User guide
21
Release Notes for Cisco Router and Security Device Manager 2.5
OL-5009-20
Important Notes
For example, if you have configured an SSL VPN connection on the interface Fe 0/0 with the gateway IP address 10.10.10.1 and the gateway name MySSLVPN, you may not be able to launch Cisco SDM using that IP address.
To be able to launch Cisco SDM using that IP address, add the following Cisco IOS CLI commands:
Router# config t
Router(config)# interface loopback next-available-loopback-number
Router(config-if)# description Do not delete - SDM SSLVPN generated interface
Router(config-if)# ip address 192.168.1.1 255.255.255.252
Router(config-if)# no shutdown
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# ip nat inside source static tcp 192.168.1.1 443 10.10.10.1 4443
Router(config)# webvpn gateway MySSLVPN
Router(config-webvpn-gateway)# http-redirect port 80
Router(config)# interface FastEthernet 0/0
Router(config-if)# ip nat outside
Router(config-if)# exit
After adding these commands, you can launch Cisco SDM by entering the following IP address and port in the browser:
https://10.10.10.1:4443
If you remove the SSL VPN gateway that was modified for Cisco SDM access, you must remove the loopback interface and NAT rule that you created to allow access in the first place. Enter the commands shown in the description of caveat CSCek38259.
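As an added example, not taken from the release notes, the following Python check parses a constructed running-config excerpt and reports whether the SDM-generated loopback, its static NAT rule and the webvpn gateway it fronts are still present together, which is the cleanup condition described above. The interface name Loopback0 and the exact config layout are assumptions.

```python
import re

# Constructed running-config excerpt (not from a real router): the loopback, PAT rule and gateway from the note.
SAMPLE_CONFIG = """\
interface Loopback0
 description Do not delete - SDM SSLVPN generated interface
 ip address 192.168.1.1 255.255.255.252
 ip nat inside
!
ip nat inside source static tcp 192.168.1.1 443 10.10.10.1 4443
!
webvpn gateway MySSLVPN
 ip address 10.10.10.1 port 443
!
"""
SDM_DESC = "description Do not delete - SDM SSLVPN generated interface"
NAT_RE = re.compile(r"^ip nat inside source static tcp (\S+) 443 (\S+) (\d+)$")


def parse_blocks(config):
    """Group IOS config lines into (header, indented body lines); '!' separates blocks."""
    blocks = []
    for line in config.splitlines():
        if line.strip() == "!":
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def audit_sdm_access(config):
    """Return (urls, findings): where SDM is reachable, and leftovers to clean up."""
    loopbacks, gateways, nat_rules = {}, set(), []
    for header, body in parse_blocks(config):
        addrs = [b.split()[2] for b in body if b.startswith("ip address ")]
        if header.startswith("interface ") and SDM_DESC in body and addrs:
            loopbacks[addrs[0]] = header.split()[1]   # inside address -> interface name
        elif header.startswith("webvpn gateway ") and addrs:
            gateways.add(addrs[0])                     # addresses still owned by a gateway
        elif m := NAT_RE.match(header):
            nat_rules.append(m.groups())               # (inside, outside, outside_port)
    urls, findings = [], []
    for inside, outside, port in nat_rules:
        if outside in gateways:
            urls.append(f"https://{outside}:{port}")
        else:   # gateway removed but the SDM workaround was left behind
            findings.append(f"{loopbacks.get(inside, inside)} and its NAT rule outlive gateway {outside}; remove both")
    for inside, name in loopbacks.items():
        if all(rule[0] != inside for rule in nat_rules):
            findings.append(f"{name} has no static NAT rule; SDM is not reachable through it")
    return urls, findings
```

Run it against the output of `show running-config` saved to a file to confirm that removing a gateway also removed its loopback and NAT rule.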
Cisco SDM IPS User Guide Discontinued for Cisco SDM 2.2
The Cisco SDM IPS application has been merged with Cisco SDM 2.2. Instructions for using IPS are included in the Cisco Router and Security Device Manager Version 2.2 User’s Guide and later versions of the user’s guide. No Cisco SDM IPS User’s Guide has been published for this release.
Cisco SDM May Lose Connection to Network Access Device
This note concerns the NAC feature.
If the PC used to invoke Cisco SDM returns a posture state (Healthy, Infected, Checkup, Quarantine, or Unknown) and if the group policy on the ACS server attached to the posture token assigned to the PC has a redirect URL configured, the connection between Cisco SDM and the router acting as the Network Access Device (NAD) may be lost. The same problem can occur if an exception list entry attached to a policy with a redirect URL is configured with the IP address or MAC address of the PC.
If you try to reinvoke Cisco SDM from this PC, you will not be able to do so because the browser will be redirected to the location specified in the redirect URL.
There are two workarounds for this problem:
• Ensure that the PC that you use to invoke Cisco SDM attains a posture token that has an associated group policy on the ACS server that is not configured with a redirect URL.
• Alternatively, use Cisco SDM to create a NAC exception list entry with the IP address or MAC address of the PC you use to invoke Cisco SDM. Note that the exception list entry created for the PC should be associated to an exception policy that does not have a redirect URL configured in it.
For more information, see the links in the Cisco SDM NAC online help pages.