Router Security Configuration Guide UNCLASSIFIED 166 UNCLASSIFIED Version 1.0g

Some administrators will want to create tunnels to protect all protocol data flowing between two routers. Others will want to protect only a subset of the data flow (e.g. all telnet, ftp, and http traffic). The following example displays the access list needed to protect ALL protocol information between the North and Remote routers. Using the any option (e.g. access-list 161 below) for both the source and destination in the access list forces all packets to be IPSec protected. Choosing the any option for the source and destination also eliminates the need for wildcard masks in the access list. Access lists can be used to improve the granularity of the IPSec tunnels; see Section 4.3 to learn more about access lists.

The syntax for an access list rule, somewhat simplified, is shown below.

    access-list access-list-number {deny | permit} protocol
        source source-wildcard source-options
        destination destination-wildcard destination-options auditing-options

The network administrators for the North and Remote routers should enter the IPSec access list into their routers using the following commands in privileged EXEC mode:

    North# config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    North(config)# access-list 161 permit ip any any log
    North(config)# exit
    North#

and

    Remote# config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Remote(config)# access-list 161 permit ip any any log
    Remote(config)# exit
    Remote#

2. Configure the appropriate transform set

The Cisco transform set identifies the desired protection mechanisms for building the IPSec tunnel. If the tunnel needs data authentication protection, then choosing either the Authentication Header (AH) or the Encapsulating Security Payload (ESP) IPSec protocol with either of the hashing algorithms SHA or MD5 will suffice. If the tunnel you are setting up needs data confidentiality protection, then choose the ESP protocol with either the DES or 3DES encryption algorithm (we highly suggest 3DES). A network administrator could argue that data authentication is not really needed for a protective tunnel between gateway routers, since this property is normally obtained by an application behind the router which is pushing data through the tunnel, but adding it improves defense in depth. In the following example, the ESP protocol is chosen with both data confidentiality and authentication properties applied to all information transmitted between the North and Remote routers.
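To check which flows a crypto access list will actually select for IPSec protection before loading it on the router, here is an added evaluator for the simplified access-list syntax shown above (permit = protect, deny = send in the clear, no match = implicit deny). It is example code written for this page, not part of the guide or of Cisco IOS; the rule numbers 161/162 follow the guide, while the addresses in the sample lists are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


@dataclass
class AclRule:
    number: int
    action: str      # "permit" = IPSec-protect, "deny" = send in the clear
    protocol: str    # "ip" matches every IP protocol; otherwise tcp/udp/icmp...
    src: int
    src_wild: int    # wildcard mask: 1 bit = don't care, 0 bit = must match
    dst: int
    dst_wild: int
    log: bool        # auditing option present (does not affect matching)


def _parse_addr(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at tok[i]."""
    if tok[i] == "any":                      # any = 0.0.0.0 255.255.255.255
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":                     # host X = X 0.0.0.0
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2


def parse_rule(line: str) -> AclRule:
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("not an access-list rule: " + line)
    src, src_wild, i = _parse_addr(tok, 4)
    dst, dst_wild, i = _parse_addr(tok, i)
    return AclRule(int(tok[1]), tok[2], tok[3].lower(),
                   src, src_wild, dst, dst_wild, "log" in tok[i:])


def _addr_matches(addr: int, net: int, wild: int) -> bool:
    return ((addr ^ net) & ~wild & 0xFFFFFFFF) == 0


def ipsec_protected(rules, protocol, src_ip, dst_ip) -> bool:
    """First matching rule decides; no match means the packet goes in the clear."""
    for r in rules:
        if r.protocol not in ("ip", protocol):
            continue
        if (_addr_matches(_ip(src_ip), r.src, r.src_wild)
                and _addr_matches(_ip(dst_ip), r.dst, r.dst_wild)):
            return r.action == "permit"
    return False


# Constructed samples: the guide's protect-everything list, and a narrower one
ALL_TRAFFIC = [parse_rule("access-list 161 permit ip any any log")]
SUBSET = [parse_rule("access-list 162 permit tcp host 192.0.2.10 198.51.100.0 0.0.0.255"),
          parse_rule("access-list 162 deny ip any any")]
```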