Cisco - Access-Dial Technical Tips
Access-Dial Technical Tips
● Asynchronous Connectivity ● Modems
● ISDN ● Dial on Demand Routing (DDR)
● Point-to-Point Protocol (PPP)
● Authentication, Authorization, and Accounting (AAA)
● T1/E1 ● VPDN
● General ● Access Products
Access Related Links
● Access DSL ● Access VPN and Cisco Secure
● Broadband Cable ● Access Dial Top Issues
● Technology Support Page ● Product Support Page
Asynchronous Connectivity
This section includes terminals, async interfaces, comm/terminal servers, and aux/console port connections.
● Sample Configurations
❍ Configuring a Comm/Terminal Server for Router Console Access
❍ Setting up a Comm/Terminal Server for Sun Console Access
(1 of 13) [5/6/2001 7:30:58 PM]
❍ Printing to a Comm Server on IBM AIX
❍ How to Tunnel Async Data
❍ AUX Back-to-Back
❍ Sample Configuration - DDR Auxport Dial Backup
❍ Configuring EXEC Callback

❍ Async-PPP Callback Between an Access Server and a PC
❍ DNIS and Modem Pooling With a PRI Line
❍ WINS/DHCP on an AS5200
❍ VTY Async Sample Configuration
❍ Cisco Access Dial Configuration Cookbook


● Tech Notes
❍ Modem-Router Connection Guide
❍ Attaching a US Robotics Modem to the Console Port of a Cisco Router
❍ Cabling Guide for RJ-45 Console and AUX Ports
❍ Console Port Problem on Cisco 2500
❍ How Async Lines are Numbered in Cisco 3600 Series Routers
❍ Using service tcp-keepalives to Clear Hung Telnet Sessions
❍ TN3270 on an AS5200
❍ Characters Supported in Dialer String (V.25bis)
● Troubleshooting
❍ Dialup Technology: Troubleshooting Techniques
● FAQs
❍ RTS and DTR: Why They Might Toggle
❍ Interfacing TAs and V.25bis
Modems
This section includes information on using external modems and internal modems, such as Microcom, MICA, and NextPort.
● Sample Configurations
❍ Configuring Modem Connectivity with a Cisco 3640 BRI
❍ Async Backup with Dialer Profiles
❍ Configuring DDR to Backup an Async Connection
❍ DNIS and Modem Pooling With a PRI Line
❍ DNIS and Modem Pooling Using a CAS T1 Line
❍ Modem-Pooling With DNIS
❍ Router-to-Router Async Multilink PPP
❍ Async Multilink PPP Dialup from Microsoft Windows® Clients

❍ Configuring EXEC Callback

❍ Async-PPP Callback Between an Access Server and a PC
❍ Cisco Access Dial Configuration Cookbook
● Tech Notes
❍ Modem-Router Connection Guide
❍ Attaching a US Robotics Modem to the Console Port of a Cisco Router
❍ Configuring Modem Recovery
❍ Overview of General Modem and NAS Line Quality
❍ Configuring Client Modems to Work with Cisco Access Servers
❍ Client Modem Firmware Overview
❍ MICA Modem States and Disconnect Reasons
❍ Comparing NextPort SPE Commands to MICA Modem Commands
❍ Dialup Technology: Overviews and Explanations
❍ Windows 95 with CHAP Authentication
● Troubleshooting
❍ Dialup Technology: Troubleshooting Techniques
❍ Using Customer Dial-in Lab to test your connection
❍ Testing Async DDR into the San Jose Dial-in Lab
● FAQs
❍ Dialout Utility Frequently Asked Questions
ISDN
This section covers Integrated Services Digital Network (ISDN) technologies such as Basic Rate Interface (BRI) and Primary Rate Interface (PRI).
● Sample Configurations
❍ Configuring ISDN DDR with Dialer Profiles
❍ Sample Configuration - BRI Rotary Group
❍ Configuring ISDN BRI using the ip unnumbered Command

❍ Static Routes over Unnumbered BRI Interfaces
❍ Dial-on-demand Routing (DDR) with Easy IP
❍ Configuring Easy IP
❍ BRI-to-BRI Connection using Data Over Voice
❍ Configuring ISDN BRI to PRI using Multilink PPP to Aggregate Physical Interfaces
❍ Snapshot Routing over ISDN
❍ Basic AS5200 with Two PRIs
❍ Basic AS5300 with Four PRIs
❍ AS5300 Supporting ISDN v.120 Calls
❍ AS5300 Supporting ISDN v.120 Calls with a Virtual Template
❍ Configuring NFAS with Four T1s
❍ DDR Backup using BRIs and the backup interface Command

❍ Configuring BRI Backup Interface with Dialer Profiles
❍ Configuring BRI-to-BRI Dialup with DDR Dialer Maps


❍ Configuring DDR Backup using BRIs and Dialer Watch
❍ Configuring ISDN Backup for Frame Relay
❍ Configuring Frame Relay Backup
❍ Scalable ISDN Backup Strategy for Large OSPF Networks
❍ Backup Bridging over ISDN
❍ Time-Based ISDN/Async (Legacy) DDR
❍ PPP Callback Over ISDN
❍ ISDN Authentication and Callback with Caller ID
❍ Bridging Across ISDN
❍ ISDN Sample Configuration - Bridging
❍ PPP Half-Bridging

❍ Cisco IOS™ Router to Ascend Access Server
❍ Sample Configuration - AppleTalk
❍ AppleTalk over ISDN with DDR
❍ Cisco Access Dial Configuration Cookbook
● Tech Notes
❍ Dialup Technology: Overviews and Explanations
❍ ISDN Debug Information
❍ Configuring the Basic Rate Interface (BRI) for ISDN in Germany
❍ Configuring ISDN for Australia
❍ Configuring the Basic Rate Interface (BRI) for ISDN Leased Lines in Spain (NOVACOM)
❍ Capabilities of Typical ISDN Switches
❍ ISDN Glossary
● Troubleshooting
❍ Dialup Technology: Troubleshooting Techniques
❍ Using the show isdn status Command for BRI Troubleshooting
❍ Troubleshooting ISDN BRI Layer 1
❍ Troubleshooting ISDN BRI Layer 2
❍ Troubleshooting ISDN BRI SPIDs
❍ Understanding debug isdn q931 Disconnect Cause Codes
❍ T1 Troubleshooting Flowcharts
❍ T1 PRI Troubleshooting
❍ Troubleshooting ISDN and DDR
❍ Troubleshooting ISDN Connections
● FAQs
❍ What is the Difference Between ISDN Point-to-Point and ISDN Multipoint on an AT&T 5ESS Switch?
❍ Why Doesn't OSPF Form Adjacency on a PRI, BRI or Dialer Interface?
❍ SETUP_ACK Workaround

Dial on Demand Routing (DDR)
Articles found here cover using DDR for on-demand dial connectivity, backup to a WAN link and callback.
● Sample Configurations
❍ Configuring ISDN DDR with Dialer Profiles
❍ AS5300 Dialing out with ISDN/Async (Outbound DDR)
❍ Dial-on-demand Routing (DDR) with Easy IP
❍ Easy IP
❍ ISDN DDR Using HDLC Encapsulation
❍ Async Backup with Dialer Profiles
❍ Configuring BRI Backup Interface with Dialer Profiles
❍ Configuring DDR Backup using BRIs and Dialer Watch
❍ DDR Backup using BRIs and the backup interface Command
❍ Configuring BRI-to-BRI Dialup with DDR Dialer Maps

❍ Configuring ISDN DDR Backup for Frame Relay
❍ Configuring Frame Relay Backup
❍ Configuring DDR to Backup an Async Connection
❍ DDR Auxport Dial Backup
❍ Backup Bridging over ISDN
❍ Configuring Dialer Profiles to Bridge using ISDN
❍ Bridging with Dialer Profiles
❍ Configuring EXEC Callback

❍ AUX Back-to-Back
❍ Snapshot Routing
❍ Using Floating Static Routes and Dial-on-Demand Routing

❍ Time-Based ISDN/Async (Legacy) DDR
❍ AppleTalk over ISDN with DDR
❍ Cisco Access Dial Configuration Cookbook
● Tech Notes
❍ Dialup Technology: Overviews and Explanations
❍ Multilink PPP for DDR - Basic Configuration and Verification
❍ Restrictions for the dialer max-link 1 Command and MPPP
❍ Evaluating Backup Interfaces, Floating Static Routes, and Dialer Watch for DDR Backup
❍ Deciding and Preparing to Configure DDR
❍ Dialer Profiles Operation
● Troubleshooting
❍ Dialup Technology: Troubleshooting Techniques
❍ Troubleshooting ISDN and DDR
❍ Using Customer Dial-in Lab to test your connection
❍ Testing Async DDR into the San Jose Dial-in Lab
● FAQs
❍ Snapshot Routing: Frequently Asked Questions
Point-to-Point Protocol (PPP)
This section covers normal PPP dialup, Multilink PPP, Multichassis MPPP, and PPP Callback.
● Sample Configurations
❍ Configuring PPP Dial-up
❍ Cisco CHAP/PAP Call-in
❍ AS5300 Configured for MLP on Async and ISDN
❍ Async Multilink PPP Dialup from Microsoft Windows® Clients
❍ Router-to-Router Async Multilink PPP
❍ Multilink PPP on Back-to-back Routers with Multiple Serial Interfaces
❍ Inverse MUX Application using Multilink PPP
❍ Multilink Via Virtual-Template on Two Serial Interfaces

❍ Multilink PPP Across Two Serial Physical-layer Async Interfaces
❍ Multichassis Multilink PPP with AS5300s
❍ Multichassis Multilink PPP with Cisco AS5300s and an Offload Server
❍ Configuring L2TP Multihop to Perform MMPPP in the LNS
❍ Sample Configuration - APPN over PPP Multilink
❍ Async-PPP Callback Between an Access Server and a PC
❍ PPP Callback with Local Authentication
❍ PPP Callback Over ISDN
❍ PPP Callback with RADIUS
❍ PPP Callback with TACACS+
❍ PPP Half-Bridging
❍ How to Setup PPP Idle Timeout For Async Using RADIUS
❍ Access Server Dial-In IP/PPP Configuration With Dedicated V.120 PPP
❍ Cisco Access Dial Configuration Cookbook
● Tech Notes
❍ Dialup Technology: Overviews and Explanations
❍ PPP Authentication Using the ppp chap hostname and ppp authentication chap callin Commands
❍ Common Problems in Debugging RADIUS, PAP and CHAP
❍ CHAP or ARAP With TACACS+: Interoperability Problems With One-Time Password Systems
❍ Multilink PPP for DDR - Basic Configuration and Verification
❍ How to Speed Up the Addition of ISDN B Channels to a Multilink PPP Bundle
❍ Criteria for Naming Multilink PPP Bundles
❍ Restrictions for the dialer max-link 1 Command with Multilink PPP
❍ Microsoft Windows 2000 PCs with MPPP Connections Experience Low Throughput
❍ Multichassis Multilink PPP (MMP)
❍ Access Server Dial-In IP/PPP Configuration With Dedicated V.120 PPP
❍ Connecting 3Com to Cisco via PPP

❍ Stampede for PC Dialin Access
❍ PPP Per-User Timeouts
❍ Virtual Access PPP Features in Cisco IOS
● Troubleshooting
❍ Dialup Technology: Troubleshooting Techniques
❍ Troubleshooting Async Multilink PPP Operations
❍ Using Customer Dial-in Lab to test your connection
❍ Testing Async DDR into the San Jose Dial-in Lab
● FAQs

Authentication, Authorization, and Accounting (AAA)
This section covers configuring the Access Servers (NAS) for router-based (local) AAA and server-based AAA (RADIUS and TACACS+). However, it does not cover specific RADIUS and TACACS+ server configuration issues.
● Sample Configurations
❍ Implementing Local AAA
❍ Implementing Server-Based AAA
❍ Basic RADIUS
❍ Advanced RADIUS
❍ Radius Dial-Up Sample Config
❍ Basic TACACS+
❍ Advanced TACACS+
❍ TACACS+ Dial-Up Sample Config
❍ Configuring Large Scale Dialout Using TACACS+
❍ Implementing Server-Based AAA Accounting
❍ AAA Device Configuration Samples
❍ How To Apply Access Lists to Dial Interfaces with a RADIUS Server
❍ How to Setup PPP Idle Timeout For Async Using RADIUS

● Tech Notes
❍ PPP Per-User Timeouts
❍ Using AAA Server to Manage IP Pools in a Network Access Server
❍ TACACS+ and RADIUS Comparison
❍ Double Authentication Design and Implementation Guide
❍ RADIUS/TACACS+ Technical Tips
● Troubleshooting
❍ Diagnosing and Troubleshooting AAA Operations
❍ Common Problems in Debugging RADIUS, PAP and CHAP
● FAQs

T1/E1
This section covers configuring and troubleshooting T1s and E1s.
● Sample Configurations
❍ Configuring ISDN BRI to PRI using Multilink PPP to Aggregate Physical Interfaces
❍ ISDN NFAS Primary and Backup D Channel
❍ Configuring NFAS with Four T1s
❍ DNIS and Modem Pooling With a PRI Line
❍ Cisco Access Dial Configuration Cookbook
● Tech Notes
❍ Dialup Technology: Overviews and Explanations
❍ E1 R2 Signaling Theory
❍ E1 R2 Customization with the cas-custom Command
❍ Understanding the show controller e1 Command
❍ Configuring Cisco Integrated Data Service Unit/Channel Service Unit (DSU/CSU) Modules and WAN Interface Cards
● Troubleshooting

❍ T1 Troubleshooting Flowcharts
❍ T1 Layer 1 Troubleshooting
❍ T1 Alarm Troubleshooting
❍ T1 Error Events Troubleshooting
❍ T1 PRI Troubleshooting
❍ Loopback Tests for T1/56K Lines
❍ E1 Troubleshooting Flowcharts
❍ E1 Layer 1 Troubleshooting
❍ E1 Alarm Troubleshooting
❍ E1 Error Events Troubleshooting
❍ E1 PRI Troubleshooting
❍ E1 R2 Signaling Configuration and Troubleshooting
❍ Hard Plug Loopback Tests for E1 Lines
❍ Dialup Technology: Troubleshooting Techniques
● FAQs
❍ Line Coding Information
Virtual Private Dialup Networks (VPDN)
This section covers configuring L2TP and L2F VPDN using RADIUS, TACACS+ and router-based authentication.
● Sample Configurations
❍ Configuring a Basic Virtual Private Dialup Network (VPDN)
❍ Advanced Virtual Private Dialup Network
❍ Advanced Virtual Private Dialup Network Configuration
❍ Detailed Scenario for Access VPDN Dial-in Using L2TP
❍ Configuring Virtual Private Dialup Networks
❍ How-To Configure RADIUS Authentication for VPDNs
❍ How-To Configure TACACS+ Authentication for VPDNs
❍ How-To Configure Layer 2 Tunnel Protocol Authentication with RADIUS

❍ How-To Configure Layer 2 Tunnel Protocol Authentication with TACACS+
❍ Basic Dial-in VPDN Configuration Using VPDN Groups
❍ Dial-in VPDN Configuration Using VPDN Groups and TACACS+
❍ Configuring L2TP Multihop to Perform MMPPP in the LNS
❍ Configuring L2TP Multihop to Perform Several Hops from the NAS to the LNS
❍ Cisco Access Dial Configuration Cookbook
● Tech Notes
❍ Adding Multiple Cisco AV-Pairs to a User Profile
❍ Understanding Virtual Private Dialup Network (VPDNs)
❍ Domain Stripping Hack
❍ Layer 2 Tunnel Protocol
❍ Security Technical Tips: Internetworking
● Troubleshooting


● FAQs

General
● Changing the IP Address on the Media Gateway Access Controller
● The Alias
● Floating Static Route to a Null Interface
● Using service tcp-keepalives to Clear Hung Telnet Sessions
● Troubleshooting Access Lists on Dial Interfaces
● Connecting a Windows 95 Client to a Windows NT Server through a Cisco Router
● WINS/DHCP on an AS5200
● PPP Half-Bridging
● Suppressing Messages on Async Lines
● Dialout Utility Frequently Asked Questions
● TN3270 on an AS5200

Access Products
For general information not specific to access-dial technologies concerning these and other Cisco Routers, refer to the Router Issues main index page.
● 700 Series ● 1000 Series ● 1600 Series ● 1700 Series ● 2500 Series
● 2600 Series ● 3600 Series ● AS5200/5300 ● AS5350/AS5400 ● AS5800
● Network Modules ● WAN Interface Cards (WICs) ● IOS Installation and Upgrade
● Boot Failure Recovery ● Password Recovery
700 Series
● Cisco 700 Not Responding to Cisco Fast Step Version 1

● Cisco 700 Connectivity Problems
● Cisco 700 Series Frequently Asked Questions
● Configuring the Cisco 753 and Cisco 1004 to Dial In to a Cisco AS5200 Access Server
1000 Series
● Enabling the IPX Option on the Cisco 1020
● Accessing the EXEC of the Cisco 1020
1600 Series
● Troubleshooting the 1600
● Wan Interface Cards
1700 Series

2500 Series
● Cisco 2509-2512 Cab-Octal Pinouts
● Console Port Problem on Cisco 2500
● Configuring Integrated Data Service Unit/Channel Service Unit (DSU/CSU) Modules and WAN Interface Cards
2600 Series
● Wan Interface Cards (WICs)
3600 Series
● How Async Lines are Numbered in Cisco 3600 Series Routers
● Configuring Modem Connectivity with a Cisco 3640 BRI
● Wan Interface Cards
AS5200/AS5300 Series
● Commissioning the Cisco AS5300 Hardware
● Cisco AS5x00 Case Study for Basic IP Modem Services
AS5350/AS5400 Series
● Commissioning the Cisco AS5400 Hardware
● Cisco AS5x00 Case Study for Basic IP Modem Services

● Comparing NextPort SPE Commands to MICA Modem Commands
AS5800 Series
● Commissioning the Cisco AS5800 Hardware
● Cisco AS5x00 Case Study for Basic IP Modem Services
● Cisco IOS Software Commands for Cisco AS5800 Hardware Inspection
Network Modules
● Performance Maximums of the 4T
WICs
● Configuring Integrated Data Service Unit/Channel Service Unit (DSU/CSU) Modules and WAN Interface Cards
● WAN Interface Cards for the Cisco 3600 Series
● WAN Interface Cards for the Cisco 1600 Series

All contents are Copyright © 1992-2001 Cisco Systems Inc. All rights reserved.
Cisco - Security Technical Tips

Security Technical Tips
This page provides tips directly from Cisco's Technical Assistance Center (TAC) engineers to help you
with security issues.
Products
● Cisco Centri Firewall (EOL)
● IOS Firewall (formerly Cisco Secure Integrated Software)
● Cisco Secure Intrusion Detection System (formerly NetRanger)
● Cisco Secure PIX Firewall
● Cisco Secure Policy Manager (formerly Cisco Security Manager)

● Cisco Secure Scanner (formerly NetSonar)
● Cisco VPN 3000 Concentrator
● Cisco VPN 5000 Concentrator
● Cisco VPN General Information
● CiscoSecure ACS for Windows
● CiscoSecure ACS UNIX
Technologies
● IPSec
● Kerberos
● RADIUS
● TACACS
● TACACS+
● XTACACS
Helpful Information
(1 of 13) [5/6/2001 7:31:36 PM]
● Security FAQs
● Related Links
Cisco Centri Firewall (EOL)
● Step-by-step Configuration for Centri Firewall Exposed Services
● Cisco Centri Firewall Frequently Asked Questions, Part 1
● Cisco Centri Firewall product information
● End of Life Plan
IOS Firewall (formerly Cisco Secure Integrated Software)
● How NAT Works
● Cisco Secure Integrated Software Configuration Cookbook
● Benefits and Limitations of Context-Based Access Control: Using Cisco Secure Integrated Software (formerly Cisco IOS® Firewall)
● Using the Cisco IOS Firewall to Deny Java Applets
● Context-based Access Control: Introduction and Configuration
● Lock and Key Sample Configuration
● RFC 2267 - Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing
Cisco Secure Intrusion Detection System (formerly NetRanger)
● Cisco Secure Intrusion Detection System Product Support Pages
● Cisco Secure IDS - Configuring/Troubleshooting Email Notifications
● Password Recovery Procedure for the Cisco Secure IDS (formerly NetRanger®) Sensor
● Cisco Secure IDS - Excluding False Positive Alarms
● Interpreting Cisco Secure IDS Log Files
● Using the Cisco Secure IDS Sensor COM Port for Console Access
● Cisco Secure IDS Documentation
● Cisco Secure Intrusion Detection product literature
Cisco Secure PIX Firewall
● Cisco Secure PIX Firewall Series Support Pages
● PIX Top Issues
● Troubleshoot the PIX Firewall using Troubleshooting Assistant
● Configuring the PIX Firewall with Mail Server Access on Inside Network

● Configuring the PIX Firewall with Mail Server Access on Outside Network

● Configuring the PIX Firewall with Mail Server Access on DMZ Network

● Sample Configuration: IPSec Tunnel - Cisco Secure PIX Firewall to Checkpoint 4.1 Firewall


● Configuring and Troubleshooting the Cisco Secure PIX Firewall with a Single Internal Network

● How Failover Works on the Cisco Secure PIX Firewall

● Upgrading Cisco Secure PIX Firewall Software

● Cisco Secure PIX Firewall Frequently Asked Questions
● Using SNMP with the Cisco Secure PIX Firewall
● Cisco PIX Firewall Manager: Frequently Asked Questions
● PIX Firewall: When to Use the nat, global, static, or conduit Commands
● PIX Password Recovery
● How to Allow ICMP Pings through a Firewall in Versions 4.2 and Later of the PIX Firewall
● Addressing an Unregistered Network Using RFC-1918
● Clarification of static and conduit Syntax in PIX Versions 4.1.x and 4.2.x
● Establishing Connectivity Through Cisco PIX Firewalls
● Maximizing Network Security Using a PIX
● PIX Firewall established Command
● PIX Performance Issues Caused by IDENT Protocol (Port 113)
● Poor or Intermittent FTP/HTTP Performance Through a PIX
● Recommended Initial Configuration for the nat 0 Statement
● Setting Up PIX Syslog
● Testing the PIX Firewall mailhost Command
● Cisco's PIX Firewall Series and Stateful Firewall Security (White Paper)
● Sample Configuration: Cisco Secure PIX Firewall and VPN Clients Using PPTP, MPPE and IPSec

● Sample Configuration: PIX to PIX and VPN Client 1.1


● Sample Configuration: PIX to PIX to PIX IPSec (Hub and Spoke)
● Sample Configuration: PIX to PIX to PIX IPSec (Fully Meshed)
● Sample Configuration: IPSec Tunnel Through Firewall with NAT
● Cisco PIX 5.1-to-VPN Wild-card, Pre-shared, Mode Configuration with Extended Authentication
● How to Add AAA Authentication (Xauth) to PIX IPSec 5.2 and 5.3

● Sample Configuration: Cisco VPN 5000 Concentrator to Cisco Secure PIX Firewall

● How To Perform Authentication, Authorization, and Accounting of Users Through the PIX (5.2 and 5.3)

● How To Perform Authentication and Enabling on the Cisco Secure PIX Firewall (5.2 and 5.3)

● Cisco Secure PIX Firewall with a Single Internal Network

● Cisco Secure PIX Firewall with Two Internal Networks

● Cisco Secure PIX Firewall with Three Internal Networks

● Sample Configuration: Cisco VPN 3000 Concentrator to PIX Firewall
● How-to Configure the Cisco Secure PIX Firewall to Use PPTP
● PIX Firewall with Mail Server Access

● Configuring PIX 5.1.x: TACACS+ and RADIUS
● Configuring PIX 5.0.x: TACACS+ and RADIUS
● PIX, TACACS+, and RADIUS Sample Configuration: 4.4.x
● PIX, TACACS+, and RADIUS Sample Configuration: 4.3.x
● PIX, TACACS+, and RADIUS Sample Configuration: 4.2.x
● Cisco PIX-to-VPN Wild-card, Pre-shared, Mode Configuration
● Terminating IPSec Tunnels on Multiple Cisco Secure PIX Firewall Interfaces with Xauth

● Configuring IPSec - Router to PIX: Using the nat 0 access-list Command
● IPSec: Simple PIX-to-PIX VPN Configuration
● IPSec Between Cisco Secure PIX Firewall 5.1 and a VPN Client with Extended Authentication
● PIX-to-VPN Client Wild-card, Pre-shared, No Mode Configuration
● Tunneling IP Multicast Packets through a PIX Firewall
● Sample Configuration: Using the Cisco PIX Firewall
Cisco Secure Policy Manager (formerly Cisco Security Manager)
● Cisco Secure Policy Manager Product Support Pages
● Archiving and Rollback Procedures for Cisco Secure Policy Manager 2.x

● Cisco Secure Policy Manager product information
● Documentation
Cisco Secure Scanner (formerly NetSonar)
● Cisco Secure Scanner Product Support Pages
● Cisco NetSonar License Problem
Cisco VPN 3000 Concentrator
● Configuring IPSec - Cisco VPN 3000 Client to Cisco VPN 3000 Concentrator
● Configuring an IPSec Tunnel - Cisco VPN 3000 Concentrator to Checkpoint 4.1 Firewall
● Sample Configuration: Cisco VPN 3000 Concentrator - Blocking with Filters and RADIUS Filter Assignment

● Using Cisco Secure ACS for Windows 2.5 with the VPN 3000 Concentrator

● How to Configure the VPN 3000 Concentrator PPTP with Funk RADIUS Authentication
● How to Configure the VPN 3000 Concentrator PPTP with Cisco Secure ACS for Windows 2.5 RADIUS Authentication
● How to Configure the VPN 3000 Concentrator PPTP with Local Authentication

● Sample Configuration: Cisco VPN 3000 Concentrator Series Group Lock Feature
● How to Configure the Cisco VPN 3000 Client to VPN 3000 Concentrator with Microsoft Windows NT Domain Authentication
● Sample Configuration: VPN 3000 Client to Concentrator with IPSec SDI Authentication
● How to Configure the VPN 3000 Concentrator with Microsoft Certificates
● Configuring the Cisco VPN 3000 Concentrator and the Network Associates PGP Client
● NAT Transparent Mode for IPSec
● How to Manage the VPN 3000 Concentrator from the Public Network
● Sample Configuration: Cisco VPN 3000 Concentrator to Cisco IOS
● Sample Configuration: Cisco VPN 3000 Concentrator to PIX Firewall
● Using a Microsoft Windows 2000 Client to Connect to the Cisco VPN 3000 Concentrator
● Monitoring Cisco VPN Concentrators 2.1.3 and Earlier Over a LAN-to-LAN Session
● When is PPTP Encryption Supported on a Cisco VPN 3000 Concentrator?
● Configuring the Cisco VPN 3000 Concentrator for Microsoft Windows 2000 Support
● Cisco VPN 3000 Concentrator Vendor Specific Attributes: User and Group Attributes
● Using RADIUS with Cisco VPN 3000 Products
● Renegotiating LAN-to-LAN Configurations Between Cisco VPN 3000 Concentrators and Cisco IOS or PIX Devices
● What is VRRP?
● Cisco VPN 3000 Concentrator FAQs
● How to Configure the Cisco VPN 3000 Concentrator with MS RADIUS
● How Cisco 3000 Concentrator Clients are Authenticated on the Concentrator and How the Concentrator Uses User and Group Attributes
● How to Configure IPSec Clients to Authenticate to and Receive Addresses from a Funk RADIUS Server
● Installing Digital Certificates on the Cisco VPN Concentrator
● What Does the "Unable to Notify Service of Security Parameters" Error Message Mean?
Cisco VPN 5000 Concentrator

● Configuring an IPSec Tunnel - Cisco VPN 5000 Concentrator to Checkpoint 4.1 Firewall
● Cisco VPN 5000 Concentrator: Migrating from STEP to IKE Clients
● How to Authenticate VPN 5000 Client to the VPN 5000 Concentrator with Cisco Secure ACS for Windows 2.5 (RADIUS)
● How To Configure the Cisco VPN 5000 Client to the Cisco VPN 5000 Concentrator with SDI Authentication
● How To Configure the Cisco VPN 5000 Client to the Cisco VPN 5000 Concentrator with Cisco Secure UNIX (RADIUS) Authentication
● Sample Configuration: Cisco VPN 5000 Client to the Cisco VPN 5000 Concentrator with Local Authentication
● Sample Configuration: Cisco VPN 5000 Concentrator to Cisco Secure PIX Firewall

● Cisco VPN 5001/5002/5008 Aggressive-Mode Site-to-Site Setup Guide: Command Line Version
● Setting Up the Cisco VPN 5000 Concentrator Initially and for IPSec Main-Mode LAN-to-LAN VPN Connectivity
● Setting Up the Cisco VPN 5000 Concentrator Initially and for Remote Client Access
● Sample Configuration: Router-to-VPN 500x Concentrator LAN-to-LAN Tunnel
● Virtual Private Networks and Internet Key Exchange for the Cisco VPN 5000 Concentrator Series
Cisco VPN General Information
● VPN Top Issues
● VPN Clients with Microsoft Routing Problems
● Which VPN Solution is Right for You?
CiscoSecure ACS for Windows
● CiscoSecure ACS for Windows Product Support Pages
● Setting Up the User-Changeable Password Utility in CiscoSecure ACS for Windows 2.6


● Configuring CiscoSecure ACS 2.6 for Windows Router PPTP Authentication

● Using CiscoSecure ACS NT 2.5 with the VPN 3000 Concentrator

● How-To Configure Layer 2 Tunnel Protocol Authentication with TACACS+
● How-To Configure Layer 2 Tunnel Protocol Authentication with RADIUS
● CiscoSecure ACS NT: Command-line TACACS+ and RADIUS Debugging
● How to Assign Privilege Levels with TACACS+ and RADIUS
● CiscoSecure NT: Configuring Large Scale Dialout Using TACACS+
● Obtaining CiscoSecure for Windows NT Version and AAA Debug Information
CiscoSecure UNIX
● CiscoSecure ACS UNIX Product Support Pages
● Using AAA Server to Manage IP Pools in a Network Access Server
● How-To Configure Layer 2 Tunnel Protocol Authentication with TACACS+
● How-To Configure Layer 2 Tunnel Protocol Authentication with RADIUS
● How to Assign Privilege Levels with TACACS+ and RADIUS
● CiscoSecure: How to Setup PPP Idle Timeout For Async Using RADIUS
● Configuring CSU for UNIX (Solaris)
● CiscoSecure UNIX & SDI
● CiscoSecure Compatibility
● AAA privilege-level 15 Command Authorization
● CiscoSecure 1.x for First-time Users
● CiscoSecure 2.x for First-time Users (TACACS+)
● Configuring TACACS+ and Cisco Secure Cisco Secure Sample Configurations
● CiscoSecure 1.x Dial-up Sample Configuration
● Using ISQL to View the CiscoSecure 2.0 Database
● Configuring TACACS+ and Cisco Secure Router and NAS Sample TACACS+ Configurations

● Configuring TACACS+ and Cisco Secure RADIUS Daemon Sample TACACS+ Configuration
● Supporting One-time Passwords on ISDN
● TokenCaching Design and Implementation Guide
Technologies
IPSec
● IP Security (IPSec) Support Page
● Configuring IPSec Between a Microsoft Windows 2000 Server and a Cisco Device
● Cisco Secure VPN Client: Troubleshooting with View Log
● Configuring and Troubleshooting Cisco's Proprietary Network-Layer Encryption:
Part I: Background information and basic Network-Layer Encryption configuration.
Part II: IP Security (IPSec) and Internet Security Association and Key Management Protocol (ISAKMP).
● An Introduction to IP Security (IPSec) Encryption
● Configuring an IPSec Tunnel - Cisco Router to Checkpoint Firewall 4.1
● Sample Configuration: IPSec/GRE with NAT
● Sample Configuration: IPSec - Cisco Secure VPN Client to Central Router Controlling Access
● Sample Configuration: IPSec with Routing Protocols Using GRE Tunneling
● Sample Configuration: IPSec Tunnel through Firewall with NAT
● Configuring Router to Router IPSec (Pre-shared Keys) on GRE Tunnel with CBAC and NAT
● Sample Configuration: VPN 3000 Client to Concentrator with IPSec SDI Authentication
● Sample Configuration: IPSec Router-to-Router, Pre-shared, NAT Overload Between Private Networks
● Sample Configuration: IPSec Router-to-Router, Pre-shared, NAT Overload Between a Private and a Public Network
● Configuring IPSec Manual Keying between Routers
● Sample Configuration: IP Security Tunnel End-point Discovery
● Configuring a Router IPSec Tunnel Private-to-Private Network with NAT and Static
● Sample Configuration: Router Mode-config, Wild-card, Pre-shared Keys, no NAT

● Sample Configuration: IPSec - Wild-card Pre-shared Keys with Cisco Secure VPN Client and No-mode Config
● Sample Configuration: IPSec Router-to-Router Fully Meshed
● Sample Configuration: IPSec Router-to-Router Hub and Spoke
● Sample Configuration: IPSec Router-to-Router with NAT Overload and Cisco Secure VPN Client
● Sample Configuration: Router-to-Router - Dynamic to Static IPSec with NAT
● Sample Configuration: GRE and IPSec with IPX Routing
● Terminating IPSec Tunnels on Multiple Cisco Secure PIX Firewall Interfaces with Xauth
● Configuring IPSec - Router to PIX: Using the nat 0 access-list Command
● IPSec: Simple PIX-to-PIX VPN Configuration
● IPSec Between Cisco Secure PIX Firewall 5.1 and a VPN Client with Extended Authentication
● IPSec Over Cable Sample Configurations and Debugs
● IPSec Between Three Routers Using Private Addresses
● PIX-to-VPN Client Wild-card, Pre-shared, No Mode Configuration
● Sample Configuration: Router to VPN Client, Mode-config, Wild-card Pre-shared Key with NAT
● Configuring Layer 2 Tunneling Protocol (L2TP) over IPSec
Kerberos
● Troubleshooting and Configuring Kerberos V5 Client Support
● Kerberos: An Authentication Service for Open Network Systems
RADIUS
● RADIUS Support Page
● How To Apply Access Lists to Dial Interfaces with a RADIUS Server
● Troubleshooting Access Lists on Dial Interfaces
● How-To Configure Layer 2 Tunnel Protocol Authentication with RADIUS
● Common Problems in Debugging RADIUS, PAP and CHAP
● Debugging HTTP Authentication
● CiscoSecure ACS NT: Command-line TACACS+ and RADIUS Debugging
● How to Assign Privilege Levels with TACACS+ and RADIUS
● How to Configure the Cisco VPN 3000 Concentrator with MS RADIUS
● Decoding a Sniffer-trace of RADIUS Transaction

● CiscoSecure: How to Setup PPP Idle Timeout For Async Using RADIUS
● How Does RADIUS Work?
● Radius for First-time Users
● TACACS+ and RADIUS Comparison
● Domain Stripping Hack
● RADIUS Support in Cisco IOS Software (White Paper)
● The RADIUS Protocol (Product Bulletin)
● RADIUS Sample Configurations from the Cisco AAA Implementation Case Study

● Configuring TACACS+ and RADIUS Extended Authentication with VPN Client
● Sample Configuration: PPP Callback with RADIUS
● How To Configure RADIUS Authentication for VPDNs
● PIX, TACACS+, and RADIUS Sample Configuration: 5.1.x
● PIX, TACACS+, and RADIUS Sample Configuration: 5.0.x
● PIX, TACACS+, and RADIUS Sample Configuration: 4.4.x
● PIX, TACACS+, and RADIUS Sample Configuration: 4.3.x
● PIX, TACACS+, and RADIUS Sample Configuration: 4.2.x
● Sample Configuration: RADIUS Authentication for HTTP Server Users
● Radius Dial-up Sample Configuration
● Configuring TACACS+ and CiscoSecure RADIUS Daemon Sample TACACS+ Configuration
TACACS
● TACACS and XTACACS are Considered End-of-Maintenance
● Troubleshoot TACACS, XTACACS, and TACACS+ server issues using Troubleshooting Assistant
● Timeout Commands: tacacs-server login-timeout and timeout login response
● The TACACS Authentication Protocols
● TACACS Password Recovery Techniques
● Domain Stripping Hack

TACACS+
● TACACS+ Support Page
● Troubleshoot TACACS, XTACACS, and TACACS+ server issues using Troubleshooting Assistant
● Configuring TACACS+, RADIUS, and Kerberos on Catalyst Switches
● Troubleshooting Access Lists on Dial Interfaces
● Common Problems in Debugging TACACS+, PAP and CHAP
● Debugging HTTP Authentication
● CiscoSecure ACS NT: Command-line TACACS+ and RADIUS Debugging
● How to Assign Privilege Levels with TACACS+ and RADIUS
● CHAP or ARAP With TACACS+: Interoperability Problems With One-Time Password Systems
● The TACACS+ Protocol
● TACACS+ for First-Time Users
● TACACS+ and RADIUS Comparison
● Single-User Network Access Security TACACS+ (White Paper)
● TACACS+ Sample Configurations from the Cisco AAA Implementation Case Study

● Configuring TACACS+ and RADIUS Extended Authentication with VPN Client
● Sample Configuration: PPP Callback with TACACS+
● How-To Configure TACACS+ Authentication for VPDNs
● How-To Configure Layer 2 Tunnel Protocol Authentication with TACACS+
● Configuring PIX 5.1.x: TACACS+ and RADIUS
● Configuring PIX 5.0.x: TACACS+ and RADIUS
● PIX, TACACS+, and RADIUS Sample Configuration: 4.4.x
● PIX, TACACS+, and RADIUS Sample Configuration: 4.3.x
● PIX, TACACS+, and RADIUS Sample Configuration: 4.2.x
● How To Apply Access Lists to Dial Interfaces with a TACACS+ Server
● Sample Configuration: TACACS+ Authentication for HTTP Server Users

● CiscoSecure NT: Configuring Large Scale Dialout Using TACACS+
● TACACS+ Dial-Up Sample Configuration
● Configuring TACACS+ on the Catalyst 1900 and 2820
● Configuring TACACS+ on Catalyst 2900XL/3500XL Switches
● Configuring Callback with TACACS+
● Configuring and Troubleshooting TACACS+ Freeware Daemon and CiscoSecure 1.X
● Configuring TACACS+ and CiscoSecure Router and NAS Sample TACACS+ Configurations
● Configuring TACACS+ and CiscoSecure RADIUS Daemon Sample TACACS+ Configuration
● Configuring TACACS+ and CiscoSecure CiscoSecure Sample Configurations
● CiscoSecure 2.x for First-time Users (TACACS+)
XTACACS
● TACACS and XTACACS are Considered End-of-Maintenance
● XTACACS for First-time Users
● XTACACS Dial-Up Sample Configuration
Security FAQs
● Cisco Centri Firewall Frequently Asked Questions, Part 1
● Cisco PIX Firewall Manager: Frequently Asked Questions
● Cisco Secure PIX Firewall Frequently Asked Questions
● Cisco VPN 3000 Concentrator FAQs
Related Links
● Access Lists
Tips on increasing security on IP networks; blocking a Telnet session from a Cisco router; TCP/IP
firewalls; and Novell extended access lists.
● Cisco IOS® Software Password Encryption Facts
Understand the security model behind Cisco password encryption, and the security limitations of
that encryption.

● Cisco Product Security Incident Response
This document describes bug reporting and incident response procedures—specifically, what to
do if you are under active security attack or you believe that you are about to be attacked, if you
have a security problem with a Cisco product, if you want to obtain technical security information
about a Cisco product, or if you have additional questions about an announced security issue with
a Cisco product. The role of the Cisco Product Security Incident Response Team (PSIRT) in
handling security incidents is explained.
● Improving Security on Cisco Routers
This document is an informal discussion of some Cisco configuration settings that network
administrators should consider changing on their routers, especially on their border routers, in
order to improve security. This document is about basic, "boilerplate" configuration items that are
almost universally applicable in IP networks, and about a few unexpected items of which you
should be aware.
● Security Advisories
Advisories, field notices, and reference information about security-related notifications