Foundry Networks AR3202-CL User Manual
Foundry AR-Series Router User Guide
Table of contents
Document Outline
- Contents
- Getting Started
- Command Line Interface
- Command Types
- Command Conventions
- CLI Navigation
- Navigation Keys
- # help edit
- key stroke -- action
- ---------- -- ------
- TAB -- command completion
- Esc-B -- go back one word
- Esc-F -- forward one word
- Esc-DEL -- delete one word left to cursor
- BackSpace -- go back and delete one char
- Ctrl-A -- start of line
- Ctrl-B / <- -- go back one char
- Ctrl-D / DEL -- delete a char; go up one level if empty command
- Ctrl-E -- end of line
- Ctrl-F / -> -- forward one char
- Ctrl-K -- delete line ahead of cursor
- Ctrl-L -- refresh line
- Ctrl-N / DN ARROW -- next command in history
- Ctrl-P / UP ARROW -- previous command in history
- Ctrl-U -- delete entire line
- Ctrl-W -- delete one word left to cursor
- #
- Navigation Keys
- Command Help
- Help
- Tree
- # tree
- xcli
- |-- ping
- |-- clear
- | |-- cfg_file
- | |-- arp
- | |-- cfg_log
- | |-- command_log
- | |-- snmp_stats
- | |-- counters
- | | |-- all
- | | |-- ethernet
- | | |-- ethernets
- | | |-- bundle
- | | |-- bundles
- | | |-- avc
- | | |-- avcs
- | | |-- tunnel
- | | |-- tunnels
- | |-- interface
- | | |-- all
- | | |-- ethernet
- Press any key to continue (q : quit) :
- Question Mark Help Screen
- # ?
- NAME
- xcli -- This is root and not a command
- SYNTAX
- COMMANDS
- DESCRIPTION
- COMMANDS -- Any of the following commands can be used
- clear -- access clear commands
- configure -- configure from ( flash / network / terminal )
- debug -- accesses debug commands
- dir -- directory of files in flash
- erase -- access erase filesystem commands
- file -- access file commands
- mtrace -- multicast trace route to source address
- password -- Change the user password
- ping -- invoke ping
- reboot -- reboot the system
- reload -- reboot the system
- save -- save configuration to ( local / network )
- show -- access show commands
- tclsh -- To invoke TCL shell
- telnet -- open a telnet connection
- test -- access test commands
- trace -- trace route to destination address or host name
- write -- write to terminal/network/flash
- #
- Global Commands
- # show configuration
- : Select type of 'configuration' ( Hit Tab )
- # dir
- CONTENTS OF /flash1:
- size date time name
- -------- ------ ------ --------
- 6467513 FEB-04-2004 13:51:22 AR0x_###x
- 6771268 APR-01-2004 11:38:42 AR0x_###y
- 1908 APR-01-2004 11:56:18 system.cfg
- 0 FEB-05-2004 07:12:30 oldsystem.cfg
- 6500329 APR-01-2004 11:49:22 AR0x_###z
- Total bytes: 19741018
- Bytes Free: 12713984
- #
- Policy Commands
- configure policy
- configure policy as_path
- configure policy community_list
- configure policy community_list extended_community
- configure policy community_list standard_community
- configure policy ip_access_list
- configure policy route_map
- configure policy route_map match
- configure policy route_map match as_path
- configure policy route_map match community
- configure policy route_map match ip ip_address
- configure policy route_map set
- configure policy route_map set as_path
- configure policy route_map set community
- configure policy route_map set distance
- configure policy route_map set local_preference
- configure policy route_map set metric
- configure policy route_map set metric_type
- configure policy route_map set origin
- Protocols Overview
- BGP4 Clear Commands
- Generic Routing Commands
- BGP4 Configure Commands
- configure router bgp
- configure router bgp aggregate_address
- configure router bgp always_compare_med
- configure router bgp default_metric
- configure router bgp distance
- configure router bgp group
- configure router bgp group distribute_list
- configure router bgp group filter_list
- configure router bgp group next_hop_self
- configure router bgp group password
- configure router bgp group remove_private_AS
- configure router bgp group route_map
- configure router bgp neighbor
- configure router bgp neighbor advertisement_interval
- configure router bgp neighbor allowbadid
- configure router bgp neighbor default_originate
- configure router bgp neighbor description
- configure router bgp neighbor distribute_list
- configure router bgp neighbor ebgp_multihop
- configure router bgp neighbor filter_list
- configure router bgp neighbor keep
- configure router bgp neighbor logupdown
- configure router bgp neighbor maximum_prefix
- configure router bgp neighbor neighbor_group
- configure router bgp neighbor next_hop_self
- configure router bgp neighbor password
- configure router bgp neighbor route_map
- configure router bgp neighbor timers
- configure router bgp neighbor update_source
- configure router bgp redistribute
- configure router bgp redistribute connected
- configure router bgp redistribute ospf
- configure router bgp redistribute rip
- configure router bgp redistribute static
- BGP4 show Commands
- OSPF Configure Commands
- configure router ospf
- configure router ospf 1583 Compatibility
- configure router ospf area
- configure router ospf area area_type
- configure router ospf area area_type normal
- configure router ospf area area_type nssa
- configure router ospf area area_type nssa no_summary
- configure router ospf area area_type stub
- configure router ospf area area_type stub no_summary
- configure router ospf area default_cost
- configure router ospf area range
- configure router ospf area virtual_link
- configure router ospf area virtual_link authentication
- configure router ospf area virtual_link dead_interval
- configure router ospf area virtual_link hello_interval
- configure router ospf area virtual_link retransmit_interval
- configure router ospf area virtual_link transmit_delay
- configure router ospf distance
- configure router ospf distance ospf
- configure router ospf distance ospf external
- configure router ospf distance ospf non_external
- configure router ospf interface
- configure router ospf interface authentication
- configure router ospf interface cost
- configure router ospf interface dead_interval
- configure router ospf interface hello_interval
- configure router ospf interface neighbor
- configure router ospf interface network
- configure router ospf interface poll_interval
- configure router ospf interface priority
- configure router ospf interface retransmit_interval
- configure router ospf interface transmit_delay
- configure router ospf redistribute
- configure router ospf redistribute bgp
- configure router ospf redistribute connected
- configure router ospf redistribute rip
- configure router ospf redistribute static
- configure router ospf ref_bw
- configure router ospf timers
- OSPF Show Commands
- show ip ospf area
- show ip ospf database
- show ip ospf database all
- show ip ospf database asbr_summary
- show ip ospf database database_summary
- show ip ospf database external
- show ip ospf database network
- show ip ospf database nssa_external
- show ip ospf database router
- show ip ospf database self_originate
- show ip ospf database summary
- show ip ospf global
- show ip ospf interface
- show ip ospf interface all
- show ip ospf interface bundle
- show ip ospf interface ethernet
- show ip ospf neighbor
- show ip ospf neighbor detail
- show ip ospf neighbor id
- show ip ospf neighbor interface
- show ip ospf neighbor interface bundle
- show ip ospf neighbor interface ethernet
- show ip ospf neighbor list
- show ip ospf request_list
- show ip ospf retransmission_list
- show ip ospf virtual_links
- RIP Configure Commands
- configure router rip
- configure router rip default_metric
- configure router rip distance
- configure router rip interface
- configure router rip interface authentication
- configure router rip interface distribute_list
- configure router rip interface metric
- configure router rip interface mode
- configure router rip interface neighbor
- configure router rip interface passive
- configure router rip interface split_horizon
- configure router rip mode
- configure router rip pacing
- configure router rip passive
- configure router rip redistribute
- configure router rip redistribute bgp
- configure router rip redistribute connected
- configure router rip redistribute ospf
- configure router rip redistribute static
- configure router rip timers
- configure router rip timers flush
- configure router rip timers holddown
- configure router rip timers update
- RIP show Commands
- AS Path Regular Expressions
- Multicasting
- Security Features
- Introduction to Security
- Enabling Security Features
- Foundry/configure# system licenses ?
- NAME
- licenses - Configure feature upgrade licenses
- SYNTAX
- licenses license_type
- DESCRIPTION
- license_type -- Specifies the type of feature upgrade license
- The parameter may have any of the following values:
- advance_vpn -- Enable Advance VPN and Firewall License
- Foundry/configure# system licenses advance_vpn
- Enter Security Upgrade License key: 024f3bc296b4ea7265
- Enabling Security Features
- Securing Remote Access Using IPSec VPN
- Access Methods
- Example 1: Securely Managing the Foundry AR1204 Over an IPSec Tunnel
- Router1/configure# interface bundle wan1
- Configuring new bundle
- Router1/configure/interface/bundle wan1# link t1 1
- Router1/configure/interface/bundle wan1# encapsulation ppp
- Router1/configure/interface/bundle wan1# ip address 172.16.0.1 24
- Router1/configure/interface/bundle wan1# crypto untrusted
- Router1/configure/interface/bundle wan1# exit
- Router1/configure# interface ethernet 0
- Configuring existing Ethernet interface
- Router1/configure/interface/ethernet 0# ip address 10.0.1.1 24
- Router1/configure/interface/ethernet 0# crypto trusted
- Router1/configure/interface/ethernet 0# exit
- Router1# show crypto interfaces
- Interface Network
- Name Type
- --------- -------
- ethernet0 trusted
- wan1 untrusted
- Router1/configure# ip route 10.0.2.0 24 wan1
- Router1/configure# crypto
- Router1/configure/crypto# ike policy Router2 172.16.0.2
- Router1/configure/crypto/ike/policy Router2 172.16.0.2# local-address 172.16.0.1
- message: Default proposal created with priority1-des-sha1-pre_shared-g1
- message: Key String has to be configured by the user
- Router1/configure/crypto/ike/policy Router2 172.16.0.2# key secretkey
- Router1/configure/crypto/ike/policy Router2 172.16.0.2# proposal 1
- Router1/configure/crypto/ike/policy Router2 172.16.0.2/proposal 1# encryption-algorithm 3des-cbc
- Router1/configure/crypto/ike/policy Router2 172.16.0.2/proposal 1# exit
- Router1/configure/crypto/ike/policy Router2 172.16.0.2# exit
- Router1# show crypto ike policy all
- Policy Peer Mode Transform
- ------ ---- ---- ---------
- Router2 172.16.0.2 Main P1 pre-g1-3des-sha1
- Router1# show crypto ike policy all detail
- Policy name Router2, Local addr 172.16.0.1, Peer addr 172.16.0.2
- Main mode, Response and Initiate, PFS is not enabled, Shared Key is *****
- Local ident 172.16.0.1 (ip-address), Remote Ident 172.16.0.2 (ip-address)
- Proposal of priority 1
- Encryption algorithm: 3des
- Hash Algorithm: sha1
- Authentication Mode: pre-shared-key
- DH Group: group1
- Lifetime in seconds: 86400
- Lifetime in kilobytes: unlimited
- Router1/configure/crypto# ipsec policy Router2 172.16.0.2
- Router1/configure/crypto/ipsec/policy Router2 172.16.0.2# match address 172.16.0.1 32 10.0.2.0 24
- message: Default proposal created with priority1-esp-3des-sha1-tunnel and activated.
- Router1/configure/crypto/ipsec/policy Router2 172.16.0.2# proposal 1
- Router1/configure/crypto/ipsec/policy Router2 172.16.0.2/proposal 1# encryption-algorithm aes128...
- Router1/configure/crypto/ipsec/policy Router2 172.16.0.2/proposal 1# exit
- Router1/configure/crypto/ipsec/policy Router2 172.16.0.2# exit
- Router1# show crypto ipsec policy all
- Policy Peer Match Proto Transform
- ------ ---- ----- ----- ---------
- Router2 172.16.0.2 S 172.16.0.1/32/any Any P1 esp-aes-sha1-tunl
- D 10.0.2.0/24/any
- INRouter2 172.16.0.2 S 10.0.2.0/24/any Any P1 esp-aes-sha1-tunl
- D 172.16.0.1/32/any
- Router1# show crypto ipsec policy all detail
- Policy name Router2 is enabled, Direction is outbound
- Peer Address is 172.16.0.2, Action is Apply
- Key Management is Automatic
- PFS Group is disabled
- Match Address:
- Protocol is Any
- Source ip address (ip/mask/port): (172.16.0.1/255.255.255.255/any)
- Destination ip address (ip/mask/port): (10.0.2.0/255.255.255.0/any)
- Proposal of priority 1
- Protocol: esp
- Mode: tunnel
- Encryption Algorithm: aes128(key length=128 bits)
- Hash Algorithm: sha1
- Lifetime in seconds: 3600
- Lifetime in Kilobytes: 4608000
- Policy name INRouter2 is enabled, Direction is inbound
- Peer Address is 172.16.0.2, Action is Apply
- Key Management is Automatic
- PFS Group is disabled
- Match Address:
- Protocol is Any
- Source ip address (ip/mask/port): (10.0.2.0/255.255.255.0/any)
- Destination ip address (ip/mask/port): (172.16.0.1/255.255.255.255/any)
- Proposal of priority 1
- Protocol: esp
- Mode: tunnel
- Encryption Algorithm: aes128(key length=128 bits)
- Hash Algorithm: sha1
- Lifetime in seconds: 3600
- Lifetime in Kilobytes: 4608000
- Router1/configure# firewall internet
- Router1/configure/firewall internet# policy 1000 in service ike self
- Router1/configure/firewall internet/policy 1000 in# exit
- Router1/configure/firewall internet# exit
- Router1/configure# firewall internet
- Router1/configure/firewall internet# policy 1001 in service snmp self
- Router1/configure/firewall internet/policy 1001 in# exit
- Router1/configure/firewall internet# policy 1002 in service telnet self
- Router1/configure/firewall internet/policy 1002 in# exit
- Router1/configure/firewall internet# policy 1003 in protocol icmp self
- Router1/configure/firewall internet/policy 1003 in# exit
- Router1/configure/firewall internet# exit
- Router1# show firewall policy internet
- Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filter,
- R - Rpc-Filter, N - Nat-Ip/Nat-Pool, L - Logging,
- E - Policy Enabled, M - Smtp-Filter
- Pri Dir Source Addr Destination Addr Sport Dport Proto Action Advanced
- --- --- ----------- ---------------- ----------------- ------ --------
- 1000 in any any ike PERMIT SE
- 1001 in any any snmp PERMIT SE
- 1002 in any any telnet PERMIT SE
- 1003 in any any any any icmp PERMIT SE
- 1024 out any any any any any PERMIT SE
- Router1# show firewall policy internet detail
- Policy with Priority 1000 is enabled, Direction is inbound
- Action permit, Traffic is self
- Logging is disable
- Source Address is any, Dest Address is any
- Source Port is any, Service Name is ike
- Schedule is disabled, Ftp-Filter is disabled
- Smtp-Filter is disabled, Http-Filter is disabled
- Rpc-Filter is disabled, Nat is disabled
- Bytes In 0, Bytes Out 0
- Policy with Priority 1001 is enabled, Direction is inbound
- Action permit, Traffic is self
- Logging is disable
- Source Address is any, Dest Address is any
- Source Port is any, Service Name is snmp
- Schedule is disabled, Ftp-Filter is disabled
- Smtp-Filter is disabled, Http-Filter is disabled
- Rpc-Filter is disabled, Nat is disabled
- Bytes In 0, Bytes Out 0
- Policy with Priority 1002 is enabled, Direction is inbound
- Action permit, Traffic is self
- Logging is disable
- Source Address is any, Dest Address is any
- Source Port is any, Service Name is telnet
- Schedule is disabled, Ftp-Filter is disabled
- Smtp-Filter is disabled, Http-Filter is disabled
- Rpc-Filter is disabled, Nat is disabled
- Bytes In 0, Bytes Out 0
- Policy with Priority 1003 is enabled, Direction is inbound
- Action permit, Traffic is self
- Logging is disable
- Source Address is any, Dest Address is any
- Source Port is any, Dest Port is any, Protocol is icmp
- Schedule is disabled, Ftp-Filter is disabled
- Smtp-Filter is disabled, Http-Filter is disabled
- Rpc-Filter is disabled, Nat is disabled
- Bytes In 0, Bytes Out 0
- Policy with Priority 1024 is enabled, Direction is outbound
- Action permit, Traffic is self
- Logging is disable
- Source Address is any, Dest Address is any
- Source Port is any, Dest Port is any, any
- Schedule is disabled, Ftp-Filter is disabled
- Smtp-Filter is disabled, Http-Filter is disabled
- Rpc-Filter is disabled, Nat is disabled
- Bytes In 0, Bytes Out 0
- Router1/configure/crypto# exit
- Router1/configure# snmp
- Router1/configure/snmp# community public rw
- Router1/configure/snmp# exit
- Router1# show snmp communities
- Community = public, privilege=rw
- Router1# show crypto ike sa all
- Policy Peer State Bytes Transform
- ------ ---- ----- ----- ---------
- Router2 172.16.0.2 SA_MATURE 2020 pre-g1-3des-sha1
- Router1# show crypto ike sa all detail
- Crypto Policy name: Router2
- Remote ident 172.16.0.2
- Peer Address is 172.16.0.2
- Transform: 3des, sha1, pre-shared-key
- DH Group: group1
- Bytes Processed 2020
- State is SA_MATURE
- Mode is Main
- Remaining Time in Sec: 86084
- Life Time in Sec: 86400, Life Time in Bytes is unlimited
- Router1# show crypto ipsec sa all
- Policy Dest IP Spi Bytes Transform
- ------ ------- --- ----- ---------
- INRouter2 172.16.0.1 0xe8453c2b 256 esp-aes-sha1-tunl
- Router2 172.16.0.2 0xa1f673aa 256 esp-aes-sha1-tunl
- Router1# show crypto ipsec sa all detail
- Crypto Policy name: INRouter2
- Protocol is Any
- Local ident(ip/mask/port): (10.0.2.0/255.255.255.0/any)
- Remote ident(ip/mask/port): (172.16.0.1/255.255.255.255/any)
- Peer Address is 172.16.0.1, PFS Group is disabled
- inbound ESP sas
- Spi: 0xe8453c2b
- Transform: aes128 (key length=128 bits), sha1
- In use settings = {tunnel}
- Bytes Processed 256
- Hard lifetime in seconds 3290, Hard lifetime in kilobytes 413696
- Soft lifetime in seconds 0, Soft lifetime in kilobytes is unlimited
- Crypto Policy name: Router2
- Protocol is Any
- Local ident(ip/mask/port): (172.16.0.1/255.255.255.255/any)
- Remote ident(ip/mask/port): (10.0.2.0/255.255.255.0/any)
- Peer Address is 172.16.0.2, PFS Group is disabled
- outbound ESP sas
- Spi: 0xa1f673aa
- Transform: aes128 (key length=128 bits), sha1
- In use settings = {tunnel}
- Bytes Processed 256
- Hard lifetime in seconds 3290, Hard lifetime in kilobytes 413695
- Soft lifetime in seconds 3200, Soft lifetime in kilobytes 37355
- Example 2: Joining Two Private Networks with an IP Security Tunnel
- Figure1 Tunnel Mode Between Two Foundry Security Gateways - Single Proposals
- Router1/configure/interface/bundle wan1# link t1 1
- Router1/configure/interface/bundle wan1# encapsulation ppp
- Router1/configure/interface/bundle wan1# ip address 172.16.0.1 24
- Router1/configure/interface/bundle wan1# crypto untrusted
- Router1/configure/interface/bundle wan1# exit
- Router1/configure# interface ethernet 0
- Configuring existing Ethernet interface
- Router1/configure/interface/ethernet 0# ip address 10.0.1.1 24
- Router1/configure/interface/ethernet 0# crypto trusted
- Router1/configure/interface/ethernet 0# exit
- Router1# show crypto interfaces
- Interface Network
- Name Type
- --------- -------
- ethernet0 trusted
- wan1 untrusted
- Router1/configure# ip route 10.0.2.0 24 wan1
- Router1/configure# crypto
- Router1/configure/crypto# ike policy Router2 172.16.0.2
- Router1/configure/crypto/ike/policy Router2 172.16.0.2# local-address 172.16.0.1
- message: Default proposal created with priority1-des-sha1-pre_shared-g1
- message: Key String has to be configured by the user
- Router1/configure/crypto/ike/policy Router2 172.16.0.2# key secretkey
- Router1/configure/crypto/ike/policy Router2 172.16.0.2# proposal 1
- Router1/configure/crypto/ike/policy Router2 172.16.0.2/proposal 1# encryption-algorithm 3des-cbc
- Router1/configure/crypto/ike/policy Router2 172.16.0.2/proposal 1# exit
- Router1/configure/crypto/ike/policy Router2 172.16.0.2# exit
- Router1# show crypto ike policy all
- Policy Peer Mode Transform
- ------ ---- ---- ---------
- Router2 172.16.0.2 Main P1 pre-g1-3des-sha1
- Router1# show crypto ike policy all detail
- Policy name Router2, Local addr 172.16.0.1, Peer addr 172.16.0.2
- Main mode, Response and Initiate, PFS is not enabled, Shared Key is *****
- Local ident 172.16.0.1 (ip-address), Remote Ident 172.16.0.2 (ip-address)
- Proposal of priority 1
- Encryption algorithm: 3des
- Hash Algorithm: sha1
- Authentication Mode: pre-shared-key
- DH Group: group1
- Lifetime in seconds: 86400
- Lifetime in kilobytes: unlimited
- Router1/configure/crypto# ipsec policy Router2 172.16.0.2
- Router1/configure/crypto/ipsec/policy Router2 172.16.0.2# match address 10.0.1.0 24 10.0.2.0 24
- Default proposal created with priority1-esp-3des-sha1-tunnel and activated.
- Router1/configure/crypto/ipsec/policy Router2 172.16.0.2# proposal 1
- Router1/configure/crypto/ipsec/policy Router2 172.16.0.2/proposal 1# encryption-algorithm aes256-cbc
- Router1/configure/crypto/ipsec/policy Router2 172.16.0.2/proposal 1# exit
- Router1/configure/crypto/ipsec/policy Router2 172.16.0.2# exit
- Router1# show crypto ipsec policy all
- Policy Peer Match Proto Transform
- ------ ---- ----- ----- ---------
- Router2 172.16.0.2 S 10.0.1.0/24/any Any P1 esp-aes-sha1-tunl
- D 10.0.2.0/24/any
- INRouter2 172.16.0.2 S 10.0.2.0/24/any Any P1 esp-aes-sha1-tunl
- D 10.0.1.0/24/any
- Router1# show crypto ipsec policy all detail
- Policy name Router2 is enabled, Direction is outbound
- Peer Address is 172.16.0.2, Action is Apply
- Key Management is Automatic
- PFS Group is disabled
- Match Address:
- Protocol is Any
- Source ip address (ip/mask/port): (10.0.1.0/255.255.255.0/any)
- Destination ip address (ip/mask/port): (10.0.2.0/255.255.255.0/any)
- Proposal of priority 1
- Protocol: esp
- Mode: tunnel
- Encryption Algorithm: aes256(key length=256 bits)
- Hash Algorithm: sha1
- Lifetime in seconds: 3600
- Lifetime in Kilobytes: 4608000
- Policy name INRouter2 is enabled, Direction is inbound
- Peer Address is 172.16.0.2, Action is Apply
- Key Management is Automatic
- PFS Group is disabled
- Match Address:
- Protocol is Any
- Source ip address (ip/mask/port): (10.0.2.0/255.255.255.0/any)
- Destination ip address (ip/mask/port): (10.0.1.0/255.255.255.0/any)
- Proposal of priority 1
- Protocol: esp
- Mode: tunnel
- Encryption Algorithm: aes256(key length=256 bits)
- Hash Algorithm: sha1
- Lifetime in seconds: 3600
- Lifetime in Kilobytes: 4608000
- Router1/configure# firewall internet
- Router1/configure/firewall internet# policy 1000 in service ike self
- Router1/configure/firewall internet/policy 1000 in# exit
- Router1/configure/firewall internet# exit
- Router1# show firewall policy internet detail
- Policy with Priority 1000 is enabled, Direction is inbound
- Action permit, Traffic is self
- Logging is disable
- Source Address is any, Dest Address is any
- Source Port is any, Service Name is ike
- Schedule is disabled, Ftp-Filter is disabled
- Smtp-Filter is disabled, Http-Filter is disabled
- Rpc-Filter is disabled, Nat is disabled
- Bytes In 0, Bytes Out 0
- Policy with Priority 1024 is enabled, Direction is outbound
- Action permit, Traffic is self
- Logging is disable
- Source Address is any, Dest Address is any
- Source Port is any, Dest Port is any, any
- Schedule is disabled, Ftp-Filter is disabled
- Smtp-Filter is disabled, Http-Filter is disabled
- Rpc-Filter is disabled, Nat is disabled
- Bytes In 0, Bytes Out 0
- Router1/configure# firewall corp
- Router1/configure/firewall corp# policy 1000 in address 10.0.2.0 24 10.0.1.0 24
- Router1/configure/firewall corp/policy 1000 in# exit
- Router1/configure/firewall corp# exit
- Router1# show firewall policy corp
- Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filter,
- R - Rpc-Filter, N - Nat-Ip/Nat-Pool, L - Logging,
- E - Policy Enabled, M - Smtp-Filter
- Pri Dir Source Addr Destination Addr Sport Dport Proto Action Advanced
- --- --- ----------- ---------------- ----------------- ---- -- --------
- 1000 in 10.0.2.0/24 10.0.1.0/24 any any any PERMIT E
- 1022 out any any any any any PERMIT SE
- 1023 in any any any any any PERMIT SE
- 1024 out any any any any any PERMIT E
- Router1# show firewall policy corp detail
- Policy with Priority 1000 is enabled, Direction is inbound
- Action permit, Traffic is transit
- Logging is disable
- Source Address is 10.0.2.0/24, Dest Address is 10.0.1.0/24
- Source Port is any, Dest Port is any, any
- Schedule is disabled, Ftp-Filter is disabled
- Smtp-Filter is disabled, Http-Filter is disabled
- Rpc-Filter is disabled, Nat is disabled
- Max-Connections 1024, Connection-Rate is disabled
- Policing is disabled, Bandwidth is disabled
- Bytes In 0, Bytes Out 0
- Policy with Priority 1022 is enabled, Direction is outbound
- Action permit, Traffic is self
- Logging is disable
- Source Address is any, Dest Address is any
- Source Port is any, Dest Port is any, any
- Schedule is disabled, Ftp-Filter is disabled
- Smtp-Filter is disabled, Http-Filter is disabled
- Rpc-Filter is disabled, Nat is disabled
- Bytes In 0, Bytes Out 0
- Policy with Priority 1023 is enabled, Direction is inbound
- Action permit, Traffic is self
- Logging is disable
- Source Address is any, Dest Address is any
- Source Port is any, Dest Port is any, any
- Schedule is disabled, Ftp-Filter is disabled
- Smtp-Filter is disabled, Http-Filter is disabled
- Rpc-Filter is disabled, Nat is disabled
- Bytes In 0, Bytes Out 0
- Policy with Priority 1024 is enabled, Direction is outbound
- Action permit, Traffic is transit
- Logging is disable
- Source Address is any, Dest Address is any
- Source Port is any, Dest Port is any, any
- Schedule is disabled, Ftp-Filter is disabled
- Smtp-Filter is disabled, Http-Filter is disabled
- Rpc-Filter is disabled, Nat is disabled
- Max-Connections 1024, Connection-Rate is disabled
- Policing is disabled, Bandwidth is disabled
- Bytes In 11258, Bytes Out 5813
- Router1# show crypto ike sa all
- Policy Peer State Bytes Transform
- ------ ---- ----- ----- ---------
- Router2 172.16.0.2 SA_MATURE 1796 pre-g1-3des-sha1
- Router1# show crypto ike sa all detail
- Crypto Policy name: Router2
- Remote ident 172.16.0.2
- Peer Address is 172.16.0.2
- Transform: 3des, sha1, pre-shared-key
- DH Group: group1
- Bytes Processed 1796
- State is SA_MATURE
- Mode is Main
- Remaining Time in Sec: 86376
- Life Time in Sec: 86400, Life Time in Bytes is unlimited
- Router1# show crypto ipsec sa all
- Policy Dest IP Spi Bytes Transform
- ------ ------- --- ----- ---------
- INRouter2 172.16.0.1 0xd603a513 256 esp-aes-sha1-tunl
- Router2 172.16.0.2 0xb013de87 256 esp-aes-sha1-tunl
- Router1# show crypto ipsec sa all detail
- Crypto Policy name: INRouter2
- Protocol is Any
- Local ident(ip/mask/port): (10.0.2.0/255.255.255.0/any)
- Remote ident(ip/mask/port): (10.0.1.0/255.255.255.0/any)
- Peer Address is 172.16.0.1, PFS Group is disabled
- inbound ESP sas
- Spi: 0xd603a513
- Transform: aes256 (key length=256 bits), sha1
- In use settings = {tunnel}
- Bytes Processed 256
- Hard lifetime in seconds 3560, Hard lifetime in kilobytes 413696
- Soft lifetime in seconds 0, Soft lifetime in kilobytes is unlimited
- Crypto Policy name: Router2
- Protocol is Any
- Local ident(ip/mask/port): (10.0.1.0/255.255.255.0/any)
- Remote ident(ip/mask/port): (10.0.2.0/255.255.255.0/any)
- Peer Address is 172.16.0.2, PFS Group is disabled
- outbound ESP sas
- Spi: 0xb013de87
- Transform: aes256 (key length=256 bits), sha1
- In use settings = {tunnel}
- Bytes Processed 256
- Hard lifetime in seconds 3560, Hard lifetime in kilobytes 413695
- Soft lifetime in seconds 3470, Soft lifetime in kilobytes 41492
- Figure1 Tunnel Mode Between Two Foundry Security Gateways - Single Proposals
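The Example 1 and Example 2 transcripts above (and Example 3 below) show the exact text that `show crypto ike policy all detail`, `show crypto ipsec policy all detail`, `show firewall policy internet` and `show snmp communities` print. The following Python script is an added example, not code from the Foundry manual: it parses those output formats and lists the settings a reviewer would want to revisit before deploying the example configuration as-is, namely DES/3DES, SHA-1 and DH group 1 in the IKE and IPSec proposals, PFS left disabled, the `public` community with `rw` privilege, and cleartext management services (telnet, snmp) permitted inbound from any source on the `internet` firewall map. The sample output is pasted from the transcripts (the IPSec detail is the two-proposal outbound policy of Example 3); which values count as weak is the script's own assumption.

```python
# Added example, not code from the Foundry manual: parse the 'show' output formats seen in
# the transcripts above and flag settings a reviewer should revisit before deployment.
import re
# Sample 'show crypto ike policy all detail' output, copied from Example 1 above.
IKE_DETAIL = """\
Policy name Router2, Local addr 172.16.0.1, Peer addr 172.16.0.2
Main mode, Response and Initiate, PFS is not enabled, Shared Key is *****
Proposal of priority 1
Encryption algorithm: 3des
Hash Algorithm: sha1
DH Group: group1
"""
# Sample 'show crypto ipsec policy all detail' output: outbound policy of Example 3 below.
IPSEC_DETAIL = """\
Policy name Router2 is enabled, Direction is outbound
PFS Group is disabled
Proposal of priority 1
Encryption Algorithm: des
Hash Algorithm: sha1
Proposal of priority 2
Encryption Algorithm: aes256(key length=256 bits)
Hash Algorithm: sha1
"""
# Sample 'show firewall policy internet' rows and 'show snmp communities' line, Example 1.
FIREWALL_INTERNET = """\
1000 in any any ike PERMIT SE
1001 in any any snmp PERMIT SE
1002 in any any telnet PERMIT SE
1024 out any any any any any PERMIT SE
"""
SNMP_COMMUNITIES = "Community = public, privilege=rw\n"

# (proposal field, values this script treats as unacceptable, finding label) -- assumptions.
WEAK = (("encryption", {"des", "3des"}, "deprecated cipher"),
        ("hash", {"md5", "sha1"}, "weak integrity hash"),
        ("dh", {"group1", "group2"}, "weak DH group"))
KV_RE = re.compile(r"^(Encryption algorithm|Hash Algorithm|DH Group):\s*(\S+)", re.I)

def parse_policies(text):
    """Split IKE/IPSec 'detail' output into policies, each carrying its proposals."""
    policies = []
    for line in text.splitlines():
        line = line.strip()
        head = re.match(r"^Policy name ([^\s,]+)", line)
        if head:
            policies.append({"name": head.group(1), "pfs": None, "proposals": []})
            continue
        if not policies:
            continue
        cur = policies[-1]
        if "PFS" in line:
            cur["pfs"] = not ("not enabled" in line or "disabled" in line)
        elif line.startswith("Proposal of priority"):
            cur["proposals"].append({"priority": int(line.split()[-1])})
        else:
            kv = KV_RE.match(line)
            if kv and cur["proposals"]:
                key = kv.group(1).split()[0].lower()  # encryption / hash / dh
                cur["proposals"][-1][key] = re.sub(r"\(.*", "", kv.group(2).lower())  # drop "(key length=...)"
    return policies

def audit_crypto(policies, kind):
    """Report weak transforms per proposal and, for IPSec policies, PFS turned off."""
    findings = []
    for pol in policies:
        for prop in pol["proposals"]:
            for key, weak_values, label in WEAK:
                if prop.get(key) in weak_values:
                    findings.append(f"{kind} policy {pol['name']} proposal {prop['priority']}: {label} {prop[key]}")
        if kind == "IPSec" and pol["pfs"] is False:
            findings.append(f"{kind} policy {pol['name']}: PFS disabled")
    return findings

def audit_firewall(table, fw_map):
    """Flag cleartext management services (telnet, snmp) permitted inbound from any source."""
    findings = []
    for row in table.splitlines():
        tok = row.split()
        if len(tok) < 7 or not tok[0].isdigit() or "PERMIT" not in tok:
            continue
        pri, direction, src, service = tok[0], tok[1], tok[2], tok[tok.index("PERMIT") - 1]
        if direction == "in" and src == "any" and service in ("telnet", "snmp"):
            findings.append(f"firewall {fw_map} policy {pri}: {service} permitted inbound from any source")
    return findings

def audit_snmp(output):
    """Flag well-known community names and read-write communities."""
    findings = []
    for name, priv in re.findall(r"Community = (\S+), privilege=(\w+)", output):
        if name in ("public", "private"):
            findings.append(f"snmp community '{name}' is a well-known default name")
        if priv == "rw":
            findings.append(f"snmp community '{name}' grants read-write access")
    return findings

def run_audit():
    return (audit_crypto(parse_policies(IKE_DETAIL), "IKE")
            + audit_crypto(parse_policies(IPSEC_DETAIL), "IPSec")
            + audit_firewall(FIREWALL_INTERNET, "internet")
            + audit_snmp(SNMP_COMMUNITIES))
if __name__ == "__main__":
    print("\n".join(run_audit()))
```

Running it against the pasted samples yields eleven findings: three for the IKE proposal (3des, sha1, group1), four for the IPSec policy (des and sha1 in proposal 1, sha1 in proposal 2, PFS disabled), two firewall rows (snmp and telnet permitted inbound from any) and two for the SNMP community. To audit a live device, replace the sample strings with the captured output of the same `show` commands; the parser only relies on the line shapes visible in the transcripts.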
- Example 3: Joining Two Networks with an IPSec Tunnel using Multiple IPSec Proposals
- Figure2 Tunnel Mode Between Two Foundry Security Gateways - Multiple Proposals
- Router1/configure/interface/bundle wan1# link t1 1
- Router1/configure/interface/bundle wan1# encapsulation ppp
- Router1/configure/interface/bundle wan1# ip address 172.16.0.1 24
- Router1/configure/interface/bundle wan1# crypto untrusted
- Router1/configure/interface/bundle wan1# exit
- Router1/configure# interface ethernet 0
- Configuring existing Ethernet interface
- Router1/configure/interface/ethernet 0# ip address 10.0.1.1 24
- Router1/configure/interface/ethernet 0# crypto trusted
- Router1/configure/interface/ethernet 0# exit
- Router1# show crypto interfaces
- Interface Network
- Name Type
- --------- -------
- ethernet0 trusted
- wan1 untrusted
- Router1/configure# ip route 10.0.2.0 24 wan1
- Router1/configure# crypto
- Router1/configure/crypto# ike policy Router2 172.16.0.2
- Router1/configure/crypto/ike/policy Router2 172.16.0.2# local-address 172.16.0.1
- message: Default proposal created with priority1-des-sha1-pre_shared-g1
- message: Key String has to be configured by the user
- Router1/configure/crypto/ike/policy Router2 172.16.0.2# key secretkey
- Router1/configure/crypto/ike/policy Router2 172.16.0.2# proposal 1
- Router1/configure/crypto/ike/policy Router2 172.16.0.2/proposal 1# encryption-algorithm 3des-cbc
- Router1/configure/crypto/ike/policy Router2 172.16.0.2/proposal 1# exit
- Router1/configure/crypto/ike/policy Router2 172.16.0.2# exit
- Router1# show crypto ike policy all
- Policy Peer Mode Transform
- ------ ---- ---- ---------
- Router2 172.16.0.2 Main P1 pre-g1-3des-sha1
- Router1# show crypto ike policy all detail
- Policy name Router2, Local addr 172.16.0.1, Peer addr 172.16.0.2
- Main mode, Response and Initiate, PFS is not enabled, Shared Key is *****
- Local ident 172.16.0.1 (ip-address), Remote Ident 172.16.0.2 (ip-address)
- Proposal of priority 1
- Encryption algorithm: 3des
- Hash Algorithm: sha1
- Authentication Mode: pre-shared-key
- DH Group: group1
- Lifetime in seconds: 86400
- Lifetime in kilobytes: unlimited
- Router1/configure/crypto# ipsec policy Router2 172.16.0.2
- Router1/configure/crypto/ipsec/policy Router2 172.16.0.2# match address 10.0.1.0 24 10.0.2.0 24
- Default proposal created with priority1-esp-3des-sha1-tunnel and activated.
- Router1/configure/crypto/ipsec/policy Router2 172.16.0.2# proposal 1
- Router1/configure/crypto/ipsec/policy Router2 172.16.0.2/proposal 1# encryption-algorithm des-cbc
- Router1/configure/crypto/ipsec/policy Router2 172.16.0.2/proposal 1# exit
- Router1/configure/crypto/ipsec/policy Router2 172.16.0.2# proposal 2
- Proposal added with priority2-esp-3des-sha1-tunnel.
- Router1/configure/crypto/ipsec/policy Router2 172.16.0.2/proposal 2# encryption-algorithm aes256-cbc
- Router1/configure/crypto/ipsec/policy Router2 172.16.0.2/proposal 2# exit
- Router1/configure/crypto/ipsec/policy Router2 172.16.0.2# exit
- Router1/configure/crypto# exit
- Router1/configure#
- Router1# show crypto ipsec policy all
- Policy Peer Match Proto Transform
- ------ ---- ----- ----- ---------
- Router2 172.16.0.2 S 10.0.1.0/24/any Any P1 esp-des-sha1-tunl
- D 10.0.2.0/24/any P2 esp-aes-sha1-tunl
- INRouter2 172.16.0.2 S 10.0.2.0/24/any Any P1 esp-des-sha1-tunl
- D 10.0.1.0/24/any P2 esp-aes-sha1-tunl
- Router1# show crypto ipsec policy all detail
- Policy name Router2 is enabled, Direction is outbound
- Peer Address is 172.16.0.2, Action is Apply
- Key Management is Automatic
- PFS Group is disabled
- Match Address:
- Protocol is Any
- Source ip address (ip/mask/port): (10.0.1.0/255.255.255.0/any)
- Destination ip address (ip/mask/port): (10.0.2.0/255.255.255.0/any)
- Proposal of priority 1
- Protocol: esp
- Mode: tunnel
- Encryption Algorithm: des
- Hash Algorithm: sha1
- Lifetime in seconds: 3600
- Lifetime in Kilobytes: 4608000
- Proposal of priority 2
- Protocol: esp
- Mode: tunnel
- Encryption Algorithm: aes256(key length=256 bits)
- Hash Algorithm: sha1
- Lifetime in seconds: 3600
- Lifetime in Kilobytes: 4608000
- Policy name INRouter2 is enabled, Direction is inbound
- Peer Address is 172.16.0.2, Action is Apply
- Key Management is Automatic
- PFS Group is disabled
- Match Address:
- Protocol is Any
- Source ip address (ip/mask/port): (10.0.2.0/255.255.255.0/any)
- Destination ip address (ip/mask/port): (10.0.1.0/255.255.255.0/any)
- Proposal of priority 1
- Protocol: esp
- Mode: tunnel
- Encryption Algorithm: des
- Hash Algorithm: sha1
- Lifetime in seconds: 3600
- Lifetime in Kilobytes: 4608000
- Proposal of priority 2
- Protocol: esp
- Mode: tunnel
- Encryption Algorithm: aes256(key length=256 bits)
- Hash Algorithm: sha1
- Lifetime in seconds: 3600
- Lifetime in Kilobytes: 4608000
- Router1/configure# firewall internet
- Router1/configure/firewall internet# policy 1000 in service ike self
- Router1/configure/firewall internet/policy 1000 in# exit
- Router1/configure/firewall internet# exit
- Router1# show firewall policy internet detail
- Policy with Priority 1000 is enabled, Direction is inbound
- Action permit, Traffic is self
- Logging is disable
- Source Address is any, Dest Address is any
- Source Port is any, Service Name is ike
- Schedule is disabled, Ftp-Filter is disabled
- Smtp-Filter is disabled, Http-Filter is disabled
- Rpc-Filter is disabled, Nat is disabled
- Bytes In 0, Bytes Out 0
- Policy with Priority 1024 is enabled, Direction is outbound
- Action permit, Traffic is self
- Logging is disable
- Source Address is any, Dest Address is any
- Source Port is any, Dest Port is any, any
- Schedule is disabled, Ftp-Filter is disabled
- Smtp-Filter is disabled, Http-Filter is disabled
- Rpc-Filter is disabled, Nat is disabled
- Bytes In 0, Bytes Out 0
- Router1/configure# firewall corp
- Router1/configure/firewall corp# policy 1000 in address 10.0.2.0 24 10.0.1.0 24
- Router1/configure/firewall corp/policy 1000 in# exit
- Router1/configure/firewall corp# exit
- Router1# show firewall policy corp
- Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filter,
- R - Rpc-Filter, N - Nat-Ip/Nat-Pool, L - Logging,
- E - Policy Enabled, M - Smtp-Filter
- Pri Dir Source Addr Destination Addr Sport Dport Proto Action Advanced
- --- --- ----------- ---------------- ----------------- ---- -- --------
- 1000 in 10.0.2.0/24 10.0.1.0/24 any any any PERMIT E
- 1022 out any any any any any PERMIT SE
- 1023 in any any any any any PERMIT SE
- 1024 out any any any any any PERMIT E
- Router1# show firewall policy corp detail
- Policy with Priority 1000 is enabled, Direction is inbound
- Action permit, Traffic is transit
- Logging is disable
- Source Address is 10.0.2.0/24, Dest Address is 10.0.1.0/24
- Source Port is any, Dest Port is any, any
- Schedule is disabled, Ftp-Filter is disabled
- Smtp-Filter is disabled, Http-Filter is disabled
- Rpc-Filter is disabled, Nat is disabled
- Max-Connections 1024, Connection-Rate is disabled
- Policing is disabled, Bandwidth is disabled
- Bytes In 0, Bytes Out 0
- Policy with Priority 1022 is enabled, Direction is outbound
- Action permit, Traffic is self
- Logging is disable
- Source Address is any, Dest Address is any
- Source Port is any, Dest Port is any, any
- Schedule is disabled, Ftp-Filter is disabled
- Smtp-Filter is disabled, Http-Filter is disabled
- Rpc-Filter is disabled, Nat is disabled
- Bytes In 0, Bytes Out 0
- Policy with Priority 1023 is enabled, Direction is inbound
- Action permit, Traffic is self
- Logging is disable
- Source Address is any, Dest Address is any
- Source Port is any, Dest Port is any, any
- Schedule is disabled, Ftp-Filter is disabled
- Smtp-Filter is disabled, Http-Filter is disabled
- Rpc-Filter is disabled, Nat is disabled
- Bytes In 0, Bytes Out 0
- Policy with Priority 1024 is enabled, Direction is outbound
- Action permit, Traffic is transit
- Logging is disable
- Source Address is any, Dest Address is any
- Source Port is any, Dest Port is any, any
- Schedule is disabled, Ftp-Filter is disabled
- Smtp-Filter is disabled, Http-Filter is disabled
- Rpc-Filter is disabled, Nat is disabled
- Max-Connections 1024, Connection-Rate is disabled
- Policing is disabled, Bandwidth is disabled
- Bytes In 11258, Bytes Out 5813
- Router1# show crypto ike sa all
- Policy Peer State Bytes Transform
- ------ ---- ----- ----- ---------
- Router2 172.16.0.2 SA_MATURE 1796 pre-g1-3des-sha1
- Router1# show crypto ike sa all detail
- Crypto Policy name: Router2
- Remote ident 172.16.0.2
- Peer Address is 172.16.0.2
- Transform: 3des, sha1, pre-shared-key
- DH Group: group1
- Bytes Processed 1796
- State is SA_MATURE
- Mode is Main
- Remaining Time in Sec: 86380
- Life Time in Sec: 86400, Life Time in Bytes is unlimited
- Router1# show crypto ipsec sa all
- Policy Dest IP Spi Bytes Transform
- ------ ------- --- ----- ---------
- INRouter2 172.16.0.1 0x8eabe4b3 256 esp-aes-sha1-tunl
- Router2 172.16.0.2 0xa9a506f9 256 esp-aes-sha1-tunl
- Router1# show crypto ipsec sa all detail
- Crypto Policy name: INRouter2
- Protocol is Any
- Local ident(ip/mask/port): (10.0.2.0/255.255.255.0/any)
- Remote ident(ip/mask/port): (10.0.1.0/255.255.255.0/any)
- Peer Address is 172.16.0.1, PFS Group is disabled
- inbound ESP sas
- Spi: 0x8eabe4b3
- Transform: aes256 (key length=256 bits), sha1
- In use settings = {tunnel}
- Bytes Processed 256
- Hard lifetime in seconds 3570, Hard lifetime in kilobytes 413696
- Soft lifetime in seconds 0, Soft lifetime in kilobytes is unlimited
- Crypto Policy name: Router2
- Protocol is Any
- Local ident(ip/mask/port): (10.0.1.0/255.255.255.0/any)
- Remote ident(ip/mask/port): (10.0.2.0/255.255.255.0/any)
- Peer Address is 172.16.0.2, PFS Group is disabled
- outbound ESP sas
- Spi: 0xa9a506f9
- Transform: aes256 (key length=256 bits), sha1
- In use settings = {tunnel}
- Bytes Processed 256
- Hard lifetime in seconds 3570, Hard lifetime in kilobytes 413695
- Soft lifetime in seconds 3540, Soft lifetime in kilobytes 20233
- Figure 2: Tunnel Mode Between Two Foundry Security Gateways - Multiple Proposals
- Example 4: Supporting Remote User Access
- Router1/configure# interface bundle wan1
- Configuring new bundle
- Router1/configure/interface/bundle wan1# link t1 1
- Router1/configure/interface/bundle wan1# encapsulation ppp
- Router1/configure/interface/bundle wan1# ip address 172.16.0.1 24
- Router1/configure/interface/bundle wan1# crypto untrusted
- Router1/configure/interface/bundle wan1# exit
- Router1/configure# interface ethernet 0
- Configuring existing Ethernet interface
- Router1/configure/interface/ethernet 0# ip address 10.0.1.1 24
- Router1/configure/interface/ethernet 0# crypto trusted
- Router1/configure/interface/ethernet 0# exit
- Router1# show crypto interfaces
- Interface Network
- Name Type
- --------- -------
- ethernet0 trusted
- wan1 untrusted
- Router1/configure# crypto
- Router1/configure/crypto# dynamic
- Router1/configure/crypto/dynamic# ike policy sales
- Router1/configure/crypto/dynamic/ike/policy sales# local-address 172.16.0.1
- Router1/configure/crypto/dynamic/ike/policy sales# remote-id email-id [email protected] david
- New user david is added to the group sales
- Default proposal created with priority1-des-sha1-pre_shared-g1
- Key String has to be configured by the user
- Router1/configure/crypto/dynamic/ike/policy sales# remote-id email-id [email protected] mike
- New user mike is added to the group sales
- Router1/configure/crypto/dynamic/ike/policy sales# key secretkeyforsalesusers
- Router1/configure/crypto/dynamic/ike/policy sales# proposal 1
- Router1/configure/crypto/dynamic/ike/policy sales/proposal 1# encryption-algorithm 3des-cbc
- Router1/configure/crypto/dynamic/ike/policy sales/proposal 1# exit
- Router1/configure/crypto/dynamic/ike/policy sales# client authentication radius pap
- Router1/configure/crypto/dynamic/ike/policy sales# exit
- Router1/configure/crypto/dynamic#
- Router1# show crypto dynamic ike policy all
- Policy Remote-id Mode Transform Address-Pool
- ------ --------- ---- --------- ------------
- sales U david@foun... Aggressive P1 pre-g1-3des- sha1
- Router1# show crypto dynamic ike policy all detail
- Policy name sales, User group name sales
- Aggressive mode, Response Only, PFS is not enabled, Shared Key is *****
- Client authentication is Radius(PAP)
- Local addr: 172.16.0.1, Local ident 172.16.0.1 (ip-address)
- Remote idents are [email protected] (email-id), [email protected] (email-id)
- Proposal of priority 1
- Encryption algorithm: 3des
- Hash Algorithm: sha1
- Authentication Mode: pre-shared-key
- DH Group: group1
- Lifetime in seconds: 86400
- Lifetime in kilobytes: unlimited
- Router1/configure/crypto/dynamic# ipsec policy sales
- Router1/configure/crypto/dynamic/ipsec/policy sales# match address 10.0.1.0 24
- Default proposal created with priority1-esp-3des-sha1-tunnel and activated.
- Router1/configure/crypto/dynamic/ipsec/policy sales# proposal 1
- Router1/configure/crypto/dynamic/ipsec/policy sales/proposal 1# encryption-algorithm aes256-cbc
- Router1/configure/crypto/dynamic/ipsec/policy sales/proposal 1# exit
- Router1/configure/crypto/dynamic/ipsec/policy sales# exit
- Router1/configure/crypto/dynamic#
- Router1# show crypto dynamic ipsec policy all
- Policy Match Proto Transform
- ------ ----- ----- ---------
- sales S 10.0.1.0/24/any Any P1 esp-aes-sha1-tunl
- D any/any/any
- INsales S any/any/any Any P1 esp-aes-sha1-tunl
- D 10.0.1.0/24/any
- Router1# show crypto dynamic ipsec policy all detail
- Policy sales is enabled, User group name sales
- Direction is outbound, Action is Apply
- Key Management is Automatic
- PFS Group is disabled
- Match Address:
- Protocol is Any
- Source ip address (ip/mask/port): (10.0.1.0/255.255.255.0/any)
- Destination ip address (ip/mask/port): (any/any/any)
- Proposal of priority 1
- Protocol: esp
- Mode: tunnel
- Encryption Algorithm: aes256(key length=256 bits)
- Hash Algorithm: sha1
- Lifetime in seconds: 3600
- Lifetime in Kilobytes: 4608000
- Policy INsales is enabled, User group name sales
- Direction is inbound, Action is Apply
- Key Management is Automatic
- PFS Group is disabled
- Match Address:
- Protocol is Any
- Source ip address (ip/mask/port): (any/any/any)
- Destination ip address (ip/mask/port): (10.0.1.0/255.255.255.0/any)
- Proposal of priority 1
- Protocol: esp
- Mode: tunnel
- Encryption Algorithm: aes256(key length=256 bits)
- Hash Algorithm: sha1
- Lifetime in seconds: 3600
- Lifetime in Kilobytes: 4608000
- Router1/configure# aaa
- Router1/configure/aaa# radius
- Router1/configure/aaa/radius# primary_server 172.168.2.1
- Primary Radius server configured.
- Router1/configure/aaa/radius# secondary_server 192.168.2.1
- Secondary Radius server configured.
- Router1/configure/aaa/radius# exit
- Router1/configure/aaa# exit
- Router1/configure# firewall internet
- Router1/configure/firewall internet# policy 1000 in service ike self
- Router1/configure/firewall internet/policy 1000 in# exit
- Router1/configure/firewall internet# exit
- Router1# show firewall policy internet
- Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filter,
- R - Rpc-Filter, N - Nat-Ip/Nat-Pool, L - Logging,
- E - Policy Enabled, M - Smtp-Filter
- Pri Dir Source Addr Destination Addr Sport Dport Proto Action Advanced
- --- --- ----------- ---------------- ----------------- ---- -- --------
- 1000 in any any ike PERMIT SE
- 1024 out any any any any any PERMIT SE
- Router1# show firewall policy internet detail
- Policy with Priority 1000 is enabled, Direction is inbound
- Action permit, Traffic is self
- Logging is disable
- Source Address is any, Dest Address is any
- Source Port is any, Service Name is ike
- Schedule is disabled, Ftp-Filter is disabled
- Smtp-Filter is disabled, Http-Filter is disabled
- Rpc-Filter is disabled, Nat is disabled
- Bytes In 0, Bytes Out 0
- Policy with Priority 1024 is enabled, Direction is outbound
- Action permit, Traffic is self
- Logging is disable
- Source Address is any, Dest Address is any
- Source Port is any, Dest Port is any, any
- Schedule is disabled, Ftp-Filter is disabled
- Smtp-Filter is disabled, Http-Filter is disabled
- Rpc-Filter is disabled, Nat is disabled
- Bytes In 0, Bytes Out 0
- Router1/configure/firewall corp#
- Router1/configure/firewall corp# policy 1000 in user-group sales address any any 10.0.1.0 24
- Router1/configure/firewall corp/policy 1000 in# exit
- Router1/configure/firewall corp#
- Router1# show firewall policy corp
- Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filter,
- R - Rpc-Filter, N - Nat-Ip/Nat-Pool, L - Logging,
- E - Policy Enabled, M - Smtp-Filter
- Pri Dir Source Addr Destination Addr Sport Dport Proto Action Advanced
- --- --- ----------- ---------------- ----------------- ---- -- --------
- 1000 in any 10.0.1.0/24 any any any PERMIT E
- 1022 out any any any any any PERMIT SE
- 1023 in any any any any any PERMIT SE
- 1024 out any any any any any PERMIT E
- Router1# show firewall policy corp detail
- Policy with Priority 1000 is enabled, Direction is inbound
- Action permit, Traffic is transit
- User Group is sales, Logging is disable
- Source Address is any, Dest Address is 10.0.1.0/24
- Source Port is any, Dest Port is any, any
- Schedule is disabled, Ftp-Filter is disabled
- Smtp-Filter is disabled, Http-Filter is disabled
- Rpc-Filter is disabled, Nat is disabled
- Max-Connections 1024, Connection-Rate is disabled
- Policing is disabled, Bandwidth is disabled
- Bytes In 0, Bytes Out 0
- Policy with Priority 1022 is enabled, Direction is outbound
- Action permit, Traffic is self
- Logging is disable
- Source Address is any, Dest Address is any
- Source Port is any, Dest Port is any, any
- Schedule is disabled, Ftp-Filter is disabled
- Smtp-Filter is disabled, Http-Filter is disabled
- Rpc-Filter is disabled, Nat is disabled
- Bytes In 0, Bytes Out 0
- Policy with Priority 1023 is enabled, Direction is inbound
- Action permit, Traffic is self
- Logging is disable
- Source Address is any, Dest Address is any
- Source Port is any, Dest Port is any, any
- Schedule is disabled, Ftp-Filter is disabled
- Smtp-Filter is disabled, Http-Filter is disabled
- Rpc-Filter is disabled, Nat is disabled
- Bytes In 0, Bytes Out 0
- Policy with Priority 1024 is enabled, Direction is outbound
- Action permit, Traffic is transit
- Logging is disable
- Source Address is any, Dest Address is any
- Source Port is any, Dest Port is any, any
- Schedule is disabled, Ftp-Filter is disabled
- Smtp-Filter is disabled, Http-Filter is disabled
- Rpc-Filter is disabled, Nat is disabled
- Max-Connections 1024, Connection-Rate is disabled
- Policing is disabled, Bandwidth is disabled
- Bytes In 11258, Bytes Out 5813
- Router1# show crypto dynamic clients
- Client Address Client Id Policy Advanced
- -------------- --------- ------ --------
- 192.168.107.105 david@abc-corp... sales UserGrp
- Router1# show crypto ike sa all
- Policy Peer State Bytes Transform
- ------ ---- ----- ----- ---------
- sales 192.168.107.105 SA_MATURE 1580 pre-g1-3des-sha1
- Router1# show crypto ike sa all detail
- Crypto Policy name: sales
- Remote ident [email protected]
- Peer Address is 192.168.107.105
- Transform: 3des, sha1, pre-shared-key
- DH Group: group1
- Bytes Processed 1772
- State is SA_MATURE
- Mode is Aggressive
- Life Time in Sec is unlimited, Life Time in Bytes is unlimited
- Router1# show crypto ipsec sa all
- Policy Dest IP Spi Bytes Transform
- ------ ------- --- ----- ---------
- INsales 172.16.0.1 0xf43c5e3b 360 esp-aes-sha1-tunl
- sales 192.168.107.105 0xcfea8435 240 esp-aes-sha1-tunl
- Router1# show crypto ipsec sa all detail
- Crypto Policy name: INsales
- Protocol is Any
- Local ident(ip/mask/port): (192.168.107.105/255.255.255.255/any)
- Remote ident(ip/mask/port): (10.0.1.0/255.255.255.0/any)
- Peer Address is 172.16.0.1, PFS Group is disabled
- inbound ESP sas
- Spi: 0xf43c5e3b
- Transform: aes256 (key length=256 bits), sha1
- In use settings = {tunnel}
- Bytes Processed 360
- Hard lifetime in seconds 28780, Hard lifetime in kilobytes is unlimited
- Soft lifetime in seconds 0, Soft lifetime in kilobytes is unlimited
- Crypto Policy name: sales
- Protocol is Any
- Local ident(ip/mask/port): (10.0.1.0/255.255.255.0/any)
- Remote ident(ip/mask/port): (192.168.107.105/255.255.255.255/any)
- Peer Address is 192.168.107.105, PFS Group is disabled
- outbound ESP sas
- Spi: 0xcfea8435
- Transform: aes256 (key length=256 bits), sha1
- In use settings = {tunnel}
- Bytes Processed 240
- Hard lifetime in seconds 28780, Hard lifetime in kilobytes is unlimited
- Soft lifetime in seconds 28690, Soft lifetime in kilobytes is unlimited
- Example 5: Configuring IPSec Remote Access to Corporate LAN with Mode-Configuration Method
- Router1/configure# interface bundle wan1
- Configuring new bundle
- Router1/configure/interface/bundle wan1# link t1 1
- Router1/configure/interface/bundle wan1# encapsulation ppp
- Router1/configure/interface/bundle wan1# ip address 172.16.0.1 24
- Router1/configure/interface/bundle wan1# crypto untrusted
- Router1/configure/interface/bundle wan1# exit
- Router1/configure# interface ethernet 0
- Configuring existing Ethernet interface
- Router1/configure/interface/ethernet 0# ip address 10.0.1.1 24
- Router1/configure/interface/ethernet 0# crypto trusted
- Router1/configure/interface/ethernet 0# exit
- Router1# show crypto interfaces
- Interface Network
- Name Type
- --------- -------
- ethernet0 trusted
- wan1 untrusted
- Router1/configure# crypto
- Router1/configure/crypto# dynamic
- Router1/configure/crypto/dynamic# ike policy sales modecfg-group
- Router1/configure/crypto/dynamic/ike/policy sales# local-address 192.168.55.52
- Router1/configure/crypto/dynamic/ike/policy sales# remote-id email [email protected]
- Default proposal created with priority1-des-sha1-pre_shared-g1
- Key String has to be configured by the user
- Default ipsec proposal 'sales' added with priority1-3des-sha1-tunnel
- Router1/configure/crypto/dynamic/ike/policy sales# remote-id email [email protected]
- Router1/configure/crypto/dynamic/ike/policy sales# key secretkeyforsales
- Router1/configure/crypto/dynamic/ike/policy sales# proposal 1
- Router1/configure/crypto/dynamic/ike/policy sales/proposal 1# encryption-algorithm 3des-cbc
- Router1/configure/crypto/dynamic/ike/policy sales/proposal 1# exit
- Router1/configure/crypto/dynamic/ike/policy sales# client configuration
- Router1/configure/crypto/dynamic/ike/policy sales/client/configuration# address-pool 1 20.1.1.10...
- Router1/configure/crypto/dynamic/ike/policy sales/client/configuration# exit
- Router1/configure/crypto/dynamic/ike/policy sales# exit
- Router1/configure/crypto/dynamic# exit
- Router1# show crypto dynamic ike policy all
- Policy Remote-id Mode Transform Address-Pool
- ------ --------- ---- --------- ------------
- sales U david@foun... Aggressive P1 pre-g1-3des-sha1 1 S 20.1.1.100
- E 20.1.1.150
- Router1# show crypto dynamic ike policy all detail
- Policy name sales, Modeconfig group
- Aggressive mode, Response Only, PFS is not enabled, Shared Key is *****
- Local addr: 192.168.55.52, Local ident 192.168.55.52 (ip-address)
- Remote idents are [email protected] (email-id), [email protected] (email-id)
- Address Pool:
- Pool# 1: 20.1.1.100 to 20.1.1.150
- Proposal of priority 1
- Encryption algorithm: 3des
- Hash Algorithm: sha1
- Authentication Mode: pre-shared-key
- DH Group: group1
- Lifetime in seconds: 86400
- Lifetime in kilobytes: unlimited
- Router1/configure/crypto#
- Router1/configure/crypto# dynamic
- Router1/configure/crypto/dynamic# ipsec policy sales modecfg-group
- Router1/configure/crypto/dynamic/ipsec/policy sales# match address 10.0.1.0 24
- Router1/configure/crypto/dynamic/ipsec/policy sales# proposal 1
- Router1/configure/crypto/dynamic/ipsec/policy sales/proposal 1# encryption-algorithm aes256-cbc
- Router1/configure/crypto/dynamic/ipsec/policy sales/proposal 1# exit
- Router1/configure/crypto/dynamic/ipsec/policy sales# exit
- Router1/configure/crypto/dynamic# exit
- Router1# show crypto dynamic ipsec policy all
- Policy Match Proto Transform
- ------ ----- ----- ---------
- sales S 10.0.1.0/24/any Any P1 esp-aes-sha1-tunl
- D any/any/any
- Router1# show crypto dynamic ipsec policy all detail
- Policy sales is enabled, Modeconfig Group
- Action is Apply
- Key Management is Automatic
- PFS Group is disabled
- Match Address:
- Protocol is Any
- Source ip address (ip/mask/port): (10.0.1.0/255.255.255.0/any)
- Destination ip address (ip/mask/port): (any/any/any)
- Proposal of priority 1
- Protocol: esp
- Mode: Tunnel
- Encryption Algorithm: aes256(key length=256 bits)
- Hash Algorithm: sha1
- Lifetime in seconds: 3600
- Lifetime in Kilobytes: 4608000
- Router1/configure# firewall internet
- Router1/configure/firewall internet# policy 1000 in service ike self
- Router1/configure/firewall internet/policy 1000 in# exit
- Router1/configure/firewall internet# exit
- Router1# show firewall policy internet
- Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filter,
- R - Rpc-Filter, N - Nat-Ip/Nat-Pool, L - Logging,
- E - Policy Enabled, M - Smtp-Filter
- Pri Dir Source Addr Destination Addr Sport Dport Proto Action Advanced
- --- --- ----------- ---------------- ----------------- ---- -- --------
- 1000 in any any ike PERMIT SE
- 1024 out any any any any any PERMIT SE
- Router1# show firewall policy internet detail
- Policy with Priority 1000 is enabled, Direction is inbound
- Action permit, Traffic is self
- Logging is disable
- Source Address is any, Dest Address is any
- Source Port is any, Service Name is ike
- Schedule is disabled, Ftp-Filter is disabled
- Smtp-Filter is disabled, Http-Filter is disabled
- Rpc-Filter is disabled, Nat is disabled
- Bytes In 0, Bytes Out 0
- Policy with Priority 1024 is enabled, Direction is outbound
- Action permit, Traffic is self
- Logging is disable
- Source Address is any, Dest Address is any
- Source Port is any, Dest Port is any, any
- Schedule is disabled, Ftp-Filter is disabled
- Smtp-Filter is disabled, Http-Filter is disabled
- Rpc-Filter is disabled, Nat is disabled
- Bytes In 0, Bytes Out 0
- Router1/configure# firewall corp
- Router1/configure/firewall corp# policy 1000 in address 20.1.1.100 20.1.1.150 10.0.1.0 24
- Router1/configure/firewall corp/policy 1000 in# exit
- Router1# show firewall policy corp
- Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filter,
- R - Rpc-Filter, N - Nat-Ip/Nat-Pool, L - Logging,
- E - Policy Enabled, M - Smtp-Filter
- Pri Dir Source Addr Destination Addr Sport Dport Proto Action Advanced
- --- --- ----------- ---------------- ----------------- ------ --------
- 1000 in 20.1.1.100 10.0.1.0/24 any any any PERMIT E
- 20.1.1.150
- 1022 out any any any any any PERMIT SE
- 1023 in any any any any any PERMIT SE
- 1024 out any any any any any PERMIT E
- Router1# show firewall policy corp detail
- Policy with Priority 1000 is enabled, Direction is inbound
- Action permit, Traffic is transit
- Logging is disable
- Source Address is 20.1.1.100-20.1.1.150, Dest Address is 10.0.1.0/24
- Source Port is any, Dest Port is any, any
- Schedule is disabled, Ftp-Filter is disabled
- Smtp-Filter is disabled, Http-Filter is disabled
- Rpc-Filter is disabled, Nat is disabled
- Max-Connections 1024, Connection-Rate is disabled
- Policing is disabled, Bandwidth is disabled
- Bytes In 0, Bytes Out 0
- Policy with Priority 1022 is enabled, Direction is outbound
- Action permit, Traffic is self
- Logging is disable
- Source Address is any, Dest Address is any
- Source Port is any, Dest Port is any, any
- Schedule is disabled, Ftp-Filter is disabled
- Smtp-Filter is disabled, Http-Filter is disabled
- Rpc-Filter is disabled, Nat is disabled
- Bytes In 0, Bytes Out 0
- Policy with Priority 1023 is enabled, Direction is inbound
- Action permit, Traffic is self
- Logging is disable
- Source Address is any, Dest Address is any
- Source Port is any, Dest Port is any, any
- Schedule is disabled, Ftp-Filter is disabled
- Smtp-Filter is disabled, Http-Filter is disabled
- Rpc-Filter is disabled, Nat is disabled
- Bytes In 0, Bytes Out 0
- Policy with Priority 1024 is enabled, Direction is outbound
- Action permit, Traffic is transit
- Logging is disable
- Source Address is any, Dest Address is any
- Source Port is any, Dest Port is any, any
- Schedule is disabled, Ftp-Filter is disabled
- Smtp-Filter is disabled, Http-Filter is disabled
- Rpc-Filter is disabled, Nat is disabled
- Max-Connections 1024, Connection-Rate is disabled
- Policing is disabled, Bandwidth is disabled
- Bytes In 11258, Bytes Out 5813
- Router1# show crypto dynamic clients
- Client Address Client Id Policy Advanced
- -------------- --------- ------ --------
- 192.168.107.105 david@abc-corp... sales:20.1.1.1 ModecfgGrp
- Router1# show crypto ike sa all
- Policy Peer State Bytes Transform
- ------ ---- ----- ----- ---------
- sales 192.168.107.105 SA_MATURE 2052 pre-g1-3des-sha1
- Router1# show crypto ike sa all detail
- Crypto Policy name: sales
- Remote ident [email protected]
- Peer Address is 192.168.107.105
- Transform: 3des, sha1, pre-shared-key
- DH Group: group1
- Bytes Processed 2052
- State is SA_MATURE
- Mode is Aggressive
- Life Time in Sec is unlimited, Life Time in Bytes is unlimited
- Router1# show crypto ipsec sa all
- Policy Dest IP Spi Bytes Transform
- ------ ------- --- ----- ---------
- INsales 172.16.0.1 0xbba97427 840 esp-aes-sha1-tunl
- sales 192.168.107.105 0xcb0e23f3 560 esp-aes-sha1-tunl
- Router1# show crypto ipsec sa all detail
- Crypto Policy name: INsales
- Protocol is Any
- Local ident(ip/mask/port): (20.1.1.1/255.255.255.255/any)
- Remote ident(ip/mask/port): (10.0.1.0/255.255.255.0/any)
- Peer Address is 172.16.0.1, PFS Group is disabled
- inbound ESP sas
- Spi: 0xbba97427
- Transform: aes256 (key length=256 bits), sha1
- In use settings = {tunnel}
- Bytes Processed 840
- Hard lifetime in seconds 28750, Hard lifetime in kilobytes is unlimited
- Soft lifetime in seconds 0, Soft lifetime in kilobytes is unlimited
- Crypto Policy name: sales
- Protocol is Any
- Local ident(ip/mask/port): (10.0.1.0/255.255.255.0/any)
- Remote ident(ip/mask/port): (20.1.1.1/255.255.255.255/any)
- Peer Address is 192.168.107.105, PFS Group is disabled
- outbound ESP sas
- Spi: 0xcb0e23f3
- Transform: aes256 (key length=256 bits), sha1
- In use settings = {tunnel}
- Bytes Processed 560
- Hard lifetime in seconds 28750, Hard lifetime in kilobytes is unlimited
- Soft lifetime in seconds 28720, Soft lifetime in kilobytes is unlimited
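Added audit script, not part of the manual and not Foundry code: it parses the `show crypto ipsec policy all detail` and `show crypto ike sa all detail` output format used in Examples 3 to 5 and flags the settings a reviewer would want to reconsider before deployment: DES or 3DES proposals, DH group1, PFS disabled, and IKE aggressive mode combined with a pre-shared key. The two sample outputs and the identity `david@example.invalid` are constructed, modelled on the output above.

```python
"""Audit Foundry AR-series 'show crypto ... detail' output for weak IKE/IPsec settings."""
import re

# Constructed sample in the format of 'show crypto ipsec policy all detail' (Example 3).
IPSEC_POLICY_DETAIL = """\
Policy name Router2 is enabled, Direction is outbound
Peer Address is 172.16.0.2, Action is Apply
Key Management is Automatic
PFS Group is disabled
Match Address:
Protocol is Any
Source ip address (ip/mask/port): (10.0.1.0/255.255.255.0/any)
Destination ip address (ip/mask/port): (10.0.2.0/255.255.255.0/any)
Proposal of priority 1
Protocol: esp
Mode: tunnel
Encryption Algorithm: des
Hash Algorithm: sha1
Lifetime in seconds: 3600
Lifetime in Kilobytes: 4608000
Proposal of priority 2
Protocol: esp
Mode: tunnel
Encryption Algorithm: aes256(key length=256 bits)
Hash Algorithm: sha1
Lifetime in seconds: 3600
Lifetime in Kilobytes: 4608000
"""

# Constructed sample in the format of 'show crypto ike sa all detail' (Examples 4 and 5).
IKE_SA_DETAIL = """\
Crypto Policy name: sales
Remote ident david@example.invalid
Peer Address is 192.168.107.105
Transform: 3des, sha1, pre-shared-key
DH Group: group1
Bytes Processed 1772
State is SA_MATURE
Mode is Aggressive
Life Time in Sec is unlimited, Life Time in Bytes is unlimited
"""

WEAK_CIPHERS = {"des", "3des"}        # 56-bit DES and 112-bit-effective 3DES
WEAK_DH = {"group1", "group2"}        # 768-bit and 1024-bit MODP groups


def parse_ipsec_policies(text):
    """Return a list of {name, pfs, proposals:[{priority, <field>: value}]} dicts."""
    policies, cur, prop = [], None, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Policy (?:name )?(\S+) is enabled", line)
        if m:                                   # static and dynamic policy headers
            cur, prop = {"name": m.group(1), "pfs": None, "proposals": []}, None
            policies.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("PFS Group is"):
            cur["pfs"] = line.split("is", 1)[1].strip()
            continue
        m = re.match(r"Proposal of priority (\d+)", line)
        if m:
            prop = {"priority": int(m.group(1))}
            cur["proposals"].append(prop)
            continue
        if prop is not None and ":" in line:     # "Encryption Algorithm: des" etc.
            key, _, val = line.partition(":")
            prop[key.strip().lower()] = val.strip()
    return policies


def parse_ike_sas(text):
    """Return a list of {policy, cipher, hash, auth, dh, mode} dicts."""
    sas, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Crypto Policy name: (\S+)", line)
        if m:
            cur = {"policy": m.group(1)}
            sas.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("Transform:"):        # "Transform: 3des, sha1, pre-shared-key"
            parts = [p.strip() for p in line.split(":", 1)[1].split(",")]
            cur["cipher"], cur["hash"], cur["auth"] = parts[:3]
        elif line.startswith("DH Group:"):
            cur["dh"] = line.split(":", 1)[1].strip()
        elif line.startswith("Mode is"):
            cur["mode"] = line.split("is", 1)[1].strip()
    return sas


def audit_ipsec(policies):
    """Findings as (policy name, message) tuples."""
    findings = []
    for p in policies:
        if p["pfs"] == "disabled":
            findings.append((p["name"], "PFS disabled: IPsec keys are derived from the IKE SA only"))
        for prop in p["proposals"]:
            base = re.match(r"[a-z0-9]*", prop.get("encryption algorithm", "")).group(0)
            if base in WEAK_CIPHERS:             # a weak proposal is offered even if a strong one exists
                findings.append((p["name"], f"proposal {prop['priority']} offers weak cipher {base}"))
    return findings


def audit_ike(sas):
    """Findings as (policy name, message) tuples."""
    findings = []
    for sa in sas:
        if sa.get("cipher") in WEAK_CIPHERS:
            findings.append((sa["policy"], f"IKE SA negotiated weak cipher {sa['cipher']}"))
        if sa.get("dh") in WEAK_DH:
            findings.append((sa["policy"], f"IKE SA uses {sa['dh']}; prefer group14 or stronger"))
        if sa.get("mode") == "Aggressive" and sa.get("auth") == "pre-shared-key":
            findings.append((sa["policy"], "aggressive mode with PSK: identity and PSK-based hash "
                                           "are exchanged before encryption; prefer main mode"))
    return findings


if __name__ == "__main__":
    for name, msg in audit_ipsec(parse_ipsec_policies(IPSEC_POLICY_DETAIL)) + audit_ike(parse_ike_sas(IKE_SA_DETAIL)):
        print(f"[{name}] {msg}")
```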
- Configuring GRE
- Foundry# configure terminal
- Foundry/configure# interface bundle wan1
- Foundry/configure/interface/bundle wan1# link t1 1
- Foundry/configure/interface/bundle wan1# encapsulation ppp
- Foundry/configure/interface/bundle wan1# ip address 192.168.94.220 255.255.255.0
- Foundry/configure/interface/bundle wan1# exit
- Foundry/configure# interface tunnel t0
- Foundry/configure/interface/tunnel t0# ip 103.1.1.2 24
- Foundry/configure/interface/tunnel t0# tunnel source 192.168.94.220
- Foundry/configure/interface/tunnel t0# tunnel destination 192.168.55.75
- Foundry/configure/interface/tunnel t0# exit
- Foundry/configure# ip route 0.0.0.0 0.0.0.0 192.168.94.254
- Foundry/configure# ip route 40.1.1.0 24 t0
- Foundry# show ip interface t0
- t0 (unit number 5)
- Type: TUNNEL
- Flags: (0x74243) UP, RUNNING, MULTICAST-ROUTE
- Internet Address: 103.1.1.2
- Internet Netmask: 255.255.255.0
- Internet Broadcast: 103.1.1.255
- Maximum Transfer Unit: 1476 bytes
- Source Address: 192.168.94.220
- Destination Address: 192.168.55.75
- Gateway: wan1
- Protocol: GRE
- Mac Address 00:50:52:60:00:00
- Foundry# show interface tunnel t0
- Tunnel: t0 Status: up
- Internet Address: 103.1.1.2 Internet Netmask: 255.255.255.0
- Source Address: 192.168.94.220 Destination Address: 192.168.55.75
- MTU: 1476 bytes Protocol: GRE
- ICMP unreachable: will be sent ICMP redirect: will be sent
- Crypto Snet: not set Protection: policy grecisco key ****
- TTL: 30 Keepalive: disabled
- TOS: not set Path MTU discovery: disabled
- Key Value: not set Checksum: disabled
- Sequence Datagrams: disabled
- Tunnel Statistics:
- Bytes Rx 95112 Bytes Tx 60016
- Packets Rx 860 Packets Tx 499
- Err Packets Rx 0 Output Errs 0
- cisco > config t
- cisco(config)#interface Ethernet2/0
- cisco(config-if)#ip address 192.168.55.75 255.255.255.0
- cisco(config-if)#exit
- cisco(config)#interface Tunnel 0
- cisco(config-if)#ip address 103.1.1.1 255.255.255.0
- cisco(config-if)#tunnel source 192.168.55.75
- cisco(config-if)#tunnel destination 192.168.94.220
- cisco(config-if)#exit
- cisco(config)#ip route 0.0.0.0 0.0.0.0 192.168.55.254
- cisco(config)#ip route 10.3.1.0 255.255.255.0 Tunnel0
- Foundry# configure terminal
- Foundry/configure# interface bundle wan1
- Foundry/configure/interface/bundle wan1# link t1 1
- Foundry/configure/interface/bundle wan1# encapsulation ppp
- Foundry/configure/interface/bundle wan1# ip address 192.168.94.220 255.255.255.0
- Foundry/configure/interface/bundle wan1# crypto untrusted
- Foundry/configure/interface/bundle wan1# exit
- Foundry/configure# interface tunnel t0
- Foundry/configure/interface/tunnel t0# ip address 103.1.1.2 24
- Foundry/configure/interface/tunnel t0# tunnel source 192.168.94.220
- Foundry/configure/interface/tunnel t0# tunnel destination 192.168.55.75
- Foundry/configure/interface/tunnel t0# tunnel protection grecisco secretkeyfortest
- Foundry/configure/interface/tunnel t0# crypto untrusted
- Foundry/configure/interface/tunnel t0# exit
- Foundry/configure# ip route 0.0.0.0 0.0.0.0 192.168.94.254
- Foundry/configure# ip route 40.1.1.0 24 t0
- Foundry/configure# firewall internet
- Foundry/configure/firewall internet# policy 100 in proto gre self
- Foundry/configure/firewall internet/policy 100 in# exit
- Foundry/configure/firewall internet# policy 101 in service ike self
- Foundry/configure/firewall internet/policy 101 in# exit 2
- Foundry/configure# firewall corp
- Foundry/configure/firewall corp# policy 100 in self
- Foundry# configure terminal
- Foundry/configure# router routerid 2.2.2.2
- Foundry/configure# router ospf
- Foundry/configure/router/ospf# interface t0 area 0
- Foundry/configure/router/ospf# exit
- cisco > config t
- cisco(config)#router ospf 1
- cisco(config-router)# network 103.1.1.0 0.0.0.255 area 0
- Firewalls
- Firewall Configuration Examples
- Foundry/configure# interface ethernet 0
- Configuring existing Ethernet interface
- Foundry/configure/interface/ethernet 0# ip address 10.2.1.1 24
- Foundry/configure/interface/ethernet 0# exit
- Foundry/configure# interface ethernet 1
- Configuring existing Ethernet interface
- Foundry/configure/interface/ethernet 1# ip address 10.3.1.1 24
- Foundry/configure/interface/ethernet 1# exit
- Foundry/configure# interface bundle wan
- Foundry/configure/interface/bundle wan# link t1 1
- Foundry/configure/interface/bundle wan# encapsulation p
- Foundry/configure/interface/bundle wan# ip address 193.168.94.220 24
- Foundry/configure/interface/bundle wan# exit
- Foundry/configure# firewall corp
- Foundry/configure/firewall corp# interface ethernet0
- Foundry/configure/firewall corp# exit
- Foundry/configure# firewall dmz
- Foundry/configure/firewall dmz# interface ethernet1
- Foundry/configure/firewall dmz# exit
- Foundry/configure# firewall internet
- Foundry/configure/firewall internet# interface wan
- Foundry/configure/firewall internet# exit 2
- Foundry/configure# show firewall interface all
- Interface Map Name
- --------- --------
- ethernet0 corp
- ethernet1 dmz
- wan internet
- Foundry/configure#
- Foundry/configure/firewall corp#
- Foundry/configure/firewall corp#
- Foundry/configure/firewall corp# policy 1024 out
- Foundry/configure/firewall corp/policy 1024 out# exit
- Foundry/configure/firewall corp# policy 1021 in deny
- Foundry/configure/firewall corp/policy 1021 in# exit
- Foundry/configure/firewall corp# object
- Foundry/configure/firewall corp/object# http-filter javadeny deny *.java
- Foundry/configure/firewall corp/object# exit
- Foundry/configure/firewall corp# policy 1024 out nat-ip 193.168.94.220
- Foundry/configure/firewall corp/policy 1024 out# apply-object http-filter javadeny
- Foundry/configure/firewall corp/policy 1024 out# exit
- Foundry/configure/firewall corp# exit
- Foundry/configure# show firewall policy corp
- Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filter,
- R - Rpc-Filter, N - Nat-Ip/Nat-Pool, L - Logging,
- E - Policy Enabled, M - Smtp-Filter
- Pri Dir Source Addr Destination Addr Sport Dport Proto Action Advanced
- --- --- ----------- ---------------- ----------------- ------ --------
- 1021 in any any any any any DENY E
- 1022 out any any any any any PERMIT SE
- 1023 in any any any any any PERMIT SE
- 1024 out any any any any any PERMIT HNE
- Foundry/configure# show firewall object http-filter corp
- Object Name Action Log File Extensions
- ----------- ------ --- ---------------
- javadeny deny no *.java
- Foundry/configure#
- Foundry/configure# firewall dmz
- Foundry/configure/firewall dmz# object
- Foundry/configure/firewall dmz/object# ftp-filter putdeny deny put mkdir
- Foundry/configure/firewall dmz/object# nat-pool ftpsrvr static 10.3.1.100
- Foundry/configure/firewall dmz/object# exit
- Foundry/configure/firewall dmz# policy 100 in address any any 193.168.94.221 32
- Foundry/configure/firewall dmz/policy 100 in# apply-object nat-pool ftpsrvr
- Foundry/configure/firewall dmz/policy 100 in# apply-object ftp-filter putdeny
- Foundry/configure/firewall dmz/policy 100 in# exit
- Foundry/configure/firewall dmz# exit
- Foundry/configure# show firewall policy dmz
- Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filter,
- R - Rpc-Filter, N - Nat-Ip/Nat-Pool, L - Logging,
- E - Policy Enabled, M - Smtp-Filter
- Pri Dir Source Addr Destination Addr Sport Dport Proto Action Advanced
- --- --- ----------- ---------------- ----------------- ------ --------
- 100 in any 193.168.94.221/32 any any any PERMIT FNE
- 1022 out any any any any any PERMIT SE
- 1023 in any any any any any PERMIT SE
- 1024 out any any any any any PERMIT E
- Foundry/configure# show firewall object ftp-filter dmz
- Object Name Action Log Commands
- ----------- ------ --- --------
- putdeny deny no put mkdir
- Foundry/configure#
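The corp and dmz policy tables above share one layout, and the router prints the legend for the Advanced column with it. As an added example that is not part of the manual or Foundry's software, the following Python parser turns that output into records, decodes the Advanced letters with that legend, and lists enabled PERMIT policies that carry no logging (L) flag; the rows are copied from the corp table above and the function names are my own.

```python
# Added example (not Foundry code): parse the 'show firewall policy <map>' table
# shown above and decode its Advanced flag letters for a quick policy audit.

# Flag letters exactly as listed in the router's 'Advanced:' legend on this page.
ADVANCED_FLAGS = {"S": "self-traffic", "F": "ftp-filter", "H": "http-filter",
                  "R": "rpc-filter", "N": "nat", "L": "logging",
                  "E": "enabled", "M": "smtp-filter"}
COLUMNS = ("pri", "dir", "src", "dst", "sport", "dport", "proto", "action", "advanced")

# Rows copied from the 'show firewall policy corp' output on this page.
SAMPLE_CORP = """\
Pri Dir Source Addr Destination Addr Sport Dport Proto Action Advanced
--- --- ----------- ---------------- ----------------- ------ --------
1021 in any any any any any DENY E
1022 out any any any any any PERMIT SE
1023 in any any any any any PERMIT SE
1024 out any any any any any PERMIT HNE
"""

def parse_policies(text):
    """Return one dict per policy row; legend, header and ruler lines are skipped."""
    policies = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].isdigit():   # only policy rows start with Pri
            continue
        if len(fields) == len(COLUMNS) - 1:         # no Advanced letters printed at all
            fields.append("")
        if len(fields) != len(COLUMNS):
            raise ValueError("unexpected column count: %r" % line)
        row = dict(zip(COLUMNS, fields))
        row["pri"] = int(row["pri"])
        unknown = set(row["advanced"]) - set(ADVANCED_FLAGS)
        if unknown:
            raise ValueError("unknown Advanced flag %s in %r" % (sorted(unknown), line))
        row["flags"] = [ADVANCED_FLAGS[c] for c in row["advanced"]]
        policies.append(row)
    return policies

def permits_without_logging(policies):
    """Audit check: enabled PERMIT policies whose Advanced column lacks the L flag."""
    return [p["pri"] for p in policies
            if p["action"] == "PERMIT" and "enabled" in p["flags"]
            and "logging" not in p["flags"]]

if __name__ == "__main__":
    rows = parse_policies(SAMPLE_CORP)
    print("PERMIT policies without logging:", permits_without_logging(rows))
```

The same parser accepts the dmz table, where policy 100 decodes to ftp-filter, nat and enabled.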
- Foundry/configure# ip route 0.0.0.0 0 wan
- Foundry/configure#
- Foundry/configure# show configuration running
- Please wait... (up to a minute)
- terminal
- exit terminal
- qos
- exit qos
- module t1 1
- alarms
- thresholds
- exit thresholds
- exit alarms
- linemode
- exit linemode
- exit t1
- module t1 2
- alarms
- thresholds
- exit thresholds
- exit alarms
- linemode
- exit linemode
- exit t1
- module t1 3
- alarms
- thresholds
- exit thresholds
- exit alarms
- linemode
- exit linemode
- exit t1
- module t1 4
- alarms
- thresholds
- exit thresholds
- exit alarms
- linemode
- exit linemode
- exit t1
- aaa
- tacacs
- retries 2
- time_out 5
- server_port 49
- exit tacacs
- radius
- exit radius
- exit aaa
- interface ethernet 0
- ip address 10.2.1.1 255.255.255.0
- ip multicast
- mode ospfrip2
- exit multicast
- mtu 4000
- icmp
- exit icmp
- qos
- exit qos
- vrrp_mode 0
- aaa
- exit aaa
- crypto trusted
- exit ethernet
- interface ethernet 1
- ip address 10.3.1.1 255.255.255.0
- ip multicast
- mode ospfrip2
- exit multicast
- mtu 4000
- icmp
- exit icmp
- qos
- exit qos
- vrrp_mode 0
- aaa
- exit aaa
- crypto trusted
- exit ethernet
- interface bundle wan
- link t1 1
- encapsulation ppp
- ip address 193.168.94.220 255.255.255.0
- ip multicast ospfrip2
- red
- exit red
- icmp
- exit icmp
- qos
- exit qos
- aaa
- exit aaa
- crypto untrusted
- exit bundle
- interface console
- aaa
- exit aaa
- exit console
- snmp
- system_id Foundry
- enable_trap
- exit enable_trap
- exit snmp
- hostname Foundry
- log utc
- telnet_banner
- exit telnet_banner
- event
- exit event
- system logging
- no console
- syslog
- host_ipaddr 193.168.94.35
- exit syslog
- exit logging
- ip
- load_balance per_flow
- multicast
- exit multicast
- route 0.0.0.0 0.0.0.0 wan 1
- exit ip
- policy community_list
- exit community_list
- crypto
- exit crypto
- firewall global
- exit firewall
- firewall internet
- interface wan
- policy 1024 out self
- exit policy
- exit firewall
- firewall corp
- interface ethernet0
- object
- http-filter javadeny deny *.java
- exit object
- policy 1021 in deny
- exit policy
- policy 1022 out self
- exit policy
- policy 1023 in self
- exit policy
- policy 1024 out nat-ip 193.168.94.220
- apply-object http-filter javadeny
- exit policy
- exit firewall
- firewall dmz
- interface ethernet1
- object
- nat-pool ftpsrvr static 10.3.1.100 10.3.1.100
- ftp-filter putdeny deny put mkdir
- exit object
- policy 100 in address any any 193.168.94.221 32
- apply-object ftp-filter putdeny
- apply-object nat-pool ftpsrvr
- exit policy
- policy 1022 out self
- exit policy
- policy 1023 in self
- exit policy
- policy 1024 out
- exit policy
- exit firewall
- Foundry/configure#
- Stopping DoS Attacks
- Packet Reassembly
- Foundry# config term
- Foundry/configure# firewall global
- Foundry/configure/firewall global# ip-reassembly
- Foundry/configure/firewall global/ip-reassembly# fragment-count 100
- Foundry/configure/firewall global/ip-reassembly# fragment-size 56
- Foundry/configure/firewall global/ip-reassembly# packet-size 2048
- Foundry/configure/firewall global/ip-reassembly# timeout 20
- Foundry/configure/firewall global/ip-reassembly# exit 2
- Foundry/configure#
- NAT Configurations
- NAT Configuration Examples
- Foundry/configure# firewall corp
- Foundry/configure/firewall corp# object
- Foundry/configure/firewall corp/object# nat-pool addresspoolDyna dynamic 60.1.1.1 60.1.1.2
- Foundry/configure/firewall corp/object# exit
- Foundry/configure/firewall corp# policy 8 out address 10.1.1.1 10.1.1.4 any any
- Foundry/configure/firewall corp/policy 8 out# apply-object nat-pool addresspoolDyna
- Foundry/configure/firewall corp/policy 8 out# exit 2
- Foundry/configure#
- Foundry/configure# firewall corp
- Foundry/configure/firewall corp# object
- Foundry/configure/firewall corp/object# nat-pool addresspoolStat static 50.1.1.1 50.1.1.3
- Foundry/configure/firewall corp/object# exit
- Foundry/configure/firewall corp# policy 7 out address 10.1.1.1 10.1.1.3 any any
- Foundry/configure/firewall corp/policy 7 out# apply-object nat-pool addresspoolStat
- Foundry/configure/firewall corp/policy 7 out# exit 2
- Foundry/configure#
- Foundry/configure# firewall corp
- Foundry/configure/firewall corp# policy 2 out address 10.1.1.1 10.1.1.3 any any nat-ip 50.1.1.5
- Foundry/configure/firewall corp/policy 2 out# exit 2
- Foundry/configure#
- Foundry/configure# firewall corp
- Foundry/configure/firewall corp# object
- Foundry/configure/firewall corp/object# nat-pool addresspoolPat pat 50.1.1.5
- Foundry/configure/firewall corp/object# exit
- Foundry/configure/firewall corp# policy 2 out address 10.1.1.1 10.1.1.3 any any
- Foundry/configure/firewall corp/policy 2 out# apply-object nat-pool addresspoolPat
- Foundry/configure/firewall corp/policy 2 out# exit 2
- Firewall Configuration Examples
- Security Protocol Defaults
- Firewall Default Values
- Tunneling Default Values
- Introduction to Security