Cisco ROUTER-SDM-CD User Manual

User guide

Cisco Router and Security Device Manager User's Guide 2.5
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
     800 553-NETS (6387)
Fax: 408 527-0883
Customer Order Number:
Text Part Number: OL-4015-12


Summary of Contents for Cisco ROUTER-SDM-CD

  • Page 1 Cisco Router and Security Device Manager User’s Guide Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Customer Order Number: Text Part Number: OL-4015-12...
  • Page 2 LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
  • Page 3: Table Of Contents

    How Do I Enable or Disable an Interface? How Do I View the IOS Commands I Am Sending to the Router? How Do I Launch the Wireless Application from Cisco SDM? How Do I Configure an Unsupported WAN Interface? How Do I Enable or Disable an Interface?
  • Page 4 LAN Wizard: 802.1x Authentication (VLAN or Ethernet) 802.1x Exception List 802.1x Authentication on Layer 3 Interfaces Edit 802.1x Authentication How Do I ... How Do I Configure 802.1x Authentication on More Than One Ethernet Port? Cisco Router and Security Device Manager 2.5 User’s Guide OL-4015-12...
  • Page 5 Configuring an ISDN Connection ISDN Connection Reference ISDN Wizard Welcome Window IP Address: ISDN BRI or Analog Modem Switch Type and SPIDs Dial String Configuring an Aux Backup Connection Aux Backup Connection Reference...
  • Page 6 Add Dynamic DNS Method Wireless Association Edit Switch Port Application Service General Select Ethernet Configuration Type Connection: VLAN Subinterfaces List Add or Edit BVI Interface Add or Edit Loopback Interface...
  • Page 7 Connection: ISDN BRI Connection: Analog Modem Connection: (AUX Backup) Authentication SPID Details Dialer Options Backup Configuration Delete Connection Connectivity Testing and Troubleshooting Wide Area Application Services Configuring a WAAS Connection WAAS Reference...
  • Page 8 How Do I Modify an Existing Firewall to Permit Traffic from a New Network or Host? How Do I Configure NAT on an Unsupported Interface? How Do I Configure NAT Passthrough for a Firewall?...
  • Page 9 Cisco SDM Warning: Inspection Rule Cisco SDM Warning: Firewall Edit Firewall Policy Add a New Rule Add Traffic Application Inspection URL Filter Quality of Service Inspect Parameter Select Traffic Delete Rule...
  • Page 10 Create Site to Site VPN Site-to-Site VPN Wizard View Defaults VPN Connection Information IKE Proposals Transform Set Traffic to Protect Summary of the Configuration Spoke Configuration Secure GRE Tunnel (GRE-over-IPSec) GRE Tunnel Information...
  • Page 11 How Do I Configure a VPN After I Have Configured a Firewall? How Do I Configure NAT Passthrough for a VPN? Easy VPN Remote Creating an Easy VPN Remote Connection Create Easy VPN Remote Reference...
  • Page 12 Add or Edit Easy VPN Remote: Interfaces and Connections Add or Edit Easy VPN Remote: Identical Addressing Easy VPN Remote: Add a Device Enter SSH Credentials XAuth Login Window Other Procedures...
  • Page 13 Cisco Tunneling Control Protocol Summary Browser Proxy Settings Editing Easy VPN Server Connections Edit Easy VPN Server Reference Edit Easy VPN Server Add or Edit Easy VPN Server Connection...
  • Page 14 Select Routing Protocol Routing Information Dynamic Multipoint VPN (DMVPN) Spoke Wizard DMVPN Network Topology Specify Hub Information Spoke GRE Tunnel Interface Configuration Cisco SDM Warning: DMVPN Dependency Edit Dynamic Multipoint VPN (DMVPN)...
  • Page 15 Associate Crypto Map with this IPSec Policy IPSec Profiles Add or Edit IPSec Profile Add or Edit IPSec Profile and Add Dynamic Crypto Map Transform Set Add or Edit Transform Set IPSec Rules...
  • Page 16 CA Server Certificate Enrollment Status Cut and Paste Wizard Welcome Enrollment Task Enrollment Request Continue with Unfinished Enrollment Import CA certificate Import Router Certificate(s) Digital Certificates Trustpoint Information Certificate Details...
  • Page 17 Restore CA Server Edit CA Server Settings: General Tab Edit CA Server Settings: Advanced Tab Manage CA Server: CA Server Not Configured Manage Certificates Pending Requests Revoked Certificates Revoke Certificate...
  • Page 18 Enable Cisco Secure Desktop Common Internet File System Enable Clientless Citrix Summary Editing SSL VPN Connections Editing SSL VPN Connection Reference Edit SSL VPN SSL VPN Context Designate Inside and Outside Interfaces...
  • Page 19 Learn More About Split Tunneling How do I verify that my Cisco IOS SSL VPN is working? How do I configure a Cisco IOS SSL VPN after I have configured a firewall?...
  • Page 20 How do I associate a VRF instance with a Cisco IOS SSL VPN context? SSL VPN Enhancements SSL VPN Reference SSL VPN Context: Access Control Lists Add or Edit Application ACL Add ACL Entry Action URL Time Range Add or Edit Action URL Time Range Dialog...
  • Page 21 Disable IP Mask Reply Disable IP Unreachables on NULL Interface Enable Unicast RPF on Outside Interfaces Enable Firewall on All of the Outside Interfaces Set Access Class on HTTP Server Service...
  • Page 22 Basic NAT Wizard: Connection Summary Advanced NAT Wizard: Welcome Advanced NAT Wizard: Connection Add IP Address Advanced NAT Wizard: Networks Add Network Advanced NAT Wizard: Server Public IP Addresses...
  • Page 23 Create IPS: SDF Location Create IPS: Signature File Create IPS: Configuration File Location and Category Add or Edit a Config Location Directory Selection Signature File Create IPS: Summary Create IPS: Summary...
  • Page 24 Add or Edit an Event Action Filter Edit IPS: Signatures Edit IPS: Signatures Edit Signature File Selection Assign Actions Import Signatures Add, Edit, or Clone Signature Cisco Security Center IPS-Supplied Signature Definition Files Security Dashboard...
  • Page 25 Interface Selection Queuing for Outbound Traffic Add a New Traffic Class Policing for Outbound Traffic QoS Policy Generation QoS Configuration Summary Editing QoS Policies Edit QoS Policy Reference Edit QoS Policy...
  • Page 26 Choose an Exception Policy Add Exception Policy Agentless Host Policy Configuring NAC for Remote Access Modify Firewall Details Window Summary of the configuration Edit NAC Tab NAC Components Exception List Window...
  • Page 27 User Accounts: Configure User Accounts for Router Access Add or Edit a Username View Password vty Settings Edit vty Lines Configure Management Access Policies Add or Edit a Management Policy Management Access Error Messages DHCP Configuration...
  • Page 28 Add or Edit Port Map Entry Zone-Based Policy Firewall Zone Window Add or Edit a Zone Zone-Based Policy General Rules Zone Pairs Add or Edit a Zone Pair Add a Zone Select a Zone...
  • Page 29 Cisco Common Classification Policy Language Policy Map Policy Map Windows Add or Edit a QoS Policy Map Associate a Policy Map to Interface Add an Inspection Policy Map Layer 7 Policy Map...
  • Page 30 Response Header Response Header Fields HTTP Response Body HTTP Response Status Line Request/Response Header Criteria HTTP Request/Response Header Fields Request/Response Body Request/Response Protocol Violation Add or Edit an IMAP Class Map...
  • Page 31 Import URL List URL Filter Servers Add or Edit a URL Filter Server URL Filtering Precedence Configuration Management Manually Editing the Configuration File Config Editor Reset to Factory Defaults...
  • Page 32 Meanings of the Permit and Deny Keywords Services and Ports More About NAT Static Address Translation Scenarios Dynamic Address Translation Scenarios Reasons that Cisco SDM Cannot Edit a NAT Rule More About VPN Cisco.com Resources More about VPN Connections and IPSec Policies More About IKE...
  • Page 33 SSL VPN Components SSL VPN Context User Sessions URL Mangling Port Forwarding CIFS Full Tunnel User List Traffic Status Netflow Top Talkers Top Protocols Top Talkers Application/Protocol Traffic NAC Status...
  • Page 34 Reset to Factory Defaults File Management Rename New Folder Save SDF to PC Exit Unable to perform squeeze flash Edit Menu Commands Preferences View Menu Commands Home Configure Monitor...
  • Page 35 Security Audit USB Token PIN Settings Wireless Application Update Cisco SDM CCO Login Help Menu Commands Help Topics Cisco SDM on CCO Hardware/Software Matrix About this router... About Cisco SDM...
  • Page 36 Contents...
  • Page 37: Home Page

    Available/Total Memory: Available RAM/Total. Cisco SDM Version: The version of Cisco Router and Security Device Manager (Cisco SDM) software that is currently running on the router.
  • Page 38 Note: If you do not see feature information described in this help topic on the home page, the Cisco IOS image does not support the feature. For example, if the router is running a Cisco IOS image that does not support security features, the Firewall Policy, VPN, and Intrusion Prevention sections do not appear on the home page.
  • Page 39 Trusted (n): The number of trusted (inside) interfaces. Untrusted (n): The number of untrusted (outside) interfaces. DMZ (n): The number of DMZ interfaces. Active—A firewall is in place. Inactive—No firewall is in place.
  • Page 40 The columns describe: the interface with a configured VPN connection; the type of VPN connection configured on the interface; the name of the IPSec policy associated with the VPN connection; a description of the connection.
  • Page 41 Dynamic Routing Protocols: Lists any dynamic routing protocols that are configured on the router. No. of IPS-enabled interfaces: The number of router interfaces on which IPS has been enabled.
  • Page 42 SDF Version: The version of SDF files on this router. Security Dashboard: A link to the IPS Security Dashboard, where the top-ten signatures can be viewed and deployed.
  • Page 43: Creating A New Connection

    C H A P T E R Creating a New Connection The Cisco SDM connection wizards guide you through LAN and WAN configurations, and check the information that you enter against the existing configuration, warning you of any problems. This chapter contains the following sections: Creating a New Connection •...
  • Page 44: New Connection Reference

    The following topic describes the screen referred to in this chapter: • Create Connection. Create Connection: This window allows you to create new LAN and WAN connections. Note: You cannot use Cisco SDM to create WAN connections for Cisco 7000 series routers. Field Reference: Table 2-1 describes the fields in this screen.
  • Page 45: Additional Procedures

    If the router has radio interfaces but you do not see a Wireless radio button, you are not logged on as a Cisco SDM Administrator. If you need to use the wireless application, go to the Cisco SDM Tools menu and choose Wireless Application.
  • Page 46: How Do I Configure A Static Route

    How Do I View Activity on My LAN Interface? You can view activity on a LAN interface by using the Monitor mode in Cisco SDM. Monitor mode can display statistics about the LAN interface, including the number of packets and bytes that have been sent or received by the interface, and the number of send or receive errors that have occurred.
  • Page 47: How Do I Enable Or Disable An Interface

    How Do I View the IOS Commands I Am Sending to the Router? If you are completing a Wizard to configure a feature, you can view the Cisco IOS commands that you are sending to the router when you click Finish.
  • Page 48: How Do I Launch The Wireless Application From Cisco Sdm

    If you are editing a configuration, the Deliver window is displayed when you click OK in the dialog window. In this window you can view the Cisco IOS commands that you are sending to the router.
  • Page 49: How Do I Enable Or Disable An Interface

    Step 4 Choose the data item(s) you want to view by checking the associated check box(es). You can view up to four statistics at a time. Step 5 Click Show Details to see statistics for all selected data items.
  • Page 50: How Do I Configure Nat On A Wan Interface

    • Add or Edit Static Address Translation Rule: Outside to Inside • Add or Edit Dynamic Address Translation Rule: Inside to Outside • Add or Edit Dynamic Address Translation Rule: Outside to Inside
  • Page 51: How Do I Configure Nat On An Unsupported Interface

    How Do I Configure NAT on an Unsupported Interface? Cisco SDM can configure Network Address Translation (NAT) on an interface type unsupported by Cisco SDM. Before you can configure the firewall, you must first use the router to configure the interface. The interface must have, at a minimum, an IP address configured, and it must be working.
  • Page 52 ... button to browse the list of rules and choose the rule that you want to use to identify IP traffic from that list.
  • Page 53: Interface

    Choose the radio interface and click Edit. In the Connections tab, you can change the IP address or bridging information. If you want to change other wireless parameters, click Launch Wireless Application.
  • Page 54 Chapter 2 Creating a New Connection Additional Procedures...
  • Page 55: Lan Wizard

    WAN interfaces. The list includes interfaces that have already been configured. When you configure an interface as a LAN interface, Cisco SDM inserts the description text $ETH-LAN$ in the configuration file so that it recognizes the interface as a LAN interface in the future.
  • Page 56: Ethernet Configuration

    Configure To configure an interface you have selected, click Configure. If the interface has not been configured before, Cisco SDM will take you through the LAN Wizard to help you configure it. If the interface has been given a configuration using Cisco SDM, Cisco SDM displays an Edit window enabling you to change configuration settings.
  • Page 57: Lan Wizard: Ip Address And Subnet Mask

    Field Reference: Table 3-3 IP Address and Subnet Mask. Enable DHCP Server: To configure the router as a DHCP server on this interface, click Yes.
  • Page 58: Lan Wizard: Dhcp Address Pool

    LAN. To set these properties for the router, click Additional Tasks on the Cisco SDM category bar, click DHCP, and configure these settings in the DHCP Pools window.
  • Page 59: Lan Wizard: Vlan Mode

    Single Device. If this switch port will be connected to a port on a network device, such as another switch, that is in trunking mode, select Network Device.
  • Page 60: Lan Wizard: Switch Port

    The other part of the bridge must be configured using the Wireless Application. The IP address and Subnet mask fields under New VLAN are disabled when this box is checked.
  • Page 61: Irb Bridge

    Launching the Wireless Application After completing this LAN configuration, do the following to launch the Wireless Application and complete the bridging configuration. Step 1 Select Wireless Application from the Cisco SDM Tools menu. The Wireless Application opens in a separate browser window.
  • Page 62: Bvi Configuration

    When a client logs off the network, the address it was using is returned to the pool for use by another host.
  • Page 63: Irb For Ethernet

    No. You will still be able to configure it as a regular routing interface. Layer 3 Ethernet Configuration Cisco SDM supports Layer 3 Ethernet configuration on routers with installed 3750 switch modules. You can create VLAN configurations and designate router Ethernet interfaces as DHCP servers.
  • Page 64: 802.1Q Configuration

    IP Address and Subnet Mask. VLAN ID (1-4094): Enter a VLAN ID number from 1 to 4094. Cisco SDM displays a message telling you to enter a different VLAN ID if the ID that you enter is already in use. Native VLAN: If you do not want the VLAN to use 802.1Q tagging, check Native VLAN.
  • Page 65: Configure Gigabit Ethernet Interface

    To save this configuration to the router’s running configuration and leave this wizard: Click Finish. Cisco SDM saves the configuration changes to the router’s running configuration. Although the changes take effect immediately, they will be lost if the router is turned off.
  • Page 66 Chapter 3 LAN Wizard Summary...
  • Page 67: 802.1X Authentication

    However, before you can enable 802.1x on any interface, AAA must be enabled on your Cisco IOS router. If you attempt to use the LAN wizard before AAA is enabled, a window appears asking if you want to enable AAA. If you choose to enable AAA, then the 802.1x configuration screens will appear as part of the LAN...
  • Page 68: Advanced Options

    Multiple mode allows for any number of clients to have access once a single client has been authenticated. Note: Ports on Cisco 85x and Cisco 87x routers can be set only to multiple host mode. Single mode is disabled for these routers.
  • Page 69 The default setting is 30 seconds. Supplicant Reply Timeout Enter the time, in seconds, that your Cisco IOS router waits for a reply from an 802.1x client before timing out its connection to that client. Values must be in the range of 1–65535 seconds.
  • Page 70: Lan Wizard: Radius Servers For 802.1X Authentication

    The source IP address in the RADIUS packets sent from the router must be configured as the NAD IP address in the Cisco ACS version 3.3 or later. If you choose Router chooses source, the source IP address in the RADIUS packets will be the address of interface through which the RADIUS packets exit the router.
  • Page 71 Chapter 4 802.1x Authentication, LAN Wizard: RADIUS Servers for 802.1x Authentication. Note: Cisco IOS software allows a single RADIUS source interface to be configured on the router. If the router already has a configured RADIUS source and you choose a different source, the source IP address placed in the packets sent to the RADIUS server changes to the IP address of the new source, and may not match the NAD IP address configured on the Cisco ACS.
  • Page 72: Edit 802.1X Authentication (Switch Ports)

    Multiple mode allows for any number of clients to have access once a single client has been authenticated. Note: Ports on Cisco 87x routers can be set only to multiple host mode. Single mode is disabled for these routers.
  • Page 73: Lan Wizard: 802.1X Authentication (Vlan Or Ethernet)

    This window allows you to enable 802.1x authentication on the Ethernet port you selected for configuration using the LAN wizard. For Cisco 87x routers, this window is available for configuring a VLAN with 802.1x authentication. Note: Before configuring 802.1x on a VLAN, be sure that 802.1x is not configured on any VLAN switch ports.
  • Page 74: 802.1X Exception List

    802.1x authentication while allowing them to use the VPN tunnel. Exempt Cisco IP phones from 802.1x authentication Check Exempt Cisco IP phones from 802.1x authentication to exempt Cisco IP phones from 802.1x authentication while allowing them to use the VPN tunnel. 802.1x Exception List An exception list exempts certain clients from 802.1x authentication while...
  • Page 75: 802.1X Authentication On Layer 3 Interfaces

    Ethernet ports. Interfaces Table The Interfaces table has the following columns: Interface—Displays the name of the Ethernet or VLAN interface. 802.1x Authentication—Indicates whether 802.1x authentication is enabled for the Ethernet port.
  • Page 76: Edit 802.1X Authentication

    802.1x Exception List. Exempt Cisco IP phones from 802.1x authentication Check Exempt Cisco IP phones from 802.1x authentication to exempt Cisco IP phones from 802.1x authentication while allowing them to use the VPN tunnel. Apply Changes Click Apply Changes for the changes you made to take effect.
  • Page 77: How Do I

    Ethernet Port? Once you configure 802.1x authentication on an interface, the LAN wizard will no longer display any 802.1x options for Ethernet ports because Cisco SDM uses the 802.1x configuration globally. Note: For configuring switches, the LAN wizard will continue to display the 802.1x options.
  • Page 78 Chapter 4 802.1x Authentication How Do I ...
  • Page 79: Configuring Wan Connections

    Step 1 If you want to review the IOS CLI commands that you send to the router when you complete the configuration, go to the Cisco SDM toolbar, and click Edit > Preferences > Preview commands before delivering to router.
  • Page 80: Ethernet Wan Connection Reference

    WAN Wizard Interface Welcome Window This window lists the types of connections you can configure for this interface using Cisco SDM. If you need to configure another type of connection for this interface, you can do so using the CLI.
  • Page 81: Select Interface

    Check the box next to the interface that you want to use for this connection. If you are configuring an Ethernet interface, Cisco SDM inserts the description text $ETH-WAN$ in the configuration file so that it will recognize the interface as a WAN interface in the future.
  • Page 82: Encapsulation: Pppoe

    PPPoE encapsulation. Uncheck this box if your service provider does not use PPPoE. This check box will not be available if your router is running a version of Cisco IOS that does not support PPPoE encapsulation.
  • Page 83: Summary

    Test the connectivity after configuring: Check this box if you want Cisco SDM to test the connection you have configured after it delivers the commands to the router. Cisco SDM will test the connection and report results in another window.
  • Page 84: Configuring A Serial Connection

    Next Hop Address: If your service provider has given you a next-hop IP address to use, enter the IP address in this field. If you leave this field blank, Cisco SDM will use the WAN interface that you are configuring as the next-hop interface.
  • Page 85: Serial Connection Reference

    Chapter 5 Configuring WAN Connections, Configuring a Serial Connection. Step 7 Cisco SDM displays the Summary screen when you have completed the configuration. Review the configuration. If you need to make changes, click Back to return to the screen in which you need to make changes, then return to the Summary screen.
  • Page 86 IP Address: Serial with HDLC or Frame Relay. Choose the method that the WAN interface will use to obtain an IP address. If Frame Relay encapsulation is used, Cisco SDM creates a subinterface, and the IP address is assigned to the subinterface Cisco SDM creates.
  • Page 87: Authentication

    Your service provider or network administrator may use a Challenge Handshake Authentication Protocol (CHAP) password or a Password Authentication Protocol (PAP) password to secure the connection between the devices. This password secures both incoming and outgoing access.
  • Page 88: Configure Lmi And Dlci

    PAP authentication. Password: Enter the password exactly as given to you by your service provider. Passwords are case sensitive. For example, the password cisco is not the same as Cisco. Confirm Password: Reenter the same password that you entered in the previous box.
  • Page 89: Configure Clock Settings

    The default. This setting allows the router to detect which LMI type is being used by communicating with the switch and to then use that type. If autosense fails, the router will use the Cisco LMI type. DLCI: Enter the DLCI in this field. This number must be unique among all DLCIs used on this interface.
  • Page 90 FDL. The default is none. If T1 or E1 framing is set to sf, Cisco SDM will set FDL to none and make this field read-only. Line Build Out (LBO): This field is used to configure the line build out (LBO) of the link.
  • Page 91: Configuring A Dsl Connection

    Step 1 If you want to review the IOS CLI commands that you send to the router when you complete the configuration, go to the Cisco SDM toolbar, and click Edit > Preferences > Preview commands before delivering to router.
  • Page 92: Dsl Connection Reference

    Chapter 5 Configuring WAN Connections, Configuring a DSL Connection. Step 7 Cisco SDM displays the Summary screen when you have completed the configuration. Review the configuration. If you need to make changes, click Back to return to the screen in which you need to make changes, then return to the Summary screen.
  • Page 93 Click the Dynamic DNS button to configure dynamic DNS. IP Address: ATM with RFC 1483 Routing. Choose the method that the WAN interface will use to obtain an IP address.
  • Page 94: Ip Address: Atm With Rfc 1483 Routing

    In this window, choose the type of encapsulation that the WAN link will use. Ask your service provider or network administrator which type of encapsulation is used for this link. The interface type determines the types of encapsulation available.
  • Page 95 Note: Cisco SDM supports autodetect on SB106, SB107, Cisco 836, and Cisco 837 routers. However, if you are configuring a Cisco 837 router and the router is running Cisco IOS Release 12.3(8)T or 12.3(8.3)T, the autodetect feature is not supported.
  • Page 96: Pvc

    VPI, all cells on that particular virtual path are switched regardless of the VCI. An ATM switch may route according to VCI, VPI, or both VCI and VPI.
  • Page 97 Cisco IOS Default Values The values shown in the following table are Cisco IOS defaults. Cisco SDM will not overwrite these values if they have been changed during a prior configuration, but if your router has not been previously configured, these are the values that will...
  • Page 98: Configuring An Isdn Connection

    Step 1 If you want to review the IOS CLI commands that you send to the router when you complete the configuration, go to the Cisco SDM toolbar, and click Edit > Preferences > Preview commands before delivering to router.
  • Page 99: Isdn Wizard Welcome Window

    ISDN Wizard Welcome Window: PPP is the only type of encoding supported over an ISDN BRI by Cisco SDM. IP Address: ISDN BRI or Analog Modem: Choose the method that the ISDN BRI or analog modem interface will use to obtain an IP address.
  • Page 100: Switch Type And Spids

    ISDN BRI for Norway NET3, Australia NET3, and New Zealand NET3 switch types; ETSI-compliant switch types for Euro-ISDN E-DSS1 signaling system. vn3—French ISDN BRI switches. For Japan: ntt—Japanese NTT ISDN switches.
  • Page 101: Dial String

    This is the phone number that the ISDN BRI or analog modem interface will dial whenever a connection is made. The dial string is provided to you by your service provider.
  • Page 102: Configuring An Aux Backup Connection

    Step 1 If you want to review the IOS CLI commands that you send to the router when you complete the configuration, go to the Cisco SDM toolbar, and click Edit > Preferences > Preview commands before delivering to router.
  • Page 103: Aux Backup Welcome Window

    ...primary WAN interface. The Aux dial-backup option is not shown if any of the following conditions exist: • The router is not using a Cisco IOS image that supports the Aux dial-backup feature. • A primary WAN interface is not configured.
  • Page 104: Backup Configuration: Primary Interface And Next Hop Ip Addresses

    Prerequisites: Note the following prerequisites: • The primary interface must be configured for site-to-site VPN. • The Cisco IOS image on your router must support the SAA ICMP Echo Enhancement feature. Backup Configuration: Primary Interface and Next Hop IP Addresses...
  • Page 105: Backup Configuration: Hostname Or Ip Address To Be Tracked

    Step 1 If you want to review the IOS CLI commands that you send to the router when you complete the configuration, go to the Cisco SDM toolbar, and click Edit > Preferences > Preview commands before delivering to router.
  • Page 106: Analog Modem Connection Reference

    Step 6 Click Next to go to the subsequent screens to configure the connection. Step 7 Cisco SDM displays the Summary screen when you have completed the configuration. Review the configuration. If you need to make changes, click Back to return to the screen in which you need to make changes, then return to the Summary screen.
  • Page 107: Configuring A Cable Modem Connection

    Step 1 If you want to review the IOS CLI commands that you send to the router when you complete the configuration, go to the Cisco SDM toolbar, and click Edit > Preferences > Preview commands before delivering to router.
  • Page 108: Select Interface

    Summary The Summary screen shows the configuration you are sending to the router. Cisco SDM configures a cable modem connection as a DHCP client. The following lines show a cable modem connection with no NAT or static route configuration...
  • Page 109 Element: Test the connectivity after configuring. Description: Check this box if you want Cisco SDM to test the connection you have configured after it delivers the commands to the router. Cisco SDM will test the connection and report results in another window.
  • Page 111: Edit Interface/Connection

    Click Add to create a new loopback or tunnel interface. If the Cisco IOS image on the router supports Virtual Template Interfaces (VTI), the context menu contains an option to add a VTI.
  • Page 112 If the test fails, information about why the test may have failed is given, along with the steps you need to take to correct the problem.
  • Page 113 If Cisco SDM is running on a Cisco 7000 family router, you will be able to create a connection only on Ethernet and Fast Ethernet interfaces. IP Address This column can contain the following types of IP addresses: The configured IP address of the interface.
  • Page 114 If the named item has a configured value, it is displayed in this column. Why Are Some Interfaces or Connections Read-Only? There are many conditions that can prevent Cisco SDM from modifying a previously configured interface or subinterface. For reasons why a previously configured serial interface or subinterface may •...
  • Page 115: Connection: Ethernet For Irb

    Enable dynamic DNS if you want to update your DNS servers automatically whenever the WAN interface IP address changes. Note This feature appears only if supported by the Cisco IOS release on your router. To choose a dynamic DNS method to use, do one of the following: Enter the name of an existing dynamic DNS method.
  • Page 116: Connection: Ethernet For Routing

    Enter the IP address of the DHCP server that will provide addresses to devices on the LAN. Dynamic DNS Enable dynamic DNS if you want to update your DNS servers automatically whenever the WAN interface IP address changes.
  • Page 117: Existing Dynamic Dns Methods

    Note This feature appears only if supported by the Cisco IOS release on your router. To choose a dynamic DNS method to use, do one of the following: Enter the name of an existing dynamic DNS method.
  • Page 118 > Router Properties > Edit > Domain, or if you want to override the configured domain name. When updating the interface IP address, the dynamic DNS method sends the domain name along with the interface’s new IP address.
  • Page 119: Wireless

    Any packet that the rule does not permit is dropped and will not be routed to another interface. When you apply a rule to the inbound
  • Page 120 You can use the chosen interface in a VPN by associating it with an IPsec policy. IPsec Policy The configured IPsec policy associated with this interface. To associate the interface with an IPsec policy, choose the policy from this list.
  • Page 121: Nat

    Outside. If you have chosen an interface that cannot be used in a NAT configuration, such as a logical interface, this field is disabled and contains the value Not Supported.
  • Page 122: Edit Switch Port

    Choose the speed to match the network to which the switch port will be connected. Or choose auto to allow for the speed to be automatically set to the optimal value.
  • Page 123: Application Service

    Netflow statistics for the interface can be monitored by going to Monitor > Interface Status. Netflow top talkers and top protocols can be monitored by going to Monitor > Traffic Status > Top N Traffic Flows.
  • Page 124: General

    In this field you can enter a short description of the interface configuration. This description is visible in the Edit Interfaces and Connections window. A description, such as “Accounting” or “Test Net 5,” can help other Cisco SDM users understand the purpose of the configuration.
  • Page 125 LANs with an equal security level, and only when necessary. IP Route Cache-Flow This option enables the Cisco IOS Netflow feature. Using Netflow, you can determine packet distribution, protocol distribution, and current flows of data on the router. This information is useful for certain tasks, such as searching for the source of a spoofed IP address attack.
  • Page 126: Select Ethernet Configuration Type

    LAN interface or as a WAN interface. When you configure an interface using Cisco SDM, you designate it as an inside or outside interface, and Cisco SDM adds a descriptive comment to the configuration file based on your designation.
  • Page 127: Connection: Vlan

    ID, IP address and mask, and a description, if one was entered. For example, if the router had the interface FastEthernet1, and the subinterfaces FastEthernet1.3 and FastEthernet1.5 are configured, this window might contain the following display
  • Page 128: Add Or Edit Bvi Interface

    This window enables you to add a loopback interface to the chosen interface. IP Address Choose whether the loopback interface is to have no IP address or a static IP address.
  • Page 129: Connection: Virtual Template Interface

    Tunnel Mode Choose IPSec-IPv4. Connection: Ethernet LAN Use this window to configure the IP address DHCP properties of an Ethernet interface that you want to use as a LAN interface.
  • Page 130: Connection: Ethernet Wan

    Click this option if the connection must use Point-to-Point Protocol over Ethernet (PPPoE) encapsulation. Your service provider can tell you whether the connection uses PPPoE. When you configure a PPPoE connection, a dialer interface is automatically created.
  • Page 131 WAN interface IP address changes. Note This feature appears only if supported by the Cisco IOS release on your router. To choose a dynamic DNS method to use, do one of the following: Enter the name of an existing dynamic DNS method.
  • Page 132: Connection: Ethernet Properties

    Available with PPPoE encapsulation and with no encapsulation. If you choose Dynamic, the router will lease an IP address from a remote DHCP server. Enter the name of the DHCP server that will assign addresses.
  • Page 133 Enable dynamic DNS if you want to update your DNS servers automatically whenever the WAN interface IP address changes. Note This feature appears only if supported by the Cisco IOS release on your router. To choose a dynamic DNS method to use, do one of the following: Enter the name of an existing dynamic DNS method.
  • Page 134: Connection: Ethernet With No Encapsulation

    Enable dynamic DNS if you want to update your DNS servers automatically whenever the WAN interface IP address changes. Note This feature appears only if supported by the Cisco IOS release on your router. To choose a dynamic DNS method to use, do one of the following: Enter the name of an existing dynamic DNS method.
  • Page 135: Connection: Adsl

    If you are editing an existing connection, this field is disabled. If you need to change this value, delete the connection and re-create it using the value you need.
  • Page 136 ADSL line to train in the ANSI T1.413 Issue 2 mode. • itu-dmt—Configure the ADSL line to train in the ITU G.992.1 mode.
  • Page 137 Enable dynamic DNS if you want to update your DNS servers automatically whenever the WAN interface IP address changes. Note This feature appears only if supported by the Cisco IOS release on your router. To choose a dynamic DNS method to use, do one of the following: Enter the name of an existing dynamic DNS method.
  • Page 138: Connection: Adsl Over Isdn

    The virtual circuit identifier (VCI) is used in ATM switching and routing to identify a particular connection within a path that your connection may share with other connections. Obtain this value from your service provider.
  • Page 139 Operating Mode Choose the mode that the ADSL line should use when training. Note If the Cisco IOS release you are running on the router does not support all five operating modes, you will see options only for the operating modes supported by your Cisco IOS release.
  • Page 140: Connection: G.shdsl

    Enable dynamic DNS if you want to update your DNS servers automatically whenever the WAN interface IP address changes. Note This feature appears only if supported by the Cisco IOS release on your router. To choose a dynamic DNS method to use, do one of the following: Enter the name of an existing dynamic DNS method.
  • Page 141 If you are editing an existing connection, this field is disabled. If you need to change this value, delete the connection and re-create it using the value you need.
  • Page 142 Internet or your organization’s WAN. Equipment Type Choose one of the values below: Customer premises equipment. If the encapsulation type is PPPoE, CPE is automatically chosen and the field is disabled.
  • Page 143 Enable dynamic DNS if you want to update your DNS servers automatically whenever the WAN interface IP address changes. Note This feature appears only if supported by the Cisco IOS release on your router. To choose a dynamic DNS method to use, do one of the following: Enter the name of an existing dynamic DNS method.
  • Page 144: Connection: Cable Modem

    If you enter a decimal value, the bit value is automatically updated. If you enter a bit value, the decimal value is automatically updated.
  • Page 145: Configure Dsl Controller

    Configure DSL Controller Cisco SDM supports the configuration of the Cisco WIC-1SHDSL-V2. This WIC supports T1, E1, or a G.SHDSL connection over an ATM interface. Cisco SDM only supports a G.SHDSL connection using the ATM interface. This window lets you set the controller mode on the WIC to ATM, enabling a G.SHDSL connection, and lets you create or edit DSL controller information for the G.SHDSL...
  • Page 146 A higher dB setting causes the modem to restrict noise, potentially resulting in a connection of higher quality but lower throughput. Snext Choose the Self near-end crosstalk (Snext) signal-to-noise ratio margin in decibels.
  • Page 147: Add A G.shdsl Connection

    If you are editing an existing connection, this field is disabled. If you need to change this value, delete the connection and recreate it using the value you need.
  • Page 148 If you select this option, you must specify from the drop-down list the Ethernet interface whose address you want to use. Description Enter a description of this connection that makes it easy to recognize and manage.
  • Page 149 Enable dynamic DNS if you want to automatically update your DNS servers whenever the WAN interface’s IP address changes. Note This feature appears only if supported by your Cisco server’s IOS. To choose a dynamic DNS method to use, do one of the following: Enter the name of an existing dynamic DNS method.
  • Page 150: Connection: Serial Interface, Frame Relay Encapsulation

    If you chose IP unnumbered, the interface will share an IP address that has already been assigned to another interface. Choose the interface whose IP address this interface is to share.
  • Page 151 ITU-T Q.933 Annex A. Autosense Default. This setting allows the router to detect which LMI type is used by the switch and then use that type. If autosense fails, the router will use the Cisco LMI type. Use IETF Frame Relay Encapsulation Check this check box to use Internet Engineering Task Force (IETF) encapsulation.
  • Page 152 WAN interface IP address changes. Note This feature appears only if supported by the Cisco IOS release on your router. To choose a dynamic DNS method to use, do one of the following: Enter the name of an existing dynamic DNS method.
  • Page 153: Connection: Serial Interface, Ppp Encapsulation

    Subnet Bits Alternatively, enter the network bits to specify how many bits in the IP address provide the network address. Authentication Click if you need to enter CHAP authentication information.
  • Page 154 WAN interface IP address changes. Note This feature appears only if supported by the Cisco IOS release on your router. To choose a dynamic DNS method to use, do one of the following: Enter the name of an existing dynamic DNS method.
  • Page 155: Connection: Serial Interface, Hdlc Encapsulation

    In most cases, clock settings should not be changed from the default values. If you know that your requirements are different from the defaults, click and adjust the clock settings in the window displayed.
  • Page 156: Add Or Edit Gre Tunnel

    Enable dynamic DNS if you want to update your DNS servers automatically whenever the WAN interface IP address changes. Note This feature appears only if supported by the Cisco IOS release on your router. To choose a dynamic DNS method to use, do one of the following: Enter the name of an existing dynamic DNS method.
  • Page 157 Enter the maximum transmission unit (MTU) size. If you want the size adjusted to a lower value when the adjustment would avoid packet fragmentation, click Adjust MTU to avoid fragmentation. Bandwidth Click to specify the bandwidth for this tunnel in kilobytes.
  • Page 158: Connection: Isdn Bri

    Connection: ISDN BRI Complete these fields if you are configuring an ISDN BRI connection. Because Cisco SDM supports only PPP encapsulation over an ISDN BRI connection, the encapsulation shown is not editable. Encapsulation chosen. ISDN Switch Type Choose the ISDN switch type.
  • Page 159 Specify an IP address, complete the fields below. IP Address Enter the IP address for this point-to-point subinterface. Obtain this value from your network administrator or service provider. For more information, see Addresses and Subnet Masks.
  • Page 160 Enable dynamic DNS if you want to update your DNS servers automatically whenever the WAN interface IP address changes. Note This feature appears only if supported by the Cisco IOS release on your router. To choose a dynamic DNS method to use, do one of the following: Enter the name of an existing dynamic DNS method.
  • Page 161: Connection: Analog Modem

    Connection: Analog Modem Complete these fields if you are configuring an analog modem connection. Because Cisco SDM supports only PPP encapsulation over an analog modem connection, the encapsulation shown is not editable. Encapsulation chosen. Remote Phone Number Enter the phone number of the destination of the analog modem connection.
  • Page 162 Enable dynamic DNS if you want to update your DNS servers automatically whenever the WAN interface IP address changes. Note This feature appears only if supported by the Cisco IOS release on your router. To choose a dynamic DNS method to use, do one of the following: Enter the name of an existing dynamic DNS method.
  • Page 163: Connection: (Aux Backup)

    Complete these fields if you are configuring an asynchronous dial-up connection using the console port to double as an AUX port on a Cisco 831 or 837 router. Once you enter the information in this window, click Backup Details and enter dial-backup information, which is required for this type of connection.
  • Page 164 Click if you need to enter CHAP authentication information. Dynamic DNS Enable dynamic DNS if you want to update your DNS servers automatically whenever the WAN interface IP address changes.
  • Page 165: Authentication

    Note This feature appears only if supported by the Cisco IOS release on your router. To choose a dynamic DNS method to use, do one of the following: Enter the name of an existing dynamic DNS method.
  • Page 166: Spid Details

    Enter the SPID to the first BRI B channel provided to you by your ISP. SPID2 Enter the SPID to the second BRI B channel provided to you by your ISP.
  • Page 167: Dialer Options

    Idle timeout Enter the number of seconds that are allowed to pass before an idle connection (one that has no traffic passing over it) is terminated.
  • Page 168 Enter a number between 1 and 255, where 255 equals 100 percent of bandwidth on the first connection being utilized. Data Direction Cisco SDM supports Multilink PPP only for outbound network traffic.
  • Page 169: Backup Configuration

    Specify an infrequently contacted destination as the site to be tracked. Track Object Number This is a read-only field that displays an internal object number generated and used by Cisco SDM for tracking the connectivity to the remote host.
  • Page 170: Delete Connection

    This is known as the next hop IP address. If you do not enter next hop IP addresses, Cisco SDM will configure static routes using the interface name. Note that when you back up a multipoint...
  • Page 171 Connections. Click the connection in the Interface List, and then click Edit. Click the Association tab, then in the VPN group, in the IPSec Policy field, click None.
  • Page 172: Connectivity Testing And Troubleshooting

    Connectivity Testing and Troubleshooting This window allows you to test a configured connection by pinging a remote host. If the ping fails, Cisco SDM reports the probable cause and suggests actions you can take to correct the problem. Which connection types can be tested? Cisco SDM can troubleshoot ADSL, G.SHDSL V1 and G.SHDSL V2...
  • Page 173 When Cisco SDM troubleshoots a connection, it performs a more extensive check than the basic ping test. If the router fails a test, Cisco SDM performs additional checks so it can provide you with the possible reasons for failure. For example, if Layer 2 status is down, Cisco SDM attempts to determine the reason(s), reports them, and recommends actions you can take to rectify the problem.
  • Page 174 Specify the server name to ping to test WAN interface. Automatically determined by SDM Cisco SDM pings its default host to test WAN interface. Cisco SDM detects the router's statically configured DNS servers, and dynamically imported DNS servers. Cisco SDM pings these servers, and if successful pings exit through the interface under test, Cisco SDM reports success.
  • Page 175 Test is successful. Test failed. Reason This box provides the possible reason(s) for the WAN interface connection failure. Recommended action(s) This box provides a possible action/solution to rectify the problem.
  • Page 176 Click the Save Report button to save the test report in HTML format. This button is active only while a test is in progress or after testing is complete.
  • Page 177: Wide Area Application Services

    Wide Area Application Services Cisco’s Wide Area Application Services (WAAS) is a WAN optimization and application acceleration solution that enables branch office server consolidation, improves performance for centralized applications, and provides remote users with LAN-like access to applications, storage, and content across the WAN.
  • Page 178: Configuring A Waas Connection

    WAAS. Complete the following steps to configure a WAAS connection: Step 1 If you want to review the Cisco IOS CLI commands that you send to the router when you complete the configuration, go to the Cisco SDM toolbar, and click Edit >...
  • Page 179: Waas Reference

    Choose the interface on which you want to send the registration request. The interface that you choose must have a route to the WAAS CM network. Click OK. Cisco SDM displays a username and password dialog box. Enter the username and password required to log in to the CM.
  • Page 180: Nm Waas

    WAAS configuration screens. From this screen, Cisco SDM allows you to log in to the WAAS Central Manager (CM) so that you can register the edge WAE, and view the registration status sent by the CM.
  • Page 181 • Active—The Edge WAE is registered with the WAAS central manager. Cisco SDM displays a green icon when the Edge WAE is registered. • Inactive—The Edge WAE is not registered with the WAAS central manager. Cisco SDM displays a red icon when the Edge WAE is not registered.
  • Page 182: Integrated Service Engine

    Table 7-2 Integrated Service Engine Tab. Element: Router IP Address, IP Address. Description: Enter the IP address of the router interface that is to redirect traffic to the WAAS service module.
  • Page 183: Wccp

    WCCP Configure WCCP settings in this screen. WCCP settings specify the router interfaces that redirect traffic to the WAAS NM, and information about the WAAS
  • Page 184: Central Manager Registration

    Enter the IP Address of the WAAS Central Manager. Primary Interface Choose the router interface on which the registration request should be sent. The interface must have a route to the WAAS Central Manager’s network.
  • Page 185: Create Firewall

    configure a firewall. Basic Firewall Click this if you want Cisco SDM to create a firewall using default rules. The use case scenario shows a typical network configuration in which this kind of firewall is used.
  • Page 186 Advanced Firewall Click this if you want Cisco SDM to lead you through the steps of configuring a firewall. You have the option to create a network, and to specify an inspection rule. The use case scenario shown when you select this option shows you a typical configuration for an Internet firewall.
  • Page 187 Advanced Firewall. If your router has multiple inside and outside interfaces, and you want to configure a DMZ, you should select this option. Selected Task. Cisco SDM will show you the default inspection rule and allow you to use it in the firewall. Or, you can create your own inspection rule.
  • Page 188: Basic Firewall Configuration Wizard

    Check this box if you want users outside the firewall to be able to access the router using Cisco SDM. The wizard will display a screen that allows you to specify a host IP address or a network address. The firewall will be modified to allow access to the address you specify.
  • Page 189: Configuring Firewall For Remote Access

    You can specify the router interfaces to use for remote management access and the hosts from which administrators can log on to Cisco SDM to manage the router. The firewall will be modified to allow secure remote access from the host or network that you specify.
  • Page 190: Advanced Firewall Dmz Service Configuration

    Check this box if you want users outside the firewall to be able to access the router using Cisco SDM. The wizard will display a screen that allows you to specify a host IP address or a network address. The firewall will be modified to allow access to the address you specify.
  • Page 191: Dmz Service Configuration

    End IP Address Enter the last IP address in the range; for example, 172.20.1.254. If NAT is enabled, you must enter the NAT-translated address.
  • Page 192: Application Security Configuration

    Application Security Configuration Cisco SDM provides preconfigured application security policies that you can use to protect the network. Use the slider bar to select the security level that you want and to view a description of the security it provides.
  • Page 193: Domain Name Server Configuration

    Check the Filter HTTP Request through URL Filter Server box to enable URL filtering by URL filter servers. URL Filter Server Type Cisco SDM supports the Secure Computing and Websense URL filter servers. Choose either Secure Computing or Websense to specify the type of URL filter server on the network.
  • Page 194: Zpf Inside Zones

    WAN. Inside (trusted) Check Inside (trusted) next to the interface name if you are using the interface to connect to the or other trusted network.
  • Page 195: Summary

    The summary screen uses plain language to describe the configuration. You can view the CLI commands that Cisco SDM delivers to the router by going to Edit > Preferences, and checking Preview commands before delivering to router. Inside (trusted) Interface(s) Cisco SDM lists the router’s logical and physical interfaces that you designated...
  • Page 196 Outside (untrusted) Interface(s) Cisco SDM lists the router logical and physical interfaces that you designated as outside interfaces in this wizard session, along with their IP addresses. Underneath, plain-language descriptions are given for each configuration statement applied to the outside interfaces.
  • Page 197: Sdm Warning: Sdm Access

    CLI commands that you are delivering to the router. SDM Warning: SDM Access This window appears when you have indicated that Cisco SDM should be able to access the router from outside interfaces. It informs you that you must ensure that SSH and HTTPS are configured, and that at least one of the interfaces designated as outside is configured with a static IP address.
  • Page 198 Step 6 Check HTTPS and SSH to allow those protocols. Step 7 Click OK to close the dialog. Step 8 Click Apply Changes in the window that displays management access policies.
  • Page 199: How Do I

    To configure access rules for generating log entries: Step 1 From the left frame, select Additional Tasks. Step 2 In the Additional Tasks tree, click ACL Editor, and then click Access Rules.
  • Page 200 The table shows each router log entry generated by the firewall, including the time and the reason that the log entry was generated.
  • Page 201: How Do I Configure A Firewall On An Unsupported Interface

    After you have configured the unsupported interface using the CLI, you can use Cisco SDM to configure the firewall. The unsupported interface will appear as “Other” in the fields listing the router interfaces. How Do I Configure a Firewall After I Have Configured a VPN?
  • Page 202: How Do I Permit Specific Traffic Through A Dmz Interface

    server(s). Step 9 From the Service field, select TCP. Step 10 In the Port field, enter 80 or www. Step 11 Click Next>. Step 12 Click Finish.
  • Page 203: How Do I Modify An Existing Firewall To Permit Traffic From A New Network Or Host

    How Do I Configure NAT on an Unsupported Interface? Cisco SDM can configure Network Address Translation (NAT) on an interface type unsupported by Cisco SDM. Before you can configure the firewall, you must first use the router to configure the interface. The interface must have, at a minimum, an IP address configured, and it must be working.
  • Page 204: How Do I Configure Nat Passthrough For A Firewall

    How Do I Permit Traffic Through a Firewall to My Easy VPN Concentrator? In order to permit traffic through your firewall to a VPN concentrator, you must create or modify access rules that permit the traffic. To create these rules:
  • Page 205 • Protocol UDP, Source Port 500, Destination Port 500 • Protocol IP, IP Protocol ESP • Protocol UDP, Source Port 10000, Destination Port 10000 Step 16 Click OK.
  • Page 206: How Do I Associate A Rule With An Interface

    How Do I... How Do I Associate a Rule with an Interface? If you use the Cisco SDM Firewall wizard, the access and inspection rules that you create are automatically associated with the interface for which you created the firewall. If you are creating a rule in Additional Tasks/ACL Editor, you can...
  • Page 207: How Do I Delete A Rule That Is Associated With An Interface

    How Do I Delete a Rule That Is Associated with an Interface? Cisco SDM does not allow you to delete a rule that is associated with an interface; you must first remove the association between the rule and the interface, and then delete the access rule.
  • Page 208 DMZ. If you do not have a DMZ network, you can still permit specified types of outside traffic onto your network, using the Firewall Policy feature. Step 1 Configure a firewall using the Firewall wizard.
  • Page 209 Step 5 Create the entries you need in the rule entry dialog. You must click Add for each entry you want to create. Step 6 The entries you create will appear in the entry list in the Service area.
  • Page 210 Chapter 8 Create Firewall How Do I...
  • Page 211: Network

    Wizard is the easiest way to apply access rules and inspection rules to the inside and outside interfaces you identify, and will allow you to configure a DMZ interface and specify the services that should be allowed onto the DMZ network.
  • Page 212 For a use case example, see Firewall Policy Use Case Scenario. Note: If the router is using a Cisco IOS image that does not support the Firewall feature set, only the Services area will be displayed, and you will only be able to create access control entries.
  • Page 213: Choose A Traffic Flow

    Traffic flow refers to traffic that enters the router on a specified interface (the from interface) and exits the router on a specified interface (the to interface). The Cisco SDM traffic-flow display controls are located in a row at the top of the Edit Firewall Policy/ACL window.
  • Page 214: Examine The Traffic Diagram And Choose A Traffic Direction

    Firewall Policy Edit Firewall Policy/ACL Cisco SDM displays interfaces that have IP addresses in alphabetical order in both the From and To drop-down lists. By default, Cisco SDM chooses the first interface in the From list, and the second interface in the To list. Use the From and To drop-down lists to choose a different traffic flow.
  • Page 215 A magnifying glass indicates that an inspection rule is being applied. A firewall icon in the router indicates that a firewall has been applied to the Originating traffic flow. Cisco SDM displays a firewall icon if the following sets of criteria are met: • There is an inspection rule applied to Originating traffic on the...
  • Page 216: Make Changes To Access Rules

    An icon placed on the To interface traffic line indicates a rule filtering traffic outbound from the router. If you place the mouse over this icon, Cisco SDM will display the names of the rules that have been applied.
  • Page 217 Firewall Policy Edit Firewall Policy/ACL Service Area Header Fields
    Firewall Feature Availability: If the Cisco IOS image that the router is using supports the Firewall feature, this field contains the value Available.
    Access Rule: The name or number of the access rule whose entries are being displayed.
  • Page 218 Click to paste an entry on the clipboard to the chosen rule. You will be prompted to specify whether you want to paste the entry before or after the currently chosen entry. If Cisco SDM determines that an identical entry already exists in the access rule, it displays the Add an Extended Rule Entry window so that you can modify the entry.
  • Page 219 If there is an existing standard rule that filters the returning traffic flow to which you are applying the firewall, Cisco SDM informs you that it will convert the standard access rule to an extended rule. Service Area Entry Fields The following table describes the icons and other data in the Service Area entries.
  • Page 220: Make Changes To Inspection Rules

    Firewall Policy window description see Edit Firewall Policy/ACL. Make Changes to Inspection Rules The Applications area appears if the Cisco IOS image running on the router supports CBAC Inspection rules. The Applications area displays the inspection rule entries that are filtering the traffic flow, and is updated whenever a new traffic flow is chosen.
  • Page 221 Cisco SDM default inspection rule, or you can create and add a custom inspection rule. If you add the Cisco SDM default inspection rule to a traffic flow with no inspection rule, it will be associated with the inbound traffic to the From interface.
  • Page 222: Add App-Name Application Entry

    To return to the main Firewall Policy window description see Edit Firewall Policy/ACL. Add App-Name Application Entry Use this window to add an application entry that you want the Cisco IOS firewall to inspect. Alert Action Choose one of the following: default-on—Leave as default.
  • Page 223: Add Fragment Application Entry

    Edit Firewall Policy/ACL window, and you can specify Alert, Audit, and Timeout settings. A fragment entry sets the maximum number of unreassembled packets that the router should accept before dropping them.
  • Page 224: Add Or Edit Http Application Entry

    Use this window to add an http application to the inspection rule. Alert Action Choose one of the following:
    • default-on—Leave as default. Default value is on.
    • on—Enable alert.
    • off—Disable alert.
  • Page 225: Java Applet Blocking

    • Do Not Block (Permit)—Permit Java applets from this network or host.
    • Block (Deny)—Deny Java applets from this network or host.
    Host/Network Specify the network or the host.
  • Page 226: Cisco Sdm Warning: Inspection Rule

    To interface. Two inspection rules may not harm the functioning of the router, but they may be unnecessary. Cisco SDM allows you to keep the inspection rules the way they are, to remove the inspection rule on the From interface, or to remove the inspection rule on the To interface.
  • Page 227: Cisco Sdm Warning: Firewall

    • Keep inspection rule name on <interface-name> outbound and dissociate inspection rule name on <interface-name> inbound—Cisco SDM will keep one inspection rule, and dissociate the rule from the other interface. Before you make a selection and click OK, you may want to click Cancel, then determine if you need to add entries to the inspection rule you want to retain.
  • Page 228 + button to the left of the policy name. An expanded view of a firewall policy might look similar to the following:
    Traffic Classification (Source, Destination, Service) | Action | Rule Options
    clients-servers-policy (clients to servers) | Permit Firewall
  • Page 229 Step 2 In the Add a Rule screen, specify the source zone by clicking the button to the right of the Source Zone field and selecting an existing zone or creating a new zone.
  • Page 230 Flow Diagram for that policy. The Rule Flow Diagram displays the source zone on the right of the router icon, and the destination zone on the left of the icon.
  • Page 231: Add A New Rule

    You can add multiple entries for the source and destination networks, and you can edit an existing entry by selecting it and clicking Edit.
  • Page 232: Add Traffic

    Choose Include to include this traffic in the rule. Choose Exclude to have this traffic excluded from the rule.
  • Page 233 Choose Create to configure a new policy map. Choose Select to apply an existing policy map to the traffic. The policy map name appears in the field when you are done.
  • Page 234: Inspect Parameter

    If you do make changes, you can change the name of the class map if you do not want your changes to apply to other policies that use the original class map.
  • Page 235: Delete Rule

    Step 2 Click the node for the type of class map that you are deleting. Step 3 Select the name of the class map that was displayed in the View Details window and click Delete.
  • Page 236 Step 2 Click the node for the type of ACL that you are deleting. Step 3 Select the name or number of the ACL that was displayed in the View Details window and click Delete.
  • Page 237: Application Security

    The application security drawers enable you to quickly navigate to the application security area in which you need to make changes.
  • Page 238 Applications/Protocols for more information. URL Filtering Drawer Click to add a list of URLs that you want the application security policy to filter. You can also add filtering servers.
  • Page 239: No Application Security Policy

    No Application Security Policy Cisco SDM displays this window when you click the Application Security tab, but no Application Security policy is configured on the router. You can create a policy from this window, and view the global settings that provide default values for the parameters that you can set when you create policies.
  • Page 240: E-Mail

    Global Settings Global settings provide the default timeouts, thresholds, and other values for policy parameters. Cisco SDM provides defaults for each parameter, and you can change each value to define a new default that will apply unless overridden for a specific application or protocol.
  • Page 241: Instant Messaging

    The SDM_HIGH profile blocks IM applications. If the router uses the SDM_HIGH profile, and it does not block IM applications, those applications may have connected to a new server that is not specified in the profile. To enable...
  • Page 242: Peer-To-Peer Applications

    • Note: IM applications are able to communicate over nonnative protocol ports, such as HTTP, and through their native TCP and UDP ports. Cisco SDM configures block and permit actions based on the native port for the application, and always blocks communication conducted over HTTP ports.
  • Page 243: Url Filtering

    • Note: Peer-to-peer applications are able to communicate over nonnative protocol ports, such as HTTP, and through their native TCP and UDP ports. Cisco SDM configures block and permit actions based on the native port for the application, and always blocks communication conducted over HTTP ports.
  • Page 244: Http

    Check if you want Cisco SDM to examine HTTP traffic for packets that are generated by tunneling applications. Use the Permit, Block, and Alarm controls to specify the action that you want Cisco SDM to take when it encounters this type of traffic.
  • Page 245: Header Options

    HTTP servers to fetch URLs, web pages, and perform other actions. To learn about the buttons and drawers available in the Application Security tab, click Application Security Windows.
  • Page 246: Content Options

    Use the permit, block, and alarm controls to specify the action the router takes if requests cannot be matched with responses, and when it encounters an unknown content type.
  • Page 247 RFC 1951, DEFLATE Compressed Data Format Specification version 1.3.
    gzip checkbox: The encoding format produced by the GNU zip (“gzip”) program.
    Identity checkbox: Default encoding, which indicates that no encoding has been performed.
  • Page 248: Applications/Protocols

    Example: If you want to display all Cisco applications, click the Applications branch folder, and then click the Cisco folder. You will see applications like clp, cisco-net-mgmt, and cisco-sys.
  • Page 249: Timeouts And Thresholds For Inspect Parameter Maps And Cbac

    Global Timer values can be specified in seconds, minutes, or hours. TCP Connection Timeout Value: Amount of time to wait for a connection to be established. The default value is 30 seconds.
  • Page 250 The default value is 400 sessions. High: Start deleting new connections when the number of new connections exceeds this value. The default value is 500 sessions.
  • Page 251 400 sessions for Cisco IOS releases older than 12.4(11)T. When a Low value is not explicitly set, Cisco IOS will stop deleting new sessions when the number of sessions drops to 400. For Cisco IOS release 12.4(11)T and later, the default value is unlimited.
  • Page 252: Associate Policy With An Interface

    • on—Generate an audit trail when traffic of this type is encountered.
    • off—Do not generate an audit trail when traffic of this type is encountered.
  • Page 253: Permit, Block, And Alarm Controls

    Block to deny traffic. If you want an alarm to be sent to the log when this type of traffic is encountered, check Send Alarm. The Send Alarm control is not used in all windows.
  • Page 254 Chapter 10 Application Security Applications/Protocols Logging must be enabled for Application Security to send alarms to the log. For more information go to this link: Application Security Log.
  • Page 255: Site-To-Site Vpn

    VPNs can encrypt traffic sent over these lines and authenticate peers before any traffic is sent. You can let Cisco Router and Security Device Manager (Cisco SDM) guide you through a simple VPN configuration by clicking the VPN icon. When you use the Wizard in the Create Site-to-Site VPN tab, Cisco SDM provides default values for some configuration parameters in order to simplify the configuration process.
  • Page 256 You may want to configure a GRE tunnel if you need to connect networks that use different LAN protocols, or if you need to send routing protocols over the connection to the remote system.
  • Page 257
    • How Do I Configure a VPN After I Have Configured a Firewall?
    • How Do I Configure NAT Passthrough for a VPN?
    • How Do I Configure a DMVPN Manually?
  • Page 258: Site-To-Site Vpn Wizard

    Site-to-Site VPN Wizard You can have Cisco SDM use default settings for most of the configuration values, or you can let Cisco SDM guide you in configuring a VPN.
  • Page 259: View Defaults

    View Defaults This window displays the default Internet Key Exchange (IKE) policy, transform set, and IPSec rule that Cisco SDM will use to configure a Quick Setup site-to-site VPN. If you need a different configuration than this window shows, check Step-by-Step wizard so that you can define configuration values.
  • Page 260: Vpn Connection Information

    Click this button if the VPN peers use a pre-shared key to authenticate connections from each other. This key must be the same on each side of the VPN connection.
  • Page 261 Choose the interface on the router that will be the source of the traffic on this VPN connection. All traffic coming through this interface whose destination IP address is in the subnet specified in the Destination area will be encrypted.
  • Page 262: Ike Proposals

    This window lists all the Internet Key Exchange (IKE) policies that have been configured on the router. If no user-defined policies have been configured, the window lists the Cisco SDM default IKE policy. IKE policies govern the way that devices in a authenticate themselves.
  • Page 263 Create Site to Site VPN Encryption Cisco SDM supports a variety of encryption types, listed in order of security. The more secure an encryption type is, the more processing time it requires. • Note: Not all routers support all encryption types. Unsupported types will not...
  • Page 264 VPN connection is using. Type Either Cisco SDM Default or User Defined. If no User Defined policies have been created on the router, this window will show the default IKE policy. To add or edit an IKE policy: If you want to add an IKE policy that is not included in this list, click Add and create the policy in the window displayed.
  • Page 265: Transform Set

    Site-to-Site VPN Create Site to Site VPN Transform Set This window lists the Cisco SDM-default transform sets and the additional transform sets that have been configured on this router. These transform sets will be available for use by the or DMVPN. A...
  • Page 266 Add a transform set to the router’s configuration: Click Add, and create the transform set in the Add Transform Set window. Then click Next to continue VPN configuration.
  • Page 267: Traffic To Protect

    Select a transform set, and click Edit. Then, edit the transform set in the Edit Transform Set window. After editing the transform set, click Next to continue VPN configuration. Cisco SDM Default transform sets are read only and cannot be edited. Associate additional transform sets with this VPN: Select one transform set in this window, and complete the...
  • Page 268: Summary Of The Configuration

    Spoke Configuration If you have configured a DMVPN hub, you can have Cisco SDM generate a procedure that will assist you or other administrators in configuring DMVPN spokes. The procedure explains which options to select in the wizard, and what information to enter in spoke configuration windows.
  • Page 269: Spoke Configuration

    To save this configuration to the router’s running configuration and leave this wizard: Click Finish. Cisco SDM saves the configuration changes to the router’s running configuration. The changes will take effect immediately, but will be lost if the router is turned off.
  • Page 270: Secure Gre Tunnel (Gre-Over-Ipsec)

    Generic routing encapsulation (GRE) is a tunneling protocol developed by Cisco that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote points over an IP internetwork. By connecting multiprotocol subnetworks across a single-protocol backbone, IP tunneling using GRE allows a network to expand over that single-protocol backbone environment.
  • Page 271: Vpn Authentication Information

    Question marks (?) and spaces must not be used in the pre-shared key.
  • Page 272: Backup Gre Tunnel Information

    If the router stops receiving keepalive packets on the primary tunnel, then traffic is sent through the backup tunnel.
  • Page 273: Routing Information

    Select a dynamic routing protocol if this router is being used in a large deployment with a large number of networks in the GRE over IPSec VPN. Select static routing if a small number of networks will participate in the VPN.
  • Page 274: Static Routing Information

    Routing window. Check this box if you want to specify a static route for the tunnel, and select one of the following:
  • Page 275 Cisco SDM creates a default static route entry with the tunnel interface as the next hop. If a default route already exists, Cisco SDM modifies that route to use the tunnel interface as the next hop, replacing the interface that was originally there, and creates a new static entry to the tunnel destination network that specifies the interface in the original default route as the next hop.
  • Page 276: Select Routing Protocol

    Enabled with split tunneling. Enter the IP address of the network at the other end of the tunnel. Cisco SDM will create a static route entry for the packets with a destination address in that network. This field is disabled when Tunnel all traffic is selected.
  • Page 277: Summary Of Configuration

    To save this configuration to the router’s running configuration and leave this wizard: Click Finish. Cisco SDM saves the configuration changes to the router’s running configuration. The changes will take effect immediately, but will be lost if the router is turned off.
  • Page 278 When a connection contains multiple peers, their IP addresses or host names are separated by commas. Multiple peers might be configured to provide alternative routing paths for the VPN connection.
  • Page 279 Click to test a selected VPN tunnel. The results of the test will be shown in another window. Clear Connection Button Click to reset an established connection to a remote peer. This button is disabled if you have selected a dynamic site-to-site VPN tunnel.
  • Page 280: Add New Connection

    VPN connection to the local router. This button is disabled if you have selected a dynamic site-to-site VPN tunnel. Note: Any previously configured VPN connections detected by Cisco SDM that do not use ISAKMP crypto maps will appear as read-only entries in the VPN connection table and cannot be edited.
  • Page 281: Crypto Map Wizard: Welcome

    Then click OK in this window. Have Cisco Router and Security Device Manager (Cisco SDM) help you add a new crypto map to this connection: Check the Use Add Wizard box, and click OK. Cisco SDM will guide you in creating a new crypto map, and will...
  • Page 282: Crypto Map Wizard: Summary Of The Configuration

    Click this button, and then click OK to retain the tunnel definition but remove its association with the interface. You will be able to associate this definition with another router interface if you wish.
  • Page 283: Ping

    Select the IP address or host name of the peer device to see the IPSec policy configured for the tunnel to that device. The policy appears in the box under the peer IP address.
  • Page 284: Cisco Sdm Warning: Nat Rules With Acl

    VPN connections from functioning properly if it changes source IP addresses so that they don’t match the IPSec rule configured for the VPN. To prevent this from happening, Cisco SDM can convert these to NAT rules that use route maps. Route maps specify subnets that should not be translated.
  • Page 285: How Do I

    From the left frame, select VPN. Step 2 Select Create a Site-to-Site VPN. Step 3 Click Launch the Selected Task. The VPN Wizard starts. Step 4 Click Quick Setup. Step 5 Click Next>.
  • Page 286 Step 7 You can enter the same IP address that you entered when you created the initial VPN connection. This indicates that this second VPN connection should use the...
  • Page 287: After Configuring A Vpn, How Do I Configure The Vpn On The Peer Router

    To generate a template configuration for the peer VPN router: Step 1 From the left frame, select VPN. Step 2 Select Site-to-Site VPN in the VPN tree, and then click the Edit tab.
  • Page 288: How Do I Edit An Existing Vpn Tunnel

    Step 1 From the left frame, select VPN. Step 2 Select Site-to-Site VPN in the VPN tree, and then click the Edit tab. Step 3 Click the connection that you want to edit.
  • Page 289: How Do I Confirm That My Vpn Is Working

    How Do I Confirm That My VPN Is Working? You can verify that your connection is working by using the Monitor mode in Cisco SDM. If your VPN connection is working, Monitor mode will display the VPN connection by identifying the source and destination peer IP addresses.
  • Page 290: How Do I Configure A Backup Peer For My Vpn

    Step 8 To add additional peers, repeat Step 4 through Step 8. How Do I Accommodate Multiple Devices with Different Levels of VPN Support? To add multiple transform sets to a single crypto map:
  • Page 291: How Do I Configure A Vpn On An Unsupported Interface

    “Up.” After you have configured the unsupported interface using the CLI, you can use Cisco SDM to configure your VPN connection. The unsupported interface will appear in the fields that require you to choose an interface for the VPN connection.
  • Page 292: How Do I Configure A Vpn After I Have Configured A Firewall

    Cisco SDM, you will receive a warning message informing you that Cisco SDM will configure NAT so that it does not translate VPN traffic. You must accept the message so that Cisco SDM will create the necessary ACLs to protect your VPN traffic from translation.
  • Page 293 Step 13 In the Description field, enter a short description of the network or host. Step 14 Click OK. The new rule now appears in the Access Rules table.
  • Page 294 Chapter 11 Site-to-Site VPN How Do I...
  • Page 295: Easy Vpn Remote

    Cisco Unity Client Protocol, which allows most VPN parameters to be defined at a Cisco IOS Easy VPN server. This server can be a dedicated VPN device, such as a Cisco VPN 3000 concentrator or a Cisco PIX Firewall or a Cisco IOS router that supports the Cisco Unity Client Protocol.
  • Page 296: Creating An Easy Vpn Remote Connection

    Step 1 If you want to review the IOS CLI commands that you send to the router when you complete the configuration, go to the Cisco SDM toolbar, and click Edit > Preferences > Preview commands before delivering to router. The preview screen allows you to cancel the configuration if you want to.
  • Page 297: Create Easy Vpn Remote Reference

    Step 11 If you checked Preview commands before delivering to router in the Edit Preferences screen, the Cisco IOS CLI commands that you are sending are displayed. Click OK to send the configuration to the router, or click Cancel to discard it.
  • Page 298 Creating an Easy VPN Remote Connection Create Easy VPN Remote Cisco SDM allows you to configure your router as a client to an Easy VPN server or concentrator. Your router must be running a Cisco IOS software image that supports Easy VPN Phase II. The Create Easy VPN Remote tab enables you to launch the Easy VPN Remote wizard.
  • Page 299 This wizard guides you through the configuration of an Easy VPN Remote Phase II Client. If the router is not running a Cisco IOS image that supports Easy VPN Remote Note Phase II or later, you will not be able to configure an Easy VPN client.
  • Page 300 Edit: To change the IP address information for a device, choose an entry and click Edit. Delete: To remove an entry for an accessible device, choose the entry and click Delete.
  • Page 301 This IP address must be in the same subnet as the device global IP addresses. Cisco SDM creates a NAT rule to translate IP addresses of devices that do not need to be reached from other networks to this IP address, and assigns this IP address to a new loopback interface.
  • Page 302 Edit Easy VPN Remote window. Interface List In the Interfaces list, choose the outside interface that connects to the Easy VPN server or concentrator. Note: Cisco 800 routers do not support the use of interface E 0 as the outside interface. Connection Settings
  • Page 303 (LAN side) traffic is detected. Note: The option for traffic-based activation appears only if supported by the Cisco IOS image on your router. Easy VPN Remote Wizard: Server Information The information entered in this window identifies the Easy VPN tunnel, the Easy VPN server or concentrator that the router will connect to, and the way you want traffic to be routed in the VPN.
  • Page 304 Easy VPN Server 2 The Easy VPN Server 2 field appears when the Cisco IOS image on the router supports Easy VPN Remote Phase III. This field does not appear when the Cisco IOS image does not support Easy VPN Remote Phase III.
  • Page 305 (ping, Telnet, and Secure Shell). This mode is known as Network Extension Plus. Note: If the router is not running a Cisco IOS image that supports Easy VPN Remote Phase IV or later, you will not be able to set Network Extension Plus.
  • Page 306 Reenter the key to confirm its accuracy. User Authentication User authentication (XAuth) appears in this window if the Cisco IOS image on the router supports Easy VPN Remote Phase III. If user authentication does not appear, it must be configured from the router command-line interface.
  • Page 307 This window shows you the Easy VPN configuration that you have created, and it allows you to save the configuration. A summary similar to the following appears:
    Easy VPN tunnel name: test1
    Easy VPN server: 222.28.54.7
    Group: myCompany
    Key: 1234
  • Page 308: Administering Easy Vpn Remote Connections

    Administering Easy VPN Remote Connections Use Cisco SDM to edit Easy VPN Remote connection settings, reset connections, and delete connections. You can use the Easy VPN Remote Edit screens to create an Easy VPN Remote connection, but it is recommended that you use the wizard to do so.
  • Page 309: Editing An Existing Easy Vpn Remote Connection

    Follow these steps to create a new Easy VPN Remote connection: Step 1 On the Cisco SDM toolbar, click Configure. Step 2 On the Cisco SDM category bar, click VPN.
  • Page 310: Deleting An Easy Vpn Remote Connection

    Step 3 In the VPN tree, choose Easy VPN Remote. Step 4 Click the Edit Easy VPN Remote tab. Step 5 Select the Easy VPN Remote connection that you want to reset.
  • Page 311: Connecting To An Easy Vpn Server

    Select an ACL. Step 3 To enter the subnets manually, click the Add button and enter the subnet address and mask. Cisco SDM will generate an ACL automatically. Note: The subnets you enter must not be directly connected to the router. To add an existing ACL, enter its name or choose it from the drop-down list.
  • Page 312: Administering Easy Vpn Remote Reference

    The list of connections displays information about the configured Easy VPN Remote connections.
  • Page 313 Test Tunnel Choose an Easy VPN Remote connection, and click Test Tunnel to send data through the VPN tunnel. Cisco SDM displays a message indicating the results of the test. Connect or Disconnect or Login The name of this button changes based on the status of the chosen Easy VPN Remote connection.
  • Page 314 This button is labeled Login if all of the following are true:
    • The Easy VPN server or concentrator being connected to uses XAuth.
    • The XAuth response is set to be requested from Cisco SDM or the router console.
    • The tunnel is waiting for XAuth credentials (the connection has...
  • Page 315: Authentication

    Easy VPN Server The names or IP addresses of the Easy VPN servers or concentrators. If the Cisco IOS image on your router supports Easy VPN Remote Phase III, you can identify two Easy VPN servers or concentrators during configuration using Cisco SDM.
  • Page 316 If XAuth is enabled, the Item Value column shows one of the following about how the XAuth credentials are sent: • They must be entered from Cisco SDM or the router console. • They must be entered from a PC browser when browsing.
  • Page 317 VPN parameters to be defined at a VPN remote access server. This server can be a dedicated VPN device, such as a VPN 3000 concentrator or a Cisco PIX Firewall, or it can be a Cisco IOS router that supports the Cisco Unity Client protocol.
  • Page 318 Group Name Enter the IPSec group name. The group name must match the group name defined on the VPN concentrator or server. Obtain this information from your network administrator.
  • Page 319 Use this window to configure your router as an Easy VPN client. Your router must have a connection to an Easy VPN concentrator or server on the network. Note: This window appears if the Cisco IOS image on your router supports Easy VPN Client Phase IV.
  • Page 320 VPN parameters to be defined on a VPN remote access server. This server can be a dedicated VPN device, such as a VPN 3000 concentrator or a Cisco PIX Firewall, or it can be a Cisco IOS router that supports the Cisco Unity Client protocol.
  • Page 321 This IP address can be used for connecting to your router remotely for remote management and troubleshooting (ping, Telnet, and Secure Shell). This mode is called Network Extension Plus.
  • Page 322 VPN parameters to be defined on a VPN remote access server. This server can be a dedicated VPN device, such as a VPN 3000 concentrator or a Cisco PIX Firewall, or it can be a Cisco IOS router that supports the Cisco Unity Client protocol.
  • Page 323 You can specify up to ten Easy VPN servers by IP address or hostname, and you can order the list to specify which servers the router will attempt to connect to first.
  • Page 324 Outside Interface Toward Server or Concentrator Choose the interface that has the connection to the Easy VPN server or concentrator. Note: Cisco 800 routers do not support the use of interface E 0 as the outside interface. Inside Interfaces Specify the inside interfaces to include in this Easy VPN configuration.
  • Page 325 Reenter Key Reenter the new key to confirm accuracy. If the values in the New Key and Reenter Key fields are not the same, Cisco SDM prompts you to reenter the key values. This field only appears if Preshared Key is chosen...
  • Page 326 Description From PC Choose From PC if you will enter the credentials in a web browser window. Note: This option appears only if supported by the Cisco IOS image on your router. From this router Choose From this router if you will enter the credentials from the router command line interface or from Cisco SDM.
  • Page 327 Add or Edit Easy VPN Remote: Easy VPN Client Phase III Authentication This window appears if the Cisco IOS image on your router supports Easy VPN Client Phase III. If the image supports Easy VPN Client Phase II, a different window appears.
  • Page 328 From PC Choose From PC if you will enter the credentials in a web browser window. Note: This option appears only if supported by the Cisco IOS image on your router. From this router Choose From this router if you will enter the credentials from the router command line interface or from Cisco SDM.
  • Page 329: Add Or Edit Easy Vpn Remote: Interfaces And Connections

    Reenter Password Reenter the new password to confirm accuracy. If the values in the New Password and Reenter Password fields are not the same, Cisco SDM prompts you to reenter the password values. Add or Edit Easy VPN Remote: Interfaces and Connections Identify the inside and outside interfaces, and specify how the VPN tunnel is brought up in this screen.
  • Page 330 Edit Easy VPN Remote window. Interface list In the Interfaces list, choose the outside interface that connects to the Easy VPN server or concentrator. Note: Cisco 800 routers do not support the use of interface E 0 as the outside interface. Virtual Tunnel Interface Check this option if you want to use a Virtual Tunnel Interface (VTI) for this connection.
  • Page 331: Add Or Edit Easy Vpn Remote: Identical Addressing

    Loopback Interface Loopback Interface Click the down arrow to select an existing loopback interface. If no loopback interfaces are configured, click Add.
  • Page 332 To remove an entry for an accessible device, choose the entry and click Delete. Warning Messages Cisco SDM displays a warning message when you click OK if it detects any of the following problems: • There are no devices added.
  • Page 333: Easy Vpn Remote: Add A Device

    If the router uses Secure Shell (SSH), you must enter the SSH login and password the first time you establish the connection. Use this window to enter SSH or Telnet login information.
  • Page 334: Xauth Login Window

    Step 3 Click the Edit Easy VPN Remote tab and choose the connection that you want to edit. Step 4 Click Edit. The Edit Easy VPN Remote window appears.
  • Page 335: How Do I Configure A Backup For An Easy Vpn Connection

    Step 3 Choose an ISDN, async, or analog modem interface from the list of configured interfaces. Step 4 Click the Edit button. Step 5 Click the Backup tab and configure the backup for an Easy VPN Remote connection.
  • Page 336 Chapter 12 Easy VPN Remote Other Procedures Step 6 When you have finished configuring the backup, click OK.
  • Page 337: Easy Vpn Server

    CHAPTER Easy VPN Server The Easy VPN Server feature introduces server support for the Cisco VPN Client Release 3.x and later software clients and Cisco VPN hardware clients. The feature allows a remote end user to communicate using IP Security (IPSec) with any Cisco IOS Virtual Private Network (VPN) gateway.
  • Page 338 Complete these steps to configure an Easy VPN Server connection using the Easy VPN Server wizard: Step 1 If you want to review the Cisco IOS CLI commands that you send to the router when you complete the configuration, go to the Cisco SDM toolbar, and click Edit >...
  • Page 339: Create An Easy Vpn Server Reference

    • Add or Edit Browser Proxy Settings • User Authentication (XAuth) • Client Update • Add or Edit Client Update Entry • Cisco Tunneling Control Protocol • Summary • Browser Proxy Settings
  • Page 340: Create An Easy Vpn Server

    If you choose an interface that is already configured with a site-to-site IPSec policy, Cisco SDM displays a message that an IPSec policy already exists on the interface. Cisco SDM uses the existing IPSec policy to configure the Easy VPN Server.
  • Page 341: Group Authorization And Group Policy Lookup

    Easy VPN Server Creating an Easy VPN Server Connection If the chosen interface is part of an Easy VPN Remote, GREoIPSec, or DMVPN interface, Cisco SDM displays a message to choose another interface. Field Reference Table 13-2 describes the fields in this screen.
  • Page 342: User Authentication (Xauth)

    RADIUS server or a local database or on both. An AAA login authentication method list is used to decide the order in which user authentication details should be searched.
  • Page 343: User Accounts For Xauth

    User Accounts for XAuth Add an account for a user you want to authenticate after IKE has authenticated the device.
  • Page 344: Add Radius Server

    Add a RADIUS Server Fields Element Description Add a new RADIUS server. Edit Edit an already existing RADIUS server configuration. Ping Ping an already existing RADIUS server or newly configured RADIUS server.
  • Page 345: Group Authorization: User Group Policies

    The minimum time allowed is 1 minute. Disconnecting idle VPN tunnels can help the Easy VPN Server run more efficiently by reclaiming unused resources.
  • Page 346: General Group Information

    Maximum Connections Allowed Specify the maximum number of client connections to the Easy VPN Server from this group. Cisco SDM supports a maximum of 5000 connections per group.
  • Page 347: Dns And Wins Configuration

    Internet. For example, all traffic sourced from the client is sent to the destination subnet through the VPN tunnel. You can also specify which groups of ACLs represent protected subnets for split tunneling.
  • Page 348: Client Settings

    This window allows you to configure additional attributes for security policy such as adding or removing a backup server, Firewall Are-U-There, and Include-Local-LAN. Note: Some of the features described below appear only if supported by your Cisco server’s IOS release.
  • Page 349 The following are URL examples for downloading an upgrade file called sdm.exe: • http://username:password@www.cisco.com/go/vpn/sdm.exe • https://username:password@www.cisco.com/go/vpn/sdm.exe • ftp://username:password@www.cisco.com/go/vpn/sdm.exe • tftp://username:password@www.cisco.com/go/vpn/sdm.exe • scp://username:password@www.cisco.com/go/vpn/sdm.exe • rcp://username:password@www.cisco.com/go/vpn/sdm.exe
  • Page 350 In these examples, username is the site username and password is the site password. Enter the version number of the file in the Version field. The version number must be in the range 1 to 32767.
  • Page 351: Choose Browser Proxy Settings

    Choose Browser Proxy Settings From the drop-down list, choose the browser proxy settings you want to associate with the group. Field Reference Table 13-12 describes the fields in this screen.
  • Page 352: Add Or Edit Browser Proxy Settings

    You want to manually configure a proxy server for clients in this group. If you choose this option, complete the procedure for manually configuring a proxy server in this help topic.
  • Page 353: User Authentication (Xauth)

    IOS release. Maximum Logins Allowed Per User Specify the maximum number of connections a user can establish at a time. Cisco SDM supports a maximum of ten logins per user.
  • Page 354: Client Update

    Send Update button. Group clients meeting the client update criteria are sent the notification. Note: The client update window is available only if supported by your Cisco server’s IOS release.
  • Page 355: Add Or Edit Client Update Entry

    The following are URL examples for downloading an upgrade file called vpnclient-4-6.exe: • http://username:password@www.cisco.com/go/vpn/vpnclient-4.6.exe • https://username:password@www.cisco.com/go/vpn/vpnclient-4.6.exe • ftp://username:password@www.cisco.com/go/vpn/vpnclient-4.6.exe • tftp://username:password@www.cisco.com/go/vpn/vpnclient-4.6.exe • scp://username:password@www.cisco.com/go/vpn/vpnclient-4.6.exe • rcp://username:password@www.cisco.com/go/vpn/vpnclient-4.6.exe • cns: • xmodem: • ymodem: • null:
  • Page 356: Cisco Tunneling Control Protocol

    Enter the revision number of the latest update. You can enter multiple revision numbers by separating them with commas, for example, 4.3,4.4,4.5. Do not use any spaces. Cisco Tunneling Control Protocol Cisco Tunneling Control Protocol (cTCP) enables VPN clients to operate in environments where standard protocol (port 50) or protocol...
  • Page 357: Summary

    This window lists browser proxy settings, showing how they are configured. You can add, edit, or delete browser proxy settings. Use the group policies configuration to associate browser proxy settings with client groups.
  • Page 358 Edit the specified browser proxy settings. Delete Button Delete the specified browser proxy settings. Browser proxy settings associated with one or more group policies cannot be deleted before those associations are removed.
  • Page 359: Editing Easy Vpn Server Connections

    Editing Easy VPN Server Connections To edit an Easy VPN Server connection, complete these steps: Step 1 If you want to review the Cisco IOS CLI commands that you send to the router when you complete the configuration, go to the Cisco SDM toolbar, and click Edit >...
  • Page 360: Edit Easy Vpn Server

    The router is configured to initiate connections with Easy VPN Remote clients. • Respond The router is configured to wait for requests from Easy VPN Remote clients before establishing connections.
  • Page 361: Add Or Edit Easy Vpn Server Connection

    Lookup Choose the method list to use for group policy lookup from this list. Method lists are configured by clicking Additional Tasks on the Cisco SDM taskbar, and then clicking the AAA node. Enable User Authentication Check this checkbox if you want to require users to authenticate themselves.
  • Page 362: Restrict Access

    Authentication Choose the method list to use for user authentication from this list. Method lists are configured by clicking Additional Tasks on the Cisco SDM taskbar, and then clicking the AAA node. Mode Configuration Check Initiate if you want the router to initiate connections with Easy VPN Remote clients.
  • Page 363 The Details window is a list of feature settings and their values for the chosen group policy. Feature settings are displayed only if they are supported by your Cisco router’s IOS release, and apply only to the chosen group. The following feature settings may appear in the list:
  • Page 364 • Maximum Logins—The maximum number of connections a user can establish simultaneously. Cisco SDM supports a maximum of 10 simultaneous logins per user. • XAuth Banner—The text message shown to clients during XAuth requests.
  • Page 365: Ip Pools

    Depending upon the area of Cisco SDM you are working in, Add, Edit, and Delete buttons may be available, and the name of the window varies depending on the area of Cisco SDM you are working in. You can use these to manage local IP pools on the router.
  • Page 366: Add Ip Address Range

    10.10.10.1 to 10.10.10.254, enter 10.10.10.1. End IP Address Enter the highest IP address in the range. For example, if you are defining a range between 10.10.10.1 to 10.10.10.254, enter 10.10.10.254.
  • Page 367: Enhanced Easy Vpn

    A virtual template interface must be unnumbered to a router interface to obtain an IP address. Cisco recommends that you unnumber the virtual template interface to a loopback address for greatest flexibility. To do this, click Unnumbered to new loopback interface and enter an IP address and subnet mask for the loopback interface.
  • Page 368: Radius Servers

    The source IP address in the RADIUS packets sent from the router must be configured as the NAD IP address in the Cisco Access Control Server (ACS) version 3.3 or later.
  • Page 369 Select a server entry and click Edit to change the information the router has for that server. Ping Select a server entry and click Ping to test the connection between the router and the RADIUS server.
  • Page 370: Group Authorization And Group User Policies

    The Easy VPN server obtains the username from the client’s digital certificate. This option is displayed under the following conditions: • The router runs a Cisco IOS 12.4(4)T or later image. • You choose digital certificate authentication in the policy...
  • Page 371: Add Or Edit Easy Vpn Server: General Tab

    IP version 4 IPSec tunnel. Description You can enter a description that administrators in your network will find useful when changing configurations or troubleshooting the network.
  • Page 372: Add Or Edit Easy Vpn Server: Ike Tab

    If all the local groups are used in other IKE profiles, SDM informs you that all groups have been selected. • Delete—Choose a group and click Delete to remove it from the list.
  • Page 373 Click Add to create a policy in the displayed dialog and use it in this IKE policy.
  • Page 374: Add Or Edit Easy Vpn Server: Ipsec Tab

    The Easy VPN server obtains the username from the client’s digital certificate. This option is displayed under the following conditions: • The router runs a Cisco IOS 12.4(4)T or later image. • You choose digital certificate authentication in the policy...
  • Page 375 768-bit Diffie-Hellman prime modulus group is used to encrypt the PFS request. • group2—The 1024-bit Diffie-Hellman prime modulus group is used to encrypt the PFS request.
  • Page 376: Create Virtual Tunnel Interface

    Cisco SDM currently supports the IPSec-IPv4 tunnel mode and it is selected. Select Zone This field appears when the router runs a Cisco IOS image that supports Zone-Policy Based Firewall (ZPF), and a zone has been configured on the router.
  • Page 377: Dmvpn

    GRE over IPSec tunnel. IPSec traffic is routed through the hub to the spokes in the network. Cisco SDM allows you to configure your router as a primary or a secondary DMVPN hub, or as a spoke router in a DMVPN network.
  • Page 378: Dynamic Multipoint Vpn (Dmvpn) Hub Wizard

    • The dynamic routing protocol to use to send routing updates to the DMVPN, and the autonomous system (AS) number (for EIGRP), or process ID (for OSPF) that should be used.
  • Page 379: Type Of Hub

    Chapter 15 DMVPN Dynamic Multipoint VPN Cisco SDM’s Configure Spoke feature enables you to create a text file that contains the information that spoke administrators need about the hub’s configuration. This feature is available from the Summary window of this wizard.
  • Page 380: Hub Gre Tunnel Interface Configuration

    Confirm Pre-Shared Key Reenter the key for confirmation. If the values in this field and the Pre-Shared Key field do not match, Cisco SDM prompts you to reenter them. Hub GRE Tunnel Interface Configuration Multipoint Generic Routing Encapsulation (mGRE) is used in a...
  • Page 381: Advanced Configuration For The Tunnel Interface

    Dynamic Multipoint VPN Advanced Button Cisco SDM provides default values for advanced tunnel settings. However, the hub administrator must decide on the tunnel settings and give them to the personnel administering spoke routers so that they can make matching settings.
  • Page 382: Primary Hub

    Enter the IP address of the interface on the primary hub that is used for this tunnel. This should be a static IP address. Obtain this information from the hub administrator.
  • Page 383: Select Routing Protocol

    Route. For more information on OSPF parameters, see Add or Edit an OSPF Route. Please select the version of RIP to enable Specify RIP version 1 or version 2.
  • Page 384 OSPF Area ID for tunnel network Enter a new OSPF area ID for the network. This area ID is for the tunnel network. Cisco SDM automatically adds the tunnel network to this process using this area Private networks advertised using < protocol-name>...
  • Page 385: Dynamic Multipoint Vpn (Dmvpn) Spoke Wizard

    Also you should have all the information about the hub you need before you begin. A hub administrator who uses Cisco SDM to configure the hub can generate a text file that contains the hub information spoke administrators need.
  • Page 386: Specify Hub Information

    You can examine supported interfaces in Interfaces and Connections to determine if a dialup connection, such as an ISDN or Async connection, has been configured for the physical interface you selected.
  • Page 387: Cisco Sdm Warning: Dmvpn Dependency

    This window appears when the interface you have chosen for the DMVPN tunnel source has a configuration that prevents its use for DMVPN. Cisco SDM informs you of the conflict and gives you the option of allowing Cisco SDM to modify the configuration so that the conflict is removed.
  • Page 388: Edit Dynamic Multipoint Vpn (Dmvpn)

    IPSec, and ISAKMP traffic is allowed through the firewall. View Details Click this button to view the access control entries that Cisco SDM will add to the access rule if you select Allow GRE, IPSec, and ISAKMP traffic through the firewall.
  • Page 389 The IPSec profile that the tunnel uses. The IPSec profile defines the transform sets that are used to encrypt traffic on the tunnel. Cisco SDM supports the use of only IPSec profiles to define encryption in a DMVPN. If you want to use crypto-maps, configure the DMVPN using the CLI.
  • Page 390: General Panel

    IPSec Profile Select a configured IPSec profile for this tunnel. The IPSec profile defines the transform sets that are used to encrypt traffic on this tunnel.
  • Page 391: Nhrp Panel

    DMVPN. In this way, a spoke can establish a connection to the hub to send traffic and receive next hop information to directly connect to all other spokes in the DMVPN. NHRP Panel Use this panel to provide NHRP configuration parameters.
  • Page 392: Nhrp Map Configuration

    Click Delete to remove a selected map configuration. NHRP Map Configuration Use this window to create or edit a mapping between IP and NBMA addresses.
  • Page 393: Routing Panel

    Statically configure the IP-to-NBMA address mapping of IP destinations connected to an NBMA network. Click this button if you are configuring a spoke in a fully meshed network. Cisco SDM treats backup hubs as spokes to primary hubs, so also click this if you are configuring a backup hub.
  • Page 394 Leave it unchecked to disable split horizon. Turning off split horizon allows the router to advertise the routes that it has learned from the tunnel interface out the same interface.
  • Page 395: How Do I Configure A Dmvpn Manually

    To configure a DMVPN connection: Step 1 In the VPN tree, click the Dynamic Multipoint VPN branch. Step 2 Click Edit Dynamic Multipoint VPN (DMVPN). Step 3 Click Add.
  • Page 396 Step 2 In the Routing window, select the routing protocol that you specified in DMVPN configuration, and click Edit. Step 3 Add the network numbers that you want to advertise.
  • Page 397: Vpn Global Settings

    Aggressive Mode is disabled. The Aggressive Mode feature allows you to specify RADIUS tunnel attributes for an IPSec peer and to initiate an IKE aggressive mode negotiation with the tunnel attributes.
  • Page 398 IKE Keepalive value. IPSec Security Association (SA) Lifetime (Sec) The amount of time after which IPSec security associations (SAs) will expire and be regenerated. The default is 3600 seconds (1 hour).
  • Page 399: Vpn Global Settings: Ike

    IPSec peer and to initiate an IKE aggressive mode negotiation with the tunnel attributes. Identity (of this router) This field specifies the way the router will identify itself. Select either IP address or host name.
  • Page 400: Vpn Global Settings: Ipsec

    Dead Peer Detection (DPD) enables a router to detect a dead peer and, if detected, delete the IPSec and IKE security associations with that peer. The Enable Dead Peer Detection checkbox is disabled when the Cisco IOS image that the router is using does not support DPD.
  • Page 401: Vpn Global Settings: Easy Vpn Server

    4,608,000 kilobytes. VPN Global Settings: Easy VPN Server Make global settings for Easy VPN server connections in this screen. Field Reference Table 16-2 describes the fields in this screen.
  • Page 402: Vpn Key Encryption Settings

    A sample set of entries follows: WGP-1, WGP-2, ACCTG, CSVC The router must use Cisco IOS 12.4(4)T or later for this part of the screen to be displayed. VPN Key Encryption Settings The VPN Key Encryption Settings window appears if the Cisco IOS image on your router supports Type 6 encryption, also referred to as VPN key encryption.
  • Page 403 Confirm Master Key Reenter the master key in this field for confirmation. If the values in this field and in the New Master Key field do not match, Cisco SDM prompts you to reenter the key.
  • Page 405: Ip Security

    IPSec. Cisco SDM lets you configure IPSec transform sets, rules, and policies. Use the IPSec tree to go to the IPSec configuration windows that you want to use.
  • Page 406 • Manual—IKE will not be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry. Cisco SDM does not support the creation of manual crypto maps. Cisco SDM treats as read-only any manual crypto maps that have been created using the command-line interface (CLI).
  • Page 407: Add Or Edit Ipsec Policy

    The name of this IPSec policy. This name can be any set of alphanumeric characters. It may be helpful to include the peer names in the policy name, or to include other information that will be meaningful to you.
  • Page 408 IPSec policy. If you want to add a crypto map, click Add. If you want Cisco SDM to guide you through the process, check Use Add Wizard, and then click Add.
  • Page 409: Add Or Edit Crypto Map: General

    IPSec policy. Sequence Number A number that, along with the IPSec policy name, is used to identify a connection. Cisco SDM generates a sequence number automatically. You can enter your own sequence number if you wish. Security Association Lifetime IPSec security associations use shared keys.
  • Page 410: Add Or Edit Crypto Map: Peer Information

    Add a peer to the Current List. Enter the IP address or host name of the peer, and click Add. Remove a peer from the Current List. Select the peer, and click Remove.
  • Page 411: Add Or Edit Crypto Map: Transform Sets

    Note: ...transform sets will not appear in the window. • Not all IOS images support all the transform sets that Cisco SDM supports. Transform sets unsupported by the IOS image will not appear in the window. • If hardware encryption is turned on, only those transform sets supported by...
  • Page 412 Add Crypto Map. The Transform Set tab allows you to add and order transform sets. ...that the router can offer a transform set that the peer will agree to use.
  • Page 413: Add Or Edit Crypto Map: Protecting Traffic

    For more information, see IP Addresses and Subnet Masks. All traffic from this source subnet that has a destination IP address on the destination subnet will be encrypted.
  • Page 414 Note: IPSec rules must be extended rules, not standard rules. If the number or name you enter identifies a standard rule, Cisco SDM will display a warning message when you click OK.
  • Page 415: Dynamic Crypto Map Sets

    Use these buttons to manage the crypto maps in the window. If you try to delete a crypto map set associated with an IPSec policy, Cisco SDM prevents you from doing so. You must disassociate the crypto map from the policy before deleting it.
  • Page 416: Associate Crypto Map With This Ipsec Policy

    The name of the IPSec profile. Transform Set The transform sets used in this profile. Description A description of the IPSec profile. Click to add a new IPSec profile.
  • Page 417: Add Or Edit Ipsec Profile

    If you want to associate an IKE profile with this IPSec profile, choose an existing profile from the list. If an IKE profile has already been associated, this field is read only.
  • Page 418: Add Or Edit Ipsec Profile And Add Dynamic Crypto Map

    PFS request. Add or Edit IPSec Profile and Add Dynamic Crypto Map Use this window to add or to edit an IPSec profile, or to add a dynamic crypto map.
  • Page 419: Transform Set

    When that transform set is found, it is selected and applied to the protected traffic as part of both peers’ IPSec security associations. Name Name given to the transform set.
  • Page 420 The column will contain one of the following values: • AH-MD5-HMAC—Message Digest 5. • AH-SHA-HMAC—Secure Hash Algorithm.
  • Page 421 Note: Cisco SDM Default transform sets are read-only and cannot be edited. Delete an existing transform set. Select the transform set, and click Delete. Note: Cisco SDM Default transform sets are read-only and cannot be deleted.
  • Page 422: Add Or Edit Transform Set

    ...transform sets will not appear in the screen.
    Note
    • Not all IOS images support all the transform sets that Cisco SDM supports.
    • Transform sets unsupported by the IOS image will not appear in the screen.
    • If hardware encryption is turned on, only those transform sets supported by...
  • Page 423 Check this box if you want the router to provide Authentication Header (AH) data and address integrity. The authentication header will not be encrypted. Integrity Algorithm Select one of the following:
    • AH_MD5_HMAC—Message Digest 5.
    • AH_SHA_HMAC—Secure Hash Algorithm.
  • Page 424: IPSec Rules

    IPSec rules contain IP address and type-of-service information. Packets that match the criteria specified in the rule are encrypted. Packets that do not match the criteria are sent unencrypted. Name/Num The name or number of this rule.
  • Page 425 If present, the wildcard mask specifies the portions of the IP address that the destination IP address must match. Service The type of traffic that the packet must contain.
  • Page 426 Select the rule in the rule list, and click Edit. Then, delete the entry in the rule window displayed. Apply an IPSec rule to an interface. Apply the rule in the interface configuration window.
  • Page 427: Internet Key Exchange

    IKE establishes session keys (and associated cryptographic and networking configuration) between two hosts across the network. Cisco SDM lets you create IKE policies that will protect the identities of peers during authentication. Cisco SDM also lets you create pre-shared keys that peers exchange.
  • Page 428: IKE Policies

    Click the IKE Policy node on the VPN tree. See IKE Policies for more information. Cisco SDM provides a default IKE policy, but there is no guarantee that the peer has the same policy. You should configure other IKE policies so that the router is able to offer an IKE policy that the peer can accept.
  • Page 429 Default IKE policies are read only. They cannot be edited. Remove an IKE policy from the router’s configuration: Choose the IKE policy that you want to remove, and click Remove.
  • Page 430: Add Or Edit IKE Policy

    Encryption The type of encryption that should be used to communicate this IKE policy. Cisco SDM supports a variety of encryption types, listed in order of security. The more secure an encryption type, the more processing time it requires.
  • Page 431 2, but requires more processing time. If your router does not support group 5, it will not appear in the list. Note: Easy VPN servers do not support D-H Group 1.
  • Page 432: IKE Pre-Shared Keys

    10 bits are for the host part of the address. Pre-Shared Key The pre-shared key is not readable in Cisco SDM windows. If you need to examine the pre-shared key, go to View->Running Config. This will display the running configuration.
  • Page 433: Add Or Edit Pre-Shared Key

    This field appears if you selected “Hostname” in the Peer field. Enter the peer’s host name. There must be a DNS server on the network capable of resolving the host name to an IP address.
  • Page 434: IKE Profiles

    For more information on ISAKMP profiles, and how they are configured using the Cisco IOS CLI, go to Cisco.com and follow this path: Products and Services > Cisco IOS Software > Cisco IOS Security > Cisco IOS IPSec > Product Literature > White Papers > ISAKMP Profile Overview...
  • Page 435: Add Or Edit An IKE Profile

    IKE connection parameters are to apply. Match criteria can currently be applied to VPN groups. Group is automatically chosen in the Match Identity Type field.
  • Page 436
    • Initiate—Choose Initiate if the Easy VPN server is to initiate mode configuration requests.
    • Both—Choose Both if the Easy VPN server is to both initiate and respond to mode configuration requests.
  • Page 437 2 to 60 seconds. Dead peer discovery helps manage connections without administrator intervention, but it generates additional packets that both peers must process in order to maintain the connection.
  • Page 438 The Easy VPN server obtains the username from the client’s digital certificate. This option is displayed under the following conditions:
    • The router runs a Cisco IOS 12.4(4)T or later image.
    • You choose digital certificate authentication in the policy...
  • Page 439: Public Key Infrastructure

    A link is provided next to the alert text so that you can go to that part of Cisco SDM and complete the configuration. If Cisco SDM does not discover missing configurations, this box does not appear.
  • Page 440: Welcome To The SCEP Wizard

    Launch the selected task button Click to begin the wizard for the type of enrollment that you selected. If Cisco SDM has detected a required task that must be performed before enrollment can begin, this button is disabled. Once the task is completed, the button is enabled.
  • Page 441: Certificate Authority (CA) Information

    Certificate Wizards After the wizard completes and the commands are delivered to the router, Cisco SDM attempts to contact the CA server. If the CA server is contacted, Cisco SDM displays a message window with the server’s digital certificate. Certificate Authority (CA) Information Provide information to identify the CA server in this window.
  • Page 442: Advanced Options

    Any information that you specify to be included in the certificate request will be placed in the certificate, and will be viewable by any party to whom the router sends the certificate.
  • Page 443 Check this box if you want Cisco SDM to include the router’s fully qualified domain name in the certificate request. Note: If the Cisco IOS image running on the router does not support this feature, this box is disabled.
  • Page 444: Other Subject Attributes

    Enter the country in which the router or the organization is located. Email (e) Enter the email address to be included in the router certificate. Note: If the Cisco IOS image running on the router does not support this attribute, this field is disabled.
  • Page 445: RSA Keys

    Generate separate key pairs for encryption and signature By default, Cisco SDM creates a general purpose key pair that is used for both encryption and signature. If you want Cisco SDM to generate separate key pairs for encrypting and signing documents, check this box.
  • Page 446: Summary

    If you are performing an SCEP enrollment After the commands are delivered to the router, Cisco SDM attempts to contact the CA server. If the CA server is contacted, Cisco SDM displays a message window with the server’s digital certificate.
  • Page 447: CA Server Certificate

    CA Server Certificate Cisco SDM displays the digital fingerprint of the CA server’s certificate. If you wish to continue the enrollment process, you must accept this certificate. If you do not accept the certificate, the enrollment does not proceed. CA server’s certificate’s fingerprint is:...
  • Page 448: Enrollment Task

    CA to obtain your certificate. Save: Browse for the directory on the PC that you want to save the enrollment request text file in, enter a name for the file, and click Save.
  • Page 449: Continue With Unfinished Enrollment

    Import router certificate(s) Choose this option to import a certificate for your router saved on your PC. After you import the router certificate, Cisco SDM will report on the status of the enrollment process. Note: You must import the CA server’s certificate before you import the router’s certificate.
  • Page 450: Import CA Certificate

    The router will generate an enrollment request that you can save to the PC and send to the CA. Cisco SDM generates a base-64 encoded PKCS#10 enrollment request. Import CA certificate If you have the CA server certificate on your hard disk, you can browse for it and import it to your router in this window.
  • Page 451: Digital Certificates

    Click to delete the selected trustpoint. Deleting a trustpoint destroys all certificates received from the associated certificate authority. Check Revocation Button Click to check whether the selected certificate has been revoked. Cisco SDM displays a dialog in which you select the method to use to check for revocation. See Revocation Check and Revocation Check, CRL Only for more information.
  • Page 452
    • Signature—CA certificates are signature certificates.
    Serial Number The serial number of the certificate. Issuer The name of the CA that issued the certificate.
  • Page 453: Trustpoint Information

    • OCSP—Contact an Online Certificate Status Protocol server to determine the status of a certificate.
    • CRL—Certificate revocation is checked using a certificate revocation list.
  • Page 454: Revocation Check, CRL Only

    Ron Rivest, Adi Shamir, and Leonard Adleman. The RSA system is the most commonly used encryption and authentication algorithm, and is included as a part of Cisco IOS. To use the RSA system, a network host...
  • Page 455: Generate RSA Key Pair

    RSA keys configured on your router Name The key name. Key names are automatically assigned by Cisco SDM. The "HTTPS_SS_CERT_KEYPAIR" and "HTTPS_SS_CERT_KEYPAIR.serve shown as Read-Only. Similarly, any key that is locked/encrypted on the router is displayed with icons that indicate its status.
  • Page 456: USB Token Credentials

    This window appears when you add or delete credentials, such as an RSA key pair or digital certificates, that have been saved on a USB token. For the deletion to take place, you must provide the USB token name and PIN.
  • Page 457: USB Tokens

    This window allows you to configure USB token logins. This window also displays a list of configured USB token logins. When a USB token is connected to your Cisco router, Cisco SDM uses the matching login to log in to the token. Click Add to add a new USB token login.
  • Page 458: Add Or Edit USB Token

    IKE credentials is made. Secondary Config File Displays the configuration file that Cisco SDM attempts to find on the USB token. The configuration file can be a CCCD file or a .cfg file.
  • Page 459 Reenter the new PIN to confirm it. Maximum PIN Retries Choose the maximum number of times Cisco SDM will attempt to log in to the USB token with the given PIN. If Cisco SDM is unsuccessful after trying for the number specified, it will stop trying to log in to the USB token.
  • Page 460: Open Firewall

    This area lists the exit interfaces and ACL names, and allows you to select which firewalls you want Cisco SDM to modify. Select the firewalls that you want Cisco SDM to modify in the Action column. Cisco SDM will modify them to allow SCEP or DNS traffic from the server to the router.
  • Page 461: Open Firewall Details

    Public Key Infrastructure Open Firewall Details Button Click this button to view the access control entry that Cisco SDM would add to the firewall if you allow the modification. Open Firewall Details This window displays the access control entry (ACE) that Cisco SDM would add to a firewall to enable various types of traffic to reach the router.
  • Page 462 Chapter 19 Public Key Infrastructure, Open Firewall
  • Page 463: Certificate Authority Server

    CA server, it alerts you to them in this box. A link is provided next to the alert text so that you can go to that part of Cisco SDM...
  • Page 464: Prerequisite Tasks For PKI Configurations

    ...and complete the configuration. If Cisco SDM does not discover missing configurations, this box does not appear. Possible prerequisite tasks are described in Prerequisite Tasks for PKI Configurations. Create Certificate Authority (CA) Server Click this button to create a server on the router.
  • Page 465: CA Server Wizard: Welcome

    Certificate Revocation List Distribution Point (CDP) server. CA Server Wizard: Certificate Authority Information Enter basic information about the server that you are configuring in this window.
  • Page 466 HTTP server, will reduce the performance impact on the Cisco IOS router hosting the CA server. If the checking device cannot connect to the CDP, as a backup it will use SCEP to fetch the CRL from the CA server.
  • Page 467: Advanced Options

    • ...without conflict. This is the default.
    • names—In addition to the information given by the minimal option, this includes the serial number and subject name of each certificate.
  • Page 468
    • CRL—The Certificate Revocation List for certificates issued by the CA server. Lifetime is entered in hours, in the range 1–336. If no value is entered, a CRL expires after 168 hours (one week).
  • Page 469: CA Server Wizard: RSA Keys

    Type By default, Cisco SDM creates a general purpose key pair that is used for both encryption and signature. If you want Cisco SDM to generate separate key pairs for encrypting and signing documents, choose Usage Keys. Cisco SDM will generate usage keys for encryption and signature.
  • Page 470: Open Firewall

    Organization Unit (ou): IT Support
    Organization (o): Acme Enterprises
    State (st): CA
    Country (c): US
    Advanced CA Server Configuration
    Database URL: nvram:
    Database Archive: pem
    Database Username: bjones
    Database Password: *********
    RSA Keys:
  • Page 471: Manage CA Server

    If the CA server is running, the word Running and a green icon are displayed. If the CA server is not running, the word Stopped and a red icon are displayed.
  • Page 472 Enter the backup location in the displayed dialog. Uninstall Server Click to uninstall the CA server from your Cisco IOS router. All of the CA server configuration and data will be removed. If you backed up the CA server before uninstalling it, you can restore its data only after you create a new CA server.
  • Page 473: Backup CA Server

    You can edit settings for the server by clicking Edit CA server settings before restoration. You must provide the name, file format, URL to the database, and passphrase in order to back up the server or edit server settings.
  • Page 474: Edit CA Server Settings: General Tab

    Edit general CA server configuration settings in this window. You cannot change the name of the CA server. For information on the settings that you can change, see CA Server Wizard: Certificate Authority Information.
  • Page 475: Edit CA Server Settings: Advanced Tab

    Click Select All to select all outstanding certificate requests. When all certificate requests are selected, clicking Grant grants all requests. Clicking Reject when all certificate requests are selected rejects all the requests.
  • Page 476 In case it is ever necessary to revoke a certificate, you should obtain the certificate ID from the administrator of the client that the certificate was issued for. The client administrator can determine the certificate ID by entering the Cisco IOS command sh crypto pki cert. Delete Click Delete to remove the certificate enrollment request from the database.
  • Page 477: Revoked Certificates

    February 6, 2007, the revocation date is displayed as 00:41:20 UTC Feb 6 2007. Revoke Certificate Click Revoke Certificate to display a dialog that allows you to enter the ID of the certificate that you want to revoke.
  • Page 478: Revoke Certificate

    It may be necessary to obtain the ID of the certificate to be revoked from the administrator of the client for which the certificate was granted. See Pending Requests for information on how the client administrator can determine the certificate ID.
  • Page 479: Cisco IOS SSL VPN

    ...application support through its dynamically downloaded SSL VPN client software for Cisco IOS SSL VPN. With the Full Tunnel Client for Cisco IOS SSL VPN, we deliver a lightweight, centrally configured and easy-to-support SSL VPN tunneling client that allows network layer connectivity access to virtually any application.
  • Page 480: Cisco IOS SSL VPN Links On Cisco.com

    Step 1 If you want to review the IOS CLI commands that you send to the router when you complete the configuration, go to the Cisco SDM toolbar, and click Edit > Preferences > Preview commands before delivering to router. The preview screen allows you to cancel the configuration if you want to.
  • Page 481: Create An SSL VPN Connection Reference

    Step 5 In the Create SSL VPN tab, complete any recommended tasks that are displayed by clicking the link for the task. Cisco SDM either completes the task for you, or displays the necessary configuration screens for you to make settings in.
  • Page 482 Summary. Create SSL VPN: You can use Cisco IOS SSL VPN wizards to create a new Cisco IOS SSL VPN or to add new policies or features to an existing Cisco IOS SSL VPN. Click Cisco IOS SSL VPN to get an overview of the features that Cisco SDM supports.
  • Page 483 Select this option to create a new Cisco IOS SSL VPN configuration. This wizard enables you to create a Cisco IOS SSL VPN with one user policy and a limited set of features. After you complete this wizard, you can use the other wizards to configure additional policies and features for the Cisco IOS SSL VPN.
  • Page 484: Persistent Self-Signed Certificate

    Length of RSA Key Cisco SDM places the value 512 in this field. You can specify a longer key, such as 1024, if you want to do so. The key length should be a multiple of 64.
  • Page 485: Welcome

    IP Address and Name Fields Use these fields to create the URL that users will enter to access the Cisco IOS SSL VPN portal. The IP address list contains the IP addresses of all configured router interfaces, and all existing Cisco IOS SSL VPN gateways. You can use the IP address of a router interface if it is a public address that the intended clients can reach, or you can use another public IP address that the clients can reach.
  • Page 486: User Authentication

    Review the information area at the bottom of the window to learn which URL to use. Cisco SDM places a shortcut to this URL on the desktop of your PC that you can use to access Cisco SDM in the future.
  • Page 487 Creating an SSL VPN Connection External AAA server Button Click if you want the router to use an AAA server to authenticate Cisco IOS SSL VPN users. The router will use the AAA servers that are listed in this window. If there are no AAA servers configured, you can configure them in this window.
  • Page 488: Configure Intranet Websites

    Add or edit the information for a Cisco IOS SSL VPN link in this window. Label The label appears in the portal that is displayed when users log in to the Cisco IOS SSL VPN. For example, you might use the label Payroll calendar if you are providing a link to the calendar showing paid holidays and paydays.
  • Page 489: Customize SSL VPN Portal

    ACL that is applied to it. Click Modify to allow Cisco SDM to add entries to the ACL to allow SSL traffic to pass through the firewall. Click Details to view the entry that Cisco SDM adds. The entry will be one similar to the one already shown.
  • Page 490: User Policy

    Creating an SSL VPN Connection User Policy This window allows you to choose an existing Cisco IOS SSL VPN and add a new policy to it. For example, you might have created a Cisco IOS SSL VPN named Corporate, and you want to define intranet access for a new group of users that you name Engineering.
  • Page 491: Select The SSL VPN User Group

    This area displays the IP addresses of the WINS servers that this policy is configured to use. Select the SSL VPN User Group Choose the Cisco IOS SSL VPN and associated user group for which you want to configure advanced services in this window. SSL VPN Choose the Cisco IOS SSL VPN that the user group is associated with from this list.
  • Page 492: Add Or Edit A Server

    Port on Client PC Cisco SDM enters a number in this field, beginning with the number 3000. Each time you add an entry, Cisco SDM increments the number by 1. Use the entries that Cisco SDM has placed in this field.
  • Page 493: Full Tunnel

    Note: If the software install bundle is not already installed, there must be sufficient memory in router flash for Cisco SDM to install it after you complete this wizard. Enable Full Tunnel Checkbox Check to allow the router to download the full tunnel client software to the user’s PC, and to enable the other fields in this window.
  • Page 494: Locating The Install Bundle For Cisco SDM

    If this field is empty, you must locate the install bundle so that Cisco SDM can load it onto the router primary device, or download the software install bundle from Cisco.com by clicking on the Download latest... link at the bottom of the window.
  • Page 495 CCO username and password when prompted to do so. Download the package to the PC. In the Cisco IOS SSL VPN wizard, click the ... button to the right of the Location field, choose My Computer in the Select Location window that is displayed, and navigate to the directory in which you placed the file.
  • Page 496: Enable Cisco Secure Desktop

    Finish. Enable Cisco Secure Desktop The router can install Cisco Secure Desktop on the user PC when the user logs in to the Cisco IOS SSL VPN. Web transactions can leave cookies, browser history files, e-mail attachments, and other files on the PC after the user logs out. Cisco Secure Desktop creates a secure partition on the desktop and uses a Department of Defense algorithm to remove the files after the session terminates.
  • Page 497: Common Internet File System

    Click Locating the Install Bundle for Cisco SDM to learn how to locate the Cisco Secure Desktop software install bundle, and supply a path to it for Cisco SDM to use. Common Internet File System Common Internet File System (CIFS) allows clients to remotely browse, access, and create files on Microsoft Windows-based file servers using a web browser interface.
  • Page 498: Summary

    Editing SSL VPN Connections To edit an SSL VPN connection, complete the following tasks: Step 1 If you want to review the Cisco IOS CLI commands that you send to the router when you complete the configuration, go to the Cisco SDM toolbar, and click Edit >...
  • Page 499: Editing SSL VPN Connection Reference

    • Add or Edit a URL List
    • Context: Cisco Secure Desktop
    • SSL VPN Gateways
    • Add or Edit a SSL VPN Gateway
    • Packages
    • Install Package
  • Page 500 The following information is displayed for each context. Name The name of the Cisco IOS SSL VPN context. If you created the context in the Cisco IOS SSL VPN wizard, the name is the string that you entered in the IP Address and Name window.
  • Page 501 You can modify the settings that you see by clicking Edit in the top part of the window. SSL VPN Context Use this window to add or edit a Cisco IOS SSL VPN context. Field Reference Table 21-1 describes the fields in this screen.
  • Page 502 IP address. Domain If you have a domain for this context, enter it in this field. Cisco IOS SSL VPN users will be able to use this domain name when accessing the portal, instead of an IP address. An example is mycompany.com.
  • Page 503: Select A Gateway

    Designate Inside and Outside Interfaces An ACL that is applied to an interface on which a Cisco IOS SSL VPN connection is configured may block the SSL traffic. Cisco SDM can automatically modify the ACL to allow this traffic to pass through the firewall. However, you must indicate...
  • Page 504: Context: Group Policies

    Cisco IOS SSL VPN Editing SSL VPN Connections Context: Group Policies This window displays the group policies configured for the chosen Cisco IOS SSL VPN context. Use the Add, Edit, and Delete buttons to manage these group policies. For each policy, this window shows the name of the policy and whether the policy is the default group policy.
  • Page 505: Group Policy: Clientless Tab

    The Citrix software must be installed on one or more servers on a network that the router can reach. Enter information if you want Cisco IOS SSL VPN clients to be able to use Clientless Citrix.
  • Page 506 When you enable CIFS, the options that follow are enabled. Read Click Read to allow group members to read files. Write Click Write to allow group members to make changes to files.
  • Page 507: Group Policy: Thin Client Tab

    Click Enable Thin Client (Port Forwarding) and specify a port forward list to enable this feature. At least one port forward list must be configured for the Cisco IOS SSL VPN context under which this group policy is configured. View To examine the port forwarding list you have chosen, click View.
  • Page 508 Enable Full Tunnel connections by choosing Enable from the list. If you want to require Full Tunnel connections, choose Required. If you choose Required, Clientless and Thin Client communication will work only if the Cisco IOS SSL VPN client software is successfully installed on the client PC.
  • Page 509: Advanced Tunnel Options

    Click Exclude Local LANs to explicitly exclude from encryption client traffic destined for LANs that the router is connected to. If there are networked printers on these LANs, you must use this option.
  • Page 510 Split DNS If you want Cisco IOS SSL VPN clients to use the DNS server in the corporate network only to resolve specific domains, you can enter those domains in this area. They should be domains within the corporate intranet. Separate each entry with a semicolon and do not use carriage returns.
  • Page 511: DNS And WINS Servers

    DNS and WINS Servers Enter the IP addresses for the corporate DNS and WINS servers that will be sent to Cisco IOS SSL VPN clients. Cisco IOS SSL VPN clients will use these servers to access hosts and services on the corporate intranet.
  • Page 512 If you have a logo that you want to display on the portal, click the ... button to browse for it on your PC. It is saved to router flash after you click OK, and will appear in the upper-left corner of the portal.
  • Page 513: Select Color

    Context: NetBIOS Name Server Lists View all the NetBIOS name server lists that are configured for the selected Cisco IOS SSL VPN context in this window. CIFS uses NetBIOS servers to display the corporate Microsoft Windows file system to Cisco IOS SSL VPN users.
  • Page 514: Add Or Edit An NBNS Server

    Port forward lists reveal TCP application services to Cisco IOS SSL VPN clients. The upper part of the window displays the port forward lists configured for the selected context.
  • Page 515: Add Or Edit A URL List

    After a Cisco IOS SSL VPN session is terminated, Cisco Secure Desktop removes the data using a Department of Defense sanitation algorithm. Click Enable Cisco Secure Desktop to allow all users of this context to download and use Cisco Secure Desktop. This window displays a message if the install bundle for this software is not found on the router.
  • Page 516: Add Or Edit A SSL VPN Gateway

    Details of SSL VPN Gateway This area of the window displays configuration details about the gateway selected in the upper part of the window, and the names of the Cisco IOS SSL VPN contexts that are configured to use this gateway.
  • Page 517: Packages

    Follow the steps described in the window to download the install bundles from Cisco.com to your PC, and then copy them from your PC to the router. If you need to obtain any of the install bundles, start with Step 1 by clicking on the link to the download site.
  • Page 518: Install Package

    • How do I verify that my Cisco IOS SSL VPN is working?
    • How do I configure a Cisco IOS SSL VPN after I have configured a firewall?
    • How do I associate a VRF instance with a Cisco IOS SSL VPN context?
    • ...
  • Page 519 These resources are available when configuring Cisco IOS SSL VPN group policies. A Cisco IOS SSL VPN context can support multiple group policies. A Cisco IOS SSL VPN context can be associated with only one gateway. Cisco IOS SSL VPN Gateways A Cisco IOS SSL VPN gateway provides a reachable IP address and certificate for one or more Cisco IOS SSL VPN contexts.
  • Page 520 IP address reachability must be taken into account. Cisco IOS SSL VPN Policies Cisco IOS SSL VPN group policies allow you to accommodate the needs of different groups of users. A group of engineers working remotely needs access to different network resources than sales personnel working in the field.
  • Page 521 IP Address: 172.16.5.5; Name: Asia; Check Enable secure SDM access through 192.168.1.1; Certificate: Router_Certificate. Cisco SDM creates a gateway named “gateway_1” that uses the IP address 172.16.5.5 and Router_Certificate. This gateway can be associated with other Cisco IOS SSL VPN contexts. Users will access the Cisco IOS SSL VPN portal by entering http://172.16.5.5/Asia.
  • Page 522 User adds one user account to the existing “sdm_vpn_xauth_ml_1” list. This list will be displayed in the Cisco IOS SSL VPN Contexts window when the user completes the wizard. Those users listed in the User Authentication window are the members of this authentication list, and will be governed by policy_1.
  • Page 523 Split DNS: Disabled Install Full Tunnel Client: Enabled When this configuration is delivered, the router has one Cisco IOS SSL VPN context named Asia, one gateway named gateway_1, and one group policy named policy_1. This is displayed in the Edit SSL VPN window as shown in the...
  • Page 524: Learn More About Port Forwarding Servers

    Edit. Learn More about Port Forwarding Servers Port forwarding enables a remote Cisco IOS SSL VPN user to connect to static ports on servers with private IP addresses on the corporate intranet. For example, you can configure port forwarding on a router to give remote users Telnet access to a server on the corporate intranet.
  • Page 525: Learn More About Group Policies

    127.0.0.1 port 3001. The portal applet listening on that port and IP address gets this request and sends it over the Cisco IOS SSL VPN tunnel to the gateway. The gateway router forwards it to the server at 10.0.0.100, and sends return traffic back to the PC.
  • Page 526: Learn More About Split Tunneling

    805eeaea.html#wp1396461 Learn More About Split Tunneling When a Cisco IOS SSL VPN connection is set up with a remote client, all traffic that the client sends and receives may travel through the Cisco IOS SSL VPN tunnel, including traffic that is not on the corporate intranet. This can degrade network performance.
  • Page 527: How Do I Verify That My Cisco Ios Ssl Vpn Is Working

    Cisco IOS SSL VPN traffic that you will create. This must be done on a separate PC if the PC you use to test the Cisco IOS SSL VPN context is not in a network from which you can access Cisco SDM. Go to Monitor > VPN Status >...
  • Page 528: How Do I Configure A Cisco Ios Ssl Vpn After I Have Configured A Firewall

    VPN. You can associate a VRF instance or name with a Cisco IOS SSL VPN context by going to Configure > VPN > SSL VPN > Edit SSL VPN. Select the context that you want to associate a VRF instance to and click Edit.
  • Page 529: Ssl Vpn Enhancements

    You can create Application ACLs to control access to specific URLs. This window displays the Application ACLs created for the selected context, and enables you to edit existing ACLs and create new ones.
  • Page 530: Add Or Edit Application Acl

    The range or periods of time that this ACL is in effect. Add or Edit Application ACL Create or edit an application ACL in this window. Cisco IOS SSL VPN uses application ACLs to specify permitted and denied URLs. One ACL can consist of multiple entries.
  • Page 531: Add Acl Entry

    • Permit—Allow access to the URL in this entry. • Deny—Deny access to the URL in this entry. To have this ACL entry apply to any URL, click Any.
  • Page 532: Action Url Time Range

    To create a time range entry, click Add, and create the entry in the displayed dialog. Edit To edit an entry, select the entry, and click Edit. Make changes to the entry in the displayed dialog.
  • Page 533: Add Or Edit Action Url Time Range Dialog

    Create or edit a time range entry in this dialog. A time range entry can consist of multiple subentries. Field Reference Table 22-5 describes the fields in this screen.
  • Page 534: Add Or Edit Absolute Time Range Entry

    Add or Edit Absolute Time Range Entry Create or edit an absolute time range entry in this window. The time range can have a start date, an end date, or both.
  • Page 535: Add Or Edit Periodic Time Range Entry

    Create or edit a periodic time range entry in this window. You can specify which days to include in the range, and starting and ending days and times. Field Reference Table 22-7 describes the fields in this screen.
  • Page 536 Enter the starting time in 24-hour format. For example, entering 13:00 specifies a starting time of 1:00 p.m. End Time Enter the ending time in 24-hour format. For example, entering 23:59 specifies an ending time of 11:59 p.m.
  • Page 537: Vpn Troubleshooting

    C H A P T E R VPN Troubleshooting Cisco SDM can troubleshoot VPN connections that you have configured. Cisco SDM reports the success or failure of the connection tests, and when tests have failed, recommends actions that you can take to correct connection problems.
  • Page 538 This box provides the possible reason(s) for the VPN tunnel failure. Recommended action(s) This box provides a possible action/solution to rectify the problem. Close Button Click this button to close the window.
  • Page 539: Vpn Troubleshooting: Specify Easy Vpn Client

    • The Basic testing is not done or has not completed successfully. • The IOS image does not support the required debugging commands. • The view used to launch Cisco SDM does not have root privileges. What Do You Want to Do? If you want to: Do this: Troubleshoot the VPN connection.
  • Page 540: Vpn Troubleshooting: Generate Traffic

    VPN Troubleshooting: Generate Traffic This window allows you to generate site-to-site VPN or Easy VPN traffic for debugging. You can allow Cisco SDM to generate VPN traffic or you can generate VPN traffic yourself. VPN traffic on this connection is defined as This area lists current VPN traffic on the interface.
  • Page 541: Vpn Troubleshooting: Generate Gre Traffic

    VPN Troubleshooting: Generate GRE Traffic Have SDM generate VPN Traffic Select this option if you want Cisco SDM to generate VPN traffic on the interface for debugging. Cisco SDM will not generate VPN traffic when the VPN tunnel traffic is from...
  • Page 542: Cisco Sdm Warning: Sdm Will Enable Router Debugs

    VPN Troubleshooting Cisco SDM Warning: SDM will enable router debugs... Have SDM generate VPN Traffic Select this option if you want Cisco SDM to generate VPN traffic on the interface for debugging. Enter the remote tunnel IP address Enter the IP address of the remote GRE tunnel. Do not use the address of the remote interface.
  • Page 543: Security Audit

    Once determined, the Security Audit wizard will make the necessary changes to the router configuration to fix those problems. To have Cisco SDM perform a security audit and then fix the problems it has found: In the left frame, select Security Audit. Step 1 Click Perform Security Audit.
  • Page 544 The Security Audit Report Card screen appears, showing a list of possible security problems. Step 7 Check the Fix it boxes next to any problems that you want Cisco Router and Security Device Manager (Cisco SDM) to fix. For a description of the problem and a list of the Cisco IOS commands that will be added to your configuration, click the problem description to display a help page about that problem.
  • Page 545 • Set Users • Enable Telnet Settings • Enable NetFlow Switching • Disable IP Redirects • Disable IP Proxy ARP • Disable IP Directed Broadcast • Disable MOP Service
  • Page 546: Welcome Page

    This column displays a check box for each interface listed in the Interface column. Check the check box for each interface that connects to a network outside of your network, such as the Internet.
  • Page 547: Report Card Page

    Fix It Page This page displays the configuration changes recommended in the Report Card page. Use the Select an Option list to display the security problems Cisco SDM can fix, or the security configurations Cisco SDM can undo. Select an Option: Fix the security problems The Report Card screen displays a list of recommended configuration changes that will make your router and network more secure.
  • Page 548: Disable Finger Service

    When this option is selected, Cisco SDM displays the security configurations that it can undo. To have Cisco SDM undo all the security configurations, click Undo All. To specify a security configuration that you want to undo, check the Undo box next to it.
  • Page 549: Disable Pad Service

    Disable TCP Small Servers Service Security Audit disables small services whenever possible. By default, Cisco devices running Cisco IOS version 11.3 or earlier offer the “small services”: echo, chargen, and discard. (Small services are disabled by default in Cisco IOS software version 12.0 and later.) These services, especially their User Datagram...
  • Page 550: Disable Udp Small Servers Service

    Internet information from a centrally maintained server upon startup, including downloading Cisco IOS software. As a result, BOOTP can potentially be used by an attacker to download a copy of a router’s Cisco IOS software. In addition, the BOOTP service is vulnerable to DoS attacks; therefore it should be disabled or filtered via a firewall for this reason as well.
  • Page 551: Disable Ip Identification Service

    It is dangerous to allow any system on a directly connected segment to learn that the router is a Cisco device and to determine the model number and the Cisco IOS software version being run. This information may be used to design attacks against the router.
  • Page 552: Disable Ip Source Route

    Disabling IP source routing will cause a Cisco router to never forward an IP packet that carries a source routing option.
  • Page 553: Enable Tcp Keepalives For Inbound Telnet Sessions

    The configuration that will be delivered to the router to enable time stamps and sequence numbers is as follows: service timestamps debug datetime localtime show-timezone msec service timestamps log datetime localtime show-timezone msec
  • Page 554: Enable Ip Cef

    Fix It Page service sequence-numbers Enable IP CEF Security Audit enables Cisco Express Forwarding (CEF) or Distributed Cisco Express Forwarding (DCEF) whenever possible. Because there is no need to build cache entries when traffic starts arriving at new destinations, CEF behaves more predictably than other modes when presented with large volumes of traffic addressed to many destinations.
  • Page 555: Set Authentication Failure Rate To Less Than 3 Retries

    This configuration change will require every password on the router, including the user, enable, secret, console, AUX, tty, and vty passwords, to be at least six characters in length. This configuration change will be made only if the Cisco IOS version running on your router supports the minimum password length feature.
  • Page 556: Set Banner

    The configuration that will be delivered to the router to enable and configure logging is as follows, replacing <log buffer size> and <logging server ip address> with the appropriate values that you enter into Security Audit:
  • Page 557: Set Enable Secret Password

    Security Audit will configure the enable secret Cisco IOS command for more secure password protection whenever possible. The enable secret command is used to set the password that grants privileged administrative access to the Cisco IOS system. The enable secret command uses a much more secure encryption algorithm (MD5) to protect that password than the older enable password command.
  • Page 558: Set Scheduler Interval

    CPU processes for activities other than network switching, such as management processes. The configuration that will be delivered to the router to set the scheduler allocate percentage is as follows: scheduler allocate 4000 1000
  • Page 559: Set Users

    Security Audit enables NetFlow switching whenever possible. NetFlow switching is a Cisco IOS feature that enhances routing performance while using Access Control Lists (ACLs) and other features that create and enhance network security.
  • Page 560: Disable Ip Redirects

    ARP requests, making ARP queries available across multiple LAN segments. Because it breaks the LAN security barrier, proxy ARP should be used only between two LANs with an equal security level, and only when necessary.
  • Page 561: Disable Ip Directed Broadcast

    The configuration that will be delivered to the router to disable IP directed broadcasts is as follows: no ip directed-broadcast This fix can be undone. To learn how, click Undoing Security Audit Fixes.
  • Page 562: Disable Mop Service

    ICMP supports IP traffic by relaying information about paths, routes, and network conditions. ICMP mask reply messages are sent when a network device must know the subnet mask for a particular subnetwork...
  • Page 563: Disable Ip Unreachables On Null Interface

    0 no ip unreachables This fix can be undone. To learn how, click Undoing Security Audit Fixes.
  • Page 564: Enable Unicast Rpf On Outside Interfaces

    Enable Firewall on All of the Outside Interfaces If the Cisco IOS image running on the router includes the Firewall feature set, then Security Audit will enable Context-Based Access Control (CBAC) on the router whenever possible. CBAC, a component of the Cisco IOS Firewall feature set, filters packets based on application-layer information, such as what kinds of commands are being executed within the session.
  • Page 565: Set Access Class On Http Server Service

    To enable CBAC, Security Audit will use Cisco SDM’s Create Firewall screens to generate a firewall configuration.
  • Page 566: Enable Ssh For Access To The Router

    <std-acl-num> Enable SSH for Access to the Router If the Cisco IOS image running on the router is a crypto image (an image that uses 56-bit Data Encryption Standard (DES) encryption and is subject to export restrictions), then Security Audit will implement the following configurations to...
  • Page 567: Configuration Summary Screen

    Report Card screen. Cisco SDM and Cisco IOS AutoSecure AutoSecure is a Cisco IOS feature that, like Cisco SDM, lets you more easily configure security features on your router, so that your network is better protected. Cisco SDM implements almost all of the configurations that AutoSecure affords.
  • Page 568 • Enable Firewall on All of the Outside Interfaces AutoSecure Features Not Implemented in Cisco SDM The following AutoSecure features are not implemented in this version of Cisco SDM: • Disabling NTP—Based on input, AutoSecure will disable the Network Time...
  • Page 569: Security Configurations Cisco Sdm Can Undo

    • Enable SSH for Access to the Router—Cisco SDM will enable and configure SSH on crypto Cisco IOS images, but unlike AutoSecure, it will not enable Service Control Point (SCP) or disable other access and file transfer services, such as FTP.
  • Page 570: Undoing Security Audit Fixes

    Undoing Security Audit Fixes Cisco SDM can undo this security fix. If you want Cisco SDM to remove this security configuration, run the Security Audit wizard. In the Report Card window, select the option Undo Security Configurations, place a check mark next to this configuration and other configurations that you want to undo, and click Next>.
  • Page 571: Configure User Accounts For Telnet/Ssh Page

    Click a user account in the table to select it, and click this button to display the Edit a User Account screen, letting you edit the username and password of the selected account.
  • Page 572: Enable Secret And Banner Page

    Enter the new enable secret in this field. Re-enter New Password Re-enter the new enable secret in this field for verification. Login Banner Enter the text banner that you want configured on your router.
  • Page 573: Logging Page

    A log message severity level is shown as a number from 1 through 7, with lower numbers indicating more severe events. The descriptions of each of the severity levels are as follows: 0 - emergencies – System unusable 1 - alerts –
  • Page 574 Error conditions 4 - warnings – Warning conditions 5 - notifications – Normal but significant condition 6 - informational – Informational messages only 7 - debugging – Debugging messages
  • Page 575: Routing

    Optional This area shows whether a distance metric has been entered, and whether or not the route has been designated as a permanent route.
  • Page 576 • If SDM detects a previously configured static route entry with “tag” or “name” options, that entry will be read-only. • If you are configuring a Cisco 7000 router, and the interface used for a next hop is unsupported, that route will be marked as read only.
  • Page 577: Add Or Edit Ip Static Route

    Add or Edit IP Static Route Use this window to add or edit a static route. Destination Network Enter the destination network address information in these fields.
  • Page 578 Check this box to make this static route entry a permanent route. Permanent routes are not deleted even if the interface is shut down or the router is unable to communicate with the next router.
  • Page 579: Add Or Edit An Rip Route

    The values are RIP version 1, RIP version 2, and Default. Select the version supported by the Cisco IOS image that the router is running. When you select version 1, the router sends version 1 RIP packets and can receive version 1 packets.
  • Page 580 Click Add to provide an IP address, network mask, and area number in the IP address window. Edit Click Edit to edit the IP address, network mask, or area number in the IP address window.
  • Page 581: Add Or Edit Eigrp Route

    Click Add to add a destination network IP address to the Network list. Delete Select an IP address, and click Delete to remove an IP address from the Network list.
  • Page 582 Chapter 25 Routing, Add or Edit EIGRP Route
  • Page 583: Network Address Translation

    Internet (or the outside), and your network has hosts and servers, and the servers must be accessible to outside hosts (hosts on the Internet). Look at the sample diagram that appears to the right when you choose Advanced NAT.
  • Page 584: Basic Nat Wizard: Welcome

    The list shows the following information for each network: • IP address range allocated to the network • Network LAN interface • Comments entered about the network
  • Page 585: Summary

    Network Address Translation Wizards To remove a network from the NAT configuration, uncheck its check box. Note If Cisco SDM detects a conflict between the NAT configuration and an existing VPN configuration for the WAN interface, it will inform you with a dialog box after you click Next.
  • Page 586: Advanced Nat Wizard: Connection

    Remove that network from the NAT configuration by unchecking its check box. The list shows the following information for each network: • IP address range allocated to the network • Network LAN interface
  • Page 587: Add Network

    To add a network not directly connected to your router to the list, click Add Networks. Note If Cisco SDM does not allow you to place a check mark next to a network for which you want to configure a NAT rule, the interface associated with the network has already been designated as a NAT interface.
  • Page 588: Add Or Edit Address Translation Rule

    Advanced NAT Wizard: Connection). Type of Server Choose one of the following server types from the drop-down menu: • Web server—An HTTP host serving HTML and other WWW-oriented pages.
  • Page 589: Advanced Nat Wizard: Acl Conflict

    Advanced NAT Wizard: ACL Conflict If this window appears, Cisco SDM has detected a conflict between the NAT configuration and an existing ACL on the WAN interface. This ACL may be part of a firewall configuration, a VPN configuration, or the configuration of another feature.
  • Page 590: Details

    This button is not displayed with all feature conflicts. Details This window lists the changes Cisco SDM will make to the NAT configuration to resolve conflicts between NAT and another feature configured on the same interface.
  • Page 591 IP address to one public or global address. If you wanted to provide static translation to ten private addresses, you would create a separate static rule for each address.
  • Page 592 If you want to use an existing NAT rule as a template for the new rule, choose the rule, click Clone selected entry on Add, and then click Add.
  • Page 593 Note Many conditions cause previously configured NAT rules to appear as read-only in the Network Address Translation Rules list. Read-only NAT rules are not editable. For more information, see the help topic Reasons that Cisco SDM Cannot Edit a Rule.
  • Page 594: Designate Nat Interfaces

    Enter the number of seconds after which connections to servers time out. ICMP Timeout Enter the number of seconds after which Internet Control Message Protocol (ICMP) flows time out. The default is 60 seconds.
  • Page 595: Edit Route Map

    Cisco SDM may create route maps to prevent NAT from translating IP addresses that you want to be preserved. Although Cisco SDM only creates route maps to limit the action of NAT, route maps can be used for other purposes as well. If route maps have been created using the CLI, they will be visible in this window as well.
  • Page 596: Edit Route Map Entry

    Seq No. The sequence number of the route map. Action Route maps created by Cisco SDM are configured with the permit keyword. If this field contains the value deny, the route map was created using the CLI. Access Lists The access lists that specify the traffic to which this route map applies.
  • Page 597: Address Pools

    Network Address Translation Network Address Translation Rules Action Either permit or deny. Route maps created by Cisco SDM are configured with the permit keyword. If this field contains the value deny, the route map was created using the CLI. Access Lists This area shows the access lists associated with this entry.
  • Page 598: Add Or Edit Address Pool

    Choose the pool entry, click Delete, and confirm deletion in the Warning box displayed. Note If Cisco SDM detects a previously configured NAT address pool that uses the “type” keyword, that address pool will be read-only and cannot be edited.
  • Page 599: Add Or Edit Static Address Translation Rule: Inside To Outside

    Note If you create a NAT rule that would translate addresses of devices that are part of a VPN, Cisco SDM will prompt you to allow it to create a route map that protects those addresses from being translated by NAT. If NAT is allowed to translate addresses of devices on a VPN, their translated addresses will not match the IPSec rule used in the IPSec policy, and traffic will be sent unencrypted.
  • Page 600 Network Mask If you want Cisco SDM to translate the addresses of a subnet, enter the mask for that subnet. Cisco SDM determines the network and subnet number and the set of addresses needing translation from the IP address and mask that you supply.
  • Page 601 IP address that you want to use in the translation in this field. The network mask entered in the Translate from Interface area will be used to calculate the remaining inside global addresses.
  • Page 602: Add Or Edit Static Address Translation Rule: Outside To Inside

    Note If you create a NAT rule that would translate addresses of devices that are part of a VPN, Cisco SDM will prompt you to allow it to create a route map that protects those addresses from being translated by NAT. If NAT is allowed to translate...
  • Page 603 VPN, their translated addresses will not match the IPSec rule used in the IPSec policy, and traffic will be sent unencrypted. You can view route maps created by Cisco SDM or created using the CLI by clicking the View Route Maps button in the NAT window.
  • Page 604 Network Mask If you want Cisco SDM to translate the addresses in a remote subnet, enter the mask for that subnet. Cisco SDM determines the network and subnet number and the set of addresses needing translation from the IP address and mask that you supply.
  • Page 605: Add Or Edit Dynamic Address Translation Rule: Inside To Outside

    Internet or other outside network. When an address is no longer in use, it is returned to the address pool to be dynamically assigned to another device later.
  • Page 606 Note If you create a NAT rule that would translate addresses of devices that are part of a VPN, Cisco SDM will prompt you to allow it to create a route map that protects those addresses from being translated by NAT. If NAT is allowed to translate addresses of devices on a VPN, their translated addresses will not match the IPSec rule used in the IPSec policy, and traffic will be sent unencrypted.
  • Page 607 Address Pool to choose or create an address pool. Configuration Scenarios Click Dynamic Address Translation Scenarios for examples that illustrate how the fields in this window are used.
  • Page 608: Add Or Edit Dynamic Address Translation Rule: Outside To Inside

    Note If you create a NAT rule that would translate addresses of devices that are part of a VPN, Cisco SDM will prompt you to allow it to create a route map that protects those addresses from being translated by NAT. If NAT is allowed to translate addresses of devices on a VPN, their translated addresses will not match the IPSec rule used in the IPSec policy, and traffic will be sent unencrypted.
  • Page 609 This area shows the interfaces from which packets with translated addresses exit the router. It also provides fields for specifying the translated address. Inside Interface(s) If you choose From outside to inside, this area contains the designated inside interfaces.
  • Page 610: How Do I

    • Add or Edit Dynamic Address Translation Rule: Outside to Inside • Add or Edit Static Address Translation Rule: Outside to Inside
  • Page 611: How Do I Configure Nat With One Lan And Multiple Wans

    Each time you add a new address translation rule using the directions in one of these sections, choose the same LAN interface and a new WAN interface. Repeat this procedure for all WAN interfaces that you want to configure with address translation rules.
  • Page 612 Chapter 26 Network Address Translation, How Do I . . .
  • Page 613: Cisco Ios Ips

    IPS Tabs Use the tabs at the top of the IPS window to go to the area where you need to work. • Create IPS—Click to go to the IPS Rule wizard to create a new Cisco IOS IPS rule.
  • Page 614: Create Ips

    Cisco IOS IPS Create IPS IPS Rules A Cisco IOS IPS rule specifies an interface, the type and direction of traffic that it is to examine, and the location of the signature definition file (SDF) that the router uses. Create IPS In this window you can launch the IPS Rule wizard.
  • Page 615: Create Ips: Welcome

    Click Next to begin configuring a Cisco IOS IPS rule. Create IPS: Select Interfaces Choose the interfaces on which you want to apply the Cisco IOS IPS rule by specifying whether the rule is to be applied to inbound traffic or outbound traffic.
  • Page 616: Create Ips: Signature File

    CLI, you must still provide a public key in this screen. After you have completed the Cisco IOS IPS Rule Wizard, you can go to Edit IPS > Global Settings. In the Global Settings screen, you can click Edit in the Edit IPS Prerequisites area, and then click Public Key to display the Public Key dialog.
  • Page 617: Create Ips: Configuration File Location And Category

    Click the button to the right of the Config Location field to display a dialog that allows you to specify a location. After you enter information in that dialog, Cisco SDM displays the path to the location in this field.
  • Page 618: Add Or Edit A Config Location

    For example, if you want to specify the URL http://172.27.108.5/ips-cfg, enter 172.27.108.5/ips-cfg. Note Do not include the protocol in the path that you enter. Cisco SDM adds the protocol automatically. If you enter the protocol, Cisco SDM displays an error message.
  • Page 619: Directory Selection

    Specify Signature File on Flash If the signature file is located on router flash memory, click the button to the right of the field. Cisco SDM displays the signature file names of the correct format for you to choose. Specify Signature File using URL If the signature file is located on a remote system, select the protocol to be used, and enter the path to the file.
  • Page 620: Create Ips: Summary

    Chapter 27 Cisco IOS IPS Create IPS Create IPS: Summary Here is an example of a Cisco IOS IPS summary display on a router running a Cisco IOS release earlier than 12.4(11)T. Selected Interface: FastEthernet 0/1 IPS Scanning Direction: Both Signature Definition File Location: flash://sdmips.sdf...
  • Page 621: Edit Ips

    Cisco IOS IPS Edit IPS In this example, the Cisco IOS IPS policy is applied to the FastEthernet 0/0 and the FastEthernet 0/1 interfaces. The signature file is located on the PC. The config location is on router flash memory, in a directory named configloc.
  • Page 622: Edit Ips: Ips Policies

    Click to enable Cisco IOS IPS on the specified interface. You can specify the traffic directions to which Cisco IOS IPS is to be applied, and the ACLs used to define the type of traffic you want to examine. See...
  • Page 623 Cisco IOS IPS rules from that interface. Disable All Button Click to disable Cisco IOS IPS on all interfaces on which it has been enabled. If you disable Cisco IOS IPS on an interface to which it has been applied, Cisco SDM dissociates any Cisco IOS IPS rules from that interface.
  • Page 624 • Off—VFR is disabled. Cisco IOS IPS cannot identify the contents of IP fragments, nor can it gather port information from the fragment in order to match it with a signature. Therefore, fragments can pass through the network without being examined or without dynamic access control list (ACL) creation.
  • Page 625: Enable Or Edit Ips On An Interface

    Both, Inbound, and Outbound Buttons Use these buttons to specify whether you are going to enable Cisco IOS IPS on both inbound and outbound traffic, only inbound traffic, or only outbound traffic. Inbound Filter (Optional) Enter the name or number of the access rule that specifies the inbound traffic to be examined.
  • Page 626: Edit Ips: Global Settings

    Edit IPS: Global Settings This window allows you to view and configure global settings for Cisco IPS. This help topic describes the information that you may see if the running Cisco IOS image is earlier than version 12.4(11)T.
  • Page 627 Use Built-in Signatures (as backup)—If Cisco IOS IPS does not find signatures or fails to load them from the specified locations, it can use the Cisco IOS built-in signatures to enable Cisco IOS IPS. This option is enabled by default.
  • Page 628: Edit Global Settings

    Edit Global Settings Edit settings that affect the overall operation of Cisco IOS IPS in this window, in the Syslog and SDEE and Global Engine tabs. Enable Syslog Notification (Syslog and SDEE Tab) Check this checkbox to enable the router to send alarm, event, and error messages to a syslog server.
  • Page 629: Add Or Edit A Signature Location

    Use Built-in Signatures (as backup) (Global Engine Tab) If Cisco IOS IPS does not find or fails to load signatures from the specified locations, it can use the Cisco IOS built-in signatures to enable Cisco IOS IPS. This option is enabled by default.
  • Page 630: Edit Ips: Sdee Messages

    Autosave Check this option if you want the router to automatically save the SDF if the router crashes. This eliminates the need for you to reconfigure Cisco IOS IPS with this SDF when the router comes back up. Edit IPS: SDEE Messages...
  • Page 631: Sdee Message Text

    Available description. Refresh Button Click to check for new SDEE messages. Close Button Click to close the SDEE Messages window. SDEE Message Text This topic lists possible SDEE messages.
  • Page 632 IDS Status Messages
    Error Message ENGINE_BUILDING: %s - %d signatures - %d of %d engines
    Explanation Triggered when Cisco IOS IPS begins building the signature microengine (SME).
    Error Message ENGINE_BUILD_SKIPPED: %s - there are no new signature...
  • Page 633 Explanation after an SDF file is loaded. One message is sent for each failed engine. This means that the Cisco IOS IPS engine failed to import signatures for the specified engine in the message. Insufficient memory is the most probable cause of this problem.
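    A small checker for the engine-build messages listed on these pages, run over router syslog output. This is an added example, not code from the guide or from Cisco. The message bodies follow the printf-style templates the guide prints; the `%IPS-<severity>-` syslog prefix, the name ENGINE_BUILD_FAILED used for the per-engine import failure the guide describes, and the log lines themselves are assumptions constructed for the demonstration, so adjust them to what your IOS image actually emits.

```python
"""Added example, not from the Cisco SDM guide: a checker for the IDS
status messages the guide lists, run over router syslog output.

The message bodies follow the printf-style templates the guide prints
(ENGINE_BUILDING: %s - %d signatures - %d of %d engines, and
ENGINE_BUILD_SKIPPED: %s - there are no new signature...). The
'%IPS-<sev>-' syslog prefix and the ENGINE_BUILD_FAILED message name used
for the per-engine import failure the guide describes are assumptions;
adjust them to what your IOS image emits. The log lines are constructed.
"""
import re

TEMPLATES = {
    "ENGINE_BUILDING": "ENGINE_BUILDING: %s - %d signatures - %d of %d engines",
    "ENGINE_BUILD_SKIPPED": "ENGINE_BUILD_SKIPPED: %s - there are no new signature",
    # Hypothetical shape for the per-engine failure message.
    "ENGINE_BUILD_FAILED": "ENGINE_BUILD_FAILED: %s - failed to import signatures",
}


def compile_template(template):
    """Turn a printf-style template into a regex: %s -> lazy text, %d -> digits."""
    regex = ""
    for tok in re.split(r"(%[sd])", template):
        if tok == "%s":
            regex += r"(.+?)"
        elif tok == "%d":
            regex += r"(\d+)"
        else:
            regex += re.escape(tok)
    return re.compile(regex)


PATTERNS = {name: compile_template(t) for name, t in TEMPLATES.items()}


def parse_line(line):
    """Return (message_name, captured fields) or None for unrelated lines."""
    for name, rx in PATTERNS.items():
        m = rx.search(line)
        if m:
            return name, m.groups()
    return None


def check_engine_build(lines):
    """Summarise one signature load. An engine that fails to build leaves
    every signature in it inactive, so that is reported as a problem, as
    is a build that starts fewer engines than the messages declare."""
    built, failed, skipped, declared = {}, [], [], None
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        name, fields = hit
        if name == "ENGINE_BUILDING":
            engine, sigs, _index, total = fields
            built[engine] = int(sigs)
            declared = int(total)
        elif name == "ENGINE_BUILD_FAILED":
            failed.append(fields[0])
        elif name == "ENGINE_BUILD_SKIPPED":
            skipped.append(fields[0])
    problems = []
    if declared is not None and len(built) < declared:
        problems.append(f"only {len(built)} of {declared} engines started building")
    problems += [f"engine {e} failed to import signatures; check free memory" for e in failed]
    problems += [f"engine {e} built with 0 signatures" for e, n in built.items() if n == 0]
    return {"built": built, "failed": failed, "skipped": skipped, "problems": problems}


# Constructed sample; only the message bodies follow the guide's templates.
SAMPLE_LOG = """\
*Mar  1 00:02:11.511: %IPS-6-ENGINE_BUILDING: atomic-ip - 288 signatures - 1 of 13 engines
*Mar  1 00:02:12.103: %IPS-6-ENGINE_BUILDING: service-http - 612 signatures - 2 of 13 engines
*Mar  1 00:02:15.900: %IPS-6-ENGINE_BUILD_SKIPPED: service-dns - there are no new signatures
*Mar  1 00:02:16.220: %IPS-3-ENGINE_BUILD_FAILED: string-tcp - failed to import signatures
*Mar  1 00:02:17.004: %SYS-5-CONFIG_I: Configured from console by sdm on vty0
"""

if __name__ == "__main__":
    for p in check_engine_build(SAMPLE_LOG.splitlines())["problems"]:
        print("PROBLEM:", p)
```

    The point of running this after every signature update is that a failed engine build is not an error in the IPS policy: the router keeps forwarding, the interface still shows `ip ips` applied, but the signatures in that engine are never compiled and traffic they would have caught passes uninspected.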
  • Page 634: Edit Ips: Global Settings

    Deny Action on IPS Interface—We recommend this when the router is performing load balancing. When enabled, this option causes Cisco IOS IPS to enable ACLs on Cisco IOS IPS interfaces instead of enabling them on the interfaces from which attack traffic came. Edit IPS Prerequisites Table This table displays the information about how the router is provisioned for Cisco IOS IPS.
  • Page 635: Edit Global Settings

    • Global Engine Tab • Syslog and SDEE Tab The Syslog and SDEE dialog displayed when the router uses a Cisco IOS 12.4(11)T or later image allows you to configure syslog notification and parameters for SDEE subscriptions, events and messages.
  • Page 636: Edit Ips Prerequisites

    This option is applicable if signature actions are configured to “denyAttackerInline” or “denyFlowInline.” By default, Cisco IOS IPS applies ACLs to the interfaces from which attack traffic came, and not to Cisco IOS IPS interfaces. Enabling this option causes Cisco IOS IPS to apply the ACLs directly to the Cisco IOS IPS interfaces, and not to the interfaces that originally received the attack traffic.
  • Page 637: Add Public Key

    If you want to remove the category configuration, click Delete Category. Public Key Tab This dialog displays the public keys configured for Cisco IOS IPS. You can add keys or delete keys from this dialog. To add a key, click Add and configure the key in the dialog displayed.
  • Page 638 PC, specify the file that you want Cisco SDM to download, and specify the location where the file will be saved. Signature Package in use displays the version that Cisco IOS IPS is currently using. A CCO login is required to download signature files and obtain other information from the Cisco IOS IPS web pages on Cisco.com.
  • Page 639: Edit Ips: Seap Configuration

    To begin configuration, click on one of the buttons under the SEAP Configuration button. You can configure SEAP settings for Cisco IOS IPS when the router runs Cisco IOS 12.4(11)T and later releases.
  • Page 640: Edit Ips: Seap Configuration: Target Value Rating

    When you have entered the information that you want in the Target Value Rating window, click Apply Changes. The Apply Changes button is disabled when there are no changes to send to the router.
  • Page 641: Add Target Value Rating

    If an event occurs and its RR falls within the range that you defined, the action is added to the event. Event action overrides are a way to add event actions globally without having to configure each signature individually.
  • Page 642 Use Event Action Overrides Check the Use Event Action Overrides box to enable Cisco IOS IPS to use event action overrides. You can add and edit event action overrides whether or not they are enabled on the router.
  • Page 643: Add Or Edit An Event Action Override

    Cisco IOS IPS adds the override specified by the Event Action. For example, if Deny Connection Inline is assigned a RR range of 90-100, and an event with an RR of 95 occurs, Cisco IOS IPS responds by denying the connection inline.
  • Page 644: Edit Ips: Seap Configuration: Event Action Filters

    The Event Action Filters window displays the configured event action filters, and allows you to reorder the filters list so that Cisco IOS IPS processes the filters in the order that you want.
  • Page 645 When you have entered the information that you want in this window, click Apply Changes. The Apply Changes button is disabled when there are no changes to send to the router.
  • Page 646: Add Or Edit An Event Action Filter

    ID in that range. If you enter a range, use a dash (-) to separate the upper and lower bounds of the range. For example, enter 70-200.
  • Page 647 Ctrl key when you choose additional events. All the events that you choose for this filter will be listed in the Event Action Filters window.
  • Page 648: Edit Ips: Signatures

    Stop on Match If you want Cisco IOS IPS to stop when an event matches this event action filter, click Yes. If you want Cisco IOS IPS to evaluate matching events against the other remaining filters, click No.
  • Page 649 Click to import a signature definition file from the PC or from the router. When you have specified the file, Cisco IOS IPS displays the signatures available in the file, and you can choose the ones that you want to import to the router. For more...
  • Page 650 Note You can display and monitor TrendMicro OPACL signatures, but you cannot edit, delete, enable, or disable them. If a TrendMicro OPACL signature is specified, the Edit, Delete, Enable and Disable buttons are disabled. The Cisco Incident Control Server assumes control of these signatures. Enable Click Enable to enable the specified signature.
  • Page 651 Severity level of the event. Severity levels are informational, low, medium, and high. Engine Engine to which the signature belongs. Right-click Context Menu If you right-click a signature, Cisco SDM displays a context menu with the following options:
  • Page 652 Signatures marked for deletion remain active in the Cisco IOS IPS configuration until you click Apply Changes. If you exit the Signatures window and disable Cisco IOS IPS, the marked signatures will be deleted if Cisco IOS IPS is re-enabled.
  • Page 653 Event Action Filters window. Stop on Match If you want the Cisco IOS IPS to stop when an event matches this event action filter, click Yes. If you want the Cisco IOS IPS to evaluate matching events against the other remaining filters, click No.
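    The target value rating, event action override (the RR 90-100 example on page 643) and event action filter semantics described in these SEAP pages, including Stop on Match, modelled in Python. This is an added example and not Cisco code or the router's own implementation. The risk-rating formula and its constants are the ones documented for Cisco IPS 5.x signatures (the guide itself does not restate them); the signature IDs, addresses, override and filter contents are constructed for the demonstration. The `acl_interface` helper also shows what the Deny Action on IPS Interface option on page 634 changes.

```python
"""Added example, not Cisco code: the Signature Event Action Processor
(SEAP) decisions that the Target Value Rating, Event Action Overrides and
Event Action Filters windows configure, modelled in Python.

Risk rating follows the Cisco IPS 5.x formula
    RR = severity * fidelity * target_value / 10000, capped at 100
(the guide does not restate the formula; its constants are quoted from
Cisco IPS documentation). Signature IDs, addresses, override and filter
contents below are constructed for the demonstration.
"""
from dataclasses import dataclass, field

SEVERITY = {"informational": 25, "low": 50, "medium": 75, "high": 100}
TARGET_VALUE = {"low": 75, "medium": 100, "high": 150, "mission-critical": 200}


@dataclass
class Event:
    sig_id: int
    severity: str
    fidelity: int                  # signature fidelity rating, 0-100
    target: str                    # victim address, looked up in the TVR table
    actions: set = field(default_factory=set)   # actions assigned on the signature


@dataclass
class Override:
    action: str
    rr_low: int
    rr_high: int


@dataclass
class Filter:
    name: str
    sig_range: tuple               # inclusive (low, high), e.g. (70, 200)
    rr_range: tuple
    actions_to_remove: set
    stop_on_match: bool
    enabled: bool = True


def risk_rating(ev, tvr_table):
    """Target value defaults to 'medium' for addresses not in the table."""
    tvr = TARGET_VALUE[tvr_table.get(ev.target, "medium")]
    return min(100, SEVERITY[ev.severity] * ev.fidelity * tvr // 10000)


def apply_seap(ev, tvr_table, overrides, filters, use_overrides=True):
    """Return (risk_rating, final action set) for one event.

    Overrides add actions when RR falls inside their range; filters then
    run in the configured order and remove actions. A filter with
    stop_on_match ends the walk, so later filters never see the event."""
    rr = risk_rating(ev, tvr_table)
    actions = set(ev.actions)
    if use_overrides:
        for ov in overrides:
            if ov.rr_low <= rr <= ov.rr_high:
                actions.add(ov.action)
    for flt in filters:
        if not flt.enabled:
            continue
        if (flt.sig_range[0] <= ev.sig_id <= flt.sig_range[1]
                and flt.rr_range[0] <= rr <= flt.rr_range[1]):
            actions -= flt.actions_to_remove
            if flt.stop_on_match:
                break
    return rr, actions


def acl_interface(ingress_iface, ips_iface, deny_on_ips_interface):
    """Where a deny-attacker/deny-flow ACL is installed: by default on the
    interface the attack arrived on; with 'Deny Action on IPS Interface'
    enabled, on the IPS interface itself (the guide recommends this for
    load-balanced routers, where the ingress interface may vary)."""
    return ips_iface if deny_on_ips_interface else ingress_iface


# Constructed configuration: the guide's example override (RR 90-100 =>
# deny the connection inline) plus two filters for a trusted scanner.
TVR_TABLE = {"10.1.1.10": "medium"}
OVERRIDES = [Override("deny-connection-inline", 90, 100)]
FILTERS = [
    Filter("scanner-no-deny", (70, 200), (0, 100), {"deny-connection-inline"}, True),
    Filter("scanner-no-alert", (70, 200), (0, 100), {"produce-alert"}, True),
]


def demo():
    web_attack = Event(2004, "high", 95, "10.1.1.10", {"produce-alert"})
    scanner_hit = Event(150, "high", 95, "10.1.1.10", {"produce-alert"})
    return (apply_seap(web_attack, TVR_TABLE, OVERRIDES, FILTERS),
            apply_seap(scanner_hit, TVR_TABLE, OVERRIDES, FILTERS))


if __name__ == "__main__":
    for rr, acts in demo():
        print(rr, sorted(acts))
```

    Note the ordering effect: with Stop on Match set on the first filter, the second filter never runs and the alert survives; clearing Stop on Match lets both filters apply and the event ends with no actions at all, which is why the Event Action Filters window lets you reorder the list.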
  • Page 654 Cisco IOS IPS prevents intrusion by comparing traffic against the signatures of known attacks. Cisco IOS images that support Cisco IOS IPS have built-in signatures that Cisco IOS IPS can use, and you can also have Cisco IOS IPS import signatures for the router to use when examining traffic. Imported signatures are stored in a signature definition file (SDF).
  • Page 655 Note You can only import signatures from the router if the router has a DOS-based file system. SDFs are available from Cisco. Click the following URL to download an SDF from Cisco.com (requires login): http://www.cisco.com/cgi-bin/tablebuild.pl/ios-sigup Cisco maintains an alert center that provides information on emerging threats. See Cisco Security Center for more information.
  • Page 656 Note Signatures that are set to import and are identical to deployed signatures will not be imported and will not appear in the signature list. The signature list can be filtered using the selection controls.
  • Page 657 Retired signatures are not compiled. Engine Engine to which the signature belongs. Right-click Context Menu If you right-click a signature, Cisco SDM displays a context menu with the following options: Actions—Click to choose the actions to be taken when the signature is •...
  • Page 658: Edit Signature

    This help topic describes the Edit Signatures window displayed when the router runs Cisco IOS 12.4(11)T and later releases. Signature ID The unique numerical value assigned to this signature. This value allows the Cisco IOS IPS to identify a particular signature.
  • Page 659 The signature description includes the signature name and release, any alert notes available from the Cisco Security Center, user comments, and other information. Engine The signature engine associated with this signature. One commonly used engine is named Atomic IP.
  • Page 660 The summary mode is changed dynamically to adapt to the current alert volume. For example, you can configure the signature to Fire All, but after a certain threshold is reached, it starts summarizing.
  • Page 661: File Selection

    The left side of the window displays an expandable tree representing the directory system on your Cisco router flash memory and on USB devices connected to that router. The right side of the window displays a list of the names of the files and directories found in the directory that is specified in the left side of the window.
  • Page 662: Assign Actions

    deny-attacker-inline—Create an ACL that denies all traffic from the IP address considered to be the source of the attack by the Cisco IOS IPS system. Same as denyAttackerInline. deny-connection-inline—Drop the packet and all future packets on this TCP...
  • Page 663: Import Signatures

    Replace button to replace the already configured signatures. See Merge Button and Replace Button for more information. Step 4 Click the Apply Changes button in the Edit IPS window to deploy the imported signatures.
  • Page 664 The signature list area has these columns: Sig ID—Unique numerical value assigned to this signature. This value allows Cisco IOS IPS to identify a particular signature.
  • Page 665: Add, Edit, Or Clone Signature

    The following fields are in the Add, Edit, and Clone Signature windows. SIGID—Unique numerical value assigned to this signature. This value allows Cisco IOS IPS to identify a particular signature.
  • Page 666 Enabled—Identifies whether or not the signature is enabled. A signature must be enabled in order for Cisco IOS IPS to protect against the traffic specified by the signature. EventAction—Actions Cisco IOS IPS will take if this signature is triggered.
  • Page 667: Cisco Security Center

    RAM is 127 MB or less. The attack-drop.sdf file contains 82 signatures. If your router runs Cisco IOS version 12.4(11)T or later, you must use an SDF file that has a name of the format sigv5-SDM-Sxxx.zip; for example, sigv5-SDM-S260.zip.
  • Page 668: Security Dashboard

    Security Dashboard The Security Dashboard allows you to keep your router updated with signatures for the latest security threats. You must have Cisco IOS IPS configured on your router before you can deploy signatures using the Security Dashboard.
  • Page 669 Security Dashboard Top Threats Table The Top Threats table displays the latest top threats from Cisco if the status of the associated signatures indicates that they are available for deployment or are under investigation. Some of the top threats in the table are associated with signatures that can be deployed to your router.
  • Page 670 SDF must have a name with the format sigv5-SDM-Sxxx.zip; for example, sigv5-SDM-S260.zip. The location of a Cisco IOS SDF file you choose is shown in the SDF file location field. The SDF file location field is read-only. After the first time you download a Cisco IOS SDF file, Cisco SDM remembers the location of the file.
  • Page 671: Ips Migration

    Step 4 router. A warning is shown if any of the chosen signatures are not found in the Cisco IOS file. However, all found signatures can still be deployed. After being deployed on your router, the signatures are automatically enabled and added to the router active signatures list.
  • Page 672: Migration Wizard: Choose The Ios Ips Backup Signature File

    If you used Cisco SDM to make changes, Cisco SDM saves them in a file named sdmips.sdf, which it saves to router flash memory.
  • Page 673 -Xmx256m. Step 5 Click OK in the Java Runtime Settings dialog. Step 6 Click Apply in the Java Control Panel, and then click OK. Step 7 Restart Cisco SDM.
  • Page 674 Java Heap Size
  • Page 675: Network Module Management

    You can use Telnet for this session. IDS Network Module Control Buttons Cisco SDM enables you to issue a number of basic commands to the IDS Network Module from this window. Reload Click to reload the IDS network module operating system.
  • Page 676 Click to start the IDM software on the IDS module. When you launch the IDM software, Cisco SDM displays a dialog box that asks you for the IP address of the IDS module’s external Fast Ethernet interface. When Cisco SDM obtains the correct address, it opens an IDM window.
  • Page 677: Ids Sensor Interface Ip Address

    SDM cannot detect this IP address, and enables you to supply one without leaving Cisco SDM to do so. If the IDS network module has been configured with a static IP address, or configured as IP unnumbered to another interface with an IP address, this window will not appear.
  • Page 678: Ip Address Determination

    Use Cisco SDM last known IP Address Click to have Cisco SDM use the IP address that it used the last time that the management application for this network module was run. If the IP address of the module has not been changed since the management application was last run, and you do not want Cisco SDM to attempt discovery of the address, use this option.
  • Page 679: Ids Nm Configuration Checklist

    Specify If you know the network module’s IP address, choose this option, and enter the address. Cisco SDM will remember the address, and you can select Use SDM last known IP Address the next time you start the network module.
  • Page 680 Yes to enable IP CEF on the router. IDS NM Initial Setup If this row contains an X icon in the Action column, Cisco SDM has detected that the IDS Network Module’s default IP address has not been changed.
  • Page 681: Ids Nm Interface Monitoring Configuration

    Feature Unavailable This window appears when you try to configure a feature that the Cisco IOS image on your router does not support. If you want to use this feature, obtain a Cisco IOS image from Cisco.com that supports it.
  • Page 682 Switch Module Interface Selection
  • Page 683: Quality Of Service

    Creating a QoS Policy Complete these steps to create a QoS policy: Step 1 If you want to review the Cisco IOS CLI commands that you send to the router when you complete the configuration, go to the Cisco SDM toolbar, and click Edit >...
  • Page 684: Create A Qos Policy Reference

    Step 8 If you checked Preview commands before delivering to router in the Edit Preferences screen, the Cisco IOS CLI commands that you are sending are displayed. Click Deliver to send the configuration to the router, or click Cancel to discard it. If you did not make this setting, clicking Finish sends the configuration to the router.
  • Page 685 Easy VPN clients, and interfaces with an existing QoS policy are not included. If the router Cisco IOS image release is 12.4(11)T or later, virtual template tunnel interfaces may appear in this list. If you choose a VTI interface, you will be able to configure shaping and queuing parameters.
  • Page 686 IP phones and switches add DSCP markings to packets. Configuring DSCP on the router allows these markings to be used to classify traffic. If the Cisco IOS image on the router does not support DSCP marking, this option will not appear.
  • Page 687 Remove To remove a traffic class from this list that you have created, select the list and click Remove. Cisco SDM default classes cannot be removed. Add a New Traffic Class Add a new traffic class in this screen.
  • Page 688 Bandwidth Percentage Enter the bandwidth percentage that you want to give to the class. Cisco SDM displays a message if you enter a value that causes the total percentage value of all traffic types other than best effort to exceed 75%. If that occurs, lower the percentage value.
  • Page 689 Committed Information Rate (CIR) Enter the CIR for each traffic class. The bandwidth of the link is listed at the bottom of the screen. Cisco SDM displays a message if any entered value causes the total to exceed the link bandwidth.
  • Page 690 (NBAR or DSCP), the policy name, and several of the QoS classes created.
    Interface: FastEthernet0/0
    Classification: DSCP
    Policy Name: SDM-QoS-Policy-1
    Policy Details
    ----------------------------------------------------------------------
    Class Name: SDM-Voice-1
    ----------------------------------------------------------------------
    Enabled: Yes
  • Page 691: Editing Qos Policies

    Editing QoS Policies Complete these steps to edit a QoS policy: Step 1 If you want to review the Cisco IOS CLI commands that you send to the router when you complete the configuration, go to the Cisco SDM toolbar, and click Edit >...
  • Page 692: Edit Qos Policy Reference

    Step 8 If you checked Preview commands before delivering to router in the Edit Preferences screen, the Cisco IOS CLI commands that you are sending are displayed. Click Deliver to send the configuration to the router, or click Cancel to discard it. If you did not make this setting, clicking Finish sends the configuration to the router.
  • Page 693 The Cut button is disabled when a read-only QoS class is selected. Copy To copy class information, select the class and click Copy. The Copy button is disabled when a read-only QoS class is selected.
  • Page 694 If this icon appears next to the QoS class, it is read-only, and it cannot be edited, deleted, or moved to another position in the class list. Class Name The name of the QoS class. Cisco SDM predefines names for QoS classes.
  • Page 695: Add Class For The New Policy

    dropped, or No if it is not to be dropped. Add Class for the New Policy Add a traffic class for a new QoS policy in this screen.
  • Page 696: Add Service Policy To Class

    Edit. Then, add or modify entries for type in the displayed dialog. Add Service Policy to Class In this screen, add an existing service policy to a QoS class.
  • Page 697: Associate Or Disassociate The Qos Policy

    This column lists the router interfaces. To choose an interface to which you want to associate the QoS policy, check the box next to the interface name. Note If you select the interface Cisco SDM uses to communicate with the router, you cause the connection between SDM and the router to be dropped.
  • Page 698 Classification box—You cannot specify classification criteria. Action box—You cannot specify that traffic be dropped. Additionally, you can only specify that Fair Queuing be used.
  • Page 699 Access Rule, and then click Edit. In the dialog that appears, you can choose an existing ACL, create a new one, or clear existing associations if you are editing a QoS class.
  • Page 700: Edit Match Dscp Values

    Values column on the left, and click the top double-arrowhead button to add it to the Selected DSCP Values column. To remove a value from the Selected DSCP Values column, choose the value and click the bottom double-arrowhead button.
  • Page 701: Edit Match Protocol Values

    If you want to clear existing rule associations, you can choose None (clear associations). Configure Policing In this screen, configure policing for a QoS policy. Field Reference Table 29-13 describes the fields in this screen.
  • Page 702: Configure Shaping

    Optional parameters are enabled when you choose the Set DSCP Transmit action. The options displayed are the available DSCP markings. Configure Shaping In this screen, configure shaping for a QoS policy.
  • Page 703: Configure Queuing

    You can choose the following queuing methods: • LLQ—Low Latency Queuing • CBWFQ—Class-Based Weighted Fair Queuing • Fair Queue—Weighted Fair Queuing (WFQ) Field Reference Table 29-15 describes the fields in this screen.
  • Page 704 Random Detect. Fair Queue Chosen Queue Limit Enter the number of packets to allow in the queue. Random Detect To enable Weighted Random Early Detection (WRED), click Random Detect.
  • Page 705: Network Admission Control

    You use the Create NAC tab and NAC wizard to create a NAC policy and associate it with an interface. After you create the NAC policy, you can edit it by clicking Edit NAC and choosing it in the policy list.
  • Page 706: Other Tasks In A Nac Implementation

    Other Tasks in a NAC Implementation A full NAC implementation includes the following configuration steps: Step 1 Install and configure the Cisco Trust Agent (CTA) software on network hosts. This provides hosts with a posture agent capable of responding to EAPoUDP queries from the router.
  • Page 707: Welcome

    Create NAC Tab Step 3 Install and configure the posture validation and remediation server. If you are a registered Cisco.com user, you can download Cisco Trust Agent (CTA) software from the following link: http://www.cisco.com/cgi-bin/tablebuild.pl/cta The document at the following link explains how to install and configure CTA software on a host.
  • Page 708: Nac Policy Servers

    Cisco Secure ACS server to handle hosts without an installed posture agent, you can do so. When the Cisco Secure ACS server receives a packet from an agentless host, it responds by sending the agentless host policy. Configuring an agentless host policy is useful when there are agentless hosts that are dynamically addressed, such as DHCP clients.
  • Page 709 RADIUS client source. Note Cisco IOS software allows a single RADIUS source interface to be configured on the router. If the router already has a configured RADIUS source and you choose...
  • Page 710: Interface Selection

    The window displays the names of the ACLs applied to inbound and to outbound traffic on this interface. If an inbound ACL is already present on the interface, Cisco SDM uses that ACL for NAC by adding appropriate permit statements for EAPoUDP traffic. If the IP address of the interface on which NAC is being applied were 192.55.22.33, a...
  • Page 711: Nac Exception List

    NAC policy server, and then reconfigure NAC on the router to use Strict Validation, by changing the ACL applied to the interface to deny ip any any using the Cisco SDM Firewall Policy feature. NAC Exception List You can identify hosts that must be allowed to bypass the NAC validation process.
  • Page 712: Choose An Exception Policy

    MAC Address—Choose this if you want to identify the host by its MAC address. Cisco IP Phone—Choose this if you want to include the Cisco IP phones on the network in the exception list. Specify Address Field If you choose IP Address or MAC Address as the host type, enter the address in this field.
  • Page 713: Add Exception Policy

    A remediation URL might look like the following: http://172.23.44.9/update Redirect URLs are usually of the form http://URL or https://URL.
  • Page 714: Agentless Host Policy

    Check this box to enable Cisco SDM remote management on the named interface. Host/Network Address Fields If you want Cisco SDM to modify the ACL to allow Cisco SDM traffic from a single host, choose Host Address and enter the IP address of a host. Choose Network Address and enter the address of a network and a subnet mask to allow...
  • Page 715: Modify Firewall

    ACL that is blocking it. If you want Cisco SDM to modify the ACL to allow the traffic listed, check the Modify box in the appropriate row. If you want to see the entry that Cisco SDM will add to the ACL, click the Details button.
  • Page 716: Summary Of The Configuration

    You can use the Back button to return to any wizard screen to change information. Click Finish to deliver the configuration to the router.
  • Page 717: Edit Nac Tab

    Default values for EAPoUDP timeout settings are preconfigured, but you can change the settings. This button is disabled if there is no NAC policy configured on the router.
  • Page 718: Nac Components

    Agentless Host Policy Button If a policy for agentless hosts exists on the Cisco Secure ACS server, the router can use that policy to handle hosts without installed posture agents. This method of handling agentless hosts can be used when such hosts do not have static IP addresses.
  • Page 719: Exception Policies Window

    Configure the timeout values the router is to use for EAPoUDP communication with network hosts. The default, minimum, and maximum values for all settings are shown in the following table.
  • Page 720 Enter the number of seconds that the router should wait between queries to the posture agent on the host. Reset to Defaults Button Click this button to reset all NAC timeouts to their default values.
  • Page 721: Configure A Nac Policy

    The first deny statement exempts traffic with a destination of port 53 (domain), and the second statement exempts traffic with a destination of port 80 (www). The permit statement ending the ACL ensures that posture validation occurs.
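    The two ACL points from the NAC chapter, the inverted meaning of deny and permit in the NAC admission ACL described just above, and the requirement from the Interface Selection and NAC Exception List pages that the interface ACL still admit EAPoUDP before Strict Validation's deny ip any any, checked with a small first-match ACL evaluator. This is an added example, not Cisco code and not what SDM generates. EAPoUDP's UDP port 21862 is a known value; the interface address 192.0.2.1, the host addresses and the ACL contents are constructed, and only the ACE syntax the sample uses (any, host, wildcard masks, eq port) is parsed.

```python
"""Added example, not from the Cisco SDM guide: a first-match evaluator
for the extended ACLs that a NAC deployment depends on, used to check
two things the guide describes.

1. The NAC admission (intercept) ACL is read backwards from a filtering
   ACL: a deny entry exempts matching traffic from posture validation,
   the closing permit is what triggers validation.
2. Whatever ACL is applied to the NAC interface must still admit the
   host's EAPoUDP replies to the router, or Strict Validation
   ('deny ip any any') silently breaks the posture exchange.

EAPoUDP uses UDP port 21862; the interface address 192.0.2.1, host
addresses and ACL contents are constructed. Only the ACE syntax the
sample uses is parsed (any, host, wildcard masks, eq <port>).
"""
EAPOUDP_PORT = 21862


def _take_addr(tokens):
    """Consume one address spec and return a predicate over dotted IPs."""
    tok = tokens.pop(0)
    if tok == "any":
        return lambda ip: True
    if tok == "host":
        h = tokens.pop(0)
        return lambda ip: ip == h
    net, wild = tok, tokens.pop(0)      # wildcard mask: 1 bits are don't-care

    def matches(ip):
        return all((int(a) ^ int(b)) & (~int(w) & 255) == 0
                   for a, b, w in zip(net.split("."), ip.split("."), wild.split(".")))
    return matches


def _take_port(tokens):
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse_acl(text):
    """Parse 'permit|deny <proto> <src> [eq p] <dst> [eq p]' lines."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, sport = _take_addr(rest), _take_port(rest)
        dst, dport = _take_addr(rest), _take_port(rest)
        aces.append((action, proto, src, sport, dst, dport))
    return aces


def evaluate(aces, flow):
    """flow = (proto, src_ip, src_port, dst_ip, dst_port). First matching
    entry wins; an ACL ends with an implicit deny."""
    proto, sip, sp, dip, dp = flow
    for action, p, src, sport, dst, dport in aces:
        if p != "ip" and p != proto:
            continue
        if not (src(sip) and dst(dip)):
            continue
        if sport is not None and sport != sp:
            continue
        if dport is not None and dport != dp:
            continue
        return action
    return "deny"


def needs_posture_validation(intercept_acl, flow):
    """Permit in the NAC intercept ACL means 'validate'; deny means 'exempt'."""
    return evaluate(parse_acl(intercept_acl), flow) == "permit"


def eapoudp_admitted(interface_acl, iface_ip, host_ip):
    """Would the host's EAPoUDP reply reach the router through this ACL?"""
    flow = ("udp", host_ip, EAPOUDP_PORT, iface_ip, EAPOUDP_PORT)
    return evaluate(parse_acl(interface_acl), flow) == "permit"


# Constructed ACLs. The intercept ACL mirrors the guide's description:
# DNS and web are exempt, everything else is posture-validated.
NAC_INTERCEPT_ACL = """
deny udp any any eq 53
deny tcp any any eq 80
permit ip any any
"""
# Strict Validation done right: the EAPoUDP permit precedes the deny.
STRICT_INTERFACE_ACL = """
permit udp any host 192.0.2.1 eq 21862
deny ip any any
"""
# Strict Validation done wrong: nothing lets the posture exchange in.
BROKEN_STRICT_ACL = """
deny ip any any
"""

if __name__ == "__main__":
    for flow in [("udp", "10.0.0.5", 40000, "198.51.100.53", 53),
                 ("tcp", "10.0.0.5", 40002, "203.0.113.7", 22)]:
        print(flow, "validate" if needs_posture_validation(NAC_INTERCEPT_ACL, flow) else "exempt")
    print("strict ACL admits EAPoUDP:", eapoudp_admitted(STRICT_INTERFACE_ACL, "192.0.2.1", "10.0.0.5"))
    print("broken ACL admits EAPoUDP:", eapoudp_admitted(BROKEN_STRICT_ACL, "192.0.2.1", "10.0.0.5"))
```

    The practical check before switching an interface to Strict Validation is the `eapoudp_admitted` case: if the posture exchange itself is dropped, every host fails validation for the wrong reason and the exception list becomes the only way onto the network.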
  • Page 722: How Do I

    How Do I Configure a NAC Policy Server? The router must have a connection to a Cisco Secure Access Control Server (ACS) running ACS software version 3.3. The ACS must be configured to use the RADIUS protocol in order to implement NAC.
  • Page 723: Router Properties

    Enter the name you want to give the router in this field. Domain Enter the domain name for your organization. If you do not know the domain name, obtain it from your network administrator.
  • Page 724: Date And Time: Clock Properties

    The enable secret password allows you to control who is able to enter configuration commands on this router. We strongly recommend that you set an enable secret password. The password will not be readable in the Cisco SDM Device Properties window, and it will appear in encrypted form in the router configuration file.
  • Page 725: Date And Time Properties

    Date and Time: Clock Properties Date/Time You can see the router date and time settings on the right side of the Cisco SDM status bar. The time and date settings in this part of the Clock Properties window are not updated.
  • Page 726: Ntp

    Date and Time: Clock Properties Note You must make the Time Zone and Daylight Savings settings on the PC before starting Cisco SDM so that Cisco SDM will receive the correct settings when you click Synchronize. Edit Date and Time Use this area to set the date and time manually.
  • Page 727: Add Or Edit Ntp Server Details

    IP Address Enter or edit the IP address of an NTP server. Prefer Click this box if this is to be the preferred NTP server.
  • Page 728: Sntp

    Cisco SDM will add statements to permit port 123 traffic on this interface. If the existing rule is a standard access rule, Cisco SDM changes it to an extended rule in order to be able to specify traffic type and destination.
  • Page 729: Add An Ntp Server

    Cisco SDM will add statements to permit port 123 traffic on this interface. If the existing rule was a standard access rule, Cisco SDM changes it to an extended rule in order to be able to specify traffic type and destination.
  • Page 730 For example, if you choose notifications (5),...
  • Page 731: Snmp

    If you want system messages to be logged to the router buffer, check the Logging Buffer check box in the dialog that Cisco SDM displays when you click Edit, then enter the buffer size in the Buffer Size field. The larger the buffer, the more entries can be stored before the oldest ones are deleted to make room for new entries.
  • Page 732: Netflow Talkers

    In this window you can configure Netflow top talkers. Enable Top Talkers Check the Enable Top Talkers check box to enable monitoring of the top talkers on the interfaces that have Netflow configured.
  • Page 733: Router Access

    Top Talkers Set the number of top talkers in the Top Talkers number box. Choose a number in the range 1–200. Cisco SDM will track and record data on up to the number of top talkers that you set. Cache Timeout Set the timeout, in milliseconds, for the top-talkers cache in the Cache timeout number box.
  • Page 734: Add Or Edit A Username

    View Name If a CLI view has been associated with the user account, the view name appears in this column. Views define the user’s access to Cisco SDM based on the user’s role. Click Associate a View with the user for more information.
  • Page 735 This field is displayed when you are setting up user accounts for router access. It may not be visible if you are working in a different area of Cisco SDM. Check the Associate a View with the user option if you want to restrict user access to a specific view.
  • Page 736: View Password

    • SDM_Monitor—A user associated with the view type SDM_Monitor can monitor all features supported by Cisco SDM. The user is not able to deliver configurations using Cisco SDM. The user is able to navigate the various areas of Cisco SDM, such as Interfaces and Connections, Firewall, and VPN.
  • Page 737: Vty Settings

    Note: To use SSH as an input or output protocol, you must enable it by clicking SSH in the Additional Tasks tree and generating an RSA key. Edit vty Lines This window lets you edit virtual terminal (vty) settings on your router.
  • Page 738 Inbound Enter the name or number of the access rule that you want to use to filter inbound traffic, or click the button and browse for the access rule.
  • Page 739: Configure Management Access Policies

    For more information on this format, and on how IP addresses and subnet masks are used, see IP Addresses and Subnet Masks. Management Interface The router interface over which management traffic will flow.
  • Page 740 • SSH—Specified hosts can use Secure Shell to access the router CLI. • HTTP—Specified hosts can use Hypertext Transfer Protocol to access the router. If Cisco SDM is specified, either HTTP or HTTPS must also be specified. • HTTPS—Specified hosts can use Hypertext Transfer Protocol Secure to...
  • Page 741: Add Or Edit A Management Policy

    Specify the management protocols allowed for the host or network. Allow SDM Check to allow the specified host or network to access Cisco SDM. When you check this box, the following protocols are automatically checked: Telnet, SSH, HTTP, HTTPS, and RCP. Checking this option does not prevent you from allowing additional protocols.
  • Page 742: Management Access Error Messages

    If you want to make users employ secure protocols when logging in to Cisco SDM, check Allow secure protocols only. When you check this box, the following protocols are automatically checked: SSH, HTTPS, RCP. If you then check a nonsecure protocol such as Telnet, Cisco SDM unchecks Allow secure protocols only.
  • Page 743 SDM Warning: SDM Not Allowed. Explanation: This message is displayed if you still have not configured a management access policy to allow a host or network to access Cisco SDM on this router. Recommended Action: You must provide such a policy in order to make Cisco SDM on this router accessible.
  • Page 744: Ssh

    The SSH server in Cisco IOS software will work with publicly and commercially available SSH clients. This feature is disabled if the router is not using an IPsec DES or 3DES Cisco IOS release, in which case the SSH branch of the Additional Tasks tree does not appear.
  • Page 745: Dhcp Configuration

    • DHCP Pool Range—Range of IP addresses that can be granted to clients. • Default Router IP Address—If the router has an IP address in the same subnet as the DHCP pool, it is shown here.
  • Page 746 Click this button to see the IP addresses leased by the specified pool. If a DHCP pool contains any parameters other than pool network, IP address range, lease time, DNS servers, WINS servers, domain name, and default router, Cisco SDM shows this pool as read-only. If a pool contains a discontinuous range of IP addresses, it also is shown as read-only.
  • Page 747: Add Or Edit Dhcp Pool

    Add or Edit DHCP Pool Add or edit a DHCP pool in this window. You cannot edit Cisco SDM-default pools. DHCP Pool Name Provide a name for the DHCP pool in this field. DHCP Pool Network Enter the network from which the IP addresses in the pool will be taken, for example, 192.168.233.0.
  • Page 748: Dhcp Bindings

    Type of MAC address is one of the following: • Ethernet—Client has a hardware address. • IEEE802—Client has a hardware address. • <None>—Client has a client identifier.
  • Page 749: Add Or Edit Dhcp Binding

    DHCP pool available to the client. Do not enter an address in use by another DHCP binding. Mask Enter the mask used for the host IP address. Identifier From the drop-down menu, choose a method for identifying the client with a MAC address.
  • Page 750: Dns Properties

    Enter the IP addresses of the DNS servers that you want the router to send DNS requests to. Click the Add, Edit, or Delete buttons to administer DNS IP address information. Dynamic DNS Methods This window shows a list of dynamic DNS methods.
  • Page 751: Add Or Edit Dynamic Dns Method

    DNS method. Some dynamic DNS methods are read-only. These were configured in the Cisco IOS software through the CLI, and cannot be edited or deleted. To make these read-only methods editable, use the CLI to change the internal cache or host group options to HTTP or IETF.
  • Page 752 IETF is a dynamic DNS method type that updates a DNS server with changes to the associated interface’s IP address. If using IETF, configure a DNS server for the router in Configure > Additional Tasks > DNS.
  • Page 753: Acl Editor

    Rules define how the router will respond to a particular kind of traffic. Using Cisco SDM, you can create access rules that cause the router to block certain types of traffic while permitting other types, NAT rules that define the traffic that is to...
  • Page 754 Cisco SDM Default Rules These rules are predefined rules that are used by Cisco SDM wizards and that you can apply in the Additional Tasks > ACL Editor windows. No. of Rules The number of rules of this type.
  • Page 755: Useful Procedures For Access Rules And Firewalls

    • Firewall Rules window—Rules that can specify source and destination addresses, type of traffic, and whether the traffic should be permitted or denied.
  • Page 756 The upper portion of the screen lists the access rules that have been configured on this router. This list does not contain Cisco SDM default rules. To view Cisco SDM default rules, click the SDM Default Rules branch of the Rules tree.
  • Page 757 Meanings of the Permit and Deny Keywords to learn more about the action of permit and the action of deny in the context of a specific type of rule.
  • Page 758 Attributes This field can contain other information about this entry, such as whether logging has been enabled. Description A short description of the entry.
  • Page 759: Add Or Edit A Rule

    Select the access rule, and click Delete. Delete a rule that has been associated with an interface—Cisco SDM does not permit you to delete a rule that has been associated with an interface. In order to delete the rule, you must first disassociate it from the interface.
  • Page 760 After creating the first entry, you could copy it using Clone, and change the protocol field or port field to create a new entry. Interface Association Click the Associate button to apply the rule to an interface.
  • Page 761 Delete a rule entry—Select the rule entry, and click Delete. Then confirm deletion in the Warning window displayed. Learn more about rules—Explore the resources on Cisco.com. The following link contains information about IP access lists: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml What I want to do is not described here—The following link contains procedures that you may want to consult:
  • Page 762: Associate With An Interface

  • Page 763: Add A Standard Rule Entry

    The source can be a network or a host within a specific network. You can create a single rule entry in this window, but you can return to this window to create additional entries for a rule if you need to.
  • Page 764 The choices are Permit and Deny. What Permit and Deny do depends on the type of rule in which they are used. In Cisco SDM, standard rule entries can be used in access rules, NAT rules, and in access lists associated with route maps.
  • Page 765: Add An Extended Rule Entry

    The choices are Permit and Deny. If you are creating an entry for an IPSec rule, the choices are protect the traffic and don’t protect the traffic.
  • Page 766 What Permit and Deny do depends on the type of rule in which they are used. In Cisco SDM, extended rule entries can be used in access rules, NAT rules, IPSec rules, and access lists associated with route maps.
  • Page 767 = any. Destination Port Available when either TCP or UDP is selected. Setting this field will cause the router to filter on the destination port in a packet.
  • Page 768: Select A Rule

    For more information refer to this link: Firewall Log. Select a Rule Use this window to select a rule to use.
  • Page 769 • IP address—the IP address in the packet must match. • The keyword any—Any indicates that the source IP address can be any IP address. • A host name.
  • Page 770 This is shown by displaying the service, such as echo-reply, followed by the protocol, such as ICMP. A rule permitting or denying multiple services between the same endpoints must contain an entry for each service.
  • Page 771: Port-To-Application Mapping

    Clicking the Edit button lets you make changes to user-defined entries. Entries with the value System Defined in the Protocol Type column cannot be edited or deleted.
  • Page 772 For example, the FTP and the TFTP entries are found under the File Transfer protocol type. Port Type Column This list appears if the router is running a Cisco IOS image that allows you to specify whether this port map entry applies to TCP or to UDP traffic. Port Column This column contains the port number.
  • Page 773: Add Or Edit Port Map Entry

    Description Field This field appears if the router is running a Cisco IOS image that allows you to specify whether this port map entry applies to TCP or to UDP traffic. You can optionally enter a description of the port map entry. Descriptions are helpful when you are adding entries for custom protocols or special applications.
  • Page 774 310, 313, 318, or you might enter the range 415–419. If the router is not running a Cisco IOS image that allows you to specify whether this port map entry applies to TCP or to UDP traffic, you can enter a single port number.
  • Page 775: Zone-Based Policy Firewall

    For a good description of how Zone-Based Policy Firewall can be implemented, read The Zone-Based Policy Firewall Design Guide available on cisco.com by going to Support > Product Support > Cisco IOS Software > Cisco IOS Software Releases 12.4 Mainline > Configure > Feature Guides and clicking Zone-Based Policy Firewall Design Guide.
  • Page 776: Zone Window

    Click Edit to choose different interfaces for an existing zone. Click Delete to remove a zone. A zone that is a member of a zone pair cannot be deleted.
  • Page 777: Add Or Edit A Zone

    Router network interfaces’ membership in zones is subject to several rules governing interface behavior, as is the traffic moving between zone member interfaces: • A zone must be configured before interfaces can be assigned to the zone.
  • Page 778 An explicit policy can be configured to restrict such traffic. This set of rules was taken from The Zone-Based Policy Firewall Design Guide available at the following link: http://www.cisco.com/en/US/products/ps6350/products_feature_guide09186a008072c6e3.html
  • Page 779: Zone Pairs

    The self zone can be used when you are configuring zone pairs...
  • Page 780: Add A Zone

    Zone Name Enter the name of the zone that you want to add.
  • Page 781: Select A Zone

    Select a Zone for the Interface Select the zone that you want to include the interface in, and click OK.
  • Page 783: Authentication, Authorization, And Accounting

    Authentication, Authorization, and Accounting Cisco IOS Authentication, Authorization, and Accounting (AAA) is an architectural framework for configuring a set of three independent security functions in a consistent manner. AAA provides a modular way of performing authentication, authorization, and accounting services.
  • Page 784: Configuring Aaa

    Step 1: If you want to review the IOS CLI commands that you send to the router when you complete the configuration, go to the Cisco SDM toolbar, and click Edit > Preferences > Preview commands before delivering to router. The preview screen allows you to cancel the configuration if you want to.
  • Page 785: Aaa Root Screen

    Enable AAA. Disable AAA AAA is enabled by default. If you click Disable AAA, Cisco SDM displays a message telling you that it will make configuration changes to ensure that the router can be accessed. Disabling AAA...
  • Page 786: Aaa Servers And Server Groups

    The IP address, server type, and other parameters are displayed for each server. Field Reference Table 35-2 describes the fields in this screen.
  • Page 787: Add Or Edit A Tacacs+ Server

    This column lists the timeout, key, and other parameters for each server. Add or Edit a TACACS+ Server Add or edit information for a TACACS+ server in this window. Field Reference Table 35-3 describes the fields in this screen.
  • Page 788: Add Or Edit A Radius Server

    Servers Global Settings window. • New Key/Confirm Key—Enter the key and reenter it for confirmation. Add or Edit a RADIUS Server Add or edit information for a RADIUS server in this window.
  • Page 789: Edit Global Settings

    Any communications settings made for a specific router will override settings made in this window. Field Reference Table 35-12 describes the fields in this screen.
  • Page 790: Aaa Server Groups

    This window displays the server groups configured on this router. If no AAA servers have been configured, this window is empty. Field Reference Table 35-6 describes the fields in this screen.
  • Page 791: Add Or Edit Aaa Server Group

    Field Reference Table 35-7 describes the fields in this screen. Table 35-7 Add or Edit AAA Server Group Fields (Element—Description): Group Name—Enter a name for the group.
  • Page 792: Authentication And Authorization Policies

    The Login and the Exec and Network authorization windows display the method lists used to authenticate logins and NAC requests, and to authorize Exec command level and network requests. You can review and manage these method lists from these windows.
  • Page 793: Authentication Nac

  • Page 794: Authentication 802.1X

    Method 4 kept empty. Authentication 802.1x The Authentication 802.1x window displays the method lists configured for 802.1x authentication. Note: You cannot specify additional method lists for 802.1x configuration.
  • Page 795: Add Or Edit A Method List For Authentication Or Authorization

    Method lists enable you to designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails.
  • Page 796 Cisco IOS software uses the first listed method to authenticate users. If that method fails to respond, the Cisco IOS software selects the next authentication method listed in the method list. This process continues until there is successful communication with a listed authentication method, or all methods defined in the method list are exhausted.
  • Page 797 Enable Password Aging Check Enable Password Aging to have the Easy VPN Server notify the user when their password has expired and prompt them to enter a new password.
  • Page 799: Router Provisioning

    Note: If the Launch SDP button is absent, your router’s Cisco IOS release does not support SDP. If the Launch SDP button is disabled, you are logged in to Cisco SDM as a nonroot view user.
  • Page 800: Router Provisioning From Usb

    Router Provisioning from USB This window tells you if Cisco SDM has detected a USB token or USB flash device connected to your router. You can click the Router Provisioning button to choose a configuration file from the USB token or USB flash device.
  • Page 801 • When you complete the configuration changes in SDP, you must return to Cisco SDM and click Refresh on the toolbar to view the status of the trustpoint in the Router Certificates window in the VPN Components tree. Troubleshooting Tips These recommendations involve preparations on the local router and on the server.
  • Page 803: Cisco Common Classification Policy Language

    Cisco Common Classification Policy Language (C3PL) is a structured replacement for feature-specific configuration commands. C3PL allows you to create traffic policies based on events, conditions, and actions. Cisco Router and Security Device Manager (Cisco SDM) uses C3PL to create the...
  • Page 804 The following table shows detail for an IM policy map. The router blocks AOL traffic, but allows all other types of IM traffic.
    Match Class Name | Action
    aol-cmap | Disabled Disabled
    class-default | Enabled Disabled
  • Page 805: Add Or Edit A Qos Policy Map

    Associate a Policy Map to Interface In this screen, associate a policy map to the chosen interface. Field Reference Table 37-1 describes the fields in this screen.
  • Page 806 • Yes—Policing is configured. • No—Policing is not configured. Set DSCP The Set DSCP column lists the DSCP markings used in the class map. Drop...
  • Page 807: Add An Inspection Policy Map

    Cisco IOS Software Zone-Policy Firewall offers application inspection and control on the following application services: HTTP, SMTP, POP3, IMAP,...
  • Page 808: Class Maps

    • Protocol—The Layer 4 protocols (TCP, UDP, and ICMP) and application services such as HTTP, SMTP, DNS, etc. Any well-known or user-defined service known to PAM may be specified.
  • Page 809: Associate Class Map

    You can select an existing parameter map. If no parameter map is configured, this field is disabled. Click View to display the selected parameter map without leaving this dialog.
  • Page 810: Qos Class Map

    The following example shows details of a voice signaling class map. Details of Class Map: SDMSignal-FastEthernet0/1. Item Name—Match Protocols; Item Value—h323,rtcp (H.323 and RTCP are the voice signaling protocols to be matched).
  • Page 811: Add Or Edit A Qos Class Map

    To edit a class map or see more detail, click Edit to display a dialog that lets you view information and make changes.
  • Page 812 Click Edit to change the configuration of the selected class map. Delete Click Delete to remove the selected class map. Cisco SDM may display dialogs if there are dependencies associated with this configuration, such as subordinate class maps or parameter maps that could be used by other class maps.
  • Page 813 • Add an HTTP Inspection Class Map • Add or Edit an Instant Messaging Class Map • Add or Edit a Point-to-Point Class Map • Add or Edit an SMTP Class Map
  • Page 814: Add Or Edit An Inspect Class Map

    This dialog displays the parameter maps that you can associate with the class map. Click the Select box next to the parameter map you want to associate with the class map.
  • Page 815: Add An Http Inspection Class Map

    Count Greater Than Click this box to specify a limit to the total number of request header fields that a packet should not exceed, and enter the number of fields.
  • Page 816: Http Request Header Fields

    Click this box to specify regular expressions to be matched against. Choose an existing regular expression class map, or create a new one that will match the strings that you are inspecting for. See Add or Edit Regular Expression for more...
  • Page 817: Http Request Body

    HTTP Request Header Arguments You can inspect for the length of the arguments sent in a request, and inspect for strings that match regular expressions that you have configured.
  • Page 818: Http Method

    Enter the Universal Resource Identifier (URI) criteria that you want to include in the class map. Length Greater Than Click this box to specify a URI length that a packet should not exceed, and enter the number of bytes.
  • Page 819: Response Header

    Click this box to specify regular expressions to be matched against. Choose an existing regular expression class map, or create a new one that will match the strings you are inspecting for. See Add or Edit Regular Expression for more...
  • Page 820: Response Header Fields

    If you choose the transfer-encoding field, you can inspect for various types of compression and encoding.
  • Page 821: Http Response Body

    A forbidden page usually contains a 403 status-code and the status line looks like “HTTP/1.0 403 page forbidden\r\n.” The regular expression for this is the following: [Hh][Tt][Tt][Pp][/][0-9][.][0-9][ \t]+403
  • Page 822: Request/Response Header Criteria

    Choose the HTTP Request/Response header field that you want to include in the class map. Length Greater Than Click this box to specify a field length that a packet should not exceed, and enter the number of bytes.
  • Page 823: Request/Response Body

    Length Check this box and choose Greater than (>) to specify an upper limit to the request/response body length. Choose Less than (<) to specify a lower limit.
  • Page 824: Request/Response Protocol Violation

    In the Maximum data transfer allowed in a session field, enter the maximum number of bytes the router should allow for an SMTP session.
  • Page 825: Add Or Edit A Sunrpc Class Map

    Class Map Type You can create a P2P class map for the following types of P2P services: • eDonkey • fasttrack • gnutella • kazaa2
  • Page 826: Add P2P Rule

    Click Login string in clear text to have the router inspect POP3 traffic for nonsecure logins. Click Invalid protocol command to have the router inspect POP3 traffic for invalid commands.
  • Page 827: Parameter Maps

    Used By column. The details of the selected parameter map are displayed in the bottom half of the window. You can add, edit, and delete parameter maps. Cisco SDM informs you if you attempt to delete a parameter map that is being used by a class map.
  • Page 828: Add Or Edit A Server Entry

    Name Enter a name to identify the regular expression. If you are editing the regular expression, the name field is read-only.
  • Page 829: Add A Pattern

    If you click Guide, any text that you entered in the Pattern field appears in the Regular Expression field of the Build Regular Expression dialog.
  • Page 830: Build Regular Expression

    For example, “d.g” matches dog, dag, dtg, and any word that contains those characters, such as doghouse. • Character set—Inserts a character set. Text can match any character in the set. Sets include: [0-9A-Za-z] [0-9] [A-Z]
  • Page 831 Apply to Selection. For example, if the regular expression is “test me,” and you select “me” and apply One or more times, then the regular expression changes to “test (me)+”.
  • Page 832: Regular Expression Metacharacters

    For example, ab(xy){3}z matches abxyxyxyz. Alternation Matches either expression it separates. For example, dog|cat matches dog or cat.
  • Page 833 Caret Specifies the beginning of a line. Escape character When used with a metacharacter, matches a literal character. For example, \[ matches the left square bracket.
  • Page 834 Matches an ASCII character using hexadecimal (exactly two digits). \NNN Escaped octal number Matches an ASCII character as octal (exactly three digits). For example, the character 040 represents a space.
  • Page 835: Url Filtering

    • URL Filter Servers For more information on URL filtering, go to the following link: Firewall Websense URL Filtering To learn how URL filtering policies are used, click URL Filtering Precedence.
  • Page 836: Url Filtering Window

    URL filtering server going down, or an HTTP request containing a URL that is too long for a lookup request. This option is disabled by default.
  • Page 837: General Settings For Url Filtering

    You can also specify a source interface if you do not want the URL filtering parameter map to apply to all router interfaces.
  • Page 838 IP addresses and their respective authorization status. The default size of this cache is 5000 bytes. The range is from 0 bytes to 2147483647. The cache is cleared every 12 hours.
  • Page 839: Local Url List

    SDM supports. In a ZPF configuration, a local URL list can be created for each URL filtering parameter map. You can use Cisco SDM to create list entries and you can import entries from a list stored on your PC. When a local URL list is used in combination with URL filter servers, local entries are used first.
  • Page 840: Add Or Edit Local Url

    The URL list that you select must have a .txt or .CSV extension. After you select the list on your PC, Cisco SDM displays a dialog that allows you to specify what you want to do with each entry in the list. See...
  • Page 841: Import Url List

    Click Add, and choose either Secure Computing or Websense to specify the type of server that you are adding. Note: Cisco IOS software can only use one type of URL filtering server, and does not allow you to add a server to the list if it is of a different type. For example, if a URL filter server list containing Websense servers is configured on the router, you...
  • Page 842: Add Or Edit A Url Filter Server

    Optional field. Enter the number of times that you want the router to attempt to retransmit the request if no response arrives from the server. The default value is 2 times. This field accepts values from 1 to 10.
  • Page 843: Url Filtering Precedence

    URL list and URL filter server list can still be maintained in the Additional Tasks windows. However, the router does not perform URL filtering unless URL filtering is enabled in an Application Security policy.
  • Page 845: Configuration Management

    Chapter: Configuration Management. Cisco SDM allows you to edit the router configuration file and to reset the router configuration to factory defaults. Because editing the configuration file directly and resetting the router to factory defaults can cause you to lose the connection between the PC and the router, be sure to read the online help for all screens in this area of Cisco SDM.
  • Page 846: Config Editor

    Although it is not required, it is strongly recommended that you allow Cisco SDM to back up the current running configuration. When Cisco SDM performs this backup, it uses the same filename each time, thus overwriting any earlier backup file.
  • Page 847: Reset To Factory Defaults

    LAN IP address from the factory value 10.10.10.1, you will lose the connection between the router and the PC because that IP address will change back to 10.10.10.1 when you reset. Note: The Reset to Factory Defaults feature is not supported on Cisco 3620, 3640, ...
  • Page 848 Understanding How to Give the PC a Dynamic or Static IP Address After You Reset: If you want to use Cisco SDM after you reset, you have to give your PC a static or dynamic IP address, depending on the type of router that you have. Use the following table to determine the type of address to give the PC.
  • Page 849 Step 1: Leave Save Running Config to PC checked in Step 1 on screen, and specify a name for the configuration file. Cisco SDM provides a default path and name. You don’t have to change it unless you want to.
  • Page 850: This Feature Not Supported

    This window appears when a Cisco SDM feature is not supported. This may be because the router is running a Cisco IOS image that does not support the feature, or because Cisco SDM is being run on a PC and cannot support the feature.
  • Page 851: More About

    Chapter: More About... These topics provide more information about subjects that Cisco SDM online help discusses. IP Addresses and Subnet Masks: This topic provides background information about IP addresses and subnet masks, and shows you how to use this information when entering addresses and masks in Cisco SDM.
  • Page 852 You can enter the mask in the dotted decimal format shown in the Subnet Mask field, or you can select the number of bits in the bits field. When you enter or select a value in one field, Cisco SDM automatically adjusts the other.
  • Page 853: Host And Network Fields

    When a network address is displayed in Cisco SDM windows, the IP address and subnet mask for it may be shown in network address/subnet bits format, as in the following example: 172.28.33.0/24...
  • Page 854: Available Interface Configurations

    Dialer interface associated with an ADSL or G.SHDSL configuration; serial interface with a PPP or HDLC configuration; serial subinterface with a Frame Relay configuration; unsupported WAN interface.
  • Page 855: Dhcp Address Pools

    172.16.1.1 to 172.16.1.254 (assuming the LAN IP address is in the 172.16.1.0 subnet). Cisco SDM configures the router to automatically exclude the LAN interface IP address from the pool.
  • Page 856: Meanings Of The Permit And Deny Keywords

    This topic lists services you can specify in rules, and their corresponding port numbers. It also provides a short description of each service. This topic is divided into the following areas: TCP Services, UDP Services, and ICMP Message Types.
  • Page 857 Internet Relay Chat. A world-wide protocol that allows users to exchange text messages with each other in real time. klogin: Kerberos login. Kerberos is a developing standard for authenticating network users. kshell: Kerberos shell login. Login...
  • Page 858 Mobile IP registration. nameserver: IEN116 name service (obsolete). netbios-dgm: NetBIOS datagram service. Network Basic Input Output System. An API used by applications to request services from lower-level network processes.
  • Page 859 X-Display Manager Client Protocol. A protocol used for communications between X-Displays (clients) and X Display Managers. non500-isak (port 4500): Internet Security Association and Key Management Protocol. This keyword is used when NAT-traversal port floating is required.
  • Page 860 Sent to indicate that the received packet’s time-to-live field has reached zero. timestamp-reply: Reply to a request for a timestamp used for synchronization between two devices.
  • Page 861 Open Shortest Path First. A link-state hierarchical routing algorithm. Payload Compression Protocol. Protocol-Independent Multicast. PIM is a multicast routing architecture that allows the addition of multicast IP routing on existing IP networks.
  • Page 862 A telephony protocol enabling telephony clients to be H.323 compliant. smtp: See smtp. sqlnet: Protocol for network-enabled databases. streamworks: StreamWorks protocol. Streaming video protocol.
  • Page 863: More About Nat

    This section provides scenario information that may help you in completing the NAT Translation Rule windows, and other information that explains why NAT rules created using the CLI may not be editable in Cisco SDM. Static Address Translation Scenarios: The following scenarios show you how you can use the static address translation rules.
  • Page 864 Static/Dynamic: Static. Translate from... fields: IP Address 10.12.12.3; Net Mask: leave blank. Translate to... fields: IP Address 172.17.4.8; Redirect Port: Original Port 137, Translated Port 139.
  • Page 865 The port number in the Redirect port field is changed from 137 to 139. Return traffic carrying the destination address 172.17.4.8 and port 139 is routed to port number 137 of the host with the IP address 10.12.12.3.
  • Page 866: Dynamic Address Translation Scenarios

    Result: Traffic from all hosts on the 10.10.10.0 network would have the source IP address translated to 172.17.4.8. PAT would be used to distinguish traffic associated with different hosts.
  • Page 867: Reasons That Cisco Sdm Cannot Edit A Nat Rule

    Pool 1, the same address is used to satisfy subsequent requests, and PAT is used to distinguish between the hosts using the address. Reasons that Cisco SDM Cannot Edit a NAT Rule: A previously configured rule will be read-only and will not be configurable...
  • Page 868: More About Vpn

    The following links provide TAC resources and other information on VPN issues: How Virtual Private Networks Work; Dynamic Multipoint IPSec VPNs; TAC-authored articles on IPSec; TAC-authored articles on Cisco SDM.
  • Page 869: More About Vpn Connections And Ipsec Policies

    A crypto map can specify more than one peer for a connection. This may be done to provide redundancy. The following diagram shows the same interface and policy, but crypto map CM-3 specifies two peers: Topeka and Lawrence.
  • Page 870 There are six VPN connections in this configuration, as both Dialer 3 and Serial 1/1 have connections to Seattle, Chicago, Topeka, and Lawrence. Cisco SDM would show the links to Topeka and Lawrence as one connection for both interfaces.
  • Page 871: More About Ike

    negotiation to ensure that only a party with the correct private key could continue the negotiation. Note: Cisco SDM supports the pre-shared key method of authentication. Session Negotiation: During session negotiation, IKE allows parties to negotiate how they will conduct authentication and how they will protect any future negotiations (that is, IPSec tunnel negotiation).
  • Page 872: More About Ike Policies

    If the lifetimes are not identical, the shorter lifetime, from the remote peer’s policy, will be used.
  • Page 873: Allowable Transform Combinations

    ESP with the 168-bit DES encryption algorithm (3DES or Triple DES). esp-null: Null encryption algorithm. esp-seal: ESP with the 160-bit encryption key Software Encryption Algorithm (SEAL).
  • Page 874: Reasons Why A Serial Interface Or Subinterface Configuration May Be Read-Only

    The interface is configured with the encapsulation hdlc and ip address negotiated commands; the interface is part of a SERIAL_CSUDSU_56K WIC; the interface is part of a Sync/Async WIC configured with the physical-layer async command.
  • Page 875: Reasons Why An Atm Interface Or Subinterface Configuration May Be Read-Only

    The encapsulation on the PVC is neither “aal5mux” nor “aal5snap”; the encapsulation protocol on aal5mux is not “ip”; the IP address is not configured on the PVC in the protocol ip command.
  • Page 876: Reasons Why An Ethernet Interface Configuration May Be Read-Only

    If no IP address is configured on the associated dialer; VPDN is required (which is determined dynamically from the Cisco IOS image) but is not configured for this connection; if the operating mode is “CO” on an SHDSL interface (ATM main interfaces...
  • Page 877: Reasons Why An Isdn Bri Interface Configuration May Be Read-Only

    If using the ISDN BRI connection as a backup connection, once the backup configuration is done through Cisco SDM, if any of the conditions below occur, the backup connection will be shown as read-only: the default route through the primary interface is removed; ...
  • Page 878: Reasons Why An Analog Modem Interface Configuration May Be Read-Only

    If using the analog modem connection as a backup connection, once the backup configuration is done through Cisco SDM, if any of the conditions below occur, the backup connection will be shown as read-only: the default route through the primary interface is removed; ...
  • Page 879: Firewall Policy Use Case Scenario

    The Cisco SDM-supported interfaces are configured with unsupported configurations; the primary interfaces are not supported by Cisco SDM. Firewall Policy Use Case Scenario: For information on firewall policy management, including detailed deployment scenarios, see the document at the following link: http://www.cisco.com/application/pdf/en/us/guest/products/ps5318/c1225/ccmig...
  • Page 880 If the value is already in use, Cisco SDM informs you of this and recommends that you either use a new value, or that you select a different routing protocol to advertise networks on the DMVPN.
  • Page 881: Cisco Sdm White Papers

    Cisco SDM White Papers: A number of white papers are available that describe how Cisco SDM can be used. These white papers are available at the following link: http://www.cisco.com/univercd/cc/td/doc/product/software/sdm/appnote/index.h...
  • Page 883: Getting Started

    Cisco SDM requires no previous experience with Cisco devices or the Cisco command-line interface (CLI). When you start Cisco SDM, it displays the Home Page, a window with system and configuration overview information that gives you important information about your router hardware and software.
  • Page 884: What's New In This Release

    Quality of Service over Dynamic Virtual Tunnel Interfaces Support—Cisco SDM enables you to associate policies with DVTIs. QoS Policing, Queuing, and Shaping Support—Cisco SDM allows you to configure policing, queuing, and shaping in QoS policies. For more information on QoS policing, refer to...
  • Page 885 Secure Socket Layer VPN (SSL VPN) enhancements—Cisco SDM now supports: URL Obfuscation; automatic download of the Thin Client applet; RADIUS Accounting.
  • Page 886: Cisco Ios Versions Supported

    In the Support section, click the General Information link, and then click Release Notes. Cisco IOS Versions Supported: To determine which Cisco IOS versions Cisco SDM supports, go to the following URL: http://www.cisco.com/go/sdm. In the Support section, click the General Information link, and then click Release Notes.
  • Page 887: Viewing Router Information

    Monitor mode works by examining the router log and by viewing the results of Cisco IOS show commands. For Monitor mode functions that are based on log entries, such as firewall statistics, logging must be enabled. Logging is enabled by default by Cisco SDM, but you can change that setting using the Additional Tasks >...
  • Page 888: Overview

    Note: If you do not see feature information described in this help topic on the Overview screen, the Cisco IOS image does not support the feature. For example, if the router is running a Cisco IOS image that does not support security features, the Firewall Status and VPN Status sections do not appear on the screen.
  • Page 889 Shows the available flash over the amount of flash installed on the router. Interface Status: Shows basic information about the interfaces installed on the router and their status. Note: Only interface types supported by Cisco SDM are included in these statistics. Unsupported interfaces will not be counted. Total Interface(s) Up: The total number of enabled (up) interfaces on the router.
  • Page 890 The status of the interface, either Up or Down. Bandwidth Usage: The percent of interface bandwidth being used. Description: Available description for the interface. Cisco SDM may add descriptions such as $FW_OUTSIDE$ or $ETH_LAN$. Firewall Status Group: Shows basic information about the router resources and contains the following...
  • Page 891 Log Group: Shows basic information about the router resources and contains the following fields: Total Log Entries: The total number of entries currently stored in the router log.
  • Page 892: Interface Status

    Monitor Interface and Stop Monitoring Button: Click this button to start or stop monitoring the selected interface. The button label changes based on whether Cisco SDM is monitoring the interface or not. Test Connection Button: Click to test the selected connection. A dialog appears that enables you to specify a remote host to ping through this connection.
  • Page 893 Cisco SDM or user description entered. Select Chart Types to Monitor Group: These check boxes are the data items for which Cisco SDM can show statistics on the selected interface. These data items are as follows: Packet Input—The number of packets received on the interface.
  • Page 894 This data item appears only if configured under Configure > Interfaces and Connections > Edit > Application Service for the chosen interface. Note: If the router Cisco IOS image does not support Netflow, the flow counters will not be available.
  • Page 895: Firewall Status

    Note: The last three options will retrieve a maximum of 60 data points. After 60 data points have been retrieved, Cisco SDM will continue to poll data, replacing the oldest data points with the newest ones. Show Table/Hide Table: Click this button to show or hide the performance charts.
  • Page 896: Zone-Based Policy Firewall Status

    Zone-Based Policy Firewall Status: If the router runs a Cisco IOS image that supports the Zone-Based Policy Firewall feature, you can display the status of the firewall activity for each zone pair configured on the router.
  • Page 897 View Interval list. Data is collected on the traffic configured with the pass action in the Layer 4 policy map.
  • Page 898: Vpn Status

    Tunnel Status: The current status of the IPSec tunnel. Possible values are: Up—The tunnel is active; Down—The tunnel is inactive due to an error or hardware failure.
  • Page 899 Step 1: Choose the tunnel you want to monitor in the IPSec Tunnel table. Step 2: Choose the types of information you want to monitor by checking the check boxes under Select Item to Monitor.
  • Page 900: Dmvpn Tunnels

    Click to monitor the DMVPN tunnel chosen in the DMVPN Tunnel table. See Monitoring a DMVPN Tunnel. Update button: Click this button to refresh the DMVPN Tunnel table and display the most current data from the router.
  • Page 901: Easy Vpn Server

    Number of client connections. Group Details Button: Clicking Group Details shows the following information about the selected group: Group Name; Pool Name; DNS Servers; WINS Servers.
  • Page 902 Click this button to display the most current data from the router. Disconnect button: Choose a row in the table and click Disconnect to drop the connection with the client.
  • Page 903: Ike Sas

    Quick mode exchanges. Update button—Click this button to refresh the IKE SA table and display the most current data from the router.
  • Page 904: Ssl Vpn Components

    This area of the window displays gathered statistics in a series of tabs for easier viewing. Click any of the links below for a description of the data the tab displays: User Sessions, URL Mangling, Port Forwarding, CIFS, Full Tunnel.
  • Page 905: Ssl Vpn Context

    AAA pending requests—The number of AAA requests that have been pending since monitoring data was refreshed. Peak time—The longest user session recorded since monitoring began.
  • Page 906: Url Mangling

    CIFS: This tab displays data gathered about CIFS requests, responses, and connections. For more information refer to the command reference available at the following link: http://www.cisco.com/en/US/products/hw/switches/ps708/products_command_reference_chapter09186a0080419245.html#wp1226849
  • Page 907: Full Tunnel

    SSL VPN connections. You can control individual use of the SSL VPN in this window by choosing a user and clicking the Disconnect button.
  • Page 908 Last used—The time at which the user last sent traffic over any active connection. Cisco Secure Desktop—True or False. Indicates whether Cisco Secure Desktop has been downloaded to the user’s PC. Group name—The name of the group policy under which the user is configured.
  • Page 909: Traffic Status

    Netflow statistics. Choose Top N Traffic Flows > Top Protocols or Top N Traffic Flows > Top Talkers (high-traffic sources) from the Traffic Status tree. Note: If the router Cisco IOS image does not support Netflow, the Netflow choices will not be available in the Traffic Status tree.
  • Page 910: Top Talkers

    Protocols—Protocols used in the packets exchanged with the destination IP address. Number of Packets—Number of packets exchanged with the destination IP address. Update Button: Updates the window with current information about the flows.
  • Page 911: Qos

    Select the interval at which statistics should be gathered: Now—Statistics are gathered when you click Start Monitoring. Every 1 minute—Statistics are gathered when you click Start Monitoring, and refreshed at 1-minute intervals.
  • Page 912 All Traffic—Real-Time—Business-Critical—Trivial: Cisco SDM displays statistics for all traffic classes in bar chart form, based on the type of statistic you selected. Cisco SDM displays a message instead of a bar chart if there are not adequate statistics for a particular traffic type.
  • Page 913: Application/Protocol Traffic

    Network-based application recognition (NBAR), a protocol and application discovery feature. NBAR is used to classify packets for more efficient handling of network traffic through a specific interface. Note: If the router Cisco IOS image does not support NBAR, this status window will not be available.
  • Page 914: Nac Status

    interface. NAC Status: If NAC is configured on the router, Cisco SDM can display snapshot information about the NAC sessions on the router, the interfaces on which NAC is configured, and NAC statistics for the selected interface. The top row in the window displays the number of active NAC sessions, the...
  • Page 915: Logging

    SDEE messages. To open a log, click the tab with the log’s name. Syslog: The router contains a log of events categorized by severity level, like a UNIX syslog service.
  • Page 916 Changing the setting in this field causes the list of log messages to be refreshed. Displays all messages with the severity level specified in the Select a Logging Level to View field. Log events contain the following information: Severity Column...
  • Page 917 Update Button: Updates the window with current information about log details and the most current log entries. Clear Log Button: Erases all messages from the log buffer on the router.
  • Page 918: Firewall Log

    Description column: Contains the following information about the denied attempt: log name, access rule name or number, service, source address, destination address, and number of packets. An example follows: ...
  • Page 919 Port Number—The target port. Number of attacks—The number of attacks against the target port. Number of packets denied—The number of packets denied access to the target port.
  • Page 920: Application Security Log

    Firewall monitoring requires that Logging to Buffer be enabled on the router. If Logging to Buffer is not enabled, log in to Cisco SDM using an Administrator view account or a non-view based user account with privilege level 15 and configure logging.
  • Page 921: Sdee Message Log

    Find button to display all entries containing the search text. Searches are not case sensitive. SDEE Message Log: This window lists the SDEE messages received by the router. SDEE messages are generated when there are changes to IPS configuration.
  • Page 922 Searches are not case sensitive. Time: The time the message was received. Type: Types are Error, Status, and Alerts. Click SDEE Message Text to see possible SDEE messages. Description: Available description.
  • Page 923: Ips Status

    IPS Status: This window appears if the router is using a Cisco IOS image that supports IPS version 4.x or earlier. This window displays a table of IPS signature statistics, grouped by signature type. The following statistics are shown: Signature ID—Numerical signature identifier.
  • Page 924: Ips Signature Statistics

    The Signature ID, Description, number of hits, and drop count are shown for all signatures. If a packet arrives that matches a signature, the source and destination IP addresses are listed as well.
  • Page 925: Ips Alert Statistics

    If the packet is malicious, the Destination IP address can be considered the target. Hits—Number of matching packets. Drop Count—The number of matching packets dropped. Engine—The signature engine associated with the signature.
  • Page 926: 802.1X Authentication Status

    802.1x Authentication Status. 802.1x Authentication on Interfaces area fields: Interface, 802.1x Authentication, Reauthentication. 802.1x Clients area fields: Client MAC Address, Authentication Status, Interface.
  • Page 927: File Menu Commands

    Save Running Config to Router’s Startup Config Check this check box to cause Cisco SDM to save the configuration shown in the window to both the router running configuration file and the startup file. The running configuration file is temporary—it is erased when the router is rebooted.
  • Page 928: Write To Startup Config

    Write to Startup Config: If Cisco SDM is being used to configure a Cisco 7000 router, the check box Save running config. to router's startup config. will be disabled if there are boot network or boot host commands present with service config commands in the running configuration.
  • Page 929 Files cannot be pasted into the directory from which they were copied. If Cisco SDM is invoked from your router flash, then Cisco SDM files cannot be deleted. You can delete Cisco SDM files that are copies or if Cisco SDM is invoked from a PC.
  • Page 930 Click the Load File From PC button to open a file-selection window on the local PC. Choose a file to save to the chosen directory on your Cisco router flash memory or on a USB flash device connected to that router. Cisco SDM files and files with names containing spaces cannot be loaded using Load File From PC.
  • Page 931: Rename

    Clicking Time Modified again will reverse the order. Rename: This window allows you to rename a file on your Cisco router flash memory or on USB flash devices connected to that router. Enter the new filename in the New Name field. The path to the location of the file is displayed above the New Name field.
  • Page 932: Save Sdf To Pc

    Cisco SDM afterward. Executing the erase flash: command will remove Cisco SDM and the Cisco IOS image from the router's...
  • Page 933 You must have write access to the TFTP server. Your PC can be used for this purpose if it has a TFTP server program. Step 4: Use the tftpcopy command to copy the Cisco IOS image, the SDM.tar file, and the SDM.shtml file from Flash memory to a TFTP server:...
  • Page 934 ! Replace ios_image_name with actual name of IOS image
    copy tftp://10.10.10.3/SDM.tar flash:
    Step 8: Start your web browser, and reconnect to Cisco SDM, using the same IP address you used when you started the Cisco SDM session.
  • Page 935: Edit Menu Commands

    Manager options: Preview commands before delivering to router: Choose this option if you want Cisco SDM to display a list of the Cisco IOS configuration commands generated before the commands are sent to the router. Save signature file to Flash: Choose this option if you want the signature definition file (SDF) that you are working on to be saved to router flash when you click Apply Changes.
  • Page 936 Monitor and select Interface status. To have Cisco SDM continue monitoring the interface even if you leave Monitor mode and perform other tasks in Cisco SDM, select this check box and specify the maximum number of interfaces you want Cisco SDM to monitor. The default maximum number of interfaces to monitor is 4.
  • Page 937: View Menu Commands

    Displays the Cisco SDM Home page, which provides information about router hardware, software, and LAN, WAN, Firewall, and VPN configurations. Configure: Displays the Cisco SDM Tasks bar, which allows you to perform guided and manual configurations for Interfaces and Connections, Firewalls and ACLs, VPNs, Routing, and other tasks.
  • Page 938: Running Config

    Displays the router’s running configuration. Show Commands: Displays the Show Commands dialog box, which lets you issue Cisco IOS show commands to the router, view the output, and save the output to your PC. The output file is saved with the default filename show_<command>[router_ip_address].
  • Page 939: Cisco Sdm Default Rules

    The Cisco SDM Default Rules screen displays a list of all of the default rules configured by Cisco SDM. The screen is organized with a tree on the left side of the screen displaying options for Access Rules, Firewall, VPN - IKE Policy, and VPN - Transform Sets.
  • Page 940: Refresh

    Refresh: Reloads configuration information from the router. If there are any undelivered commands, Cisco SDM displays a message window telling you that if you refresh, you will lose undelivered commands. If you want to deliver the commands, click No in this window, and then click Deliver on the Cisco SDM toolbar.
  • Page 941: Tools Menu Commands

    Chapter: Tools Menu Commands. The following options are available from the Cisco Router and Security Device Manager (Cisco SDM) Tools menu. Ping: Displays the Ping dialog box, which lets you send a ping message to another network device.
  • Page 942: Usb Token Pin Settings

    An administrator PIN is used to manage USB token settings using the manufacturer’s software. Cisco SDM allows you to change the administrator PIN for a USB token if you can supply the current administrator PIN. Token Name: Enter the USB token’s name.
  • Page 943: Wireless Application

    Step 1: Select Update Cisco SDM from Cisco.com from the Tools menu. Selecting this option starts the update wizard. Step 2: Use the update wizard to obtain the Cisco SDM files and copy them to your router.
  • Page 944: Cco Login

    Update Cisco SDM from CD. If you have the Cisco SDM CD, you can use it to update Cisco SDM on your router. To do so, follow these steps: Place the Cisco SDM CD in the CD drive on your PC.
  • Page 945 CCO Login If you do not have a CCO login and password, you can obtain one by opening a web browser and going to the Cisco website at the following link: http://www.cisco.com When the webpage opens, click Register and provide the necessary information to obtain a username and password.
  • Page 947: Help Menu Commands

    Opens a browser and displays the Cisco SDM page on the Cisco.com website. Hardware/Software Matrix: Opens a browser and displays a matrix of Cisco router models and Cisco IOS image versions to guide you in selecting compatible Cisco IOS image software. A Cisco Connection Online username and password are required to access the matrix.
  • Page 948: About This Router

    About this router...: Displays hardware and software information about the router on which Cisco SDM is running. About Cisco SDM: Displays version information about Cisco SDM.
  • Page 949 ACE: An entry in an ACL that specifies a source host or network and whether or not traffic from that host is permitted or denied. An ACE can also specify a destination host or network, and the type of traffic.
  • Page 950 ACL: Access control lists consist of one or more access control entries (ACE). ACS: Cisco Secure Access Control Server. Cisco software that can implement a RADIUS server or a TACACS+ server. The ACS is used to store policy databases...
  • Page 951 authentication: In security, the verification of the identity of a person or process. Authentication also establishes the integrity of a data stream, ensuring that it was not tampered with in transit, and provides confirmation of the data stream's origin.
  • Page 952 CA server: Certification Authority server. A network host that is used to issue and/or revoke digital certificates. cache: A temporary repository of information accumulated from previous task executions that can be reused, decreasing the time required to perform the tasks.
  • Page 953 (PKIX) of the IETF is working to standardize a protocol for these functions, either CRS or an equivalent. When an IETF standard is stable, Cisco will add support for it. CEP was jointly developed by Cisco Systems and VeriSign, Inc.
  • Page 954 CET: Cisco Encryption Technology. Proprietary network layer encryption introduced in Cisco IOS Release 11.2. CET provides network data encryption at the IP packet level and implements the following standards: DH, DSS, and 40- and 56-bit DES. CHAP: Challenge Handshake Authentication Protocol. Security feature supported on lines using PPP encapsulation that prevents unauthorized access.
  • Page 955 WAE-C. CME: Cisco Call Manager Express. CME provides call-processing services to voice over IP (VoIP) gateways. CNS: Cisco Networking Services. A suite of services that support scalable network deployment, configuration, service-assurance monitoring, and service delivery. An IP compression algorithm.
  • Page 956 crypto map: In Cisco SDM, crypto maps specify which traffic should be protected by IPSec, where IPSec-protected traffic should be sent, and what IPSec transform sets should be applied to this traffic. cTCP: Cisco Tunneling Control Protocol. cTCP is also called...
  • Page 957 single DMVPN: A router with a single DMVPN configuration has a connection to one DMVPN hub, and has one configured GRE tunnel for DMVPN communication. The GRE tunnel addresses for the hub and spokes must be in the same subnet.
  • Page 958 QoS. See also NBAR. DSLAM: digital subscriber line access multiplexer. DSS: digital signature standard. Also called digital signature algorithm (DSA), the DSS algorithm is part of many public-key standards for cryptographic signatures.
  • Page 959 EAP-FAST: Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling. An 802.1x EAP type developed by Cisco Systems to enable customers who cannot enforce strong password policies to deploy an 802.1x EAP type that does not require digital certificates. Easy VPN: A centralized VPN management solution based on the Cisco Unified Client Framework. A Cisco Easy VPN consists of two components: a Cisco Easy VPN...
  • Page 960 enrollment URL: The enrollment URL is the HTTP path to a certification authority (CA) that your Cisco IOS router should follow when sending certificate requests. The URL includes either a DNS name or an IP address, and may be followed by a full path to the CA scripts.
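The IOS configuration behind an enrollment URL, as an added example that is not taken from the guide: a PKI trustpoint pointing at a SCEP-capable CA, followed by the two exec commands that fetch the CA certificate and submit the router's request. The hostname ca.example.com, the Microsoft-style script path, the trustpoint name CORP-CA, the key label SDM-KEY and the subject name are assumptions for illustration; SDM generates equivalent lines with its own names.

```cisco
! Added example (not from the Cisco SDM guide): trustpoint with an enrollment URL.
! Hostnames, paths and object names are assumed.
!
! configuration mode
ip domain name example.com
!
! exec mode: RSA key pair the certificate will bind to (2048 bits; 512/1024 are too weak today)
crypto key generate rsa label SDM-KEY modulus 2048
!
! configuration mode
crypto pki trustpoint CORP-CA
 ! DNS name (or IP address), optional port, and the path to the CA's SCEP script
 enrollment url http://ca.example.com:80/certsrv/mscep/mscep.dll
 subject-name CN=branch-rtr.example.com,OU=WAN
 rsakeypair SDM-KEY
 ! consult the CRL when peers present certificates from this CA
 revocation-check crl
!
! exec mode, step 1: fetch the CA certificate. IOS prints its fingerprint; compare it with
! the value obtained from the CA operator out of band before answering "yes", because the
! enrollment URL is plain HTTP and the fingerprint is the only check on the CA's identity.
crypto pki authenticate CORP-CA
!
! exec mode, step 2: send the certificate request (the challenge password comes from the CA)
crypto pki enroll CORP-CA
```

After enrollment, show crypto pki certificates lists both the CA certificate and the router certificate under the trustpoint; if only the CA certificate appears, the request is still pending at the CA or the URL path is wrong.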
  • Page 961 SDP: Secure Device Provisioning. SDP uses Trusted Transitive Introduction (TTI) to easily deploy public key infrastructure (PKI) between two end devices, such as a Cisco IOS client and a Cisco IOS certificate server. FastTrack: A file-sharing network in which indexing functions are dynamically assigned to connected peers, called supernodes.
  • Page 962 IKE policy interface on that device. Gnutella: A decentralized P2P file sharing protocol. Using an installed Gnutella client, users can search, download and upload files across the Internet.
  • Page 963 GRE: Tunneling protocol developed by Cisco that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote points over an IP internetwork. By connecting multiprotocol subnetworks in a single-protocol backbone environment, IP tunneling using GRE allows network expansion across a single-protocol backbone environment.
  • Page 964 Network Address Translation. IDS: Intrusion Detection System. The Cisco IDS performs a real-time analysis of network traffic to find anomalies and misuse, using a library of signatures it can compare traffic against. When it finds unauthorized activity or anomalies, it can terminate the condition, block traffic from attacking hosts, and send alerts to the IDM.
  • Page 965 IDS Sensor: An IDS sensor is hardware on which the Cisco IDS runs. IDS sensors can be stand-alone devices, or network modules installed on routers. IDM: IDS Device Manager. IDM is software used to manage an IDS sensor. IEEE: Institute of Electrical and Electronics Engineers.
  • Page 966 IOS IPS: Cisco IOS Intrusion Prevention System. IOS IPS compares traffic against an extensive database of intrusion signatures, and can drop intruding packets and take other actions based on configuration.
  • Page 967 IPSec. IPSec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host. IPSec policy: In Cisco SDM, an IPSec policy is a named set of crypto maps associated with a VPN connection.
  • Page 968 Layer 3 Interface: Layer 3 interfaces support internetwork routing. A VLAN is an example of a logical layer 3 interface. An Ethernet port is an example of a physical layer 3 interface. LBO: Line Build Out.
  • Page 969 Loopback tests are often used to determine network interface usability. MAC: message authentication code. The cryptographic checksum of the message used to verify message authenticity. See hash.
  • Page 970 MD5: Message Digest 5. A one-way hashing function that produces a 128-bit hash. Both MD5 and Secure Hashing Algorithm (SHA) are variations on MD4 and are designed to strengthen the security of the MD4 hashing algorithm. Cisco uses hashes for authentication within the IPSec framework. MD5 verifies the integrity and authenticates the origin of a communication. MD5 collisions can now be computed cheaply, so prefer SHA-based transforms (esp-sha-hmac, or SHA-2 where the IOS image supports it) for new configurations.
  • Page 971 Internet by translating those addresses into globally routable address space. NBAR: Network-based Application Recognition. A method used to classify traffic for QoS.
  • Page 972 NTP: Network Time Protocol. A protocol to synchronize the system clocks on network devices. NVRAM: Non-volatile random access memory.
  • Page 973 PAM uses this information to support network environments that run services using ports that are different from the registered or well-known ports associated with an application.
  • Page 974 physical interface: A router interface supported by a network module that is installed in the router chassis, or that is part of the router's basic hardware.
  • Page 975 PPP: Point-to-Point Protocol. A protocol that provides router-to-router and host-to-network connections over synchronous and asynchronous circuits. PPP has built-in authentication mechanisms, such as CHAP and PAP. Note that PAP sends the password across the link in cleartext; CHAP uses a challenge-response exchange and should be preferred.
  • Page 976 pseudo random: An ordered sequence of bits that appears superficially similar to a truly random sequence of the same length. A single-use value generated from a pseudo random number is called a nonce.
  • Page 977 RADIUS: Remote Authentication Dial-In User Service. An access server authentication and accounting protocol that uses UDP as the transport protocol. See also TACACS+.
  • Page 978 RFC 1483 routing: RFC 1483 describes two different methods for carrying connectionless network interconnect traffic over an ATM network: routed protocol data units (PDUs) and bridged PDUs. Cisco SDM supports the configuration of RFC 1483 routing, and enables you to configure two encapsulation types: AAL5MUX, and AAL5SNAP.
  • Page 979 route map: Route maps enable you to control information that is added to the routing table. Cisco SDM automatically creates route maps to prevent NAT from translating specific source addresses when doing so would prevent packets from matching criteria in an IPSec rule.
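What such an automatically created route map looks like on the router, as an added example that is not taken from the guide. SDM uses its own object names (for instance SDM_RMAP_1 with a numbered ACL); the address ranges, the ACL and route map names and the interface names below are assumptions.

```cisco
! Added example (not from the Cisco SDM guide): keep site-to-site VPN traffic out of NAT.
! Names, addresses and interfaces are assumed.
!
! The IPSec rule: LAN 192.168.1.0/24 to the remote site 10.0.0.0/24 is to be encrypted
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
! NAT ACL: "deny" here means "do not translate"; everything else from the LAN is translated.
! Inside-to-outside NAT runs before the crypto map is consulted, so without the deny the
! packets would leave with the outside address as source and no longer match VPN-TRAFFIC.
ip access-list extended NAT-EXEMPT
 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
route-map NONAT permit 10
 match ip address NAT-EXEMPT
!
ip nat inside source route-map NONAT interface FastEthernet0/0 overload
!
interface FastEthernet0/0
 description WAN
 ip nat outside
!
interface FastEthernet0/1
 description LAN
 ip nat inside
!
! Check: traffic from 192.168.1.10 to 10.0.0.5 should create no entry in
!   show ip nat translations
! while the counters on the IPSec rule should increase:
!   show ip access-lists VPN-TRAFFIC
```

The deny and permit entries in the NAT ACL are evaluated top down, so the exemption must precede the general permit; if a later SDM wizard adds another VPN, a second deny line for the new remote subnet belongs above the permit as well.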
  • Page 980 SCCP: Skinny Client Control Protocol. SCCP is a proprietary terminal control protocol owned by Cisco Systems. It is used as a messaging protocol between a skinny client and Cisco CallManager. SDEE: Security Device Event Exchange. A message protocol that can be used to report...
  • Page 981 shaping: Traffic shaping retains excess packets in a queue and then reschedules the excess for later transmission over increments of time. shared key: The secret key that all users share in a symmetric key-based communication session. shared secret: A cryptographic key.
  • Page 982 signature: A data element in IOS IPS that detects a specific pattern of misuse on the network. signature engine: A signature engine is a component of Cisco IOS IPS designed to support many signatures in a certain category. An engine is composed of a parser and an inspector.
  • Page 983 SSL VPN: Secure Socket Layer Virtual Private Network. SSL VPN is a feature that enables a supported Cisco router to provide remote clients secure access to network resources by creating an encryption tunnel across the Internet using the broadband or ISP dial connection that the remote client uses.
  • Page 984 standard rule: In Cisco SDM, a type of access rule or NAT rule. Standard rules compare a packet's source IP address against its IP address criteria to determine a match. Standard rules use a wildcard mask to determine which portions of the IP address must match.
  • Page 985 tunnel: A virtual channel through a shared medium such as the Internet, used for the exchange of encapsulated data packets.
  • Page 986 A virtual path may carry multiple virtual channels corresponding to individual connections. The VCI identifies the channel being used. The combination of VPI and VCI identifies an ATM connection.
  • Page 987
      - An IPSec rule that defines which traffic is to be encrypted.
      - A list of transform sets that define how protected traffic is encrypted.
      - A list of the device network interfaces to which the connection is applied.
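How those three components, together with the crypto map and IPSec policy described in the glossary, fit together in a site-to-site connection, as an added example that is not taken from the guide. The peer address, the pre-shared key, the subnets and all object names are assumptions; SDM emits equivalent lines under its own names.

```cisco
! Added example (not from the Cisco SDM guide): a complete site-to-site IPSec connection.
! Peer address, key, subnets and names are assumed.
!
! IKE policy (phase 1): how the two gateways authenticate and protect the IKE channel.
! Use the strongest DH group the image supports; groups 1 and 2 are too weak today.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
! Pre-shared key for the remote gateway; a long random value, never a dictionary word
crypto isakmp key Qh7pX2kLm9vRt4sWz8bN address 203.0.113.2
!
! Transform set: how protected traffic is encrypted and authenticated
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! IPSec rule: which traffic is to be encrypted
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
! Crypto map, the IPSec policy: peer, transform set and IPSec rule in one sequence entry
crypto map VPN-MAP 10 ipsec-isakmp
 description Site-to-site to the branch gateway
 set peer 203.0.113.2
 set transform-set TS-AES-SHA
 set pfs group14
 set security-association lifetime seconds 3600
 match address VPN-TRAFFIC
!
! The connection is applied to the WAN interface
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPN-MAP
!
! Verification: phase 1 should show QM_IDLE, and the phase 2 counters should grow
!   show crypto isakmp sa
!   show crypto ipsec sa peer 203.0.113.2
```

Both ends must agree on the IKE policy, the transform set and a mirror image of the IPSec rule (the remote router's ACL permits 10.0.0.0/24 to 192.168.1.0/24); a mismatch on any of the three leaves the tunnel stuck in phase 1 or phase 2, which is the first thing to compare when show crypto isakmp sa never reaches QM_IDLE.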
  • Page 988 WAN: Wide Area Network. A network that serves users across a broad geographical area, and often uses transmission devices provided by common carriers. See also LAN. WAAS: Wide Area Application Services. A Cisco solution that optimizes the performance of TCP-based applications across a wide area network.
  • Page 989 X.509: A digital certificate standard, specifying certificate structure. Main fields are ID, subject field, validity dates, public key, and CA signature. X.509 certificate: A digital certificate that is structured according to the X.509 guidelines.
  • Page 990 X.509 CRL: An X.509 certificate revocation list (CRL) meets either of the two CRL formatting definitions in X.509. XAuth: IKE Extended Authentication. Xauth allows all Cisco IOS software AAA authentication methods to perform user authentication in a separate phase after the IKE authentication phase 1 exchange. The AAA configuration list-name must match the Xauth configuration list-name for user authentication to occur.
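The list-name requirement in practice, as an added example that is not taken from the guide: an Easy VPN server whose crypto map invokes XAuth, with the mismatched form shown commented out beside the correct one. The user name, group name, keys, address pool and object names are assumptions.

```cisco
! Added example (not from the Cisco SDM guide): XAuth on an Easy VPN server and the
! AAA list-name it must reference. Users, group, keys, pool and names are assumed.
aaa new-model
! AAA method lists: the login list drives XAuth, the network list drives group authorization
aaa authentication login VPN-USERS local
aaa authorization network VPN-GROUPS local
username alice secret uR3v9kPq2Lm8xT
!
! The legacy Cisco VPN client only negotiates DH group 2; Easy VPN is a legacy
! remote-access method and newer clients should be preferred where available.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
!
! Remote-access group: the group key authenticates the client software, XAuth the person
crypto isakmp client configuration group REMOTE-WORKERS
 key gK4nW8zQ1vB6tY3s
 pool VPN-POOL
ip local pool VPN-POOL 10.10.10.1 10.10.10.50
!
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha-hmac
crypto dynamic-map DYN-MAP 10
 set transform-set TS-AES-SHA
 reverse-route
!
! Wrong: "VPNUSERS" is not the name of any AAA login list, so user authentication
! does not occur and every client fails after phase 1:
!   crypto map VPN-MAP client authentication list VPNUSERS
!
! Correct: the XAuth list-name is the AAA login list-name, character for character
crypto map VPN-MAP client authentication list VPN-USERS
crypto map VPN-MAP isakmp authorization list VPN-GROUPS
crypto map VPN-MAP client configuration address respond
crypto map VPN-MAP 65535 ipsec-isakmp dynamic DYN-MAP
!
interface FastEthernet0/0
 crypto map VPN-MAP
!
! Check: a connecting client should prompt for a user name and password; with
! "debug crypto isakmp" the XAUTH request and reply appear right after phase 1 completes.
```

The same rule applies to the authorization list: isakmp authorization list must name the aaa authorization network list exactly, otherwise the group's pool and attributes are never pushed to the client.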
  • Pages 991 to 1000: Index. Alphabetical index of the guide, with entries such as Access Rules window, AutoSecure, ADSL operating mode, BOOTP disabling, Dynamic Multipoint VPN, Easy VPN, GRE tunnel, inspection rule, Internet Key Exchange, IPSec rule, NAT timeouts, One-Step Lockdown, OSPF route, pre-shared keys, proxy ARP disabling, RIP route, SDM Default Rules window, Secure Device Provisioning, Security Audit wizard, security association lifetime, split tunnelling, standard rules, static address translation rule, transform sets, WAN connections and WCCP.
