beautypg.com

Enterasys Networks Security Router X-PeditionTM User Manual

Page 414

background image

Configuration Examples

16-28 Configuring Security on the XSR

Terminate Network Extension Mode (NEM) and Client mode tunnels

Terminate remote access L2TP/IPSec tunnels

Terminate PPTP remote access tunnels

Firewall inspection on the public VPN interface (the crypto map interface)

Firewall inspection on the trusted VPN interface (the connection to the corporate
network)

Enable NAT Traversal on the firewall

OSPF routing with the next hop corporate router on the trusted VPN interface

DF bit clear on the public VPN interface to handle large non-fragmentable IP frames

OSPF routing over the multi-point VPN interface for other site-to-site tunnels

Assign the first IP address of the pool to the multi-point VPN interface

Figure 16-16 XSR Firewall, VPN and OSPF Topology

Begin by setting the XSR system time via SNTP. This configuration is critical for XSRs which use
time-sensitive certificates.

XSR(config)#sntp-client server 10.120.84.3
XSR(config)#sntp-client poll-interval 60

Add four ACLs to permit IP pool, L2TP and NEM traffic:

XSR(config)#access-list 110 permit ip any 10.120.70.0 0.0.0.255
XSR(config)#access-list 120 permit udp any any eq 1701
XSR(config)#access-list 140 permit ip any 172.16.1.0 0.0.0.255
XSR(config)#access-list 150 permit ip any 192.168.111.0 0.0.0.255

Define IKE Phase I security parameters with the following two policies:

XSR(config)#crypto isakmp proposal xp-soho
XSR(config-isakmp)#hash md5
XSR(config-isakmp)#lifetime 50000
XSR(config)#crypto isakmp proposal p2p
XSR(config-isakmp)#authentication pre-share
XSR(config-isakmp)#lifetime 50000

Configure IKE policy for the remote peer:

XSR(config)#crypto isakmp peer 0.0.0.0 0.0.0.0

XSR

172.16.1.0

Internet

Internet

router

SSR

XP PC

Client

141.154.196.93

96.96.96.7

96.96.96.0

141.154.196.106

FE1

FE2

10.120.84.0

10.120.112.0

NEM

XSR

XSR

6
4
2

7
5
3

CM/1
PS2

PS1

CM

2

1

2

1

8

7

6

5

4

3

2

1

8

7

6

5

4

3

2

1

8

7

6

5

4

3

2

1

8

7

6

5

4

3

2

1

8

7

6

5

4

3

2

1

SSR-CM-2

CONTROL MODULE

10/100BASE-TX

SSR-HTX12-08

10/100BASE-TX

SSR-HTX12-08

10/100BASE-TX

SSR-HTX12-08

10/100BASE-TX

SSR-HTX12-08

1000BASE-LX

SSR-GLX19-02

SSR-8

SSR-8

1000BASE-SX

SSR-GSX11-02

100BASE-FX

SSR-HFX11-08

SSR-PS-8

100-125~5A

200-240~3A

50-60 Hz

PWR

SSR-PS-8

100-125~5A

200-240~3A

50-60 Hz

PWR

See also other documents in the category Enterasys Networks Hardware: