0 192 168 2 0 netmask 255 255 255 0 Router config Creates pool of global IP addresses for NAT Step 2 ip nat inside source list access list number interface type number pool name overload Example 1 Router config ip nat inside source list 1 interface dialer 0 overload or Example 2 Router config ip nat inside source list acl1 pool pool1 Enables d...

Page 54: ... just made to the Ethernet interface Step 6 exit Example Router config if exit Router config Exits configuration mode for the Fast Ethernet interface Step 7 interface type number Example Router config interface atm 0 Router config if Enters configuration mode for the ATM WAN interface ATM0 to be the outside interface for NAT Step 8 ip nat inside outside Example Router config if ip nat outside Rout...

Page 55: ...ress of 192 168 1 1 with a subnet mask of 255 255 255 0 NAT is configured for inside and outside Note Commands marked by default are generated automatically when you run the show running config command interface Vlan1 ip address 192 168 1 1 255 255 255 0 ip nat inside ip virtual reassembly default interface ATM0 no ip address ip nat outside ip virtual reassembly no atm ilmi keepalive pvc 8 35 enca...

Page 56: ...5 dialer list 1 protocol ip permit ip route 10 10 25 2 0 255 255 255 dialer 0 Verifying Your Configuration Use the show ip nat statistics command in privileged EXEC mode to verify the PPPoA client with NAT configuration You should see verification output similar to the following example Router show ip nat statistics Total active translations 0 0 static 0 dynamic 0 extended Outside interfaces ATM0 ...

Page 57: ... and Virtual LANs with DHCP Configured on the Cisco Router DHCP DHCP which is described in RFC 2131 uses a client server router for address allocation As an administrator you can configure your Cisco Secure Router 520 Series router to act as a DHCP server providing IP address assignment and other TCP IP oriented configuration information to your workstations DHCP frees you from having to manually ...

Page 58: ... tasks see Chapter 1 Basic Router Configuration Chapter 3 Configuring PPP over Ethernet with NAT and Chapter 4 Configuring PPP over ATM with NAT as appropriate for your router Configure DHCP Perform these steps to configure your router for DHCP operation beginning in global configuration mode Command Purpose Step 1 ip domain name name Example Router config ip domain name smallbiz com Router config...

Page 59: ...tep 6 import all Example Router dhcp config import all Router dhcp config Imports DHCP option parameters into the DHCP portion of the router database Step 7 default router address address2 address8 Example Router dhcp config default router 10 10 10 10 Router dhcp config Specifies up to 8 default routers for a DHCP client Step 8 dns server address address2 address8 Example Router dhcp config dns se...

Page 60: ...parameters imported into the DHCP server database show ip dhcp pool Displays information about the DHCP address pools show ip dhcp server statistics Displays the DHCP server statistics such as the number of address pools bindings and so forth Router show ip dhcp import Address Pool Name dpool1 Router show ip dhcp pool Pool dpool1 Utilization mark high low 100 0 Subnet size first next 0 0 Total add...

Page 61: ...guration mode Step 2 vlan vlan id media type name vlan name Example Router vlan vlan 2 media ethernet name VLAN0002 VLAN 2 added Name VLAN0002 Media type ETHERNET Router vlan vlan 3 media ethernet name red vlan VLAN 3 added Name red vlan Media type ETHERNET Router vlan Adds VLANs with identifiers ranging from 2 to 1001 For details about this command and additional parameters that can be set see th...

Page 62: ... information for all configured VLANs Router vlan database Router vlan show VLAN ISL Id 1 Name default Media Type Ethernet VLAN 802 10 Id 100001 State Operational MTU 1500 Translational Bridged VLAN 1002 Translational Bridged VLAN 1003 VLAN ISL Id 2 Name VLAN0002 Media Type Ethernet VLAN 802 10 Id 100002 State Operational MTU 1500 Command Purpose Step 1 interface switch port id Example Router conf...

Page 63: ...TU 1500 Bridge Type SRB Ring Number 0 Bridge Number 1 Parent VLAN 1005 Maximum ARE Hop Count 7 Maximum STE Hop Count 7 Backup CRF Mode Disabled Translational Bridged VLAN 1 Translational Bridged VLAN 1002 VLAN ISL Id 1004 Name fddinet default Media Type FDDI Net VLAN 802 10 Id 101004 State Operational MTU 1500 Bridge Type SRB Bridge Number 1 STP Type IBM VLAN ISL Id 1005 Name trnet default Media T...

Page 64: ...g a LAN with DHCP and VLANs Configure VLANs VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2 1 enet 100001 1500 1002 1003 2 enet 100002 1500 0 0 1002 fddi 101002 1500 1 1003 1003 tr 101003 1500 1005 0 srb 1 1002 1004 fdnet 101004 1500 1 ibm 0 0 1005 trnet 101005 1500 1 ibm 0 0 ...

Page 65: ...nts Two types of VPNs are supported site to site and remote access Site to site VPNs are used to connect branch offices to corporate offices for example Remote access VPNs are used by remote clients to log in to a corporate network The example in this chapter illustrates the configuration of a remote access VPN that uses the Cisco Easy VPN and an IPsec tunnel to configure and secure the connection...

Page 66: ...ss network resources on the client site After the IPsec server has been configured a VPN connection can be created with minimal configuration on an IPsec client such as a supported Cisco Secure Router 520 Series router When the IPsec client initiates the VPN tunnel connection the IPsec server pushes the IPsec policies to the IPsec client and creates the corresponding VPN tunnel connection Note The...

Page 67: ...o configure the Internet Key Exchange IKE policy beginning in global configuration mode Command or Action Purpose Step 1 crypto isakmp policy priority Example Router config crypto isakmp policy 1 Router config isakmp Creates an IKE policy that is used during IKE negotiation The priority is a number from 1 to 10000 with 1 being the highest Also enters the Internet Security Association Key and Manag...

Page 68: ...and enters global configuration mode Command or Action Purpose Command or Action Purpose Step 1 crypto isakmp client configuration group group name default Example Router config crypto isakmp client configuration group rtr remote Router config isakmp group Creates an IKE policy group containing attributes to be downloaded to the remote client Also enters the Internet Security Association Key and M...

Page 69: ...address Example Router config ip local pool dynpool 30 30 30 20 30 30 30 30 Router config Specifies a local address pool for the group For details about this command and additional parameters that can be set see the Cisco IOS Dial Technologies Command Reference Command or Action Purpose Command or Action Purpose Step 1 crypto map map name isakmp authorization list list name Example Router config c...

Page 70: ...outer config aaa authentication login rtr remote local Router config Specifies AAA authentication of selected users at login and specifies the method used This example uses a local authentication database You could also use a RADIUS server for this For details see the Cisco IOS Security Configuration Guide and Cisco IOS Security Command Reference Step 3 aaa authorization network exec commands leve...

Page 71: ... transform set vpn1 esp 3des esp sha hmac Router cfg crypto trans Defines a transform set an acceptable combination of IPsec security protocols and algorithms See the Cisco IOS Security Command Reference for detail about the valid transforms and combinations Step 2 crypto ipsec security association lifetime seconds seconds kilobytes kilobytes Example Router cfg crypto trans crypto ipsec security a...

Page 72: ...ivity to the Internet Perform these steps to apply a crypto map to an interface beginning in global configuration mode Step 3 reverse route Example Router config crypto map reverse route Router config crypto map Creates source proxy information for the crypto map entry See the Cisco IOS Security Command Reference for details Step 4 exit Example Router config crypto map exit Router config Returns t...

Page 73: ...ration mode Command or Action Purpose Command or Action Purpose Step 1 crypto ipsec client ezvpn name Example Router config crypto ipsec client ezvpn ezvpnclient Router config crypto ezvpn Creates a Cisco Easy VPN remote configuration and enters Cisco Easy VPN remote configuration mode Step 2 group group name key group key Example Router config crypto ezvpn group ezvpnclient key secret password Ro...

Page 74: ... aaa session id common Step 5 exit Example Router config crypto ezvpn exit Router config Returns to global configuration mode Step 6 interface type number Example Router config interface fastethernet 4 Router config if Enters the interface configuration mode for the interface to which you want the Cisco Easy VPN remote configuration applied Note For routers with an ATM WAN interface this command w...

Page 75: ...ool crypto ipsec transform set vpn1 esp 3des esp sha hmac crypto ipsec security association lifetime seconds 86400 crypto dynamic map dynmap 1 set transform set vpn1 reverse route crypto map static map 1 ipsec isakmp dynamic dynmap crypto map dynmap isakmp authorization list rtr remote crypto map dynmap client configuration address respond crypto ipsec client ezvpn ezvpnclient connect auto group 2...

Page 76: ...6 12 Cisco Secure Router 520 Series Software Configuration Guide OL 14210 01 Chapter 6 Configuring a VPN Using Easy VPN and an IPsec Tunnel Configuration Example ...

Page 77: ...k The example in this chapter illustrates the configuration of a site to site VPN that uses IPsec and the generic routing encapsulation GRE protocol to secure the connection between the branch office and the corporate network Figure 7 1 shows a typical deployment scenario Figure 7 1 Site to Site VPN Using an IPsec Tunnel and GRE 1 Branch office containing multiple LANs and VLANs 2 Fast Ethernet LA...

Page 78: ...trol lists ACLs are applied to the tunnel interface VPNs VPN configuration information must be configured on both endpoints for example on your Cisco router and at the remote user or on your Cisco router and on another router You must specify parameters such as internal IP addresses internal subnet masks DHCP server addresses and Network Address Translation NAT Configuration Tasks Perform the foll...

Page 79: ...es the encryption algorithm used in the IKE policy The example uses 168 bit Data Encryption Standard DES Step 3 hash md5 sha Example Router config isakmp hash md5 Router config isakmp Specifies the hash algorithm used in the IKE policy The example specifies the Message Digest 5 MD5 algorithm The default is Secure Hash standard SHA 1 Step 4 authentication rsa sig rsa encr pre share Example Router c...

Page 80: ...onfig isakmp group Specifies the IKE pre shared key for the group policy Step 3 dns primary server Example Router config isakmp group dns 10 50 10 1 Router config isakmp group Specifies the primary Domain Name Service DNS server for the group Note You may also want to specify Windows Internet Naming Service WINS servers for the group by using the wins command Step 4 domain name Example Router conf...

Page 81: ... Example Router config aaa authentication login rtr remote local Router config Specifies AAA authentication of selected users at login and specifies the method used This example uses a local authentication database You could also use a RADIUS server for this See the Cisco IOS Security Configuration Guide and the Cisco IOS Security Command Reference for details Step 3 aaa authorization network exec...

Page 82: ...sform set vpn1 esp 3des esp sha hmac Router cfg crypto trans Defines a transform set An acceptable combination of IPsec security protocols and algorithms See the Cisco IOS Security Command Reference for detail about the valid transforms and combinations Step 2 crypto ipsec security association lifetime seconds seconds kilobytes kilobytes Example Router cfg crypto trans crypto ipsec security associ...

Page 83: ... the Internet Perform these steps to apply a crypto map to an interface beginning in global configuration mode Step 3 reverse route Example Router config crypto map reverse route Router config crypto map Creates source proxy information for the crypto map entry See the Cisco IOS Security Command Reference for details Step 4 exit Example Router config crypto map exit Router config Enters global con...

Page 84: ...rs global configuration mode Command or Action Purpose Command or Action Purpose Step 1 interface type number Example Router config interface tunnel 1 Router config if Creates a tunnel interface and enters interface configuration mode Step 2 ip address ip address subnet mask Example Router config if ip address 10 62 1 193 255 255 255 255 Router config if Assigns an address to the tunnel Step 3 tun...

Page 85: ...amic routing or static routes to the tunnel interface must be configured to establish connectivity between the sites See the Cisco IOS Security Configuration Guide for details Step 6 exit Example Router config if exit Router config Exits interface configuration mode and returns to global configuration mode Step 7 ip access list standard extended access list name Example Router config ip access lis...

Page 86: ...figuration address respond Defines the key association and authentication for IPsec tunnel crypto isakmp policy 1 hash md5 authentication pre share crypto isakmp key cisco123 address 200 1 1 1 Defines encryption and transform set for the IPsec tunnel crypto ipsec transform set set1 esp 3des esp md5 hmac Associates all crypto values and peering address for the IPsec tunnel crypto map to_corporate 1...

Page 87: ... for NAT access list 102 permit ip 10 1 1 0 0 0 0 255 any acl 103 defines traffic allowed from the peer for the IPsec tunnel access list 103 permit udp host 200 1 1 1 any eq isakmp access list 103 permit udp host 200 1 1 1 eq isakmp any access list 103 permit esp host 200 1 1 1 any Allow ICMP for debugging but should be disabled because of security implications access list 103 permit icmp any any ...

Page 88: ...7 12 Cisco Secure Router 520 Series Software Configuration Guide OL 14210 01 Chapter 7 Configuring VPNs Using an IPsec Tunnel and Generic Routing Encapsulation Configuration Example ...

Page 89: ... or at most the transport layer permitting or denying the passage of each packet through the firewall However the use of inspection rules in CBAC allows the creation and use of dynamic temporary access lists These dynamic lists allow temporary openings in the configured access lists at firewall interfaces These openings are created when traffic for a specified user session exits the internal netwo...

Page 90: ...ork network address 10 1 1 0 is considered safe traffic and is not filtered Configuration Tasks Perform the following tasks to configure this network scenario Configure Access Lists Configure Inspection Rules Apply Access Lists and Inspection Rules to Interfaces A configuration example that shows the results of these configuration tasks is provided in the Configuration Example section on page 8 5 ...

Page 91: ...rpose Step 1 access list access list number deny permit protocol source source wildcard operator port destination Example Router config access list 103 deny ip any any Router config access list 103 permit host 200 1 1 1 eq isakmp any Router config Creates an access list which prevents Internet initiated traffic from reaching the local inside network of the router and which compares source and dest...

Page 92: ...onfig Defines an inspection rule for a particular protocol Step 2 ip inspect name inspection name protocol Example Router config ip inspect name firewall rtsp Router config ip inspect name firewall h323 Router config ip inspect name firewall netshow Router config ip inspect name firewall ftp Router config ip inspect name firewall sqlnet Router config Repeat this command for each inspection rule th...

Page 93: ...wall inspection is set up for all TCP and UDP traffic as well as specific application protocols as defined by the security policy ip inspect name firewall tcp ip inspect name firewall udp ip inspect name firewall rtsp ip inspect name firewall h323 ip inspect name firewall netshow ip inspect name firewall ftp ip inspect name firewall sqlnet interface vlan 1 This is the internal home network ip insp...

Page 94: ... 1 1 any eq isakmp access list 103 permit udp host 200 1 1 1 eq isakmp any access list 103 permit esp host 200 1 1 1 any Allow ICMP for debugging but should be disabled because of security implications access list 103 permit icmp any any access list 103 deny ip any any Prevents Internet initiated traffic inbound acl 105 matches addresses for the ipsec tunnel to or from the corporate network access...

Page 95: ...sed management system or Simple Network Management Protocol SNMP This chapter describes how to configure the router using the CLI Use the interface dot11radio global configuration CLI command to place the device into radio configuration mode See the Cisco Access Router Wireless Configuration Guide for more detailed information about configuring these Cisco routers in a wireless LAN application Fig...

Page 96: ...ecure tunnels Configure the Root Radio Station Perform these steps to create and configure the root radio station for your wireless LAN beginning in global configuration mode Command Purpose Step 1 interface name number Example Router config interface dot11radio 0 Router config if Enters interface configuration mode for the radio interface Step 2 broadcast key vlan vlan id change seconds Example R...

Page 97: ...authentication type Example Router config if ssid authentication open Router config if ssid authentication network eap eap_methods Router config if ssid authentication key management wpa Sets the permitted authentication methods for a user attempting access to the wireless LAN More than one method can be specified as shown in the example Step 7 exit Example Router config if ssid exit Router config...

Page 98: ...l Specifies the channel on which communication occurs See the Cisco Access Router Wireless Configuration Guide for available channel numbers Step 12 station role repeater root Example Router config if station role root Router config if Optional Specifies the role of this radio interface You must specify at least one root interface Step 13 exit Example Router config if exit Router config Exits inte...

Page 99: ...roup 1 spanning disabled Router config if Sets other bridge parameters for the bridging interface Step 5 interface name number Example Router config if interface bvi 1 Router config if Enters configuration mode for the virtual bridge interface Step 6 ip address address mask Example Router config if ip address 10 0 1 1 255 255 255 0 Router config if Specifies the address for the virtual bridge inte...

Page 100: ...t1q encapsulation is used on the specified subinterface Step 4 no cdp enable Example Router config subif no cdp enable Router config subif Disables the Cisco Discovery Protocol CDP on the wireless interface Step 5 bridge group number Example Router config subif bridge group 1 Router config subif Assigns a bridge group to the subinterface Note When the bridge group command is enabled the following ...

Page 101: ... group 1 bridge group 1 subscriber loop control bridge group 1 spanning disabled bridge group 1 block unknown source no bridge group 1 source learning no bridge group 1 unicast flooding interface Dot11Radio0 2 encapsulation dot1Q 2 bridge group 2 bridge group 2 subscriber loop control bridge group 2 spanning disabled bridge group 2 block unknown source no bridge group 2 source learning no bridge g...

Page 102: ...Chapter 9 Configuring a Wireless LAN Connection Configuration Example no ip address bridge group 3 bridge group 3 spanning disabled interface BVI1 ip address 10 0 1 1 255 255 255 0 interface BVI2 ip address 10 0 2 1 255 255 255 0 interface BVI3 ip address 10 0 3 1 255 255 255 0 ...

Page 103: ...P A R T 3 Configuring Additional Features and Troubleshooting ...

Page 104: ......

Page 105: ...his part include Chapter 11 Configuring Security Features Chapter 12 Troubleshooting The descriptions contained in these chapters do not describe all of your configuration or troubleshooting needs See the appropriate Cisco IOS configuration guides and command references for additional details Note To verify that a specific feature is compatible with your router you can use the Software Advisor too...

Page 106: ...10 2 Cisco Secure Router 520 Series Software Configuration Guide OL 14210 01 Chapter 10 Additional Configuration Options ...

Page 107: ... services provide the primary framework through which you set up access control on your router Authentication provides the method of identifying users including login and password dialog challenge and response messaging support and depending on the security protocol you choose encryption Authorization provides the method for remote access control including one time authorization or authorization f...

Page 108: ... Access lists ACLs permit or deny network traffic over an interface based on source IP address destination IP address or protocol Access lists are configured as standard or extended A standard access list either permits or denies passage of packets from a designated source An extended access list allows designation of both the destination and the source and it allows designation of individual prot...

Page 109: ...cted internally and the state of network connections is monitored This is superior to static access lists because access lists can only permit or deny traffic based on individual packets not streams of packets Also because CBAC inspects the packets decisions to permit or deny traffic can be made by examining application layer data something static access lists cannot do To configure a CBAC firewal...

Page 110: ...Intrusion Detection System section of the Cisco IOS Release 12 3 Security Configuration Guide Configuring VPNs A virtual private network VPN connection provides a secure connection between two networks over a public network such as the Internet Cisco Secure Router 520 Series routers support site to site VPNs using IP security IPsec tunnels and generic routing encapsulation GRE Permanent VPN connec...

Page 111: ... router using the light blue console port With a connected terminal or PC you can view status messages from the router and enter commands to troubleshoot a problem You can also remotely access the interface Ethernet ADSL or telephone by using Telnet The Telnet option assumes that the interface is up and running Before Contacting Cisco or Your Reseller If you cannot locate the source of a problem c...

Page 112: ...mmands Use the following commands to troubleshoot your ATM interface ping atm interface Command show interface Command show atm interface Command debug atm Commands ping atm interface Command Use the ping atm interface command to determine whether a particular PVC is in use The PVC does not need to be configured on the router to use this command Example 12 1 shows the use of this command to determ...

Page 113: ...interface counters never Input queue 0 75 0 size max drops Total output drops 0 Queueing strategy Per VC Queuing 5 minute input rate 0 bits sec 0 packets sec 5 minute output rate 0 bits sec 0 packets sec 512 packets input 59780 bytes 0 no buffer Received 0 broadcasts 0 runts 0 giants 0 throttles 0 input errors 1024 CRC 0 frame 0 overrun 0 ignored 0 abort 426 packets output 46282 bytes 0 underruns ...

Page 114: ...subinterface is down possibly because the ATM line has been disconnected by the service provider For Fast Ethernet Interfaces Fast Ethernet n is up line protocol is up The specified Fast Ethernet interface is connected to the network and operating correctly Fast Ethernet n is up line protocol is down The specified Fast Ethernet interface has been correctly configured and enabled but the Ethernet c...

Page 115: ...u might be having on your network The debug commands provide extensive informative displays to help you interpret any possible problems Guidelines for Using Debug Commands Read the following guidelines before using debug commands to ensure appropriate results All debug commands are entered in privileged EXEC mode To view debugging messages on a console enter the logging console debugging command M...

Page 116: ... 32 06 ATM ATM0 2 VC 3 Bad SAP received 4500 01 32 08 ATM ATM0 2 VC 3 Bad SAP received 4500 01 32 10 ATM ATM0 2 VC 3 Bad SAP received 4500 debug atm events Command Use the debug atm events command to display events that occur on the ATM interface processor and to diagnose problems in an ATM network This command provides an overall picture of the stability of the network The no form of this command...

Page 117: ...n 0xA 00 02 57 DSL Using subfunction 0xA 00 02 57 DSL Sent command 0x5 00 03 00 DSL 1 Modem state 0x8 00 03 00 DSL 1 Modem state 0x8 00 03 00 DSL 1 Modem state 0x8 00 03 00 DSL 1 Modem state 0x8 00 03 00 DSL 1 Modem state 0x8 00 03 00 DSL 1 Modem state 0x8 debug atm packet Command Use the debug atm packet command to display all process level ATM packets for both outbound and inbound packets The ou...

Page 118: ...ABCD ABCD ABCD ABCD ABCD ABCD 01 23 48 ABCD ABCD ABCD ABCD ABCD 01 23 48 Table 12 3 describes some of the fields shown in the debug atm packet command output Software Upgrade Methods Several methods are available for upgrading software on the Cisco Secure Router 520 Series routers including Copy the new software image to flash memory over the LAN or WAN while the existing Cisco IOS software image ...

Page 119: ...show version command to display the existing configuration register value shown in bold at the bottom of this output example Router show version Cisco IOS Software SR520 Software SR520 ADVIPSERVICESK9 M Experimental Version 12 4 20070608 212108 rhsu2k p121 190 Copyright c 1986 2007 by Cisco Systems Inc Compiled Fri 08 Jun 07 15 16 by rhsu2k ROM System Bootstrap Version 12 3 8r YI RELEASE SOFTWARE ...

Page 120: ...the router follow these steps Step 1 If break is enabled go to Step 2 If break is disabled turn the router off O wait 5 seconds and turn it on again Within 60 seconds press the Break key The terminal displays the ROM monitor prompt Go to Step 3 Note Some terminal keyboards have a key labeled Break If your keyboard does not have a Break key see the documentation that came with the terminal for inst...

Page 121: ...plete the password recovery process by performing the steps in the following Reset the Password and Save Your Changes section Reset the Password and Save Your Changes To reset your password and save the changes follow these steps Step 1 Enter the configure terminal command to enter global configuration mode Router configure terminal Step 2 Enter the enable secret command to reset the enable secret...

Page 122: ...Recovering a Lost Password Step 3 Enter exit to exit configuration mode Router config exit Note To return to the configuration being used before you recovered the lost enable password do not save the configuration changes before rebooting the router Step 4 Reboot the router and enter the recovered password ...

Page 123: ...P A R T 4 Reference Information ...

Page 124: ......

Page 125: ...e to Go Next If you are already familiar with Cisco IOS software go to one of the following chapters Chapter 1 Basic Router Configuration Chapter 2 Sample Network Deployments One of the configuration topic chapters described in Chapter 10 Additional Configuration Options Configuring the Router from a PC You can configure your router from a PC connected through the console port using terminal emula...

Page 126: ... Global Configuration Mode section later in this chapter Understanding Command Modes This section describes the Cisco IOS command mode structure Each command mode supports specific Cisco IOS commands For example you can use the interface type number command only from global configuration mode The following Cisco IOS command modes are hierarchical When you begin a router session you are in user EXE...

Page 127: ...ould be protected with a password as described in Enable Secret Passwords and Enable Passwords later in this chapter Global configuration Enter the configure command from privileged EXEC mode Router config To exit to privileged EXEC mode enter the exit or end command or press Ctrl Z To enter interface configuration mode enter the interface command Use this mode to configure parameters that apply t...

Page 128: ...or more commands Enable Secret Passwords and Enable Passwords By default the router ships without password protection Because many privileged EXEC commands are used to set operating parameters you should password protect these commands to prevent unauthorized use Router configuration Enter one of the router commands followed by the appropriate keyword for example router rip from global configurati...

Page 129: ...rcase and lowercase alphanumeric characters In both cases a number cannot be the first character Spaces are also valid password characters for example two words is a valid password Leading spaces are ignored trailing spaces are recognized Entering Global Configuration Mode To make any configuration changes to your router you must be in global configuration mode This section describes how to enter ...

Page 130: ... system reload or power outage This example shows how to use this command to save your changes Router copy running config startup config Destination filename startup config Table A 3 Common CLI Error Messages Error Message Meaning How to Get Help Ambiguous command show con You did not enter enough characters for your router to recognize the command Reenter the command followed by a question mark w...

Page 131: ... begin to configure your router Remember You can use the question mark and arrow keys to help you enter commands Each command mode restricts you to a set of commands If you are having difficulty entering a command check the prompt and then enter the question mark for a list of available commands You might be in the wrong command mode or using the wrong syntax If you want to disable a feature enter...

Page 132: ...A 8 Cisco Secure Router 520 Series Software Configuration Guide OL 14210 01 Appendix A Cisco IOS Software Basic Skills Where to Go Next ...

Page 133: ... ADSL is a technology that allows both data and voice to be transmitted over the same line It is a packet based network technology that allows high speed transmission over twisted pair copper wire on the local loop last mile between a network service provider NSP central office and the customer site or on local loops created within either a building or a campus The benefit of ADSL over a serial or...

Page 134: ... transmitting data In contrast a connection oriented protocol exchanges control information with the remote computer to verify that it is ready to receive data before sending it When the handshaking is successful the computers have established a connection IP relies on protocols in other layers to establish the connection if connection oriented services are required Internet Packet Exchange IPX ex...

Page 135: ...ffice Cisco router is connected to a corporate office Cisco router After the PPP link is established the remote office router repeatedly sends a configured username and password until the corporate office router accepts the authentication PAP has the following characteristics The password portion of the authentication is sent across the link in clear text not scrambled or encrypted PAP provides no...

Page 136: ...ements and the IEEE 802 3 specification was developed in 1980 based on the original Ethernet technology Under the Ethernet CSMA CD media access process any host on a CSMA CD LAN can access the network at any time Before sending data CSMA CD hosts listen for traffic on the network A host wanting to send data waits until it detects no traffic before it transmits Ethernet allows any host on the netwo...

Page 137: ...nts of the data The only requirement is that data be sent to the ATM subsystem of the router in a manner that follows the specific AAL format Dialer Interface A dialer interface assigns PPP features such as authentication and IP address assignment method to a PVC Dialer interfaces are used when configuring PPP over ATM Dialer interfaces can be configured independently of any physical interface and...

Page 138: ...AT functionality within Cisco IOS software IP addresses on the remote LAN are invisible to the Internet The Easy IP Phase 1 feature combines NAT and PPP IPCP With NAT the router translates the nonregistered IP addresses used by the LAN devices into the globally unique IP address used by the dialer interface The ability of multiple LAN devices to use the same globally unique IP address is known as ...

Page 139: ...rnet service provider or an enterprise network IP Precedence You can partition traffic in up to six classes of service using IP Precedence two others are reserved for internal network use The queuing technologies throughout the network can then use this signal to expedite handling Features such as policy based routing and committed access rate CAR can be used to set precedence based on extended ac...

Page 140: ...rred high volume traffic streams share the remaining capacity obtaining equal or proportional bandwidth RSVP RSVP enables routers to reserve enough bandwidth on an interface to ensure reliability and quality performance RSVP allows end systems to request a particular QoS from the network Real time voice traffic requires network consistency Without consistent QoS real time traffic can experience ji...

Page 141: ...ate session filtering by using the established keyword with the permit command The established keyword filters TCP packets based on whether the ACK or RST bits are set Set ACK or RST bits indicate that the packet is not the first in the session and the packet therefore belongs to an established session This filter criterion would be part of an access list applied permanently to an interface ...

Page 142: ...B 10 Cisco Secure Router 520 Series Software Configuration Guide OL 14210 01 Appendix B Concepts Access Lists ...

Page 143: ...or runs the router This appendix contains the following sections Entering the ROM Monitor ROM Monitor Commands Command Descriptions Disaster Recovery with TFTP Download Configuration Register Console Download Debug Commands Exiting the ROM Monitor Entering the ROM Monitor To use the ROM monitor you must be using a terminal or PC that is connected to the router over the console port Perform these s...

Page 144: ... module format Format a filesystem format filessystem frame print out a selected stack frame fsck Check filesystem consistency fsck filesystem help monitor builtin command help history monitor command history meminfo main memory information mkdir Create dir s mkdir dirnames more Concatenate type file s cat filenames rename Rename a file rename old_name new_name repeat repeat a monitor command rese...

Page 145: ...because it erases all existing data in flash memory before downloading a new software image to the router Table C 1 Commonly Used ROM Monitor Commands Command Description help or Displays a summary of all available ROM monitor commands Displays information about command syntax for example rommon 16 dis usage dis addr length The output for this command is slightly different for the xmodem download ...

Page 146: ...ds before using the tftpdnld command Variable Command IP address of the router IP_ADDRESS ip_address Subnet mask of the router IP_SUBNET_MASK ip_address IP address of the default gateway of the router DEFAULT_GATEWAY ip_address IP address of the TFTP server from which the software will be downloaded TFTP_SERVER ip_address Name of the file that will be downloaded to the router TFTP_FILE filename Va...

Page 147: ...ns to download the new file If you mistakenly entered yes you can enter Ctrl C or Break to stop the transfer before the flash memory is erased Configuration Register The virtual configuration register is in nonvolatile RAM NVRAM and has the same functionality as other Cisco routers You can view or modify the virtual configuration register from either the ROM monitor or the operating system softwar...

Page 148: ...er the contents by describing the meaning of each bit In either case the new virtual configuration register value is written into NVRAM but does not take effect until you reset or reboot the router The following display shows an example of entering the confreg command rommon 7 confreg Configuration Summary enabled are console baud 9600 boot the ROM Monitor do you wish to change the configuration y...

Page 149: ...le port Command Description The following are the syntax and descriptions for the xmodem console download command xmodem cyrx destination_file_name Follow these steps to run Xmodem Step 1 Move the image file to the local drive where Xmodem will execute Step 2 Enter the xmodem command c Optional Performs the download using 16 bit cyclic redundancy check CRC 16 error checking to validate packets Def...

Page 150: ...ame 04 FP 0x80005fac PC 0x80008064 Frame 05 FP 0x80005fc4 PC 0xfff03d70 context Displays processor context for example rommon 7 context CPU context of the most recent exception PC 0x801111b0 MSR 0x00009032 CR 0x53000035 LR 0x80113694 CTR 0x801065e4 XER 0xa0006d36 DAR 0xffffffff DSISR 0xffffffff DEC 0xffffffff TBU 0xffffffff TBL 0xffffffff IMMR 0xffffffff R0 0x00000000 R1 0x80005ea8 R2 0xffffffff R...

Page 151: ...in memory starts at 0x10000 size 40896KB IO packet memory size 5 percent of main memory NVRAM size 32KB Exiting the ROM Monitor You must set the configuration register to a value from 0x2 to 0xF for the router to boot a Cisco IOS image from flash memory upon startup or reloading The following example shows how to reset the configuration register and cause the router to boot a Cisco IOS image store...

Page 152: ...C 10 Cisco Secure Router 520 Series Software Configuration Guide OL 14210 01 Appendix C ROM Monitor Exiting the ROM Monitor ...

Page 153: ...b entry 7 ECHO Echo 9 DISCARD Discard 11 USERS Active users 13 DAYTIME Daytime 15 NETSTAT Who is up or NETSTAT 17 QUOTE Quote of the day 19 CHARGEN Character generator 20 FTP DATA File Transfer Protocol data 21 FTP File Transfer Protocol 23 TELNET Terminal connection 25 SMTP Simple Mail Transport Protocol 37 TIME Time 39 RLP Resource Location Protocol 42 NAMESERVER Hostname server 43 NICNAME Who i...

Page 154: ...h Service 119 NNTP Usenet Network News Transfer Protocol 123 NTP Network Time Protocol 126 SNMP Simple Network Management Protocol 137 NETBIOS NS NetBIOS name service 138 NETBIOS DGM NetBIOS datagram service 139 NETBIOS SSN NetBIOS session service 161 SNMP Simple Network Management Protocol 162 SNMP TRAP Simple Network Management Protocol traps 512 rexec UNIX remote execution control 513 TCP rlogi...

Page 155: ...ADSL ATM errors displaying 12 6 events displaying 12 6 interface configuring basic parameters 1 6 interface configuring for PPPoA 4 5 overview B 4 packets displaying 12 7 PVC encapsulation types B 5 queues B 8 troubleshooting commands 12 2 to 12 8 ATM adaptation layer See AAL ATM interface See ATM authentication protocols See PPP authentication protocols AutoSecure 11 2 B b command C 3 b flash com...

Page 156: ...OM monitor C 2 to C 3 ROM monitor debugging C 8 C 9 show atm interface 12 5 show dsl interface atm 4 7 show interface 12 3 stack C 8 sysret C 8 tftpdnld C 3 C 5 undoing A 6 xmodem C 7 command variables listing A 4 TFTP download C 4 committed access rate See CAR configuration changes making A 5 saving 12 11 A 6 configuration examples command line access 1 9 DHCP server 5 4 dynamic routes 1 12 PPPoA...

Page 157: ...12 5 debug atm errors command 12 6 debug atm events command 12 6 12 7 debug atm packet command 12 7 debug commands ROM monitor C 8 C 9 default configuration viewing 1 2 DHCP configuring DHCP server 5 2 IP address assignment 5 1 DHCP and Easy IP Phase 2 B 6 DHCP server configuration example 5 4 configuring router as 5 1 verify configuration 5 4 dialer interface configuring 3 4 4 2 description B 5 d...

Page 158: ...ing up 1 4 GRE tunnel configuration example 7 9 configuring 7 8 group policy configuring 6 4 7 4 H handshake defined B 2 three way B 3 two way B 3 help command C 3 help with commands A 4 hop count defined B 2 I i command C 3 IKE policy configuring 6 3 7 3 inspection rules applying to interfaces 8 4 configuring 8 4 interface configuration mode A 3 interface port labels table 1 3 interleaving PPP B ...

Page 159: ...g defined B 6 P packets ATM displaying 12 7 PAP B 3 parameters setting up global 1 4 Password Authentication Protocol See PAP password protection A 4 passwords recovery 12 9 to 12 12 resetting 12 11 setting A 4 permanent virtual circuit See PVC permit command B 9 ping atm interface command 12 2 Point to Point Protocol See PPP policy based routing B 7 policy lookup enabling 6 6 7 4 7 5 port assignm...

Page 160: ...ing Information Protocol See RIP routing protocol overview B 2 to RST bits B 9 RSVP B 8 S saving configuration changes 12 11 A 6 scenarios network See configuration examples security authentication protocols B 3 security features configuring 11 1 to 11 4 settings router default A 2 standard VT 100 emulation A 2 show atm interface command 12 5 show dsl interface atm command 4 7 show interface comma...

Page 161: ...rify DHCP server configuration 5 4 Easy VPN configuration 6 10 PPPoE with NAT configuration 3 8 VLAN configuration 5 6 viewing default configuration 1 2 virtual configuration register C 5 virtual private dialup network group number configuring 3 2 VLANs configuring 5 1 verify configuration 5 6 VPDN group number configuring 3 2 VPNs configuration example 6 10 configuration tasks 6 2 7 2 configuring...

Page 162: ...Index IN 8 Cisco Secure Router 520 Series Software Configuration Guide OL 14210 01 ...

Reviews:

No comments

Related manuals for 520 Series

Brand: Jabra Pages: 5

Brand: JH Audio Pages: 20

Brand: Jabra Pages: 4

Brand: HiRO Pages: 6

Brand: Asus Pages: 112

Brand: Asus Pages: 46

Brand: Asus Pages: 61

Brand: Asus Pages: 45

REPUBLIC OF GAMERS ROG DELTAS CORE

Brand: Asus Pages: 2

Brand: Asus Pages: 76

Brand: Asus Pages: 43

Brand: Asus Pages: 44

ROG Fusion II 300

Brand: Asus Pages: 46

Rog Fusion II 500

Brand: Asus Pages: 45

Brand: Asus Pages: 48

ROG Strix Fusion 300

Brand: Asus Pages: 44

TUF GAMING H5 LITE

Brand: Asus Pages: 44

REPUBLIC OF GAMERS ROG Delta

Brand: Asus Pages: 4

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands