Cisco Router and Security Device Manager (SDM) Version 2.2 User's Guide
Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA, http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
Contents
Home Page; LAN Wizard; Ethernet Configuration; LAN Wizard: Select an Interface; LAN Wizard: IP Address and Subnet Mask; LAN Wizard: Enable DHCP Server; LAN Wizard: DHCP Address Pool; DHCP Options; LAN Wizard: VLAN Mode; LAN Wizard: Switch Port; IRB Bridge; BVI Configuration; DHCP Pool for BVI; IRB for Ethernet; Layer 3 Ethernet Configuration; 802.1Q Configuration; Trunking or Routing Configuration; Configure Switch Device Module; Summary; How Do I...
How Do I View the IOS Commands I Am Sending to the Router?; How Do I Launch the Wireless Application from SDM?; Create Connection Wizards; Create Connection; WAN Wizard Interface Welcome Window; ISDN Wizard Welcome Window; Analog Modem Welcome Window; Aux Backup Welcome Window; Select Interface; Encapsulation: PPPoE; IP Address: ATM or Ethernet with PPPoE/PPPoA; IP Address: ATM with RFC 1483 Routing; IP Address: Ethernet without PPPoE; IP Address: Serial with Point-to-Point Protoc
Delete Connection; Summary; Connectivity testing and troubleshooting; How Do I...
Add or Edit BVI Interface; Add Loopback Interface/Connection—Loopback; Connection: Ethernet LAN; Connection: Ethernet WAN; Ethernet Properties; Connection: Ethernet with No Encapsulation; Connection: ADSL; Connection: ADSL over ISDN; Connection: G.SHDSL; Configure DSL Controller; Connection: G.
Advanced Firewall Interface Configuration; Advanced Firewall DMZ Service Configuration; DMZ Service Configuration; Advanced Firewall Inspection Rule Configuration; Application Security Configuration; Domain Name Server Configuration; Summary; How Do I...
SDM Warning: Inspection Rule; SDM Warning: Firewall; Application Security; Application Security Windows; No Application Security Policy; E-mail; HTTP; Header Options; Content Options; Instant Messaging; Point-to-Point Applications; Applications/Protocols; Global Timeouts and Thresholds; Associate Policy with an Interface; Edit Inspection Rule; Permit, Block, and Alarm Controls; Site-to-Site VPN; Create Site to Site VPN; Site-to-Site VPN Wizard; View Defaults
VPN Authentication Information; Backup GRE Tunnel Information; Routing Information; Static Routing Information; Select Routing Protocol; Summary of Configuration; Edit Site-to-Site VPN; Add new connection; Add Additional Crypto Maps; Crypto Map Wizard: Welcome; Crypto Map Wizard: General; Crypto Map Wizard: Peers; Crypto Map Wizard: Transform Set; Crypto Map Wizard: Traffic to Protect; Crypto Map Wizard: Summary of the configuration; Delete Connection; Ping; Gener
Easy VPN Remote; Create Easy VPN Remote; Configure an Easy VPN Remote Client; Connection Settings; Authentication; Interfaces; Summary of Configuration; Edit Easy VPN Remote; Add or Edit Easy VPN Remote; Add or Edit Easy VPN Remote: Easy VPN Settings; Add or Edit Easy VPN Remote: Authentication Information; Enter SSH Credentials; XAuth Login Window; Add or Edit Easy VPN Remote: General Settings; Network Extension Options; Add or Edit Easy VPN Remote: Authentication In
General Group Information; DNS and WINS Configuration; Split Tunneling; Client Settings; Choose Browser Proxy Settings; Add or Edit Browser Proxy Settings; User Authentication (XAuth); Client Update; Add or Edit Client Update Entry; Summary; Browser Proxy Settings; Add or Edit Easy VPN Server; Add or Edit Easy VPN Server Connection; Restrict Access; Group Policies Configuration; Local Pools; Add or Edit IP Local Pool; Add IP Address Range; DMVP
DMVPN Network Topology; Specify Hub Information; Spoke GRE Tunnel Interface Configuration; SDM Warning: DMVPN Dependency; Edit Dynamic Multipoint VPN (DMVPN); General Panel; NHRP Panel; NHRP Map Configuration; Routing Panel; How Do I Configure a DMVPN Manually?; VPN Global Settings; VPN Global Settings: IKE; VPN Global Settings: IPSec; VPN Key Encryption Settings; IP Security; IPSec Policies; Add or Edit IPSec Policy; Add or Edit Crypto Map:
Add or Edit Transform Set; IPSec Rules; Internet Key Exchange; Internet Key Exchange (IKE); IKE Policies; Add or Edit IKE Policy; IKE Pre-shared Keys; Add or Edit Pre Shared Key; VPN Troubleshooting; VPN Troubleshooting: Specify Easy VPN Client; VPN Troubleshooting: Generate Traffic; VPN Troubleshooting: Generate GRE Traffic; SDM Warning: SDM will enable router debugs...
Enable Password Encryption Service; Enable TCP Keepalives for Inbound Telnet Sessions; Enable TCP Keepalives for Outbound Telnet Sessions; Enable Sequence Numbers and Time Stamps on Debugs; Enable IP CEF; Disable IP Gratuitous ARPs; Set Minimum Password Length to Less Than 6 Characters; Set Authentication Failure Rate to Less Than 3 Retries; Set TCP Synwait Time; Set Banner; Enable Logging; Set Enable Secret Password; Disable SNMP; Set Scheduler Interval; Set Scheduler
Enable AAA; Configuration Summary Screen; SDM and Cisco IOS AutoSecure; Security Configurations SDM Can Undo; Undoing Security Audit Fixes; Add or Edit Telnet/SSH Account Screen; Configure User Accounts for Telnet/SSH Page; Enable Secret and Banner Page; Logging Page; Routing; Add or Edit IP Static Route; Add or Edit an RIP Route; Add or Edit an OSPF Route; Add or Edit EIGRP Route; Network Address Translation; Network Address Translation Wizards; Basic NAT Wizard: Welcome
Details; Network Address Translation Rules; Designate NAT Interfaces; Translation Timeout Settings; Edit Route Map; Edit Route Map Entry; Address Pools; Add or Edit Address Pool; Add or Edit Static Address Translation Rule: Inside to Outside; Add or Edit Static Address Translation Rule: Outside to Inside; Add or Edit Dynamic Address Translation Rule: Inside to Outside; Add or Edit Dynamic Address Translation Rule: Outside to Inside; How Do I...
Signature Import Wizard Summary; Signatures; Assign Actions; Import Signatures; Add, Edit, or Clone Signature; Add or Edit a Signature Location; Cisco Intrusion Prevention Alert Center; IPS-Supplied Signature Definition Files; Global Settings; Edit Global Settings; SDEE Messages; SDEE Message Text; Network Module Management; IDS Network Module Management; IDS Sensor Interface IP Address; IP Address Determination; IDS NM Configuration Checklist; IDS NM Interface Monitor
Edit QoS Policy; Edit QoS Class; Add a Protocol; Interface Association; QoS Status; Network Admission Control; Create NAC Tab; Other Tasks in a NAC Implementation; Welcome; RADIUS Server; Select the Interface(s); NAC Exception List; Configure Exception List Entry Dialog; Policy List; Add Exception Policy; Agentless Host Policy; NAC Router Management Access; Open Interface ACL; Details Window; Summary of the configuration; Edit NAC Tab; EAPoUDP Components
Router Properties; Device Properties; Date and Time: Clock Properties; Date and Time Properties; NTP; Add or Edit NTP Server Details; SNTP; Add an NTP Server; Syslog; SNMP; Router Access; User Accounts: Configure User Accounts for Router Access; Add or Edit a Username; View Password; VTYs; Edit VTY Lines; Configure Management Access Policies; Add or Edit a Management Policy; Management Access Error Messages; SDM Warning: ANY Not Allowed; SDM Warning: Unsupported Acces
DNS Properties; Dynamic DNS Methods; Add or Edit Dynamic DNS Method; ACL Editor; Useful Procedures for Access Rules and Firewalls; Rules Windows; Add or Edit a Rule; Associate with an Interface; Add a Standard Rule Entry; Add an Extended Rule Entry; Select a Rule; Port-to-Application Mapping; Port-to-Application Mappings; Add or Edit Port Map Entry; Authentication, Authorization, and Accounting; AAA Main Window; AAA Servers and Groups; AAA Servers Window; Add or Edit
Router Provisioning; Router Provisioning from USB; Public Key Infrastructure; Certificate Wizards; Welcome to the SCEP Wizard; Certificate Authority (CA) Information; Advanced Options; Certificate Subject Name Attributes; Other Subject Attributes; RSA Keys; Summary; Enrollment Status; Cut and Paste Wizard Welcome; Enrollment Task; Enrollment Request; Continue with Unfinished Enrollment; Import CA certificate; Import Router Certificate(s); Digital Certificates
Open Firewall; Open Firewall Details; Resetting to Factory Defaults; This Feature Not Supported; More About...; IP Addresses and Subnet Masks; Host and Network Fields; Available Interface Configurations; DHCP Address Pools; Meanings of the Permit and Deny Keywords; Services and Ports; More About NAT; Static Address Translation Scenarios; Dynamic Address Translation Scenarios; Reasons that SDM Cannot Edit a NAT Rule; More About VPN; Cisco.
Firewall Policy Use Case Scenario; DMVPN Configuration Recommendations; SDM White Papers; Getting Started; What's New in this Release?; Cisco IOS Versions Supported; Viewing Router Information; Overview; Interface Status; VPN Status; Firewall Status; Application Security Log; NAC Status; Logging; File Menu Commands; Save Running Config to PC; Deliver Configuration to Router; Write to Startup Config; Reset to Factory Defaults; File Management; Rename; New Folder; Save S
Edit Menu Commands; Preferences; View Menu Commands; Home; Configure; Monitor; Running Config; Show Commands; SDM Default Rules; Refresh; Tools Menu Commands; Ping; Telnet; Security Audit; USB Token PIN Settings; Update SDM; Help Menu Commands; Help Topics; SDM on CCO; About this router...; About SDM
Chapter 1: Home Page
The home page supplies basic information about the router's hardware, software, and configuration. This page contains the following sections:
Host Name: The configured name of the router.
About Your Router: Shows basic information about your router hardware and software, and contains the following fields:
Hardware, Model Type: Shows the router model.
Software, IOS Version: The IOS version number.
Total Flash Capacity: Flash plus Webflash (if applicable).
Feature Availability: The features available in the Cisco IOS image the router is using are designated by a check. The features SDM checks for are IP, Firewall, VPN, IPS, and NAC.
More...: The More... link displays a popup window providing additional hardware and software details.
Up (n): The number of LAN and WAN connections that are up.
Down (n): The number of LAN and WAN connections that are down.
Double-arrow head: Click to display or hide details.
Total Supported LAN: The total number of LAN interfaces that are present in the router.
Total Supported WAN: The number of SDM-supported WAN interfaces that are present on the router.
Configured LAN Interface: The number of supported LAN interfaces currently configured on the router.
Firewall Policies: Active/Inactive, Trusted (n), Untrusted (n), DMZ (n).
Interface: The name of the interface to which a firewall has been applied.
Firewall Icon: Whether the interface is designated as an inside or an outside interface.
NAT: The name or number of the NAT rule applied to this interface.
Inspection Rule: The names or numbers of the inbound and outbound inspection rules.
Access Rule: The names or numbers of the inbound and outbound access rules.
Note
• Some VPN servers or concentrators authenticate clients using Extended Authentication (XAuth). This field shows the number of VPN tunnels awaiting an XAuth login. If any Easy VPN tunnel awaits XAuth login, a separate message panel is shown with a Login button. Clicking Login allows you to enter the credentials for the tunnel.
• If XAuth has been configured for a tunnel, the tunnel will not begin to function until the login and password have been supplied.
Chapter 2: LAN Wizard
The Cisco Router and Security Device Manager (SDM) LAN wizard guides you in the configuration of a LAN interface. The screen lists the LAN interfaces on the router. You can select any of the interfaces shown in the window, and click Configure to make the interface a LAN interface and configure it.
Ethernet Configuration
What Do You Want to Do?
If you want to: Configure or edit a LAN interface or LAN switch port.
Do this: Select the LAN interface or switch port in the list, and click Configure. If the interface has not been configured, or if you select a switch port, SDM will take you through a LAN wizard which you can use to configure the interface.
• A DHCP address pool if you decide to use DHCP on this interface
• The addresses of DNS and WINS servers on the WAN
• A domain name
LAN Wizard: Select an Interface
Select the interface on which you want to configure a LAN connection in this window. This window lists interfaces that can support Ethernet LAN configurations.
LAN Wizard: Enable DHCP Server
This screen lets you enable a DHCP server on your router. A DHCP server automatically assigns reusable IP addresses to the devices on the LAN. When a device becomes active on the network, the DHCP server grants it an IP address. When the device leaves the network, the IP address is returned to the pool for use by another device.
To enable a DHCP server on the router: Click Yes.
DHCP Options
Use this window to configure DHCP options that will be sent to hosts on the LAN that are requesting IP addresses from the router. These are not options for the router that you are configuring; they are parameters that will be sent to the requesting hosts on the LAN. To set these properties for the router itself, click Additional Tasks on the SDM category bar, click DHCP, and configure these settings in the DHCP Pools window.
LAN Wizard: VLAN Mode
This screen lets you determine the type of VLAN information that will be carried over the switch port. A switch port can be designated to be in access mode, in which case it forwards only data destined for the VLAN to which it is assigned, or in trunking mode, in which case it forwards data destined for all VLANs, including the VLAN to which it is assigned.
IRB Bridge
Include this VLAN in an IRB bridge that will form a bridge with your wireless network. (Use Wireless Application to complete.) If you check this box, the switch port will form part of a bridge with your wireless network. The other part of the bridge must be configured using the Wireless Application. The IP address and Subnet mask fields under New VLAN are disabled when this box is checked.
DHCP Pool for BVI
IP Address: Enter the IP address for the interface in dotted decimal format. Your network administrator should determine the IP addresses of LAN interfaces. For more information, see IP Addresses and Subnet Masks.
Net Mask: Enter the subnet mask. Obtain this value from your network administrator. The subnet mask enables the router to determine how much of the IP address is used to define the network portion and how much defines the host portion of the address.
IRB for Ethernet
If your router has a wireless interface, you can use Integrated Routing and Bridging to have this interface form part of a bridge to the wireless LAN, and enable traffic destined for the wireless network to be routed through this interface. Click Yes if you want to configure this Layer 3 interface for Integrated Routing and Bridging. If you do not want this interface to be used in a bridge to the wireless interface, click No.
Configure Switch Device Module
If you are configuring a Gigabit Ethernet interface for routing, you can provide information about the switch module in this window. Providing this information is optional. You can provide an IP address and subnet mask for the switch module, and the login credentials required to log on to the switch module interface.
How Do I...
Step 1 From the category bar, click Routing.
Step 2 In the Static Routing group, click Add.... The Add IP Static Route dialog box appears.
Step 3 In the Prefix field, enter the IP address of the static route destination network.
Step 4 In the Prefix Mask field, enter the subnet mask of the destination network.
Step 5 If you want this static route to be the default route, check the Make this as the Default Route check box.
Step 5 Click Start Monitoring to see statistics for all selected data items. The Interface Details screen appears, displaying the statistics you selected. The screen defaults to showing real-time data, for which it polls the router every 10 seconds. If the interface is up and data is being transmitted across it, you should see the number of packets and bytes transferred across the interface increase.
The next time you use a wizard to configure the router and click Finish on the Summary window, the Deliver window will appear. In this window you can view the commands that you are delivering to the router's configuration. Click Deliver when you are finished reviewing the commands. If you are editing a configuration, the Deliver window is displayed when you click OK in the dialog window.
Chapter 3: Create Connection Wizards
The Create Connection wizards let you configure LAN and WAN connections for all SDM-supported interfaces.
Create Connection
This window allows you to create new LAN and WAN connections.
Note: You cannot use SDM to create WAN connections for Cisco 7000 series routers.
Create a New Connection: Choose a connection type in this area of the window.
WAN Wizard Interface Welcome Window
The Other (Unsupported by SDM) radio button appears if an unsupported logical or physical interface exists, or if a supported interface exists that has been given an unsupported configuration. When you click this radio button, Create New Connection is disabled, and the reason the Other radio button appears is given in the Information box.
ISDN Wizard Welcome Window
PPP is the only type of encoding supported over ISDN BRI by SDM.
Analog Modem Welcome Window
PPP is the only type of encoding supported over an analog modem connection by SDM.
Aux Backup Welcome Window
The option to configure the AUX port as a dial-up connection is shown only for the Cisco 831 and 837 routers.
Select Interface
This window appears if there is more than one interface of the type you selected in the Create Connection window. Choose the interface that you want to use for this connection. If you are configuring an Ethernet interface, SDM inserts the description text $ETH-WAN$ in the configuration file so that it will recognize the interface as a WAN interface in the future.
IP Address: ATM with RFC 1483 Routing
Dynamic (DHCP Client): If you choose Dynamic, the router will lease an IP address from a remote DHCP server. Enter the name of the DHCP server that will assign addresses.
IP Unnumbered: Select IP Unnumbered if you want the interface to share an IP address that has already been assigned to another interface. Then, choose the interface whose IP address you want the interface that you are configuring to use.
IP Address: Ethernet without PPPoE
IP Unnumbered: Click IP Unnumbered if you want the interface to share an IP address that has already been assigned to another interface. Then, choose the interface whose IP address you want the interface that you are configuring to use.
Dynamic DNS: Enable dynamic DNS if you want to automatically update your DNS servers whenever the WAN interface's IP address changes. Click the Dynamic DNS button to configure dynamic DNS.
IP Address: Serial with HDLC or Frame Relay
Static IP Address: If you choose static IP address, enter the IP address and subnet mask or the network bits in the fields provided. For more information, refer to IP Addresses and Subnet Masks.
IP Unnumbered: Select IP Unnumbered if you want the interface to share an IP address that has already been assigned to another interface.
IP Address: ISDN BRI or Analog Modem
IP Unnumbered: Select IP Unnumbered if you want the interface to share an IP address that has already been assigned to another interface. Then, choose the interface whose IP address you want the interface that you are configuring to use.
Dynamic DNS: Enable dynamic DNS if you want to automatically update your DNS servers whenever the WAN interface's IP address changes. Click the Dynamic DNS button to configure dynamic DNS.
Authentication
This page is displayed if you enabled PPP for a serial connection, PPPoE or PPPoA encapsulation for an ATM or Ethernet connection, or if you are configuring an ISDN BRI or analog modem connection. Your service provider or network administrator may use a Challenge Handshake Authentication Protocol (CHAP) password or a Password Authentication Protocol (PAP) password to secure the connection between the devices.
Switch Type and SPIDs
ISDN Switch Type: Select the ISDN switch type. Contact your ISDN service provider for the switch type for your connection.
A SPID is usually a 7-digit telephone number with some optional numbers. However, service providers may use different numbering schemes. For the DMS-100 switch type, two SPIDs are assigned, one for each B channel.
SPID1: Enter the SPID for the first BRI B channel provided to you by your ISP.
SPID2: Enter the SPID for the second BRI B channel provided to you by your ISP.
Backup Configuration
Backup Configuration: Primary Interface & Next Hop IP Addresses
In order for the ISDN BRI or analog modem connection to act as a backup connection, it must be associated with another interface on the router that will act as the primary connection. The ISDN BRI or analog modem connection will be made only if the connection on the primary interface goes down.
Primary Interface: Select the router interface that will maintain the primary connection.
Advanced Options
There are two advanced options available, based on the router's configuration: Default static route, and Port Address Translation (PAT). If the Static Route option is not visible in the window, a static route has already been configured on the router. If the PAT option is not visible, PAT has already been configured on an interface.
Encapsulation
Autodetect: Click Autodetect to have SDM discover the encapsulation type. If SDM succeeds, it will automatically supply the encapsulation type and other configuration parameters it discovers.
Note: SDM supports autodetect on SB106, SB107, Cisco 836 and Cisco 837 routers. However, if you are configuring a Cisco 837 router and the router is running an IOS image of version 12.3(8)T or version 12.3(8.3)T, the autodetect feature is not supported.
The encapsulations available if you have a serial interface are shown in the following table.
Encapsulation: Frame Relay
Description: Provides Frame Relay encapsulation. This option is available when you have selected a serial interface. A serial subinterface will be created when you create a Frame Relay connection. This subinterface will be visible in the Summary window.
VCI: Enter the VCI value obtained from your service provider or system administrator. The virtual circuit identifier (VCI) is used in ATM switching and routing to identify a particular connection within a path that it may share with other connections.
Cisco IOS Default Values
The values shown in the following table are Cisco IOS defaults.
LMI Type: Description
ANSI: Annex D, defined by American National Standards Institute (ANSI) standard T1.617.
Cisco: LMI type defined jointly by Cisco Systems and three other companies.
ITU-T Q.933: ITU-T Q.933 Annex A.
Autosense: The default. This setting allows the router to detect which LMI type is being used by communicating with the switch, and then to use that type. If autosense fails, the router will use the Cisco LMI type.
Configure Clock Settings
T1 Framing: This field configures the T1 or E1 link for operation with D4 Super Frame (sf) or Extended Superframe (esf). The default is esf.
Line Code: This field configures the router for operation on binary 8-zeroes substitution (B8ZS) or alternate mark inversion (AMI) T1 lines. The b8zs setting ensures ones density on a T1 or E1 line by substituting intentional bipolar violations in bit positions 4 and 7 for a sequence of eight zero bits.
Line Build Out (LBO): This field is used to configure the Line Build Out (LBO) of the T1 link. The LBO decreases the transmit strength of the signal by -7.5 or -15 decibels. It is not likely to be needed on actual T1 or E1 lines. The default is none.
Remote Loopback Requests: This field specifies whether the router will go into loopback when a loopback code is received on the line.
Delete Connection
To view the associations that the connection has: Click View Details.
To delete the connection and all associations: Click Automatically delete all associations, and then click OK to cause SDM to delete the connection and all of its associations.
To manually delete the associations: Click View Details to see a list of the associations that this connection has.
• Crypto—A crypto map is applied to the interface on which the connection was created. To delete the crypto map, click Configure; then click Interfaces and Connections. Click the connection in the Interface List, then click Edit. Click the Association tab; then in the VPN group, in the IPSec Policy field, click None.
• EZVPN—An Easy VPN is applied to the interface on which the connection was created.
Connectivity testing and troubleshooting
Test the connectivity after configuring: Check this box if you want SDM to test the connection you have configured after it delivers the commands to the router. SDM will test the connection and report results in another window.
To save this configuration to the router's running configuration and leave this wizard: Click Finish. SDM saves the configuration changes to the router's running configuration.
3. Checks for DHCP and IPCP configurations on the interface.
4. Exits interface test.
5. Pings the destination.
SDM reports the results of each of these checks in the Activity/Status columns. If the ping succeeds, the connection is reported as successful. Otherwise the connection is reported down, and the test that failed is noted.
• the PPPoE tunnel status
• the PPP authentication status
After performing these checks, SDM reports the reason that the ping failed.
If the ping fails on an Ethernet with PPPoE encapsulation connection, SDM checks:
• the PPPoE tunnel status
• the PPP authentication status
After performing these checks, SDM reports the reason that the ping failed.
Activity: This column displays the troubleshooting activities.
Status: Displays the status of each troubleshooting activity by the following icons and text alerts: The connection is up. The connection is down. Test is successful. Test failed.
Reason: This box provides the possible reason(s) for the WAN interface connection failure.
Recommended action(s): This box provides a possible action or solution to rectify the problem.
How Do I...
This section contains procedures for tasks that the wizard does not help you complete.
How Do I View the IOS Commands I Am Sending to the Router?
See How Do I View the IOS Commands I Am Sending to the Router?
How Do I Configure an Unsupported WAN Interface?
SDM does not support configuration of every WAN interface that your router might support.
How Do I View Activity on My WAN Interface?
You can view activity on a WAN interface by using the Monitor feature in SDM. Monitor screens can display statistics about the WAN interface, including the number of packets and bytes that have been sent or received by the interface, and the number of send or receive errors that have occurred.
To display statistics about a WAN interface:
Step 1 From the toolbar, click Monitor.
The interface is added to the pool of interfaces using NAT.
Step 6 Review the Network Address Translation Rules in the NAT window. If you need to add, delete, or modify a rule, click the appropriate button on the NAT window to perform the configuration you need.
The Dynamic Routing dialog box appears, displaying the tab for the dynamic routing protocol you selected.
Step 5 Using the fields in the Dynamic Routing dialog box, configure the dynamic routing protocol. If you need an explanation for any of the fields in the dialog box, click Help.
Step 6 When you have finished configuring the dynamic routing protocol, click OK.
Step 4 Click Edit. The Connection tab appears.
Step 5 Click Options. The Edit Dialer Option dialog box appears.
Step 6 If you want the router to establish the connection only when it recognizes specific IP traffic, click the Filter traffic based on selected ACL radio button, and either enter a rule (ACL) number that will identify which IP traffic should cause the router to dial out, or click the ...
Step 3 Select the radio interface and click Edit. In the Connections tab, you can change the IP address or bridging information. If you want to change other wireless parameters, click Launch Wireless Application.
Chapter 4 Edit Interface/Connection

This window displays the router’s interfaces and connections. The window also enables you to add, edit, and delete connections, and to enable or disable connections. Add Clicking the Add button displays a drop-down menu. This menu will always have options to add a new loopback or tunnel interface, and if there are switch ports present on the router, this menu will have an option to add a new VLAN.
Chapter 4 Edit Interface/Connection Delete Selecting a connection and clicking Delete displays a dialog box informing you of the associations this connection has and asking you if you want to remove the associations along with the connection. You can delete just the connection, or the connection and all of its associations. Summary Clicking the Summary button hides the details about the connection, restricting the information to the IP address, Type, Slot, Status, and Description.
Chapter 4 Edit Interface/Connection If SDM is running on a Cisco 7000 router, you will be able to create a connection only on Ethernet and Fast Ethernet interfaces. IP Address This column can contain the following types of IP addresses: • The configured IP address of the interface. • DHCP Client—The interface receives an IP address from a Dynamic Host Configuration Protocol (DHCP) server. • IP address negotiated—The interface receives an IP address via negotiation with the remote device.
Item Name The name of the configuration item, such as IP address/Subnet mask, or IPSec policy. The actual items listed in this column depend on the type of interface selected. Item Value If the named item has a configured value, it is displayed in this column. Reset/Delete Reset is enabled when the selected physical interface has a configured connection. Delete is enabled when a supported logical interface, such as a loopback or tunnel, is selected.
Chapter 4 Edit Interface/Connection If you want to: Do this: Delete a logical interface. Select the interface you want to delete, and click Delete. Find out how to perform related configuration tasks.
Connection: Ethernet for IRB This dialog box contains the following fields if you selected Ethernet for IRB in the Configure list. Current Bridge Group/Associated BVI These read-only fields contain the current bridge group value and the current Bridge-Group Virtual Interface (BVI) name.
Chapter 4 Edit Interface/Connection Connection: Ethernet for Routing • Create a new dynamic DNS method. Click the drop-down menu and choose to create a new dynamic DNS method. To clear an associated dynamic DNS method from the interface, choose None from the drop-down menu. Connection: Ethernet for Routing This dialog box contains the following fields if you selected Ethernet for Routing in the Configure list. IP Address Enter an IP address and subnet mask in the IP Address fields.
Chapter 4 Edit Interface/Connection Connection: Ethernet for Routing Dynamic DNS Enable dynamic DNS if you want to automatically update your DNS servers whenever the WAN interface’s IP address changes. Note This feature appears only if supported by your Cisco server’s IOS. To choose a dynamic DNS method to use, do one of the following: • Enter the name of an existing dynamic DNS method.
Chapter 4 Edit Interface/Connection Connection: Ethernet for Routing HTTP HTTP is a dynamic DNS method type that updates a DNS service provider with changes to the associated interface’s IP address. Server If using HTTP, choose the domain address of the DNS service provider from the drop-down menu. Username If using HTTP, enter a username for accessing the DNS service provider. Password If using HTTP, enter a password for accessing the DNS service provider.
Chapter 4 Edit Interface/Connection Wireless Wireless If the router has a wireless interface, you can launch the Wireless Application from this tab. You can also launch the Wireless Application from the Tools menu by selecting Tools>Wireless Application. Association Use this window to view, create, edit, or delete associations between interfaces and rules or VPN connections. Interface The name of the interface you selected in the Interfaces and Connections window.
Chapter 4 Edit Interface/Connection Association When a rule is applied to outbound traffic on an interface, the rule filters traffic after it has entered the router but before it exits the interface. Any packet that the rule does not permit is dropped before it leaves the interface. Inspect Rule The names of inspection rules associated with this interface.
Chapter 4 Edit Interface/Connection NAT is Serial0/0, you would first select Tunnel3 in the Interfaces and Connections window, click Edit and associate the policy with it, and then click OK. Then you would select the Serial0/0 interface and associate the same policy with it. EzVPN If the interface is used in an Easy VPN connection, the name of the connection is shown here. Note An interface cannot be used in both a virtual private network (VPN) connection and an Easy VPN connection.
Chapter 4 Edit Interface/Connection General Mode Group Choose the type of VLAN information you want to be carried across this Ethernet switch port. Choosing Access causes the switch port to forward only data destined for the specific VLAN number. Choosing Trunking causes the switch port to forward data for all VLANs, including the VLAN data itself.
Description You can enter a short description in this field. This description will be visible in the Edit Interfaces and Connections window. A description can help others who might be less familiar with the router configuration to understand the purpose of the configuration. A description such as “Accounting,” or “Test Net 5” lets SDM users know without their having to examine details of the configuration.
Chapter 4 Edit Interface/Connection QoS IP Route Cache-Flow This option enables the Cisco IOS NetFlow feature. Using NetFlow, you can determine packet distribution, protocol distribution, and current flows of data on the router. This is valuable data, particularly when searching for the source of a spoofed IP address attack. IP Redirects ICMP redirect messages instruct an end node to use a specific router as its path to a particular destination.
Chapter 4 Edit Interface/Connection Select Ethernet Configuration Type Dissociate Current QoS Policy checkbox Enabled when a QoS policy is associated with the interface. Check to dissociate the currently associated policy from the interface. Associate an existing QoS policy checkbox Click to associate an existing policy, and then select the QoS policy from the list.
Chapter 4 Edit Interface/Connection Connection: Subinterfaces VLAN ID Enter the ID number of the new VLAN interface. If you are editing a VLAN interface, you cannot change the VLAN ID. Native VLAN Checkbox Check if this VLAN is a nontrunking VLAN. IP Address Fields IP Address Type Select whether this VLAN interface will have a static IP address or no IP address. This field is visible when VLAN only is selected in the Configure As field. IP Address Enter the IP address of the VLAN interface.
Chapter 4 Edit Interface/Connection Add or Edit BVI Interface In this example, FastEthernet1.5 is configured for routing, and FastEthernet1.3 is configured for IRB. Note You must choose the physical interface on which the subinterfaces are configured to display this window. For the example described, you would have to choose FastEthernet 1 to display this window. If you chose FastEthernet1.3 or FastEthernet1.5 and clicked edit, you would display the edit dialog with the information for that interface.
Chapter 4 Edit Interface/Connection Connection: Ethernet LAN Static IP Address If you selected Static IP address, enter that IP address in this field. Subnet Mask Enter the subnet mask in this field, or select the number of subnet bits from the field on the right. The subnet mask tells the router which bits of the IP address designate the network address and which bits designate the host address.
Chapter 4 Edit Interface/Connection Connection: Ethernet WAN IP Address of Remote DHCP Server If you clicked DHCP Relay, enter the IP address of the DHCP server that will provide addresses to devices on the LAN. Connection: Ethernet WAN This window lets you add an Ethernet WAN connection. Enable PPPoE Encapsulation Click this option if the connection must use PPPoE encapsulation. Your service provider can tell you whether the connection uses PPPoE.
Chapter 4 Edit Interface/Connection Ethernet Properties Authentication Click this button to enter CHAP/PAP authentication password information. Dynamic DNS Enable dynamic DNS if you want to automatically update your DNS servers whenever the WAN interface’s IP address changes. Note This feature appears only if supported by your Cisco server’s IOS. To choose a dynamic DNS method to use, do one of the following: • Enter the name of an existing dynamic DNS method.
Chapter 4 Edit Interface/Connection Connection: Ethernet with No Encapsulation IP Address Static IP Address Available with PPPoE encapsulation and with no encapsulation. If you choose static IP address, enter the IP address and subnet mask or the network bits in the fields provided. For more information, refer to IP Addresses and Subnet Masks. Dynamic (DHCP Client) Available with PPPoE encapsulation and with no encapsulation.
Chapter 4 Edit Interface/Connection Connection: ADSL • Dynamic IP address—If you choose Dynamic, the router will lease an IP address from a remote DHCP server. Then, enter the name or IP address of the DHCP server. Hostname If your service provider inserts a host name for the router into the DHCP response that contains the dynamic IP address, you can enter that name in this field for informational purposes.
Encapsulation Select the type of encapsulation that will be used for this link.
• PPPoE specifies Point-to-Point Protocol over Ethernet encapsulation.
• PPPoA specifies Point-to-Point Protocol over ATM encapsulation.
• RFC 1483 Routing (AAL5 SNAP) specifies that each PVC can carry multiple protocols.
• RFC 1483 Routing (AAL5 MUX) specifies that each PVC carry only one type of protocol.
Chapter 4 Edit Interface/Connection Connection: ADSL • Dynamic IP address—If you choose Dynamic, the router will lease an IP address from a remote DHCP server. Then, enter the name or IP address of the DHCP server. • Unnumbered IP address—Select IP unnumbered if you want the interface to share an IP address that has already been assigned to another interface. Then, select the interface whose IP address you want to share with the interface that you are configuring.
Chapter 4 Edit Interface/Connection Connection: ADSL over ISDN • Enter the name of an existing dynamic DNS method. Enter the name in the Dynamic DNS Method field exactly as it appears in the list in Configure > Additional Tasks > Dynamic DNS Methods. • Choose an existing dynamic DNS method from a list. Click the drop-down menu and choose to use an existing method. A window with a list of existing dynamic DNS methods will open.
Chapter 4 Edit Interface/Connection Connection: ADSL over ISDN If you are editing an existing connection, this field is disabled. If you need to change this value, delete the connection and recreate it using the value you need. Virtual Circuit Identifier The virtual circuit identifier (VCI) is used in ATM switching and routing to identify a particular connection within a path that it may share with other connections. Obtain this value from your service provider.
Chapter 4 Edit Interface/Connection Connection: G.SHDSL • auto—Configure the ADSL line after auto-negotiating with the DSLAM located at the Central Office. • etsi—European Telecommunications Standards Institute mode. • multimode—Mode chosen by firmware for best operating condition on digital subscriber line (DSL). The final mode can be either ETSI mode, or standard Annex-B mode depending on current DSLAM setting.
Encapsulation Select the type of encapsulation that will be used for this link.
• PPPoE specifies Point-to-Point Protocol over Ethernet encapsulation.
• PPPoA specifies Point-to-Point Protocol over ATM encapsulation.
• RFC 1483 Routing (AAL5 SNAP) specifies that each PVC can carry multiple protocols.
• RFC 1483 Routing (AAL5 MUX) specifies that each PVC carry only one type of protocol.
Chapter 4 Edit Interface/Connection Connection: G.SHDSL Static IP address If you select Static IP address, enter the address that the interface will use, and the subnet mask, or the network bits. Obtain this information from your service provider or network administrator. For more information, refer to IP Addresses and Subnet Masks. Dynamic IP address If you select Dynamic IP address, the interface will obtain an IP address from a DHCP server on the network.
Chapter 4 Edit Interface/Connection Connection: G.SHDSL Annex A (U.S.) Configures the regional operating parameters for North America. Annex B (Europe) Configures the regional operating parameters for Europe. Authentication Click this button if you need to enter CHAP or PAP authentication information. Dynamic DNS Enable dynamic DNS if you want to automatically update your DNS servers whenever the WAN interface’s IP address changes.
Configure DSL Controller SDM supports the configuration of the Cisco WIC-1SHDSL-V2. This WIC supports T1, E1, or a G.SHDSL connection over an ATM interface. SDM only supports a G.SHDSL connection using the ATM interface. This window lets you set the controller mode on the WIC to ATM, enabling a G.SHDSL connection, and lets you create or edit DSL controller information for the G.SHDSL connection.
Chapter 4 Edit Interface/Connection Configure DSL Controller If you have selected a 4-wire connection, you must select a fixed line rate.
Chapter 4 Edit Interface/Connection Connection: G.SHDSL with DSL Controller in this field and click Edit. This also will display the Connection: G.SHDSL with DSL Controller page, letting you edit the connection configuration. To delete a connection, select the connection in this field, and click Delete. Connection: G.SHDSL with DSL Controller This window enables you to create or edit a G.SHDSL connection. Encapsulation Select the type of encapsulation that will be used for this link.
Chapter 4 Edit Interface/Connection Connection: G.SHDSL with DSL Controller IP Address Select how the router will obtain an IP address for this link. The fields that appear in this area change according to the encapsulation type chosen. Your service provider or network administrator must tell you the method the router should use to obtain an IP address. Static IP address If you select Static IP address, enter the address that the interface will use, and the subnet mask, or the network bits.
Chapter 4 Edit Interface/Connection Connection: Serial Interface, Frame Relay Encapsulation Enter the name in the Dynamic DNS Method field exactly as it appears in the list in Configure > Additional Tasks > Dynamic DNS Methods. • Choose an existing dynamic DNS method from a list. Click the drop-down menu and choose to use an existing method. A window with a list of existing dynamic DNS methods will open. This menu choice is available only if there are existing dynamic DNS methods.
Chapter 4 Edit Interface/Connection Connection: Serial Interface, Frame Relay Encapsulation Subnet Mask If you selected Static IP address, enter the subnet mask. The subnet mask specifies the portion of the IP address that provides the network address. This value is synchronized with the subnet bits. Your network administrator or Internet service provider provides the value of the subnet mask or the network bits.
Chapter 4 Edit Interface/Connection Connection: Serial Interface, Frame Relay Encapsulation Autosense Default. This setting allows the router to detect which LMI type is being used by communicating with the switch and to then use that type. If autosense fails, the router will use the Cisco LMI type. Use IETF Frame Relay Encapsulation Check this box to use Internet Engineering Task Force (IETF) encapsulation. This option is used with connecting to non-Cisco routers.
Chapter 4 Edit Interface/Connection Connection: Serial Interface, PPP Encapsulation To clear an associated dynamic DNS method from the interface, choose None from the drop-down menu. Connection: Serial Interface, PPP Encapsulation Complete these fields if you are configuring a serial interface for Point-to-Point Protocol encapsulation. If you are editing a connection or creating a connection in the Edit Interfaces and Connections window, the encapsulation is shown, but not editable.
Chapter 4 Edit Interface/Connection Connection: Serial Interface, PPP Encapsulation Authentication Click this button if you need to enter CHAP or PAP authentication information. Clock Settings In most cases, clock settings should not be changed from the default values. If you know that your requirements are different from the defaults, click this button and make new clock settings in the window displayed. The clock settings button will only appear if you are configuring a T1 or E1 serial connection.
Connection: Serial Interface, HDLC Encapsulation Fill out these fields if you are configuring a serial interface for HDLC encapsulation. If you are editing a connection or creating a connection in the Edit Interfaces and Connections window, the encapsulation is shown, but not editable. If you need to change the encapsulation type, delete the connection, and recreate it, using the encapsulation type you need.
The clock settings button will only appear if you are configuring a T1 or E1 serial connection. Dynamic DNS Enable dynamic DNS if you want to automatically update your DNS servers whenever the WAN interface’s IP address changes. Note This feature appears only if supported by your Cisco server’s IOS. To choose a dynamic DNS method to use, do one of the following: • Enter the name of an existing dynamic DNS method.
Tunnel Source Select the interface that the tunnel will use. This interface must be reachable from the other end of the tunnel; therefore, it must have a public, routable IP address. Tunnel Destination The tunnel destination is the interface on the router at the other end of the tunnel. Select whether you will specify an IP address or a host name, and then enter that information.
Chapter 4 Edit Interface/Connection Connection: ISDN BRI Connection: ISDN BRI Complete these fields if you are configuring an ISDN BRI connection. Because SDM supports only PPP encapsulation over an ISDN BRI connection, the encapsulation shown is not editable. Encapsulation PPP selected. ISDN Switch Type Select the ISDN switch type. Contact your ISDN service provider for the switch type for your connection.
Chapter 4 Edit Interface/Connection Connection: ISDN BRI Some service providers use SPIDs to define the services subscribed to by the ISDN device that is accessing the ISDN service provider. The service provider assigns the ISDN device one or more SPIDs when you first subscribe to the service.
Chapter 4 Edit Interface/Connection Connection: ISDN BRI Subnet Mask Enter the subnet mask. The subnet mask specifies the portion of the IP address that provides the network address. This value is synchronized with the network bits. Obtain the value of the subnet mask or the network bits from your network administrator or Internet service provider. Subnet Bits Alternatively, enter the network bits to specify how many bits in the IP address provide the network address.
Chapter 4 Edit Interface/Connection Connection: Analog Modem Connection: Analog Modem Complete these fields if you are configuring an analog modem connection. Because SDM supports only PPP encapsulation over an analog modem connection, the encapsulation shown is not editable. Encapsulation PPP selected. Remote Phone Number Enter the phone number of the destination of the analog modem connection.
Chapter 4 Edit Interface/Connection Connection: Analog Modem Subnet Mask Enter the subnet mask. The subnet mask specifies the portion of the IP address that provides the network address. This value is synchronized with the network bits. Obtain the value of the subnet mask or the network bits from your network administrator or Internet service provider. Subnet Bits Alternatively, enter the network bits to specify how many bits in the IP address provide the network address.
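Several connection windows in this chapter (Ethernet LAN, Frame Relay, ISDN BRI and Analog Modem) describe the subnet mask and the network bits as two views of the same value that SDM keeps synchronized. The following Python script is an added example, not part of this guide or of SDM; it converts between the two forms, rejects masks that are not a contiguous run of ones (a wildcard mask typed by mistake, for instance), and shows which part of a static address is the network and which the host. The addresses in it are constructed for illustration.

```python
"""Subnet mask and network bits helpers.

Added example, not part of the SDM guide. Pure standard library, so it runs
offline. Addresses below are constructed for illustration.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def mask_from_bits(bits: int) -> str:
    """Return the dotted subnet mask for a network-bits value (0..32)."""
    if not 0 <= bits <= 32:
        raise ValueError(f"network bits must be 0..32, got {bits}")
    return str(ipaddress.IPv4Network(f"0.0.0.0/{bits}").netmask)


def bits_from_mask(mask: str) -> int:
    """Return the network-bits value for a dotted subnet mask.

    Only contiguous masks (ones followed by zeros) are accepted; a mask such as
    255.0.255.0, or a wildcard such as 0.0.0.255 typed by mistake, is rejected
    rather than silently converted.
    """
    m = int(ipaddress.IPv4Address(mask))
    inverted = (~m) & ALL_ONES           # the host portion as a bit pattern
    if inverted & (inverted + 1):        # contiguous iff inverted == 2**k - 1
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return 32 - inverted.bit_length()


def is_valid_mask(mask: str) -> bool:
    """True if the mask is a contiguous subnet mask SDM would accept."""
    try:
        bits_from_mask(mask)
        return True
    except ValueError:
        return False


def describe(ip: str, mask_or_bits) -> dict:
    """Split an address into network and host parts, given a mask or bits."""
    if isinstance(mask_or_bits, str) and "." in mask_or_bits:
        bits = bits_from_mask(mask_or_bits)
    else:
        bits = int(mask_or_bits)
    iface = ipaddress.IPv4Interface(f"{ip}/{bits}")
    net = iface.network
    # /31 links (RFC 3021) and /32 have no reserved network/broadcast address.
    if bits >= 31:
        usable_hosts = net.num_addresses
        usable = True
    else:
        usable_hosts = net.num_addresses - 2
        usable = iface.ip not in (net.network_address, net.broadcast_address)
    return {
        "address": str(iface.ip),
        "network_bits": bits,
        "subnet_mask": mask_from_bits(bits),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "host_bits": 32 - bits,
        "usable_hosts": usable_hosts,
        "usable_as_host_address": usable,
    }


if __name__ == "__main__":
    # Constructed sample: the DMZ address range the guide uses as its example.
    for key, value in describe("172.20.1.1", "255.255.255.0").items():
        print(f"{key:>22}: {value}")
```

The contiguity check is the useful part: the standard library would accept `0.0.0.255` as a host mask and quietly turn it into `/24`, which is exactly the kind of typo a static-address form should refuse.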
Connection: (AUX Backup) Complete these fields if you are configuring an asynchronous dial-up connection using the console port to double as an AUX port on a Cisco 831 or 837. Once you have entered the information on this screen, click Backup Details and enter dial-backup information, which is required for this type of connection.
Chapter 4 Edit Interface/Connection Connection: (AUX Backup) Clear Line Click this button to clear the line. You should clear the line after creating an async connection so that interesting traffic triggers the connection. IP Address Select either Static IP address, IP Unnumbered or IP Negotiated. If you select Specify an IP address, complete the fields below. IP Address Enter the IP address for this point-to-point subinterface. Obtain this value from your network administrator or service provider.
Chapter 4 Edit Interface/Connection Authentication Dynamic DNS Enable dynamic DNS if you want to automatically update your DNS servers whenever the WAN interface’s IP address changes. Note This feature appears only if supported by your Cisco server’s IOS. To choose a dynamic DNS method to use, do one of the following: • Enter the name of an existing dynamic DNS method. Enter the name in the Dynamic DNS Method field exactly as it appears in the list in Configure > Additional Tasks > Dynamic DNS Methods.
Chapter 4 Edit Interface/Connection SPID Details CHAP authentication is more secure than PAP authentication. Login Name The login name is given to you by your Internet service provider and is used as the username for CHAP/PAP authentication. Password Enter the password exactly as given to you by your service provider. Passwords are case sensitive. For example, the password cisco is not the same as Cisco. Reenter Password Reenter the same password that you entered in the previous box.
Chapter 4 Edit Interface/Connection Dialer Options SPID2 Enter the SPID to the second BRI B Channel provided to you by your ISP. Dialer Options Both ISDN BRI and analog modem interfaces can be configured for Dial-on-Demand Routing (DDR), which causes the connection to dial out and become active only under specified circumstances, thus saving connection time and cost. This screen lets you configure options about when ISDN BRI or analog modem connections should be initiated and ended.
Idle timeout Enter the number of seconds that will be allowed to pass before an idle connection (one that has no traffic passing over it) will be terminated. Fast idle timeout The fast idle timeout sets the maximum number of seconds that a contended connection (one that another call is waiting to use) can go without interesting traffic before it is terminated and the competing connection is made.
Chapter 4 Edit Interface/Connection Backup Configuration Backup Configuration ISDN BRI and analog modem interfaces can be configured to work as backup interfaces to other, primary interfaces. In that case, an ISDN or analog modem connection will be made only if the primary interface goes down for some reason. Should the primary interface and connection go down, the ISDN or analog modem interface will immediately dial out and try to establish a connection so that network services are not lost.
Chapter 4 Edit Interface/Connection Backup Configuration Next Hop Forwarding These fields are optional. You can enter the IP address to which the primary and backup interfaces will connect when they are active. This is known as the next hop IP address. If you do not enter next hop IP addresses, SDM will configure static routes using the interface name.
Chapter 5 Create Firewall

A firewall is a set of rules used to protect the resources of your LAN. These rules filter the packets arriving at the router. If a packet does not meet the criteria specified in the rule, it is dropped. If it does meet the criteria, it is allowed to pass through the interface that the rule is applied to. This wizard enables you to create a firewall for your LAN by answering prompts in a set of screens. In this window, select the type of firewall that you want to create.
Advanced Firewall Click this if you want SDM to lead you through the steps of configuring a firewall. You have the option to create a DMZ network, and to specify an inspection rule. The use case scenario shown when you select this option shows you a typical configuration for an Internet firewall. What Do You Want to Do? If you want to: Do this: Have SDM create a firewall for me. Click Basic Firewall. Then, click Launch the Selected Task.
Chapter 5 Create Firewall If you want to: Do this: Have SDM help me create an Advanced Firewall. Select Advanced Firewall. Then, click Launch the Selected Task. If your router has multiple inside and outside interfaces, and you want to configure a DMZ, you should select this option. SDM will show you the default inspection rule and allow you to use it in the firewall. Or, you can create your own inspection rule.
Chapter 5 Create Firewall Basic Firewall Configuration Wizard Basic Firewall Configuration Wizard SDM will protect the LAN with a default firewall when you select this option. For SDM to do this, you must specify the inside and outside interfaces in the next window. Click Next to begin configuration. Basic Firewall Interface Configuration Identify the interfaces on the router so that the firewall will be applied to the correct interface.
Chapter 5 Create Firewall Advanced Firewall Configuration Wizard Source Host/Network If you want to allow a single host access through the firewall, choose Host Address and enter the IP address of a host. Choose Network Address and enter the address of a network and a subnet mask to allow hosts on that network access through the firewall. The host or network must be accessible from the interfaces that you specified. Choose Any to exempt any host connected to the specified interfaces from NAC validation.
Chapter 5 Create Firewall Advanced Firewall Configuration Wizard Advanced Firewall DMZ Service Configuration This window allows you to view rule entries that specify which services available inside the DMZ you want to make available through the router’s outside interfaces. Traffic of the specified service types will be allowed through the outside interfaces into the DMZ network. DMZ Service Configuration This area shows the DMZ service entries configured on the router.
Chapter 5 Create Firewall Advanced Firewall Configuration Wizard DMZ Service Configuration Create or edit a DMZ service entry in this window. Host IP Address Enter the address range that will specify the hosts in the DMZ that this entry applies to. The firewall will allow traffic for the specified TCP or UDP service to reach these hosts. Start IP Address Enter the first IP address in the range; for example, 172.20.1.1.
traffic onto the network. These rules cause the router to examine outgoing packets for specified types of traffic. Traffic arriving at the outside interface is compared against the traffic types in the inspection rule, and allowed onto the network if it is associated with a session started on the LAN and is of a type specified in the inspection rules.
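To make the behaviour described above concrete, the following Python script is an added example, not part of this guide or of Cisco IOS. It models an outside interface whose inbound access rule denies everything, plus an inspection rule that remembers sessions opened from the LAN so that only their return traffic is admitted. The protocol table, addresses and ports are constructed; real IOS inspection also tracks TCP state and idle timers, which this model reduces to an explicit close.

```python
"""Simulation of what an inspection rule does with outbound and return traffic.

Added example, not part of the SDM guide or of Cisco IOS; it models the
behaviour the wizard describes so that the effect of the inspection rule
can be checked. Protocol table, addresses and ports are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed mapping from inspection-rule protocol names to (transport, port).
INSPECTABLE: Dict[str, Tuple[str, int]] = {
    "http": ("tcp", 80),
    "https": ("tcp", 443),
    "smtp": ("tcp", 25),
    "dns": ("udp", 53),
}


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self) -> "Packet":
        """The packet a remote host sends back for this one."""
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport)


class InspectionFirewall:
    """Outside interface with 'deny everything' inbound and an inspection rule."""

    def __init__(self, inspect_rule: List[str]) -> None:
        self.inspected: Set[Tuple[str, int]] = {INSPECTABLE[p] for p in inspect_rule}
        self.sessions: Set[Packet] = set()   # sessions opened from the LAN

    def outbound(self, pkt: Packet) -> str:
        """LAN traffic leaving through the outside interface."""
        if (pkt.proto, pkt.dport) in self.inspected:
            self.sessions.add(pkt)        # remember it so the reply can return
            return "inspected"
        return "forwarded"                # leaves, but no return path is opened

    def inbound(self, pkt: Packet) -> str:
        """Traffic arriving at the outside interface from the Internet."""
        if pkt.reply() in self.sessions:  # reply() of a reply is the original
            return "permit"
        return "deny"                     # the static inbound rule denies the rest

    def close(self, pkt: Packet) -> None:
        """Session ended (FIN/RST or idle timeout): return path closes again."""
        self.sessions.discard(pkt)


def demo() -> Dict[str, str]:
    """Walk through the cases the wizard text describes; returns the verdicts."""
    fw = InspectionFirewall(["http", "dns"])
    web = Packet("tcp", "192.168.0.10", 40001, "203.0.113.80", 80)
    telnet = Packet("tcp", "192.168.0.10", 40002, "203.0.113.80", 23)
    unsolicited = Packet("tcp", "203.0.113.80", 80, "192.168.0.10", 40003)
    results = {
        "web request out": fw.outbound(web),
        "web reply in": fw.inbound(web.reply()),
        "unsolicited in": fw.inbound(unsolicited),
        "telnet out": fw.outbound(telnet),
        "telnet reply in": fw.inbound(telnet.reply()),
    }
    fw.close(web)
    results["web reply after close"] = fw.inbound(web.reply())
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:<24} {verdict}")
```

The telnet case is the one worth noticing: a protocol that the inspection rule does not list still leaves the router, but its replies are dropped by the inbound rule, so the inspection rule must name every application the LAN is expected to use.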
Chapter 5 Create Firewall Advanced Firewall Configuration Wizard If you want to: Do this: Examine an existing inspection rule. Select the rule name from the Inspection Rule Name list. The inspection rule entries appear in the box below. Edit an existing inspection rule. Select the rule name from the Inspection Rule Name list, and click Edit. Then, edit the rule in the Inspection Rule Information window. Create a new inspection rule.
Domain Name Server Configuration The router must be configured with the IP address of at least one DNS server for application security to work. Click Enable DNS-based hostname-to-address translation, and provide the IP address of the primary DNS server. If a secondary DNS server is available, enter its IP address in the Secondary DNS Server field.
• Apply access rule to the inbound direction to permit IPSec tunnel traffic if necessary.
• Apply access rule to the inbound direction to deny spoofing traffic.
• Apply access rule to the inbound direction to deny traffic sourced from broadcast, local loopback and private addresses.
• Apply access rule to the inbound direction to deny all other traffic.
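The list above gives the order in which the inbound access rule on the outside interface should be built. The following Python script is an added example, not part of this guide or of Cisco IOS; it builds the entries in that order, renders them as numbered extended access-list lines and evaluates sample packets against them, so the effect of the ordering can be checked before the rule is applied. The inside network, outside address and VPN peer are constructed; IKE on UDP 500 and NAT-T on UDP 4500 are the IPSec tunnel ports the ACL excerpt later in this section refers to as isakmp and non500-isakmp. Return traffic for LAN sessions is not covered here; the inspection rule admits that dynamically.

```python
"""Inbound access rule for the outside interface, in the order the guide lists.

Added example, not part of the SDM guide or of Cisco IOS. It builds the entries,
renders them as IOS access-list lines and evaluates sample packets so the order
can be checked. Inside network, outside address and VPN peer are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
ANY = IPv4Net("0.0.0.0/0")


@dataclass(frozen=True)
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: IPv4Net
    dst: IPv4Net
    dport: Optional[int]   # destination port for tcp/udp, None for any
    remark: str


# Source addresses that must never arrive from the Internet.
BOGON_SOURCES = [
    ("255.255.255.255/32", "limited broadcast source"),
    ("0.0.0.0/8", "'this network' source"),
    ("127.0.0.0/8", "local loopback source"),
    ("10.0.0.0/8", "RFC 1918 private source"),
    ("172.16.0.0/12", "RFC 1918 private source"),
    ("192.168.0.0/16", "RFC 1918 private source"),
]


def build_inbound_acl(inside_net: str, outside_addr: str,
                      vpn_peer: Optional[str] = None) -> List[Entry]:
    """Entries in the order the guide recommends; first match wins in IOS."""
    inside = IPv4Net(inside_net)
    local = IPv4Net(f"{outside_addr}/32")
    acl: List[Entry] = []
    if vpn_peer:   # IPsec tunnel traffic: IKE on UDP 500, NAT-T on UDP 4500
        peer = IPv4Net(f"{vpn_peer}/32")
        acl.append(Entry("permit", "udp", peer, local, 500, "IKE from VPN peer"))
        acl.append(Entry("permit", "udp", peer, local, 4500, "IKE NAT-T from VPN peer"))
    acl.append(Entry("deny", "ip", inside, ANY, None,
                     "anti-spoofing: inside addresses never arrive from outside"))
    for net, why in BOGON_SOURCES:
        acl.append(Entry("deny", "ip", IPv4Net(net), ANY, None, why))
    acl.append(Entry("deny", "ip", ANY, ANY, None, "deny all other traffic"))
    return acl


def evaluate(acl: List[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, int]:
    """Return (action, index of the matching entry); -1 is the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for i, e in enumerate(acl):
        if e.proto != "ip" and e.proto != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, i
    return "deny", -1


def _ios_addr(net: IPv4Net) -> str:
    """IOS address syntax: host x.x.x.x, any, or network plus wildcard mask."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    if net.prefixlen == 0:
        return "any"
    return f"{net.network_address} {net.hostmask}"


def to_ios(acl: List[Entry], number: int = 105) -> List[str]:
    """Render the entries as numbered extended access-list lines."""
    lines: List[str] = []
    for e in acl:
        lines.append(f"access-list {number} remark {e.remark}")
        line = f"access-list {number} {e.action} {e.proto} {_ios_addr(e.src)} {_ios_addr(e.dst)}"
        if e.dport is not None:
            line += f" eq {e.dport}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    acl = build_inbound_acl("192.168.0.0/24", "203.0.113.10", "198.51.100.5")
    print("\n".join(to_ios(acl)))
    print(evaluate(acl, "tcp", "192.168.0.7", "203.0.113.10", 80))   # spoofed
```

Because IOS stops at the first match, the VPN permits must come before the private-address denies: with an RFC 1918 inside network, swapping the order would block the tunnel, and `evaluate` makes that visible by reporting which entry fired.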
Chapter 5 Create Firewall How Do I... How Do I View Activity on My Firewall? Activity on your firewall is monitored through the creation of log entries. If logging is enabled on the router, whenever an access rule that is configured to generate log entries is invoked—for example, if a connection were attempted from a denied IP address—then a log entry is generated and can be viewed in Monitor mode. Enable Logging The first step to viewing firewall activity is to enable logging on the router.
Chapter 5 Create Firewall How Do I... The Edit a Rule dialog box appears. Step 5 The Rule Entry field shows each of the source IP/destination IP/service combinations that are permitted or denied by the rule. Click the rule entry that you want to configure to generate log entries. Step 6 Click Edit. Step 7 In the rule entry dialog box, check the Log Matches Against this Entry check box. Step 8 Click OK to close the dialog boxes you have displayed.
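Once logging is enabled and a rule entry is set to log matches, the router emits a syslog line for each match. The following Python script is an added example, not part of this guide or of SDM; it parses the `%SEC-6-IPACCESSLOG*` message variants that Cisco IOS produces for extended (P, DP, NP) and standard (S) access-list matches and totals the denied packets by source and by destination service, which is what you would look at when asking who is being blocked. The log lines in it are constructed samples using documentation address ranges.

```python
"""Parse the log entries that logged access-rule matches produce.

Added example, not part of the SDM guide. The syslog lines below are
constructed samples in the %SEC-6-IPACCESSLOG* format Cisco IOS uses for
access-list log matches; the addresses are documentation ranges.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

SAMPLE_LOG = """\
*Mar  1 00:12:31.457: %SEC-6-IPACCESSLOGP: list 105 denied tcp 203.0.113.9(4312) -> 192.168.0.1(23), 1 packet
*Mar  1 00:12:35.101: %SEC-6-IPACCESSLOGP: list 105 denied tcp 203.0.113.9(4313) -> 192.168.0.1(22), 1 packet
*Mar  1 00:13:02.880: %SEC-6-IPACCESSLOGDP: list 105 denied icmp 198.51.100.7 -> 192.168.0.1 (8/0), 3 packets
*Mar  1 00:13:40.004: %SEC-6-IPACCESSLOGP: list 105 permitted udp 198.51.100.20(500) -> 192.168.0.1(500), 1 packet
*Mar  1 00:14:11.239: %SEC-6-IPACCESSLOGS: list 10 denied 10.0.0.5 1 packet
*Mar  1 00:14:50.512: %SYS-5-CONFIG_I: Configured from console by vty0
"""

# Message envelope: variant suffix, list name/number, action, body, packet count.
ENVELOPE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>DP|NP|P|S): list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<body>.+?),? (?P<count>\d+) packets?\s*$"
)

# Body layout per variant: P = tcp/udp with ports, DP = icmp with type/code,
# NP = other IP protocols, S = standard list (source address only).
BODIES = {
    "P": re.compile(r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
                    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\)"),
    "DP": re.compile(r"(?P<proto>icmp) (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
                     r"\((?P<icmp_type>\d+)/(?P<icmp_code>\d+)\)"),
    "NP": re.compile(r"(?P<proto>\w+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+)"),
    "S": re.compile(r"(?P<src>[\d.]+)"),
}
INT_FIELDS = ("sport", "dport", "icmp_type", "icmp_code", "count")


def parse_line(line: str) -> Optional[Dict]:
    """Return a record for an access-list log line, or None for anything else."""
    env = ENVELOPE.search(line)
    if not env:
        return None
    body = BODIES[env["kind"]].fullmatch(env["body"])
    if not body:
        return None
    rec: Dict = {"acl": env["acl"], "action": env["action"], "count": env["count"]}
    rec.update(body.groupdict())
    for field in INT_FIELDS:
        if field in rec:
            rec[field] = int(rec[field])
    return rec


def parse_log(text: str) -> List[Dict]:
    """Parse every line, silently skipping messages that are not ACL matches."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def denied_by_source(records: List[Dict]) -> Counter:
    """Denied packet totals per source address, the usual first question."""
    totals: Counter = Counter()
    for r in records:
        if r["action"] == "denied":
            totals[r["src"]] += r["count"]
    return totals


def denied_services(records: List[Dict]) -> Counter:
    """Denied packet totals per (protocol, destination port) for tcp/udp."""
    totals: Counter = Counter()
    for r in records:
        if r["action"] == "denied" and "dport" in r:
            totals[(r["proto"], r["dport"])] += r["count"]
    return totals


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("denied by source :", dict(denied_by_source(records)))
    print("denied services  :", dict(denied_services(records)))
```

IOS aggregates repeated matches, so the packet count at the end of each line must be summed rather than counting lines; the ICMP sample above represents three packets, not one.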
To verify that the connection is working, verify that the interface status is “Up” in the Interfaces and Connections window. The following is an excerpt showing the configuration for an ISDN interface on a Cisco 3620 router:

!
isdn switch-type basic-5ess
!
interface BRI0/0
! This is the data BRI WIC
ip unnumbered Ethernet0/0
no ip directed-broadcast
encapsulation ppp
no ip mroute-cache
dialer map ip 100.100.100.
access-list 105 permit udp host 123.3.4.5 host 192.168.0.1 eq isakmp
access-list 105 permit udp host 123.3.4.5 host 192.168.0.1 eq non500-isakmp

How Do I Permit Specific Traffic Through a DMZ Interface? Follow the steps below to configure access through your firewall to a web server on a DMZ network: Step 1 From the left frame, select Firewall and ACL. Step 2 Select Advanced Firewall. Step 3 Click Launch the Selected Task. Step 4 Click Next.
How Do I Modify an Existing Firewall to Permit Traffic from a New Network or Host?
You can use the Edit Firewall Policy tab to modify your firewall configuration to permit traffic from a new network or host.
Step 1 From the left frame, select Firewall and ACL.
Step 2 Click the Edit Firewall Policy tab.
Step 3 In the traffic selection panel select a From interface and a To interface to specify the traffic flow to which the firewall has been applied, and click Go.
How Do I Configure NAT Passthrough for a Firewall?
If you have configured NAT and are now configuring your firewall, you must configure the firewall so that it permits traffic from your public IP address. To do this you must configure an ACL. To configure an ACL permitting traffic from your public IP address:
Step 1 From the left frame, select Additional Tasks.
Step 2 In the Rules tree, select ACL Editor and then Access Rules.
Step 3 Click Add.
Step 1 From the left frame, select Additional Tasks.
Step 2 In the Rules tree, select ACL Editor and then Access Rules.
Step 3 Click Add. The Add a Rule dialog box appears.
Step 4 In the Name/Number field, enter a unique name or number for this rule.
Step 5 In the Description field, enter a description of the rule, such as “VPN Concentrator Traffic.”
Step 6 Click Add. The Add an Extended Rule Entry dialog box appears.
How Do I Associate a Rule with an Interface?
If you use the SDM Firewall wizard, the access and inspection rules that you create are automatically associated with the interface for which you created the firewall. If you are creating a rule in Additional Tasks/ACL Editor, you can associate it with an interface from the Add or Edit a Rule window. If you do not associate it with an interface at that time, you can still do so later.
Step 5 Click in the inbound or outbound field, and then click the button to the right.
Step 6 Click None (clear rule association).
Step 7 Click OK.
How Do I Delete a Rule That Is Associated with an Interface?
SDM does not allow you to delete a rule that is associated with an interface; you must first remove the association between the rule and the interface, and then delete the access rule.
Step 1 If you are at the Inspection Rules window, and you have clicked Java List, click the button to the right of the Number field and click Create a new rule (ACL) and select. The Add a Rule window opens. If you are at the Access Rules window, click Add to open the Add a Rule window.
Step 2 From the Add a Rule window, create a standard access rule that permits traffic from the addresses you trust. For example, if you wanted to permit Java applets from hosts 10.
Step 2 Click Edit Firewall Policy/ACL.
Step 3 To display the access rule you need to modify, select the outside (untrusted) interface as the From interface, and the inside (trusted) interface as the To interface. The access rule applied to inbound traffic on the untrusted interface is displayed.
Step 4 To allow a particular type of traffic onto the network that is not already allowed, click Add in the Service area.
Chapter 6 Firewall Policy

The Firewall Policy feature lets you view and modify firewall configurations—access rules, and/or CBAC inspection rules—in the context of the interfaces whose traffic they filter. Using a graphical representation of the router and its interfaces, you can select different interfaces on the router and see whether an access rule or an inspection rule has been applied to that interface.
Chapter 6 Firewall Policy Edit Firewall Policy/ACL

3. Come to the Firewall Policy window to edit the firewall policy you created. After configuring LAN and WAN interfaces and creating a firewall, you can open this window and get a graphical representation of the policy in a traffic flow. You can view the access rule and inspection rule entries and make any necessary changes.
From—Select the interface from which the traffic flow you are interested in originates. The firewall will protect the network connected to the From interface. The From list contains only interfaces with configured IP addresses.
To—Select the interface out of which the traffic will leave the router. The To list contains only interfaces with configured IP addresses.
Details button. Click to view details about the interface.
Originating Traffic—Click this to highlight the part of the diagram that represents the traffic flow that enters the router at the From interface and exits the router at the To interface. When this area is highlighted, you can see the details of the rules applied in the direction of traffic flow.
Returning Traffic—Click this to highlight the part of the diagram that represents returning traffic.
Rules applied to Originating traffic are indicated by a right arrow. An icon on the From interface traffic line indicates the presence of a rule filtering traffic inbound to the router. An icon placed on the To interface traffic line indicates a rule filtering traffic outbound from the router. If you place the mouse over this icon, SDM will display the names of the rules that have been applied.
Service Area header fields
Firewall Feature Availability—If the Cisco IOS image that the router is using supports the Firewall feature, this field contains the value Available.
Access Rule—The name or number of the access rule whose entries are being displayed.
Inspection Rule—The name of the inspection rule whose entries are being displayed.
the Extended entry dialog when you add an entry from the Edit Firewall Policy/ACL window. If you want to add a standard rule entry, you can do so in the Rules window.
Edit—Click to edit a selected access rule entry. Although you can only add extended rule entries in the Edit Firewall Policy/ACL window, you are not prevented from editing a standard rule entry that has already been applied to a selected interface.
If you want to apply a firewall that protects the network connected to the Ethernet 1 interface from traffic entering the Ethernet 0 interface, you can do so in the Rules window.
Service Area Entry Fields
The following table describes the icons and other data in the Service Area entries.
Applications Area
This area appears if the Cisco IOS image running on the router supports CBAC Inspection rules. The Applications area displays the inspection rule entries that are filtering the traffic flow. This area is updated whenever a new traffic flow is selected. This area displays the inspection rule that will affect the selected direction of traffic. The Applications area is shown in the following graphic.
Global Settings—Click to display a dialog box that enables you to set global timeouts and thresholds.
Summary—Click to display the application or protocol name and description for each entry.
Detail—Click to display the application or protocol name, description, alert status, audit trail status, and timeout settings for each entry.
Application Area entry fields
The following table describes the Application area entry fields.
Swap From and To Interfaces to Bring Other Rules into View
SDM only displays inspection rules for Originating traffic in the Application area. If you want to view an inspection rule that is applied to Returning traffic in the diagram, select Swap From and To interfaces in the View Options menu.
Add App-Name Application Entry
Use this window to add an application entry that you want the Cisco IOS firewall to inspect.
Alert Action
One of the following:
• default-on—Leave as default. Default value is on.
• on—Enable alert.
• off—Disable alert.
Audit Action
One of the following:
• default-off—Leave as default. Default value is off.
• on—Enable audit trail.
• off—Disable audit trail.
Timeout
Specify how long the router should wait before blocking return traffic for this protocol or application. The field is prefilled with the default value.
Alert Action
One of the following:
• default(on)—Leave as default. Default value is on.
• on—Enable alert.
• off—Disable alert.
Audit Action
One of the following:
• default(off)—Leave as default. Default value is off.
• on—Enable audit trail.
• off—Disable audit trail.
Timeout
Specify how long the router should wait before blocking return traffic for this protocol or application. The field is prefilled with the default value.
Audit Action
One of the following:
• default-off—Leave as default. Default value is off.
• on—Enable audit trail.
• off—Disable audit trail.
Timeout
Specify how long the router should wait before blocking return traffic for this protocol or application. The field is prefilled with the default value.
Hosts/network for Java applet download
The source hosts or networks whose applet traffic is to be inspected.
Type
One of the following:
• A Network—If you select this, provide a network address in the IP address field. Note that the wildcard mask enables you to enter a network number that may specify multiple subnets.
• A Host Name or IP Address—If you select this, provide a host IP address or host name in the next field.
• Any IP address—If you select this, the action you specified is to apply to any host or network.
• Keep inspection rule name on outbound and dissociate inspection rule name on inbound—SDM will keep one inspection rule, and dissociate the rule from the other interface. Before you make a selection and click OK, you may want to click Cancel, and examine the two inspection rules to determine if you need to add entries to the inspection rule you want to retain.
Chapter 7 Application Security

Application Security allows you to create security policies to govern the use of network and web applications. You can apply the policies that you create to specific interfaces, clone an existing policy to leverage the settings for a new policy, and remove policies from the router.
Chapter 7 Application Security Application Security Windows

• Associate button—Click to display a dialog that allows you to associate the policy with an interface. The dialog allows you to choose the interface, and to specify the traffic direction to which the policy is to apply.
• Global Settings button—Click to make settings to timeout and threshold values that apply to all policies. Click Global Settings for more information.
No Application Security Policy
SDM displays this window when you have clicked the Application Security tab, but no Application Security policy has been configured on the router. You can create a policy from this window, and view the global settings that provide default values for the parameters that you can set when you create policies.
Policy Name
This list is empty when no policy has been configured for the router.
E-mail
Specify the e-mail applications that you want to inspect in this window. To learn about the buttons and drawers available in the Application Security tab, click Application Security Windows.
Edit Button
Click this button to edit the settings for the chosen application. Settings that you make override the global settings configured on the router.
Applications Column
The name of the e-mail application, for example bliff, esmtp, and smtp.
Reset
Resets the TCP connection if the client enters a non-protocol command before authentication is complete.
Router Traffic
Enables inspection of traffic destined to or originated from a router. Applicable only for H.323, TCP, and UDP protocols.
HTTP
Specify general settings for HTTP traffic inspection in this window. To learn about the buttons and drawers available in the Application Security tab, click Application Security Windows.
Set maximum URI length inspection Checkbox
Check this box if you want to define a maximum length for Universal Resource Indicators (URIs). Specify the maximum length in bytes, and then use the Permit, Block, and Alarm controls to specify the action that the router is to take when a URL that is longer than this value is encountered.
Enable HTTP inspection checkbox
Check this box if you want the router to inspect HTTP traffic.
Header Options
You can have the router permit or deny traffic based on HTTP header length and the request method contained in the header. Request methods are the commands sent to HTTP servers to fetch URLs, web pages, and perform other actions. To learn about the buttons and drawers available in the Application Security tab, click Application Security Windows.
Click Permit, Block, and Alarm Controls to learn how to specify the action that the router is to take when it encounters traffic with the characteristics that you specify in this window.
Verify Content Type checkbox
Check this box if you want the router to verify the content of HTTP packets by matching the response with the request, by enabling an alarm for unknown content types, or by using both of these methods.
gzip checkbox
The encoding format produced by the GNU zip (“gzip”) program.
Identity checkbox
Default encoding, which indicates that no encoding has been performed.
Instant Messaging
Use this window to control the traffic for instant messaging applications such as Yahoo Messenger, and MSN Messenger. To learn about the buttons and drawers available in the Application Security tab, click Application Security Windows.
Applications/Protocols
This window allows you to create policy settings for applications and protocols that are not found in the other windows. To learn about the buttons and drawers available in the Application Security tab, click Application Security Windows.
Applications/Protocols Tree
The Applications/Protocols tree enables you to filter the list on the right according to the type of applications and protocols that you want to view.
Chapter 7 Application Security Global Timeouts and Thresholds

Options Column
This column can contain fields if there are other settings that have been made for the chosen item.
MAX Data
Specifies the maximum number of bytes (data) that can be transferred in a single Simple Mail Transport Protocol (SMTP) session. After the maximum value is exceeded, the firewall logs an alert message and closes the session. Default value: 20 MB.
TCP FIN Wait Timeout Value
The amount of time that a TCP session will still be managed after the firewall detects a FIN exchange. The default value is 4 seconds.
TCP Idle Timeout Value
The amount of time that a TCP session will still be managed after no activity has been detected. The default value is 3600 seconds.
Maximum incomplete session thresholds
These fields let you specify the threshold values for the total number of existing half-open sessions.
Low
Stop deleting new connections after the number of new connections drops below this value. The default value is 400 sessions.
High
Start deleting new connections when the number of new connections exceeds this value.
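The Low and High thresholds form a hysteresis band: deletion starts only above High and stops only below Low, so a count hovering near one value does not switch the firewall on and off repeatedly. The model below is an added example, not SDM or Cisco IOS code; the page states only the Low default (400), so the High value of 500 used here is an assumption, and the session events in the demo are constructed.

```python
"""Half-open session watermarks, as described under Maximum incomplete
session thresholds above.

Added example; not SDM or Cisco IOS code. Once the count of half-open
(embryonic) sessions exceeds High the firewall starts deleting, dropping
the oldest half-open session to make room for each new one; it stops only
when the count falls below Low. High default (500) is assumed.
"""
from collections import OrderedDict


class HalfOpenTracker:
    """Tracks sessions that have been opened but not completed."""

    def __init__(self, low: int = 400, high: int = 500):
        if not 0 <= low <= high:
            raise ValueError("need 0 <= low <= high")
        self.low = low
        self.high = high
        self.half_open = OrderedDict()   # oldest session first
        self.deleting = False            # True while above the watermarks
        self.deleted = []                # sessions dropped to make room

    def count(self) -> int:
        return len(self.half_open)

    def new_session(self, sid: str) -> bool:
        """A connection attempt (e.g. TCP SYN) is seen; returns the deleting state."""
        if self.deleting and self.half_open:
            # Make room: the oldest incomplete session has waited longest
            # and is the least likely to ever complete.
            oldest, _ = self.half_open.popitem(last=False)
            self.deleted.append(oldest)
        self.half_open[sid] = True
        if self.count() > self.high:
            self.deleting = True
        return self.deleting

    def session_done(self, sid: str) -> bool:
        """Handshake completed or session timed out; returns the deleting state."""
        self.half_open.pop(sid, None)
        # Leave deleting mode only below Low, not as soon as we are under
        # High; the gap keeps the firewall from flapping around one value.
        if self.deleting and self.count() < self.low:
            self.deleting = False
        return self.deleting


def run_demo(low: int = 4, high: int = 6):
    """Scaled-down walk-through with constructed events.

    Returns (log, tracker); each log entry is
    (event, session, count before the event, deleting after the event)."""
    t = HalfOpenTracker(low, high)
    log = []
    for i in range(1, 9):                       # eight SYNs, none completing
        log.append(("syn", f"s{i}", t.count(), t.new_session(f"s{i}")))
    for sid in ("s2", "s3", "s4", "s5"):        # some finally complete
        log.append(("done", sid, t.count(), t.session_done(sid)))
    return log, t


if __name__ == "__main__":
    for event in run_demo()[0]:
        print(event)
```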
Edit Inspection Rule
Use this window to specify custom inspection rule settings for an application. Settings made here and applied to the router’s configuration override the global settings. Click the Global Settings button in the Application Security window to display the global settings for the parameters that you can set in this window. See Global Timeouts and Thresholds for more information.
MAX Data field
Specifies the maximum number of bytes (data) that can be transferred in a single Simple Mail Transport Protocol (SMTP) session. After the maximum value is exceeded, the firewall logs an alert message and closes the session. Default value: 20 MB.
Secure Login Checkbox
Causes a user at a non-secure location to use encryption for authentication.
Chapter 8 Site-to-Site VPN

The help topics in this section describe the Site-to-Site configuration screens.
Create Site to Site VPN
A Virtual Private Network (VPN) lets you protect traffic that travels over lines that your organization may not own or control. VPNs can encrypt traffic sent over these lines and authenticate peers before any traffic is sent. You can let Cisco Router and Security Device Manager (SDM) guide you through a simple VPN configuration by clicking the VPN icon.
What Do You Want to Do?
If you want to: Configure the router as part of a VPN network connecting two routers.
Do this: Select Create a site-to-site VPN. Then click Launch the selected task. When you configure a VPN network between two routers, you can control how the remote router is authenticated, how traffic is encrypted, and what traffic is encrypted.
If you want to: Configure a GRE tunnel between your router and another router.
If you want to: Find out how to perform other VPN-related tasks that this wizard does not guide you through.
Do this:
If you want to: Configure an Easy VPN concentrator.
Do this: Configuration instructions for Easy VPN servers and concentrators are available on www.cisco.com. The following link provides guidelines to use when configuring a Cisco VPN 3000 series concentrator to operate with an Easy VPN Remote Phase II client, and other information which you might find useful: http://www.cisco.
What do you want to do?
If you want to: Quickly configure a site-to-site VPN using SDM-provided defaults.
Do this: Check Quick setup, and then click Next. SDM will automatically provide a default IKE policy to govern authentication, a default transform set to control the encryption of data and a default IPSec rule that will encrypt all traffic between the router and the remote device.
VPN Connection Information
Use this window to identify the IP address or host name of the remote site that will terminate the VPN tunnel that you are configuring, to specify the router interface to use, and to enter the pre-shared key that both routers will use to authenticate each other.
Select the interface for This VPN Connection
Select the interface on this router that connects to the remote site.
Enter the pre-shared key, and then reenter it for confirmation. Exchange the pre-shared key with the administrator of the remote site through some secure and convenient method, such as an encrypted e-mail message. Question marks (?) and spaces must not be used in the pre-shared key. The pre-shared key can contain a maximum of 128 characters.
Note
• The characters you enter for the pre-shared key are not displayed in the field as you enter them.
Details
Click this button to obtain details about the interface you selected. The details window shows any access rules, IPSec policies, Network Address Translation (NAT) rules, or Inspection rules associated with the interface. To examine any of these rules in more detail, go to Additional Tasks/ACL Editor, and examine them in the Rules windows.
Destination IP address and Subnet Mask.
Encryption
SDM supports a variety of encryption types, listed in order of security. The more secure an encryption type is, the more processing time it requires.
Note
• Not all routers support all encryption types. Unsupported types will not appear in the screen.
• Not all IOS images support all the encryption types that SDM supports. Types unsupported by the IOS image will not appear in the screen.
Hash
The authentication algorithm to be used for the negotiation. SDM supports the following algorithms:
• SHA_1—Secure Hash Algorithm. A hash algorithm used to authenticate packet data.
• MD5—Message Digest 5. A hash algorithm used to authenticate packet data.
D-H Group
The Diffie-Hellman Group—Diffie-Hellman is a public-key cryptography protocol that allows two routers to establish a shared secret over an unsecure communications channel.
To add or edit an IKE policy:
If you want to add an IKE policy that is not included in this list, click Add and create the policy in the window displayed. Edit an existing policy by selecting it and clicking Edit. SDM Default policies are read only, and cannot be edited.
To accept the policy list:
To accept the IKE policy list and continue, click Next.
ESP Encryption
The type of Encapsulating Security Protocol (ESP) encryption used. If ESP encryption is not configured for this transform set, this column will be empty.
ESP Authentication
The type of ESP authentication used. If ESP authentication is not configured for this transform set, this column will be empty.
AH Authentication
The type of Authentication Header (AH) authentication used.
What Do You Want to Do?
If you want to: Select a transform set for the VPN to use.
Do this: Select a transform set, and click Next.
If you want to: Add a transform set to the router’s configuration.
Do this: Click Add, and create the transform set in the Add Transform Set window. Then click Next to continue VPN configuration.
If you want to: Edit an existing transform set.
Do this: Select a transform set, and click Edit. Then, edit the transform set in the Edit Transform Set window.
All traffic from this source subnet that has a destination IP address on the destination subnet will be protected.
Destination
Enter the address of the destination subnet, and specify the mask for that subnet. You can select a subnet mask from the list, or type in a custom mask. The subnet number and mask must be entered in dotted decimal format, as shown in the previous examples. All traffic going to the hosts in this subnet will be protected.
Spoke Configuration
If you have configured a DMVPN hub, you can have SDM generate a procedure that will assist you or other administrators in configuring DMVPN spokes. The procedure explains which options to select in the wizard, and what information to enter in spoke configuration windows. You can save this information to a text file that you or another administrator can use.
• The hash, encryption, DH group, and Authentication Type of the IKE policies that the hub uses, so that compatible IKE policies can be configured on the spoke.
• The ESP and Mode information of the transform sets that the hub uses. If similar transform sets have not been configured on the spoke, they can be configured using this information.
Details
Click to obtain details about the interface that you selected. The details window shows any access rules, IPSec policies, NAT rules, or Inspection rules associated with the interface. If a NAT rule has been applied to this interface that causes the address to be unroutable, the tunnel will not operate properly. To examine any of these rules in more detail, go to Additional Tasks/ACL Editor and examine them in the Rules window.
Pre-Shared Key
Click this button if the VPN peers use a pre-shared key for authentication, and then enter the pre-shared key and reenter it for confirmation. Exchange the pre-shared key with the administrator of the remote site through some secure and convenient method, such as an encrypted e-mail message. Question marks (?) and spaces must not be used in the pre-shared key.
Backup GRE Tunnel Information
You can configure a backup GRE-over-IPSec tunnel that the router can use when the primary tunnel fails. This tunnel will use the same interface that you configured for the primary tunnel, but it must be configured with the backup VPN router as the peer. If routing is configured for the primary GRE-over-IPSec tunnel, the keepalive packets that the routing protocol sends are used to verify that the tunnel is still active.
Routing Information
This window enables you to configure routing for the tunneled traffic. Information that you add in this window appears in the Routing window. Changes that you make in the Routing window may affect routing of VPN traffic. Configuring routing enables you to specify the networks that will participate in the GRE-over-IPSec VPN.
Static Routing
Static routing can be used in smaller VPN deployments in which only a few private networks participate in the GRE-over-IPSec VPN. You can configure a static route for each remote network so that traffic destined for the remote networks will pass through the appropriate tunnels.
• Do split tunneling—Split tunneling allows traffic that is destined for the network specified in the IP Address and Network Mask fields to be encrypted and routed through the tunnel interface. All other traffic will not be encrypted. When this option is selected, SDM creates a static route to the network, using the IP address and network mask. The following example assumes that the network address 10.2.0.0/255.255.0.
Note
• RIP—Routing Internet Protocol.
• Static Routing. This option is enabled when you are configuring a GRE over IPSec tunnel.
RIP is not supported for DMVPN Hub and spoke topology but is available for DMVPN Full Mesh topology.
Summary of Configuration
This screen summarizes the GRE configuration that you have completed. You can review the information in this screen and click the back button to return to any screen in which you want to make changes.
Edit Site-to-Site VPN
Use this window to create and manage VPN connections to remote systems. You can create, edit, and delete VPN connections, and reset existing connections. You can also use this window to configure your router as an Easy VPN client with connections to one or more Easy VPN servers or concentrators.
Sequence Number
The sequence number for this connection. Because an IPSec policy may be used in more than one connection, the combination of the sequence number and IPSec policy name uniquely identifies this VPN connection. The sequence number does not prioritize the VPN connection; the router will attempt to establish all configured VPN connections regardless of sequence number.
Delete Button
Click to delete a selected VPN connection.
Test Tunnel... Button
Click to test a selected VPN tunnel. The results of the test will be shown in another window.
Clear Connection Button
Click to reset an established connection to a remote peer. This button is disabled if you have selected a dynamic site-to-site VPN tunnel.
Generate Mirror...
Step 2 Select a policy from the Choose IPSec Policy list. Click OK to return to the VPN Connections window.
Add Additional Crypto Maps
Use this window to add a new crypto map to an existing IPSec policy. This window shows the interface associated with the VPN connection that you selected in the VPN Connections window, the IPSec policy associated with it, and the crypto maps that the policy already contains.
What Do You Want to Do?
If you want to: Configure the crypto map yourself.
Do this: Click Add New Crypto Map and use the Add Crypto Map window to create the new crypto map. Click OK when you are finished. Then click OK in this window.
If you want to: Have Cisco Router and Security Device Manager (SDM) help you add a new crypto map to this connection.
Do this: Check the Use Add Wizard box, and click OK. SDM will guide you in creating a new crypto map, and will associate it
Security Association Lifetime
IPSec security associations use shared keys. These keys and their security associations time out together. There are two lifetimes: a timed lifetime and a traffic-volume lifetime. The security association expires when the first of these lifetimes is reached. You can use this field to specify a different security association lifetime for this crypto map than the lifetime that is specified globally.
Crypto Map Wizard: Peers
A crypto map includes the names or IP addresses of the peers involved in the security association. This screen allows you to add and remove peers associated with this crypto map. Multiple peers provide the router with multiple routes for encrypted data.
Specify Peers
Enter the IP address or host name of the peer devices in the IP Address or Hostname field. Then click Add to add it to the current list of peers.
What Do You Want to Do?
If you want to: Use the selected transform set for the crypto map.
Do this: Click Next.
If you want to: Use another existing transform set.
Do this: Select it in the Select Transform Set list, and click Next.
If you want to: Use a new transform set.
Do this: Click Add, and create the transform set in the Add Transform Set window. Then, return to this window, and click Next.
If you want to: Edit the selected transform set.
All traffic from this source subnet that has a destination IP address on the destination subnet will be encrypted.
Destination
Enter the address of the destination subnet, and specify the mask for that subnet. You can either select a subnet mask from the list or type in a custom mask. The subnet number and mask must be entered in dotted decimal format. All traffic going to the hosts in this subnet will be encrypted.
Delete Connection
Use this window to delete a VPN tunnel, or simply to disassociate it from an interface but preserve the definition for future use.
Delete the crypto map with sequence number n from IPSec policy policy name
Click this button, and then click OK to remove the VPN tunnel definition. The associations created between the interface, IPSec policy, and peer devices will be lost when you do this.
Destination
Select the IP address that you want to ping. If the address you want to use is not in the list, you can enter a different one in the field.
To ping a remote peer:
Specify the source and destination, and click Ping. You can read the output of the ping command to determine whether the ping was successful.
To clear the output of the ping command:
Click Clear.
Generate Mirror...
Chapter 8 Site-to-Site VPN How Do I... may be used on the remote router, but the policies and transform sets may be different. If the text file is simply copied into the remote configuration file, configuration errors are likely to result. SDM Warning: NAT Rules with ACL This window appears when you are configuring a VPN using interfaces with associated NAT rules that use Access rules.
Chapter 8 Site-to-Site VPN How Do I... How Do I Create a VPN to More Than One Site? You can use SDM to create multiple VPN tunnels on one interface on your router. Each VPN tunnel will connect the selected interface on your router to a different subnet at the destination router.
Chapter 8 Site-to-Site VPN How Do I... Step 12 Click Finish. Create an Additional Tunnel from the Same Source Interface After you have created the initial VPN tunnel, follow these steps to create an additional tunnel from the same source interface to a different destination interface or destination subnet: Step 1 From the left frame, select VPN. Step 2 Select Create a Site-to-Site VPN. Step 3 Click Launch the Selected Task. The VPN Wizard starts. Step 4 Click Quick Setup. Step 5 Click Next>.
Chapter 8 Site-to-Site VPN How Do I... • If you entered the same IP address in the Peer Identity field as you used for the initial VPN connection, indicating that this VPN tunnel will use the same router interface as the initial VPN tunnel, then enter the IP address and subnet mask of the new subnet that you want to protect in the appropriate fields. Step 11 Click Next>. Step 12 Click Finish.
Chapter 8 Site-to-Site VPN How Do I... Caution Do not apply the mirror configuration to the peer device without editing! This configuration is a template that requires additional manual configuration. Use it only as a starting point to build the configuration for the VPN peer. After saving the file, use a text editor to make any needed changes to the template configuration.
Chapter 8 Site-to-Site VPN How Do I... Step 7 If you need to modify any of the components of the connection, such as the IPSec policy or the existing crypto map, note the names of those components in the VPN window, and go to the appropriate windows under VPN Components to make changes. How Do I Confirm That My VPN Is Working? You can verify that your VPN connection is working by using the Monitor mode in SDM.
Chapter 8 Site-to-Site VPN How Do I... If you are viewing IKE SA information, you can verify that your VPN connection is working by verifying that the source and destination IP addresses are correct, and that the state is “QM_IDLE,” indicating that the connection has been authenticated and that data transfer can take place. How Do I Configure a Backup Peer for My VPN? To configure multiple VPN peers inside a single crypto map: Step 1 From the left frame, select VPN.
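The same check the text describes for Monitor mode can be scripted against the text of the IOS command `show crypto isakmp sa`. The following is an added example and is not code from the SDM guide or from Cisco; the sample command output is constructed here, and its column layout (dst, src, state, conn-id, status) is an assumption about the usual IOS table format. The check confirms that an IKE SA exists between the expected pair of peer addresses and that its state is QM_IDLE.

```python
import re

# Constructed sample of "show crypto isakmp sa" output, not captured from a real
# router. The column layout (dst, src, state, conn-id, status) is an assumption
# that follows the usual IOS table; adjust SA_LINE if your image prints more columns.
SAMPLE_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.2     203.0.113.1     QM_IDLE           1001 ACTIVE
198.51.100.9    203.0.113.1     MM_NO_STATE       1002 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
SA_LINE = re.compile(
    rf"^(?P<dst>{IPV4})\s+(?P<src>{IPV4})\s+(?P<state>\S+)\s+(?P<conn_id>\d+)\s+(?P<status>.+)$"
)


def parse_isakmp_sa(output):
    """Return one dict per IKE SA row found in the command output."""
    rows = []
    for line in output.splitlines():
        m = SA_LINE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def check_tunnel(output, local_addr, remote_addr):
    """Apply the check from the text: an SA between the two peers must exist and be in QM_IDLE.

    The dst/src columns swap depending on which side initiated IKE, so the
    pair is matched in either order. Returns (ok, reason).
    """
    for sa in parse_isakmp_sa(output):
        if {sa["src"], sa["dst"]} == {local_addr, remote_addr}:
            if sa["state"] == "QM_IDLE":
                return True, f"conn-id {sa['conn_id']} is QM_IDLE: authenticated, data can flow"
            return False, f"conn-id {sa['conn_id']} is in state {sa['state']}, not QM_IDLE"
    return False, "no IKE SA between these peers: phase 1 has not completed"


if __name__ == "__main__":
    for remote in ("203.0.113.2", "198.51.100.9", "192.0.2.77"):
        ok, reason = check_tunnel(SAMPLE_OUTPUT, "203.0.113.1", remote)
        print(f"{remote}: {'OK' if ok else 'FAIL'} - {reason}")
```

A state other than QM_IDLE (for example MM_NO_STATE) means phase 1 never completed, which usually points at a mismatched ISAKMP policy or preshared key rather than at the IPSec policy; checking the peer pair as well as the state catches an SA that came up with the wrong peer address.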
Chapter 8 Site-to-Site VPN How Do I... Step 1 From the left frame, select VPN. Step 2 From the VPN tree, select VPN Components, and then IPSec Policies. Step 3 In the IPSec Policies table, click the IPSec policy that contains the crypto map to which you want to add another transform set. Step 4 Click Edit. The Edit IPSec Policy dialog box appears. Step 5 In the “Crypto Maps in this IPSec Policy” table, click the crypto map to which you want to add another transform set. Step 6 Click Edit.
Chapter 8 Site-to-Site VPN How Do I... How Do I Configure a VPN After I Have Configured a Firewall? In order for a VPN to function with a firewall in place, the firewall must be configured to permit traffic between the local and remote peer IP addresses. SDM creates this configuration by default when you configure a VPN configuration after you have already configured a firewall.
Chapter 8 Site-to-Site VPN How Do I... Step 10 In the IP Address and Wildcard Mask fields, enter the IP address and subnet mask of the VPN source peer. Step 11 In the Destination Host/Network group, from the Type field, select A Network. Step 12 In the IP Address and Wildcard Mask fields, enter the IP address and subnet mask of the VPN destination peer. Step 13 In the Description field, enter a short description of the network or host. Step 14 Click OK.
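The access rule entries that the steps above create take a network address and a wildcard mask, while the wizard asks for a subnet mask and converts it. The following is an added example, not code from the SDM guide or from Cisco, that performs that conversion and renders the pair of extended-ACL permit entries between the two VPN endpoints; the endpoint tuple format and the function names are this example's own, and the addresses are constructed.

```python
import ipaddress


def wildcard_from_mask(subnet_mask):
    """Invert a dotted-decimal subnet mask into the IOS wildcard form.

    255.255.255.0 -> 0.0.0.255; a 0 bit in the wildcard means "must match".
    """
    mask = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))


def network_entry(address, subnet_mask):
    """'A Network' entry: network address (host bits cleared) plus wildcard."""
    net = ipaddress.IPv4Network(f"{address}/{subnet_mask}", strict=False)
    return f"{net.network_address} {wildcard_from_mask(subnet_mask)}"


def host_entry(address):
    """'A Host' entry: IOS abbreviates a 0.0.0.0 wildcard as 'host <addr>'."""
    ipaddress.IPv4Address(address)  # raises ValueError on a malformed address
    return f"host {address}"


def vpn_permit_entries(source, destination):
    """Build the extended-ACL permit entries between two VPN endpoints.

    Each endpoint is ("network", addr, mask) or ("host", addr). Both directions
    are emitted because the firewall must pass replies as well as requests.
    """
    def render(endpoint):
        kind = endpoint[0]
        if kind == "network":
            return network_entry(endpoint[1], endpoint[2])
        if kind == "host":
            return host_entry(endpoint[1])
        raise ValueError(f"unknown endpoint type {kind!r}")

    src, dst = render(source), render(destination)
    return [f"permit ip {src} {dst}", f"permit ip {dst} {src}"]


if __name__ == "__main__":
    # Constructed example addresses (RFC 1918 and documentation ranges).
    for line in vpn_permit_entries(("network", "10.10.10.0", "255.255.255.0"),
                                   ("network", "192.168.20.5", "255.255.255.128")):
        print(line)
```

Clearing the host bits matters: an entry such as `192.168.20.5 0.0.0.127` is accepted by IOS but is rewritten to the network address, so generating it normalized keeps the rule you audit identical to the rule the router stores.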
C H A P T E R 9 Easy VPN Remote Create Easy VPN Remote SDM allows you to configure your router as a client to an Easy VPN server or concentrator. Your router must be running a Cisco IOS software image that supports Easy VPN Phase II. To be able to complete the configuration, you must have the following information ready. • Easy VPN server’s IP address or hostname • IPSec group name • Key Obtain this information from the Easy VPN server administrator.
Chapter 9 Easy VPN Remote Create Easy VPN Remote Connection Settings The information entered in this window identifies the Easy VPN tunnel, the Easy VPN server or concentrator that the router will connect to, and the way you want traffic to be routed in the VPN. Easy VPN Tunnel Name Enter the name that you want to give this Easy VPN connection. The name must be unique among Easy VPN tunnel names for this router and must not contain spaces or special characters such as question marks (?).
Chapter 9 Easy VPN Remote Create Easy VPN Remote Choose Network Extension if you want the devices connected to the inside interfaces to have IP addresses that are routable and reachable by the destination network. The devices at both ends of the connection will form one logical network. PAT will be automatically disabled, allowing the PCs and hosts at both ends of the connection to have direct access to one another.
Chapter 9 Easy VPN Remote Create Easy VPN Remote User Authentication (XAuth) User authentication (XAuth) appears in this window if the Cisco IOS image on the router supports Easy VPN Remote Phase III. If user authentication does not appear, it must be set from the router command-line interface. Choose one of these ways to enter the XAuth username and password: • Manually in a web browser window Note The web browser option appears only if supported by the Cisco IOS image on your router.
Chapter 9 Easy VPN Remote Create Easy VPN Remote Inside Interfaces Choose the inside (LAN) interface to associate with this Easy VPN configuration. You can choose multiple inside interfaces, with the following restrictions: • If you choose an interface that is already used in another Easy VPN configuration, you are told that an interface cannot be part of two Easy VPN configurations.
Chapter 9 Easy VPN Remote Create Easy VPN Remote With the automatic setting, the VPN tunnel is established automatically when the Easy VPN configuration is delivered to the router configuration file. However, you will not be able to control the tunnel manually in the VPN Connections window. The Connect or Disconnect button is disabled when this Easy VPN connection is chosen. With the traffic-based setting, the VPN tunnel is established whenever outbound local (LAN side) traffic is detected.
Chapter 9 Easy VPN Remote Edit Easy VPN Remote ID and password to log on to the router and then provide the XAuth login and password for the Easy VPN server or concentrator. You must follow this process when you click Finish and the configuration is delivered to the router, and when you disconnect and then reconnect the tunnel in the Edit Easy VPN Remote window. Find out whether XAuth is used, and determine the required username and password.
Chapter 9 Easy VPN Remote Edit Easy VPN Remote The connection is down. When an Easy VPN connection is down, the Connect button enables you to activate the connection if manual tunnel control is used. The connection is being established. Xauth Required—The Easy VPN server or concentrator requires an XAuth login and password. Use the Login button to enter the login ID and password and establish the connection.
Chapter 9 Easy VPN Remote Edit Easy VPN Remote Inside Interfaces These are the inside interfaces included in this Easy VPN connection. All hosts connected to these interfaces are part of the VPN. Easy VPN Server The names or IP addresses of the Easy VPN servers or concentrators. If the Cisco IOS image on your router supports Easy VPN Remote Phase III, you can identify two Easy VPN servers or concentrators during configuration using SDM.
Chapter 9 Easy VPN Remote Edit Easy VPN Remote • The credentials are automatically sent because they have been saved on the router Add Button Add a new Easy VPN Remote connection. Edit Button Edit the specified Easy VPN Remote connection. Delete Button Delete the specified Easy VPN Remote connection. Reset Connection Button Click to clear and reestablish a tunnel with a peer. Test Tunnel Button Click to test a specified VPN tunnel. The results of the test appear in another window.
Chapter 9 Easy VPN Remote Edit Easy VPN Remote • The XAuth response is set to be requested from SDM or the router console • The tunnel is waiting for XAuth credentials (the connection has been initiated) If the connection is set to automatic or traffic-based tunnel control, this button is disabled. What Do You Want to Do? If you want to: Do this: Create a new Easy VPN connection. Click Add in the Edit Easy VPN Remote window.
Chapter 9 Easy VPN Remote Edit Easy VPN Remote If you want to: Do this: Connect to an Easy VPN server for which the router has a configured connection. If the connection uses manual tunnel control, choose the connection, then click Connect. Connections that use automatic or traffic-based tunnel control cannot be brought up manually through SDM.
Chapter 9 Easy VPN Remote Edit Easy VPN Remote Add or Edit Easy VPN Remote Use this window to configure your router as an Easy VPN client. Your router must have a connection to an Easy VPN concentrator or server on the network. Note This window appears if the Cisco IOS image on your router supports Easy VPN Client Phase II. The Cisco Easy VPN Remote feature implements the Cisco Unity Client protocol, which allows most VPN parameters to be defined at a VPN remote access server.
Chapter 9 Easy VPN Remote Edit Easy VPN Remote Network Extension—Choose Network Extension if you want the devices connected to the inside interfaces to have IP addresses that are routable and reachable by the destination network. The devices at both ends of the connection will form one logical network. PAT will be automatically disabled, allowing the PCs and hosts at both ends of the connection to have direct access to one another.
Chapter 9 Easy VPN Remote Edit Easy VPN Remote Group Key Enter the IPSec group password. The group password must match the group password defined on the VPN concentrator or server. Obtain this information from your network administrator. Confirm Key Reenter the group password to confirm. Interfaces Outside Interface Toward Server or Concentrator Choose the interface that has the connection to the Easy VPN server or concentrator.
Chapter 9 Easy VPN Remote Edit Easy VPN Remote The Cisco Easy VPN Remote feature implements the Cisco Unity Client protocol, which allows most VPN parameters to be defined on a VPN remote access server. This server can be a dedicated VPN device, such as a VPN 3000 concentrator or a Cisco PIX Firewall, or it can be a Cisco IOS router that supports the Cisco Unity Client protocol. Name Enter a name for the Easy VPN remote configuration.
Chapter 9 Easy VPN Remote Edit Easy VPN Remote Servers You can specify up to ten Easy VPN servers by IP address or hostname, and you can order the list to specify which servers the router will attempt to connect to first. Add Click to specify the name or the IP address of a VPN concentrator or server for the router to connect to; then enter the address or hostname in the window displayed. Delete Click to delete the specified IP address or hostname.
Chapter 9 Easy VPN Remote Edit Easy VPN Remote Add or Edit Easy VPN Remote: Authentication Information This window appears if the Cisco IOS image on your router supports Easy VPN Client Phase III. If the image supports Easy VPN Client Phase II, a different window appears. Use this window to enter the information required for the router to be authenticated by the Easy VPN server or concentrator. Device Authentication Group Name Enter the IPSec group name.
Chapter 9 Easy VPN Remote Edit Easy VPN Remote Manually enter the username and password in a web browser window. If you choose this option, you can check the checkbox to use basic HTTP authentication to compensate for legacy web browsers that don’t support HTML 4.0 or JavaScript. Note • The web browser option appears only if supported by the Cisco IOS image on your router. From your router Manually enter the username and password from the command line or SDM.
Chapter 9 Easy VPN Remote Edit Easy VPN Remote Please Enter the Username Enter the SSH or Telnet account username that you will use to log in to this router. Please Enter the Password Enter the password associated with the SSH or Telnet account username that you will use to log in to this router. XAuth Login Window This window appears when the Easy VPN server requests extended authentication.
Chapter 9 Easy VPN Remote Edit Easy VPN Remote Servers You can specify up to ten Easy VPN servers by IP address or hostname, and you can order the list to specify which servers the router will attempt to connect to first. Click the Add button to specify the name or the IP address of a VPN concentrator or server for the router to connect to, and then enter the address or hostname in the window displayed. Click the Delete button to delete the specified IP address or hostname.
Chapter 9 Easy VPN Remote Edit Easy VPN Remote You can enable remote management of the router by checking the box to request a server-assigned IP address for your router. This IP address can be used for connecting to your router for remote management and troubleshooting (ping, Telnet, and Secure Shell). This mode is called Network Extension Plus.
Chapter 9 Easy VPN Remote Edit Easy VPN Remote Enter the IPSec group name in the Group Name field and the new IKE key value in the New Key field. Reenter the new key for confirmation in the Confirm Key field. If the values in the New Key and Confirm Key fields are not the same, SDM prompts you to reenter the key values. The Current Key field displays asterisks (*) if there is a current IKE key value. This field is blank if no key has been configured.
Chapter 9 Easy VPN Remote Edit Easy VPN Remote The information is saved in the router configuration file and used each time the tunnel is established. Caution Storing the XAuth username and password in router memory creates a security risk because anyone who has access to the router configuration can obtain this information. If you do not want this information stored on the router, do not enter it here.
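Because a saved XAuth username and password live in the running configuration, anyone who can read the configuration (backups, `show running-config` over an administrative session, configuration-management repositories) can recover them. The following is an added example, not code from the SDM guide or from Cisco, that audits a configuration for Easy VPN client blocks that store XAuth credentials so the risk described in the caution can be found before it is exploited. The configuration fragment is constructed; the `crypto ipsec client ezvpn` block layout follows IOS, but the exact secret formats used in the sample are an assumption.

```python
import re

# Constructed running-config fragment (not from a real router). Block syntax
# follows Cisco IOS Easy VPN Remote: "crypto ipsec client ezvpn <name>" with
# indented sub-commands. The secret formats shown are an assumption.
SAMPLE_CONFIG = """\
hostname branch-rtr
!
crypto ipsec client ezvpn corp-tunnel
 connect auto
 group corp-group key SharedSecret123
 mode network-extension
 peer 203.0.113.10
 username branchuser password Br4nchP@ss
!
crypto ipsec client ezvpn lab-tunnel
 connect manual
 group lab-group key LabSecret456
 peer 203.0.113.11
!
"""

EZVPN_BLOCK = re.compile(r"^crypto ipsec client ezvpn (\S+)")
# Optional single-digit encryption type between the keyword and the secret.
XAUTH_CRED = re.compile(r"^\s+username (\S+) password (?:\d )?\S+")
GROUP_KEY = re.compile(r"^\s+group (\S+) key (?:\d )?\S+")


def audit_easyvpn_secrets(config):
    """Walk the config and report which secrets each Easy VPN client block stores.

    Top-level lines (no leading space) start or end a block; indented lines
    belong to the block opened above them.
    """
    findings = []
    current = None
    for line in config.splitlines():
        if not line.startswith(" "):
            m = EZVPN_BLOCK.match(line)
            current = m.group(1) if m else None
            continue
        if current is None:
            continue
        m = XAUTH_CRED.match(line)
        if m:
            findings.append({"tunnel": current, "kind": "xauth", "name": m.group(1)})
            continue
        m = GROUP_KEY.match(line)
        if m:
            findings.append({"tunnel": current, "kind": "group-key", "name": m.group(1)})
    return findings


def tunnels_with_stored_xauth(config):
    """Names of Easy VPN client tunnels whose XAuth username and password are saved on the router."""
    return sorted({f["tunnel"] for f in audit_easyvpn_secrets(config) if f["kind"] == "xauth"})


if __name__ == "__main__":
    for f in audit_easyvpn_secrets(SAMPLE_CONFIG):
        print(f"{f['tunnel']}: stores {f['kind']} for {f['name']}")
    print("tunnels with saved XAuth credentials:", tunnels_with_stored_xauth(SAMPLE_CONFIG))
```

The group key is reported as well because it is unavoidably on the router, but the XAuth finding is the one the caution is about: it is the per-user secret that the text says you can choose not to store by leaving the fields empty and entering it at connect time instead.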
Chapter 9 Easy VPN Remote How Do I... Outside Interface Choose the outside interface that connects to the Easy VPN server or concentrator. Note Cisco 800 routers do not support the use of interface E 0 as the outside interface. Connection Control Choose Automatic, Manual, or traffic-based VPN tunnel activation.
Chapter 9 Easy VPN Remote How Do I... How Do I Edit an Existing Easy VPN Connection? To edit an existing Easy VPN remote connection, follow these steps: Step 1 From the left frame, choose VPN. Step 2 In the VPN tree, choose Easy VPN Remote. Step 3 Click the Edit Easy VPN Remote tab and choose the connection that you want to edit. Step 4 Click Edit. The Edit Easy VPN Remote window appears. Step 5 In the Edit Easy VPN Remote window, click the tabs to display the values that you want to change.
Chapter 9 Easy VPN Remote How Do I... If the ISDN, async, or analog modem interface has been configured, follow these steps: Step 1 From the left frame, click Interfaces and Connections. Step 2 Click the Edit Interface/Connection tab. Step 3 Choose an ISDN, async, or analog modem interface from the list of configured interfaces. Step 4 Click the Edit button. Step 5 Click the Backup tab and configure the backup for an Easy VPN Remote connection.
C H A P T E R 10 Easy VPN Server The Easy VPN Server feature introduces server support for the Cisco VPN Client Release 3.x and later software clients and Cisco VPN hardware clients. The feature allows a remote end user to communicate using IP Security (IPSec) with any Cisco IOS Virtual Private Network (VPN) gateway. Centrally managed IPSec policies are “pushed” to the client by the server, minimizing configuration by the end user.
Chapter 10 Easy VPN Server Create an Easy VPN Server Create an Easy VPN Server Click to Create an Easy VPN server configuration on your router. Launch the Easy VPN Server Wizard Button Click to start the wizard. Welcome to the Easy VPN Server Wizard This window summarizes the tasks you will perform when using the wizard. Interface and Authentication This window lets you choose the interface on which you want to configure the Easy VPN Server.
Chapter 10 Easy VPN Server Create an Easy VPN Server If you choose both preshared keys and digital certificates, entering a key value in the Add Group Policy general setup window is optional. Group Authorization: Group Policy Lookup This window lets you define a new AAA authorization network method list for group policy lookup or choose an existing network method list. Local Only This option allows you to create a method list for the local database only.
Chapter 10 Easy VPN Server Create an Easy VPN Server If you want to: Do this: Define an AAA method list for the local database only. Choose Local only. Then click Next. When you define an AAA method list for the local database, the router looks at the local database for group authentication. Choose any of the existing method lists for group authentication. Choose Choose an existing AAA method list. Then click Next.
Chapter 10 Easy VPN Server Create an Easy VPN Server Add User Credentials Button Click to add a user account. User Accounts for XAuth Add an account for a user you want to authenticate after IKE has authenticated the device. User Accounts The user accounts that XAuth will authenticate are listed in this box. The account name and privilege level are visible. Add or Edit Buttons Use these buttons to add and edit user accounts.
Chapter 10 Easy VPN Server Create an Easy VPN Server Ping Ping an already existing RADIUS server or newly configured RADIUS server. Group Authorization: User Group Policies This window allows you to add, edit, clone or delete user group policies on the local database. This lists already configured group policies. Group Name Name given to the user group. Pool Name of the IP address pool from which an IP address is assigned to a user connecting from this group.
Chapter 10 Easy VPN Server Create an Easy VPN Server Idle Timer Disconnecting idle VPN tunnels can help the Easy VPN Server run more efficiently by reclaiming unused resources. Click the Configure Idle Timer check box and enter a value for the maximum time that a VPN tunnel can remain idle before being disconnected. Enter hours in the left field, minutes in the middle field, and seconds in the right field. The minimum time allowed is 1 minute.
Chapter 10 Easy VPN Server Create an Easy VPN Server Select from an Existing Pool Choose the range of IP addresses from the existing pool of IP addresses. Note This field cannot be edited if there are no predefined IP address pools. Subnet Mask (Optional) Enter a subnet mask to send with the IP addresses allocated to clients in this group. Maximum Connections Allowed Specify the maximum number of client connections to the Easy VPN Server from this group.
Chapter 10 Easy VPN Server Create an Easy VPN Server WINS Enter the primary and secondary WINS server IP address in the fields provided. Entering a secondary WINS server address is optional. Domain Name Specify the domain name that should be pushed to the Easy VPN client. What Do You Want to Do? If you want to: Do this: Configure a DNS server. Check the DNS option. Then enter the primary and secondary DNS server IP addresses in the fields provided. Configure a WINS server. Check the WINS option.
Chapter 10 Easy VPN Server Create an Easy VPN Server Enter the Protected Subnets Add or remove the subnets for which the packets are tunneled from the VPN clients. Choose the Split Tunneling ACL Choose the ACL to use for split tunneling. Split DNS Enter the Internet domain names that should be resolved by your network’s DNS server. Note The following restrictions apply: • A maximum of 10 entries is allowed. • Entries must be separated with a comma.
Chapter 10 Easy VPN Server Create an Easy VPN Server Client Settings This window allows you to configure additional attributes for security policy such as adding or removing a backup server, Firewall Are-U-There, and Include-Local-LAN. Note Some of the features described below appear only if supported by your Cisco server’s IOS release.
Chapter 10 Easy VPN Server Create an Easy VPN Server Browser Proxy You can specify browser proxy settings for Easy VPN software clients. The Easy VPN Server sends the browser proxy settings to Easy VPN software clients requesting that information. Only Easy VPN software clients belonging to the group policy you are configuring can request the browser proxy settings you enter in this window.
Chapter 10 Easy VPN Server Create an Easy VPN Server What Do You Want to Do? If you want to: Do this: Add a backup server. Click Add in the Backup Servers area. Then add the backup server IP address or host name in the window displayed. Delete a backup server. Choose the backup server to be deleted from the Backup Server area and click Delete. Reorder backup servers. Delete backup servers and recreate them in the order you want. Enable Firewall Are-U-There. Check the Firewall Are-U-There option.
Chapter 10 Easy VPN Server Create an Easy VPN Server Browser Proxy Settings Name If you are adding browser proxy settings, enter a name that will appear in drop-down menus listing browser proxy settings. If you are editing browser proxy settings, the name field is read-only. Proxy Settings Choose one of the following: • No Proxy Server You do not want clients in this group to use a proxy server when they use the VPN tunnel.
Chapter 10 Easy VPN Server Create an Easy VPN Server User Authentication (XAuth) This allows you to configure additional attributes for user authentication, such as Group Lock and save Password Attributes. XAuth Banner Enter the text for a banner that is shown to users during XAuth requests. Note This feature appears only if supported by your Cisco server’s IOS release. Maximum Logins Allowed Per User: Specify the maximum number of connections a user can establish at a time.
Chapter 10 Easy VPN Server Create an Easy VPN Server Client Update This window allows you to set up client software or firmware update notifications, and displays existing client update entries. Existing client update entries can be selected for editing or deletion. Notifications are sent automatically to clients which connect to the server after a new or edited client update configuration is saved. Clients already connected require manual notification.
Chapter 10 Easy VPN Server Create an Easy VPN Server Add or Edit Client Update Entry This window allows you to configure a new client update entry. Client Type Enter a client type or choose one from the drop-down menu. Client type names are case sensitive. For software clients, the client type is usually the operating system, for example, Windows. For hardware clients, the client type is usually the model number, for example, vpn3002.
Chapter 10 Easy VPN Server Browser Proxy Settings Test VPN Connectivity After Configuring Click to test the VPN connection you have just configured. The results of the test appear in a separate window. Browser Proxy Settings This window lists browser proxy settings, showing how they are configured. You can add, edit, or delete browser proxy settings. Use the group policies configuration to associate browser proxy settings with client groups. Name The name of the browser proxy settings.
Chapter 10 Easy VPN Server Add or Edit Easy VPN Server Exceptions List A list of IP addresses for which you do not want clients to use the proxy server. Add Button Configure new browser proxy settings. Edit Button Edit the specified browser proxy settings. Delete Button Delete the specified browser proxy settings. Browser proxy settings associated with one or more group policies cannot be deleted before those associations are removed.
Chapter 10 Easy VPN Server Add or Edit Easy VPN Server Interface Column The name of the interface used for this connection. Group Authorization Column The name of the method list used for group policy lookup. User Authentication Column The name of the method list used for user authentication lookup. Mode Configuration Displays one of the following: • Initiate The router is configured to initiate connections with Easy VPN Remote clients.
Chapter 10 Easy VPN Server Add or Edit Easy VPN Server Add or Edit Easy VPN Server Connection This window lets you add or edit an Easy VPN Server connection. Choose an Interface If you are adding a connection, choose the interface to use from this list. If you are editing the connection, this list is disabled. Choose an IPSec Policy If you are adding a connection, choose the IPSec policy to use from this list. If you are editing the connection, this list is disabled.
Chapter 10 Easy VPN Server Group Policies Configuration Restrict Access This window allows you to specify which group policies are allowed to use the Easy VPN connection. Allow a group access to the Easy VPN Server connection by checking its check box. Deny a group access to the Easy VPN Server connection by unchecking its check box.
Chapter 10 Easy VPN Server Group Policies Configuration Add, Edit, Clone, and Delete Buttons Use these buttons to manage group policies on the router. Clicking Clone displays the Group Policy edit tabs. Send Update Button Click to send an IKE notification of software or firmware updates to active clients of the chosen group. If this button is disabled, the chosen group does not have client update configured.
Chapter 10 Easy VPN Server Group Policies Configuration Details Window The Details window is a list of feature settings and their values for the chosen group policy. Feature settings are displayed only if they are supported by your Cisco router’s IOS release, and apply only to the chosen group. The following feature settings may appear in the list: • Authentication Values indicate a preshared key if one was configured, or a digital certificate if a preshared key was not configured.
Chapter 10 Easy VPN Server Local Pools The maximum number of connections a user can establish simultaneously. SDM supports a maximum of 10 simultaneous logins per user. • XAuth Banner The text message shown to clients during XAuth requests. Local Pools This window lists the IP address pools configured for Easy VPN group policies on the router. Add or Edit or Delete Buttons Use these buttons to manage the local pools on the router. Pool Name Column The name of the IP address pool.
Chapter 10 Easy VPN Server Local Pools Add or Edit IP Local Pool This window lets you create or edit a local pool of IP addresses. Pool Name If you are creating a pool, enter the pool name. If you are editing a pool, this field is disabled. IP Address Range Enter or edit the IP address ranges for the pool in this area. A pool can contain more than one IP address range. Use the Add, Edit, and Delete buttons to create additional ranges, edit ranges, and delete IP address ranges.
C H A P T E R 11 DMVPN These help topics provide information about Dynamic Multipoint Virtual Private Network (DMVPN) configuration screens. Dynamic Multipoint VPN This wizard will help you to configure your router as a Dynamic Multipoint VPN (DMVPN) hub or DMVPN spoke. A typical VPN connection is a point-to-point IPSec tunnel connecting two routers. DMVPN enables you to create a network with a central hub that connects other remote routers, referred to as spokes, using a GRE over IPSec tunnel.
Chapter 11 DMVPN Dynamic Multipoint VPN It is important to configure the hub first because spokes must be configured using information about the hub. If you are configuring a hub, you can use the Spoke Configuration feature available in the Summary window to generate a procedure that you can send to spoke administrators so that they can configure the spokes with the correct hub information. If you are configuring a spoke, you must obtain the correct information about the hub before you begin.
Chapter 11 DMVPN Dynamic Multipoint VPN SDM’s Configure Spoke feature enables you to create a text file that contains the information that spoke administrators need about the hub’s configuration. This feature is available from the Summary window of this wizard. You also need to tell the spoke administrators which subnet mask to use, and assign each spoke an IP address from the same subnet as the hub so that address conflicts do not occur.
Chapter 11 DMVPN Dynamic Multipoint VPN Digital Certificates Select this button if your router uses digital certificates for authentication. Digital certificates are configured under VPN Components>Public Key Infrastructure. Confirm Pre-Shared Key Reenter the key for confirmation. If the values in this field and the Pre-Shared Key field do not match, SDM prompts you to reenter them.
Chapter 11 DMVPN Dynamic Multipoint VPN Advanced Button SDM provides default values for advanced tunnel settings. However, the hub administrator must decide on the tunnel settings and give them to the personnel administering spoke routers so that they can make matching settings. Advanced Configuration for the Tunnel Interface Use this window to configure GRE tunnel parameters. SDM provides default values, but you must obtain the correct values from the hub administrator and enter them here.
Chapter 11 DMVPN Dynamic Multipoint VPN Tunnel Key Enter the key to use for this tunnel. This key should be the same for all mGRE tunnels in the network. SDM Default: 100000 Bandwidth Enter the intended bandwidth, in kilobytes per second (kbps). Default bandwidth values are set during startup; the bandwidth values can be displayed using the show interfaces EXEC command. 1000 is a typical bandwidth setting in DMVPN configurations.
Chapter 11 DMVPN Dynamic Multipoint VPN IP Address of hub’s mGRE tunnel interface Enter the IP address of the mGRE tunnel interface on the primary hub. Obtain this information from the hub administrator. Select Routing Protocol Use this window to specify how other networks behind your router are advertised to the other routers in the network. Select one of the following: Note • EIGRP—Enhanced Interior Gateway Routing Protocol. • OSPF—Open Shortest Path First. • RIP—Routing Information Protocol.
Chapter 11 DMVPN Dynamic Multipoint VPN Select an existing OSPF process ID/EIGRP AS number You can select an existing process ID for OSPF or AS number for EIGRP if one has been previously configured. See Recommendations for Configuring Routing Protocols for DMVPN. Create a new OSPF process ID/EIGRP AS number If no process IDs exist, or if you want to use a different one, you can configure a process ID in this field. OSPF Area ID for tunnel network Enter a new OSPF area ID for the network.
Chapter 11 DMVPN Dynamic Multipoint VPN Edit—Click to edit the data for an advertised network or group of networks. This button is enabled for entries that you created during the current instance of this wizard. Delete—Click to delete the data for the selected network or group of networks. This button is enabled for entries that you created during the current instance of this wizard. Dynamic Multipoint VPN (DMVPN) Spoke Wizard This wizard helps you to configure your router as a spoke in a DMVPN network.
Chapter 11 DMVPN Dynamic Multipoint VPN Fully Meshed Network Select if you are configuring the router as a spoke capable of establishing a direct IPSec tunnel to other spokes in the network. A multipoint GRE tunnel is configured on the spoke to support this functionality. When you select this option, the graphic displays links from the spokes to the hub, and links to each other. The wizard screen lists the IOS images required to support a fully-meshed DMVPN network.
Chapter 11 DMVPN Dynamic Multipoint VPN Re-register with hub when IP address of interface-name changes—This option is available when the interface you selected receives a dynamic IP address via DHCP or IPCP. Specifying this option will allow the spoke to re-register with the hub when it receives a new IP address. IP Address Enter the IP address for the GRE interface to this hub. This must be a private address and be in the same subnet as the GRE interfaces of the other routers in the network.
Chapter 11 DMVPN Edit Dynamic Multipoint VPN (DMVPN) Firewall If a firewall has been applied to the interface that was designated as the tunnel source, SDM can add access rule entries to the configuration so that GRE, IPSec, and ISAKMP traffic is allowed through the firewall. View Details Click this button to view the access control entries that SDM will add to the access rule if you select Allow GRE, IPSec, and ISAKMP traffic through the firewall.
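Before accepting the entries SDM offers to add, it helps to know which of the three traffic types (ISAKMP on UDP 500, ESP, and GRE) the firewall on the tunnel source interface already passes. The following is an added example, not code from the SDM guide or from Cisco: a small evaluator for the subset of IOS extended-ACL syntax used here (first match wins, implicit deny at the end, wildcard-mask matching) that reports which of the tunnel's flows a given inbound ACL would block. The ACL lines and addresses are constructed, and the function names are this example's own.

```python
import ipaddress
from collections import namedtuple

Ace = namedtuple("Ace", "action proto src src_wc dst dst_wc dport")
Flow = namedtuple("Flow", "name proto src dst dport")

# IOS prints well-known ports by name; map the one this check needs.
PORT_NAMES = {"isakmp": "500"}


def _parse_addr(tokens, i):
    """Decode one address spec: 'any', 'host A', or 'A WILDCARD'. Returns (addr, wildcard, next index)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_ace(line):
    """Parse the ACE subset used here: action, protocol, src, dst, optional 'eq PORT'."""
    t = line.split()
    action, proto = t[0], t[1]
    src, src_wc, i = _parse_addr(t, 2)
    dst, dst_wc, i = _parse_addr(t, i)
    dport = None
    if i + 1 < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1], t[i + 1])
    return Ace(action, proto, src, src_wc, dst, dst_wc, dport)


def _wildcard_match(addr, base, wildcard):
    """Wildcard semantics: bits set in the wildcard are don't-care bits."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & (~w & 0xFFFFFFFF)) == 0


def ace_matches(ace, flow):
    if ace.proto not in ("ip", flow.proto):
        return False
    if not _wildcard_match(flow.src, ace.src, ace.src_wc):
        return False
    if not _wildcard_match(flow.dst, ace.dst, ace.dst_wc):
        return False
    return ace.dport is None or ace.dport == flow.dport


def evaluate(acl, flow):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, flow):
            return ace.action
    return "deny"


def tunnel_flows(peer, local):
    """Inbound flows a GRE-over-IPSec tunnel needs through the firewall on the tunnel source interface."""
    return [
        Flow("ISAKMP", "udp", peer, local, "500"),  # IKE negotiation
        Flow("ESP", "esp", peer, local, None),      # IPSec encrypted payload (IP protocol 50)
        Flow("GRE", "gre", peer, local, None),      # GRE tunnel packets (IP protocol 47)
    ]


def missing_permits(acl_lines, peer, local):
    """Names of the tunnel flows the given ACL would block."""
    acl = [parse_ace(line) for line in acl_lines]
    return [f.name for f in tunnel_flows(peer, local) if evaluate(acl, f) != "permit"]


# Constructed inbound ACL for the tunnel source interface (not from a real device).
SAMPLE_ACL = [
    "permit udp host 203.0.113.5 host 203.0.113.1 eq isakmp",
    "permit esp host 203.0.113.5 host 203.0.113.1",
    "permit tcp any host 203.0.113.1 eq 22",
    "deny ip any any",
]

if __name__ == "__main__":
    print("blocked:", missing_permits(SAMPLE_ACL, "203.0.113.5", "203.0.113.1"))
```

Two caveats a practitioner will run into: a spoke whose address is assigned dynamically cannot be matched with a `host` entry, so the hub's entries for such spokes are necessarily broader than this sample; and if either peer sits behind NAT, IKE also uses UDP 4500 (NAT traversal), which the text above does not list, so add a corresponding Flow to tunnel_flows when auditing such a deployment.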
Chapter 11 DMVPN Edit Dynamic Multipoint VPN (DMVPN) IPSec Profile The IPSec profile that the tunnel uses. The IPSec profile defines the transform sets that are used to encrypt traffic on the tunnel. SDM supports the use of only IPSec profiles to define encryption in a DMVPN. If you want to use crypto-maps, configure the DMVPN using the CLI. IP Address The IP address of the GRE tunnel. The GRE tunnel is used to send routing updates to the DMVPN. Description A description of this tunnel.
Chapter 11 DMVPN Edit Dynamic Multipoint VPN (DMVPN) General Panel In this panel add or edit general configuration parameters of the DMVPN tunnel. IP Address Enter the IP address of the tunnel. This must be a private address and must be in the same subnet as the other tunnel addresses in the DMVPN. If you are configuring a spoke, you must use the address that the hub administrator has assigned to your router so that no address conflicts occur.
Chapter 11 DMVPN Edit Dynamic Multipoint VPN (DMVPN) Bandwidth Enter the intended bandwidth, in kilobytes per second (kbps). Default bandwidth values are set during startup; the bandwidth values can be displayed using the show interfaces EXEC command. The value 1000 is a typical bandwidth setting in DMVPN configurations. Delay Set a delay value for an interface, in tens of microseconds. The value 1000 is a typical delay setting in DMVPN configurations. Tunnel Key Enter the key to use for this tunnel.
Chapter 11 DMVPN Edit Dynamic Multipoint VPN (DMVPN) Hold Time Enter the number of seconds that NHRP network IDs should be advertised as valid. Network ID Enter the NHRP Network ID. The network ID is a globally unique, 32-bit network identifier for a nonbroadcast, multiaccess (NBMA) network. The range is 1 to 4294967295. The network ID must be unique for each NHRP station. Next Hop Server This area lists the IP addresses of the next hop servers that this router can contact.
Chapter 11 DMVPN Edit Dynamic Multipoint VPN (DMVPN) Destination Reachable through NBMA network—Enter the IP address of the mGRE tunnel configured on the primary hub. Spokes and backup hubs use this tunnel information to establish contact with the hub and create an mGRE tunnel to it. Spokes use the tunnel to send encrypted data to the hub and to query the hub for next hop information to other spokes.
Chapter 11 DMVPN Edit Dynamic Multipoint VPN (DMVPN) RIP Fields If you selected RIP as the dynamic routing protocol, select Version 1, Version 2, or Default. If you select Version 2, the router will include the subnet mask in the routing update. If you select Default, the router will send out Version 2 updates, but it will be able to receive RIP Version 1 or Version 2 updates. Turn off split horizon—If this is the hub router, check this box to turn off split horizon on the mGRE tunnel interface.
Chapter 11 DMVPN How Do I Configure a DMVPN Manually? How Do I Configure a DMVPN Manually? You can configure your router as a DMVPN hub or spoke using the VPN Components windows and the Edit Dynamic Multipoint VPN (DMVPN) window. In order to do so you need to complete the following tasks: • Configure an IPSec profile. You cannot configure a DMVPN connection until you have configured at least one IPSec profile. • Configure the DMVPN connection.
Chapter 11 DMVPN How Do I Configure a DMVPN Manually? To specify the networks you want to advertise to the DMVPN: If there are networks behind your router that you want to advertise to the DMVPN, you can do so by adding the network numbers in the Routing windows. Step 1 From the left panel, click Routing. Step 2 In the Routing window, select the routing protocol that you specified in DMVPN configuration, and click Edit. Step 3 Add the network numbers that you want to advertise.
C H A P T E R 12 VPN Global Settings
These help topics describe the VPN Global Settings windows.

VPN Global Settings
This window displays the VPN global settings for the router.

Edit Button
Click the Edit button to add or change VPN global settings.

Enable IKE
The value is True if IKE is enabled; it is False if IKE is disabled.
Note If IKE is disabled, VPN configurations will not operate.

XAuth Timeout
The number of seconds the router is to wait for a system to respond to the XAuth challenge.

IKE Identity
Either the host name of the router or the IP address that the router will use to identify itself in IKE negotiations.

Dead Peer Detection
Dead Peer Detection (DPD) enables a router to detect a dead peer and, if detected, delete the IPSec and IKE security associations with that peer.

IPSec Security Association (SA) Lifetime (Kilobytes)
The number of kilobytes that the router can send over the VPN connection before the IPSec SA expires. The SA will be renewed after the shortest lifetime is reached.

VPN Global Settings: IKE
This window lets you specify global settings for IKE and IPSec.

Enable IKE
Leave this box checked if you want to use VPN.
Caution If IKE is disabled, VPN configurations will not work.

Keepalive
Specify the number of seconds that the router should maintain a connection when it is not being used.

Retry
Specify the number of seconds that the router should wait between attempts to establish an IKE connection with a peer. The default value is 2 seconds.

DPD Type
Select On Demand or Periodic. If set to On Demand, DPD messages are sent on the basis of traffic patterns.
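The following Python model is an added example, not SDM or Cisco IOS code: it shows how the Keepalive, Retry and DPD Type settings above interact, that is, when a peer that has gone silent gets probed and when it is finally declared dead (at which point the IPSec and IKE SAs with it would be deleted). The number of unanswered probes before the peer is declared dead (`max_retries`) is an assumed parameter, because the page does not state the IOS retransmission limit; the second-by-second simulation and its traffic events are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DeadPeerDetector:
    """Model of IKE Dead Peer Detection towards one peer.

    keepalive   - seconds of silence from the peer before a DPD probe is due
    retry       - seconds between retransmitted probes once one is unanswered
    dpd_type    - "periodic" (probe on a timer) or "on-demand" (probe only when
                  we have traffic to send and the peer has been silent)
    max_retries - assumed probe count before the peer is declared dead; the real
                  IOS limit is not stated on this page
    """
    keepalive: int
    retry: int
    dpd_type: str = "on-demand"
    max_retries: int = 5
    last_rx: int = 0                      # time of the last packet seen from the peer
    probes: int = 0                       # unanswered probes outstanding
    next_retry: Optional[int] = None
    probes_sent: List[int] = field(default_factory=list)

    def _send_probe(self, now: int) -> None:
        self.probes += 1
        self.next_retry = now + self.retry
        self.probes_sent.append(now)

    def on_receive(self, now: int) -> None:
        """Any IKE/IPSec traffic from the peer (including a DPD ACK) proves liveness."""
        self.last_rx = now
        self.probes = 0
        self.next_retry = None

    def on_send(self, now: int) -> None:
        """We have outbound traffic for the peer: the on-demand trigger."""
        if (self.dpd_type == "on-demand" and self.probes == 0
                and now - self.last_rx >= self.keepalive):
            self._send_probe(now)

    def tick(self, now: int) -> str:
        """Advance the clock one step; returns "alive", "probing" or "dead"."""
        if self.probes == 0:
            if self.dpd_type == "periodic" and now - self.last_rx >= self.keepalive:
                self._send_probe(now)
            return "alive"
        if self.next_retry is not None and now >= self.next_retry:
            if self.probes >= self.max_retries:
                return "dead"             # SAs with this peer would now be deleted
            self._send_probe(now)
        return "probing"


def simulate(detector: DeadPeerDetector, rx_times, tx_times, end: int) -> Optional[int]:
    """Drive the detector one second at a time with constructed traffic events.
    Returns the second at which the peer is declared dead, or None."""
    rx, tx = set(rx_times), set(tx_times)
    for now in range(1, end + 1):
        if now in rx:
            detector.on_receive(now)
        if now in tx:
            detector.on_send(now)
        if detector.tick(now) == "dead":
            return now
    return None


if __name__ == "__main__":
    periodic = DeadPeerDetector(keepalive=10, retry=2, dpd_type="periodic")
    print("periodic, silent peer: dead at", simulate(periodic, [], [], 60), periodic.probes_sent)
    on_demand = DeadPeerDetector(keepalive=10, retry=2, dpd_type="on-demand")
    print("on-demand, nothing to send: dead at", simulate(on_demand, [], [], 60))
    on_demand = DeadPeerDetector(keepalive=10, retry=2, dpd_type="on-demand")
    print("on-demand, traffic at t=15: dead at", simulate(on_demand, [], [15], 60))
```

With Keepalive 10 and Retry 2, a periodic detector probes a silent peer at t=10 and retransmits at 12, 14, 16 and 18 before giving up at t=20, whereas an on-demand detector never probes a peer it has nothing to send to, and one packet from the peer at any point resets the whole sequence.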
VPN Key Encryption Settings
The VPN Key Encryption Settings window appears if the Cisco IOS image on your router supports Type 6 encryption, also referred to as VPN key encryption. You can use this window to specify a master key to use when encrypting VPN keys, such as pre-shared keys, Easy VPN keys, and XAuth keys. When encrypted, these keys will not be readable by someone viewing the router’s configuration file.
Chapter 12 VPN Global Settings VPN Global Settings Cisco Router and Security Device Manager Version 2.
C H A P T E R 13 IP Security
IP Security (IPSec) is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer; it uses IKE to handle negotiation of protocols and algorithms based on local policy, and to generate the encryption and authentication keys to be used by IPSec. SDM lets you configure IPSec transform sets, rules, and policies.

IPSec Policies

Name
The name of this IPSec policy.

Type
One of the following:
• ISAKMP—IKE will be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry. SDM supports Internet Security Association and Key Management Protocol (ISAKMP) crypto maps.
• Manual—IKE will not be used to establish the IPSec security associations for protecting the traffic specified by this crypto map entry.

Dynamic Crypto Map Sets in this IPSec Policy

Dynamic Crypto Map Set Name
The name of this dynamic crypto map set. Names enable administrators to understand how the crypto map set is used.

Sequence Number
The sequence number for this dynamic crypto map set.

Type
Type is always Dynamic.

What Do You Want to Do?
If you want to: | Do this:
Add an IPSec policy to the configuration. | Click Add.
Edit an existing IPSec policy. | Select the policy, and click Edit.

Crypto Maps in this IPSec policy
This box lists the crypto maps in this IPSec policy. The list includes the name, the sequence number, and the transform set that makes up this crypto map. You can select a crypto map and edit it or delete it from the IPSec policy. If you want to add a crypto map, click Add. If you want SDM to guide you through the process, check Use Add Wizard, and then click Add.

Add or Edit Crypto Map: General Panel
Change general crypto map parameters in this window. This window contains the following fields.

Name of IPSec Policy
A read-only field that contains the name of the policy in which this crypto map is used.

Description
Enter or edit a description of the crypto map in this field. This description appears in the VPN Connections list, and it can be helpful in distinguishing this crypto map from others in the same IPSec policy.

independently. It thus ensures that if one key is compromised, no other keys will be. If you enable PFS, you can specify use of the Diffie-Hellman group1, group2, or group5 method.
Note If your router does not support group5, it will not appear in the list.

Note A crypto map can contain a maximum of 6 transform sets.

Available Transform Sets
Configured transform sets available for use in crypto maps. If no transform sets have been configured on the router, this list contains the default transform sets that SDM provides.
Note
• Not all routers support all transform sets (encryption types). Unsupported transform sets will not appear in the screen.

If you want to: | Do this:
Change the preference order of the selected transform sets. | Select a transform set, and click the up button or the down button.
Add a transform set to the Available Transform Sets list. | Click Add, and configure the transform set in the Add Transform Set window.
Edit a transform set in the Available Transform Sets list. | Click Edit, and configure the transform set in the Edit Transform Set window.

Dynamic Crypto Map Sets
This window lists the dynamic crypto map sets configured on the router.

Add/Edit/Delete Buttons
Use these buttons to manage the crypto maps in the window. If you try to delete a crypto map set associated with an IPSec policy, SDM prevents you from doing so. You must disassociate the crypto map from the policy before deleting it. You can do this in the IPSec Policies window.

Name
The name of the dynamic crypto map.

Associate Crypto Map with this IPSec Policy

Sequence Number
Enter a sequence number to identify this crypto map set. This sequence number cannot be in use by any other crypto map set.

Select the Dynamic Crypto Map Set
Select the dynamic crypto map set you want to add from this list.

Crypto Maps in this Dynamic Crypto Map Set
This area lists the names, sequence numbers, and peers in the dynamic crypto map set you selected.

IPSec Profiles

Delete
Click to delete a selected IPSec profile. If the profile you are deleting is currently used in a DMVPN tunnel, you must configure the DMVPN tunnel to use a different IPSec profile.

Add or Edit IPSec Profile and Add Dynamic Crypto Map
Use this window to add or to edit an IPSec profile, or to add a dynamic crypto map.

Name
Enter a name for this profile.

Available Transform Sets
This column lists the transform sets configured on this router.

Transform Set
You can create multiple transform sets and then specify one or more of them in a crypto map entry. The transform set defined in the crypto map entry will be used in the IPSec security association negotiation to protect the data flows specified by that crypto map entry’s access list. During IPSec security association negotiations with IKE, the peers search for a transform set that is the same at both peers.

ESP Integrity
Indicates the integrity algorithm being used. This column will contain a value when the transform set is configured to provide both data integrity and encryption. The column will contain one of the following values:
• ESP-MD5-HMAC—Message Digest 5, Hash-based Message Authentication Code (HMAC).
• ESP-SHA-HMAC—Secure Hash Algorithm, HMAC.

AH Integrity
Indicates the integrity algorithm being used.

What Do You Want to Do?
If you want to: | Do this:
Add a new transform set to the router’s configuration. | Click Add, and create the transform set in the Add Transform Set window.
Edit an existing transform set. | Select the transform set, and click Edit. Then edit the transform set in the Edit Transform Set window.
Note SDM Default transform sets are read-only and cannot be edited.
Delete an existing transform set. | Select the transform set, and click Delete.

• Easy VPN Servers do not support ESP-SEAL encryption.

Name of this transform set
This can be any name that you want. The name does not have to match the name in the transform set that the peer uses, but it may be helpful to give corresponding transform sets the same name.

Data integrity and encryption (ESP)
Check this box if you want to provide Encapsulating Security Payload (ESP) data integrity and encryption.

• ESP_NULL. Null encryption algorithm, but encryption transform used.
Note The types of ESP encryption available depend on the router. Depending on the type of router you are configuring, one or more of these encryption types may not be available.

Data and address integrity without encryption (AH)
This check box and the fields below it appear if you click Show Advanced.

Note Not all routers support IP compression. If your router does not support IP compression, this box is disabled.

IPSec Rules
This window shows the IPSec rules configured for this router. IPSec rules define which traffic IPSec will encrypt. The top part of the window lists the access rules defined. The bottom part shows the access rule entries for the access rule selected in the rule list. IPSec rules contain IP address and type-of-service information.

Source
An IP address or keyword that specifies the source of the traffic. Any specifies that the source can be any IP address. An IP address in this column may appear alone, or it may be followed by a wildcard mask. If present, the wildcard mask specifies the portions of the IP address that the source IP address must match. For more information, see IP Addresses and Subnet Masks.

Destination
An IP address or keyword that specifies the destination of the traffic.
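As an added example (not SDM or IOS code), the matching rule that the wildcard mask column describes, applied to a small constructed crypto access list: entries are evaluated in order, a permit selects the traffic for IPSec, a deny leaves it in the clear, and traffic that matches nothing is not protected. `IPSecRuleEntry`, `ipsec_verdict` and the sample addresses are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Sequence


def ios_wildcard_match(address: str, base: str, wildcard: str = "0.0.0.0") -> bool:
    """True if `address` matches `base wildcard` the way an IOS access-list entry does.

    In a wildcard mask a 0 bit means "this bit must match" and a 1 bit means
    "ignore this bit" (the bitwise inverse of a subnet mask).  A wildcard of
    0.0.0.0 therefore matches exactly one host, 255.255.255.255 matches anything.
    """
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0


ANY = ("0.0.0.0", "255.255.255.255")      # what the IOS keyword "any" expands to


@dataclass(frozen=True)
class IPSecRuleEntry:
    action: str          # "permit": protect with IPSec; "deny": send in the clear
    src: str
    src_wild: str
    dst: str
    dst_wild: str


def ipsec_verdict(entries: Sequence[IPSecRuleEntry], src: str, dst: str) -> str:
    """First-match evaluation of a crypto access list: "protect" or "clear".
    Traffic matching no entry is not selected for IPSec, so it goes in the clear."""
    for e in entries:
        if (ios_wildcard_match(src, e.src, e.src_wild)
                and ios_wildcard_match(dst, e.dst, e.dst_wild)):
            return "protect" if e.action == "permit" else "clear"
    return "clear"


# Constructed example list: encrypt 10.1.1.0/24 -> 10.2.0.0/16 and everything
# one management host sends, but never local-to-local traffic, which the deny
# entry catches first.
SAMPLE_ENTRIES = [
    IPSecRuleEntry("deny",   "10.1.1.0",  "0.0.0.255", "10.1.1.0", "0.0.0.255"),
    IPSecRuleEntry("permit", "10.1.1.0",  "0.0.0.255", "10.2.0.0", "0.0.255.255"),
    IPSecRuleEntry("permit", "10.1.1.10", "0.0.0.0",   *ANY),
]


if __name__ == "__main__":
    for s, d in [("10.1.1.5", "10.2.3.4"), ("10.1.1.5", "10.1.1.9"),
                 ("10.3.0.1", "10.2.0.1"), ("10.1.1.10", "192.0.2.7")]:
        print(f"{s:>10} -> {d:<12} {ipsec_verdict(SAMPLE_ENTRIES, s, d)}")
```

The order of entries matters as much as their masks: moving the deny below the permits would silently encrypt the local-to-local flows, which is why SDM shows the entries in sequence and lets you reorder them.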
C H A P T E R 14 Internet Key Exchange
The help topics in this section describe the Internet Key Exchange (IKE) configuration screens.

Internet Key Exchange (IKE)
Internet Key Exchange (IKE) is a standard method for arranging for secure, authenticated communications. IKE establishes session keys (and associated cryptographic and networking configuration) between two hosts across the network. SDM lets you create IKE policies that will protect the identities of peers during authentication.

If you want to: | Do this:
Create an IKE policy. | Click the IKE Policy node on the VPN tree. SDM provides a default IKE policy, but there is no guarantee that the peer has the same policy. You should configure other IKE policies so that the router is able to offer an IKE policy that the peer can accept.
Create a pre-shared key. | If IKE is used, the peers at each end must exchange a pre-shared key to authenticate each other.

Hash
The authentication algorithm for negotiation. There are two possible values:
• Secure Hash Algorithm (SHA)
• Message Digest 5 (MD5)

Authentication
The authentication method to be used.
• Pre-SHARE. Authentication will be performed using pre-shared keys.
• RSA_SIG. Authentication will be performed using digital signatures.

Type
Either SDM_DEFAULT or User Defined. SDM_DEFAULT policies cannot be edited.

Add or Edit IKE Policy
Add or edit an IKE policy in this window.
Note
• Not all routers support all encryption types. Unsupported types will not appear in the screen.
• Not all IOS images support all the encryption types that SDM supports. Types unsupported by the IOS image will not appear in the screen.

• AES-192—Advanced Encryption Standard (AES) encryption with a 192-bit key.
• AES-256—Advanced Encryption Standard (AES) encryption with a 256-bit key.

Hash
The authentication algorithm to be used for the negotiation. There are two options:
• Secure Hash Algorithm (SHA)
• Message Digest 5 (MD5)

Authentication
The authentication method to be used.
• Pre-SHARE. Authentication will be performed using pre-shared keys.
• RSA_SIG.

Lifetime
This is the lifetime of the security association, in hours, minutes and seconds. The default is one day, or 24:00:00.

IKE Pre-shared Keys
This window allows you to view, add, edit, and remove IKE pre-shared keys in the router’s configuration. A pre-shared key is exchanged with a remote peer during IKE negotiation. Both peers must be configured with the same key.
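The two negotiations this chapter and the previous one describe, the IKE policy match (the page warns there is no guarantee the peer has the same policy) and the transform-set match (the peers search for a set that is the same at both ends), as one added Python example that is not Cisco or SDM code. The names `TransformSet`, `IKEPolicy` and the two `negotiate_*` functions are assumptions, the sample policies are constructed, and the selection rules modelled here (the responder walks its own policies in priority order, algorithms must match exactly, and the shorter of the two lifetimes is used) are the author's simplification of IKEv1 behaviour rather than something this page states.

```python
from dataclasses import dataclass, replace
from typing import Optional, Sequence


@dataclass(frozen=True)
class TransformSet:
    name: str
    esp_encryption: Optional[str]    # e.g. "esp-aes 256", "esp-3des", "esp-null", or None
    esp_integrity: Optional[str]     # "esp-sha-hmac", "esp-md5-hmac", or None
    ah_integrity: Optional[str]      # "ah-sha-hmac", "ah-md5-hmac", or None

    def protection(self):
        # The name is local only; peers compare the algorithms, not the name.
        return (self.esp_encryption, self.esp_integrity, self.ah_integrity)


def negotiate_transform_set(local: Sequence[TransformSet],
                            peer: Sequence[TransformSet]) -> Optional[TransformSet]:
    """Walk our transform sets in the order the crypto map lists them and return
    the first whose algorithms the peer also offers, or None if nothing matches."""
    offered = {t.protection() for t in peer}
    for mine in local:
        if mine.protection() in offered:
            return mine
    return None


@dataclass(frozen=True)
class IKEPolicy:
    priority: int            # lower number = tried first
    encryption: str          # "aes-256", "3des", ...
    hash: str                # "sha" or "md5"
    authentication: str      # "pre-share" or "rsa-sig"
    dh_group: int
    lifetime_seconds: int

    def attributes(self):
        return (self.encryption, self.hash, self.authentication, self.dh_group)


def negotiate_ike_policy(initiator: Sequence[IKEPolicy],
                         responder: Sequence[IKEPolicy]) -> Optional[IKEPolicy]:
    """Responder-side choice: take the responder's policies in priority order and
    accept the first whose algorithms appear among the initiator's proposals.
    Lifetimes need not match; the agreed SA uses the shorter of the two."""
    offered = {p.attributes(): p for p in initiator}
    for mine in sorted(responder, key=lambda p: p.priority):
        theirs = offered.get(mine.attributes())
        if theirs is not None:
            return replace(mine, lifetime_seconds=min(mine.lifetime_seconds,
                                                      theirs.lifetime_seconds))
    return None


# Constructed sample configuration for both ends of a tunnel.
LOCAL_TS = [TransformSet("STRONG", "esp-aes 256", "esp-sha-hmac", None),
            TransformSet("LEGACY", "esp-3des", "esp-md5-hmac", None)]
PEER_TS = [TransformSet("peer-1", "esp-3des", "esp-md5-hmac", None),
           TransformSet("peer-2", "esp-aes 256", "esp-sha-hmac", None)]

OUR_IKE = [IKEPolicy(10, "aes-256", "sha", "pre-share", 5, 86400),
           IKEPolicy(20, "3des", "sha", "pre-share", 2, 86400)]
PEER_IKE = [IKEPolicy(1, "3des", "sha", "pre-share", 2, 3600),
            IKEPolicy(2, "aes-256", "sha", "pre-share", 5, 43200)]


if __name__ == "__main__":
    print("transform set when we initiate:", negotiate_transform_set(LOCAL_TS, PEER_TS).name)
    print("IKE policy when peer initiates:", negotiate_ike_policy(PEER_IKE, OUR_IKE))
    print("IKE policy when we initiate:   ", negotiate_ike_policy(OUR_IKE, PEER_IKE))
```

Running it shows the point the page makes about ordering: the same two policy lists yield AES-256 when the peer initiates (our priority 10 wins) but 3DES when we initiate (the peer's priority 1 wins), so a weak policy left low in the list is still reachable by whichever side answers.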
If you want to: | Do this:
Add a pre-shared key to the router’s configuration. | Click Add, and add the pre-shared key in the Add a new Pre Shared Key window.
Edit an existing pre-shared key. | Select the pre-shared key, and click Edit. Then edit the key in the Edit Pre Shared Key window.
Remove an existing pre-shared key. | Select the pre-shared key, and click Remove.

Add or Edit Pre Shared Key
Use this window to add or edit a pre-shared key.

IP Address/Subnet Mask
These fields appear if you selected “IP Address” in the Peer field. Enter the IP address of a network or subnet in the IP Address field. The pre-shared key will apply to all peers in that network or subnet. For more information, refer to IP Addresses and Subnet Masks. Enter a subnet mask if the IP address you entered is a subnet address, and not the address of a specific host.
C H A P T E R 15 VPN Troubleshooting
SDM can troubleshoot VPN connections that you have configured. SDM reports the success or failure of the connection tests, and when tests have failed, recommends actions that you can take to correct connection problems. The following link provides information on VPN troubleshooting using the CLI. http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_b/vpnman/vms_2_2/rmc13/useguide/u13_rtrb.

Peer
The IP address or host name of the device at the other end of the VPN connection.

Summary
Click this button if you want to view the summarized troubleshooting information.

Details
Click this button if you want to view the detailed troubleshooting information.

Activity
This column displays the troubleshooting activities.

Status
Displays the status of each troubleshooting activity by the following icons and text alerts:
The connection is up.

VPN Troubleshooting: Specify Easy VPN Client

Test Specific Client Button
This button is enabled if you are testing connections for an Easy VPN server configured on the router. Click this button and specify the client to which you want to test connectivity. This button is disabled in the following circumstances:
• The Basic testing is not done or has not completed successfully.
• The IOS image does not support the required debugging commands.

Continue Button
After selecting the traffic generation type you want, click this button to continue testing.

Close Button
Click this button to close the window.

VPN Troubleshooting: Generate Traffic
This window allows you to generate site-to-site VPN or Easy VPN traffic for debugging. You can allow SDM to generate VPN traffic or you can generate VPN traffic yourself.

Have SDM generate VPN Traffic
Select this option if you want SDM to generate VPN traffic on the interface for debugging.
Note SDM will not generate VPN traffic when the VPN tunnel traffic is from a non-IP based Access Control List (ACL) or when the applied and current CLI View is not root view.

Enter the IP address of a host in the source network
Enter the host IP address in the source network.

VPN Troubleshooting: Generate GRE Traffic

Have SDM generate VPN Traffic
Select this option if you want SDM to generate VPN traffic on the interface for debugging.

Enter the remote tunnel IP address
Enter the IP address of the remote GRE tunnel. Do not use the address of the remote interface.

I will generate VPN traffic from the source network
Select this option if you want to generate VPN traffic from the source network.
C H A P T E R 16 Security Audit
Security Audit is a feature that examines your existing router configurations and then updates your router in order to make your router and network more secure. Security Audit is based on the Cisco IOS AutoSecure feature; it performs checks on and assists in configuration of almost all of the AutoSecure functions.

The Welcome page of the Security Audit wizard appears.
Step 3 Click Next>. The Security Audit Interface Configuration page appears.
Step 4 The Security Audit wizard needs to know which of your router interfaces connect to your inside network and which connect outside of your network. For each interface listed, check either the Inside or Outside check box to indicate where the interface connects.
Step 5 Click Next>.

One-Step Lockdown
This option tests your router configuration for any potential security problems and automatically makes any necessary configuration changes to correct any problems found.

• Enable NetFlow Switching
• Disable IP Redirects
• Disable IP Proxy ARP
• Disable IP Directed Broadcast
• Disable MOP Service
• Disable IP Unreachables
• Disable IP Mask Reply
• Disable IP Unreachables on NULL Interface
• Enable Unicast RPF on Outside Interfaces
• Enable Firewall on All of the Outside Interfaces
• Set Access Class on HTTP Server Service
• Set Access Class on VTY Lines
• Enable SSH for Access to the Router

Welcome Page
This

Outside Column
This column displays a check box for each interface listed in the Interface column. Check the check box for each interface that connects to a network outside of your network, such as the Internet.

Inside Column
This column displays a check box for each interface listed in the Interface column. Check the check box for each interface that connects directly to your local network and is thus protected from the Internet by your firewall.

Fix It Page
you selected, collecting further input from you as necessary, and will then display a list of the new configuration commands that will be added to the router configuration.

Fix All
Click this button to place a check mark next to all of the potential security problems listed on the Report Card screen.

Select an option:
Undo Security Configurations
When this option is selected, SDM displays the security configurations that it can undo.

The configuration that will be delivered to the router to disable the Finger service is as follows:
no service finger
This fix can be undone. To learn how, click Undoing Security Audit Fixes.

Disable PAD Service
Security Audit disables all packet assembler/disassembler (PAD) commands and connections between PAD devices and access servers whenever possible.

The configuration that will be delivered to the router to disable TCP small servers is as follows:
no service tcp-small-servers
This fix can be undone. To learn how, click Undoing Security Audit Fixes.

Disable UDP Small Servers Service
Security Audit disables small services whenever possible. By default, Cisco devices running Cisco IOS version 11.3 or earlier offer the “small services”: echo, chargen, and discard.

In addition, the BOOTP service is vulnerable to DoS attacks; therefore it should be disabled or filtered via a firewall for this reason as well. The configuration that will be delivered to the router to disable BOOTP is as follows:
no ip bootp server
This fix can be undone. To learn how, click Undoing Security Audit Fixes.

Disable IP Identification Service
Security Audit disables identification support whenever possible.

This fix can be undone. To learn how, click Undoing Security Audit Fixes.

Disable IP Source Route
Security Audit disables IP source routing whenever possible. The IP protocol supports source routing options that allow the sender of an IP datagram to control the route that the datagram will take toward its ultimate destination, and generally the route that any reply will take. These options are rarely used for legitimate purposes in networks.

Enable TCP Keepalives for Inbound Telnet Sessions
Security Audit enables TCP keepalive messages for both inbound and outbound Telnet sessions whenever possible. Enabling TCP keepalives causes the router to generate periodic keepalive messages, letting it detect and drop broken Telnet connections.

service sequence-numbers

Enable IP CEF
Security Audit enables Cisco Express Forwarding (CEF) or Distributed Cisco Express Forwarding (DCEF) whenever possible. Because there is no need to build cache entries when traffic starts arriving at new destinations, CEF behaves more predictably than other modes when presented with large volumes of traffic addressed to many destinations.

This configuration change will require every password on the router, including the user, enable, secret, console, AUX, tty, and vty passwords, to be at least six characters in length. This configuration change will be made only if the Cisco IOS version running on your router supports the minimum password length feature.

connections, this can overwhelm and disable the host. Setting the TCP synwait time to 10 seconds causes the router to shut down an incomplete connection after 10 seconds, preventing the buildup of incomplete connections at the host. The configuration that will be delivered to the router to set the TCP synwait time to 10 seconds is as follows:
ip tcp synwait-time <10>

Set Banner
Security Audit configures a text banner whenever possible.

logging console critical
logging trap debugging
logging buffered
logging

Set Enable Secret Password
Security Audit will configure the enable secret Cisco IOS command for more secure password protection whenever possible. The enable secret command is used to set the password that grants privileged administrative access to the Cisco IOS system.

The configuration that will be delivered to the router to disable SNMP is as follows:
no snmp-server

Set Scheduler Interval
Security Audit configures the scheduler interval on the router whenever possible. When a router is fast-switching a large number of packets, it is possible for the router to spend so much time responding to interrupts from the network interfaces that no other work gets done. Some very fast packet floods can cause this condition.

Set Users
Security Audit secures the console, AUX, vty, and tty lines by configuring Telnet user accounts to authenticate access to these lines whenever possible. Security Audit will display a dialog box that lets you define user accounts and passwords for these lines.

NetFlow identifies flows of network packets based on the source and destination IP addresses and TCP port numbers. NetFlow then can use just the initial packet of a flow for comparison to ACLs and for other security checks, rather than having to use every packet in the network flow. This enhances performance, allowing you to make use of all of the router security features.

The configuration that will be delivered to the router to disable proxy ARP is as follows:
no ip proxy-arp
This fix can be undone. To learn how, click Undoing Security Audit Fixes.

Disable IP Directed Broadcast
Security Audit disables IP directed broadcasts whenever possible. An IP directed broadcast is a datagram which is sent to the broadcast address of a subnet to which the sending machine is not directly attached.

Disable MOP Service
Security Audit will disable the Maintenance Operations Protocol (MOP) on all Ethernet interfaces whenever possible. MOP is used to provide configuration information to the router when communicating with DECNet networks. MOP is vulnerable to various attacks. The configuration that will be delivered to the router to disable the MOP service on Ethernet interfaces is as follows:
no mop enabled
This fix can be undone.

in the internetwork. ICMP mask reply messages are sent to the device requesting the information by devices that have the requested information. These messages can be used by an attacker to gain network mapping information. The configuration that will be delivered to the router to disable ICMP mask reply messages is as follows:
no ip mask-reply
This fix can be undone. To learn how, click Undoing Security Audit Fixes.

Enable Unicast RPF on Outside Interfaces
Security Audit enables unicast Reverse Path Forwarding (RPF) on all interfaces that connect to the Internet whenever possible. RPF is a feature that causes the router to check the source address of any packet against the interface through which the packet entered the router. If the input interface is not a feasible path to the source address according to the routing table, the packet will be dropped.
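The check the paragraph describes, as an added Python example (not IOS code): a longest-prefix routing table, strict reverse-path verification applied only on the outside interface, and, going one step beyond the page, loose mode for contrast. The routing table and the packets are constructed; `RoutingTable`, `urpf_strict_accepts`, `urpf_loose_accepts` and `screen_packets` are illustrative names.

```python
import ipaddress
from typing import List, Optional, Sequence, Tuple


class RoutingTable:
    """Minimal IPv4 routing table with longest-prefix match."""

    def __init__(self, routes: Sequence[Tuple[str, str]]):
        self._routes = sorted(
            ((ipaddress.ip_network(prefix), interface) for prefix, interface in routes),
            key=lambda r: r[0].prefixlen, reverse=True)

    def egress_for(self, address: str) -> Optional[str]:
        """Interface the router would use to reach `address`, or None if no route."""
        a = ipaddress.ip_address(address)
        for network, interface in self._routes:
            if a in network:
                return interface
        return None


def urpf_strict_accepts(table: RoutingTable, source: str, ingress: str) -> bool:
    """Strict unicast RPF as described above: keep the packet only if the route
    back to its source address leaves through the interface it arrived on."""
    return table.egress_for(source) == ingress


def urpf_loose_accepts(table: RoutingTable, source: str) -> bool:
    """Loose mode (not on this page, shown for contrast): any route to the source
    other than a Null0 discard route is good enough.  Note that a default route
    makes loose mode accept almost everything."""
    egress = table.egress_for(source)
    return egress is not None and egress != "Null0"


def screen_packets(table: RoutingTable, packets, outside_interface: str) -> List[Tuple[str, str, str]]:
    """Apply strict uRPF on the outside interface only, as Security Audit does;
    returns (source, ingress, verdict) for every packet."""
    results = []
    for source, ingress in packets:
        if ingress == outside_interface:
            verdict = "forward" if urpf_strict_accepts(table, source, ingress) else "drop"
        else:
            verdict = "forward"
        results.append((source, ingress, verdict))
    return results


# Constructed routing table: default route out the Internet-facing Serial0, two
# inside LANs on Ethernet ports, and a discard route for address space that
# must never be reached via the default route.
TABLE = RoutingTable([
    ("0.0.0.0/0", "Serial0"),
    ("10.1.0.0/16", "Ethernet0"),
    ("10.2.0.0/16", "Ethernet1"),
    ("192.168.0.0/16", "Null0"),
])
# Constructed packets as (source address, ingress interface).
PACKETS = [
    ("198.51.100.7", "Serial0"),    # legitimate Internet source
    ("10.1.5.5", "Serial0"),        # inside address arriving from outside: spoofed
    ("192.168.3.3", "Serial0"),     # reachable only via the Null0 discard route
    ("10.2.9.9", "Ethernet1"),      # inside traffic; uRPF is not applied here
]


if __name__ == "__main__":
    for source, ingress, verdict in screen_packets(TABLE, PACKETS, "Serial0"):
        print(f"{source:>14} on {ingress:<10} -> {verdict}")
```

The second packet is the case the fix is for: a packet claiming an inside source address but entering from the Internet fails the reverse-path check and is dropped before it can reach the firewall or the hosts behind it.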
Chapter 16 Security Audit Fix It Page destination addresses. Without CBAC, advanced application traffic is permitted only by writing Access Control Lists (ACLs). This approach leaves firewall doors open, so most administrators tend to deny all such application traffic. With CBAC enabled, however, you can securely permit multimedia and other application traffic by opening the firewall as needed and closing it all other times.
Chapter 16 Security Audit Fix It Page access-class Enable SSH for Access to the Router If the Cisco IOS image running on the router is a crypto image (an image that uses 56-bit Data Encryption Standard (DES) encryption and is subject to export restrictions), then Security Audit will implement the following configurations to secure Telnet access whenever possible: • Enable Secure Shell (SSH) for Telnet access. SSH makes Telnet access much more secure.
Chapter 16 Security Audit Configuration Summary Screen • Configure authentication and authorization for VTY lines The local database will be used for both authentication and authorization. • Configure authentication for a console line The local database will be used for authentication.
Chapter 16 Security Audit SDM and Cisco IOS AutoSecure • Disable IP Proxy ARP • Disable IP Directed Broadcast • Disable MOP Service • Disable IP Unreachables • Disable IP Unreachables on NULL Interface • Disable IP Mask Reply • Enable Password Encryption Service • Disable IP Unreachables on NULL Interface • Disable IP Unreachables on NULL Interface • Set Minimum Password Length to Less Than 6 Characters • Enable IP CEF • Enable Firewall on All of the Outside Interfaces • Set User
Chapter 16 Security Audit Security Configurations SDM Can Undo • Configuring AAA—If the Authentication, Authorization, and Accounting (AAA) service is not configured, AutoSecure configures local AAA and prompts for configuration of a local username and password database on the router. SDM does not support AAA configuration. • Setting SPD Values—SDM does not set Selective Packet Discard (SPD) values. • Enabling TCP Intercepts—SDM does not enable TCP intercepts.
Security Configuration                       Equivalent CLI
Enable NetFlow Switching                     ip route-cache flow
Disable IP Redirects                         no ip redirects
Disable IP Proxy ARP                         no ip proxy-arp
Disable IP Directed Broadcast                no ip directed-broadcast
Disable MOP Service                          no mop enabled
Disable IP Unreachables                      int no ip unreachables
Disable IP Mask Reply                        no ip mask-reply
Disable IP Unreachables on NULL Interface    int null 0
Enable Password Encryption Servic
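As an added example (not part of this guide and not SDM's own code), the following Python script audits a plain-text Cisco IOS running configuration against the interface-level fixes in the table above. It reports an item as fixed only when its command is explicitly present in the interface block; the sample configuration is constructed for the demonstration.

```python
"""Check a Cisco IOS running configuration for the per-interface Security Audit
fixes listed in the table above.  Added example; the configuration below is
constructed, and the audit is a plain-text check, not SDM's own logic."""

# Security Audit item -> CLI line expected inside each interface block.
INTERFACE_FIXES = {
    "Enable NetFlow Switching": "ip route-cache flow",
    "Disable IP Redirects": "no ip redirects",
    "Disable IP Proxy ARP": "no ip proxy-arp",
    "Disable IP Directed Broadcast": "no ip directed-broadcast",
    "Disable MOP Service": "no mop enabled",
    "Disable IP Unreachables": "no ip unreachables",
    "Disable IP Mask Reply": "no ip mask-reply",
}

# The NULL interface needs only the unreachables fix (the "int null 0" row).
NULL_INTERFACE_FIX = ("Disable IP Unreachables on NULL Interface", "no ip unreachables")

# Constructed sample: Fa0/0 is fully hardened, Fa0/1 is not, Null0 is untouched.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip route-cache flow
 no ip redirects
 no ip proxy-arp
 no ip directed-broadcast
 no mop enabled
 no ip unreachables
 no ip mask-reply
!
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 no ip proxy-arp
!
interface Null0
!
"""


def parse_interfaces(config_text):
    """Return {interface name: set of its indented config lines}.

    An interface block starts at an 'interface ...' line and ends at the first
    line that is not indented (a '!' separator or a global command)."""
    blocks = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = set()
        elif current is not None and line.startswith(" "):
            blocks[current].add(line.strip())
        else:
            current = None
    return blocks


def audit_config(config_text):
    """Return a list of (interface, Security Audit item) pairs still unfixed.

    Caveat: a command that equals the IOS default is not printed in the running
    configuration, so an absent line is reported as unfixed and must then be
    confirmed with the interface's actual state on the router."""
    findings = []
    for name, lines in parse_interfaces(config_text).items():
        if name.lower().startswith("null"):
            item, cmd = NULL_INTERFACE_FIX
            if cmd not in lines:
                findings.append((name, item))
            continue
        for item, cmd in INTERFACE_FIXES.items():
            if cmd not in lines:
                findings.append((name, item))
    return findings


if __name__ == "__main__":
    for interface, item in audit_config(SAMPLE_CONFIG):
        print(f"{interface}: {item} not applied")
```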
User Name
Enter the username for the new account in this field.
Password
Enter the password for the new account in this field.
Confirm Password
Reenter the new account password in this field for confirmation. The entry in this field must match the entry in the password field.
Configure User Accounts for Telnet/SSH Page
This screen lets you manage the user accounts that have Telnet or Secure Shell (SSH) access to your router.
Delete Button
Click a user account in the table to select it, and click this button to delete the selected account.
Enable Secret and Banner Page
This screen lets you enter a new enable secret and a text banner for the router. The enable secret is an encrypted password that provides administrator-level access to all functions of the router. It is vital that the secret be secure and difficult to crack.
Logging Page
This screen lets you configure the router log by creating a list of syslog servers where log messages will be forwarded, and by setting the logging level, which determines the minimum severity a log message must have in order for it to be captured.
IP Address/Hostname Table
This table displays a list of hosts to where the router log messages will be forwarded. These hosts should be syslog servers that can trap and manage the router log messages.
Add...
Immediate action needed
– 2 - critical        Critical conditions
– 3 - errors          Error conditions
– 4 - warnings        Warning conditions
– 5 - notifications   Normal but significant condition
– 6 - informational   Informational messages only
– 7 - debugging       Debugging messages
Cisco Router and Security Device Manager Version 2.
Chapter 17 Routing
The Routing window displays the configured static routes and Routing Internet Protocol (RIP), Open Shortest Path First (OSPF), and Extended Interior Gateway Routing Protocol (EIGRP) configured routes. From this window, you can review the routes, add new routes, edit existing routes, and delete routes.
Note Static and dynamic routes configured for GRE over IPSec tunnels will appear in this window.
What Do You Want To Do?
If you want to:           Do this:
Add a static route.       Click Add, and create the static route in the Add a Static Route window.
Edit a static route.      Select the static route, and click Edit. Edit the route information in the IP Static Route window. When a route has been configured that SDM does not support, the Edit button is disabled.
Delete a static route.    Select the static route, and click Delete. Then, confirm the deletion in the warning window.
Routing Protocol    Configuration Parameters
RIP                 RIP Version, Network, Passive Interface
OSPF                Process ID
EIGRP               Autonomous System Number
Item Value
This column contains the text “Enabled,” and configuration values when a routing type has been configured. It contains the text “Disabled” when a routing protocol has not been configured.
What Do You Want To Do?
If you want to:            Do this:
Configure an RIP route.    Select the RIP tab and click Edit.
Prefix
Enter the IP address of the destination network. For more information, refer to Available Interface Configurations.
Prefix Mask
Enter the destination address subnet mask.
Make this the default route
Check this box to make this the default route for this router. A default route forwards all the unknown outbound packets through this route.
Forwarding
Specify how to forward data to the destination network.
Add or Edit an RIP Route
Use this window to add or edit a Routing Internet Protocol (RIP) route.
RIP Version
The values are RIP version 1, RIP version 2, and Default. Select the version supported by the Cisco IOS image that the router is running. When you select version 1, the router sends version 1 RIP packets and can receive version 1 packets. When you select version 2, the router sends version 2 RIP packets and can receive version 2 packets.
IP Network List
Enter the networks that you want to create routes to. Click Add to add a network. Click Delete to delete a network from the list.
Network
The address of the destination network for this route. For more information, refer to Available Interface Configurations.
Mask
The subnet mask used on that network.
Area
The OSPF area number for that network. Each router in a particular OSPF area maintains a topological database for that area.
Add or Edit EIGRP Route
Use this window to add or delete an Extended IGRP (EIGRP) route.
Autonomous System Number
The autonomous system number is used to identify the router’s EIGRP routing process to other routers.
IP Network List
Enter the networks that you want to create routes to. Click Add to add a network. Click Delete to delete a network from the list.
Available Interface List
The available interfaces are shown in this list.
Chapter 18 Network Address Translation
Network Address Translation (NAT) is a robust form of address translation that extends addressing capabilities by providing both static address translations and dynamic address translations. NAT allows a host that does not have a valid registered IP address to communicate with other hosts through the Internet.
If your network has email servers, web servers, or other types of servers and you want them to accept connections from the Internet, choose Advanced NAT and click the Launch button.
Note If you do not want your servers to accept connections from the Internet, you can use the Basic NAT wizard.
To remove a network from the NAT configuration, clear its checkbox.
Note If SDM detects a conflict between the NAT configuration and an existing VPN configuration for the WAN interface, it will inform you with a dialog box after you click Next.
Summary
This window shows you the NAT configuration you created, and allows you to save the configuration.
Advanced NAT Wizard: Connection
Choose an Interface
From the drop down menu, choose the interface that connects to the Internet. This is the router’s WAN interface.
Additional Public IP Addresses
Click Add to enter public IP addresses that you own. You will be able to assign these IP addresses to servers on your network that you want to make available to the Internet.
• Any comments entered about the network
To remove a network from the NAT configuration, clear its checkbox. To add a network not directly connected to your router to the list, click Add Networks.
Note If SDM does not allow you to place a checkmark next to a network for which you want to configure a NAT rule, the interface associated with the network has already been designated as a NAT interface.
To reorder the list based on the private IP addresses, click the column head Private IP Address. To reorder the list based on the public IP addresses, click the column head Public IP Address.
Add Button
To add a translation rule for a server, click Add.
Edit Button
To edit a translation rule for a server, select it in the list and click Edit.
Delete Button
To delete a translation rule, select it in the list and click Delete.
Type of Server
This field appears only if you choose to show advanced options with the Show or Hide Advanced button. Choose one of the following server types from the drop-down menu:
• Web server—An HTTP host serving HTML and other WWW-oriented pages.
• Email server—An SMTP server for sending Internet mail.
• Other—The server is not a web or email server, but requires port translation to provide service.
Advanced NAT Wizard: VPN Conflict
If this Advanced NAT wizard window appears, SDM has detected a conflict between the NAT configuration and an existing VPN configuration for the WAN interface. Choose to modify the NAT configuration to remove the conflict, or choose to not modify the NAT configuration. If you choose to not modify the NAT configuration, the conflict may cause your VPN connection to stop working.
Address Pools
Click this button to configure or edit address pools. Address pools are used with dynamic address translation. The router can dynamically assign addresses from the pool as they are needed. When an address is no longer needed, it is returned to the pool.
Translation Timeouts
When dynamic NAT is configured, translation entries have a timeout period after which they expire and are purged from the translation table.
Rule Type
Rules are either static address translation rules or dynamic address translation rules. Static address translation allows hosts with private addresses to access the Internet and to be publicly accessible from the Internet. It statically maps one private IP address to one public or global address. If you wanted to provide static translation to 10 private addresses, you would create a separate static rule for each address.
If you want to:                       Do this:
Make translation timeout settings.    Click Translation Timeouts, and make settings in the Translation Timeouts window.
Add a NAT rule.                       Click Add, and create the NAT rule in the Add Address Translation Rule window. If you want to use an existing NAT rule as a template for the new rule, select the rule, click Clone selected entry on Add, and then click Add.
Edit a NAT rule.
Note There are many conditions that cause previously-configured NAT rules to appear as read-only in the Network Address Translation Rules list, causing the rule to not be editable. For more information, see the help topic Reasons that SDM Cannot Edit a NAT Rule.
Designate NAT Interfaces
Use this window to designate the inside and outside interfaces that you want to use in NAT translations.
DNS Timeout
Enter the number of seconds after which connections to DNS servers time out.
ICMP Timeout
Enter the timeout value for Internet Control Message Protocol (ICMP) flows. The default is 60 seconds.
PPTP Timeout
Enter the timeout value for NAT Point-to-Point Tunneling Protocol (PPTP) flows. The default is 86400 seconds (24 hours).
Edit Route Map
When VPNs and NAT are both configured on a router, packets that would normally meet the criteria for an IPSec rule will not do so if NAT translates their IP addresses. In this case, NAT translation will cause packets to be sent without being encrypted. SDM may create route maps to prevent NAT from translating IP addresses that you want to be preserved.
Edit Route Map Entry
Use this window to edit the access list specified in a route map entry.
Name
A read-only field containing the name of the route map entry.
Seq No.
A read-only field containing the sequence number for the route map. When SDM creates a route map, it automatically assigns it a sequence number.
Action
Either permit or deny. Route maps created by SDM are configured with the permit keyword.
Address
This field contains the IP address range in the pool. Devices whose IP addresses match the access rule specified in the Add Address Translation rule window will be given private IP addresses from this pool.
What do you want to do?
If you want to:                                        Do this:
Add an address pool to the router’s configuration.     Click Add, and configure the pool in the Add Address Pool window.
Port Address Translation (PAT)
There may be times when most of the addresses in the pool have been assigned, and the IP address pool is nearly depleted. When this occurs, PAT can be used with a single IP address to satisfy additional requests for IP addresses. Check this box if you want the router to use PAT when the address pool is close to depletion.
Direction
This help topic describes how to use the Add Address Translation Rule fields when From inside to outside is selected.
From inside to outside
Select this option if you want to translate private addresses on the LAN to legal addresses on the Internet or on your organization’s intranet. You may want to select this option if you use private addresses on your LAN that are not globally unique on the Internet.
Network Mask
If you want SDM to translate the addresses of a subnet, enter the mask for that subnet. SDM determines the network/subnet number and the set of addresses needing translation from the IP address and mask that you supply.
Translate to Interface
This area shows the interfaces out of which packets with translated addresses may exit the router.
• If you are mapping the inside local addresses of a subnet to the corresponding inside global addresses, enter any IP address that you want to use in the translation in this field. The network mask entered in the Translate from... Interface area will be used to calculate the remaining inside global addresses.
Note If you do not enter a network mask in the Translate from Interface area, SDM will perform only one translation.
Note If you create a NAT rule that would translate addresses of devices that are part of a VPN, SDM will prompt you to allow it to create a route map that protects those addresses from being translated by NAT. If NAT is allowed to translate addresses of devices on a VPN, their translated addresses will not match the IPSec rule used in the IPSec policy, and traffic will be sent unencrypted.
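The following added Python example (not SDM's code) illustrates the two points above: how a single inside global address plus the network mask yields the full set of inside local to inside global pairs for a static subnet rule (one pair only when no mask is given), and how to flag the inside local addresses that also belong to a VPN-protected network and therefore need the route map SDM offers to create. The addresses and the VPN-protected network are constructed; the host-part-preserving mapping is this example's own reading of the behaviour described above.

```python
"""Static NAT subnet mapping and VPN-overlap check.  Added example; the input
addresses are constructed and the mapping rule is this example's own
illustration of the behaviour described in the guide, not SDM's implementation."""
import ipaddress


def static_translations(inside_local, inside_global, network_mask=None):
    """Return a list of (inside local, inside global) address pairs.

    Without a mask exactly one host is translated.  With a mask, the host part
    of every address in the inside local subnet is carried over onto the subnet
    of the inside global address, so one global address plus the mask is enough
    to derive all the remaining inside global addresses."""
    local = ipaddress.IPv4Address(inside_local)
    glob = ipaddress.IPv4Address(inside_global)
    if network_mask is None:
        return [(str(local), str(glob))]
    local_net = ipaddress.IPv4Network((local, network_mask), strict=False)
    global_net = ipaddress.IPv4Network((glob, network_mask), strict=False)
    host_bits = int(local_net.hostmask)
    pairs = []
    for host in local_net.hosts():
        offset = int(host) & host_bits          # host part within the subnet
        pairs.append((str(host), str(global_net.network_address + offset)))
    return pairs


def vpn_conflicts(pairs, vpn_protected_networks):
    """Return the inside local addresses in the rule that fall inside a network
    protected by an IPSec policy.  Translating them would change the source
    address so the IPSec rule no longer matches and traffic leaves unencrypted;
    these are the addresses a route map must exclude from NAT."""
    nets = [ipaddress.IPv4Network(n) for n in vpn_protected_networks]
    return [local for local, _ in pairs
            if any(ipaddress.IPv4Address(local) in net for net in nets)]


if __name__ == "__main__":
    # Constructed values: an internal /24 mapped onto a documentation prefix,
    # while the lower half of the /24 is also reachable through a VPN.
    mapping = static_translations("10.1.1.0", "198.51.100.0", "255.255.255.0")
    print(f"{len(mapping)} translations, first {mapping[0]}, last {mapping[-1]}")
    clash = vpn_conflicts(mapping, ["10.1.1.0/25"])
    print(f"{len(clash)} addresses need protection from NAT by a route map")
```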
IP Address
Do one of the following:
• If you want to create a one-to-one static mapping between the outside global address of a single remote host and a translated address, known as the outside local address, enter the IP address for the remote host.
Note If you do not enter a network mask in the Translate from Interface area, SDM will perform only one translation.
Redirect Port
Check this box if you want to include port information for the outside device in the translation. This enables you to use extended static translation and to use the same public IP address for multiple devices, as long as the port specified for each device is different.
Note If you create a NAT rule that would translate addresses of devices that are part of a VPN, SDM will prompt you to allow it to create a route map that protects those addresses from being translated by NAT. If NAT is allowed to translate addresses of devices on a VPN, their translated addresses will not match the IPSec rule used in the IPSec policy, and traffic will be sent unencrypted.
Access Rule...
Dynamic NAT translation rules use access rules to specify the addresses that need translation. If you select From inside to outside, these are the inside local addresses. Enter the name or number of the access rule that defines the addresses you want to translate. If you do not know the name or number, you can click on the ... button and select an existing access rule, or you can create a new access rule and select it.
Add or Edit Dynamic Address Translation Rule: Outside to Inside
Use this help topic when you have chosen direction From Outside to Inside in the Add or the Edit Dynamic Address Translation Rule window. Add or edit an address translation rule in this window. If you are editing a rule, the rule type, static or dynamic, and the direction are disabled.
Translate from Interface
This area shows the interfaces from which packets needing address translation may arrive. It provides fields for you to specify the IP address of a single host, or a network address and subnet mask that represent the hosts on a network.
Outside Interfaces
If you chose From outside to inside, this area contains the designated outside interfaces.
Type
Select Interface if you want the Translate from... addresses to use the address of an interface on the router. They will be translated to the address that you specify in the interface field, and PAT will be used to distinguish each host on the network. Select Address Pool if you want the addresses to be translated to addresses defined in a configured address pool.
• Add or Edit Dynamic Address Translation Rule: Inside to Outside
Each time you add a new address translation rule using these directions, choose the same LAN interface and a new WAN interface. Repeat this procedure for all WAN interfaces that you want to configure with address translation rules.
Chapter 19 Intrusion Prevention System
IOS Intrusion Prevention System (IPS) allows you to manage intrusion prevention on routers that run an IOS image of version 12.3(8)T4 or later. IPS lets you monitor and prevent intrusions by comparing traffic against signatures of known threats and blocking the traffic when a threat is detected. SDM lets you control the application of IPS on interfaces, import and edit signature definition files (SDFs) from Cisco.
Global Settings Drawer
Click to display the Global Settings window where you make settings that affect the overall operation of IOS IPS.
SDEE Messages Drawer
Secure Device Event Exchange (SDEE) messages report on the progress of IPS initialization and operation. Click this node to display the SDEE Messages window, where you can review SDEE messages and filter them to display only error messages or only status messages.
• The location of the Signature Definition File (SDF).
The use case scenario illustrates a configuration in which an IPS rule is used. Once you create the IPS rule and deliver the configuration to the router, you can modify the rule by clicking the Edit IPS Rule tab. Click the Launch IPS Rule Wizard button to begin.
Use the Add, Delete, Move Up, and Move Down buttons to add, remove, and order a list of SDF locations that the router can attempt to contact to obtain an SDF. The router starts at the first entry, and works down the list until it obtains an SDF. Cisco IOS images that support IOS IPS contain built-in signatures.
Enable Button
Click this button to enable IPS on the selected interface. You are able to specify the traffic directions to which IPS is to be applied, and the ACLs to use to define the type of traffic to examine. Enable or Edit IPS on an Interface has more information.
Edit Button
Click this button to edit the IPS characteristics applied to the selected interface.
Disable Button
Click this button to disable IPS on the selected interface.
• Unnumbered—The router will use one of a pool of IP addresses supplied by your service provider for your router, and for the devices on the LAN.
• Not Applicable—The interface type cannot be assigned an IP address.
Inbound IPS/Outbound IPS
• Enabled—IPS is enabled for this traffic direction.
• Disabled—IPS is disabled for this traffic direction.
VFR Status
Virtual Fragment Reassembly (VFR) status.
Permit source traffic.
Deny source traffic.
Source/Destination—A network or host address, or any host or network.
Service—Type of service filtered. IP, TCP, UDP, IGMP, and ICMP services can be filtered.
Log—Whether or not denied traffic is logged.
Options—Options configured using the CLI.
Description—Any description provided.
Outbound Filter (Optional)
Enter the name or number of the access rule that specifies the outbound traffic to be examined. The ACL that you specify appears in the IPS Rules Configuration window when the interface with which it is associated is selected. If you need to browse for the access rule or create a new one, click the ... button.
...Button
Use this button to specify a filter.
Note Before you use the IPS Signature Import wizard, you must have saved the SDF that you intend to use to a directory on your PC.
Click the Edit Signatures tab to manage the signatures that IPS uses.
File Selection
This window allows you to load a file from your router. Only DOSFS file systems can be viewed in this window.
Welcome to the IPS Signature Import Wizard
This window summarizes the tasks that you perform as you go through the IPS Signature Import wizard. Click Next to begin.
Signature Definition File (SDF) and Signature Selection
Click Browse, and navigate to the SDF that you saved on your PC. When the path to the file is visible in the field, click Next to continue.
Signature Filter
The router may not have enough memory to use all signatures in the SDF.
Match all of the conditions button
If the signatures that you want must match all of the conditions that you specify, choose this button.
Note If you select this button, you can only select one OS criterion, one Service criterion, and one Attack criterion.
Match any of the conditions button
If you want signatures that match any of the criteria, choose this button. If you choose this button, you can add any number of category items.
Signatures
This window lets you view the configured IPS signatures on the router. You can add customized signatures, or import signatures from Cisco.com-downloaded Signature Definition Files (SDF). You can also edit, delete, enable, and disable signatures. IPS is shipped with an SDF that contains a number of signatures that your router can accommodate.
Edit
Click the Edit button to edit the parameters of the selected signature.
Delete button
Click to mark the selected signature for deletion from the list. To view signatures you have deleted, click Details. For more information on the status and handling of these signatures, see Signatures marked for deletion.
Note You cannot delete built-in signatures such as TrendMicro OPACL signatures, as these signatures are part of the Cisco IOS image.
SDFs are available from Cisco. Click the following URL to download an SDF from Cisco.com: http://www.cisco.com/cgi-bin/tablebuild.pl/ios-sigup
Cisco maintains an alert center that provides information on emerging threats. See Cisco Intrusion Prevention Alert Center for more information.
Summary/Details Button
Use this button to display or hide the signatures marked for deletion.
Icons
Signature is present in router configuration and enabled.
Signature is present in router configuration but not active.
Signature status has changed in SDM, and awaits delivery to router.
Right-click Context Menu
If you right-click a signature, SDM displays a context menu with the following options:
• Actions—Click to select the actions to be taken when the signature is matched. See Assign Actions for more information.
Apply Changes button
Click to deliver newly imported signatures, signature edits, and newly enabled or disabled signatures to the router. When the changes are applied, the yellow Wait icon is removed from the ! column.
Discard Changes button
Click to discard accumulated changes.
Assign Actions
The window contains the actions that can be taken upon signature match.
Signature Tree
If you need a description of the signature tree, click this link: Signature Tree. You can use the signature tree in this window to assemble the signatures that you want to import, category by category. For example, you may want to add signatures from the OS category, and from the Service category.
Add, Edit, or Clone Signature
This window contains fields and values described in the Field Definitions section. The fields vary depending on the signature. Therefore, this is not an exhaustive list of all the fields you might see.
Field Definitions
The following fields are found on the Add, Edit and Clone Signature screens.
• SIGID—Identifies the unique numerical value assigned to this signature.
• SigVersion—Signature version.
• ThrottleInterval—Number of seconds defining an Alarm Throttle interval. This is used with the AlarmThrottle parameter to tune special alarm limiters.
• WantFrag—True if a fragment is desired. False if a fragment is not desired. Any for either.
Add or Edit a Signature Location
Specify the location that IOS IPS should load an SDF from.
Autosave
Check this option if you want the router to automatically save the SDF in the event of a router crash. This eliminates the need for you to reconfigure IPS with this SDF when the router comes back up.
Cisco Intrusion Prevention Alert Center
The Cisco Intrusion Prevention Alert center provides information on emerging threats and links to the Cisco IPS signatures available to protect your network from them.
Determine Which SDF File is in Memory
To determine which SDF file is in router memory, open a Telnet session to the router, and enter the show flash command. The output will be similar to the following:
System flash directory:
File  Length    Name/status
  1   10895320  c1710-k9o3sy-mz.123-8.T.bin
  2   1187840   ips.tar
  3   252103    attack-drop.sdf
  4   1038      home.shtml
  5   1814      sdmconfig-1710.cfg
  6   113152    home.tar
  7   758272    es.tar
  8   818176    common.
Notification Method    Status
Syslog                 If Enabled, then notifications are sent to the syslog server specified in System Properties.
SDEE                   Security Device Event Exchange. If Enabled, SDEE events are generated.
SDEE Events            The number of SDEE events to store in the router’s buffer.
SDEE Subscription      The number of concurrent SDEE subscriptions.
Delete Button
Click to delete a selected location.
Move Up/Down Buttons
Use these buttons to change the order of preference for the URLs in the list.
Edit Global Settings
Edit settings that affect the overall operation of IOS IPS in this window.
Enable Syslog Notification
Check to enable the router to send alarm, event, and error messages to a syslog server.
Enable Deny Action on IPS interface
This option is applicable if signature actions are configured to "denyAttackerInline" or "denyFlowInline". By default, IPS applies ACLs to the interfaces from which attack traffic came, and not to IPS interfaces. Enabling this option causes IPS to apply the ACLs directly to the IPS interfaces, and not to the interfaces that originally received the attack traffic.
Description
Available description.
Refresh Button
Click to check for new SDEE messages.
Close Button
Click to close the SDEE Messages window.
SDEE Message Text
This topic lists possible SDEE messages.
IDS status messages
ENGINE_BUILDING: %s - %d signatures - %d of %d engines
Explanation: Triggers when the signature micro-engine (SME) begins building.
IDS error messages
ENGINE_BUILD_FAILED: %s - %d ms - engine build failed - %s
Explanation: Triggers when one of the engines fails to build after an SDF file is loaded. One such message is sent for each failed engine. This means that the IOS IPS engine failed to import signatures for the engine specified in the message. Insufficient memory is the most likely cause of this problem.
Chapter 20 Network Module Management
If the router has network modules that are managed by other applications, such as Intrusion Detection System (IDS), SDM provides a means for you to launch those applications.
IDS Network Module Management
If a Cisco IDS Network Module is installed on the router, this window displays basic status information for it.
Reset
Click to perform a reset of the IDS network module hardware. You should only use the Reset button to recover from Failed state, or after you have shut down the IDS Network Module.
Shutdown
Click to shut down the IDS Network Module. You should always perform a shutdown before you remove the module from the router.
Launch IDM
Click to start the IDM software on the IDS module.
IDS NM Monitoring Interface Settings
This area of the window shows which router interfaces have traffic sent to the IDS network module for monitoring. A check mark icon next to the interface name indicates that the IDS network module is monitoring the traffic on that interface. A red icon with an X next to the interface name indicates that the IDS network module is not monitoring the traffic on that interface.
IP Address
Enter an IP address to use for the IDS Sensor interface. SDM will do the following:
• Create a loopback interface. The number 255 is used if available; if not, another number will be used. This loopback interface will be listed in the Interfaces and Connections window.
• Configure the loopback interface with the IP address you enter.
• Configure the IDS network module IP unnumbered to the loopback interface.
Chapter 20 Network Module Management IDS Network Module Management Specify If you know the network module’s IP address, choose this option, and enter the address. SDM will remember the address, and you can select Use SDM last known IP Address the next time you start the network module.
Chapter 20 Network Module Management IDS Network Module Management Date & Time If this row contains an X icon in the Action column, the router’s clock settings have not been configured. Double-click on this row, and enter time and date settings in the Date and Time Properties window. IP CEF Setting If this row contains an X icon in the Action column, Cisco Express Forwarding (CEF) has not been enabled on the router. Double-click on this row, and click Yes to enable IP CEF on the router.
Chapter 20 Network Module Management Network Module Login IDS NM Interface Monitoring Configuration Use this window to select the router interfaces whose traffic you want the IDS network module to monitor. Monitored Interfaces This list contains the interfaces whose traffic the IDS network module is monitoring. To add an interface to this list, select an interface from the Available Interfaces list, and click the left arrow (<<) button.
Chapter 20 Network Module Management Switch Module Interface Selection Switch Module Interface Selection This window is displayed when there is more than one switch module installed on the router, and allows you to select the one that you want to manage. Click the radio button next to the switch module that you want to manage, and then click OK.
C H A P T E R 21 Quality of Service The Quality of Service (QoS) Wizard allows a network administrator to enable Quality of Service (QoS) on the router’s WAN interfaces. QoS can also be enabled on IPSec VPN interfaces and tunnels. The QoS edit windows enable the administrator to edit policies created using the wizard. Create QoS Policy The QoS Wizard allows a network administrator to enable Quality of Service (QoS) on the router’s WAN interfaces.
Chapter 21 Quality of Service QoS Wizard QoS Wizard Next Click the Next button to begin configuring a QoS policy. Interface Selection Choose the interface on which you want to configure the QoS policy in this window. This window lists WAN interfaces, and interfaces which do not have a configured outbound QoS policy. VPN interfaces are included in the list, but interfaces used for Easy VPN clients, and interfaces with an existing QoS policy are not included. QoS is not supported for Easy VPN clients.
Chapter 21 Quality of Service QoS Policy Generation Bandwidth Allocation This area allows you to track and allocate bandwidth to the outgoing traffic. This column also lists the bandwidth remaining after allocating bandwidth to each traffic type going out on the selected interface. Note At least one traffic type has to be selected to generate the QoS policy. Type of Traffic This column lists the types of traffic exiting the selected interface.
Chapter 21 Quality of Service QoS Policy Generation View QoS Class Details The window that appears when you click the View Details button displays details of the QoS classes that are going to be created for the QoS policy. Real Time Traffic Click the Real Time Traffic tab to view details of QoS class type and class attributes configured for the Real-Time Traffic type. Attributes cannot be edited in this window.
Chapter 21 Quality of Service Summary of the configuration Summary of the configuration The QoS Wizard Summary window displays the summary of the QoS policy map and its related QoS class maps. This policy map will in turn be attached to the selected interface to configure the QoS policy. Clicking Finish exits the QoS Wizard and takes you to the Edit QoS Policy screen. Edit QoS Policy The Edit QoS Policy window allows you to change already configured QoS policies.
Chapter 21 Quality of Service Edit QoS Policy IP Address The IP address of the interface to which the policy is applied. QoS Policy Details This area lists the type of traffic and the bandwidth allocated to each configured traffic type. Real-Time/Business-Critical/Trivial The percentage of overall bandwidth allocated to each of these traffic types. Traffic Type Lists the type of traffic configured on the interface by the QoS policy.
Chapter 21 Quality of Service Edit QoS Policy Queuing This column lists the queuing type, either bandwidth or priority. Class Based Weighted Fair Queuing (CBWFQ) defines two types of Low Latency Queuing methods—bandwidth and priority. • Priority—Priority ensures a fixed amount of bandwidth for whatever bandwidth value is configured for the QoS class. • Bandwidth—Bandwidth queuing promises a minimum amount of bandwidth.
Chapter 21 Quality of Service Edit QoS Policy Add Click this button to add an NBAR-recognized protocol that has not been matched under any of the existing classes. Delete Select the protocols from the list and click the Delete button to delete protocols from the traffic class. Note The Add and Delete buttons are disabled for real-time traffic classes except for the SDM-generated SDMQoS-StreamVideo class.
Chapter 21 Quality of Service Edit QoS Policy Add a Protocol This window allows you to add the protocols that are not yet added to the real-time traffic class. NBAR Protocol This area lists the NBAR protocols that are not added to any of the traffic classes. Select the NBAR protocol from the list and click the OK button to add the protocol.
Chapter 21 Quality of Service QoS Status Interface Association This window provides you the opportunity to associate a cloned policy to an interface. Interface list The interface list displays the interfaces with which you can associate the QoS policy. If you want to associate the cloned policy to an interface, select the interface from the list and click Yes.
Chapter 21 Quality of Service QoS Status Bandwidth utilization is shown in Kbps. • Total incoming and outgoing bytes for each traffic type – Incoming and outgoing bytes for each class defined under the traffic type – Incoming and outgoing bytes for each protocol for each class If the value is more than 1,000,000, then the graph may show the bytes as a multiple of 10^6. If the value is more than 1,000,000,000, then the graph may show the bytes as a multiple of 10^9.
Chapter 21 Quality of Service QoS Status Statistics Select one of the following: • Bandwidth • Bytes • Packets dropped All Traffic—Real-Time—Business-Critical—Trivial SDM displays statistics for all traffic classes in bar chart form, based on the type of statistic you selected. SDM displays a message instead of a bar chart if there are not adequate statistics for a particular traffic type.
C H A P T E R 22 Network Admission Control Network Admission Control (NAC) reduces the infection of data networks from computer viruses by assessing the health of client workstations, helping to ensure that they receive the latest available virus signature updates, and controlling their access to the network. NAC works with anti-virus software to assess the condition of a client, called the client’s posture, before allowing it access to the network.
Chapter 22 Network Admission Control Create NAC Tab The NAC configuration on the router is only one part of a complete NAC implementation. Click Other Tasks in a NAC Implementation to learn the tasks that must be performed on other devices in order to implement NAC. Enable AAA Button Authentication, Authorization, and Accounting (AAA) must be enabled on the router before you can configure NAC. If AAA is not enabled, click the Enable AAA button.
Chapter 22 Network Admission Control Create NAC Tab Welcome The NAC wizard enables you to do the following: • Configure RADIUS parameters—Admission control policies are configured on RADIUS servers that the router contacts when a network host attempts access to the network. You can specify information for multiple RADIUS servers. • Select the interfaces on which NAC is to be enabled—Hosts attempting access to the network through these interfaces go through the NAC process.
Chapter 22 Network Admission Control Create NAC Tab Select the interface through which the RADIUS server is accessed List Choose the interface that the router is to use to connect to the RADIUS servers. If you need more information about an interface, select the interface and click the Details button. SDM displays a warning message if a NAC policy is configured on the interface that you select. If this occurs, you can dissociate the NAC policy from the interface, or select a different interface.
Chapter 22 Network Admission Control Create NAC Tab Add, Edit, and Ping Buttons To provide information for a RADIUS server, click the Add button and enter the information in the screen displayed. Select a row and click Edit to modify the information for a RADIUS server. Select a row and click Ping to test the connection between the router and a RADIUS server. The Add, Edit, and Ping buttons are disabled when no RADIUS server information is available for the selected interface.
Chapter 22 Network Admission Control Create NAC Tab IP Address/MAC Address/Device Type, Address/Device, and Policy Columns These columns contain information about a host in the exception list. A host can be identified by its IP address, MAC address, or by the type of device it is. If it is identified by an address, the IP address or MAC address is shown in the row along with the name of the policy that governs the host’s access to the network.
Chapter 22 Network Admission Control Create NAC Tab Policy List Select the policy that you want to apply to the host. When you select a policy, the redirect URL specified for the policy appears in a read-only field, and the access rule entries for the policy are displayed. If no policies are available in the list, click Cancel to return to the wizard screen, and then choose the option that allows you to add a policy. Policy List Select the policy that you want to apply to the excepted host from the list.
Chapter 22 Network Admission Control Create NAC Tab Access Rule Field Enter the name of the access rule that you want to use, or click the button to the right of this field and browse for the access rule, or create a new access rule. The access rule must contain permit entries that specify the IP addresses that hosts on the exception list can connect to. The access rule must be a named ACL; numbered ACLs are not supported.
Chapter 22 Network Admission Control Create NAC Tab NAC Router Management Access Hosts logging on to SDM must be exempt from NAC validation. Specify the interfaces through which SDM can be run, and specify the hosts that are to be exempt from NAC validation so that users can launch SDM on them. Select the Interface Area Select the interfaces through which users must be able to launch SDM. The interfaces listed in this area are those that you selected for NAC configuration.
Chapter 22 Network Admission Control Create NAC Tab
Interface        Service        ACL            Action
FastEthernet0/0  NTP            101 (INBOUND)  [ ] Modify
FastEthernet0/0  RADIUS Server                 [ ] Modify
Details Window This window displays the entries that SDM will add to ACLs to allow services needed for the NAC validation process. The window might contain an entry like the following: permit tcp host 10.77.158.84 eq www host 10.77.158.
Chapter 22 Network Admission Control Edit NAC Tab Edit NAC Tab The Edit NAC tab lists the NAC policies configured on the router and enables you to configure other NAC settings. A NAC policy must be configured for each interface on which posture validation is to be performed. EAPoUDP Timeouts Button The router and the client use Extensible Authentication Protocol over Unformatted Data Protocol (EAPoUDP) to exchange posture information.
Chapter 22 Network Admission Control Edit NAC Tab Exception List Window This placeholder topic will be removed when the help system for NAC is built. This help topic has already been written for wizard mode. To view it, click on the following link: NAC Exception List Exception Policies Window NAC exception policies control the network access of hosts in the exception list. A NAC exception policy consists of a name, an access rule, and/or a redirect URL.
Chapter 22 Network Admission Control Edit NAC Tab Add, Edit, and Delete Buttons Click the Add button to create a new exception policy. Use the Edit button to modify existing exception policies, and the Delete button to remove exception policies. The Edit and Delete buttons are disabled when there are no exception policies in the list. EAPoUDP Timeouts Configure the timeout values the router is to use for EAPoUDP communication with network hosts.
Chapter 22 Network Admission Control Edit NAC Tab Revalidation Timeout Field The router periodically queries the posture agent on the client to determine the client’s adherence to security policy. Enter the number of seconds that the router should wait between queries. Status Query Timeout Field Enter the number of seconds the router should wait between queries to the posture agent on the host. Reset to Defaults Button Click to reset all EAPoUDP timeouts to their default values.
Chapter 22 Network Admission Control How Do I... The access rule must contain deny statements that specify the traffic that is to be exempted from the admission control process. No posture validation triggering occurs if the access rule contains only deny statements. An example of ACL entries for a NAC admission rule follows: deny udp any host 10.10.30.10 eq domain deny tcp any host 10.10.20.
Chapter 22 Network Admission Control How Do I... http://www.cisco.com/en/US/products/ps5923/index.html The document at the following link explains how to install and configure CTA software on a host. http://www.cisco.com/en/US/products/ps5923/products_administration_guide_book09186a008023f7a5.html The specific installation procedures required to install third-party posture agent software and the optional remediation server vary depending on the software in use.
C H A P T E R 23 Router Properties Router properties let you define the overall attributes of the router, such as the router name, domain name, password, Simple Network Management Protocol (SNMP) status, Domain Name System (DNS) server address, user accounts, router log attributes, virtual type terminal (vty) settings, SSH settings, and other router access security settings. Device Properties The Properties—Device screen contains host, domain, and password information for your router.
Chapter 23 Router Properties Date and Time: Clock Properties Enter the text for Banner Enter text for the router banner. The router text banner is displayed whenever anyone logs in to the router. It is recommended that the text banner include a message indicating that unauthorized access is prohibited. Password Tab The Password tab contains the following fields. Enable Secret Password Cisco Router and Security Device Manager (SDM) supports the enable secret password.
Chapter 23 Router Properties Date and Time: Clock Properties Date/Time You can see the router’s date and time settings on the right side of the SDM status bar. The time and date settings in this part of the Clock Properties window are not updated. Router Time Source This field can contain the following values: • NTP. The router receives time information from an NTP server. • User Configuration. The time and date values are set manually, via SDM or the CLI. • No time source.
Chapter 23 Router Properties Date and Time: Clock Properties Note You must make the Time Zone and Daylight Savings settings on the PC before starting SDM so that SDM will receive the correct settings when you click Synchronize. Edit Date and Time Use this area to set the date and time manually. You can choose the month and the year from the drop-down lists, and choose the day of the month in the calendar. The fields in the Time area require values in 24-hour format.
Chapter 23 Router Properties Date and Time: Clock Properties IP Address The IP address of an NTP server. If your organization does not have an NTP server, you may want to use a publicly available server, such as the server described at the following URL: http://www.eecis.udel.edu/~mills/ntp/clock2a.html Interface The interface over which the router will communicate with the NTP server. Prefer This column contains Yes if this NTP server has been designated as a preferred NTP server.
Chapter 23 Router Properties Date and Time: Clock Properties Prefer Check this box if this is to be the preferred NTP server. Interface Select the router interface that will provide access to the NTP server. You can use the show ip route CLI command to determine which interface has a route to this NTP server. Note An extended access rule will be created for port 123 traffic and applied to the interface that you select in this window.
Chapter 23 Router Properties Date and Time: Clock Properties SNTP This window is displayed on Cisco 830 routers. Network Time Protocol (NTP) allows routers on your network to synchronize their time settings with an NTP server. A group of NTP clients that obtain time and date information from a single source will have more consistent time settings. This window allows you to view the NTP server information that has been configured, to add new information, or to edit or delete existing information.
Chapter 23 Router Properties Date and Time: Clock Properties Note An extended access rule will be created for port 123 traffic and applied to the interface that you select in this window. If an access rule was already in place for this interface, SDM will add statements to permit port 123 traffic on this interface. If the existing rule was a standard access rule, SDM changes it to an extended rule in order to be able to specify traffic type and destination.
Chapter 23 Router Properties Date and Time: Clock Properties Enable SNMP Check this box to enable SNMP support. Uncheck this box to disable SNMP support. SNMP is enabled by default. Community String SNMP community strings are embedded passwords to Management Information Bases (MIBs). MIBs store data about the router’s operation and are meant to be available to authenticated remote users.
Chapter 23 Router Properties Router Access Router Access This window explains which features are included in Router Access. User Accounts: Configure User Accounts for Router Access This window allows you to define accounts and passwords that will enable users to authenticate themselves when logging into the router via HTTP, HTTPS, Telnet, PPP, or other means. User Name A user account name. Password The user account password, displayed as asterisks (*).
Chapter 23 Router Properties Router Access What Do You Want To Do?
• Add a new user account: Click Add. Then, add the account in the Add a Username window.
• Edit a user account: Select the user account and click Edit. Then, edit the account in the Edit a Username window.
• Delete a user account: Select the user account and click Delete. Then, confirm the deletion in the displayed warning box.
Chapter 23 Router Properties Router Access Note Protocols that require the retrieval of clear text passwords, such as CHAP, cannot be used with MD5-encrypted passwords. MD5 encryption is not reversible. To restore the password to clear text, you must delete the user account and recreate it without checking the Encrypt password option. Privilege Level Enter the privilege level for the user.
Chapter 23 Router Properties VTYs Details The Associate a View for this user area displays details of the selected view. Click the Details button for more detailed information about the selected view. View Password If you are associating a view with a user for the first time, you will be prompted to enter the view password for SDM-defined views. Use this password to switch between views. Enter the View Password Enter the view password in the View Password: field.
Chapter 23 Router Properties VTYs Note • Authentication Policy—The AAA authentication policy associated with this vty line. This field is visible if AAA is configured on the router. • Authorization Policy—The AAA authorization policy associated with this vty line. This field is visible if AAA is configured on the router. To use SSH as an input or output protocol, you must enable it by clicking SSH in the Additional Tasks tree and generating an RSA key.
Chapter 23 Router Properties VTYs SSH Check this check box to enable the router to communicate with SSH clients. Access Rule You can associate access rules to filter inbound and outbound traffic on the vty lines in the range. Inbound Enter the name or number of the access rule you want to use to filter inbound traffic, or click the button and browse for the access rule. Outbound Enter the name or number of the access rule you want to use to filter outbound traffic, or click the button and browse for the access rule.
Chapter 23 Router Properties VTYs Host/Network A network address or host IP address. If a network address is given, the policy applies to all hosts on that network. If a host address is given, the policy applies to that host. A network address is shown in the format network number/network bits, as in the following example: 172.23.44.0/24 For more information on this format, and on how IP addresses and subnet masks are used, see IP Addresses and Subnet Masks.
Chapter 23 Router Properties VTYs Edit Button Click to edit a management policy, and specify the policy in the Edit a Management Policy window. Delete Button Click to delete a selected management policy. Apply Button Click to apply changes you have made in the Add or Edit a Management Policy window to the router’s configuration. Discard Changes Button Click to discard changes you have made in the Add or Edit a Management Policy window to the router’s configuration.
Chapter 23 Router Properties VTYs Management Protocols Specify the management protocols allowed for the host or network. Allow SDM Check to allow the specified host or network to access SDM. When you check this box, the following protocols are automatically checked: Telnet, SSH, HTTP, HTTPS, and RCP. Checking this option does not prevent you from allowing additional protocols. If you want to make users employ secure protocols when logging on to SDM, check Allow secure protocols only.
Chapter 23 Router Properties VTYs can create a security risk because if source is “any” it allows traffic from any network to enter the router, or if destination is “any” it allows access to any node on the network that the local router supports. You can remove the access entry that caused this message to appear by selecting the rule in the Rules window and clicking Edit. Or, you can disassociate the rule from the interface it is applied to in the Interfaces and Connections window.
Chapter 23 Router Properties VTYs SSH This router implements Secure Shell (SSH) Server, a feature that enables an SSH client to make a secure, encrypted connection to a Cisco router. This connection provides functionality that is similar to that of an inbound Telnet connection, but that provides strong encryption to be used with Cisco IOS software authentication. The SSH server in Cisco IOS software will work with publicly and commercially available SSH clients.
Chapter 23 Router Properties DHCP Configuration DHCP Configuration This window explains how you can manage DHCP configurations on your router. DHCP Pools This window displays the DHCP pools configured on the router. Pool Name The name of the DHCP pool. Interface The interface on which it is configured. Clients attached to this interface will receive IP addresses from this DHCP pool. Details of DHCP Pool name This area provides the following details about the selected pool.
Chapter 23 Router Properties DHCP Configuration Add Select this option to create a new DHCP pool. You must specify the DHCP pool name, the DHCP pool network, the DHCP pool IP address range, and the lease time. DNS servers, a WINS server, a domain name, and a default router can also be configured in the DHCP pool, but these fields are optional. Edit Select this option to edit an existing DHCP pool. Delete Select this option to delete a DHCP pool.
Chapter 23 Router Properties DHCP Configuration Subnet Mask Enter the subnet mask. The subnet mask of the example network address could be 255.255.255.0, providing 255 IP addresses. DHCP Pool Enter the starting and ending IP addresses in the range. The starting address based on the example network number would be 192.168.233.1. The ending address would be 192.168.233.254. Lease Length Enter the amount of time that addresses are to be leased to clients.
Chapter 23 Router Properties DHCP Configuration Host/IP Mask The IP address and mask bound to the client. MAC Address The MAC address of the client. Type The type of MAC address is one of the following: • Ethernet Client has a hardware address. • IEEE802 Client has a hardware address. • Client has a client identifier. Client Name An optional name assigned to the client. Add Button Click to add a new manual DHCP binding. Edit Button Click to edit the specified manual DHCP binding.
Chapter 23 Router Properties DHCP Configuration Name Enter the name you want for the DHCP binding. If you are editing the DHCP binding, the name field is read-only. Host IP Enter the IP address you want to bind to the client. The address should be from the DHCP pool available to the client. Do not enter an address in use by another DHCP binding. Mask Enter the mask used for the host IP address. Identifier From the drop-down menu, choose a method for identifying the client with a MAC address.
Chapter 23 Router Properties DNS Properties DNS Properties The Domain Name System (DNS) is a database of Internet host names with their corresponding IP addresses distributed over designated DNS servers. It enables network users to refer to hosts by name, rather than by IP addresses, which are harder to remember. Use this window to enable the use of DNS servers for host name to address translation. Enable DNS-based hostname to address translation Check this box to enable the router to use the DNS.
Chapter 23 Router Properties Dynamic DNS Methods Edit Button To edit a dynamic DNS method, choose it from the list of existing dynamic DNS methods and then click the Edit button. Delete Button To delete a dynamic DNS method, choose it from the list of existing dynamic DNS methods and then click the Delete button. Note A warning appears if you attempt to delete a dynamic DNS method that has been associated with one or more interfaces.
Chapter 23 Router Properties Dynamic DNS Methods IETF IETF is a dynamic DNS method type that updates a DNS server with changes to the associated interface’s IP address. If using IETF, configure a DNS server for the router in Configure > Additional Tasks > DNS.
C H A P T E R 24 ACL Editor Rules define how the router will respond to a particular kind of traffic. Using SDM, you can create access rules that cause the router to block certain types of traffic while permitting other types, NAT rules that define the traffic that is to receive address translation, and IPSec rules that specify which traffic is to be encrypted. SDM also provides default rules that are used in guided configurations, and that you can examine and use when you create your own access rules.
Chapter 24 ACL Editor Useful Procedures for Access Rules and Firewalls Unsupported Rules Rules that have not been created using SDM, and that SDM does not support. These rules are read only, and cannot be modified using SDM. Externally Defined Rules Rules that have not been created using SDM, but that SDM does support. These rules may not be associated with any interface.
Chapter 24 ACL Editor Rules Windows • How Do I Modify an Existing Firewall to Permit Traffic from a New Network or Host? • How Do I Configure NAT Passthrough for a Firewall? • How Do I Permit Traffic Through a Firewall to My Easy VPN Concentrator? • How Do I Associate a Rule with an Interface? • How Do I Disassociate an Access Rule from an Interface? • How Do I Delete a Rule That Is Associated with an Interface? • How Do I Create an Access Rule for a Java List? Rules Windows These windows let
Chapter 24 ACL Editor Rules Windows The upper portion of the screen lists the access rules that have been configured on this router. This list does not contain SDM default rules. To view SDM default rules, click the SDM Default Rules branch of the Rules tree. The lower portion of the window lists the rule entries associated with the selected rule. A rule entry consists of criteria that incoming or outgoing traffic is compared against, and the action to take on traffic matching the criteria.
Chapter 24 ACL Editor Rules Windows Access rules can be either standard rules or extended rules. IPSec rules have to be extended rules because they must be able to specify a service type. Externally defined and unsupported rules may be either standard or extended. Description A description of the rule, if one has been entered. First Column (Rule Entry Area) Permit traffic. Deny traffic. Action The action to take when a packet matching the criteria in this entry arrives on the interface.
Chapter 24 ACL Editor Rules Windows Destination For extended rules, the destination IP address criteria that the traffic must match. The address may be for a network, or a specific host. This column may contain: • An IP address and wildcard mask. The IP address specifies a network, and the wildcard mask specifies how much of the rule’s IP address the IP address in the packet must match. • The keyword any. Any indicates that the source IP address can be any IP address. • A host name.
Chapter 24 ACL Editor Rules Windows If you want to:
• Delete a rule that has not been associated with an interface: Select the access rule, and click Delete.
• Delete a rule that has been associated with an interface: SDM does not permit you to delete a rule that has been associated with an interface. In order to delete the rule, you must first disassociate it from the interface. See How Do I Delete a Rule That Is Associated with an Interface?
• What I want to do is not described here.
Chapter 24 ACL Editor Rules Windows Rule Entry List This list shows the entries that make up the rule. You can add, edit, and delete entries. You can also reorder them to change the order in which they are evaluated. Observe the following guidelines when creating rule entries: • There must be at least one permit statement in the list; otherwise, all traffic will be denied. • A permit all or deny all entry in the list must be the last entry.
Chapter 24 ACL Editor Rules Windows What do you want to do? If you want to: Do this: Add or edit a rule entry. Click Add, and create the entry in the window displayed. Or click Edit, and change the entry in the window displayed. Add a rule entry using an existing entry as a template. Select the entry you want to use as a template, and click Clone. Then create the entry in the dialog box displayed.
Chapter 24 ACL Editor Rules Windows Select an Interface Select the interface to which you want this rule to apply. Specify a Direction If you want the router to check packets inbound to the interface, click Inbound. The router checks for a match with the rule before routing it; the router accepts or drops the packet based on whether the rule states permit or deny. If you want the router to forward the packet to the outbound interface before comparing it to the entries in the access rule, click Outbound.
Chapter 24 ACL Editor Rules Windows What do you want to do? If you want to: Do this: Cancel the operation and preserve the association between the interface and the existing rule. Click No. The association between the existing rule and the interface is preserved, and the rule that you created in the Add a Rule window is saved. You can examine the existing rule and the new rule and decide whether you want to replace the existing rule or to merge the entries of the new rule with the existing rule.
Note Any traffic that does not match the criteria in one of the rule entries you create is implicitly denied. To ensure that traffic you do not intend to deny is permitted, you must append explicit permit entries to the rule you are configuring.
Action
Select the action you want the router to take when a packet matches the criteria in the rule entry. The choices are Permit and Deny. What Permit and Deny do depends on the type of rule in which they are used.
Chapter 24 ACL Editor Rules Windows Mask If you selected A Network or if you selected A Host Name or IP address, either select the wildcard mask from this list, or enter a custom wildcard mask. A binary 0 in a wildcard mask means that the corresponding bit in a packet’s IP address must match exactly. A binary 1 in a wildcard mask means that the corresponding bit in the packet’s IP address need not match.
Chapter 24 ACL Editor Rules Windows What Permit and Deny do depends on the type of rule in which they are used. In SDM, extended rule entries can be used in access rules, NAT rules, IPSec rules, and access lists associated with route maps. Click Meanings of the Permit and Deny Keywords to learn more about the action of Permit and the action of Deny in the context of a specific type of rule. Source Host/Network The source IP address criteria that the traffic must match.
Type
Select one of the following:
• A specific IP address. This can be a network address or the address of a specific host.
• A host name.
• Any IP address.
Mask
If you selected A specific IP address, either select the wildcard mask from this list or enter a custom wildcard mask. A binary 0 in a wildcard mask means that the corresponding bit in the packet’s IP address must match exactly.
If you select this protocol ... you can specify the following in the Source Port and Destination Port fields:
TCP and UDP: Specify the source and destination port by name or number. If you do not remember the name or number, click the ... button and select the value you want from the Service window. This field accepts port numbers from 0 through 65535.
• =. The rule entry applies to the value that you enter in the field to the right.
• !=.
Chapter 24 ACL Editor Rules Windows Rule Category Select the rule category that you want to select from. The rules in the category you select will appear in the box below the list. If no rules appear in the box, no rules of that category have been defined. Name/Number The name or number of the rule. Used By How the rule is being used. For example, if the rule has been associated with an interface, the name of the interface. If the rule is being used in an IPSec policy, the name of the policy.
Destination
For extended rules, the destination IP address criteria that the traffic must match. The address may be for a network, or a specific host. This column may contain the following:
• An IP address and wildcard mask. The IP address specifies a network, and the wildcard mask specifies how much of the rule’s IP address the IP address in the packet must match.
• The keyword any. Any indicates that the destination IP address can be any IP address.
• A host name.
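The first-match evaluation described in this chapter (wildcard masks, the guideline that a permit all or deny all entry must be last, and the implicit deny at the end of every rule), worked through in Python as an added example that is not part of the SDM guide; the rule entries, the addresses and the lint checks are constructed for the demonstration.

```python
# Added example (not from the SDM guide): first-match evaluation of an extended
# access rule built from entries like those in the Rule Entry List, including
# wildcard-mask matching and the implicit deny at the end of every rule.
from dataclasses import dataclass
from typing import List, Optional


def ip_to_int(dotted: str) -> int:
    """Convert dotted-decimal IPv4 to a 32-bit integer, validating each octet."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad IPv4 address: {dotted}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"bad octet in {dotted}")
        value = (value << 8) | n
    return value


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard mask must match exactly; a 1 bit is ignored."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(network) & care)


@dataclass
class Entry:
    """One line of an extended rule. Protocol 'ip' matches TCP and UDP too."""
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip", "tcp" or "udp"
    src: str                         # source network or host
    src_wc: str                      # source wildcard mask
    dst: str                         # destination network or host
    dst_wc: str                      # destination wildcard mask
    dst_port: Optional[int] = None   # None means any destination port


ANY = "0.0.0.0"
ANY_WC = "255.255.255.255"   # the keyword "any" is 0.0.0.0 with wildcard 255.255.255.255


def entry_matches(e: Entry, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if e.protocol != "ip" and e.protocol != proto:
        return False
    if e.dst_port is not None and e.dst_port != dport:
        return False
    return wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc)


def evaluate(rule: List[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """Return the action of the first matching entry; no match is an implicit deny."""
    for e in rule:
        if entry_matches(e, proto, src, dst, dport):
            return e.action
    return "deny"


def is_catch_all(e: Entry) -> bool:
    """True for a 'permit ip any any' or 'deny ip any any' style entry."""
    return (e.protocol == "ip" and e.dst_port is None
            and ip_to_int(e.src_wc) == 0xFFFFFFFF and ip_to_int(e.dst_wc) == 0xFFFFFFFF)


def lint_rule(rule: List[Entry]) -> List[str]:
    """Check the two guidelines the Rule Entry List gives for a rule."""
    problems = []
    if not any(e.action == "permit" for e in rule):
        problems.append("no permit entry: all traffic will be denied")
    for i, e in enumerate(rule):
        if is_catch_all(e) and i != len(rule) - 1:
            problems.append(f"entry {i + 1} is a {e.action} all but is not last; "
                            f"later entries are never evaluated")
    return problems


# Constructed sample rule: allow HTTPS from 10.25.29.0/24, block the rest of that
# subnet, and permit everything else.
SAMPLE_RULE = [
    Entry("permit", "tcp", "10.25.29.0", "0.0.0.255", ANY, ANY_WC, 443),
    Entry("deny", "ip", "10.25.29.0", "0.0.0.255", ANY, ANY_WC),
    Entry("permit", "ip", ANY, ANY_WC, ANY, ANY_WC),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_RULE, "tcp", "10.25.29.7", "203.0.113.5", 443))  # permit
    print(evaluate(SAMPLE_RULE, "tcp", "10.25.29.7", "203.0.113.5", 22))   # deny
    print(lint_rule(SAMPLE_RULE))                                          # []
```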
Chapter 25 Port-to-Application Mapping
Port-to-Application Mapping (PAM) allows you to customize TCP and UDP port numbers for network services and applications. PAM uses this information to support network environments that run services using ports that are different from the registered or well-known ports associated with an application. The information that PAM maintains enables Context-Based Access Control (CBAC) supported services to run on nonstandard ports.
Chapter 25 Port-to-Application Mapping Port-to-Application Mappings Application Protocol Column This column contains the name of the application protocol, and the names of the protocol types. For example, the FTP and the TFTP entries are found under the File Transfer protocol type. Port Type Column This list appears if the router is running a Cisco IOS image that allows you to specify whether this port map entry applies to TCP or to UDP traffic. Port Column This column contains the port number.
Chapter 25 Port-to-Application Mapping Port-to-Application Mappings Description Column If a description of the PAM entry has been created, the description is displayed in this column. Add or Edit Port Map Entry You can add and edit port map entries for custom or standard protocols. Protocol Field If you are adding an entry, specify the protocol by clicking the list (...) button to the right and choosing a system-defined protocol, or by entering the name of a custom protocol.
Chapter 25 Port-to-Application Mapping Port-to-Application Mappings numbers separated by commas, or port number ranges indicated with a dash. For example, you might enter three noncontiguous port numbers as 310, 313, 318, or you might enter the range 415–419. If the router is not running a Cisco IOS image that allows you to specify whether this port map entry applies to TCP or to UDP traffic, you can enter a single port number.
Chapter 26 Authentication, Authorization, and Accounting
Cisco IOS Authentication, Authorization, and Accounting (AAA) is an architectural framework for configuring a set of three independent security functions in a consistent manner. AAA provides a modular way of performing authentication, authorization, and accounting services. Cisco IOS AAA provides the following benefits:
• Increased flexibility and control
• Scalability
• Standardized authentication methods.
Chapter 26 Authentication, Authorization, and Accounting AAA Servers and Groups Enable/Disable AAA AAA is enabled by default. If you click Disable, SDM displays a message telling you that it will make configuration changes to ensure that the router can be accessed. Disabling AAA will prevent you from configuring your router as an Easy VPN server, and will prevent you from associating user accounts with command line interface (CLI) views.
Chapter 26 Authentication, Authorization, and Accounting AAA Servers and Groups AAA Servers Window This window lets you view a snapshot of the information about the AAA servers that the router is configured to use. The IP address, server type, and other parameters are displayed for each server. Global Settings Click this button to make global settings for TACACS+ and RADIUS servers.
Chapter 26 Authentication, Authorization, and Accounting AAA Servers and Groups Add or Edit a TACACS+ Server Add or edit information for a TACACS+ server in this window. Server IP or Host Enter the IP address or the host name of the server. If the router has not been configured to use a Domain Name Service (DNS) server, enter an IP address.
Chapter 26 Authentication, Authorization, and Accounting AAA Servers and Groups Add or Edit a RADIUS Server Add or edit information for a RADIUS server in this window. Server IP or Host Enter the IP address or the host name of the server. If the router has not been configured to use a Domain Name Service (DNS) server, enter an IP address. Authorization Port Specify the server port to use for authorization requests. The default is 1645.
Chapter 26 Authentication, Authorization, and Accounting AAA Servers and Groups TACACS+ Server/ RADIUS Server Click the appropriate button to specify the server type for which you are setting global parameters. If you select TACACS+ Server, the parameters will apply to all communication with TACACS+ servers that do not have server specific parameters set. If you select RADIUS Server, the parameters will apply to all communication with RADIUS servers that do not have server specific parameters set.
Chapter 26 Authentication, Authorization, and Accounting AAA Servers and Groups Type The type of servers in the selected group, either TACACS+, or RADIUS. Group Members The IP addresses or host names of the AAA servers in this group. Authentication and Authorization Policies The Authentication Policies and the Authorization Policies windows summarize the authentication policy information on the router. Authentication Type The type of authentication policy.
Chapter 26 Authentication, Authorization, and Accounting AAA Servers and Groups List Name The method list name. A method list is a sequential list describing the authentication methods to be queried in order to authenticate a user. Method 1 The method that the router will attempt first. If one of the servers in this method authenticates the user (sends a PASS response), authentication is successful. If a server returns a FAIL response, authentication fails.
Chapter 26 Authentication, Authorization, and Accounting AAA Servers and Groups Method 1 Column The method that the router will attempt first. If one of the servers in this method authenticates the user (sends a PASS response), authentication is successful. If a server returns a FAIL response, authentication fails. If no servers in the first method respond, then the router uses the next method in the list. Methods can be ordered when you create or edit a method list.
Chapter 26 Authentication, Authorization, and Accounting AAA Servers and Groups Methods A method is a configured server group. Up to four methods can be specified and placed in the list in the order you want the router to use them. The router will attempt the first method in the list. If the authentication request receives a PASS or a FAIL response, the router does not query further.
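The fall-through behaviour of a method list described above, as an added Python example that is not from the SDM guide: the server groups, the user tables and the PASS/FAIL/no-response encoding are constructed here, and a method is modelled as a list of servers tried in order.

```python
# Added example (not from the SDM guide): how a method list is consulted. Each
# method is a server group; only a method in which no server responds causes
# the router to move on to the next method. A PASS or FAIL from any server
# ends the lookup. Server behaviour and the user tables are constructed.
from typing import Callable, Dict, List, Optional

# A server answers "PASS", "FAIL", or None when it does not respond at all.
Server = Callable[[str, str], Optional[str]]


def make_server(users: Dict[str, str], reachable: bool = True) -> Server:
    """Build a constructed AAA server with a fixed user/password table."""
    def respond(user: str, password: str) -> Optional[str]:
        if not reachable:
            return None                      # timeout: neither PASS nor FAIL
        return "PASS" if users.get(user) == password else "FAIL"
    return respond


def query_method(group: List[Server], user: str, password: str) -> Optional[str]:
    """Ask the servers in one group in order; the first one that responds decides."""
    for server in group:
        answer = server(user, password)
        if answer is not None:
            return answer
    return None


def authenticate(method_list: List[List[Server]], user: str, password: str) -> str:
    """Walk the method list. A PASS or FAIL ends the lookup; only silence moves on."""
    if not 1 <= len(method_list) <= 4:
        raise ValueError("a method list holds one to four methods")
    for group in method_list:
        answer = query_method(group, user, password)
        if answer is not None:
            return answer
    # No server in any method responded; this model treats that as not authenticated.
    return "ERROR"


# Constructed deployment: an unreachable TACACS+ group, a RADIUS group and a local fallback.
TACACS = [make_server({"alice": "t-secret"}, reachable=False)]
RADIUS = [make_server({"alice": "r-secret"})]
LOCAL = [make_server({"alice": "local-pw"})]

if __name__ == "__main__":
    # RADIUS answers PASS after TACACS+ times out.
    print(authenticate([TACACS, RADIUS, LOCAL], "alice", "r-secret"))
    # RADIUS answers FAIL, so the local password is never consulted.
    print(authenticate([TACACS, RADIUS, LOCAL], "alice", "local-pw"))
```

The second call is the case operators most often get wrong: a reachable server that returns FAIL does not fall through to the later methods, so a local fallback only helps when every earlier method is unreachable.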
Chapter 27 Router Provisioning
This window tells you if SDM has detected a USB token or USB flash device connected to your router. You can click the Router Provisioning button to choose a configuration file from the USB token or USB flash device. If you choose to provision your router this way, the configuration file from the USB token or USB flash device is merged with your router’s running configuration file to create a new running configuration file.
Router Provisioning from USB
Step 5 Click OK to load the chosen file.
Chapter 28 Public Key Infrastructure
The Public Key Infrastructure (PKI) windows enable you to generate enrollment requests and RSA keys, and manage keys and certificates. You can use the Simple Certificate Enrollment Process (SCEP) to create an enrollment request and an RSA key pair and receive certificates online, create an enrollment request that you can submit to a Certificate Authority (CA) server offline, or use Secure Device Provisioning (SDP) to enroll for a certificate.
Chapter 28 Public Key Infrastructure Certificate Wizards • NTP not configured—The router must have accurate time for certificate enrollment to work. Identifying a Network Time Protocol server from which your router can obtain accurate time provides a time source that is not affected if the router needs to be rebooted. If your organization does not have an NTP server, you may want to use a publicly available server, such as the server described at the following URL: http://www.eecis.udel.
Chapter 28 Public Key Infrastructure Certificate Wizards Note SDM supports only base-64-encoded PKCS#10-type cut and paste enrollment. SDM does not support importing PEM and PKCS#12 type certificate enrollments. SDP Click this button if you want to use Secure Device Provisioning (SDP) to enroll your router with a CA server. SDM transfers you to the SDP web-browser based application to complete the enrollment process.
Chapter 28 Public Key Infrastructure Certificate Wizards Note The information you enter in this screen is used to generate a trustpoint. The trustpoint is generated with a default revocation check method of CRL. If you are editing an existing trustpoint with the SCEP wizard, and a revocation method different from CRL, such as OCSP, already exists under the trustpoint, SDM will not modify it.
Chapter 28 Public Key Infrastructure Certificate Wizards Advanced Options Button Advanced options allow you to provide more information to enable the router to contact the CA server. Advanced Options Use this window to provide more information to enable the router to contact the CA server. HTTP Proxy and HTTP Port If the enrollment request will be sent through a proxy server, enter the proxy server IP address, and the port number to use for proxy requests in these fields.
Chapter 28 Public Key Infrastructure Certificate Wizards Include router’s IP Address Check if you want to include a valid IP address configured on your router in the certificate request. If you check this box, you can manually enter an IP address, or you can select the interface whose IP address you want to be used. IP Address Click if you want to enter an IP address, and enter an IP address configured on the router in the field that appears.
Chapter 28 Public Key Infrastructure RSA Keys State (st) Enter the state or province in which the router or the organization is located. Country (c) Enter the country in which the router or the organization is located. Email (e) Enter the email address to be included in the router certificate. Note If the Cisco IOS image running on the router does not support this attribute, this field is disabled. RSA Keys You must include an RSA public key in the enrollment request.
Chapter 28 Public Key Infrastructure Summary The modulus determines the size of the key. The larger the modulus, the more secure the key, but keys with large modulus take longer to generate, and encryption/decryption operations take longer with larger keys. Generate separate key pairs for encryption and signature By default, SDM creates a general purpose key pair that is used for both encryption and signature.
Chapter 28 Public Key Infrastructure Enrollment Status If you are performing a cut-and-paste enrollment After the commands are delivered to the router, SDM generates an enrollment request and displays it in another window. You must save this enrollment request and present it to the CA server administrator in order to obtain the CA server’s certificate, and the certificate for the router. The enrollment request is in Base64 encoded PKCS#10 format.
Enrollment Request
Begin New Enrollment
Click Begin new enrollment to generate a trustpoint, an RSA key pair and an enrollment request that you can save to your PC and send to the CA server. The wizard completes after you save the enrollment request. To complete the enrollment after you have received the CA server certificate and the certificate for your router, re-enter the Cut and Paste wizard and select Continue with an unfinished enrollment.
Chapter 28 Public Key Infrastructure Import CA certificate Import CA and router certificate(s) Choose this option if you want to import both the CA server’s certificate and the router’s certificate in the same session. Both certificates must be available on the PC. This option is disabled if the CA certificate has already been imported. Import CA certificate Choose this option to import a CA server certificate that you have saved on your PC.
Import Router Certificate(s)
Browse Button
Click to locate the certificate file on the PC.
Import Router Certificate(s)
If you have one or more certificates for your router granted by the CA on your hard disk, you can browse for them and import them to your router.
Import more certificates
If you generated separate RSA key pairs for encryption and signature, you receive two certificates for the router.
Chapter 28 Public Key Infrastructure Digital Certificates Edit Button A trustpoint can be edited if it is an SCEP trustpoint, and if the CA server’s certificate and the router’s certificate have not both been successfully imported. If the trustpoint is not an SCEP trustpoint, or if both the CA server and router certificate associated with an SCEP trustpoint have been delivered, this button is disabled. Delete Button Click to delete the selected trustpoint.
Digital Certificates
Refresh Button
Click to refresh the Certificate chain area when you select a different trustpoint in the Trustpoints list.
Type
One of the following:
• RA KeyEncipher Certificate—Rivest Adelman encryption certificate
• RA Signature Certificate—Rivest Adelman signature certificate.
• CA Certificate—The certificate of the CA organization.
• Certificate—The certificate of the router.
Usage
Chapter 28 Public Key Infrastructure Digital Certificates Revocation Check Specify how the router is to check whether a certificate has been revoked in this window. Revocation Check Configure how the router is to check for revocations, and order them by preference. The router can use multiple methods. Use/Method/Move Up/Move Down Check the methods that you want to use, and use the Move Up and Move Down buttons to place the methods in the order you want to use them.
• Best Effort—Download the CRL from the CRL server if it is available. If it is not available, the certificate will be accepted.
• Optional—Check the CRL only if it has already been downloaded to the cache as a result of manual loading.
CRL Query URL
Enter the URL where the certificate revocation list is located. Enter the URL only if the certificate supports X.500 DN.
Chapter 28 Public Key Infrastructure RSA Keys Window Key Data Click to view a selected RSA key. Save Key to PC Button Click to save the data of the selected key to your PC. Generate RSA Key Pair Use this window to generate a new RSA key pair. Label Enter the label of the key in this field. Modulus Enter the key modulus value. If you want a modulus value between 512 and 1024 enter an integer value that is a multiple of 64. If you want a value higher than 1024, you can enter 1536 or 2048.
Chapter 28 Public Key Infrastructure USB Tokens Save to USB Token Check the Save keys to secure USB token checkbox if you want to save the RSA keys to a USB token connected to your router. This checkbox appears only if a USB token is connected to your router. Choose the USB token from the USB token drop-down menu. Enter the PIN needed to log in to the chosen USB token in PIN. After you choose a USB token and enter its PIN, click Login to log in to the USB token.
Chapter 28 Public Key Infrastructure USB Tokens Maximum PIN Retries Displays the maximum number of times SDM will attempt to log in to the USB token with the given PIN. If SDM is unsuccessful after trying for the number specified, it will stop trying to log in to the USB token. Removal Timeout Displays the maximum number of seconds that SDM will continue to use Internet Key Exchange (IKE) credentials obtained from the USB token after the token is removed from the router.
Chapter 28 Public Key Infrastructure USB Tokens Current PIN If you are adding a USB token login, or if you are editing a USB token login that has no PIN, the Current PIN field displays . If you are editing a USB token login which has a PIN, the Current PIN field displays ******. Enter New PIN Enter a new PIN for the USB token. The new PIN must be at least 4 digits long and must match the name of the token you want to log in to.
Chapter 28 Public Key Infrastructure SDP Troubleshooting Tips SDP Troubleshooting Tips Use this information before enrolling using Secure Device Provisioning (SDP) to prepare the connection between the router and the certificate server. If you experience problems enrolling, you can review these tasks to determine where the problem is. Guidelines • When SDP is launched, you must minimize the browser window displaying this help topic so that you can view the SDP web application.
Chapter 28 Public Key Infrastructure Open Firewall Open Firewall This screen is displayed when SDM detects firewall(s) on interfaces that would block return traffic that the router needs to receive. Two situations in which it might appear are when a firewall will block DNS traffic or PKI traffic and prevent the router from receiving this traffic from the servers. SDM can modify these firewalls so that the servers can communicate with the router.
Open Firewall
Details Button
Click this button to view the access control entry that SDM would add to the firewall if you allow the modification.
Open Firewall Details
This window displays the access control entry (ACE) that SDM would add to a firewall to enable CA traffic to reach the router. This entry is not added unless you check Modify in the Open Firewall window and complete the wizard.
Chapter 29 Resetting to Factory Defaults
You can reset the configuration of the router to factory defaults and save the current configuration to a file that can be used later. If you changed the router’s LAN IP address from the factory value 10.10.10.1, you will lose the connection between the router and the PC because that IP address will change back to 10.10.10.1 when you reset.
Note
• The Reset to Factory Defaults feature is not supported on Cisco 3620, 3640, 3640A, and 7000 series routers.
Chapter 29 Resetting to Factory Defaults Routers Needing Dynamic Addresses Routers Needing Static Addresses SB10x Cisco 83x, 85x, and 87x Cisco 1701, 1710, and 171x Cisco 180x and 181x Cisco 1721, 1751, and 1760 Cisco 1841 Cisco 2600XM, and 2691 Cisco 28xx, 36xx, 37xx, and 38xx The process for giving the PC a static or dynamic IP address varies slightly depending on the version of Microsoft Windows the PC is running. Note Do not reconfigure the PC until after you reset the router.
Chapter 29 Resetting to Factory Defaults Specify an IP address. Enter the IP address 10.10.10.2 or any other address in the 10.10.10.0 subnet greater than 10.10.10.1. Enter the subnet 255.255.255.248. Click OK. Microsoft Windows XP Click Start, select Settings, Network Connections, and then select the LAN connection you will use. Click Properties, select Internet Protocol TCP/IP, and click the Properties button. Click Obtain an IP Address Automatically to obtain a dynamic IP address.
This Feature Not Supported
This window appears when an SDM feature is not supported. This may be because the router is running a Cisco IOS image that does not support the feature, or because SDM is being run on a PC and cannot support the feature.
Chapter 30 More About....
These topics provide more information about subjects that SDM online help discusses.
IP Addresses and Subnet Masks
This topic provides background information about IP addresses and subnet masks, and shows you how to use this information when entering addresses and masks in SDM. IP version 4 addresses are 32 bits, or 4 bytes, in length.
Chapter 30 More About.... IP Addresses and Subnet Masks The subnet mask is used to specify how many of the 32 bits are used for the network number and, if subnetting is used, the subnet number. It is a binary mask with a 1 bit in every position used by the network and subnet numbers. Like the IP address, it is a 32-bit value, expressed in decimal format. The following figure shows a subnet mask entered in SDM. SDM shows the subnet mask and the equivalent number of bits in the mask.
Chapter 30 More About.... IP Addresses and Subnet Masks When a network address is displayed in SDM windows, the IP address and subnet mask for it may be shown in network address/subnet bits format, as in the following example: 172.28.33.0/24 The network address in this example is 172.28.33.0. The number 24 indicates the number of subnet bits used. You can think of it as shorthand for the corresponding subnet mask of 255.255.255.0.
Chapter 30 More About.... Available Interface Configurations IP Address/Wildcard Mask Enter a network address, and then the wildcard mask to specify how much of the network address must match exactly. For example, if you entered a network address of 10.25.29.0 and a wildcard mask of 0.0.0.255, any java applet with a source address containing 10.25.29 would be filtered. If the wildcard mask were 0.0.255.255, any java applet with a source address containing 10.25 would be filtered.
DHCP Address Pools
• An ATM interface without any encapsulation
• An ADSL interface
• A G.
Reserved Addresses
You must not use the following addresses in the range of addresses that you specify:
• The network/subnetwork IP address.
• The broadcast address on the network.
Meanings of the Permit and Deny Keywords
Rule entries can be used in access rules, NAT rules, IPSec rules, and in access rules associated with route maps. Permit and Deny have various meanings depending on which type of rule is using them.
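The subnet mask, the network address/subnet bits shorthand (172.28.33.0/24), the wildcard mask used in rule entries (IP Address/Wildcard Mask above), and the reserved network and broadcast addresses a DHCP pool must exclude, worked in Python as an added example that is not from the SDM guide; the pool range check and the 10.10.10.0/29 sample values are constructed for the demonstration.

```python
# Added example (not from the SDM guide): the arithmetic behind the subnet mask,
# the network/subnet-bits shorthand, the wildcard mask used in rule entries, and
# the two reserved addresses a DHCP pool must not include.
from typing import List, Tuple

ALL_ONES = 0xFFFFFFFF


def ip_to_int(dotted: str) -> int:
    """Convert dotted-decimal IPv4 to a 32-bit integer, validating each octet."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad IPv4 address: {dotted}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"bad octet in {dotted}")
        value = (value << 8) | n
    return value


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_int(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: the top 'prefix' bits set, the remaining bits clear."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    return (ALL_ONES << (32 - prefix)) & ALL_ONES


def prefix_to_mask(prefix: int) -> str:
    return int_to_ip(prefix_to_int(prefix))


def mask_to_prefix(mask: str) -> int:
    """Count the 1 bits, and reject masks whose 1 bits are not contiguous."""
    value = ip_to_int(mask)
    prefix = bin(value).count("1")
    if value != prefix_to_int(prefix):
        raise ValueError(f"{mask} is not a valid subnet mask")
    return prefix


def mask_to_wildcard(mask: str) -> str:
    """Subnet mask 255.255.255.0 becomes wildcard mask 0.0.0.255 (bitwise NOT)."""
    mask_to_prefix(mask)                       # validate before inverting
    return int_to_ip(~ip_to_int(mask) & ALL_ONES)


def parse_cidr(text: str) -> Tuple[str, str]:
    """'172.28.33.0/24' -> ('172.28.33.0', '255.255.255.0')."""
    address, prefix = text.split("/")
    return address, prefix_to_mask(int(prefix))


def network_address(addr: str, mask: str) -> str:
    return int_to_ip(ip_to_int(addr) & ip_to_int(mask))


def broadcast_address(addr: str, mask: str) -> str:
    return int_to_ip(ip_to_int(addr) | (~ip_to_int(mask) & ALL_ONES))


def reserved_in_pool(pool_start: str, pool_end: str, addr: str, mask: str) -> List[str]:
    """Return the reserved addresses (network, broadcast) that fall inside a DHCP pool range."""
    lo, hi = ip_to_int(pool_start), ip_to_int(pool_end)
    reserved = [network_address(addr, mask), broadcast_address(addr, mask)]
    return [r for r in reserved if lo <= ip_to_int(r) <= hi]


if __name__ == "__main__":
    print(parse_cidr("172.28.33.0/24"))        # ('172.28.33.0', '255.255.255.0')
    print(mask_to_wildcard("255.255.255.0"))   # 0.0.0.255
    # Constructed pool that wrongly includes both reserved addresses of 10.10.10.0/29.
    print(reserved_in_pool("10.10.10.0", "10.10.10.7", "10.10.10.1", "255.255.255.248"))
```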
Services and Ports
• IP Services
• Services That Can Be Specified in Inspection Rules
TCP Services
TCP Service   Port Number   Description
bgp           179           Border Gateway Protocol. BGP exchanges reachability information with other systems that use the BGP protocol.
chargen       19            Character generator.
cmd           514           Remote commands. Similar to exec except that cmd has automatic authentication.
daytime       13            Daytime.
discard       9             Discard.
domain        53            Domain Name Service.
lpd           515           Line Printer Daemon. A protocol used to send print jobs between UNIX systems.
nntp          119           Network News Transport Protocol.
pim-auto-rp   496           Protocol-Independent Multicast Auto-RP. PIM is a multicast routing architecture that allows the addition of multicast IP routing on existing IP networks.
pop2          109           Post Office Protocol v2. Protocol that client e-mail applications use to retrieve mail from mail servers.
UDP Services
UDP Service   Port Number   Description
netbios-ns    137           NetBios name service.
netbios-ss    139           NetBios session service.
ntp           123           Network Time Protocol. TCP protocol that ensures accurate local timekeeping with reference to radio and atomic clocks located on the Internet.
pim-auto-rp   496           Protocol Independent Multicast, reverse path flooding, dense mode.
rip           520           Routing Information Protocol. A protocol used to exchange route information between routers.
ICMP Message Types
ICMP Message          Type Number   Description
alternate-address     6             Alternate host address.
conversion-error      31            Sent to report a datagram conversion error.
echo                  8             Type of message sent when ping command is issued.
echo-reply            0             Response to an echo-request (ping) message.
information-reply     16            Obsolete. Response to message sent by host to discover number of the network it is on. Replaced by DHCP.
information-request   15            Obsolete.
timestamp-request     13            Request for timestamp to be used for synchronization between two devices.
traceroute            30            Message sent in reply to a host that has issued a traceroute request.
unreachable           3             Destination unreachable. Packet cannot be delivered for reasons other than congestion.
IP Services
IP Service    Protocol Number   Description
aahp          51
eigrp         88                Enhanced Interior Gateway Routing Protocol.
tcp           6                 Transmission Control Protocol. Connection-oriented transport layer protocol that provides reliable full-duplex data transmission.
udp           17                User Datagram Protocol. Connectionless transport layer protocol in the TCP/IP protocol stack.
Services That Can Be Specified in Inspection Rules
Protocol      Description
cuseeme       Videoconferencing protocol.
fragment      Specifies that the rule perform fragment inspection.
Chapter 30 More About.... More About NAT Protocol Description tcp See tcp. tftp See tftp. udp See udp. vdolive VDOLive protocol. A streaming video protocol. More About NAT This section provides scenario information that may help you in completing the NAT Translation Rule windows, and other information that explains why NAT rules created using the CLI may not be editable in SDM.
More About NAT
Scenario 2
You need to map each IP address in a network to a unique public IP address, and you do not want to create a separate rule for each mapping. The source network number is 10.12.12.0, and the target network is 172.17.4.0. However, in this scenario, it is not necessary to know the source or target network numbers. It is sufficient to enter host addresses and a network mask.
Chapter 30 More About.... More About NAT Result The source address 10.12.12.3 is translated to the address 172.17.4.8 in packets leaving the router. The port number in the Redirect port field is changed from 137 to 139. Return traffic carrying the destination address 172.17.4.8 is routed to port number 137 of the host with the IP address 10.12.12.3. You need to create a separate entry for each host/port mapping that you want to create.
Dynamic Address Translation Scenarios
The following scenarios show you how you can use dynamic address translation rules. These scenarios are applicable whether you select from inside-to-outside, or from outside-to-inside.
Scenario 1
You want source ("Translate from") addresses to use the IP address that is assigned to the router’s Fast Ethernet 0/1 interface 172.17.4.8.
Scenario 2
You want the host addresses specified in access-list 7 in the previous scenario to use addresses from a pool you define. If the addresses in the pool become depleted, you want the router to use PAT to satisfy additional requests for addresses from the pool. The following table shows how the fields in the Address Pool window would be used for this scenario.
Pool Name   Port Address Translation   IP Address fields   Network Mask
Pool 1      Checked                    172.16.131.
Chapter 30 More About.... More About VPN • Security and VPN Devices • IPSecurity Troubleshooting–Understanding and Using Debug Commands • Field Notices More about VPN Connections and IPSec Policies A VPN connection is an association between a router interface and an IPSec policy. The building block of an IPSec policy is the crypto map.
More About VPN
[Figure 88434: Policy 5 on interface ATM3/1.1; Crypto Map 1 Seattle; Crypto Map 2 Chicago; Crypto Map 3 Topeka, Lawrence]
A router interface can be associated with only one IPSec policy. However, an IPSec policy can be associated with multiple router interfaces, and a crypto map can specify more than one peer for a connection. The following diagram shows two router interfaces associated with a policy, and a crypto map specifying two peers.
Chapter 30 More About.... More About VPN More About IKE IKE handles the following tasks: • Authentication • Session Negotiation • Key Exchange • IPSec Tunnel Negotiation and Configuration Authentication Authentication is arguably the most important task that IKE accomplishes, and it certainly is the most complicated. Whenever you negotiate something, it is of utmost importance that you know with whom you are negotiating.
Chapter 30 More About.... More About VPN – Encryption Algorithm: DES, 3DES, or AES – Packet Signature Algorithm: MD5 or SHA-1 Key Exchange IKE uses the negotiated key-exchange method (see “Session Negotiation” above) to create enough bits of cryptographic keying material to secure future transactions. This method ensures that each IKE session will be protected with a new, secure set of keys. Authentication, session negotiation, and key exchange constitute phase 1 of an IKE negotiation.
Chapter 30 More About.... More About VPN Allowable Transform Combinations To define a transform set, you specify one to three transforms. Each transform represents an IPSec security protocol (AH or ESP) plus the algorithm that you want to use. When the particular transform set is used during negotiations for IPSec security associations, the entire transform set (the combination of protocols, algorithms, and other settings) must match a transform set at the remote peer.
Transform      Description
esp-md5-hmac   ESP with the MD5 (HMAC variant) authentication algorithm.
esp-aes-128    ESP with Advanced Encryption Standard (AES). Encryption with a 128-bit key.
esp-aes-192    ESP with AES. Encryption with a 192-bit key.
esp-aes-256    ESP with AES. Encryption with a 256-bit key.
esp-sha-hmac   ESP with the SHA (HMAC variant) authentication algorithm.
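The matching rule above (one to three transforms per set, and the whole combination must agree with a set at the remote peer) can be modelled in a few lines. This is an added example, not code from the SDM guide or from Cisco IOS; the ah-* names, esp-null, esp-des and esp-3des are assumed IOS transform names that do not appear in the table above, and the "one transform per role" check is the IOS rule as the editor knows it, not something the page states.

```python
# Added example, not code from the SDM guide or Cisco IOS. It models the
# transform-set rules the page describes: one to three transforms, each an
# AH or ESP protocol plus an algorithm, and the whole set (including mode)
# has to match a set proposed by the remote peer before an IPSec SA is built.
from dataclasses import dataclass

# Role each transform fills. The esp-* names come from the page's table;
# the ah-* entries and esp-des/esp-3des/esp-null are assumed for
# completeness (standard IOS transform names, not taken from the page).
TRANSFORM_ROLE = {
    "ah-md5-hmac": "ah-auth",
    "ah-sha-hmac": "ah-auth",
    "esp-null": "esp-cipher",
    "esp-des": "esp-cipher",
    "esp-3des": "esp-cipher",
    "esp-aes-128": "esp-cipher",
    "esp-aes-192": "esp-cipher",
    "esp-aes-256": "esp-cipher",
    "esp-md5-hmac": "esp-auth",
    "esp-sha-hmac": "esp-auth",
}

# Transforms a reviewer of a VPN policy would flag: no encryption, a
# 56-bit cipher, or an MD5-based integrity check.
WEAK_TRANSFORMS = {"esp-null", "esp-des", "ah-md5-hmac", "esp-md5-hmac"}


def validate(transforms, mode):
    """Reject combinations that do not form a legal transform set."""
    if not 1 <= len(transforms) <= 3:
        raise ValueError("a transform set holds one to three transforms")
    if mode not in ("tunnel", "transport"):
        raise ValueError("mode must be 'tunnel' or 'transport'")
    roles = []
    for name in transforms:
        if name not in TRANSFORM_ROLE:
            raise ValueError(f"unknown transform: {name}")
        roles.append(TRANSFORM_ROLE[name])
    # Each role (AH auth, ESP cipher, ESP auth) may appear at most once.
    if len(set(roles)) != len(roles):
        raise ValueError("only one transform per role: AH, ESP cipher, ESP auth")


@dataclass(frozen=True)
class TransformSet:
    name: str               # local label only; never sent to the peer
    transforms: frozenset   # e.g. frozenset({"esp-aes-256", "esp-sha-hmac"})
    mode: str = "tunnel"    # tunnel or transport

    def __post_init__(self):
        validate(self.transforms, self.mode)

    def matches(self, other):
        # The names may differ on the two routers; the whole combination
        # of protocols, algorithms and mode must agree.
        return self.transforms == other.transforms and self.mode == other.mode

    def weak(self):
        """Transforms in this set that a policy review should flag."""
        return sorted(self.transforms & WEAK_TRANSFORMS)


def negotiate(local_sets, remote_proposals):
    """Return the first local set, in local preference order, that the
    remote peer also proposes, or None when nothing matches."""
    for mine in local_sets:
        for theirs in remote_proposals:
            if mine.matches(theirs):
                return mine
    return None


# Constructed sample policies: a local crypto map that prefers AES-256 but
# still lists a 3DES/MD5 fallback, and a peer that only offers AES-128 or 3DES.
LOCAL_SETS = [
    TransformSet("STRONG", frozenset({"esp-aes-256", "esp-sha-hmac"})),
    TransformSet("LEGACY", frozenset({"esp-3des", "esp-md5-hmac"})),
]
REMOTE_PROPOSALS = [
    TransformSet("peer-a", frozenset({"esp-aes-128", "esp-sha-hmac"})),
    TransformSet("peer-b", frozenset({"esp-3des", "esp-md5-hmac"})),
]


def demo():
    """Run the negotiation and report which set the SA would use."""
    chosen = negotiate(LOCAL_SETS, REMOTE_PROPOSALS)
    return (chosen.name if chosen else None), (chosen.weak() if chosen else [])


if __name__ == "__main__":
    name, flagged = demo()
    print(f"negotiated set: {name}, weak transforms: {flagged}")
```

The sample run shows the practical consequence of a fallback set: the peer never offers AES-256, so the SA silently lands on the 3DES/MD5 set, which the weak() check surfaces.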
• The interface is configured with the encapsulation frame-relay command with an IP address on the main interface.
• The interface encapsulation is not “hdlc,” “ppp,” or “frame-relay.”
• The encapsulation frame-relay ... command contains the mfr ... option.
• The interface is configured with the encapsulation ppp command, but the PPP configuration contains unsupported commands.

• The “dial-on-demand” option is configured on the pppoe-client command.
• There is more than one PVC configured on the interface.
• The encapsulation on the associated dialer is blank or is not “ppp.”
• No IP address is configured on the associated dialer.
• VPDN is required (which is determined dynamically from the Cisco IOS image) but is not configured for this connection.
Reasons Why an ISDN BRI Interface Configuration May Be Read-Only
A previously configured ISDN BRI interface will be read-only and will not be configurable in the following cases:
• An IP address is assigned to the ISDN BRI interface.
• Encapsulation other than ppp is configured on the ISDN BRI interface.
• The dialer-group or dialer string command is configured on the ISDN BRI interface.

– The SDM-supported interfaces are configured with unsupported configurations
– The primary interfaces are not supported by SDM

Reasons Why an Analog Modem Interface Configuration May Be Read-Only
A previously configured analog modem interface will be read-only and will not be configurable in the following cases:
• An IP address is assigned to the asynchronous interface.

– track/rtr, or both, is not configured
– route-map is removed
– The access list is removed or modified (for example, the tracked IP address is modified)
– The SDM-supported interfaces are configured with unsupported configurations
– The primary interfaces are not supported by SDM

Firewall Policy Use Case Scenario
In this scenario, a firewall and DMZ network have been created using the SDM Firewall wizard.
Examining Originating Traffic: From Interface Fast Ethernet 0/0; To Interface Serial 1/0
In this configuration, there is a firewall filtering traffic entering the router on the Serial 1/0 interface bound for the network connected to the Fast Ethernet 0/0 interface.

These are the entries that protect the network attached to Fast Ethernet 0/0. The Deny entries filter IP traffic from specific networks. There is an explicit permit-all entry for IP traffic, and two Permit entries for ICMP traffic bound for specific hosts. The Applications area would still display the inspection rule applied to Fast Ethernet 0/0 inbound, even though returning traffic was selected.

The Services area shows that certain types of ICMP traffic have been permitted.

Allowing www Traffic to DMZ Interface
The method shown in this section can also be used when there is no DMZ network, but you want to allow a certain type of traffic onto your trusted network. In order to allow www traffic to the hosts 10.10.10.1 and 10.10.10.2 in the DMZ network, the user creates two entries using the Add button.

DMVPN Configuration Recommendations

Assigning Spoke Addresses
All routers in the DMVPN must be in the same subnet. Therefore, the hub administrator must assign addresses in the subnet to the spoke routers so that address conflicts do not occur, and so that everyone is using the same subnet mask.

Recommendations for Configuring Routing Protocols for DMVPN
The following are guidelines that you should note when configuring routing protocols for DMVPN.

Ping the Hub Before You Start Spoke Configuration
Before configuring a spoke router, you should test connectivity to the hub by issuing the ping command. If the ping does not succeed, you must configure a route to the hub.

SDM White Papers
A number of white papers describe how SDM can be used. They are available at the following link: http://www.cisco.com/univercd/cc/td/doc/product/software/sdm/appnote/index.
CHAPTER 31 Getting Started
Cisco Router and Security Device Manager (SDM) is an easy-to-use Internet browser-based software tool designed for configuring LAN, WAN, and security features on a router. SDM is designed for resellers and network administrators of small- to medium-sized businesses who are proficient in LAN fundamentals and basic network design.

What’s New in this Release?
To find out the new features SDM supports, go to: http://www.cisco.com/go/sdm Click the Technical Documentation link, and then click Release Notes.

Cisco IOS Versions Supported
To determine which Cisco IOS versions SDM supports, go to the following URL: http://www.cisco.com/go/sdm Click the Technical Documentation link, and then click Release Notes. Cisco Router and Security Device Manager Version 2.
CHAPTER 32 Viewing Router Information
The Cisco Router and Security Device Manager (SDM) Monitor mode lets you view a current snapshot of information about your router, the router interfaces, the firewall, and any active VPN connections. You can also view any messages in the router event log.
Note: The Monitor window is not dynamically updated with the latest information. To view any information that has changed since you brought up this window, you must click Update.

Overview
If you want to view information about router interfaces: From the toolbar, click Monitor, and then in the left frame, click Interface Status. From the Select Interface field, select the interface for which you want to view information, then in the Available Items group, select the information you want to view. Then click Show Details.
If you want to view graphs of CPU or memory usage: From the toolbar, click Monitor.
Resource Status
Shows basic information about your router hardware and contains the following fields:
CPU Usage: Shows the percentage of CPU usage.
Memory Usage: Shows the percentage of RAM usage.
Flash Usage: Shows the available flash over the amount of flash installed on the router.
Interface Status: Shows basic information about the interfaces installed on the router and their status.

Bandwidth Usage: The percentage of interface bandwidth being used.
Description: Available description for the interface. SDM may add descriptions such as $FW_OUTSIDE$ or $ETH_LAN$.

No. of DMVPN Clients: If the router is configured as a DMVPN hub, the number of DMVPN clients.
No. of Active VPN Clients: If the router is configured as an Easy VPN Server, this field shows the number of Easy VPN Remote clients.
NAC Status Group: Shows a basic snapshot of Network Admission Control (NAC) status on the router.
No. of NAC enabled interfaces field: The number of router interfaces on which NAC is enabled.
No.
Informational: The number of log entries stored that have a severity level of 6 or higher. These information messages signal normal network events.

Interface Status
The Interface Status screen displays the current status of the various interfaces on the router, and the numbers of packets, bytes, or data errors that have travelled through the selected interface.

• Bandwidth Usage: The percentage of bandwidth used by the interface.

Note
• Real-time data every 10 sec. This option continues polling the router for a maximum of two hours, resulting in approximately 120 data points.
• 10 minutes of data, polled every 10 sec.
• 60 minutes of data, polled every 1 minute.
• 12 hours of data, polled every 10 minutes.
The last three options retrieve a maximum of 60 data points.
VPN Status
• IPSec Tunnels
• DMVPN Tunnels
• Easy VPN Servers
• IKE SAs
Test Tunnel... button: Click to test a selected VPN tunnel. The results of the test are shown in another window.

IPSec Tunnels
This group displays statistics about each IPSec VPN that is configured on the router. Each row in the table represents one IPSec VPN.

The number of errors that have occurred while sending packets.
• Receive Error Packets column: The number of errors that have occurred while receiving packets.
• Encrypted Packets column: The number of packets encrypted over the connection.
• Decrypted Packets column: The number of packets decrypted over the connection.
• Update button: Click this button to refresh the IPSec Tunnel table and display the most current data from the router.

Resets statistics counters for the tunnel listed, setting the number of packets encapsulated and decapsulated, the number of sent and received errors, and the number of packets encrypted and decrypted to zero.

• Public IP address
• Assigned IP address
• Encrypted Packets
• Decrypted Packets
• Dropped Outbound Packets
• Dropped Inbound Packets
• Status
Update button: Click this button to display the most current data from the router.
Disconnect button: Choose a row in the table and click Disconnect to drop the connection with the client.
– MM_KEY_EXCH: The peers have exchanged Diffie-Hellman public keys and have generated a shared secret. The ISAKMP SA remains unauthenticated.
– MM_KEY_AUTH: The ISAKMP SA has been authenticated. If the router initiated this exchange, this state transitions immediately to QM_IDLE and a Quick mode exchange begins.
– AG_NO_STATE: The ISAKMP SA has been created but nothing else has happened yet.

Firewall Status
Number of Attempts Denied by Firewall: Shows the number of connection attempts rejected by the firewall.
Attempts Denied by Firewall Table: Shows a list of connection attempts denied by the firewall. This table includes the following columns:
• Time column: Shows the time that each denied connection attempt occurred.
NAC Status
*Jun 27 11:42:01.323: %APPFW-6-IM_MSN_SESSION: im-msn text-chat service session initiator 14.1.0.1:1973 sends 142 bytes to responder 207.46.108.33:1863
*Jun 28 11:42:01.323: %APPFW-6-IM_MSN_SESSION: im-msn un-recognized service session initiator 14.1.0.1:2000 sends 1364 bytes to responder 207.46.108.19:1863
*Jun 29 11:42:01.323: %APPFW-6-IM_YAHOO_SESSION: im-yahoo text-chat service session initiator 14.1.0.1:2009 sends 100 bytes to responder 216.155.193.

Clicking on an interface entry displays the information returned by posture agents installed on the hosts in the subnet for that interface. An example of the interface information follows:
10.10.10.5 Remote EAP Policy Infected 12
10.10.10.1 is the host’s IP address. Remote EAP Policy is the type of authentication policy that is in force.
Logging
The router contains a log of events categorized by severity level, like a UNIX syslog service. This screen displays the router log. Note that it is the router log that is displayed, even if log messages are being forwarded to a syslog server.
Logging Buffer: Shows whether or not the logging buffer and syslog logging are enabled. The text “Enabled” is displayed when both are enabled.

Shows the severity of the logging event. Severity is shown as a number from 1 through 7, with lower numbers indicating more severe events.
CHAPTER 33 File Menu Commands
The following options are available from the Cisco Router and Security Device Manager (SDM) File menu.
Save Running Config to PC: Saves the router’s running configuration file to a text file on the PC.
Deliver Configuration to Router: This window lets you deliver to the router any configuration changes that you have made using SDM. Note that any changes to the configuration that you made using SDM will not affect the router until you deliver the configuration.

Cancel: Click this button to discard the configuration change and close the SDM Deliver to Router dialog box.
Save to File: Click this button to save the configuration changes shown in the window to a text file.
Write to Startup Config: Writes the router’s running configuration file to the router startup configuration.

File Management
You can choose a file or directory in the list on the right side of the window and then choose one of the commands above the list. Directories can be renamed or deleted. Files can be copied, pasted, renamed, or deleted, but files cannot be pasted into the directory from which they were copied. Files with the no-write icon next to their names cannot be copied, pasted, renamed, or deleted.

Paste Button: After you click the Copy button to copy a file, click the Paste button to place the copy of the file in a different directory. Choose a target directory from the left side of the window. You cannot place a copy of the file in the same directory as the original file.
Rename Button: Choose a file or directory from the right side of the window and click the Rename button to change its name.

New Folder
This window allows you to name and create a new folder in the directory system on your Cisco router flash memory and on USB flash devices connected to that router. Enter the name of the new folder in the Folder Name field. The path to the location of the new folder is displayed above the Folder Name field.

Save SDF to PC
If you are working in IPS, you can save the signature definition file (SDF) that you are working on to your PC.

Unable to perform ‘squeeze flash’
Note: If the router does lose power after the erase flash operation, you can use the procedure at the following link to recover: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_mod/cis3700/sw_conf/37_swcf/appendc.htm#xtocid11
Step 2 Save the router’s running configuration to a file on the PC by clicking File > Save Running Config to PC, and entering a filename.

Step 6 Enter the command erase flash:, and confirm. The router's IOS image, configuration file, the SDM.tar file, and the SDM.shtml file are removed from non-volatile RAM (NVRAM).
Step 7 Use the copy command to copy first the IOS image and then SDM.tar from the TFTP server to the router: copy tftp://tftp-server-address/filename flash: Example: copy tftp://10.10.10.
CHAPTER 34 Edit Menu Commands
The following options are available from the Cisco Router and Security Device Manager (SDM) Edit menu.

Preferences
This screen lets you configure the following Cisco Router and Security Device Manager options:
Preview commands before delivering to router: Choose this option if you want SDM to display a list of the Cisco IOS configuration commands generated before the commands are sent to the router.

Continue monitoring interface status when switching mode/task: This is SDM default behavior. SDM begins monitoring interface status when you click Monitor and select Interface status. To have SDM continue monitoring the interface even if you leave Monitor mode and perform other tasks in SDM, select this check box and specify the maximum number of interfaces you want SDM to monitor. The default maximum number of interfaces to monitor is 4.

CHAPTER 35 View Menu Commands
The following options are available from the Cisco Router and Security Device Manager (SDM) View menu.
Home: Displays the SDM Home page, which provides information about router hardware, software, and LAN, WAN, Firewall, and VPN configurations.
Configure: Displays the SDM Tasks bar, which allows you to perform guided and manual configurations for Interfaces and Connections, Firewalls and ACLs, VPNs, Routing, and other tasks.

Running Config: Displays the router’s running configuration.
Show Commands: Displays the Show Commands dialog box, which lets you issue Cisco IOS show commands to the router and view the output. The Show Commands dialog box can display the output from the following show commands:
• show flash: Shows the contents of the router Flash memory.
• show startup-config: Shows the router startup configuration file.

Access Rules: Shows all of the default Access Control List (ACL) rules that permit or deny traffic to the network.
Firewall: Shows a list of protocols and the default options for whether each of them triggers an alert and an audit trail.
VPN - IKE Policy: Shows the default Internet Key Exchange (IKE) policies.
VPN - Transform Sets: Shows the default IP Security (IPSec) transform sets.
Refresh: Reloads configuration information from the router.
CHAPTER 36 Tools Menu Commands
The following options are available from the Cisco Router and Security Device Manager (SDM) Tools menu.
Ping: Displays the Ping dialog box, which lets you send a ping message to another network device. See Generate Mirror... for information on how to use the Ping window.
Telnet: Displays the Windows Telnet dialog box, letting you connect to your router and access the Cisco IOS command-line interface (CLI) using the Telnet protocol.

USB Token PIN Settings
The USB Token PIN Settings dialog box allows you to set PINs for USB tokens connected to your router.
Select a PIN Type: Choose User PIN to set a user PIN, or Admin PIN to set an administrator PIN. A user PIN is used to log into a router.

Save the New PIN to Router: Check the Save the new PIN to router checkbox if you want to save the new PIN as an entry in Configure > VPN > VPN Components > Public Key Infrastructure > USB Tokens. If an entry with the same name already exists in Configure > VPN > VPN Components > Public Key Infrastructure > USB Tokens, it is replaced with the new one. The Save the new PIN to router checkbox is available only for user PINs.

Update SDM
If there is more than one SDM .zip file, obtain the copy with the highest version number.
Step 2 Use the update wizard to copy the SDM files from your PC to the router.

Update SDM from CD
If you have the SDM CD, you can use it to update SDM on your router. To do so, follow these steps:
Step 1 Place the SDM CD in the CD drive on your PC.
Step 2 Select Update SDM from CD, and click Update SDM in the General Instructions window after reading the text.
Step 3 SDM will enable you to locate the file SDM-Updates.xml on the CD. When you locate the file, click Open.
Step 4 Follow the instructions in the installation wizard.
CHAPTER 37 Help Menu Commands
The following options are available from the Cisco Router and Security Device Manager (SDM) Help menu.
Help Topics: Displays the SDM online help. The SDM online help Table of Contents appears in the left frame of the help.
SDM on CCO: Opens a browser and displays the SDM page on the Cisco.com website.
About this router...: Displays hardware and software information about the router on which SDM is running.
About SDM: Displays version information about SDM.
GLOSSARY

Symbols and Numerics
3DES: Triple DES. An encryption algorithm that uses three 56-bit DES encryption keys (effectively 168 bits) in quick succession. An alternative 3DES version uses just two 56-bit DES keys, but uses one of them twice, resulting effectively in a 112-bit key length. Legal for use only in the United States. See DES.

A
AAA: authentication, authorization, and accounting. Pronounced “triple-A.”
AAL5-SNAP: ATM Adaptation Layer 5 Subnetwork Access Protocol.
address translation: The translation of a network address and/or port to another network address and/or port. See also IP address, NAT, PAT, Static PAT.
ADSL: asymmetric digital subscriber line.
aggressive mode: A mode of establishing ISAKMP SAs that simplifies IKE authentication negotiation (phase 1) between two or more IPSec peers. Aggressive mode is faster than main mode, but is not as secure. See main mode, quick mode.
AH: Authentication Header.
asymmetric encryption: Also called public key systems, this approach allows anyone to obtain access to anyone else's public key and therefore send an encrypted message to that person using the public key.
asymmetric keys: A pair of mathematically related cryptographic keys. The public key encrypts information that only the private key can decrypt, and vice versa. Additionally, the private key signs data that only the public key can authenticate.
ATM: Asynchronous Transfer Mode.
CA certificate: A digital certificate granted to one certification authority (CA) by another certification authority.
cache: A temporary repository of information accumulated from previous task executions that can be reused, decreasing the time required to perform the tasks.
CBAC: Context-based Access Control. Protocol that provides internal users with secure access control for each application and for all traffic across network perimeters.
CHAP: Challenge Handshake Authentication Protocol. Security feature supported on lines using PPP encapsulation that prevents unauthorized access. CHAP does not itself prevent unauthorized access; it merely identifies the remote end. The router or access server then determines whether that user is allowed access. See also PAP.
chargen: Character Generation. Via TCP, a service that sends a continual stream of characters until stopped by the client.
cookie: A cookie is a web browser feature that stores or retrieves information, such as a user's preferences, to persistent storage. In Netscape and Internet Explorer, cookies are implemented by saving a small text file on your local hard drive. The file can be loaded the next time you run a Java applet or visit a website. In this way information unique to you as a user can be saved between sessions. The maximum size of a cookie is approximately 4 KB.
CPE: customer premises equipment.
DES: Data Encryption Standard. Standard cryptographic algorithm developed and standardized by the U.S. National Institute of Standards and Technology (NIST). Uses a secret 56-bit encryption key. The DES algorithm is included in many encryption standards.
DHCP: Dynamic Host Configuration Protocol. Provides a mechanism for allocating IP addresses to hosts dynamically, so that addresses can be reused when hosts no longer need them.
DMVPN: Dynamic multipoint virtual private network. A virtual private network in which routers are arranged in a logical hub and spoke topology, and in which the spokes have point-to-point GRE over IPSec connections with the hub. DMVPN uses GRE and NHRP to enable the flow of packets to destinations in the network.
single DMVPN: A router with a single DMVPN configuration has a connection to one DMVPN hub, and has one configured GRE tunnel for DMVPN communication.
E
EAPoUDP: Extensible Authentication Protocol over User Datagram Protocol. Sometimes shortened to EOU. The protocol used by a client and a NAD to perform posture validation.
Easy VPN: A centralized VPN management solution based on the Cisco Unified Client Framework. A Cisco Easy VPN consists of two components: a Cisco Easy VPN Remote client, and a Cisco Easy VPN server.
ECHO: See ping, ICMP.
EIGRP: Enhanced Interior Gateway Routing Protocol. Advanced version of IGRP developed by Cisco Systems.
ESP: Encapsulating Security Payload. An IPSec protocol that provides both data integrity and confidentiality. ESP provides confidentiality, data origin authentication, replay detection, connectionless integrity, partial sequence integrity, and limited traffic flow confidentiality.
ESP_SEAL: ESP with the 160-bit key SEAL (Software Encryption Algorithm) encryption algorithm. This feature was introduced in 12.3(7)T.
extended rules: A type of access rule. Extended rules can examine a greater variety of packet fields to determine a match. Extended rules can examine both the packet’s source and destination IP addresses, the protocol type, the source and destination ports, and other packet fields.
SDP: Secure Device Provisioning.

G
global IKE policy: An IKE policy that is global to a device, rather than affecting only a single interface on that device.
GRE: generic routing encapsulation. Tunneling protocol developed by Cisco that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote points over an IP internetwork.
headend: The upstream, transmit end of a tunnel.
HMAC: Hash-based Message Authentication Code. HMAC is a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative cryptographic hash function, e.g., MD5 or SHA-1, in combination with a secret shared key. The cryptographic strength of HMAC depends on the properties of the underlying hash function.
HMAC-MD5: Hashed Message Authentication Codes with MD5 (RFC 2104).
IDS Sensor: An IDS sensor is hardware on which the Cisco IDS runs. IDS sensors can be stand-alone devices, or network modules installed on routers.
IDM: IDS Device Manager. IDM is software used to manage an IDS sensor.
IETF: Internet Engineering Task Force.
IGMP: Internet Group Management Protocol. IGMP is a protocol used by IPv4 systems to report IP multicast memberships to neighboring multicast routers.
IKE: Internet Key Exchange.
interface: The physical connection between a particular network and the router. The router’s LAN interface connects to the local network that the router serves. The router has one or more WAN interfaces that connect to the Internet.
Internet: The global network that uses IP and Internet protocols. Not a LAN. See also intranet.
intranet: Intranetwork. A LAN that uses IP and Internet protocols, such as SNMP, FTP, and UDP. See also network, Internet.
IOS: Cisco IOS software.
IPSec: A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer. IPSec uses IKE to handle negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPSec.
key pair: See public key encryption.
key recovery: A trusted method by which encrypted information can be decrypted if the decryption key is lost or destroyed.

L
L2F Protocol: Layer 2 Forwarding Protocol. Protocol that supports the creation of secure virtual private dial-up networks over the Internet.
L2TP: Layer 2 Tunneling Protocol. An Internet Engineering Task Force (IETF) standards track protocol defined in RFC 2661 that provides tunneling of PPP.
logical interface: An interface that has been created solely by configuration, and that is not a physical interface on the router. Dialer interfaces and tunnel interfaces are examples of logical interfaces.
loopback: In a loopback test, signals are sent and then redirected back toward their source from some point along the communications path. Loopback tests are often used to determine network interface usability.

M
MAC: message authentication code.
MD5: Message Digest 5. A one-way hashing function that produces a 128-bit hash. Both MD5 and Secure Hashing Algorithm (SHA) are variations on MD4 and are designed to strengthen the security of the MD4 hashing algorithm. Cisco uses hashes for authentication within the IPSec framework. MD5 verifies the integrity and authenticates the origin of a communication.
message digest: A string of bits that represents a larger data block.
NAD: Network Access Device. In a NAC implementation, the device that receives a host’s request to log on to the network. A NAD, usually a router, works with posture agent software running on the host, virus protection software, and ACS and posture/remediation servers on the network to control access to the network in order to prevent infection by computer viruses.
NAS: Network Access Server. Platform that interfaces between the Internet and the public switched telephone network (PSTN).
NHRP: Next Hop Resolution Protocol. A client and server protocol used in DMVPN networks, in which the hub router is the server and the spokes are the clients. The hub maintains an NHRP database of the public interface addresses of each spoke. Each spoke registers its real address when it boots and queries the NHRP database for the real addresses of destination spokes in order to build direct tunnels to them.

P
PAD: packet assembler/disassembler. Device used to connect simple devices (like character-mode terminals) that do not support the full functionality of a particular protocol to a network. PADs buffer data and assemble and disassemble packets sent to such end devices.
padding: In cryptosystems, padding refers to random characters, blanks, zeros, and nulls added to the beginning and ending of messages, to conceal their actual length or to satisfy the data block size requirements of some ciphers.
physical interface: A router interface supported by a network module that is installed in the router chassis, or that is part of the router’s basic hardware.
ping: An ICMP request sent between hosts to determine whether a host is accessible on the network.
PKCS7: Public Key Cryptography Standard No. 7.
PKI: public-key infrastructure.
PPTP: Point-to-Point Tunneling Protocol. Creates client-initiated tunnels by encapsulating packets into IP datagrams for transmission over TCP/IP-based networks. Can be used as an alternative to the L2F and L2TP tunneling protocols. Proprietary Microsoft protocol.
pre-shared key: One of three authentication methods offered in IPSec, the other two being RSA encrypted nonces and RSA signatures.
public key encryption: In public key encryption systems, every user has both a public key and a private key. Each private key is maintained by a single user and shared with no one. The private key is used to generate a unique digital signature and to decrypt information encrypted with the public key. In contrast, a user’s public key is available to everyone to encrypt information intended for that user, or to verify that user’s digital signature. Sometimes called public key cryptography.
remote subnet: Subnetworks are IP networks arbitrarily segmented by a network administrator (by means of a subnet mask) in order to provide a multilevel, hierarchical routing structure while shielding the subnetwork from the addressing complexity of attached networks. A “remote subnet” is the subnet that is not associated with your end of a transmission.
route map: Route maps enable you to control information that is added to the routing table. SDM automatically creates route maps to prevent NAT from translating specific source addresses when doing so would prevent packets from matching criteria in an IPSec rule.
RPC: remote procedure call. RPCs are procedure calls that are built or specified by clients and executed on servers, with the results returned over the network to the clients. See also client/server computing.

S
SA: security association. A set of security parameters agreed upon by two peers to protect a specific session in a particular tunnel. Both IKE and IPSec use SAs, although the SAs are independent of one another. IPSec SAs are unidirectional and are unique in each security protocol. An IKE SA is used by IKE only, and unlike the IPSec SA, it is bidirectional. IKE negotiates and establishes SAs on behalf of IPSec. A user can also establish IPSec SAs manually.
SHA-1: Secure Hashing Algorithm 1. Algorithm that takes a message of less than 2^64 bits in length and produces a 160-bit message digest. The large message digest provides security against brute-force collision and inversion attacks. SHA-1 [NIS94c] is a revision to SHA that was published in 1994.
shared key: The secret key that all users share in a symmetric key-based communication session.
shared secret: A cryptographic key.
signature: See digital signature.
Glossary The act of a packet illegally claiming to be from an address from which it was not actually sent. Spoofing is designed to foil network security mechanisms such as filters and access lists. spoofing spoof SRB source-route bridging. Method of bridging originated by IBM and popular in Token Ring networks. In an SRB network, the entire route to a destination is predetermined, in real time, prior to the sending of data to the destination. SSH Secure Shell.
Glossary subnet, subnetwork In IP networks, a network sharing a particular subnet address. Subnetworks are networks arbitrarily segmented by the network administrator in order to provide a multilevel, hierarchical routing structure while shielding the subnetwork from the addressing complexity of attached networks. See also IP address, subnet bits, subnet mask. subnet mask 32-bit address mask used in IP to indicate the bits of an IP address that are being used for the network and optional subnet address.
Glossary traffic flow confidentiality or traffic analysis Security concept that prevents the unauthorized disclosure of communication parameters. The successful implementation of this concept hides source and destination IP addresses, message length, and frequency of communication from unauthorized parties transform Description of a security protocol and its corresponding algorithms.
Glossary VFR Virtual Fragment Reassembly. VFR enables IOS Firewall to dynamically create ACLs to block IP fragments. IP fragments often do not contain enough information for static ACLs to be able to filter them. VPI virtual path identifier. Identifies the virtual path used by an ATM connection. VPDN virtual private dial-up network. A system that permits dial-in networks to exist remotely to home networks, while giving the appearance of being directly connected.
Glossary VPN mirror policy A VPN policy on a remote system that contains values that are compatible with a local policy and that enable the remote system to establish a VPN connection to the local system. Some values in a mirror policy must match values in a local policy, and some values, such as the IP address of the peer, must be the reverse of the corresponding values in the local policy. You can create mirror policies for remote administrators to use when you configure site-to-site VPN connections.
Glossary X X.509 A digital certificate standard, specifying certificate structure. Main fields are ID, subject field, validity dates, public key, and CA signature. X.509 certificate A digital certificate that is structured according to the X.509 guidelines. A list of certificate numbers that have been revoked. An X.509 CRL is one that X.509 certificate revocation list (CRL) meets either of the two CRL formatting definitions in X.509. XAuth IKE Extended Authentication.