Cisco PIX 525 Especificaciones Pagina 406
- Pagina / 604
- Tabla de contenidos
- SOLUCIÓN DE PROBLEMAS
- MARCADORES
Valorado. / 5. Basado en revisión del cliente
23-18
Cisco Security Appliance Command Line Configuration Guide
OL-6721-01
Chapter 23 Configuring IPSec and ISAKMP
Configuring IPSec
Using Dynamic Crypto Maps
Dynamic crypto maps can ease IPSec configuration and we recommend them for use in networks where
the peers are not always predetermined. You use dynamic crypto maps for VPN clients (such as mobile
users) and routers that obtain dynamically assigned IP addresses.
Note Use care when using the any keyword in permit command entries in dynamic crypto maps. If it is
possible for the traffic covered by such a permit command entry to include multicast or broadcast traffic,
the access list should include deny command entries for the appropriate address range. Access lists
should also include deny command entries for network and subnet broadcast traffic, and for any other
traffic that IPSec should not protect.
Dynamic crypto maps work only to negotiate SAs with remote peers that initiate the connection. The
security appliance cannot use dynamic crypto maps to initiate connections to a remote peer. With a
dynamic crypto map entry, if outbound traffic matches a permit statement in an access list and the
corresponding security association does not yet exist, the security appliance drops the traffic.
A dynamic crypto map entry is essentially a crypto map entry without all the parameters configured. It
acts as a policy template where the missing parameters are later dynamically configured (as the result of
an IPSec negotiation) to match the peer requirements. Dynamic crypto maps let peers exchange IPSec
traffic with the security appliance even if the security appliance does not have a crypto map entry
specifically configured that meets all the peer requirements.
Note A dynamic crypto map entry requires only the transform-set parameter.
A dynamic crypto map set is included by reference as part of a crypto map set. Any crypto map entries
that reference dynamic crypto map sets should be the lowest priority crypto map entries in the crypto
map set (that is, have the highest sequence numbers) so that the security appliance evaluates other crypto
map entries first. It examines the dynamic crypto map set only when the other (static) map entries do not
match.
Dynamic crypto map entries, like regular static crypto map entries, are grouped into sets. A set is a group
of dynamic crypto map entries all with the same dynamic-map-name but each with a different
dynamic-seq-num. If you configure a dynamic crypto map entry, the data flow identity the IPSec peer
proposes should fall within a permit statement for this crypto access list bound to this static crypto map.
Otherwise the security appliance accepts any data flow identity the peer proposes.
You can add one or more dynamic crypto map sets into a crypto map set via crypto map entries that
reference the dynamic crypto map sets. You should set the crypto map entries referencing dynamic maps
to be the lowest priority entries in a crypto map set (that is, use the highest sequence numbers).
Note Use care when using the any keyword in permit entries in dynamic crypto maps. If it is possible for the
traffic covered by such a permit entry to include multicast or broadcast traffic, the access list should
include deny entries for the appropriate address range. Access lists should also include deny entries for
network and subnet broadcast traffic, and for any other traffic that IPSec should not protect.
The procedure for using a crypto dynamic map entry is the same as the basic configuration described in
“Creating a Basic IPSec Configuration,” except that instead of creating a static crypto map entry, you
create a crypto dynamic map entry. You can also combine static and dynamic map entries within a single
crypto map set.
- Configuration Guide 1
- CONTENTS 3
- 2 Getting Started 2-1 4
- 9 Configuring IPv6 9-1 6
- 11 Configuring Failover 11-1 7
- 2 Configuring the Firewall 9
- 14 Applying NAT 14-1 10
- Contents 11
- OL-6721-01 11
- 20 Applying QoS Policies 20-1 13
- 3 Configuring VPN 16
- 4 System Administration 19
- B Sample Configurations B-1 21
- About This Guide 23
- Related Documentation 24
- Document Organization 24
- Part 3: Configuring VPN 25
- Document Conventions 26
- Obtaining Documentation 27
- Documentation Feedback 27
- Submitting a Service Request 28
- Firewall Functional Overview 33
- Security Policy Overview 34
- Stateful Inspection Overview 36
- VPN Functional Overview 37
- Security Context Overview 37
- Security Context Overview 38
- Getting Started 39
- Saving Configuration Changes 41
- Viewing the Configuration 41
- Interface.” 43
- Unsupported Features 46
- Context Configuration Files 46
- Shared Interface Guidelines 51
- Cascading Security Contexts 53
- Restoring Single Context Mode 55
- Configuring Ethernet Settings 57
- Configuring Subinterfaces 58
- Configuring Subinterfaces 60
- Removing a Security Context 65
- Changing the Admin Context 65
- Reloading a Security Context 67
- Monitoring Security Contexts 68
- Viewing Resource Usage 69
- Security Level Overview 71
- Configuring the Interface 72
- Security Level 74
- Configuring Basic Settings 77
- Setting the Hostname 78
- Setting the Domain Name 78
- Setting the Date and Time 78
- Configuring a Static Route 84
- Configuring OSPF 85
- OSPF Overview 86
- Enabling OSPF 87
- Adding a Route Map 88
- Configuring OSPF NSSA 93
- Generating a Default Route 95
- Monitoring OSPF 97
- Restarting the OSPF Process 97
- Configuring RIP 98
- Configuring Multicast Routing 99
- Enabling Multicast Routing 100
- Configuring IGMP Features 100
- Configuring Group Membership 101
- Changing the IGMP Version 103
- Configuring PIM Features 104
- Configuring DHCP 106
- Configuring DHCP Options 108
- Configuring the DHCP Client 110
- Configuring IPv6 111
- Configuring IPv6 Access Lists 114
- The show ipv6 route Command 116
- IPv6 Configuration Example 117
- AAA Overview 119
- About Authentication 120
- About Authorization 120
- About Accounting 120
- Summary of Support 121
- RADIUS Server Support 122
- TACACS+ Server Support 123
- SDI Server Support 124
- NT Server Support 125
- Kerberos Server Support 125
- LDAP Server Support 126
- Local Database Support 126
- Fallback Support 127
- Configuring Failover 133
- Failover System Requirements 134
- The Failover and State Links 135
- State Link 136
- Active/Standby Failover 137
- Understanding Failover 138
- Command Replication 139
- Failover Triggers 140
- Failover Actions 140
- Active/Active Failover 141
- Regular and Stateful Failover 145
- Failover Health Monitoring 146
- Prerequisites 148
- Configuring the Primary Unit 150
- Configuring Failover Criteria 154
- Configure the Primary Unit 157
- Configure the Secondary Unit 159
- Figure 11-1 ASR Example 163
- Configuring Failover 164
- Show Failover—Active/Active 169
- Viewing Monitored Interfaces 173
- Forcing Failover 174
- Disabling Failover 175
- Monitoring Failover 175
- Debug Messages 176
- Configuring the Firewall 185
- Firewall Mode Overview 187
- IP Routing Support 188
- Network Address Translation 188
- Routed Mode Overview 189
- Figure 12-2 Inside to Outside 190
- Transparent Mode Overview 194
- Transparent Firewall Features 195
- Transparent Mode Overview 196
- Access List Overview 203
- Access List Types and Uses 204
- Access List Overview 206
- VPN Access (Extended) 207
- Access List Guidelines 208
- Access Control Implicit Deny 209
- Adding a Standard Access List 215
- Adding Object Groups 216
- Adding a Network Object Group 217
- Adding a Service Object Group 217
- Nesting Object Groups 219
- Displaying Object Groups 221
- Removing Object Groups 221
- Time Range Options 222
- Logging Access List Activity 222
- Access List Logging Overview 223
- access_list_name 224
- Managing Deny Flows 225
- Applying NAT 227
- Introduction to NAT 228
- NAT Control 229
- Chapter 14 Applying NAT 230
- NAT Overview 230
- NAT Types 231
- Static NAT 233
- Static PAT 233
- Figure 14-7 Static PAT 234
- Policy NAT 235
- Mapped Address Guidelines 239
- DNS and NAT 240
- Configuring NAT Control 241
- Using Dynamic NAT and PAT 242
- Global 2: 209.165.201.11 245
- NAT 2: 192.168.1.0/24 245
- Figure 14-19 Dynamic NAT 248
- Figure 14-20 Dynamic PAT 248
- Using Static NAT 251
- Using Static PAT 252
- Bypassing NAT 255
- 209.165.201.1 209.165.201.1 256
- Inside Outside 256
- 209.165.201.2 209.165.201.2 256
- Security 256
- Appliance 256
- Configuring NAT Exemption 257
- NAT Examples 258
- Overlapping Networks 259
- Redirecting Ports 260
- NAT Examples 262
- AAA Performance 269
- Authentication Overview 270
- Applying Filtering Services 281
- Filtering ActiveX Objects 282
- Filtering Java Applets 283
- Filtering Overview 284
- General Procedure 285
- Filtering HTTP URLs 287
- Filtering HTTPS URLs 288
- Filtering FTP Requests 289
- Viewing Caching Statistics 291
- Overview 293
- Class Map Example 296
- Policy Map Procedure 297
- Policy Map Examples 298
- Restrictions 299
- Action Order 301
- Advanced Options 302
- Types of Direction Policies 303
- Implicit Direction Policies 303
- Examples 303
- Service Policy and NAT 306
- Configuring TCP Normalization 310
- Preventing IP Spoofing 311
- Configuring the Fragment Size 313
- Blocking Unwanted Connections 313
- Applying QoS Policies 315
- QoS Concepts 316
- Identifying Traffic for QoS 317
- Classifying Traffic for QoS 318
- Defining a QoS Policy Map 320
- Applying Rate Limiting 320
- Verifying QoS Statistics 322
- Activating the Service Policy 323
- Applying Low Latency Queueing 323
- Configuring Priority Queuing 324
- Sizing the Priority Queue 324
- Reducing Queue Latency 324
- Viewing QoS Statistics 325
- How Inspection Engines Work 328
- Supported Protocols 329
- Managing CTIQBE Inspection 336
- Managing FTP Inspection 340
- Configuring FTP Inspection 341
- Managing GTP Inspection 345
- Managing H.323 Inspection 350
- Limitations and Restrictions 351
- Monitoring H.225 Sessions 354
- Monitoring H.245 Sessions 355
- Monitoring H.323 RAS Sessions 355
- Managing HTTP Inspection 356
- Managing MGCP Inspection 359
- MGCP Inspection Overview 360
- Managing MGCP Inspection 361
- Managing RTSP Inspection 365
- RTSP Inspection Overview 366
- Using RealPlayer 366
- Restrictions and Limitations 367
- Managing SIP Inspection 369
- SCCP Inspection Overview 373
- Supporting Cisco IP Phones 374
- Managing SNMP Inspection 379
- SNMP Inspection Overview 380
- Parameters 383
- Adding a Static ARP Entry 384
- Enabling ARP Inspection 384
- MAC Address Table Overview 385
- Adding a Static MAC Address 385
- Viewing the MAC Address Table 386
- Configuring VPN 387
- Configuring IPSec and ISAKMP 389
- IPSec Overview 390
- Configuring ISAKMP 390
- ISAKMP Overview 391
- Configuring ISAKMP Policies 392
- Enabling IPSec over NAT-T 395
- Enabling IPSec over TCP 395
- Configuring IPSec 399
- Understanding Transform Sets 400
- Defining Crypto Maps 400
- Using Interface Access Lists 401
- Configuring IPSec 402
- Changing IPSec SA Lifetimes 403
- Using Dynamic Crypto Maps 406
- Configuring Client Update 412
- Configuring Client Update 414
- • Group Policies, page 25-10 415
- Tunnel Groups 416
- IPSec Connection Parameters 417
- Configuring Tunnel Groups 418
- Group Policies 424
- Default Group Policy 425
- Configuring Group Policies 426
- ACL name 428
- Configuring Users 440
- Configuring Specific Users 441
- Configuring User Attributes 442
- Configuring Users 446
- Configuring AAA Addressing 448
- Configuring DHCP Addressing 449
- Summary of the Configuration 451
- Configuring Interfaces 452
- Outside Interface 453
- Configuring an Address Pool 454
- Adding a User 454
- Creating a Transform Set 454
- Defining a Tunnel Group 455
- Step 4 Save your changes 456
- Step 3 Save your changes 456
- Configuring LAN-to-LAN VPNs 459
- Configuring an ACL 462
- Step 2 Save your changes 465
- Configuring Certificates 467
- Certificate Scalability 468
- About Key Pairs 468
- About Trustpoints 469
- About CRLs 469
- Certificate Configuration 470
- Configuring Key Pairs 471
- Configuring Trustpoints 472
- Obtaining Certificates 474
- [ certificate data omitted ] 476
- [ PKCS12 data omitted ] 480
- System Administration 483
- Managing System Access 485
- Allowing SSH Access 486
- Using an SSH Client 487
- Changing the Login Password 487
- Recovering from a Lockout 499
- Configuring a Login Banner 500
- Configurations 501
- Entering a New Activation Key 502
- Installation Overview 502
- Viewing Files in Flash Memory 502
- Backing Up the Configuration 506
- Using System Log Messages 509
- Using SNMP 509
- Enabling SNMP 511
- Testing Your Configuration 512
- Performing Password Recovery 517
- Other Troubleshooting Tools 519
- Common Problems 520
- Supported Platforms 523
- Platform Feature Licenses 523
- Platform Feature Licenses 524
- VPN Specifications 526
- Cryptographic Standards 527
- VPN Specifications 528
- Sample Configurations 529
- Figure B-2 Example 2 534
- Figure B-3 Example 3 536
- APPENDIX 545
- Command Modes and Prompts 546
- Syntax Formatting 547
- Abbreviating Commands 547
- Command-Line Editing 547
- Command Completion 547
- Command Help 548
- Filtering show Command Output 548
- Command Output Paging 549
- Adding Comments 549
- Text Configuration Files 550
- Line Order 551
- Passwords 551
- Text Configuration Files 552
- Private Networks 554
- Subnet Masks 554
- Determining the Subnet Mask 555
- Class C-Size Network Address 556
- Class B-Size Network Address 556
- IPv6 Addresses 557
- IPv6 Address Types 558
- Global Address 559
- Site-Local Address 559
- Link-Local Address 559
- Unspecified Address 560
- Loopback Address 560
- Interface Identifiers 560
- Multicast Address 560
- Anycast Address 561
- IPv6 Address Prefixes 562
- Protocols and Applications 563
- TCP and UDP Ports 564
- TCP and UDP Ports 565
- Local Ports and Protocols 566
- ICMP Types 567
- ICMP Types 568
- Numerics 569
- Glossary 570
© 2020, manymanuals.es. Todos los derechos reservados | 0.067 s |
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Comentarios a estos manuales