Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide, OL-5332-01
Chapter 12: Configuring Security Features
For information about configuring AAA services and supported security protocols, see the following sections of the Cisco IOS Security Configuration Guide:
Configuring Authentication
Configuring Authorization
Configuring Accounting
Configuring RADIUS
Configuring TACACS+
Configuring Kerberos
Configuring AutoSecure
The AutoSecure feature disables common IP services that can be exploited for network attacks and enables IP services and features that can aid in the defense of a network when under attack. These IP services are all disabled and enabled simultaneously with a single command, greatly simplifying security configuration on your router. For a complete description of the AutoSecure feature, see the AutoSecure feature document.
Configuring Access Lists
Access lists (ACLs) permit or deny network traffic over an interface based on source IP address,
destination IP address, or protocol. Access lists are configured as standard or extended. A standard
access list either permits or denies passage of packets from a designated source. An extended access list
allows designation of both the destination and the source, and it allows designation of individual
protocols to be permitted or denied passage. An access list is a series of commands with a common tag
to bind them together. The tag is either a number or a name.
Table 12-1
lists the commands used to
configure access lists.
Table 12-1 Access List Configuration Commands

ACL Type            Configuration Commands
Numbered, standard  access-list {1-99} {permit | deny} source-addr [source-mask]
Numbered, extended  access-list {100-199} {permit | deny} protocol source-addr [source-mask] destination-addr [destination-mask]
Named, standard     ip access-list standard name, followed by {permit | deny} {source [source-wildcard] | any}
Named, extended     ip access-list extended name, followed by {permit | deny} protocol {source-addr [source-mask] | any} {destination-addr [destination-mask] | any}

The source-mask and destination-mask arguments (source-wildcard in the named form) are wildcard masks, not subnet masks: a 0 bit must match the address exactly and a 1 bit is ignored. Thus 10.1.1.0 0.0.0.255 selects 10.1.1.0/24, and a mask of 0.0.0.0 (the default when the mask is omitted in a standard list) selects a single host. Entering a subnet mask such as 255.255.255.0 where a wildcard is expected matches almost everything except the intended network.
Access Groups

A sequence of access list definitions bound together with a common name or number is called an access group. An access group is enabled for an interface during interface configuration with the following command:

ip access-group {access-list-number | access-list-name} {in | out}

where in | out refers to the direction of travel of the packets being filtered, relative to the interface.
Guidelines for Creating Access Groups
Use the following guidelines when creating access groups.
The order of access list definitions is significant. A packet is compared against the first entry in the sequence. If that entry does not match (that is, neither a permit nor a deny occurs), the packet is compared with the next entry, and so on. The first matching entry decides the packet's fate; later entries are not consulted, so a specific deny placed after a broader permit never takes effect.
All parameters in an entry must match before that entry permits or denies the packet.
There is an implicit "deny all" at the end of every sequence, so a packet that matches no entry is dropped.
For more complete information on creating access lists, see the "Access Control Lists: Overview and Guidelines" section of the Cisco IOS Release 12.3 Security Configuration Guide.
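As an added illustration (not code from this guide or from Cisco IOS), the following Python model evaluates the numbered access lists of Table 12-1 under the rules in the guidelines above: wildcard-mask matching, first match wins, and the implicit deny at the end. The sample configuration, the addresses, and the choice to require an explicit wildcard (or any/host) in extended entries are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example, not Cisco code: a model of how IOS evaluates the numbered
# access lists in Table 12-1 (standard 1-99, extended 100-199). The "mask"
# arguments are IOS wildcard masks: a 0 bit must match, a 1 bit is ignored.

MASK32 = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under an IOS wildcard (inverse) mask."""
    care = ~to_int(wildcard) & MASK32
    return (to_int(addr) ^ to_int(base)) & care == 0


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    protocol: Optional[str]     # None for a standard entry; "ip" matches any protocol
    src: int
    src_wild: int
    dst: int = 0
    dst_wild: int = MASK32      # standard entries ignore the destination


def _address(tokens: list, i: int, wildcard_required: bool):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D [wildcard]'; return (addr, wild, next_i)."""
    if tokens[i] == "any":
        return 0, MASK32, i + 1
    if tokens[i] == "host":
        return to_int(tokens[i + 1]), 0, i + 2
    addr = to_int(tokens[i])
    if wildcard_required or i + 1 < len(tokens):
        return addr, to_int(tokens[i + 1]), i + 2
    # A standard entry may omit the wildcard; IOS then assumes 0.0.0.0 (exact host).
    return addr, 0, i + 1


def parse_entry(line: str) -> tuple:
    """Parse one 'access-list N ...' line into (list number, Entry)."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported line: {line!r}")
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99:
        src, wild, _ = _address(t, 3, wildcard_required=False)
        return number, Entry(action, None, src, wild)
    if 100 <= number <= 199:
        # Assumption of this model: extended entries carry an explicit wildcard
        # (or any/host), so source and destination terms cannot be confused.
        src, sw, i = _address(t, 4, wildcard_required=True)
        dst, dw, _ = _address(t, i, wildcard_required=True)
        return number, Entry(action, t[3], src, sw, dst, dw)
    raise ValueError(f"list {number} is neither standard (1-99) nor extended (100-199)")


def load_access_lists(config: str) -> dict:
    """Group access-list lines by number, preserving configuration order."""
    acls: dict = {}
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):     # "!" lines are comments here
            continue
        number, entry = parse_entry(line)
        acls.setdefault(number, []).append(entry)
    return acls


def evaluate(entries: list, src: str, dst: str = "0.0.0.0", protocol: str = "ip") -> str:
    """First matching entry wins; a packet matching no entry hits the implicit deny."""
    s, d = to_int(src), to_int(dst)
    for e in entries:
        if (s ^ e.src) & ~e.src_wild & MASK32:
            continue
        if e.protocol is not None:
            if e.protocol != "ip" and e.protocol != protocol:
                continue
            if (d ^ e.dst) & ~e.dst_wild & MASK32:
                continue
        return e.action
    return "deny"   # implicit "deny all" at the end of every list


# Constructed sample configuration for the demonstration.
SAMPLE_CONFIG = """
! The deny on the second line is unreachable: 10.1.1.7 already matched the
! permit for 10.1.1.0/24 above it (order matters).
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 deny 10.1.1.7
! Inside hosts may open TCP sessions anywhere (this line is hit first, so it
! also reaches 192.168.50.0/24), other traffic to that network is denied,
! everything else is permitted.
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any
access-list 101 deny ip any 192.168.50.0 0.0.0.255
access-list 101 permit ip any any
"""

ACLS = load_access_lists(SAMPLE_CONFIG)

if __name__ == "__main__":
    print(evaluate(ACLS[10], "10.1.1.7"))                            # permit
    print(evaluate(ACLS[10], "10.1.2.1"))                            # deny (implicit)
    print(evaluate(ACLS[101], "10.1.1.5", "192.168.50.3", "udp"))    # deny
    print(wildcard_match("10.1.1.5", "10.1.1.0", "255.255.255.0"))   # False: subnet mask used as wildcard
```

The last line shows the classic mistake the table's mask argument invites: with 255.255.255.0 as a wildcard only the final octet is compared, so 10.1.1.5 does not match 10.1.1.0 but 99.99.99.0 does.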
Configuring a CBAC Firewall

Context-Based Access Control (CBAC) lets you configure a stateful firewall in which packets are inspected internally and the state of network connections is monitored. This is superior to static access lists, because access lists can only permit or deny traffic based on individual packets, not streams of packets. Also, because CBAC inspects the packets, decisions to permit or deny traffic can be made by examining application layer data, something static access lists cannot do.

To configure a CBAC firewall, specify which protocols to examine by using the following command in global configuration mode:

ip inspect name inspection-name protocol timeout seconds

When inspection detects that the specified protocol is passing through the firewall, a dynamic access list entry is created to allow the passage of the return traffic for that session. The timeout parameter specifies the length of time the dynamic entry remains active without return traffic passing through the router. When the timeout value is reached, the dynamic entry is removed, and subsequent packets (possibly valid ones) are not permitted until a new session is inspected.
Use the same inspection name in multiple statements to group them into one set of rules. This set of rules is applied to an interface at the firewall with the ip inspect inspection-name {in | out} command in interface configuration mode.
See Chapter 8, "Configuring a Simple Firewall," for a sample configuration. For additional information about configuring a CBAC firewall, see the "Configuring Context-Based Access Control" section of the Cisco IOS Release 12.3 Security Configuration Guide.
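The following is an added example, not code from this guide or from Cisco IOS: a Python model of the inspection behaviour described above. An outbound packet of an inspected protocol opens a dynamic entry that admits its return flow through an otherwise closed inbound access list, and the entry disappears once the session has been idle for that protocol's timeout. The timeouts (3600 s for TCP, 15 s for UDP), the addresses and ports, and the assumption that return packets also reset the idle timer are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Added example, not Cisco code: a model of CBAC dynamic return-traffic entries
# and their idle timeout. Addresses, ports and timeouts are constructed.

# A flow is (protocol, source address, source port, destination address, destination port).
Flow = Tuple[str, str, int, str, int]


def reverse(flow: Flow) -> Flow:
    """The return flow that a reply to this flow will carry."""
    proto, src, sport, dst, dport = flow
    return (proto, dst, dport, src, sport)


@dataclass
class Inspector:
    # per-protocol idle timeouts, as set by "ip inspect name NAME protocol timeout seconds"
    timeouts: Dict[str, int]
    # the static access list applied inbound on the outside interface; the
    # simple firewall in this guide denies everything and lets CBAC open holes
    inbound_static: Callable[[Flow], str] = lambda flow: "deny"
    # dynamic entries: expected return flow -> time at which it expires
    sessions: Dict[Flow, float] = field(default_factory=dict)

    def _expire(self, now: float) -> None:
        # Remove entries whose idle timeout has elapsed. Later return packets for
        # those sessions fall through to the static list, as the text warns.
        self.sessions = {f: t for f, t in self.sessions.items() if t > now}

    def outbound(self, flow: Flow, now: float) -> str:
        """Inside -> outside. An inspected protocol creates or refreshes a return entry."""
        self._expire(now)
        proto = flow[0]
        if proto in self.timeouts:
            self.sessions[reverse(flow)] = now + self.timeouts[proto]
        return "permit"

    def inbound(self, flow: Flow, now: float) -> str:
        """Outside -> inside. Dynamic entries are consulted before the static list."""
        self._expire(now)
        if flow in self.sessions:
            # Assumption of this model: return traffic resets the idle timer.
            self.sessions[flow] = now + self.timeouts[flow[0]]
            return "permit"
        return self.inbound_static(flow)

    def active_sessions(self, now: float) -> int:
        self._expire(now)
        return len(self.sessions)


def build_firewall() -> Inspector:
    # Model of:
    #   ip inspect name FW tcp timeout 3600
    #   ip inspect name FW udp timeout 15
    # applied with "ip inspect FW out" on the outside interface, whose inbound
    # static list denies all traffic.
    return Inspector(timeouts={"tcp": 3600, "udp": 15})


if __name__ == "__main__":
    fw = build_firewall()
    fw.outbound(("tcp", "10.1.1.5", 40000, "203.0.113.9", 443), now=0)
    print(fw.inbound(("tcp", "203.0.113.9", 443, "10.1.1.5", 40000), now=10))    # permit: known session
    print(fw.inbound(("tcp", "203.0.113.9", 443, "10.1.1.5", 40001), now=10))    # deny: no such session
    print(fw.inbound(("tcp", "203.0.113.9", 443, "10.1.1.5", 40000), now=3611))  # deny: idle timeout passed
```

Protocols that are not named in any ip inspect statement (ICMP in this model) never create an entry, so their replies are judged by the static list alone; that is the behaviour to expect when a protocol is missing from the inspection rule set.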
Configuring Cisco IOS Firewall IDS
Cisco IOS Firewall Intrusion Detection System (IDS) technology enhances perimeter firewall protection by taking appropriate action on packets and flows that violate the security policy or represent malicious network activity.

Cisco IOS Firewall IDS identifies 59 of the most common attacks using "signatures" to detect patterns of misuse in network traffic. It acts as an in-line intrusion detection sensor, watching packets and sessions as they flow through the router and scanning each to match any of the IDS signatures. When it detects suspicious activity, it responds before network security can be compromised, logs the event, and, depending on configuration, sends an alarm, drops suspicious packets, or resets the TCP connection.

For additional information about configuring Cisco IOS Firewall IDS, see the "Configuring Cisco IOS Firewall Intrusion Detection System" section of the Cisco IOS Release 12.3 Security Configuration Guide.
Configuring VPNs
A virtual private network (VPN) connection provides a secure connection between two networks over a public network such as the Internet. Cisco 850 and Cisco 870 series access routers support site-to-site VPNs using IP security (IPSec) tunnels and generic routing encapsulation (GRE). You can configure either permanent VPN connections between two peers or dynamic VPNs using EZVPN or DMVPN, which create and tear down VPN connections as needed. Chapter 6, "Configuring a VPN Using Easy VPN and an IPSec Tunnel," and Chapter 7, "Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation," show examples of how to configure your router with these features. For more information about IPSec and GRE configuration, see the "Configuring IPSec Network Security" chapter of the Cisco IOS Release 12.3 Security Configuration Guide.
For information about additional VPN configurations supported by Cisco 850 and Cisco 870 series access routers, see the following feature documents:

EZVPN Server: Cisco 870 series routers can be configured to act as EZVPN servers, letting authorized EZVPN clients establish dynamic VPN tunnels to the connected network.

Dynamic Multipoint VPN (DMVPN): The DMVPN feature creates VPN tunnels between multiple routers in a multipoint configuration as needed, simplifying the configuration and eliminating the need for permanent, point-to-point VPN tunnels.
Chapter 13: Configuring Dial Backup and Remote Management
The Cisco 800 series access routers support dial-in (for remote management) and dial-out (for dial backup) capabilities. By allowing you to configure a backup modem line connection, the Cisco 800 series access routers provide protection against WAN downtime. Dial backup is inactive by default and must be configured to be active.

Dial backup functions can be configured as follows:
Through the auxiliary port on any Cisco 870 series router
Through the ISDN S/T port on a Cisco 876 with an advanced enterprise (c870-adventerprisek9-mz) image

Remote management functions can be configured as follows:
Through the auxiliary port on any Cisco 850 or Cisco 870 series router
Through the ISDN S/T port on the Cisco 876 and Cisco 878 routers
Note: The console port and the auxiliary port in the Cisco IOS software configuration are on the same physical RJ-45 port; therefore, both ports cannot be active at the same time, and the command-line interface (CLI) must be used to enable the desired function.
This chapter contains the following topics:
Dial Backup Feature Activation Methods
Dial Backup Feature Limitations
Configuring Dial Backup and Remote Management Through the Console or Auxiliary Port
Configuring Dial Backup and Remote Management Through the ISDN S/T Port
Dial Backup Feature Activation Methods
Three methods are available to activate the dial backup feature:
Backup Interfaces
Floating Static Routes
Dialer Watch
Backup Interfaces
When the router receives an indication that the primary line is down, a backup interface is brought up.
You can configure the backup interface to go down once the primary connection has been restored for a
specified period.
This is accomplished using dial-on-demand routing (DDR). When this is configured, a backup call is
triggered by specified traffic.
Note
Even if the backup interface comes out of standby mode (is brought up), the router does not trigger the
backup call unless it receives the specified traffic for that backup interface.
Configuring Backup Interfaces
Perform these steps to configure your router with a backup interface, beginning in global configuration
mode:
Command
Purpose
Step 1
interface
type number
Example:
Router(config)#
interface atm 0
Router(config-if)#
Enters interface configuration mode for the
interface for which you want to configure backup.
This can be a serial interface, ISDN interface, or
asynchronous interface.
The example shows the configuration of a backup
interface for an ATM WAN connection.
Step 2
backup interface
interface-type
interface-number
Example:
Router(config-if)#
backup
interface bri 0
Router(config-if)#
Assigns an interface as the secondary, or backup
interface.
This can be a serial interface or asynchronous
interface. For example, a serial 1 interface could
be configured to back up a serial 0 interface.
The example shows a Basic Rate Interface
configured as the backup interface for the ATM 0
interface.
Step 3
exit
Example:
Router(config-if)#
exit
Router(config)#
Enters global configuration mode.
Floating Static Routes
Floating static routes provide alternative routes for traffic. Floating static routes are not activated unless
a DDR backup call has been triggered by specified traffic for a backup interface.
Floating static routes are independent of line protocol status. This is an important consideration for
Frame Relay circuits because the line protocol may not go down if the data-link connection identifier
(DLCI) is inactive. Floating static routes are also encapsulation independent.
