Router Security Configuration Guide
UNCLASSIFIED
Version 1.0g
Some administrators will want to create tunnels to protect all protocol data flowing
between two routers. Others will want to protect only a subset of the data flow (e.g.,
all telnet, ftp, and http traffic). The following example shows an access list that
protects ALL protocol information between the North and Remote routers. Using
the any keyword (as in access-list 161 below) for both the source and destination in the
access list forces all packets to be IPSec protected. Choosing any for the source and
destination also eliminates the need for netmasking in the access list.
Access lists can be used to improve the granularity of the IPSec tunnels; see Section
4.3 to learn more about access lists.
The syntax for an access list rule, somewhat simplified, is shown below.
access-list access-list-number {deny | permit} protocol
    source source-wildcard source-options
    destination destination-wildcard destination-options
    auditing-options
The network administrator for the North and Remote routers should enter the IPSec
access list into their routers using the following commands in privileged EXEC
mode:
North# config t
Enter configuration commands, one per line. End with CNTL/Z.
North(config)# access-list 161 permit ip any any log
North(config)# exit
North#
and
Remote# config t
Enter configuration commands, one per line. End with CNTL/Z.
Remote(config)# access-list 161 permit ip any any log
Remote(config)# exit
Remote#
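To make the selection behaviour of a crypto access list concrete, the following Python model (added here; it is not part of the guide and is not Cisco code) parses rules in the simplified syntax above and decides whether a packet would be IPSec protected. The protect-everything list is the guide's access-list 161; access-list 162, the address ranges and the "eq port" handling are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ALL_ONES = 0xFFFFFFFF

@dataclass(frozen=True)
class CryptoAclEntry:
    action: str                 # 'permit' (protect with IPsec) or 'deny' (send in the clear)
    protocol: str               # 'ip' matches every IP protocol; otherwise 'tcp' or 'udp'
    src: tuple                  # (address, wildcard) as ints; wildcard 1-bits are "don't care"
    dst: tuple
    dst_port: Optional[int]     # from a trailing 'eq <port>' (constructed option); None = any port

def _parse_address(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tokens[i]; return ((addr, wild), next_i)."""
    if tokens[i] == "any":                       # shorthand for 0.0.0.0 255.255.255.255
        return (0, ALL_ONES), i + 1
    if tokens[i] == "host":                      # shorthand for A.B.C.D 0.0.0.0
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2

def parse_crypto_acl(text):
    """Parse lines of the form 'access-list N {permit|deny} proto src dst [eq port] [log]'."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        src, i = _parse_address(t, 4)
        dst, i = _parse_address(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        entries.append(CryptoAclEntry(t[2], t[3], src, dst, port))
    return entries

def _covers(rule_addr, packet_addr):
    addr, wild = rule_addr
    return ((addr ^ packet_addr) & ~wild & ALL_ONES) == 0   # compare only the 0-bits of the wildcard

def ipsec_protected(acl, proto, src, dst, dst_port=None):
    """First matching entry decides; no match is an implicit deny, so the packet leaves unprotected."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for e in acl:
        if e.protocol not in ("ip", proto):
            continue
        if not (_covers(e.src, s) and _covers(e.dst, d)):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action == "permit"
    return False

# The guide's protect-everything list, and a constructed subset list (telnet, ftp, http only).
ACL_ALL = parse_crypto_acl("access-list 161 permit ip any any log")
ACL_SUBSET = parse_crypto_acl("""
access-list 162 permit tcp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255 eq 23
access-list 162 permit tcp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255 eq 21
access-list 162 permit tcp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255 eq 80
""")
```

The point to check on a real router is the implicit deny at the end: traffic the crypto access list does not permit is not dropped, it is forwarded without IPSec protection.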
2. Configure the appropriate transform set
The Cisco transform set identifies the protection mechanisms used to build the
IPSec tunnel. If the tunnel needs data authentication protection, then either the
Authentication Header (AH) or the Encapsulating Security Payload (ESP) IPSec
protocol, with either the SHA or MD5 hashing algorithm, will suffice. If the tunnel you
are setting up needs data confidentiality protection, then choose the ESP protocol
with either the DES or 3DES encryption algorithm (we highly suggest 3DES). A
network administrator could argue that data authentication is not really needed for a
protective tunnel between gateway routers, since this property is normally provided by
an application behind the router that pushes data through the tunnel, but adding
it can improve defense in depth. In the following example, the ESP protocol is
chosen with both confidentiality and authentication applied to all
information transmitted between the North and Remote routers.