Enterasys Networks Security Router X-PeditionTM User Manual


Configuration Examples

16-32 Configuring Security on the XSR

Define service to support IPSec NAT traversal (Release 7.0 or later):

XSR(config)#ip firewall service ietfNatT eq 4500 gt 1023 udp

Define service for ISAKMP:

XSR(config)#ip firewall service ike eq 500 gt 499 udp

Define service for L2TP tunnels:

XSR(config)#ip firewall service l2tp eq 1701 eq 1701 udp

Define service for RADIUS authentication:

XSR(config)#ip firewall service radiusauth gt 1023 eq 1645 udp

Define service for RADIUS accounting:

XSR(config)#ip firewall service radiusacct gt 1023 eq 1646 udp

Write policies allowing traffic through the public VPN interface (crypto map), including enabling NAT Traversal:

XSR(config)#ip firewall policy nattraversal internet vpngateway nattraversal allow bidirectional
XSR(config)#ip firewall policy PPTP internet vpngateway PPTP allow bidirectional
XSR(config)#ip firewall policy ike internet vpngateway ike allow bidirectional
XSR(config)#ip firewall policy l2tp internet vpngateway l2tp allow bidirectional
XSR(config)#ip firewall policy ietfNatT internet vpngateway ietfNatT allow bidirectional

Allow HTTP and LDAP CRL retrieval out of the public VPN interface:

XSR(config)#ip firewall policy pki vpngateway internet HTTP allow
XSR(config)#ip firewall policy ldap vpngateway internet LDAP allow

Write policies permitting RADIUS and all TCP and UDP traffic from remote VPN networks into the corporate networks:

XSR(config)#ip firewall policy radiusauth f1a trusted radiusauth allow
XSR(config)#ip firewall policy radiusacct f1a trusted radiusacct allow
XSR(config)#ip firewall policy ANY_TCP remote trusted ANY_TCP allow bidirectional
XSR(config)#ip firewall policy ANY_UDP remote trusted ANY_UDP allow bidirectional

Allow IPSec (protocol 50) traffic from the Internet into the public VPN interface:

XSR(config)#ip firewall filter ipsec internet vpngateway protocol-id 50 bidirectional

Allow GRE traffic from the Internet into the public VPN interface:

XSR(config)#ip firewall filter gre internet vpngateway protocol-id 47 bidirectional

Allow OSPF through the firewall (trusted VPN interface) to the next hop corporate router:

XSR(config)#ip firewall filter ospf1 f1 ospf protocol-id 89 bidirectional
XSR(config)#ip firewall filter ospf2 ssr ospf protocol-id 89 bidirectional
XSR(config)#ip firewall filter ospf3 f1 ssr protocol-id 89 bidirectional

Permit ICMP traffic to flow from the trusted networks, through the VPN tunnels, to the remote trusted networks, and back:

XSR(config)#ip firewall filter icmp1 trusted remote protocol-id 1 bidirectional

Allow any IP address on the Internet to send ICMP traffic to the public VPN interface (the crypto map interface):

XSR(config)#ip firewall filter icmp2 vpngateway internet protocol-id 1 bi
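The service, policy and filter lines above can be sanity-checked before they are applied. The following Python script is an added example, not part of the Enterasys manual: it parses the lines from this page into a small rule table and reports which rule, if any, permits a given flow between two firewall networks. It assumes that the first port condition of a service applies to the source port and the second to the destination port, and that a bidirectional rule also permits the mirrored flow.

```python
# Constructed sample: the service, policy and filter lines shown on this page.
CONFIG = """
ip firewall service ietfNatT eq 4500 gt 1023 udp
ip firewall service ike eq 500 gt 499 udp
ip firewall service l2tp eq 1701 eq 1701 udp
ip firewall service radiusauth gt 1023 eq 1645 udp
ip firewall service radiusacct gt 1023 eq 1646 udp
ip firewall policy ike internet vpngateway ike allow bidirectional
ip firewall policy l2tp internet vpngateway l2tp allow bidirectional
ip firewall policy ietfNatT internet vpngateway ietfNatT allow bidirectional
ip firewall policy radiusauth f1a trusted radiusauth allow
ip firewall policy radiusacct f1a trusted radiusacct allow
ip firewall filter ipsec internet vpngateway protocol-id 50 bidirectional
ip firewall filter gre internet vpngateway protocol-id 47 bidirectional
ip firewall filter icmp1 trusted remote protocol-id 1 bidirectional
"""

PROTO = {"tcp": 6, "udp": 17}                      # IANA protocol numbers
OPS = {"eq": lambda p, n: p == n, "gt": lambda p, n: p > n}

def parse(text):
    """Build a rule list: (name, src_net, dst_net, service, bidirectional)."""
    services, rules = {}, []
    for line in text.strip().splitlines():
        t = line.split()
        if t[2] == "service":   # name src-op src-port dst-op dst-port proto (assumed order)
            services[t[3]] = (OPS[t[4]], int(t[5]), OPS[t[6]], int(t[7]), PROTO[t[8]])
        elif t[2] == "policy":  # name src-net dst-net service allow [bidirectional]
            rules.append((t[3], t[4], t[5], services[t[6]], "bidirectional" in t))
        elif t[2] == "filter":  # name src-net dst-net protocol-id N [bidirectional]
            rules.append((t[3], t[4], t[5], int(t[7]), "bidirectional" in t))
    return rules

def _svc_match(svc, proto, sport, dport):
    if isinstance(svc, int):                        # protocol-only filter
        return proto == svc
    sop, sn, dop, dn, p = svc
    return proto == p and sop(sport, sn) and dop(dport, dn)

def first_match(rules, src, dst, proto, sport=0, dport=0):
    """Return the name of the first rule permitting the flow, or None."""
    for name, rsrc, rdst, svc, bidir in rules:
        if rsrc == src and rdst == dst and _svc_match(svc, proto, sport, dport):
            return name
        # bidirectional: the same rule also permits the mirrored flow (ports swapped)
        if bidir and rsrc == dst and rdst == src and _svc_match(svc, proto, dport, sport):
            return name
    return None

RULES = parse(CONFIG)
```

Note that the one-way RADIUS policies permit only f1a to trusted; a flow entered in the opposite direction returns None, which is the quick way to spot a policy that was meant to be bidirectional.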
