Cisco Router 860, 880 Series User Manual

							 
5-29
Cisco 860 and Cisco 880 Series Integrated Services Routers Software Configuration Guide
OL-xxxxx-xx
Chapter 5      Configuring Backup Data Lines and Remote Management
  Configuring the Cellular Wireless Interface
 ip virtual-reassembly load-interval 30
 no atm ilmi-keepalive
!interface ATM0.1 point-to-point
 backup interface Cellular0
 ip nat outside ip virtual-reassembly
 pvc 0/35 
  pppoe-client dial-pool-number 2 !
!
interface FastEthernet0!
interface FastEthernet1
!interface FastEthernet2
!
interface FastEthernet3!
interface Cellular0
 ip address negotiated ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache dialer in-band
 dialer idle-timeout 0
 dialer string gsm dialer-group 1
 async mode interactive
 no ppp lcp fast-start ppp chap hostname [email protected]
 ppp chap password 0 B7uhestacr
 ppp ipcp dns request crypto map gsm1
!
interface Vlan1 description used as default gateway address for DHCP clients
 ip address 10.4.0.254 255.255.0.0
 ip nat inside ip virtual-reassembly
!
interface Dialer2 ip address negotiated
 ip mtu 1492
 ip nat outside ip virtual-reassembly
 encapsulation ppp
 load-interval 30 dialer pool 2
 dialer-group 2
 ppp authentication chap callin ppp chap hostname [email protected]
 ppp chap password 0 cisco
 ppp ipcp dns request crypto map gsm1
!
ip local policy route-map track-primary-ifip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer2 track 234
ip route 0.0.0.0 0.0.0.0 Cellular0 254no ip http server
no ip http secure-server 
						

							 
5-30
Cisco 860 and Cisco 880 Series Integrated Services Routers Software Configuration Guide
OL-xxxxx-xx
Chapter 5      Configuring Backup Data Lines and Remote Management
  Configuring the Cellular Wireless Interface
!!
ip nat inside source route-map nat2cell interface Cellular0 overload
ip nat inside source route-map nat2dsl interface Dialer2 overload!         
ip sla 1
 icmp-echo 209.131.36.158 source-interface Dialer2 timeout 1000
 frequency 2
ip sla schedule 1 life forever start-time nowaccess-list 1 permit any
access-list 2 permit 10.4.0.0 0.0.255.255
access-list 3 permit anyaccess-list 101 permit ip 10.4.0.0 0.0.255.255 any
access-list 102 permit icmp any host 209.131.36.158
access-list 103 permit ip host 166.136.225.89 128.107.0.0 0.0.255.255access-list 103 permit ip host 75.40.113.246 128.107.0.0 0.0.255.255
dialer-list 1 protocol ip list 1
dialer-list 2 protocol ip permit!
!
!route-map track-primary-if permit 10
 match ip address 102
 set interface Dialer2
!route-map nat2dsl permit 10
 match ip address 101
 match interface Dialer2!
route-map nat2cell permit 10
 match ip address 101 match interface Cellular0
!
!control-plane
!
!line con 0
 no modem enable
line aux 0line 3
 exec-timeout 0 0
 script dialer gsm login
 modem InOut
 no execline vty 0 4
 login
!scheduler max-task-time 5000
 
!webvpn cef
end 
						

							 
5-31
Cisco 860 and Cisco 880 Series Integrated Services Routers Software Configuration Guide
OL-xxxxx-xx
Chapter 5      Configuring Backup Data Lines and Remote Management
  Configuring Cellular Wireless Interface Data Line Backup
Configuring Cellular Wireless Interface Data Line Backup
The Cisco 881 and 888G Integrated Services Routers (ISRs) provide a Third Generation (3G) wireless 
interface for use over Global System for Mobile Communications (GSM) and code division multiple 
access (CDMA) networks. Its primary application is WAN connectivity as a backup data link for critical 
data applications. However, the 3G wireless interface can also function as the primary WAN connection. 
The interface is a 34-mm PCMCIA slot.
Prerequisites for Configuring 3G Wireless Interface
 You must have wireless service from a carrier, and you must have network coverage where your 
router will be physically placed. For a complete list of supported carriers, see the data sheet at the 
following URL:
http://www.cisco.com/go/3g
 You must subscribe to a service plan with a wireless service provider and obtain a SIM card (GSM 
modem only) from the service provider. 
 You must check your LEDs for signal strength as described in Ta b l e 5-2.
 You should be familiar with the Cisco IOS software, beginning with Cisco IOS Release 12.4(15)XZ 
or later for Cisco 3G Wireless support. (See the Cisco IOS documentation.)
 To configure your GSM data profile, you will need the following information from your service 
provider:
 –Username
 –Password
 –Access point name (APN)
 To configure your CDMA data profile for manual activation, you need the following information 
from your service provider: 
 –Master Subsidy Lock (MSL) number 
 –Mobile Directory number (MDN) 
 –Mobile Station Identifier (MSID) 
 –Electronic Serial Number (ESN) 
Ta b l e 5-2 Front Panel LED Signal Strength Indications
LEDLED ColorSignal Strength
3G RSSI1
1. 3G receive signal strength indication
AmberNo service available and no 
RSSI detected
Solid greenHigh RSSI (-69 dBm or higher)
Fast (16 Hz) blinking greenMedium RSSI (-89 to -70 dBm)
Slow (1 Hz) blinking greenLow to medium RSSI (-99 to -90 
dBm), minimum level for a 
reliable connection
OffLow RSSI (less than -100 dBm)  
						

							 
5-32
Cisco 860 and Cisco 880 Series Integrated Services Routers Software Configuration Guide
OL-xxxxx-xx
Chapter 5      Configuring Backup Data Lines and Remote Management
  Configuring Cellular Wireless Interface Data Line Backup 
						

							CH A P T E R
 
6-1
Book Title
OL-xxxxx-xx
6
Configuring Security Features
This chapter provides an overview of authentication, authorization, and accounting (AAA), which is the 
primary Cisco framework for implementing selected security features that can be configured on the 
Cisco
 860 and Cisco 880 series Integrated Services Routers (ISRs).
This chapter contains the following sections:
 Authentication, Authorization, and Accounting, page 6-1
 Configuring AutoSecure, page 6-2
 Configuring Access Lists, page 6-2
 Configuring Cisco IOS Firewall, page 6-3
 Configuring Cisco IOS IPS, page 6-4
 URL Filtering, page 6-4
 Cisco Adaptive Control Technology, page 6-4
 Configuring VPN, page 6-5
Authentication, Authorization, and Accounting
AAA network security services provide the primary framework through which you set up access control 
on your router. Authentication provides the method of identifying users, including login and password 
dialog, challenge and response, messaging support, and, depending on the security protocol you choose, 
encryption. Authorization provides the method for remote access control, including one-time 
authorization or authorization for each service, per-user account list and profile, user group support, and 
support of IP, Internetwork Packet Exchange (IPX), AppleTalk Remote Access (ARA), and Telnet. 
Accounting provides the method for collecting and sending security server information used for billing, 
auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), 
number of packets, and number of bytes.
AAA uses protocols such as RADIUS, TACACS+, or Kerberos to administer its security functions. If 
your router is acting as a network access server, AAA is the means through which you establish 
communication between your network access server and your RADIUS, TACACS+, or Kerberos security 
server. 
						

							 
6-2
Book Title
OL-xxxxx-xx
Chapter 6      Configuring Security Features
  Configuring AutoSecure
For information about configuring AAA services and supported security protocols, see the following 
sections of the 
Cisco IOS Release 12.4T Security Configuration Guide at 
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/12_4t/sec_12_4t_book.html:
 Configuring Authentication
 Configuring Authorization
 Configuring Accounting
 Configuring RADIUS
 Configuring TACACS+
 Configuring Kerberos
Configuring AutoSecure
The AutoSecure feature disables common IP services that can be exploited for network attacks and 
enables IP services and features that can aid in the defense of a network when under attack. These IP 
services are all disabled and enabled simultaneously with a single command, greatly simplifying security 
configuration on your router. For a complete description of the AutoSecure feature, see the 
AutoSecure 
feature document at 
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123_1/ftatosec.htm.
Configuring Access Lists
Access lists permit or deny network traffic over an interface based on source IP address, destination IP 
address, or protocol. Access lists are configured as standard or extended. A standard access list either 
permits or denies passage of packets from a designated source. An extended access list allows 
designation of both the destination and the source, and it allows designation of individual protocols to 
be permitted or denied passage. 
For more complete information on creating access lists, see the “Access Control Lists: Overview and 
Guidelines” section of the Cisco IOS Release 12.4 Security Configuration Guide at 
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/12_4/sec_12_4_book.html.
An access list is a series of commands with a common tag to bind them together. The tag is either a 
number or a name. 
Ta b l e 6-1 lists the commands used to configure access lists.
Ta b l e 6-1 Access List Configuration Commands
ACL TypeConfiguration Commands
Numbered
Standardaccess-list {1-99}{permit | deny} source-addr [source-mask]
Extendedaccess-list {100-199}{permit | deny} protocol source-addr 
[source-mask] destination-addr [destination-mask]
Named
Standardip access-list standard name deny {source | source-wildcard | any}
Extendedip access-list extended name {permit | deny} protocol 
{source-addr[source-mask] | any}{destination-addr 
[destination-mask] | any} 
						

							 
6-3
Book Title
OL-xxxxx-xx
Chapter 6      Configuring Security Features
  Configuring Cisco IOS Firewall
To create, refine, and manage access lists, see the following sections of the “Traffic Filtering, Firewalls, 
and Virus Detection” part of the 
Cisco IOS Release 12.4T Security Configuration Guide at 
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/12_4t/sec_12_4t_book.html:
 Creating an IP Access List and Applying It to an Interface
 Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values
 Refining an IP Access List
 Displaying and Clearing IP Access List Data Using ACL Manageability
Access Groups
An access group is a sequence of access list definitions bound together with a common name or number. 
An access group is enabled for an interface during interface configuration. Use the following guidelines 
when creating access groups.
 The order of access list definitions is significant. A packet is compared against the first access list 
in the sequence. If there is no match (that is, if neither a permit nor a deny occurs), the packet is 
compared with the next access list, and so on.
 All parameters must match the access list before the packet is permitted or denied.
 There is an implicit “deny all” at the end of all sequences.
For information on configuring and managing access groups, see the ““Creating an IP Access List to 
Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values” section of the Cisco IOS Release 
12.4T Security Configuration Guide at 
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/12_4t/sec_12_4t_book.html:.
Configuring Cisco IOS Firewall
The Cisco IOS Firewall lets you configure a stateful firewall where packets are inspected internally and 
the state of network connections is monitored. Stateful firewall is superior to static access lists, because 
access lists can only permit or deny traffic based on individual packets, not based on streams of packets. 
Also, because Cisco
 IOS Firewall inspects the packets, decisions to permit or deny traffic can be made 
by examining application layer data, which static access lists cannot examine.
To configure a Cisco IOS Firewall, specify which protocols to examine by using the following command 
in interface configuration mode:
ip inspect name inspection-name protocol timeout seconds
When inspection detects that the specified protocol is passing through the firewall, a dynamic access list 
is created to allow the passage of return traffic. The timeout parameter specifies the length of time the 
dynamic access list remains active without return traffic passing through the router. When the timeout 
value is reached, the dynamic access list is removed, and subsequent packets (possibly valid ones) are 
not permitted.
Use the same inspection name in multiple statements to group them into one set of rules. This set of rules 
can be activated elsewhere in the configuration by using the ip inspect inspection-name in | out 
command when you configure an interface at the firewall.
For additional information about configuring a Cisco IOS Firewall, see the “Cisco IOS Firewall 
Overview” section of the Cisco IOS Release 12.4 Security Configuration Guide at 
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/12_4/sec_12_4_book.html. 
						

							 
6-4
Book Title
OL-xxxxx-xx
Chapter 6      Configuring Security Features
  Configuring Cisco IOS IPS
The Cisco IOS Firewall may also be configured to provide voice security in Session Initiated Protocol 
(SIP) applications. SIP inspection provides basic inspect functionality (SIP packet inspection and 
detection of pin-hole openings), as well protocol conformance and application security. For more 
information, see 
“Cisco IOS Firewall: SIP Enhancements: ALG and AIC” at 
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_sip_alg_aic.html.
Configuring Cisco IOS IPS
Cisco IOS Intrusion Prevention System (IPS) technology is available on Cisco 880 series ISRs and 
enhances perimeter firewall protection by taking appropriate action on packets and flows that violate the 
security policy or represent malicious network activity.
Cisco IOS IPS identifies attacks using “signatures” to detect patterns of misuse in network traffic. 
Cisco
 IOS IPS acts as an in-line intrusion detection sensor, watching packets and sessions as they flow 
through the router, scanning each to match known IPS signatures. When Cisco
 IOS IPS detects 
suspicious activity, it responds before network security can be compromised, it logs the event, and, 
depending on configuration, it does one of the following:
 sends an alarm
 drops suspicious packets
 resets the connection
 denies traffic from the source IP address of the attacker for a specified amount of time
 denies traffic on the connection for which the signature was seen for a specified amount of time
For additional information about configuring Cisco IOS IPS, see the “Configuring Cisco IOS Intrusion 
Prevention System (IPS)” section of the Cisco IOS Release 12.4T Security Configuration Guide at 
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/12_4t/sec_12_4t_book.html:.
URL Filtering
Cisco 860 series and Cisco 880 series ISRs provide category based URL filtering. The user provisions 
URL filtering on the ISR by selecting categories of websites to be permitted or blocked. An external 
server, maintained by a 3rd party, will be used to check for URLs in each category. Permit and deny 
policies are maintained on the ISR. The service is subscription based, and the URLs in each category are 
maintained by the 3rd party vendor.
For additional information about configuring URL filtering, see Subscription-based Cisco IOS Content 
Filtering at http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_url_filtering.html.
Cisco Adaptive Control Technology
Cisco 860 series and Cisco 880 series ISRs support Cisco Adaptive Control Technology (ACT), a 
reliable rapid-response communication mechanism for responding to and controlling security threats on 
a network. ACT incorperates the Threat Information Distribution Protocol (TIDP), which provides a 
rapid and secure mechanism to distribute security threat information, and TIDP Based Mitigation 
Service (TMS), which provides a framework to rapidly and efficiently distribute threat information to 
devices across the network. 
						

							 
6-5
Book Title
OL-xxxxx-xx
Chapter 6      Configuring Security Features
  Configuring VPN
For additional information about configuring ACT, see Cisco Adaptive Control Technology (ACT) at 
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_c_act.html.
Configuring VPN
A virtual private network (VPN) connection provides a secure connection between two networks over a 
public network such as the Internet. Cisco 860 and Cisco 880 series ISRs support two types of 
VPNs—site-to-site and remote access. Site-to-site VPNs are used to connect branch offices to corporate 
offices, for example. Remote access VPNs are used by remote clients to log in to a corporate network. 
Two examples are given in this section: remote access VPN and site-to-site VPN.
Remote Access VPN
The configuration of a remote access VPN uses Cisco Easy VPN and an IP Security (IPSec) tunnel to 
configure and secure the connection between the remote client and the corporate network. 
Figure 6-1 
shows a typical deployment scenario.
Figure 6-1 Remote Access VPN Using IPSec Tunnel
1Remote networked users
2VPN client—Cisco 880 series access router
3Router—Providing the corporate office network access
4VPN server—Easy VPN server; for example, a Cisco VPN 3000 concentrator with outside 
interface address 210.110.101.1
5Corporate office with a network address of 10.1.1.1
6IPSec tunnel
2
1
121782
Internet
34
5
6 
						

							 
6-6
Book Title
OL-xxxxx-xx
Chapter 6      Configuring Security Features
  Configuring VPN
The Cisco Easy VPN client feature eliminates much of the tedious configuration work by implementing 
the Cisco
 Unity Client protocol. This protocol allows most VPN parameters, such as internal IP 
addresses, internal subnet masks, DHCP server addresses, Windows Internet Naming Service (WINS) 
server addresses, and split-tunneling flags, to be defined at a VPN server, such as a Cisco VPN 3000 
series concentrator that is acting as an IPSec server. 
A Cisco Easy VPN server–enabled device can terminate VPN tunnels initiated by mobile and remote 
workers who are running Cisco Easy VPN Remote software on PCs. Cisco
 Easy VPN server–enabled 
devices allow remote routers to act as Cisco
 Easy VPN Remote nodes.
The Cisco Easy VPN client feature can be configured in one of two modes—client mode or network 
extension mode. Client mode is the default configuration and allows only devices at the client site to 
access resources at the central site. Resources at the client site are unavailable to the central site. 
Network extension mode allows users at the central site (where the VPN 3000 series concentrator is 
located) to access network resources on the client site.
After the IPSec server has been configured, a VPN connection can be created with minimal configuration 
on an IPSec client, such as a supported Cisco
 880 series ISR. When the IPSec client initiates the VPN 
tunnel connection, the IPSec server pushes the IPSec policies to the IPSec client and creates the 
corresponding VPN tunnel connection. 
NoteThe Cisco Easy VPN client feature supports configuration of only one destination peer. If your 
application requires creation of multiple VPN tunnels, you must manually configure the IPSec VPN and 
Network Address Translation/Peer Address Translation (NAT/PAT) parameters on both the client and the 
server. 
Cisco 860 and Cisco 880 series ISRs can be also configured to act as Cisco Easy VPN servers, letting 
authorized Cisco
 Easy VPN clients establish dynamic VPN tunnels to the connected network. For 
information on the configuration of Cisco
 Easy VPN servers see the Easy VPN Server feature document 
at http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ftunity.html.
Site-to-Site VPN
The configuration of a site-to-site VPN uses IPSec and the generic routing encapsulation (GRE) protocol 
to secure the connection between the branch office and the corporate network. 
Figure 6-2 shows a typical 
deployment scenario.
Figure 6-2 Site-to-Site VPN Using an IPSec Tunnel and GRE
1Branch office containing multiple LANs and VLANs
2Fast Ethernet LAN interface—With address 192.165.0.0/16 (also the inside interface for NAT)
3VPN client—Cisco 860 or Cisco 880 series ISR
121783
Internet
3
1
2457
6
8
9