Cisco Router and Security Device Manager User’s Guide 2.5 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
Contents

Home Page
Creating a New Connection
Creating a New Connection
New Connection Reference
Create Connection
Additional Procedures
How Do I Configure a Static Route?
How Do I View Activity on My LAN Interface?
How Do I Enable or Disable an Interface?
How Do I View the IOS Commands I Am Sending to the Router?
How Do I Launch the Wireless Application from Cisco SDM?
How Do I Configure an Unsupported WAN Interface?
How Do I Enable or Disable an Interface?
How Do I View Acti
LAN Wizard: Enable DHCP Server
LAN Wizard: DHCP Address Pool
DHCP Options
LAN Wizard: VLAN Mode
LAN Wizard: Switch Port
IRB Bridge
BVI Configuration
DHCP Pool for BVI
IRB for Ethernet
Layer 3 Ethernet Configuration
802.1Q Configuration
Trunking or Routing Configuration
Configure Switch Device Module
Configure Gigabit Ethernet Interface
Summary
802.1x Authentication
LAN Wizard: 802.
Configuring WAN Connections
Configuring an Ethernet WAN Connection
Ethernet WAN Connection Reference
WAN Wizard Interface Welcome Window
Select Interface
IP Address: Ethernet without PPPoE
Encapsulation: PPPoE
Summary
Advanced Options
Configuring a Serial Connection
Serial Connection Reference
IP Address: Serial with Point-to-Point Protocol
IP Address: Serial with HDLC or Frame Relay
Authentication
Configure LMI and DLCI
Configure Clock Settings
Configuring a DS
Aux Backup Welcome Window
Backup Configuration
Backup Configuration: Primary Interface and Next Hop IP Addresses
Backup Configuration: Hostname or IP Address to Be Tracked
Configuring an Analog Modem Connection
Analog Modem Connection Reference
Analog Modem Welcome
Configuring a Cable Modem Connection
Cable Modem Connection Reference
Cable Modem Connection Wizard Welcome
Select Interface
Summary
Edit Interface/Connection
Connection: Ethernet for IRB
Connecti
Connection: Virtual Template Interface
Connection: Ethernet LAN
Connection: Ethernet WAN
Connection: Ethernet Properties
Connection: Ethernet with No Encapsulation
Connection: ADSL
Connection: ADSL over ISDN
Connection: G.SHDSL
Connection: Cable Modem
Configure DSL Controller
Add a G.
NM WAAS
Integrated Service Engine
WCCP
Central Manager Registration
Create Firewall
Basic Firewall Configuration Wizard
Basic Firewall Interface Configuration
Configuring Firewall for Remote Access
Advanced Firewall Configuration Wizard
Advanced Firewall Interface Configuration
Advanced Firewall DMZ Service Configuration
DMZ Service Configuration
Application Security Configuration
Domain Name Server Configuration
URL Filter Server Configuration
Select Interface Zone
How Do I Permit Traffic Through a Firewall to My Easy VPN Concentrator?
How Do I Associate a Rule with an Interface?
How Do I Disassociate an Access Rule from an Interface?
How Do I Delete a Rule That Is Associated with an Interface?
How Do I Create an Access Rule for a Java List?
How Do I Permit Specific Traffic onto My Network if I Don't Have a DMZ Network?
Firewall Policy
Edit Firewall Policy/ACL
Choose a Traffic Flow
Examine the Traffic Diagram and Choose a Traffic Direc
Application Security
Application Security Windows
No Application Security Policy
E-mail
Instant Messaging
Peer-to-Peer Applications
URL Filtering
HTTP
Header Options
Content Options
Applications/Protocols
Timeouts and Thresholds for Inspect Parameter Maps and CBAC
Associate Policy with an Interface
Edit Inspection Rule
Permit, Block, and Alarm Controls
Site-to-Site VPN
VPN Design Guide
Create Site to Site VPN
Site-to-Site VPN Wizard
View Defaults
VPN
VPN Authentication Information
Backup GRE Tunnel Information
Routing Information
Static Routing Information
Select Routing Protocol
Summary of Configuration
Edit Site-to-Site VPN
Add new connection
Add Additional Crypto Maps
Crypto Map Wizard: Welcome
Crypto Map Wizard: Summary of the configuration
Delete Connection
Ping
Generate Mirror...
Cisco SDM Warning: NAT Rules with ACL
How Do I...
Create Easy VPN Remote
Configure an Easy VPN Remote Client
Easy VPN Remote Wizard: Network Information
Easy VPN Remote Wizard: Identical Address Configuration
Easy VPN Remote Wizard: Interfaces and Connection Settings
Easy VPN Remote Wizard: Server Information
Easy VPN Remote Wizard: Authentication
Easy VPN Remote Wizard: Summary of Configuration
Administering Easy VPN Remote Connections
Editing an Existing Easy VPN Remote Connection
Creating a New Easy VPN Remote Connectio
How Do I Edit an Existing Easy VPN Connection?
How Do I Configure a Backup for an Easy VPN Connection?
Easy VPN Server
Creating an Easy VPN Server Connection
Create an Easy VPN Server Reference
Create an Easy VPN Server
Welcome to the Easy VPN Server Wizard
Interface and Authentication
Group Authorization and Group Policy Lookup
User Authentication (XAuth)
User Accounts for XAuth
Add RADIUS Server
Group Authorization: User Group Policies
General Group Information
DNS
Restrict Access
Group Policies Configuration
IP Pools
Add or Edit IP Local Pool
Add IP Address Range
Enhanced Easy VPN
Interface and Authentication
RADIUS Servers
Group Authorization and Group User Policies
Add or Edit Easy VPN Server: General Tab
Add or Edit Easy VPN Server: IKE Tab
Add or Edit Easy VPN Server: IPSec Tab
Create Virtual Tunnel Interface
DMVPN
Dynamic Multipoint VPN
Dynamic Multipoint VPN (DMVPN) Hub Wizard
Type of Hub
Configure Pre-Shared Ke
General Panel
NHRP Panel
NHRP Map Configuration
Routing Panel
How Do I Configure a DMVPN Manually?
VPN Global Settings
VPN Global Settings
VPN Global Settings: IKE
VPN Global Settings: IPSec
VPN Global Settings: Easy VPN Server
VPN Key Encryption Settings
IP Security
IPSec Policies
Add or Edit IPSec Policy
Add or Edit Crypto Map: General
Add or Edit Crypto Map: Peer Information
Add or Edit Crypto Map: Transform Sets
Add or Edit Crypto Map: Protecting Traffic
Internet Key Exchange
Internet Key Exchange (IKE)
IKE Policies
Add or Edit IKE Policy
IKE Pre-shared Keys
Add or Edit Pre Shared Key
IKE Profiles
Add or Edit an IKE Profile
Public Key Infrastructure
Certificate Wizards
Welcome to the SCEP Wizard
Certificate Authority (CA) Information
Advanced Options
Certificate Subject Name Attributes
Other Subject Attributes
RSA Keys
Summary
CA Server Certificate
Enrollment Status
Cut and Paste Wizard Welcome
Enrollment Ta
Revocation Check
Revocation Check, CRL Only
RSA Keys Window
Generate RSA Key Pair
USB Token Credentials
USB Tokens
Add or Edit USB Token
Open Firewall
Open Firewall Details
Certificate Authority Server
Create CA Server
Prerequisite Tasks for PKI Configurations
CA Server Wizard: Welcome
CA Server Wizard: Certificate Authority Information
Advanced Options
CA Server Wizard: RSA Keys
Open Firewall
CA Server Wizard: Summary
Manage CA Server
Backup CA Serve
Cisco IOS SSL VPN
Cisco IOS SSL VPN links on Cisco.
Select a Gateway
Context: Group Policies
Group Policy: General Tab
Group Policy: Clientless Tab
Group Policy: Thin Client Tab
Group Policy: SSL VPN Client (Full Tunnel) Tab
Advanced Tunnel Options
DNS and WINS Servers
Context: HTML Settings
Select Color
Context: NetBIOS Name Server Lists
Add or Edit a NBNS Server List
Add or Edit an NBNS Server
Context: Port Forward Lists
Add or Edit a Port Forward List
Context: URL Lists
Add or Edit a URL List
Co
How do I associate a VRF instance with a Cisco IOS SSL VPN context?
SSL VPN Enhancements
SSL VPN Reference
SSL VPN Context: Access Control Lists
Add or Edit Application ACL
Add ACL Entry
Action URL Time Range
Add or Edit Action URL Time Range Dialog
Add or Edit Absolute Time Range Entry
Add or Edit Periodic Time Range Entry
VPN Troubleshooting
VPN Troubleshooting
VPN Troubleshooting: Specify Easy VPN Client
VPN Troubleshooting: Generate Traffic
VPN Troubleshooting: G
Disable CDP
Disable IP Source Route
Enable Password Encryption Service
Enable TCP Keepalives for Inbound Telnet Sessions
Enable TCP Keepalives for Outbound Telnet Sessions
Enable Sequence Numbers and Time Stamps on Debugs
Enable IP CEF
Disable IP Gratuitous ARPs
Set Minimum Password Length to Less Than 6 Characters
Set Authentication Failure Rate to Less Than 3 Retries
Set TCP Synwait Time
Set Banner
Enable Logging
Set Enable Secret Password
Disable SNMP
Set Access Class on VTY Lines
Enable SSH for Access to the Router
Enable AAA
Configuration Summary Screen
Cisco SDM and Cisco IOS AutoSecure
Security Configurations Cisco SDM Can Undo
Undoing Security Audit Fixes
Add or Edit Telnet/SSH Account Screen
Configure User Accounts for Telnet/SSH Page
Enable Secret and Banner Page
Logging Page
Routing
Add or Edit IP Static Route
Add or Edit an RIP Route
Add or Edit an OSPF Route
Add or Edit EIGRP Route
Network Ad
Add or Edit Address Translation Rule
Advanced NAT Wizard: ACL Conflict
Details
Network Address Translation Rules
Designate NAT Interfaces
Translation Timeout Settings
Edit Route Map
Edit Route Map Entry
Address Pools
Add or Edit Address Pool
Add or Edit Static Address Translation Rule: Inside to Outside
Add or Edit Static Address Translation Rule: Outside to Inside
Add or Edit Dynamic Address Translation Rule: Inside to Outside
Add or Edit Dynamic Address Transla
Edit IPS
Edit IPS: IPS Policies
Enable or Edit IPS on an Interface
Edit IPS: Global Settings
Edit Global Settings
Add or Edit a Signature Location
Edit IPS: SDEE Messages
SDEE Message Text
Edit IPS: Global Settings
Edit Global Settings
Edit IPS Prerequisites
Add Public Key
Edit IPS: Auto Update
Edit IPS: SEAP Configuration
Edit IPS: SEAP Configuration: Target Value Rating
Add Target Value Rating
Edit IPS: SEAP Configuration: Event Action Overrides
IPS Migration
Migration Wizard: Welcome
Migration Wizard: Choose the IOS IPS Backup Signature File
Signature File
Java Heap Size
Network Module Management
IDS Network Module Management
IDS Sensor Interface IP Address
IP Address Determination
IDS NM Configuration Checklist
IDS NM Interface Monitoring Configuration
Network Module Login
Feature Unavailable
Switch Module Interface Selection
Quality of Service
Creating a QoS Policy
Create a QoS Policy Reference
Cr
Add Class for the New Policy
Add Service Policy to Class
Associate or Disassociate the QoS Policy
Add or Edit a QoS Class
Edit Match DSCP Values
Edit Match Protocol Values
Add Custom Protocols
Edit Match ACL
Configure Policing
Configure Shaping
Configure Queuing
Network Admission Control
Create NAC Tab
Other Tasks in a NAC Implementation
Welcome
NAC Policy Servers
Interface Selection
NAC Exception List
Add or Edit an Exception List Entry
Choose an E
Exception Policies Window
NAC Timeouts
Configure a NAC Policy
How Do I...
DHCP Pools
Add or Edit DHCP Pool
DHCP Bindings
Add or Edit DHCP Binding
DNS Properties
Dynamic DNS Methods
Add or Edit Dynamic DNS Method
ACL Editor
Useful Procedures for Access Rules and Firewalls
Rules Windows
Add or Edit a Rule
Associate with an Interface
Add a Standard Rule Entry
Add an Extended Rule Entry
Select a Rule
Port-to-Application Mapping
Port-to-Application Mappings
Add or Edit Port Map Entry
Zone-Based Policy Firewall
Zone Window
Ad
Authentication, Authorization, and Accounting
Configuring AAA
AAA Screen Reference
AAA Root Screen
AAA Servers and Server Groups
AAA Servers
Add or Edit a TACACS+ Server
Add or Edit a RADIUS Server
Edit Global Settings
AAA Server Groups
Add or Edit AAA Server Group
Authentication and Authorization Policies
Authentication and Authorization
Authentication NAC
Authentication 802.
Application Inspection
Configure Deep Packet Inspection
Class Maps
Associate Class Map
Class Map Advanced Options
QoS Class Map
Add or Edit a QoS Class Map
Add or Edit a QoS Class Map
Select a Class Map
Deep Inspection
Class Map and Application Service Group Windows
Add or Edit an Inspect Class Map
Associate Parameter Map
Add an HTTP Inspection Class Map
HTTP Request Header
HTTP Request Header Fields
HTTP Request Body
HTTP Request Header Arguments
HTTP Me
Add or Edit an SMTP Class Map
Add or Edit a SUNRPC Class Map
Add or Edit an Instant Messaging Class Map
Add or Edit a Point-to-Point Class Map
Add P2P Rule
Add or Edit a POP3 Class Map
Parameter Maps
Parameter Map Windows
Add or Edit a Parameter Map for Protocol Information
Add or Edit a Server Entry
Add or Edit Regular Expression
Add a Pattern
Build Regular Expression
Regular Expression Metacharacters
URL Filtering
URL Filtering Window
Edit Global Set
This Feature Not Supported
More About....
IP Addresses and Subnet Masks
Host and Network Fields
Available Interface Configurations
DHCP Address Pools
Meanings of the Permit and Deny Keywords
Services and Ports
More About NAT
Static Address Translation Scenarios
Dynamic Address Translation Scenarios
Reasons that Cisco SDM Cannot Edit a NAT Rule
More About VPN
Cisco.
Getting Started
What's New in this Release?
Cisco IOS Versions Supported
Viewing Router Information
Overview
Interface Status
Firewall Status
Zone-Based Policy Firewall Status
VPN Status
IPSec Tunnels
DMVPN Tunnels
Easy VPN Server
IKE SAs
SSL VPN Components
SSL VPN Context
User Sessions
URL Mangling
Port Forwarding
CIFS
Full Tunnel
User List
Traffic Status
Netflow Top Talkers
Top Protocols
Top Talkers
QoS
Application/Protocol T
Logging
Syslog
Firewall Log
Application Security Log
SDEE Message Log
IPS Status
IPS Signature Statistics
IPS Alert Statistics
802.
Running Config
Show Commands
Cisco SDM Default Rules
Refresh
Tools Menu Commands
Ping
Telnet
Security Audit
USB Token PIN Settings
Wireless Application
Update Cisco SDM
CCO Login
Help Menu Commands
Help Topics
Cisco SDM on CCO
Hardware/Software Matrix
About this router...
About Cisco SDM
Chapter 1 Home Page

The home page supplies basic information about the router hardware, software, and configuration. This page contains the following sections:

Host Name: The configured name of the router.

About Your Router: Shows basic information about your router hardware and software, and contains the following fields:

Hardware
  Model Type: Shows the router model number.
Software
  IOS Version: The version of Cisco IOS software that the router is running.
Hardware
  Total Flash Capacity: Flash plus Webflash (if applicable).
Software
  Feature Availability: The features available in the Cisco IOS image the router is using are designated by a check. The features Cisco SDM checks for are: IP, Firewall, VPN, IPS, and NAC.
  More...: The More... link displays a popup window providing additional hardware and software details.
Interfaces and Connections
  Total Supported LAN: The total number of LAN interfaces that are present in the router.
  Total Supported WAN: The number of Cisco SDM-supported WAN interfaces that are present on the router.
  Up (n): The number of LAN and WAN connections that are up.
  Down (n): The number of LAN and WAN connections that are down.
  Double-arrow head: Click to display or hide details.
Firewall Policies
  Active/Inactive
  Trusted (n), Untrusted (n), DMZ (n)
  Interface: The name of the interface to which a firewall has been applied.
  Firewall Icon: Whether the interface is designated as an inside or an outside interface.
  NAT: The name or number of the NAT rule applied to this interface.
  Inspection Rule: The names or numbers of the inbound and outbound inspection rules.
  Access Rule: The names or numbers of the inbound and outbound access rules.
Note
  • Some VPN servers or concentrators authenticate clients using Extended Authentication (XAuth). This field shows the number of VPN tunnels awaiting an XAuth login. If any Easy VPN tunnel awaits an XAuth login, a separate message panel is shown with a Login button. Clicking Login allows you to enter the credentials for the tunnel.
  • If XAuth has been configured for a tunnel, the tunnel does not begin to function until the login and password have been supplied.
Intrusion Prevention
  SDF Version: The version of SDF files on this router.
  Security Dashboard: A link to the IPS Security Dashboard, where the top-ten signatures can be viewed and deployed.
Chapter 2 Creating a New Connection

The Cisco SDM connection wizards guide you through LAN and WAN configurations, and check the information that you enter against the existing configuration, warning you of any problems. This chapter contains the following sections:
• Creating a New Connection
• New Connection Reference
• Additional Procedures

Creating a New Connection

Complete these steps to create a new connection:

Step 1 On the Cisco SDM toolbar, click Configure.
New Connection Reference

The following topic describes the screen referred to in this chapter:
• Create Connection

Create Connection

This window allows you to create new LAN and WAN connections.

Note You cannot use Cisco SDM to create WAN connections for Cisco 7000 series routers.

Field Reference: Table 2-1 describes the fields in this screen.
Table 2-1 Create Connection Fields

If the router has radio interfaces but you do not see a Wireless radio button, you are not logged on as a Cisco SDM Administrator. If you need to use the wireless application, go to the Cisco SDM Tools menu and choose Wireless Application.

Use Case Scenario: When you click the radio button for a connection type, a network diagram appears illustrating that type of connection.
• How Do I Configure Dial-on-Demand Routing for My ISDN or Asynchronous Interface?

How Do I Configure a Static Route?

To configure a static route:

Step 1 From the task bar, click Routing.
Step 2 In the Static Routing group, click Add.... The Add IP Static Route dialog box appears.
Step 3 In the Prefix field, enter the IP address of the static route destination network.
Step 1 From the toolbar, click Monitor.
Step 2 From the left frame, click Interface Status.
Step 3 In the Select an Interface field, select the LAN interface for which you want to view statistics.
Step 4 Select the data item(s) you want to view by checking the associated check box(es). You can view up to four statistics at a time.
Step 5 Click Start Monitoring to see statistics for all selected data items.
Step 1 From the Cisco SDM Edit menu, select Preferences.
Step 2 Check Preview commands before delivering to router.
Step 3 Click OK.

The next time you use a wizard to configure the router and click Finish on the Summary window, the Deliver window will appear. In this window you can view the commands that you are delivering to the router's configuration. Click Deliver when you are finished reviewing the commands.
To configure an unsupported interface, you must use the router command-line interface (CLI).

How Do I Enable or Disable an Interface?

You can disable an interface without removing its configuration, and you can reenable an interface that you have disabled.

Step 1 Click Configure on the Cisco SDM toolbar.
Step 2 Click Interfaces and Connections in the left frame.
Step 3 Click the interface that you want to disable or enable.
The Interface Details screen appears, displaying the statistics you selected. The screen defaults to showing real-time data, for which it polls the router every 10 seconds. If the interface is up and there is data transmitting across it, you should see an increase in the number of packets and bytes transferred across the interface.

How Do I Configure NAT on a WAN Interface?

Step 1 Click Configure on the Cisco SDM toolbar.
How Do I Configure NAT on an Unsupported Interface?

Cisco SDM can configure Network Address Translation (NAT) on an interface type unsupported by Cisco SDM. Before you can configure NAT, you must first use the router CLI to configure the interface. The interface must have, at a minimum, an IP address configured, and it must be working. To verify that the connection is working, verify that the interface status is "Up.
How Do I Configure Dial-on-Demand Routing for My ISDN or Asynchronous Interface?

ISDN BRI and asynchronous connections are dial-up connections, meaning that in order to establish a connection, the router must dial a preconfigured phone number.
Step 7 If you want the router to end the connection when it has been idle (that is, no traffic has passed across it) for a specified amount of time, enter in the Idle timeout field the number of seconds the connection can remain idle before the router ends it.
Chapter 3 LAN Wizard

The Cisco Router and Security Device Manager (Cisco SDM) LAN wizard guides you in the configuration of a LAN interface. The screen lists the LAN interfaces on the router. You can select any of the interfaces shown in the window, and click Configure to make the interface a LAN interface and configure it.
Ethernet Configuration

Field Reference: Table 3-1 IP Address and Subnet Mask
  Interface: The name of the interface.
  Configure: To configure an interface you have selected, click Configure. If the interface has not been configured before, Cisco SDM will take you through the LAN Wizard to help you configure it. If the interface has been given a configuration using Cisco SDM, Cisco SDM displays an Edit window enabling you to change configuration settings.
LAN Wizard: IP Address and Subnet Mask

This window lets you configure an IP address and subnet mask for the Ethernet interface that you chose in the first window.

Field Reference: Table 3-2 IP Address and Subnet Mask
  IP Address: Enter the IP address for the interface in dotted decimal format. Your network administrator should determine the IP addresses of LAN interfaces.
LAN Wizard: DHCP Address Pool

This screen lets you configure the DHCP IP address pool. The IP addresses that the DHCP server assigns are drawn from a common pool that you configure by specifying the starting IP address in the range, and the ending address in the range. For more information, see DHCP Address Pools.

Note If there are discontinuous address pools configured on the router, then the Starting IP and Ending IP address fields will be read-only.
Field Reference: Table 3-5 IP Address and Subnet Mask
  DNS Server 1: The DNS server is typically a server that maps a known device name to its IP address. If you have a DNS server configured for your network, enter the IP address for that device here.
  DNS Server 2: If there is an additional DNS server on the network, you can enter the IP address for that server in this field.
Field Reference: Table 3-6 IP Address and Subnet Mask
  Single Device: If this switch port will be connected to a single device, such as a single PC or IP phone, or if this device will be connected to a port on a networking device, such as another switch, that is an access mode port, then choose Single Device.
Launching the Wireless Application

After completing this LAN configuration, do the following to launch the Wireless Application and complete the bridging configuration.

Step 1 Select Wireless Application from the Cisco SDM Tools menu. The Wireless Application opens in a separate browser window.
Step 2 In the Wireless Application, click Wireless Express Security, and then click Bridging to provide the information to complete the bridging configuration.
BVI Configuration

Assign an IP address and subnet mask to the BVI interface. If you selected an existing bridge group in the previous screen, the IP address and subnet mask will appear in this screen. You can change it, or leave the values unchanged.

Field Reference: Table 3-9 BVI Configuration
  IP Address: Enter the IP address for the interface in dotted decimal format.
Field Reference: Table 3-10 DHCP Pool for BVI
  DHCP Server Configuration: If you want to have the router function as a DHCP server, check DHCP Server Configuration.
  Start IP: Enter the starting IP address for the pool. Be sure to specify IP addresses in the same subnet as the IP address you gave the interface. For example, if you gave the interface an IP address of 10.10.22.1, with a subnet mask of 255.255.255.
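The DHCP Address Pool and DHCP Pool for BVI screens both rely on the operator to choose a start and end address that fall inside the interface's subnet and do not collide with the interface address itself; the wizard does not describe what it rejects. The following added example (not code from the Cisco SDM guide or from Cisco) performs that check offline with the Python standard library. The interface address, mask and pool bounds are constructed sample values chosen to match the 10.10.22.1 example in the text.

```python
"""Sanity-check a DHCP pool against the LAN/BVI interface it serves.

Added example, not part of the Cisco SDM guide. Addresses used in the
demo at the bottom are constructed sample values.
"""
import ipaddress
from typing import List


def check_dhcp_pool(interface_ip: str, mask: str,
                    start_ip: str, end_ip: str) -> List[str]:
    """Return the problems found with the pool; an empty list means OK.

    Checks performed:
      * start must not be above end
      * both ends must lie in the interface's subnet (the guide's rule)
      * the pool must not hand out the router's own interface address
      * neither end may be the network or broadcast address
    """
    problems: List[str] = []
    iface = ipaddress.IPv4Interface(f"{interface_ip}/{mask}")
    net = iface.network
    start = ipaddress.IPv4Address(start_ip)
    end = ipaddress.IPv4Address(end_ip)

    if start > end:
        problems.append(f"start {start} is above end {end}")

    for label, addr in (("start", start), ("end", end)):
        if addr not in net:
            problems.append(f"{label} address {addr} is not in {net}")

    # A lease equal to the router's address would produce a duplicate IP
    # on the LAN as soon as the first client booted.
    if start <= iface.ip <= end:
        problems.append(f"pool includes the interface address {iface.ip}")

    if net.prefixlen < 31:  # /31 and /32 have no network/broadcast addresses
        for label, addr in (("start", start), ("end", end)):
            if addr in (net.network_address, net.broadcast_address):
                problems.append(
                    f"{label} address {addr} is the network or broadcast address")
    return problems


def lease_count(start_ip: str, end_ip: str) -> int:
    """Number of addresses the pool can hand out (inclusive range)."""
    start = int(ipaddress.IPv4Address(start_ip))
    end = int(ipaddress.IPv4Address(end_ip))
    return max(0, end - start + 1)


if __name__ == "__main__":
    # Constructed sample values mirroring the guide's 10.10.22.1 example.
    good = check_dhcp_pool("10.10.22.1", "255.255.255.0",
                           "10.10.22.2", "10.10.22.254")
    bad = check_dhcp_pool("10.10.22.1", "255.255.255.0",
                          "10.10.22.1", "10.10.23.5")
    print("good pool problems:", good)
    print("bad pool problems:", bad)
    print("leases in good pool:", lease_count("10.10.22.2", "10.10.22.254"))
```

Run the check before clicking Finish in the wizard; a pool that spills into a neighbouring subnet is the usual reason clients get an address but cannot reach the router.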
802.1Q Configuration

You can configure a VLAN that does not use the 802.1Q encapsulation protocol used for trunking connections. Provide a VLAN ID number, and check Native VLAN if you do not want the VLAN to use 802.1Q tagging. If you want to use the 802.1Q tagging, leave the Native VLAN box unchecked.

Field Reference: Table 3-11 IP Address and Subnet Mask
  VLAN ID (1-4094): Enter a VLAN ID number from 1 to 4094.
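The screen above asks only for a VLAN ID and a Native VLAN check box; what that choice means on the wire is that a native-VLAN frame is sent with no 802.1Q tag while every other VLAN's frames carry a 4-byte tag after the source MAC. The following added example (not code from the Cisco SDM guide or from Cisco) builds and parses both kinds of frame so the difference can be inspected, and enforces the 1 to 4094 range the screen documents. MAC addresses and payload are constructed sample values.

```python
"""Build and parse 802.1Q-tagged versus native (untagged) Ethernet frames.

Added example, not part of the Cisco SDM guide. Addresses and payload in
the demo are constructed sample values.
"""
import struct
from typing import Optional, Tuple

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, vlan_id: int, payload: bytes,
                native: bool = False, ethertype: int = ETHERTYPE_IPV4,
                pcp: int = 0) -> bytes:
    """Return an Ethernet frame for vlan_id.

    native=True mirrors the Native VLAN check box: the frame is sent
    untagged and the peer must map untagged frames to that VLAN itself.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    if native:
        return dst + src + struct.pack("!H", ethertype) + payload
    # TCI = 3-bit priority (PCP), 1-bit DEI (left 0), 12-bit VLAN ID
    tci = (pcp & 0x7) << 13 | vlan_id
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> Tuple[Optional[int], int, bytes]:
    """Return (vlan_id or None if untagged, inner EtherType, payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("802.1Q tag is truncated")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner, frame[18:]


def tag_overhead(frame: bytes) -> int:
    """Bytes added by the tag: 4 for a tagged frame, 0 for a native one."""
    return 4 if parse_frame(frame)[0] is not None else 0


if __name__ == "__main__":
    # Constructed sample values: broadcast destination, locally administered source.
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("0200aabbccdd")
    tagged = build_frame(dst, src, 10, b"\x45" + b"\x00" * 19)
    native = build_frame(dst, src, 10, b"\x45" + b"\x00" * 19, native=True)
    print("tagged :", tagged.hex(), parse_frame(tagged)[:2])
    print("native :", native.hex(), parse_frame(native)[:2])
```

Both ends of the link must agree on which VLAN is native: a frame that leaves untagged is assigned to whatever native VLAN the far port has configured, which is why the guide's Native VLAN setting must match the neighbouring switch rather than being chosen freely.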
Check the box at the bottom of the screen if you want to log on to the switch module after providing the information in this wizard and delivering the configuration to the router.

Configure Gigabit Ethernet Interface

Provide IP address and subnet mask information for Gigabit Ethernet interfaces in this window. For more information on IP addresses and subnet masks, see LAN Wizard: IP Address and Subnet Mask.
Chapter 4 802.1x Authentication

802.1x authentication allows a remote Cisco IOS router to connect authenticated VPN users to a secure network through a VPN tunnel that is up at all times. The Cisco IOS router will authenticate users through a RADIUS server on the secure network. 802.1x authentication is applied to switch ports or Ethernet (routed) ports, but not to both types of interfaces. If 802.
Host Mode: Choose Single or Multiple. Single mode allows only one authenticated client to have access. Multiple mode allows any number of clients to have access once a single client has been authenticated.

Note Ports on Cisco 85x and Cisco 87x routers can be set only to multiple host mode. Single mode is disabled for these routers.

Guest VLAN: Check Guest VLAN to enable a VLAN for clients lacking 802.1x support.
RADIUS Server Timeout: Enter the time, in seconds, that your Cisco IOS router waits before timing out its connection to the RADIUS server. Values must be in the range of 1–65535 seconds. The default setting is 30 seconds.

Supplicant Reply Timeout: Enter the time, in seconds, that your Cisco IOS router waits for a reply from an 802.1x client before timing out its connection to that client.
Reset to Defaults: Click Reset to Defaults to reset all advanced options to their default values.

LAN Wizard: RADIUS Servers for 802.1x Authentication

802.1x authentication information is configured and stored in a policy database residing on RADIUS servers running Cisco Secure ACS version 3.3. The router must validate the credentials of 802.1x clients by communicating with a RADIUS server.
Note Cisco IOS software allows a single RADIUS source interface to be configured on the router. If the router already has a configured RADIUS source and you choose a different source, the source IP address placed in the packets sent to the RADIUS server changes to the IP address of the new source, and may not match the NAD IP address configured on the Cisco ACS.
The Edit and Ping buttons are disabled when no RADIUS server information is available for the chosen interface.

Edit 802.1x Authentication (Switch Ports)

This window allows you to enable and configure 802.1x authentication parameters. If a message is displayed indicating that the port is operating in trunk mode instead of the 802.1x authentication parameters, then the switch cannot have 802.1x authentication enabled. If the 802.
Guest VLAN: Check Guest VLAN to enable a VLAN for clients lacking 802.1x support. If you enable this option, choose a VLAN from the VLAN drop-down list.

Auth-Fail VLAN: Check Auth-Fail VLAN to enable a VLAN for clients that fail 802.1x authorization. If you enable this option, choose a VLAN from the VLAN drop-down list.

Periodic Reauthentication: Check Periodic Reauthentication to force reauthentication of 802.
Use 802.1x Authentication to separate trusted and untrusted traffic on the interface: Check this box to enable 802.1x authentication.

Exception Lists: Click Exception Lists to create or edit an exception list. An exception list exempts certain clients from 802.1x authentication while allowing them to use the VPN tunnel.
Delete: Click Delete to remove a chosen client from the exception list.

802.1x Authentication on Layer 3 Interfaces

This window allows you to configure 802.1x authentication on a Layer 3 interface. It lists Ethernet ports and VLAN interfaces that have or can be configured with 802.1x authentication, allows you to choose a Virtual Template interface for untrusted clients, and create an exception list for clients to bypass 802.
Chapter 4 802.1x Authentication 802.1x Authentication on Layer 3 Interfaces Edit Click Edit to open a window of editable 802.1x authentication parameters. The parameters are the 802.1x authentication settings for the interface chosen in the Interfaces table. Untrusted User Policy Choose a Virtual Template interface from the drop-down list. The chosen Virtual Template interface represents the policy applied to clients that fail 802.1x authentication.
Chapter 4 802.1x Authentication How Do I ... Enable 802.1x Authentication Check Enable 802.1x Authentication to enable 802.1x authentication on the Ethernet port. Periodic Reauthentication Check Periodic Reauthentication to force reauthentication of 802.1x clients on a regular interval. Choose to configure the interval locally, or to allow the RADIUS server to set the interval. If you choose to configure the reauthentication interval locally, enter a value in the range of 1–65535 seconds.
Chapter 5 Configuring WAN Connections
The WAN wizards enable you to configure WAN connections for all Cisco SDM-supported interfaces.

Configuring an Ethernet WAN Connection
Step 4 In the Create Connection tab, click Ethernet WAN. Step 5 Click Create Connection to start the wizard. The wizard Welcome screen describes the tasks you will complete. Step 6 Click Next to go to the subsequent screens to configure the connection. Step 7 Cisco SDM displays the Summary screen when you have completed the configuration. Review the configuration.

Select Interface
This window appears if there is more than one interface of the type you selected in the Create Connection window. Choose the interface that you want to use for this connection. Field Reference Table 5-1 describes the fields in this screen. Table 5-1 Select Interface Fields Element Description Check Boxes Check the box next to the interface that you want to use for this connection.

Table 5-2 Ethernet without PPPoE IP Address Fields Element Description Static IP Address If you choose Static IP Address, enter the IP address and subnet mask or the network bits in the fields provided. For more information, see IP Addresses and Subnet Masks. Dynamic (DHCP Client) If you choose Dynamic, the router will lease an IP address from a remote DHCP server.

Summary
This screen displays a summary of the WAN link that you configured. You can review this information, and if you need to change anything, you can click the Back button to return to the screen on which you need to make changes. Button Reference Table 5-4 describes the buttons in this screen.

Configuring a Serial Connection
Table 5-5 Advanced Options Fields Element Description Default Static Route Check this box if you want to configure a static route to the outside interface to which outgoing traffic will be routed. If a static route has already been configured on this router, this box does not appear. Next Hop Address If your service provider has given you a next-hop IP address to use, enter the IP address in this field.

Step 7 Cisco SDM displays the Summary screen when you have completed the configuration. Review the configuration. If you need to make changes, click Back to return to the screen in which you need to make changes, then return to the Summary screen. Step 8 If you want to test the connection after sending the configuration to the router, check Test the connectivity after configuring.

Table 5-6 Serial Connection with Point-to-Point Protocol Element Description Static IP Address If you choose Static IP Address, enter the IP address and subnet mask or the network bits in the fields provided. For more information, see IP Addresses and Subnet Masks. IP Unnumbered Choose IP Unnumbered if you want the interface to share an IP address that has already been assigned to another interface.

Table 5-7 Serial Connection with HDLC or Frame Relay Fields Element Description IP Unnumbered Choose IP Unnumbered if you want the interface to share an IP address that has already been assigned to another interface. Then choose the interface whose IP address you want to use for the interface you are configuring.

Field Reference Table 5-8 describes the fields in this screen. Table 5-8 Authentication Fields Element Description Authentication Type Check the box for the type of authentication used by your service provider. If you do not know which type your service provider uses, you can check both boxes: the router will attempt both types of authentication, and one attempt will succeed.

Table 5-9 LMI and DLCI Fields Element Description Cisco LMI type defined jointly by Cisco Systems and three other companies. ITU-T Q.933 ITU-T Q.933 Annex A. Autosense The default. This setting allows the router to detect which LMI type is being used by communicating with the switch and to then use that type. If autosense fails, the router will use the Cisco LMI type. DLCI Enter the DLCI in this field.

Table 5-10 Clock Settings Fields Element Description Line Code This field configures the router for operation on binary 8-zeros substitution (B8ZS) or alternate mark inversion (AMI) T1 lines. The b8zs setting ensures density on a T1 or E1 line by substituting intentional bipolar violations in bit positions 4 and 7 for a sequence of eight zero bits.

Table 5-10 Clock Settings Fields Element Description Remote Loopback Requests This field specifies whether the router will go into loopback mode when a loopback code is received on the line. Choosing full causes the router to accept full loopbacks, while choosing payload-v54 will cause the router to choose payload loopbacks.

Configuring a DSL Connection
Step 7 Cisco SDM displays the Summary screen when you have completed the configuration. Review the configuration. If you need to make changes, click Back to return to the screen in which you need to make changes, then return to the Summary screen. Step 8 If you want to test the connection after sending the configuration to the router, check Test the connectivity after configuring.

Field Reference Table 5-11 describes the fields in this screen. Table 5-11 ATM or Ethernet with PPPoE or PPPoA Element Description Static IP Address If you choose Static IP Address, enter the IP address and subnet mask or the network bits in the fields provided. Dynamic (DHCP Client) If you choose Dynamic, the router will lease an IP address from a remote DHCP server. Enter the name of the DHCP server that will assign addresses.

Field Reference Table 5-12 describes the fields in this screen. Table 5-12 ATM with RFC 1483 Routing Element Description Static IP Address If you choose Static IP Address, enter the IP address and subnet mask or the network bits in the fields provided. For more information, see IP Addresses and Subnet Masks. Dynamic (DHCP Client) If you choose Dynamic, the router will lease an IP address from a remote DHCP server.

Field Reference Table 5-13 describes the fields in this screen. Table 5-13 Encapsulation Fields Element Description Autodetect Click Autodetect to have Cisco SDM discover the encapsulation type. If Cisco SDM succeeds, it will automatically supply the encapsulation type and other configuration parameters it discovers. Note Cisco SDM supports autodetect on SB106, SB107, Cisco 836, and Cisco 837 routers.

Table 5-13 Encapsulation Fields Element Description Encapsulations Available for Serial Interfaces Frame Relay Provides Frame Relay encapsulation. This option is available when you have selected a serial interface. A serial subinterface will be created when you create a Frame Relay connection. This subinterface will be visible in the Summary window.

Field Reference Table 5-14 describes the fields in this screen. Table 5-14 PVC Fields Element Description VPI Enter the VPI value obtained from your service provider or system administrator. The virtual path identifier (VPI) is used in ATM switching and routing to identify the path used for a number of connections. Enter the VPI value given to you by your service provider.

Configuring an ISDN Connection
Complete these steps to configure an ISDN connection: Step 1 If you want to review the IOS CLI commands that you send to the router when you complete the configuration, go to the Cisco SDM toolbar, and click Edit > Preferences > Preview commands before delivering to router. Step 2 In the Cisco SDM toolbar, click Configure. Step 3 In the Cisco SDM taskbar, click Interfaces and Connections.

• Advanced Options • Dial String • Summary

ISDN Wizard Welcome Window
PPP is the only type of encoding supported over an ISDN BRI by Cisco SDM. IP Address: ISDN BRI or Analog Modem Choose the method that the ISDN BRI or analog modem interface will use to obtain an IP address. Field Reference Table 5-15 describes the fields in this screen.

Switch Type and SPIDs
ISDN BRI connections require identification of the ISDN switch type, and in some cases, identification of the B channels using service profile ID (SPID) numbers. This information will be provided to you by your service provider. Field Reference Table 5-16 describes the fields in this screen. Table 5-16 Switch Type and SPIDs Fields Element Description ISDN Switch Type Choose the ISDN switch type.

Table 5-16 Switch Type and SPIDs Fields Element Description • For voice or PBX systems: – basic-qsig—PINX (PBX) switches with QSIG signaling per Q.931 I have SPIDs Check this check box if your service provider requires SPIDs. Some service providers use SPIDs to define the services that are subscribed to by an ISDN device that is accessing the ISDN service provider.

Configuring an Aux Backup Connection
Complete these steps to configure an Aux Backup connection: Step 1 If you want to review the IOS CLI commands that you send to the router when you complete the configuration, go to the Cisco SDM toolbar, and click Edit > Preferences > Preview commands before delivering to router. Step 2 In the Cisco SDM toolbar, click Configure.

• Summary

Aux Backup Welcome Window
The option to configure the AUX port as a dial-up connection only appears for the Cisco 831 and 837 routers. The Aux dial-backup radio button is disabled if any of the following conditions exist: • More than one default route exists. • One default route exists and it is configured with an interface other than the primary WAN interface.

Field Reference Table 5-17 describes the fields in this screen. Table 5-17 Backup Configuration Fields Element Description Configure this connection as backup Check this option to designate this interface as backup. Do not configure this connection as backup Check this option if you do not want to designate this interface as backup.

Configuring an Analog Modem Connection
Table 5-18 Hostname or IP Address to Be Tracked Fields Element Description Primary Next Hop IP Address Choose the router interface that will maintain the primary connection. Backup Next Hop IP Address This field is optional. Enter the IP address to which the backup interface will connect when it is active, known as the next hop IP address.

Step 4 In the Create Connection tab, click Analog Modem. Step 5 Click Create Connection to start the wizard. The wizard Welcome screen describes the tasks you will complete. Step 6 Click Next to go to the subsequent screens to configure the connection. Step 7 Cisco SDM displays the Summary screen when you have completed the configuration. Review the configuration.

Configuring a Cable Modem Connection
Complete these steps to configure a Cable Modem connection: Step 1 If you want to review the IOS CLI commands that you send to the router when you complete the configuration, go to the Cisco SDM toolbar, and click Edit > Preferences > Preview commands before delivering to router. Step 2 In the Cisco SDM toolbar, click Configure.

Cable Modem Connection Wizard Welcome
The Welcome screen indicates that you are using the cable modem connection wizard, and describes the tasks you perform when you configure a Cable Modem connection. Click Next to begin configuring the connection. Select Interface Select the cable modem interface to configure in this screen. The interface that you select will be configured as a DHCP client.

Field Reference Table 5-21 describes the buttons in this screen. Table 5-21 Summary Buttons Element Description Test the connectivity after configuring Check this box if you want Cisco SDM to test the connection you have configured after it delivers the commands to the router. Cisco SDM will test the connection and report results in another window.
Chapter 6 Edit Interface/Connection
This window displays the router’s interfaces and connections. The window also enables you to add, edit, and delete connections, and to enable or disable connections. Add When you choose an unconfigured physical interface and click Add, the menu contains choices for adding a connection on that interface. Click Add to create a new loopback or tunnel interface.

• Application Service • General tab

If the interface is not supported, the dialog will not have a Connection tab. If you choose a switch port, the Edit Switch Port dialog appears. The Edit button will be disabled if the interface is supported and unconfigured. Delete Choosing a connection and clicking Delete displays a dialog box informing you of the associations this connection has and asking you if you want to remove the associations along with the connection.

Interface List
The interface list displays the physical interfaces and the logical connections to which they are configured. Interfaces This column lists the physical and logical interfaces by name. If a logical interface is configured for a physical interface, the logical interface is shown under the physical interface. If Cisco SDM is running on a Cisco 7000 family router, you will be able to create a connection only on Ethernet and Fast Ethernet interfaces.

Description This column contains any descriptions provided for this connection. Details About Interface This area of the window displays association and, if applicable, connection details about the interface chosen in the interface list. Association details include such information as Network Address Translation (NAT), access, and inspection rules, IPsec policies, and Easy VPN configurations. Connection details include IP address, encapsulation type, and DHCP options.

Connection: Ethernet for IRB
This dialog box contains the following fields if you chose Ethernet for IRB in the Configure list. Current Bridge Group/Associated BVI These read-only fields contain the current bridge group value and the current Bridge-Group Virtual Interface (BVI) name.

• Create a new dynamic DNS method. Click the drop-down menu and choose to create a new dynamic DNS method. To clear an associated dynamic DNS method from the interface, choose None from the drop-down menu.

Connection: Ethernet for Routing
This dialog box contains the following fields if you chose Ethernet for Routing in the Configure list. IP Address Enter an IP address and subnet mask in the IP Address fields.

Note This feature appears only if supported by the Cisco IOS release on your router. To choose a dynamic DNS method to use, do one of the following: • Enter the name of an existing dynamic DNS method. Enter the name in the Dynamic DNS Method field exactly as it appears in the list in Configure > Additional Tasks > Dynamic DNS Methods. • Choose an existing dynamic DNS method from a list.

HTTP HTTP is a dynamic DNS method that updates a DNS service provider with changes to the associated interface’s IP address. Server If using HTTP, choose the domain address of the DNS service provider from the drop-down menu. Username If using HTTP, enter a username for accessing the DNS service provider. Password If using HTTP, enter a password for accessing the DNS service provider.

Wireless
If the router has a wireless interface, you can launch the wireless application from this tab. You can also launch the wireless application from the Tools menu by choosing Tools > Wireless Application.

Association
Use this window to view, create, edit, or delete associations between interfaces and rules or VPN connections. Interface The name of the interface you selected in the Interfaces and Connections window.

direction on an interface, you are not only preventing it from entering a trusted network connected to the router, you are also preventing it from being routed anywhere else by the local router. Outbound The name or number of an access rule applied to outbound traffic on this interface. If you want to apply a rule, click the ... button and either choose an existing rule or create a rule and choose it.

NAT
Note An interface can be associated with only one IPsec policy. Note To create a GRE-over-IPsec tunnel, you must first associate the policy with the tunnel interface, and then associate it with the source interface for the tunnel. For example, if you wanted to associate a policy with Tunnel3, whose source interface is Serial0/0, you would first choose Tunnel3 in the Interfaces and Connections window, click Edit and associate the policy with it, and then click OK.

Edit Switch Port
This window lets you edit VLAN information for Ethernet switch ports. Mode Group Choose the type of VLAN information you want to be carried across this Ethernet switch port. Choosing Access causes the switch port to forward only data destined for the specific VLAN number. Choosing Trunking causes the switch port to forward data for all VLANs, including the VLAN data itself.

Duplex Choose full or half, or auto to allow for the duplex to be automatically set to match the network to which the switch port will be connected. If Speed is set to auto, then Duplex is disabled. Power Inline The Power inline drop-down list appears if the switch port supports an inline power supply. Choose one of the following values: • auto—Automatically detect and power inline devices. • never—Never apply inline power.

NBAR To associate Network-based application recognition (NBAR) with the interface, check the NBAR Protocol check box. NBAR statistics for the interface can be monitored by going to Monitor > Traffic Status > Application/Protocol Traffic.

General
This window displays general security settings and allows you to enable or disable them by checking or unchecking the check box next to the name and description.

replies to the falsified source. By sending a continuous stream of such requests, the attacker can create a much larger reply stream, which can completely inundate the host whose address is being falsified. Disabling IP directed broadcasts drops directed broadcasts that would otherwise be “exploded” into link-layer broadcasts at that interface. IP Proxy ARP ARP is used by the network to convert IP addresses into MAC addresses.

IP Mask-Reply ICMP mask reply messages are sent when a network device must know the subnet mask for a particular subnetwork in the internetwork. ICMP mask reply messages are sent to the device requesting the information by devices that have the requested information. These messages can be used by an attacker to gain network mapping information.
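The General tab settings described above map to per-interface IOS commands, which makes them easy to audit offline from a saved running-config. The following added example (not part of the Cisco SDM guide) parses interface stanzas from a constructed sample configuration and reports, per interface, whether IP directed broadcasts, IP proxy ARP or ICMP mask replies are in effect; the IOS defaults it assumes (proxy ARP on unless explicitly disabled, the other two off unless explicitly enabled) are stated in the comments.

```python
"""Audit IOS interface stanzas for the security settings that the Cisco SDM
General tab exposes: IP directed broadcasts, IP proxy ARP and ICMP mask replies.
Added example; the sample configuration below is constructed, not a real device."""
import re
from typing import Dict, List

# Constructed sample running-config (RFC 5737 / private addresses only).
SAMPLE_CONFIG = """\
!
interface FastEthernet0
 description LAN
 ip address 10.0.0.1 255.255.255.0
 no ip proxy-arp
!
interface FastEthernet1
 description WAN
 ip address 203.0.113.2 255.255.255.252
 ip directed-broadcast
 ip mask-reply
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 no ip directed-broadcast
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [commands indented under that interface]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or any top-level command ends the stanza
    return interfaces


def audit_interface(commands: List[str]) -> List[str]:
    """Return the risky General-tab settings in effect on one interface.

    Assumed IOS defaults: proxy ARP is enabled unless "no ip proxy-arp" is
    present; directed broadcast and mask reply are disabled unless the
    positive command is present.
    """
    cmds = set(commands)
    findings: List[str] = []
    if "ip directed-broadcast" in cmds:
        findings.append("ip directed-broadcast enabled (directed broadcasts exploded "
                        "into link-layer broadcasts; amplification risk)")
    if "no ip proxy-arp" not in cmds:
        findings.append("ip proxy-arp enabled (IOS default; router answers ARP "
                        "for hosts it routes to)")
    if "ip mask-reply" in cmds:
        findings.append("ip mask-reply enabled (answers ICMP mask requests; "
                        "reveals subnet layout)")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Audit every interface stanza in a running-config text."""
    return {name: audit_interface(c) for name, c in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

On the sample, FastEthernet0 is clean, FastEthernet1 reports all three settings, and Vlan10 reports only proxy ARP because it never disabled the IOS default.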
Chapter 6 Edit Interface/Connection Connection: VLAN Connection: VLAN This window lets you configure a VLAN interface. VLAN ID Enter the ID number of the new VLAN interface. If you are editing a VLAN interface, you cannot change the VLAN ID. Native VLAN Check Box Check if this VLAN is a nontrunking VLAN. IP Address Fields IP Address Type Choose whether this VLAN interface will have a static IP address or no IP address. This field is visible when VLAN only is chosen in the Configure As field.
Chapter 6 Edit Interface/Connection Add or Edit BVI Interface 5 3 56 67 56.8.1.1/255.255.255.0 Bridge No. 77 In this example, FastEthernet1.5 is configured for routing, and FastEthernet1.3 is configured for IRB. Note You must choose the physical interface on which the subinterfaces are configured to display this window. For the example described, you would have to choose FastEthernet 1 to display this window. If you chose FastEthernet1.3 or FastEthernet1.
Chapter 6 Edit Interface/Connection Connection: Virtual Template Interface Static IP Address If you chose Static IP address, enter that IP address in this field. Subnet Mask Enter the subnet mask in this field, or choose the number of subnet bits from the field on the right. The subnet mask tells the router which bits of the IP address designate the network address and which bits designate the host address. Connection: Virtual Template Interface You can add or edit a VTI as part of an 802.
Chapter 6 Edit Interface/Connection Connection: Ethernet WAN IP Address Enter the IP address for this interface. Obtain the IP address value from your service provider or network administrator. For more information, see IP Addresses and Subnet Masks. Subnet Mask Enter the subnet mask. Obtain this value from your network administrator. The subnet mask enables the router to determine how much of the IP address is used to define the network and subnet portion of the address.
Chapter 6 Edit Interface/Connection Connection: Ethernet WAN IP Address Choose one of the following IP address types, and enter the information in the fields displayed. If the Ethernet connection is not using PPPoE, you will see only the Static IP address and Dynamic options. Static IP Address If you choose Static IP Address, enter the IP address and subnet mask or the network bits in the fields provided. For more information, see IP Addresses and Subnet Masks.
Chapter 6 Edit Interface/Connection Connection: Ethernet Properties Enter the name in the Dynamic DNS Method field exactly as it appears in the list in Configure > Additional Tasks > Dynamic DNS Methods. • Choose an existing dynamic DNS method from a list. Click the drop-down menu and choose an existing method. A window with a list of existing dynamic DNS methods opens. This menu choice is available only if there are existing dynamic DNS methods. • Create a new dynamic DNS method.
Chapter 6 Edit Interface/Connection Connection: Ethernet Properties IP Unnumbered Available with PPPoE encapsulation. Choose IP Unnumbered if you want the interface to share an IP address that has already been assigned to another interface. Then choose the interface whose IP address this interface is to share. Easy IP (IP Negotiated) Available with PPPoE encapsulation. Choose Easy IP (IP Negotiated) if the router will obtain an IP address using PPP/IPCP address negotiation.
Chapter 6 Edit Interface/Connection Connection: Ethernet with No Encapsulation Connection: Ethernet with No Encapsulation Use this window to configure an Ethernet connection with no encapsulation. IP Address Choose how the router will obtain an IP address for this link. • Static IP address—If you choose Static IP Address, enter the IP address and subnet mask or network bits in the fields provided. For more information, see IP Addresses and Subnet Masks.
Chapter 6 Edit Interface/Connection Connection: ADSL Click the drop-down menu and choose to create a new dynamic DNS method. To clear an associated dynamic DNS method from the interface, choose None from the drop-down menu. Connection: ADSL This window enables you to specify or edit properties of a PPPoE link supported by an ADSL connection. Encapsulation Choose the type of encapsulation that will be used for this link. • PPPoE specifies Point-to-Point Protocol over Ethernet encapsulation.
Chapter 6 Edit Interface/Connection Connection: ADSL Virtual Circuit Identifier The virtual circuit identifier (VCI) is used in ATM switching and routing to identify a particular connection within a path that your connection may share with other connections. Enter the VCI value given to you by your service provider. If you are editing an existing connection, this field is disabled. If you need to change this value, delete the connection and re-create it using the value you need.
Chapter 6 Edit Interface/Connection Connection: ADSL • adls2—Configure the ADSL line to train in the ITU G.992.3 mode. This mode is available for the HWIC-ADSL-B/ST, HWIC-ADSLI-B/ST, HWIC-1ADSL, and HWIC-1ADSLI ADSL network modules. • adsl2+—Configure the ADSL line to train in the ITU G.992.4 mode. This mode is available for the HWIC-ADSL-B/ST, HWIC-ADSLI-B/ST, HWIC-1ADSL, and HWIC-1ADSLI ADSL network modules. • splitterless—Configure the ADSL line to train in the G.Lite mode.
Chapter 6 Edit Interface/Connection Connection: ADSL over ISDN Enable Multilink PPP Check this check box if you want to use Multilink Point-to-Point Protocol (MLP) with this interface. MLP can improve the performance of a network with multiple WAN connections by using load balancing functionality, packet fragmentation, bandwidth-on-demand, and other features. Connection: ADSL over ISDN Add or edit an ADSL over ISDN connection in this window.
Chapter 6 Edit Interface/Connection Connection: ADSL over ISDN If you are editing an existing connection, this field is disabled. If you need to change this value, delete the connection and re-create it using the value you need. IP Address Choose how the router will obtain an IP address for this link. • Static IP address—If you choose Static IP Address, enter the IP address and subnet mask, or network bits in the fields provided. For more information, see IP Addresses and Subnet Masks.
Chapter 6 Edit Interface/Connection Connection: G.SHDSL Authentication Click if you need to enter CHAP or PAP authentication information. Dynamic DNS Enable dynamic DNS if you want to update your DNS servers automatically whenever the WAN interface IP address changes. Note This feature appears only if supported by the Cisco IOS release on your router. To choose a dynamic DNS method to use, do one of the following: • Enter the name of an existing dynamic DNS method.
Chapter 6 Edit Interface/Connection Connection: G.SHDSL Note If the connection that you are configuring uses a DSL controller, the Equipment Type and Operating Mode fields do not appear in the dialog. Encapsulation Choose the type of encapsulation that will be used for this link. • PPPoE specifies Point-to-Point Protocol over Ethernet encapsulation. • PPPoA specifies Point-to-Point Protocol over ATM encapsulation. • RFC 1483 Routing (AAL5 SNAP) specifies that each PVC can carry multiple protocols.
Chapter 6 Edit Interface/Connection Connection: G.SHDSL IP Address Choose how the router will obtain an IP address for this link. The fields that appear in this area change according to the encapsulation type chosen. Your service provider or network administrator must tell you the method the router should use to obtain an IP address. Static IP address If you choose Static IP Address, enter the address that the interface will use, and the subnet mask or the network bits.
Chapter 6 Edit Interface/Connection

Connection: G.SHDSL
CO: Central office.
Operating Mode: Choose one of the following values. Annex A (U.S.) configures the regional operating parameters for North America. Annex B (Europe) configures the regional operating parameters for Europe.
Enable Multilink PPP: Check this check box if you want to use Multilink Point-to-Point Protocol (MLP) with this interface.

Connection: Cable Modem
Click the drop-down menu and choose an existing method. A window with a list of existing dynamic DNS methods opens. This menu choice is available only if there are existing dynamic DNS methods.
• Create a new dynamic DNS method. Click the drop-down menu and choose to create a new dynamic DNS method.
To clear an associated dynamic DNS method from the interface, choose None from the drop-down menu.

Configure DSL Controller
Cisco SDM supports the configuration of the Cisco WIC-1SHDSL-V2. This WIC supports a T1, E1, or G.SHDSL connection over an ATM interface. Cisco SDM supports only a G.SHDSL connection using the ATM interface. This window lets you set the controller mode on the WIC to ATM, enabling a G.SHDSL connection, and lets you create or edit DSL controller information for the G.SHDSL connection.
Line Rate: Choose the DSL line rate for the G.SHDSL port. If you have chosen a 2-wire connection, you can choose either auto, which configures the interface to negotiate the line rate between the G.SHDSL port and the DSLAM automatically, or the actual DSL line rate. The supported line rates (in kbps) are 200, 264, 392, 520, 776, 1032, 1160, 1544, 2056, and 2312. If you have chosen a 4-wire connection, you must choose a fixed line rate.

Add a G.SHDSL Connection
DSL Connections: This field displays all of the G.SHDSL connections currently configured on this controller. To configure a new G.SHDSL connection, click Add. This displays the Add a G.SHDSL Connection page, letting you configure the new connection. To edit an existing G.SHDSL connection, choose the connection in this field and click Edit. This also displays the Add a G.SHDSL Connection page, letting you edit the connection configuration.
Virtual Circuit Identifier: The virtual circuit identifier (VCI) is used in ATM switching and routing to identify a particular connection within a path that it may share with other connections. Obtain this value from your service provider. If you are editing an existing connection, this field is disabled. If you need to change this value, delete the connection and recreate it using the value you need.
Enable Multilink PPP: Check this check box if you want to use Multilink Point-to-Point Protocol (MLP) with this interface. MLP can improve the performance of a network with multiple WAN connections by using load balancing, packet fragmentation, bandwidth-on-demand, and other features.
Authentication: Click if you need to enter CHAP or PAP authentication information.
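The IOS configuration that the Configure DSL Controller and Add a G.SHDSL Connection windows generate looks like the following. This is an added example, not text or output from the Cisco SDM guide; it assumes the WIC-1SHDSL-V2 is in slot 0/0, that the provider assigned PVC 0/35, that the circuit is 2-wire Annex A with an auto-negotiated line rate, and that the CHAP username and password are placeholders.

```cisco
! Added example (not from the Cisco SDM guide). Assumed values: slot 0/0,
! PVC 0/35, 2-wire Annex A, auto line rate, placeholder CHAP credentials.
controller DSL 0/0
 mode atm
 line-term cpe
 line-mode 2-wire line-zero
 dsl-mode shdsl symmetric annex A
 line-rate auto
!
interface ATM0/0
 no ip address
 no atm ilmi-keepalive
 pvc 0/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ! CHAP only: PAP would send the password in cleartext over the link.
 ! "callin" means we answer the provider's challenge but do not challenge it.
 ppp authentication chap callin
 ppp chap hostname sdm-user
 ppp chap password 0 example-secret
!
dialer-list 1 protocol ip permit
ip route 0.0.0.0 0.0.0.0 Dialer1
```

The CHAP password is stored in the running configuration (at best type 7 obfuscated when service password-encryption is on), so configuration backups and show running-config output must be protected as credentials.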
Connection: Serial Interface, Frame Relay Encapsulation
Complete these fields if you are configuring a serial subinterface for Frame Relay encapsulation. If you are editing a connection or creating a connection in the Edit Interfaces and Connections window, the encapsulation is shown but is not editable.
DLCI: Enter the data link connection identifier (DLCI) in this field. This number must be unique among all DLCIs used on this interface. The DLCI provides a unique Frame Relay identifier for this connection. If you are editing an existing connection, the DLCI field is disabled. If you need to change the DLCI, delete the connection and create it again.
Clock Settings: In most cases, clock settings should not be changed from the default values. If you know that your requirements are different from the defaults, click and adjust the clock settings in the window displayed. The Clock Settings button appears only if you are configuring a T1 or E1 serial connection.

Connection: Serial Interface, PPP Encapsulation
Complete these fields if you are configuring a serial interface for Point-to-Point Protocol encapsulation. If you are editing a connection or creating a connection in the Edit Interfaces and Connections window, the encapsulation is shown but is not editable.
Clock Settings: In most cases, clock settings should not be changed from the default values. If you know that your requirements are different from the defaults, click and adjust the clock settings in the window displayed. The Clock Settings button appears only if you are configuring a T1 or E1 serial connection.

Connection: Serial Interface, HDLC Encapsulation
Fill out these fields if you are configuring a serial interface for HDLC encapsulation. If you are editing a connection or creating a connection in the Edit Interfaces and Connections window, the encapsulation is shown but is not editable. If you need to change the encapsulation type, delete the connection and re-create it using the encapsulation type you need. The Clock Settings button appears only if you are configuring a T1 or E1 serial connection.
Dynamic DNS: Enable dynamic DNS if you want to update your DNS servers automatically whenever the WAN interface IP address changes. Note: This feature appears only if supported by the Cisco IOS release on your router. To choose a dynamic DNS method to use, do one of the following:
• Enter the name of an existing dynamic DNS method.

Add or Edit GRE Tunnel
Tunnel Source: Choose the interface that the tunnel will use. This interface must be reachable from the other end of the tunnel; therefore, it must have a public, routable IP address.
Tunnel Destination: The tunnel destination is the interface on the router at the other end of the tunnel. Choose whether you will specify an IP address or a hostname, and then enter that information.
Connection: ISDN BRI
Complete these fields if you are configuring an ISDN BRI connection. Because Cisco SDM supports only PPP encapsulation over an ISDN BRI connection, the encapsulation shown is not editable.
Encapsulation: PPP (not editable).
ISDN Switch Type: Choose the ISDN switch type. Contact your ISDN service provider for the switch type for your connection.
SPIDs: Some service providers use service profile identifiers (SPIDs) to define the services subscribed to by the ISDN device that is accessing the ISDN service provider. The service provider assigns the ISDN device one or more SPIDs when you first subscribe to the service.
Subnet Mask: Enter the subnet mask. The subnet mask specifies the portion of the IP address that provides the network address. This value is synchronized with the network bits. Obtain the value of the subnet mask or the network bits from your network administrator or service provider.
Subnet Bits: Alternatively, enter the network bits to specify how many bits in the IP address provide the network address.

Connection: Analog Modem
Complete these fields if you are configuring an analog modem connection. Because Cisco SDM supports only PPP encapsulation over an analog modem connection, the encapsulation shown is not editable.
Encapsulation: PPP (not editable).
Remote Phone Number: Enter the phone number of the destination of the analog modem connection.
Subnet Mask: Enter the subnet mask. The subnet mask specifies the portion of the IP address that provides the network address. This value is synchronized with the network bits. Obtain the value of the subnet mask or the network bits from your network administrator or service provider.
Subnet Bits: Alternatively, enter the network bits to specify how many bits in the IP address provide the network address.

Connection: (AUX Backup)
Complete these fields if you are configuring an asynchronous dial-up connection using the console port to double as an AUX port on a Cisco 831 or 837 router. Once you enter the information in this window, click Backup Details and enter dial-backup information, which is required for this type of connection.
Clear Line: Click to clear the line. You should clear the line after creating an async connection so that interesting traffic triggers the connection.
IP Address: Choose Static IP address, IP Unnumbered, or IP Negotiated. If you choose Static IP address, complete the fields below.
IP Address: Enter the IP address for this point-to-point subinterface. Obtain this value from your network administrator or service provider.
Dynamic DNS Method
Note: This feature appears only if supported by the Cisco IOS release on your router. To choose a dynamic DNS method to use, do one of the following:
• Enter the name of an existing dynamic DNS method. Enter the name in the Dynamic DNS Method field exactly as it appears in the list in Configure > Additional Tasks > Dynamic DNS Methods.
• Choose an existing dynamic DNS method from a list. Click the drop-down menu and choose an existing method.

SPID Details
Login Name: The login name is given to you by your service provider and is used as the username for CHAP/PAP authentication.
Password: Enter the password exactly as given to you by your service provider. Passwords are case sensitive. For example, the password test is not the same as TEST.
Reenter Password: Reenter the same password that you entered in the previous box.

Dialer Options
Both ISDN BRI and analog modem interfaces can be configured for dial-on-demand routing (DDR), which causes the connection to dial out and become active only under specified circumstances, thus saving connection time and cost. This window lets you configure options specifying when ISDN BRI or analog modem connections should be initiated and ended.
Fast idle timeout: The fast idle timeout is used when one connection is active while a competing connection is waiting to be made. It sets the maximum number of seconds with no interesting traffic before the active connection is terminated and the competing connection is made.

Backup Configuration
ISDN BRI and analog modem interfaces can be configured to work as backup interfaces to other, primary interfaces. In that case, an ISDN or analog modem connection is made only if the primary interface goes down for some reason. If the primary interface and connection go down, the ISDN or analog modem interface immediately dials out and tries to establish a connection so that network services are not lost.
Next Hop Forwarding: These fields are optional. You can enter the IP address to which the primary and backup interfaces will connect when they are active. This is known as the next hop IP address. If you do not enter next hop IP addresses, Cisco SDM configures static routes using the interface name.
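The Dialer Options and Backup Configuration windows together produce a configuration of the following shape for an ISDN BRI dial-backup link. This is an added example, not configuration from the Cisco SDM guide; it assumes the primary WAN is Serial0/0/0 with next hop 203.0.113.1, the backup is BRI0/0, and the switch type, SPID, dial string and CHAP credentials are placeholders to be replaced with the provider's values.

```cisco
! Added example (not from the Cisco SDM guide). Assumed: primary Serial0/0/0,
! next hop 203.0.113.1, backup BRI0/0, placeholder SPID/number/credentials.
interface Serial0/0/0
 description primary WAN
 ip address 203.0.113.2 255.255.255.252
 ! BRI0/0 stays in standby (will not dial) until this interface goes down
 backup interface BRI0/0
 ! wait 5 s before dialing on failure, 30 s after recovery before hanging up
 backup delay 5 30
!
interface BRI0/0
 description dial backup to ISP
 ip address negotiated
 encapsulation ppp
 isdn switch-type basic-ni
 isdn spid1 51255512340101 5551234
 dialer string 5556789
 ! hang up after 120 s of no interesting traffic, 20 s if another call waits
 dialer idle-timeout 120
 dialer fast-idle 20
 dialer-group 1
 ! answer the provider's CHAP challenge; never fall back to PAP
 ppp authentication chap callin
 ppp chap hostname sdm-user
 ppp chap password 0 example-secret
!
! "Interesting" traffic is whatever ACL 101 permits. Deny chatty background
! protocols first so they can neither bring up nor keep alive a metered call.
access-list 101 deny   udp any any eq ntp
access-list 101 deny   udp any any eq snmp
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
! Primary default via the next hop; floating static (distance 200) via the
! backup interface takes over when the primary's connected route disappears.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 0.0.0.0 0.0.0.0 BRI0/0 200
```

The interesting-traffic list is the cost control: anything the list permits can place a call, so a logging or monitoring host that polls through the backup path will keep the line up indefinitely unless it is denied here.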
Delete Connection
To manually delete the associations: Click View Details to see a list of the associations that this connection has. Make note of the associations, choose I will delete the associations later, and then click OK. You can manually delete the associations using the instructions in the following list.
• EZVPN—An Easy VPN is applied to the interface on which the connection was created. To delete the Easy VPN, click Configure, then click Interfaces and Connections. Click the connection in the Interface List, and then click Edit. Click the Association tab, then in the VPN group, in the Easy VPN field, click None.
• VPDN—VPDN commands that are required for a PPPoE configuration are present in the router configuration.

Connectivity Testing and Troubleshooting
Cisco SDM cannot troubleshoot unencapsulated Ethernet connections, Serial and T1 or E1 connections, Analog connections, and ISDN connections. Cisco SDM provides basic ping testing for these connection types.
What is Basic Ping Testing? When Cisco SDM performs basic ping testing, it does the following:
1. Checks the interface status to see if it is up or down.
2. Checks DNS settings, whether they are Cisco SDM default options or user-specified hostnames.
3. Checks DHCP or IPCP configuration and status. If the router has an IP address through either DHCP or IPCP, Cisco SDM goes to step 4. If the router is configured for DHCP or IPCP but has not received an IP address through either of these methods, Cisco SDM performs the checks in step 1.
User Specified: Specify the IP address or hostname of your choice for testing the WAN interface.
Summary: Click this button if you want to view the summarized troubleshooting information.
Details: Click this button if you want to view the detailed troubleshooting information.
Activity: This column displays the troubleshooting activities.
What Do You Want to Do?
• Troubleshoot the WAN interface connection: Click the Start button. While a test is running, the Start button label changes to Stop, which lets you abort the troubleshooting while the test is in progress.
• Save the test report: Click the Save Report button to save the test report in HTML format. This button is active only when a test is in progress or when the testing is complete.
Chapter 7 Wide Area Application Services
Cisco's Wide Area Application Services (WAAS) is a WAN optimization and application acceleration solution that enables branch office server consolidation, improves performance for centralized applications, and provides remote users with LAN-like access to applications, storage, and content across the WAN. The WAAS solution has three major components:
• Wide Area Engine Edge (WAE-E). The edge WAE is installed at the client (branch) end of the WAN.

Configuring a WAAS Connection
This chapter contains the help topics for the WAAS configuration screens and contains the following sections:
• Configuring a WAAS Connection
• WAAS Reference
You must have a WAAS network interface module installed on the router in order to configure WAAS.

WAAS Reference
Step 10: If necessary, enter the enable command, press Enter, and provide the enable password.
Step 11: At the command prompt of the WAAS module, enter the following commands:
Router(config)# wccp router-list 1 default_gateway
Router(config)# wccp tcp-promiscuous router-list-num 1
Router(config)# wccp version 2
Replace default_gateway with the IP address of the router that provides a route to the CM.
Step 12: In the NM WAAS tab, click Register.

NM WAAS: If a WAAS network module is installed on the router, Cisco SDM shows the NM WAAS tab. This tab shows the current WAAS status and configuration, and from this tab you can go to the WAAS configuration screens. From this screen, Cisco SDM allows you to log in to the WAAS Central Manager (CM) so that you can register the edge WAE, and view the registration status sent by the CM.
Field Reference: Table 7-1 describes the information in the NM WAAS tab.
Table 7-1 NM WAAS Tab
Registration status with the WAAS central manager: Cisco SDM shows one of the following:
• Active—The Edge WAE is registered with the WAAS central manager. Cisco SDM displays a green icon when the Edge WAE is registered.
• Inactive—The Edge WAE is not registered with the WAAS central manager.
Register: Click to register the Edge WAE with the WAAS central manager (Step 12 above).
Table 7-1 NM WAAS Tab (continued)
Version: The version of the WCCP protocol in use; for example, WCCP Version 2.
Inside Interface: The name of the router interface being used for the WCCP inside interface. This interface is connected to the LAN.
Outside Interface: The name of the router interface being used for the WCCP outside interface. This interface is connected to the WAN.
Table 7-2 Integrated Service Engine Tab (continued)
Subnet mask: Enter the subnet mask in decimal format; for example, 255.255.255.0. Or, choose the number of subnet bits; for example, 24. Entering values in one field updates the other. For example, if you enter 255.255.255.0, the subnet bits field is automatically updated to display 24.
Field Reference: Table 7-3 describes the fields in this screen.
Table 7-3 WCCP Tab Field Reference
WCCP Settings
WCCP 61 Redirect: Choose the LAN subinterface from the list that carries the traffic that you want to redirect to the WAAS NM. The interface that you choose is displayed as the Inside Interface on the NM WAAS tab. Choose IN from the list to the right of the interface list.
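The router side of what the WCCP tab configures, written out with the two controls the tab does not expose (a group list and a WCCP password), is shown below. This is an added example, not configuration from the Cisco SDM guide; it assumes the LAN is GigabitEthernet0/0 (192.168.1.1), the WAN is Serial0/0/0, the module interface is Integrated-Service-Engine1/0 on the router-to-module link 10.10.10.0/30 with the WAE at 10.10.10.2, and the ACL names and password are placeholders.

```cisco
! Added example (not from the Cisco SDM guide). Assumed: LAN Gi0/0, WAN S0/0/0,
! module on Integrated-Service-Engine1/0, WAE address 10.10.10.2.
ip wccp version 2
!
! Only the WAE at 10.10.10.2 may join service groups 61/62. Without a group list
! any host that speaks WCCP v2 could register itself and receive all redirected
! TCP traffic; the password additionally requires the WAE to know the shared key.
ip access-list standard WAAS-WAE
 permit 10.10.10.2
!
! Never redirect management sessions to the router itself through the WAE.
ip access-list extended WAAS-REDIRECT
 deny   tcp any host 192.168.1.1 eq 22
 deny   tcp any host 192.168.1.1 eq 443
 permit tcp any any
!
! Service 61 classifies flows by source, 62 by destination: the two halves of a
! TCP connection are thus redirected on the inside and outside interfaces.
ip wccp 61 redirect-list WAAS-REDIRECT group-list WAAS-WAE password 0 example-secret
ip wccp 62 redirect-list WAAS-REDIRECT group-list WAAS-WAE password 0 example-secret
!
interface GigabitEthernet0/0
 description LAN (WCCP inside interface)
 ip address 192.168.1.1 255.255.255.0
 ip wccp 61 redirect in
!
interface Serial0/0/0
 description WAN (WCCP outside interface)
 ip address 203.0.113.2 255.255.255.252
 ip wccp 62 redirect in
!
interface Integrated-Service-Engine1/0
 ip address 10.10.10.1 255.255.255.252
 ! traffic already returning from the WAE must not be redirected a second time
 ip wccp redirect exclude in
 service-module ip address 10.10.10.2 255.255.255.252
 service-module ip default-gateway 10.10.10.1
```

The same password has to be supplied on the module side (the wccp tcp-promiscuous router-list-num command in Step 11 accepts a password argument), otherwise the WAE's "Here I Am" messages are rejected and the NM WAAS tab never shows the service group as up.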
Chapter 8 Create Firewall
A firewall is a set of rules used to protect the resources of your LAN. These rules filter the packets arriving at the router. If a packet does not meet the criteria specified in the rule, it is dropped. If it does meet the criteria, it is allowed to pass through the interface that the rule is applied to. This wizard enables you to create a firewall for your LAN by answering prompts in a set of screens. In this window, select the type of firewall that you want to create.
Advanced Firewall: Click this if you want Cisco SDM to lead you through the steps of configuring a firewall. You have the option to create a DMZ network, and to specify an inspection rule. The use case scenario shown when you select this option shows you a typical configuration for an Internet firewall.
What Do You Want to Do?
• Have Cisco SDM create a firewall for me: Click Basic Firewall. Then, click Launch the Selected Task.
• Have Cisco SDM help me create an Advanced Firewall: Select Advanced Firewall. Then, click Launch the Selected Task. If your router has multiple inside and outside interfaces, and you want to configure a DMZ, you should select this option. Cisco SDM will show you the default inspection rule and allow you to use it in the firewall. Or, you can create your own inspection rule.

Basic Firewall Configuration Wizard
Cisco SDM will protect the LAN with a default firewall when you select this option. For Cisco SDM to do this, you must specify the inside and outside interfaces in the next window. Click Next to begin configuration.
Basic Firewall Interface Configuration: Identify the interfaces on the router so that the firewall will be applied to the correct interface.

Advanced Firewall Configuration Wizard
Configuring Firewall for Remote Access: Creating a firewall can block access to the router that remote administrators may need. You can specify the router interfaces to use for remote management access and the hosts from which administrators can log on to Cisco SDM to manage the router. The firewall will be modified to allow secure remote access from the host or network that you specify.
Check outside or inside to identify each interface as an outside or an inside interface. Outside interfaces connect to your organization's WAN or to the Internet. Inside interfaces connect to your LAN.
Allow secure Cisco SDM access from outside interfaces checkbox: Check this box if you want users outside the firewall to be able to access the router using Cisco SDM.
Service Type: The type of service, either Transmission Control Protocol (TCP) or User Datagram Protocol (UDP).
Service: The name of the service, such as Telnet, or FTP, or a protocol number.
To configure a DMZ service entry: Click Add, and create the entry in the DMZ Service Configuration window.
To edit a DMZ service entry: Select the service entry, and click Edit. Then, edit the entry in the DMZ Service Configuration window.
Service: TCP—Click this option if you want to allow traffic for a TCP service. UDP—Click this option if you want to allow traffic for a UDP service. Service—Enter the service name or number in this field. If you do not know the name or number, click the button and select the service from the list displayed.
Domain Name Server Configuration: The router must be configured with the IP address of at least one DNS server for application security to work. Click Enable DNS-based hostname-to-address translation, and provide the IP address of the primary DNS server. If a secondary DNS server is available, enter its IP address in the Secondary DNS Server field.
Select Zone: Select the security zone that you want the interface to be a member of. If you choose not to assign the interface to a zone, there is a strong possibility that traffic will not pass through the interface.
ZPF Inside Zones: Zones that include interfaces used in generic routing encapsulation (GRE) tunnels must be designated as inside (trusted) zones in order for GRE traffic to pass through the firewall.
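The following shows a GRE tunnel as the Add or Edit GRE Tunnel window builds it (tunnel source interface with a routable address, tunnel destination by IP address), placed in a zone-based firewall so the ZPF Inside Zones rule above is concrete: the Tunnel interface joins the inside zone, while the physical interface that carries the encapsulated packets is in the outside zone. This is an added example, not configuration from the Cisco SDM guide; the addresses (tunnel source 203.0.113.2 on Serial0/0/0, peer 198.51.100.2, tunnel link 10.255.0.0/30) and the zone, class-map and policy-map names are assumptions.

```cisco
! Added example (not from the Cisco SDM guide). Assumed addresses and names.
zone security IN-ZONE
zone security OUT-ZONE
!
interface Tunnel0
 description GRE to branch
 ip address 10.255.0.1 255.255.255.252
 tunnel source Serial0/0/0
 tunnel destination 198.51.100.2
 ! 3 missed keepalives (10 s apart) take the tunnel down so its routes withdraw
 keepalive 10 3
 ! decapsulated traffic enters the firewall from this interface: inside zone
 zone-member security IN-ZONE
!
interface GigabitEthernet0/0
 description inside LAN
 zone-member security IN-ZONE
!
interface Serial0/0/0
 description outside; carries the GRE-encapsulated packets
 ip address 203.0.113.2 255.255.255.252
 zone-member security OUT-ZONE
!
! LAN <-> tunnel traffic stays within IN-ZONE and is not inspected; only
! traffic that crosses zones needs a zone-pair.
class-map type inspect match-any IN-TO-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect IN-TO-OUT
  inspect
 class class-default
  drop log
zone-pair security IN-OUT source IN-ZONE destination OUT-ZONE
 service-policy type inspect IN-TO-OUT-POLICY
!
! The GRE packets themselves terminate on the router (the "self" zone). Self
! traffic is allowed by default; once an OUT-ZONE -> self pair exists, only what
! it passes gets through, so IP protocol 47 from the peer must be listed.
ip access-list extended GRE-PEER
 permit gre host 198.51.100.2 host 203.0.113.2
class-map type inspect match-all GRE-IN
 match access-group name GRE-PEER
policy-map type inspect SELF-IN-POLICY
 class type inspect GRE-IN
  pass
 class class-default
  drop log
zone-pair security OUT-SELF source OUT-ZONE destination self
 service-policy type inspect SELF-IN-POLICY
```

Two cautions for production use. The OUT-SELF pair as written drops every other packet addressed to the router from outside, so management sessions (SSH, HTTPS) from outside need their own pass or inspect class in SELF-IN-POLICY. And GRE alone provides neither confidentiality nor authentication: anyone who can reach 203.0.113.2 and spoof 198.51.100.2 as the source can inject packets straight into IN-ZONE, which is why the tunnel should be protected with IPsec before the inside-zone placement is trusted.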
Table 8-1 Voice Configuration Fields
Select the Lineside Protocol: The lineside protocol is the protocol used when sending traffic to and from the phones on the network. Choose one of the following options: SIP (Session Initiation Protocol) or SCCP (Skinny Client Control Protocol).
The remaining elements of this table are Select the Trunkside Protocol and Enable logging for voice traffic.

Apply access rule to the inbound direction to deny traffic sourced from broadcast and local loopback addresses.
Apply access rule to the inbound direction to permit all other traffic.
Apply application security policy SDM_HIGH to the inbound direction.
This example shows the Cisco SDM Application Security policy SDM_HIGH applied to inbound traffic on this interface.
DMZ Interface: If you configured an Advanced firewall, this area shows you the DMZ interface you designated, along with its IP address. Underneath, Cisco SDM describes what access and inspection rules were associated with this interface. The following are examples:
FastEthernet (10.10.10.1)
Apply CBAC inspection rule to the outbound direction
Apply access rule to the inbound direction to deny all other traffic.
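A classic (CBAC) IOS firewall of the shape the summary describes, written out so the generated rules can be audited line by line, looks like the following. This is an added example, not configuration from the Cisco SDM guide; it assumes inside is FastEthernet0/0 (192.168.1.0/24), outside is Serial0/0/0 (203.0.113.2), the DMZ is FastEthernet0/1 (10.10.10.1) with a web server at 10.10.10.10, the router's DNS resolver is 198.51.100.53, and the inspection rule name FW-INSPECT is invented rather than one of the SDM presets.

```cisco
! Added example (not from the Cisco SDM guide). Assumed interfaces, addresses
! and rule names as stated in the lead-in.
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT udp
ip inspect name FW-INSPECT icmp
ip inspect name FW-INSPECT http
! log session open/close so the Monitor view has something to show
ip inspect audit-trail
!
! Inbound on the outside interface: drop spoofed and bogus sources first, admit
! only the published DMZ service, and rely on CBAC to open return traffic for
! sessions that were inspected on their way out.
ip access-list extended FW-OUTSIDE-IN
 remark anti-spoofing: our own prefixes never legitimately arrive from the WAN
 deny   ip 192.168.1.0 0.0.0.255 any
 deny   ip 10.10.10.0 0.0.0.255 any
 remark loopback, broadcast and RFC 1918 sources (the summary's deny rules)
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark published DMZ service
 permit tcp any host 10.10.10.10 eq www
 remark router-originated DNS is not inspected by CBAC, so its replies need a
 remark static entry (or "ip inspect ... router-traffic" on the rule)
 permit udp host 198.51.100.53 eq domain host 203.0.113.2
 deny   ip any any log
!
! Inbound on the DMZ: the server may only answer what CBAC opened; it cannot
! start connections toward the LAN or the Internet if it is compromised.
ip access-list extended FW-DMZ-IN
 deny   ip any any log
!
interface FastEthernet0/0
 description inside
 ip address 192.168.1.1 255.255.255.0
 ! inspect LAN-originated sessions: opens their return path through FW-OUTSIDE-IN
 ip inspect FW-INSPECT in
!
interface FastEthernet0/1
 description DMZ
 ip address 10.10.10.1 255.255.255.0
 ip access-group FW-DMZ-IN in
 ! inspect sessions leaving toward the server: opens their return path through FW-DMZ-IN
 ip inspect FW-INSPECT out
!
interface Serial0/0/0
 description outside
 ip address 203.0.113.2 255.255.255.252
 ip access-group FW-OUTSIDE-IN in
```

The point worth checking on any wizard-generated policy is the relationship between the two halves: every "permit" on the outside interface is a hole that exists regardless of inspection, while every "deny" on the DMZ interface is only as tight as the inspect statement that opens it, so the inspection rule should list the narrowest set of protocols the servers actually need.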
Step 3: If no outside interface has a static IP address, select one and click Edit to display a dialog that allows you to reconfigure the IP address information for the interface. If there is an outside interface with a static IP address, note that interface name and complete the next procedure.
Configuring SSH and HTTPS: Complete the following steps to configure a management policy for SSH and HTTPS on the router.
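The management policy that this procedure and the Configuring Firewall for Remote Access step produce, restricted to SSH and HTTPS from one administrative network, corresponds to the following. This is an added example, not configuration from the Cisco SDM guide; it assumes the outside interface is Serial0/0/0 with static address 203.0.113.2, that administrators come from 198.51.100.0/28, that the wizard's inbound ACL is named FW-OUTSIDE-IN with its final deny at sequence 100, and that the hostname, domain, username and secret are placeholders.

```cisco
! Added example (not from the Cisco SDM guide). Assumed: outside S0/0/0 at
! 203.0.113.2, admin network 198.51.100.0/28, placeholder names and secret.
hostname edge-rtr
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
username admin privilege 15 secret example-secret
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
! Cisco SDM itself is reached over HTTPS; the cleartext HTTP server stays off.
no ip http server
ip http secure-server
ip http authentication aaa
!
! Who may open a management session at all (applies to both HTTPS and SSH).
access-list 10 remark administrative hosts
access-list 10 permit 198.51.100.0 0.0.0.15
access-list 10 deny   any log
ip http access-class 10
!
line vty 0 4
 access-class 10 in
 transport input ssh
 exec-timeout 10 0
 login authentication default
!
! The firewall's inbound ACL must admit the two services from the admin
! network. Named-ACL entries are appended at the end, i.e. after the final
! "deny ip any any log", unless a sequence number places them earlier.
ip access-list extended FW-OUTSIDE-IN
 5 permit tcp 198.51.100.0 0.0.0.15 host 203.0.113.2 eq 22
 6 permit tcp 198.51.100.0 0.0.0.15 host 203.0.113.2 eq 443
```

The two access-class statements and the firewall entries are independent controls: the firewall decides whether the packet reaches the router at all, the access-class decides whether a reachable router will talk to that source. Keep both, since the wizard may later regenerate the firewall ACL and lose the sequence-numbered entries.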
How Do I...
This section contains procedures for tasks that the wizard does not help you complete.
How Do I View Activity on My Firewall? Activity on your firewall is monitored through the creation of log entries. If logging is enabled on the router, whenever an access rule that is configured to generate log entries is invoked—for example, if a connection were attempted from a denied IP address—then a log entry is generated and can be viewed in Monitor mode.
Each access rule appears in the upper table on the right side of the screen. The lower table shows the specific source and destination IP addresses and the services that are permitted or denied by the rule.
Step 3: In the upper table, click the rule that you want to modify.
Step 4: Click Edit. The Edit a Rule dialog box appears.
Step 5: The Rule Entry field shows each of the source IP/destination IP/service combinations that are permitted or denied by the rule.
How Do I Configure a Firewall on an Unsupported Interface? Cisco SDM can configure a firewall on an interface type unsupported by Cisco SDM. Before you can configure the firewall, you must first use the router CLI to configure the interface. The interface must have, at a minimum, an IP address configured, and it must be working. For more information on how to configure an interface using the CLI, refer to the Software Configuration Guide for your router.
If you create an access rule in the ACL Editor available in Additional Tasks, you have complete control over the permit and deny statements in the rule, and you must ensure that traffic is permitted between VPN peers.
How Do I Modify an Existing Firewall to Permit Traffic from a New Network or Host? You can use the Edit Firewall Policy tab to modify your firewall configuration to permit traffic from a new network or host.
Step 1: From the left frame, select Firewall and ACL.
Step 2: Click the Edit Firewall Policy tab.
Step 3: In the traffic selection panel, select a From interface and a To interface to specify the traffic flow to which the firewall has been applied, and click Go.
How Do I Configure NAT Passthrough for a Firewall? If you have configured NAT and are now configuring your firewall, you must configure the firewall so that it permits traffic from your public IP address. To do this you must configure an ACL. To configure an ACL permitting traffic from your public IP address:
Step 1: From the left frame, select Additional Tasks.
Step 2: In the Rules tree, select ACL Editor and then Access Rules.
Step 3: Click Add.

Step 1: From the left frame, select Additional Tasks.
Step 2: In the Rules tree, select ACL Editor and then Access Rules.
Step 3: Click Add. The Add a Rule dialog box appears.
Step 4: In the Name/Number field, enter a unique name or number for this rule.
Step 5: In the Description field, enter a description of the rule, such as "VPN Concentrator Traffic."
Step 6: Click Add. The Add an Extended Rule Entry dialog box appears.
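The extended access rule that the NAT passthrough and "VPN Concentrator Traffic" procedures build in the ACL Editor, including the rule about permitting traffic between VPN peers, comes out like the following. This is an added example, not configuration from the Cisco SDM guide; it assumes the outside address is 203.0.113.2, the VPN concentrator is 198.51.100.10, a web server at 192.168.1.10 is published by static NAT, and the wizard's inbound ACL is named FW-OUTSIDE-IN with its "deny ip any any log" at sequence 100.

```cisco
! Added example (not from the Cisco SDM guide). Assumed addresses and ACL name.
! Static NAT publishing the inside server on the router's public address
! (ip nat inside / ip nat outside are assumed to be set on the interfaces).
ip nat inside source static tcp 192.168.1.10 80 203.0.113.2 80 extendable
!
ip access-list extended FW-OUTSIDE-IN
 remark --- VPN Concentrator Traffic: ISAKMP, NAT-T and ESP from the peer only ---
 10 permit udp host 198.51.100.10 eq isakmp host 203.0.113.2 eq isakmp
 11 permit udp host 198.51.100.10 eq non500-isakmp host 203.0.113.2 eq non500-isakmp
 12 permit esp host 198.51.100.10 host 203.0.113.2
 remark --- NAT passthrough ---
 remark The inbound ACL is evaluated before outside-to-inside translation, so it
 remark must match the public (inside global) address, not 192.168.1.10.
 20 permit tcp any host 203.0.113.2 eq www
!
interface Serial0/0/0
 ip access-group FW-OUTSIDE-IN in
```

Scoping the IKE and ESP entries to the concentrator's address matters: "permit udp any any eq isakmp" would expose the router's IKE responder to the whole Internet, and a sequence-less entry would land after the final deny and silently never match.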
How Do I Associate a Rule with an Interface? If you use the Cisco SDM Firewall wizard, the access and inspection rules that you create are automatically associated with the interface for which you created the firewall. If you are creating a rule in Additional Tasks/ACL Editor, you can associate it with an interface from the Add or Edit a Rule window. If you do not associate it with an interface at that time, you can still do so later.
Step 5: Click in the inbound or outbound field, and then click the button to the right.
Step 6: Click None (clear rule association).
Step 7: Click OK.
How Do I Delete a Rule That Is Associated with an Interface? Cisco SDM does not allow you to delete a rule that is associated with an interface; you must first remove the association between the rule and the interface, and then delete the access rule.
Step 1: If you are at the Inspection Rules window, and you have clicked Java List, click the button to the right of the Number field and click Create a new rule (ACL) and select. The Add a Rule window opens. If you are at the Access Rules window, click Add to open the Add a Rule window.
Step 2: From the Add a Rule window, create a standard access rule that permits traffic from the addresses you trust. For example, if you wanted to permit Java applets from hosts 10.
Step 2: Click Edit Firewall Policy/ACL.
Step 3: To display the access rule you need to modify, select the outside (untrusted) interface as the From interface, and the inside (trusted) interface as the To interface. The access rule applied to inbound traffic on the untrusted interface is displayed.
Step 4: To allow a particular type of traffic onto the network that is not already allowed, click Add in the Service area.
CH A P T E R 9 Firewall Policy The Firewall Policy feature lets you view and modify firewall configurations— access rules and CBAC inspection rules—in the context of the interfaces whose traffic they filter. Using a graphical representation of the router and its interfaces, you can choose different interfaces on the router and see whether an access rule or an inspection rule has been applied to that interface. You can also view the details of the rules displayed in the Edit Firewall Policy/ACL window.
Chapter 9 Firewall Policy Edit Firewall Policy/ACL 3. Come to the Firewall Policy window to edit the firewall policy you created. After configuring LAN and WAN interfaces and creating a firewall, you can open this window and get a graphical representation of the policy in a traffic flow. You can view the access rule and inspection rule entries and make any necessary changes.
Chapter 9 Firewall Policy Edit Firewall Policy/ACL Choose a Traffic Flow Traffic flow refers to traffic that enters the router on a specified interface (the from interface) and exits the router on a specified interface (the to interface). The Cisco SDM traffic-flow display controls are located in a row at the top of the Edit Firewall Policy/ACL window. Note There must be a least two configured interfaces on the router.
Chapter 9 Firewall Policy Edit Firewall Policy/ACL Cisco SDM displays interfaces that have IP addresses in alphabetical order in both the From and To drop-down lists. By default, Cisco SDM chooses the first interface in the From list, and the second interface in the To list. Use the From and To drop-down lists to choose a different traffic flow. The chosen traffic flow is displayed in the traffic diagram below the traffic-flow display controls.
Chapter 9 Firewall Policy Edit Firewall Policy/ACL Originating Traffic Click to highlight the traffic flow that enters the router at the From interface and exits the router at the To interface. When this area is highlighted, you can see the details of rules applied in the direction of traffic flow. Returning Traffic Click to highlight the traffic flow that enters the router on the To interface and exits the router on the From interface.
Chapter 9 Firewall Policy Edit Firewall Policy/ACL Rules applied to Originating traffic are indicated by a right arrow. An icon on the From interface traffic line indicates the presence of a rule filtering traffic inbound to the router. An icon placed on the To interface traffic line indicates a rule filtering traffic outbound from the router. If you place the mouse over this icon, Cisco SDM will display the names of the rules that have been applied.
Chapter 9 Firewall Policy Edit Firewall Policy/ACL Service Area Header Fields Firewall Feature Availability If the Cisco IOS image that the router is using supports the Firewall feature, this field contains the value Available. Access Rule The name or number of the access rule whose entries are being displayed. Inspection Rule The name of the inspection rule whose entries are being displayed.
Chapter 9 Firewall Policy Edit Firewall Policy/ACL Cut button Click to remove a chosen access rule entry. The entry is placed on the clipboard and can be pasted to another position in the list, or it can be pasted to another access rule. If you want to reorder an entry, you can cut the entry from one location, choose an entry before or after the location that you want for the cut entry, and click Paste. The Paste context menu allows you to place the entry before or after the entry you chose.
Chapter 9 Firewall Policy Edit Firewall Policy/ACL Service area buttons are disabled if the rule is read-only. A rule is read-only when it contains syntax that Cisco SDM does not support. Read-only rules are indicted by this icon: . If there is an existing standard rule that filters the returning traffic flow to which you are applying the firewall, Cisco SDM informs you that it will convert the standard access rule to an extended rule.
Field / Description / Icons

Option: Options configured using the CLI. No icons.

Description: Any description provided. No icons.

To make changes to inspection rules, see Make Changes to Inspection Rules. To return to the main Firewall Policy window description, see Edit Firewall Policy/ACL.

Make Changes to Inspection Rules

The Applications area appears if the Cisco IOS image running on the router supports CBAC Inspection rules.

This icon appears when two inspection rules are found in the chosen traffic direction. Cisco SDM also displays a warning dialog, giving you the opportunity to dissociate one of the inspection rules from the interface.

Application Area Controls

The following is a list of Application area controls:

Add—Click to add an inspection rule.
To return to the main Firewall Policy window description, see Edit Firewall Policy/ACL.

Add App-Name Application Entry

Use this window to add an application entry that you want the Cisco IOS firewall to inspect.

Alert Action: Choose one of the following:
• default-on—Leave as default. Default value is on.
• on—Enable alert.
• off—Disable alert.

Audit Action: Choose one of the following:
• default-off—Leave as default. Default value is off.

Alert Action: Choose one of the following:
• default-on—Leave as default. Default value is on.
• on—Enable alert.
• off—Disable alert.

Audit Action: Choose one of the following:
• default-off—Leave as default. Default value is off.
• on—Enable audit trail.
• off—Disable audit trail.

Timeout: Specify how long the router should wait before blocking return traffic for this protocol or application. The field is prefilled with the default value.

Alert Action: Choose one of the following:
• default(on)—Leave as default. Default value is on.
• on—Enable alert.
• off—Disable alert.

Audit Action: Choose one of the following:
• default(off)—Leave as default. Default value is off.
• on—Enable audit trail.
• off—Disable audit trail.

Timeout: Specify how long the router should wait before blocking return traffic for this protocol or application. The field is prefilled with the default value.

Audit Action: Choose one of the following:
• default-off—Leave as default. Default value is off.
• on—Enable audit trail.
• off—Disable audit trail.

Timeout: Specify how long the router should wait before blocking return traffic for this protocol or application. The field is prefilled with the default value.

Hosts/network for Java applet download: The source hosts or networks whose applet traffic is to be inspected.

Type: Choose one of the following:
• A Network—If you choose this, provide a network address in the IP address field. Note that the wildcard mask enables you to enter a network number that may specify multiple subnets.
• A Host Name or IP Address—If you choose this, provide a host IP address or host name in the next field.
• Any IP address—If you choose this, the action you specified is to apply to any host or network.
Chapter 9 Firewall Policy
Edit Firewall Policy

• Keep inspection rule name on inbound, and dissociate inspection rule name on outbound—Cisco SDM will keep one inspection rule, and dissociate the rule from the other interface.
• Keep inspection rule name on outbound and dissociate inspection rule name on inbound—Cisco SDM will keep one inspection rule, and dissociate the rule from the other interface.

• Expanding and Collapsing the Display of a Policy
• Adding a New Rule to a Policy
• Adding a New Zone Policy
• Reordering Rules Within a Policy
• Copying and Pasting a Rule
• Displaying the Rule Flow Diagram
• Applying Your Changes
• Discarding Your Changes

Things You Must Do Before Viewing Information in This Window

This window is empty if no zone, zone-pairs, or policy maps have been configured.
Traffic Classification / Action / Rule Options

1  tcp, udp, icmp     Permit
2  Unmatched Traffic  Drop

The policy named clients-servers-policy contains two ACLs. The rule with the ID 1 permits TCP, UDP, and ICMP traffic from any source to any destination. The rule with the ID 2 drops any unmatched traffic.
Step 3 Specify the destination zone by clicking the button to the right of the Destination Zone field and selecting an existing zone or creating a new zone. Make settings in the other fields of the Add a Rule window. See Add a New Rule for more information.

Reordering Rules Within a Policy

If a policy contains more than one rule that permits traffic, you can reorder them by selecting a rule and clicking the Move Up button or the Move Down button.

Applying Your Changes

To send your changes to the router, click Apply Changes at the bottom of the screen.

Discarding Your Changes

To discard changes that you have made but have not sent to the router, click Discard Changes at the bottom of the screen.

Add a New Rule

Define a traffic flow and specify protocols to inspect in the Add a Rule window. Complete the following steps to add a new rule.

Step 5 Reorder an entry if necessary by selecting it and clicking Move Up or Move Down. The Move Up button is disabled when the selected entry is already at the top of the list. The Move Down button is disabled when the selected entry is already at the bottom of the list.

Step 6 Enter a name that describes the protocols or services that you are identifying for inspection in the Service Name field.
Source Host/Network and Destination Host/Network

Specify the source and the destination of the traffic in these fields.

Type: Choose one of the following values:
• Any IP Address—Choose if you do not want to limit the source or destination traffic to any host or network.
• A Network—Choose if you want to specify a network address as the source or destination, and specify the network address in the IP Address and Wildcard Mask fields.
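The Type choices above (and the same choices in the Add App-Name Application Entry window) map onto the address and wildcard-mask pair that an IOS access rule entry carries. The following is an added Python example, not Cisco SDM code, showing how such an entry matches an address (a wildcard bit of 1 is ignored, which is why one entry can cover several subnets) and how a list of entries is evaluated first match first, ending in the implicit deny. The rule list, addresses and helper names are constructed for this example.

```python
"""Added example, not Cisco SDM code: how an IOS-style access rule entry
matches traffic using the Type choices above (any address, a network with a
wildcard mask, or a single host), and first-match evaluation of a rule list.
All addresses and rules below are constructed sample data."""
import ipaddress

# "Any IP Address": every wildcard bit set, so no address bit is compared.
ANY = ("0.0.0.0", "255.255.255.255")


def host(ip):
    """'A Host Name or IP Address': a single address, wildcard 0.0.0.0."""
    return (ip, "0.0.0.0")


def network(ip, wildcard):
    """'A Network': address plus wildcard mask.  A wildcard bit of 1 means
    'do not care', so 0.0.0.255 covers a /24; a non-contiguous mask can
    select several subnets with one entry."""
    return (ip, wildcard)


def matches(addr, spec):
    """True if addr matches the (address, wildcard) pair."""
    a = int(ipaddress.IPv4Address(addr))
    base = int(ipaddress.IPv4Address(spec[0]))
    wild = int(ipaddress.IPv4Address(spec[1]))
    care = 0xFFFFFFFF ^ wild          # bits that must be equal
    return (a & care) == (base & care)


def evaluate(rules, proto, src, dst):
    """First matching entry decides; an access list ends with an implicit
    deny, so traffic matching no entry is denied."""
    for action, rule_proto, rule_src, rule_dst in rules:
        if rule_proto in ("ip", proto) and matches(src, rule_src) and matches(dst, rule_dst):
            return action
    return "deny"


# Constructed sample access rule: (action, protocol, source, destination)
RULES = [
    ("permit", "tcp", network("10.1.1.0", "0.0.0.255"), host("192.0.2.10")),
    ("permit", "icmp", ANY, ANY),
    ("deny", "ip", ANY, ANY),
]
```

The wildcard 0.0.254.255 in the test below is the case the text alludes to: it clears only bit 0 of the third octet, so the one entry matches 10.1.1.0/24, 10.1.3.0/24, 10.1.5.0/24 and so on, but not 10.1.2.0/24. Entries like that are easy to misread during review, so prefer contiguous masks unless the multi-subnet match is intended.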
For example, to create a new policy map for Instant Messaging, check the box next to IM, click the button next to the IM field, and choose Create. Then, create the policy map in the Configure Deep Packet Inspection dialog.

URL Filter: Add a URL filter by choosing an existing URL filter from the URL Filter Name list, or by clicking Create New and making a new URL filter in the dialogs displayed.
Delete Rule

This dialog is displayed when you delete a rule that contains a class map or ACL that you might want to delete along with the rule or keep for use in other rules.

Automatically delete class maps and ACLs used by this rule: Click this option to remove the class maps and ACLs that are part of this rule. They will be removed from the router configuration and not be available for use by other rules.

Manually Deleting ACLs

To manually delete an ACL, complete the following steps.

Step 1 Go to Configure > Additional Tasks > ACL Editor.

Step 2 Click the node for the type of ACL that you are deleting.

Step 3 Select the name or number of the ACL that was displayed in the View Details window and click Delete.
Chapter 10 Application Security

Application Security allows you to create security policies to govern the use of network and web applications. You can apply the policies that you create to specific interfaces, clone an existing policy to leverage the settings for a new policy, and remove policies from the router.

Application Security Windows

Policy Name List: Select the policy that you want to modify from this list. If no policies are configured, this list is empty, and the Application Security window displays a message that indicates no policies are available on the router. To create a policy, click the Action button, and choose Add.

Application Security Buttons
• Action button—Click to add a policy, delete the chosen policy, or clone the chosen policy.

HTTP Drawer: Click to make changes to HTTP security settings. Click HTTP for more information.

Applications/Protocols Drawer: Click to make changes to the security settings of other applications and protocols. Click Applications/Protocols for more information.

No Application Security Policy

Cisco SDM displays this window when you click the Application Security tab, but no Application Security policy is configured on the router.
E-mail

Global Settings

Global settings provide the default timeouts, thresholds, and other values for policy parameters. Cisco SDM provides defaults for each parameter, and you can change each value to define a new default that will apply unless overridden for a specific application or protocol. When you are creating a policy, you can accept the default value for a particular parameter, or choose another setting.
Instant Messaging

Options Column: This column can contain fields if other settings for the chosen application exist.

MAX Data Field: Specifies the maximum number of bytes (data) that can be transferred in a single Simple Mail Transport Protocol (SMTP) session. After the maximum value is exceeded, the firewall logs an alert message and closes the session. Default value: 20 MB.

Secure login Checkbox: Causes a user at a nonsecure location to use encryption for authentication.
Peer-to-Peer Applications

the router to block these applications, check the Send Alarm checkbox next to the IM applications to reveal the names of the servers to which the applications connect. Then, use the CLI to block traffic from these servers. The following example uses the server name newserver.yahoo.com:

Router(config)# appfw policy-name SDM_HIGH
Router(cfg-appfw-policy)# application im yahoo
Router(cfg-appfw-policy-ymsgr)# server deny name newserver.yahoo.com
URL Filtering

Note
• Peer-to-peer applications are able to communicate over nonnative protocol ports, such as HTTP, and through their native TCP and UDP ports. Cisco SDM configures block and permit actions based on the native port for the application, and always blocks communication conducted over HTTP ports.
• Application security policies will not block files if they are being provided by a paid service such as altnet.com.

HTTP

Specify general settings for HTTP traffic inspection in this window. To learn about the buttons and drawers available in the Application Security tab, click Application Security Windows. Click Permit, Block, and Alarm Controls to learn how to specify the action that the router takes when it encounters traffic with the characteristics that you specify in this window.

Enable HTTP inspection checkbox: Check if you want the router to inspect HTTP traffic. If you want to block traffic from Java applications, you can specify a Java blocking filter by clicking the ... button and either specifying an existing ACL, or creating a new ACL for Java inspection.

Enable HTTPS inspection checkbox: Check if you want the router to inspect HTTPS traffic.

Set maximum header length checkbox: Check if you want the router to permit or deny traffic based on HTTP header length, and specify the maximum Request and maximum Response header length. Use the Permit, Block, and Alarm controls to specify the action the router takes if header length exceeds these lengths.

Set Content Length checkbox: Check this box to set a minimum and maximum length for the data in an HTTP packet, and enter the values in the fields provided. Use the Permit, Block, and Alarm controls to specify the action the router takes if the amount of data falls below the minimum length or when it exceeds the maximum length.
Applications/Protocols

This window allows you to create policy settings for applications and protocols that are not found in the other windows. To learn about the buttons and drawers available in the Application Security tab, click Application Security Windows.

Applications/Protocols Tree: The Applications/Protocols tree enables you to filter the list on the right according to the type of applications and protocols that you want to view.

Options Column: This column can contain fields if other settings were made for the chosen item.

MAX Data: Specifies the maximum number of bytes (data) that can be transferred in a single Simple Mail Transport Protocol (SMTP) session. After the maximum value is exceeded, the firewall logs an alert message and closes the session. Default value: 20 MB.

Secure login: Causes a user at a nonsecure location to use encryption for authentication.

TCP FIN Wait Timeout Value: Amount of time that a TCP session will still be managed after the firewall detects a FIN exchange. The default value is 5 seconds.

TCP Idle Timeout Value: Amount of time that a TCP session will still be managed after no activity has been detected. The default value is 3600 seconds.

UDP Idle Timeout Value: Amount of time that a User Datagram Protocol (UDP) session will still be managed after no activity has been detected.
Maximum incomplete session thresholds: These fields let you specify the threshold values for the total number of existing half-open sessions.

Low: Stop deleting new connections after the number of new connections drops below this value. The default value is 400 sessions for Cisco IOS releases older than 12.4(11)T. When a Low value is not explicitly set, Cisco IOS will stop deleting new sessions when the number of sessions drops to 400.
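The Low value works as the lower of a pair of watermarks: once the number of half-open sessions reaches the high threshold the firewall starts deleting old half-open sessions to make room for each new one, and it stops doing so only when the count falls back below Low. The following added Python simulation, which is not Cisco SDM or Cisco IOS code, shows that hysteresis. The Low default of 400 is from this page; the high default of 500 used here is an assumption about the Cisco IOS default, and the session counts and class name are constructed.

```python
"""Added example, not Cisco SDM or Cisco IOS code: the high/low watermark
("aggressive mode") behaviour behind the maximum incomplete session
thresholds.  low=400 is the page's default; high=500 is an assumed default."""


class HalfOpenGuard:
    def __init__(self, high=500, low=400):
        if low >= high:
            raise ValueError("low threshold must be below high threshold")
        self.high = high
        self.low = low
        self.half_open = 0          # current number of embryonic sessions
        self.aggressive = False     # True while old half-open sessions are being deleted
        self.deleted = 0            # how many half-open sessions were dropped early

    def new_half_open(self) -> bool:
        """A new SYN is seen with no handshake completed yet.  Returns True if
        the firewall had to delete an existing half-open session for it."""
        if not self.aggressive and self.half_open >= self.high:
            self.aggressive = True
        dropped = False
        if self.aggressive and self.half_open > 0:
            self.half_open -= 1     # drop the oldest half-open session
            self.deleted += 1
            dropped = True
        self.half_open += 1
        return dropped

    def session_closed(self) -> bool:
        """A half-open session completed its handshake or timed out.
        Deletion stops only once the count falls below the low watermark;
        returns whether the firewall is still deleting."""
        if self.half_open > 0:
            self.half_open -= 1
        if self.aggressive and self.half_open < self.low:
            self.aggressive = False
        return self.aggressive
```

The gap between the two values is what prevents the firewall from flapping in and out of deletion mode around a single threshold; setting Low close to the high value defeats that purpose.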
Associate Policy with an Interface

In this window, select the interface to which you want to apply the selected policy. Also specify whether the policy is to apply to incoming traffic, to outgoing traffic, or to traffic in both directions.

Timeout Field: Enter the number of seconds that a session for this application should be managed after no activity has been detected. The timeout value that you enter sets the TCP Idle Timeout value if this is a TCP application, or the UDP timeout value if this is a UDP application.

Other Options: Certain applications can have additional options set. Depending on the application, you may see the options described next.
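The per-application Timeout, the TCP and UDP idle timeouts and the TCP FIN wait timeout all feed one decision: when an inspected session is removed from the firewall's session table, after which returning traffic for it is no longer allowed through. The following added Python example, which is not Cisco SDM code, is a minimal session table that applies those timers. The TCP FIN wait (5 seconds) and TCP idle (3600 seconds) defaults are from this page; the UDP idle value of 30 seconds, the per-application override for dns, and the session keys are constructed for the example.

```python
"""Added example, not Cisco SDM code: a minimal stateful-inspection session
table that ages out sessions with the timers described on this page.
Constructed values are marked in the comments."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    proto: str                            # "tcp" or "udp"
    app: str                              # application name, e.g. "http"
    last_seen: float                      # time of the last packet in either direction
    fin_seen_at: Optional[float] = None   # when a TCP FIN exchange was detected


class SessionTable:
    def __init__(self, tcp_idle=3600, udp_idle=30, tcp_fin_wait=5,
                 app_timeouts=None):
        # tcp_idle=3600 and tcp_fin_wait=5 are the defaults stated on the page;
        # udp_idle=30 is a constructed value for this example.
        self.tcp_idle = tcp_idle
        self.udp_idle = udp_idle
        self.tcp_fin_wait = tcp_fin_wait
        # The per-application Timeout field overrides the protocol idle timeout.
        self.app_timeouts: Dict[str, float] = dict(app_timeouts or {})
        self.sessions: Dict[str, Session] = {}

    def idle_limit(self, s: Session) -> float:
        if s.app in self.app_timeouts:
            return self.app_timeouts[s.app]
        return self.tcp_idle if s.proto == "tcp" else self.udp_idle

    def packet(self, key: str, proto: str, app: str, now: float,
               fin: bool = False) -> None:
        """Record a packet: create the session on first sight, refresh its
        idle timer, and start the FIN-wait timer on the first FIN."""
        s = self.sessions.get(key)
        if s is None:
            s = Session(proto, app, now)
            self.sessions[key] = s
        s.last_seen = now
        if fin and proto == "tcp" and s.fin_seen_at is None:
            s.fin_seen_at = now

    def expire(self, now: float) -> List[str]:
        """Drop sessions whose timer has run out and return their keys.
        A session that saw a FIN is kept only for tcp_fin_wait seconds,
        regardless of its idle timer."""
        gone = []
        for key, s in self.sessions.items():
            if s.fin_seen_at is not None and now - s.fin_seen_at >= self.tcp_fin_wait:
                gone.append(key)
            elif now - s.last_seen >= self.idle_limit(s):
                gone.append(key)
        for key in gone:
            del self.sessions[key]
        return gone
```

Shortening the idle timeout for a chatty UDP application, as the Timeout field allows, limits how long a stale pinhole stays open for return traffic; lengthening the TCP idle timeout keeps long-lived sessions alive but lets abandoned ones occupy table space for longer.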
Logging must be enabled for Application Security to send alarms to the log. For more information go to this link: Application Security Log.
Chapter 11 Site-to-Site VPN

The help topics in this section describe the Site-to-Site VPN configuration screens, and the VPN Design Guide screens.

VPN Design Guide

If you are an administrator setting up a VPN network, the VPN Design Guide helps you to determine which kind of VPN to configure.

Create Site to Site VPN

If you want to learn more about VPN technology, there is background information at the link More About VPN.

Create a Site-to-Site VPN: This option allows you to create a VPN network connecting two routers.

Create a Secure GRE Tunnel (GRE-over-IPSec): This option allows you to configure a generic routing encapsulation protocol (GRE) tunnel between your router and a peer system.

If you want to: Find out how to perform other VPN-related tasks that this wizard does not guide you through.
Do this:
If you want to: Configure an Easy VPN concentrator.
Do this: Configuration instructions for Easy VPN servers and concentrators are available on www.cisco.com. The following link provides guidelines to use when configuring a Cisco VPN 3000 series concentrator to operate with an Easy VPN Remote Phase II client, and other information which you might find useful: http://www.cisco.
What do you want to do?

If you want to: Quickly configure a site-to-site VPN using Cisco SDM-provided defaults.
Do this: Check Quick setup, and then click Next. Cisco SDM will automatically provide a default IKE policy to govern authentication, a default transform set to control the encryption of data and a default IPSec rule that will encrypt all traffic between the router and the remote device.

VPN Connection Information

Use this window to identify the IP address or host name of the remote site that will terminate the VPN tunnel that you are configuring, to specify the router interface to use, and to enter the pre-shared key that both routers will use to authenticate each other.

Select the interface for this VPN Connection: Select the interface on this router that connects to the remote site.
Enter the pre-shared key, and then reenter it for confirmation. Exchange the pre-shared key with the administrator of the remote site through some secure and convenient method, such as an encrypted e-mail message. Question marks (?) and spaces must not be used in the pre-shared key. The pre-shared key can contain a maximum of 128 characters.

Note
• The characters you enter for the pre-shared key are not displayed in the field as you enter them.

Details: Click this button to obtain details about the interface you selected. The details window shows any access rules, IPSec policies, Network Address Translation (NAT) rules, or Inspection rules associated with the interface. To examine any of these rules in more detail, go to Additional Tasks/ACL Editor, and examine them in the Rules windows.

Destination IP address and Subnet Mask.

Encryption: Cisco SDM supports a variety of encryption types, listed in order of security. The more secure an encryption type is, the more processing time it requires.

Note
• Not all routers support all encryption types. Unsupported types will not appear in the screen.
• Not all IOS images support all the encryption types that Cisco SDM supports. Types unsupported by the IOS image will not appear in the screen.
D-H Group: The Diffie-Hellman Group—Diffie-Hellman is a public-key cryptography protocol that allows two routers to establish a shared secret over an unsecure communications channel. Cisco SDM supports the following groups:
• group1—D-H Group 1. 768-bit D-H Group.
• group2—D-H Group 2. 1024-bit D-H Group. This group provides more security than group 1, but requires more processing time.
• group5—D-H Group 5. 1536-bit D-H Group.
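The D-H Group setting selects the modulus used by the Diffie-Hellman exchange that IKE runs to agree the shared secret. The following added Python example, which is not Cisco SDM code, walks through that exchange for two routers. To keep the arithmetic readable it uses a constructed 127-bit prime as the modulus rather than the 768-, 1024- or 1536-bit MODP primes of groups 1, 2 and 5; the larger the modulus, the more each modular exponentiation costs, which is the trade-off the text describes. It also shows the range check a receiver should apply to a peer's public value before using it. Function names and the toy parameters are my choices.

```python
"""Added example, not Cisco SDM code: the Diffie-Hellman exchange selected by
the IKE policy's D-H Group.  P below is a constructed 127-bit Mersenne prime
used so the values stay small; real groups 1, 2 and 5 use 768-, 1024- and
1536-bit MODP primes."""
import secrets

P = 2**127 - 1     # constructed toy modulus (prime), NOT an IKE group modulus
G = 2              # generator


def keypair(p=P, g=G):
    """Private exponent in [2, p-2] and the public value g^priv mod p."""
    priv = secrets.randbelow(p - 3) + 2
    return priv, pow(g, priv, p)


def check_peer_value(pub, p=P):
    """A peer's public value must lie strictly between 1 and p-1; the values
    0, 1 and p-1 would force the shared secret to a predictable value, so a
    receiver rejects them instead of completing the exchange."""
    if not 1 < pub < p - 1:
        raise ValueError("peer public value out of range")
    return pub


def shared_secret(my_priv, peer_pub, p=P):
    return pow(check_peer_value(peer_pub, p), my_priv, p)


def exchange(p=P, g=G):
    """Both sides of the exchange.  Only a_pub and b_pub cross the network;
    the private exponents a and b never leave their routers."""
    a, a_pub = keypair(p, g)                # router A
    b, b_pub = keypair(p, g)                # router B
    secret_a = shared_secret(a, b_pub, p)   # A computes b_pub^a mod p
    secret_b = shared_secret(b, a_pub, p)   # B computes a_pub^b mod p
    return secret_a, secret_b
```

Because the exchange alone does not authenticate either side, IKE combines it with the pre-shared key (or certificates) configured elsewhere in this wizard; the group only determines how hard the resulting secret is to recover from the public values.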
Transform Set

This window lists the Cisco SDM-default transform sets and the additional transform sets that have been configured on this router. These transform sets will be available for use by the VPN or DMVPN. A transform set represents a certain combination of security protocols and algorithms. During the IPSec security association negotiation, the peers agree to use a particular transform set for protecting a particular data flow.

AH Authentication: The type of Authentication Header (AH) authentication used. If AH authentication is not configured for this transform set, this column will be empty.

IP Compression: If IP compression is configured for this transform set, this field contains the value COMP-LZS.

Note: IP compression is not supported on all routers.

Mode: This column contains one of the following:
• Transport—Encrypt data only.

If you want to: Edit an existing transform set.
Do this: Select a transform set, and click Edit. Then, edit the transform set in the Edit Transform Set window. After editing the transform set, click Next to continue VPN configuration. Cisco SDM Default transform sets are read only and cannot be edited.

If you want to: Associate additional transform sets with this VPN.
Do this: Select one transform set in this window, and complete the VPN wizard.

All traffic going to the hosts in this subnet will be protected.

Create/Select an access-list for IPSec traffic: Use this option if you need to specify multiple sources and destinations, and/or specific types of traffic to encrypt. An IPSec rule can consist of multiple entries, each specifying different traffic types and different sources and destinations.
Test the connectivity after configuring: Click to test the VPN connection you have just configured. The results of the test will be shown in another window.

To save this configuration to the router's running configuration and leave this wizard: Click Finish. Cisco SDM saves the configuration changes to the router's running configuration. The changes will take effect immediately, but will be lost if the router is turned off.
Secure GRE Tunnel (GRE-over-IPSec)

Generic routing encapsulation (GRE) is a tunneling protocol developed by Cisco that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote points over an IP internetwork.

Tunnel Destination: Enter the IP address of the interface on the remote router at the other end of the tunnel. This is the source interface from the point of view of the other end of the tunnel. Make sure that this address is reachable by using the ping command. The ping command is available from the Tools menu. If the destination address cannot be reached, the tunnel will not be created properly.

Note
• The characters that you enter for the pre-shared key are not displayed in the field as you enter them. You may find it helpful to write down the key before you enter it so that you can communicate it to the administrator of the remote system.
• Pre-shared keys must be exchanged between each pair of IPSec peers that need to establish secure tunnels.
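The pre-shared key rules stated in this chapter (no question marks or spaces, at most 128 characters) are easy to check before the key is typed into both routers, and the note above about writing the key down is a reminder that the key is only as strong as its length and randomness. The following added Python example, which is not Cisco SDM code, validates a candidate key against those rules and generates a random key that satisfies them. The default length of 32, the character set and the function names are my choices.

```python
"""Added example, not Cisco SDM code: validate an IKE pre-shared key against
the rules stated on this page and generate one that satisfies them."""
import math
import secrets
import string

MAX_LEN = 128                # page: at most 128 characters
FORBIDDEN = frozenset("? ")  # page: no question marks or spaces
# Printable ASCII without the forbidden characters (constructed choice).
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in FORBIDDEN)


def validate_psk(key: str):
    """Return None if the key is acceptable, otherwise a short reason."""
    if not key:
        return "key is empty"
    if len(key) > MAX_LEN:
        return "key is longer than %d characters" % MAX_LEN
    bad = sorted(FORBIDDEN & set(key))
    if bad:
        return "key contains forbidden character(s): " + ", ".join(repr(c) for c in bad)
    return None


def generate_psk(length: int = 32) -> str:
    """Random key drawn with the secrets module; length 32 is an assumption."""
    if not 1 <= length <= MAX_LEN:
        raise ValueError("length must be between 1 and %d" % MAX_LEN)
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int) -> float:
    """Bits of entropy in a key of this length drawn uniformly from ALPHABET."""
    return length * math.log2(len(ALPHABET))
```

A generated 32-character key carries roughly 209 bits of entropy, far more than a memorable phrase; since both administrators must enter the same value, generate it once, validate it, and exchange it over the secure channel the text recommends rather than retyping it from memory.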
Create a backup secure GRE tunnel for resilience: Check this box if you want to create a backup tunnel.

IP address of the backup GRE tunnel's destination: Enter the IP address of the interface on the remote router at the other end of the tunnel. (This is the source interface from the point of view of the other end of the tunnel.) Make sure that this address is reachable by using the ping command. The ping command is available from the Tools menu.

EIGRP: Check this box to use the Enhanced Interior Gateway Routing Protocol (EIGRP) protocol to route traffic. Then click Next to specify which networks will participate in the GRE-over-IPSec VPN in the Routing Information window.

OSPF: Check this box to use the Open Shortest Path First protocol (OSPF) to route traffic. Then click Next to specify which networks will participate in the GRE-over-IPSec VPN in the Routing Information window.

• Tunnel all traffic—All traffic will be routed through the tunnel interface and encrypted. Cisco SDM creates a default static route entry with the tunnel interface as the next hop.

When split tunneling is selected, the IP Address and Subnet Mask fields will appear, requiring you to enter the IP Address and Subnet Mask of the destination peer. You must ensure that the destination IP address entered in the Tunnel Destination field of the GRE Tunnel Information window is reachable. If it is not reachable, no tunnel will be established.

IP Address: Enabled with split tunneling.
Edit Site-to-Site VPN

Summary of Configuration

This screen summarizes the GRE configuration that you have completed. You can review the information in this screen and click the back button to return to any screen in which you want to make changes. If you want to save the configuration, click Finish. GRE tunnel configuration creates an IPSec rule that specifies which hosts the GRE traffic will be allowed to flow between. This IPSec rule is displayed in the summary.

Status column: The status of the connection, which is indicated by the following icons:
The connection is up.
The connection is down.
The connection is being established.

Interface: The router interface that is connected to the remote peers in this VPN connection. An interface can be associated with only one IPSec policy.

Transform Set: This shows the name of the transform set used by this VPN connection. Multiple transform set names are separated by commas. A transform set specifies the algorithms that will be used to encrypt data, ensure data integrity, and provide data compression. Both peers must use the same transform set, and they negotiate to determine which set they will use.
Generate Mirror... button: Click to create a text file that captures the VPN configuration of the local router so that a remote router can be given a VPN configuration that enables it to establish a VPN connection to the local router. This button is disabled if you have selected a dynamic site-to-site VPN tunnel.
Note: Adding a crypto map to an existing IPSec policy is the only way to add a VPN tunnel to an interface that is already being used in an existing VPN connection.

Interface: This is the interface used in this VPN connection.

IPSec Policy: This is the name of the IPSec policy controlling the VPN connection. The crypto maps making up the IPSec policy are shown in the list below this field.

Crypto Map Wizard: Summary of the configuration

The Cryptomap wizard summary page displays the data you entered in the wizard windows. You can review it, click Back to return to a screen to make changes, and then return to the Summary window and click Finish to deliver the cryptomap configuration to the router.

Ping

You can ping a peer device in this window. You can select both the source and destination of the ping operation. You may want to ping a remote peer after you reset a VPN tunnel.

Source: Select or enter the IP address where you want the ping to originate. If the address you want to use is not in the list, you can enter a different one in the field. The ping can originate from any interface on the router.

To create a text file of the IPSec policy: Click Save, and specify a name and location for the text file. You can give this text file to the administrator of the peer device so that he or she can create a policy that mirrors the one you created on the router. Click After Configuring a VPN, How Do I Configure the VPN on the Peer Router? to learn how to use the text file to create a mirror policy.
Rule Type: The type of NAT rule, either Static or Dynamic.

To make the listed NAT rules use route maps: Click OK.

How Do I...

This section contains procedures for tasks that the wizard does not help you complete.

How Do I Create a VPN to More Than One Site?

You can use Cisco SDM to create multiple VPN tunnels on one interface on your router. Each VPN tunnel will connect the selected interface on your router to a different subnet at the destination router.

Step 6 From the Select the Router Interface for this VPN Connection field, choose the interface on the source router on which to create the VPN tunnel. This is the interface connected to the Internet on the Local system in the Use Case Scenario diagram.

Step 7 In the Peer Identity field, enter the IP address of the destination router interface.

Step 8 In the Authentication fields, enter and reenter the pre-shared key that the two VPN peers will use.

same interface on the destination router as the initial VPN connection. If you do not want both VPN connections to connect to the same destination interface, enter the IP address of a different interface on the destination router.

Step 8 In the Authentication fields, enter and reenter the pre-shared key that the two VPN peers will use.

Step 9 In the Source field, select the same interface used to create the initial VPN connection.

Step 3 Select the VPN connection that you want to use as a template, and click Generate Mirror. Cisco SDM displays the Generate Mirror screen.

Step 4 From the Peer Device field, select the IP address of the peer device for which you want to generate a suggested configuration. The suggested configuration for the peer device appears on the Generate Mirror screen.

Step 5 Click Save to display the Windows Save File dialog box, and save the file.

Step 4 Click Add.

Step 5 Select Static crypto maps to

Step 6 In the Add static crypto maps window, you can add more crypto maps to the VPN connection.

Step 7 If you need to modify any of the components of the connection, such as the IPSec policy or the existing crypto map, note the names of those components in the VPN window, and go to the appropriate windows under VPN Components to make changes.
If you are viewing IKE SA information, you can verify that your VPN connection is working by verifying that the source and destination IP addresses are correct, and that the state is "QM_IDLE," indicating that the connection has been authenticated and that data transfer can take place.

How Do I Configure a Backup Peer for My VPN?

To configure multiple VPN peers inside a single crypto map:

Step 1 From the left frame, select VPN.

Step 1 From the left frame, select VPN.

Step 2 From the VPN tree, select VPN Components, and then IPSec Policies.

Step 3 In the IPSec Policies table, click the IPSec policy that contains the crypto map to which you want to add another transform set.

Step 4 Click Edit. The Edit IPSec Policy dialog box appears.

Step 5 In the "Crypto Maps in this IPSec Policy" table, click the crypto map to which you want to add another transform set.

Step 6 Click Edit.

How Do I Configure a VPN After I Have Configured a Firewall?

In order for a VPN to function with a firewall in place, the firewall must be configured to permit traffic between the local and remote peer IP addresses. Cisco SDM creates this configuration by default when you configure a VPN configuration after you have already configured a firewall.

Step 10 In the IP Address and Wildcard Mask fields, enter the IP address and subnet mask of the VPN source peer.

Step 11 In the Destination Host/Network group, from the Type field, select A Network.

Step 12 In the IP Address and Wildcard Mask fields, enter the IP address and subnet mask of the VPN destination peer.

Step 13 In the Description field, enter a short description of the network or host.

Step 14 Click OK.
CH A P T E R 12 Easy VPN Remote Cable modems, xDSL routers, and other forms of broadband access provide high-performance connections to the Internet, but many applications also require the security of VPN connections that perform a high level of authentication and that encrypt the data between two particular endpoints.
Chapter 12 Easy VPN Remote Creating an Easy VPN Remote Connection • Authenticating users, that is, ensuring that users are who they say they are by way of usernames, group names, and passwords. • Managing security keys for encryption and decryption. Cisco SDM provides a wizard that guides you through Easy VPN Remote configuration. You can also edit an existing configuration using Easy VPN Remote edit screens.
Step 8 Cisco SDM displays the Summary screen when you have completed the configuration. Review the configuration. If you need to make changes, click Back to return to the screen in which you need to make changes, then return to the Summary screen. Step 9 If you want to test the connection after sending the configuration to the router, check Test the connectivity after configuring.
Create Easy VPN Remote Cisco SDM allows you to configure your router as a client to an Easy VPN server or concentrator. Your router must be running a Cisco IOS software image that supports Easy VPN Phase II. The Create Easy VPN Remote tab enables you to launch the Easy VPN Remote wizard. To be able to complete the configuration, you must have the following information ready.
Configure an Easy VPN Remote Client This wizard guides you through the configuration of an Easy VPN Remote Phase II Client. Note If the router is not running a Cisco IOS image that supports Easy VPN Remote Phase II or later, you will not be able to configure an Easy VPN client.
Table 12-2 Network Information Fields (continued) Element Description Device Reachability Do you have devices at your client location that must be reached from the server-side networks or other client locations? Yes—Click Yes if there are devices on the local network, such as printers, that must be reached from networks that the router connects to through the Easy VPN server.
Table 12-3 Identical Address Configuration Fields (continued) Element Description Non Accessible Devices IP Address Enter the IP address that you reserved for non accessible devices in this field. This IP address must be in the same subnet as the device global IP addresses.
Table 12-4 Interfaces and Connection Settings Fields Element Description Interfaces Choose the inside and outside interfaces in this box. Check boxes Check the inside (LAN) interfaces that serve the local networks that you want to include in this Easy VPN configuration.
Table 12-4 Interfaces and Connection Settings Fields (continued) Element Description Automatically With the automatic setting, the VPN tunnel is established automatically when the Easy VPN configuration is delivered to the router configuration file. However, you will not be able to control the tunnel manually in the VPN Connections window. The Connect or Disconnect button is disabled when this Easy VPN connection is chosen.
Field Reference Table 12-5 describes the fields in this screen. Table 12-5 Server Information Fields Element Description Easy VPN Servers Easy VPN Server 1 Enter the IP address or the hostname of the primary Easy VPN server or concentrator to which the router will connect.
Table 12-5 Server Information Fields (continued) Element Description If you choose Network Extension, you can enable remote management of the router by checking the box to request a server-assigned IP address for your router. This IP address can be used for connecting to your router for remote management and troubleshooting (ping, Telnet, and Secure Shell).
Table 12-6 Authentication Screen Fields Element Description Device Authentication Authentication Choose Digital Certificate or Preshared Key. Digital Certificate If you choose Digital Certificate, a digital certificate must be configured on the router for this connection to use. Note The Digital Certificates option is available only if supported by the Cisco IOS image on your router.
Table 12-6 Authentication Screen Fields (continued) Element Description Save XAuth Credentials to this router The Easy VPN server may use XAuth to authenticate the router. If the server allows the save password option, you can use this option to avoid entering the username and password each time the Easy VPN tunnel is established. Credentials saved this way are stored in the router configuration, so anyone who can read the configuration can reuse them; leave this option unchecked unless access to the configuration is tightly controlled.
Chapter 12 Easy VPN Remote Administering Easy VPN Remote Connections Control: Auto Mode: Client Outside Interface: BVI222 Inside Interfaces: Dialer0 You can review the configuration in this window and click the Back button to change any items. Clicking the Finish button writes the information to the router’s running configuration, and, if the tunnel has been configured to operate in automatic mode, the router attempts to contact the VPN concentrator or server.
• Editing an Existing Easy VPN Remote Connection • Creating a New Easy VPN Remote Connection • Deleting an Easy VPN Remote Connection • Resetting an Established Easy VPN Remote Connection • Connecting to an Easy VPN Server • Connecting other Subnets to the VPN Tunnel • Administering Easy VPN Remote Reference Editing an Existing Easy VPN Remote Connection Follow these steps to edit an existing Easy VPN Remote connection: Ste
Step 3 In the VPN tree, choose Easy VPN Remote. Step 4 Click the Edit Easy VPN Remote tab. Step 5 Click Add. Step 6 Make settings in the Add Easy VPN Remote dialog tabs. Step 7 Click OK to send the changes to the router and close the dialog. Deleting an Easy VPN Remote Connection Follow these steps to delete an Easy VPN Remote connection: Step 1 On the Cisco SDM toolbar, click Configure.
Step 6 Click Reset Connection. The status window that is displayed reports the success or failure of the reset. Connecting to an Easy VPN Server Follow these steps to connect to an Easy VPN server: Step 1 On the Cisco SDM toolbar, click Configure. Step 2 On the Cisco SDM category bar, click VPN. Step 3 In the VPN tree, choose Easy VPN Remote. Step 4 Click the Edit Easy VPN Remote tab.
Administering Easy VPN Remote Reference The following topics describe the Edit Easy VPN Remote screens: • Edit Easy VPN Remote • Add or Edit Easy VPN Remote • Add or Edit Easy VPN Remote: General Settings • Network Extension Options • Add or Edit Easy VPN Remote: Easy VPN Settings • Add or Edit Easy VPN Remote: Authentication Information • Add or Edit Easy VPN Remote: Easy VPN Client Phase III Authentication • Add or Edit
Field Reference Table 12-7 describes the fields and buttons in this screen. Table 12-7 Edit Easy VPN Remote Fields Element Description Add Click Add to create a new Easy VPN Remote connection. Edit Choose an Easy VPN Remote connection, and click Edit to modify connection settings. Delete Choose an Easy VPN Remote connection, and click Delete to delete the connection.
Table 12-7 Edit Easy VPN Remote Fields (continued) Element Description This button is labeled Login if all of the following are true: • The Easy VPN server or concentrator being connected to uses XAuth. • The XAuth response is set to be requested from Cisco SDM or the router console. • The tunnel is waiting for XAuth credentials (the connection has been initiated). Click Login to log in to the Easy VPN server and establish the connection.
Table 12-7 Edit Easy VPN Remote Fields (continued) Element Description Mode Either client or network extension. In client mode, the VPN concentrator or server assigns a single IP address to all traffic coming from the router; devices outside the LAN have no direct access to devices on the LAN.
Table 12-7 Edit Easy VPN Remote Fields (continued) Element Description Tunnel Activation The value is Auto, Manual, or traffic-based. If the connection is configured with the Manual setting, you must click Connect to establish the tunnel; you can start or stop the tunnel at any time by clicking Connect or Disconnect.
Add or Edit Easy VPN Remote Use this window to configure your router as an Easy VPN client. Your router must have a connection to an Easy VPN concentrator or server on the network. Note This window appears if the Cisco IOS image on your router supports Easy VPN Client Phase II. The Cisco Easy VPN Remote feature implements the Cisco Unity Client protocol, which allows most VPN parameters to be defined at a VPN remote access server.
Table 12-8 Add or Edit Easy VPN Remote Fields Element Description Network Extension Choose Network Extension if you want the devices connected to the inside interfaces to have IP addresses that are routable and reachable by the destination network. The devices at both ends of the connection will form one logical network.
Table 12-8 Add or Edit Easy VPN Remote Fields (continued) Element Description Group Key Enter the IPSec group password. The group password must match the group password defined on the VPN concentrator or server. Obtain this information from your network administrator. Confirm Key Reenter the group password to confirm.
The Cisco Easy VPN Remote feature implements the Cisco Unity Client protocol, which allows most VPN parameters to be defined on a VPN remote access server. This server can be a dedicated VPN device, such as a VPN 3000 concentrator or a Cisco PIX Firewall, or it can be a Cisco IOS router that supports the Cisco Unity Client protocol. Field Reference Table 12-9 describes the fields in this screen.
Table 12-9 Easy VPN Remote General Settings Fields Element Description Network Extension Choose Network Extension if you want the devices connected to the inside interfaces to have IP addresses that are routable and reachable by the destination network. The devices at both ends of the connection will form one logical network.
Network Extension Options To allow subnets not directly connected to your router to use the tunnel, enter the subnets in this screen, or enter an ACL that defines the subnets you want to allow. Field Reference Table 12-10 describes the fields in this screen. Table 12-10 Network Extension Options Fields Element Description Configure Multiple Subnets Check Configure Multiple Subnets to enable the other fields in this screen.
Field Reference Table 12-11 describes the fields in this screen. Table 12-11 Easy VPN Settings Fields Element Description Name Enter a name for the Easy VPN remote configuration. Mode Client Choose Client mode if you want the PCs and other devices on the router’s inside networks to form a private network with private IP addresses. Network Address Translation (NAT) and Port Address Translation (PAT) will be used.
Table 12-11 Easy VPN Settings Fields (continued) Element Description Add Click Add to specify the name or the IP address of a VPN concentrator or server for the router to connect to; then enter the address or hostname in the window displayed. Delete Click Delete to delete the chosen server IP address or hostname. Move Up Click Move Up to move the specified server IP address or hostname up in the list.
Table 12-12 Authentication Information Fields Element Description Device Authentication Digital Certificate Choose Digital Certificate to authenticate the router with a certificate; a digital certificate must then be configured on the router for this connection to use. Note The Digital Certificates option is available only if supported by the Cisco IOS image on your router. Preshared Key Choose Preshared Key to use the IKE key value given to you by your network administrator.
Table 12-12 Authentication Information Fields (continued) Element Description From PC Choose From PC if you will enter the credentials in a web browser window. Note This option appears only if supported by the Cisco IOS image on your router. From this router Choose From this router if you will enter the credentials from the router command line interface or from Cisco SDM.
Table 12-12 Authentication Information Fields (continued) Element Description New Password Enter the new password given to you by the server administrator. Reenter Password Reenter the new password to confirm accuracy. If the values in the New Password and Reenter Password fields are not the same, Cisco SDM prompts you to reenter the password values.
Table 12-13 Authentication Information Fields Element Description User Authentication If the Easy VPN server or concentrator has been configured to use XAuth, it requires a username and password whenever the router establishes the connection, including when you deliver the configuration to the router, and when you disconnect and reconnect the tunnel. Find out whether XAuth is used, and obtain the required username and password.
Table 12-13 Authentication Information Fields (continued) Element Description Current Password The Current Password field displays asterisks (*) if there is a configured password. If no password has been configured, the field indicates that none is set. New Password Enter the new password given to you by the server administrator. Reenter Password Reenter the new password to confirm accuracy.
Table 12-14 Interfaces and Connection Settings Fields Element Description • An existing interface does not appear in the list of interfaces if it cannot be used in an Easy VPN configuration. For example, loopback interfaces configured on the router do not appear in this list. • An interface cannot be designated as both an inside and an outside interface.
Table 12-14 Interfaces and Connection Settings Fields (continued) Element Description Manual Choose Manual if you want to bring up and shut down the VPN tunnel manually. With the manual setting, you must click the Connect or Disconnect button in the Edit Easy VPN Remote screen to establish or take down the tunnel.
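The router-side configuration behind the Easy VPN Remote wizard Summary and the Add or Edit Easy VPN Remote tables above (General Settings, Network Extension Options, Easy VPN Settings, Authentication Information, Interfaces and Connection Settings), as an added Cisco IOS CLI example. It is not text from this guide and not a capture of what Cisco SDM delivers; the connection name, group name, server addresses, interfaces and the extra subnet are assumptions.

```cisco
! Added example: Easy VPN Remote in network-extension mode with a primary
! and a backup server, XAuth credentials entered interactively, and one
! subnet that is not directly connected allowed into the tunnel.
! Names and addresses are placeholders.
!
! Extra subnet behind the router ("Network Extension Options"); it must
! also be routable to this router for the tunnel to carry it.
access-list 150 permit ip 192.168.30.0 0.0.0.255 any
!
crypto ipsec client ezvpn BRANCH-EZVPN
 ! "connect auto" = Automatically; "connect manual" = Manual, after which
 ! the exec command "crypto ipsec client ezvpn connect BRANCH-EZVPN"
 ! brings the tunnel up.
 connect auto
 ! Group name and group key must match the group on the Easy VPN server.
 group BRANCH-GROUP key <group-key>
 ! "mode network-plus" instead requests a server-assigned address for
 ! remote management (the check box described under Table 12-5).
 mode network-extension
 ! Servers are tried in order; the second is the backup.
 peer 203.0.113.10
 peer 203.0.113.11
 acl 150
 ! XAuth credentials are supplied at connect time with the exec command
 ! "crypto ipsec client ezvpn xauth BRANCH-EZVPN". The alternative
 ! "xauth userid mode local" with username/password lines here stores
 ! the credentials in the configuration ("Save XAuth Credentials").
 xauth userid mode interactive
!
interface FastEthernet0/0
 description Outside (Internet)
 ip address 198.51.100.2 255.255.255.0
 crypto ipsec client ezvpn BRANCH-EZVPN
!
interface FastEthernet0/1
 description Inside (LAN)
 ip address 192.168.10.1 255.255.255.0
 crypto ipsec client ezvpn BRANCH-EZVPN inside
!
! Verify the client state and the negotiated SAs:
!   show crypto ipsec client ezvpn
!   show crypto session
```

The group key is a shared secret between every remote that uses the same group and the server; treat it as such, keep `password encryption aes` with a configured `key config-key password-encrypt` on the router so it is not stored in clear text in the configuration, and rotate it when a remote router is decommissioned or lost.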
Table 12-15 Identical Addressing Tab Fields (continued) Element Description Add Clicking Add displays the dialog that enables you to configure a loopback interface. Enable split tunneling Split tunneling enables the router to use the VPN tunnel only for traffic to the network addresses given to it by the Easy VPN server, and to send all other traffic directly to the Internet. Traffic sent outside the tunnel is not protected by the VPN, and a host that is reachable both from the Internet and through the tunnel becomes a possible path into the protected network, so enable split tunneling only where that exposure is acceptable.
• If you enter a local IP address for a device that falls outside the subnet for the LAN interface it connects to. • If you chose client mode in the General tab. Identical addressing only works with network extension mode. • If you did not choose a virtual tunnel interface in the Interfaces and Connections tab. Easy VPN Remote: Add a Device Enter the local IP address and global IP address information for a device in this screen.
Chapter 12 Easy VPN Remote Other Procedures Field Reference Table 12-17 describes the fields in this screen. Table 12-17 Enter SSH Credentials Fields Element Description Please Enter the Username Enter the SSH or Telnet account username that you will use to log in to this router. Please Enter the Password Enter the password associated with the SSH or Telnet account username that you will use to log in to this router.
Step 5 In the Edit Easy VPN Remote window, click the tabs to display the values that you want to change. Step 6 When you have finished making changes, click OK. How Do I Configure a Backup for an Easy VPN Connection? To configure a backup for an Easy VPN Remote connection, your router must have an ISDN, async, or analog modem interface available for the backup.
Step 6 When you have finished configuring the backup, click OK.
Chapter 13 Easy VPN Server The Easy VPN Server feature introduces server support for the Cisco VPN Client Release 3.x and later software clients and Cisco VPN hardware clients. The feature allows a remote end user to communicate using IP Security (IPSec) with any Cisco IOS Virtual Private Network (VPN) gateway. Centrally managed IPSec policies are “pushed” to the client by the server, minimizing configuration by the end user.
Chapter 13 Easy VPN Server Creating an Easy VPN Server Connection Complete these steps to configure an Easy VPN Server connection using the Easy VPN Server wizard: Step 1 If you want to review the Cisco IOS CLI commands that you send to the router when you complete the configuration, go to the Cisco SDM toolbar, and click Edit > Preferences > Preview commands before delivering to router. The preview screen allows you to cancel the configuration if you want to.
Create an Easy VPN Server Reference The topics in this section describe the configuration screens: • Create an Easy VPN Server • Welcome to the Easy VPN Server Wizard • Interface and Authentication • Group Authorization and Group Policy Lookup • User Authentication (XAuth) • User Accounts for XAuth • Add RADIUS Server • Group Authorization: User Group Policies • General Group Information • DNS and WINS Configuration • S
Create an Easy VPN Server This wizard will guide you through the necessary steps to configure an Easy VPN Server on this router. Field Reference Table 13-1 describes the fields in this screen. Table 13-1 Create an Easy VPN Server Fields Element Description Launch the Easy VPN Server Wizard Click this button to start the wizard.
If the chosen interface is already part of an Easy VPN Remote, GRE over IPSec (GREoIPSec), or DMVPN configuration, Cisco SDM displays a message asking you to choose another interface. Field Reference Table 13-2 describes the fields in this screen. Table 13-2 Interface and Authentication Fields Element Description Details Click this button to obtain details about the interface you choose.
Field Reference Table 13-3 describes the fields in this screen. Table 13-3 Group Authorization and Policy Lookup Fields Element Description Local Only This option allows you to create a method list for the local database only. When you define an AAA method list for the local database, the router looks up the group policy in the local database for group authorization. RADIUS Only This option allows you to create a method list for a RADIUS database.
Field Reference Table 13-4 describes the fields in this screen. Table 13-4 User Authentication Fields Element Description Local Click Local to add user authentication details to the local database. RADIUS Click RADIUS if you want to add user authentication details to the database on the RADIUS server. RADIUS and Local Click RADIUS and Local to add user authentication details for both a RADIUS and a local database.
Field Reference Table 13-5 describes the fields in this screen. Table 13-5 User Accounts for XAuth Fields Element Description User Accounts The user accounts that XAuth will authenticate are listed in this box. The account name and privilege level are visible. Add, Edit Use these buttons to add and edit user accounts. User accounts can be deleted in the Additional Tasks > Router Access > User Accounts/View window.
Group Authorization: User Group Policies This window allows you to add, edit, clone or delete user group policies on the local database. Field Reference Table 13-7 describes the fields in this screen. Table 13-7 User Group Policies Fields Element Description Group Policy List area Select Check the box in this column next to the groups that you want this Easy VPN server connection to serve. Group Name Name given to the user group.
General Group Information This window allows you to configure, edit and clone group policies. Field Reference Table 13-8 describes the fields in this screen. Table 13-8 General Group Information Fields Element Description Please Enter a Name for This Group Enter the group name in the field provided. If this group policy is being edited, this field is disabled.
DNS and WINS Configuration This window allows you to specify the Domain Name Service (DNS) and Windows Internet Naming Service (WINS) information. Field Reference Table 13-9 describes the fields in this screen. Table 13-9 DNS and WINS Fields Element Description DNS Enter the primary and secondary DNS server IP addresses in the fields provided. Entering a secondary DNS server address is optional.
Field Reference Table 13-10 describes the fields in this screen. Table 13-10 Split Tunneling Fields Element Description Enable Split Tunneling Check this box to add protected subnets and ACLs for split tunneling. • Enter the Protected Subnets—Add or remove the subnets for which the packets are tunneled from the VPN clients. • Choose the Split Tunneling ACL—Choose the ACL to use for split tunneling. Split DNS
Field Reference Table 13-11 describes the fields in this screen. Table 13-11 Client Setting Fields Element Description Backup Servers You can specify up to ten servers by IP address or hostname as backup for the Easy VPN server, and order the list to control which servers the client will attempt to connect to first if the primary connection to the Easy VPN server fails.
Table 13-11 Client Setting Fields (continued) Element Description Configuration Push • cns: • xmodem: • ymodem: • null: • flash:sdm.exe • nvram:sdm.exe • usbtoken[0-9]:sdm.exe The USB token port number range is 0-9. For example, for a USB token attached to USB port 0, the URL is usbtoken0:sdm.exe. • usbflash[0-9]:sdm.exe The USB flash port number range is 0-9.
Table 13-11 Client Setting Fields (continued) Element Description Browser Proxy You can specify browser proxy settings for Easy VPN software clients. The Easy VPN Server sends the browser proxy settings to Easy VPN software clients requesting that information. Only Easy VPN software clients belonging to the group policy you are configuring can request the browser proxy settings you enter in this window.
Table 13-12 Choose Browser Proxy Settings Element Description Proxy Settings Choose the settings that you want to associate with the group. Add or Edit Browser Proxy Settings This window allows you to add or edit browser proxy settings. Field Reference Table 13-13 describes the fields in this screen.
Manually Configuring a Proxy Server If you choose Manual Proxy Configuration, follow these steps to manually configure a proxy server: Step 1 Enter the proxy server IP address in the Server IP Address field. Step 2 Enter the port number that the proxy server uses for receiving proxy requests in the Port field. Step 3 Enter a list of IP addresses for which you do not want clients to use the proxy server.
Table 13-14 User Authentication (XAuth) Fields (continued) Element Description Group Lock You can restrict a client to connect to the Easy VPN Server only from the specified user group. Save Password You can allow the extended authentication username and password to be saved locally on the Easy VPN Client. Client Update This window allows you to set up client software or firmware update notifications, and displays existing client update entries.
Add or Edit Client Update Entry This window allows you to configure a new client update entry. Field Reference Table 13-16 describes the fields in this screen. Table 13-16 Add or Edit Client Update Entry Fields Element Description Client Type Enter a client type or choose one from the drop-down menu. Client type names are case sensitive. For software clients, the client type is usually the operating system, for example, Windows.
Table 13-16 Add or Edit Client Update Entry Fields (continued) Element Description • flash:vpnclient-4.6.exe • nvram:vpnclient-4.6.exe • usbtoken[0-9]:vpnclient-4.6.exe The USB token port number range is 0-9. For example, for a USB token attached to USB port 0, the URL is usbtoken0:vpnclient-4.6.exe. • usbflash[0-9]:vpnclient-4.6.exe The USB flash port number range is 0-9.
Field Reference Table 13-17 describes the fields in this screen. Table 13-17 Cisco Tunneling Control Protocol Element Description Enable cTCP Check Enable cTCP to enable this protocol on the Easy VPN server. Specify the port numbers Specify the port numbers on which the Easy VPN server must listen for cTCP requests from clients. You can add a maximum of 10 port numbers. Use a comma to separate entries.
Field Reference Table 13-19 describes the fields in this screen. Table 13-19 Browser Proxy Settings Fields Element Description Name The name of the browser proxy settings. Settings Displays one of the following: • No Proxy Server No proxy server can be used by clients when they connect through the VPN tunnel. • Automatically Detect Settings Clients attempt to automatically detect a proxy server.
Chapter 13 Easy VPN Server Editing Easy VPN Server Connections Editing Easy VPN Server Connections To edit an Easy VPN Server connection, complete these steps: Step 1 If you want to review the Cisco IOS CLI commands that you send to the router when you complete the configuration, go to the Cisco SDM toolbar, and click Edit > Preferences > Preview commands before delivering to router. The preview screen allows you to cancel the configuration if you want to.
• Add IP Address Range Edit Easy VPN Server This window lets you view and manage Easy VPN server connections. Field Reference Table 13-20 describes the fields in this screen. Table 13-20 Edit Easy VPN Server Fields Element Description Add Click Add to add a new Easy VPN Server. Edit Click Edit to edit an existing Easy VPN Server configuration. Delete Click Delete to delete a specified configuration.
Table 13-20 Edit Easy VPN Server Fields (continued) Element Description Test VPN Server Button Click to test the chosen VPN tunnel. The results of the test appear in a separate window. Restrict Access Button Click this button to restrict group access to the specified Easy VPN Server connection.
Table 13-21 Easy VPN Server Connection Fields (continued) Element Description Method List for User Authentication Choose the method list to use for user authentication from this list. Method lists are configured by clicking Additional tasks on the Cisco SDM taskbar, and then clicking the AAA node. Mode Configuration Check Initiate if you want the router to initiate mode configuration exchanges with Easy VPN Remote clients rather than only respond to their requests.
Field Reference Table 13-23 describes the fields in this screen. Table 13-23 Group Policies Configuration Fields Element Description Common Pool Click Common Pool to designate an existing pool as a common pool for all group policies to use. If no local pools have been configured, this button is disabled. Pools can be configured by clicking Additional Tasks > Local Pools, or when you configure Easy VPN Server connections.
Table 13-23 Group Policies Configuration Fields (continued) Element Description • Authentication—Values indicate a preshared key if one was configured, or a digital certificate if a preshared key was not configured. • Maximum Connections Allowed—Shows the maximum number of simultaneous connections allowed. Cisco SDM supports a maximum of 5000 simultaneous connections per group.
IP Pools This window lists the IP address pools available to group policies configured on the router. Depending upon the area of Cisco SDM you are working in, Add, Edit, and Delete buttons may be available, and the name of the window varies depending on the area of Cisco SDM you are working in. You can use these buttons to manage local IP pools on the router. Field Reference Table 13-24 describes the fields in this screen.
Field Reference Table 13-25 describes the fields in this screen. Table 13-25 Add or Edit IP Local Pool Fields Element Description Pool Name If you are creating a pool, enter the pool name. If you are editing a pool, this field is disabled. IP Address Range Enter or edit the IP address ranges for the pool in this area. A pool can contain more than one IP address range.
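The Easy VPN Server configuration that the Chapter 13 wizard and edit screens above describe (interface and authentication, group authorization and XAuth method lists, a group policy with pool, DNS, WINS, split tunneling, backup servers, group lock and maximum connections, DPD, and cTCP), shown as an added Cisco IOS CLI example using the classic crypto-map form. It is not text from this guide and not a capture of what Cisco SDM generates; all names, addresses, ACL numbers and the cTCP port are assumptions.

```cisco
! Added example: Easy VPN Server with local group authorization and local
! XAuth. Names, addresses and ACL numbers are placeholders.
aaa new-model
! XAuth (User Authentication) and group policy lookup (Group Authorization)
! are separate method lists; each can be "local", "group radius", or both.
aaa authentication login EZVPN-XAUTH local
aaa authorization network EZVPN-GROUP local
username alice privilege 1 secret <alice-password>
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 ! Group 2 (1024-bit DH) is the minimum the legacy Cisco VPN Client
 ! accepts and is weak by current standards; use the strongest group
 ! every client supports.
 group 2
!
! Dead Peer Detection: a DPD message every 10 s, retried every 3 s when
! a client stops answering, after which its connection is dropped.
crypto isakmp keepalive 10 3
!
! cTCP (Table 13-17): accept Easy VPN clients encapsulated in TCP on this port.
crypto ctcp port 10000
!
! Group policy pushed to clients in group REMOTE-WORKERS.
crypto isakmp client configuration group REMOTE-WORKERS
 key <group-key>
 dns 10.10.1.53 10.10.1.54
 wins 10.10.1.20
 domain example.com
 pool EZVPN-POOL
 ! Split tunneling: only these networks go through the tunnel (ACL 120).
 acl 120
 ! Backup servers the client should try if this one fails.
 backup-gateway 203.0.113.11
 ! Group Lock: a user may only connect through the group named in the
 ! XAuth username (user@group).
 group-lock
 ! Maximum Connections Allowed.
 max-users 100
 ! "save-password" is deliberately absent: letting clients store the
 ! XAuth password turns a stolen laptop into a valid VPN credential.
!
ip local pool EZVPN-POOL 10.10.200.1 10.10.200.254
access-list 120 permit ip 10.10.0.0 0.0.255.255 any
!
crypto ipsec transform-set EZVPN-TS esp-aes 256 esp-sha-hmac
crypto dynamic-map EZVPN-DYN 10
 set transform-set EZVPN-TS
 ! Inject a host route for each connected client into the routing table.
 reverse-route
!
crypto map EZVPN-MAP client authentication list EZVPN-XAUTH
crypto map EZVPN-MAP isakmp authorization list EZVPN-GROUP
! "respond" answers client mode-configuration requests; "initiate" makes
! the router push the configuration without waiting for a request.
crypto map EZVPN-MAP client configuration address respond
crypto map EZVPN-MAP 10 ipsec-isakmp dynamic EZVPN-DYN
!
interface GigabitEthernet0/0
 description Outside (Internet), the interface chosen in the wizard
 crypto map EZVPN-MAP
!
! Verify connected clients and the pushed attributes:
!   show crypto session
!   show crypto isakmp sa
```

For RADIUS-based group lookup or XAuth, replace `local` in the two method lists with `group radius local` and add `radius-server host` and `ip radius source-interface` entries; the group name sent by the client is then looked up on the RADIUS server, so the names configured there and in the clients must match exactly.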
Chapter 14 Enhanced Easy VPN The following sections describe the Cisco Router and Security Device Manager configuration screens for Enhanced Easy VPN. Interface and Authentication Specify the router interface to which the virtual template interface is to be unnumbered, and specify the method to use for authentication in this window. Interface A virtual template interface must be unnumbered to a router interface to obtain an IP address.
Chapter 14 Enhanced Easy VPN Authentication Select the method that Easy VPN clients are to use to authenticate themselves to the Easy VPN Server configured on the router. Pre-shared keys require that you communicate the key to administrators of Easy VPN clients. Digital certificates do not require this, but each client must enroll for and receive a digital certificate.
Table 14-1 RADIUS Servers Fields (continued) Element Description Note Cisco IOS software allows a single RADIUS source interface to be configured on the router. If the router already has a configured RADIUS source and you choose a different source, the source IP address placed in the packets sent to the RADIUS server changes to the IP address of the new source, and may not match the NAD IP address configured on the Cisco ACS. A RADIUS server silently discards requests from an address it does not recognize as a client, so changing the source interface can break every existing RADIUS use on the router until the ACS entry is updated.
Table 14-1 RADIUS Servers Fields (continued) Element Description VPN Groups in RADIUS Server Enter the VPN groups configured on the RADIUS server that you want this connection to give access to. Use a comma to separate entries. A sample set of entries follows: WGP-1, WGP-2, ACCTG, CSVC These names must match the group names configured on the RADIUS server. For easy administration, they should also match the group names you configure for the Easy VPN clients.
The group name, IP address pool name, DNS and WINS server names, and domain name of each configured group are shown in the list. When you click Add to configure settings for a new group or click Edit to change settings, the changes appear in this list. To use settings for an existing group as a basis for a new group configuration, select the existing group and click Clone. The Add, Edit, and Clone buttons display dialogs that enable you to configure group settings.
Add or Edit Easy VPN Server: IKE Tab The IKE dialog in the Add Easy VPN Server dialogs enables you to create an IKE profile for this connection. Field Reference Table 14-2 describes the fields in this tab. Table 14-2 Add or Edit Easy VPN Server Connection: IKE Tab Element Description Match Identity Type The IKE profile includes match criteria that allow the router to identify the incoming and outgoing connections to which the IKE connection parameters are to apply.
Table 14-2 Add or Edit Easy VPN Server Connection: IKE Tab (continued) Element Description Mode Configuration Choose one of the following options to specify how the Easy VPN server is to handle mode configuration requests: • Respond—Choose Respond in the Mode Configuration field if the Easy VPN server is to respond to mode configuration requests. Group Policy Lookup Authorization Policy User Authentication Policy
Table 14-2 Add or Edit Easy VPN Server Connection: IKE Tab (continued) Element Description Dead Peer Discovery Click Dead Peer Discovery to enable the router to send dead peer detection (DPD) messages to Easy VPN Remote clients. If a client does not respond to DPD messages, the connection with it is dropped. • Keepalive Interval—Specify the number of seconds between DPD messages in the Keepalive Interval field. The range is from 10 to 3600 seconds.
Chapter 14 Enhanced Easy VPN Transform Set Columns Use the two columns at the top of the dialog to specify the transform sets that you want to include in the profile. The left-hand column contains the transform sets configured on the router. To add a configured tranform set to the profile, select it and click the >> button. If there are no tranform sets in the left-hand column, or if you need a transform set that has not been created, click Add and create the transform set in the displayed dialog.
Chapter 14 • Enhanced Easy VPN group5—The 1536-bit Diffie-Hellman prime modulus group is used to encrypt the PFS request. Create Virtual Tunnel Interface Enter the information for a virtual tunnel interface in this dialog. Interface Type Choose default, or tunnel as the interface type. If you are editing a virtual tunnel interface, the configured value is displayed and the field is read only.
Chapter 15 DMVPN
These help topics provide information about the Dynamic Multipoint Virtual Private Network (DMVPN) configuration screens.

Dynamic Multipoint VPN
This wizard helps you configure your router as a Dynamic Multipoint VPN (DMVPN) hub or DMVPN spoke. A typical VPN connection is a point-to-point IPSec tunnel connecting two routers. DMVPN enables you to create a network with a central hub that connects other remote routers, referred to as spokes, using GRE over IPSec tunnels.

It is important to configure the hub first, because spokes must be configured using information about the hub. If you are configuring a hub, you can use the Spoke Configuration feature available in the Summary window to generate a procedure that you can send to spoke administrators so that they can configure the spokes with the correct hub information. If you are configuring a spoke, you must obtain the correct information about the hub before you begin.

The Configure Spoke feature of Cisco SDM enables you to create a text file that contains the information that spoke administrators need about the hub's configuration. This feature is available from the Summary window of this wizard. You also need to tell the spoke administrators which subnet mask to use, and assign each spoke a tunnel IP address from the same subnet as the hub so that address conflicts do not occur.

Digital Certificates
Select this button if your router uses digital certificates for authentication. Digital certificates are configured under VPN Components > Public Key Infrastructure.

Confirm Pre-Shared Key
Reenter the key for confirmation. If the values in this field and the Pre-Shared Key field do not match, Cisco SDM prompts you to reenter them.

Advanced Button
Cisco SDM provides default values for the advanced tunnel settings. However, the hub administrator must decide on the tunnel settings and give them to the personnel administering the spoke routers so that they can configure matching settings.

Advanced Configuration for the Tunnel Interface
Use this window to configure GRE tunnel parameters. Cisco SDM provides default values, but you must obtain the correct values from the hub administrator and enter them here.

Tunnel Key
Enter the key to use for this tunnel. This key must be the same for all mGRE tunnels in the DMVPN network. It is the 32-bit GRE key field that the router uses to match packets to the tunnel interface; it is not a secret and provides no authentication, which comes from the IPSec profile applied to the tunnel. Cisco SDM default: 100000.

Bandwidth
Enter the intended bandwidth, in kilobits per second (kbps). Default bandwidth values are set during startup; the bandwidth values can be displayed using the show interfaces EXEC command. 1000 is a typical bandwidth setting in DMVPN configurations.

IP Address of hub's mGRE tunnel interface
Enter the IP address of the mGRE tunnel interface on the primary hub. Obtain this information from the hub administrator.

Select Routing Protocol
Use this window to specify how the other networks behind your router are advertised to the other routers in the network. Select one of the following:
• EIGRP: Enhanced Interior Gateway Routing Protocol.
• OSPF: Open Shortest Path First.
• RIP: Routing Information Protocol.

Select an existing OSPF process ID/EIGRP AS number
You can select an existing process ID for OSPF or AS number for EIGRP if one has been previously configured. See Recommendations for Configuring Routing Protocols for DMVPN.

Create a new OSPF process ID/EIGRP AS number
If no process IDs exist, or if you want to use a different one, you can configure a process ID in this field.

OSPF Area ID for tunnel network
Enter a new OSPF area ID for the network.

Add: Click to add a network, or a group of networks, to advertise.
Edit: Click to edit the data for an advertised network or group of networks. This button is enabled for entries that you created during the current instance of this wizard.
Delete: Click to delete the data for the selected network or group of networks. This button is enabled for entries that you created during the current instance of this wizard.

Fully Meshed Network
Select this option if you are configuring the router as a spoke capable of establishing a direct IPSec tunnel to other spokes in the network. A multipoint GRE tunnel is configured on the spoke to support this functionality. When you select this option, the graphic displays links from the spokes to the hub and links between the spokes. The wizard screen lists the IOS images required to support a fully meshed DMVPN network.

Re-register with hub when IP address of interface-name changes: This option is available when the interface you selected receives a dynamic IP address via DHCP or IPCP. Selecting this option allows the spoke to re-register with the hub when it receives a new IP address.

IP Address
Enter the IP address for the GRE interface to this hub. This must be a private address and must be in the same subnet as the GRE interfaces of the other routers in the network.

Edit Dynamic Multipoint VPN (DMVPN)

Firewall
If a firewall has been applied to the interface that was designated as the tunnel source, Cisco SDM can add access rule entries to the configuration so that GRE, IPSec, and ISAKMP traffic is allowed through the firewall.

View Details
Click this button to view the access control entries that Cisco SDM will add to the access rule if you select Allow GRE, IPSec, and ISAKMP traffic through the firewall. Review them before applying: they should admit only those protocols, and in a hub-and-spoke-only design a spoke's entries can be restricted further to the hub's address.

Interface
The physical interface from which this tunnel originates.

IPSec Profile
The IPSec profile that the tunnel uses. The IPSec profile defines the transform sets that are used to encrypt traffic on the tunnel. Cisco SDM supports only IPSec profiles for defining encryption in a DMVPN. If you want to use crypto maps, configure the DMVPN using the CLI.

IP Address
The IP address of the GRE tunnel.

Delete
Click to delete a DMVPN tunnel configuration.

General Panel
In this panel, add or edit the general configuration parameters of the DMVPN tunnel.

IP Address
Enter the IP address of the tunnel. This must be a private address and must be in the same subnet as the other tunnel addresses in the DMVPN. If you are configuring a spoke, you must use the address that the hub administrator has assigned to your router so that no address conflicts occur.

MTU
Enter the largest amount of data, in bytes, that should be allowed in a packet traveling through the tunnel.

Bandwidth
Enter the intended bandwidth, in kilobits per second (kbps). Default bandwidth values are set during startup; the bandwidth values can be displayed using the show interfaces EXEC command. The value 1000 is a typical bandwidth setting in DMVPN configurations.

Delay
Set a delay value for the interface, in tens of microseconds.

Authentication String
Enter the string that DMVPN hubs and spokes must use to authenticate themselves for NHRP transactions. The string can be up to 8 characters long. All NHRP stations in the DMVPN must be configured with the same authentication string. The string is carried in cleartext inside NHRP packets and only keeps unrelated NHRP domains apart; it is not a security control and should not be reused as a password anywhere. Peer authentication comes from the IPSec profile.

Hold Time
Enter the number of seconds that NHRP network IDs should be advertised as valid.

Network ID
Enter the NHRP Network ID.

Statically configure the IP-to-NBMA address mapping of IP destinations connected to an NBMA network.
Click this button if you are configuring a spoke in a fully meshed network. Cisco SDM treats backup hubs as spokes of the primary hub, so also click this if you are configuring a backup hub. In this part of the window you provide the address information that the spoke or backup hub needs to contact the primary hub.
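The values the hub administrator hands to spoke administrators (tunnel subnet and per-spoke address, tunnel key, NHRP network ID, authentication string, hold time, IPSec profile) have to agree on every spoke, and the windows above say what each value must be but give no way to check a spoke's entries before they are delivered to the router. The following Python script is an added example, not part of this manual and not code from Cisco SDM: it holds a constructed hub handout (every address, name and number is an assumed sample value), validates what a spoke administrator typed against it, and renders the spoke's mGRE tunnel interface in Cisco IOS syntax. The `ip mtu 1400` value is likewise an assumption, chosen to leave room for the GRE and IPSec overhead.

```python
import ipaddress

# Constructed hub "handout" of the kind the wizard's Configure Spoke feature
# produces. All values are assumed sample data, not taken from the manual.
HUB = {
    "tunnel_ip": "10.0.0.1",          # hub's mGRE tunnel interface address
    "tunnel_mask": "255.255.255.0",   # subnet mask every spoke must use
    "nbma_ip": "203.0.113.1",         # hub's public (tunnel source) address
    "tunnel_key": 100000,             # GRE key; Cisco SDM default, not a secret
    "nhrp_network_id": 100000,
    "nhrp_auth": "DMVPN",             # cleartext NHRP string, 8 characters max
    "nhrp_holdtime": 360,
    "ipsec_profile": "SDM_Profile1",  # the IPSec profile is where authentication lives
    "mtu": 1400,                      # assumed; leaves room for GRE+IPSec overhead
    "bandwidth_kbps": 1000,
}


def check_spoke(hub, spoke):
    """Compare what a spoke administrator entered with the hub handout.

    Returns a list of problems; an empty list means the spoke matches the hub.
    """
    problems = []
    net = ipaddress.ip_network(f"{hub['tunnel_ip']}/{hub['tunnel_mask']}", strict=False)
    try:
        addr = ipaddress.ip_address(spoke["tunnel_ip"])
    except ValueError:
        return [f"tunnel address {spoke['tunnel_ip']!r} is not a valid IP address"]
    if addr not in net:
        problems.append(f"tunnel address {addr} is outside the hub subnet {net}")
    elif addr == ipaddress.ip_address(hub["tunnel_ip"]):
        problems.append(f"tunnel address {addr} conflicts with the hub")
    elif not addr.is_private:
        problems.append(f"tunnel address {addr} is not a private address")
    if spoke["tunnel_key"] != hub["tunnel_key"]:
        problems.append("tunnel key does not match the hub; GRE packets would be dropped")
    if spoke["nhrp_network_id"] != hub["nhrp_network_id"]:
        problems.append("NHRP network ID does not match the hub")
    if len(spoke["nhrp_auth"]) > 8:
        problems.append("NHRP authentication string is longer than 8 characters")
    elif spoke["nhrp_auth"] != hub["nhrp_auth"]:
        problems.append("NHRP authentication string does not match the hub")
    return problems


def spoke_tunnel_config(hub, spoke, source_interface, tunnel_number=0):
    """Render the spoke's mGRE tunnel interface in Cisco IOS syntax."""
    problems = check_spoke(hub, spoke)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        f"interface Tunnel{tunnel_number}",
        f" bandwidth {hub['bandwidth_kbps']}",
        f" ip address {spoke['tunnel_ip']} {hub['tunnel_mask']}",
        f" ip mtu {hub['mtu']}",
        f" ip nhrp authentication {hub['nhrp_auth']}",
        f" ip nhrp map {hub['tunnel_ip']} {hub['nbma_ip']}",   # static IP-to-NBMA mapping for the hub
        f" ip nhrp map multicast {hub['nbma_ip']}",            # routing-protocol multicast goes to the hub
        f" ip nhrp network-id {hub['nhrp_network_id']}",
        f" ip nhrp holdtime {hub['nhrp_holdtime']}",
        f" ip nhrp nhs {hub['tunnel_ip']}",                    # the hub is the next-hop server
        f" tunnel source {source_interface}",
        " tunnel mode gre multipoint",                         # required for spoke-to-spoke tunnels
        f" tunnel key {hub['tunnel_key']}",
        f" tunnel protection ipsec profile {hub['ipsec_profile']}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    spoke = {"tunnel_ip": "10.0.0.2", "tunnel_key": 100000,
             "nhrp_network_id": 100000, "nhrp_auth": "DMVPN"}
    print(spoke_tunnel_config(HUB, spoke, "FastEthernet0/0"))
```

Of the values checked, only the IPSec profile (and the pre-shared key or certificate behind it) protects the tunnel; a mismatched tunnel key or NHRP string breaks connectivity rather than security, which is why the script reports them as configuration problems and does not treat them as secrets.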
• EIGRP: Enhanced Interior Gateway Routing Protocol

RIP Fields
If you selected RIP as the dynamic routing protocol, select Version 1, Version 2, or Default. If you select Version 2, the router includes the subnet mask in its routing updates. If you select Default, the router sends Version 2 updates but can receive RIP Version 1 or Version 2 updates.

Use original next hop: If this is a DMVPN hub router, EIGRP by default advertises this router as the next hop. Check this box to have EIGRP keep the original IP next hop when advertising routes to the DMVPN spoke routers (the equivalent of the no ip next-hop-self eigrp command on the hub's tunnel interface). A fully meshed DMVPN needs this; otherwise spoke-to-spoke traffic is always sent through the hub.

How Do I Configure a DMVPN Manually?
You can configure your router as a DMVPN hub or spoke using the VPN Components windows and the Edit Dynamic Multipoint VPN (DMVPN) window.

Step 4 In the DMVPN Tunnel Configuration window, complete the General, NHRP, and Routing tabs to create a DMVPN tunnel. Consult the online help for more information about a particular field.

To specify the networks you want to advertise to the DMVPN:
If there are networks behind your router that you want to advertise to the DMVPN, you can do so by adding the network numbers in the Routing windows.
Step 1 From the left panel, click Routing.
Chapter 16 VPN Global Settings
These help topics describe the VPN Global Settings windows.

VPN Global Settings
This window displays the VPN global settings for the router.

Field Reference
Table 16-1 describes the fields in this screen.

Table 16-1 VPN Global Settings Fields
Edit Button: Click the Edit button to add or change VPN global settings.
Enable IKE: The value is True if IKE is enabled; it is False if IKE is disabled.
IKE Identity: Either the host name of the router or the IP address that the router uses to identify itself in IKE negotiations.
Dead Peer Detection: Dead Peer Detection (DPD) enables a router to detect a dead peer and, if one is detected, delete the IPSec and IKE security associations with that peer.
IPSec Security Association (SA) Lifetime (Kilobytes): The number of kilobytes that the router can send over the VPN connection before the IPSec SA expires. An SA has both a time-based and a volume-based lifetime; it is renewed when the shorter of the two is reached.
Syslog Messages for Easy VPN Connections: This field can have the following values:
• Enabled: Syslog messages are enabled for all Easy VPN connections.

XAuth Timeout
The number of seconds the router waits for a response from a system requiring XAuth authentication.

Enable Dead Peer Detection (DPD)
Dead Peer Detection (DPD) enables a router to detect a dead peer and, if one is detected, delete the IPSec and IKE security associations with that peer. The Enable Dead Peer Detection checkbox is disabled when the Cisco IOS image that the router is using does not support DPD.

Authenticate and Generate new key after every
Check this box and specify the interval at which the router should reauthenticate and generate a new key. If you do not specify a value, the router reauthenticates and generates a new key every hour.

Table 16-2 VPN Global Settings: Easy VPN Server Fields
Common Pool: You can configure a common IP address pool for all clients to use. If a group does not have a specific pool, clients belonging to that group are allocated an IP address from this common pool.
Select a common pool: Select a pool name from this list.

Enable VPN Keys Encryption
Check to enable encryption of these keys in the router configuration.

Current Master Key
This field contains asterisks (*) when a master key has been configured.

New Master Key
Enter a new master key in this field. Master keys must be at least 8 characters long and can be as long as 128 characters. The master key is not written to the configuration file, so a configuration copied to another router cannot be decrypted without it; if the master key is lost, the encrypted VPN keys cannot be recovered and must be reentered. Keep it in a secure location.

Confirm Master Key
Reenter the master key in this field for confirmation.
Chapter 17 IP Security
IP Security (IPSec) is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer; it uses IKE to negotiate protocols and algorithms based on local policy, and to generate the encryption and authentication keys used by IPSec. Cisco SDM lets you configure IPSec transform sets, rules, and policies.

IPSec Policies
Name: The name of this IPSec policy.
Type: One of the following:
• ISAKMP: IKE is used to establish the IPSec security associations that protect the traffic specified by this crypto map entry. Cisco SDM supports Internet Security Association and Key Management Protocol (ISAKMP) crypto maps.
• Manual: IKE is not used to establish the IPSec security associations that protect the traffic specified by this crypto map entry. The session keys are configured statically and are never renegotiated, so prefer ISAKMP unless the peer cannot run IKE.

Dynamic Crypto Map Sets in this IPSec Policy
Dynamic Crypto Map Set Name: The name of this dynamic crypto map set. Names enable administrators to understand how the crypto map set is used.
Sequence Number: The sequence number for this dynamic crypto map set.
Type: Type is always Dynamic.

What Do You Want to Do?
If you want to: Do this:
Add an IPSec policy to the configuration. Click Add.
Edit an existing IPSec policy. Select the policy, and click Edit.

Crypto Maps in this IPSec policy
This box lists the crypto maps in this IPSec policy. The list includes the name, the sequence number, and the transform set that make up each crypto map. You can select a crypto map and edit it or delete it from the IPSec policy. If you want to add a crypto map, click Add. If you want Cisco SDM to guide you through the process, check Use Add Wizard, and then click Add.

Add or Edit Crypto Map: General
Change general crypto map parameters in this window. This window contains the following fields.

Name of IPSec Policy
A read-only field that contains the name of the policy in which this crypto map is used. This field does not appear if you are using the Crypto Map Wizard.

Description
Enter or edit a description of the crypto map in this field.

Enable Perfect Forward Secrecy
Without PFS, the keys for each IPSec security association are derived from the keying material of the IKE security association, so if that keying material is compromised, every IPSec key derived from it can be recovered as well. Perfect Forward Secrecy (PFS) performs a fresh Diffie-Hellman exchange for each IPSec SA and derives its keys from the result, so the keys are independent of one another: compromising one does not expose the others. If you enable PFS, you can specify the Diffie-Hellman group1, group2, or group5 method. Group1 (768-bit) and group2 (1024-bit) are no longer considered adequate; choose the largest group both peers support, group5 in this window or group14 or larger if the IOS image offers it.
Add or Edit Crypto Map: Transform Sets
Use this window to add and edit the transform set used in the crypto map. A crypto map includes the hostnames or IP addresses of the peers involved in the security association. Configuring multiple peers gives the router alternative peers to use for the encrypted traffic. However, the devices at both ends of the VPN connection must use the same transform set.

Details of Selected Transform Set (Crypto Map Wizard Only)
Shows the name, the encryption and authentication characteristics, and the other parameters of the chosen transform set. If the read-only icon appears next to the transform set, it cannot be edited.

Selected Transform Sets In Order of Preference (Manual Configuration of Crypto Map Only)
The transform sets that have been chosen for this crypto map, in the order in which they will be offered.

What Do You Want to Do? (Manual Configuration of Crypto Map Only)
If you want to: Do this:
Add a transform set to the Selected Transform Sets box. Select a transform set in the Available Transform Sets box, and click the right-arrow button.
Remove a transform set from the Selected Transform Sets box. Select the transform set you want to remove, and click the left-arrow button.
Change the preference order of the selected transform sets.

Destination
Enter the address of the destination subnet, and specify the mask for that subnet. You can either select a subnet mask from the list or type in a custom mask. The subnet number and mask must be entered in dotted decimal format. All traffic going to the hosts in this subnet will be encrypted.

IPSec Rule (Create/Select an access-list for IPSec traffic)
You can add or change the IPSec rule used in this crypto map.

Dynamic Crypto Map Sets
This window lists the dynamic crypto map sets configured on the router.

Add/Edit/Delete Buttons
Use these buttons to manage the crypto maps in the window. If you try to delete a crypto map set associated with an IPSec policy, Cisco SDM prevents you from doing so. You must disassociate the crypto map from the policy before deleting it. You can do this in the IPSec Policies window.

Name
The name of the dynamic crypto map.

Associate Crypto Map with this IPSec Policy
Sequence Number
Enter a sequence number to identify this crypto map set. This sequence number cannot be in use by any other crypto map set.
Select the Dynamic Crypto Map Set
Select the dynamic crypto map set you want to add from this list.
Crypto Maps in this Dynamic Crypto Map Set
This area lists the names, sequence numbers, and peers in the dynamic crypto map set you selected.

IPSec Profiles
Edit
Select an existing profile and click Edit to change the profile configuration.
Delete
Click to delete the selected IPSec profile. If the profile you are deleting is currently used in a DMVPN tunnel, you must first configure the DMVPN tunnel to use a different IPSec profile.
Details of IPSec Profile
This area displays the configuration of the selected IPSec profile. For a description of the information displayed in this area, see Add or Edit IPSec Profile.

Time Based IPSec SA Lifetime
Click Time Based IPSec SA Lifetime if you want a new SA to be established after a set period of time has elapsed. Enter the time period in the HH:MM:SS fields to the right.
Traffic Volume Based IPSec SA Lifetime
Click Traffic Volume Based IPSec SA Lifetime if you want a new SA to be established after a specified amount of traffic has passed through the IPSec tunnel.

Transform Set
Name
Enter a name for this profile.
Available Transform Sets
This column lists the transform sets configured on this router. To add a transform set from this list to the Selected Transform Sets column, select a transform set and click the right arrow (>>) button. If you need to configure a new transform set, click the Transform Sets node in the IPSec tree to go to the Transform Sets window. In that window, click Add to create a new transform set.

ESP Encryption
Cisco SDM recognizes the following ESP encryption types:
• ESP_DES: Encapsulating Security Payload (ESP) with the Data Encryption Standard (DES). DES uses a 56-bit key, which can be recovered by brute force; do not use it for new configurations.
• ESP_3DES: ESP with Triple DES. This is a stronger form of encryption than DES, using a 168-bit key (about 112 bits of effective strength); it is deprecated and should be replaced by AES wherever both peers support it.
• ESP_AES_128: ESP with the Advanced Encryption Standard (AES) and a 128-bit key. AES provides greater security than DES and is computationally more efficient than 3DES.

IP Compression
Indicates whether IP data compression is used.
Note: If your router does not support IP compression, this box is disabled.
Mode
This column contains one of the following values:
• Tunnel: The original IP header and payload are both encrypted, and a new IP header is added. This is the mode used in VPN configurations.
• Transport: Only the payload is encrypted. This mode is used when the encryption endpoints and the communication endpoints are the same.
Type
Either User Defined or Cisco SDM Default.

Add or Edit Transform Set
Use this window to add or edit a transform set. To obtain a description of the allowable transform combinations, and descriptions of the transforms, click Allowable Transform Combinations.
Note
• Not all routers support all transform sets (encryption types). Unsupported transform sets will not appear in the screen.
• Not all IOS images support all the transform sets that Cisco SDM supports.

Encryption
Cisco SDM recognizes the following ESP encryption types:
• ESP_DES: Encapsulating Security Payload (ESP) with the Data Encryption Standard (DES). DES uses a 56-bit key.
• ESP_3DES: ESP with Triple DES. This is a stronger form of encryption than DES, using a 168-bit key.
• ESP_AES_128: ESP with the Advanced Encryption Standard (AES) and a 128-bit key.

Mode
Select which parts of the traffic you want to encrypt:
• Transport (encrypt data only): Transport mode is used when both endpoints support IPsec; this mode places the AH or ESP header after the original IP header, so only the IP payload is encrypted. This method allows users to apply network services such as quality-of-service (QoS) controls to encrypted packets. Transport mode should be used only when the destination of the data is always the remote VPN peer.

IPSec Rules
Used By
The crypto maps this rule is used in.
Type
IPSec rules must specify both source and destination and must be able to specify the type of traffic the packet contains. Therefore, IPSec rules are extended rules.
Description
A textual description of the rule, if available.
Action
Either Permit or Deny. Permit means that packets matching the criteria in this rule are protected by encryption. Deny means that matching packets are excluded from this crypto map and are sent unencrypted, so check every deny entry: a deny that is broader than intended leaks traffic in cleartext without any error.

What Do You Want to Do?
If you want to: Do this:
See the access rule entries for a particular rule. Select the rule in the rule list. The entries for that rule appear in the lower box.
Add an IPSec rule. Click Add, and create the rule in the rule window displayed.
Delete an IPSec rule. Select the rule in the rule list, and click Delete.
Delete a particular rule entry. Select the rule in the rule list, and click Edit.
Chapter 18 Internet Key Exchange
The help topics in this section describe the Internet Key Exchange (IKE) configuration screens.

Internet Key Exchange (IKE)
Internet Key Exchange (IKE) is a standard method for arranging secure, authenticated communications. IKE establishes session keys (and the associated cryptographic and networking configuration) between two hosts across the network. Cisco SDM lets you create IKE policies that protect the identities of peers during authentication.

If you want to: Do this:
Create an IKE policy. Click the IKE Policy node on the VPN tree. See IKE Policies for more information. Cisco SDM provides a default IKE policy, but there is no guarantee that the peer has the same policy. You should configure other IKE policies so that the router is able to offer an IKE policy that the peer can accept.
Create a pre-shared key.

Hash
The authentication algorithm for the negotiation. There are two possible values:
• Secure Hash Algorithm (SHA)
• Message Digest 5 (MD5)
Authentication
The authentication method to be used.
• Pre-SHARE: Authentication is performed using pre-shared keys.
• RSA_SIG: Authentication is performed using digital signatures.
Type
Either SDM_DEFAULT or User Defined. SDM_DEFAULT policies cannot be edited.

Add or Edit IKE Policy
Add or edit an IKE policy in this window.
Note
• Not all routers support all encryption types. Unsupported types will not appear in the screen.
• Not all IOS images support all the encryption types that Cisco SDM supports. Types unsupported by the IOS image will not appear in the screen.

• AES-192: Advanced Encryption Standard (AES) encryption with a 192-bit key.
• AES-256: Advanced Encryption Standard (AES) encryption with a 256-bit key.
Hash
The authentication algorithm to be used for the negotiation. There are two options:
• Secure Hash Algorithm (SHA)
• Message Digest 5 (MD5)
MD5 is no longer considered a strong choice; select SHA when the peer supports it.
Authentication
The authentication method to be used.
• Pre-SHARE: Authentication is performed using pre-shared keys.
• RSA_SIG: Authentication is performed using digital signatures.

Lifetime
This is the lifetime of the security association, in hours, minutes and seconds. The default is one day, or 24:00:00.

IKE Pre-shared Keys
This window allows you to view, add, edit, and remove the IKE pre-shared keys in the router's configuration. A pre-shared key is used with a remote peer during IKE negotiation to prove each side's identity; the key itself is never sent over the network. Both peers must be configured with the same key.
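The IKE policy fields above (encryption, hash, DH group), the ESP transform sets and the PFS option of the IPSec chapter each let you pick a legacy value, and nothing in the windows warns you when you do. The following Python script is an added example, not part of this manual and not code from Cisco SDM: it parses the Cisco IOS configuration text that these windows produce and reports the weak choices. The configuration it audits is a constructed sample (names, addresses and policy numbers are assumed); the IOS defaults it fills in for omitted isakmp-policy lines (des, sha, group 1) and for `set pfs` without a group (group1) are the classic IOS defaults, and the check for a transform set with no integrity transform goes beyond what the windows say, flagging encryption without authentication.

```python
# Constructed sample configuration (not from the manual): one SDM-style legacy
# ISAKMP policy beside a stronger one, two transform sets and a crypto map.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication rsa-sig
 group 5
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set ESP-3DES-SHA
 set pfs group1
 match address 100
"""

WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH = {"1", "2"}                       # 768- and 1024-bit MODP groups
WEAK_ESP = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac"}
INTEGRITY = {"esp-sha-hmac", "esp-md5-hmac", "ah-sha-hmac", "ah-md5-hmac"}


def parse_blocks(config):
    """Split IOS config text into (header line, [indented body lines]) blocks."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def _settings(body):
    """Map the first word of each body line to the rest of the line."""
    out = {}
    for line in body:
        key, _, value = line.partition(" ")
        out[key] = value
    return out


def audit(config):
    """Return a list of (object, problem) pairs for weak IKE/IPsec settings."""
    findings = []
    for header, body in parse_blocks(config):
        words = header.split()
        if header.startswith("crypto isakmp policy "):
            s = _settings(body)
            name = f"isakmp policy {words[3]}"
            encr = s.get("encr", s.get("encryption", "des")).split()[0]  # IOS default: des
            if encr in WEAK_ENCR:
                findings.append((name, f"weak encryption {encr}; use aes"))
            if s.get("hash", "sha") in WEAK_HASH:                       # IOS default: sha
                findings.append((name, "hash md5; use sha"))
            group = s.get("group", "1")                                  # IOS default: group 1
            if group in WEAK_DH:
                findings.append((name, f"DH group {group} is too small; use group 5 or larger"))
        elif header.startswith("crypto ipsec transform-set "):
            name = f"transform-set {words[3]}"
            transforms = [w for w in words[4:] if not w.isdigit()]        # drop AES key sizes
            for t in transforms:
                if t in WEAK_ESP:
                    findings.append((name, f"weak transform {t}"))
            if not any(t in INTEGRITY for t in transforms):
                findings.append((name, "no integrity transform; encryption without authentication"))
        elif header.startswith("crypto map ") and len(words) >= 5 \
                and words[4] in ("ipsec-isakmp", "ipsec-manual"):
            name = f"crypto map {words[2]} {words[3]}"
            if words[4] == "ipsec-manual":
                findings.append((name, "manual keying; keys never rotate"))
            pfs = None
            for line in body:
                parts = line.split()
                if parts[:2] == ["set", "pfs"]:
                    pfs = parts[2] if len(parts) > 2 else "group1"        # IOS default for bare set pfs
            if pfs is None:
                findings.append((name, "PFS not enabled"))
            elif pfs in ("group1", "group2"):
                findings.append((name, f"PFS uses weak {pfs}"))
    return findings


if __name__ == "__main__":
    for obj, problem in audit(SAMPLE_CONFIG):
        print(f"{obj}: {problem}")
```

Run it against the output of show running-config; every line it prints corresponds to a value you can change in the Add or Edit IKE Policy, Add or Edit Transform Set, or Add or Edit Crypto Map windows.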
If you want to: Do this:
Add a pre-shared key to the router's configuration. Click Add, and add the pre-shared key in the Add a new Pre Shared Key window.
Edit an existing pre-shared key. Select the pre-shared key, and click Edit. Then edit the key in the Edit Pre Shared Key window.
Remove an existing pre-shared key. Select the pre-shared key, and click Remove.

Add or Edit Pre Shared Key
Use this window to add or edit a pre-shared key.

IP Address/Subnet Mask
These fields appear if you selected "IP Address" in the Peer field. Enter the IP address of a network or subnet in the IP Address field. The pre-shared key then applies to all peers in that network or subnet. For more information, refer to IP Addresses and Subnet Masks. Enter a subnet mask if the IP address you entered is a subnet address, and not the address of a specific host. A key shared by a whole subnet (or by any address, when a wildcard is used) is only as secure as the least trusted device in that range and cannot be revoked for one peer without changing it for all of them; prefer one key per peer, or digital certificates where the set of peers is not fixed.

Details of IKE Profile
The details area of the screen lists the configuration values for the selected profile. You can use it to view details without clicking the Edit button and displaying an additional dialog. If you need to make changes, click Edit and make the changes you need in the displayed dialog. To learn more about the information shown in this area, see Add or Edit an IKE Profile.

Table 18-1 Add or Edit IKE Profile Fields
Add VPN groups to be associated with this IKE profile: Build a list of the groups that you want to be included in the match criteria. The groups you add are listed.
Group Policy Lookup Authorization Policy: Specify an authorization policy that controls access to group policy information on the AAA server.
• default: Choose default if you want to grant access to group policy lookup information.
• Policyname: To specify a policy, choose an existing policy in the list.
Download user attributes from RADIUS server based on PKI certificate fields: Check this option if you want the Easy VPN server to download user-specific attributes from the RADIUS server and push them to the client during mode configuration. The Easy VPN server obtains the username from the client's digital certificate.
CHAPTER 19 Public Key Infrastructure
The Public Key Infrastructure (PKI) windows enable you to generate enrollment requests and RSA keys, and to manage keys and certificates. You can use the Simple Certificate Enrollment Protocol (SCEP) to create an enrollment request and an RSA key pair and receive certificates online, or create an enrollment request that you can submit to a Certificate Authority (CA) server offline.
Certificate Wizards
Simple Certificate Enrollment Protocol (SCEP) Click this button if you can establish a direct connection between your router and a Certificate Authority (CA) server. You must have the server's enrollment URL in order to do this. The wizard will do the following:
• Gather information from you to configure a trustpoint and deliver it to the router.
• Initiate an enrollment with the CA server you specified in the trustpoint.
After the wizard completes and the commands are delivered to the router, Cisco SDM attempts to contact the CA server. If the CA server is contacted, Cisco SDM displays a message window with the server's digital certificate.
Certificate Authority (CA) Information Provide information to identify the CA server in this window. Also specify a challenge password that will be sent along with the request.
challenge password, enter that password and then reenter it in the Confirm field. The challenge password is sent along with the enrollment request. For security purposes, the challenge password is not saved in the router configuration file, so record it and keep it in a secure location you will remember. You may need to provide it to the CA administrator later, for example to have the certificate revoked.
Include router's fully qualified Domain Name (FQDN) in the certificate It is recommended that the router's fully qualified domain name be included in the certificate. Check this box if you want Cisco SDM to include the router's FQDN in the certificate request.
Note If the Cisco IOS image running on the router does not support this feature, this box is disabled.
Other Subject Attributes The information you enter in this window is placed in the enrollment request. CAs use the X.500 standard to store and maintain information for digital certificates. All fields are optional, but it is recommended that you enter as much information as possible.
Common Name (cn) Enter the common name to be included in this certificate. This is the name used to search for the certificate in the X.500 directory.
RSA Keys
You must include an RSA public key in the enrollment request. Once the certificate has been granted, the public key is included in the certificate so that peers can use it to verify the router's signatures and, where the negotiation calls for it, to encrypt data sent to the router. The private key never leaves the router; it is used to decrypt data that peers encrypted with the public key, and to digitally sign transactions when negotiating with peers.
Summary
Save to USB Token Check the Save keys and certificates to secure USB token checkbox if you want to save the RSA keys and certificates to a USB token connected to your router. This checkbox appears only if a USB token is connected to your router. Choose the USB token from the USB token drop-down menu. Enter the PIN needed to log in to the chosen USB token in the PIN field. After you choose a USB token and enter its PIN, click Login to log in to the USB token.
CA Server Certificate
Cisco SDM displays the digital fingerprint of the CA server's certificate. If you wish to continue the enrollment process, you must accept this certificate. If you do not accept the certificate, the enrollment does not proceed. Compare the displayed fingerprint with a value obtained from the CA administrator over a separate channel before accepting it; this comparison is the only protection against enrolling with an impostor CA.
CA server's certificate's fingerprint is: Cisco SDM displays the hexadecimal value of the CA server's certificate fingerprint in large type.
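The fingerprint that Cisco SDM displays is only useful when it is compared with a value obtained from the CA administrator by another channel (a phone call, the CA's own console, a signed message). The following Python is an added example, not code from the Cisco SDM guide or from Cisco IOS: it computes the MD5 and SHA-1 fingerprints that Cisco IOS prints for a DER-encoded certificate, tolerates the colon-, space- and case-variations in which administrators paste them, and compares them in constant time. CA_CERT_DER is a constructed byte string standing in for the certificate the router downloaded.

```python
import hashlib
import hmac


def normalize_fingerprint(text):
    """Accept 'AB:CD:..', 'AB CD ..', upper or lower case; return plain lowercase hex."""
    return "".join(ch for ch in text.lower() if ch in "0123456789abcdef")


def fingerprints(der):
    """Hex fingerprints of a DER-encoded certificate, the two forms Cisco IOS displays."""
    return {"md5": hashlib.md5(der).hexdigest(), "sha1": hashlib.sha1(der).hexdigest()}


def verify_fingerprint(der, expected):
    """Return the name of the algorithm whose fingerprint matches the admin's value, or None.

    The length check avoids comparing an MD5 value against a SHA-1 digest; compare_digest
    keeps the comparison time independent of where the first mismatch occurs.
    """
    want = normalize_fingerprint(expected)
    for algo, have in fingerprints(der).items():
        if len(want) == len(have) and hmac.compare_digest(want, have):
            return algo
    return None


# Constructed placeholder for the certificate bytes SDM received; a real check feeds in
# the DER certificate the router downloaded from the CA.
CA_CERT_DER = b"\x30\x82\x01\x0a" + bytes(range(256))

if __name__ == "__main__":
    print(fingerprints(CA_CERT_DER))
    print(verify_fingerprint(CA_CERT_DER, fingerprints(CA_CERT_DER)["md5"].upper()))
```

If verify_fingerprint returns None, do not click to accept the certificate; stop the wizard and confirm the enrollment URL with the CA administrator.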
Enrollment Task
After you have submitted the enrollment request to the CA server manually and received the CA server certificate and the certificate for your router, you must start the Cut and Paste wizard again to complete the enrollment and import the certificates to the router.
Enrollment Task Specify whether you are beginning a new enrollment or resuming an enrollment with an enrollment request that you saved to the PC.
Continue with Unfinished Enrollment
If you are continuing with an unfinished enrollment, select the trustpoint associated with the unfinished enrollment, and then specify the part of the enrollment process you need to complete. If you are importing a CA server certificate or a router certificate, the certificate must be available on your PC.
Generate enrollment request Choose this option if you need to generate an enrollment request for the selected trustpoint. The router generates an enrollment request that you can save to the PC and send to the CA. Cisco SDM generates a base-64 encoded PKCS#10 enrollment request.
Import CA certificate If you have the CA server certificate on your hard disk, you can browse for it and import it to your router in this window.
Digital Certificates
This window allows you to view information about the digital certificates configured on the router.
Trustpoints This area displays summary information for the trustpoints configured on the router and allows you to view details about the trustpoints, edit trustpoints, and check whether a trustpoint's certificate has been revoked.
Details Button The Trustpoints list displays only the name, enrollment URL, and enrollment type for a trustpoint.
CA Server The name or IP address of the CA server.
Enrollment Type One of the following:
• SCEP—Simple Certificate Enrollment Protocol. The enrollment was accomplished by connecting directly to the CA server.
• Cut and Paste—Enrollment request was imported from the PC.
• TFTP—Enrollment request was made using a TFTP server.
Status One of the following:
• Available—The certificate is available for use.
• Pending—The certificate has been applied for, but is not yet available for use.
Expires (Days) The number of days the certificate can be used before it expires.
Expiry Date The date on which the certificate expires.
Trustpoint Information The Trustpoints list in the Router Certificates window displays the key information about each trustpoint on the router.
• None—Do not perform a revocation check. With this setting the router keeps trusting a certificate after the CA has revoked it, so use it only for testing.
CRL Query URL Enabled when CRL is selected. Enter the URL where the certificate revocation list is located. Enter the URL only if the certificate supports X.500 DN.
OCSP URL Enabled when OCSP is selected. Enter the URL of the OCSP server that you want to contact.
Revocation Check, CRL Only Specify how the router is to check whether a certificate has been revoked in this window.
RSA Keys Window
generates a pair of keys. One is called the public key, and the other is called the private key. The public key is given to anyone who wants to send encrypted data to the host. The private key is never shared. When a remote host wants to send data, it encrypts it with the public key shared by the local host. The local host decrypts the data using the private key.
RSA keys configured on your router
Name The key name.
Modulus Enter the key modulus value. If you want a modulus value between 512 and 1024, enter an integer value that is a multiple of 64. If you want a value higher than 1024, you can enter 1536 or 2048. If you enter a value greater than 512, key generation may take a minute or longer. The larger the modulus size, the more secure the key is; however, keys with larger modulus sizes take longer to generate and longer to process when exchanged. Moduli of 512 and 1024 bits are no longer considered adequate against a well-resourced attacker, so choose 2048 unless you must interoperate with a peer that cannot handle it.
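The request that the Cut and Paste wizard produces is a base-64 PKCS#10 structure, and the subject attributes and RSA modulus size described above are exactly what a CA administrator inspects before granting it. The following Python is an added example, not code from the Cisco SDM guide or from Cisco IOS: a minimal DER walker that extracts the subject attributes and the modulus size from such a request, then applies the modulus rule stated on this page together with a local 2048-bit policy floor. The subject values, the hypothetical 2048-bit odd number used as a modulus and the dummy signature in the constructed sample request are assumptions for the example; a request from a real router carries a genuine key and signature.

```python
import base64

# Subject attribute OIDs from the "Other Subject Attributes" window, plus the RSA key OID.
OIDS = {"2.5.4.3": "cn", "2.5.4.11": "ou", "2.5.4.10": "o", "2.5.4.8": "st",
        "2.5.4.6": "c", "1.2.840.113549.1.1.1": "rsaEncryption"}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the contents of a constructed type into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        out.append((tag, v))
    return out


def _decode_oid(b):
    parts, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def parse_pkcs10(b64):
    """Subject attributes, key algorithm and modulus size of a base-64 PKCS#10 request."""
    _, csr, _ = _read_tlv(base64.b64decode(b64), 0)     # CertificationRequest
    info = _children(csr)[0][1]                           # CertificationRequestInfo
    _version, subject, spki = _children(info)[:3]
    attrs = {}
    for _t, rdn in _children(subject[1]):                 # Name ::= SEQUENCE OF SET OF ATV
        for _t2, atv in _children(rdn):
            oid, val = _children(atv)
            attrs[OIDS.get(_decode_oid(oid[1]), _decode_oid(oid[1]))] = val[1].decode()
    alg, keybits = _children(spki[1])                     # SubjectPublicKeyInfo
    alg_oid = _decode_oid(_children(alg[1])[0][1])
    rsa_key = _children(keybits[1][1:])[0][1]             # skip BIT STRING unused-bits byte
    modulus = int.from_bytes(_children(rsa_key)[0][1], "big")
    return {"subject": attrs, "key_algorithm": OIDS.get(alg_oid, alg_oid),
            "modulus_bits": modulus.bit_length()}


def sdm_modulus_allowed(bits):
    """The modulus rule stated on this page: 512..1024 in steps of 64, or 1536 or 2048."""
    return (512 <= bits <= 1024 and bits % 64 == 0) or bits in (1536, 2048)


def check_request(b64, minimum_bits=2048):
    """Apply the SDM rule and a local policy floor; return a list of findings (empty = OK)."""
    info, findings = parse_pkcs10(b64), []
    if info["key_algorithm"] != "rsaEncryption":
        findings.append("key is not RSA")
    if not sdm_modulus_allowed(info["modulus_bits"]):
        findings.append("modulus %d is not a size Cisco SDM 2.5 offers" % info["modulus_bits"])
    if info["modulus_bits"] < minimum_bits:
        findings.append("modulus %d is below the %d-bit policy floor" % (info["modulus_bits"], minimum_bits))
    if "cn" not in info["subject"]:
        findings.append("no common name in subject")
    return findings


# --- tiny DER encoder, used only to build the constructed sample request below ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, (p & 0x7F) | 0x80)
            p >>= 7
        out.extend(chunk)
    return bytes(out)


def _der_int(n):
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return _der(0x02, (b"\x00" + b) if b[0] & 0x80 else b)   # keep INTEGER positive


def build_sample_csr(subject, modulus, exponent=65537):
    """Constructed sample: a PKCS#10 body with a dummy signature, base-64 encoded."""
    name = _der(0x30, b"".join(
        _der(0x31, _der(0x30, _der(0x06, _encode_oid(oid)) + _der(0x13, val.encode())))
        for oid, val in subject))
    rsa_alg = _der(0x30, _der(0x06, _encode_oid("1.2.840.113549.1.1.1")) + _der(0x05, b""))
    spki = _der(0x30, rsa_alg + _der(0x03, b"\x00" + _der(0x30, _der_int(modulus) + _der_int(exponent))))
    info = _der(0x30, _der_int(0) + name + spki + _der(0xA0, b""))
    sig_alg = _der(0x30, _der(0x06, _encode_oid("1.2.840.113549.1.1.5")) + _der(0x05, b""))
    return base64.b64encode(_der(0x30, info + sig_alg + _der(0x03, b"\x00" * 9))).decode()


# Hypothetical subject; a 2048-bit odd number stands in for a real RSA modulus.
SAMPLE_SUBJECT = [("2.5.4.3", "router1.example.com"), ("2.5.4.11", "Engineering"),
                  ("2.5.4.10", "Example Corp"), ("2.5.4.6", "US")]
SAMPLE_CSR = build_sample_csr(SAMPLE_SUBJECT, (1 << 2047) | 1)

if __name__ == "__main__":
    print(parse_pkcs10(SAMPLE_CSR))
    print(check_request(SAMPLE_CSR))
```

The walker reads only the fields it needs and does not validate the signature; it is a pre-check on what the wizard generated, not a substitute for the CA's own verification of the request.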
Choose the USB token from the USB token drop-down menu. Enter the PIN needed to log in to the chosen USB token in the PIN field.
USB Tokens
This window allows you to configure USB token logins and displays a list of the configured USB token logins. When a USB token is connected to your Cisco router, Cisco SDM uses the matching login to log in to the token.
Add Click Add to add a new USB token login.
Edit Click Edit to edit an existing USB token login.
Removal Timeout Displays the maximum number of seconds that the router continues to use Internet Key Exchange (IKE) credentials obtained from the USB token after the token is removed from the router. If Removal Timeout is empty, the default timeout is used. The default timeout is triggered when a new attempt to access the IKE credentials is made. While the timeout is running, the router can still complete IKE negotiations with credentials whose token is no longer present, so keep the value short.
Secondary Config File Displays the configuration file that the router attempts to find on the USB token.
Enter New PIN Enter a new PIN for the USB token. The new PIN must be at least 4 digits long and must match the PIN set on the token you want to log in to. If you are editing a USB token login, the current PIN is replaced by the new PIN.
Reenter New PIN Reenter the new PIN to confirm it.
Maximum PIN Retries Choose the maximum number of times Cisco SDM will attempt to log in to the USB token with the given PIN. Exceeding the token's own retry limit can lock the token, so keep this value below that limit.
Open Firewall
This screen is displayed when Cisco SDM detects a firewall on an interface that would block return traffic that the router needs to receive. Two situations in which it might appear are when a firewall would block DNS traffic or PKI traffic and prevent the router from receiving this traffic from the servers. Cisco SDM can modify these firewalls so that the servers can communicate with the router.
Details Button Click this button to view the access control entry that Cisco SDM would add to the firewall if you allow the modification.
Open Firewall Details This window displays the access control entry (ACE) that Cisco SDM would add to a firewall to enable various types of traffic to reach the router. This entry is not added unless you check Modify in the Open Firewall window and complete the wizard. Review the entry before accepting it; it should permit only the specific server address and port involved.
CHAPTER 20 Certificate Authority Server
You can configure a Cisco IOS router to serve as a Certificate Authority (CA) server. A CA server handles certificate enrollment requests from clients, and can issue and revoke digital certificates. To create, back up, restore, or edit a CA server, go to Configure > VPN > Public Key Infrastructure > Certificate Authority > Create CA Server.
Create CA Server
and complete the configuration. If Cisco SDM does not discover missing configurations, this box does not appear. Possible prerequisite tasks are described in Prerequisite Tasks for PKI Configurations.
Create Certificate Authority (CA) Server Click this button to create a CA server on the router. Because only one CA server can be configured on the router, this button is disabled if a CA server is already configured.
affected if the router needs to be rebooted. If your organization does not have an NTP server, you may want to use a publicly available server, such as the server described at the following URL: http://www.eecis.udel.edu/~mills/ntp/clock2a.html
• DNS not configured—Specifying DNS servers helps ensure that the router is able to contact the certificate server.
CA Server Name Provide a name to identify the server in the CA Server Name field. This could be the host name of the router, or another name that you enter.
Grant Choose Manual if you want to grant certificates manually. Choose Auto if you want the server to grant certificates automatically. Auto, used mostly for debugging, is not recommended because it issues a certificate to any requester without requiring enrollment information; anyone who can reach the enrollment URL could obtain a certificate that your VPN peers trust.
Organizational Unit (ou) Enter the organizational unit, or department name, to use for this certificate. For example, IT Support or Engineering might be organizational units.
Organization (o) Enter the organization or company name.
State (st) Enter the state or province in which the organization is located.
Country (c) Enter the country in which the organization is located.
• complete—In addition to the information given by the minimal and names options, each issued certificate is written to the database.
Database URL Enter the location to which the CA server will write certificate enrollment data. If no location is given, certificate enrollment data is written to flash memory by default. For example, to write certificate enrollment data to a TFTP server, enter tftp://mytftp.
TFTP provides neither authentication nor encryption, so anyone on the path can read or alter the database; if you use a TFTP location, confine it to a protected management network.
• Enrollment-Request—Open certificate requests existing in the enrollment database, but not including requests received through SCEP. Lifetime is entered in hours, in the range 1–1000. If no value is entered, an open enrollment request expires after 168 hours (one week).
CA Server Wizard: RSA Keys
The CA server uses its public and private RSA keys to encrypt data and to sign the certificates it issues.
Passphrase and Confirm Passphrase In the Passphrase field, enter a passphrase that will be required when restoring the CA server from a backup. Reenter the same passphrase in the Confirm Passphrase field. The backup contains the CA private key, so choose a strong passphrase and store it separately from the backup files.
Open Firewall The Open Firewall window appears when a firewall configuration must be modified in order to allow communication between the CDP server and the CA server.
Manage CA Server
CA Server will automatically generate RSA key pair with following defaults:
Modulus: 1024
Type of Key: General Purpose
Exportable Key: No
Passphrase configured: ******
-----------------------------------------------------------
Firewall Pass-through ACEs for Interface(s):
-----------------------------------------------------------
FastEthernet0/0 permit tcp host 192.27.108.92 eq www host 192.27.108.
Start Server The Start Server button is displayed if the server is stopped. Click Start Server to start the CA server.
Stop Server The Stop Server button is displayed if the server is running. Click Stop Server if you need to stop the CA server.
Backup Server Click Backup Server to back up the server configuration information to the PC. Enter the backup location in the displayed dialog.
Restore Window
Item Name / Item Value
Issuer Name CN=CertSvr
Mode Certificate Authority
Name CertSvr
See CA Server Wizard: Certificate Authority Information and Advanced Options for descriptions of these items.
Backup CA Server You can back up the files that contain the information for the CA server to your PC. The Backup CA Server window lists the files that will be backed up.
CA Server Name Enter the name of the CA server that you backed up.
File Format Choose the file format that was specified in the server configuration, either PEM or PKCS12.
Complete URL Enter the router database URL that was provided when the CA server was configured. This is the location to which the CA server writes certificate enrollment data. Two sample URLs follow:
nvram:/mycs_06.p12
tftp://192.168.3.2/mycs_06.
Edit CA Server Settings: Advanced Tab You can change any of the advanced CA server settings in this window. For information on these settings, see Advanced Options.
Manage CA Server: CA Server Not Configured This window appears when you click Manage CA Server but no CA server is configured. Click Create CA Server and complete the wizard to configure a CA server on your router.
Manage Certificates
Grant Click Grant to issue the certificate to the requesting client. Before granting, verify the request out of band with the requester, for example by comparing the request fingerprint that the client router printed when it enrolled; anyone who can reach the enrollment URL can submit a request with any subject name.
Note The CA server windows do not show the IDs of the certificates that are granted. In case it is ever necessary to revoke a certificate, obtain the certificate ID from the administrator of the client that the certificate was issued to. The client administrator can determine the certificate ID by entering the Cisco IOS command show crypto pki certificates (sh crypto pki cert); the ID is the value shown as Certificate Serial Number.
Revoke Certificate Click Revoke Certificate to display a dialog that allows you to enter the ID of the certificate that you want to revoke.
Note The certificate ID does not always match the request ID shown in the CA server windows. It may be necessary to obtain the ID of the certificate to be revoked from the administrator of the client for which the certificate was granted. See Pending Requests for information on how the client administrator can determine the certificate ID.
Revoke Certificate You can revoke certificates that have been granted by this CA server in this window.
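To revoke a certificate you need its serial number, which the CA server windows do not show. The following Python is an added example, not code from the Cisco SDM guide or from Cisco IOS: it parses the output of show crypto pki certificates that a client administrator would collect, returns the serial number of the router certificate under a trustpoint, and computes the remaining lifetime the way the Expires (Days) column in the Digital Certificates window presents it. The sample output is constructed for this example; the field layout follows Cisco IOS, while the trustpoint name, serial numbers and dates are made up.

```python
import re
from datetime import datetime, timezone

# Constructed sample of "show crypto pki certificates" output (values are made up).
SAMPLE_OUTPUT = """\
Certificate
  Status: Available
  Certificate Serial Number: 0x03
  Certificate Usage: General Purpose
  Issuer:
    cn=CertSvr
  Subject:
    Name: router1.example.com
    hostname=router1.example.com
  Validity Date:
    start date: 10:15:00 UTC Mar 1 2008
    end   date: 10:15:00 UTC Mar 1 2009
  Associated Trustpoints: CertSvr

CA Certificate
  Status: Available
  Certificate Serial Number: 0x01
  Certificate Usage: Signature
  Issuer:
    cn=CertSvr
  Subject:
    cn=CertSvr
  Validity Date:
    start date: 09:00:00 UTC Jan 1 2008
    end   date: 09:00:00 UTC Jan 1 2011
  Associated Trustpoints: CertSvr
"""

IOS_DATE_FORMAT = "%H:%M:%S %Z %b %d %Y"
FIELD_RE = re.compile(r"^\s+(Status|Certificate Serial Number|Certificate Usage|Associated Trustpoints):\s*(.+)$")
DATE_RE = re.compile(r"^\s+(start|end)\s+date:\s*(.+)$")


def parse_ios_date(text):
    """Turn an IOS validity timestamp such as '10:15:00 UTC Mar 1 2009' into an aware datetime."""
    return datetime.strptime(text.strip(), IOS_DATE_FORMAT).replace(tzinfo=timezone.utc)


def parse_show_certificates(text):
    """Split the command output into one dict per certificate block."""
    certs, current = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():           # an unindented line starts a new block
            current = {"type": line.strip()}
            certs.append(current)
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
            continue
        m = DATE_RE.match(line)
        if m:
            current[m.group(1)] = parse_ios_date(m.group(2))
    return certs


def router_certificate_serial(certs, trustpoint):
    """Serial number of the router's own (non-CA) certificate under a trustpoint, or None.

    This is the ID the CA server's Revoke Certificate dialog asks for; the request ID
    shown in the CA server windows is a different number.
    """
    for c in certs:
        if c["type"] == "Certificate" and c.get("Associated Trustpoints") == trustpoint:
            return c.get("Certificate Serial Number")
    return None


def days_until_expiry(cert, now):
    """Whole days remaining, matching the Expires (Days) column; 0 once the certificate has expired."""
    return max(0, (cert["end"] - now).days)


def expiry_report(certs, now):
    """(type, status, serial, days left) for every certificate in the output."""
    return [(c["type"], c.get("Status"), c.get("Certificate Serial Number"), days_until_expiry(c, now))
            for c in certs]


if __name__ == "__main__":
    certs = parse_show_certificates(SAMPLE_OUTPUT)
    print(router_certificate_serial(certs, "CertSvr"))
    print(expiry_report(certs, datetime.now(timezone.utc)))
```

Run expiry_report against a current timestamp from a scheduled job and alert when the router certificate's days-left value drops below the window you need to re-enroll; a certificate that has expired reports 0, which is exactly the moment VPN peers will start rejecting the router.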
CHAPTER 21 Cisco IOS SSL VPN
Cisco IOS SSL VPN provides Secure Sockets Layer (SSL) VPN remote-access connectivity from almost any Internet-enabled location using only a web browser and its native SSL encryption. This enables companies to extend their secure enterprise networks to any authorized user by providing remote-access connectivity to corporate resources from any Internet-enabled location.
Cisco IOS SSL VPN Contexts, Gateways, and Policies describes how the components of a Cisco IOS SSL VPN configuration work together. Click Cisco IOS SSL VPN links on Cisco.com for links to Cisco IOS SSL VPN documents. This chapter contains the following sections:
• Cisco IOS SSL VPN links on Cisco.com
• Creating an SSL VPN Connection
• Editing SSL VPN Connections
• Additional Help Topics
Cisco IOS SSL VPN links on Cisco.
Creating an SSL VPN Connection
Step 3 On the Cisco SDM category bar, click VPN.
Step 4 In the VPN tree, choose SSL VPN.
Step 5 In the Create SSL VPN tab, complete any recommended tasks that are displayed by clicking the link for the task. Cisco SDM either completes the task for you or displays the necessary configuration screens for you to make settings in.
Step 6 Choose the task you want to complete.
• Configure Intranet Websites
• Add or Edit URL
• Customize SSL VPN Portal
• SSL VPN Passthrough Configuration
• User Policy
• Details of SSL VPN Group Policy: Policyname
• Select the SSL VPN User Group
• Select Advanced Features
• Thin Client (Port Forwarding)
• Add or Edit a Server
• Full Tunnel
• Locating the Install Bundle for Cisco SDM
• Enable Cisco Secure Desktop
• Common Internet File System
• Enable Clientle
that enables you to complete the missing configuration. When all prerequisite configurations are complete, you can return to this window and start configuring Cisco IOS SSL VPN. Cisco SDM enables AAA without user input. Cisco SDM can help you generate public and private keys for the router and enroll them with a certification authority to obtain digital certificates. See Public Key Infrastructure for more information.
Launch the selected task button Click to begin the configuration that you selected. You will receive a warning message if you cannot complete the task that you chose. If there is a prerequisite task that you need to complete, you will be told what it is and how to complete it.
Persistent Self-Signed Certificate You can provide the information for a persistent self-signed certificate in this dialog. Because no CA vouches for a self-signed certificate, users' browsers warn about it, and users have no way to tell the real gateway from an impostor presenting its own self-signed certificate; for production use, enroll the gateway with a CA that the users' browsers trust.
Generate Button After providing the information in this window, click Generate to have the router create the persistent self-signed certificate.
Welcome The Welcome window for each wizard lists the tasks that the wizard enables you to complete. Use this information to ensure that you are using the correct wizard. If you are not, click Cancel to return to the Create SSL VPN window and choose the wizard that you want to use.
Allow Cisco SDM access through IP Address Checkbox Check if you want to continue to access Cisco SDM from this IP address. This checkbox appears if you entered the IP address you are currently using to access Cisco SDM.
Note If you check this checkbox, the URL that you must use to access Cisco SDM changes after you deliver the configuration to the router. Review the information area at the bottom of the window to learn which URL to use.
External AAA server Button Click if you want the router to use an AAA server to authenticate Cisco IOS SSL VPN users. The router will use the AAA servers that are listed in this window. If there are no AAA servers configured, you can configure them in this window. To use this option, there must be at least one AAA server configured on the router.
Locally on this router Button Click if you want the router to authenticate users itself.
Create user accounts locally on this router Enter the users that you want the router to authenticate in this list. Use the Add and Edit buttons to manage the users on the router. This list does not appear if you chose External AAA server. Local accounts live in the router configuration and are only as protected as that file; for more than a handful of users, an external AAA server is easier to keep current and to audit.
Configure Intranet Websites Configure groups of intranet websites that you want users to have access to in this window.
Customize SSL VPN Portal The settings that you make in this screen determine the appearance of the portal to the user. You can select among the predefined themes listed, and obtain a preview of the portal as it would appear if that theme were used.
Theme Select the name of a predefined theme.
Preview This area shows what the portal looks like with the selected theme. You may want to preview several themes to determine which one you want to use.
User Policy This window allows you to choose an existing Cisco IOS SSL VPN and add a new policy to it. For example, you might have created a Cisco IOS SSL VPN named Corporate, and you want to define intranet access for a new group of users that you name Engineering.
Select existing SSL VPN Choose the Cisco IOS SSL VPN for which you want to create a new group of users.
WINS servers This area displays the IP addresses of the WINS servers that this policy is configured to use.
Select the SSL VPN User Group Choose the Cisco IOS SSL VPN and associated user group for which you want to configure advanced services in this window.
SSL VPN Choose the Cisco IOS SSL VPN that the user group is associated with from this list.
User Group Choose the user group for which you will configure advanced features.
This window contains a list of the servers and port numbers configured for the intranet. Use the Add button to add a server IP address and port number. Use the Edit and Delete buttons to change the information in this list and to remove information for a server. The list that you build appears in the portal that clients see when they log in.
Add or Edit a Server Add or edit server information in this window.
Full Tunnel Full tunnel clients must download the full tunnel software and obtain an IP address from the router. Use this window to configure the IP address pool that full tunnel clients will draw from when they log in and to specify the location of the full tunnel install bundle.
Example 21-1 Full Tunnel Package Installed on Router
flash:sslclient-win-1.0.2.127.pkg
In Example 21-1, the Full Tunnel install bundle is loaded in router flash. If your router's primary device is a disk or a slot, the path that you see will start with diskn or slotn. If this field is empty, you must locate the install bundle so that Cisco SDM can load it onto the router primary device, or download the software install bundle from Cisco.
Step 1 Look at the Location field. If the path to the install bundle is in that field, no further action need be taken. Cisco SDM configures the router to download the software from that location. Example 21-2 shows a path to a software install bundle.
Example 21-2 Full Tunnel Package Installed on Router
flash:sslclient-win-1.0.2.127.pkg
Step 2 If the Location field is empty, click the ...
Cisco SDM installs the software onto the router from the PC directory that you specified when you deliver the configuration to the router by clicking Finish.
Enable Cisco Secure Desktop The router can install Cisco Secure Desktop on the user PC when the user logs in to the Cisco IOS SSL VPN. Web transactions can leave cookies, browser history files, e-mail attachments, and other files on the PC after the user logs out.
Click Locating the Install Bundle for Cisco SDM to learn how to locate the Cisco Secure Desktop software install bundle and supply a path to it for Cisco SDM to use.
Common Internet File System Common Internet File System (CIFS) allows clients to remotely browse, access, and create files on Microsoft Windows-based file servers using a web browser interface.
Summary This window displays a summary of the Cisco IOS SSL VPN configuration that you have created. Click Finish to deliver the configuration to the router, or click Back to return to a wizard window to make changes. To see the CLI commands that you are delivering to the router, go to Edit > Preferences, and check Preview commands before delivering to router.
Chapter 21 Cisco IOS SSL VPN Editing SSL VPN Connections Editing SSL VPN Connection Reference The topics in this section describe the SSL VPN Edit screens.
Chapter 21 Cisco IOS SSL VPN Editing SSL VPN Connections Edit SSL VPN The Edit SSL VPN window allows you modify or create Cisco IOS SSL VPN configurations. The top portion of the tab lists the configured Cisco IOS SSL VPN contexts. The bottom portion displays details for that context. Click Cisco IOS SSL VPN to get an overview of the Cisco IOS SSL VPN features that Cisco SDM supports. Click Cisco IOS SSL VPN links on Cisco.com for links to Cisco IOS SSL VPN documents.
Chapter 21 Cisco IOS SSL VPN Editing SSL VPN Connections Status Contains icons for quick status identification. Administrative Status Textual description of status. • In Service—Context is in service. Users specified in policies configured under the context can access their Cisco IOS SSL VPN portal. • Not in Service—Context is not in service. Users specified in policies configured under the context cannot access their Cisco IOS SSL VPN portal.
Chapter 21 Cisco IOS SSL VPN Editing SSL VPN Connections Table 21-1 SSL VPN Context Fields Element Description Name Enter the name of a new context, or choose the name of an existing context to edit it. Associated Gateway Select an existing gateway, or click Create gateway to configure a new gateway for the context. The gateway contains the IP address and digital certificate is used for this context. Each gateway requires a unique public IP address.
Chapter 21 Cisco IOS SSL VPN Editing SSL VPN Connections Table 21-1 SSL VPN Context Fields (continued) Element Description Default Group Policy Select the policy that you want to use as the default group policy. The default group policy will be used for users who have not been included in any policy configured on the AAA server. Enable RADIUS Accounting Check Enable RADIUS Accounting to enable this feature for the context that you are editing.
Chapter 21 Cisco IOS SSL VPN Editing SSL VPN Connections Context: Group Policies This window displays the group policies configured for the chosen Cisco IOS SSL VPN context. Use the Add, Edit, and Delete buttons to manage these group policies. For each policy, this window shows the name of the policy and whether the policy is the default group policy. The default group policy is the policy assigned to a user who has not been included in another policy.
Chapter 21 Cisco IOS SSL VPN Editing SSL VPN Connections Table 21-2 General Tab Fields Element Description Name Enter a name for the group policy, for example Engineering, Human Resources, or Marketing. Make this the default group policy for context Check if you want to make this the default group policy. The default group policy is the policy assigned to a user who is not included in another policy.
Chapter 21 Cisco IOS SSL VPN Editing SSL VPN Connections Table 21-3 Clientless Tab Fields Element Description Clientless Web Browsing Action URL List Select one or more URL lists that you want to display in the portal that the users in this group will see. URLs in the list that you specify will be displayed in the portal. View To examine a URL list, choose a name from the list and click View.
Chapter 21 Cisco IOS SSL VPN Editing SSL VPN Connections Table 21-3 Clientless Tab Fields Element Description NBNS Server List You must specify the NBNS server list that will enable the appropriate files to be displayed to these users. Choose the NBNS Server list to use for this group. To configure a list, click NETBIOS Name Server Lists in the SSL VPN Context tree and click Add to configure a list. View To verify the contents of a WINS server list, choose the list and click View.
Chapter 21 Cisco IOS SSL VPN Editing SSL VPN Connections Note You must specify the location of the Full Tunnel client software by clicking Packages in the SSL VPN tree, specifying the location of the install bundle, and then clicking Install. Enable Full Tunnel connections by choosing Enable from the list. If you want to require Full Tunnel connections, choose Required.
Chapter 21 Cisco IOS SSL VPN Editing SSL VPN Connections Dead Peer Detection Timeouts Dead Peer Detection (DPD) allows a system to detect a peer that is no longer responding. You can set separate timeouts that the router can use to detect clients that are no longer responding, and servers that are no longer responding. The range for both is from 0 to 3600 seconds.
Chapter 21 Cisco IOS SSL VPN Editing SSL VPN Connections The section “Learn More About Split Tunneling” contains more information about this topic. Split DNS If you want Cisco IOS SSL VPN clients to use the DNS server in the corporate network only to resolve specific domains, you can enter those domains in this area. They should be domains within the corporate intranet. Separate each entry with a semicolon and do not use carriage returns. Here is a sample list of entries: yourcompany.com;dev-lab.
Chapter 21 Cisco IOS SSL VPN Editing SSL VPN Connections Do not use proxy server for addresses beginning with If you do not want clients to use proxy servers when sending traffic to specific IP addresses or networks, you can enter them here. Use a semicolon to separate each entry. For example, if you do not want clients to use a proxy server when connecting to any server in the 10.10.0.0 or 10.11.0.0 networks, enter 10.10;10.11. You can enter as many networks as you want.
values you enter are used in the portal for the selected context. Changes that you make in this window only affect the portal you are creating. They do not change the default values for the theme.
Login Message
Enter the login message that you want clients to see when their browsers display the portal. For example: Welcome to the company-name network. Log off if you are not an authorized user.
Preview Button
Click to see a preview of the portal as it will look with the predefined theme or custom values you have specified.
Select Color
Click Basic to select a predefined color, or click RGB to create a custom color.
Basic
Select the color that you want to use from the palette on the left. The color you select appears in the large square on the right side of the dialog.
Add or Edit an NBNS Server
You must enter the IP address of each server, along with the number of seconds that the router is to wait before attempting to connect to the server again, and the number of times the router is to attempt to contact the server. Check Make this server the master server if you want this server to be the first server on the list that the router contacts.
Add or Edit a URL List
You must enter a name for each URL list, and heading text that will appear at the top of the URL list. Heading text should describe the overall contents of the links in the list. For example, if a URL list provides access to the health plan web pages and insurance web pages, you might use the heading text Benefits. Use the Add button to create a new entry for the list, and the Edit and Delete buttons to maintain the list.
Click a gateway to view details about it in the lower part of the window. Enable a gateway that is Disabled by choosing it and clicking Enable. Take an enabled gateway out of service by choosing it and clicking Disable. To edit a gateway, select the gateway and click the Edit button. To remove a gateway, choose the gateway and click the Delete button.
Enable Gateway Checkbox
Uncheck if you do not want to enable the gateway. You can also enable and disable the gateway from the SSL VPN Gateways window.
Packages
This window enables you to obtain software install bundles that must be downloaded to Cisco IOS SSL VPN clients to support Cisco IOS SSL VPN features, and to load them on the router. You can also use this window to remove install bundles that have been installed.
Chapter 21 Cisco IOS SSL VPN Additional Help Topics http://www.cisco.com/cgi-bin/tablebuild.pl/securedesktop Install Package Specify the current location of an install bundle by browsing for it in this window. If the install bundle is already located on the router, click Router and browse for it. If it is located on the PC, click My Computer and browse for it. When you have specified the current location of the install bundle, click OK. The location will be visible in the Packages window.
• One Cisco IOS SSL VPN context can support multiple group policies.
• Each context must have one associated gateway.
• One gateway can support multiple contexts.
• If there is more than one group policy on the router, an AAA server must be used for authentication.
another reachable IP address if one is available. Either a digital certificate or a self-signed certificate must be configured for gateways to use. All gateways on the router can use the same certificate. Although one gateway can serve multiple Cisco IOS SSL VPN contexts, resource constraints and IP address reachability must be taken into account.
Table 21-5 Creating a New SSLVPN
Cisco IOS SSL VPN Wizard Window: Create SSL VPN Window. The Prerequisite Tasks area indicates that digital certificates are not configured on the router.
Configuration: Cisco SDM configures a self-signed certificate named “Router_Certificate” that will be available for use in all Cisco IOS SSL VPN configurations.
Table 21-5 Creating a New SSLVPN (continued)
Cisco IOS SSL VPN Wizard Window: User chooses Locally on this router. User adds one user account to the existing list.
Configuration: Cisco SDM creates the authentication list “sdm_vpn_xauth_ml_1.” This list will be displayed in the Cisco IOS SSL VPN Contexts window when the user completes the wizard.
Table 21-5 Creating a New SSLVPN (continued)
Cisco IOS SSL VPN Wizard Window: Summary Window
Configuration: The Summary window displays the information shown at the right. Additional details can be viewed in the Edit SSL VPN windows.
policy_1 provides the basic Cisco IOS SSL VPN service of URL mangling, and specifies that a full tunnel be established between clients and the router. No other features are configured.
When the client's browser connects to the gateway router, a portal applet is downloaded to the client PC. This applet contains the server's IP address and static port number, and the port number that the client PC is to use. The applet does the following:
• Creates a mapping on the client PC that maps traffic for port 23 on 10.0.0.100 to the PC's loopback IP address 127.0.0.1, port 3001.
• Listens on port 3001, IP address 127.0.0.
for those policies, the router can contact that server, and receive the information that Bob Smith is a member of the group Sales. The router can then display the correct portal for the Sales group. For information on how to configure the AAA server, see the “Configuring RADIUS Attribute Support for SSL VPN” section in the SSL VPN Enhancements document at the following link: http://www.cisco.
Note The Destination Network list in the Split Tunneling area may already contain network addresses. The traffic settings you make in the Split Tunneling area override any settings previously made for the listed networks.
How do I configure a Cisco IOS SSL VPN after I have configured a firewall?
If you have already configured a firewall, you can still use the Cisco IOS SSL VPN wizards in Cisco SDM to create Cisco IOS SSL VPN contexts and policies. Cisco SDM validates the Cisco IOS SSL VPN CLI commands that it generates against the existing configuration on the router.
Chapter 22 SSL VPN Enhancements
This chapter explains how to configure SSL VPN enhancements available with
SSL VPN Reference
• SSL VPN Context: Access Control Lists
• Add or Edit Application ACL
• Add ACL Entry
• Action URL Time Range
• Add or Edit Action URL Time Range Dialog
• Add or Edit Absolute Time Range Entry
• Add or Edit Periodic Time Range Entry
SSL VPN Context: Access Control Lists
You can create Application ACLs to control access to specific URLs.
Field Reference
Table 22-1 describes the fields in this screen.
Table 22-1 SSL VPN Access Control List Fields
Access Control List
Add: To create an Application ACL, click Add and create the Application ACL in the displayed dialog.
Edit: To edit an Application ACL, choose the ACL and click Edit. Edit the ACL in the displayed dialog.
Delete: To delete an ACL, choose the ACL and click Delete.
Table 22-2 Add or Edit SSL VPN Context ACL Fields
ACL Name: Enter a name for this ACL.
Add: To create an entry for this ACL, click Add and create the entry in the displayed dialog.
Edit: To modify an entry, select the entry and click Edit. Then modify it in the displayed dialog.
Delete: To remove an entry from this ACL, select the entry and click Delete.
Table 22-3 Add or Edit SSL VPN Context ACL Entry Fields (continued)
Specific URL: To have this ACL entry apply to a URL that you specify, click Specific URL. Then enter the URL in the field. Be sure to enter the entire URL. The following are examples of valid URLs:
http://www.cisco.com
https://www.foo.com
ftp://ftp.bad-down-loads.
Table 22-4 Action URL Time Range Fields (continued)
Delete: To remove an entry, select the entry and click Delete.
Item Name: The Item Name list displays the time range entries configured for this context.
Details of Action URL Time Range: The Details area displays additional information about the selected time range entry.
Type Period: One of the following:
• Absolute—The time range specifies an absolute date.
Table 22-5 Time Range Fields
Time Range Name: Enter a name for the time range.
Time Range Entry List Area
Type Period: One of the following:
• Absolute—The time range specifies an absolute date. It can have a start date, an end date, or both.
• Periodic—The time range specifies days of the week, so that you can include some days and not others. It can also specify a start time and an end time.
Field Reference
Table 22-6 describes the fields in this screen.
Table 22-6 Absolute Time Range Fields
Start: To specify a start date, click Start, and enter a date and time.
From Date: Enter the starting date in dd/mm/yyyy format. For example, entering 1/10/2007 specifies a start date of October 1, 2007.
Time: Enter the starting time in 24-hour format. For example, entering 13:00 specifies a starting time of 1:00 p.m.
Table 22-7 Periodic Time Range Fields
Period: Choose one of the following:
• Specific weekdays—To select specific days, choose this option, and then check the boxes next to the days of the week that you want to include.
• weekdays—To include only Monday, Tuesday, Wednesday, Thursday, and Friday, choose this option.
• weekend—To include only Saturday and Sunday, choose this option.
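An added example, not taken from the guide: a Python model of Application ACL entries governed by the absolute and periodic time ranges that Tables 22-5 to 22-7 describe, including the dd/mm/yyyy date convention. The permit/deny action names, first-match evaluation with deny as the default, inclusive start and end times, and the URLs ftp.example.net and intranet.example.net are assumptions made for the example.

```python
from datetime import datetime, time

DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
PERIODS = {"weekdays": set(DAY_NAMES[:5]), "weekend": set(DAY_NAMES[5:])}


def parse_sdm_datetime(date_text, time_text):
    """Parse the dd/mm/yyyy date and 24-hour time exactly as the dialog documents
    them: '1/10/2007' with '13:00' is 1:00 p.m. on October 1, 2007, not January 10."""
    return datetime.strptime(f"{date_text} {time_text}", "%d/%m/%Y %H:%M")


class AbsoluteEntry:
    """Absolute entry: a start, an end, or both (either may be None)."""
    def __init__(self, start=None, end=None):
        self.start, self.end = start, end

    def active(self, now):
        return (self.start is None or now >= self.start) and \
               (self.end is None or now <= self.end)


class PeriodicEntry:
    """Periodic entry: 'weekdays', 'weekend' or a list of specific day names,
    with an optional daily start and end time (assumed inclusive)."""
    def __init__(self, period, start=time(0, 0), end=time(23, 59)):
        self.days = PERIODS[period] if isinstance(period, str) else {d.lower() for d in period}
        self.start, self.end = start, end

    def active(self, now):
        return DAY_NAMES[now.weekday()] in self.days and \
               self.start <= now.time() <= self.end


class TimeRange:
    """A named range is active when any one of its entries is active (assumption)."""
    def __init__(self, name, entries):
        self.name, self.entries = name, entries

    def active(self, now):
        return any(entry.active(now) for entry in self.entries)


class AclEntry:
    """One Application ACL entry: an action, a URL (None means any URL) and an
    optional time range. The action names permit/deny are assumed."""
    def __init__(self, action, url=None, time_range=None):
        self.action, self.url, self.time_range = action, url, time_range

    def matches(self, requested_url, now):
        if self.time_range is not None and not self.time_range.active(now):
            return False  # entry is not in effect at this moment
        if self.url is None:
            return True
        # The dialog asks for the entire URL, so whole URLs are compared, not prefixes.
        return requested_url.lower().rstrip("/") == self.url.lower().rstrip("/")


def evaluate_acl(entries, requested_url, now):
    """First matching entry wins; no match means deny (assumed default)."""
    for entry in entries:
        if entry.matches(requested_url, now):
            return entry.action
    return "deny"


# Constructed configuration mirroring what the dialogs above would produce.
BUSINESS_HOURS = TimeRange("business_hours",
                           [PeriodicEntry("weekdays", time(8, 0), time(17, 0))])
UNTIL_YEAR_END = TimeRange("until_year_end",
                           [AbsoluteEntry(end=parse_sdm_datetime("31/12/2007", "23:59"))])
SAMPLE_ACL = [
    AclEntry("deny", "ftp://ftp.example.net"),                    # blocked at all times
    AclEntry("permit", "https://www.foo.com", BUSINESS_HOURS),    # only in working hours
    AclEntry("permit", "http://intranet.example.net", UNTIL_YEAR_END),
    AclEntry("permit", "http://www.cisco.com"),                   # always reachable
]
```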
Chapter 23 VPN Troubleshooting
Cisco SDM can troubleshoot VPN connections that you have configured. Cisco SDM reports the success or failure of the connection tests, and when tests have failed, recommends actions that you can take to correct connection problems. The following link provides information on VPN troubleshooting using the CLI. http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_b/vpnman/vms_2_2/rmc13/useguide/u13_rtrb.
Peer
The IP address or host name of the devices at the other end of the VPN connection.
Summary
Click this button if you want to view the summarized troubleshooting information.
Details
Click this button if you want to view the detailed troubleshooting information.
Activity
This column displays the troubleshooting activities.
Status
Displays the status of each troubleshooting activity by the following icons and text alerts: The connection is up.
VPN Troubleshooting: Specify Easy VPN Client
Test Specific Client Button
This button is enabled if you are testing connections for an Easy VPN server configured on the router. Click this button and specify the client to which you want to test connectivity. This button is disabled in the following circumstances:
• The Basic testing is not done or has not completed successfully.
• The IOS image does not support the required debugging commands.
Continue Button
After selecting the traffic generation type you want, click this button to continue testing.
Close Button
Click this button to close the window.
VPN Troubleshooting: Generate Traffic
This window allows you to generate site-to-site VPN or Easy VPN traffic for debugging. You can allow Cisco SDM to generate VPN traffic or you can generate VPN traffic yourself.
VPN Troubleshooting: Generate GRE Traffic
Have SDM generate VPN Traffic
Select this option if you want Cisco SDM to generate VPN traffic on the interface for debugging.
Note Cisco SDM will not generate VPN traffic when the VPN tunnel traffic is from a non-IP based Access Control List (ACL) or when the applied and current CLI View is not root view.
Enter the IP address of a host in the source network
Enter the host IP address in the source network.
Cisco SDM Warning: SDM will enable router debugs...
Have SDM generate VPN Traffic
Select this option if you want Cisco SDM to generate VPN traffic on the interface for debugging.
Enter the remote tunnel IP address
Enter the IP address of the remote GRE tunnel. Do not use the address of the remote interface.
I will generate VPN traffic from the source network
Select this option if you want to generate VPN traffic from the source network.
Chapter 24 Security Audit
Security Audit is a feature that examines your existing router configurations and then updates your router in order to make your router and network more secure. Security Audit is based on the Cisco IOS AutoSecure feature; it performs checks on and assists in configuration of almost all of the AutoSecure functions.
The Welcome page of the Security Audit wizard appears.
Step 3 Click Next>. The Security Audit Interface Configuration page appears.
Step 4 The Security Audit wizard needs to know which of your router interfaces connect to your inside network and which connect outside of your network. For each interface listed, check either the Inside or Outside check box to indicate where the interface connects.
Step 5 Click Next>.
• Disable PAD Service
• Disable TCP Small Servers Service
• Disable UDP Small Servers Service
• Disable IP BOOTP Server Service
• Disable IP Identification Service
• Disable CDP
• Disable IP Source Route
• Enable Password Encryption Service
• Enable TCP Keepalives for Inbound Telnet Sessions
• Enable TCP Keepalives for Outbound Telnet Sessions
• Enable Sequence Numbers and Time Stamps on Debugs
• Enable IP CEF
• Disable IP Gratuitous ARPs
• Set Minimum
• Disable IP Unreachables
• Disable IP Mask Reply
• Disable IP Unreachables on NULL Interface
• Enable Unicast RPF on Outside Interfaces
• Enable Firewall on All of the Outside Interfaces
• Set Access Class on HTTP Server Service
• Set Access Class on VTY Lines
• Enable SSH for Access to the Router
Welcome Page
This screen describes the Security Audit wizard and the changes the wizard will attempt to make to your router configuration.
Inside Column
This column displays a check box for each interface listed in the Interface column. Check the check box for each interface that connects directly to your local network and is thus protected from the Internet by your firewall.
Report Card Page
The Report Card popup page displays a list of recommended configuration changes that, if made, make the network more secure.
Fix It Page
Fix All
Click this button to place a check mark next to all of the potential security problems listed on the Report Card screen.
Select an option:
Undo Security Configurations
When this option is selected, Cisco SDM displays the security configurations that it can undo. To have Cisco SDM undo all the security configurations, click Undo All. To specify a security configuration that you want to undo, check the Undo box next to it.
This fix can be undone. To learn how, click Undoing Security Audit Fixes.
Disable PAD Service
Security Audit disables all packet assembler/disassembler (PAD) commands and connections between PAD devices and access servers whenever possible. The configuration that will be delivered to the router to disable PAD is as follows:
no service pad
This fix can be undone. To learn how, click Undoing Security Audit Fixes.
This fix can be undone. To learn how, click Undoing Security Audit Fixes.
Disable UDP Small Servers Service
Security Audit disables small services whenever possible. By default, Cisco devices running Cisco IOS version 11.3 or earlier offer the “small services”: echo, chargen, and discard. (Small services are disabled by default in Cisco IOS software version 12.0 and later.
The configuration that will be delivered to the router to disable BOOTP is as follows:
no ip bootp server
This fix can be undone. To learn how, click Undoing Security Audit Fixes.
Disable IP Identification Service
Security Audit disables identification support whenever possible. Identification support allows you to query a TCP port for identification.
Disable IP Source Route
Security Audit disables IP source routing whenever possible. The IP protocol supports source routing options that allow the sender of an IP datagram to control the route that the datagram will take toward its ultimate destination, and generally the route that any reply will take. These options are rarely used for legitimate purposes in networks.
Enable TCP Keepalives for Inbound Telnet Sessions
Security Audit enables TCP keepalive messages for both inbound and outbound Telnet sessions whenever possible. Enabling TCP keepalives causes the router to generate periodic keepalive messages, letting it detect and drop broken Telnet connections.
service sequence-numbers
Enable IP CEF
Security Audit enables Cisco Express Forwarding (CEF) or Distributed Cisco Express Forwarding (DCEF) whenever possible. Because there is no need to build cache entries when traffic starts arriving at new destinations, CEF behaves more predictably than other modes when presented with large volumes of traffic addressed to many destinations.
This configuration change will require every password on the router, including the user, enable, secret, console, AUX, tty, and vty passwords, to be at least six characters in length. This configuration change will be made only if the Cisco IOS version running on your router supports the minimum password length feature.
connections, this can overwhelm and disable the host. Setting the TCP synwait time to 10 seconds causes the router to shut down an incomplete connection after 10 seconds, preventing the buildup of incomplete connections at the host. The configuration that will be delivered to the router to set the TCP synwait time to 10 seconds is as follows:
ip tcp synwait-time 10
Set Banner
Security Audit configures a text banner whenever possible.
logging console critical
logging trap debugging
logging buffered
logging
Set Enable Secret Password
Security Audit will configure the enable secret Cisco IOS command for more secure password protection whenever possible. The enable secret command is used to set the password that grants privileged administrative access to the Cisco IOS system.
The configuration that will be delivered to the router to disable SNMP is as follows:
no snmp-server
Set Scheduler Interval
Security Audit configures the scheduler interval on the router whenever possible. When a router is fast-switching a large number of packets, it is possible for the router to spend so much time responding to interrupts from the network interfaces that no other work gets done. Some very fast packet floods can cause this condition.
Set Users
Security Audit secures the console, AUX, vty, and tty lines by configuring Telnet user accounts to authenticate access to these lines whenever possible. Security Audit will display a dialog box that lets you define user accounts and passwords for these lines.
NetFlow identifies flows of network packets based on the source and destination IP addresses and TCP port numbers. NetFlow then can use just the initial packet of a flow for comparison to ACLs and for other security checks, rather than having to use every packet in the network flow. This enhances performance, allowing you to make use of all of the router security features.
The configuration that will be delivered to the router to disable proxy ARP is as follows:
no ip proxy-arp
This fix can be undone. To learn how, click Undoing Security Audit Fixes.
Disable IP Directed Broadcast
Security Audit disables IP directed broadcasts whenever possible. An IP directed broadcast is a datagram which is sent to the broadcast address of a subnet to which the sending machine is not directly attached.
Disable MOP Service
Security Audit will disable the Maintenance Operations Protocol (MOP) on all Ethernet interfaces whenever possible. MOP is used to provide configuration information to the router when communicating with DECNet networks. MOP is vulnerable to various attacks. The configuration that will be delivered to the router to disable the MOP service on Ethernet interfaces is as follows:
no mop enabled
This fix can be undone.
in the internetwork. ICMP mask reply messages are sent to the device requesting the information by devices that have the requested information. These messages can be used by an attacker to gain network mapping information. The configuration that will be delivered to the router to disable ICMP mask reply messages is as follows:
no ip mask-reply
This fix can be undone. To learn how, click Undoing Security Audit Fixes.
Enable Unicast RPF on Outside Interfaces
Security Audit enables unicast Reverse Path Forwarding (RPF) on all interfaces that connect to the Internet whenever possible. RPF is a feature that causes the router to check the source address of any packet against the interface through which the packet entered the router. If the input interface is not a feasible path to the source address according to the routing table, the packet will be dropped.
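The following Python is an added example (not from the guide or from Cisco IOS) of the strict unicast RPF decision just described, run against a constructed routing table that includes a default route. Interface names, prefixes and the sample packets are constructed; the allow-default behaviour models the corresponding option of the IOS ip verify unicast command.

```python
import ipaddress

# Constructed routing table: (destination prefix, outgoing interface). It includes
# the default route that a static-route dialog can create with "Make this the
# default route"; FastEthernet0/0 is the interface marked Outside in the wizard.
ROUTES = [
    ("0.0.0.0/0", "FastEthernet0/0"),       # default route toward the Internet
    ("192.168.1.0/24", "FastEthernet0/1"),  # inside LAN
    ("192.168.2.0/24", "FastEthernet0/1"),
    ("203.0.113.0/24", "Serial0/0"),        # branch network behind the WAN link
]


def best_route(table, address):
    """Longest-prefix match: the lookup the router performs for any address."""
    addr = ipaddress.IPv4Address(address)
    best = None
    for prefix, iface in table:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict_accepts(table, src_ip, ingress_iface, allow_default=False):
    """Strict unicast RPF as the section describes: the packet is forwarded only
    if the best route back to its source address points out the interface the
    packet arrived on. A match on the default route alone does not count unless
    the check is configured to allow it (modelled on the allow-default option)."""
    route = best_route(table, src_ip)
    if route is None:
        return False
    net, iface = route
    if net.prefixlen == 0 and not allow_default:
        return False
    return iface == ingress_iface


def filter_packets(table, packets, outside_ifaces):
    """Apply the check only to packets arriving on the outside interfaces, which
    is where the Security Audit enables it; packets on other interfaces pass."""
    verdicts = []
    for src_ip, ingress in packets:
        accepted = ingress not in outside_ifaces or urpf_strict_accepts(table, src_ip, ingress)
        verdicts.append((src_ip, ingress, accepted))
    return verdicts


# Constructed packets: the second one carries an inside source address but arrives
# from the Internet, the spoofing case the check is meant to drop; the fourth has
# a source reachable only via the default route.
SAMPLE_PACKETS = [
    ("192.168.1.10", "FastEthernet0/1"),
    ("192.168.1.10", "FastEthernet0/0"),
    ("203.0.113.5", "FastEthernet0/0"),
    ("198.51.100.9", "FastEthernet0/0"),
]
```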
addresses. Without CBAC, advanced application traffic is permitted only by writing Access Control Lists (ACLs). This approach leaves firewall doors open, so most administrators tend to deny all such application traffic. With CBAC enabled, however, you can securely permit multimedia and other application traffic by opening the firewall as needed and closing it at all other times.
access-class
Enable SSH for Access to the Router
If the Cisco IOS image running on the router is a crypto image (an image that uses 56-bit Data Encryption Standard (DES) encryption and is subject to export restrictions), then Security Audit will implement the following configurations to secure Telnet access whenever possible:
• Enable Secure Shell (SSH) for Telnet access. SSH makes Telnet access much more secure.
Configuration Summary Screen
• Configure authentication and authorization for VTY lines
The local database will be used for both authentication and authorization.
• Configure authentication for a console line
The local database will be used for authentication.
Cisco SDM and Cisco IOS AutoSecure
• Disable IP Redirects
• Disable IP Proxy ARP
• Disable IP Directed Broadcast
• Disable MOP Service
• Disable IP Unreachables
• Disable IP Unreachables on NULL Interface
• Disable IP Mask Reply
• Enable Password Encryption Service
• Set Minimum Password Length to Less Than 6 Characters
• Enable IP CEF
• Enable Firewall on All of the
Security Configurations Cisco SDM Can Undo
• Configuring AAA—If the Authentication, Authorization, and Accounting (AAA) service is not configured, AutoSecure configures local AAA and prompts for configuration of a local username and password database on the router. Cisco SDM does not support AAA configuration.
• Setting SPD Values—Cisco SDM does not set Selective Packet Discard (SPD) values.
• Enabling TCP Intercepts—Cisco SDM does not enable TCP intercepts.
Undoing Security Audit Fixes
Security Configuration: Equivalent CLI
Enable NetFlow Switching: ip route-cache flow
Disable IP Redirects: no ip redirects
Disable IP Proxy ARP: no ip proxy-arp
Disable IP Directed Broadcast: no ip directed-broadcast
Disable MOP Service: no mop enabled
Disable IP Unreachables: int
  no ip unreachables
Disable IP Mask Reply: no ip mask-reply
Disable IP Unreachables on NULL Interface: int null 0
Enable Password Encryption Servic
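As an added example (not the Security Audit feature's own code), the Python below checks a constructed running-config excerpt for the global and per-interface items listed on the Fix It pages and in the CLI table above, and emits the fix commands that are missing. The commands quoted in this chapter are used as given; for items whose CLI the chapter does not quote (small servers, identd, CDP, source route, keepalives, CEF, gratuitous ARP, password length, uRPF) the standard Cisco IOS form is assumed, and the hostname, addresses and interface names are constructed.

```python
# Global Security Audit items and the CLI each one delivers.
GLOBAL_FIXES = {
    "Disable PAD Service": "no service pad",
    "Disable TCP Small Servers Service": "no service tcp-small-servers",
    "Disable UDP Small Servers Service": "no service udp-small-servers",
    "Disable IP BOOTP Server Service": "no ip bootp server",
    "Disable IP Identification Service": "no ip identd",
    "Disable CDP": "no cdp run",
    "Disable IP Source Route": "no ip source-route",
    "Enable Password Encryption Service": "service password-encryption",
    "Enable TCP Keepalives for Inbound Telnet Sessions": "service tcp-keepalives-in",
    "Enable TCP Keepalives for Outbound Telnet Sessions": "service tcp-keepalives-out",
    "Enable Sequence Numbers and Time Stamps on Debugs": "service sequence-numbers",
    "Enable IP CEF": "ip cef",
    "Disable IP Gratuitous ARPs": "no ip gratuitous-arps",
    "Set Minimum Password Length": "security passwords min-length 6",
    "Set TCP Synwait Time": "ip tcp synwait-time 10",
}
# Per-interface items from the Equivalent CLI table; uRPF applies to outside interfaces.
INTERFACE_FIXES = {
    "Disable IP Redirects": "no ip redirects",
    "Disable IP Proxy ARP": "no ip proxy-arp",
    "Disable IP Directed Broadcast": "no ip directed-broadcast",
    "Disable MOP Service": "no mop enabled",
    "Disable IP Unreachables": "no ip unreachables",
    "Disable IP Mask Reply": "no ip mask-reply",
}
NULL_FIX = ("Disable IP Unreachables on NULL Interface", "no ip unreachables")
URPF_FIX = ("Enable Unicast RPF on Outside Interfaces", "ip verify unicast reverse-path")

# Constructed running-config excerpt. A real config hides commands at their default
# values; this checker treats a missing line as "not yet hardened", which is also
# how the Report Card presents each item.
SAMPLE_CONFIG = """\
service tcp-keepalives-in
service password-encryption
no service pad
hostname Branch1
ip cef
no ip bootp server
snmp-server community public RO
!
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no mop enabled
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
!
interface Null0
 no ip unreachables
!
"""


def parse_config(text):
    """Split a config into its global lines and the lines under each interface."""
    global_lines, interfaces, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces.setdefault(current, set())
        elif line.startswith(" ") and current is not None:
            interfaces[current].add(line.strip())
        else:
            current = None
            global_lines.add(line.strip())
    return global_lines, interfaces


def audit(text, outside_interfaces):
    """Return (item, interface or None, fix CLI) for every item not yet applied."""
    global_lines, interfaces = parse_config(text)
    findings = [(item, None, cli) for item, cli in GLOBAL_FIXES.items()
                if cli not in global_lines]
    if any(line.startswith("snmp-server") for line in global_lines):
        findings.append(("Disable SNMP", None, "no snmp-server"))
    for name, lines in interfaces.items():
        checks = list(INTERFACE_FIXES.items())
        if name.lower().startswith("null"):
            checks = [NULL_FIX]            # only the unreachables fix applies to Null0
        elif name in outside_interfaces:
            checks.append(URPF_FIX)
        findings += [(item, name, cli) for item, cli in checks if cli not in lines]
    return findings


def fix_commands(findings):
    """Render findings as the configuration that would be delivered to the router."""
    return [f"interface {iface}\n {cli}" if iface else cli
            for _, iface, cli in findings]
```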
User Name
Enter the username for the new account in this field.
Password
Enter the password for the new account in this field.
Confirm Password
Reenter the new account password in this field for confirmation. The entry in this field must match the entry in the Password field.
Configure User Accounts for Telnet/SSH Page
This screen lets you manage the user accounts that have Telnet or Secure Shell (SSH) access to your router.
Delete Button
Click a user account in the table to select it, and click this button to delete the selected account.
Enable Secret and Banner Page
This screen lets you enter a new enable secret and a text banner for the router. The enable secret is an encrypted password that provides administrator-level access to all functions of the router. It is vital that the secret be secure and difficult to crack.
Logging Page
This screen lets you configure the router log by creating a list of syslog servers to which log messages will be forwarded, and by setting the logging level, which determines the minimum severity a log message must have in order for it to be captured.
IP Address/Hostname Table
This table displays a list of hosts to which the router log messages will be forwarded. These hosts should be syslog servers that can trap and manage the router log messages.
Add...
Immediate action needed
2 - critical: Critical conditions
3 - errors: Error conditions
4 - warnings: Warning conditions
5 - notifications: Normal but significant condition
6 - informational: Informational messages only
7 - debugging: Debugging messages
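An added example (not from the guide): Python that parses logging configuration in the form shown under Set Logging above, applies the severity table to constructed IOS-style messages, and reports which destinations capture each one. The syslog server address and the message texts are constructed, and the defaults assumed when a line carries no level (debugging for console/buffered, informational for trap) are noted in the code.

```python
import re

# Severity keywords in the order the Logging page lists them (0 is most severe).
SEVERITIES = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
              "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Constructed logging configuration in the form shown under Set Logging, plus one
# syslog server of the kind added in the IP Address/Hostname table (constructed
# address). A syslog server receives messages up to the "logging trap" level.
SAMPLE_LOGGING_CONFIG = """\
logging console critical
logging trap debugging
logging buffered
logging 192.168.1.50
"""

# IOS messages carry their severity in the %FACILITY-SEVERITY-MNEMONIC: prefix.
MSG_RE = re.compile(r"%[A-Z0-9_]+-(\d)-[A-Z0-9_]+:")


def parse_logging(config):
    """Return {destination: highest severity number that destination captures}."""
    dests, servers = {}, []
    trap = SEVERITIES["informational"]   # assumed default when no "logging trap" line
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "logging":
            continue
        target = parts[1]
        level = next((SEVERITIES[p] for p in parts[2:] if p in SEVERITIES), None)
        if target == "trap":
            trap = trap if level is None else level
        elif target in ("console", "monitor", "buffered"):
            # No explicit level is taken to mean every message, i.e. debugging (assumed)
            dests[target] = SEVERITIES["debugging"] if level is None else level
        else:
            servers.append(target)            # "logging <host>" adds a syslog server
    for host in servers:
        dests["syslog:" + host] = trap
    return dests


def message_severity(msg):
    """Severity number of an IOS log message, or None if it has no mnemonic."""
    match = MSG_RE.search(msg)
    return int(match.group(1)) if match else None


def deliver(msg, dests):
    """Destinations that capture msg: its severity number must not exceed the
    destination's configured level (a lower number is more severe)."""
    sev = message_severity(msg)
    if sev is None:
        return []
    return sorted(dest for dest, level in dests.items() if sev <= level)


# Constructed sample messages in the IOS format.
SAMPLE_MESSAGES = [
    "%SYS-5-CONFIG_I: Configured from console by vty0 (192.168.1.20)",
    "%SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(4444) -> 192.168.1.1(23), 1 packet",
    "%SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed, pool Processor",
]
```

With "logging trap debugging" the syslog server also receives every debug message the router emits, so the trap level is worth reviewing against the volume the server can absorb.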
Chapter 25 Routing
The Routing window displays the configured static routes and the routes configured by Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Enhanced Interior Gateway Routing Protocol (EIGRP). From this window, you can review the routes, add new routes, edit existing routes, and delete routes.
Note Static and dynamic routes configured for GRE over IPSec tunnels will appear in this window.
What Do You Want To Do?
If you want to add a static route: Click Add, and create the static route in the Add a Static Route window.
If you want to edit a static route: Select the static route, and click Edit. Edit the route information in the IP Static Route window. When a route has been configured that SDM does not support, the Edit button is disabled.
If you want to delete a static route: Select the static route, and click Delete. Then, confirm the deletion in the warning window.
Routing Protocol: Configuration Parameters
RIP: RIP Version, Network, Passive Interface
OSPF: Process ID
EIGRP: Autonomous System Number
Item Value
This column contains the text “Enabled,” and configuration values when a routing type has been configured. It contains the text “Disabled” when a routing protocol has not been configured.
What Do You Want To Do?
If you want to configure a RIP route: Select the RIP tab and click Edit.
Add or Edit IP Static Route
Prefix
Enter the IP address of the destination network. For more information, refer to Available Interface Configurations.
Prefix Mask
Enter the destination address subnet mask.
Make this the default route
Check this box to make this the default route for this router. A default route forwards all unknown outbound packets through this route.
Forwarding
Specify how to forward data to the destination network.
Add or Edit an RIP Route
Use this window to add or edit a Routing Information Protocol (RIP) route.
RIP Version
The values are RIP version 1, RIP version 2, and Default. Select the version supported by the Cisco IOS image that the router is running. When you select version 1, the router sends version 1 RIP packets and can receive version 1 packets. When you select version 2, the router sends version 2 RIP packets and can receive version 2 packets.
Add or Edit an OSPF Route
IP Network List
Enter the networks that you want to create routes to. Click Add to add a network. Click Delete to delete a network from the list.
Network: The address of the destination network for this route. For more information, refer to Available Interface Configurations.
Mask: The subnet mask used on that network.
Area: The OSPF area number for that network. Each router in a particular OSPF area maintains a topological database for that area.
Add or Edit EIGRP Route
Use this window to add or delete an Enhanced IGRP (EIGRP) route.
Autonomous System Number
The autonomous system number is used to identify the router’s EIGRP routing process to other routers.
IP Network List
Enter the networks that you want to create routes to. Click Add to add a network. Click Delete to delete a network from the list.
Available Interface List
The available interfaces are shown in this list.
Chapter 26 Network Address Translation
Network Address Translation (NAT) is a robust form of address translation that extends addressing capabilities by providing both static address translations and dynamic address translations. NAT allows a host that does not have a valid registered IP address to communicate with other hosts through the Internet.
Chapter 26 Network Address Translation Network Address Translation Wizards If your network has e-mail servers, web servers, or other types of servers and you want them to accept connections from the Internet, choose Advanced NAT and click the Launch button. Note If you do not want your servers to accept connections from the Internet, you can use the Basic NAT wizard.
Chapter 26 Network Address Translation Network Address Translation Wizards To remove a network from the NAT configuration, uncheck its check box. Note If Cisco SDM detects a conflict between the NAT configuration and an existing VPN configuration for the WAN interface, it will inform you with a dialog box after you click Next. Summary This window shows you the NAT configuration you created, and allows you to save the configuration.
Chapter 26 Network Address Translation Network Address Translation Wizards Advanced NAT Wizard: Connection Choose an Interface From the drop-down menu, choose the interface that connects to the Internet. This is the router WAN interface. Additional Public IP Addresses Click Add to enter public IP addresses that you own. You will be able to assign these IP address to servers on your network that you want to make available to the Internet.
Chapter 26 Network Address Translation Network Address Translation Wizards • Comments entered about the network To remove a network from the NAT configuration, uncheck its check box. To add a network not directly connected to your router to the list, click Add Networks. Note If Cisco SDM does not allow you to place a check mark next to a network for which you want to configure a NAT rule, the interface associated with the network has already been designated as a NAT interface.
To reorder the list based on the private IP addresses, click the column head Private IP Address. To reorder the list based on the public IP addresses, click the column head Public IP Address. Add Button To add a translation rule for a server, click Add. Edit Button To edit a translation rule for a server, choose it in the list and click Edit. Delete Button To delete a translation rule, choose it in the list and click Delete.
• E-mail server An SMTP server for sending Internet mail. • Other A server which is not a web or e-mail server, but which requires port translation to provide service. This choice activates the Translated Port field and the Protocol drop-down menu. If you do not choose a server type, all traffic intended for the public IP address you choose for the server will be routed to that address, and no port translation will be done.
Network Address Translation Rules

View Details Click the View Details button to see the proposed modifications to the NAT configuration to resolve the conflict. This button is not displayed with all feature conflicts. Details This window lists the changes Cisco SDM will make to the NAT configuration to resolve conflicts between NAT and another feature configured on the same interface.
Translation Timeouts When dynamic NAT is configured, translation entries have a timeout period after which they expire and are purged from the translation table. Click this button to configure the timeout values for NAT translation entries and other values. Network Address Translation Rules This area shows the designated inside and outside interfaces and the NAT rules that have been configured.
Dynamic address translation. There are two methods of dynamic addressing using NAT. One method maps multiple private addresses to a single public address and uses the port numbers of host sessions to determine which host to route returning traffic to. The second method uses named address pools. These address pools contain public addresses.
If you want to:
• Edit a NAT rule. Choose the NAT rule that you want to edit, click Edit, and edit the rule in the Edit Address Translation Rule window.
• Delete a NAT rule. Choose the NAT rule that you want to delete, and click Delete. You must confirm deletion of the rule in the Warning box displayed.
• View or edit route maps. Click View Route Maps.
Designate NAT Interfaces Use this window to designate the inside and outside interfaces that you want to use in NAT translations. NAT uses the inside and outside designations when interpreting translation rules, because translations are performed from inside to outside, or from outside to inside. Once designated, these interfaces are used in all NAT translation rules.
PPTP Timeout Enter the number of seconds after which NAT Point-to-Point Tunneling Protocol (PPTP) flows time out. The default is 86400 seconds (24 hours). Dynamic NAT Timeout Enter the maximum number of seconds that dynamic NAT translations should live. Max Number of NAT Entries Enter the maximum number of NAT entries in the translation table.
Name The name of this route map. Route map entries This box lists the route map entries. Name The name of the route map entry. Seq No. The sequence number of the route map entry. Action Route maps created by Cisco SDM are configured with the permit keyword. If this field contains the value deny, the route map was created using the CLI. Access Lists The access lists that specify the traffic to which this route map applies.
Action Either permit or deny. Route maps created by Cisco SDM are configured with the permit keyword. If this field contains the value deny, the route map was created using the CLI. Access Lists This area shows the access lists associated with this entry. The route map uses these access lists to determine which traffic to protect from NAT translation.
What Do You Want to Do? If you want to:
• Add an address pool to the router configuration. Click Add, and configure the pool in the Add Address Pool window. If you want to use an existing pool as a template for the new pool, choose the existing pool, check Clone selected entry on Add, and click Add.
• Edit an existing address pool.
IP Address Enter the lowest-numbered IP address in the range in the left field; enter the highest-numbered IP address in the range in the right field. For more information, see Available Interface Configurations. Network Mask Enter the subnet mask or the number of network bits that specify how many bits in the IP addresses are network bits.
From inside to outside Choose this option if you want to translate private addresses on the LAN to legal addresses on the Internet or on your organization’s intranet. You may want to choose this option if you use private addresses on your LAN that are not globally unique on the Internet. Translate from Interface This area shows the interfaces from which packets needing address translation come in to the router.
Translate to Interface This area shows the interfaces from which packets with translated addresses exit the router. It also provides fields for specifying the translated address and other information. Outside Interface(s) If you chose From inside to outside for Direction, this area contains the designated outside interfaces.
Note If you do not enter a network mask in the Translate from Interface area, Cisco SDM will perform only one translation. Redirect Port Check this check box if you want to include port information for the inside device in the translation. This enables you to use the same public IP address for multiple devices, as long as the port specified for each device is different.
addresses of devices on a VPN, their translated addresses will not match the IPSec rule used in the IPSec policy, and traffic will be sent unencrypted. You can view route maps created by Cisco SDM or created using the CLI by clicking the View Route Maps button in the NAT window. Direction Choose the traffic direction for this rule.
• If you want to create n-to-n mappings between the addresses in a remote subnet and the corresponding outside local addresses, enter any valid address from the subnet whose addresses you want translated, and enter a network mask in the next field. Network Mask If you want Cisco SDM to translate the addresses in a remote subnet, enter the mask for that subnet.
Redirect Port Check this check box if you want to include port information for the outside device in the translation. This enables you to use extended static translation and to use the same public IP address for multiple devices, as long as the port specified for each device is different. Click TCP if this is a TCP port number; click UDP if it is a UDP port number.
Note If you create a NAT rule that would translate addresses of devices that are part of a VPN, Cisco SDM will prompt you to allow it to create a route map that protects those addresses from being translated by NAT. If NAT is allowed to translate addresses of devices on a VPN, their translated addresses will not match the IPSec rule used in the IPSec policy, and traffic will be sent unencrypted.
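As an added illustration (not code from Cisco SDM or Cisco IOS) of the behaviour described under Translation Timeouts, Max Number of NAT Entries and the note above, the following Python models dynamic NAT with port overloading (PAT): an idle timeout, an entry limit, inbound lookup that drops anything without a matching translation, and a route-map style exemption that leaves VPN-bound traffic untranslated so it still matches the IPSec policy. All addresses, ports and networks are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PatTable:
    """Toy PAT translation table; models the router behaviour, not its code."""
    public_ip: str
    # (source network, destination network) pairs a route map protects from NAT,
    # i.e. traffic that IPSec must see with its original addresses (constructed)
    exempt: list
    dynamic_timeout: int = 86400    # Dynamic NAT Timeout in seconds
    max_entries: int = 4            # Max Number of NAT Entries
    first_port: int = 1024          # first public port handed out
    # (inside_ip, inside_port, proto) -> [public_port, last_seen]
    entries: dict = field(default_factory=dict)

    def _is_exempt(self, src_ip, dst_ip):
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        return any(src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
                   for s, d in self.exempt)

    def purge(self, now):
        """Expire idle entries once they reach the dynamic timeout."""
        for key in [k for k, (_, seen) in self.entries.items()
                    if now - seen >= self.dynamic_timeout]:
            del self.entries[key]

    def _free_port(self):
        used = {port for port, _ in self.entries.values()}
        port = self.first_port
        while port in used:
            port += 1
        return port

    def outbound(self, src_ip, src_port, dst_ip, proto, now):
        """Translate an inside->outside packet. Returns the (ip, port) the outside
        host sees, or None when the table is full and the packet is dropped."""
        if self._is_exempt(src_ip, dst_ip):
            return (src_ip, src_port)      # route map keeps VPN traffic untranslated
        self.purge(now)
        key = (src_ip, src_port, proto)
        if key in self.entries:
            self.entries[key][1] = now     # refresh the idle timer
            return (self.public_ip, self.entries[key][0])
        if len(self.entries) >= self.max_entries:
            return None
        self.entries[key] = [self._free_port(), now]
        return (self.public_ip, self.entries[key][0])

    def inbound(self, dst_port, proto, now):
        """Map a returning outside->inside packet back to the inside host by port.
        Returns None (packet dropped) when no translation exists, which is why
        unsolicited inbound traffic cannot reach PAT-hidden hosts."""
        self.purge(now)
        for (ip, port, p), entry in self.entries.items():
            if p == proto and entry[0] == dst_port:
                entry[1] = now
                return (ip, port)
        return None
```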
you want to translate. If you do not know the name or number, you can click the ... button and choose an existing access rule, or you can create a new access rule to use. Translate to Interface This area shows the interfaces from which packets with translated addresses exit the router. It also provides fields for specifying the translated address.
Add or Edit Dynamic Address Translation Rule: Outside to Inside Use this help topic when you have chosen From Outside to Inside in the Add or the Edit Dynamic Address Translation Rule window. Add or edit an address translation rule in this window. If you are editing a rule, the rule type (static or dynamic) and the direction are disabled.
Translate from Interface This area shows the interfaces from which packets needing address translation come in to the router. It provides fields for specifying the IP address of a single host, or a network address and subnet mask that represent the hosts on a network. Outside Interfaces If you chose From outside to inside, this area contains the designated outside interfaces.
Type Choose Interface if you want the Translate from addresses to use the address of an interface on the router. They will be translated to the address that you specify in the Interface field, and PAT will be used to distinguish each host on the network. Choose Address Pool if you want the addresses to be translated to addresses defined in a configured address pool.
How Do I Configure NAT With One LAN and Multiple WANs?

The NAT wizard allows you to configure a Network Address Translation (NAT) rule between one LAN interface on your router and one WAN interface. If you want to configure NAT between one LAN interface on your router and multiple WAN interfaces, first use the NAT wizard to configure an address translation rule between the LAN interface on your router and one WAN interface.
Chapter 27 Cisco IOS IPS

The Cisco IOS Intrusion Prevention System (Cisco IOS IPS) allows you to manage intrusion prevention on routers that use Cisco IOS Release 12.3(8)T4 or later releases. Cisco IOS IPS lets you monitor and prevent intrusions by comparing traffic against signatures of known threats and blocking the traffic when a threat is detected. Cisco SDM lets you control the application of Cisco IOS IPS on interfaces, import and edit signature definition files (SDF) from Cisco.
Chapter 27 Cisco IOS IPS Create IPS IPS Rules A Cisco IOS IPS rule specifies an interface, the type and direction of traffic that it is to examine, and the location of the signature definition file (SDF) that the router uses. Create IPS In this window you can launch the IPS Rule wizard.
Create IPS: Welcome This window provides a summary of the tasks to perform when you complete the IPS Rule wizard. Click Next to begin configuring a Cisco IOS IPS rule. Create IPS: Select Interfaces Choose the interfaces on which you want to apply the Cisco IOS IPS rule by specifying whether the rule is to be applied to inbound traffic or outbound traffic. If you check both the inbound and the outbound boxes, the rule applies to traffic flowing in both directions.
Create IPS: Signature File The Cisco IOS IPS signature file contains the default signature information present in each update to the file on Cisco.com. Any changes made to this configuration are saved in a delta file. For security, the delta file must be digitally signed. Specify the location of the signature file and provide the name and text of the public key that will be used to sign the delta file in this window.
Step 1 Go to the following link to obtain the public key: http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup
Step 2 Download the key to your PC.
Step 3 Copy the text after the phrase “named-key” into the Name field. For example, if the line of text including the name is the following: named-key realm-cisco.pub signature copy realm-cisco.
Choose Category Because router memory and resource constraints may prevent the use of all the available signatures, there are two categories of signatures—basic and advanced. In the Choose Category field, choose the category that will allow the Cisco IOS IPS to function efficiently on the router. The basic category is appropriate for routers with less than 128 MB of available flash memory.
Directory Selection Click the folder in which you want to store configuration information. If you want to create a new folder, click New Folder, provide a name for it in the dialog displayed, select it, and click OK. Signature File Specify the location of the signature file that the Cisco IOS IPS will use. Specify Signature File on Flash If the signature file is located on router flash memory, click the button to the right of the field.
Create IPS: Summary Here is an example of a Cisco IOS IPS summary display on a router running a Cisco IOS release earlier than 12.4(11)T.
Selected Interface: FastEthernet 0/1
IPS Scanning Direction: Both
Signature Definition File Location: flash//sdmips.sdf
Built-in enabled: yes
In this example, Cisco IOS IPS is enabled on the FastEthernet 0/1 interface, and both inbound and outbound traffic is scanned. The SDF is named sdmips.
Chapter 27 Cisco IOS IPS Edit IPS In this example, the Cisco IOS IPS policy is applied to the FastEthernet 0/0 and the FastEthernet 0/1 interfaces. The signature file is located on the PC. The config location is on router flash memory, in a directory named configloc. Edit IPS In this window you can view the Cisco IOS IPS buttons for configuring and managing Cisco IOS IPS policies, security messages, signatures, and more.
SDEE Messages Button Secure Device Event Exchange (SDEE) messages report on the progress of Cisco IOS IPS initialization and operation. Click to display the Edit IPS: SDEE Messages window, where you can review SDEE messages and filter them to display only error, status, or alert messages. Signatures Button Click to display the Edit IPS: Signatures window where you can manage signatures on the router.
Disable Button Click to disable Cisco IOS IPS on the specified interface. A context menu shows you the traffic directions on which Cisco IOS IPS has been applied, and you can choose the direction on which you want to disable Cisco IOS IPS. If you disable Cisco IOS IPS on an interface to which it has been applied, Cisco SDM dissociates any Cisco IOS IPS rules from that interface.
• On—VFR is enabled.
• Off—VFR is disabled.
Cisco IOS IPS cannot identify the contents of IP fragments, nor can it gather port information from the fragment in order to match it with a signature. Therefore, fragments can pass through the network without being examined or without dynamic access control list (ACL) creation. VFR enables the Cisco IOS Firewall to create the appropriate dynamic ACLs, thereby protecting the network from various fragmentation attacks.
Enable or Edit IPS on an Interface Use this window to choose the interfaces on which you want to enable intrusion detection, and to specify the IPS filters for examining traffic. Both, Inbound, and Outbound Buttons Use these buttons to specify whether you are going to enable Cisco IOS IPS on both inbound and outbound traffic, only inbound traffic, or only outbound traffic.
Enable fragment checking on other interfaces If fragment checking is enabled for outbound traffic, the router must examine the inbound traffic that arrives on the interfaces that send outbound traffic to the interface being configured. Specify these interfaces below. If the Inbound radio button is chosen, this area does not appear.
Engine Options Shun Events The engine options are:
• Fail Closed—By default, while the Cisco IOS software compiles a new signature for a particular engine, it allows packets to pass through without scanning for the corresponding engine. When enabled, this option makes the Cisco IOS software drop packets during the compilation process.
Move Up and Move Down Buttons Use to change the order of preference for the URLs in the list. Reload Signatures Click to recompile signatures in all signature engines. During the time that signatures are being recompiled in a signature engine, the Cisco IOS software cannot use that engine’s signatures to scan packets. Edit Global Settings Edit settings that affect the overall operation of Cisco IOS IPS in this window, in the Syslog and SDEE and Global Engine tabs.
Use Built-in Signatures (as backup) (Global Engine Tab) If Cisco IOS IPS does not find or fails to load signatures from the specified locations, it can use the Cisco IOS built-in signatures to enable Cisco IOS IPS. This option is enabled by default. Enable Deny Action on IPS interface (Global Engine Tab) This option is applicable if signature actions are configured to “denyAttackerInline” or “denyFlowInline.
Protocol Choose the protocol the router should use to obtain the SDF, such as http or https. URL Enter the URL in the following form: path-to-signature-file Note The protocol you chose from the Protocol menu appears to the right of the URL field. Do not reenter the protocol in the URL field. The following URL is provided as an example of the format. It is not a valid URL to a signature file, and it includes the protocol to show the full URL: https://172.16.122.
View By Choose the SDEE message field to search. Criteria Enter the search string. Go Button Click to initiate the search on the string entered in the Criteria field. Type Types are Error, Status, and Alerts. Click SDEE Message Text to see possible SDEE messages. Time Time message was received. Description Available description. Refresh Button Click to check for new SDEE messages. Close Button Click to close the SDEE Messages window.
IDS Status Messages
Error Message ENGINE_BUILDING: %s - %d signatures - %d of %d engines
Explanation Triggered when Cisco IOS IPS begins building the signature microengine (SME).
Error Message ENGINE_BUILD_SKIPPED: %s - there are no new signature definitions for this engine
Explanation Triggered when there are no signature definitions or no changes to the existing signature definitions of an Intrusion Detection System SME.
IDS Error Messages
Error Message ENGINE_BUILD_FAILED: %s - %d ms - engine build failed - %s
Explanation Triggered when Cisco IOS IPS fails to build one of the engines after an SDF file is loaded. One message is sent for each failed engine. This means that the Cisco IOS IPS engine failed to import signatures for the specified engine in the message. Insufficient memory is the most probable cause of this problem.
Edit IPS: Global Settings Several Cisco IOS IPS configuration options are available with Cisco IOS 12.4(11)T and later images. These are described in this help topic. Screen controls and configuration options available prior to Cisco IOS 12.4(11)T, such as the Syslog and SDEE global settings, are described in Edit IPS: Global Settings. This help topic describes the Global Settings window that is displayed when the router runs Cisco IOS 12.4(11)T and later releases.
Edit Global Settings The Edit Global Settings dialog contains a Syslog and SDEE tab, and a Global Engine tab. Click the link below for the information that you want to see:
• Syslog and SDEE Tab
• Global Engine Tab
Syslog and SDEE Tab The Syslog and SDEE dialog displayed when the router uses a Cisco IOS 12.4(11)T or later image allows you to configure syslog notification and parameters for SDEE subscriptions, events and messages.
Enable Engine Fail Closed By default, while the Cisco IOS software compiles a new signature for a particular engine, it allows packets to pass through without scanning for the corresponding engine. Enable this option to make the Cisco IOS software drop packets during the compilation process. Enable Deny Action on IPS interface This option is applicable if signature actions are configured to “denyAttackerInline” or “denyFlowInline.
Configure Category Click Configure Category and choose either basic or advanced. The basic category is appropriate for routers with less than 128 MB of available flash memory. The advanced category is appropriate for routers with more than 128 MB of available flash memory. Delete Category If you want to remove the category configuration, click Delete Category. Public Key Tab This dialog displays the public keys configured for Cisco IOS IPS.
Before Configuring Autoupdate Before configuring autoupdate, you should synchronize the router clock with the clock on your PC. To do this, complete the following steps:
Step 1 Go to Configure > Additional Tasks > Router Properties > Date/Time.
Step 2 In the Date/Time window, click Change Settings.
Step 3 Check the Synchronize with my local PC clock option, and then click the Synchronize button.
Step 4 Close the dialog.
Download signature file from Cisco.
IPS Autoupdate URL Settings Enter the username and password required to log in to the server, and enter the URL to the update file in the IPS Autoupdate URL Settings fields. A sample URL follows: tftp//:192.168.0.2/jdoe/ips-auto-update/IOS_update.zip Schedule Specify a schedule for when you want the router to obtain the update from the server. You can specify multiple values in each column to indicate a range or to indicate multiple time values.
Edit IPS: SEAP Configuration: Target Value Rating The target value rating (TVR) is a user-defined value that represents the user’s perceived value of the target host. This allows the user to increase the risk of an event associated with a critical system and to de-emphasize the risk of an event on a low-value target. Use the buttons to the right of the Target Value Rating and Target IP Address columns to add, remove, and edit target entries.
Discard Changes To clear information that you have entered in the Target Value Rating window but have not sent to the router, click Discard Changes. The Discard Changes button is disabled when there are no changes made that are awaiting delivery to the router. Add Target Value Rating To add a TVR entry, choose the target value rating and enter a Target IP Address or range of IP addresses.
Use Event Action Overrides Check the Use Event Action Overrides box to enable Cisco IOS IPS to use event action overrides. You can add and edit event action overrides whether or not they are enabled on the router. Select All The Select All button works with the Enable, Disable and Delete buttons. If you want to enable or disable all event action overrides, click Select All and then click Enable or Disable.
Discard Changes If you want to clear information that you have entered in the Event Action Overrides window but have not sent to the router, click Discard Changes. The Discard Changes button is disabled when there are no changes made that are awaiting delivery to the router. Add or Edit an Event Action Override To add an event action override, choose the event action, enable or disable it, and specify the RR range. If you are editing, you cannot change the event action.
Edit IPS: SEAP Configuration: Event Action Filters Event action filters let Cisco IOS IPS perform individual actions in response to an event without requiring it to perform all actions or remove the entire event. Filters work by removing actions from an event. A filter that removes all actions from an event effectively consumes the event. Event action filters are processed as an ordered list.
Insert Before To insert a new event action filter before an existing one, select the existing filter entry and click Insert Before. A dialog is displayed that enables you to enter the data for the filter. Insert After To insert a new event action filter after an existing one, select the existing filter entry and click Insert After. A dialog is displayed that enables you to enter the data for the filter.
Discard Changes If you want to clear information that you have entered in this window but have not sent to the router, click Discard Changes. The Discard Changes button is disabled when there are no changes awaiting delivery to the router. Add or Edit an Event Action Filter The following information describes the fields in the Add and the Edit Event Action Filter dialogs.
Attacker Address For Attacker Address, enter a range of addresses from 0.0.0.0 to 255.255.255.255, or enter a single address in that range. If you enter a range, use a dash (-) to separate the upper and lower bounds of the range. For example, enter 192.168.7.0-192.168.50.0. Attacker Port For Attacker Port, enter a range of port numbers from 0 to 65535, or enter a single port number in that range.
Stop on Match If you want the Cisco IOS IPS to stop when an event matches this event action filter, click Yes. If you want the Cisco IOS IPS to evaluate matching events against the other remaining filters, click No. Comments You can add comments to describe the purpose of this filter. This field is optional. Edit IPS: Signatures Cisco IOS IPS prevents intrusion by comparing traffic against the signatures of known attacks.
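As an added example (not Cisco's code) of the event action filter semantics described above, the following Python parses the Attacker Address and Attacker Port range syntax with the stated bounds, walks the filters as an ordered list, subtracts actions from a matching event, honours Stop on Match, and reports a consumed event as an empty action set. Signature IDs, addresses, ports and action names are constructed.

```python
import ipaddress
from dataclasses import dataclass

ADDR_MIN = ipaddress.ip_address("0.0.0.0")
ADDR_MAX = ipaddress.ip_address("255.255.255.255")
PORT_MIN, PORT_MAX = 0, 65535


def parse_range(text, convert, low, high):
    """Parse 'lo-hi' (e.g. 192.168.7.0-192.168.50.0) or a single value into
    (lo, hi); reject bounds outside [low, high] and reversed ranges."""
    first, _, second = text.partition("-")
    lo = convert(first.strip())
    hi = convert(second.strip()) if second else lo
    if not (low <= lo <= hi <= high):
        raise ValueError(f"invalid range {text!r}")
    return lo, hi


@dataclass
class Event:
    sig_id: int
    attacker_ip: str
    attacker_port: int
    actions: set          # actions the signature would perform (constructed names)


@dataclass
class EventActionFilter:
    attacker_address: str   # single address or 'lo-hi'
    attacker_port: str      # single port or 'lo-hi'
    actions_to_remove: set
    stop_on_match: bool = False
    enabled: bool = True
    comments: str = ""

    def matches(self, ev):
        ip_lo, ip_hi = parse_range(self.attacker_address, ipaddress.ip_address,
                                   ADDR_MIN, ADDR_MAX)
        p_lo, p_hi = parse_range(self.attacker_port, int, PORT_MIN, PORT_MAX)
        return (ip_lo <= ipaddress.ip_address(ev.attacker_ip) <= ip_hi
                and p_lo <= ev.attacker_port <= p_hi)


def apply_filters(filters, ev):
    """Process the ordered filter list against one event and return the
    actions still to be performed. An empty set means the event was consumed."""
    remaining = set(ev.actions)
    for f in filters:
        if not f.enabled or not f.matches(ev):
            continue
        remaining -= f.actions_to_remove
        if f.stop_on_match:
            break                # Stop on Match = Yes: later filters are skipped
    return remaining
```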
Import Button Click to import a signature definition file from the PC or from the router. When you have specified the file, Cisco IOS IPS displays the signatures available in the file, and you can choose the ones that you want to import to the router. For more information about how to choose the signatures to import, see Import Signatures. Note You can only import signatures from the router if the router has a DOS-based file system. SDFs are available from Cisco.
• Add New—Choose this option to add a new signature, and provide signature parameters in the displayed dialog.
• Clone—The clone option is enabled if a signature is specified that does not belong to a hardcoded engine. It is disabled if the signature uses one of the Cisco IOS hardcoded engines.
Edit Click to edit the parameters of the specified signature. Delete Click Delete to mark the specified signature for deletion from the list.
Signature List Displays the signatures retrieved from the router, and any signatures added from an SDF. Note Signatures that are set to import and are identical to deployed signatures will not be imported and will not appear in the signature list. The signature list can be filtered using the selection controls. Enabled Enabled signatures are indicated with a green icon. If enabled, the actions specified when the signature is detected are carried out.
• Actions—Click to choose the actions to be taken when the signature is matched. See Assign Actions for more information.
• Set Severity to—Click to set the severity level of a signature to: high, medium, low, or informational.
• Restore Defaults—Click to restore the signature’s default values.
• Remove Filter—Click to remove a filter applied to the signature.
• NSDB help (need CCO account)—Click to display help on the Network Security Data Base (NSDB).
Note If you are attempting to import signatures, and these signatures are all identical to deployed signatures, then the Apply Changes button is disabled. Discard Changes Button Click to discard accumulated changes. Note If you are attempting to import signatures, and these signatures are all identical to deployed signatures, then the Discard Changes button is disabled.
Edit IPS: Signatures Cisco IOS IPS prevents intrusion by comparing traffic against the signatures of known attacks. Cisco IOS images that support Cisco IOS IPS have built-in signatures that Cisco IOS IPS can use, and you can also have Cisco IOS IPS import signatures for the router to use when examining traffic. Imported signatures are stored in a signature definition file (SDF). This help topic describes the Signatures window displayed when the router runs Cisco IOS 12.
Note You can only import signatures from the router if the router has a DOS-based file system. SDFs are available from Cisco. Click the following URL to download an SDF from Cisco.com (requires login): http://www.cisco.com/cgi-bin/tablebuild.pl/ios-sigup Cisco maintains an alert center that provides information on emerging threats. See Cisco Security Center for more information.
If you choose Sig ID, or Sig Name, you must enter a value in the criteria field. Total [n] This text gives you the total number of signatures on the router. Select All Click to choose all signatures in the list. Disable Click Disable to disable the specified signature. A signature that is disabled is designated with a red icon.
Enabled Enabled signatures are indicated with a green icon. If enabled, the actions specified when the signature is detected are carried out. Disabled signatures are indicated with a red icon. If disabled, the actions are disabled and are not carried out. Alert (!) This column may contain the yellow Wait icon. This icon indicates new signatures that have not been delivered to the router or modified signatures that have not been delivered to the router.
• NSDB help (need CCO account)—Click to display help on the Network Security Data Base (NSDB).
Apply Changes Click Apply Changes to deliver newly imported signatures, signature edits, and newly enabled or disabled signatures to the router. When the changes are applied, the yellow Wait icon is removed from the ! column. These changes are saved to your router flash memory in the file sdmips.sdf. This file is created automatically the first time you click Apply Changes.
Subsignature ID The unique numerical value assigned to this subsignature. A subsignature ID is used to identify a more granular version of a broad signature. Alert Severity Choose one of the following to categorize the severity of the alert: High, Medium, Low, or Informational. Sig Fidelity Rating The signature fidelity rating is a value set by the author of the signature to quantify the confidence that the signature will produce true positives.
Chapter 27 Cisco IOS IPS Edit IPS The Engine box contains fields that allow you to tune a wide variety of signature parameters. For example, you can specify the action to be taken if this signature is matched and an event is generated, you can specify the layer 4 protocol to inspect for events matching this signature, and you can specify IP parameters, such as header length and type of service.
Summary Key The type of information used to decide which events belong to the same summary. For example, if you choose both attacker and victim addresses and ports, events are summarized together only when all four pieces of information match. If you choose attacker address, only that piece of information is needed. Specify Global Summary Threshold You can optionally specify numerical thresholds that determine when events are summarized into a single log entry instead of being logged individually.
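The following Python example, added here and not part of the Cisco guide or of Cisco IOS IPS, shows what a summary key and a summary threshold do to a stream of alerts. The events, the signature ID 1001 and the addresses are constructed; the window handling (a fresh window starts at the first event of each group) is an assumption about how an implementation might cut summary intervals, not a description of the IOS IPS engine.

```python
from collections import defaultdict
from dataclasses import dataclass


# Constructed sample alerts: one attacker, two victims, one signature.
@dataclass(frozen=True)
class Event:
    t: float            # seconds since start
    sig_id: int
    attacker: str
    attacker_port: int
    victim: str
    victim_port: int


SAMPLE_EVENTS = [
    Event(0.0, 1001, "10.0.0.5", 40000, "192.0.2.10", 80),
    Event(0.5, 1001, "10.0.0.5", 40001, "192.0.2.10", 80),
    Event(1.0, 1001, "10.0.0.5", 40002, "192.0.2.11", 80),
    Event(1.5, 1001, "10.0.0.5", 40003, "192.0.2.10", 80),
    Event(2.0, 1001, "10.0.0.5", 40004, "192.0.2.11", 80),
]


def summarize(events, key_fields, threshold, interval):
    """Group events by signature plus the chosen summary key, split each group
    into windows of `interval` seconds, and emit one ("summary", ...) entry for
    a window holding at least `threshold` events, otherwise one ("alert", ...)
    entry per event.  Returns a list of (kind, sig_id, key, count)."""
    groups = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.t):
        key = tuple(getattr(ev, f) for f in key_fields)
        groups[(ev.sig_id, key)].append(ev)

    out = []
    for (sig_id, key), evs in groups.items():
        window, start = [], evs[0].t
        for ev in evs + [None]:          # None flushes the last window
            if ev is not None and ev.t < start + interval:
                window.append(ev)
                continue
            if len(window) >= threshold:
                out.append(("summary", sig_id, key, len(window)))
            else:
                out.extend(("alert", sig_id, key, 1) for _ in window)
            if ev is not None:
                window, start = [ev], ev.t
    return out
```

With the key set to attacker address only, the five events collapse into one summary; adding victim address splits them into a group of three (summarized) and a group of two (logged individually, because the threshold is not reached). Using all four fields makes every event unique, so nothing is ever summarized, which is the usual way a scanning host floods a log.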
Name Click Name to order the files and directories alphabetically based on name. Clicking Name again will reverse the order. Size Click Size to order the files and directories by size. Directories always have a size of zero bytes, even if they are not empty. Clicking Size again will reverse the order. Time Modified Click Time Modified to order the files and directories based on modification date and time. Clicking Time Modified again will reverse the order.
• produce-alert—Generate an alert. Same as alarm. • produce-verbose-alert—Generate an alert which includes an encoded dump of the offending packet. Same as alarm. • reset—Reset the connection and drop the offending packet. Same as reset-tcp-connection. • reset-tcp-connection—Send TCP RESETs to terminate the TCP flow. Same as reset.
You can make changes to the imported signatures before deploying them. Signatures that are set to import but are identical to deployed signatures will not be imported. If all imported signatures are identical to deployed signatures, the Apply Changes button is disabled. Signature Tree If you need a description of the signature tree, click this link: Signature Tree.
• Name—Name of the signature. For example: FTP Improper Address. • Severity—High, medium, low, or informational. • Deployed—Displays Yes if the signature is already deployed on the router. Displays No if the signature is not deployed on the router. • Import—Contains a checkbox for each signature. If you want to import the signature, check this box. All of the signatures imported from an SDF or a zip file with the name IOS-Sxxx.
• SigName—Name assigned to the signature. • SubSig—Unique numerical value assigned to this subsignature. A subsig ID is used to identify a more granular version of a broad signature. • AlarmInterval—Special handling for timed events. Use AlarmInterval Y with MinHits X for X alarms in a Y-second interval. • AlarmSeverity—Severity of the alarm for this signature. • AlarmThrottle—Technique used for triggering alarms.
Cisco Security Center The Cisco Security Center provides information on emerging threats, and links to the Cisco IOS IPS signatures available to protect your network from them. Signature reports and downloads are available at this link (requires login): http://tools.cisco.com/MySDN/Intelligence/searchSignatures.
Chapter 27 Cisco IOS IPS Security Dashboard
File  Length    Name/status
1     10895320  c1710-k9o3sy-mz.123-8.T.bin
2     1187840   ips.tar
3     252103    attack-drop.sdf
4     1038      home.shtml
5     1814      sdmconfig-1710.cfg
6     113152    home.tar
7     758272    es.tar
8     818176    common.tar
[14028232 bytes used, 2486836 available, 16515068 total]
16384K bytes of processor board System flash (Read/Write)
In this example, the attack-drop.sdf file is in router memory.
Top Threats Table The Top Threats table displays the latest top threats from Cisco if the status of the associated signatures indicates that they are available for deployment or are under investigation. Some of the top threats in the table are associated with signatures that can be deployed to your router. The text of signatures already found on your router is blue. To obtain the latest top threats, click the Update top threats list button.
Select SDF Click the Browse button and choose the Cisco IOS SDF file to use. The Cisco IOS SDF file must be present on your PC. The format of the filename depends on the version of Cisco IOS the router is running. • If the router is running a Cisco IOS image earlier than 12.4(11)T, the SDF must have a name with the format IOS-Sxxx.zip, where xxx is a three-digit number. For example: a Cisco IOS IPS SDF file may be named IOS-S193.zip.
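Before deploying a signature file it is worth checking, from the show flash listing above, that the router actually has room for it and that the file you are about to pick really follows the IOS-Sxxx.zip naming the Select SDF field expects. The Python below is an added example, not code from the guide or from Cisco SDM; the flash listing it parses is the one shown in the Security Dashboard example, and the 64 KB slack for the sdmips.sdf that Apply Changes writes is an assumed safety margin.

```python
import re

# Constructed "show flash" output, copied from the Security Dashboard listing.
SHOW_FLASH = """\
File  Length    Name/status
1     10895320  c1710-k9o3sy-mz.123-8.T.bin
2     1187840   ips.tar
3     252103    attack-drop.sdf
4     1038      home.shtml
5     1814      sdmconfig-1710.cfg
6     113152    home.tar
7     758272    es.tar
8     818176    common.tar
[14028232 bytes used, 2486836 available, 16515068 total]
16384K bytes of processor board System flash (Read/Write)
"""

FILE_RE = re.compile(r"^\s*\d+\s+(\d+)\s+(\S+)\s*$")
SUMMARY_RE = re.compile(r"\[(\d+) bytes used, (\d+) available, (\d+) total\]")
# Pre-12.4(11)T SDF naming from the guide: IOS-Sxxx.zip with a three-digit number.
SDF_NAME_RE = re.compile(r"^IOS-S(\d{3})\.zip$")


def parse_show_flash(text):
    """Return ({filename: length_in_bytes}, bytes_available)."""
    files, available = {}, None
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            files[m.group(2)] = int(m.group(1))
            continue
        m = SUMMARY_RE.search(line)
        if m:
            available = int(m.group(2))
    return files, available


def latest_sdf(names):
    """Pick the highest-numbered valid SDF name; names in another format are ignored."""
    valid = []
    for n in names:
        m = SDF_NAME_RE.match(n)
        if m:
            valid.append((int(m.group(1)), n))
    return max(valid)[1] if valid else None


def deploy_check(flash_text, sdf_name, sdf_size, slack=65536):
    """Return the reasons a deployment should not proceed (empty list = go ahead).
    `slack` is an assumed margin for the sdmips.sdf file Apply Changes creates."""
    files, available = parse_show_flash(flash_text)
    problems = []
    if not SDF_NAME_RE.match(sdf_name):
        problems.append(f"{sdf_name}: name does not match IOS-Sxxx.zip")
    if available is None:
        problems.append("could not read free space from show flash")
    elif available < sdf_size + slack:
        problems.append(f"only {available} bytes free, need {sdf_size + slack}")
    return problems
```

Run the check against the listing with the size of the SDF you downloaded; a non-empty result means fix the name or free flash first, rather than discovering the failure halfway through Apply Changes.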
Chapter 27 Cisco IOS IPS IPS Migration Step 3 Click the Browse button and choose the latest Cisco IOS SDF file if you need to ensure that you are using the latest signature file. You may need to do this if the location of the latest SDF file has changed since it was last set in the Security Dashboard, or if the format of its name is not IOS-Sxxx.zip, where xxx is a three-digit number. Step 4 Click the Deploy signatures button to deploy the chosen signatures to your router.
Chapter 27 Cisco IOS IPS Java Heap Size Migration Wizard: Choose the IOS IPS Backup Signature File The backup file contains the Cisco IOS IPS information that will be migrated. This may be a Signature Definition File (SDF), such as attack-drop.sdf, or 128MB.sdf. If you made changes to the signature information, such as disabling signatures or changing the attributes of specific signatures, the records of your changes are kept in a separate file.
Step 3 Open the Java Runtime Settings dialog. The location of this dialog varies by release. a. Click the Advanced tab. Locate the Java Runtime Settings dialog and proceed to Step 4. If the dialog is not available from the Advanced tab, proceed to b. b. Click the Java tab. Locate the Java Runtime Settings dialog. Click the View button if necessary to display the dialog, and proceed to Step 4.
Chapter 28 Network Module Management
If the router has network modules that are managed by other applications, such as the Intrusion Detection System (IDS) module, Cisco Router and Security Device Manager (Cisco SDM) provides a means for you to launch those applications. IDS Network Module Management If a Cisco IDS Network Module is installed on the router, this window displays basic status information for it.
Reset Click to perform a reset of the IDS network module hardware. Use the Reset button only to recover from the Failed state, or after you have shut down the IDS Network Module. Shutdown Click to shut down the IDS Network Module. Always perform a shutdown before you remove the module from the router. Launch IDM Click to start the IDM software on the IDS module.
IDS NM Monitoring Interface Settings This area of the window shows which router interfaces have traffic sent to the IDS network module for monitoring. A check mark icon next to the interface name indicates that the IDS network module is monitoring the traffic on that interface. A red icon with an X next to the interface name indicates that the IDS network module is not monitoring the traffic on that interface.
IP Address Enter an IP address to use for the IDS Sensor interface. Cisco SDM will do the following: • Create a loopback interface. The number 255 is used if available; if not, another number will be used. This loopback interface will be listed in the Interfaces and Connections window. • Configure the loopback interface with the IP address you enter. • Configure the IDS network module interface as IP unnumbered to the loopback interface.
Specify If you know the network module's IP address, choose this option, and enter the address. Cisco SDM will remember the address, and you can select Use SDM last known IP Address the next time you start the network module.
Date & Time If this row contains an X icon in the Action column, the router's clock settings have not been configured. Double-click on this row, and enter time and date settings in the Date and Time Properties window. IP CEF Setting If this row contains an X icon in the Action column, Cisco Express Forwarding (CEF) has not been enabled on the router. Double-click on this row, and click Yes to enable IP CEF on the router.
Network Module Login IDS NM Interface Monitoring Configuration Use this window to select router interfaces whose traffic you want the IDS network module to monitor. Monitored Interfaces This list contains the interfaces whose traffic the IDS network module is monitoring. To add an interface to this list, select an interface from the Available Interfaces list, and click the left arrow (<<) button.
Chapter 29 Quality of Service
The Quality of Service (QoS) Wizard allows a network administrator to enable QoS on the router's WAN interfaces. QoS can also be enabled on IPSec VPN interfaces and tunnels. The QoS edit windows enable the administrator to edit policies created using the wizard.
Chapter 29 Quality of Service Creating a QoS Policy Step 7 To send the configuration to the router, click Finish. Step 8 If you checked Preview commands before delivering to router in the Edit Preferences screen, the Cisco IOS CLI commands that you are sending are displayed. Click Deliver to send the configuration to the router, or click Cancel to discard it. If you did not make this setting, clicking Finish sends the configuration to the router.
QoS Wizard This window summarizes the information that you will be providing as you complete the QoS Policy wizard. Click the Next button to begin configuring a QoS policy. Interface Selection Choose the interface on which you want to configure the QoS policy in this window. This window lists WAN interfaces, and interfaces which do not have a configured outbound QoS policy.
Table 29-1 Interface Selection (continued) Element Description DSCP marking (trusted) To use Differentiated Services Code Point (DSCP) markings to classify traffic, click DSCP marking (trusted). Cisco network devices such as IP phones and switches add DSCP markings to packets. Configuring DSCP on the router allows these markings to be used to classify traffic. Note that trusting markings means any host that can set DSCP bits can claim the priority queue; trust only where the upstream devices are under your control.
Table 29-2 Queuing for Outbound Traffic (continued) Element Description Bandwidth Percentage To specify the bandwidth percentage for a traffic class, enter the percentage value for that class. Traffic types that depend on high transmission rates, such as voice traffic, should be given a higher percentage than traffic classes that do not need high transmission rates, such as routing traffic.
Table 29-3 Add New Traffic Class Fields (continued) Element Description Classification Match Specify whether the QoS class is to look for matches to Any or to All of the selected criteria. If you choose Any, traffic must meet only one of the match criteria. If you choose All, traffic must meet all of the match criteria. The DSCP values chosen are displayed in the DSCP column.
Policing for Outbound Traffic Configure policing for outbound traffic in this screen. Field Reference Table 29-4 describes the fields in this screen. Table 29-4 Policing for Outbound Traffic Fields Element Description Configure policing for outbound traffic If you want the QoS policy to include policing for outbound traffic, check this option and enter values in the configuration fields. Otherwise, click Next to proceed to the next screen.
Field Reference Table 29-5 QoS Policy Generation Element Description Voice Voice traffic. The default value is 33 percent of the bandwidth. Call Signalling Signalling needed to control voice traffic. The default value is 5 percent of the bandwidth. Routing Traffic generated by this and other routers to manage the routing of packets. The default value is 5 percent of the bandwidth.
Chapter 29 Quality of Service Editing QoS Policies
Match DSCP: ef
Queuing: LLQ
Bandwidth Percentage: 33
----------------------------------------------------------------------
Class Name: SDM-Signalling-1
----------------------------------------------------------------------
Enabled: Yes
Match DSCP: cs3,af31
Queuing: CBWFQ
Bandwidth Percentage: 5
----------------------------------------------------------------------
Class Name: SDM-Routing-1
----------------------------------------------------------------------
En
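The summary above is what the wizard shows; what it delivers to the router is a set of class-map and policy-map commands. The Python below is an added example, not code from the guide or from Cisco SDM, that renders the same three classes as Cisco IOS CLI and enforces the constraints the wizard implies: the class percentages must not exceed the interface, and LLQ (priority percent) is only offered for the voice class. The cs6 marking for SDM-Routing-1 is an assumption, because the listing above is cut off before that class's DSCP value; the policy and interface names are also made up.

```python
from dataclasses import dataclass


@dataclass
class QosClass:
    name: str
    dscp: tuple          # DSCP values the class matches, e.g. ("cs3", "af31")
    queuing: str         # "LLQ" or "CBWFQ"
    percent: int         # bandwidth percentage for the class
    match: str = "any"   # "any" or "all", as in the Classification Match field


# The three classes from the summary above (cs6 for routing is an assumption).
SDM_DEFAULT_CLASSES = (
    QosClass("SDM-Voice-1", ("ef",), "LLQ", 33),
    QosClass("SDM-Signalling-1", ("cs3", "af31"), "CBWFQ", 5),
    QosClass("SDM-Routing-1", ("cs6",), "CBWFQ", 5),
)


def validate(classes):
    """Reject policies that cannot be delivered; return the total reserved percentage.
    IOS also caps reservable bandwidth at 75% by default (max-reserved-bandwidth)."""
    names = [c.name for c in classes]
    if len(set(names)) != len(names):
        raise ValueError("duplicate class names")
    total = sum(c.percent for c in classes)
    if not 0 < total <= 100:
        raise ValueError(f"class percentages sum to {total}, must be 1-100")
    for c in classes:
        if c.queuing not in ("LLQ", "CBWFQ") or c.match not in ("any", "all"):
            raise ValueError(f"{c.name}: bad queuing or match setting")
        if c.queuing == "LLQ" and "ef" not in c.dscp:
            # The wizard offers LLQ for RTP or DSCP EF traffic; only EF is modelled here.
            raise ValueError(f"{c.name}: LLQ is reserved for EF (voice) traffic")
    return total


def render_policy(policy_name, interface, classes):
    """Return the IOS CLI lines for the class maps, the policy map and the binding."""
    validate(classes)
    lines = []
    for c in classes:
        lines.append(f"class-map match-{c.match} {c.name}")
        lines.append(f" match ip dscp {' '.join(c.dscp)}")
    lines.append(f"policy-map {policy_name}")
    for c in classes:
        lines.append(f" class {c.name}")
        if c.queuing == "LLQ":
            lines.append(f"  priority percent {c.percent}")   # strict priority, policed to this share
        else:
            lines.append(f"  bandwidth percent {c.percent}")  # guaranteed minimum under CBWFQ
    lines.append(f"interface {interface}")
    lines.append(f" service-policy output {policy_name}")
    return lines
```

The priority queue is the one to watch from a security standpoint: priority percent polices the voice class to its share, so a host that marks bulk traffic EF cannot starve the other queues, but it can still crowd out legitimate voice within that 33 percent.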
Step 2 In the Cisco SDM toolbar, click Configure. Step 3 In the Cisco SDM taskbar, click QoS. Step 4 Click Edit QoS Policy. Step 5 Choose the QoS policy that you want to edit. Step 6 Click Edit. Then, make changes to the settings in the displayed dialogs. Step 7 Click OK to close the dialog and send the changes to the router.
Policy Selection Reference Table 29-6 Policy Selection Area Element Description View Policy on interface Choose the interface whose QoS policies you want to view. In Direction Choose the traffic direction on which the policy that you want to view is applied. Go To view the policy for the interface and traffic direction that you chose, click Go. Associate To change the association of a QoS policy with an interface, click Associate.
Table 29-7 QoS Buttons (continued) Element Description Paste To edit copied class information and provide a new name for the class, click Paste. If you choose Add this class to the policy, the class is placed with the enabled classes in the policy. The Paste button is disabled when a read-only QoS class is selected. Move Up To move a class up the class list, choose a class and click Move Up.
Table 29-8 Class List Display Area (continued) Element Description Match Whether the QoS class looks for matches to Any or to All of the selected DSCP values. If you choose Any, traffic must meet only one of the match criteria. If you choose All, traffic must meet all of the match criteria. The DSCP values chosen are displayed in the DSCP column.
Field Reference Table 29-9 describes the fields in this screen. Table 29-9 Add Class for New Policy Element Description Policy Name Enter a name for the QoS policy. Class Name Enter a name for the traffic class. Classification Match Specify whether the QoS class is to look for matches to Any or to All of the selected criteria. If you choose Any, traffic must meet only one of the match criteria.
Field Reference Table 29-10 describes the fields in this screen. Table 29-10 Add Service Policy to Class Element Description Existing service policy Select an existing service policy from the list. Associate or Disassociate the QoS Policy Use this window to change the associations that a QoS policy has to router interfaces and traffic directions. Field Reference Table 29-11 Element Description Interface This column lists the router interfaces.
Field Reference Table 29-12 Add or Edit a QoS Class Element Description Add this class to the policy To include this QoS class in the QoS policy, check Add this class to the policy. If this option is not checked, the selected QoS class is marked as Disabled in the Edit QoS Policy window. Class Name The QoS class name is displayed in this field if you are editing an existing class.
Table 29-12 Add or Edit a QoS Class (continued) Element Description Classification Choose the types of items and values that you want the router to examine traffic for. If you click All, traffic must match all criteria. If you click Any, traffic need only match a single criterion. You must specify a value type in the list and click Edit to specify the values.
Table 29-12 Add or Edit a QoS Class (continued) Element Description Action Choose the action that the router is to take when it finds traffic that matches the specified DSCP values. • Drop—Drop the traffic. If you select Drop, other options in the Action area are disabled. • Set DSCP—Choose the DSCP value that you want the traffic to be reset to. • Queuing—LLQ is available if the traffic uses the RTP protocol or has a DSCP value of EF.
Edit Match Protocol Values To add a protocol to a class, choose a protocol from the Available Protocol Values column on the left, and click the top double-arrowhead button to add it to the Selected Protocol Values column. To remove a protocol from the Selected Protocol Values column, choose the protocol and click the bottom double-arrowhead button.
Table 29-13 Configure Policing Element Description Specify the access rate parameters for policing Committed Information Rate (CIR) Enter the CIR to be used for the policy in kilobits per second. A policer never delays traffic: when the arrival rate exceeds the CIR, the excess is dropped or remarked according to the exceed action. Normal Burst Size (BC) Optional. Enter the normal burst size. The burst is an amount of data, not a rate; for policing, Cisco IOS expresses it in bytes. Make it at least as large as the largest packet you expect, otherwise such packets can never conform.
Field Reference Table 29-14 describes the fields in this screen. Table 29-14 Configure Shaping Element Description Committed Information Rate (CIR) Enter the CIR to be used for the policy in kilobits per second. Unlike a policer, a shaper does not drop or remark traffic that exceeds the CIR: it buffers the excess and releases it at the CIR, trading delay and buffer memory for fewer drops. Normal Burst Size (BC) Optional. Enter the normal burst size that may be sent above the CIR in one interval; for shaping, Cisco IOS expresses it in bits.
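The difference between the two tables above is easiest to see by running the same burst through a token bucket twice, once as a policer and once as a shaper. The Python below is an added example, not code from the guide or from Cisco IOS; the single-rate, single-bucket model is a simplification of IOS policing and shaping (no excess burst, no Tc interval), the packet trace is constructed, and the 1.5-second rule in recommended_bc is the common Cisco starting point for sizing a policer's normal burst, not a value from this guide.

```python
def recommended_bc(cir_kbps):
    """Common starting point for a policer's normal burst: 1.5 s of traffic at CIR, in bytes."""
    return int(cir_kbps * 1000 * 1.5 / 8)


def police(packets, cir_kbps, bc_bytes):
    """Single-rate, single-bucket policer.  packets = [(arrival_s, size_bytes), ...].
    Returns "conform" or "exceed" per packet.  Exceeding packets are dropped or
    remarked by the exceed action; a policer never delays anything."""
    rate = cir_kbps * 1000 / 8          # bytes per second
    tokens, last = bc_bytes, 0.0
    verdicts = []
    for t, size in packets:
        tokens = min(bc_bytes, tokens + (t - last) * rate)   # refill since last packet
        last = t
        if size <= tokens:
            tokens -= size
            verdicts.append("conform")
        else:
            verdicts.append("exceed")   # bucket is not charged; packet is dropped/remarked
    return verdicts


def shape(packets, cir_kbps, bc_bytes):
    """Shaper over the same bucket: a packet that finds too few tokens is queued in
    arrival order and waits until enough have accrued.  Returns the delay per packet."""
    rate = cir_kbps * 1000 / 8
    tokens, clock = bc_bytes, 0.0       # clock = time of the previous departure
    delays = []
    for t, size in packets:
        start = max(t, clock)                            # queue behind the previous packet
        tokens = min(bc_bytes, tokens + (start - clock) * rate)
        if size > tokens:
            start += (size - tokens) / rate              # wait for the shortfall to accrue
            tokens = size
        tokens -= size
        clock = start
        delays.append(start - t)
    return delays
```

Five 1000-byte packets arriving at once against a 64 kbps CIR with a 2000-byte burst: the policer passes two and marks three as exceeding; the shaper passes the same two immediately and releases the rest 125 ms apart. The last two asserts show the caveat from the table: a 3000-byte packet can never conform to a 2000-byte policer bucket, while the shaper merely delays it.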
Table 29-15 Configure Queuing Fields Element Description LLQ Chosen Priority Percentage Bandwidth is allocated as an absolute percentage of the total bandwidth of the interface or tunnel. Enter a percentage value from 1 to 100 to specify the amount of bandwidth that you want to use. CBWFQ Chosen Bandwidth Bandwidth is allocated as an absolute percentage of the total bandwidth of the interface or tunnel.
Chapter 30 Network Admission Control
Network Admission Control (NAC) protects data networks from computer viruses by assessing the health of client workstations, ensuring that they receive the latest available virus signature updates, and controlling their access to the network. NAC works with antivirus software to assess the condition of a client, called the client's posture, before allowing the client access to the network.
Chapter 30 Network Admission Control Create NAC Tab The NAC configuration on the router is only one part of a complete NAC implementation. Click Other Tasks in a NAC Implementation to learn the tasks that must be performed on other devices in order to implement NAC. Enable AAA Button Authentication, authorization, and accounting (AAA) must be enabled on the router before you can configure NAC. If AAA is not enabled, click the Enable AAA button.
Step 3 Install and configure the posture validation and remediation server. If you are a registered Cisco.com user, you can download Cisco Trust Agent (CTA) software from the following link: http://www.cisco.com/cgi-bin/tablebuild.pl/cta The document at the following link explains how to install and configure CTA software on a host. http://www.cisco.com/en/US/products/ps5923/products_administration_guide_b ook09186a008023f7a5.
• Configure a NAC exception list—Hosts such as printers, IP phones, and hosts without NAC posture agents installed may need to bypass the NAC process. Hosts with static IP addresses and other devices can be identified in an exception list, and be handled using an associated exception policy. Hosts can also be identified by their MAC address, or by their device type.
If you choose Router chooses source, the source IP address in the RADIUS packets will be the address of the interface through which the RADIUS packets exit the router. If you choose an interface, the source IP address in the RADIUS packets will be the address of the interface that you chose as the RADIUS client source. Note Cisco IOS software allows a single RADIUS source interface to be configured on the router.
Note When performing a ping test, enter the IP address of the RADIUS source interface in the source field in the ping dialog. If you chose Router chooses source, you need not provide any value in the ping dialog source field. The Edit and Ping buttons are disabled when no RADIUS server information is available for the chosen interface. Interface Selection Choose the interface on which to enable NAC in this window.
policies on the NAC policy server, and then reconfigure NAC on the router to use Strict Validation, by changing the ACL applied to the interface to deny ip any any using the Cisco SDM Firewall Policy feature. NAC Exception List You can identify hosts that must be allowed to bypass the NAC validation process. Typically, hosts such as printers, IP phones, and hosts without NAC posture agent software installed are added to the exception list.
Type List Hosts are chosen by the way they are identified. This list contains the following selections: • IP Address—Choose this if you want to identify the host by its IP address. • MAC Address—Choose this if you want to identify the host by its MAC address. • Cisco IP Phone—Choose this if you want to include the Cisco IP phones on the network in the exception list.
Preview of Access Rule The Action, Source, Destination, and Service columns show the ACL entries in the access rule associated with the policy. These columns are empty if no ACL is configured for this policy. Add Exception Policy Create a new exception policy in this window.
Agentless Host Policy If a policy for agentless hosts exists on the Cisco Secure ACS server, the router can use that policy to handle hosts without installed posture agents. This method of handling agentless hosts can be used as an alternative or as a complement to a NAC exception list. If you are using the NAC wizard and you do not need to configure an agentless host policy, you can click Next without entering information in this window.
Cisco SDM traffic from hosts on that network. The host or network must be accessible from the interfaces that you specified. Choose Any to allow Cisco SDM traffic from any host connected to the specified interfaces. Modify Firewall Cisco SDM checks each ACL applied to the interface specified in this configuration to determine if it blocks any traffic that should be allowed through the firewall so that the feature you are configuring will work.
Summary of the configuration This window summarizes the information you entered, and allows you to review it in a single window. You can use the Back button to return to any wizard screen to change information. Click Finish to deliver the configuration to the router.
Chapter 30 Network Admission Control Edit NAC Tab
Here is an example of a NAC configuration summary:
NAC Interface: FastEthernet0/1.42
Admission Name: SDM_EOU_3
AAA Client Source Interface: FastEthernet0/1.40
NAC Policy Server 1: 10.77.158.54
Exception List
----------------------------------------------------------------------
Address/Device IP Address (22.22.22.2) newly added
Policy Details:
Policy Name: P55
Redirect URL: http://www.fix.
Agentless Host Policy Button If a policy for agentless hosts exists on the Cisco Secure ACS server, the router can use that policy to handle hosts without installed posture agents. This method of handling agentless hosts can be used when such hosts do not have static IP addresses. This button is disabled if there is no NAC policy configured on the router. Add, Edit, and Delete Buttons These buttons allow you to manage the NAC policy list.
Exception Policies Window NAC exception policies control the network access of hosts in the exception list. A NAC exception policy consists of a name, an access rule, and/or a redirect URL. The access rule specifies the destinations to which hosts governed by the policy have access. If a redirect URL is specified in the policy, the policy can point web clients to sites that contain information on how to obtain the latest available virus protection.
Value                   Default        Minimum       Maximum
Hold Period Timeout     180 seconds    60 seconds    86400 seconds
Retransmission Timeout  3 seconds      1 second      60 seconds
Revalidation Timeout    36000 seconds  300 seconds   86400 seconds
Status Query Timeout    300 seconds    30 seconds    1800 seconds
Interface Selection Choose the interface to which the NAC timeout settings are to apply.
Configure these timeout values globally Check Box Click this check box to have these values apply to all interfaces. Configure a NAC Policy A NAC policy enables the posture validation process on a router interface, and can be used to specify the types of traffic that are to be exempt from posture validation in the admission control process. Name Field Enter a name for the policy.
Chapter 30 Network Admission Control How Do I... The following topics contain procedures for performing tasks that the Create NAC wizard does not help you to do. How Do I Configure a NAC Policy Server? The router must have a connection to a Cisco Secure Access Control Server (ACS) running ACS software version 3.3. The ACS must be configured to use the RADIUS protocol in order to implement NAC. The document at the following link contains an overview of the configuration process. http://www.
Chapter 31 Router Properties
Router properties let you define the overall attributes of the router, such as the router name, domain name, password, Simple Network Management Protocol (SNMP) status, Domain Name System (DNS) server address, user accounts, router log attributes, virtual type terminal (vty) settings, SSH settings, and other router access security settings. Device Properties The Properties—Device screen contains host, domain, and password information for your router.
Chapter 31 Router Properties Date and Time: Clock Properties Enter the Text for Banner Enter text for the router banner. The router text banner is displayed whenever anyone logs in to the router. We recommend that the text banner include a message indicating that unauthorized access is prohibited, and that it not disclose the router's hostname, platform, or software version, since it is shown before authentication. Password Tab The Password tab contains the following fields. Enable Secret Password Cisco Router and Security Device Manager (Cisco SDM) supports the enable secret password, which is stored in the configuration as a hash rather than in the reversible encoding used by the older enable password.
Date/Time You can see the router date and time settings on the right side of the Cisco SDM status bar. The time and date settings in this part of the Clock Properties window are not updated. Router Time Source This field can contain the following values: • NTP – The router receives time information from an NTP server. • User Configuration – The time and date values are set manually, using Cisco SDM or the CLI.
Note You must make the Time Zone and Daylight Savings settings on the PC before starting Cisco SDM so that Cisco SDM will receive the correct settings when you click Synchronize. Edit Date and Time Use this area to set the date and time manually. You can choose the month and the year from the drop-down lists, and choose the day of the month in the calendar. The fields in the Time area require values in 24-hour format.
http://www.eecis.udel.edu/~mills/ntp/clock2a.html Interface The interface over which the router will communicate with the NTP server. Prefer This column contains Yes if this NTP server has been designated as a preferred NTP server. Preferred NTP servers will be contacted before nonpreferred servers. There can be more than one preferred NTP server. Add Click to add NTP server information.
Interface Choose the router interface that will provide access to the NTP server. You can use the show ip route CLI command to determine which interface has a route to this NTP server. Note An extended access rule will be created for port 123 traffic and applied to the interface that you choose in this window. If an access rule is already in place for this interface, Cisco SDM will add statements to permit port 123 traffic on this interface. Review the added statements: they should permit NTP only to and from the server you entered, not UDP port 123 from any source.
source will have more consistent time settings. This window allows you to view the NTP server information that has been configured, to add new information, or to edit or delete existing information. Note If your router does not support NTP commands, this branch will not appear in the Router Properties tree. Property The system-defined name for this NTP server. Value The IP address for this NTP server.
IP Address Enter the IP address of the NTP server in dotted-decimal format. For more information, see IP Addresses and Subnet Masks. Logging Use this window to enable logging of system messages, and to specify logging hosts where logs can be kept. You can specify the level of logging messages that you want to send and to collect, and enter the hostname or IP address of multiple logging hosts.
the log collects or sends messages of levels 0 through 5. Firewall logging messages require a logging level of debugging (7), and Application Security logging messages require a level of informational (6). Logging to Buffer If you want system messages to be logged to the router buffer, check the Logging Buffer check box in the dialog that Cisco SDM displays when you click Edit, then enter the buffer size in the Buffer Size field.
Trap Receiver Enter the IP addresses and community strings of the trap receivers—that is, the addresses where the trap information should be sent. These are normally the IP addresses of the SNMP management stations monitoring your domain. Check with your site administrator to determine the address if you are unsure of it. Click the Add, Edit, or Delete buttons to administer trap receiver information.
Chapter 31 Router Properties Router Access
Top Talkers
Set the number of top talkers in the Top Talkers number box. Choose a number in the range 1–200. Cisco SDM will track and record data on up to the number of top talkers that you set.
Cache Timeout
Set the timeout, in milliseconds, for the top-talkers cache in the Cache timeout number box. Choose a number in the range 1–3600000. The top-talkers cache will refresh when the timeout is reached.
Note: The user password is not the same as the enable secret password configured in the Device Properties—Password tab. The user password enables the specified user to log in to the router and enter a limited set of commands.
Privilege Level
Privilege level for the user.
View Name
If a CLI view has been associated with the user account, the view name appears in this column. Views define the user’s access to Cisco SDM based on the user’s role.
Username
Enter or edit the username in this field.
Password
Enter or edit the password in this field.
Confirm Password
Reenter the password in this field. If the password and the confirm password do not match, an error message window appears when you click OK. When you click OK, the new or edited account information appears in the Configure User Accounts for Telnet window.
View Name
Choose the view you want to associate with this user from the following:
• SDM_Administrator—A user associated with the view type SDM_Administrator has complete access to Cisco SDM and can perform all operations supported by Cisco SDM.
• SDM_Monitor—A user associated with the view type SDM_Monitor can monitor all features supported by Cisco SDM. The user is not able to deliver configurations using Cisco SDM.
Chapter 31 Router Properties vty Settings
vty Settings
This window displays the virtual terminal (vty) settings on your router. The Property column contains configured line ranges and configurable properties for each range. The settings for these properties are contained in the Value column. This table shows your router vty settings and contains the following columns:
• Line Range—Displays the range of vty connections to which the rest of the settings in the row apply.
Line Range
Enter the range of vty lines to which the settings made in this window will apply.
Time Out
Enter the number of seconds of inactivity allowed to pass before an inactive connection will be terminated.
Input Protocol
Choose the input protocols by clicking the appropriate check boxes.
Telnet Check Box
Check to enable Telnet access to your router.
SSH Check Box
Check to enable SSH clients to log in to the router.
Outbound
Enter the name or number of the access rule you want to filter outbound traffic, or click the button and browse for the access rule.
Authentication/Authorization
These fields are visible when AAA is enabled on the router. AAA can be enabled by clicking Additional Tasks > AAA > Enable.
Authentication Policy
Choose the authentication policy that you want to use for this vty line.
Permitted Protocols
This column lists the protocols that the specified hosts can use when communicating with the router. The following protocols can be configured:
• Cisco SDM—Specified hosts can use Cisco SDM.
• Telnet—Specified hosts can use Telnet to access the router CLI.
• SSH—Specified hosts can use Secure Shell to access the router CLI.
• HTTP—Specified hosts can use Hypertext Transfer Protocol to access the router.
Discard Changes Button
Click to discard changes you made in the Add or Edit a Management Policy window to the router configuration. The changes you made are discarded and removed from the Configure Management Access Policies window.
Add or Edit a Management Policy
Use this window to add or edit a management policy.
Type
Specify whether the address you provide is the address of a host or a network.
If you want to make users employ secure protocols when logging in to Cisco SDM, check Allow secure protocols only. When you check this box, the following protocols are automatically checked: SSH, HTTPS, RCP. If you then check a nonsecure protocol such as Telnet, Cisco SDM unchecks Allow secure protocols only.
– If “any” is associated with destination, it allows access to any node on the network supported by the router.
Recommended Action
You can remove the access entry that caused this message to appear by choosing the rule in the Rules window and clicking Edit. Alternatively, in the Interfaces and Connections window, you can disassociate the rule from the interface it is applied to.
Error Message
SDM Warning: Current Host Not Allowed
Explanation
This message is displayed if you have not configured a management access policy to allow the current host or network to access Cisco SDM on this router.
Recommended Action
You should create such a policy in order to make Cisco SDM on this router accessible from the current host or network. If you do not, you will lose the connection to the router when you deliver the configuration to the router.
Chapter 31 Router Properties DHCP Configuration
Key modulus size Button
Visible if no cryptographic key has been generated. Click this button and enter the modulus size you want to give the key. If you want a modulus value between 512 and 1024, enter an integer value that is a multiple of 64. If you want a value higher than 1024, you can enter 1536 or 2048. If you enter a value greater than 512, key generation may take a minute or longer.
• DNS Servers—IP addresses of the DNS servers that the router will provide to DHCP clients.
• WINS Servers—IP addresses of the WINS servers that the router will provide to DHCP clients.
• Domain Name—Domain name configured on the router.
• Lease Time—Amount of time that the router will lease an IP address to a client.
Add or Edit DHCP Pool
Add or edit a DHCP pool in this window. You cannot edit Cisco SDM-default pools.
DHCP Pool Name
Provide a name for the DHCP pool in this field.
DHCP Pool Network
Enter the network from which the IP addresses in the pool will be taken, for example, 192.168.233.0. This cannot be the IP address of an individual host.
Subnet Mask
Enter the subnet mask. The subnet mask of 255.255.255.0 provides 255 IP addresses.
Import all DHCP Options into the DHCP server database
Click this option if you want to import DHCP option parameters into the DHCP server database and also send this information to DHCP clients on the LAN when they request IP addresses.
DHCP Bindings
This window shows existing manual DHCP bindings.
Client Name
Optional name assigned to the client.
Add Button
Click to add a new manual DHCP binding.
Edit Button
Click to edit the specified manual DHCP binding.
Delete Button
Click to delete the specified manual DHCP binding.
Add or Edit DHCP Binding
This window allows you to add or edit existing manual DHCP bindings.
Name
Enter the name you want for the DHCP binding. If you are editing the DHCP binding, the name field is read-only.
Chapter 31 Router Properties DNS Properties
MAC Address
Enter the MAC address of the client. Do not enter an address in use by another DHCP binding.
Type
If you chose Hardware Address from the Identifier drop-down menu, choose Ethernet or IEEE802 to set the MAC address type of the client.
Client Name (Optional)
Enter a name to identify the client. The name should be a hostname only, not a domain-style name. For example, router is an acceptable name, but router.cisco.com is not.
Chapter 31 Router Properties Dynamic DNS Methods
Each dynamic DNS method shown will send with its update the hostname and domain name configured in Configure > Additional Tasks > Router Properties. However, if you create a dynamic DNS method when configuring a WAN interface, you can override the hostname and domain name configured in Configure > Additional Tasks > Router Properties. The new hostname and domain name will apply only to that dynamic DNS method. Some dynamic DNS methods are read-only.
Server
If using HTTP, choose the domain address of the DNS service provider from the drop-down menu.
Username
If using HTTP, enter a username for accessing the DNS service provider.
Password
If using HTTP, enter a password for accessing the DNS service provider.
IETF
IETF is a dynamic DNS method type that updates a DNS server with changes to the associated interface’s IP address.
Chapter 32 ACL Editor
Rules define how the router will respond to a particular kind of traffic. Using Cisco SDM, you can create access rules that cause the router to block certain types of traffic while permitting other types, NAT rules that define the traffic that is to receive address translation, and IPSec rules that specify which traffic is to be encrypted.
NAC Rules
Rules that specify the IP addresses to be admitted to the network, or blocked from the network.
Firewall Rules
Rules that can specify source and destination addresses, type of traffic, and whether the traffic should be permitted or denied.
QoS Rules
Rules that specify traffic that should belong to the QoS Class that the rule is associated with.
Unsupported Rules
Rules that have not been created using Cisco SDM, and that Cisco SDM does not support.
Chapter 32 ACL Editor Useful Procedures for Access Rules and Firewalls
Useful Procedures for Access Rules and Firewalls
This section contains procedures that you may find useful.
Chapter 32 ACL Editor Rules Windows
• QoS Rules window—Rules that specify traffic that should belong to the QoS Class that the rule is associated with.
• Unsupported Rules window—Unsupported rules contain syntax or keywords that Cisco SDM does not support. Unsupported rules may affect the way the router operates, but are marked as read-only by Cisco SDM.
• Externally Defined Rules window—Externally defined rules are those that Cisco SDM was not used to create.
Used By
The name of the interface or VTY numbers to which this rule has been applied.
Type
The type of rule, either standard or extended. Standard rules compare a packet’s source IP address against its IP address criteria to determine a match. The rule’s IP address criteria can be a single IP address, or portions of an IP address, defined by a wildcard mask. Extended rules can examine a greater variety of packet fields to determine a match.
Source
The source IP address criteria that the traffic must match. This column may contain:
• An IP address and wildcard mask. The IP address specifies a network, and the wildcard mask specifies how much of the rule’s IP address the IP address in the packet must match.
• The keyword any. Any indicates that the source IP address can be any IP address.
• A host name.
Destination
For extended rules, the destination IP address criteria that the traffic must match.
What do you want to do?
Add a rule: Click the Add button and create the rule in the windows displayed.
Edit a rule, or edit a rule entry: Select the access rule and click Edit. Then edit the rule in the Edit rule window displayed.
Associate a rule with an interface: See How Do I Associate a Rule with an Interface?
Delete a rule that has not been associated with an interface: Select the Access rule, and click Delete.
Type
Select the type of rule you are adding. Standard rules let you have the router examine the source host or network in the packet. Extended rules let you have the router examine the source host or network, the destination host or network, and the type of traffic that the packet contains.
Description
You can provide a description of the rule in this field. The description must be less than 100 characters long.
Note: The Associate button is enabled only if you are adding a rule from the Access Rules window.
What do you want to do?
Add or edit a rule entry: Click Add, and create the entry in the window displayed. Or click Edit, and change the entry in the window displayed.
Add a rule entry using an existing entry as a template: Select the entry you want to use as a template, and click Clone. Then create the entry in the dialog box displayed.
Associate with an Interface
You can use this window to associate a rule you have created from the Access Rules window with an interface and to specify whether it applies to outbound traffic or inbound traffic.
Select an Interface
Select the interface to which you want this rule to apply.
Specify a Direction
If you want the router to check packets inbound to the interface, click Inbound.
What do you want to do?
Cancel the operation and preserve the association between the interface and the existing rule: Click No. The association between the existing rule and the interface is preserved, and the rule that you created in the Add a Rule window is saved. You can examine the existing rule and the new rule and decide whether you want to replace the existing rule or to merge the entries of the new rule with the existing rule.
Note: Any traffic that does not match the criteria in one of the rule entries you create is implicitly denied. To ensure that traffic you do not intend to deny is permitted, you must append explicit permit entries to the rule you are configuring.
Action
Select the action you want the router to take when a packet matches the criteria in the rule entry. The choices are Permit and Deny. What Permit and Deny do depends on the type of rule in which they are used.
Mask
If you selected A Network or if you selected A Host Name or IP address, either select the wildcard mask from this list, or enter a custom wildcard mask. A binary 0 in a wildcard mask means that the corresponding bit in a packet’s IP address must match exactly. A binary 1 in a wildcard mask means that the corresponding bit in the packet’s IP address need not match.
What Permit and Deny do depends on the type of rule in which they are used. In Cisco SDM, extended rule entries can be used in access rules, NAT rules, IPSec rules, and access lists associated with route maps. Click Meanings of the Permit and Deny Keywords to learn more about the action of Permit and the action of Deny in the context of a specific type of rule.
Source Host/Network
The source IP address criteria that the traffic must match.
Type
Select one of the following:
• A specific IP address. This can be a network address or the address of a specific host.
• A host name.
• Any IP address.
Mask
If you selected A specific IP address, either select the wildcard mask from this list or enter a custom wildcard mask. A binary 0 in a wildcard mask means that the corresponding bit in the packet’s IP address must match exactly.
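The wildcard-mask matching and the implicit deny described above, as an added example that is not code from the Cisco SDM guide. The addresses, masks and the two sample rules are constructed; the rule entries model the standard (source only) and extended (source, destination, protocol, port) types the Type field describes.

```python
"""Added example, not code from the Cisco SDM guide: how standard and
extended rule entries match a packet using IOS wildcard masks, and why
the implicit deny at the end of a rule matters.

Addresses, masks and the sample entries below are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def ip_to_int(ip: str) -> int:
    return int(IPv4Address(ip))


def subnet_mask_to_wildcard(mask: str) -> str:
    """A wildcard mask is the bitwise inverse of a subnet mask:
    255.255.255.0 becomes 0.0.0.255."""
    return str(IPv4Address(~ip_to_int(mask) & 0xFFFFFFFF))


def wildcard_match(rule_ip: str, wildcard: str, packet_ip: str) -> bool:
    """Wildcard bit 0: the packet bit must equal the rule bit exactly.
    Wildcard bit 1: the packet bit is ignored."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF      # bits that must match
    return (ip_to_int(rule_ip) & care) == (ip_to_int(packet_ip) & care)


def addr_match(rule_ip: str, wildcard: str, packet_ip: str) -> bool:
    # The keyword "any" matches every address.
    return rule_ip == "any" or wildcard_match(rule_ip, wildcard, packet_ip)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip", "tcp", "udp", ...
    dport: Optional[int] = None


@dataclass
class Entry:
    """One rule entry. A standard entry sets only action/src/src_wc; an
    extended entry may also constrain dst, proto and destination port."""
    action: str                  # "permit" or "deny"
    src: str                     # address or "any"
    src_wc: str = "0.0.0.0"      # 0.0.0.0 = exact host match
    dst: Optional[str] = None    # extended entries only
    dst_wc: str = "0.0.0.0"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if not addr_match(self.src, self.src_wc, pkt.src):
            return False
        if self.dst is not None and not addr_match(self.dst, self.dst_wc, pkt.dst):
            return False
        if self.proto not in (None, "ip") and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(entries: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; return its action and index. Traffic that
    matches no entry is implicitly denied (index None)."""
    for i, entry in enumerate(entries):
        if entry.matches(pkt):
            return entry.action, i
    return "deny", None


# Constructed standard rule: permit the 192.168.233.0/24 LAN only.
STANDARD_RULE = [Entry("permit", "192.168.233.0", "0.0.0.255")]

# Constructed extended rule: block Telnet from one host, allow SSH from the
# LAN to anywhere; everything else falls through to the implicit deny.
EXTENDED_RULE = [
    Entry("deny", "192.168.233.10", "0.0.0.0", "any", proto="tcp", dport=23),
    Entry("permit", "192.168.233.0", "0.0.0.255", "any", proto="tcp", dport=22),
]
```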
If you select this protocol, you can specify the following in the Source Port and Destination Port fields:
TCP and UDP: Specify the source and destination port by name or number. If you do not remember the name or number, click the ... button and select the value you want from the Service window. This field accepts protocol numbers from 0 through 65535.
• =. The rule entry applies to the value that you enter in the field to the right.
• !=.
Rule Category
Select the rule category that you want to select from. The rules in the category you select will appear in the box below the list. If no rules appear in the box, no rules of that category have been defined.
Name/Number
The name or number of the rule.
Used By
How the rule is being used. For example, if the rule has been associated with an interface, the name of the interface. If the rule is being used in an IPSec policy, the name of the policy.
Destination
For extended rules, the destination IP address criteria that the traffic must match. The address may be for a network, or a specific host. This column may contain the following:
• An IP address and wildcard mask. The IP address specifies a network, and the wildcard mask specifies how much of the rule’s IP address the IP address in the packet must match.
• The keyword any. Any indicates that the source IP address can be any IP address.
• A host name.
Chapter 33 Port-to-Application Mapping
Port-to-Application Mapping (PAM) allows you to customize TCP and UDP port numbers for network services and applications. PAM uses this information to support network environments that run services using ports that are different from the registered or well-known ports associated with an application. The information that PAM maintains enables Context-Based Access Control (CBAC) supported services to run on nonstandard ports.
Chapter 33 Port-to-Application Mapping Port-to-Application Mappings
Application Protocol Column
This column contains the name of the application protocol, and the names of the protocol types. For example, the FTP and the TFTP entries are found under the File Transfer protocol type.
Port Type Column
This list appears if the router is running a Cisco IOS image that allows you to specify whether this port map entry applies to TCP or to UDP traffic.
Port Column
This column contains the port number.
Description Column
If a description of the PAM entry has been created, the description is displayed in this column.
Add or Edit Port Map Entry
You can add and edit port map entries for custom or standard protocols.
Protocol Field
If you are adding an entry, specify the protocol by clicking the list (...) button to the right and choosing a system-defined protocol, or by entering the name of a custom protocol.
numbers separated by commas, or port number ranges indicated with a dash. For example, you might enter three noncontiguous port numbers as 310, 313, 318, or you might enter the range 415–419. If the router is not running a Cisco IOS image that allows you to specify whether this port map entry applies to TCP or to UDP traffic, you can enter a single port number.
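A parser for the Port field format just described (single port, comma-separated list, dash range) together with the port-to-application lookup that PAM provides, as an added example that is not code from the Cisco SDM guide. The 1–65535 range, the application names and the sample entries are constructed assumptions; the `single_only` flag models an IOS image that accepts only one port per entry.

```python
"""Added example, not code from the Cisco SDM guide: a parser for the Port
field of a PAM entry (single port, comma-separated list, or dash range)
and a small port map that resolves a (port type, port) pair to the
application protocol that CBAC should inspect it as.

The 1-65535 port range, the application names and all entries below are
constructed for illustration."""
import re
from typing import Dict, List, Tuple

PORT_MIN, PORT_MAX = 1, 65535   # assumption: valid port range for a map entry
_ITEM = re.compile(r"(\d+)(?:-(\d+))?")


def parse_port_spec(spec: str, single_only: bool = False) -> List[int]:
    """Expand "310, 313, 318" or "415-419" into a sorted port list.
    single_only models an IOS image that accepts only one port per entry."""
    ports = set()
    for item in spec.replace("\u2013", "-").split(","):   # accept an en-dash too
        item = item.strip()
        m = _ITEM.fullmatch(item)
        if not m:
            raise ValueError(f"bad port item: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (PORT_MIN <= lo <= hi <= PORT_MAX):
            raise ValueError(f"port item out of range: {item!r}")
        ports.update(range(lo, hi + 1))
    if single_only and len(ports) != 1:
        raise ValueError("this image accepts a single port number only")
    return sorted(ports)


class PortMap:
    """(port type, port) -> application protocol name. A port can map to
    only one application per port type, so a conflicting add is refused."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple[str, int], str] = {}

    def add(self, application: str, port_spec: str, port_type: str = "tcp") -> List[int]:
        ports = parse_port_spec(port_spec)
        for p in ports:
            owner = self.entries.get((port_type, p))
            if owner not in (None, application):
                raise ValueError(f"{port_type}/{p} already mapped to {owner}")
        for p in ports:
            self.entries[(port_type, p)] = application
        return ports

    def lookup(self, port_type: str, port: int) -> str:
        """Return the mapped application, or "unknown" when no entry exists."""
        return self.entries.get((port_type, port), "unknown")
```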
Chapter 34 Zone-Based Policy Firewall
Zone-based policy firewall (also known as “Zone-Policy Firewall” or “ZPF”) changes the firewall from the older interface-based model to a more flexible, more easily understood zone-based configuration model. Interfaces are assigned to zones, and an inspection policy is applied to traffic moving between the zones.
Chapter 34 Zone-Based Policy Firewall Zone Window
3. Define class-maps that describe traffic that must have policy applied as it crosses a zone-pair.
4. Define policy-maps to apply action to your class-map’s traffic.
5. Apply policy-maps to zone-pairs.
6. Assign interfaces to zones.
The sequence of tasks is not important, but some events must be completed in order. For instance, you must configure a class-map before you assign a class-map to a policy-map.
Add or Edit a Zone
To add a new zone, also called a security zone, enter a zone name, and choose the interfaces that are to be included in the zone. The Interface list displays the names of available interfaces. Because physical interfaces can be placed in only one zone, they do not appear in the list if they have already been placed in a zone.
• An interface can be assigned to only one security zone.
• All traffic to/from a given interface is implicitly blocked when the interface is assigned to a zone, excepting traffic to/from other interfaces in the same zone, and traffic to any interface on the router.
• Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone.
Chapter 34 Zone-Based Policy Firewall Zone Pairs
Zone Pairs
A zone-pair allows you to specify a unidirectional firewall policy between two security zones. The direction of the traffic is specified by specifying a source and destination security zone. The same zone cannot be defined as both the source and the destination. If you want traffic to flow in both directions between two zones, you must create a zone pair for each direction.
for traffic originating from the router itself, or destined for the router itself, such as a zone pair configured for SNMP traffic. The Policy list contains the name of each policy map configured on the router. If you are editing a zone pair, you can change the policy map, but you cannot change the name or the source or destination zones.
Select a Zone
If a security zone has been configured on the router, you can add the interface that you are configuring as a member of that zone.
Select a Zone for the Interface
Select the zone that you want to include the interface in, and click OK.
Chapter 35 Authentication, Authorization, and Accounting
Cisco IOS Authentication, Authorization, and Accounting (AAA) is an architectural framework for configuring a set of three independent security functions in a consistent manner. AAA provides a modular way of performing authentication, authorization, and accounting services. Cisco IOS AAA provides the following benefits:
• Increased flexibility and control
• Scalability
• Standardized authentication methods.
Chapter 35 Authentication, Authorization, and Accounting Configuring AAA
Configuring AAA
To configure AAA, complete the following steps:
Step 1 If you want to review the IOS CLI commands that you send to the router when you complete the configuration, go to the Cisco SDM toolbar, and click Edit > Preferences > Preview commands before delivering to router. The preview screen allows you to cancel the configuration if you want to.
Step 2 In the Cisco SDM toolbar, click Configure.
Chapter 35 Authentication, Authorization, and Accounting AAA Screen Reference
• AAA Server Groups
• Add or Edit AAA Server Group
• Authentication and Authorization Policies
• Authentication and Authorization
• Authentication NAC
• Authentication 802.1x
• Add or Edit a Method List for Authentication or Authorization
AAA Root Screen
This screen is located at the top level of the AAA tree. It provides a summary view of the AAA configuration on the router.
Table 35-1 AAA Main Screen Fields
Authentication Policies
This read-only field lists configured authentication policies. Authentication policies define how users are identified. To edit authentication policies, click the Login sub-node under Authentication Policies in the AAA tree.
Authorization Policies
This read-only field lists configured authorization policies.
Table 35-2 AAA Servers Fields
Global Settings
Click Global Settings to make global settings for TACACS+ and RADIUS servers. In the Edit Global Settings window, you can specify how long to attempt contact with an AAA server before going on to the next server, the key to use when contacting TACACS+ or RADIUS servers, and the interface on which TACACS+ or RADIUS packets will be received.
Table 35-3 Add or Edit a TACACS+ Server Fields
Server IP or Host
Enter the IP address or the host name of the server. If the router has not been configured to use a Domain Name Service (DNS) server, enter an IP address.
Field Reference
Table 35-4 describes the fields in this screen.
Table 35-4 Add or Edit a RADIUS Server Fields
Server IP or Host
Enter the IP address or the host name of the server. If the router has not been configured to use a Domain Name Service (DNS) server, enter an IP address.
Authorization Port
Specify the server port to use for authorization requests. The default is 1645.
Table 35-5 Global Settings Fields
TACACS+ Server
Click the appropriate button to specify the server type for which you are setting global parameters. If you select TACACS+ Server, the parameters will apply to all communication with TACACS+ servers that do not have server-specific parameters set.
Table 35-6 AAA Server Groups Fields
Add
Click the Add button to create a RADIUS server group. After you create this group, the name and group members are displayed in this window.
Edit
Click Edit to modify the information for the highlighted server group.
Delete
Click Delete to remove the highlighted server group.
Group Name
The name of the server group.
Table 35-7 Add or Edit AAA Server Group Fields
Server Type
Select the Server type, either RADIUS, or TACACS+.
Note: This field may be protected and set to a specific type, depending on the configuration that you are performing.
Field Reference
Table 35-9 describes the fields in this screen.
Table 35-9 Authentication and Authorization Fields
Add, Edit, Delete
Use these buttons to create, edit, and remove method lists.
List Name
The method list name. A method list is a sequential list describing the authentication methods to be queried in order to authenticate a user.
Method 1
The method that the router will attempt first.
Field Reference
Table 35-10 describes the fields in this screen.
Table 35-10 NAC Authentication Fields
Add, Edit, Delete
Use these buttons to create, edit, and remove method lists.
List Name
The method list name. A method list is a sequential list describing the authentication methods to be queried in order to authenticate a user.
Field Reference
Table 35-11 describes the fields in this screen.
Table 35-11 802.1x Authentication Fields
Add, Edit, Delete
Use these buttons to create, edit, and remove method lists.
List Name
The method list name. A method list is a sequential list describing the authentication methods to be queried in order to authenticate a user. If the LAN wizard has been used to create an 802.
Cisco IOS software uses the first listed method to authenticate users. If that method fails to respond, the Cisco IOS software selects the next authentication method listed in the method list. This process continues until there is successful communication with a listed authentication method, or all methods defined in the method list are exhausted.
Table 35-12 Add a Method List for Authentication or Authorization Fields
Move Up, Move Down
The router attempts the methods in the order they are listed in this window. Click Move Up to move a method up the list. Click Move Down to move a method further down the list. The method "none" will always be last in the list. No other method in the list can be moved below it. This is an IOS restriction.
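The method-list walk described above (fall through only when a method fails to respond, stop at the first method that answers, "none" always last), as an added example that is not code from the Cisco SDM guide. Server groups, the try-each-server-in-turn behaviour from Global Settings, users, passwords and list names are constructed assumptions; the `trail` returned alongside the decision is the kind of record a defender wants in logs when checking that local fallback only happens while the AAA servers are unreachable.

```python
"""Added example, not code from the Cisco SDM guide: how an IOS-style AAA
login method list is walked. Only a method that fails to respond (no server
in its group answers) causes fallback to the next method; an accept or a
reject from a method that did respond ends the search; "none" must be last.

Server behaviour, group names, users and passwords below are constructed."""
from typing import Callable, Dict, List, Tuple

PASS, FAIL, ERROR = "pass", "fail", "error"   # ERROR means "did not respond"
Method = Callable[[str, str], str]


class ServerGroup:
    """Servers are contacted in order; the first one that answers decides.
    If no server answers, the whole group is treated as not responding."""

    def __init__(self, name: str, servers: List[Method]) -> None:
        self.name, self.servers = name, servers

    def __call__(self, user: str, password: str) -> str:
        for server in self.servers:
            result = server(user, password)
            if result != ERROR:
                return result
        return ERROR


def answering_server(accounts: Dict[str, str]) -> Method:
    """Constructed server (or the router's local database) that always
    answers: PASS for a known user/password pair, FAIL otherwise."""
    def method(user: str, password: str) -> str:
        return PASS if accounts.get(user) == password else FAIL
    return method


def unreachable(user: str, password: str) -> str:
    """Constructed server that never answers (contact attempts time out)."""
    return ERROR


def none_method(user: str, password: str) -> str:
    """The IOS "none" method: no authentication, every login succeeds."""
    return PASS


class MethodList:
    def __init__(self, name: str, methods: List[Tuple[str, Method]]) -> None:
        # IOS restriction quoted in the guide: "none" may only be the last method.
        if any(m is none_method for _, m in methods[:-1]):
            raise ValueError('"none" must be the last method in the list')
        self.name, self.methods = name, methods

    def authenticate(self, user: str, password: str) -> Tuple[bool, List[str]]:
        """Return (accepted, trail). The trail records each method consulted
        as "name=result"; the first method that responds ends the walk."""
        trail: List[str] = []
        for name, method in self.methods:
            result = method(user, password)
            trail.append(f"{name}={result}")
            if result != ERROR:
                return result == PASS, trail
        return False, trail   # every method failed to respond: login denied


# Constructed configuration: TACACS+ group (both servers down), then a
# RADIUS group (one server answering), then the local database.
TACACS_GROUP = ServerGroup("tacacs-group", [unreachable, unreachable])
RADIUS_GROUP = ServerGroup("radius-group",
                           [unreachable, answering_server({"alice": "s3cret"})])
LOCAL = answering_server({"admin": "localpw"})
LOGIN_LIST = MethodList("SDM_LOGIN", [
    ("group tacacs-group", TACACS_GROUP),
    ("group radius-group", RADIUS_GROUP),
    ("local", LOCAL),
])
```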
Chapter 36 Router Provisioning
You can provision your router using a USB device attached directly to your router, or using Secure Device Provisioning (SDP). SDP must be supported by your Cisco IOS release to be available in Cisco SDM.
Secure Device Provisioning
This window allows you to use Secure Device Provisioning (SDP) to complete tasks such as enrolling your router with a CA server and configuring your router.
Chapter 36 Router Provisioning Router Provisioning from USB
Router Provisioning from USB
This window tells you if Cisco SDM has detected a USB token or USB flash device connected to your router. You can click the Router Provisioning button to choose a configuration file from the USB token or USB flash device.
Chapter 36 Router Provisioning SDP Troubleshooting Tips
Guidelines
• When SDP is launched, you must minimize the browser window displaying this help topic so that you can view the SDP web application.
• If you are planning to configure the router using SDP, you should do so immediately after configuring your WAN connection.
CH A P T E R 37 Cisco Common Classification Policy Language Cisco Common Classification Policy Language (C3PL) is a structured replacement for feature-specific configuration commands. C3PL allows you to create traffic policies based on events, conditions, and actions. Cisco Router and Security Device Manager (Cisco SDM) uses C3PL to create the policy maps and class maps that the following help topics describe. Policy Map Policy maps specify the actions to be taken when traffic matches defined criteria.
Chapter 37 Cisco Common Classification Policy Language Policy Map This help topic provides a general description for the policy map windows and some sample data. Add Click Add to display a dialog in which you can configure a policy map. Edit Click Edit to display a dialog in which you can edit the selected policy map. The Edit button is disabled if no policy maps have been configured. Delete Click Delete to remove the selected policy map.
Chapter 37 Cisco Common Classification Policy Language Policy Map Protocol Inspection, SMTP, and SUNRPC policy map detail includes Match Class Name and Action columns.The following table shows detail for a SUNRPC policy map. Match Class Name Action cmap-sunrpc1 Allow cmap-sunrpc2 None Add or Edit a QoS Policy Map Use this information as you add or edit a QoS policy map. Policy Name and Description If you are creating a new policy map, enter a name and a description for it in these fields.
Chapter 37 Cisco Common Classification Policy Language Policy Map Table 37-1 Associate a Policy Map Fields Element Description Policy Map Choose the policy map that you want to associate with the interface. Policy Map details Class Map The Class Map column displays the class maps that the policy map contains. Queuing The Queuing column displays the type of queuing used by the class map, and the percentage of bandwidth allocated to the class.
Chapter 37 Cisco Common Classification Policy Language Policy Map Add an Inspection Policy Map Inspection policy maps specify the action that the router will take for traffic that matches the criteria in the associated class maps. The router can allow the traffic to pass, can drop the traffic and optionally log the event, or can inspect the traffic. The name and description that you enter will be visible in the Inspect Policy Maps window.
Class Maps

• Add or Edit a Peer-to-Peer Class Map
• Add or Edit an Instant Messaging Class Map

Configure Deep Packet Inspection

Layer 7 (application) inspection augments Layer 4 inspection with the capability to recognize and apply service-specific actions, such as selectively blocking or allowing file search, file transfer, and text chat capabilities. Service-specific capabilities vary by service.

• Class map: a subordinate class map providing additional match criteria can be nested inside another class map.

Class maps apply either a "match any" or a "match all" operator to their match criteria. With "match any", traffic belongs to the class if it meets at least one of the criteria. With "match all", traffic must meet every criterion in the class map to belong to the class. A nested class map counts as a single criterion of the class map that contains it, so a match-any map nested inside a match-all map gives "this AND (that OR the other)".
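As an added illustration (not text or output from this guide), the following Cisco IOS configuration shows what these objects look like in the Cisco Common Classification Policy Language that Cisco SDM generates: a match-any class map nested inside a match-all class map, and an inspection policy map that inspects, passes, and drops-and-logs traffic, applied to a zone pair. The class map, policy map, zone and interface names, and access list 101 are assumed for the example.

```cisco
! Access list 101 (assumed): the internal LAN that may initiate sessions to the WAN
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
!
! match-any: a packet belongs to this class if it matches ANY one line
class-map type inspect match-any cmap-web-protocols
 match protocol http
 match protocol https
 match protocol dns
!
! match-all: a packet must match the access list AND the nested class map
class-map type inspect match-all cmap-lan-web
 match access-group 101
 match class-map cmap-web-protocols
!
class-map type inspect match-any cmap-icmp-out
 match protocol icmp
!
! inspect  = stateful inspection; matching return traffic is admitted automatically
! pass     = forward without a session; the reverse direction needs its own rule
! drop log = discard and log (class-default is where unmatched traffic lands)
policy-map type inspect pmap-lan-to-wan
 class type inspect cmap-lan-web
  inspect
 class type inspect cmap-icmp-out
  pass
 class class-default
  drop log
!
! Zones and the zone pair that the policy protects; interfaces join a zone
zone security LAN
zone security WAN
zone-pair security LAN-to-WAN source LAN destination WAN
 service-policy type inspect pmap-lan-to-wan
!
interface FastEthernet0/0
 zone-member security LAN
interface FastEthernet0/1
 zone-member security WAN
```

Check the result with show zone-pair security and show policy-map type inspect zone-pair LAN-to-WAN, which lists per-class packet counters and the active sessions. Because no zone pair exists in the WAN-to-LAN direction, anything initiated from the WAN is dropped; only sessions created by the inspect action have their return traffic admitted, which is why pass is the wrong action for anything that needs a reply.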
URL Filtering Parameter Map: URL filtering parameter maps can specify URL filtering servers and local URL lists. You can select an existing parameter map. If no parameter map is configured, this field is disabled. Click View to display the selected parameter map without leaving this dialog.

Enable Application Inspection: An application inspection policy specifies the types of data to inspect in packets of a specified application.

Add or Edit a QoS Class Map

Use this information to help add or edit a QoS class map. If you are adding a new QoS class map, click the button on the right of the field and choose either Add a Classmap or Select a Classmap from the context menu. See the information in Action to learn about the Drop, Set DSCP, and Queuing options.

Add: Click Add to create a new class map of the type you have selected and enter the configuration in the displayed dialog.
Edit: Click Edit to change the configuration of the selected class map.
Delete: Click Delete to remove the selected class map. Cisco SDM may display dialogs if there are dependencies associated with this configuration, such as subordinate class maps or parameter maps that could be used by other class maps.

Instant Messaging Service Groups and Peer-to-Peer Application Service Groups

Instant messaging service groups and peer-to-peer (P2P) application service groups have an additional column because their class maps are configured for a specific application, such as the Yahoo! Messenger instant messaging application or the gnutella P2P application.

• Add or Edit a SUNRPC Class Map
• Add or Edit an IMAP Class Map
• Add or Edit a POP3 Class Map

Add or Edit an Inspect Class Map

Creating an inspect class map enables you to make a wide variety of traffic available for inspection. Enter a name to identify this class map in the Class Name field. You can also enter a description. If you are editing a class map, you cannot change the name.
Add an HTTP Inspection Class Map

HTTP inspection class maps allow you to make a wide variety of HTTP request, response, and request/response data available for inspection. To create an HTTP inspection class map, follow these steps:

Step 1 Enter a class name to identify the class map. You can also enter a description that will be displayed in the HTTP Class Maps window.

Regular Expressions: Check this box to specify regular expressions to be matched against. Choose an existing regular expression class map, or create a new one that will match the strings that you are inspecting for. See Add or Edit Regular Expression for more information about creating regular expressions. To examine an existing map without leaving this dialog, choose the map in the Select an existing map list, and click View.

Match Field: Check this box to match the class map to the field type that you chose.

Other Fields in This Dialog: Depending on which HTTP header field you choose, additional fields may be displayed in this dialog, enabling you to specify additional criteria.

Length Greater Than: Check this box to specify the number of bytes that the total length of request header arguments should not exceed.

Regular Expressions: Check this box to match the field against a regular expression. Choose an existing regular expression class map, or create a new one (see Add or Edit Regular Expression). To examine an existing map without leaving this dialog, choose it in the Select an existing map list, and click View.

Response Header Fields: Choose the type of header field from the list, and specify the inspection criteria for it.

Length Greater Than: Check this box to specify a field length that a packet should not exceed, and enter the number of bytes.

Match Field: Check this box to match the class map to the field type that you chose.

HTTP Response Body: Specify the HTTP response body criteria to inspect for.

Java Applets in HTTP Response: Check this box to inspect for Java applets in the HTTP response.

Length: Check this box and choose Greater than (>) to specify an upper limit to the response body length. Choose Less than (<) to specify a lower limit.

Logging is not set in the class map; it is specified in the policy map with which the HTTP class map is associated. See Add or Edit Regular Expression for more information on how to create regular expressions. To examine an existing map without leaving this dialog, choose it in the Select an existing map list, and click View.

Request/Response Header Criteria: Enter class map criteria for HTTP request/response headers.

Count Greater Than: Check this box to specify a limit to the total number of fields of this type that a packet should not exceed, and enter the number of fields.

Regular Expressions: Check this box to match the field against a regular expression. Choose an existing regular expression class map, or create a new one (see Add or Edit Regular Expression). To examine an existing map without leaving this dialog, choose it in the Select an existing map list, and click View.

Add or Edit a SUNRPC Class Map

SUN Remote Procedure Call (SUNRPC) class maps allow you to specify the number of the program whose traffic you want the router to inspect. Enter a name to identify this class map in the Class Name field. You can also enter a description. If you are editing a class map, you cannot change the name. Click Add in the Match Program Number box to add a program number.

Match Criteria and Value: Click Add to enter match criteria that specify the type of connections to be identified by the traffic class. You can specify that file transfer connections be identified by the traffic class for fasttrack, gnutella, and kazaa2.
Parameter Maps

Parameter maps specify inspection behavior for the zone-based policy firewall, for parameters such as denial-of-service protection, session and connection timers, and logging settings. Parameter maps are also applied with Layer 7 class maps and policy maps to define application-specific behavior, such as HTTP objects, POP3 and IMAP authentication requirements, and other application-specific information.

Parameter Map Name: Enter a name that conveys the use of this parameter map. For example, if you are creating a server list for Yahoo! Instant Messenger text chat servers, you can enter the name ymsgr-pmap.

Server Details: This area of the screen is a list of server names, server IP addresses, or IP address ranges.

Pattern List: A regular expression can contain multiple patterns. Click Add to display a dialog in which you can enter a new regular expression pattern. Each pattern that you create is automatically added to the list. If you need to copy a pattern from another regular expression, click Copy Pattern, click the plus (+) sign next to the regular expression name, click the pattern that you want, and then click OK.

Build Regular Expression

The Build Regular Expression dialog box lets you construct a regular expression from characters and metacharacters. Fields that insert metacharacters include the metacharacter in parentheses in the field name.

Build Snippet: This area lets you build text snippets of regular text or lets you insert a metacharacter into the Regular Expression field.

• Character set, for example [a-z], [aeiou], or [\n\f\r\t] (which matches a newline, form feed, carriage return, or tab). If you specify [0-9A-Za-z], the snippet matches any letter from A to Z (uppercase or lowercase) or any digit 0 through 9.
• Special character: Inserts a character that requires an escape, including \, ?, *, +, |, ., [, (, or ^. The escape character is the backslash (\), which is automatically entered when you choose this option.
– Zero or one times (?): A quantifier that indicates that there are 0 or 1 of the previous expression. For example, lo?se matches lse or lose.
– One or more times (+): A quantifier that indicates that there is at least 1 of the previous expression. For example, lo+se matches lose and loose, but not lse.

Character   Description                                                                                   Notes
?           Question mark. A quantifier that indicates that there are 0 or 1 of the previous expression.  At the CLI you must enter Ctrl+V and then the question mark, or else the help function is invoked.
            For example, lo?se matches lse or lose.
*           Asterisk. A quantifier that indicates that there are 0, 1, or any number of the previous
            expression. For example, lo*se matches lse, lose, loose, and so on.
char        Character. When the character is not a metacharacter, matches the literal character.
\r          Carriage return. Matches a carriage return, 0x0d.
\n          Newline. Matches a newline, 0x0a.
\t          Tab. Matches a tab, 0x09.
\f          Formfeed. Matches a form feed, 0x0c.
\xNN        Escaped hexadecimal number. Matches an ASCII character given by its hexadecimal code (exactly two digits).
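The following is an added example, not taken from this guide, that ties together the HTTP inspection class map fields described under Add an HTTP Inspection Class Map (header regular expression, header count, Java applets and response body length) and the regular expression parameter map described under Pattern List, as the IOS configuration Cisco SDM generates for them. The patterns, names, and thresholds are assumed for the example.

```cisco
! Regular expression parameter map (the "Pattern List" above). The two patterns
! (assumed) match the User-Agent strings of common command-line HTTP clients.
parameter-map type regex pmap-cli-agents
 pattern [Ww]get
 pattern [Cc]url
!
! HTTP (Layer 7) inspection class map. match-any: any one line puts the
! transaction in the class. Each line is one of the dialog fields above.
class-map type inspect http match-any cmap-http-suspicious
 match request header user-agent regex pmap-cli-agents
 match request header count gt 16
 match response body java-applet
 match response body length gt 50000
!
! Layer 7 policy map: reset the TCP connection and log the event.
! (Logging lives here, not in the class map.)
policy-map type inspect http pmap-http-l7
 class type inspect http cmap-http-suspicious
  reset
  log
!
! The Layer 7 policy is attached under the HTTP class of the Layer 4
! inspection policy; "inspect" must be present for the nested policy to run.
class-map type inspect match-all cmap-http
 match protocol http
!
policy-map type inspect pmap-lan-to-wan
 class type inspect cmap-http
  inspect
  service-policy http pmap-http-l7
 class class-default
  drop log
```

When a pattern itself contains a question mark, type Ctrl+V before it at the CLI, as the table above notes; Cisco SDM sends the escaped form for you. Note that these regular expressions are matched per header field, not across the whole stream, so a pattern that spans header boundaries never matches.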
Chapter 38 URL Filtering

URL filtering allows you to control access to Internet websites by permitting or denying access to specific websites based on information contained in a URL list. You can maintain a local URL list on the router, and you can use URL lists stored on Websense or Secure Computing URL filter list servers. URL filtering is enabled by configuring an Application Security policy that enables it.
URL Filtering Window

This window displays the global settings for URL filtering on the router. You can maintain the local URL list and the URL filter server list in the Additional Tasks screens or in the Application Security windows. The global settings for URL filtering can only be maintained from this Additional Tasks window. Use the Edit Global Settings button to change these values.

Audit Trail: Check this box to enable the router to maintain an audit trail in the log. The router records URL request status messages that indicate whether an HTTP request has been permitted or denied, and other audit trail messages. This option is disabled by default.

URL Filter Server Log: Check this box to enable the router to record system messages that pertain to the URL filter server in the log. This option is disabled by default.

URL Filter Name: Enter a name that conveys how this URL filter is configured or used. For example, if you specify a source interface of Fast Ethernet 1, you might enter the name fa1-parmap. If the filter uses a Websense URL filter server at IP address 192.128.54.23, you might enter websense23-parmap as the name.

Maximum Buffered HTTP Requests: You can set the maximum number of outstanding HTTP requests that the router can buffer. By default, the router buffers up to 1000 requests. You can specify from 1 to 2147483647 requests.

Maximum Buffered HTTP Responses: You can set the number of HTTP responses from the URL filtering server that the router can buffer. After this number is reached, the router drops additional responses. The default value is 200.

Note: If an entry is deleted from the local list and the router is configured to use URL filtering servers, entries that match the ones you are deleting from the local list may still exist on those servers. Use the Delete All button to delete all entries on the router. If no local list is configured on the router, the router must rely on the configured URL filter servers.

Import URL List: This dialog allows you to examine the URL list you are importing from your PC to the router and specify what you want to do with each entry. If a URL entry in this dialog is not already present on the router, you can add it to the list on the router by clicking Append. If a URL entry is already present on the router but you want to replace it with the entry in this dialog, click Replace. All boxes in the Import column are checked by default.

will receive an error message if you attempt to add a Secure Computing server to the list. If the URL filter server list currently contains one type of server and you want to change to the other type, you must delete all the server entries in the list before adding an entry of the new type. This window displays the configuration for each URL filter server in the list. See Add or Edit a URL Filter Server for a description of each configuration value.

Retransmission Timeout: Optional field. Enter the number of seconds that the router should wait for a response from the server before retransmitting the request. The default value is 5 seconds.

URL Filtering Precedence: URL filtering must be enabled by going to Configure > Firewall and ACL > Application Security > URL Filtering and clicking Enable URL filtering. This can only be done when an Application Security policy is configured on the router.
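An added example (not from this guide) of the URL filter parameter map that Cisco SDM builds from the settings on this window, applied to HTTP traffic in an inspection policy. The interface, server address, domain names and policy names are assumed; the subcommand names are those of the IOS 12.4T zone-based firewall URL filtering feature and should be confirmed with context-sensitive help on your image.

```cisco
! URL filter parameter map, named after its source interface as the window suggests
parameter-map type urlfilter fa1-parmap
 source-interface FastEthernet1
 ! Websense server (address from the example above); 5 s is the default
 ! retransmission timeout shown on the window
 server vendor websense 192.128.54.23 timeout 5
 ! Buffers: outstanding requests and queued server responses (the defaults)
 max-request 1000
 max-resp-pak 200
 ! Local list, consulted before the server (domain names assumed)
 exclusive-domain permit cisco.com
 exclusive-domain deny .badexample.test
 ! Global settings: both are off by default
 audit-trail on
 urlf-server-log on
 ! Fail-closed: if the server is unreachable, block instead of allowing.
 ! "allow-mode on" would let all HTTP through while the server is down.
 allow-mode off
!
class-map type inspect match-all cmap-http
 match protocol http
!
policy-map type inspect pmap-lan-to-wan
 class type inspect cmap-http
  inspect
  urlfilter fa1-parmap
 class class-default
  drop log
```

Two points worth checking on a live router: the local list matches on the domain part of the URL only, so a deny entry does not stop the same content served from another host name; and the allow-mode setting decides what happens under server failure, which is the fail-open case the note about server-side entries above does not cover.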
Chapter 39 Configuration Management

Cisco SDM allows you to edit the router configuration file and to reset the router configuration to factory defaults. Because editing the configuration file directly and resetting the router to factory defaults can cause you to lose the connection between the PC and the router, be sure to read the online help for all screens in this area of Cisco SDM.

Config Editor

through, and is able to make them for you. However, if you use the Config Editor, you must determine which conflicts may result by examining the existing configuration, make any additional changes needed to resolve those conflicts, and then monitor router behavior to confirm that it handles traffic as you intend. Although it is not required, it is strongly recommended that you allow Cisco SDM to back up the current running configuration.

Replacing the Running Config: If you want to replace the running config with the contents of the Edit Configuration box, click Replace Running Config. Do not use this button unless you have populated the Edit Configuration box with a configuration that you imported from the router and edited, or a configuration that you imported from your PC.

Reset to Factory Defaults

restricting it to the LAN interface, and only from the internal subnet defined on that interface. After you access the router, you can change the router default IP address and set it to allow remote access.

Understanding How to Give the PC a Dynamic or Static IP Address After You Reset: If you want to use Cisco SDM after you reset, you have to give your PC a static or dynamic IP address, depending on the type of router that you have.

IP address, click Specify an IP address. Enter the IP address 10.10.10.2 or any other address in the 10.10.10.0 subnet greater than 10.10.10.1. Enter the subnet mask 255.255.255.248. (With this mask the usable host addresses are 10.10.10.2 through 10.10.10.6; 10.10.10.7 is the broadcast address.) Click OK.

Microsoft Windows 2000: From the Control Panel, select Network and Dialup Connections/Local Area Connections. Select the Ethernet adapter in the Connect Using field. Select Internet Protocol, and click Properties.

Resetting the router to its factory default configuration changes the router's inside interface IP address back to 10.10.10.1. The next time you log on to the router with your browser, enter the IP address 10.10.10.1 in the browser's location field.

This Feature Not Supported: This window appears when a Cisco SDM feature is not supported.
Chapter 40 More About....

These topics provide more information about subjects that Cisco SDM online help discusses.

IP Addresses and Subnet Masks

This topic provides background information about IP addresses and subnet masks, and shows you how to use this information when entering addresses and masks in Cisco SDM. IP version 4 addresses are 32 bits, or 4 bytes, in length.

The subnet mask specifies how many of the 32 bits are used for the network number and, if subnetting is used, the subnet number. It is a binary mask with a 1 bit in every position used by the network and subnet numbers. Like the IP address, it is a 32-bit value, expressed in dotted-decimal format. The following figure shows a subnet mask entered in Cisco SDM. Cisco SDM shows the subnet mask and the equivalent number of bits in the mask.

When a network address is displayed in Cisco SDM windows, the IP address and subnet mask may be shown in network address/subnet bits format, as in the following example:

172.28.33.0/24

The network address in this example is 172.28.33.0. The number 24 indicates the number of network and subnet bits used. You can think of it as shorthand for the corresponding subnet mask of 255.255.255.0.

IP Address/Wildcard Mask: Enter a network address, and then the wildcard mask to specify how much of the network address must match exactly. A wildcard mask is the bitwise inverse of a subnet mask: a 0 bit must match, a 1 bit is ignored, so 0.0.0.255 corresponds to the mask 255.255.255.0. For example, if you enter a network address of 10.25.29.0 and a wildcard mask of 0.0.0.255, any Java applet with a source address beginning 10.25.29 would be filtered. If the wildcard mask were 0.0.255.255, any Java applet with a source address beginning 10.25 would be filtered.
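As an added example (not from this guide), here are the wildcard masks above as they appear in the standard access list that Cisco SDM generates for the Java applet filter list, together with the inspection rule that uses it. The list number and inspection rule name are assumed.

```cisco
! Standard access list used as the Java applet "friendly site" list.
! Wildcard bits set to 1 are ignored, so 0.0.0.255 covers 10.25.29.0/24
! (subnet mask 255.255.255.0) and 0.0.255.255 covers 10.25.0.0/16.
access-list 51 permit 10.25.29.0 0.0.0.255
access-list 51 permit 10.25.0.0 0.0.255.255
! Standard access lists end with an implicit "deny any"; stating it makes
! the intent survive later edits to the list.
access-list 51 deny any
!
! In a java-list, permit means applets from those sources are allowed through
! and every other source is blocked; this is the opposite of the NAT meaning
! of permit/deny described below.
ip inspect name APPSEC http java-list 51
```

Because the wildcard mask is applied bit by bit, 0.0.0.255 against 10.25.29.0 and 0.0.0.255 against 10.25.29.77 describe the same set of addresses; Cisco SDM and show access-lists both display the normalized form.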
An ATM interface without any encapsulation
• An ADSL interface
• A G.

Reserved Addresses

You must not use the following addresses in the range of addresses that you specify:
• The network/subnetwork IP address.
• The broadcast address on the network.

Meanings of the Permit and Deny Keywords

Rule entries can be used in access rules, NAT rules, IPSec rules, and in access rules associated with route maps. Permit and Deny have different meanings depending on which type of rule uses them: in an access rule they allow or block traffic, but in a NAT or IPSec rule they only select which traffic the rule applies to.
Services and Ports

• IP Services
• Services That Can Be Specified in Inspection Rules

TCP Services

TCP Service   Port   Description
bgp           179    Border Gateway Protocol. BGP exchanges reachability information with other systems that use the BGP protocol.
chargen       19     Character generator.
cmd           514    Remote commands. Similar to exec, except that cmd has automatic authentication.
daytime       13     Daytime.
discard       9      Discard.
domain        53     Domain Name Service.
lpd           515    Line Printer Daemon. A protocol used to send print jobs between UNIX systems.
nntp          119    Network News Transport Protocol.
pim-auto-rp   496    Protocol-Independent Multicast Auto-RP. PIM is a multicast routing architecture that allows the addition of multicast IP routing on existing IP networks.
pop2          109    Post Office Protocol v2. Protocol that client e-mail applications use to retrieve mail from mail servers.

UDP Services

UDP Service   Port   Description
netbios-ns    137    NetBIOS name service.
netbios-ss    139    NetBIOS session service.
ntp           123    Network Time Protocol. UDP protocol that keeps local clocks synchronized with reference clocks (radio and atomic clocks) reachable on the Internet.
pim-auto-rp   496    Protocol-Independent Multicast Auto-RP.
rip           520    Routing Information Protocol. A protocol used to exchange route information between routers.

ICMP Message Types

ICMP Message          Type   Description
alternate-address     6      Alternate host address.
conversion-error      31     Sent to report a datagram conversion error.
echo                  8      Type of message sent when the ping command is issued.
echo-reply            0      Response to an echo-request (ping) message.
information-reply     16     Obsolete. Response to a message sent by a host to discover the number of the network it is on. Replaced by DHCP.
information-request   15     Obsolete.
timestamp-request     13     Request for a timestamp to be used for synchronization between two devices.
traceroute            30     Message sent in reply to a host that has issued a traceroute request.
unreachable           3      Destination unreachable. The packet cannot be delivered for reasons other than congestion.

IP Services

IP Service   Protocol Number   Description
ahp          51                Authentication Header Protocol.
eigrp        88                Enhanced Interior Gateway Routing Protocol.
tcp          6                 Transmission Control Protocol. Connection-oriented transport layer protocol that provides reliable full-duplex data transmission.
udp          17                User Datagram Protocol. Connectionless transport layer protocol in the TCP/IP protocol stack.

Services That Can Be Specified in Inspection Rules

Protocol   Description
cuseeme    Videoconferencing protocol.
fragment   Specifies that the rule perform fragment inspection.
tcp        See tcp.
tftp       See tftp.
udp        See udp.
vdolive    VDOLive protocol. A streaming video protocol.

More About NAT

This section provides scenario information that may help you in completing the NAT Translation Rule windows, and other information that explains why NAT rules created using the CLI may not be editable in Cisco SDM.
Scenario 2: You need to map each IP address in a network to a unique public IP address, and you do not want to create a separate rule for each mapping. The source network number is 10.12.12.0, and the target network is 172.17.4.0. However, in this scenario, it is not necessary to know the source or target network numbers. It is sufficient to enter host addresses and a network mask.

Result: The source address 10.12.12.3 is translated to the address 172.17.4.8 in packets leaving the router. The port number in the Redirect port field is changed from 137 to 139. Return traffic carrying the destination address 172.17.4.8 is routed to port number 137 of the host with the IP address 10.12.12.3. You need to create a separate entry for each host/port mapping that you want to create.

Dynamic Address Translation Scenarios

The following scenarios show you how you can use dynamic address translation rules. These scenarios apply whether you select from inside-to-outside or from outside-to-inside.

Scenario 1: You want source ("Translate from") addresses to use the IP address that is assigned to the router's Fast Ethernet 0/1 interface, 172.17.4.8.

Scenario 2: You want the host addresses specified in access-list 7 in the previous scenario to use addresses from a pool you define. If the addresses in the pool become depleted, you want the router to use PAT to satisfy additional requests for addresses from the pool. The following table shows how the fields in the Address Pool window would be used for this scenario.

Pool Name   Port Address Translation   IP Address fields   Network Mask
Pool 1      Checked                    172.16.131.
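The scenarios above, as an added example of the IOS commands they produce (this is not output from Cisco SDM or from this guide). Interface addresses, the transport protocol for the port mapping, the excluded management host, and the pool range are assumed.

```cisco
! Inside and outside interfaces (addresses assumed except 172.17.4.8 from the text)
interface FastEthernet0/0
 ip address 10.12.12.1 255.255.255.0
 ip nat inside
interface FastEthernet0/1
 ip address 172.17.4.8 255.255.255.0
 ip nat outside
!
! Static host/port mapping (the Result above): inside 10.12.12.3 port 137 is
! reachable from outside as 172.17.4.8 port 139, and replies to 172.17.4.8:139
! are delivered to 10.12.12.3:137. TCP is assumed; the window does not show it.
ip nat inside source static tcp 10.12.12.3 137 172.17.4.8 139
!
! Dynamic scenario 1: hosts in 10.12.12.0/24 are translated to the
! FastEthernet0/1 address with port address translation ("overload").
! In a NAT access list, deny means "do not translate"; it does not block.
access-list 7 deny   host 10.12.12.9
access-list 7 permit 10.12.12.0 0.0.0.255
ip nat inside source list 7 interface FastEthernet0/1 overload
!
! Dynamic scenario 2, an alternative to scenario 1 (IOS accepts only one
! dynamic rule per access list): translate to addresses from a pool, with
! overload so ports are multiplexed once a pool address is in use.
! Pool range assumed; remove the scenario 1 rule before adding this one.
!   ip nat pool Pool1 172.16.131.10 172.16.131.20 netmask 255.255.255.0
!   ip nat inside source list 7 pool Pool1 overload
```

Verify with show ip nat translations (the static entry appears immediately; dynamic entries appear only after an inside host sends traffic) and show ip nat statistics, which reports pool exhaustion as misses. A static port mapping exposes the inside service to every outside source, so pair it with an access rule on the outside interface that limits who may reach 172.17.4.8 port 139.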
More About VPN

• Security and VPN Devices
• IPSecurity Troubleshooting–Understanding and Using Debug Commands
• Field Notices

More About VPN Connections and IPSec Policies

A VPN connection is an association between a router interface and an IPSec policy. The building block of an IPSec policy is the crypto map.

[Figure: interface ATM3/1.1 associated with Policy 5, which contains Crypto Map 1, Crypto Map 2, and Crypto Map 3, with peers Seattle, Chicago, Topeka, and Lawrence.]

A router interface can be associated with only one IPSec policy. However, an IPSec policy can be associated with multiple router interfaces, and a crypto map can specify more than one peer for a connection. The following diagram shows two router interfaces associated with a policy, and a crypto map specifying two peers.

More About IKE

IKE handles the following tasks:
• Authentication
• Session Negotiation
• Key Exchange
• IPSec Tunnel Negotiation and Configuration

Authentication: Authentication is arguably the most important task that IKE accomplishes, and it certainly is the most complicated. Whenever you negotiate something, it is of utmost importance that you know with whom you are negotiating.

– Encryption Algorithm: DES, 3DES, or AES
– Packet Signature (hash) Algorithm: MD5 or SHA-1

Key Exchange: IKE uses the negotiated key-exchange method (see "Session Negotiation" above) to create enough bits of cryptographic keying material to secure future transactions. This method ensures that each IKE session is protected with a new, secure set of keys. Authentication, session negotiation, and key exchange constitute phase 1 of an IKE negotiation.

Allowable Transform Combinations: To define a transform set, you specify one to three transforms. Each transform represents an IPSec security protocol (AH or ESP) plus the algorithm that you want to use. When the transform set is used during negotiation of IPSec security associations, the entire transform set (the combination of protocols, algorithms, and other settings) must match a transform set at the remote peer.

Transform       Description
esp-md5-hmac    ESP with the MD5 (HMAC variant) authentication algorithm.
esp-aes-128     ESP with Advanced Encryption Standard (AES). Encryption with a 128-bit key.
esp-aes-192     ESP with AES. Encryption with a 192-bit key.
esp-aes-256     ESP with AES. Encryption with a 256-bit key.
esp-sha-hmac    ESP with the SHA (HMAC variant) authentication algorithm.
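An added example (not from this guide) of the phase 1 policy, transform set, and crypto map described above, as Cisco IOS configuration. Peer addresses, the pre-shared key, the traffic selector, and all names are assumed.

```cisco
! IKE phase 1 (ISAKMP) policy: encryption, hash, authentication method and
! Diffie-Hellman group are proposed together; policies are tried in ascending
! priority order and both peers must agree on one of them.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
!
! Pre-shared keys, one per peer (key and addresses assumed; use a long random key)
crypto isakmp key Kx9-assumed-example-key-change-me address 192.0.2.10
crypto isakmp key Kx9-assumed-example-key-change-me address 192.0.2.11
!
! IPsec transform set (phase 2): ESP with AES-256 encryption plus SHA-1 HMAC.
! The whole set must match one configured on the peer. DES and MD5 appear in
! the lists above but should not be chosen for new tunnels.
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Traffic selector (assumed): local LAN to the LAN behind the peer
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.50.0 0.0.0.255
!
! One crypto map entry with two peers: the router tries 192.0.2.10 first and
! falls back to 192.0.2.11 if phase 1 does not complete with it.
crypto map CMAP-WAN 1 ipsec-isakmp
 set peer 192.0.2.10
 set peer 192.0.2.11
 set transform-set TS-AES256-SHA
 match address 100
!
! An interface carries at most one crypto map (one IPSec policy), but the same
! map may be applied to several interfaces.
interface FastEthernet0/1
 crypto map CMAP-WAN
```

show crypto isakmp sa should list the peer in state QM_IDLE once phase 1 completes, and show crypto ipsec sa shows the negotiated transform and the encrypt/decrypt counters for each selector. A phase 2 failure with a healthy phase 1 almost always means the transform set or the mirror-image access list on the peer does not match this one.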
Reasons Why a Serial Interface or Subinterface Configuration May Be Read-Only

• The interface is configured with the encapsulation frame-relay command with an IP address on the main interface.
• The interface encapsulation is not "hdlc," "ppp," or "frame-relay."
• The encapsulation frame-relay ... command contains the mfr ... option.
• The interface is configured with the encapsulation ppp command, but the PPP configuration contains unsupported commands.

Reasons Why an ATM Interface or Subinterface Configuration May Be Read-Only

• The "dial-on-demand" option is configured on the pppoe-client command.
• More than one PVC is configured on the interface.
• The encapsulation on the associated dialer is blank or is not "ppp."
• No IP address is configured on the associated dialer.
• VPDN is required (which is determined dynamically from the Cisco IOS image) but is not configured for this connection.

Reasons Why an ISDN BRI Interface Configuration May Be Read-Only

A previously configured ISDN BRI interface will be read-only and will not be configurable in the following cases:
• An IP address is assigned to the ISDN BRI interface.
• Encapsulation other than ppp is configured on the ISDN BRI interface.
• The dialer-group or dialer string command is configured on the ISDN BRI interface.

– The Cisco SDM-supported interfaces are configured with unsupported configurations
– The primary interfaces are not supported by Cisco SDM

Reasons Why an Analog Modem Interface Configuration May Be Read-Only

A previously configured analog modem interface will be read-only and will not be configurable in the following cases:
• An IP address is assigned to the asynchronous interface.
DMVPN Configuration Recommendations

Recommendations for Configuring Routing Protocols for DMVPN: The following are guidelines that you should note when configuring routing protocols for DMVPN. You can choose to ignore these guidelines, but Cisco SDM has not been tested in scenarios outside the guidelines and may not be able to let you edit configurations within Cisco SDM after you enter them.

Cisco SDM White Papers

A number of white papers are available that describe how Cisco SDM can be used. These white papers are available at the following link:
http://www.cisco.com/univercd/cc/td/doc/product/software/sdm/appnote/index.htm
Chapter 41 Getting Started

Cisco Router and Security Device Manager (Cisco SDM) is an easy-to-use, browser-based software tool designed for configuring LAN, WAN, and security features on a router. Cisco SDM is designed for resellers and network administrators of small- to medium-sized businesses who are proficient in LAN fundamentals and basic network design.

What's New in this Release?

This release supports the following new features:
• The following hardware is now supported:
  – The Cisco 815 router.
  – The following cable modem network adapters:
    • HWIC-1CABLE-D
    • HWIC-1CABLE-E/J
  – The following Wide Area Application Services (WAAS) modules.
– Identical Addressing Support

For more information on per-user AAA policy download with PKI, refer to http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455b6a.html

For more information on password aging, split DNS, and cTCP, refer to http://www.cisco.com/en/US/products/ps6441/prod_bulletin09186a00804a84ad.html

For more information about Identical Addressing Support, refer to http://www.cisco.

– Application ACL
– Transcend Client

To find out more about this release, go to http://www.cisco.com/go/sdm. In the Support section, click the General Information link, and then click Release Notes.

Cisco IOS Versions Supported

To determine which Cisco IOS versions Cisco SDM supports, go to http://www.cisco.com/go/sdm. In the Support section, click the General Information link, and then click Release Notes.
CHAPTER 42 Viewing Router Information
The Cisco Router and Security Device Manager (Cisco SDM) Monitor mode lets you view a current snapshot of information about your router, the router interfaces, the firewall, and any active VPN connections. You can also view any messages in the router event log.
Note The Monitor window is not dynamically updated with the latest information. To view any information that has changed since you brought up this window, you must click Update.
If you want to:  Do this:
View information about router interfaces.  From the toolbar, click Monitor, and then in the left frame, click Interface Status. From the Select Interface field, select the interface for which you want to view information, then in the Available Items group, select the information you want to view. Then click Show Details.
View graphs of CPU or memory usage.  From the toolbar, click Monitor.
Update Button Retrieves current information from the router, updating the statistics displayed on this screen.
Resource Status Shows basic information about your router hardware and contains the following fields:
CPU Usage Shows the percentage of CPU usage.
Memory Usage Shows the percentage of RAM usage.
Flash Usage Shows the available flash memory relative to the amount of flash installed on the router.
IP The IP address of the interface.
Status The status of the interface, either Up or Down.
Bandwidth Usage The percentage of interface bandwidth being used.
Description Available description for the interface. Cisco SDM may add descriptions such as $FW_OUTSIDE$ or $ETH_LAN$.
Number of Open IKE SAs Shows the number of IKE security association (SA) connections currently configured and running.
Number of Open IPSec Tunnels Shows the number of IPSec Virtual Private Network (VPN) connections currently configured and running.
No. of DMVPN Clients If the router is configured as a DMVPN hub, the number of DMVPN clients.
No.
High Severity The number of log entries stored that have a severity level of 2 or lower. These messages require immediate attention. Note that this list will be empty if you have no high severity messages.
Warning The number of log entries stored that have a severity level of 3 or 4. These messages may indicate a problem with your network, but they are not likely to require immediate attention.
Interface List Select the interface for which you want to display statistics from this list. The list contains the name, IP address and subnet mask, the slot and port it is located in, and any Cisco SDM or user description entered.
Select Chart Types to Monitor Group These check boxes are the data items for which Cisco SDM can show statistics on the selected interface.
• Bytes flow—The number of bytes in the flow for the chosen interface. This data item appears only if configured under Configure > Interfaces and Connections > Edit > Application Service for the chosen interface.
• Total flow—The total number of flows, from sources and destinations, for the chosen interface.
Note The last three options will retrieve a maximum of 60 data points. After 60 data points have been retrieved, Cisco SDM will continue to poll data, replacing the oldest data points with the newest ones.
Show Table/Hide Table Click this button to show or hide the performance charts.
Reset button Click this button to reset the interface statistic counts to zero.
• Destination IP Address—The IP address of the packet’s destination host.
• Protocol—The network protocol being examined.
• Match Count—The number of packets matching the firewall conditions.
Update button Click this button to refresh the firewall sessions in the table and display the most current data from the router.
• 60 minutes of data polled every 1 minute—Data is reported every 1 minute. Each tick mark on the horizontal axis of the Dropped Packets and Allowed Packets graph represents 1 minute.
• 12 hours of data polled every 12 minutes—Data is reported every 12 minutes. Each tick mark on the horizontal axis of the Dropped Packets and Allowed Packets graph represents 12 minutes.
VPN Status
This window displays a tree of VPN connections that are possible on the router. You can choose one of the following VPN categories from the VPN connections tree:
• IPSec Tunnels
• DMVPN Tunnels
• Easy VPN Server
• IKE SAs
• SSL VPN Components
To view statistics on an active VPN category, choose it from the VPN connections tree.
IPSec Tunnels This group displays statistics about each IPSec VPN that is configured on the router.
• Encapsulation Packets column The number of packets encapsulated over the IPSec VPN connection.
• Decapsulation Packets column The number of packets decapsulated over the IPSec VPN connection.
• Send Error Packets column The number of errors that have occurred while sending packets.
• Receive Error Packets column The number of errors that have occurred while receiving packets.
Step 3 Choose the time interval for the real-time graphs using the View Interval drop-down list.
DMVPN Tunnels This group displays the following statistics about Dynamic Multipoint VPN (DMVPN) tunnels. Each row reflects one VPN tunnel.
• Remote Subnet column The network address of the subnet to which the tunnel connects.
• Remote Tunnel IP column The IP address of the remote tunnel.
Reset Button Click to reset the statistics counters for the tunnel list. The number of packets encapsulated and decapsulated, the number of send and receive errors, and the number of packets encrypted and decrypted are set to zero.
Monitoring a DMVPN Tunnel To monitor a DMVPN tunnel, follow these steps:
Step 1 Choose the tunnel you want to monitor in the DMVPN Tunnel table.
• Domain Name
• ACL
• Backup Servers
• Firewall-R-U-There
• Include local LAN
• Group lock
• Save password
• Maximum connections allowed for this group
• Maximum logins per user
Client Connections in this Group This area shows the following information about the selected group.
IKE SAs This group displays the following statistics about each active IKE security association configured on the router:
• Source IP column The IP address of the peer originating the IKE SA.
• Destination IP column The IP address of the remote IKE peer.
• State column Describes the current state of IKE negotiations.
• Clear button—Select a row in the table and click Clear to clear the IKE SA connection.
SSL VPN Components Clicking the VPN Status button in the monitoring window causes the router to begin monitoring SSL VPN activity. This window displays the data gathered for all SSL VPN contexts configured on the router. By default, this data is refreshed every 10 seconds.
Note If a feature such as port forwarding or full tunnel has not been configured on the router, no data will be shown in the tab for that feature. Some statistics are collected anew each time the router refreshes monitoring data. Other statistics, such as the peak number of active users, are collected at refresh time but compared against the same data collected when monitoring began.
• Terminated user sessions—The number of user sessions that have terminated since monitoring began.
• Authentication failures—The number of sessions that have failed to be authenticated since monitoring began.
• VPN Idle timeout—The number of VPN idle timeouts that have occurred since monitoring began.
Full Tunnel This tab displays information about full tunnel connections between SSL VPN clients and servers on the corporate intranet.
• Active tunnel connections—The number of active full tunnel connections since data was last refreshed. Data can be refreshed every 10 seconds, or every minute.
• Active connections peak time—The full tunnel connection of the longest duration since monitoring began.
User List Area This area lists all active users in all groups configured for this context. This area displays the following information:
• User Login Name—The username that is authenticated with the AAA server.
• Client IP address—The user’s assigned SSL VPN IP address for this session. This IP address is drawn from the address pool configured for this context.
Traffic Status
This window displays a tree of traffic types that can be monitored on an interface. Before any traffic type can be monitored, it must be enabled on at least one interface. You can choose one of the following traffic types from the Traffic Status tree:
• Netflow Top Talkers
• QoS
• Application/Protocol Traffic This type uses Network-Based Application Recognition (NBAR) to monitor traffic.
Update Button Updates the window with current information about the flows.
Top Talkers This window displays a table with the following columns:
• Source IP Address—Source IP address of the top talker. Select a source IP address to see more information in Flow status for the source address.
• Packets—Total number of packets received from the source IP address.
• Bytes—Total number of bytes received from the source IP address.
QoS The QoS Status window allows you to monitor the performance of the traffic on QoS-configured interfaces (see Associating a QoS Policy With an Interface). This window also allows you to monitor bandwidth utilization and bytes sent for interfaces with no QoS configuration. Monitoring inbound traffic on QoS interfaces shows the statistics only at a protocol level.
• Every 5 minutes—Statistics are gathered when you click Start Monitoring, and refreshed at 5-minute intervals.
• Every 1 hour—Statistics are gathered when you click Start Monitoring, and refreshed at 1-hour intervals.
Start Monitoring Click to start monitoring QoS statistics.
Select QoS Parameters for Monitoring Select the traffic direction and type of statistics you want to monitor.
Direction Click either Input or Output.
Step 5 Choose a QoS policy from the Inbound drop-down list to associate with inbound traffic on the interface.
Step 6 Choose a QoS policy from the Outbound drop-down list to associate with outbound traffic on the interface.
Application/Protocol Traffic This window allows you to monitor application and protocol traffic using Network-Based Application Recognition (NBAR), a protocol and application discovery feature.
• Input Packet Count—The number of packets of the protocol shown incoming to the chosen interface.
• Output Packet Count—The number of packets of the protocol shown outgoing from the chosen interface.
• Bit rate (bps)—The speed, in bits per second, of traffic passing through the interface.
• Remote Generic Access Policy—The host does not have a posture agent installed, and the ACS server assigns an agentless host policy.
The posture agents on the hosts may return the following posture tokens:
• Healthy—The host is free of known viruses, and has the latest virus definition files.
• Checkup—The posture agent is determining if the latest virus definition files have been installed.
Note It is the router log that is displayed, even if log messages are being forwarded to a syslog server.
Logging Buffer Shows whether or not the logging buffer and syslog logging are enabled. The text “Enabled” is displayed when both are enabled. The logging buffer reserves a specified amount of memory to retain log messages. The setting in this field is not preserved if your router is rebooted.
Shows the severity of the logging event. Severity is shown as a number from 1 through 7, with lower numbers indicating more severe events.
Search Button Opens a search window. In the search window, enter text in the Search field and click the Find button to display all entries containing the search text. Searches are not case sensitive.
Firewall Log The log entries shown in the top part of this window are determined by log messages generated by the firewall.
%SEC-6-IPACCESSLOGDP: list 100 denied icmp 171.71.225.148->10.77.158.140 (0/0), 3 packets
Update Button Polls the router and updates the information shown on the screen with current information.
Search Button Opens a search window. Choose a search type from the Search menu and enter the appropriate text in the Search field, then click the Find button to display matching log entries.
• View Details—A link that opens a window containing the full log of attacks against the chosen port.
If you choose Top Attackers from the View drop-down menu, the top-attacks table displays entries with the following columns:
• Attacker’s IP Address—The IP address from which the attacks are coming.
• Number of attacks—The number of attacks that have come from the IP address.
*Sep 8 12:24:22.762: %FW-6-DROP_PKT: Dropping im-aol pkt 128.107.252.142:1505 => 205.188.153.121:5190
*Sep 8 12:26:02.090: %FW-6-DROP_PKT: Dropping im-msn pkt 128.107.252.142:1541 => 65.54.239.80:1863
*Sep 8 11:42:10.959: %APPFW-4-HTTP_PORT_MISUSE_IM: Sig:10006 HTTP Instant Messenger detected - Reset - Yahoo Messenger from 10.10.10.2:1334 to 216.155.194.191:80
*Sep 8 12:27:54.
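The following is an added example, not code from the Cisco SDM guide: it parses the Cisco IOS log lines quoted in the Logging section, buckets them the way the Logging overview counts them (severity 2 or lower is High Severity, 3 or 4 is Warning), and builds a per-source count like the Top Attackers view. It assumes the IOS "%FACILITY-SEVERITY-MNEMONIC:" message layout with an optional timestamp prefix; the "informational" label for severities 5 through 7 is this example's own, not a term from the guide.

```python
# Added example (not from the Cisco SDM guide): parse the IOS syslog lines shown in
# the Logging section, bucket them by severity the way Monitor > Logging does, and
# count entries per source address in the style of the Top Attackers table.
# Assumptions: IOS "%FACILITY-SEVERITY-MNEMONIC:" format, optional "*Mon d hh:mm:ss.mmm:"
# timestamp; "informational" for severities 5-7 is this example's own label.
import re
from collections import Counter

# Constructed sample input: the log lines quoted in the guide's Firewall Log section.
SAMPLE_LINES = [
    "%SEC-6-IPACCESSLOGDP: list 100 denied icmp 171.71.225.148->10.77.158.140 (0/0), 3 packets",
    "*Sep 8 12:24:22.762: %FW-6-DROP_PKT: Dropping im-aol pkt 128.107.252.142:1505 => 205.188.153.121:5190",
    "*Sep 8 12:26:02.090: %FW-6-DROP_PKT: Dropping im-msn pkt 128.107.252.142:1541 => 65.54.239.80:1863",
    "*Sep 8 11:42:10.959: %APPFW-4-HTTP_PORT_MISUSE_IM: Sig:10006 HTTP Instant Messenger "
    "detected - Reset - Yahoo Messenger from 10.10.10.2:1334 to 216.155.194.191:80",
]

# Optional "*Sep 8 12:24:22.762: " timestamp, then "%FACILITY-SEV-MNEMONIC: text".
MSG_RE = re.compile(
    r"^(?:\*?(?P<ts>[A-Za-z]{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d(?:\.\d+)?):\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Source/destination pairs appear as "src->dst" (ACL logging), "src:port => dst:port"
# (firewall drops) or "from src:port to dst:port" (application firewall alerts).
PAIR_RE = re.compile(rf"(?P<src>{IPV4})(?::\d+)?\s*(?:->|=>|\s+to\s+)\s*(?P<dst>{IPV4})")


def severity_bucket(severity: int) -> str:
    """Map an IOS severity (0-7) to the buckets the Logging overview counts."""
    if severity <= 2:
        return "high"          # requires immediate attention
    if severity <= 4:
        return "warning"       # may indicate a problem, not usually urgent
    return "informational"     # assumption: 5-7 grouped under one label


def parse_line(line: str):
    """Return a dict describing one log line, or None if it is not an IOS message."""
    m = MSG_RE.match(line.strip())
    if m is None:
        return None
    severity = int(m.group("severity"))
    pair = PAIR_RE.search(m.group("text"))
    return {
        "timestamp": m.group("ts"),
        "facility": m.group("facility"),
        "severity": severity,
        "bucket": severity_bucket(severity),
        "mnemonic": m.group("mnemonic"),
        "src": pair.group("src") if pair else None,
        "dst": pair.group("dst") if pair else None,
        "text": m.group("text"),
    }


def count_by_bucket(lines):
    """Counts per bucket, like the High Severity / Warning totals on the Logging page."""
    counts = Counter({"high": 0, "warning": 0, "informational": 0})
    for rec in filter(None, map(parse_line, lines)):
        counts[rec["bucket"]] += 1
    return dict(counts)


def top_sources(lines, limit=10):
    """Entries per source address, most frequent first (the Top Attackers view)."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["src"]:
            counts[rec["src"]] += 1
    return counts.most_common(limit)


if __name__ == "__main__":
    for rec in filter(None, map(parse_line, SAMPLE_LINES)):
        print(f'{rec["bucket"]:13} {rec["facility"]}-{rec["severity"]}-{rec["mnemonic"]} '
              f'{rec["src"]} -> {rec["dst"]}')
    print(count_by_bucket(SAMPLE_LINES))
    print(top_sources(SAMPLE_LINES))
```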
SDEE Messages Choose the SDEE message type to display:
• All—SDEE error, status, and alert messages are shown.
• Error—Only SDEE error messages are shown.
• Status—Only SDEE status messages are shown.
• Alerts—Only SDEE alert messages are shown.
Update Button Click to check for new SDEE messages.
Search Button Opens a search window.
IPS Status
This window appears if the router is using a Cisco IOS image that supports IPS version 4.x or earlier. This window displays a table of IPS signature statistics, grouped by signature type. The following statistics are shown:
• Signature ID—Numerical signature identifier.
• Description—Description of the signature.
SDEE Log Click to view SDEE messages. You can also view these messages by clicking Monitor > Logging > SDEE Message Log.
IPS Signature Statistics This window is displayed if the router is using an IOS IPS 5.x configuration. Statistics are displayed for each enabled signature in the IOS IPS configuration. The top of the window displays signature totals to provide a snapshot of the signature configuration.
IPS Alert Statistics
The IPS Alert Statistics window displays alert statistics in a color-coded format for easy recognition. The top part of the screen displays a legend that explains the use of colors in the display.
Color  Explanation
RED  The event that generated the alert has a high Risk Rating (RR) in the range of 70 to 100.
MAGENTA  The event that generated the alert has a medium Risk Rating (RR) in the range of 40 to 69.
802.1x Authentication Status
802.1x Authentication on Interfaces Area
Interface
802.1x Authentication
Reauthentication
802.1x Clients Area
Client MAC Address
Authentication Status
Interface
CHAPTER 43 File Menu Commands
The following options are available from the Cisco Router and Security Device Manager (Cisco SDM) File menu.
Save Running Config to PC Saves the router’s running configuration file to a text file on the PC.
Deliver Configuration to Router This window lets you deliver to the router any configuration changes that you have made using Cisco SDM.
Write to Startup Config If Cisco SDM is being used to configure a Cisco 7000 router, the check box Save running config. to router's startup config. will be disabled if there are boot network or boot host commands present with service config commands in the running configuration.
Cancel Click this button to discard the configuration change and close the Cisco SDM Deliver to Router dialog box.
File Management The right side of the window displays a list of the names of the files and directories found in the directory that is chosen in the left side of the window. It also shows the size of each file in bytes, and the date and time each file and directory was last modified. You can choose a file or directory in the list on the right side of the window and then choose one of the commands above the list. Directories (folders) can be renamed or deleted.
Format Button Click the Format button to reformat your Cisco router flash memory or to reformat a USB flash device connected to that router. The Format button is enabled only if an icon representing your Cisco router flash memory or a USB flash device is chosen in the left side of the window.
Caution Reformatting your Cisco router flash memory or a USB flash device connected to that router will erase all of the files in the file system.
Rename Button Choose a file or directory from the right side of the window and click the Rename button to change its name. Names cannot contain spaces or question marks (“?”).
Delete Button Choose a file or directory from the right side of the window and click the Delete button to delete it. A file with the no-write icon next to its name cannot be deleted.
Name Click Name to order the files and directories alphabetically based on name.
Enter the name of the new folder in the Folder Name field. The path to the location of the new folder is displayed above the Folder Name field.
Save SDF to PC If you are working in IPS, you can save the signature definition file (SDF) that you are working on to your PC. Navigate to the directory in which you want to save the file, and click Save.
Exit Exits Cisco Router and Security Device Manager.
Unable to perform squeeze flash
Step 2 Save the router’s running configuration to a file on the PC by clicking File > Save Running Config to PC, and entering a filename.
Step 3 Prepare a TFTP server to which you can save files and copy them over to the router. You must have write access to the TFTP server. Your PC can be used for this purpose if it has a TFTP server program.
Step 4 Use the tftpcopy command to copy the Cisco IOS image, the SDM.tar file, and the SDM.
copy tftp://10.10.10.3/ios_image_name flash:
! Replace ios_image_name with actual name of IOS image
copy tftp://10.10.10.3/SDM.tar flash:
Step 8 Start your web browser, and reconnect to Cisco SDM, using the same IP address you used when you started the Cisco SDM session. Now that an erase flash: has been performed on the router, you will be able to execute the squeeze flash command when necessary.
CHAPTER 44 Edit Menu Commands
The following options are available from the Cisco Router and Security Device Manager (Cisco SDM) Edit menu.
Preferences This screen lets you configure the following Cisco Router and Security Device Manager options:
Preview commands before delivering to router Choose this option if you want Cisco SDM to display a list of the Cisco IOS configuration commands generated before the commands are sent to the router.
Continue monitoring interface status when switching mode/task This is the Cisco SDM default behavior. Cisco SDM begins monitoring interface status when you click Monitor and select Interface status. To have Cisco SDM continue monitoring the interface even if you leave Monitor mode and perform other tasks in Cisco SDM, select this check box and specify the maximum number of interfaces you want Cisco SDM to monitor.
CHAPTER 45 View Menu Commands
The following options are available from the Cisco Router and Security Device Manager (Cisco SDM) View menu.
Home Displays the Cisco SDM Home page, which provides information about router hardware, software, and LAN, WAN, Firewall, and VPN configurations.
Configure Displays the Cisco SDM Tasks bar, which allows you to perform guided and manual configurations for Interfaces and Connections, Firewalls and ACLs, VPNs, Routing, and other tasks.
Running Config Displays the router’s running configuration.
Show Commands Displays the Show Commands dialog box, which lets you issue Cisco IOS show commands to the router, view the output, and save the output to your PC. The output file is saved with the default filename show_[router_ip_address]. The Show Commands dialog box can display the output from the following show commands:
• show flash—Shows the contents of the router Flash memory.
Cisco SDM Default Rules The Cisco SDM Default Rules screen displays a list of all of the default rules configured by Cisco SDM. The screen is organized with a tree on the left side of the screen displaying options for Access Rules, Firewall, VPN - IKE Policy, and VPN - Transform Sets. To view the default rules for these options, click the option in the tree, and the default rules for that option are displayed on the right.
Refresh Reloads configuration information from the router. If there are any undelivered commands, Cisco SDM displays a message window telling you that if you refresh, you will lose the undelivered commands. If you want to deliver the commands, click No in this window, and then click Deliver on the Cisco SDM toolbar.
CHAPTER 46 Tools Menu Commands
The following options are available from the Cisco Router and Security Device Manager (Cisco SDM) Tools menu.
Ping Displays the Ping dialog box, which lets you send a ping message to another network device. See Generate Mirror... for information on how to use the Ping window.
Telnet Displays the Windows Telnet dialog box, letting you connect to your router and access the Cisco IOS command-line interface (CLI) using the Telnet protocol.
USB Token PIN Settings The USB Token PIN Settings dialog box allows you to set PINs for USB tokens connected to your router.
Select a PIN Type Choose User PIN to set a user PIN, or Admin PIN to set an administrator PIN. A user PIN is used to log into a router.
Save the New PIN to Router Check the Save the new PIN to router checkbox if you want to save the new PIN as an entry in Configure > VPN > VPN Components > Public Key Infrastructure > USB Tokens. If an entry with the same name already exists in Configure > VPN > VPN Components > Public Key Infrastructure > USB Tokens, it is replaced with the new one. The Save the new PIN to router checkbox is available only for user PINs.
Update Cisco SDM from Local PC You can update Cisco SDM using an SDM.zip file you have downloaded from Cisco.com. Cisco SDM provides an update wizard that will copy the necessary files to your router. To update Cisco SDM from the PC you are using to run Cisco SDM, follow these steps:
Step 1 Download the file sdm-vnn.zip from the following URL: http://www.cisco.com/cgi-bin/tablebuild.pl/sdm If there is more than one Cisco SDM .
CCO Login If you do not have a CCO login and password, you can obtain one by opening a web browser and going to the Cisco website at the following link: http://www.cisco.com When the webpage opens, click Register and provide the necessary information to obtain a username and password. Then, try this operation again.
CHAPTER 47 Help Menu Commands
The following options are available from the Cisco Router and Security Device Manager (Cisco SDM) Help menu.
Help Topics Displays the Cisco SDM online help. The Cisco SDM online help Table of Contents appears in the left frame of the help.
Cisco SDM on CCO Opens a browser and displays the Cisco SDM page on the Cisco.com website.
About this router... Displays hardware and software information about the router on which Cisco SDM is running.
About Cisco SDM Displays version information about Cisco SDM.
GLOSSARY
Symbols and Numerics
3DES Triple DES. An encryption algorithm that uses three 56-bit DES encryption keys (effectively 168 bits) in quick succession. An alternative 3DES version uses just two 56-bit DES keys, but uses one of them twice, resulting effectively in a 112-bit key length. Legal for use only in the United States. See DES.
802.1x 802.
ACL access control list. Information on a device that specifies which entities are permitted to access that device or the networks behind that device. Access control lists consist of one or more access control entries (ACE).
ACS Cisco Secure Access Control Server. Cisco software that can implement a RADIUS server or a TACACS+ server. The ACS is used to store policy databases used by Easy VPN, NAC and other features to control access to the network.
algorithm A logical sequence of steps for solving a problem. Security algorithms pertain to either data encryption or authentication. DES and 3DES are two examples of data encryption algorithms. Examples of encryption-decryption algorithms include block cipher, CBC, null cipher, and stream cipher. Authentication algorithms include hashes such as MD5 and SHA.
AMI alternate mark inversion.
B
BC Committed Burst. BC is a QoS policing parameter that specifies, in bits (or bytes) per burst, how much traffic can be sent within a given unit of time without creating scheduling concerns.
BE Excess Burst. BE is a QoS policing parameter that specifies how large traffic bursts can be before all traffic exceeds the rate limit. Traffic that falls between the normal burst size and the excess burst size exceeds the rate limit with a probability that increases as the burst size increases.
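The following added example (not code from the Cisco SDM guide or from Cisco) shows how the Committed Burst (Bc) and Excess Burst (Be) entries above shape a policer's conform, exceed and violate decisions. It assumes the RFC 2697-style two-bucket model used by the Cisco IOS police command, in which tokens earned at the committed rate fill the Bc bucket first and overflow into the Be bucket; it does not reproduce the probabilistic behaviour of the legacy rate-limit feature described in the BE entry.

```python
# Added example (not from the Cisco SDM guide): a single-rate, two-bucket policer
# illustrating the Committed Burst (Bc) and Excess Burst (Be) glossary parameters.
# Assumption: RFC 2697-style model (tokens earned at the CIR fill Bc first and spill
# into Be), as used by the IOS "police" command; bucket sizes are in bytes.

class SingleRatePolicer:
    """Token-bucket policer with committed (Bc) and excess (Be) buckets."""

    def __init__(self, cir_bps: int, bc_bytes: int, be_bytes: int):
        self.cir_bytes_per_s = cir_bps / 8.0
        self.bc = bc_bytes
        self.be = be_bytes
        self.tc = float(bc_bytes)   # committed bucket starts full
        self.te = float(be_bytes)   # excess bucket starts full
        self.last = 0.0             # arrival time of the previous packet, seconds

    def _refill(self, now: float) -> None:
        # Tokens earned since the last packet top up Bc; any overflow feeds Be.
        earned = max(0.0, now - self.last) * self.cir_bytes_per_s
        self.last = max(self.last, now)
        spill = max(0.0, self.tc + earned - self.bc)
        self.tc = min(float(self.bc), self.tc + earned)
        self.te = min(float(self.be), self.te + spill)

    def police(self, now: float, size: int) -> str:
        """Classify one packet of `size` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        if size <= self.tc:
            self.tc -= size
            return "conform"     # fits within the committed burst
        if size <= self.te:
            self.te -= size
            return "exceed"      # fits within the excess burst
        return "violate"         # beyond both bursts


def police_sequence(cir_bps, bc_bytes, be_bytes, packets):
    """Run (arrival_time, size) packets through a fresh policer; return their colours."""
    policer = SingleRatePolicer(cir_bps, bc_bytes, be_bytes)
    return [policer.police(t, size) for t, size in packets]


# Constructed sample: 8 kbit/s CIR (1000 bytes/s), Bc = Be = 1500 bytes.
# Three back-to-back 1000-byte packets at t=0 drain Bc, then Be, then violate;
# after one second the CIR has refilled Bc enough for the next packet to conform.
SAMPLE_PACKETS = [(0.0, 1000), (0.0, 1000), (0.0, 1000), (1.0, 1000)]

if __name__ == "__main__":
    colours = police_sequence(8000, 1500, 1500, SAMPLE_PACKETS)
    for (t, size), colour in zip(SAMPLE_PACKETS, colours):
        print(f"t={t:4.1f}s  {size:5d} bytes  -> {colour}")
```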
Glossary CBAC Context-based Access Control. Protocol that provides internal users with secure access control for each application and for all traffic across network perimeters. CBAC scrutinizes both source and destination addresses and tracks each application connection status. CBWFQ Class-Based Weighted Fair Queuing. CBWFQ provides support for user-defined traffic classes.
Glossary CET Cisco Encryption Technology. Proprietary network layer encryption introduced in Cisco IOS Release 11.2. CET provides network data encryption at the IP packet level and implements the following standards: DH, DSS, and 40- and 56-bit DES. CHAP Challenge Handshake Authentication Protocol. Security feature supported on lines using PPP encapsulation that prevents unauthorized access. CHAP does not itself prevent unauthorized access, it merely identifies the remote end.
Glossary CLI command-line interface. The primary interface for entering configuration and monitoring commands to the router. Refer to the Configuration Guide for the router you are configuring for information on what commands you can enter from the CLI. client/server computing Term used to describe distributed computing (processing) network systems in which transaction responsibilities are divided into two parts: client (front end) and server (back end). Also called distributed computing. See also RPC.
Glossary crypto map In Cisco SDM, crypto maps specify which traffic should be protected by IPSec, where IPSec-protected traffic should be sent, and what IPSec transform sets should be applied to this traffic. cTCP Cisco Tunneling Control Protocol. cTCP is also called TCP over IPSec, or TCP traversal. cTCP is a protocol that encapsulates ESP and IKE traffic in the TCP header, so that firewalls in between the client and the server or headend device permit this traffic, considering it as TCP traffic.
Glossary DH, Diffie-Hellman A public key cryptography protocol that allows two parties to establish a shared secret over insecure communications channels. Diffie-Hellman is used within Internet Key Exchange (IKE) to establish session keys. Diffie-Hellman is a component of Oakley key exchange. Diffie-Hellman key exchange A public key cryptography protocol that allows two parties to establish a shared secret over insecure communication channels.
Glossary DMZ demilitarized zone. A DMZ is a buffer zone between the Internet, and your private networks. It can be a public network typically used for Web, FTP and E-Mail servers that are accessed by external clients on the Internet. Placing these public access servers on a separate isolated network provides an extra measure of security for your internal network. DN Distinguished Name.
Glossary DVTI Dynamic Virtual Tunnel Interface. A DVTI is a routable interface that is able to selectively send traffic to different destinations. DVTIs are not statically mapped to physical interfaces. Thus they are able to send and receive encrypted data over any physical interface. dynamic routing Routing that adjusts automatically to network topology or traffic changes. Also called adaptive routing.
encapsulation Wrapping of data in a particular protocol header. For example, Ethernet data is wrapped in a specific Ethernet header before network transit. Also, when bridging dissimilar networks, the entire frame from one network is simply placed in the header used by the data link layer protocol of the other network.
encrypt To cryptographically produce ciphertext from plaintext.
esp-null ESP (Encapsulating Security Payload) transform that provides no encryption and no confidentiality.
ESP-SHA-HMAC ESP (Encapsulating Security Payload) transform using the HMAC-variant SHA authentication algorithm.
Ethernet A widely used LAN protocol invented by Xerox Corporation, and developed by Xerox, Intel, and Digital Equipment Corporation. Ethernet networks use CSMA/CD, and run over a variety of cable types at 10 Mbps, or at 100 Mbps. Ethernet is similar to the IEEE 802.
fidelity rating A number from 1 to 100 that indicates the confidence the rater has that a signature will generate an accurate alert.
finger A software tool for determining whether a person has an account at a particular Internet site. Many sites do not allow incoming finger requests.
fingerprint The fingerprint of a CA certificate is the string of alphanumeric characters that results from an MD5 hash of the whole CA certificate.
GRE generic routing encapsulation. Tunneling protocol developed by Cisco that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote points over an IP internetwork. By connecting multiprotocol subnetworks in a single-protocol backbone environment, IP tunneling using GRE allows network expansion across a single-protocol backbone environment.
GRE over IPSec This technology uses IPSec to encrypt GRE packets.
G.
HMAC Hash-based Message Authentication Code. HMAC is a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative cryptographic hash function, e.g., MD5, SHA-1, in combination with a secret shared key. The cryptographic strength of HMAC depends on the properties of the underlying hash function.
HMAC-MD5 Hashed Message Authentication Codes with MD5 (RFC 2104).
IDS Sensor An IDS sensor is the hardware on which the Cisco IDS runs. IDS sensors can be stand-alone devices, or network modules installed on routers.
IDM IDS Device Manager. IDM is software used to manage an IDS sensor.
IEEE Institute of Electrical and Electronics Engineers.
IETF Internet Engineering Task Force.
IGMP Internet Group Management Protocol. IGMP is a protocol used by IPv4 systems to report IP multicast memberships to neighboring multicast routers.
IKE Internet Key Exchange.
inside global The IP address of a host inside a network as it appears to devices outside the network.
inside local The configured IP address assigned to a host inside the network.
inspection rule A CBAC inspection rule allows the router to inspect specified outgoing traffic so that it can allow return traffic of the same type that is associated with a session started on the LAN.
IP address IP version 4 addresses are 32 bits, or 4 bytes, in length. This address “space” is used to designate the network number, the optional subnetwork number, and a host number. The 32 bits are grouped into four octets (8 binary bits), represented by 4 decimal numbers separated by periods or “dots.” The part of the address used to specify the network number, the subnetwork number, and the host number is specified by the subnet mask.
key exchange The method by which two or more parties exchange encryption keys. The IKE protocol provides one such method.
key lifetime An attribute of a key pair that specifies a time span during which the certificate containing the public component of that key pair is considered valid.
key management The creation, distribution, authentication, and storage of encryption keys.
key pair See public key encryption.
LEFS low-end file system.
life cycle See expiration date.
LLQ Low Latency Queuing (LLQ) allows delay-sensitive data such as voice to be dequeued and sent first (before packets in other queues are dequeued), giving delay-sensitive data preferential treatment over other traffic.
LNS L2TP network server. Device able to terminate L2TP tunnels from a LAC and able to terminate PPP sessions to remote systems through L2TP data sessions.
mask, subnet mask, netmask, network mask A 32-bit bit mask which specifies how an Internet address is to be divided into network, subnet, and host parts. The net mask has ones (1’s) in the bit positions in the 32-bit address that are to be used for the network and subnet parts, and has zeros (0’s) for the host part. The mask should contain at least the standard network portion (as determined by the address class), and the subnet field should be contiguous with the network portion.
mGRE multipoint GRE.
MTU maximum transmission unit. The maximum packet size, in bytes, that an interface can transmit or receive.
N
NAC Network Admission Control. A method of controlling access to a network in order to prevent the introduction of computer viruses. Using a variety of protocols and software products, NAC assesses the condition of hosts when they attempt to log onto the network, and handles the request based on the host’s condition, called its posture.
NetFlow A feature of some routers that allows them to categorize incoming packets into flows. Because packets in a flow often can be treated in the same way, this classification can be used to bypass some of the work of the router and accelerate its switching operation.
network A network is a group of computing devices which share part of an IP address space, not a single host. A network consists of multiple “nodes” or devices with IP addresses, any of which may be referred to as hosts.
O
Oakley A protocol for establishing secret keys for use by authenticated parties, based on Diffie-Hellman and designed to be a compatible component of ISAKMP.
OFB output feedback. An IPSec function that feeds encrypted output (generally, but not necessarily, DES-encrypted) back into the original input. Plaintext is encrypted directly with the symmetric key. This produces a pseudo-random number stream.
PAP Password Authentication Protocol. An authentication protocol that allows peers to authenticate one another. PAP passes the password and hostname or username in unencrypted form. See also CHAP.
parameter map Parameter-maps specify inspection behavior for Zone-Policy Firewall, for parameters such as Denial-of-Service Protection, session and connection timers, and logging settings.
ping An ICMP request sent between hosts to determine whether a host is accessible on the network.
PKCS7 Public Key Cryptography Standard Number 7.
PKCS12 Public Key Cryptography Standard Number 12. A format for storing digital certificate information. See also PEM.
PKI public-key infrastructure.
PPPoA Point-to-Point Protocol over Asynchronous Transfer Mode (ATM). Primarily implemented as part of ADSL, PPPoA relies on RFC1483, operating in either Logical Link Control-Subnetwork Access Protocol (LLC-SNAP) or VC-Mux mode.
PPPoE Point-to-Point Protocol over Ethernet. PPP encapsulated in Ethernet frames. PPPoE enables hosts on an Ethernet network to connect to remote hosts through a broadband modem.
PPTP Point-to-Point Tunneling Protocol.
public key encryption In public key encryption systems, every user has both a public key and a private key. Each private key is maintained by a single user and shared with no one. The private key is used to generate a unique digital signature and to decrypt information encrypted with the public key. In contrast, a user’s public key is available to everyone to encrypt information intended for that user, or to verify that user’s digital signature. Sometimes called public key cryptography.
RCP remote copy protocol. Protocol that allows users to copy files to and from a file system residing on a remote host or server on the network. The rcp protocol uses TCP to ensure the reliable delivery of data.
remote subnet Subnetworks are IP networks arbitrarily segmented by a network administrator (by means of a subnet mask) in order to provide a multilevel, hierarchical routing structure while shielding the subnetwork from the addressing complexity of attached networks.
route A path through an internetwork.
route map Route maps enable you to control information that is added to the routing table. Cisco SDM automatically creates route maps to prevent NAT from translating specific source addresses when doing so would prevent packets from matching criteria in an IPSec rule.
RPC remote procedure call. RPCs are procedure calls that are built or specified by clients and executed on servers, with the results returned over the network to the clients.
S
SA security association. A set of security parameters agreed upon by two peers to protect a specific session in a particular tunnel. Both IKE and IPSec use SAs, although SAs are independent of one another. IPSec SAs are unidirectional and are unique in each security protocol. An IKE SA is used by IKE only, and unlike the IPSec SA, it is bidirectional. IKE negotiates and establishes SAs on behalf of IPSec. A user can also establish IPSec SAs manually.
SEAO Signature Event Action Override. An SEAO allows you to assign a risk rating (RR) range to an IPS event action type, such as alarm. If an event occurs with an RR in the range you have assigned to the action type, then that action is added to the event. In this case, an alarm would be added to the event.
SEAP Signature Event Action Processor. SEAP allows filtering and overrides based on Event Risk Rating (ERR) feedback.
secret key See symmetric key.
signature A data element in IOS IPS that detects a specific pattern of misuse on the network.
signature engine A signature engine is a component of Cisco IOS IPS designed to support many signatures in a certain category. An engine is composed of a parser and an inspector. Each engine has a set of legal parameters which have allowable ranges or sets of values.
spoke In a DMVPN network, a spoke router is a logical end point in the network, and has a point-to-point IPSec connection with a DMVPN hub router.
spoofing The act of a packet illegally claiming to be from an address from which it was not actually sent. Spoofing is designed to foil network security mechanisms such as filters and access lists.
spoof
SRB source-route bridging. Method of bridging originated by IBM and popular in Token Ring networks.
standard rule In Cisco SDM, a type of access rule or NAT rule. Standard rules compare a packet’s source IP address against its IP address criteria to determine a match. Standard rules use a wildcard mask to determine which portions of the IP address must match.
state, stateful, stateful inspection Network protocols maintain certain data, called state information, at each end of a network connection between two hosts.
T
T1 A T1 link is a data link capable of transmitting data at a rate of 1.5 MB per second.
TACACS+ Terminal Access Controller Access Control System plus. An access server authentication and accounting protocol that uses TCP as the transport protocol.
tail-end The downstream, receive end of a tunnel.
TCP Transmission Control Protocol. Connection-oriented transport layer protocol that provides reliable full-duplex data transmission.
tunneling The process of piping the stream of one protocol through another protocol.
TVR Target Value Rating. The TVR is a user-defined value that represents the user's perceived value of the target host. This allows the user to increase the risk of an event associated with a critical system and to de-emphasize the risk of an event on a low-value target.
U
UDP User Datagram Protocol. Connectionless transport layer protocol in the TCP/IP protocol stack; it belongs to the Internet protocol family.
VFR Virtual Fragment Reassembly. VFR enables IOS Firewall to dynamically create ACLs to block IP fragments. IP fragments often do not contain enough information for static ACLs to be able to filter them.
VoIP Voice over IP. The capability to carry normal telephony-style voice over an IP-based internet with POTS-like functionality, reliability, and voice quality. VoIP enables a router to carry voice traffic (for example, telephone calls and faxes) over an IP network.
VPN mirror policy A VPN policy on a remote system that contains values that are compatible with a local policy and that enable the remote system to establish a VPN connection to the local system. Some values in a mirror policy must match values in a local policy, and some values, such as the IP address of the peer, must be the reverse of the corresponding values in the local policy. You can create mirror policies for remote administrators to use when you configure site-to-site VPN connections.
WFQ Weighted Fair Queuing. A flow-based queuing algorithm that does two things simultaneously: it schedules interactive traffic to the front of the queue to reduce response time, and it fairly shares the remaining bandwidth between high bandwidth flows.
wildcard mask A bit mask used in access rules, IPSec rules, and NAT rules to specify which portions of the packet’s IP address must match the IP address in the rule. A wildcard mask contains 32 bits, the same number of bits in an IP address.
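The mask, standard rule, and wildcard mask entries describe one mechanism from three angles; the following added example (not Cisco's or SDM's code) shows how a standard rule applies a wildcard mask to a packet's source address, how the wildcard mask is derived from a subnet mask, and how to check that a subnet mask is contiguous as the mask entry requires. The rule set and addresses are constructed for illustration.

```python
# Added example (not Cisco's code): standard-rule matching with a wildcard
# mask, plus the subnet-mask relationship described in the glossary.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    """Convert a dotted-decimal IPv4 string to its 32-bit integer value."""
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    """Convert a 32-bit integer back to dotted-decimal form."""
    return str(ipaddress.IPv4Address(value & ALL_ONES))


def wildcard_from_netmask(netmask: str) -> str:
    """A wildcard mask is the bitwise inverse of the subnet mask:
    0 bits must match the rule address, 1 bits are ignored."""
    return _to_dotted(_to_int(netmask) ^ ALL_ONES)


def is_contiguous_netmask(netmask: str) -> bool:
    """True when the mask is a run of ones followed by a run of zeros,
    i.e. the network and subnet fields are contiguous."""
    host_bits = _to_int(netmask) ^ ALL_ONES
    return host_bits & (host_bits + 1) == 0


def wildcard_match(address: str, rule_address: str, wildcard: str) -> bool:
    """Compare only the bit positions where the wildcard mask has a 0."""
    care = _to_int(wildcard) ^ ALL_ONES
    return (_to_int(address) & care) == (_to_int(rule_address) & care)


def evaluate_standard_rules(source: str, rules) -> str:
    """First matching entry wins; an unmatched packet is denied, which
    mirrors the implicit deny at the end of an IOS access list."""
    for action, rule_address, wildcard in rules:
        if wildcard_match(source, rule_address, wildcard):
            return action
    return "deny"


# Constructed sample rule set: block one host, permit the rest of its subnet.
SAMPLE_RULES = [
    ("deny", "192.168.1.10", "0.0.0.0"),      # exactly this host
    ("permit", "192.168.1.0", "0.0.0.255"),   # any host in 192.168.1.0/24
]

if __name__ == "__main__":
    for src in ("192.168.1.10", "192.168.1.11", "10.0.0.1"):
        print(src, "->", evaluate_standard_rules(src, SAMPLE_RULES))
    print("wildcard for 255.255.255.0:", wildcard_from_netmask("255.255.255.0"))
```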
X.509 certificate revocation list (CRL) A list of certificate numbers that have been revoked. An X.509 CRL is one that meets either of the two CRL formatting definitions in X.509.
XAuth IKE Extended Authentication. Xauth allows all Cisco IOS software AAA authentication methods to perform user authentication in a separate phase after the IKE authentication phase 1 exchange. The AAA configuration list-name must match the Xauth configuration list-name for user authentication to occur.