index


Symbols

A

AAA
configuring   4-12

aaa authentication login default command   4-12

aaa authorization auth-proxy default command   4-12

aaa new-model command   4-12

abbreviating commands, context-sensitive help   1-2

accept dialin command   4-7, 4-9

access control
planning   2-5
undefined packets and   3-55

access control lists
See ACL

access-list (encryption) command   3-30

access-list access-list-number permit tcp host source eq tacacs host destination command   4-12

access-list command   3-53

access-list permit ip host command   3-30

access lists
protecting from spoofing   2-6
special considerations   2-3
violating   2-4
WFQ and   3-44
See also extended access lists

ACL
CBWFQ   3-45

address keyword, using (note)   3-25, 3-28

AH
ESP and (note)   3-32
IP numbers   3-29

arrow keys, on ANSI-compatible terminals (note)   1-2

attaching service policies   3-50

ip auth-proxy name auth-proxy-name http   4-15

authentication, authorization, and accounting
See AAA

authentication command   3-21

authentication header
See AH

authentication proxy
configuring   4-11, 4-14
verifying   4-16

B


bandwidth command   3-42, 3-49

broadcasts, disabling directed   2-6

business scenarios
figure   2-2
overview   2-1

C

CA interoperability
description   3-18
features   2-7

carrier protocols (tunneling)   3-8

CBWFQ
configuring   3-45
enabling   3-50
verifying   3-50

CDP, turning off   2-5

CEF support   2-4, 4-5

Certification Authority interoperability
See CA interoperability

changes, saving   1-11

Cisco 7100 series routers
installation assumptions   2-7
ISM features   3-17

Cisco Connection Online   xv, xvi

Cisco Discovery Protocol
See CDP

Cisco Express Forwarding
See CEF support

Cisco IOS firewall authentication proxy
See authentication proxy

Cisco IOS firewalls
See firewalls

Cisco Secure PIX Firewall
locating documentation   3-51

Cisco Secure VPN Client
locating documentation   4-4

Class-Based Weighted Fair Queuing
See CBWFQ

class class-default command   3-49

class command   3-42, 3-49

class map
configuring   3-40
verifying   3-41

class-map command   3-40, 3-47

class-map match-all   3-41

class policy
configuring   3-48

clear crypto sa command   3-37

command   4-15

command modes
command options   1-2
online help   1-2
summary (table)   1-9
understanding   1-8

configuration examples
extranet
business partner router   3-65 to 3-66
headquarters router   3-61 to 3-64
intranet
headquarters router   3-56 to 3-58
remote office router   3-59 to 3-60
remote access
L2TP/IPSec configuration   4-19
PPTP/MPPE configuration   4-17

configuration files
corrupted   1-9
saving changes   1-11
saving to NVRAM   1-11

configuration modes, using   1-9

configuring
AAA   4-12
authentication methods with IKE policies   3-21
authentication proxy   4-11, 4-14
CBWFQ   3-45
class maps   3-40
class policy   3-48
crypto maps   3-32
encryption   3-17, 3-29, 4-10
fair queuing   3-44
firewalls   3-50
GRE tunnels   3-3, 3-9 to 3-11
HTTP server   4-14
IKE policies   3-20
IPSec   4-10
IPSec tunnel mode   3-30
L2TP   4-9
L2TP/IPSec   4-8
MPPE   4-8
NAT   3-13
NBAR   3-40
policy maps   3-42
PPTP   4-7
PPTP/MPPE   4-5
preshared keys   3-23, 3-27
QoS   3-38
virtual templates   4-6, 4-9

console access considerations   2-3

console ports
breaks on   2-5
configuring passwords on   2-5

controller isa command   4-8

crypto access lists
commands (table)   3-30
compatibility   3-33
creating   3-29
extended access lists versus   3-53
verifying   3-30

crypto ipsec transform-set command   3-31

crypto isakmp enable command   3-20

crypto isakmp identity address command   3-24

crypto isakmp key address command   3-25

crypto isakmp key command   3-24, 3-27

crypto map command   3-34

crypto map entries
configuring   3-32
creating   3-34
defining IPSec processing   3-29
verifying   3-35

crypto maps
applying to interfaces   3-36
verifying interface associations   3-38

crypto map s4second command   3-37

customer service and support   xv, xvi

D


defining class maps   3-47

demilitarized zone
See DMZ network description

denial-of-service attacks, directed broadcasts and   2-6

Diffie-Hellman group identifier, specifying   3-21

directed broadcasts
See broadcasts

DMZ network description   3-53

documentation
audience   x
CD-ROM   xvi
conventions   xiv
feedback   xvi
latest version   xi
organization   xi
purpose   ix
related   xii

E


enable password command   2-5

enable secret command   2-5

encapsulating security payload
See ESP

encryption
configuring   3-17, 4-10
description   3-17
tunnels and   3-8

encryption command   3-20

encryption mppe command   4-8

error messages
ICMP Host Unreachable   3-55

ESP
AH and (note)   3-32
IP numbers   3-29

exit command   4-7, 4-10

extended access lists
creating   3-53
description   3-51
verifying   3-54, 3-55

extranet VPN scenario
description   2-2
figure   3-5
physical elements   3-5
physical elements (figure)   3-6, 3-61
physical elements (table)   3-6

F


fair queuing
configuring   3-44
flow-based WFQ   3-44

fast switching support   2-4

firewalls
basic traffic filtering configurations   3-52
benefits   3-51
configuring   3-50
special considerations   2-5

flow classification of packets   3-44

G

Generic Routing Encapsulation
See GRE tunnels

global configuration mode, summary   1-9

GRE tunnels
Cisco routers or access servers (note)   3-10
configuring   3-3, 3-9 to 3-10
protocol   3-8
troubleshooting configurations   3-11
verifying   3-11
See also intranet VPN scenario

group command   3-21

H


headquarters network scenario
See intranet VPN scenario

help
command-line interface   1-1
finding command options   1-2
technical support   xv, xvi

help command   1-2

hostname keyword, using (note)   3-25, 3-28

HTTP server
configuring   4-14

I


IKE
description   3-18
keys
See preshared keys
policies
configuration, required   3-21
configuring   3-20
defaults, viewing   3-11
default values (note)   3-20
enabling by default   3-19
identifying   3-20
RSA signatures method requirements   3-22
troubleshooting   3-26
verifying   3-25
viewing   3-25
SAs and   3-33
UDP port   3-29

inside global address   3-14

inside local address   3-14

inside network   3-13

Integrated Service Module
See ISM

interface command   4-15

interface configuration mode, summary   1-10

interface fastethernet command   3-16

interfaces
applying crypto maps   3-36
applying IP access lists   3-54
verifying crypto map associations   3-38

interface serial command   3-44

interface tunnel command   3-9

interface virtual-template number command   4-6

Internet Key Exchange
See IKE

Internet Security Association & Key Management Protocol
See ISAKMP identities

intranet VPN scenario
configuring   3-9
description   2-2, 3-2
figure   3-2
physical elements   3-2
physical elements (figure)   3-3, 3-56
physical elements (table)   3-4

intrusion detection   3-51

ip access-group command   3-54

ip access-list extended command   3-30

IP access lists
applying to interface   3-54
for security   2-3
inbound or outbound   3-54
software checking of   3-55
undefined   3-55
See also extended access lists   3-53

IP addresses
NAT definitions   3-14
nonregistered   3-13
protecting internal   2-6
renumbering   3-13
static translation   3-14

ip auth-proxy auth-cache-time command   4-14

ip auth-proxy auth-proxy-banner command   4-14

ip auth-proxy command   4-15

IP datagrams
in IPSec tunnel mode   3-12

ip http access-class command   4-14

ip http authentication aaa command   4-14

ip http server command   4-14

ip local pool default command   4-6

ip mroute-cache command   4-7

ip nat inside command   3-16

ip nat inside source command   3-16

ip nat outside command   3-16

ip route command   3-10

IPSec
clearing SAs   3-37
configuring   3-29, 4-10
configuring tunnels   3-17
description   3-18
IP unicast frames   3-8
proxies   3-12
special considerations   2-4

IPSec access lists
explicitly permitting traffic (note)   3-29
requirements   3-29

IPSec tunnel mode
configuring   3-30

IP Security Protocol
See IPSec

IP tunneling concepts and terminology (figure)   3-8

IP unicast frames, IPSec and   3-8

ip unnumbered command   4-6

ISAKMP identities, setting   3-25, 3-27

ISM
in Cisco 7100 series routers   3-17
services   3-2, 4-2

K

keys
See preshared keys

L

L2TP
compatibility   4-5
configuring   4-9
verifying   4-10

L2TP/IPSec
configuring   4-8

Layer 2 Tunneling Protocol
See L2TP

lifetime command   3-21

   4-15

local name command   4-7, 4-10

loopback interfaces
emulating interfaces   2-4
using   3-34

M


match address command   3-34

match-all command   3-41

match-any command   3-41

match class-map command   3-41

match input-interface command   3-48

match not command   3-41

match protocol command   3-41, 3-48

Microsoft Dial-Up Networking   4-4

Microsoft Point-to-Point Compression
See MPPC

Microsoft Point-to-Point Encryption
See MPPE

Microsoft Windows 2000   4-4

Microsoft Windows 95   4-4

Microsoft Windows 98   4-4

Microsoft Windows NT 4.0   4-4

modes
See command modes

mode tunnel command   3-31

Modular QoS Command Line Interface
See MQC

MPPC   4-5

MPPE
configuring   4-8

MQC   3-40

N

NAT
address definitions   3-14
configuring   3-13
inside source translation (figure)   3-15
source address translation process   3-15
static translation process   3-16
tunnels and   3-8
verifying static inside source address translation   3-17

NBAR
attaching policy maps to interfaces   3-42
configuring   3-40
configuring class maps   3-40
configuring policy maps   3-42
verifying class map configuration   3-41
verifying policy map configuration   3-43

Network Address Translation
See NAT

network-based application recognition
See NBAR

network management applications
special considerations   2-6

Network Time Protocol
See NTP

no bandwidth command   3-42

no cdp run command   2-5

no class-map command   3-41

no commands   1-10

no ip directed-broadcast command   2-6

no ip source-route command   2-6

no match-all command   3-41

no match-any command   3-41

no police command   3-42

no policy-map command   3-42

no proxy-arp command   2-6

no random-detect command   3-42

no service-policy command   3-43

no service tcp-small-servers command   2-6

no service udp-small-servers command   2-6

no set command   3-42

no shutdown command   3-10

NTP, turning off   2-5

ntp disable command   2-5

NVRAM, saving configuration to   1-11

O


outside local address   3-14

outside network   3-13

P


passenger protocols (tunneling)   3-8

passwords
commands for setting   2-5
port for configuring   2-5

peer default ip address pool default command   4-6

ping command   3-11

PIX Firewall
See Cisco Secure PIX Firewall

Point-to-Point Tunneling Protocol
See PPTP

police bps conform transmit exceed drop command   3-42

policies
See IKE policies

policy-map command   3-42, 3-49

policy maps
configuring   3-42
verifying   3-43

ppp authentication ms-chap command   4-6

ppp encrypt mppe command   4-7

PPTP
configuring   4-7

PPTP/MPPE
configuring   4-5
verifying   4-8

preshared keys
configuring   3-23, 3-27
specifying   3-24, 3-27

priority traffic
See WFQ

privileged EXEC mode, summary   1-9

process switching support   2-4

prompts, system   1-9

protocol l2tp command   4-9

protocol pptp command   4-7

protocols, tunneling   3-8

proxyacl#n command   4-13

Q

QoS
characteristics   3-38
configuring   3-38

queue-limit command   3-42, 3-49

R


random-detect command   3-42

Remote Access Dial-In User Service
See RADIUS

remote access VPN scenario
physical elements (table)   4-3

RFC 1631, IP Network Address Translator (NAT)   3-14

Rivest, Shamir, and Adleman
See RSA encrypted nonces method

ROM monitor mode
description   1-9
summary   1-10

RSA encrypted nonces method   3-22

RSA signatures, configuration requirements for IKE   3-22

S

SAs
IKE established
crypto map entries, creating   3-33

saving, configuration changes   1-11

scenario description
remote access scenario   4-2

security associations
See SAs

service and support   xv, xvi

service policies
attaching   3-50

service-policy command   3-50

service-policy input command   3-43

service-policy output command   3-43

set ip precedence command   3-42

set peer command   3-35

set qos-group command   3-42

set transform-set command   3-35

show access-lists command   3-30, 3-54

show class-map command   3-41

show crypto ipsec transform-set command   3-32

show crypto isakmp policy command   3-20, 3-25

show crypto map command   3-35

show crypto map interface command   3-38

show interfaces fair-queue command   3-45

show interfaces ip command   3-55

show interfaces serial command   3-45

show interfaces tunnel command   3-11

show ip auth-proxy cache command   4-16

show ip auth-proxy configuration command   4-16

show ip nat translations verbose command   3-17

show policy-map command   3-43

show policy policy-map command   3-50

show running-config command   4-17, 4-19

show version command   3-26

show vpdn session command   4-8

show vpdn tunnel command   4-8, 4-10

source routing, disabling   2-6

spoofing, protecting against   2-6

startup configuration, saving   1-11

static translation, IP addresses   3-14

stub domain, NAT configured on   3-13

subinterface configuration mode, summary   1-10

syslog, special considerations   2-3

T


TACACS+, implementing   2-3

tacacs-server host command   4-12

tacacs-server key command   4-12

tail drop   3-48

technical support   xv, xvi

Telnet access considerations   2-3

template configurations, special considerations   2-3

Terminal Access Controller Access Control System Plus
See TACACS+

traffic priority management
See WFQ

transform sets
crypto map entries and   3-33
defining   3-30
verifying   3-32

transport mode
description   3-12
IPSec (figure)   3-13

transport protocols (tunneling)   3-8

troubleshooting
entering ROM monitor mode at startup   1-9
extended access lists   3-55
GRE tunnels   3-11
IKE policy verification   3-26
syslog message logs for   2-3

tunnel destination command   3-10

tunneling
components   3-8
description   3-7
encryption in   3-8
special considerations   2-4

tunnel mode
configuring   3-29
description   3-12
IPSec (figure)   3-13

tunnel mode gre ip command   3-10

tunnel source command   3-9

U

V

verifying
authentication proxy   4-16
CBWFQ   3-50
class maps   3-41
crypto access lists   3-30
crypto map entries   3-35
crypto map interface associations   3-38
extended access lists   3-54, 3-55
GRE tunnel configuration   3-11
IKE policies   3-25
IPSec tunnel mode   3-32
L2TP   4-10
PPTP/MPPE   4-8
static inside source address translation   3-17
transform sets   3-32
WFQ configuration   3-45

Virtual Private Networks
See VPNs

virtual-template command   4-7, 4-10

virtual templates
configuring   4-6, 4-9

virtual terminal ports, protecting   2-5

vpdn-enable command   4-7, 4-9

vpdn-group 1 command   4-7, 4-9

VPNs
configuration assumptions   2-7
See also extranet VPN scenario
See also intranet VPN scenario

W

Weighted Fair Queuing
See WFQ

Weighted Random Early Detection
See WRED

WFQ
configuring   3-44
traffic priority management   3-44
verifying configuration   3-45

Windows 2000
compatibility   4-5

WRED
CBWFQ   3-46


Posted: Mon Mar 6 13:44:59 PST 2000
Copyright © 1989-2000 Cisco Systems Inc.