[Config] Example config showing wireless, PEAP, GRE, IPSEC etc

Author	All Replies
Manta Premium join:2003-11-04 UK	[Config] Example config showing wireless, PEAP, GRE, IPSEC etc I've got a significant amount of help from people here on various topics - including the wireless involved here - and wanted to post back my config with what I've learned so far. Hopefully it will be useful to some and possibly I might get suggested improvements back. I have trimmed the irrelevant things out - like multiple port-maps entries - and hopefully all the sensitive stuff like passwords and external IPs but I've tried to keep it as complete as possible to be as useful as possible. If I've missed censoring something I should have, please let me know though! I'm quite happy to answer questions on how or why I've done things if people have them. If there's interest in a particular chunk of code, I might try (with somebody's help) to turn it into a FAQ post. Many thanks for everyone's continued support, Gareth version 12.4 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime msec show-timezone service timestamps log datetime msec show-timezone service password-encryption ! hostname <hostname> ! boot-start-marker boot-end-marker ! logging buffered 40960 warnings enable secret <secret> ! aaa new-model ! ! aaa group server radius wireless-radius server 10.1.0.2 auth-port 1645 acct-port 1646 ip radius source-interface Vlan1 ! aaa authentication login local-auth local-case aaa authentication login wireless-eap group wireless-radius aaa authentication ppp default local-case ! ! aaa session-id common clock timezone GMT 0 clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00 ! ! dot11 association mac-list 700 dot11 syslog ! dot11 ssid w-secure vlan 2 authentication open eap wireless-eap authentication key-management wpa ! dot11 ssid w-ps3 vlan 3 authentication open authentication key-management wpa guest-mode wpa-psk ascii <WPA key> ! no ip source-route ip cef ! ! ! ! no ip bootp server no ip domain lookup ip domain name bullet-systems.com ip multicast-routing ip inspect udp idle-time 15 ip inspect tcp idle-time 1800 ip inspect tcp finwait-time 1 ip inspect tcp synwait-time 15 ip inspect name INTERNET-OUT tcp alert on ip inspect name INTERNET-OUT udp alert on ip inspect name INTERNET-OUT http java-list 2 alert on ip inspect name INTERNET-OUT ftp alert on timeout 300 ip inspect name INTERNET-OUT tftp alert on ip inspect name INTERNET-OUT sip alert on ip inspect name INTERNET-OUT rtsp alert on ip ips name INTERNET-OUT ! multilink bundle-name authenticated ! ! username <username> secret <secret> ! ! crypto isakmp policy 20 encr 3des authentication pre-share group 5 crypto isakmp key <preshared key> address <vpn endpoint1> crypto isakmp key <preshared key> address <vpn endpoint2> crypto isakmp invalid-spi-recovery ! ! crypto ipsec transform-set ipsec-tunnel esp-3des esp-sha-hmac ! crypto map vpn-tunnel 100 ipsec-isakmp description A to B IPSec tunnel to carry GRE set peer <endpoint IP> set transform-set ipsec-tunnel set pfs group5 match address adsl-gre ! crypto map vpn-tunnel 110 ipsec-isakmp description A to B via SDSL set peer <endpoint IP set transform-set ipsec-tunnel set pfs group5 match address sdsl-gre ! archive log config hidekeys ! ! ip ssh time-out 60 ip ssh authentication-retries 2 ! class-map match-any voip match ip rtp 9000 20 match access-group name voip ! ! policy-map voip class voip priority 516 class class-default fair-queue ! ! ! ! interface Loopback0 ip address 192.168.1.1 255.255.255.255 ! interface Loopback5 ip address 192.168.1.5 255.255.255.255 ! interface Tunnel0 description Tunnel over ADSL bandwidth 800 ip unnumbered Loopback0 ip load-sharing per-packet ip multicast boundary multicast-boundary ip virtual-reassembly ip tcp adjust-mss 1200 qos pre-classify keepalive 3 3 tunnel source Loopback0 tunnel destination 192.168.1.2 tunnel key 0 tunnel bandwidth transmit 800 ! interface Tunnel5 description Tunnel SDSL bandwidth 800 bandwidth receive 1024 ip unnumbered Loopback5 ip load-sharing per-packet ip multicast boundary multicast-boundary ip virtual-reassembly ip tcp adjust-mss 1200 qos pre-classify keepalive 3 3 tunnel source Loopback5 tunnel destination 192.168.1.6 tunnel key 5 tunnel bandwidth transmit 800 ! ! interface ATM0 no ip address no ip mroute-cache no atm ilmi-keepalive pvc 0/38 ubr 832 encapsulation aal5mux ppp dialer dialer pool-member 1 service-policy output voip ! dsl operating-mode auto ! interface FastEthernet0 ! interface FastEthernet1 ! interface FastEthernet2 ! interface FastEthernet3 ! interface Dot11Radio0 no ip address ! encryption vlan 2 mode ciphers aes-ccm ! encryption vlan 3 mode ciphers aes-ccm ! ssid w-secure ! ssid w-ps3 ! speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0 station-role root ! interface Dot11Radio0.2 description Wireless VLAN for laptop and trusted machines encapsulation dot1Q 2 ip address 10.2.2.1 255.255.255.0 ip helper-address 10.1.0.2 ip nat inside ip virtual-reassembly ! interface Dot11Radio0.3 description Wireless VLAN for PS3 encapsulation dot1Q 3 ip address 10.2.3.1 255.255.255.0 ip access-group wireless-lockdown in ip helper-address 10.1.0.2 ip pim sparse-dense-mode ip nat inside ip virtual-reassembly ! interface Vlan1 description Local Area Network bandwidth 100000 ip address 10.1.0.1 255.255.255.0 ip access-group ethernet-in in ip nbar protocol-discovery ip pim sparse-dense-mode ip nat inside ip virtual-reassembly hold-queue 100 out ! interface Dialer0 description ADSL line 8192kbps/832kbps bandwidth 8192 ip address negotiated ip access-group internet-in in no ip proxy-arp ip multicast boundary multicast-boundary ip nat outside ip inspect INTERNET-OUT out ip virtual-reassembly encapsulation ppp dialer pool 1 dialer-group 1 no cdp enable ppp chap hostname <username> ppp chap password <password> crypto map vpn-tunnel ! no ip forward-protocol nd no ip forward-protocol udp domain no ip forward-protocol udp time no ip forward-protocol udp netbios-ns no ip forward-protocol udp netbios-dgm no ip forward-protocol udp tacacs ip route 0.0.0.0 0.0.0.0 Dialer0 ip route 10.1.1.0 255.255.255.0 Tunnel0 ip route 10.1.1.0 255.255.255.0 Tunnel5 ! ! no ip http server no ip http secure-server ip nat translation timeout 1800 ip nat translation tcp-timeout 300 ip nat translation finrst-timeout 15 ip nat translation syn-timeout 45 ip nat translation max-entries host 10.1.0.52 1500 ip nat pool used-ip-block <start> <end> prefix-length 29 ip nat pool unused-ip-block <start> <end> prefix-length 29 ip nat inside source list nat-list pool used-ip-block overload ip nat inside source static tcp <inside host> <tcp port> <outside IP> <tcp port> extendable ip nat inside source static udp <inside host> <udp port> <outside IP> <udp port> extendable ! ip access-list standard multicast-boundary deny 239.255.0.0 0.0.255.255 permit any ! ip access-list extended sdsl-gre permit ip host 192.168.1.5 host 192.168.1.6 ! ip access-list extended ethernet-in permit ip any host 192.168.2.2 remark Invalid internet addresses deny ip any 0.0.0.0 0.255.255.255 log deny ip any 127.0.0.0 0.255.255.255 log deny ip any 169.254.0.0 0.0.255.255 log deny ip any 192.0.2.0 0.0.0.255 log deny ip any 192.168.0.0 0.0.255.255 log remark Other permit icmp any any echo permit icmp any any echo-reply permit icmp any any traceroute permit tcp any any permit udp any any permit igmp 10.1.0.0 0.0.0.255 any deny ip any any log ! ip access-list extended internet-in permit esp host <vpn endpoint> any permit udp host <vpn endpoint> eq isakmp any eq isakmp remark Invalid internet addresses deny ip 0.0.0.0 0.255.255.255 any log deny ip 10.0.0.0 0.255.255.255 any log deny ip 127.0.0.0 0.255.255.255 any log deny ip 169.254.0.0 0.0.255.255 any log deny ip 172.16.0.0 0.15.255.255 any log deny ip 192.0.2.0 0.0.0.255 any log deny ip 192.168.0.0 0.0.255.255 any log permit tcp any any eq domain permit udp any any eq domain remark Other permit icmp any any unreachable permit icmp any any time-exceeded permit icmp any any echo-reply permit udp host 158.43.128.33 any eq ntp permit udp host 158.43.128.66 any eq ntp deny ip any any log ! ip access-list extended adsl-gre permit ip host 192.168.1.1 host 192.168.1.2 ! ip access-list extended nat-list deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 permit ip 10.1.0.0 0.0.255.255 any permit ip 10.2.2.0 0.0.0.255 any permit ip 10.2.3.0 0.0.0.255 any ! ip access-list extended voip permit ip any 217.10.79.0 0.0.0.255 permit udp host 10.1.0.2 range 9000 9020 any ! ip access-list extended wireless-lockdown permit tcp 10.2.3.0 0.0.0.255 host 10.1.0.2 eq domain permit udp 10.2.3.0 0.0.0.255 host 10.1.0.2 eq domain permit tcp 10.2.3.0 0.0.0.255 host 10.1.1.2 eq domain permit udp 10.2.3.0 0.0.0.255 host 10.1.1.2 eq domain permit ip 10.2.3.0 0.0.0.255 host 10.1.0.3 permit udp any eq bootpc any eq bootps deny ip 10.2.3.0 0.0.0.255 10.0.0.0 0.255.255.255 log deny ip 10.2.3.0 0.0.0.255 192.168.0.0 0.0.255.255 log permit igmp 10.2.3.0 0.0.0.255 any permit ip 10.2.3.0 0.0.0.255 any ! ip radius source-interface Vlan1 logging history size 100 access-list 1 remark SNMP access access-list 1 permit 10.1.0.2 access-list 1 deny any log ! access-list 2 remark JAVA applet firewall exception list access-list 2 permit 72.5.124.95 access-list 2 permit 85.210.20.0 0.0.0.255 ! ! access-list 700 permit 0123.4567.8901 0000.0000.0000 ! snmp-server community <read-only community name> RO 1 snmp-server contact Me snmp-server chassis-id <id> snmp-server enable traps tty ! ! ! radius-server attribute 32 include-in-access-req format %h radius-server host 10.1.0.2 auth-port 1645 acct-port 1646 key <key> radius-server vsa send accounting ! control-plane ! banner login ^CC Access to this device is only permitted by authorised users All access to this device is logged ^C ! line con 0 logging synchronous login authentication local-auth no modem enable stopbits 1 line aux 0 login authentication local-auth stopbits 1 line vty 0 4 exec-timeout 20 0 logging synchronous login authentication local-auth transport input ssh ! scheduler max-task-time 5000 sntp server 158.43.128.33 sntp server 158.43.128.66 ! ! end
Manta Premium join:2003-11-04 UK	to forum · permalink · · 2009-01-15 17:48:20 ·
aryoba Premium,MVM join:2002-08-22	Re: [Config] Example config showing wireless, PEAP, GRE, IPSEC e Of course we can always have more sample configuration for FAQ However if you don't mind, can you post detail descriptions of the objective of such configuration. I'm sure a lot of people wonder why you configure the router in such a way.
aryoba Premium,MVM join:2002-08-22	to forum · permalink · · 2009-01-17 06:44:05 ·
Manta Premium join:2003-11-04 UK	reply to Manta Sure, I'll try to annotate it when I get a second.
Manta Premium join:2003-11-04 UK	to forum · permalink · · 2009-01-18 14:36:03 ·


Monday, 23-Nov 06:32:03	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 10 years online! © 1999-2009 dslreports.com. page compression OFF