I recently did a somewhat complex install of a Cisco 2800 Integrated Services Router. I enabled many of the features that come standard in the Advanced IP Services IOS, and thought it would be useful to show what a relatively current configuration would look like.
What made this installation fun was the use of object groups on the 2800 router. Object groups are a new feature in the 12.4.20T version of code, and they made things interesting. The router has a GUI, but of course everything was set up in the command line. I learned some neat things from this install, and based on the experience I created a clean reference config for discussion purposes. This example covers the NAT and VPN; I will leave the voice configuration for a different example. Also, I did not set up SSL VPN on this box, nor did I use the newer version of the firewall – this one is based on CBAC.
NAT on the 2800 can be tricky. Most organizations want both static NAT and dynamic NAT: static for the servers, and dynamic for the users. It is relatively straightforward to set up both. The problem call from the customer usually comes a week after the install. They call and say, “I can’t send email to some people; I think you set up the firewall wrong.” They are, of course, correct. Even though the mail server was given a static NAT, in most default configs its outbound connections are translated by the dynamic NAT to the outside interface address instead. The receiving mail server's reverse DNS lookup of that source address then does not validate the sending server, so the mail is treated as spam or rejected.
There is an example on the Cisco web site, but it uses numbered access lists, which are very confusing after about a week of doing something else. This example uses named access lists. Furthermore, in most places IP addresses and networks are replaced with object groups. Object groups work just about everywhere, except for the split tunnel ACL on the remote access VPN profile. Thank goodness I had a Security CCIE to lean on to figure that one out.
This setup also uses ip inspect (CBAC) for the firewall, and an ACL on the outside interface for inbound connections to the servers. So, here is a nice clean example config on how to use the 2800 for firewall, IPsec VPN, remote access VPN, and static and dynamic NAT, using object groups and named Access Control Lists:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname PriorityQueueRouter
!
boot-start-marker
warm-reboot
boot-end-marker
!
card type t1 0 0
card type t1 0 1
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 100000 warnings
no logging console
enable secret 5 0000000000000000000
!
aaa new-model
!
!
aaa group server radius MAINSITE_RADIUS
 server 10.108.60.3 auth-port 1645 acct-port 1646
 server 10.108.60.5 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication login MAINSITE_XAUTH group MAINSITE_RADIUS local
aaa authorization console
aaa authorization exec default local
aaa authorization network MAINSITE_GROUP local
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
network-clock-participate wic 0
network-clock-participate wic 1
network-clock-select 1 T1 0/0/0
network-clock-select 2 T1 0/0/1
network-clock-select 3 T1 0/1/0
network-clock-select 4 T1 0/1/1
!
dot11 syslog
no ip source-route
!
!
ip cef
!
!
no ip domain lookup
ip domain name MAINSITE.local
ip inspect max-incomplete high 5000
ip inspect max-incomplete low 4500
ip inspect one-minute high 5000
ip inspect one-minute low 4500
ip inspect tcp idle-time 300
ip inspect tcp finwait-time 10
ip inspect tcp max-incomplete host 1000 block-time 0
ip inspect tcp reassembly queue length 1024
ip inspect tcp reassembly timeout 60
ip inspect tcp reassembly memory limit 256000
ip inspect name EXT_FW ssh
ip inspect name EXT_FW https
ip inspect name EXT_FW ntp
ip inspect name EXT_FW tcp
ip inspect name EXT_FW dns
ip inspect name EXT_FW smtp
ip inspect name EXT_FW udp
ip inspect name EXT_FW icmp
ip inspect name EXT_FW ftp timeout 1200
ip inspect name EXT_FW http
ip inspect name EXT_FW sip
ip inspect name EXT_FW appleqtc
ip inspect name EXT_FW l2tp
ip inspect name EXT_FW pptp
no ipv6 cef
!
multilink bundle-name authenticated
!
!
object-group network MGMT_NETWORKS
 248.16.2.128 255.255.255.192
!
object-group service MGMT_SERVICE
 tcp eq 22
!
object-group network DC_SERVERS
 host 251.222.32.195
!
object-group service DC_SERVICE
 tcp eq 3389
!
object-group network EXCHANGE_SERVERS
 host 251.222.32.197
!
object-group service EXCHANGE_SERVICE
 tcp eq www
 tcp eq 443
 tcp eq smtp
 tcp eq 993
!
!
object-group network EXTERNAL_SIP_SERVERS
 host 247.10.98.2
!
object-group network INSIDE_NETWORKS
 10.108.0.0 255.255.0.0
!
object-group network INTERNAL_SIP_SERVERS
 host 251.222.32.206
 host 251.222.32.205
!
object-group network OUTSIDE_INTERFACE
 host 250.1.26.7
!
object-group service PING_SERVICE
 icmp echo-reply
 icmp unreachable
 icmp redirect
 icmp echo
 udp eq ntp
 udp eq domain
!
object-group network PRIVATE_NAT_SERVERS
 host 10.108.80.5
 host 10.108.60.6
 host 10.108.60.8
 host 10.108.60.10
 host 10.108.60.12
!
object-group network PUBLIC_NAT_SERVERS
 host 251.222.32.205
 host 251.222.32.195
 host 251.222.32.197
 host 251.222.32.199
 host 251.222.32.201
!
object-group network SERVER_NETWORKS
 10.108.60.0 255.255.255.0
 10.108.80.0 255.255.255.0
!
object-group network SIP_NETWORKS
 host 251.222.32.206
 host 251.222.32.205
!
object-group service SIP_SERVICE
 udp eq 5060
 tcp eq 5060
!
object-group network VPN_NETWORKS
 192.168.50.0 255.255.255.0
 10.100.0.0 255.255.0.0
!
object-group service VPN_SERVICE
 gre
 esp
 udp eq isakmp
 tcp eq 443
 udp eq 10000
 udp eq non500-isakmp
 tcp eq 10000
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 50
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key ********** address 247.94.18.7
!
crypto isakmp client configuration group MAINSITE
 key **********
 dns 10.108.60.3 10.108.60.5
 domain MAINSITE.local
 pool VPNPOOL
 acl MAINSITE_ACL
 netmask 255.255.255.0
crypto isakmp profile MAINSITE_VPNCLIENT
 match identity group MAINSITE
 client authentication list MAINSITE_XAUTH
 isakmp authorization list MAINSITE_GROUP
 client configuration address respond
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set lan2lan esp-aes 256 esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
 set transform-set ESP-3DES-SHA
!
!
crypto map VPNMAP 40 ipsec-isakmp
 set peer 247.94.18.7
 set security-association lifetime kilobytes 46080000
 set security-association lifetime seconds 28800
 set transform-set lan2lan
 match address TO_REMOTE_ACL
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
!
crypto ctcp port 10000
!
!
controller T1 0/0/0
 framing esf
 linecode b8zs
 cablelength long 0db
 channel-group 0 timeslots 1-24
!
controller T1 0/0/1
 framing esf
 linecode b8zs
 cablelength long 0db
 channel-group 1 timeslots 1-24
!
controller T1 0/1/0
 framing esf
 linecode b8zs
 cablelength long 0db
 channel-group 0 timeslots 1-24
!
controller T1 0/1/1
 framing esf
 linecode b8zs
 cablelength long 0db
 channel-group 1 timeslots 1-24
!
ip tcp synwait-time 60
ip tcp path-mtu-discovery
ip ssh time-out 60
ip ssh version 2
!
interface Loopback0
 ip address 251.222.32.206 255.255.255.255
!
interface Multilink1
 ip address 250.1.26.7 255.255.255.252
 ip access-group OUTSIDE_IN in
 ip verify unicast reverse-path
 ip flow ingress
 ip nat outside
 ip inspect EXT_FW out
 ip virtual-reassembly
 snmp trap ip verify drop-rate
 no cdp enable
 ppp multilink
 ppp multilink group 1
 ppp multilink fragment disable
 crypto map VPNMAP
!
interface GigabitEthernet0/0
 ip address 10.108.100.254 255.255.255.0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0:0
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
!
interface Serial0/0/1:1
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
!
interface Serial0/1/0:0
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
!
interface Serial0/1/1:1
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 1
!
ip local pool VPNPOOL 192.168.50.200 192.168.50.250
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Multilink1
ip route 10.108.0.0 255.255.0.0 10.108.100.1
no ip http server
ip http authentication aaa
ip http secure-server
!
!
ip nat inside source route-map DYNAMIC_RMAP interface Multilink1 overload
ip nat inside source static 10.108.60.6 64.206.208.195 route-map STATIC_RMAP
ip nat inside source static 10.108.60.8 64.206.208.197 route-map STATIC_RMAP
ip nat inside source static 10.108.60.10 64.206.208.199 route-map STATIC_RMAP
ip nat inside source static 10.108.60.12 64.206.208.201 route-map STATIC_RMAP
ip nat inside source static 10.108.80.5 64.206.208.205 route-map STATIC_RMAP
!
ip access-list extended MAINSITE_ACL
 permit ip 10.108.0.0 0.0.255.255 any
!
ip access-list extended DYNAMIC_NAT_ACL
 deny   ip any object-group VPN_NETWORKS
 deny   ip object-group PRIVATE_NAT_SERVERS any
 permit ip 10.108.0.0 0.0.255.255 any
!
ip access-list extended OUTSIDE_IN
 permit object-group PING_SERVICE any object-group OUTSIDE_INTERFACE
 permit object-group PING_SERVICE any object-group INTERNAL_SIP_SERVERS
 permit object-group PING_SERVICE any object-group PUBLIC_NAT_SERVERS
 permit object-group EXCHANGE_SERVICE any object-group EXCHANGE_SERVERS
 permit object-group SIP_SERVICE object-group EXTERNAL_SIP_SERVERS object-group INTERNAL_SIP_SERVERS
 permit object-group DC_SERVICE any object-group DC_SERVERS
 permit object-group VPN_SERVICE any object-group OUTSIDE_INTERFACE
 permit object-group MGMT_SERVICE object-group MGMT_NETWORKS object-group OUTSIDE_INTERFACE
!
ip access-list extended SPLIT_TUNNEL
 permit ip 10.108.0.0 0.0.255.255 any
!
ip access-list extended STATIC_NAT_ACL
 deny   ip any object-group VPN_NETWORKS
 permit ip 10.108.60.0 0.0.0.255 any
 permit ip 10.108.0.0 0.0.255.255 any
 permit ip 10.108.80.0 0.0.0.255 any
!
ip access-list extended TO_REMOTE_ACL
 permit ip 10.108.0.0 0.0.255.255 10.100.0.0 0.0.0.255
!
route-map DYNAMIC_RMAP permit 1
 match ip address DYNAMIC_NAT_ACL
!
route-map STATIC_RMAP permit 1
 match ip address STATIC_NAT_ACL
!
radius-server host 10.108.60.3 auth-port 1645 acct-port 1646 key 7 ******************
radius-server host 10.108.60.5 auth-port 1645 acct-port 1646 key 7 ******************
radius-server timeout 2
!
control-plane
!
banner login ^CC
*******************************************************************************
Unauthorized access and improper use are prohibited. Any activity on the
system is subject to monitoring by the company at any time. Anyone who uses
the system consents to such monitoring and agrees that the company may use
the results of such monitoring without limitation.
*******************************************************************************
^C
!
line con 0
 exec-timeout 60 0
 logging synchronous
line aux 0
line vty 0 4
 exec-timeout 60 0
 logging synchronous
line vty 5 15
 exec-timeout 60 0
 logging synchronous
!
scheduler allocate 20000 1000
ntp server 131.144.4.9
ntp server 198.72.72.10
end
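To see how the NAT policy above classifies a given flow, here is an added Python model of DYNAMIC_NAT_ACL, STATIC_NAT_ACL and the static and overload statements; it is not part of the original post or of IOS. The model assumes that a static entry whose route-map permits the flow is used before the overload rule, and the destination addresses used to exercise it are constructed.

```python
import ipaddress

# Object groups and ACL entries transcribed from the config above; the IOS
# wildcard masks (e.g. 0.0.255.255) are written here as prefix lengths (/16).
ANY = ["0.0.0.0/0"]
INSIDE = ["10.108.0.0/16"]
VPN_NETWORKS = ["192.168.50.0/24", "10.100.0.0/16"]
PRIVATE_NAT_SERVERS = ["10.108.80.5/32", "10.108.60.6/32", "10.108.60.8/32",
                       "10.108.60.10/32", "10.108.60.12/32"]

# (action, source networks, destination networks): first match wins, and a
# packet matching no entry hits the implicit deny at the end of the list.
DYNAMIC_NAT_ACL = [("deny", ANY, VPN_NETWORKS),
                   ("deny", PRIVATE_NAT_SERVERS, ANY),
                   ("permit", INSIDE, ANY)]
STATIC_NAT_ACL = [("deny", ANY, VPN_NETWORKS),
                  ("permit", ["10.108.60.0/24"], ANY),
                  ("permit", INSIDE, ANY),
                  ("permit", ["10.108.80.0/24"], ANY)]

# ip nat inside source static <inside local> <inside global> route-map STATIC_RMAP
STATIC_NAT = {"10.108.60.6": "64.206.208.195", "10.108.60.8": "64.206.208.197",
              "10.108.60.10": "64.206.208.199", "10.108.60.12": "64.206.208.201",
              "10.108.80.5": "64.206.208.205"}
OUTSIDE_INTERFACE = "250.1.26.7"  # Multilink1 address used by the overload rule


def acl_permits(acl, src, dst):
    """Evaluate an extended ACL as IOS does: first matching entry, implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, sources, destinations in acl:
        if (any(s in ipaddress.ip_network(n) for n in sources)
                and any(d in ipaddress.ip_network(n) for n in destinations)):
            return action == "permit"
    return False


def translated_source(src, dst):
    """Source address a packet from src to dst carries when it leaves Multilink1.
    Modelling assumption: a static entry whose route-map permits the flow is
    used before the overload rule; a flow denied by both route-maps (anything
    bound for VPN_NETWORKS) is forwarded untranslated into the tunnel.
    """
    if src in STATIC_NAT and acl_permits(STATIC_NAT_ACL, src, dst):
        return STATIC_NAT[src]
    if acl_permits(DYNAMIC_NAT_ACL, src, dst):
        return OUTSIDE_INTERFACE
    return src
```

Note that the static statements translate to 64.206.208.x addresses while PUBLIC_NAT_SERVERS, EXCHANGE_SERVERS and DC_SERVERS in OUTSIDE_IN list 251.222.32.x hosts; an inbound permit only reaches a server when the object group and its static NAT name the same public address.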
____________________________________
Author: Rolf Versluis
Adcap Network Systems – Atlanta and Miami
Great Local Engineers Creating Systems that Work!
Posted at Adcap Tech Tips
Last Updated: June 10th, 2010