Cisco OL-6426-02 User Manual

Page 1

Cisco 1800 Series Integrated Services Router (Fixed) Software Installation Guide

Cisco Systems, Inc.

www.cisco.com

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.

Last Revised: February 19, 2014 Text Part Number: OL-6426-02

Page 2

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If the equipment causes interference to radio or television reception, which can be determined by turning the equipment off and on, users are encouraged to try to correct the interference by using one or more of the following measures:

• Reorient or relocate the receiving antenna.

• Increase the separation between the equipment and receiver.

• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.

• Consult the dealer or an experienced radio/TV technician for help.

Modifications to this product not authorized by Cisco could void the FCC approval and negate your authority to operate the product.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Cisco 1800 Series Integrated Services Router (Fixed) Software Installation Guide

Page 3

Preface 11

Audience 1-11

Organization 1-12

Conventions 1-13

Notes, Cautions, and Timesavers 1-13 Command Conventions 1-13

Preface

This software configuration guide provides instructions for using the Cisco command-line interface (CLI) to configure features of the following Cisco 1800 series integrated services fixed-configuration routers:

• Cisco 1801, Cisco 1802, and Cisco 1803 DSL Access Routers

• Cisco 1811 and Cisco 1812 Ethernet Access Routers

Audience

This preface describes the intended audience, the organization of this guide, and the text and command conventions used throughout the guide. The preface includes the following topics:

• Audience

• Organization

• Conventions

• Related Documents

• Obtaining Documentation

• Documentation Feedback

• Obtaining Technical Assistance

• Obtaining Additional Publications and Information

This guide is intended for network administrators whose backgrounds vary from having no or little experience in configuring routers to having a high level of experience. You can use this guide in the following situations:

• You have configured the software by using the Cisco Router Web Setup tool, and you want to

configure additional advanced software features by using the command-line interface (CLI).

• You want to configure the software using only the CLI.

OL-6426-02

Note We strongly recommend that network administrators with minimal familiarity with Cisco routers use the

Cisco Router and Security Device Manager (SDM)—a web-based configuration tool that allows you to configure LAN and WAN interfaces, routing, Network Address Translation (NAT), firewalls, VPNs, and other features on your router. To obtain the SDM release notes and other SDM documentation, go to

http://www.cisco.com/go/sdm and click the Technical Documentation link.

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

Page 12

Organization

See the “Organization” section of this preface to help you decide which chapters contain the information you need to configure your router.

Organization

Table 1 lists the topics covered by this guide.

Table 1 Document Organization

Chapter Title Description

Chapter 1 Basic Router Configuration Describes how to configure basic router features and

interfaces.

Chapter 2 Sample Network Deployments Provides a road map for possible network deployments.

Chapter 3 Configuring PPP over Ethernet with NAT Provides instructions on how to configure PPPoE with

Network Address Translation (NAT) on your Cisco router.

Chapter 4 Configuring PPP over ATM with NAT Provides instructions on how to configure PPPoA with

Network Address Translation (NAT) on your Cisco router.

Chapter 5 Configuring a LAN with DHCP and VLANs Provides instructions on how to configure your Cisco router

with multiple VLANs and to act as a DHCP server.

Chapter 6 Configuring a VPN Using Easy VPN and an

IPSec Tunnel

Chapter 7 Configuring VPNs Using an IPSec Tunnel

and Generic Routing Encapsulation

Chapter 8 Configuring a Simple Firewall Provides instructions on how to configure a basic firewall on

Chapter 9 Configuring a Wireless LAN Connection Provides instructions on how to configure a wireless LAN.

Chapter 10 Sample Configuration Presents a summary configuration example showing features

Chapter 11 Additional Configuration Options Provides a road map for Part 3.

Chapter 12 Configuring Security Features Explains basic configuration of Cisco IOS security features,

Chapter 13 Configuring Dial Backup and Remote

Management

Chapter 14 Troubleshooting Provides information on identifying and solving problems,

Appendix A Cisco IOS Software Basic Skills Explains what you need to know about Cisco IOS software

Appendix B Concepts Provides general concept explanations of features.

Appendix C ROM Monitor Describes the use of the ROM Monitor (ROMMON) utility.

Appendix D Common Port Assignments Describes the currently assigned Transmission Control

Index

Provides instructions on how to configure a virtual private network (VPN) with a secure IP tunnel using the Cisco Easy VPN.

Provides instructions on how to configure a VPN with a secure IP tunnel and generic routing encapsulation (GRE).

your Cisco router.

configured in the preceding chapters of this part of the guide.

including firewall and VPN configuration.

Provides instructions on how to configure your Cisco router for dial backup and remote management.

such as how to recover a lost software password.

before you begin to configure it.

Protocol (TCP) and User Datagram Protocol (UDP) port numbers.

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

OL-6426-02

Page 13

Conventions

This guide uses the conventions described in the following sections for instructions and information.

Notes, Cautions, and Timesavers

Notes, cautions and time-saving tips use the following conventions and symbols:

Note Means reader take note. Notes contain helpful suggestions or references to materials not contained in

this guide.

Caution This caution symbol means reader be careful. In this situation, you might do something that could result

in equipment damage or loss of data.

Conventions

Timesaver This symbol means the described action saves time.

Command Conventions

Table 2 describes the command syntax used in this guide.

Table 2 Command Syntax Conventions

Convention Description

boldface Commands and keywords.

italic Command input that is supplied by you.

[ ] Optional keywords and default responses to system

{x | x | x} A choice of keywords (represented by x) appears in

^ or Ctrl Represents the key labeled Control. For example,

screen font

boldface screen font

prompts appear within square brackets.

braces separated by vertical bars. You must select one.

when you read ^D or Ctrl-D, you should hold down the Control key while you press the D key.

Examples of information displayed on the screen.

Examples of information that you must enter.

OL-6426-02

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

Page 14

Obtaining Documentation

Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

You can access international Cisco websites at this URL:

http://www.cisco.com/public/countries_languages.shtml

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

OL-6426-02

Page 15

Documentation DVD

Cisco documentation and additional literature are available in a Documentation DVD package, which may have shipped with your product. The Documentation DVD is updated regularly and may be more current than printed documentation. The Documentation DVD package is available as a single unit.

Registered Cisco.com users (Cisco direct customers) can order a Cisco Documentation DVD (product number DOC-DOCDVD=) from the Ordering tool or Cisco Marketplace.

Cisco Ordering tool:

http://www.cisco.com/en/US/partner/ordering/

Cisco Marketplace:

http://www.cisco.com/go/marketplace/

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

Documentation Feedback

You can order Cisco documentation in these ways:

• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from

the Ordering tool:

http://www.cisco.com/en/US/partner/ordering/

• Nonregistered Cisco.com users can order documentation through a local account representative by

calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 1 800 553-NETS (6387).

Documentation Feedback

You can send comments about technical documentation to bug-doc@cisco.com.

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems Attn: Customer Document Ordering 170 West Tasman Drive San Jose, CA 95134-9883

We appreciate your comments.

Cisco Product Security Overview

Cisco provides a free online Security Vulnerability Policy portal at this URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

From this site, you can perform these tasks:

• Report security vulnerabilities in Cisco products.

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

OL-6426-02

Page 16

Obtaining Technical Assistance

• Obtain assistance with security incidents that involve Cisco products.

• Register to receive security information from Cisco.

A current list of security advisories and notices for Cisco products is available at this URL:

http://www.cisco.com/go/psirt

If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL:

http://www.cisco.com/en/US/products/products_psirt_rss_feed.html

Reporting Security Problems in Cisco Products

Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you might have identified a vulnerability in a Cisco product, contact PSIRT:

• Emergencies— security-alert@cisco.com

• Nonemergencies— psirt@cisco.com

Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive

information that you send to Cisco. PSIRT can work from encrypted information that is compatible with PGP versions 2.x through 8.x.

Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one that has the most recent creation date in this public key server list:

http://pgp.mit.edu:11371/pks/lookup?search=psirt%40cisco.com&op=index&exact=on

In an emergency, you can also reach PSIRT by telephone:

• 1 877 228-7302

• 1 408 525-6532

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.

Cisco Technical Support Website

The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year, at this URL:

http://www.cisco.com/techsupport

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

OL-6426-02

Page 17

Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:

http://tools.cisco.com/RPF/register/register.do

Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting

a web or phone request for service. You can access the CPI tool from the Cisco Technical Support Website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product

Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID

or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.

Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:

Obtaining Technical Assistance

http://www.cisco.com/techsupport/servicerequest

For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.

To open a service request by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227) EMEA: +32 2 704 55 55 USA: 1 800 553-2447

For a complete list of Cisco TAC contacts, go to this URL:

http://www.cisco.com/techsupport/contacts

Definitions of Service Request Severity

To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.

Severity 1 (S1)—Your network is “down,” or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

OL-6426-02

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

Page 18

Obtaining Additional Publications and Information

Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

• Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit

Cisco Marketplace, the company store, at this URL:

http://www.cisco.com/go/marketplace/

• Cisco Press publishes a wide range of general networking, training and certification titles. Both new

and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:

http://www.ciscopress.com

• Pack et magazine is the Cisco Systems technical user magazine for maximizing Internet and

networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:

http://www.cisco.com/packet

• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering

professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:

http://www.cisco.com/ipj

• World-class networking training is available from Cisco. You can view current offerings at

this URL:

http://www.cisco.com/en/US/learning/index.html

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

OL-6426-02

Page 19

ART

Getting Started

Page 20

Page 21

CHA PTER

Basic Router Configuration

This chapter provides procedures for configuring the basic parameters of your Cisco router, including global parameter settings, routing protocols, interfaces, and command-line access. It also describes the default configuration on startup. Note that individual router models may not support every feature described throughout this guide. Features not supported by a particular router are indicated whenever possible.

This chapter contains the following sections:

• Interface Port Labels

• Viewing the Default Configuration

• Information Needed for Configuration

• Configuring Basic Parameters

• Configuring Static Routes

• Configuring Dynamic Routes

• Configuring Enhanced IGRP

Each section includes a configuration example and verification steps, as available.

For complete information on how to access global configuration mode, see the “Entering Global

Configuration Mode” section in Appendix A, “Cisco IOS Basic Skills.” For more information on the

commands used in the following tables, see the Cisco IOS Release 12.3 documentation set.

Interface Port Labels

Table 1-1 lists the interfaces supported for each router and their associated port labels on the equipment.

Table 1-1 Supported Interfaces and Associated Port Labels by Cisco Router

Router Interface Port Label

Cisco 1801 Fast Ethernet LANs SWITCH and FE8–FE5 (top), FE x and

FE4–FE1 (bottom)

Fast Ethernet WANs FE0

ATM WAN ADSLoPOTS

Wireless LAN LEFT, RIGHT/PRIMARY

BRI ISDN S/T

OL-6426-02

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

1-1

Page 22

Viewing the Default Configuration

Table 1-1 Supported Interfaces and Associated Port Labels by Cisco Router (continued)

Router Interface Port Label

Cisco 1802 Fast Ethernet LANs SWITCH and FE8–FE5 (top), FE x and

Cisco 1803 Fast Ethernet LANs SWITCH and FE8–FE5 (top), FE x and

Cisco 1811 Fast Ethernet LANs SWITCH and FE9–FE6 (top), FE x and

Cisco 1812 Fast Ethernet LANs SWITCH and FE9–FE6 (top), FE x and

Chapter 1 Basic Router Configuration

FE4–FE1 (bottom)

Fast Ethernet WANs FE0

ATM WAN ADSLoISDN

Wireless LAN LEFT, RIGHT/PRIMARY

BRI ISDN S/T

FE4–FE1 (bottom)

Fast Ethernet WANs FE0

ATM WAN G . SH D SL

Wireless LAN LEFT, RIGHT/PRIMARY

BRI ISDN S/T

FE5–FE2 (bottom)

Fast Ethernet WANs FE0–FE1

Wireless LAN LEFT, RIGHT/PRIMARY

USB 1–0

V. 9 2 M OD EM

FE5–FE2 (bottom)

Fast Ethernet WANs FE0–FE1

Wireless LAN LEFT, RIGHT/PRIMARY

BRI ISDN S/T

USB 1–0

Viewing the Default Configuration

When you first boot up your Cisco router, some basic configuration has already been performed. All of the LAN and WAN interfaces have been created, console and VTY ports are configured, and the inside interface for Network Address Translation has been assigned. Use the show running-config command to view the initial configuration, as shown in Example 1-1.

Note If you are unable to view the initial configuration and you get a No Password Set error message, you

must reset the initial password. For details, see the “Recovering a Lost Password” section in Chapter 14,

“Troubleshooting”.

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

1-2

OL-6426-02

Page 23

Chapter 1 Basic Router Configuration

Example 1-1 Cisco 1812 Default Configuration on Startup

version 12.3 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname Router ! boot-start-marker boot-end-marker ! mmi polling-interval 60 no mmi auto-configure no mmi pvc mmi snmp-timeout 180 no aaa new-model ip subnet-zero ! ip cef ! ip ips po max-events 100 no ftp-server write-enable ! interface BRI0 no ip address shutdown ! interface FastEthernet0 no ip address shutdown duplex auto speed auto ! interface FastEthernet1 no ip address shutdown duplex auto speed auto ! interface FastEthernet2 no ip address shutdown ! interface FastEthernet3 no ip address shutdown ! interface FastEthernet4 no ip address shutdown ! interface FastEthernet5 no ip address shutdown ! interface FastEthernet6 no ip address shutdown ! interface FastEthernet7 no ip address shutdown !

Viewing the Default Configuration

OL-6426-02

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

1-3

Page 24

Information Needed for Configuration

interface FastEthernet8 no ip address shutdown ! interface FastEthernet9 no ip address shutdown ! interface Vlan1 no ip address ! ip classless ! no ip http server no ip http secure-server ! control-plane ! line con 0 line aux 0 line vty 0 4 ! no scheduler allocate end

Chapter 1 Basic Router Configuration

Information Needed for Configuration

You need to gather some or all of the following information, depending on your planned network scenario, prior to configuring your network

• If you are setting up an Internet connection, gather the following information:

–

Point-to-Point Protocol (PPP) client name that is assigned as your login name

–

PPP authentication type: Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP)

–

PPP password to access your Internet service provider (ISP) account

–

DNS server IP address and default gateways

• If you are setting up a connection to a corporate network, you and the network administrator must

generate and share the following information for the WAN interfaces of the routers:

–

PPP authentication type: CHAP or PAP

–

PPP client name to access the router

–

PPP password to access the router

• If you are setting up IP routing:

–

Generate the addressing scheme for your IP network.

–

Determine the IP routing parameter information, including IP address, and ATM permanent virtual circuits (PVCs). These PVC parameters are typically virtual path identifier (VPI), virtual circuit identifier (VCI), and traffic shaping parameters.

1-4

–

Determine the number of PVCs that your service provider has given you, along with their VPIs and VCIs.

–

For each PVC determine the type of AAL5 encapsulation supported. It can be one of the following:

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

OL-6426-02

Page 25

Chapter 1 Basic Router Configuration

AAL5SNAP—This can be either routed RFC 1483 or bridged RFC 1483. For routed RFC 1483, the service provider must provide you with a static IP address. For bridged RFC 1483, you may use DHCP to obtain your IP address, or you may obtain a static IP address from your service provider.

AAL5MUX PPP—With this type of encapsulation, you need to determine the PPP-related configuration items.

• If you plan to connect over an ADSL or G.SHDSL line:

–

Order the appropriate line from your public telephone service provider.

For ADSL lines—Ensure that the ADSL signaling type is DMT (also called ANSI T1.413) or DMT Issue 2.

For G.SHDSL lines—Verify that the G.SHDSL line conforms to the ITU G.991.2 standard and supports Annex A (North America) or Annex B (Europe).

Once you have collected the appropriate information, you can perform a full configuration on your router, beginning with the tasks in the “Configuring Basic Parameters” section.

Configuring Basic Parameters

To configure the router, perform one or more of these tasks:

• Configure Global Parameters

• Configure Fast Ethernet LAN Interfaces

• Configure WAN Interfaces

• Configuring a Loopback Interface

• Configuring Command-Line Access to the Router

A configuration example is presented with each task to show the network configuration following completion of that task.

OL-6426-02

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

1-5

Page 26

Configuring Basic Parameters

Configure Global Parameters

Perform these steps to configure selected global parameters for your router:

Command Purpose

Step 1

configure terminal

Example:

Router> enable Router# configure terminal Router(config)#

Chapter 1 Basic Router Configuration

Enters global configuration mode, when using the console port.

If you are connecting to the router using a remote terminal, use the following:

telnet router name or address Login: login id Password: ********* Router> enable

Step 2

Step 3

Step 4

hostname name

Example:

Router(config)# hostname Router Router(config)#

enable secret password

Specifies the name for the router.

Specifies an encrypted password to prevent unauthorized access to the router.

Example:

Router(config)# enable secret cr1ny5ho Router(config)#

no ip domain-lookup

Disables the router from translating unfamiliar words (typos) into IP addresses.

Example:

Router(config)# no ip domain-lookup Router(config)#

For complete information on the global parameter commands, see the Cisco IOS Release 12.3 documentation set.

Configure Fast Ethernet LAN Interfaces

The Fast Ethernet LAN interfaces on your router are automatically configured as part of the default VLAN and as such, they are not configured with individual addresses. Access is afforded through the VLAN. You may assign the interfaces to other VLANs if desired. For more information about creating VLANs, see Chapter 5, “Configuring a LAN with DHCP and VLANs.”

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

1-6

OL-6426-02

Page 27

Chapter 1 Basic Router Configuration

Configure WAN Interfaces

The Cisco 1811 and Cisco 1812 routers each have two Fast Ethernet interfaces for WAN connection. The Cisco 1801, Cisco 1802, and Cisco 1803 routers each have one ATM interface for WAN connection.

Based on the router model you have, configure the WAN interface(s) using one of the following procedures:

• Configure the Fast Ethernet WAN Interface

• Configure the ATM WAN Interface

Configure the Fast Ethernet WAN Interface

This procedure applies only to the Cisco 1811 and Cisco 1812 router models. Perform these steps to configure the Fast Ethernet interfaces, beginning in global configuration mode.

Command Purpose

Step 1

interface type number

Example:

Router(config)#interface fastethernet 0 Router(config-int)#

Configuring Basic Parameters

Enters the configuration mode for a Fast Ethernet WAN interface on the router.

Note Fast Ethernet WAN ports are numbered

0–1 on the Cisco 1800 series routers.

Step 2

ip address ip-address mask

Sets the IP address and subnet mask for the specified Fast Ethernet interface.

Example:

Router(config-int)# ip address 192.1.12.2

255.255.255.0

Router(config-int)#

Step 3

no shutdown

Enables the Ethernet interface, changing its state from administratively down to administratively up.

Exits interface configuration mode and returns

Step 4

Example:

Router(config-int)# no shutdown Router(config-int)#

exit

to global configuration mode.

Example:

Router(config-int)# exit Router(config)#

Repeat these steps for the other Fast Ethernet WAN interface if desired.

Note Due to a limitation on the internal transceiver of the on-board layer-3 Fast Ethernet interfaces available

on Cisco 1812 Ethernet Access Routers, configuring the interface with a speed of 10 Mbps may cause some CRC errors to appear on the interface. This is an expected behavior of the Cisco 1812 routers on-board layer-3 Fast Ethernet interface.

OL-6426-02

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

1-7

Page 28

Configuring Basic Parameters

Configure the ATM WAN Interface

This procedure applies only to the Cisco 1801, Cisco 1802, and Cisco 1803 models.

Perform these steps to configure the ATM interface, beginning in global configuration mode:

Command Purpose

Step 1

For the Cisco 1803 only:

controller dsl 0 mode atm exit

Example:

Router(config)# controller dsl 0 Router(config-controller)# mode atm Router(config-controller)# exit Router(config)#

Chapter 1 Basic Router Configuration

For routers using the G.SHDSL signaling, perform these commands. Ignore this step for routers using ADSL signaling.

Step 2

Step 3

Step 4

Step 5

interface type number

Example:

Router(config)# interface atm0 Router(config-int)#

ip address ip-address mask

Example:

Router(config-int)# ip address

200.200.100.1 255.255.255.0

Router(config-int)#

no shutdown

Example:

Router(config-int)# no shutdown Router(config-int)#

exit

Example:

Router(config-int)# exit Router(config)#

Enters interface configuration mode.

Sets the IP address and subnet mask for the ATM interface.

Enables the ATM 0 interface.

Exits interface configuration mode and returns to global configuration mode.

1-8

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

OL-6426-02

Page 29

Chapter 1 Basic Router Configuration

Configure the Wireless Interface

The wireless interface enables connection to the router through a wireless LAN connection. For more information about configuring a wireless connection, see Chapter 9, “Configuring a Wireless LAN

Connection” and the Cisco Access Router Wireless Configuration Guide.

Configuring a Loopback Interface

The loopback interface acts as a placeholder for the static IP address and provides default routing information.

For complete information on the loopback commands, see the Cisco IOS Release 12.3 documentation set.

Perform these steps to configure a loopback interface:

Command Purpose

Step 1

interface type number

Configuring Basic Parameters

Enters interface configuration mode.

Example:

Router(config)# interface Loopback 0 Router(config-int)#

Step 2

Step 3

ip address ip-address mask

Example:

Router(config-int)# ip address 10.108.1.1

255.255.255.0

Router(config-int)#

exit

Example:

Router(config-int)# exit Router(config)#

Configuration Example

The loopback interface in this sample configuration is used to support Network Address Translation (NAT) on the virtual-template interface. This configuration example shows the loopback interface configured on the Fast Ethernet interface with an IP address of 200.200.100.1/24, which acts as a static IP address. The loopback interface points back to virtual-template1, which has a negotiated IP address.

! interface loopback 0 ip address 200.200.100.1 255.255.255.0 (static IP address) ip nat outside ! interface Virtual-Template1 ip unnumbered loopback0 no ip directed-broadcast ip nat outside

Sets the IP address and subnet mask for the loopback interface.

Exits configuration mode for the loopback interface and returns to global configuration mode.

OL-6426-02

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

1-9

Page 30

Configuring Basic Parameters

Verifying Your Configuration

To verify that you have properly configured the loopback interface, enter the show interface loopback command. You should see verification output similar to the following example.

Router# show interface loopback 0 Loopback0 is up, line protocol is up Hardware is Loopback Internet address is 200.200.100.1/24 MTU 1514 bytes, BW 8000000 Kbit, DLY 5000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation LOOPBACK, loopback not set Last input never, output never, output hang never Last clearing of "show interface" counters never Queueing strategy: fifo Output queue 0/0, 0 drops; input queue 0/75, 0 drops 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 0 packets input, 0 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 0 packets output, 0 bytes, 0 underruns 0 output errors, 0 collisions, 0 interface resets 0 output buffer failures, 0 output buffers swapped out

Chapter 1 Basic Router Configuration

Another way to verify the loopback interface is to ping it:

Router# ping 200.200.100.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 200.200.100.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Configuring Command-Line Access to the Router

Perform these steps to configure parameters to control access to the router, beginning in global configuration mode:

Command Purpose

Step 1

Step 2

line [aux | console | tty | vty] line-number

Example:

Router(config)# line console 0 Router(config)#

password password

Example:

Router(config)# password 5dr4Hepw3 Router(config)#

Enters line configuration mode, and specifies the type of line.

This example specifies a console terminal for access.

Specifies a unique password for the console terminal line.

1-10

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

OL-6426-02

Page 31

Chapter 1 Basic Router Configuration

Command Purpose

Step 3

Example:

Router(config)# login Router(config)#

Configuring Basic Parameters

Enables password checking at terminal session login.

Step 4

Step 5

Step 6

Step 7

exec-timeout minutes [seconds]

Example:

Router(config)# exec-timeout 5 30 Router(config)#

line [aux | console | tty | vty] line-number

Example:

Router(config)# line vty 0 4 Router(config)#

password password

Example:

Router(config)# password aldf2ad1 Router(config)#

Example:

Router(config)# login Router(config)#

Sets the interval that the EXEC command interpreter waits until user input is detected. The default is 10 minutes. Optionally, add seconds to the interval value.

This example shows a timeout of 5 minutes and 30 seconds. Entering a timeout of 0 0 specifies never to time out.

Specifies a virtual terminal for remote console access.

Specifies a unique password for the virtual terminal line.

Enables password checking at the virtual terminal session login.

OL-6426-02

Step 8

end

Exits line configuration mode, and returns to privileged EXEC mode.

Example:

Router(config)# end Router#

For complete information about the command line commands, see the Cisco IOS Release 12.3 documentation set.

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

1-11

Page 32

Configuring Static Routes

Configuration Example

The following configuration shows the command-line access commands.

You do not need to input the commands marked “default.” These commands appear automatically in the configuration file generated when you use the show running-config command.

! line con 0 exec-timeout 10 0 password 4youreyesonly login transport input none (default) stopbits 1 (default) line vty 0 4 password secret login !

Configuring Static Routes

Chapter 1 Basic Router Configuration

Step 1

Step 2

Static routes provide fixed routing paths through the network. They are manually configured on the router. If the network topology changes, the static route must be updated with a new route. Static routes are private routes, unless they are redistributed by a routing protocol. Configuring static routes on the Cisco 1800 series routers is optional.

Perform these steps to configure static routes, beginning in global configuration mode:

Command Purpose

ip route prefix mask {ip-address | interface-type interface-number [ip-address]}

Example:

Router(config)# ip route 192.168.1.0

255.255.0.0 10.10.10.2

Router(config)#

end

Specifies the static route for the IP packets.

For details about this command and additional parameters that can be set, see the Cisco IOS IP

Command Reference, Volume 2 of 4: Routing Protocols.

Exits router configuration mode, and enters privileged EXEC mode.

Example:

Router(config)# end Router#

For complete information on the static routing commands, see the Cisco IOS Release 12.3 documentation set. For more general information on static routing, see Appendix B, “Concepts.”

1-12

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

OL-6426-02

Page 33

Chapter 1 Basic Router Configuration

Configuration Example

In the following configuration example, the static route sends out all IP packets with a destination IP address of 192.168.1.0 and a subnet mask of 255.255.255.0 on the Fast Ethernet interface to another device with an IP address of 10.10.10.2. Specifically, the packets are sent to the configured PVC.

You do not need to enter the commands marked “(default).” These commands appear automatically in the configuration file generated when you use the show running-config command.

! ip classless (default) ip route 192.168.1.0 255.255.255.0 10.10.10.2!

Verifying Your Configuration

To verify that you have properly configured static routing, enter the show ip route command and look for static routes signified by the “S.”

You should see verification output similar to the following example.

Router# show ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route

Configuring Dynamic Routes

Gateway of last resort is not set

10.0.0.0/24 is subnetted, 1 subnets C 10.108.1.0 is directly connected, Loopback0 S* 0.0.0.0/0 is directly connected, FastEthernet0

Configuring Dynamic Routes

In dynamic routing, the network protocol adjusts the path automatically, based on network traffic or topology. Changes in dynamic routes are shared with other routers in the network.

The Cisco routers can use IP routing protocols, such as Routing Information Protocol (RIP) or Enhanced Interior Gateway Routing Protocol (EIGRP), to learn routes dynamically. You can configure either of these routing protocols on your router.

OL-6426-02

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

1-13

Page 34

Configuring Dynamic Routes

Configuring RIP

Perform these steps to configure the RIP routing protocol on the router, beginning in global configuration mode:

Step 1

Command Task

router rip

Example:

Router> configure terminal Router(config)# router rip Router(config-router)#

Enters router configuration mode, and enables RIP on the router.

Chapter 1 Basic Router Configuration

Step 2

Step 3

Step 4

Step 5

version {1 | 2}

Example:

Router(config-router)# version 2 Router(config-router)#

network ip-address

Example:

Router(config-router)# network 192.168.1.1 Router(config-router)# network 10.10.7.1 Router(config-router)#

no auto-summary

Example:

Router(config-router)# no auto-summary Router(config-router)#

end

Example:

Router(config-router)# end Router#

Specifies use of RIP version 1 or 2.

Specifies a list of networks on which RIP is to be applied, using the address of the network of directly connected networks.

Disables automatic summarization of subnet routes into network-level routes. This allows subprefix routing information to pass across classful network boundaries.

Exits router configuration mode, and enters privileged EXEC mode.

1-14

For complete information on the dynamic routing commands, see the Cisco IOS Release 12.3 documentation set. For more general information on RIP, see Appendix B, “Concepts.”

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

OL-6426-02

Page 35

Chapter 1 Basic Router Configuration

Configuration Example

The following configuration example shows RIP version 2 enabled in IP network 10.0.0.0 and

192.168.1.0.

Execute the show running-config command from privileged EXEC mode to see this configuration.

! router rip version 2 network 10.0.0.0 network 192.168.1.0 no auto-summary !

Verifying Your Configuration

To verify that you have properly configured RIP, enter the show ip route command and look for RIP routes signified by “R.” You should see a verification output like the example shown below.

Configuring Enhanced IGRP

Gateway of last resort is not set

10.0.0.0/24 is subnetted, 1 subnets C 10.108.1.0 is directly connected, Loopback0 R 3.0.0.0/8 [120/1] via 2.2.2.1, 00:00:02, Ethernet0/0

Configuring Enhanced IGRP

Perform these steps to configure Enhanced IGRP (EIGRP), beginning in global configuration mode:

Command Purpose

Step 1

router eigrp as-number

Example:

Router(config)# router eigrp 109 Router(config)#

Enters router configuration mode, and enables EIGRP on the router. The autonomous-system number identifies the route to other EIGRP routers and is used to tag the EIGRP information.

OL-6426-02

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

1-15

Page 36

Configuring Enhanced IGRP

Command Purpose

Step 2

network ip-address

Example:

Router(config)# network 192.145.1.0 Router(config)# network 10.10.12.115 Router(config)#

Chapter 1 Basic Router Configuration

Specifies a list of networks on which EIGRP is to be applied, using the IP address of the network of directly connected networks.

Step 3

end

Example:

Router(config-router)# end Router#

For complete information on the IP EIGRP commands, see the Cisco IOS Release 12.3 documentation set. For more general information on EIGRP concepts, see Appendix B, “Concepts.”

Configuration Example

The following configuration example shows the EIGRP routing protocol enabled in IP networks

192.145.1.0 and 10.10.12.115. The EIGRP autonomous system number is assigned as 109.

Execute the show running-config command from privileged EXEC mode to see this configuration.

! router eigrp 109

network 192.145.1.0

network 10.10.12.115

Exits router configuration mode, and enters privileged EXEC mode.

Verifying Your Configuration

To verify that you have properly configured IP EIGRP, enter the show ip route command, and look for EIGRP routes indicated by “D.” You should see verification output similar to the following example.

Gateway of last resort is not set

10.0.0.0/24 is subnetted, 1 subnets C 10.108.1.0 is directly connected, Loopback0 D 3.0.0.0/8 [90/409600] via 2.2.2.1, 00:00:02, Ethernet0/0

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

1-16

OL-6426-02

Page 37

ART

Configuring Your Router for Ethernet and DSL Access

Page 38

Page 39

CHA PTER

Sample Network Deployments

This part of the software configuration guide presents a variety of possible Ethernet- and Digital Subscriber Line (DSL)-based network configurations using Cisco 1800 series routers. Each scenario is described with a network topology, a step-by-step procedure that is used to implement the network configuration, and a configuration example that shows the results of the configuration. The Cisco 1811 and Cisco 1812 router models can be used in the Ethernet-based scenarios and the Cisco 1801, Cisco 1802, and Cisco 1803 router models can be used in the DSL-based scenarios.

The first network scenario provides a simple network configuration: point-to-point protocol (PPP) over the WAN interface with Network Address Translation (NAT). Each successive scenario builds on the previous scenario by configuring another key feature.

The scenarios do not address all of the possible network needs; instead, they provide models on which you can pattern your network. You can choose not to use features presented in the examples, or you can add or substitute features that better suit your needs.

To verify that a specific feature is compatible with your router, you can use the Software Advisor tool. You can access this tool at www.cisco.com > Technical Support & Documentation > Tools & Resources with your Cisco username and password.

For Ethernet-Based Network Deployments

Use the following configuration examples to assist you in configuring your router for Ethernet-based networks.

• Chapter 3, “Configuring PPP over Ethernet with NAT”

• Chapter 5, “Configuring a LAN with DHCP and VLANs”

• Chapter 6, “Configuring a VPN Using Easy VPN and an IPSec Tunnel”

• Chapter 7, “Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation”

• Chapter 8, “Configuring a Simple Firewall”

For DSL-Based Network Deployments

Use the following configuration examples to assist you in configuring your router for DSL-based networks.

• Chapter 4, “Configuring PPP over ATM with NAT”

• Chapter 5, “Configuring a LAN with DHCP and VLANs”

• Chapter 6, “Configuring a VPN Using Easy VPN and an IPSec Tunnel”

• Chapter 7, “Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation”

• Chapter 8, “Configuring a Simple Firewall”

OL-6426-02

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

2-1

Page 40

Chapter 2 Sample Network Deployments

2-2

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

OL-6426-02

Page 41

Internet

CHA PTER

Configuring PPP over Ethernet with NAT

The Cisco 1811 and Cisco 1812 integrated services fixed-configuration routers support Point-to-Point Protocol over Ethernet (PPPoE) clients and network address translation (NAT).

Multiple PCs can be connected to the LAN behind the router. Before the traffic from these PCs is sent to the PPPoE session, it can be encrypted, filtered, and so forth. Figure 3-1 shows a typical deployment scenario with a PPPoE client and NAT configured on the Cisco router.

Figure 3-1 PPP over Ethernet with NAT

1 Multiple networked devices—desktops, laptop PCs, switches

2 Fast Ethernet LAN interface (inside interface for NAT)

3 PPPoE client—Cisco 1811 or Cisco 1812 integrated services router

4 Point at which NAT occurs

5 Fast Ethernet WAN interface (outside interface for NAT)

OL-6426-02

6 Cable modem or other server (for example, a Cisco 6400 server) that is connected to the Internet

7 PPPoE session between the client and a PPPoE server

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

3-1

Page 42

Configure the Virtual Private Dialup Network Group Number

PPPoE

The PPPoE Client feature on the router provides PPPoE client support on Ethernet interfaces. A dialer interface must be used for cloning virtual access. Multiple PPPoE client sessions can be configured on an Ethernet interface, but each session must use a separate dialer interface and a separate dialer pool.

A PPPoE session is initiated on the client side by the Cisco 1800 series router. An established PPPoE client session can be terminated in one of two ways:

• By entering the clear vpdn tunnel pppoe command. The PPPoE client session terminates, and the

PPPoE client immediately tries to reestablish the session. This also occurs if the session has a timeout.

• By entering the no pppoe-client dial-pool number command to clear the session. The PPPoE client

does not attempt to reestablish the session.

NAT

NAT (represented as the dashed line at the edge of the Cisco router) signifies two addressing domains and the inside source address. The source list defines how the packet travels through the network.

Configuration Tasks

Perform the following tasks to configure this network scenario:

Chapter 3 Configuring PPP over Ethernet with NAT

• Configure the Virtual Private Dialup Network Group Number

• Configure the Fast Ethernet WAN Interfaces

• Configure the Dialer Interface

• Configure Network Address Translation

An example showing the results of these configuration tasks is shown in the section “Configuration

Example.”

Configure the Virtual Private Dialup Network Group Number

Configuring a virtual private dialup network (VPDN) enables multiple clients to communicate through the router by way of a single IP address.

Complete the following steps to configure a VPDN, starting from the global configuration mode. See the

“Configure Global Parameters” section on page 1-6 for details about entering this mode.

Command or Action Purpose

Step 1

vpdn enable

Example:

Router(config)# vpdn enable Router(config-vpdn)#

Enables VPDN on the router.

3-2

Step 2

vpdn group name

Creates and associates a VPDN group with a customer or VPDN profile.

Example:

Router(config-vpdn)# vpdn group 1 Router(config-vpdn-grp)#

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

OL-6426-02

Page 43

Chapter 3 Configuring PPP over Ethernet with NAT

Command or Action Purpose

Step 3

request-dialin

Example:

Router(config-vpdn-grp)# request-dialin Router(config-vpdn-grp)#

Configure the Fast Ethernet WAN Interfaces

Creates a request-dialin VPDN subgroup, indicating the dialing direction, and initiates the tunnel.

Step 4

Step 5

Step 6

Step 7

initiate to ip ip-address

Example:

Router(config-vpdn-grp)# initiate to

192.168.1.1

Router(config-vpdn-grp)#

protocol {l2f | l2tp | pppoe | any}

Example:

Router(config-vpdn-grp)# protocol pppoe Router(config-vpdn-grp)#

exit

Example:

Router(config-vpdn-grp)# exit Router(config-vpdn)#

exit

Example:

Router(config-vpdn)# exit Router(config)#

Specifies the address to which requests are tunneled.

For details about this command and additional parameters that can be set, see the Cisco IOS Dial

Technologies Command Reference.

Specifies the type of sessions the VPDN subgroup can establish.

Exits VPDN group configuration.

Exits VPDN configuration, returning to global configuration mode.

Configure the Fast Ethernet WAN Interfaces

In this scenario, the PPPoE client (your Cisco router) communicates over a 10/100-Mbps Ethernet interface on both the inside and the outside.

Note The Cisco 1800 series integrated services fixed-configuration routers have a hardware limitation on the

Fast Ethernet ports FE0 and FE1. In half-duplex mode, when traffic reaches or exceeds 100% capacity (equal to or greater than 5 Mbps in each direction), the interface experiences excessive collisions and resets every second. To avoid this problem, you must limit the traffic capacity to less than 100%.

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

OL-6426-02

3-3

Page 44

Configure the Fast Ethernet WAN Interfaces

Perform these steps to configure the Fast Ethernet WAN interfaces, starting in global configuration mode:

Command Purpose

Step 1

interface type number

Example:

Router(config)#interface fastethernet 0 Router(config-if)#

Chapter 3 Configuring PPP over Ethernet with NAT

Enters interface configuration mode for a Fast Ethernet WAN interface.

The Cisco 1800 integrated services routers have two Fast Ethernet WAN interfaces. You can use these steps to configure one or both of them.

Step 2

Step 3

Step 4

pppoe-client dial-pool-number number

Example:

Router(config-if)# pppoe-client dial-pool-number 1

Router(config-if)#

no shutdown

Example:

Router(config-if)# no shutdown Router(config-if)#

exit

Example:

Router(config-if)# exit Router(config)#

Configures the PPPoE client and specifies the dialer interface to use for cloning.

Enables the Fast Ethernet interface and the configuration changes just made to it.

Exits configuration mode for the Fast Ethernet interface and returns to global configuration mode.

3-4

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

OL-6426-02

Page 45

Chapter 3 Configuring PPP over Ethernet with NAT

Configure the Dialer Interface

The dialer interface indicates how to handle traffic from the clients, including, for example, default routing information, the encapsulation protocol, and the dialer pool to use. The dialer interface is also used for cloning virtual access. Multiple PPPoE client sessions can be configured on a Fast Ethernet interface, but each session must use a separate dialer interface and a separate dialer pool.

Complete the following steps to configure a dialer interface for one of the Fast Ethernet LAN interfaces on the router, starting in global configuration mode.

Command Purpose

Step 1

interface dialer dialer-rotary-group-number

Example:

Router(config)# interface dialer 0 Router(config-if)#

Configure the Dialer Interface

Creates a dialer interface (numbered 0–255), and enters interface configuration mode.

Step 2

Step 3

Step 4

Step 5

ip address negotiated

Example:

Router(config-if)# ip address negotiated Router(config-if)#

ip mtu bytes

Example:

Router(config-if)# ip mtu 1492 Router(config-if)#

encapsulation encapsulation-type

Example:

Router(config-if)# encapsulation ppp Router(config-if)#

ppp authentication {protocol1 [protocol2...]}

Example:

Router(config-if)# ppp authentication chap Router(config-if)#

Specifies that the IP address for the interface is obtained through PPP/IPCP (IP Control Protocol) address negotiation.

Sets the size of the IP maximum transmission unit (MTU). The default minimum is 128 bytes. The maximum for Ethernet is 1492 bytes.

Sets the encapsulation type to PPP for the data packets being transmitted and received.

Sets the PPP authentication method to Challenge Handshake Authentication Protocol (CHAP).

For details about this command and additional parameters that can be set, see the Cisco IOS

Security Command Reference.

OL-6426-02

Step 6

dialer pool number

Example:

Router(config-if)# dialer pool 1 Router(config-if)#

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

Specifies the dialer pool to use to connect to a specific destination subnetwork.

3-5

Page 46

Configure the Dialer Interface

Command Purpose

Step 7

dialer-group group-number

Example:

Router(config-if)# dialer group 1 Router(config-if)#

Chapter 3 Configuring PPP over Ethernet with NAT

Assigns the dialer interface to a dialer group (1–10).

Tip Using a dialer group controls access to

your router.

Step 8

Step 9

Step 10

exit

Example:

Router(config-if)# exit Router(config)#

dialer-list dialer-group protocol protocol-name {permit | deny | list access-list-number | access-group}

Example:

Router(config)# dialer-list 1 protocol ip permit

Router(config)#

ip route prefix mask {interface-type interface-number}

Example:

Router(config)# ip route 10.10.25.2

0.255.255.255 dialer 0

Router(config)#

Exits the dialer 0 interface configuration.

Creates a dialer list and associates a dial group with it. Packets are then forwarded through the specified interface dialer group.

For details about this command and additional parameters that can be set, see the Cisco IOS Dial

Technologies Command Reference.

Sets the IP route for the default gateway for the dialer 0 interface.

For details about this command and additional parameters that can be set, see the Cisco IOS IP

Command Reference, Volume 2; Routing Protocols.

3-6

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

OL-6426-02

Page 47

Chapter 3 Configuring PPP over Ethernet with NAT

Configure Network Address Translation

Network Address Translation (NAT) translates packets from addresses that match a standard access list, using global addresses allocated by the dialer interface. Packets that enter the router through the inside interface, packets sourced from the router, or both are checked against the access list for possible address translation. You can configure NAT for either static or dynamic address translations.

Perform these steps to configure the outside Fast Ethernet WAN interface with dynamic NAT, beginning in global configuration mode:

Command Purpose

Step 1

ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

Example:

Router(config)# ip nat pool pool1

192.168.1.0 192.168.2.0 netmask 0.0.0.255

Router(config)#

Creates pool of global IP addresses for NAT.

Configure Network Address Translation

Step 2

Step 3

Step 4

ip nat inside source {list access-list-number} {interface type number | pool name} [overload]

Example 1:

Router(config)# ip nat inside source list 1 interface dialer 0 overload

Example 2:

Router(config)# ip nat inside source list acl1 pool pool1

interface type number

Example:

Router(config)# interface vlan 1 Router(config-if)#

ip nat {inside | outside}

Example:

Router(config-if)# ip nat inside Router(config-if)#

Enables dynamic translation of addresses on the inside interface.

The first example shows the addresses permitted by the access list 1 to be translated to one of the addresses specified in the dialer interface 0.

The second example shows the addresses permitted by access list acl1 to be translated to one of the addresses specified in the NAT pool pool1.

For details about this command and additional parameters that can be set, as well as information about enabling static translation, see the

Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services.

Enters configuration mode for the VLAN (on which the Fast Ethernet LAN interfaces reside) to be the inside interface for NAT.

Identifies the specified VLAN interface as the NAT inside interface.

For details about this command and additional parameters that can be set, as well as information about enabling static translation, see the

Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services.

OL-6426-02

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

3-7

Page 48

Configure Network Address Translation

Command Purpose

Step 5

no shutdown

Example:

Router(config-if)# no shutdown Router(config-if)#

Chapter 3 Configuring PPP over Ethernet with NAT

Enables the configuration changes just made to the Ethernet interface.

Step 6

Step 7

Step 8

Step 9

exit

Example:

Router(config-if)# exit Router(config)#

interface type number

Example:

Router(config)#interface fastethernet 0 Router(config-if)#

ip nat {inside | outside}

Example:

Router(config-if)# ip nat outside Router(config-if)#

no shutdown

Example:

Router(config-if)# no shutdown Router(config-if)#

Exits configuration mode for the Fast Ethernet interface.

Enters configuration mode for the Fast Ethernet WAN interface (FE0 or FE1) to be the outside interface for NAT.

Identifies the specified WAN interface as the NAT outside interface.

For details about this command and additional parameters that can be set, as well as information about enabling static translation, see the

Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services.

Enables the configuration changes just made to the Ethernet interface.

3-8

Step 10

exit

Exits configuration mode for the Fast Ethernet interface.

Example:

Router(config-if)# exit Router(config)#

Step 11

Note If you want to use NAT with a virtual-template interface, you must configure a loopback interface. See

access-list access-list-number {deny | permit} source [source-wildcard]

Example:

Router(config)# access-list 1 permit

192.168.1.0 0.0.0.255

Defines a standard access list indicating which addresses need translation.

Note All other addresses are implicitly denied.

Chapter 1, “Basic Router Configuration,” for information on configuring a loopback interface.

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

OL-6426-02

Page 49

Chapter 3 Configuring PPP over Ethernet with NAT

For complete information on the NAT commands, see the Cisco IOS Release 12.3 documentation set. For more general information on NAT concepts, see Appendix B, “Concepts.”

Configuration Example

The following configuration example shows a portion of the configuration file for the PPPoE scenario described in this chapter.

The VLAN interface has an IP address of 192.168.1.1 with a subnet mask of 255.255.255.0. NAT is configured for inside and outside.

Note Since the VLAN interface is on LAN, we have used a private IP address.

Note Commands marked by “(default)” are generated automatically when you run the show running-config

command.

Configuration Example

! vpdn enable vpdn-group 1 request-dialin protocol pppoe ! interface vlan 1 ip address 192.168.1.1 255.255.255.0 no ip directed-broadcast (default) ip nat inside ! interface FastEthernet 0 ip address 192.1.12.2 255.255.255.0 no ip directed-broadcast (default) ip nat outside ! interface dialer 1 ip address negotiated ppp authentication chap dialer pool 1 dialer-group 1 ! dialer-list 1 protocol ip permit ip nat inside source list 1 interface dialer 1 overload ip classless (default) ip route 10.10.25.2 0.255.255.255 dialer 1 !

OL-6426-02

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

3-9

Page 50

Configuration Example

Verifying Your Configuration

Use the show ip nat statistics command in privileged EXEC mode to verify NAT configuration. You should see verification output similar to the following example:

Router# show ip nat statistics Total active translations: 0 (0 static, 0 dynamic; 0 extended) Outside interfaces: FastEthernet4 Inside interfaces: Vlan1 Hits: 0 Misses: 0 CEF Translated packets: 0, CEF Punted packets: 0 Expired translations: 0 Dynamic mappings:

-- Inside Source [Id: 1] access-list 1 interface Dialer0 refcount 0 Queued Packets: 0

Chapter 3 Configuring PPP over Ethernet with NAT

3-10

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

OL-6426-02

Page 51

BETA DRAFT - CISCO CONFIDENTIAL

121753

92340

ISP

CHA PTER

Configuring PPP over ATM with NAT

The Cisco 1801, Cisco 1802, and Cisco 1803 access routers support Point-to-Point Protocol over Asynchronous Transfer Mode (PPPoA) clients and network address translation (NAT).

Multiple PCs can be connected to the LAN behind the router. Before traffic from the PCs is sent to the PPPoA session, it can be encrypted, filtered, and so forth. PPP over ATM provides a network solution with simplified address handling and straight user verification like a dial network. Figure 4-1 shows a typical deployment scenario with a PPPoA client and NAT configured on the Cisco router. This scenario uses a single static IP address for the ATM connection.

Figure 4-1 PPP over ATM with NAT

1 Small business with multiple networked devices—desktops, laptop PCs, switches

2 Fast Ethernet LAN interface (inside interface for NAT, 192.168.1.1/24)

3 PPPoA Client—Cisco 1801, Cisco 1802, or Cisco 1803 router

4 Point at which NAT occurs

OL-6426-02

5 ATM WAN interface (outside interface for NAT)

6 PPPoA session between the client and a PPPoA server at the ISP

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

4-1

Page 52

Chapter 4 Configuring PPP over ATM with NAT

BETA DRAFT - CISCO CONFIDENTIAL

In this scenario, the small business or remote user on the Fast Ethernet LAN can connect to an Internet Service Provider (ISP) using the following protocols on the WAN connection:

• Asymmetric digital subscriber line (ADSL) over plain old telephone service (POTS) using the

Cisco 1801 router

• ADSL over integrated services digital network (ISDN) using the Cisco 1802 router

• Single-pair high-speed digital subscriber line (G.SHDSL) using the Cisco 1803 router

The Fast Ethernet interface carries the data packet through the LAN and off-loads it to the PPP connection on the ATM interface. The ATM traffic is encapsulated and sent over the ADSL, ISDN, or G.SHDSL lines. The dialer interface is used to connect to the ISP.

PPPoA

The PPPoA Client feature on the router provides PPPoA client support on ATM interfaces. A dialer interface must be used for cloning virtual access. Multiple PPPoA client sessions can be configured on an ATM interface, but each session must use a separate dialer interface and a separate dialer pool.

A PPPoA session is initiated on the client side by the Cisco 1800 series router.

NAT

Configuration Tasks

Perform the following tasks to configure this network scenario:

• Configure the Dialer Interface

• Configure the ATM WAN Interface

• Configure DSL Signaling Protocol

• Configure Network Address Translation

An example showing the results of these configuration tasks is shown in the section “Configuration

Example.”

4-2

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

OL-6426-02

Page 53

Chapter 4 Configuring PPP over ATM with NAT

BETA DRAFT - CISCO CONFIDENTIAL

Configure the Dialer Interface

The dialer interface indicates how to handle traffic from the clients, including, for example, default routing information, the encapsulation protocol, and the dialer pool to use. It is also used for cloning virtual access. Multiple PPPoA client sessions can be configured on an ATM interface, but each session must use a separate dialer interface and a separate dialer pool.

Perform these steps to configure a dialer interface for the ATM interface on the router, starting in global configuration mode.

Command Purpose

Step 1

interface dialer dialer-rotary-group-number

Example:

Router(config)# interface dialer 0 Router(config-if)#

Configure the Dialer Interface

Creates a dialer interface (numbered 0–255), and enters into interface configuration mode.

Step 2

Step 3

Step 4

Step 5

Step 6

ip address negotiated

Example:

Router(config-if)# ip address negotiated Router(config-if)#

ip mtu bytes

Example:

Router(config-if)# ip mtu 4470 Router(config-if)#

encapsulation encapsulation-type

Example:

Router(config-if)# encapsulation ppp Router(config-if)#

ppp authentication {protocol1 [protocol2...]}

Example:

Router(config-if)# ppp authentication chap Router(config-if)#

dialer pool number

Example:

Router(config-if)# dialer pool 1 Router(config-if)#

Specifies that the IP address for the dialer interface is obtained through PPP/IPCP (IP Control Protocol) address negotiation.

Sets the size of the IP maximum transmission unit (MTU). The default minimum is 128 bytes. The maximum for ATM is 4470 bytes.

Sets the encapsulation type to PPP for the data packets being transmitted and received.

Sets the PPP authentication method.

The example applies the Challenge Handshake Authentication Protocol (CHAP).

For details about this command and additional parameters that can be set, see the Cisco IOS

Security Command Reference.

Specifies the dialer pool to use to connect to a specific destination subnetwork.

OL-6426-02

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

4-3

Page 54

Configure the Dialer Interface

Command Purpose

Step 7

dialer-group group-number

Example:

Router(config-if)# dialer-group 1 Router(config-if)#

Chapter 4 Configuring PPP over ATM with NAT

BETA DRAFT - CISCO CONFIDENTIAL

Assigns the dialer interface to a dialer group (1–10).

Tip Using a dialer group controls access to

your router.

Step 8

Step 9

Step 10

exit

Example:

Router(config-if)# exit Router(config)#

dialer-list dialer-group protocol protocol-name {permit | deny | list access-list-number | access-group}

Example:

Router(config)# dialer-list 1 protocol ip permit

Router(config)#

ip route prefix mask {interface-type interface-number}

Example:

Router(config)# ip route 10.10.25.0

255.255.255.0 dialer 0

Router(config)#

Exits the dialer 0 interface configuration.

Creates a dialer list and associates a dial group with it. Packets are then forwarded through the specified interface dialer group.

For details about this command and additional parameters that can be set, see the Cisco IOS Dial

Technologies Command Reference.

Sets the IP route for the default gateway for the dialer 0 interface.

For details about this command and additional parameters that can be set, see the Cisco IOS IP

Command Reference, Volume 1 of 4: Routing Protocols.

4-4

Repeat these steps for any additional dialer interfaces or dialer pools needed.

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

OL-6426-02

Page 55

Chapter 4 Configuring PPP over ATM with NAT

BETA DRAFT - CISCO CONFIDENTIAL

Configure the ATM WAN Interface

Perform these steps to configure the ATM interface, beginning in global configuration mode.

Command Purpose

Step 1

Step 2

interface type number

Example:

Router(config)# interface atm 0 Router(config-if)#

pvc vpi/vci

Example:

Router(config-if)# pvc 8/35 Router(config-if-atm-vc)#

Configure the ATM WAN Interface

Enters interface configuration mode for the ATM interface (labeled ADSLoPOTS or G.SHDSL on the back of your router).

Note This interface was initially configured

during basic router configuration. See

“Configure WAN Interfaces” section on page 1-7.

Creates an ATM PVC for each end node (up to ten) with which the router communicates. Enters ATM virtual circuit configuration mode.

When a PVC is defined, AAL5SNAP encapsulation is defined by default. Use the encapsulation command to change this, as shown in Step 3. The VPI and VCI arguments cannot be simultaneously specified as zero; if one is 0, the other cannot be 0.

Step 3

Step 4

encapsulation {aal5auto | aal5autoppp virtual-template number [group group-name] | aal5ciscoppp virtual-template number | aal5mux protocol | aal5nlpid | aal5snap}

Example:

Router(config-if-atm-vc)# encapsulation aal5mux ppp dialer

Router(config-if-atm-vc)#

dialer pool-member number

Example:

Router(config-if-atm-vc)# dialer pool-member 1

Router(config-if-atm-vc)#

For details about this command and additional parameters that can be set, see the Cisco IOS

Wide-Area Networking Command Reference.

Specifies the encapsulation type for the PVC and points back to the dialer interface.

For details about this command and additional parameters that can be set, see the Cisco IOS

Wide-Area Networking Command Reference.

Specifies the ATM interface as a member of a dialer profile dialing pool. The pool number must be in the range of 1–255.

OL-6426-02

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

4-5

Page 56

Configure DSL Signaling Protocol

BETA DRAFT - CISCO CONFIDENTIAL

Command Purpose

Step 5

no shutdown

Example:

Router(config-if-atm-vc)# no shutdown Router(config-if)#

Chapter 4 Configuring PPP over ATM with NAT

Enables interface and configuration changes just made to the ATM interface.

Step 6

exit

Example:

Router(config-if)# exit Router(config)#

Configure DSL Signaling Protocol

DSL signaling must be configured on the ATM interface for connection to your ISP. The Cisco 1801 supports ADSL signaling over POTS, the Cisco 1802 supports ADSL signaling over ISDN, and the Cisco 1803 supports SHDSL signaling.

Based on the router you are configuring, see one of the following sections to configure the appropriate DSL signaling protocol.

• Configuring ADSL

• Configuring SHDSL

Configuring ADSL

The default configuration for ADSL signaling is shown in Tab le 4- 1.

Exits configuration mode for the ATM interface.

4-6

Table 4-1 Default ADSL Configuration

Attribute Description Default Value

Operating mode Specifies the operating mode of the digital

subscriber line (DSL) for an ATM interface.

• ADSL over POTS—ANSI or ITU full

rate, or automatic selection.

• ADSL over ISDN—ITU full rate, ETSI,

or automatic selection.

Loss of margin Specifies the number of times a loss of margin

may occur.

Training log Toggles between enabling the training log and

disabling the training log.

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

Auto

Disabled

OL-6426-02

Page 57

Chapter 4 Configuring PPP over ATM with NAT

BETA DRAFT - CISCO CONFIDENTIAL

If you wish to change any of these settings, use one of the following commands in global configuration mode.

• dsl operating-mode (from the ATM interface configuration mode)

• dsl lom integer

• dsl enable-training-log

See the Cisco IOS Wide-Area Networking Command Reference for details of these commands.

Verify the Configuration

You can verify that the configuration is set the way you want using the show dsl interface atm 0 command from privileged EXEC mode.

Configuring SHDSL

Complete the following steps to configure the DSL controller in your router to use SHDSL signaling, beginning in global configuration mode.

Configure DSL Signaling Protocol

Step 1

Step 2

Step 3

Step 4

Command Purpose

controller dsl port

Enters the configuration mode for the DSL controller.

Example:

Router(config)# controller dsl 0 Router(config-controller)#

line-term {co | cpe}

Specifies if the DSL line is terminated at a central office (CO) or at customer premises equipment

Example:

Router(config-controller)# line-term co Router(config-controller)#

exit

(CPE).

Exits controller configuration mode, returning to global configuration mode.

Example:

Router(config-controller)# exit Router(config)#

mode protocol

Specifies the mode of the DSL controller and enters controller configuration mode.

Example:

Router(config)# mode atm Router(config-controller)#

OL-6426-02

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

4-7

Page 58

Configure DSL Signaling Protocol

BETA DRAFT - CISCO CONFIDENTIAL

Command Purpose

Step 5

line-mode {4-wire enhanced | 4-wire standard | 2-wire}

Example:

Router(config-controller)# line-mode 4-wire standard

Router(config-controller)#

Chapter 4 Configuring PPP over ATM with NAT

Specifies whether this DSL connection is operating in 2-wire, 4-wire standard, or 4-wire enhanced mode.

Note line mode 4-wire will default to 4-wire

enhanced mode.

Step 6

ignore-error-duration number

Specifies how long, 15 to 30 seconds, to ignore errors.

Example:

Router(config-controller)#

ignore-error-duration 15

Router(config-controller)#

Step 7

exit

Exits controller configuration mode, returning to global configuration mode.

Example:

Router(config-controller)# exit Router(config)#

Note If you are integrating your Cisco router into a European network, please use one of the following

commands:

For CO mode, use the dsl dsl-mode shdsl symmetric annex {A | B | B-ANFP} command to choose annex B or B-ANFP.

For CPE mode, use the dsl dsl-mode shdsl symmetric annex {A | A-B | A-B-ANFP | B | B-ANFP} to choose any option except option A.

The router uses annex A by default (United States).

Verify the Configuration

You can verify that the configuration is set the way you want using the show controllers dsl command from privileged EXEC mode.

Router# show controllers dsl 0 DSL 0 controller UP SLOT 0: Globespan xDSL controller chipset Line Mode: Four Wire Standard Mode DSL mode: SHDSL Annex A Frame mode: Utopia Configured Line rate: Auto Line Re-activated 6 times after system bootup LOSW Defect alarm: ACTIVE CRC per second alarm: ACTIVE Line termination: CPE

Current 15 min CRC: 0

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

4-8

OL-6426-02

Page 59

Chapter 4 Configuring PPP over ATM with NAT

BETA DRAFT - CISCO CONFIDENTIAL

Current 15 min LOSW Defect: 0 Current 15 min ES Defect: 0 Current 15 min SES Defect: 0 Current 15 min UAS Defect: 33287

Previous 15 min CRC Defect: 0 Previous 15 min LOSW Defect: 0 Previous 15 min ES Defect: 0 Previous 15 min SES Defect: 0 Previous 15 min UAS Defect: 0

Line-0 status Chipset Version: 0 Firmware Version: A388 Modem Status: Data, Status 1 Last Fail Mode: No Failure status:0x0 Line rate: 2312 Kbps Framer Sync Status: In Sync Rcv Clock Status: In the Range Loop Attenuation: 341.1450 dB Transmit Power: 7.5 dB Receiver Gain: 22.5420 dB SNR Sampling: 36.8590 dB Dying Gasp: Present

Configure Network Address Translation

Perform these steps to configure the outside ATM WAN interface with dynamic NAT, beginning in global configuration mode:

OL-6426-02

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

4-9

Page 60

Configure Network Address Translation

BETA DRAFT - CISCO CONFIDENTIAL

Command Purpose

Step 1

ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

Example:

Router(config)# ip nat pool pool1

192.168.1.0 192.168.2.0 netmask 0.0.0.255

Router(config)#

Chapter 4 Configuring PPP over ATM with NAT

Creates pool of global IP addresses for NAT.

Step 2

Step 3

Step 4

Step 5

ip nat inside source {list access-list-number} {interface type number | pool name} [overload]

Example 1:

Router(config)# ip nat inside source list 1 interface dialer 0 overload

Example 2:

Router(config)# ip nat inside source list acl1 pool pool1

interface type number

Example:

Router(config)# interface vlan 1 Router(config-if)#

ip nat {inside | outside}

Example:

Router(config-if)# ip nat inside Router(config-if)#

no shutdown

Example:

Router(config-if)# no shutdown Router(config-if)#

Enables dynamic translation of addresses on the inside interface.

The first example shows the addresses permitted by the access list 1 to be translated to one of the addresses specified in the dialer interface 0.

The second example shows the addresses permitted by access list acl1 to be translated to one of the addresses specified in the NAT pool pool1.

For details about this command and additional parameters that can be set, as well as information about enabling static translation, see the Cisco

IOS IP Command Reference, Volume 1 of 4: Addressing and Services.

Enters configuration mode for the VLAN (on which the Fast Ethernet LAN interfaces [FE2–FE9] reside) to be the inside interface for NAT.

Applies NAT to the Fast Ethernet LAN interface as the inside interface.

For details about this command and additional parameters that can be set, as well as information about enabling static translation, see the Cisco

IOS IP Command Reference, Volume 1 of 4: Addressing and Services.

Enables the configuration changes just made to the Ethernet interface.

4-10

Step 6

exit

Exits configuration mode for the Fast Ethernet interface.

Example:

Router(config-if)# exit Router(config)#

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

OL-6426-02

Page 61

Chapter 4 Configuring PPP over ATM with NAT

BETA DRAFT - CISCO CONFIDENTIAL

Command Purpose

Step 7

interface type number

Example:

Router(config)#interface fastethernet 0 Router(config-if)#

Configuration Example

Enters configuration mode for the ATM WAN interface (FE0 or FE1) to be the outside interface for NAT.

Step 8

Step 9

Step 10

Step 11

ip nat {inside | outside}

Example:

Router(config-if)# ip nat outside Router(config-if)#

no shutdown

Example:

Router(config-if)# no shutdown Router(config-if)#

exit

Example:

Router(config-if)# exit Router(config)#

access-list access-list-number {deny | permit} source [source-wildcard]

Example:

Router(config)# access-list 1 permit

192.168.1.0 0.0.0.255

Identifies the specified WAN interface as the NAT outside interface.

For details about this command and additional parameters that can be set, as well as enabling static translation, see the Cisco IOS IP Command

Reference, Volume 1 of 4: Addressing and Services.

Enables the configuration changes just made to the Ethernet interface.

Exits configuration mode for the ATM interface.

Defines a standard access list permitting addresses that need translation.

Note All other addresses are implicitly denied.

Note If you want to use NAT with a virtual-template interface, you must configure a loopback interface. See

Chapter 1, “Basic Router Configuration,” for information on configuring the loopback interface.

For complete information on NAT commands, see the Cisco IOS Release 12.3 documentation set. For more general information on NAT concepts, see Appendix B, “Concepts.”

Configuration Example

The following configuration example shows a portion of the configuration file for a client in the PPPoA scenario described in this chapter.

The VLAN interface has an IP address of 192.168.1.1 with a subnet mask of 255.255.255.0. NAT is configured for inside and outside.

OL-6426-02

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

4-11

Page 62

Configuration Example

Note Commands marked by “(default)” are generated automatically when you run the show running-config

Chapter 4 Configuring PPP over ATM with NAT

BETA DRAFT - CISCO CONFIDENTIAL

command.

! interface Vlan1 ip address 192.168.1.1 255.255.255.0 ip nat inside ip virtual-reassembly (default) ! interface ATM0 no ip address ip nat outside ip virtual-reassembly no atm ilmi-keepalive pvc 8/35 encapsulation aal5mux ppp dialer dialer pool-member 1 ! dsl operating-mode auto ! interface Dialer0 ip address negotiated ip mtu 1492 encapsulation ppp dialer pool 1 dialer-group 1 ppp authentication chap ! ip classless (default) ! ip nat pool pool1 192.168.1.0 192.168.2.0 netmask 0.0.0.255 ip nat inside source list 1 interface Dialer0 overload ! access-list 1 permit 192.168.1.0 0.0.0.255 dialer-list 1 protocol ip permit

ip route 10.10.25.2 0.255.255.255 dialer 0 !

Verifying Your Configuration

Use the show ip nat statistics command in privileged EXEC mode to verify the PPPoA client with NAT configuration. You should see verification output similar to the following example:

Router# show ip nat statistics

Total active translations: 0 (0 static, 0 dynamic; 0 extended) Outside interfaces: ATM0 Inside interfaces: Vlan1 Hits: 0 Misses: 0 CEF Translated packets: 0, CEF Punted packets: 0 Expired translations: 0 Dynamic mappings:

-- Inside Source [Id: 1] access-list 1 interface Dialer0 refcount 0 Queued Packets: 0

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

4-12

OL-6426-02

Page 63

CHA PTER

Configuring a LAN with DHCP and VLANs

The Cisco 1800 series integrated services fixed-configuration routers support clients on both physical LANs and virtual LANs (VLANs). The routers can use the Dynamic Host Configuration Protocol (DHCP) to enable automatic assignment of IP configurations for nodes on these networks. Other interfaces and configurations of the VLANs are described in the “Switch Port Configurations” section

on page 5-7.

1 Fast Ethernet LAN (with multiple networked devices)

2 Router and DHCP server—Cisco 1800 series integrated services router—connected to the Internet

3 VLAN 1

4 VLAN 2

DHCP

DHCP, which is described in RFC 2131, uses a client/server model for address allocation. As an administrator, you can configure your Cisco 1800 integrated services fixed-configuration router to act as a DHCP server, providing IP address assignment and other TCP/IP-oriented configuration information to your workstations. DHCP frees you from having to manually assign an IP address to each client.

OL-xxxxx-xx

When you configure a DHCP server, you must configure the server properties, policies, and DHCP options.

Note Whenever you change server properties, you must reload the server with the configuration data from the

Network Registrar database.

VLANs

The Cisco 1800 series integrated services routers (fixed) support eight Fast Ethernet ports on which you can configure VLANs. See the “Switch Port Configurations” section on page 5-7 for a description of the interfaces and features that can be configured on the switch ports and a link to a document containing the configuration procedures.

VLANs enable networks to be segmented and formed into logical groups of users, regardless of the user’s physical location or LAN connection.

Configuration Tasks

Perform the following tasks to configure this network scenario:

• Configure DHCP

Book Title

5-1

Page 64

Configure DHCP

• Configure VLANs

Note The procedures in this chapter assume you have already configured basic router features as well as

PPPoE or PPPoA with NAT. If you have not performed these configurations tasks, see Chapter 1, “Basic

Router Configuration,” Chapter 3, “Configuring PPP over Ethernet with NAT,” and Chapter 4, “Configuring PPP over ATM with NAT” as appropriate for your router. See the Cisco IOS IP

Configuration Guide to assign an IP address to the ports.

Configure DHCP

Perform these steps to configure your router for DHCP operation, beginning in global configuration mode:

Command Purpose

Step 1

ip domain name name

Example:

Router(config)# ip domain name smallbiz.com Router(config)#

Chapter 5 Configuring a LAN with DHCP and VLANs

Identifies the default domain that the router uses to complete unqualified hostnames (names without a dotted-decimal domain name).

Step 2

Step 3

Step 4

Step 5

ip name-server server-address1 [server-address2...server-address6]

Example:

Router(config)# ip name-server 192.168.11.12 Router(config)#

ip dhcp excluded-address low-address [high-address]

Example:

Router(config)# ip dhcp excluded-address

192.168.9.0

ip dhcp pool name

Example:

Router(config)# ip dhcp pool dpool1 Router(config-dhcp)#

network network-number [mask | prefix-length]

Example:

Router(config-dhcp)# network 10.10.0.0

255.255.255.0

Router(config-dhcp)#

Specifies the address of one or more Domain Name System (DNS) servers to use for name and address resolution.

Specifies IP addresses that the DHCP server should not assign to DHCP clients. In this example, we are excluding the router address.

Creates a DHCP address pool on the router and enters DHCP pool configuration mode. The name argument can be a string or an integer.

Defines subnet number (IP) address for the DHCP address pool, optionally including the mask.

5-2

Book Title

OL-xxxxx-xx

Page 65

Chapter 5 Configuring a LAN with DHCP and VLANs

Command Purpose

Step 6

import all

Example:

Router(config-dhcp)# import all Router(config-dhcp)#

Configure DHCP

Imports DHCP option parameters into the DHCP portion of the router database.

Step 7

Step 8

Step 9

Step 10

default-router address [address2...address8]

Example:

Router(config-dhcp)# default-router 10.1.1.1 Router(config-dhcp)#

dns-server address [address2...address8]

Example:

Router(config-dhcp)# dns-server 192.168.35.2 Router(config-dhcp)#

domain-name domain

Example:

Router(config-dhcp)# domain-name cisco.com Router(config-dhcp)#

exit

Example:

Router(config-dhcp)# exit Router(config)#

Specifies up to 8 default routers for a DHCP client.

Specifies up to 8 DNS servers available to a DHCP client.

Specifies the domain name for a DHCP client.

Exits DHCP configuration mode, and enters global configuration mode.

Configuration Example

The following configuration example shows a portion of the configuration file for the DCHP configuration described in this chapter.

ip dhcp excluded-address 192.168.9.0 ! ip dhcp pool dpool1 import all network 10.10.0.0 255.255.255.0 default-router 10.10.10.10 dns-server 192.168.35.2 domain-name cisco.com ! ip domain name smallbiz.com ip name-server 192.168.11.12

OL-xxxxx-xx

Book Title

5-3

Page 66

Configure DHCP

Verify Your DHCP Configuration

Use the following commands to view your DHCP configuration.

• show ip dhcp import—Displays the optional parameters imported into the DHCP server database.

• show ip dhcp pool—Displays information about the DHCP address pools.

• show ip dhcp server statistics—Displays the DHCP server statistics, such as the number of address

pools, bindings, and so forth.

Router# show ip dhcp import

Address Pool Name: dpool1

Router# show ip dhcp pool

Pool dpool1 : Utilization mark (high/low) : 100 / 0 Subnet size (first/next) : 0 / 0 Total addresses : 254 Leased addresses : 0 Pending event : none 1 subnet is currently in the pool : Current index IP address range Leased addresses

10.10.0.1 10.10.0.1 - 10.10.0.254 0

Chapter 5 Configuring a LAN with DHCP and VLANs

Router# show ip dhcp server statistics Memory usage 15419 Address pools 1 Database agents 0 Automatic bindings 0 Manual bindings 0 Expired bindings 0 Malformed messages 0 Secure arp entries 0

Message Received BOOTREQUEST 0 DHCPDISCOVER 0 DHCPREQUEST 0 DHCPDECLINE 0 DHCPRELEASE 0 DHCPINFORM 0

Message Sent BOOTREPLY 0 DHCPOFFER 0 DHCPACK 0 DHCPNAK 0 Router#

5-4

Book Title

OL-xxxxx-xx

Page 67

Chapter 5 Configuring a LAN with DHCP and VLANs

Configure VLANs

Perform these steps to configure VLANs on your router, beginning in global configuration mode:

Command Purpose

Step 1

Step 2

Step 3

vlan ?

Example:

Router# config t Router(config)#vlan ?

WORD ISL VLAN IDs 1-4094 accounting VLAN accounting configuration ifdescr VLAN subinterface ifDescr

Router(config)#vlan

ISL VLAN ID

Example:

Router(config)#vlan 2 Router(config-vlan)#

exit

Example:

Router(config-vlan)#exit Router(config)#

Configure VLANs

Enters VLAN configuration mode.

Adds VLANs, with identifiers ranging from 1- 4094.

For details about this command and additional parameters that can be set, see the Cisco IOS

Switching Services Command Reference.

Updates the VLAN database, propagates it throughout the administrative domain, and returns to global configuration mode.

Verify Your VLAN Configuration

Use the following commands to view your VLAN configuration.

• show—Entered from VLAN database mode. Displays summary configuration information for all

configured VLANs.

• show vlan-switch—Entered from privileged EXEC mode. Displays detailed configuration

information for all configured VLANs.

Router# vlan database Router(vlan)# show VLAN ISL Id: 1 Name: default Media Type: Ethernet VLAN 802.10 Id: 100001 State: Operational MTU: 1500 Translational Bridged VLAN: 1002 Translational Bridged VLAN: 1003

VLAN ISL Id: 1002 Name: fddi-default Media Type: FDDI VLAN 802.10 Id: 101002 State: Operational MTU: 1500 Bridge Type: SRB

OL-xxxxx-xx

Book Title

5-5

Page 68

Configure VLANs

Chapter 5 Configuring a LAN with DHCP and VLANs

Translational Bridged VLAN: 1 Translational Bridged VLAN: 1003

VLAN ISL Id: 1003 Name: token-ring-default Media Type: Token Ring VLAN 802.10 Id: 101003 State: Operational MTU: 1500 Bridge Type: SRB Ring Number: 0 Bridge Number: 1 Parent VLAN: 1005 Maximum ARE Hop Count: 7 Maximum STE Hop Count: 7 Backup CRF Mode: Disabled Translational Bridged VLAN: 1 Translational Bridged VLAN: 1002

VLAN ISL Id: 1004 Name: fddinet-default Media Type: FDDI Net VLAN 802.10 Id: 101004 State: Operational MTU: 1500 Bridge Type: SRB Bridge Number: 1 STP Type: IBM

VLAN ISL Id: 1005 Name: trnet-default Media Type: Token Ring Net VLAN 802.10 Id: 101005 State: Operational MTU: 1500 Bridge Type: SRB Bridge Number: 1 STP Type: IBM

Router# show vlan-switch

VLAN Name Status Ports

---- -------------------------------- --------- ------------------------------1 default active Fa0, Fa1, Fa2, Fa3 1002 fddi-default active 1003 token-ring-default active 1004 fddinet-default active 1005 trnet-default active

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2

---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ -----1 enet 100001 1500 - - - - - 1002 1003 1002 fddi 101002 1500 - - - - - 1 1003 1003 tr 101003 1500 1005 0 - - srb 1 1002 1004 fdnet 101004 1500 - - 1 ibm - 0 0 1005 trnet 101005 1500 - - 1 ibm - 0 0 Router#

5-6

Book Title

OL-xxxxx-xx

Page 69

Chapter 5 Configuring a LAN with DHCP and VLANs

Accounting VLAN

Engineering VLAN

Switching

router

230551

VLAN 2

VLAN1

VLAN3

VLAN 1

IP phones

Voice VLAN

VLAN 3

Switch Port Configurations

The 8 high speed Ethernet ports on the Cisco 1800 (fixed) integrated router supports 8 VLANs per port. To configure and verify VLANs on the switch ports see the the “Configure VLANs” section on page 5-5 and the “Verify Your VLAN Configuration” section on page 5-5.

Figure 5-1 VLAN Configuration on the Cisco 1800 (Fixed) Router Showing Three VLAN

Segments

Switch Port Configurations

OL-xxxxx-xx

Other procedures for configuring the switch ports, including configuration examples and information on the features and interfaces are in the Cisco HWIC-4ESW and HWIC-9ESW EtherSwitch Interface Cards document on Cisco.com. See this document to configure the switch ports. The configuration procedures described in this document are listed below.

Book Title

5-7

Page 70

Switch Port Configurations

• Configuring VLANs (required)

• Configuring VLAN Trunking Protocol (optional)

• Configuring 802.1x Authentication (required)

• Configuring Spanning Tree on a VLAN (required)

• Configuring Layer 2 Interfaces (required)

• Configuring MAC Table Manipulation (required)

• Configuring the Switched Port Analyzer (required)

• Configuring Power Management on the Interfaces (optional)

• IP Multicast Layer 3 Switching (required)

• Configuring Per-Port Storm Control (optional)

• Configuring Fallback Bridging (optional)

• Configuring Separate Voice and Data Submits (optional)

• Configuring IGMP Snooping (optional)

This section briefly describes the features and interfaces that can be configured on the VLANs assigned to the switch ports and any differences between the configurations for the HWIC-4ESW and HWIC-9ESW and the configuration of the switch ports.

Chapter 5 Configuring a LAN with DHCP and VLANs

VLAN Trunking Protocol (VTP)

VLAN Trunking Protocol(VTP) supports three types of VTP modes – server, client and transparent modes. In VTP server mode, you create, modify and delete VLANs and specify other configuration parameters such as the VTP version for the entire VTP domain. VTP clients behave the same way as VTP servers, but you cannot create, change or delete VLANs on a VTP client. A VTP transparent switch does not advertise its’ VLAN configuration, and does not synchronize its VLAN configuration based on received advertisements.

802.1x Authentication

The switch port determines whether a client is granted access to the network. In the default setting, the port is in the unauthorized state. While in this state, the port disallows all ingress and egress traffic except for 802.1x packets. When a client has successfully authenticated, the port changes to the authorized state, allowing all traffic for the client to flow normally.

If a client that does not support 802.1x is connected to an unauthorized 802.1x port, the switch requests the client’s identity. In this situation, the client does not respond to the request, the port remains in the unauthorized state, and the client is not granted access to the network.

The 802.1x protocol supports authentication and full authentication, authorization, and accounting [AAA] and RADIUS modes with port VLAN ID (PVID) and voice VLAN ID (VVID); and with VLAN assignment with guest VLAN single and multi-host support on the Cisco 1800 (fixed) Configuration Series.

5-8

Note These security features are not supported on the switch ports: Security Access Control Lists, IP Access

Control Lists (IP- ACLs) for Layer 2 ports, and VLAN ACLs Virtual ACLs.

Book Title

OL-xxxxx-xx

Page 71

Chapter 5 Configuring a LAN with DHCP and VLANs

Layer 2 Interfaces

The integrated switch ports support Layer 2 switching across Ethernet ports based on Cisco IOS Catalyst Software. They support simultaneous, parallel connections between Layer 2 Ethernet segments. Switched connections between Ethernet segments last only for the duration of the packet. Different connections can be made for different segments for the next packet. You can configure a range of Layer 2 interfaces, define a range macro, set the interface speed, set the duplex mode, and add a description for the interface.

MAC Table Manipulation

The MAC table is configured to provide port security. The switch ports use the MAC address tables to forward traffic between the ports. All MAC addresses in the address table are associated with one or more ports. The MAC tables include the following types of addresses:

• Dynamic address–the source MAC address that the switch learns and then drops when not in use.

• Secure address–manually entered unicast address that is usually associated with a secured port.

Secure addresses do not age.

• Static address–manually entered unicast or multicast address that does not age and that is not lost

when the switch resets.

Switch Port Configurations

The Cisco 1800 (Fixed) Configuration Series supports 100 secure and static MAC addresses. General MAC addresses are supported for 50 users.

Maximum Switched Virtual Interfaces (SVIs)

A switch virtual interface (SVI) represents a VLAN of switch ports as one interface to the routing or bridging function in the router. Only one SVI can be associated with a VLAN; it is necessary to configure an SVI for a VLAN only when you wish to route between VLANs, when you wish to configure fallback-bridge nonroutable protocols between VLANs, or when you wish to provide IP host connectivity. Eight SVI interfaces are supported on each port of the fixed router

Switched Port Analyzer (SPAN)

You can configure SPAN sessions using parameters that specify the type of network traffic to monitor. SPAN sessions allow you to monitor traffic in one or more interfaces and allow you to send ingress traffic, egress traffic or both to one destination interface.

You can enable spanning tree on a per-VLAN basis and configure various spanning tree features. All frames have 802.1q tags.

IP Multicast Switching

OL-xxxxx-xx

Multicast switching is Layer 3 switching. To configure Multicast switching, the maximum number of configured VLANs must be less than or equal to 242. The maximum number of multicast groups is equal to to the maximum number of VLANs.

You can configure your router to enable multi-cast switching globally, enable IP Protocol Independent Multicast (PIM) on a Layer 3 interface, and verify the Multicast Layer 3 switching information.

Book Title

5-9

Page 72

Switch Port Configurations

Note Per-Port enabling and disabling of unknown multicast and unicast packets is not supported on the Cisco

1800 (Fixed) configuration router.

Per-Port Storm Control

You can use these per-port storm control techniques to block the forwarding of unnecessary, flooded traffic.

Fallback Bridging

With Fallback Bridging, the switch bridges together two or more VLANs or routed ports, essentially connecting multiple VLANs within one bridge domain.

To configure Fallback Bridging for a set of SVIs, the SVIs must be assigned to bridge groups. All bridges in the same group belong to the same bridge domain. Each SVI can be assigned to only one bridge group.

Chapter 5 Configuring a LAN with DHCP and VLANs

Separate Voice and Data Subnets

For ease of network administration and increased scalability, network managers can configure the switch ports to support Cisco IP phones such that the voice and data traffic reside on separate subnets.

IGMP Snooping

By default, IGMP Snooping is globally enabled on the switch ports. When globally enabled or disabled, it is also enabled or disabled on all VLAN interfaces. It can be enabled and disabled on a per-VLAN basis.

Note All of the procedures for configuring the switch ports, including configuration examples and information

on the features and interfaces are in the Cisco HWIC-4ESW and HWIC-9ESW EtherSwitch Interface

Cards document on Cisco.com. See this document to configure the switch ports.

5-10

Book Title

OL-xxxxx-xx

Page 73

BETA DRAFT - CISCO CONFIDENTIAL

121782

Internet

CHA PTER

Configuring a VPN Using Easy VPN and an IPSec Tunnel

The Cisco 1800 series integrated services fixed-configuration routers support the creation of Virtual Private Networks (VPNs).

Cisco routers and other broadband devices provide high-performance connections to the Internet, but many applications also require the security of VPN connections which perform a high level of authentication and which encrypt the data between two particular endpoints.

Two types of VPNs are supported—site-to-site and remote access. Site-to-site VPNs are used to connect branch offices to corporate offices, for example. Remote access VPNs are used by remote clients to log in to a corporate network.

The example in this chapter illustrates the configuration of a remote access VPN that uses the Cisco Easy VPN and an IPSec tunnel to configure and secure the connection between the remote client and the corporate network. Figure 6-1 shows a typical deployment scenario.

Figure 6-1 Remote Access VPN Using IPSec Tunnel

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

OL-6426-02

6-1

Page 74

Chapter 6 Configuring a VPN Using Easy VPN and an IPSec Tunnel

BETA DRAFT - CISCO CONFIDENTIAL

1 Remote, networked users

2 VPN client—Cisco 1800 series integrated services router

3 Router—Providing the corporate office network access

4 VPN server—Easy VPN server; for example, a Cisco VPN 3000 concentrator with outside

interface address 192.168.101.1

5 Corporate office with a network address of 10.1.1.1

6 IPSec tunnel

Cisco Easy VPN

The Cisco Easy VPN client feature eliminates much of the tedious configuration work by implementing the Cisco Unity Client protocol. This protocol allows most VPN parameters, such as internal IP addresses, internal subnet masks, DHCP server addresses, WINS server addresses, and split-tunneling flags, to be defined at a VPN server, such as a Cisco VPN 3000 series concentrator that is acting as an IPSec server.

An Easy VPN server–enabled device can terminate VPN tunnels initiated by mobile and remote workers who are running Cisco Easy VPN Remote software on PCs. Easy VPN server–enabled devices allow remote routers to act as Easy VPN Remote nodes.

The Cisco Easy VPN client feature can be configured in one of two modes—client mode or network extension mode. Client mode is the default configuration and allows only devices at the client site to access resources at the central site. Resources at the client site are unavailable to the central site. Network extension mode allows users at the central site (where the VPN 3000 series concentrator is located) to access network resources on the client site.

After the IPSec server has been configured, a VPN connection can be created with minimal configuration on an IPSec client, such as a supported Cisco 1800 integrated services router. When the IPSec client initiates the VPN tunnel connection, the IPSec server pushes the IPSec policies to the IPSec client and creates the corresponding VPN tunnel connection.

6-2

Note The Cisco Easy VPN client feature supports configuration of only one destination peer. If your

application requires creation of multiple VPN tunnels, you must manually configure the IPSec VPN and Network Address Translation/Peer Address Translation (NAT/PAT) parameters on both the client and the server.

Configuration Tasks

Perform the following tasks to configure your router for this network scenario:

• Configure the IKE Policy

• Configure Group Policy Information

• Apply Mode Configuration to the Crypto Map

• Enable Policy Lookup

• Configure IPSec Transforms and Protocols

• Configure the IPSec Crypto Method and Parameters

• Apply the Crypto Map to the Physical Interface

• Create an Easy VPN Remote Configuration

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

OL-6426-02

Page 75

Chapter 6 Configuring a VPN Using Easy VPN and an IPSec Tunnel

BETA DRAFT - CISCO CONFIDENTIAL

An example showing the results of these configuration tasks is shown in the section “Configuration

Example.”

Note The procedures in this chapter assume that you have already configured basic router features as well as

PPPoE or PPPoA with NAT, DCHP and VLANs. If you have not performed these configurations tasks, see Chapter 1, “Basic Router Configuration,” Chapter 3, “Configuring PPP over Ethernet with NAT,”

Chapter 4, “Configuring PPP over ATM with NAT,” and Chapter 5, “Configuring a LAN with DHCP and VLANs” as appropriate for your router.

Configure the IKE Policy

Perform these steps to configure the Internet Key Exchange (IKE) policy, beginning in global configuration mode:

Command or Action Purpose

Step 1

Step 2

crypto isakmp policy priority

Example:

Router(config)# crypto isakmp policy 1 Router(config-isakmp)#

encryption {des | 3des | aes | aes 192 | aes 256}

Example:

Router(config-isakmp)# encryption 3des Router(config-isakmp)#

Configure the IKE Policy

Creates an IKE policy that is used during IKE negotiation. The priority is a number from 1 to 10000, with 1 being the highest.

Also enters the Internet Security Association Key and Management Protocol (ISAKMP) policy configuration mode.

Specifies the encryption algorithm used in the IKE policy.

The example specifies 168-bit data encryption standard (DES).

OL-6426-02

Step 3

Step 4

Step 5

hash {md5 | sha}

Example:

Router(config-isakmp)# hash md5 Router(config-isakmp)#

authentication {rsa-sig | rsa-encr | pre-share}

Example:

Router(config-isakmp)# authentication pre-share

Router(config-isakmp)#

group {1 | 2 | 5}

Example:

Router(config-isakmp)# group 2 Router(config-isakmp)#

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

Specifies the hash algorithm used in the IKE policy.

The example specifies the Message Digest 5 (MD5) algorithm. The default is Secure Hash standard (SHA-1).

Specifies the authentication method used in the IKE policy.

The example specifies a pre-shared key.

Specifies the Diffie-Hellman group to be used in an IKE policy.

6-3

Page 76

Configure Group Policy Information

BETA DRAFT - CISCO CONFIDENTIAL

Command or Action Purpose

Step 6

lifetime seconds

Example:

Router(config-isakmp)# lifetime 480 Router(config-isakmp)#

Chapter 6 Configuring a VPN Using Easy VPN and an IPSec Tunnel

Specifies the lifetime, 60–86400 seconds, for an IKE security association (SA).

Step 7

exit

Example:

Router(config-isakmp)# exit Router(config)#

Configure Group Policy Information

Perform these steps to configure the group policy, beginning in global configuration mode:

Command or Action Purpose

Step 1

Step 2

crypto isakmp client configuration group {group-name | default}

Example:

Router(config)# crypto isakmp client configuration group rtr-remote

Router(config-isakmp-group)#

key name

Example:

Router(config-isakmp-group)# key secret-password

Router(config-isakmp-group)#

Exits IKE policy configuration mode, and enters global configuration mode.

Creates an IKE policy group containing attributes to be downloaded to the remote client.

Also enters the Internet Security Association Key and Management Protocol (ISAKMP) group policy configuration mode.

Specifies the IKE pre-shared key for the group policy.

6-4

Step 3

dns primary-server

Specifies the primary Domain Name System (DNS) server for the group.

Step 4

Example:

Router(config-isakmp-group)# dns 10.50.10.1 Router(config-isakmp-group)#

domain name

Note You may also want to specify Windows

Specifies group domain membership.

Example:

Router(config-isakmp-group)# domain company.com

Router(config-isakmp-group)#

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

Internet Naming Service (WINS) servers for the group by using the wins command.

OL-6426-02

Page 77

Chapter 6 Configuring a VPN Using Easy VPN and an IPSec Tunnel

BETA DRAFT - CISCO CONFIDENTIAL

Command or Action Purpose

Step 5

exit

Example:

Router(config-isakmp-group)# exit Router(config)#

Apply Mode Configuration to the Crypto Map

Exits IKE group policy configuration mode, and enters global configuration mode.

Step 6

ip local pool {default | poolname} [low-ip-address [high-ip-address]]

Example:

Router(config)# ip local pool dynpool

30.30.30.20 30.30.30.30

Router(config)#

Specifies a local address pool for the group.

For details about this command and additional parameters that can be set, see the Cisco IOS Dial

Technologies Command Reference.

Apply Mode Configuration to the Crypto Map

Perform these steps to apply mode configuration to the crypto map, beginning in global configuration mode:

Command or Action Purpose

Step 1

crypto map map-name isakmp authorization list list-name

Example:

Router(config)# crypto map dynmap isakmp authorization list rtr-remote

Router(config)#

Applies mode configuration to the crypto map and enables key lookup (IKE queries) for the group policy from an authentication, authorization, and accounting (AAA) server.

OL-6426-02

Step 2

crypto map tag client configuration address [initiate | respond]

Example:

Router(config)# crypto map dynmap client configuration address respond

Router(config)#

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

Configures the router to reply to mode configuration requests from remote clients.

6-5

Page 78

Enable Policy Lookup

BETA DRAFT - CISCO CONFIDENTIAL

Enable Policy Lookup

Perform these steps to enable policy lookup through AAA, beginning in global configuration mode:

Command or Action Purpose

Step 1

aaa new-model

Example:

Router(config)# aaa new-model Router(config)#

Chapter 6 Configuring a VPN Using Easy VPN and an IPSec Tunnel

Enables the AAA access control model.

Step 2

Step 3

Step 4

aaa authentication login {default | list-name} method1 [method2...]

Example:

Router(config)# aaa authentication login rtr-remote local

Router(config)#

aaa authorization {network | exec | commands

level | reverse-access | configuration} {default | list-name} [method1 [method2...]]

Example:

Router(config)# aaa authorization network rtr-remote local

Router(config)#

username name {nopassword | password password | password encryption-type encrypted-password}

Example:

Router(config)# username Cisco password 0 Cisco

Router(config)#

Specifies AAA authentication of selected users at login, and specifies the method used.

This example uses a local authentication database. You could also use a RADIUS server for this. For details, see the Cisco IOS Security Configuration

Guide and Cisco IOS Security Command Reference.

Specifies AAA authorization of all network-related service requests, including PPP, and specifies the method of authorization.

This example uses a local authorization database. You could also use a RADIUS server for this. For details, see the Cisco IOS Security Configuration

Guide and Cisco IOS Security Command Reference.

Establishes a username-based authentication system.

This example implements a username of Cisco with an encrypted password of Cisco.

Configure IPSec Transforms and Protocols

A transform set represents a certain combination of security protocols and algorithms. During IKE negotiation, the peers agree to use a particular transform set for protecting data flow.

During IKE negotiations, the peers search in multiple transform sets for a transform that is the same at both peers. When such a transform set is found, it is selected and applied to the protected traffic as a part of both peers’ configurations.

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

6-6

OL-6426-02

Page 79

Chapter 6 Configuring a VPN Using Easy VPN and an IPSec Tunnel

BETA DRAFT - CISCO CONFIDENTIAL

Perform these steps to specify the IPSec transform set and protocols, beginning in global configuration mode:

Command or Action Purpose

Step 1

crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]

Example:

Router(config)# crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac

Router(config)#

Configure the IPSec Crypto Method and Parameters

Defines a transform set—an acceptable combination of IPSec security protocols and algorithms.

See the Cisco IOS Security Command Reference for detail about the valid transforms and combinations.

Step 2

Note With manually established security associations, there is no negotiation with the peer, and both sides

crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}

Example:

Router(config)# crypto ipsec security-association lifetime seconds 86400

Router(config)#

Specifies global lifetime values used when IPSec security associations are negotiated.

See the Cisco IOS Security Command Reference for details.

must specify the same transform set.

Configure the IPSec Crypto Method and Parameters

A dynamic crypto map policy processes negotiation requests for new security associations from remote IPSec peers, even if the router does not know all the crypto map parameters (for example, IP address).

Perform these steps to configure the IPSec crypto method, beginning in global configuration mode:

Command or Action Purpose

Step 1

crypto dynamic-map dynamic-map-name dynamic-seq-num

Creates a dynamic crypto map entry and enters crypto map configuration mode.

OL-6426-02

Step 2

Example:

Router(config)# crypto dynamic-map dynmap 1 Router(config-crypto-map)#

set transform-set transform-set-name

[transform-set-name2...transform-set-name6]

Example:

Router(config-crypto-map)# set transform-set vpn1

Router(config-crypto-map)#

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

See the Cisco IOS Security Command Reference for more detail about this command.

Specifies which transform sets can be used with the crypto map entry.

6-7

Page 80

Apply the Crypto Map to the Physical Interface

BETA DRAFT - CISCO CONFIDENTIAL

Command or Action Purpose

Step 3

reverse-route

Example:

Router(config-crypto-map)# reverse-route Router(config-crypto-map)#

Chapter 6 Configuring a VPN Using Easy VPN and an IPSec Tunnel

Creates source proxy information for the crypto map entry.

See the Cisco IOS Security Command Reference for details.

Step 4

Step 5

exit

Example:

Router(config-crypto-map)# exit Router(config)#

crypto map map-name seq-num [ipsec-isakmp]

Returns to global configuration mode.

Creates a crypto map profile.

[dynamic dynamic-map-name] [discover] [profile profile-name]

Example:

Router(config)# crypto map static-map 1 ipsec-isakmp dynamic dynmap

Router(config)#

Apply the Crypto Map to the Physical Interface

The crypto maps must be applied to each interface through which IP Security (IPSec) traffic flows. Applying the crypto map to the physical interface instructs the router to evaluate all the traffic against the security associations database. With the default configurations, the router provides secure connectivity by encrypting the traffic sent between remote sites. However, the public interface still allows the rest of the traffic to pass and provides connectivity to the Internet.

Perform these steps to apply a crypto map to an interface, beginning in global configuration mode:

6-8

Command or Action Purpose

Step 1

interface type number

Enters the interface configuration mode for the interface to which you want the crypto map

Example:

Router(config)# interface fastethernet 0 Router(config-if)#

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

applied.

OL-6426-02

Page 81

Chapter 6 Configuring a VPN Using Easy VPN and an IPSec Tunnel

BETA DRAFT - CISCO CONFIDENTIAL

Command or Action Purpose

Step 2

crypto map map-name

Example:

Router(config-if)# crypto map static-map Router(config-if)#

Create an Easy VPN Remote Configuration

Applies the crypto map to the interface.

See the Cisco IOS Security Command Reference for more detail about this command.

Step 3

exit

Returns to global configuration mode.

Example:

Router(config-crypto-map)# exit Router(config)#

Create an Easy VPN Remote Configuration

The router acting as the IPSec remote router must create an Easy VPN remote configuration and assign it to the outgoing interface.

Perform these steps to create the remote configuration, beginning in global configuration mode:

Command or Action Purpose

Step 1

Step 2

crypto ipsec client ezvpn name

Example:

Router(config)# crypto ipsec client ezvpn ezvpnclient

Router(config-crypto-ezvpn)#

group group-name key group-key

Example:

Router(config-crypto-ezvpn)# group ezvpnclient key secret-password

Router(config-crypto-ezvpn)#

Creates a Cisco Easy VPN remote configuration, and enters Cisco Easy VPN remote configuration mode.

Specifies the IPSec group and IPSec key value for the VPN connection.

OL-6426-02

Step 3

Step 4

peer {ipaddress | hostname}

Example:

Router(config-crypto-ezvpn)# peer

192.168.100.1

Router(config-crypto-ezvpn)#

mode {client | network-extension | network extension plus}

Example:

Router(config-crypto-ezvpn)# mode client Router(config-crypto-ezvpn)#

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

Specifies the peer IP address or hostname for the VPN connection.

Note A hostname can be specified only when

the router has a DNS server available for hostname resolution.

Specifies the VPN mode of operation.

6-9

Page 82

Verifying Your Easy VPN Configuration

BETA DRAFT - CISCO CONFIDENTIAL

Command or Action Purpose

Step 5

exit

Example:

Router(config-crypto-ezvpn)# exit Router(config)#

Chapter 6 Configuring a VPN Using Easy VPN and an IPSec Tunnel

Returns to global configuration mode.

Step 6

interface type number

Example:

Router(config)# interface fastethernet 0 Router(config-if)#

Step 7

crypto ipsec client ezvpn name [outside | inside]

Example:

Router(config-if)# crypto ipsec client ezvpn ezvpnclient outside

Router(config-if)#

Step 8

exit

Example:

Router(config-crypto-ezvpn)# exit Router(config)#

Verifying Your Easy VPN Configuration

Router# show crypto ipsec client ezvpn Tunnel name :ezvpnclient Inside interface list:vlan 1 Outside interface:fastethernet 0 Current State:IPSEC_ACTIVE Last Event:SOCKET_UP Address:8.0.0.5 Mask:255.255.255.255 Default Domain:cisco.com

Enters interface configuration mode.

Note For routers with an ATM WAN interface,

this command would be interface atm 0.

Assigns the Cisco Easy VPN remote configuration to the WAN interface, causing the router to automatically create the NAT or PAT and access list configuration needed for the VPN connection.

Returns to global configuration mode.

Configuration Example

The following configuration example shows a portion of the configuration file for the VPN and IPSec tunnel described in this chapter.

! aaa new-model ! aaa authentication login rtr-remote local aaa authorization network rtr-remote local aaa session-id common ! username Cisco password 0 Cisco

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

6-10

OL-6426-02

Page 83

Chapter 6 Configuring a VPN Using Easy VPN and an IPSec Tunnel

BETA DRAFT - CISCO CONFIDENTIAL

! crypto isakmp policy 1

encryption 3des authentication pre-share group 2

lifetime 480 ! crypto isakmp client configuration group rtr-remote

key secret-password

dns 10.50.10.1 10.60.10.1

domain company.com

pool dynpool ! crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac ! crypto ipsec security-association lifetime seconds 86400 ! crypto dynamic-map dynmap 1

set transform-set vpn1

reverse-route ! crypto map static-map 1 ipsec-isakmp dynamic dynmap crypto map dynmap isakmp authorization list rtr-remote crypto map dynmap client configuration address respond

Configuration Example

crypto ipsec client ezvpn ezvpnclient

connect auto

group 2 key secret-password

mode client

peer 192.168.100.1 !

interface fastethernet 0

crypto ipsec client ezvpn ezvpnclient outside

crypto map static-map ! interface vlan 1

crypto ipsec client ezvpn ezvpnclient inside !

OL-6426-02

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

6-11

Page 84

Configuration Example

Chapter 6 Configuring a VPN Using Easy VPN and an IPSec Tunnel

BETA DRAFT - CISCO CONFIDENTIAL

6-12

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

OL-6426-02

Page 85

BETA DRAFT - CISCO CONFIDENTIAL

Internet

2 4 5 7

CHA PTER

Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation

The Cisco 1800 series integrated services fixed-configuration routers support the creation of virtual private networks (VPNs).

The example in this chapter illustrates the configuration of a site-to-site VPN that uses IPSec and the generic routing encapsulation (GRE) protocol to secure the connection between the branch office and the corporate network. Figure 7-1 shows a typical deployment scenario.

Figure 7-1 Site-to-Site VPN Using an IPSec Tunnel and GRE

1 Branch office containing multiple LANs and VLANs

2 Fast Ethernet LAN interface—With address 192.165.0.0/16 (also the inside interface for NAT)

3 VPN client—Cisco 1800 series integrated services router

4 Fast Ethernet or ATM interface—With address 200.1.1.1 (also the outside interface for NAT)

5 LAN interface—Connects to the Internet; with outside interface address of 210.110.101.1

6 VPN client—Another router, which controls access to the corporate network

OL-6426-02

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

7-1

Page 86

Chapter 7 Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation

BETA DRAFT - CISCO CONFIDENTIAL

7 LAN interface—Connects to the corporate network, with inside interface address of 10.1.1.1

8 Corporate office network

9 IPSec tunnel with GRE

GRE Tunnels

GRE tunnels are typically used to establish a VPN between the Cisco router and a remote device that controls access to a private network, such as a corporate network. Traffic forwarded through the GRE tunnel is encapsulated and routed out onto the physical interface of the router. When a GRE interface is used, the Cisco router and the router that controls access to the corporate network can support dynamic IP routing protocols to exchange routing updates over the tunnel, and to enable IP multicast traffic. Supported IP routing protocols include Enhanced Interior Gateway Routing Protocol (EIGRP), Routing Information Protocol (RIP), Intermediate System-to-Intermediate System (IS-IS), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP).

Note When IP Security (IPSec) is used with GRE, the access list for encrypting traffic does not list the desired

end network and applications, but instead refers to the permitted source and destination of the GRE tunnel in the outbound direction. All packets forwarded to the GRE tunnel are encrypted if no further access control lists (ACLs) are applied to the tunnel interface.

VPNs

VPN configuration information must be configured on both endpoints; for example, on your Cisco router and at the remote user, or on your Cisco router and on another router. You must specify parameters, such as internal IP addresses, internal subnet masks, DHCP server addresses, and Network Address Translation (NAT).

Configuration Tasks

Perform the following tasks to configure this network scenario:

• Configure a VPN

• Configure a GRE Tunnel

An example showing the results of these configuration tasks is shown in the section “Configuration

Example.”

Note The procedures in this chapter assume that you have already configured basic router features as well as

Chapter 4, “Configuring PPP over ATM with NAT,” and Chapter 5, “Configuring a LAN with DHCP and VLANs,” as appropriate for your router.

7-2

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

OL-6426-02

Page 87

Chapter 7 Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation

BETA DRAFT - CISCO CONFIDENTIAL

Configure a VPN

Perform the following tasks to configure a VPN over an IPSec tunnel:

• Configure the IKE Policy

• Configure Group Policy Information

• Enable Policy Lookup

• Configure IPSec Transforms and Protocols

• Configure the IPSec Crypto Method and Parameters

• Apply the Crypto Map to the Physical Interface

Configure the IKE Policy

Perform these steps to configure the Internet Key Exchange (IKE) policy, beginning in global configuration mode:

Configure a VPN

Step 1

Step 2

Step 3

Step 4

Command or Action Purpose

crypto isakmp policy priority

Creates an IKE policy that is used during IKE negotiation. The priority is a number from 1 to

Example:

Router(config)# crypto isakmp policy 1 Router(config-isakmp)#

10000, with 1 being the highest.

Also enters Internet Security Association Key and Management Protocol (ISAKMP) policy configuration mode.

encryption {des | 3des | aes | aes 192 | aes 256}

Specifies the encryption algorithm used in the IKE policy.

Example:

Router(config-isakmp)# encryption 3des Router(config-isakmp)#

hash {md5 | sha}

The example uses 168-bit Data Encryption Standard (DES).

Specifies the hash algorithm used in the IKE policy.

Example:

Router(config-isakmp)# hash md5 Router(config-isakmp)#

authentication {rsa-sig | rsa-encr | pre-share}

The example specifies the Message Digest 5 (MD5) algorithm. The default is Secure Hash standard (SHA-1).

Specifies the authentication method used in the IKE policy.

Example:

Router(config-isakmp)# authentication pre-share

Router(config-isakmp)#

The example uses a pre-shared key.

OL-6426-02

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

7-3

Page 88

Configure a VPN

Step 5

Chapter 7 Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation

BETA DRAFT - CISCO CONFIDENTIAL

Command or Action Purpose

group {1 | 2 | 5}

Example:

Router(config-isakmp)# group 2 Router(config-isakmp)#

Specifies the Diffie-Hellman group to be used in the IKE policy.

Step 6

lifetime seconds

Example:

Router(config-isakmp)# lifetime 480 Router(config-isakmp)#

Step 7

exit

Example:

Router(config-isakmp)# exit Router(config)#

Configure Group Policy Information

Perform these steps to configure the group policy, beginning in global configuration mode:

Command or Action Purpose

Step 1

crypto isakmp client configuration group {group-name | default}

Example:

Router(config)# crypto isakmp client configuration group rtr-remote

Router(config-isakmp-group)#

Specifies the lifetime, 60–86400 seconds, for an IKE security association (SA).

Exits IKE policy configuration mode, and enters global configuration mode.

Creates an IKE policy group that contains attributes to be downloaded to the remote client.

Also enters Internet Security Association Key Management Protocol (ISAKMP) policy configuration mode.

7-4

Step 2

key name

Specifies the IKE pre-shared key for the group policy.

Example:

Router(config-isakmp-group)# key secret-password

Router(config-isakmp-group)#

Step 3

dns primary-server

Specifies the primary Domain Name Service (DNS) server for the group.

Example:

Router(config-isakmp-group)# dns 10.50.10.1 Router(config-isakmp-group)#

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

Note You may also want to specify Windows

Internet Naming Service (WINS) servers for the group by using the wins command.

OL-6426-02

Page 89

Chapter 7 Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation

BETA DRAFT - CISCO CONFIDENTIAL

Command or Action Purpose

Step 4

domain name

Example:

Router(config-isakmp-group)# domain company.com

Router(config-isakmp-group)#

Configure a VPN

Specifies group domain membership.

Step 5

exit

Example:

Router(config-isakmp-group)# exit Router(config)#

Step 6

ip local pool {default | poolname} [low-ip-address [high-ip-address]]

Example:

Router(config)# ip local pool dynpool

30.30.30.20 30.30.30.30

Router(config)#

Enable Policy Lookup

Perform these steps to enable policy lookup through AAA, beginning in global configuration mode:

Command or Action Purpose

Step 1

aaa new-model

Exits IKE group policy configuration mode, and enters global configuration mode.

Specifies a local address pool for the group.

For details about this command and additional parameters that can be set, see the Cisco IOS Dial

Technologies Command Reference.

Enables the AAA access control model.

OL-6426-02

Step 2

Example:

Router(config)# aaa new-model Router(config)#

aaa authentication login {default | list-name} method1 [method2...]

Example:

Router(config)# aaa authentication login rtr-remote local

Router(config)#

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

Specifies AAA authentication of selected users at login, and specifies the method used.

This example uses a local authentication database. You could also use a RADIUS server for this. See the Cisco IOS Security Configuration Guide and the Cisco IOS Security Command Reference for details.

7-5

Page 90

Configure a VPN

Step 3

Chapter 7 Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation

BETA DRAFT - CISCO CONFIDENTIAL

Command or Action Purpose

aaa authorization {network | exec | commands

level | reverse-access | configuration} {default | list-name} [method1 [method2...]]

Example:

Router(config)# aaa authorization network rtr-remote local

Router(config)#

Specifies AAA authorization of all network-related service requests, including PPP, and the method used to do so.

This example uses a local authorization database. You could also use a RADIUS server for this. See the Cisco IOS Security Configuration Guide and the Cisco IOS Security Command Reference for details.

Step 4

username name {nopassword | password password | password encryption-type encrypted-password}

Example:

Router(config)# username Cisco password 0 Cisco

Router(config)#

Configure IPSec Transforms and Protocols

A transform set represents a certain combination of security protocols and algorithms. During IKE negotiation, the peers agree to use a particular transform set for protecting data flow.

Perform these steps to specify the IPSec transform set and protocols, beginning in global configuration mode:

Command or Action Purpose

Step 1

crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]

Example:

Router(config)# crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac

Router(config)#

Establishes a username-based authentication system.

This example implements a username of Cisco with an encrypted password of Cisco.

Defines a transform set—An acceptable combination of IPSec security protocols and algorithms.

See the Cisco IOS Security Command Reference for detail about the valid transforms and combinations.

7-6

Step 2

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}

Example:

Router(config)# crypto ipsec security-association lifetime seconds 86400

Router(config)#

Specifies global lifetime values used when negotiating IPSec security associations.

See the Cisco IOS Security Command Reference for details.

OL-6426-02

Page 91

Chapter 7 Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation

BETA DRAFT - CISCO CONFIDENTIAL

Note With manually established security associations, there is no negotiation with the peer, and both sides

must specify the same transform set.

Configure the IPSec Crypto Method and Parameters

Perform these steps to configure the IPSec crypto method, beginning in global configuration mode:

Command or Action Purpose

Step 1

crypto dynamic-map dynamic-map-name dynamic-seq-num

Example:

Router(config)# crypto dynamic-map dynmap 1 Router(config-crypto-map)#

Creates a dynamic crypto map entry, and enters crypto map configuration mode.

See the Cisco IOS Security Command Reference for more detail about this command.

Configure a VPN

Step 2

Step 3

Step 4

Step 5

set transform-set transform-set-name

[transform-set-name2...transform-set-name6]

Example:

Router(config-crypto-map)# set transform-set vpn1

Router(config-crypto-map)#

reverse-route

Example:

Router(config-crypto-map)# reverse-route Router(config-crypto-map)#

exit

Example:

Router(config-crypto-map)# exit Router(config)#

crypto map map-name seq-num [ipsec-isakmp] [dynamic dynamic-map-name] [discover] [profile profile-name]

Specifies which transform sets can be used with the crypto map entry.

Creates source proxy information for the crypto map entry.

See the Cisco IOS Security Command Reference for details.

Enters global configuration mode.

Creates a crypto map profile.

OL-6426-02

Example:

Router(config)# crypto map static-map 1 ipsec-isakmp dynamic dynmap

Router(config)#

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

7-7

Page 92

Chapter 7 Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation

Configure a GRE Tunnel

BETA DRAFT - CISCO CONFIDENTIAL

Apply the Crypto Map to the Physical Interface

The crypto maps must be applied to each interface through which IPSec traffic flows. Applying the crypto map to the physical interface instructs the router to evaluate all the traffic against the security associations database. With the default configurations, the router provides secure connectivity by encrypting the traffic sent between remote sites. However, the public interface still allows the rest of the traffic to pass and provides connectivity to the Internet.

Perform these steps to apply a crypto map to an interface, beginning in global configuration mode:

Command or Action Purpose

Step 1

interface type number

Example:

Router(config)# interface fastethernet 0 Router(config-if)#

Enters interface configuration mode for the interface to which you want to apply the crypto map.

Step 2

Step 3

crypto map map-name

Example:

Router(config-if)# crypto map static-map Router(config-if)#

exit

Example:

Router(config-if)# exit Router(config)#

Configure a GRE Tunnel

Perform these steps to configure a GRE tunnel, beginning in global configuration mode:

Command or Action Purpose

Step 1

interface type number

Example:

Router(config)# interface tunnel 1 Router(config-if)#

Applies the crypto map to the interface.

See th e Cisco IOS Security Command Reference for more detail about this command.

Enters global configuration mode.

Creates a tunnel interface and enters interface configuration mode.

7-8

Step 2

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

ip address ip-address mask

Example:

Router(config-if)# 10.62.1.193

255.255.255.252

Router(config-if)#

Assigns an address to the tunnel.

OL-6426-02

Page 93

Chapter 7 Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation

BETA DRAFT - CISCO CONFIDENTIAL

Command or Action Purpose

Step 3

tunnel source interface-type number

Example:

Router(config-if)# tunnel source fastethernet 2

Router(config-if)#

Configure a GRE Tunnel

Specifies the source endpoint of the router for the GRE tunnel.

Step 4

Step 5

Step 6

Step 7

tunnel destination default-gateway-ip-address

Example:

Router(config-if)# tunnel destination

192.168.101.1

Router(config-if)#

crypto map map-name

Example:

Router(config-if)# crypto map static-map Router(config-if)#

exit

Example:

Router(config-if)# exit Router(config)#

ip access-list {standard | extended} access-list-name

Example:

Router(config)# ip access-list extended vpnstatic1

Router(config-acl)#

Specifies the destination endpoint of the router for the GRE tunnel.

Assigns a crypto map to the tunnel.

Note Dynamic routing or static routes to the

tunnel interface must be configured to establish connectivity between the sites. See the Cisco IOS Security Configuration

Guide for details.

Exits interface configuration mode, and returns to global configuration mode.

Enters ACL configuration mode for the named ACL that is used by the crypto map.

OL-6426-02

Step 8

Step 9

permit protocol source source-wildcard destination destination-wildcard

Example:

Router(config-acl)# permit gre host

192.168.100.1 host 192.168.101.1

Router(config-acl)#

exit

Example:

Router(config-acl)# exit Router(config)#

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

Specifies that only GRE traffic is permitted on the outbound interface.

Returns to global configuration mode.

7-9

Page 94

Configuration Example

BETA DRAFT - CISCO CONFIDENTIAL

Configuration Example

The following configuration example shows a portion of the configuration file for a VPN using a GRE tunnel scenario described in the preceding sections.

! aaa new-model ! aaa authentication login rtr-remote local aaa authorization network rtr-remote local aaa session-id common ! username cisco password 0 cisco ! interface tunnel 1

ip address 10.62.1.193 255.255.255.252

tunnel source fastethernet 2

tunnel destination interface 192.168.101.1

ip route 20.20.20.0 255.255.255.0 tunnel 1

Chapter 7 Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation

crypto isakmp policy 1

encryption 3des authentication pre-share

group 2 ! crypto isakmp client configuration group rtr-remote

key secret-password

dns 10.50.10.1 10.60.10.1

domain company.com

pool dynpool ! crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac ! crypto ipsec security-association lifetime seconds 86400 ! crypto dynamic-map dynmap 1

set transform-set vpn1

reverse-route ! crypto map static-map 1 ipsec-isakmp dynamic dynmap crypto map dynmap isakmp authorization list rtr-remote crypto map dynmap client configuration address respond ! crypto isakmp policy 1 ! defines the key association and authentication for ipsec tunnel. hash md5 authentication pre-share crypto isakmp key cisco123 address 200.1.1.1 ! ! crypto ipsec transform-set set1 esp-3des esp-md5-hmac ! defines encryption and transform set for the ipsec tunnel. ! crypto map to_corporate 1 ipsec-isakmp ! associates all crypto values and peering address for the ipsec tunnel. set peer 200.1.1.1 set transform-set set1 match address 105 ! !! interface vlan 1 ! VLAN 1 is the internal home network

7-10

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

OL-6426-02

Page 95

Chapter 7 Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation

BETA DRAFT - CISCO CONFIDENTIAL

ip address 10.1.1.1 255.255.255.0 ip nat inside ip inspect firewall in ! inspection examines outbound traffic

crypto map static-map

no cdp enable ! interface fastethernet 0! FE0 is the outside or internet exposed interface ip address 210.110.101.21 255.255.255.0 ip access-group 103 in ! acl 103 permits ipsec traffic from the corp. router as well as denies internet initiated traffic inbound. ip nat outside no cdp enable crypto map to_corporate ! applies the ipsec tunnel to the outside interface. ! ip nat inside source list 102 interface Ethernet1 overload ! utilize nat overload in order to make best use of the single address provided by the isp. ip classless ip route 0.0.0.0 0.0.0.0 210.110.101.1 no ip http server ! ! ! acl 102 associated addresses used for nat. access-list 102 permit ip 10.1.1.0 0.0.0.255 any ! acl 103 defines traffic allowed from the peer for the ipsec tunnel. access-list 103 permit udp host 200.1.1.1 any eq isakmp access-list 103 permit udp host 200.1.1.1 eq isakmp any access-list 103 permit esp host 200.1.1.1 any access-list 103 permit icmp any any ! allow icmp for debugging but should be disabled due to security implications. access-list 103 deny ip any any ! prevents internet initiated traffic inbound. ! acl 105 matches addresses for the ipsec tunnel to/from the corporate network. access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255 no cdp run

Configuration Example

OL-6426-02

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

7-11

Page 96

Configuration Example

Chapter 7 Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation

BETA DRAFT - CISCO CONFIDENTIAL

7-12

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

OL-6426-02

Page 97

BETA DRAFT - CISCO CONFIDENTIAL

121781

5 6

CHA PTER

Configuring a Simple Firewall

The Cisco 1800 integrated services routers support network traffic filtering by means of access lists. The router also supports packet inspection and dynamic temporary access lists by means of Context-Based Access Control (CBAC).

Basic traffic filtering is limited to configured access list implementations that examine packets at the network layer or, at most, the transport layer, permitting or denying the passage of each packet through the firewall. However, the use of inspection rules in CBAC allows the creation and use of dynamic temporary access lists. These dynamic lists allow temporary openings in the configured access lists at firewall interfaces. These openings are created when traffic for a specified user session exits the internal network through the firewall. The openings allow returning traffic for the specified session (that would normally be blocked) back through the firewall.

See the Cisco IOS Security Configuration Guide, Release 12.3, for more detailed information on traffic filtering and firewalls.

Figure 8-1 shows a network deployment using PPPoE or PPPoA with NAT and a firewall.

Figure 8-1 Router with Firewall Configured

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

OL-6426-02

8-1

Page 98

Chapter 8 Configuring a Simple Firewall

BETA DRAFT - CISCO CONFIDENTIAL

1 Multiple networked devices—Desktops, laptop PCs, switches

2 Fast Ethernet LAN interface (the inside interface for NAT)

3 PPPoE or PPPoA client and firewall implementation—Cisco 1811/1812 or Cisco 1801/1802/1803

series integrated services router, respectively

4 Point at which NAT occurs

5 Protected network

6 Unprotected network

7 Fast Ethernet or ATM WAN interface (the outside interface for NAT)

In the configuration example that follows, the firewall is applied to the outside WAN interface (FE0) on the Cisco 1811 or Cisco 1812 and protects the Fast Ethernet LAN on FE2 by filtering and inspecting all traffic entering the router on the Fast Ethernet WAN interface FE1. Note that in this example, the network traffic originating from the corporate network, network address 10.1.1.0, is considered safe traffic and is not filtered.

Configuration Tasks

Perform the following tasks to configure this network scenario:

• Configure Access Lists

• Configure Inspection Rules

• Apply Access Lists and Inspection Rules to Interfaces

An example showing the results of these configuration tasks is shown in the section “Configuration

Example.”

Note The procedures in this chapter assume that you have already configured basic router features as well as

PPPoE or PPPoA with NAT. If you have not performed these configurations tasks, see Chapter 1, “Basic

Router Configuration,” Chapter 3, “Configuring PPP over Ethernet with NAT,” and Chapter 4, “Configuring PPP over ATM with NAT,” as appropriate for your router. You may have also configured

DHCP, VLANs, and secure tunnels.

8-2

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

OL-6426-02

Page 99

Chapter 8 Configuring a Simple Firewall

BETA DRAFT - CISCO CONFIDENTIAL

Configure Access Lists

Perform these steps to create access lists for use by the firewall, beginning in global configuration mode:

Command Purpose

Step 1

access-list access-list-number {deny | permit} protocol source source-wildcard [operator [port]] destination

Example:

Router(config)# access-list 103 permit host

200.1.1.1 eq isakmp any

Router(config)#

Configure Access Lists

Creates an access list which prevents Internetinitiated traffic from reaching the local (inside) network of the router, and which compares source and destination ports.

See the Cisco IOS IP Command Reference,

Volume 1 of 4: Addressing and Services for

details about this command.

Step 2

access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard

Example:

Router(config)# access-list 105 permit ip

10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255

Router(config)#

Configure Inspection Rules

Perform these steps to configure firewall inspection rules for all TCP and UDP traffic, as well as specific application protocols as defined by the security policy, beginning in global configuration mode:

Command or Action Purpose

Step 1

ip inspect name inspection-name protocol

Example:

Router(config)# ip inspect name firewall tcp Router(config)#

Creates an access list that allows network traffic to pass freely between the corporate network and the local networks through the configured VPN tunnel.

Defines an inspection rule for a particular protocol.

OL-6426-02

Step 2

ip inspect name inspection-name protocol

Example:

Router(config)# ip inspect name firewall rtsp Router(config)# ip inspect name firewall h323 Router(config)# ip inspect name firewall

netshow

Router(config)# ip inspect name firewall ftp Router(config)# ip inspect name firewall

sqlnet

Router(config)#

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

Repeat this command for each inspection rule that you wish to use.

8-3

Page 100

Chapter 8 Configuring a Simple Firewall

Apply Access Lists and Inspection Rules to Interfaces

BETA DRAFT - CISCO CONFIDENTIAL

Apply Access Lists and Inspection Rules to Interfaces

Perform these steps to apply the ACLs and inspection rules to the network interfaces, beginning in global configuration mode:

Command Purpose

Step 1

interface type number

Example:

Router(config)# interface vlan 1 Router(config-if)#

Enters interface configuration mode for the inside network interface on your router.

Step 2

Step 3

Step 4

Step 5

ip inspect inspection-name {in | out}

Example:

Router(config-if)# ip inspect firewall in Router(config-if)#

exit

Example:

Router(config-if)# exit Router(config)#

interface type number

Example:

Router(config)# interface fastethernet 0 Router(config-if)#

ip access-group {access-list-number | access-list-name} {in | out}

Example:

Router(config-if)# ip access-group 103 in Router(config-if)#

Assigns the set of firewall inspection rules to the inside interface on the router.

Returns to global configuration mode.

Enters interface configuration mode for the outside network interface on your router.

Assigns the defined ACLs to the outside interface on the router.

8-4

Step 6

exit

Returns to global configuration mode.

Example:

Router(config-if)# exit Router(config)#

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

OL-6426-02

Cisco OL-6426-02 User Manual

Cisco 1800 Series Integrated Services Router (Fixed) Software Installation Guide

CONTENTS

Preface

Audience

Organization

Conventions

Notes, Cautions, and Timesavers

Command Conventions

Related Documents

Obtaining Documentation

Cisco.com

Documentation DVD

Ordering Documentation

Documentation Feedback

Cisco Product Security Overview

Obtaining Technical Assistance

Reporting Security Problems in Cisco Products

Cisco Technical Support Website

Submitting a Service Request

Definitions of Service Request Severity

Obtaining Additional Publications and Information

Getting Started

Basic Router Configuration

Interface Port Labels

Viewing the Default Configuration

Information Needed for Configuration

Configuring Basic Parameters

Configure Global Parameters

Configure Fast Ethernet LAN Interfaces

Configure WAN Interfaces

Configure the Fast Ethernet WAN Interface

Configure the ATM WAN Interface

Configure the Wireless Interface

Configuring a Loopback Interface

Configuration Example

Verifying Your Configuration

Configuring Command-Line Access to the Router

Configuring Static Routes

Configuration Example

Configuration Example

Verifying Your Configuration

Configuring Dynamic Routes

Configuring RIP

Configuration Example

Verifying Your Configuration

Configuring Enhanced IGRP

Configuration Example

Verifying Your Configuration

Configuring Your Router for Ethernet and DSL Access

Sample Network Deployments

Configuring PPP over Ethernet with NAT

Configure the Virtual Private Dialup Network Group Number

Configure the Fast Ethernet WAN Interfaces

Configure the Dialer Interface

Configure Network Address Translation

Configuration Example

Verifying Your Configuration

Configuring PPP over ATM with NAT

Configure the Dialer Interface

Configure the ATM WAN Interface

Configure DSL Signaling Protocol

Configuring ADSL

Verify the Configuration

Configuring SHDSL

Verify the Configuration

Configure Network Address Translation

Configuration Example

Verifying Your Configuration

Configuring a LAN with DHCP and VLANs

Configure DHCP

Configuration Example

Verify Your DHCP Configuration

Configure VLANs

Verify Your VLAN Configuration

Switch Port Configurations

VLAN Trunking Protocol (VTP)

802.1x Authentication

Layer 2 Interfaces

MAC Table Manipulation