Name: Cisco ASR 1002
Brand: Cisco
Rating: 5 (1 reviews)

To Next Page

To Previous Page

Page 25 of 72

o Destination Port

Traffic matching is done based on a top-down approach in the access list. The first entry that a

packet matches will be the one applied to it. The VPNGW EP requires that the TOE Access

control lists (ACLs) are to be configured to drop all packet flows as the default rule and that

traffic matching the acl be able to be logged. The drop all default rule can be achieved by

including an ACL rule to drop all packets as the last rule in the ACL configuration. The logging

of matching traffic is done by appending the key word “log-input” per the command reference at

the end of the acl statements, as done below.

A privileged authorized administrator may manipulate the ACLs using the commands ip inspect,

access-list, crypto map, and access-group as described in [10]

Access lists must be configured on the TOE to meet the requirements of the VPN Gateway

Extended Package.

Note: These access lists must be integrated with the defined security policy for your TOE

router. Enabling just these access lists with no permits will result in traffic being dropped.

Ensure that your access list entries are inserted above the default deny acl.

In this example, we are assuming that interface GigabitEthernet0/0 is the external interface, and

is assigned an IP address of 10.200.1.1. Interface GigabitEthernet0/1 is the internal interface and

is assigned an IP address of 10.100.1.1.

If remote administration is required, ssh has to be explicitly allowed through either the internal or

external interfaces.

TOE-common-criteria# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

TOE-common-criteria(config)# access-list 199 permit tcp host 10.200.0.1 host

10.200.0.1 eq 22 log-input

To log connections to the Certificate Authority, implement the following acl:.

TOE-common-criteria(config)# access-list 100 permit ip any host [IP of CA] log-

input

TOE-common-criteria(config)# access-list 199 permit ip any host [IP of CA] log-

input

To close ports that don’t need to be open and may introduce additional vulnerabilities,

implement the following acl:.

TOE-common-criteria(config)# access-list 100 deny 132 any any log-input

TOE-common-criteria(config)# access-list 199 deny 132 any any log-input

To explicitly create the default deny acl for traffic with no other match, implement the following

acl:.

TOE-common-criteria(config)# access-list 100 deny any any log-input

TOE-common-criteria(config)# access-list 199 deny any any log-input

Other manuals for Cisco ASR 1002

Replacing120 pages

Hardware Installation Guide702 pages

Quick Start Guide36 pages

Questions and Answers:

Need help?

Do you have a question about the Cisco ASR 1002 and is the answer not in the manual?

Cisco ASR 1002 Specifications

General

Ethernet LAN	Yes
Cabling technology	10/100/1000Base-T(X)
Networking standards	IEEE 802.3
Ethernet LAN data rates	10, 100, 1000 Mbit/s
Ethernet interface type	Gigabit Ethernet
DHCP client	-
Supported network protocols	BGP, GRE, OSPF, DVMRP, EIGRP, IS-IS, IGMPv3, PIM-SM, PIM-SSM
Ethernet LAN (RJ-45) ports	4
Security algorithms	SSH
VPN tunnels quantity	8000
Safety	UL60950-1 CSA, C22.2 No. 60950-1-03, EN 60950-1, IEC 60950-1, AS/NZS 60950.1
Certification	FCC 47CFR15 Class A AS/NZS CISPR 22 CISPR 22 Class A EN55022 Class A ICES-003 Class A VCCI Class A CNS-13438 Class A EN61000-3-2 EN61000-3-3
Internal memory	4096 MB
AC input voltage	85 - 264 V
Power source type	AC
AC input frequency	50 - 60 Hz
Power consumption (typical)	560 W
Operating altitude	0 - 3048 m
Storage temperature (T-T)	0 - 50 °C
Operating temperature (T-T)	0 - 40 °C
Storage relative humidity (H-H)	5 - 95 %
Operating relative humidity (H-H)	5 - 90 %
Product color	Gray
Rack capacity	2U