Access-Dial Technical Tips
● Asynchronous Connectivity
● Modems
● ISDN
● Dial on Demand Routing (DDR)
● Point-to-Point Protocol (PPP)
● Authentication, Authorization, and Accounting (AAA)
● General
● Access Products
Access Related Links
● Access DSL
● Access VPN and Cisco Secure
● Broadband Cable
● Access Dial Top Issues
● Technology Support Page
● Product Support Page
Asynchronous Connectivity
This section includes terminals, async interfaces, comm/terminal servers, and aux/console port connections.
● Sample Configurations
❍ Configuring a Comm/Terminal Server for Router Console Access
❍ Setting up a Comm/Terminal Server for Sun Console Access
http://www.cisco.com/warp/public/471/index.shtml (1 of 13) [5/6/2001 7:30:58 PM]
❍ Printing to a Comm Server on IBM AIX
❍ How to Tunnel Async Data
❍ AUX Back-to-Back
❍ Sample Configuration - DDR Auxport Dial Backup
❍ Configuring EXEC Callback
❍ Async-PPP Callback Between an Access Server and a PC
❍ DNIS and Modem Pooling With a PRI Line
❍ WINS/DHCP on an AS5200
❍ VTY Async Sample Configuration
❍ Cisco Access Dial Configuration Cookbook
● Tech Notes
❍ Modem-Router Connection Guide
❍ Attaching a US Robotics Modem to the Console Port of a Cisco Router
❍ Cabling Guide for RJ-45 Console and AUX Ports
❍ Console Port Problem on Cisco 2500
❍ How Async Lines are Numbered in Cisco 3600 Series Routers
❍ Using service tcp-keepalives to Clear Hung Telnet Sessions
❍ RTS and DTR: Why They Might Toggle
❍ Interfacing TAs and V.25bis
Modems
This section includes information on using external modems, and internal modems, such as Microcom, MICA, and Nextport.
● Sample Configurations
❍ Configuring Modem Connectivity with a Cisco 3640 BRI
❍ Async Backup with Dialer Profiles
❍ Configuring DDR to Backup an Async Connection
❍ DNIS and Modem Pooling With a PRI Line
❍ DNIS and Modem Pooling Using a CAS T1 Line
❍ Modem-Pooling With DNIS
❍ Router-to-Router Async Multilink PPP
❍ Async Multilink PPP Dialup from Microsoft Windows® Clients
❍ Configuring EXEC Callback
❍ Async-PPP Callback Between an Access Server and a PC
❍ Cisco Access Dial Configuration Cookbook
● Tech Notes
❍ Modem-Router Connection Guide
❍ Attaching a US Robotics Modem to the Console Port of a Cisco Router
❍ Configuring Modem Recovery
❍ Overview of General Modem and NAS Line Quality
❍ Configuring Client Modems to Work with Cisco Access Servers
❍ Client Modem Firmware Overview
❍ MICA Modem States and Disconnect Reasons
❍ Comparing NextPort SPE Commands to MICA Modem Commands
❍ Dialup Technology: Overviews and Explanations
❍ Windows 95 with CHAP Authentication
● Troubleshooting
❍ Dialup Technology: Troubleshooting Techniques
❍ Using Customer Dial-in Lab to test your connection
❍ Testing Async DDR into the San Jose Dial-in Lab
● FAQs
❍ Dialout Utility Frequently Asked Questions
ISDN
This section covers Integrated Services Digital Network (ISDN) technologies such as Basic Rate Interface (BRI) and Primary Rate Interface (PRI).
● Sample Configurations
❍ Configuring ISDN DDR with Dialer Profiles
❍ Sample Configuration - BRI Rotary Group
❍ Configuring ISDN BRI using the ip unnumbered Command
❍ Static Routes over Unnumbered BRI Interfaces
❍ Dial-on-demand Routing (DDR) with Easy IP
❍ Configuring Easy IP
❍ BRI-to-BRI Connection using Data Over Voice
❍ Configuring ISDN BRI to PRI using Multilink PPP to Aggregate Physical Interfaces
❍ Snapshot Routing over ISDN
❍ Basic AS5200 with Two PRIs
❍ Basic AS5300 with Four PRIs
❍ AS5300 Supporting ISDN v.120 Calls
❍ AS5300 Supporting ISDN v.120 Calls with a Virtual Template
❍ Configuring NFAS with Four T1s
❍ DDR Backup using BRIs and the backup interface Command
❍ Configuring BRI Backup Interface with Dialer Profiles
❍ Configuring BRI-to-BRI Dialup with DDR Dialer Maps
❍ Configuring DDR Backup using BRIs and Dialer Watch
❍ Configuring ISDN Backup for Frame Relay
❍ Configuring Frame Relay Backup
❍ Scalable ISDN Backup Strategy for Large OSPF Networks
❍ Backup Bridging over ISDN
❍ Time-Based ISDN/Async (Legacy) DDR
❍ PPP Callback Over ISDN
❍ ISDN Authentication and Callback with Caller ID
❍ Bridging Across ISDN
❍ ISDN Sample Configuration - Bridging
❍ PPP Half-Bridging
❍ Cisco IOS™ Router to Ascend Access Server
❍ Sample Configuration - AppleTalk
❍ AppleTalk over ISDN with DDR
❍ Cisco Access Dial Configuration Cookbook
● Tech Notes
❍ Dialup Technology: Overviews and Explanations
❍ ISDN Debug Information
❍ Configuring the Basic Rate Interface (BRI) for ISDN in Germany
❍ Configuring ISDN for Australia
❍ Configuring the Basic Rate Interface (BRI) for ISDN Leased Lines in Spain (NOVACOM)
❍ Capabilities of Typical ISDN Switches
❍ ISDN Glossary
● Troubleshooting
❍ Dialup Technology: Troubleshooting Techniques
❍ Using the show isdn status Command for BRI Troubleshooting
❍ Troubleshooting ISDN BRI Layer 1
❍ Troubleshooting ISDN BRI Layer 2
❍ Troubleshooting ISDN BRI SPIDs
❍ Understanding debug isdn q931 Disconnect Cause Codes
❍ T1 Troubleshooting Flowcharts
❍ T1 PRI Troubleshooting
❍ Troubleshooting ISDN and DDR
❍ Troubleshooting ISDN Connections
Dial on Demand Routing (DDR)
Articles found here cover using DDR for on-demand dial connectivity, backup to a WAN link and callback.
● Sample Configurations
❍ Configuring ISDN DDR with Dialer Profiles
❍ AS5300 Dialing out with ISDN/Async (Outbound DDR)
❍ Dial-on-demand Routing (DDR) with Easy IP
❍ Easy IP
❍ ISDN DDR Using HDLC Encapsulation
❍ Async Backup with Dialer Profiles
❍ Configuring BRI Backup Interface with Dialer Profiles
❍ Configuring DDR Backup using BRIs and Dialer Watch
❍ DDR Backup using BRIs and the backup interface Command
❍ Configuring BRI-to-BRI Dialup with DDR Dialer Maps
❍ Configuring ISDN DDR Backup for Frame Relay
❍ Configuring Frame Relay Backup
❍ Configuring DDR to Backup an Async Connection
❍ DDR Auxport Dial Backup
❍ Backup Bridging over ISDN
❍ Configuring Dialer Profiles to Bridge using ISDN
❍ Bridging with Dialer Profiles
❍ Configuring EXEC Callback
❍ AUX Back-to-Back
❍ Snapshot Routing
❍ Using Floating Static Routes and Dial-on-Demand Routing
❍ Time-Based ISDN/Async (Legacy) DDR
❍ AppleTalk over ISDN with DDR
❍ Cisco Access Dial Configuration Cookbook
● Tech Notes
❍ Dialup Technology: Overviews and Explanations
❍ Multilink PPP for DDR - Basic Configuration and Verification
❍ Restrictions for the dialer max-link 1 Command and MPPP
❍ Evaluating Backup Interfaces, Floating Static Routes, and Dialer Watch for DDR Backup
❍ Deciding and Preparing to Configure DDR
❍ Dialer Profiles Operation
● Troubleshooting
❍ Dialup Technology: Troubleshooting Techniques
❍ Troubleshooting ISDN and DDR
❍ Using Customer Dial-in Lab to test your connection
❍ Testing Async DDR into the San Jose Dial-in Lab
● FAQs
❍ Snapshot Routing: Frequently Asked Questions
Point-to-Point Protocol (PPP)
This section covers normal PPP dialup, Multilink PPP, Multichassis MPPP, and PPP Callback.
● Sample Configurations
❍ Configuring PPP Dial-up
❍ Cisco CHAP/PAP Call-in
❍ AS5300 Configured for MLP on Async and ISDN
❍ Async Multilink PPP Dialup from Microsoft Windows® Clients
❍ Router-to-Router Async Multilink PPP
❍ Multilink PPP on Back-to-back Routers with Multiple Serial Interfaces
❍ Inverse MUX Application using Multilink PPP
❍ Multilink Via Virtual-Template on Two Serial Interfaces
❍ Multilink PPP Across Two Serial Physical-layer Async Interfaces
❍ Multichassis Multilink PPP with AS5300s
❍ Multichassis Multilink PPP with Cisco AS5300s and an Offload Server
❍ Configuring L2TP Multihop to Perform MMPPP in the LNS
❍ Sample Configuration - APPN over PPP Multilink
❍ Async-PPP Callback Between an Access Server and a PC
❍ PPP Callback with Local Authentication
❍ PPP Callback Over ISDN
❍ PPP Callback with RADIUS
❍ PPP Callback with TACACS+
❍ PPP Half-Bridging
❍ How to Setup PPP Idle Timeout For Async Using RADIUS
❍ Access Server Dial-In IP/PPP Configuration With Dedicated V.120 PPP
❍ Cisco Access Dial Configuration Cookbook
● Tech Notes
❍ Dialup Technology: Overviews and Explanations
❍ PPP Authentication Using the ppp chap hostname and ppp authentication chap callin Commands
❍ Common Problems in Debugging RADIUS, PAP and CHAP
❍ CHAP or ARAP With TACACS+: Interoperability Problems With One-Time Password Systems
❍ Multilink PPP for DDR - Basic Configuration and Verification
❍ How to Speed Up the Addition of ISDN B Channels to a Multilink PPP Bundle
❍ Criteria for Naming Multilink PPP Bundles
❍ Restrictions for the dialer max-link 1 Command with Multilink PPP
❍ Microsoft Windows 2000 PCs with MPPP Connections Experience Low Throughput
❍ Multichassis Multilink PPP (MMP)
❍ Access Server Dial-In IP/PPP Configuration With Dedicated V.120 PPP
❍ Connecting 3Com to Cisco via PPP
❍ Stampede for PC Dialin Access
❍ PPP Per-User Timeouts
❍ Virtual Access PPP Features in Cisco IOS
● Troubleshooting
❍ Dialup Technology: Troubleshooting Techniques
❍ Troubleshooting Async Multilink PPP Operations
❍ Using Customer Dial-in Lab to test your connection
❍ Testing Async DDR into the San Jose Dial-in Lab
Authentication, Authorization, and Accounting (AAA)
This section covers configuring the Access Servers (NAS) for router-based (local) AAA and server-based AAA (RADIUS and TACACS+). It does not cover specific RADIUS and TACACS+ server configuration issues.
● Sample Configurations
❍ Implementing Local AAA
❍ Implementing Server-Based AAA
❍ TACACS+ Dial-Up Sample Config
❍ Configuring Large Scale Dialout Using TACACS+
❍ Implementing Server-Based AAA Accounting
❍ AAA Device Configuration Samples
❍ How To Apply Access Lists to Dial Interfaces with a RADIUS Server
❍ How to Setup PPP Idle Timeout For Async Using RADIUS
● Tech Notes
❍ PPP Per-User Timeouts
❍ Using AAA Server to Manage IP Pools in a Network Access Server
❍ TACACS+ and RADIUS Comparison
❍ Double Authentication Design and Implementation Guide
❍ RADIUS/TACACS+ Technical Tips
● Troubleshooting
❍ Diagnosing and Troubleshooting AAA Operations
❍ Common Problems in Debugging RADIUS, PAP and CHAP
❍ Configuring ISDN BRI to PRI using Multilink PPP to Aggregate Physical Interfaces
❍ ISDN NFAS Primary and Backup D Channel
❍ Configuring NFAS with Four T1s
❍ DNIS and Modem Pooling With a PRI Line
❍ Cisco Access Dial Configuration Cookbook
● Tech Notes
❍ Dialup Technology: Overviews and Explanations
❍ E1 R2 Signaling Theory
❍ E1 R2 Customization with the cas-custom Command
❍ Understanding the show controller e1 Command
❍ Configuring Cisco Integrated Data Service Unit/Channel Service Unit (DSU/CSU) Modules and WAN Interface Cards
❍ E1 R2 Signaling Configuration and Troubleshooting
❍ Hard Plug Loopback Tests for E1 Lines
❍ Dialup Technology: Troubleshooting Techniques
● FAQs
❍ Line Coding Information
Virtual Private Dialup Networks (VPDN)
This section covers configuring L2TP and L2F VPDN using Radius, Tacacs+ and router-based authentication.
● Sample Configurations
❍ Configuring a Basic Virtual Private Dialup Network (VPDN)
❍ Advanced Virtual Private Dialup Network
❍ Advanced Virtual Private Dialup Network Configuration
❍ Detailed Scenario for Access VPDN Dial-in Using L2TP
❍ Configuring Virtual Private Dialup Networks
❍ How-To Configure RADIUS Authentication for VPDNs
❍ How-To Configure TACACS+ Authentication for VPDNs
❍ How-To Configure Layer 2 Tunnel Protocol Authentication with RADIUS
❍ How-To Configure Layer 2 Tunnel Protocol Authentication with TACACS+
❍ Basic Dial-in VPDN Configuration Using VPDN Groups
❍ Dial-in VPDN Configuration Using VPDN Groups and TACACS+
❍ Configuring L2TP Multihop to Perform MMPPP in the LNS
❍ Configuring L2TP Multihop to Perform Several Hops from the NAS to the LNS
❍ Cisco Access Dial Configuration Cookbook
● Tech Notes
❍ Adding Multiple Cisco AV-Pairs to a User Profile
❍ Understanding Virtual Private Dialup Network (VPDNs)
❍ Domain Stripping Hack
❍ Layer 2 Tunnel Protocol
❍ Security Technical Tips: Internetworking
● Changing the IP Address on the Media Gateway Access Controller
● The cisco-nas@external.cisco.com Alias
● Floating Static Route to a Null Interface
● Using service tcp-keepalives to Clear Hung Telnet Sessions
● Troubleshooting Access Lists on Dial Interfaces
● Connecting a Windows 95 Client to a Windows NT Server through a Cisco Router
● WINS/DHCP on an AS5200
● PPP Half-Bridging
● Suppressing Messages on Async Lines
● Dialout Utility Frequently Asked Questions
● TN3270 on an AS5200
Access Products
For general information not specific to access-dial technologies concerning these and other Cisco routers, refer to the Router Issues main index page.
● Network Modules
● WAN Interface Cards (WICs)
● IOS Installation and Upgrade
● Boot Failure Recovery
● Password Recovery
700 Series
● Cisco 700 Not Responding to Cisco Fast Step Version 1
● Cisco 700 Connectivity Problems
● Cisco 700 Series Frequently Asked Questions
● Configuring the Cisco 753 and Cisco 1004 to Dial In to a Cisco AS5200 Access Server
1000 Series
● Enabling the IPX Option on the Cisco 1020
● Accessing the EXEC of the Cisco 1020
● Console Port Problem on Cisco 2500
● Configuring Integrated Data Service Unit/Channel Service Unit (DSU/CSU) Modules and WAN Interface Cards
2600 Series
● WAN Interface Cards (WICs)
3600 Series
● How Async Lines are Numbered in Cisco 3600 Series Routers
● Configuring Modem Connectivity with a Cisco 3640 BRI
● WAN Interface Cards
AS5200/AS5300 Series
● Commissioning the Cisco AS5300 Hardware
● Cisco AS5x00 Case Study for Basic IP Modem Services
AS5350/AS5400 Series
● Commissioning the Cisco AS5400 Hardware
● Cisco AS5x00 Case Study for Basic IP Modem Services
● Comparing NextPort SPE Commands to MICA Modem Commands
AS5800 Series
● Commissioning the Cisco AS5800 Hardware
● Cisco AS5x00 Case Study for Basic IP Modem Services
● Cisco IOS Software Commands for Cisco AS5800 Hardware Inspection
● WAN Interface Cards for the Cisco 1600 Series
All contents are Copyright © 1992-2001 Cisco Systems, Inc. All rights reserved.
Security Technical Tips
This page provides tips directly from Cisco's Technical Assistance Center (TAC) engineers to help you with security issues
Products
● Cisco Centri Firewall (EOL)
● IOS Firewall (formerly Cisco Secure Integrated Software)
● Cisco Secure Intrusion Detection System (formerly NetRanger)
● Cisco Secure PIX Firewall
● Cisco Secure Policy Manager (formerly Cisco Security Manager)
● Cisco Secure Scanner (formerly NetSonar)
● Cisco VPN 3000 Concentrator
● Cisco VPN 5000 Concentrator
● Cisco VPN General Information
● CiscoSecure ACS for Windows
● CiscoSecure ACS UNIX
● Security FAQs
● Related Links
Cisco Centri Firewall (EOL)
● Step-by-step Configuration for Centri Firewall Exposed Services
● Cisco Centri Firewall Frequently Asked Questions, Part 1
● Cisco Centri Firewall product information
● End of Life Plan
IOS Firewall (formerly Cisco Secure Integrated Software)
● How NAT Works
● Cisco Secure Integrated Software Configuration Cookbook
● Benefits and Limitations of Context-Based Access Control: Using Cisco Secure Integrated Software (formerly Cisco IOS® Firewall)
● Using the Cisco IOS Firewall to Deny Java Applets
● Context-based Access Control: Introduction and Configuration
● Lock and Key Sample Configuration
● RFC 2267 - Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing
Cisco Secure Intrusion Detection System (formerly NetRanger)
● Cisco Secure Intrusion Detection System Product Support Pages
● Cisco Secure IDS - Configuring/Troubleshooting Email Notifications
● Password Recovery Procedure for the Cisco Secure IDS (formerly NetRanger®) Sensor
● Cisco Secure IDS - Excluding False Positive Alarms
● Interpreting Cisco Secure IDS Log Files
● Using the Cisco Secure IDS Sensor COM Port for Console Access
● Cisco Secure IDS Documentation
http://www.cisco.com/warp/public/707/index.shtml (2 of 13) [5/6/2001 7:31:36 PM]
● Cisco Secure Intrusion Detection product literature
Cisco Secure PIX Firewall
● Cisco Secure PIX Firewall Series Support Pages
● PIX Top Issues
● Troubleshoot the PIX Firewall using Troubleshooting Assistant
● Configuring the PIX Firewall with Mail Server Access on Inside Network
● Configuring the PIX Firewall with Mail Server Access on Outside Network
● Configuring the PIX Firewall with Mail Server Access on DMZ Network
● Sample Configuration: IPSec Tunnel - Cisco Secure PIX Firewall to Checkpoint 4.1 Firewall
● Configuring and Troubleshooting the Cisco Secure PIX Firewall with a Single Internal Network
● How Failover Works on the Cisco Secure PIX Firewall
● Upgrading Cisco Secure PIX Firewall Software
● Cisco Secure PIX Firewall Frequently Asked Questions
● Using SNMP with the Cisco Secure PIX Firewall
● Cisco PIX Firewall Manager: Frequently Asked Questions
● PIX Firewall: When to Use the nat, global, static, or conduit Commands
● PIX Password Recovery
● How to Allow ICMP Pings through a Firewall in Versions 4.2 and Later of the PIX Firewall
● Addressing an Unregistered Network Using RFC-1918
● Clarification of static and conduit Syntax in PIX Versions 4.1.x and 4.2.x
● Establishing Connectivity Through Cisco PIX Firewalls
● Maximizing Network Security Using a PIX
● PIX Firewall established Command
● PIX Performance Issues Caused by IDENT Protocol (Port 113)
● Poor or Intermittent FTP/HTTP Performance Through a PIX
● Recommended Initial Configuration for the nat 0 Statement
● Setting Up PIX Syslog
● Testing the PIX Firewall mailhost Command
● Cisco's PIX Firewall Series and Stateful Firewall Security (White Paper)
● Sample Configuration: Cisco Secure PIX Firewall and VPN Clients Using PPTP, MPPE and IPSec
● Sample Configuration: PIX to PIX and VPN Client 1.1
● Sample Configuration: PIX to PIX to PIX IPSec (Hub and Spoke)
● Sample Configuration: PIX to PIX to PIX IPSec (Fully Meshed)
● Sample Configuration: IPSec Tunnel Through Firewall with NAT
● Cisco PIX 5.1-to-VPN Wild-card, Pre-shared, Mode Configuration with Extended Authentication
● How to Add AAA Authentication (Xauth) to PIX IPSec 5.2 and 5.3
● Sample Configuration: Cisco VPN 5000 Concentrator to Cisco Secure PIX Firewall
● How To Perform Authentication, Authorization, and Accounting of Users Through the PIX (5.2 and 5.3)
● How To Perform Authentication and Enabling on the Cisco Secure PIX Firewall (5.2 and 5.3)
● Cisco Secure PIX Firewall with a Single Internal Network
● Cisco Secure PIX Firewall with Two Internal Networks
● Cisco Secure PIX Firewall with Three Internal Networks
● Sample Configuration: Cisco VPN 3000 Concentrator to PIX Firewall
● How-to Configure the Cisco Secure PIX Firewall to Use PPTP
● PIX Firewall with Mail Server Access
● Configuring PIX 5.1.x: TACACS+ and RADIUS
● Configuring PIX 5.0.x: TACACS+ and RADIUS
● PIX, TACACS+, and RADIUS Sample Configuration: 4.4.x
● PIX, TACACS+, and RADIUS Sample Configuration: 4.3.x
● PIX, TACACS+, and RADIUS Sample Configuration: 4.2.x
● Cisco PIX-to-VPN Wild-card, Pre-shared, Mode Configuration
● Terminating IPSec Tunnels on Multiple Cisco Secure PIX Firewall Interfaces with Xauth
● Configuring IPSec - Router to PIX: Using the nat 0 access-list Command
● IPSec: Simple PIX-to-PIX VPN Configuration
● IPSec Between Cisco Secure PIX Firewall 5.1 and a VPN Client with Extended Authentication
● PIX-to-VPN Client Wild-card, Pre-shared, No Mode Configuration
● Tunneling IP Multicast Packets through a PIX Firewall
● Sample Configuration: Using the Cisco PIX Firewall
Cisco Secure Policy Manager (formerly Cisco Security Manager)
● Cisco Secure Policy Manager Product Support Pages
● Archiving and Rollback Procedures for Cisco Secure Policy Manager 2.x
● Cisco Secure Policy Manager product information
● Documentation
Cisco Secure Scanner (formerly NetSonar)
● Cisco Secure Scanner Product Support Pages
● Cisco NetSonar License Problem
Cisco VPN 3000 Concentrator
● Configuring IPSec - Cisco VPN 3000 Client to Cisco VPN 3000 Concentrator
● Configuring an IPSec Tunnel - Cisco VPN 3000 Concentrator to Checkpoint 4.1 Firewall
● Sample Configuration: Cisco VPN 3000 Concentrator - Blocking with Filters and RADIUS Filter Assignment
● Using Cisco Secure ACS for Windows 2.5 with the VPN 3000 Concentrator
● How to Configure the VPN 3000 Concentrator PPTP with Funk RADIUS Authentication
● How to Configure the VPN 3000 Concentrator PPTP with Cisco Secure ACS for Windows 2.5 RADIUS Authentication
● How to Configure the VPN 3000 Concentrator PPTP with Local Authentication
● Sample Configuration: Cisco VPN 3000 Concentrator Series Group Lock Feature
● How to Configure the Cisco VPN 3000 Client to VPN 3000 Concentrator with Microsoft Windows NT Domain Authentication
● Sample Configuration: VPN 3000 Client to Concentrator with IPSec SDI Authentication
● How to Configure the VPN 3000 Concentrator with Microsoft Certificates
● Configuring the Cisco VPN 3000 Concentrator and the Network Associates PGP Client
● NAT Transparent Mode for IPSec
● How to Manage the VPN 3000 Concentrator from the Public Network
● Sample Configuration: Cisco VPN 3000 Concentrator to Cisco IOS
● Sample Configuration: Cisco VPN 3000 Concentrator to PIX Firewall
● Using a Microsoft Windows 2000 Client to Connect to the Cisco VPN 3000 Concentrator
● Monitoring Cisco VPN Concentrators 2.1.3 and Earlier Over a LAN-to-LAN Session
● When is PPTP Encryption Supported on a Cisco VPN 3000 Concentrator?
● Configuring the Cisco VPN 3000 Concentrator for Microsoft Windows 2000 Support
● Cisco VPN 3000 Concentrator Vendor Specific Attributes: User and Group Attributes
● Using RADIUS with Cisco VPN 3000 Products
● Renegotiating LAN-to-LAN Configurations Between Cisco VPN 3000 Concentrators and Cisco IOS or PIX Devices
● What is VRRP?
● Cisco VPN 3000 Concentrator FAQs
● How to Configure the Cisco VPN 3000 Concentrator with MS RADIUS
● How Cisco 3000 Concentrator Clients are Authenticated on the Concentrator and How the Concentrator Uses User and Group Attributes
● How to Configure IPSec Clients to Authenticate to and Receive Addresses from a Funk RADIUS Server
● Installing Digital Certificates on the Cisco VPN Concentrator
● What Does the "Unable to Notify Service of Security Parameters" Error Message Mean?
Cisco VPN 5000 Concentrator
● Configuring an IPSec Tunnel - Cisco VPN 5000 Concentrator to Checkpoint 4.1 Firewall
● Cisco VPN 5000 Concentrator: Migrating from STEP to IKE Clients
● How to Authenticate VPN 5000 Client to the VPN 5000 Concentrator with Cisco Secure ACS for Windows 2.5 (RADIUS)
● How To Configure the Cisco VPN 5000 Client to the Cisco VPN 5000 Concentrator with SDI Authentication
● How To Configure the Cisco VPN 5000 Client to the Cisco VPN 5000 Concentrator with Cisco Secure UNIX (RADIUS) Authentication
● Sample Configuration: Cisco VPN 5000 Client to the Cisco VPN 5000 Concentrator with Local Authentication
● Sample Configuration: Cisco VPN 5000 Concentrator to Cisco Secure PIX Firewall
● Cisco VPN 5001/5002/5008 Aggressive-Mode Site-to-Site Setup Guide: Command Line Version
● Setting Up the Cisco VPN 5000 Concentrator Initially and for IPSec Main-Mode LAN-to-LAN VPN Connectivity
● Setting Up the Cisco VPN 5000 Concentrator Initially and for Remote Client Access
● Sample Configuration: Router-to-VPN 500x Concentrator LAN-to-LAN Tunnel
● Virtual Private Networks and Internet Key Exchange for the Cisco VPN 5000 Concentrator Series
Cisco VPN General Information
● VPN Top Issues
● VPN Clients with Microsoft Routing Problems
● Which VPN Solution is Right for You?
CiscoSecure ACS for Windows
● CiscoSecure ACS for Windows Product Support Pages
● Setting Up the User-Changeable Password Utility in CiscoSecure ACS for Windows 2.6
● Configuring CiscoSecure ACS 2.6 for Windows Router PPTP Authentication
● Using CiscoSecure ACS NT 2.5 with the VPN 3000 Concentrator
● How-To Configure Layer 2 Tunnel Protocol Authentication with TACACS+
● How-To Configure Layer 2 Tunnel Protocol Authentication with RADIUS
● CiscoSecure ACS NT: Command-line TACACS+ and RADIUS Debugging
● How to Assign Privilege Levels with TACACS+ and RADIUS
● CiscoSecure NT: Configuring Large Scale Dialout Using TACACS+
● Obtaining CiscoSecure for Windows NT Version and AAA Debug Information
CiscoSecure UNIX
● CiscoSecure ACS UNIX Product Support Pages
● Using AAA Server to Manage IP Pools in a Network Access Server
● How-To Configure Layer 2 Tunnel Protocol Authentication with TACACS+
● How-To Configure Layer 2 Tunnel Protocol Authentication with RADIUS
● How to Assign Privilege Levels with TACACS+ and RADIUS
● CiscoSecure: How to Setup PPP Idle Timeout For Async Using RADIUS
● Configuring CSU for UNIX (Solaris)
● CiscoSecure UNIX & SDI
● CiscoSecure Compatibility
● AAA privilege-level 15 Command Authorization
● CiscoSecure 1.x for First-time Users
● CiscoSecure 2.x for First-time Users (TACACS+)
● Configuring TACACS+ and Cisco Secure: Cisco Secure Sample Configurations
● CiscoSecure 1.x Dial-up Sample Configuration
● Using ISQL to View the CiscoSecure 2.0 Database
● Configuring TACACS+ and Cisco Secure: Router and NAS Sample TACACS+ Configurations
● Configuring TACACS+ and Cisco Secure: RADIUS Daemon Sample TACACS+ Configuration
● Supporting One-time Passwords on ISDN
● TokenCaching Design and Implementation Guide
Technologies
IPSec
● IP Security (IPSec) Support Page
● Configuring IPSec Between a Microsoft Windows 2000 Server and a Cisco Device
● Cisco Secure VPN Client: Troubleshooting with View Log
● Configuring and Troubleshooting Cisco's Proprietary Network-Layer Encryption:
❍ Part I: Background Information and Basic Network-Layer Encryption Configuration
❍ Part II: IP Security (IPSec) and Internet Security Association and Key Management Protocol (ISAKMP)
● An Introduction to IP Security (IPSec) Encryption
● Configuring an IPSec Tunnel - Cisco Router to Checkpoint Firewall 4.1
● Sample Configuration: IPSec/GRE with NAT
● Sample Configuration: IPSec - Cisco Secure VPN Client to Central Router Controlling Access
● Sample Configuration: IPSec with Routing Protocols Using GRE Tunneling
● Sample Configuration: IPSec Tunnel through Firewall with NAT
● Configuring Router to Router IPSec (Pre-shared Keys) on GRE Tunnel with CBAC and NAT
● Sample Configuration: VPN 3000 Client to Concentrator with IPSec SDI Authentication
● Sample Configuration: IPSec Router-to-Router, Pre-shared, NAT Overload Between Private Networks
● Sample Configuration: IPSec Router-to-Router, Pre-shared, NAT Overload Between a Private and a Public Network
● Configuring IPSec Manual Keying between Routers
● Sample Configuration: IP Security Tunnel End-point Discovery
● Configuring a Router IPSec Tunnel Private-to-Private Network with NAT and Static
● Sample Configuration: Router Mode-config, Wild-card, Pre-shared Keys, no NAT
● Sample Configuration: IPSec - Wild-card Pre-shared Keys with Cisco Secure VPN Client and No-mode Config
● Sample Configuration: IPSec Router-to-Router Fully Meshed
● Sample Configuration: IPSec Router-to-Router Hub and Spoke
● Sample Configuration: IPSec Router-to-Router with NAT Overload and Cisco Secure VPN Client
● Sample Configuration: Router-to-Router - Dynamic to Static IPSec with NAT
● Sample Configuration: GRE and IPSec with IPX Routing
● Terminating IPSec Tunnels on Multiple Cisco Secure PIX Firewall Interfaces with Xauth
● Configuring IPSec - Router to PIX: Using the nat 0 access-list Command
● IPSec: Simple PIX-to-PIX VPN Configuration
● IPSec Between Cisco Secure PIX Firewall 5.1 and a VPN Client with Extended Authentication
● IPSec Over Cable Sample Configurations and Debugs
● IPSec Between Three Routers Using Private Addresses
● PIX-to-VPN Client Wild-card, Pre-shared, No Mode Configuration
● Sample Configuration: Router to VPN Client, Mode-config, Wild-card Pre-shared Key with NAT
● Configuring Layer 2 Tunneling Protocol (L2TP) over IPSec
Kerberos
● Troubleshooting and Configuring Kerberos V5 Client Support
● Kerberos: An Authentication Service for Open Network Systems
RADIUS
● RADIUS Support Page
● How To Apply Access Lists to Dial Interfaces with a RADIUS Server
● Troubleshooting Access Lists on Dial Interfaces
● How-To Configure Layer 2 Tunnel Protocol Authentication with RADIUS
● Common Problems in Debugging RADIUS, PAP and CHAP
● Debugging HTTP Authentication
● CiscoSecure ACS NT: Command-line TACACS+ and RADIUS Debugging
● How to Assign Privilege Levels with TACACS+ and RADIUS
● How to Configure the Cisco VPN 3000 Concentrator with MS RADIUS
● Decoding a Sniffer-trace of RADIUS Transaction
● CiscoSecure: How to Setup PPP Idle Timeout For Async Using RADIUS
● How Does RADIUS Work?
● Radius for First-time Users
● TACACS+ and RADIUS Comparison
● Domain Stripping Hack
● RADIUS Support in Cisco IOS Software (White Paper)
● The RADIUS Protocol (Product Bulletin)
● RADIUS Sample Configurations from the Cisco AAA Implementation Case Study
● Configuring TACACS+ and RADIUS Extended Authentication with VPN Client
● Sample Configuration: PPP Callback with RADIUS
● How To Configure RADIUS Authentication for VPDNs
● PIX, TACACS+, and RADIUS Sample Configuration: 5.1.x
● PIX, TACACS+, and RADIUS Sample Configuration: 5.0.x
● PIX, TACACS+, and RADIUS Sample Configuration: 4.4.x
● PIX, TACACS+, and RADIUS Sample Configuration: 4.3.x
● PIX, TACACS+, and RADIUS Sample Configuration: 4.2.x
● Sample Configuration: RADIUS Authentication for HTTP Server Users
● Radius Dial-up Sample Configuration
● Configuring TACACS+ and CiscoSecure: RADIUS Daemon Sample TACACS+ Configuration
TACACS
● TACACS and XTACACS are Considered End-of-Maintenance
● Troubleshoot TACACS, XTACACS, and TACACS+ server issues using Troubleshooting Assistant
● Timeout Commands: tacacs-server login-timeout and timeout login response
● The TACACS Authentication Protocols
● TACACS Password Recovery Techniques
● Domain Stripping Hack
TACACS+
● TACACS+ Support Page
● Troubleshoot TACACS, XTACACS, and TACACS+ server issues using Troubleshooting Assistant
● Configuring TACACS+, RADIUS, and Kerberos on Catalyst Switches
● Troubleshooting Access Lists on Dial Interfaces
● Common Problems in Debugging TACACS+, PAP and CHAP
● Debugging HTTP Authentication
● CiscoSecure ACS NT: Command-line TACACS+ and RADIUS Debugging
● How to Assign Privilege Levels with TACACS+ and RADIUS
● CHAP or ARAP With TACACS+: Interoperability Problems With One-Time Password Systems
● The TACACS+ Protocol
● TACACS+ for First-Time Users
● TACACS+ and RADIUS Comparison
● Single-User Network Access Security TACACS+ (White Paper)
● TACACS+ Sample Configurations from the Cisco AAA Implementation Case Study
● Configuring TACACS+ and RADIUS Extended Authentication with VPN Client
● Sample Configuration: PPP Callback with TACACS+
● How-To Configure TACACS+ Authentication for VPDNs
● How-To Configure Layer 2 Tunnel Protocol Authentication with TACACS+
● Configuring PIX 5.1.x: TACACS+ and RADIUS
● Configuring PIX 5.0.x: TACACS+ and RADIUS
● PIX, TACACS+, and RADIUS Sample Configuration: 4.4.x
● PIX, TACACS+, and RADIUS Sample Configuration: 4.3.x
● PIX, TACACS+, and RADIUS Sample Configuration: 4.2.x
● How To Apply Access Lists to Dial Interfaces with a TACACS+ Server
● Sample Configuration: TACACS+ Authentication for HTTP Server Users
● CiscoSecure NT: Configuring Large Scale Dialout Using TACACS+
● TACACS+ Dial-Up Sample Configuration
● Configuring TACACS+ on the Catalyst 1900 and 2820
● Configuring TACACS+ on Catalyst 2900XL/3500XL Switches
● Configuring Callback with TACACS+
● Configuring and Troubleshooting TACACS+ Freeware Daemon and CiscoSecure 1.X
● Configuring TACACS+ and CiscoSecure Router and NAS Sample TACACS+ Configurations
● Configuring TACACS+ and CiscoSecure RADIUS Daemon Sample TACACS+ Configuration
● Configuring TACACS+ and CiscoSecure CiscoSecure Sample Configurations
● CiscoSecure 2.x for First-time Users (TACACS+)
XTACACS
● TACACS and XTACACS are Considered End-of-Maintenance
● XTACACS for First-time Users
● XTACACS Dial-Up Sample Configuration
Security FAQs
● Cisco Centri Firewall Frequently Asked Questions, Part 1
● Cisco PIX Firewall Manager: Frequently Asked Questions
● Cisco Secure PIX Firewall Frequently Asked Questions
● Cisco VPN 3000 Concentrator FAQs
Related Links
● Access Lists
Tips on increasing security on IP networks; blocking a Telnet session from a Cisco router; TCP/IP firewalls; and Novell extended access lists
● Cisco IOS® Software Password Encryption Facts
Understand the security model behind Cisco password encryption, and the security limitations of that encryption.
● Cisco Product Security Incident Response
This document describes bug reporting and incident response procedures—specifically, what to do if you are under active security attack or you believe that you are about to be attacked, if you have a security problem with a Cisco product, if you want to obtain technical security information about a Cisco product, or if you have additional questions about an announced security issue with a Cisco product. The role of the Cisco Product Security Incident Response Team (PSIRT) in handling security incidents is explained.
● Improving Security on Cisco Routers
This document is an informal discussion of some Cisco configuration settings that network administrators should consider changing on their routers, especially on their border routers, in order to improve security. This document is about basic, "boilerplate" configuration items that are almost universally applicable in IP networks, and about a few unexpected items of which you should be aware.
● Security Advisories
Advisories, field notices, and reference information about security-related notifications
● Troubleshooting Security
This chapter explains several security products used to protect the network. These products include scanning software (CiscoSecure Scanner), intrusion detection software (CiscoSecure Intrusion Detection System), and firewall software (PIX). This chapter will assist you in debugging the security products installed in your network. You should be familiar with the software products for which you are trying to debug.
All contents are Copyright © 1992-2001 Cisco Systems Inc. All rights reserved. Important Notices and Privacy Statement.
Sample Configuration: IPSec - Cisco Secure VPN Client to Central Router Controlling Access
Introduction
The following configuration would not be commonly used, but was designed to allow CiscoSecure VPN Client IPSec tunnel termination on a central router. As the tunnel comes up, the PC receives its IP address from the central router's IP address pool (in our example, the router is named "moss"); pool traffic can then reach the local network behind moss or be routed and encrypted to the network behind the outlying router (in our example, the router is named "carter"). In addition, traffic from private network 10.13.1.X to 10.1.1.X is encrypted; the routers are doing NAT overload.
Hardware and Software Versions
This configuration was developed and tested using the software and hardware versions below.
● Cisco IOS Software Release 12.1.5.T (c3640-io3s56i-mz.121-5.T)
● CiscoSecure VPN Client 1.1
Network Diagram
http://www.cisco.com/warp/public/707/oddconfig.html (1 of 7) [5/6/2001 7:31:49 PM]
Configurations
moss Configuration
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
crypto isakmp key cisco123 address 99.99.99.1
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local RTP-POOL
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto dynamic-map rtp-dynamic 20
set transform-set rtpset
!
crypto map rtp client configuration address initiate
crypto map rtp client configuration address respond
! - crypto map sequence for network-to-network traffic
crypto map rtp 1 ipsec-isakmp
set peer 99.99.99.1
set transform-set rtpset
match address 115
! - crypto map sequence for VPN Client network traffic
crypto map rtp 10 ipsec-isakmp dynamic rtp-dynamic
ip local pool RTP-POOL 192.168.1.0 192.168.1.254
ip nat pool ETH20 172.18.124.154 172.18.124.154 netmask 255.255.255.0
ip nat inside source route-map nonat pool ETH20 overload
! - Include traffic in encryption process
access-list 115 permit ip 10.13.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 115 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
route-map nonat permit 10
service timestamps debug uptime
service timestamps log uptime
! - crypto map sequence for network-to-network traffic
crypto map rtp 1 ipsec-isakmp
ip nat pool ETH00 99.99.99.1 99.99.99.1 netmask 255.255.255.0
ip nat inside source route-map nonat pool ETH00 overload
! - Include traffic in encryption process
access-list 115 permit ip 10.1.1.0 0.0.0.255 10.13.1.0 0.0.0.255
access-list 115 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
route-map nonat permit 10
Before issuing debug commands, please see Important Information on Debug Commands.
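The crypto ACLs on moss and carter above, modelled in Python as an added example (this is not part of the original Cisco page and is not IOS code): it reproduces IOS wildcard-mask matching and first-match/implicit-deny evaluation, checks that the two peers' ACL 115 entries are mirror images of each other, and classifies a few constructed flows the way moss would. The ACL referenced by route-map nonat is not shown on the page, so the example assumes it exempts exactly the flows ACL 115 permits from NAT; the destination 198.51.100.10 is a made-up sample address.

```python
"""Added example: model how moss and carter classify traffic with their crypto ACLs.

Illustrative Python written for this page, not Cisco IOS code. It reproduces the IOS
semantics needed to reason about the sample: wildcard (inverted) masks, first-match
evaluation with an implicit deny, and the rule that a crypto ACL on one peer must be
the mirror image of the ACL on the other peer.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    src: str      # source address as written in the ACL
    src_wc: str   # source wildcard mask (1 bits are "don't care")
    dst: str
    dst_wc: str


def parse_acl_line(line: str) -> tuple[str, AclEntry]:
    """Parse an IOS extended ACL line of the form used on this page:
    access-list <n> permit|deny ip <src> <src-wildcard> <dst> <dst-wildcard>
    """
    p = line.split()
    if len(p) != 8 or p[0] != "access-list" or p[3] != "ip":
        raise ValueError(f"unsupported ACL line: {line!r}")
    return p[1], AclEntry(p[2], p[4], p[5], p[6], p[7])


def parse_acl(text: str) -> dict[str, list[AclEntry]]:
    """Collect ACL lines from a config fragment, keyed by ACL number, in order."""
    acls: dict[str, list[AclEntry]] = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("access-list "):
            number, entry = parse_acl_line(line)
            acls.setdefault(number, []).append(entry)
    return acls


def _wildcard_match(acl_addr: str, wildcard: str, packet_addr: str) -> bool:
    """A wildcard bit of 1 means 'ignore this bit'; 0.0.0.255 matches a /24."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(acl_addr)) & care) == (
        int(ipaddress.IPv4Address(packet_addr)) & care
    )


def acl_action(entries: list[AclEntry], src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for e in entries:
        if _wildcard_match(e.src, e.src_wc, src) and _wildcard_match(e.dst, e.dst_wc, dst):
            return e.action
    return "deny"


def acls_are_mirrors(a: list[AclEntry], b: list[AclEntry]) -> bool:
    """IPSec peers must permit the same flows in opposite directions; otherwise phase 2
    fails on proxy-identity mismatch, or traffic is protected in one direction only."""
    def permits(entries: list[AclEntry]) -> set[tuple[str, str, str, str]]:
        return {(e.src, e.src_wc, e.dst, e.dst_wc) for e in entries if e.action == "permit"}
    return {(d, dw, s, sw) for s, sw, d, dw in permits(a)} == permits(b)


# ACL lines copied from the moss and carter fragments on this page.
MOSS_CONFIG = """
access-list 115 permit ip 10.13.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 115 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
"""
CARTER_CONFIG = """
access-list 115 permit ip 10.1.1.0 0.0.0.255 10.13.1.0 0.0.0.255
access-list 115 permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
MOSS_ACL_115 = parse_acl(MOSS_CONFIG)["115"]
CARTER_ACL_115 = parse_acl(CARTER_CONFIG)["115"]

MOSS_NAT_ADDRESS = "172.18.124.154"   # ip nat pool ETH20 on moss
CARTER_PEER = "99.99.99.1"            # set peer in crypto map rtp 1 on moss


def classify_on_moss(src: str, dst: str) -> tuple[str, str]:
    """Decide what moss does with an inside-to-outside packet.

    Assumption of this example: the ACL behind route-map nonat (not shown on the page)
    exempts exactly the flows ACL 115 permits, so crypto traffic keeps its private
    source address and still matches the crypto ACL after the NAT stage.
    """
    if acl_action(MOSS_ACL_115, src, dst) == "permit":
        return ("encrypt", CARTER_PEER)
    return ("nat-overload", MOSS_NAT_ADDRESS)


if __name__ == "__main__":
    # Constructed sample flows; 198.51.100.10 is a documentation address, not on the page.
    for flow in [("10.13.1.5", "10.1.1.7"), ("192.168.1.20", "10.1.1.7"),
                 ("10.13.1.5", "198.51.100.10")]:
        print(flow, "->", classify_on_moss(*flow))
    print("ACLs are mirror images:", acls_are_mirrors(MOSS_ACL_115, CARTER_ACL_115))
```

The mirror check is the one to keep handy when a tunnel negotiates phase 1 but phase 2 never completes. The NAT exemption assumption matters because IOS translates inside-to-outside traffic before it reaches the crypto map: if nonat did not exempt the 10.13.1.X and pool flows, their source would become 172.18.124.154, they would no longer match ACL 115, and they would leave the interface unencrypted.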
● debug crypto ipsec - Shows the IPSec negotiations of phase 2.
● debug crypto isakmp - Shows the ISAKMP negotiations of phase 1.
● debug crypto engine - Shows the traffic that is encrypted.
● clear crypto isakmp - Clears the security associations related to phase 1.
● clear crypto sa - Clears the security associations related to phase 2.
● show crypto ipsec sa - Shows the phase 2 security associations.
● show crypto isakmp sa - Shows the phase 1 security associations.
Related Information
● Configuring IPSec Network Security
● Configuring Internet Key Exchange Security Protocol
● VPN Top Issues
● IPSec Support Page
● Cisco Secure VPN Client Support Pages
● IPSec Technical Tips
http://www.cisco.com/warp/public/707/30.html
Cisco - Configuring IPSec Between Three Routers Using Private Addresses
● Private networks behind each router: 192.168.1.0, 192.168.2.0, and 192.168.3.0
● Route statements to get the private addresses to the IPSec tunnels
Note: Encryption technology is subject to export controls. You are responsible for knowing the law regarding export of encryption technology. See the Bureau of Export Administration home page for more information. If you have any questions regarding export control, please send email to export@cisco.com.
Hardware and Software Versions
This configuration was developed and tested using the software and hardware versions below.
● Cisco IOS® Software Version 12.0.6(5)T or later
● Cisco routers configured with IPSec
Network Diagram
Click on the components in the topology below to view their configurations.
http://www.cisco.com/warp/public/707/30.html (1 of 8) [5/6/2001 7:32:19 PM]
Router 1 Configuration
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
crypto isakmp key xxxxxx1234 address 100.228.202.154
crypto isakmp key xxxxxx1234 address 200.154.17.130
crypto map combined local-address Serial0
crypto map combined 20 ipsec-isakmp
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router2
!
enable secret 5 aaaaa
enable password 7 aaaaaaa
crypto ipsec transform-set encrypt-des esp-des
crypto ipsec transform-set 1600_box esp-des
!
!
crypto map combined local-address Ethernet1
crypto map combined 7 ipsec-isakmp
set peer 100.232.202.210
set transform-set 1600_box
match address 105
crypto map combined 8 ipsec-isakmp
route-map nonat permit 10
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ROUTER3
!
logging buffered 4096 debugging
enable secret 5 aaaaa
enable password aaaaa
crypto ipsec transform-set encrypt-des esp-des
crypto ipsec transform-set 1600_box esp-des
!
!
crypto map combined local-address Serial0
crypto map combined 7 ipsec-isakmp
Debug and Verification Tips
● show crypto engine connections active - Shows encrypted and decrypted packets between IPSec peers.
● show crypto isakmp sa - View all current IKE security associations (SAs) at a peer.
● show crypto ipsec sa - View the settings used by current [IPSec] security associations.
Note: The following debugs must be running on both IPSec routers (peers). Clearing security associations must be done on both peers.
● debug crypto isakmp - Displays errors during Phase 1.
● debug crypto ipsec - Displays errors during Phase 2.