designing network security cisco press part 9 pptx

Securing Dial-In Access http://wwwin.cisco.com/cpress/cc/td/cpress/internl/dns/ch10.htm (62 of 103) [02/02/2001 17.33.17]

 serial-number 007462E4
 key-string
 17C11157 CC640BF3 3DC5B608 C5C60963 C0421A67 D2D7AF70 97728A9A BACA0E07
 35288070 AD90A20F 56F1BFE7 D8A4BB68 2C2419E0 26CF8E17 B09CA9A0 3090942E
 quit
!
! Crypto map for the connection from Eesti to Vancouver-gw; this defines the remote
! peer and what traffic to encrypt, which is determined by access list 140.
! This gets applied to the tunnel and physical interfaces.
!
crypto map Eesti-to-Vancouver 10
 set peer VancouverESA
 match address 140
!
! Tunnel interface from remote branch (Eesti) to home gateway (Vancouver-gw)
!
interface Tunnel100
 description network connection back to headquarters (Vancouver)
 ip unnumbered Ethernet1/0
 no ip directed-broadcast
 tunnel source 207.9.31.1
 tunnel destination 207.1.1.1
 crypto map Eesti-to-Vancouver
!
! Apply the crypto map to the physical interface;
! this is also the outside NAT interface.
!
interface Serial0/0
 description frame relay connection to ISP
 ip address 207.9.31.1 255.255.255.240
 no ip directed-broadcast
 ip nat outside
 encapsulation frame-relay
 frame-relay lmi-type ansi
 crypto map Eesti-to-Vancouver
!
! NAT inside interface
!
interface Ethernet1/0
 description private IP address for remote site
 ip address 172.26.129.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
! Translate IP addresses matching access list 150 into the IP address
! given to the serial interface connected to the ISP
ip nat inside source list 150 interface Serial0/0 overload
ip classless
! default route to ISP
ip route 0.0.0.0 0.0.0.0 207.9.31.14
!
! Routes for the networks inside the corporate intranet that
! the remote needs to access
!
ip route 172.26.0.0 255.255.128.0 Tunnel100
ip route 172.20.0.0 255.255.0.0 Tunnel100
!
! Traffic going to any other destination will take the default route and be
! translated by NAT; access list 150 tells NAT what to translate.
!
access-list 150 permit ip 172.26.129.0 0.0.0.255 any
!
! ACL to determine what is to be encrypted:
! all packets between the two tunnel endpoints.
!
access-list 140 permit gre host 207.9.31.1 host 207.1.1.1
!
line con 0
 exec-timeout 2 30
 login authentication admin
!
line vty 0 4
 exec-timeout 2 30
 login authentication admin

L2TP with IPsec

The example in Figure 10-9 shows the remote connection of a remote branch office in Toronto and a remote branch office in New York connecting back to the corporate network in Denver. Both connections are made through local ISPs and use the Internet to transport the data back to the corporate network in Denver. Mobile users also have access to the corporate network using local ISP dial-up connections.

Figure 10-9: Virtual Dial-In Using L2TP with IPsec

The following security policy is defined for this example:

● The branch office in Toronto is allowed to communicate directly with the Internet but must encrypt all traffic going to the corporate network in Denver.
● All New York branch office traffic must go through the Denver corporate office firewall.
● All mobile users use authenticated and private data connections back to the corporate network through ISP collaborative agreements.
● All corporate infrastructure device access is required to be authenticated and authorized for limited access.

The policy is implemented as follows:

● The branch office router in Toronto allows the users to talk directly to the Internet while using an IPsec-encrypted tunnel to access the corporate network. The serial interface on the router has been assigned an IP address from the ISP's address space. The Ethernet interface uses a private network address, and NAT is used to translate traffic going to the Internet. This router uses static routing.
● The branch router in New York requires that all traffic, even traffic to the Internet, must go through the corporate firewall. The serial interface on the router has been assigned an IP address from the ISP's address space; the Ethernet interface uses a private network address. This router uses OSPF routing.
● There is an agreement between the ISP and the corporation that if a mobile user presents the ISP's NAS with a username in the format username@mkos.name, the PPP session will be transported to the corporation's home gateway for termination. Using L2TP tunneling with IPsec, a secure tunnel is provided from the NAS (isp-nas) to the home gateway (Denver-gw).

Home Gateway Router Configuration:

hostname Denver-gw
!
! In IOS firewall IPsec images "no service tcp & no udp small servers" is the
! default, so it does not have to be explicitly defined.
! Turn on timestamps for log and debug information, set to the local time with
! timezone information displayed.
!
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
!
service password-encryption
!
no logging console
!
! Enable TACACS+ to authenticate login, enable, and any PPP sessions; also enable
! accounting start-stop records for EXEC and PPP sessions
!
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication login console none
aaa authentication enable default tacacs+ enable
aaa authentication ppp default tacacs+
aaa authorization network default tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting network default start-stop tacacs+
!
enable secret 5 $1$xDvT$sT/TGeGrAwfAKbMr4N1NZ1
enable password 7 02050D480809
!
no ip finger
ip domain-name mkos.com
!
! Enable VPDN and tell it to use L2TP. The PPP name of the remote NAS will be
! isp-nas and the local PPP name is Denver-gw. Also, for the VPDN, use an
! alternative TACACS+ server. Inbound connections will use virtual-template 1
! as the basis to create the actual virtual-access interface.
!
vpdn enable
!
vpdn aaa override-server 172.20.24.47
vpdn-group 1
 accept dialin l2tp virtual-template 1 remote isp-nas
 local name Denver-gw
!
! Define the IPsec transform policy set: (ah-sha-hmac) AH with SHA
! authentication algorithm, (esp-des) ESP with 56-bit DES encryption algorithm,
! (esp-sha-hmac) ESP with SHA authentication algorithm. Because GRE is used,
! run IPsec in transport rather than tunnel mode.
!
crypto ipsec transform-set auth2 ah-sha-hmac esp-des esp-sha-hmac
 mode transport
!
! IPsec using certificates: The routers must first obtain certificates from
! the Certificate Authority (CA) server. When both peers have valid certificates,
! they automatically exchange RSA public keys as part of the ISAKMP negotiation.
! All that is required is that the routers register with the CA and obtain
! a certificate. A router does not have to keep public RSA keys for all peers
! in the network.
!
crypto ca identity vpnnetwork
 enrollment url http://mkosca
 crl optional
crypto ca certificate chain vpnnetwork
 certificate 44FC6C531FC3446927E4EE307A806B20
 ! Certificate is multiple lines of hex digits
 quit
 certificate ca 3051DF7169BEE31B821DFE4B3A338E5F
 ! Certificate of the CA, multiple lines of hex digits
 quit
 certificate 52A46D5D10B18A6F51E6BC735A36508C
 ! Certificate is multiple lines of hex digits
 quit
!
! The crypto map determines what to encrypt and to what peer to send the traffic.
! An interface can have only one crypto map applied to it. The crypto map below
! is structured into sections, which apply to the different destinations,
! while still being a single crypto map entity.
!
crypto map Denver-to-remotes local-address Serial2/0
crypto map Denver-to-remotes 100 ipsec-isakmp
 set peer 207.9.31.1
 set transform-set auth2
 match address Denver_gre_Toronto
crypto map Denver-to-remotes 200 ipsec-isakmp
 set peer 207.10.31.1
 set transform-set auth2
 match address Denver_gre_NewYork
crypto map Denver-to-remotes 500 ipsec-isakmp
 set peer 201.1.1.1
 set transform-set auth2
 match address ISP1_VPDN
!
! Set the timezone and daylight savings time for this router.
!
clock timezone PST -8
clock summer-time PDT recurring
!
! Tunnel interface to router Toronto. The tunnel source is specified as an
! interface with a registered IP address. The crypto map is applied to both
! the tunnel and physical interfaces. The IP precedence of packets being
! tunneled is copied into the IP header of the outbound frame.
! This example uses an IP unnumbered tunnel interface. Only packets destined
! for the intranet arrive on this interface because NAT is used at the remote
! for packets destined for the Internet.
!
interface Tunnel100
 description tunnel to branch router Toronto
 ip unnumbered FastEthernet5/0
 no ip directed-broadcast
 tunnel source Serial2/0
 tunnel destination 207.9.31.1
 crypto map Denver-to-remotes
!
! Tunnel interface to router New York. The crypto map is applied to both the
! tunnel and physical interfaces. Note that the same crypto map has been used
! on both tunnels, with different sections of the crypto map applying to each
! tunnel. The IP precedence of packets being tunneled is copied into the IP
! header of the outbound frame. This example uses an IP-numbered tunnel interface
! with OSPF as the routing protocol and routing information authentication
! enabled. The policy for this remote site is that all packets destined for the
! Internet must go through the corporate firewall. This is achieved by using
! policy routing (route-map VPN_InBound).
!
interface Tunnel101
 description tunnel to branch router NewYork
 ip address 172.26.123.1 255.255.255.252
 no ip directed-broadcast
 ip ospf message-digest-key 1 md5 7 00071A15075434101F2F
 ip policy route-map VPN_InBound
 tunnel source Serial2/0
 tunnel destination 207.10.31.1
 crypto map Denver-to-remotes
!

[...]

 ah-sha-hmac esp-des esp-sha-hmac
 mode transport
!
crypto ca identity vpnnetwork
 enrollment url http://mkosca
 crl optional
crypto ca certificate chain vpnnetwork
 certificate 44FC6C531FC3446927E4EE307A806B20
 ! Certificate is multiple lines of hex digits
 quit
 certificate ca 3051DF7169BEE31B821DFE4B3A338E5F

[...]

 prevent packets from private networks leaving by the ISP interface
ip access-list extended IntSecurityOut
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit ip 207.9.31.0 0.0.0.255 any
!

[...]

 207.10.31.14
!
! ACL to block particular services and networks, inbound from the ISP
ip access-list extended IntSecurity
 permit tcp any any established
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255

[...]

 deny udp any any eq 2049
 deny tcp any any eq 2049
 deny tcp any any eq sunrpc
 deny tcp any any eq 87
 deny tcp any any eq exec
 deny tcp any any eq login
 deny tcp any any eq cmd
 deny tcp any any eq lpd
 permit ip any any
!
! ACL prevents packets from private networks from leaving by

[...]

 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny udp any any eq snmp
 deny udp any any eq 2000
 deny udp any any gt 6000
 deny tcp any any gt 6000
 deny tcp any any eq 2000
 deny udp any any eq tftp
 deny udp any any eq sunrpc
 deny udp any any eq 2049
 deny tcp any any eq 2049
 deny tcp any

[...]

 passive-interface Tunnel100
 network 172.26.71.0 0.0.0.3 area 0
 network 172.26.120.0 0.0.3.255 area 172.26.120.0
 default-information originate
 area 172.26.120.0 authentication message-digest
!
ip classless
!
! Default route to ISP
ip route 0.0.0.0 0.0.0.0 207.1.1.2
!
! Corporate network uses 172.20/24

[...]

 1511021F0725
 transport input telnet
!
! Configure NTP so that all the routers have the same time in the network
ntp clock-period 17179770
ntp server 172.26.71.2
end

Remote Branch Router in New York Configuration:

hostname NewYork
!
! In IOS firewall IPsec images "no service tcp

[...]

 encrypted
!
interface Serial0/0
 ip address 207.10.31.1 255.255.255.240
 ip access-group IntSecurity in
 ip access-group IntSecurityOut out
 no ip directed-broadcast
 encapsulation frame-relay IETF
 frame-relay lmi-type ansi
 crypto map NewYork-to-Denver
!
! Ethernet 1/0 is the remote LAN

[...]

 bandwidth 44210
 crypto map Denver-to-remotes
!
! This interface is connected to the corporate network Web server and to the
! firewall, which is doing NAT for the corporate network's access to the
! Internet
!
interface FastEthernet3/0
 description network for Internet traffic
 ip address

[...]

! interface to determine what
! should be encrypted
!
interface Serial0/0
 description frame relay connection to ISP
 ip address 207.9.31.1 255.255.255.240
 ip access-group IntSecurity in
 ip access-group IntSecurityOut out
 no ip directed-broadcast
 ip nat outside
 encapsulation frame-relay

[...]

 firewall.
access-list 195 permit ip 172.26.121.0 0.0.0.255 any
access-list 195 permit ip 172.26.123.0 0.0.0.3 any
!

[...]

snmp-server trap-source Ethernet1/0
snmp-server packetsize 4096
snmp-server enable traps
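The Eesti and Denver listings above rely on three things holding together: the GRE tunnel interface carries a crypto map, the same map is applied on the physical interface that owns the tunnel source, and one of that map's crypto ACLs permits GRE between the two tunnel endpoints. The following Python lint, added here as an illustration and not code from the book, checks those conditions over an IOS-style config; the sample config is constructed from the Eesti listing, and parse, field and check_tunnels are the example's own names.

```python
import re
from collections import defaultdict
# Constructed sample, modelled on the Eesti branch router listing in the text.
SAMPLE = """\
crypto map Eesti-to-Vancouver 10
 match address 140
interface Tunnel100
 tunnel source 207.9.31.1
 tunnel destination 207.1.1.1
 crypto map Eesti-to-Vancouver
interface Serial0/0
 ip address 207.9.31.1 255.255.255.240
 crypto map Eesti-to-Vancouver
access-list 140 permit gre host 207.9.31.1 host 207.1.1.1
"""

def parse(cfg):  # top-level IOS line -> list of its indented sub-commands
    blocks, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith(" ") and cur is not None:
            blocks[cur].append(line.strip())
        elif line and not line.startswith("!"):
            cur = line.strip()
            blocks.setdefault(cur, [])
    return blocks

def field(body, prefix, i=-1):  # token i of the first sub-command with this prefix
    return next((l.split()[i] for l in body if l.startswith(prefix)), None)

def check_tunnels(cfg):
    """Return problem strings; an empty list means each tunnel's crypto policy is consistent."""
    blocks = parse(cfg)
    map_acls, gre, phys = defaultdict(set), defaultdict(set), {}
    for name, body in blocks.items():
        if m := re.match(r"crypto map (\S+) \d+", name):       # every sequence of the map
            map_acls[m[1]] |= {l.split()[-1] for l in body if l.startswith("match address")}
        elif m := re.match(r"access-list (\S+) permit gre host (\S+) host (\S+)", name):
            gre[m[1]].add((m[2], m[3]))                         # GRE endpoint pairs the ACL covers
        elif name.startswith("interface ") and "Tunnel" not in name:   # key by name and by IP
            phys[name.split()[1]] = phys[field(body, "ip address", 2)] = field(body, "crypto map")
    problems = []
    for name, body in blocks.items():
        if name.startswith("interface Tunnel"):
            src, dst, cm = (field(body, k) for k in ("tunnel source", "tunnel destination", "crypto map"))
            if cm is None or phys.get(src) != cm:   # map must sit on tunnel AND physical interface
                problems.append(f"{name}: crypto map {cm} must be applied on both the tunnel and the interface owning {src}")
            elif not any((src, dst) in gre[a] for a in map_acls[cm]):
                problems.append(f"{name}: no crypto ACL in {cm} permits gre {src} -> {dst}")
    return problems
```

Because the Denver listing names its tunnel source as an interface (Serial2/0) rather than an address, the physical-interface table is keyed both ways.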

Posted: 14/08/2014, 14:20
