
Helpful Configuration Scripts for the AR Router Series
Revision History (Author, Revision, Date: Modifications)

ST, 5.8.4, 5 March 2001:
  § 5.6: Correction to firewall rule 1 interface
  § 6.3: Firewall rules 2 and 3 removed, rule 4 renumbered to 2, rule 3 (internal 'nonat') added
  § 6.4: Heading adjusted, Note adjusted, firewall rule 3 added
  § 6.5: Heading adjusted, Comments adjusted
  § 6.6: Two Gateways example added
  § 6.7: IPSec Testing notes added
ST, 5.8.5, 15 March 2001:
  § 6.3: Add 'isa' parameter to associate IPSec policy with a specific ISAKMP policy. Create separate ISAKMP policies
         for remote office and roaming VPN clients. Rename ISAKMP policies on VPN client. Added specific configuration
         for router B
  § 6.6: Add 'isa' parameter to associate IPSec policy with a specific ISAKMP policy. Create separate ISAKMP policies
         for remote office and roaming VPN clients. Rename ISAKMP policies on VPN client.
ST, 5.8.6, 3 April 2001:
  § 6.3: 'sendnotify' parameter added
  § 6.3.1, 6.4.1, 6.7: VPN Client interface defined as 'dialup'
  § 6.5: Removed ppp0 on site A. Modified ADSL pinhole details. Corrected eth0 address at site B.
  § 6.6 becomes § 6.7
  § 6.6 inserted: IPSec and Firewall through two NAT gateways (eg: ADSL)
ST, 5.8.7, 5 April 2001:
  § 5.6: Firewall DMZ modified to dual policy firewall
  § 6.2: 'remoteip' parameter added to firewall rule 1
  § 6.5, 6.7: 'sendnotify' parameter added
  § 6.6: Renamed IPS and ISA policy names; use 'isa' parameter in IPS policy; add Internet IPS policy
  § 6.8: Notes extended to give basic initial debugging modes
  § 6.3, 6.4, 6.5: Secoff user and securedelay defined
TW, 5.8.8, 4 July - 24 September 2002:
  § 1.4: Changed file names for section
  § 1.4: Added link to tftp server software
  § 1.5: Added client licences; deleted manual key generation
  § 4.2: Added CIR/PIR and MTU settings
  § 4.3: Deleted
  § 5.1.3: Firewall - UDP video/voice performance settings
  § 5.3: Deleted
  § 5.2: Deleted
  § 6.1: Deleted SA configuration details and IP settings
  § 6.2: Deleted SA configuration details and IP settings
  § 6.3: Bolded sections and removed rname in router/client
  § 6.4: Updated for UDP VPN client
TW, 05/08/05, 01/02/04:
  Examples using "add ppp=0 over=syn" changed to eth1
  Deleted most of the ISDN/PPP examples
  § 3.1: Added PPPoE example
  § 2.1.3: Added ISDN settings for Telecom / TelstraClear
ATI are manufacturers of the AR router and are specialists in Layer 3 switches and secure networking devices. More
detailed information on the AR products is available on ATI's World Wide Web site www.alliedtelesyn.net.nz.
Document text by Mathew Jury - ATI Technical Consultant, Taylor Wilkins - ATI Network Engineer
and Shayle Tasker - Network Engineer, ATR Customer Services Group.
Allied Telesyn offers technical assistance in partnership with our authorised distributors and resellers. For technical
assistance, please contact the authorised distributor or reseller in your area. Please refer to http://www.alliedtelesyn.net.nz/
for a list of Authorised Distributors.
ATI NZ Support site: http://www.alliedtelesyn.net.nz/
Specifications subject to change without notice.
ATI NZ Ltd
Contents
1. Quick Command Reference
1.1. Configurations
1.2. Filing, Reboots, and Feature Licences
1.3. Command Actions
1.4. Upgrade Process
1.5. Generating an Encryption Key
2. PPP over DDS for Internet (NAT to SMTP Server) and Private Networks
2.1. PPP over ISDN Internet Access
2.1.1. Example 2.1 with 2 B channels always up
2.1.2. Example 2.1 with Cisco's at the ISP
2.1.3. ISDN territory for Telecom / TelstraClear
3. PPPoE
3.1. PPPoE and Firewall via TelstraClear / Woosh / Wired Country (IHUG)
4. Time Division Multiplexing (TDM)
5. Frame Relay
5.1. Standard Frame Relay for LMI REV 1
5.2. Standard Frame Relay ISP Access
5.3. Standard Frame Relay ISP Access with firewall and DMZ
5.4. Logical interfacing to Frame Relay, Internet connection via ISP with Private Network
5.4.1. OSPF on the private network, 5.4 continued
6. Simple Firewall over Ethernet with internal mail server
6.1.2. PINGING, Email notification, accounting, and logging
6.1.3. Internet Access to Firewall Router
6.1.4. UDP Video link through firewall performance tweak
6.2. Private Frame Relay with Firewall on ISP Internet PVC
6.3. Firewall over Ethernet with Private IP addresses only on the LAN
6.4. Firewall with ADSL
6.5. Firewall over PPP with a DMZ LAN
7. VPN
7.1. GRE Tunnel, NAT, and Internet
6.2. L2TP Tunnel, Firewall and Internet
7.2. IPSec (with ISAKMP), Firewall, and VPN Client
7.2.1. IPSec Client option for Example 6.3
7.3. IPSec (with Manual Key) and Firewall with NAT device (eg: ADSL), plus VPN Client (with Manual Key)
7.3.1. IPSec Client option for Example 6.4
7.4. IPSec + ISAKMP (with L2TP) and Firewall router, behind NAT device (eg: ADSL)
7.5. IPSec and Firewall through two NAT gateways (eg: ADSL)
7.6. Two Gateways; Firewall with IPSec and ISAKMP to VPN Client + Remote Office
7.7. Notes on IPSec Testing and Verification
Allied Telesyn router helpful configs
1. Quick Command Reference
1.1. Configurations
Task                                         Command
Show the log                                 Show log
View the current release and patch           Show install
Show the system information                  Show sys
Save the current configuration               Create config=<config>.cfg
Change the boot configuration file           Set conf=<config>.cfg
What is the current configuration file       Show conf
Show the current RAM configuration           Show conf dyn
                                             Show conf dyn=<sub section>
1.2. Filing, Reboots, and Feature Licences
Task                                               Command
Show file contents in FLASH or NVS                 Show fi=<file.ext>
Show files                                         Show fi
To edit a file                                     Edit <file.ext>
Warm boot the router                               Restart reboot
Quick boot (for applying new configurations)       Restart router
Enable a new feature licence                       Enable feature=<feature> pass=<password>
1.3. Command Actions
To configure     To remove from configuration     To view and modify
Add              Delete                           Show
Create           Destroy                          Set
Activate         Deactivate                       Reset
Enable           Disable                          Purge
1.4. Upgrade Process
To load the file on the router you need trivial FTP (TFTP) server software. A Windows version is available from
Allied Telesyn (Allied Telesyn tftp server).
Upgrade process                               Commands
Make space, delete the old files              Del fi=<oldfile.ext>
Load files                                    Load fi=<file.rez> dest=flash serv=<server ip>
                                              Load fi=<file.paz> dest=flash serv=<server ip>
                                              Load fi=<file.hlp> dest=flash serv=<server ip>
Apply a help file                             Set help=<help>.hlp
Save the config                               Create conf=<current config>
Enable the release licence                    Enable rel=<release.rez> num=<release> pass=<password>
Set the current release and patch file        Set inst=pref rel=<release.rez> pat=<patch.paz>
Warm boot the router                          Restart reboot
Note: TFTP has no authentication or integrity protection. Run the TFTP server only for the duration of the upgrade,
on a segment the router reaches directly, and confirm the loaded file names and sizes with "Show fi" before enabling
the release.
1.5. Generating an Encryption Key
Check list for encryption:
1) Do you have full client licences to generate keys?
2) 3DES licence (export permit)
3) EMAC/EPAC encryption card?
Task                                              Command
Add security level user                           Add user=secoff pass=secoff priv=security
Keep security officer access for 10 minutes       Set user securedelay=600
Turn on security at both ends                     Enable system security
Create the ISAKMP key                             At router 'A'> Create enco key=1 type=gen random
View the key                                      At router 'A'> Show enco key=1
                                                  (tip: copy and paste this key to router B)
Enter the ISAKMP key at the other end             At router 'B'> Create enco key=1 type=gen val=<router 'A' key>
Allow remote security officer access and          Enable user rso
specify remote IP address ranges                  Add user rso ip=<remote access ip> mask=<mask>
Note: 'secoff' above is only a placeholder password. Once system security is enabled this account controls the
keys, so give it a real password, and keep the RSO address range as narrow as possible.
2. PPP over DDS for Internet (NAT to SMTP Server) and Private Networks
[Diagram: Site A (192.168.10.0, CentreCOM AR300, mail server 192.168.10.2) - ppp0 200.200.200.0/30 - Internet
(private / NAT / public); ppp1 192.168.254.0 private link to Site B (192.168.20.0, ppp0)]
Note: Be aware that with many Internet Providers it may be more suitable to turn LQR (Link Quality Reporting) off on PPP
links, and instead use LCP Echo Request and Echo Reply messages to determine link quality (echo=on). Simply add
'lqr=off echo=on' to the PPP creation command.
Note: IP NAT here only translates addresses; it is not a packet filter. Services the router itself listens on remain
reachable at 200.200.200.1 from the Internet unless a firewall policy (section 6) is added.
Router A
#
# PPP Configuration
#
create ppp=0 over=syn0
create ppp=1 over=syn1
#
# IP Configuration
#
enable ip
add ip int=eth0 ip=192.168.10.1
add ip int=ppp1 ip=192.168.254.1
add ip int=ppp0 ip=200.200.200.1 mask=255.255.255.252
add ip route=0.0.0.0 next=0.0.0.0 int=ppp0
add ip route=192.168.20.0 next=0.0.0.0 int=ppp1
enable ip nat
enable ip nat log=all
add ip nat ip=192.168.0.0 mask=255.255.0.0 gblip=200.200.200.1
add ip nat ip=192.168.10.2 mask=255.255.255.255 port=smtp gblip=200.200.200.1 gblport=smtp proto=tcp
Router B
#
# PPP Configuration
#
create ppp=0 over=syn0
#
# IP Configuration
#
enable ip
add ip int=eth0 ip=192.168.20.1
add ip int=ppp0 ip=192.168.254.2
add ip route=0.0.0.0 next=0.0.0.0 int=ppp0

2.1. PPP over ISDN Internet Access
[Diagram: Site A (192.168.10.0, CentreCOM AR300) - ISDN, dynamic IP - Internet (private / NAT / public)]
Note: Be aware that with many Internet Providers it may be more suitable to turn LQR (Link Quality Reporting) off on PPP
links, and instead use LCP Echo Request and Echo Reply messages to determine link quality (echo=on). Simply add
'lqr=off echo=on' to the PPP creation command.
Router A
#
# System Configuration
set sys territory=<countrycode>
#
# ISDN Configuration
add isdn call=internet num=12345 prec=out
#
# PPP Configuration
# Note: 2nd channel on demand
create ppp=0 over=isdn-internet idle=60 bap=off ipreq=on user=<username> pass=<password>
add ppp=0 over=isdn-internet type=demand
#
# IP Configuration
enable ip
enable ip rem
add ip int=eth0 ip=192.168.10.1
add ip int=ppp0 ip=0.0.0.0
add ip route=0.0.0.0 next=0.0.0.0 int=ppp0
enable ip nat
enable ip nat log=all
add ip nat ip=192.168.10.0 mask=255.255.255.0 gblint=ppp0

2.1.1. Example 2.1 with 2 B channels always up
Note: Some ISDN providers and/or ISP providers charge per minute and this option may not be affordable. This
alternative is intended where an affordable fixed monthly charge account has been offered by the ISDN and ISP
providers.
Note: Be aware that with many Internet Providers it may be more suitable to turn LQR (Link Quality Reporting) off on
PPP links, and instead use LCP Echo Request and Echo Reply messages to determine link quality (echo=on).
Simply add 'lqr=off echo=on' to the PPP creation command.
ISDN & PPP configuration modifications for 2 B channels always up
#
# ISDN Configuration
#
add isdn call=internet num=12345 prec=out keepup=on
#
# PPP Configuration
# Note: no idle parameter; user and password required if going into an ISP
create ppp=0 over=isdn-internet num=2 bap=off [user=<username> password=<password>]

2.1.2. Example 2.1 with Cisco's at the ISP
PPP configuration modifications for Cisco at the ISP
#
# PPP Configuration
# Note: 2nd channel on demand
create ppp=0 over=isdn-internet idle=60 bap=off lqr=off echo=on user=<username> pass=<password>
add ppp=0 over=isdn-internet type=demand

2.1.3. ISDN territory for Telecom / TelstraClear
ISDN settings for Telecom / TelstraClear
#
# ISDN settings for Telecom
set system territory=newzealand
#
# ISDN settings for TelstraClear
set system territory=europe
3. PPPoE
3.1. PPPoE and Firewall via TelstraClear / Woosh / Wired Country (IHUG)
Note: Proxy ARP must be turned off on a public shared Ethernet network.
Router A
create ppp=0 idle=999999 over=eth0-any
set ppp=0 iprequest=on username="test@isp.co.nz" password="test"
set ppp=0 over=eth0-any lqr=off echo=10
enable ip
enable ip remote
add ip int=ppp0 ip=0.0.0.0 mask=0.0.0.0
add ip int=vlan1 ip=10.0.0.1 mask=255.255.255.0
add ip int=eth0 ip=1.1.1.1 mask=255.255.255.0
set ip int=eth0 proxy=off
# The default route must leave via the PPPoE interface created above (ppp0)
add ip rou=0.0.0.0 mask=0.0.0.0 int=ppp0 next=0.0.0.0
enable firewall
create firewall policy="pppoe"
enable firewall policy="pppoe" icmp_f=all
add firewall policy="pppoe" int=vlan1 type=private
add firewall policy="pppoe" int=ppp0 type=public
add firewall poli="pppoe" nat=enhanced int=vlan1 gblin=ppp0
Note: only the PPPoE session (ppp0) is attached to the policy. eth0 (1.1.1.1) on the shared Ethernet segment is not,
so traffic addressed to that interface itself is not firewalled.
4. Time Division Multiplexing (TDM)
[Diagram: Site A (192.168.10.0, CentreCOM AR300, mail server 192.168.10.2) on a 2M PRI; TDM group to Site B
(192.168.1.0) via ppp1 192.168.254.0/30 and to Site C (192.168.2.0) via ppp2 192.168.254.4/30]
Router A
#
# PRI configuration
# Note: "CRC" mode may need to be set to "off" or "checking" for the link to become active,
# depending on the Telco configuration.
# Note: RJ45 pinouts for PRI devices aren't standardised; check your NT1 if using RJ45 termination.
set pri=0 mode=tdm
set pri=0 crc=reporting
#
# TDM configuration
#
create tdm group=site_b interface=pri0 slots=1
create tdm group=site_c interface=pri0 slots=6-9
#
# PPP Configuration
#
create ppp=1 over=tdm-site_b idle=60 comp=on
create ppp=2 over=tdm-site_c idle=60 comp=on
#
# IP Configuration
#
enable ip
add ip int=eth0 ip=192.168.10.1
add ip int=ppp1 ip=192.168.254.1 mask=255.255.255.252
add ip int=ppp2 ip=192.168.254.5 mask=255.255.255.252
add ip route=192.168.1.0 next=0.0.0.0 int=ppp1
add ip route=192.168.2.0 next=0.0.0.0 int=ppp2
Router B
#
# PPP Configuration
#
create ppp=0 over=syn0
#
# IP Configuration
# Note: for Router C change the eth and ppp IP addresses
enable ip
add ip int=eth0 ip=192.168.1.1
add ip int=ppp0 ip=192.168.254.2
add ip route=0.0.0.0 next=0.0.0.0 int=ppp0
5. Frame Relay
5.1. Standard Frame Relay for LMI REV 1
(Sometimes referred to as "cisco" LMI type)
[Diagram: meshed Frame Relay between Site A (192.168.1.0, 192.168.254.1), Site B (192.168.2.0, 192.168.254.2),
Site C (192.168.3.0, 192.168.254.3) and Site D (192.168.4.0, 192.168.254.4); DLCIs 101-104; one CentreCOM AR300 per site]
Router A
#
# Frame Relay Configuration
# Note: By default LMI is set to "LMIrev1" which is the same as "cisco" LMI type.
create fr=0 over=syn0
#
# IP Configuration
#
enable ip
add ip int=fr0 ip=192.168.254.1
add ip int=eth0 ip=192.168.1.1
add ip route=192.168.2.0 next=0.0.0.0 mask=255.255.255.0 int=fr0 dlc=102
add ip route=192.168.3.0 next=0.0.0.0 mask=255.255.255.0 int=fr0 dlc=103
add ip route=192.168.4.0 next=0.0.0.0 mask=255.255.255.0 int=fr0 dlc=104
Routers B, C, and D must have the IP addresses and routes changed appropriately.
To use RIP instead, remove the static routes and add the following lines:
add ip rip int=fr0 dlc=102
add ip rip int=fr0 dlc=103
add ip rip int=fr0 dlc=104
(LMI Rev 1 is the default LMI for Telecom New Zealand)
5.2. Standard Frame Relay ISP Access
The frame network in NZ uses an MTU of 1500; this needs to be altered on the routers because the default is 1600.
Router A
# Syn
# Set syn to the speed the telco is providing, eg 1Mbit = 1024000
set syn=syn0 speed=2048000
#
# Frame Relay Configuration
# Note: By default LMI is set to "LMIrev1" which is the same as "cisco" LMI type.
# To 'packet shape', set the CIRLIMIT to the PIR supplied.
create fr=0 over=syn0
set fr=0 dlc=102 cir=1024000 cirlimit=yes
#
# Interfaces
set int=fr0 mtu=1500
#
# IP Configuration
enable ip
add ip int=fr0 ip=200.200.200.1 mask=255.255.255.252
add ip int=eth0 ip=192.168.10.1
add ip route=0.0.0.0 next=0.0.0.0 mask=0.0.0.0 int=fr0 dlc=102
enable ip nat
enable ip nat log=all
add ip nat ip=192.168.10.0 mask=255.255.255.0 gblip=200.200.200.1
add ip nat ip=192.168.10.2 mask=255.255.255.255 port=smtp gblip=200.200.200.1 gblport=smtp proto=tcp
[Diagram: Site A (192.168.10.0, CentreCOM AR300, mail server 192.168.10.2) - fr0 200.200.200.1, DLCI 102,
CIR=512k, PIR=1024k - Frame Relay - Internet]
5.3. Standard Frame Relay ISP Access with firewall and DMZ
[Diagram: as 5.2, with a DMZ on eth1 (210.1.1.0/30): Site A 192.168.10.0, mail server 192.168.10.2, fr0 200.200.200.1,
DLCI 102, CIR=512k, PIR=1024k - Frame Relay - Internet]
The frame network in NZ uses an MTU of 1500; this needs to be altered on the routers because the default is 1600.
Router A
# Set syn to the speed the telco is providing, eg 1Mbit = 1024000
set syn=syn0 speed=2048000
# Frame Relay Configuration
# Note: By default LMI is set to "LMIrev1" which is the same as "cisco" LMI type.
# To 'packet shape', set the CIRLIMIT to the PIR supplied.
create fr=0 over=syn0
set fr=0 dlc=102 cir=1024000 cirlimit=yes
# Interfaces
set int=fr0 mtu=1500
# IP Configuration
enable ip
add ip int=fr0 ip=200.200.200.1 mask=255.255.255.252
add ip int=eth0 ip=192.168.10.1
add ip int=eth1 ip=210.1.1.1 mask=255.255.255.252
add ip route=0.0.0.0 next=0.0.0.0 mask=0.0.0.0 int=fr0 dlc=102
# Firewall: two policies, one per trust zone. In "main" the LAN is private and both the
# Internet and the DMZ are public; in "dmz" the DMZ is private and the LAN and Internet are public.
enable firewall
create firewall poli=main
add firewall poli=main int=eth0 type=private
add firewall poli=main int=eth1 type=public
add firewall poli=main int=fr0 type=public
add firewall poli=main nat=enhanced int=eth0 gblint=fr0
create firewall poli=dmz
add firewall poli=dmz int=eth0 type=public
add firewall poli=dmz int=eth1 type=private
add firewall poli=dmz int=fr0 type=public
# Only SMTP from the Internet may reach the DMZ host 210.1.1.2
add firewall poli=dmz ru=1 ac=allow int=fr0 ip=210.1.1.2 prot=tcp port=25
# The internal LAN may reach anything in the DMZ
add firewall poli=dmz ru=100 ac=allow int=eth0 prot=all
5.4. Logical interfacing to Frame Relay, Internet connection via ISP with Private Network
[Diagram: Site A (192.168.1.0, mail server 192.168.1.2, 192.168.254.1) with DLCIs 102 and 103 to Site B
(192.168.2.0, 192.168.254.2) and Site C (192.168.3.0), DLCI 101 at the remote ends, and DLCI 104 to the ISP
(200.200.200.1/30 - 200.200.200.2/30) for the Internet; one CentreCOM AR300 per site]
Router A
#
# Frame Relay Configuration
# Note: By default LMI is set to "LMIrev1" which is the same as "cisco" LMI type.
create fr=0 over=syn0
add fr=0 li=1 type=ptp
add fr=0 li=2
set fr=0 dlc=102 li=2
set fr=0 dlc=103 li=2
set fr=0 dlc=104 li=1
#
# IP Configuration
#
enable ip
add ip int=fr0.2 ip=192.168.254.1
add ip int=fr0.1 ip=200.200.200.1 mask=255.255.255.252
add ip int=eth0 ip=192.168.1.1
add ip route=0.0.0.0 next=0.0.0.0 mask=0.0.0.0 int=fr0.1 dlc=104
add ip route=192.168.2.0 next=192.168.254.2 mask=255.255.255.0 int=fr0.2 dlc=102
add ip route=192.168.3.0 next=192.168.254.3 mask=255.255.255.0 int=fr0.2 dlc=103
enable ip nat
enable ip nat log=all
add ip nat ip=192.168.0.0 mask=255.255.0.0 gblip=200.200.200.1
add ip nat ip=192.168.1.2 mask=255.255.255.255 port=smtp gblip=200.200.200.1 gblport=smtp proto=tcp
Routers B and C would remain configured as in example 5.1 (no FRIs).
5.4.1. OSPF on the private network, 5.4 continued
Router A (first remove the 2 static routes to the private network sites; leave the default route)
#
# Frame Relay Configuration
# Note: By default LMI is set to "LMIrev1" which is the same as "cisco" LMI type.
create fr=0 over=syn0
add fr=0 li=1 type=ptp
add fr=0 li=2 type=ptp
add fr=0 li=3 type=ptp
set fr=0 dlc=102 li=2
set fr=0 dlc=103 li=3
set fr=0 dlc=104 li=1
#
# IP Configuration
#
enable ip
add ip int=fr0.2 ip=192.168.254.1 mask=255.255.255.252
add ip int=fr0.3 ip=192.168.254.5 mask=255.255.255.252
add ip int=fr0.1 ip=200.200.200.1 mask=255.255.255.252
add ip int=eth0 ip=192.168.1.1
add ip route=0.0.0.0 next=0.0.0.0 mask=0.0.0.0 int=fr0.1 dlc=104
enable ip nat
enable ip nat log=all
add ip nat ip=192.168.0.0 mask=255.255.0.0 gblip=200.200.200.1
add ip nat ip=192.168.1.2 mask=255.255.255.255 port=smtp gblip=200.200.200.1 gblport=smtp proto=tcp
#
# OSPF Configuration
# asexternal=on imports routes learnt outside OSPF (including the connected eth0 networks)
# as AS-external routes, so the LANs are reachable without being OSPF interfaces themselves.
#
set ospf routerid=192.168.254.1 asexternal=on
add ospf area=backbone stubarea=off summary=send
add ospf range=192.168.254.0 area=backbone mask=255.255.255.0
add ospf interface=fr0.2 area=backbone
add ospf interface=fr0.3 area=backbone
enable ospf
Router B
#
# Frame Relay Configuration
# Note: By default LMI is set to "LMIrev1" which is the same as "cisco" LMI type.
create fr=0 over=syn0
add fr=0 li=1 type=ptp
set fr=0 dlc=101 li=1
#
# IP Configuration
#
enable ip
add ip int=fr0.1 ip=192.168.254.2 mask=255.255.255.252
add ip int=eth0 ip=192.168.2.1
#
# OSPF Configuration
#
set ospf routerid=192.168.254.2 asexternal=on
add ospf area=backbone stubarea=off summary=send
add ospf range=192.168.254.0 area=backbone mask=255.255.255.0
add ospf interface=fr0.1 area=backbone
enable ospf
Router C
#
# Frame Relay Configuration
# Note: By default LMI is set to "LMIrev1" which is the same as "cisco" LMI type.
create fr=0 over=syn0
add fr=0 li=1 type=ptp
set fr=0 dlc=101 li=1
#
# IP Configuration
# Router A's fr0.3 is 192.168.254.5/30, so this end must be 192.168.254.6 (the 192.168.254.4/30 subnet).
# 192.168.254.3 would be the broadcast address of the 192.168.254.0/30 subnet used by Router B.
#
enable ip
add ip int=fr0.1 ip=192.168.254.6 mask=255.255.255.252
add ip int=eth0 ip=192.168.3.1
#
# OSPF Configuration
#
set ospf routerid=192.168.254.6 asexternal=on
add ospf area=backbone stubarea=off summary=send
add ospf range=192.168.254.0 area=backbone mask=255.255.255.0
add ospf interface=fr0.1 area=backbone
enable ospf
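The OSPF example only works if each fr0.N point-to-point pair shares one /30. The following Python script is an added example, not part of the Allied Telesyn document: it parses the 'add ip int=' lines of the three routers (copied from the example above, with Router C's original 192.168.254.3 kept as the input so there is a fault to find) and reports any end that is a network or broadcast address, and any pair that is not in the same subnet. The LINKS table (which Router A interface faces which router) is an assumption taken from the diagram; nothing is sent to a router.

```python
import ipaddress
import re

# Constructed sample input: the "add ip int=" lines of the three routers in the
# 5.4.1 example, with Router C's original 192.168.254.3 left in place so the
# check has a real fault to report.
CONFIGS = {
    "A": """
add ip int=fr0.2 ip=192.168.254.1 mask=255.255.255.252
add ip int=fr0.3 ip=192.168.254.5 mask=255.255.255.252
add ip int=fr0.1 ip=200.200.200.1 mask=255.255.255.252
add ip int=eth0 ip=192.168.1.1
""",
    "B": """
add ip int=fr0.1 ip=192.168.254.2 mask=255.255.255.252
add ip int=eth0 ip=192.168.2.1
""",
    "C": """
add ip int=fr0.1 ip=192.168.254.3 mask=255.255.255.252
add ip int=eth0 ip=192.168.3.1
""",
}

# Assumed from the diagram: which Router A logical interface is mapped (by DLCI)
# to which remote router interface.
LINKS = [("A", "fr0.2", "B", "fr0.1"), ("A", "fr0.3", "C", "fr0.1")]

INT_RE = re.compile(r"add ip int=(\S+) ip=(\S+)(?: mask=(\S+))?")


def parse_interfaces(config_text):
    """Map interface name -> IPv4Interface from AlliedWare 'add ip int=' lines.
    A missing mask falls back to /24, the classful default for a 192.168.x.x address."""
    interfaces = {}
    for line in config_text.splitlines():
        match = INT_RE.match(line.strip())
        if match:
            name, ip, mask = match.groups()
            interfaces[name] = ipaddress.IPv4Interface(f"{ip}/{mask or '255.255.255.0'}")
    return interfaces


def check_links(configs, links):
    """Return one problem string per fault; an empty list means every link is consistent.
    Neither end may be the network or broadcast address of its subnet, and both ends of a
    point-to-point link must be in the same subnet, or OSPF never forms the adjacency."""
    parsed = {router: parse_interfaces(text) for router, text in configs.items()}
    problems = []
    for router_a, int_a, router_b, int_b in links:
        end_a, end_b = parsed[router_a][int_a], parsed[router_b][int_b]
        for label, end in ((f"{router_a}:{int_a}", end_a), (f"{router_b}:{int_b}", end_b)):
            if end.ip in (end.network.network_address, end.network.broadcast_address):
                problems.append(f"{label} {end} is the network or broadcast address of {end.network}")
        if end_a.network != end_b.network:
            problems.append(f"{router_a}:{int_a} {end_a} and {router_b}:{int_b} {end_b} are in different subnets")
    return problems


def with_router_c_fixed(configs):
    """Return a copy of the configs with Router C moved to 192.168.254.6, the usable
    address that pairs with Router A's 192.168.254.5/30."""
    fixed = dict(configs)
    fixed["C"] = configs["C"].replace("ip=192.168.254.3 ", "ip=192.168.254.6 ")
    return fixed


if __name__ == "__main__":
    for problem in check_links(CONFIGS, LINKS) or ["all point-to-point links consistent"]:
        print(problem)
```

Run as-is it reports the two faults on the Router C link (an address on the subnet boundary, and a subnet mismatch against fr0.3); with Router C on 192.168.254.6 it reports nothing.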
Firewall Configs
6. Simple Firewall over Ethernet with internal mail server
[Diagram: Site A (192.168.10.0, CentreCOM AR300, mail server 192.168.10.2) - eth1 200.200.200.0/30 - Internet
(private / firewall / public)]
Router A
#
# IP Configuration
#
enable ip
add ip int=eth1 ip=200.200.200.1 mask=255.255.255.252
set ip int=eth1 proxy=off
add ip int=eth0 ip=192.168.10.1
add ip route=0.0.0.0 next=200.200.200.2 mask=0.0.0.0 int=eth1
#
# Firewall Configuration
# To enable outgoing ping see example 6.1.2
enable firewall
enable firewall notify=port,manager port=0
create firewall policy="main"
add firewall policy="main" int=eth0 type=private
add firewall policy="main" int=eth1 type=public
# The public side of this example is eth1 (there is no ppp0 here), so NAT uses gblin=eth1
add firewall poli="main" nat=enhanced int=eth0 gblin=eth1 gblip=200.200.200.1
add firewall poli="main" ru=1 ac=allow int=eth1 prot=tcp po=25 ip=192.168.10.2 gblip=200.200.200.1 gblport=25
6.1.2. PINGING, Email notification, accounting, and logging
Router A
set mail host=mydomain.mail.com
set ip nameserver=100.100.100.100
#
# Firewall Configuration
#
# Ping is blocked by default; to let outgoing pings out and their responses back in:
enable firewall policy=main icmp_forward=ping
enable firewall policy="main" accounting
enable firewall policy="main" log=indeny
enable firewall notify=port,manager,mail port=0 to=it_manager@support.co.nz
# Or, if no name server is defined
enable firewall notify=port,manager,mail port=0 to=it_manager@[192.168.10.2]

6.1.3. Internet Access to Firewall Router
Router A:
#
# Firewall
# Note: Always include a remote user IP address (rem=) to maintain relatively secure access.
# This pinhole opens telnet (TCP 23) to the router's own address; telnet carries the login in clear
# text, so keep the rem= range as tight as possible. The public interface in this example is eth1.
add firewall poli="main" ru=2 ac=allow int=eth1 prot=tcp po=23 ip=192.168.10.1 gblip=200.200.200.1 gblport=23 rem=<remote manager ip address>
6.1.4. UDP Video link through firewall performance tweak
Are you having problems with UDP-based video conferencing or UDP-based encrypted link throughput? If you have a
firewall set up it could be detecting the packets as part of a UDP attack and throttling the bandwidth, causing jitter,
no voice and generally slow performance.
Router A:
#
# Firewall
# Raise the UDP attack detection threshold (det=100) and shorten the UDP session timeout (udptime=1).
# A higher threshold also makes genuine UDP floods harder to detect, so apply it only to the policy
# that carries the video traffic.
set firewall poli="main" attack=udpattack det=100
set firewall poli=main udptime=1
6.2. Private Frame Relay with Firewall on ISP Internet PVC
[Diagram: as 5.4: Site A (192.168.1.0, mail server 192.168.1.2, 192.168.254.1) with DLCIs 102 and 103 to Site B
(192.168.2.0, 192.168.254.2) and Site C (192.168.3.0), DLCI 101 at the remote ends, and DLCI 104 to the ISP
(200.200.200.1/30 - 200.200.200.2/30) for the Internet]
Router A
#
# Frame Relay Configuration
# Note: By default LMI is set to "LMIrev1" which is the same as "cisco" LMI type.
create fr=0 over=syn0
add fr=0 li=1 type=ptp
add fr=0 li=2
set fr=0 dlc=102 li=2
set fr=0 dlc=103 li=2
set fr=0 dlc=104 li=1
#
# IP Configuration
#
enable ip
add ip int=fr0.2 ip=192.168.254.1
add ip int=fr0.1 ip=200.200.200.1 mask=255.255.255.252
add ip int=eth0 ip=192.168.1.1
add ip route=0.0.0.0 next=0.0.0.0 mask=0.0.0.0 int=fr0.1 dlc=104
add ip route=192.168.2.0 next=192.168.254.2 mask=255.255.255.0 int=fr0.2 dlc=102
add ip route=192.168.3.0 next=192.168.254.3 mask=255.255.255.0 int=fr0.2 dlc=103
#
# Firewall Configuration
# To enable outgoing ping see example 6.1.2
# Both the LAN (eth0) and the private PVCs (fr0.2) are private; only the ISP PVC (fr0.1) is public,
# so the remote sites are NATed out through 200.200.200.1 as well.
enable firewall
enable firewall notify=port,manager port=0
create firewall policy="main"
add firewall policy="main" int=eth0 type=private
add firewall policy="main" int=fr0.2 type=private
add firewall policy="main" int=fr0.1 type=public
add firewall poli="main" nat=enhanced int=eth0 gblin=fr0.1 gblip=200.200.200.1
add firewall poli="main" nat=enhanced int=fr0.2 gblin=fr0.1 gblip=200.200.200.1
add firewall poli="main" ru=1 ac=allow int=fr0.1 prot=tcp po=25 ip=192.168.1.2 gblip=200.200.200.1 gblport=25
Routers B and C would be configured without logical interfaces as in example 5.1, with a default route.
6.3. Firewall over Ethernet with Private IP addresses only on the LAN
Router A
#
# IP Configuration
#
enable ip
add ip int=eth1 ip=200.200.200.1 mask=255.255.255.252
add ip int=eth0 ip=192.168.10.1
add ip route=0.0.0.0 next=200.200.200.2 mask=0.0.0.0 int=eth1
#
# Firewall Configuration
# To enable outgoing ping see example 6.1.2
enable firewall
enable firewall notify=port,manager port=0
create firewall policy="main"
add firewall policy="main" int=eth0 type=private
add firewall policy="main" int=eth1 type=public
add firewall poli="main" nat=enhanced int=eth0 gblin=eth1 gblip=200.200.200.1-200.200.200.3
add firewall poli="main" ru=1 ac=allow int=eth1 prot=tcp po=25 ip=192.168.10.2 gblip=200.200.200.2 gblp=25
add firewall poli="main" ru=2 ac=allow int=eth1 prot=tcp po=80 ip=192.168.10.3 gblip=200.200.200.3 gblp=80
Note: the global addresses in this example are illustrative only. Because eth1 is a /30 (200.200.200.0/30),
200.200.200.2 is the ISP next hop used by the default route and 200.200.200.3 is the subnet broadcast address.
In a real deployment the server pinholes need public addresses from a block the ISP routes to the firewall,
separate from the transit /30.
[Diagram: Site A (192.168.10.0; web server 192.168.10.3, mail server 192.168.10.2) - CentreCOM AR300 - eth1
200.200.200.0/30 - Internet (private / firewall / public). Internet addresses: mail server 200.200.200.2,
web server 200.200.200.3]
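The note in 6.1.3 (always include rem= on a management pinhole) and the /30 addressing in 6.3 are the kind of thing worth checking mechanically before a config is loaded. The script below is an added example, not from the original document or from Allied Telesyn: it parses AlliedWare 'add ip' and 'add firewall' lines of the form used in sections 6 to 6.3 and flags allow rules that expose one of the router's own addresses without rem=, and pinholes whose global address is the default-route next hop or the public subnet's broadcast address. The sample config is constructed from 6.3 plus the 6.1.3 telnet rule; the ALIASES table of parameter abbreviations and 203.0.113.10 as the manager address are assumptions of the example.

```python
import ipaddress

# AlliedWare accepts any unique abbreviation of a parameter name; these are the
# short forms used in the examples (assumed table, extend as needed).
ALIASES = {"poli": "policy", "ru": "rule", "ac": "action", "prot": "protocol",
           "po": "port", "gblp": "gblport", "rem": "remoteip"}

# Constructed sample: the 6.3 config plus the 6.1.3 management pinhole, without rem=.
SAMPLE_CONFIG = """
add ip int=eth1 ip=200.200.200.1 mask=255.255.255.252
add ip int=eth0 ip=192.168.10.1
add ip route=0.0.0.0 next=200.200.200.2 mask=0.0.0.0 int=eth1
enable firewall
create firewall policy="main"
add firewall policy="main" int=eth0 type=private
add firewall policy="main" int=eth1 type=public
add firewall poli="main" nat=enhanced int=eth0 gblin=eth1 gblip=200.200.200.1-200.200.200.3
add firewall poli="main" ru=1 ac=allo int=eth1 prot=tcp po=25 ip=192.168.10.2 gblip=200.200.200.2 gblp=25
add firewall poli="main" ru=2 ac=allo int=eth1 prot=tcp po=80 ip=192.168.10.3 gblip=200.200.200.3 gblp=80
add firewall poli="main" ru=3 ac=allo int=eth1 prot=tcp po=23 ip=192.168.10.1 gblip=200.200.200.1 gblport=23
"""


def parse_line(line):
    """Split one command into (verb, module, {parameter: value}); None for non-commands.
    Abbreviated parameter names are expanded and quotes around values dropped."""
    tokens = line.strip().split()
    if len(tokens) < 3:
        return None
    params = {}
    for token in tokens[2:]:
        if "=" in token:
            key, value = token.split("=", 1)
            params[ALIASES.get(key, key)] = value.strip('"')
    return tokens[0].lower(), tokens[1].lower(), params


def lint_firewall(config_text):
    """Return [(rule, code, detail)] for three checks:
    MGMT_NO_REMOTE      an allow rule targets one of the router's own addresses (management
                        access, as in 6.1.3) but carries no rem= source restriction;
    GBLIP_IS_NEXT_HOP   a pinhole's global address is the default-route next hop;
    GBLIP_IS_BROADCAST  a pinhole's global address is the broadcast address of the public
                        interface's subnet (both happen on the /30 in 6.3)."""
    own = {}            # interface name -> IPv4Interface
    next_hops = set()
    rules = []
    for line in config_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        verb, module, p = parsed
        if (verb, module) == ("add", "ip") and "int" in p and "ip" in p:
            own[p["int"]] = ipaddress.IPv4Interface(f"{p['ip']}/{p.get('mask', '255.255.255.0')}")
        elif (verb, module) == ("add", "ip") and "route" in p and "next" in p:
            next_hops.add(p["next"])
        elif (verb, module) == ("add", "firewall") and "rule" in p:
            action = p.get("action", "")
            if action and "allow".startswith(action):   # prefix match, like the CLI itself
                rules.append(p)

    own_addresses = {str(itf.ip) for itf in own.values()}
    findings = []
    for r in rules:
        rule, gbl = r["rule"], r.get("gblip")
        if r.get("ip") in own_addresses and "remoteip" not in r:
            findings.append((rule, "MGMT_NO_REMOTE",
                             f"rule {rule} exposes router address {r['ip']} port {r.get('port')} to any source"))
        if gbl in next_hops:
            findings.append((rule, "GBLIP_IS_NEXT_HOP", f"rule {rule} gblip {gbl} is the default-route next hop"))
        public = own.get(r.get("int"))
        if gbl and public and ipaddress.IPv4Address(gbl) == public.network.broadcast_address:
            findings.append((rule, "GBLIP_IS_BROADCAST",
                             f"rule {rule} gblip {gbl} is the broadcast address of {public.network}"))
    return findings


def with_remote_restriction(config_text, manager_ip):
    """Append rem=<manager_ip> to the telnet pinhole, the fix that 6.1.3 asks for."""
    return config_text.replace("gblport=23", f"gblport=23 rem={manager_ip}")


if __name__ == "__main__":
    for _, code, detail in lint_firewall(SAMPLE_CONFIG):
        print(f"{code}: {detail}")
```

On the sample it reports three findings, one per rule; adding rem= to the telnet rule removes the MGMT_NO_REMOTE finding and leaves the two addressing problems, which need a routed public block rather than a config tweak.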
6.4. Firewall with ADSL
Router A
#
# IP Configuration
#
enable ip
add ip int=eth1 ip=192.168.1.1
add ip int=eth0 ip=192.168.10.1
add ip route=0.0.0.0 next=192.168.1.2 mask=0.0.0.0 int=eth1
#
# Firewall Configuration
# To enable outgoing ping see example 6.1.2
enable firewall
enable firewall notify=port,manager port=0
create firewall policy="main"
add firewall policy="main" int=eth0 type=private
add firewall policy="main" int=eth1 type=public
add firewall poli="main" nat=enhanced int=eth0 gblin=eth1 gblip=192.168.1.1
add firewall poli="main" ru=1 ac=allow int=eth1 prot=tcp po=25 ip=192.168.10.2 gblip=192.168.1.1 gblp=25
add firewall poli="main" ru=2 ac=allow int=eth1 prot=tcp po=80 ip=192.168.10.3 gblip=192.168.1.1 gblp=80
ADSL modem: pinhole everything (UDP and TCP) through to the outside router interface (192.168.1.1).
Note: once the modem forwards every port to 192.168.1.1, the AR firewall is the only filter in the path, so
have the policy above in place before the modem is opened up.
[Diagram: Site A (192.168.10.0; web server 192.168.10.3, mail server 192.168.10.2) - CentreCOM AR300 firewall,
eth1 192.168.1.1 - ADSL modem 192.168.1.2 (192.168.1.0/24, NAT at both the router and the modem) - Internet
200.200.200.1/30. Transit addresses: mail and web server both 192.168.1.1; Internet addresses: both 200.200.200.1]
6.5. Firewall over PPP with a DMZ LAN
[Diagram: Site A LAN 192.168.0.0 (eth0 192.168.0.1, outgoing web access) - CentreCOM AR300 - ppp0 200.2.2.1 -
Internet; DMZ on eth1 208.10.10.1 with server 208.10.10.20 (private / firewall / public)]
Note: Be aware that with many Internet Providers it may be more suitable to turn LQR (Link Quality Reporting) off on PPP
links, and instead use LCP Echo Request and Echo Reply messages to determine link quality (echo=on). Simply add
'lqr=off echo=on' to the PPP creation command.
Router A
create ppp=0 over=syn0
enable ip
add ip int=eth0 ip=192.168.0.1
add ip int=eth1 ip=208.10.10.1
add ip int=ppp0 ip=200.2.2.1
add ip rou=0.0.0.0 mask=0.0.0.0 int=ppp0 next=0.0.0.0
enable firewall
create firewall policy="LAN"
enable firewall policy="LAN" icmp_f=ping
add firewall policy="LAN" int=eth0 type=private
add firewall policy="LAN" int=ppp0 type=public
add firewall policy="LAN" int=eth1 type=public
add firewall poli="LAN" nat=enhanced int=eth0 gblin=ppp0 gblip=208.10.10.1
create firewall policy="DMZ"
enable firewall policy="DMZ" icmp_f=ping
add firewall policy="DMZ" int=eth1 type=private
add firewall policy="DMZ" int=ppp0 type=public
add firewall policy="DMZ" int=eth0 type=public
# Allow access from the Internet to the web server (domain registered to 208.10.10.20)
add firewall poli="DMZ" ru=1 ac=allow int=ppp0 prot=tcp po=80 ip=208.10.10.20
# Allow any access to the DMZ from the eth0 LAN
add firewall poli="DMZ" ru=100 ac=allow int=eth0 prot=all
Note: because each policy treats the other zone as public, a compromised DMZ host gets no more access to the LAN
than the Internet does: the "LAN" policy has no rule allowing sessions in from eth1.
6. VPN
6.1. GRE Tunnel, NAT, and Internet
(Preferred example uses L2TP with firewall. Refer example 6.2)
Router A (Router B: reverse IP addresses as per diagram)
#
# GRE
#
enable gre
add gre=1 sour=192.168.10.0 smask=255.255.255.0 dest=192.168.20.0 dmask=255.255.255.0 target=222.222.222.1
#
# IP
# Note: NAT must be on for this configuration to work correctly
enable ip
add ip int=eth0 ip=192.168.10.1 mask=255.255.255.0
add ip int=eth1 ip=200.200.200.1
add ip rou=0.0.0.0 next=200.200.200.2 int=eth1
set ip int=eth0 gre=1
enable ip nat
enable ip nat log=all
add ip nat ip=192.168.10.0 mask=255.255.255.0 gblip=200.200.200.1
[Figure: Site A 192.168.10.0 (router public address 200.200.200.1) and Site B 192.168.20.0 (router public address 222.222.222.1) joined by a virtual tunnel across the Internet; both sites also have Internet access.]
6.2. L2TP Tunnel, Firewall and Internet
Note: Be aware that with many Internet Providers it may be more suitable to turn LQR (link quality reporting) off on PPP links, and instead use LCP Echo Request and Echo Reply messages to determine link quality (echo=on). Simply add "lqr=off echo=on" to the PPP creation command.
Router A (Router B: reverse IP addresses as per diagram)
#
# L2TP Configuration
enable l2tp
enable l2tp server=both
add l2tp call="tunnel" rem="tunnel" ip=222.222.222.1 ty=virtual prec=in
set l2tp call="tunnel" pass=secret
set l2tp pass=secret
#
# ppp configuration
# Note: Tunnel is PPP10
create ppp=10 over=tnl-tunnel idle=999999999
#
# IP
#
enable ip
add ip int=eth0 ip=192.168.10.1 mask=255.255.255.0
add ip int=eth1 ip=200.200.200.1
add ip int=ppp10 ip=192.168.1.1
add ip rou=0.0.0.0 next=200.200.200.2 int=eth1
add ip rou=192.168.20.0 next=0.0.0.0 int=ppp10
#
# Firewall
# To enable outgoing ping see example 5.1.1
enable firewall
create firewall policy="main"
add firewall policy="main" int=eth0 type=private
add firewall policy="main" int=ppp10 type=private
add firewall policy="main" int=eth1 type=public
add firewall poli="main" nat=enhanced int=eth0 gblin=eth1 gblip=200.200.200.1
add fire poli=main ru=1 int=eth1 action=allow ip=200.200.200.1 proto=udp port=1701
set fire poli=main ru=1 gblip=200.200.200.1 gblp=1701 remoteip=222.222.222.1
[Figure: Site A 192.168.10.0 (200.200.200.1) and Site B 192.168.20.0 (222.222.222.1) joined by the L2TP virtual tunnel across the Internet, with PPP10 addressed 192.168.1.1 and 192.168.1.2.]
6.3. IPSec (with ISAKMP), Firewall, and VPN Client
This configuration illustrates two IPSec tunnels, allowing for a remote office, a remote VPN client (roaming user), and Internet access. The VPN client may use a dynamic IP address. This example is not suitable behind a NATing device (eg: ADSL). It relies on the Firewall "nonat" action, introduced in this example: rule 2 exempts IPSec-encapsulated traffic arriving on the public interface from NAT, and rule 3 exempts internally initiated traffic destined for the remote office, so that both match the IPSec policy address selectors unchanged.
Note: the algorithms in these scripts (single DES with SHA-1, and aggressive-mode pre-shared keys for the roaming client) reflect the release they were written for. Single DES is no longer considered secure, and aggressive mode exposes the pre-shared key to offline guessing; on a current release select the strongest algorithms both peers support and use main mode wherever the peer address is static.
Router A
set user securedelay=600
add user=secoff pass='your password' priv=sec
# ppp configuration
create ppp=0 over=syn0
# optional set ppp=0 over=syn0 lqr=off echo=on
enable ip
add ip int=eth0 ip=192.168.10.1 mask=255.255.255.0
add ip int=ppp0 ip=200.200.200.1
add ip rou=0.0.0.0 next=0.0.0.0 int=ppp0
# Firewall
# To enable outgoing ping see example 5.1.1
enable fire
create fire poli=main
add fire poli=main int=eth0 type=private
add fire poli=main int=ppp0 type=public
add fire poli=main nat=enhanced int=eth0 gblint=ppp0
add fire poli=main rule=1 int=ppp0 action=allow ip=200.200.200.1 prot=udp port=500 gblip=200.200.200.1 gblpo=500
add fire poli=main rule=2 int=ppp0 action=nonat prot=all ip=192.168.10.1-192.168.10.254 encap=ipsec
# Rule 3 for internally initiated VPN traffic to Remote Office
add firewall poli=main ru=3 ac=nonat int=eth0 prot=all ip=192.168.10.1-192.168.10.254
set firewall poli=main ru=3 remoteip=192.168.20.1-192.168.20.254
# IPSec
# Includes VPN client configuration for user "Roaming1"
ena ipsec
create ips sas=1 prot=esp hasha=null encalg=des keym=isakmp
create ips sas=2 prot=ah mode=tunn hasha=sha keym=isakmp
create ips bundle=1 keym=isakmp string="1 and 2"
create ips pol=isakmp int=ppp0 act=permit lpo=500 rpo=500
create ips pol=remoffice int=ppp0 act=ipsec key=isakmp bund=1 peer=222.222.222.1 isa=remoffice
set ips pol=remoffice lad=192.168.10.0 lmask=255.255.255.0 rad=192.168.20.0 rmask=255.255.255.0
create ips pol=roaming1 int=ppp0 act=ipsec key=isakmp bund=1 peer=dynamic isa=roaming1
set ips pol=roaming1 lad=192.168.10.0 lma=255.255.255.0
create ips pol=internet int=ppp0 act=permit
# ISAKMP
# Note: Use Section 1.5 to enable system security and generate an Encryption Key of type GENERAL on
# router A and B
# This example uses the same network key for all ISAKMP Exchanges
cre isa pol=remoffice peer=222.222.222.1 hashalg=sha key=1
set isa pol=remoffice senddeletes=on setcommitbit=on sendnotify=on
# Only one policy is required for all dial-up users.
cre isa pol=roaming1 peer=any hashalg=sha key=1 mode=aggressive
set isa pol=roaming1 senddeletes=on setcommitbit=on sendnotify=on
enable isakmp
# Optional authentication of remote sites to be done at the head office using a UAD or Radius Server
#set isa pol=roaming1 xauth=server xauthtype=generic
#add radius server=192.168.10.254 secret=secret
# OR add user=boblogin pass=bobpass
Router B
[Figure: Site A 192.168.10.0 (200.200.200.1) and Site B 192.168.20.0 (222.222.222.1) joined by a virtual tunnel across the Internet; a VPN client (roaming user) with a dynamic IP address also tunnels to Site A.]
set sys name=remoffice
set user securedelay=600
add user=secoff pass='your password' priv=sec
create ppp=0 over=syn0
enable ip
add ip int=eth0 ip=192.168.20.1
add ip int=ppp0 ip=222.222.222.1
add ip rou=0.0.0.0 mask=0.0.0.0 int=ppp0 next=0.0.0.0
# Firewall
# To enable outgoing ping see example 5.1.1
enable firewall
create firewall policy="main"
add firewall policy="main" int=eth0 type=private
add firewall policy="main" int=ppp0 type=public
add firewall poli="main" nat=enhanced int=eth0 gblin=ppp0
add firewall poli="main" ru=1 ac=allo int=ppp0 prot=udp po=500 ip=222.222.222.1 gblip=222.222.222.1 gblp=500
add firewall poli="main" ru=2 ac=non int=ppp0 prot=ALL ip=192.168.20.1-192.168.20.254 enc=ips
# Rule 3 for internally initiated VPN traffic to Head Office
add firewall poli="main" ru=3 ac=non int=eth0 prot=ALL ip=192.168.20.1-192.168.20.254
set firewall poli="main" ru=3 rem=192.168.10.1-192.168.10.254
create ipsec sas=1 key=isakmp prot=esp enc=des hasha=null
create ipsec sas=2 key=isakmp mode=tunnel prot=ah hasha=sha
create ipsec bund=1 key=isakmp string="1 and 2"
create ipsec pol=isakmp int=ppp0 act=permit lpo=500 rpo=500
create ipsec pol="remoffice" int=ppp0 ac=ipsec key=isakmp bund=1 peer=200.200.200.1 isa=remoffice
set ipsec pol="remoffice" lad=192.168.20.0 lma=255.255.255.0 rad=192.168.10.0 rmas=255.255.255.0
create ipsec pol="internet" int=ppp0 ac=permit
enable ipsec
# ISAKMP
# Note: Use Section 1.5 to enable system security and generate an Encryption Key of type GENERAL on
# router A and B
create isakmp pol=remoffice hashalg=sha pe=200.200.200.1 key=1
set isakmp pol=remoffice sendd=true setc=true sendnotify=on
enable isakmp
6.3.1. IPSec Client option for Example 6.3
IPSec Client Configuration for User "Roaming1"
#
# ISAKMP
# This example uses the same network key for all ISAKMP Exchanges
create enco key=1 type=gen val='network key for ISAKMP Exchange'
create isa pol=roaming1 peer=200.200.200.1 hashalg=sha key=1 mode=aggressive
set isa pol=roaming1 senddeletes=on setcommitbit=on sendnotify=on
# IPSec
# Includes VPN client configuration for user "Roaming1"
create ips sas=1 prot=esp hasha=null encalg=des keym=isakmp
create ips sas=2 prot=ah mode=tunn hasha=sha keym=isakmp
create ips bundle=1 keym=isakmp string="1 and 2"
create ips pol=isakmp int=dialup act=permit lpo=500 rpo=500
create ips pol=roaming1 int=dialup act=ipsec key=isakmp bund=1 peer=200.200.200.1
set ips pol=roaming1 rad=192.168.10.0 rma=255.255.255.0
create ips pol=internet int=dialup act=permit
6.4. IPSec (with Manual Key) and Firewall with NAT device (eg: ADSL), plus VPN Client (with Manual Key)
This configuration illustrates two IPSec tunnels, allowing for a remote office, a remote VPN client (roaming user), and Internet access. Manual keys never change unless they are re-entered on both ends, so treat them as a last resort for ADSL units that cannot pass UDP 500 correctly; the ISAKMP-keyed policies in this example remain the preferred form.
Note: Use the Manual Key option to get through a NATing device (eg: ADSL) between routers, or use example 6.2 (L2TP).
[Figure: Site A 192.168.10.0 behind a NATing ADSL unit (router eth1 192.168.1.253, ADSL 192.168.1.254, Internet address 200.200.200.1); Site B 192.168.20.0 (222.222.222.1); Site C PCs 192.168.30.2-3 behind an ADSL unit; and a VPN client (roaming user) with a dynamic IP address. ADSL: pinhole the VPN ports (UDP 2746, UDP 500) through to the router interface. Note: manual keys are sometimes required due to poor pinholing of UDP 500 on some ADSL routers.]
Router A
set user securedelay=600
add user=secoff pass='your password' priv=sec
# IP
#
enable ip
add ip int=eth0 ip=192.168.10.1
add ip int=eth1 ip=192.168.1.253
add ip rou=0.0.0.0 next=192.168.1.254 int=eth1
# Firewall
# To enable outgoing ping see example 5.1.1
enable fire
create fire poli=main
add fire poli=main int=eth0 type=private
add fire poli=main int=eth1 type=public
add fire poli=main nat=enhanced int=eth0 gblint=eth1
add firewall poli=main ru=1 ac=allo int=eth1 prot=udp po=500 ip=200.200.200.1 gblip=200.200.200.1 gblpo=500
add firewall poli=main ru=2 ac=allo int=eth1 prot=udp po=2746 ip=200.200.200.1 gblip=200.200.200.1 gblpo=2746
add fire poli=main rule=3 int=eth1 action=nonat ip=192.168.10.1-192.168.10.254 prot=all encap=ipsec
# Rule 4 for internally initiated VPN traffic to Remote Office
add firewall poli=main ru=4 ac=nonat int=eth0 prot=all ip=192.168.10.1-192.168.10.254
set firewall poli=main ru=4 remoteip=192.168.20.1-192.168.20.254
add firewall poli=main ru=5 ac=nonat int=eth0 prot=all ip=192.168.10.1-192.168.10.254
set firewall poli=main ru=5 remoteip=192.168.30.2-192.168.30.3
# IPSec
# Includes VPN client configuration for user "Roaming1". The same key is used for the remote office
# and the remote VPN client PC (laptop).
# Note: Use Section 1.5 to enable system security and generate an Encryption Key of type DES on
# router A for "Pc1" & "Pc2" and type "general" for isakmp.
# Manual key examples are included because some adsl modems' pinholes do not support isakmp correctly.
create ipsec sas=1 key=isakmp prot=esp enc=des hasha=sha
create ipsec sas=3 key=manual prot=esp enc=des hasha=sha enckey=1 inspi=1557 outspi=1557
create ipsec sas=4 key=manual prot=esp enc=des hasha=sha enckey=1 inspi=155 outspi=155
create ipsec bund=1 key=isakmp string="1"
create ipsec bund=3 keym=manual string="3"
create ipsec bund=4 keym=manual string="4"
cre ips pol=udptunn int=eth1 act=permit lpo=2746
create ipsec pol=isakmp int=eth1 ac=permit
set ipsec pol=isakmp lp=500 rp=500
create ips pol=remoffice int=eth1 act=ipsec key=isakmp bund=1 peer=222.222.222.1 isa=global
set ips pol=remoffice lad=192.168.10.0 lmask=255.255.255.0 rad=192.168.20.0 rmask=255.255.255.0
set ipsec poli=remoffice udpt=TRUE udph=TRUE
create ipsec pol=roaming1 int=eth1 act=ipsec bund=1 peer=any keym=isakmp isa=global
set ipsec pol=roaming1 lad=192.168.10.0 lma=255.255.255.0 rad=192.168.40.1
set ipsec poli=roaming1 udpt=TRUE udph=TRUE
create ipsec pol=pc1 int=eth1 act=ipsec bund=3 peer=any keym=manual
set ipsec pol=pc1 lad=192.168.10.0 lma=255.255.255.0 rad=192.168.30.2
set ipsec poli=pc1 udpt=TRUE udph=TRUE
create ipsec pol=pc2 int=eth1 act=ipsec bund=4 peer=any keym=manual
set ipsec pol=pc2 lad=192.168.10.0 lma=255.255.255.0 rad=192.168.30.3
set ipsec poli=pc2 udpt=TRUE udph=TRUE
create ips pol=internet int=eth1 act=permit
ena ipsec
create isakmp pol=global pe=any mode=aggressive key=2
set isakmp pol=global sendd=true sendn=true setc=true
set isakmp pol=global hear=both localid=headoffice remoteid=remote
enable isakmp
6.4.1. IPSec Client option for Example 6.4
IPSec Client Configuration for User "Site2" (Isakmp key)
add fire poli=vpn rule=1 action=nat nattype=enhanced int=all prot=all gblip=192.168.20.1 remoteip=192.168.10.1-192.168.10.254
create enco key=1 type=gen val='router A - number 2 key'
#
# IPSec
# Includes VPN client configuration for user Bob
create ips sas=1 prot=esp hasha=sha encalg=des keym=isakmp enckey=1 isakmp=global
create ips bundle=1 keym=isakmp string=1
create ips pol=roaming1 int=all act=ipsec key=isakmp bund=1 peer=200.200.200.1
set ips pol=roaming1 rad=192.168.10.0 rma=255.255.255.0 lad=192.168.20.1 lmask=255.255.255.255
set ipsec poli=roaming1 udpt=TRUE udph=TRUE
create ips pol=internet int=all act=permit
create isakmp pol=global pe=200.200.200.1 mode=aggressive key=2
set isakmp pol=global sendd=true sendn=true setc=true
set isakmp pol=global hear=both localid=remote remoteid=headoffice
6.5. IPSec + ISAKMP (with L2TP) and Firewall router, behind NAT device (eg: ADSL)
This configuration illustrates an IPSec tunnel over L2TP to a remote office, and allows for Internet access.
Note: This solution uses Firewall with NAT and IPSec, supported from release 1.5.3. L2TP is used to tunnel ISAKMP/IPSec through the NAT process between routers (eg: ADSL). This is NOT an IPSec client solution!
Note: Be aware that with many Internet Providers it may be more suitable to turn LQR (link quality reporting) off on PPP links, and instead use LCP Echo Request and Echo Reply messages to determine link quality (echo=on). Simply add "lqr=off echo=on" to the PPP creation command.
Router A
[Figure: Site A 192.168.10.0 behind a NATing ADSL unit (router eth1 192.168.1.253, ADSL 192.168.1.254, Internet address 200.200.200.1) and Site B 192.168.20.0 (222.222.222.1) joined by the L2TP virtual tunnel, with PPP10 addressed 192.168.5.1 and 192.168.5.2. ADSL: pinhole UDP port 1701 (L2TP) through to the router interface.]
set user securedelay=600
add user=secoff pass='your password' priv=sec
#
# L2TP Configuration
enable l2tp
enable l2tp server=both
add l2tp call="tunnel" rem="tunnel" ip=222.222.222.1 ty=virtual prec=in
set l2tp call="tunnel" pass=secret
set l2tp pass=secret
#
# ppp configuration
# Note: Tunnel is PPP10
create ppp=10 over=tnl-tunnel idle=999999999
#
# IP
#
enable ip
add ip int=eth0 ip=192.168.10.1 mask=255.255.255.0
add ip int=eth1 ip=192.168.1.253
add ip int=ppp10 ip=192.168.5.1
add ip rou=0.0.0.0 next=192.168.1.254 int=eth1
add ip rou=192.168.20.0 next=0.0.0.0 int=ppp10
#
# Firewall
# To enable outgoing ping see example 5.1.1
enable firewall
create firewall policy="main"
add firewall policy="main" int=eth0 type=private
add firewall policy="main" int=ppp10 type=private
add firewall policy="main" int=eth1 type=public
add firewall poli="main" nat=enhanced int=eth0 gblin=eth1 gblip=192.168.1.253
add fire poli=main ru=1 int=eth1 action=allow ip=192.168.1.253 proto=udp po=1701
set fire poli=main ru=1 gblip=192.168.1.253 gblp=1701 rem=222.222.222.1
#
# IPSec
ena ipsec
create ips sas=1 prot=esp hasha=null encalg=des keym=isakmp
create ips sas=2 prot=ah mode=tunn hasha=sha keym=isakmp
create ips bundle=1 keym=isakmp string="1 and 2"
create ips pol=isakmp int=ppp10 act=permit lpo=500 rpo=500
create ips pol=tunnel int=ppp10 act=ipsec key=isakmp bund=1 peer=192.168.5.2
set ips pol=tunnel lad=192.168.10.0 lmask=255.255.255.0 rad=192.168.20.0 rmask=255.255.255.0
#
# ISAKMP
# Note: Use Section 1.5 to enable system security and generate an Encryption Key of type GENERAL
# on router A and B
# This example uses the same network key for all ISAKMP Exchanges
cre isa pol=keys peer=192.168.5.2 hashalg=sha key=1
set isa pol=keys senddeletes=on setcommitbit=on sendnotify=on
enable isakmp
Router B
set user securedelay=600
add user=secoff pass='your password' priv=sec
#
# L2TP Configuration
enable l2tp
enable l2tp server=both
set l2tp password="secret"
add l2tp call="tunnel" rem="tunnel" ip=200.200.200.1 ty=virtual prec=in
set l2tp call="tunnel" pass=secret
#
# ppp configuration
# Note: Tunnel is PPP10
create ppp=0 over=syn0
create ppp=10 over=tnl-tunnel idle=999999999
#
# IP
#
enable ip
add ip int=eth0 ip=192.168.20.1 mask=255.255.255.0
add ip int=ppp0 ip=222.222.222.1
add ip int=ppp10 ip=192.168.5.2
add ip rou=0.0.0.0 next=0.0.0.0 int=ppp0
add ip rou=192.168.10.0 next=0.0.0.0 int=ppp10
#
# Firewall
# To enable outgoing ping see example 5.1.1
enable firewall
create firewall policy="main"
add firewall policy="main" int=eth0 type=private
add firewall policy="main" int=ppp10 type=private
add firewall policy="main" int=ppp0 type=public
add firewall poli="main" nat=enhanced int=eth0 gblin=ppp0 gblip=222.222.222.1
add fire poli=main ru=1 int=ppp0 action=allow ip=222.222.222.1 proto=udp po=1701
set fire poli=main ru=1 gblip=222.222.222.1 gblp=1701 rem=200.200.200.1
#
# IPSec
#
ena ipsec
create ips sas=1 prot=esp hasha=null encalg=des keym=isakmp
create ips sas=2 prot=ah mode=tunn hasha=sha keym=isakmp
create ips bundle=1 keym=isakmp string="1 and 2"
create ips pol=isakmp int=ppp10 act=permit lpo=500 rpo=500
create ips pol=tunnel int=ppp10 act=ipsec key=isakmp bund=1 peer=192.168.5.1
set ips pol=tunnel lad=192.168.20.0 lmask=255.255.255.0 rad=192.168.10.0 rmask=255.255.255.0
#
# ISAKMP
# Note: Use Section 1.5 to enable system security and generate an Encryption Key of type GENERAL
# on router A and B
# This example uses the same network key for all ISAKMP Exchanges
cre isa pol=keys peer=192.168.5.1 hashalg=sha key=1
set isa pol=keys senddeletes=on setcomm itbit=on sendnotify=on
enable isakmp
6.6. IPSec and Firewall through two NAT gateways (eg: ADSL)
This configuration illustrates an IPSec tunnel through two NATing devices (eg: NATing ADSL gateway devices). It uses release 2.2.1, which allows ISAKMP through NATing devices without the need of L2TP, because of the introduction of the "localid" and "remoteid" parameters: once both routers sit behind NAT, the source address of the ISAKMP packet no longer identifies the peer, so each side identifies itself by name instead. It also allows for Internet access.
A future version of this example will also accommodate VPN clients, using a new release version of the VPN client.
Router A
set sys name="Head Office"
set user securedelay=600
add user=secoff pass='your password' priv=sec
# IP
#
enable ip
add ip int=eth0 ip=192.168.10.1 mask=255.255.255.0
add ip int=eth1 ip=192.168.1.253
add ip rou=0.0.0.0 next=192.168.1.254 int=eth1
# Firewall
# To enable outgoing ping see example 5.1.1
enable fire
create fire policy="main"
add fire policy="main" int=eth0 type=private
add fire policy="main" int=eth1 type=public
add fire poli="main" nat=enhanced int=eth0 gblin=eth1
add fire poli="main" ru=1 int=eth1 action=allow ip=192.168.1.253 prot=udp port=500 gblip=192.168.1.253 gblpo=500
add fire poli="main" ru=2 int=eth1 action=nonat prot=all ip=192.168.10.1-192.168.10.254 encap=ipsec
add fire poli="main" ru=3 int=eth0 action=nonat prot=all ip=192.168.10.1-192.168.10.254
set fire poli="main" ru=3 remoteip=192.168.20.1-192.168.20.254
# IPSec
#
ena ipsec
create ips sas=1 prot=esp hasha=null encalg=des keym=isakmp
create ips bundle=1 keym=isakmp string="1"
create ips pol=isakmp int=eth1 act=permit lpo=500
create ips pol=remoffice int=eth1 act=ipsec key=isakmp bund=1 peer=200.200.200.2 isa=remoffice
set ips pol=remoffice lad=192.168.10.0 lmask=255.255.255.0 rad=192.168.20.0 rmask=255.255.255.0
create ips pol=internet int=eth1 act=permit
#
# ISAKMP
# Note: Use Section 1.5 to enable system security and generate an Encryption Key of type GENERAL
# on router A and B
# This example uses the same network key for all ISAKMP Exchanges
cre isa pol=remoffice peer=200.200.200.2 hashalg=sha key=1
set isa pol=remoffice senddeletes=on setcommitbit=on sendnotify=on localid=headoffice remoteid=remote1
enable isakmp
Router B
[Figure: Site A 192.168.10.0 (router eth1 192.168.1.253, ADSL 192.168.1.254, Internet address 200.200.200.1) and Site B 192.168.20.0 (router eth1 192.168.2.253, ADSL 192.168.2.254, Internet address 200.200.200.2), each behind a NATing ADSL unit, joined by a virtual tunnel across the Internet. Both ADSL units: pinhole UDP 500 and ESP (IP protocol 50) through to the router interface.]
set sys name="Remote Office"
set user securedelay=600
add user=secoff pass='your password' priv=sec
#
# IP
#
enable ip
add ip int=eth0 ip=192.168.20.1 mask=255.255.255.0
add ip int=eth1 ip=192.168.2.253
add ip rou=0.0.0.0 next=192.168.2.254 int=eth1
#
# Firewall
# To enable outgoing ping see example 5.1.1
enable fire
create fire policy="main"
add fire policy="main" int=eth0 type=private
add fire policy="main" int=eth1 type=public
add fire poli="main" nat=enhanced int=eth0 gblin=eth1
add fire poli="main" ru=1 int=eth1 action=allow ip=192.168.2.253 prot=udp port=500 gblip=192.168.2.253 gblpo=500
add fire poli="main" ru=2 int=eth1 action=nonat prot=all ip=192.168.20.1-192.168.20.254 encap=ipsec
add fire poli="main" ru=3 int=eth0 action=nonat prot=all ip=192.168.20.1-192.168.20.254
set fire poli="main" ru=3 remoteip=192.168.10.1-192.168.10.254
#
# IPSec
#
ena ipsec
create ips sas=1 prot=esp hasha=null encalg=des keym=isakmp
create ips bundle=1 keym=isakmp string="1"
create ips pol=isakmp int=eth1 act=permit lpo=500
create ips pol=remoffice int=eth1 act=ipsec key=isakmp bund=1 peer=200.200.200.1 isa=remoffice
set ips pol=remoffice lad=192.168.20.0 lmask=255.255.255.0 rad=192.168.10.0 rmask=255.255.255.0
create ips pol=internet int=eth1 act=permit
#
# ISAKMP
# Note: Use Section 1.5 to enable system security and generate an Encryption Key of type GENERAL
# on router A and B
# This example uses the same network key for all ISAKMP Exchanges
cre isa pol=remoffice peer=200.200.200.1 hashalg=sha key=1
set isa pol=remoffice senddeletes=on setcommitbit=on sendnotify=on localid=remote1 remoteid=headoffice
enable isakmp
6.7. Two Gateways: Firewall with IPSec and ISAKMP to VPN Client + Remote Office
This example is intended for networks where there is an existing default gateway (behind a "dirty LAN") which needs to remain in service. An Allied Telesyn router is introduced as an alternative gateway, intended only for providing the IPSec VPN tunnels.
The new VPN Gateway Router defines the default gateway router as a static RIP neighbour to advertise a route to the dynamic address of the roaming VPN client.
Router A (Allied Telesyn VPN Gateway router)
[Figure: Main Office private LAN 192.168.10.0 (protected), with the VPN Gateway Router (firewall) at 192.168.10.1 and the existing default gateway (firewall, not NATing) at 192.168.10.254. Office "dirty" LAN (unprotected, valid Internet addresses) with the VPN Gateway Router at 200.200.200.13 and the office main gateway at 200.200.200.14 (200.200.200.12 is also marked). Virtual IPSec tunnels run across the Internet to the Remote Office 192.168.20.0 (222.222.222.1) and to a VPN client (roaming user) with a dynamic IP address.]
set system name="VPN Gateway"
set user securedelay=600
add user=secoff pass='your password' priv=sec
add user=boblogin pass=bobpass
add user=remoffice pass=remoffice
enable ip
add ip int=eth1 ip=200.200.200.13 mask=255.255.255.240
add ip int=eth0 ip=192.168.10.1
add ip rou=0.0.0.0 mask=0.0.0.0 int=eth1 next=200.200.200.14
add ip route template=vpnclient int=eth1 next=200.200.200.14
# RIP is used to advertise a host specific route of the VPN client to the default gateway
add ip rip int=eth0 ip=192.168.10.254 send=rip2
enable firewall
create firewall policy=main
add firewall policy=main int=eth0 type=private
add firewall policy=main int=eth1 type=public
add firewall poli=main nat=enhanced int=eth0 gblin=eth1
add firewall poli=main ru=1 ac=allo int=eth1 prot=udp po=500 ip=200.200.200.13 gblip=200.200.200.13 gblpo=500
add firewall poli=main ru=2 ac=non int=eth1 prot=ALL ip=192.168.10.1-192.168.10.254 enc=ips
# Rule 3 for internally initiated VPN traffic to Remote Office
add firewall poli=main ru=3 ac=nonat int=eth0 prot=all ip=192.168.10.1-192.168.10.254
set firewall poli=main ru=3 remoteip=192.168.20.1-192.168.20.254
set enco sw stacchannels=0
create ipsec sas=1 key=isakmp prot=esp enc=des hasha=null
create ipsec sas=2 key=isakmp prot=ah mode=tunn hasha=sha
create ipsec bund=1 key=isakmp string="1 and 2"
create ipsec pol="isakmp" int=eth1 ac=permit
set ipsec pol="isakmp" lp=500 rp=500
create ips pol=remoffice int=eth1 act=ipsec key=isakmp bund=1 peer=222.222.222.1 isa=remoffice
set ips pol=remoffice lad=192.168.10.0 lmask=255.255.255.0 rad=192.168.20.0 rmask=255.255.255.0
create ipsec pol="roaming1" int=eth1 ac=ipsec key=isakmp bund=1 peer=DYNAMIC iproutetemplate=vpnclient isa=roaming1
set ipsec pol="roaming1" lad=192.168.10.0 lma=255.255.255.0 rname=roaming1
create ipsec pol="internet" int=eth1 ac=permit
enable ipsec
#
# ISAKMP
# Note: Use Section 1.5 to enable system security and generate an Encryption Key of type GENERAL
# on router A and B
create isakmp pol=remoffice pe=222.222.222.1 hashalg=sha key=1
set isakmp pol=remoffice sendd=true setc=true
create isakmp pol=roaming1 pe=any hashalg=sha key=1
set isakmp pol=roaming1 sendd=true setc=true sendnotify=on
set isa pol=roaming1 xauth=server xauthtype=generic
enable isakmp
Existing Default Gateway Router
Configured to receive RIP. The address of the VPN Gateway Router (192.168.10.1) is configured as the only trusted static RIP neighbour. Also configure a static route for the remote office subnet (192.168.20.0), using the VPN Gateway Router as next hop.
Example of VPN Client
cre enco key=1 type=gen val=1234567890
cre isakmp policy=roaming1 hashalg=sha peer=200.200.200.13 key=1
set isakmp policy=roaming1 senddeletes=on setcommitbit=on
set isakmp policy=roaming1 xauth=client xauthname=boblogin xauthpass=bobpass
cre ipsec sas=1 keym=isakmp prot=esp encal=des hasha=null
cre ipsec sas=2 keym=isakmp prot=ah mode=tunnel hasha=sha
cre ipsec bund=1 key=isakmp string="1 and 2"
cre ipsec pol=permit int=dialup act=permit lpo=500 rpo=500
cre ipsec poli=roaming1 int=dialup act=ipsec key=isakmp bundle=1 peer=200.200.200.13
set ipsec poli=roaming1 lna=roaming1 rad=192.168.10.0 rmas=255.255.255.0
cre ipsec poli=internet int=dialup act=permit
Router B (Remote Office Router)
set system name="Remote Office"
set user securedelay=600
add user=secoff pass='your password' priv=sec
create ppp=0 over=syn0
# optional set ppp=0 over=syn0 lqr=off echo=on
enable ip
add ip int=ppp0 ip=222.222.222.1 mask=255.255.255.0
add ip int=eth0 ip=192.168.20.1
add ip rou=0.0.0.0 mask=0.0.0.0 int=ppp0 next=0.0.0.0
enable firewall
create firewall policy=main
add firewall policy=main int=eth0 type=private
add firewall policy=main int=ppp0 type=public
add firewall poli=main nat=enhanced int=eth0 gblin=ppp0
add firewall poli=main ru=1 ac=allo int=ppp0 prot=udp po=500 ip=222.222.222.1 gblip=222.222.222.1 gblpo=500
add firewall poli=main ru=2 ac=non int=ppp0 prot=ALL ip=192.168.20.1-192.168.20.254 enc=ips
# Rule 3 for internally initiated VPN traffic to Main Office
add firewall poli=main ru=3 ac=nonat int=eth0 prot=all ip=192.168.20.1-192.168.20.254
set firewall poli=main ru=3 remoteip=192.168.10.1-192.168.10.254
set enco sw stacchannels=0
create ipsec sas=1 key=isakmp prot=esp enc=des hasha=null
create ipsec sas=2 key=isakmp prot=ah mode=tunn hasha=sha
create ipsec bund=1 key=isakmp string="1 and 2"
create ipsec pol="isakmp" int=ppp0 ac=permit
set ipsec pol="isakmp" lp=500 rp=500
create ips pol=mainoffice int=ppp0 act=ipsec key=isakmp bund=1 peer=200.200.200.13 isa=mainoffice
set ips pol=mainoffice lad=192.168.20.0 lmask=255.255.255.0 rad=192.168.10.0 rmask=255.255.255.0
create ipsec pol="internet" int=ppp0 ac=permit
enable ipsec
#
# ISAKMP
# Note: Use Section 1.5 to enable system security and generate an Encryption Key of type GENERAL
# on router A and B
create isakmp pol=mainoffice peer=200.200.200.13 hashalg=sha key=1
set isakmp pol=mainoffice sendd=true setc=true sendnotify=on
set isa pol=mainoffice xauth=client xauthname=remoffice xauthpass=remoffice
enable isakmp
6.8. Notes on IPSec Testing and Verification
Testing of an IPSec tunnel.
The following are precautions to testing through IPSec tunnels:
The "ip local" IP address is best left at default. If "ip local" is set to an address other than default, this may invalidate ISAKMP negotiation.
Do not expect to test sending traffic through the IPSec tunnel by pinging from IPSec router to IPSec router. You must test between hosts or servers behind the IPSec router gateways (LAN to LAN), to ensure this traffic will match the IPSec tunnel policy address selectors.
Verification of an IPSec tunnel.
It is good practice to confirm that traffic is being encrypted. A good initial check is to observe the ISAKMP negotiation entries in the system log ("sh log"). This ISAKMP check is only valid if you are using ISAKMP (ie: not manual keys). There will be several phases of negotiation, and they should indicate successful completion. If you can see no negotiation entries in the log, or if you only see an initial start and no completed phases, then this suggests a configuration error, or no ISAKMP negotiation received from the peer. Checking "sh fire event" will allow you to see what traffic has been received from the peer, and whether it has been allowed by the firewall.
Confirmation that traffic is actually being encrypted is best seen by using a counter command such as SH IPSEC POLI=TUNNEL COUNT. Every time you send a set of 5 pings, the "outProcessDone" counters (in the Outbound Packet Processing Counters section) should increment by 5. Also, the echo reply traffic should cause the "inProcessDone" counters (in the Inbound Packet Processing Counters section) to increment by 5.
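The counter test above can be made mechanical. The routine below is an added example and not part of the original document or of the router software: it parses two captures of the counter output, taken before and after the burst of five pings, and reports whether the tunnel encrypted the requests and decrypted the replies. The line layout of the sample captures is an assumption; only the counter names and section titles come from the text above.

```python
import re

# Constructed sample captures of "sh ipsec poli=tunnel count", taken before and
# after five pings from a LAN host behind the router.  The line layout is an
# assumption; the counter names and section titles are the ones the document names.
CAPTURE_BEFORE = """\
IPsec Policy Counters: tunnel
  Outbound Packet Processing Counters
    outProcessDone ................ 120
    outProcessFail ................ 0
  Inbound Packet Processing Counters
    inProcessDone ................. 118
    inProcessFail ................. 2
"""
CAPTURE_AFTER = """\
IPsec Policy Counters: tunnel
  Outbound Packet Processing Counters
    outProcessDone ................ 125
    outProcessFail ................ 0
  Inbound Packet Processing Counters
    inProcessDone ................. 123
    inProcessFail ................. 2
"""

# A counter line: name, optional dot leaders, decimal value, nothing else.
COUNTER_RE = re.compile(r"^\s*(\w+)\s*\.*\s*(\d+)\s*$", re.MULTILINE)


def parse_counters(capture):
    """Map counter name -> value for every counter line in a capture."""
    return {name: int(value) for name, value in COUNTER_RE.findall(capture)}


def counter_deltas(before, after):
    """Per-counter increase between two captures (a counter absent before counts as 0)."""
    b, a = parse_counters(before), parse_counters(after)
    return {name: a[name] - b.get(name, 0) for name in a}


def check_ping_test(before, after, pings=5):
    """Return a list of problems; an empty list means the tunnel carried the pings.

    Each echo request must be encrypted on the way out (outProcessDone +pings) and
    each echo reply decrypted on the way in (inProcessDone +pings).  Any growth of
    the failure counters is reported as well, since it means IPsec dropped packets.
    """
    d = counter_deltas(before, after)
    problems = []
    out_done, in_done = d.get("outProcessDone", 0), d.get("inProcessDone", 0)
    if out_done < pings:
        problems.append(f"outProcessDone rose by {out_done}, expected {pings}: "
                        "outbound traffic is not matching the ipsec policy")
    if in_done < pings:
        problems.append(f"inProcessDone rose by {in_done}, expected {pings}: "
                        "replies are not coming back through the tunnel")
    for name in ("outProcessFail", "inProcessFail"):
        if d.get(name, 0):
            problems.append(f"{name} rose by {d[name]}: packets were dropped by IPsec processing")
    return problems


if __name__ == "__main__":
    verdict = check_ping_test(CAPTURE_BEFORE, CAPTURE_AFTER)
    for line in verdict or ["tunnel OK: 5 pings encrypted, 5 replies decrypted"]:
        print(line)
```

Capture the command output on the router before and after the pings, paste both into the two strings, and run the script; comparing the two captures against each other rather than reading absolute values avoids being misled by counts left over from earlier traffic.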
It is important that the IPSec policies be configured in the correct order.
If you have a "permit" IPSec Policy with open policy address selectors (intended to allow unencrypted Internet access), then this policy must be configured last, after the ACTION=IPSEC policies. Otherwise this permit policy will process all traffic and no traffic will be encrypted. The order of the IPSec policies can be checked by the SH IPSEC POLI command. In the output of this command, each policy is assigned a position number.
Troubleshooting of an IPSec tunnel.
If problems continue, then ISAKMP and IPSec debugging modes may be used. Turning on all debug modes is rather
verbose, so we recommend basic ISAKMP debugging initially. The routine below also illustrates a method to easily disable
the debugging mode after testing.
"dis isakmp debug=all" (This may give an error, but our intention is to have this command in the command buffer)
"ena isakmp debug=state" (This should allow you to see if ISAKMP is operating)
If more detail is needed then issue this command: "ena isakmp debug=trace"
To disable debugging after your test, simply press up arrow once (or twice) to recall the disable command, then press
enter. (VT100 arrows may need to be enabled).
If the basic ISAKMP debugging modes do not reveal a problem to you, then all debugging modes should be enabled and
captured to a text file and sent to your support centre. Please capture the debugging output from the router attempting to
initiate IPSec and ISAKMP by using "ena ipsec poli=tunnel debug=all" and "ena isakmp debug=all". Also capture "sh log" to
show ISAKMP log entries (as mentioned above), and capture "sh fire event" and "sh debug". Forward all this debugging to
your local technical support for analysis. Your local support centre also has access to advanced support centres if
necessary. (Allied Telesyn offers technical assistance in partnership with our authorised distributors and resellers. For
technical assistance, please contact the authorised distributor or reseller in your area). Please refer to
http://www.alliedtelesyn.co.nz/support/support.html for a list of Authorised Distributors & Resellers.
Allied Telesyn router helpful configs Page 40